Cyber Security in Europe Priorities, Standards and Cooperation - PowerPoint PPT Presentation

  1. Cyber Security in Europe
     Priorities, Standards and Cooperation Opportunities
     Alessandro Guarino, ETSI TC CYBER – StudioAG
     EU-SEA Workshop - Hanoi, 2/12/2015, Hanoi National University
     1 / 38

  2. Introduction
     ● Who am I?
     ● Day job: Information Security consultant and adviser – StudioAG, www.studioag.eu
     ● Standardisation activity
       – ISO SC 27
       – ETSI Technical Committee “CYBER”
       – Cyber Security Coordination Group
     ● Independent researcher and speaker – CyCon 2013, ISSE 13-15

  3. Introduction
     ● Priorities – the 2013 EU Cyber Security Strategy
       – Achieving cyber resilience (NIS)
       – (Drastically) reducing cybercrime
       – Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy
       – Developing industrial and technological resources for cybersecurity
       – Establishing a coherent international cyberspace policy for the EU, promoting EU values
     ● Critical Infrastructure Protection

  4. Europe Cybersecurity Ecosystem

  5. Introduction
     ● Horizon 2020 – the EU research programme
       – Just published the 2016-17 work programme
       – Periodic “Calls” open to consortia (European and extra-EU)
       – Specific “Digital Security” area (besides direct calls for cooperation)
     ● Standardisation work
       – ESOs: CEN/CENELEC and ETSI
       – Similarities and differences
       – Cyber Security Coordination Group

  6. CSCG
     ● Advisory Body of the three ESOs (CEN/CENELEC/ETSI)
     ● Composed of ESO members and EU institutions – ENISA, JRC, DG GROWTH, DG CNECT
     ● White Paper, Feb 2014: 9 main Recommendations for a Strategy on European Cyber Security Standardization
       – http://www.din.de/de/din-und-seine-partner/din-e-v/organisation/koordinierungsstellen/kits/cscg/cscg-white-paper-published-61526

  7. CSCG White Paper Areas
     ● GOVERNANCE – Coordination, scope, trust
     ● HARMONISATION – PKI/cryptography, requirements/evaluation, EU security label, interface with research
     ● GLOBALISATION – Harmonisation with international key players, global promotion of EU Cyber Security standards

  8. ETSI – Some Facts
     ● Created in 1988
     ● Recognised ESO
     ● Independent, not for profit
     ● ICT focus
     ● Governed by (worldwide) ETSI Members
       – Born European, global outreach
       – Technical standards
     ● ETSI Members participate directly in the standardisation process

  9. Products & services
     ● Technical Specifications and Standards with global application
     ● Support to industry and European regulation
     ● Specification & testing methodologies
     ● Interoperability testing

  10. Membership
     ● Over 800 companies, big and small, from 64 countries on 5 continents
     ● Manufacturers, network operators, service and content providers, national administrations, ministries, universities, research bodies, consultancies, user organizations

  11. Innovations
     ● Efficient and speedy standards-making
     ● Agreement by consensus!!!
     ● Free download of all our standards
     ● Electronic working to boost efficiency and reduce cost and environmental impact
     ● Quality certified to ISO 9001:2008

  12. ETSI Clusters

  13. Areas of security standardization
     ● Cyber Security
     ● Mobile/Wireless Comms (GSM/UMTS, TETRA, DECT)
       – Involvement in 3GPP
     ● Lawful Interception and Retained Data
     ● Electronic Signatures
     ● Smart Cards
     ● Machine-to-Machine (M2M)
     ● Methods for Testing and Specification (MTS)
     ● Emergency Communications / Public Safety
     ● RFID
     ● Intelligent Transport Systems
     ● Information Security Indicators
     ● Quantum Key Distribution (QKD)
     ● Quantum-Safe Cryptography (QSC)
     ● Algorithms
     ● Network Functions Virtualisation (NFV)

  14. ETSI TC CYBER
     ● Cyber Security Standardisation
     ● Security of infrastructures, devices, services and protocols
     ● Security advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operators
     ● Tools and techniques to ensure security
     ● Creation of security specifications and alignment with work done in other TCs and ISGs
     ● Coordinate work with external groups such as the CSCG with CEN, CENELEC, the NIS Platform and ENISA
     ● Collaborate with other SDOs (ISO, ITU, NIST, ANSI...)
     ● Answer policy requests on Cyber Security and ICT security in a broad sense

  15. ETSI TC CYBER
     ● Created in 2014 - met five times face-to-face
     ● Next meeting (CYBER #6) scheduled for February 2016
       – On average over 50 participants per meeting
       – Work carried out on 13 documents
     ● Participating organisations:
       – Industry: manufacturers, operators, SMEs...
       – Public administrations
       – The European Commission
       – ENISA
       – Universities and research bodies
       – Service providers
       – Micro enterprises
       – Consultancy

  16. TC CYBER – 13 Active Documents
     ● TR 103 303 Protection measures for ICT in the context of Critical Infrastructure
     ● TR 103 304 PII Protection and Retention
     ● TR 103 305 Security Assurance by Default; Critical Security Controls for Effective Cyber Defence
     ● TR 103 306 Global Cyber Security Ecosystem (approved)
     ● TS 103 307 Security Aspects for LI and RD interfaces
     ● TR 103 308 A security baseline regarding LI for NFV
     ● TR 103 309 Secure by Default adoption – platform security technology
     ● TR 103 369 Design requirements ecosystem
     ● TR 103 370 Practical introductory guide to privacy
     ● TR 103 331 Structured threat information sharing
     ● EG 203 310 Post Quantum Computing Impact on ICT Systems
     ● TS 103 485 Mechanisms for privacy assurance and verification
     ● TS 103 486 Identity management

  17. Areas of work
     ● Critical Infrastructure Protection
       – Guidance for the deployment of ICT security technologies and security management to deliver and maintain effective Critical Infrastructures
     ● Structured Threat Information Sharing
       – Guidance for exchanging cyber threat information in a standardized and structured manner
       – Provide technical indicators of adversary activity, contextual information, exploitation targets, and courses of action

  18. Areas of work
     ● Security by Default
       – Published May 2015
       – Critical Security Controls for Effective Cyber Defence
       – Guidance to detect, prevent, respond to, and mitigate damage from the most common to the most advanced cyber attacks
       – Measures reflecting the combined knowledge of actual attacks and effective defences
     ● Structured Threat Information Sharing
       – Published August 2015
       – Guidance to business decision makers for the development and adoption of secure by default platform security technologies
       – Encourage industry to adopt device hardware security features

  19. Areas of work
     ● Security for Lawful Interception and RD interfaces
       – Guidance to protect information flows and interfaces from a security perspective (confidentiality, integrity and authenticity), including implementation details (technologies, algorithms, options, minimum requirements on keys, etc.) in the context of provision of Lawful Interception (LI) and Retained Data (RD) functionalities
     ● Lawful Interception in the NFV context
       – To be published end 2015
       – Guidance related to the legal and physical challenges of ensuring LI functionalities in a Network Functions Virtualization context
       – Focus on the infrastructure of NFV rather than the functions themselves

  20. Areas of work
     ● Post-Quantum Computing Impact on ICT
       – Review the nature and vulnerabilities of security algorithms when subjected to quantum computing attacks
       – Evaluate the characteristics required of algorithms in order to be invulnerable under such attacks
     ● Global Cyber Security Ecosystem
       – To be published end 2015
       – Constantly updated overview of cyber security work being undertaken in multiple forums worldwide
     ● Design Requirements Ecosystem
       – Structured ecosystem of security design requirements that may be applicable to ICT networks and devices

  21. Areas of work
     ● Privacy measures (4 documents)
       – Guidance on the basics for privacy management: terms and definitions, standards, practical applications
       – Guidance for the protection and retention of PII (Personally Identifiable Information) and how to enable the secure portability of data transferred from one service provider to another
       – Provision of technical means that enable assurance of privacy and verification of said assurance
       – Identification of means to protect identity in order to alleviate some of the resultant threats

  22. In-Depth
     ● ETSI White Paper (7th Edition, June 2015)
       – Achievements and current work
       – List of all Security publications
       – www.etsi.org/security/whitepaper
     ● Membership details
       – www.etsi.org/membership
       – Fees vary by organisation type and size

  23. TC CYBER Work Details
     In the final slides you will find the full scope for all TC CYBER documents for your reference.
