etsi security work update dr. carmine rizzo cisa, cism, cmp, itil, prince2 © etsi 2015 all rights...
TRANSCRIPT
ETSI SECURITY WORK UPDATEDr. Carmine RizzoCISA, CISM, CMP, ITIL, PRINCE2
© ETSI 2015 All rights reserved
ITU-T SG17 Meeting – 8 April 2015
ETSI: European roots, Global outreach
2
ETSI is a world-leading standards developing organization for Information and Communication Technologies (ICT)
Founded initially to serve European needs, ETSI has become highly-respected as a producer of technical standards for worldwide use
ETSI: some facts
3
Created in 1988
Recognised ESO by the EU and EFTAESO: European Standard OrganisationEFTA: European Free Trade Association
Independent, non for profit
Governed by (worldwide) ETSI Members
ETSI Members participate directly in the standardization process
Products & services
4
Technical specifications and standards with global application
Support to industry and European regulation
Specification & testing methodologies
Interoperability testing
Membership
5
Over 800 companies, big and small, from 64 countries on 5 continents
A powerful and dynamic mix of skills, resources and
ambitions
Manufacturers, network operators, service and content providers, national administrations, ministries, universities, research bodies, consultancies, user organizations
Innovations
6
Efficient and speedy standards-making
Agreement by consensus !!!
Free download of all our standards
Electronic working to boost efficiency and reduce cost and environmental impact
Quality certified to ISO 9001:2008
ETSI Clusters
7
http://www.etsi.org/technologies-clusters/clusters
Areas of security standardization
Cyber SecurityMobile/Wireless Comms (GSM/UMTS, TETRA, DECT…)Lawful Interception and Data RetentionElectronic SignaturesSmart CardsMachine-to-Machine (M2M)Methods for Testing and Specification (MTS)Emergency Communications / Public SafetyRFIDIntelligent Transport SystemsInformation Security IndicatorsQuantum Key Distribution (QKD)Quantum –Safe Cryptography (QSC)AlgorithmsIn 3GPP
8
Major security work over the last year
Maintenance of published deliverables• In all areas as necessary
New publications in various areas including:• Electronic Signatures• Intelligent Transport Systems• Smart Cards• Information Security Indicators
New security algorithm• UMTS authentication and key generation
9
Creation of new ETSI groups
Creation in 2014 of TC CYBER• Cybersecurity standardization• Very active!
Creation in 2015 of ISG QSC• Quantum-Safe Cryptography• 1st meeting 24-26 March
TC: Technical CommitteeISG: Industry Specification Group
10
ETSI TC CYBER – Terms of Reference
Cyber Security StandardizationSecurity of infrastructures, devices, services and protocolsSecurity advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operatorsSecurity tools and techniques to ensure securityCreation of security specifications and alignment with work done in other TCs and ISGsCoordinate work with external groups such as the CSCG with CEN, CENELEC, the NIS Platform and ENISACollaborate with other SDOs (ISO, ITU, NIST, ANSI...)Answer to policy requests on Cyber Security and ICT security in broad sense
TC CYBER meetings
TC CYBER met 3 times face-to-face• Around 50 participants at each meeting• Progress made on 9 documents
Participating organizations• Industry: Manufacturers, Operators, SMEs...• Administrations• European Commission• ENISA• Universities / Research Bodies• Service Providers• Micro Enterprises• Consultancy
TC CYBER documents
9 open documents• 8 Technical Reports• 1 ETSI Guide• Full scope of them all as annexes at the end of these slides
TR 103 303, Protection measures for ICT in the context of Critical InfrastructureTR 103 304, PII Protection and RetentionTR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber DefenceTR 103 306, Global Cyber Security EcosystemTR 103 307, Security Aspects for LI and RD interfacesTR 103 308, A security baseline regarding LI for NFV and related platformsTR 103 309, Secure by Default adoption – platform security technologyTR 103 331, Structured threat information sharingEG 203 310, Post Quantum Computing Impact on ICT Systems
Areas of work and related guidance
Critical Infrastructure protection• Guidance for the deployment of security
technologies and security management to deliver and maintain effective Critical Infrastructures that are reliant on ICT technology
• Resilience, M2M/IoT security, eHealth security
Structured threat information sharing • Guidance for exchanging cyber threat information in
a standardized and structured manner• Provide technical indicators of adversary activity,
contextual information, exploitation targets, and courses of action
14
Areas of work and related guidance
Security assurance by design/default• Guidance to detect, prevent, respond, and mitigate
damage from the most common to the most advanced of cyber attacks
• Measures reflecting the combined knowledge of actual attacks and effective defenses
• Guidance to business decision makers for the development and adoption of secure by default platform security technologies - how they can be used to effectively solve real business problems, and improve the usability of secure services
• Encourage industry to adopt device hardware security features – show that there is a market need
15
Areas of work and related guidance
Security for LI and RD interfaces• Guidance to protect information flows and interfaces
from a security perspective (confidentiality, integrity and authenticity) including implementation details (technologies, algorithms, options, minimum requirements on keys etc) in a context of provision of Lawful Interception (LI) and Retained Data (RD) functionalities
LI in the NFV context• Guidance related to the legal and physical challenges
to ensure LI functionalities in a Network Functions Virtualization context
• Focus on the infrastructure of NFV rather than the functions themselves
16
Areas of work and related guidance
Privacy measures• Guidance for the protection and retention of PII
(Personally Identifiable Information)• Enable the secure portability of data transferred from
one service provider to another
Post quantum computing impact on ICT• Review nature and vulnerabilities of security algorithms
when subjected to quantum computing attacks • Evaluate characteristics required of algorithms in order
to be invulnerable under such attacks
Global Cyber Security Ecosystem• Constantly updated overview of cyber security work
being undertaken in multiple forums worldwide17
ISG QSC – Terms of Reference
Identification of proposals from industry and academia for quantum safe cryptographic primitives, and the development of a framework for quantum safe algorithmsHigh-level characterization of these primitives and assessment of their suitability with respect to the quantum safe requirements and applicationsThreat and risk assessment for real-world use casesProviding evidence of the need for new standards and technological guidance, and building related roadmapDissemination of guidance and standards documents, and later maintenance of the standardized algorithms under the custodianship of the ETSI SC Security Algorithms Group of Experts (SAGE)Defining criteria for, and assessment of, the suitability of cryptographic primitives
18
ISG QSC (Quantum-Safe Cryptography)
1st meeting held 24-26 March 2015
5 Group Specifications adopted:GS QSC 001, Quantum safe algorithmic frameworkGS QSC 002, Cryptographic primitive characterization GS QSC 003, Cryptographic primitive suitability assessmentGS QSC 004, Quantum safe threat assessmentGS QSC 005, Quantum safe standards assessment
19
20
Workshop, Technical Streams, Meetings• Including TC CYBER#4 Meeting
Workshop/Streams free and open to everyone
TC CYBER meeting open to non ETSI Members upon invitation (see website to apply)
Networking opportunity every day!• Free lunches and networking cocktails
www.etsi.org/securityweek • Agendas and registrations
Separate registrations to eventsNetworking opportunities throughout the week
Security Week (22-26 June 2015, ETSI)
Security Week (22-26 June 2015, ETSI)
21
Mon 22 Tue 23 Wed 24 Thu 25 Fri 26
AM
Workshop
Workshop CYBER#4ISI#23
eIDAS
CYBER#4
PM
Workshop Workshop
Streams:M2M/IoT
ITSeIDAS
HF/USER/
eHealth
CYBER#4ISI#23
eIDAS
CYBER#4
ETSI Security White Paper
22
Achievements and current work
List of all security publications
6th Edition published January 2014• 7th will be published before Security Week
www.etsi.org/securitywhitepaper
Please keep in touch!
Contact Details:[email protected]
Full scope of all TC CYBER documents to follow as annexes
© ETSI 2015. All rights reserved23
Thank you!Available for your questions
ITU-T SG17 Meeting – 8 April 2015
TR 103 303, Protection measures for ICT in the context of Critical Infrastructure
Scope: The critical infrastructure protection addressed in the EU’s published directive is essentially Power and Transport. It is clear to most casual observers that the global economic infrastructure is now composed of a huge set of ICT networks and services. It would not be a stretch to say that ICT capabilities now underpin all of the other critical infrastructures. This means food security, economic activity security, citizen safety and just about everything else. The purpose of the TR to be delivered by this work item is to identify the role of ICT protections through the deployment of security technologies and security management to deliver effective Critical Infrastructures that are reliant on ICT technology. The topics to be addressed by the work item include: Resilience (taking as input the ENISA reports on this topic and work from related national programmes); M2M communications (in close liaison with oneM2M and smartM2M); eHealth (in order to give assurance of access to ICT enabled eHealth systems). The report is intended to highlight aspects of CI and ICT that have to be addressed to ensure that CI maintains its infrastructure role.
TR 103 304, PII Protection and Retention
Scope: Essentially different than any previous telco scenario where user data was accessible from network functional elements only, today even sensitive PII is directly accessible from terminals. Server-based data access control technologies are becoming less effective for PII protection. This new WI is intended to describe novel access control technologies that enable 1) data protection, based on policy rules, as soon as data leaves the boundary of terminal’s OS and 2) portability of protection settings when data moves from one service provider to another.
TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence
Scope: This Technical Report describes a specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks developed and maintained by the Council of Cybersecurity. The measures reflect the combined knowledge of actual attacks and effective defenses.
TR 103 306, Global Cyber Security Ecosystem
Scope: This proposed NWI provides a structured overview of cyber security work occurring in multiple other technical forums worldwide. The overview includes global identification of Cyber Security Centres of Excellence, heritage sites, historical collections, and reference libraries. It is intended to be continuously updated to account for the dynamics of the sector.
TR 103 307, Security Aspects for LI and RD interfaces
Scope: It is envisaged that TC Cyber would assess the information flows and interfaces (as identified by TC LI) from a security (confidentiality, integrity and authenticity) perspective and provide guidance on the implementation details (technologies, algorithms, options, minimum requirements on keys etc).
TR 103 308, A security baseline regarding LI for NFV and related platforms
Scope: The lawful interception capability is capable of being virtualised but the legal and physical challenges of doing so must be taken into account. The initial study is focused on the LI aspects. The challenge for both Lawful Interception and NFV as a community is that it is necessary to establish the fundamental security principles for generic platforms upon which the related groups can build. There is an urgent requirement to establish a minimum set of security principles for generic telecommunications platforms that will allow the virtualised network functions to utilise the features necessary to afford them appropriate protection and at the same time allow to undertake appropriate activities (LI, fraud management, cyber defense). Establishing such a baseline will help the industry as a whole to be better protected against Cyber threats. There is no overlap with other work e.g. SECAM – in fact the work is intended to be complementary. The focus of this work item is on the NFV infrastructure and not virtual network functions.
TR 103 309, Secure by Default adoption – platform security technology
Scope: A proposed TR to describe the following: An approach to encourage development and adoption of 'secure by default' platform security technologies by showing how they can be used to effectively solve real business problems, and improve the usability of secure services. The intended audience is decision makers rather than engineering teams. These could be deciding which features to include in a new platform, or which are required as part of a procurement activity. We will first produce a structure for describing identified business requirements/issues for a particular set of users; detailing the characteristics required of possible solutions, and finally identifying existing or emerging standards which provide those characteristics. The last two activities require technical expertise, hence the production of this TR within TC-CYBER. A particular example is to identify challenges relating to end user devices for large organisations. Currently adoption of device hardware security features is low, despite widespread agreement within the technical community that they are needed. This example will aim to show that a market for these features does exist, and that a strong case can be
made for organisations to actively seek them out.
TR 103 331, Structured threat information sharing
Scope: This work item will produce a Technical Report on means for describing and exchanging cyber threat information in a standardized and structured manner. Such information includes include technical indicators of adversary activity, contextual information, exploitation targets, and courses of action.
EG 203 310, Post Quantum Computing Impact on ICT Systems
Scope: The intent of the work item is to address business continuity arising from the concern that quantum computing is likely to invalidate the problems that lie at the heart of both RSA and ECC asymmetric cryptography. The current assumptions that underpin the security strength of RSA and ECC are that the solution to the prime factoring, and the discrete logarithm problems are infeasible without prior knowledge. It has been widely suggested that the application of quantum computing to these problems removes the assertion of infeasibility. Whilst it is not known when quantum computing will arrive or how long it will be until the factorisation and discrete logarithm problems are themselves solved the report will review the nature of the algorithms when subjected to QC attack and why they become vulnerable. In addition the report will highlight the characteristics required of algorithms in order to be invulnerable under QC attack. The report will consider a number of sub topics to be covered in considering the transition to the post-quantum era and they are not all algorithmic but many of the necessary considerations apply to business continuity. For example how to re-assert CAs in a PKI? How to distribute new algorithms? How to distribute new keys?