
ETSI SECURITY WORK UPDATE Dr. Carmine Rizzo CISA, CISM, CMP, ITIL, PRINCE2 © ETSI 2015 All rights reserved ITU-T SG17 Meeting – 8 April 2015


Page 1:

ETSI SECURITY WORK UPDATE
Dr. Carmine Rizzo
CISA, CISM, CMP, ITIL, PRINCE2

© ETSI 2015 All rights reserved

ITU-T SG17 Meeting – 8 April 2015

Page 2:

ETSI: European roots, Global outreach

ETSI is a world-leading standards developing organization for Information and Communication Technologies (ICT)

Founded initially to serve European needs, ETSI has become highly-respected as a producer of technical standards for worldwide use

Page 3:

ETSI: some facts

Created in 1988

Recognised as an ESO by the EU and EFTA (ESO: European Standards Organisation; EFTA: European Free Trade Association)

Independent, not-for-profit

Governed by (worldwide) ETSI Members

ETSI Members participate directly in the standardization process

Page 4:

Products & services

Technical specifications and standards with global application

Support to industry and European regulation

Specification & testing methodologies

Interoperability testing

Page 5:

Membership

Over 800 companies, big and small, from 64 countries on 5 continents

A powerful and dynamic mix of skills, resources and ambitions

Manufacturers, network operators, service and content providers, national administrations, ministries, universities, research bodies, consultancies, user organizations

Page 6:

Innovations

Efficient and speedy standards-making

Agreement by consensus !!!

Free download of all our standards

Electronic working to boost efficiency and reduce cost and environmental impact

Quality certified to ISO 9001:2008

Page 7:

ETSI Clusters

http://www.etsi.org/technologies-clusters/clusters

Page 8:

Areas of security standardization

• Cyber Security
• Mobile/Wireless Comms (GSM/UMTS, TETRA, DECT…)
• Lawful Interception and Data Retention
• Electronic Signatures
• Smart Cards
• Machine-to-Machine (M2M)
• Methods for Testing and Specification (MTS)
• Emergency Communications / Public Safety
• RFID
• Intelligent Transport Systems
• Information Security Indicators
• Quantum Key Distribution (QKD)
• Quantum-Safe Cryptography (QSC)
• Algorithms
• In 3GPP

Page 9:

Major security work over the last year

Maintenance of published deliverables
• In all areas as necessary

New publications in various areas including:
• Electronic Signatures
• Intelligent Transport Systems
• Smart Cards
• Information Security Indicators

New security algorithm
• UMTS authentication and key generation

Page 10:

Creation of new ETSI groups

Creation in 2014 of TC CYBER
• Cybersecurity standardization
• Very active!

Creation in 2015 of ISG QSC
• Quantum-Safe Cryptography
• 1st meeting 24-26 March

TC: Technical Committee
ISG: Industry Specification Group

Page 11:

ETSI TC CYBER – Terms of Reference

Cyber Security Standardization
• Security of infrastructures, devices, services and protocols
• Security advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operators
• Security tools and techniques to ensure security
• Creation of security specifications and alignment with work done in other TCs and ISGs
• Coordinate work with external groups such as the CSCG with CEN, CENELEC, the NIS Platform and ENISA
• Collaborate with other SDOs (ISO, ITU, NIST, ANSI...)
• Respond to policy requests on Cyber Security and ICT security in the broad sense

Page 12:

TC CYBER meetings

TC CYBER met 3 times face-to-face
• Around 50 participants at each meeting
• Progress made on 9 documents

Participating organizations
• Industry: Manufacturers, Operators, SMEs...
• Administrations
• European Commission
• ENISA
• Universities / Research Bodies
• Service Providers
• Micro Enterprises
• Consultancy

Page 13:

TC CYBER documents

9 open documents
• 8 Technical Reports
• 1 ETSI Guide
• Full scope of them all as annexes at the end of these slides

TR 103 303, Protection measures for ICT in the context of Critical Infrastructure
TR 103 304, PII Protection and Retention
TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence
TR 103 306, Global Cyber Security Ecosystem
TR 103 307, Security Aspects for LI and RD interfaces
TR 103 308, A security baseline regarding LI for NFV and related platforms
TR 103 309, Secure by Default adoption – platform security technology
TR 103 331, Structured threat information sharing
EG 203 310, Post Quantum Computing Impact on ICT Systems

Page 14:

Areas of work and related guidance

Critical Infrastructure protection
• Guidance for the deployment of security technologies and security management to deliver and maintain effective Critical Infrastructures that are reliant on ICT technology
• Resilience, M2M/IoT security, eHealth security

Structured threat information sharing
• Guidance for exchanging cyber threat information in a standardized and structured manner
• Provide technical indicators of adversary activity, contextual information, exploitation targets, and courses of action

Page 15:

Areas of work and related guidance

Security assurance by design/default
• Guidance to detect, prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks
• Measures reflecting the combined knowledge of actual attacks and effective defenses
• Guidance to business decision makers for the development and adoption of secure by default platform security technologies - how they can be used to effectively solve real business problems, and improve the usability of secure services
• Encourage industry to adopt device hardware security features – show that there is a market need

Page 16:

Areas of work and related guidance

Security for LI and RD interfaces
• Guidance to protect information flows and interfaces from a security perspective (confidentiality, integrity and authenticity) including implementation details (technologies, algorithms, options, minimum requirements on keys etc.) in a context of provision of Lawful Interception (LI) and Retained Data (RD) functionalities

LI in the NFV context
• Guidance related to the legal and physical challenges to ensure LI functionalities in a Network Functions Virtualization context
• Focus on the infrastructure of NFV rather than the functions themselves

Page 17:

Areas of work and related guidance

Privacy measures
• Guidance for the protection and retention of PII (Personally Identifiable Information)
• Enable the secure portability of data transferred from one service provider to another

Post quantum computing impact on ICT
• Review nature and vulnerabilities of security algorithms when subjected to quantum computing attacks
• Evaluate characteristics required of algorithms in order to be invulnerable under such attacks

Global Cyber Security Ecosystem
• Constantly updated overview of cyber security work being undertaken in multiple forums worldwide

Page 18:

ISG QSC – Terms of Reference

• Identification of proposals from industry and academia for quantum safe cryptographic primitives, and the development of a framework for quantum safe algorithms
• High-level characterization of these primitives and assessment of their suitability with respect to the quantum safe requirements and applications
• Threat and risk assessment for real-world use cases
• Providing evidence of the need for new standards and technological guidance, and building the related roadmap
• Dissemination of guidance and standards documents, and later maintenance of the standardized algorithms under the custodianship of the ETSI SC Security Algorithms Group of Experts (SAGE)
• Defining criteria for, and assessment of, the suitability of cryptographic primitives

Page 19:

ISG QSC (Quantum-Safe Cryptography)

1st meeting held 24-26 March 2015

5 Group Specifications adopted:
GS QSC 001, Quantum safe algorithmic framework
GS QSC 002, Cryptographic primitive characterization
GS QSC 003, Cryptographic primitive suitability assessment
GS QSC 004, Quantum safe threat assessment
GS QSC 005, Quantum safe standards assessment

Page 20:

Security Week (22-26 June 2015, ETSI)

Workshop, Technical Streams, Meetings
• Including TC CYBER#4 Meeting

Workshop/Streams free and open to everyone

TC CYBER meeting open to non-ETSI Members upon invitation (see website to apply)

Networking opportunity every day!
• Free lunches and networking cocktails

www.etsi.org/securityweek
• Agendas and registrations

Separate registrations to events
Networking opportunities throughout the week

Page 21:

Security Week (22-26 June 2015, ETSI)

        Mon 22     Tue 23                       Wed 24            Thu 25   Fri 26
AM      Workshop   Workshop                     CYBER#4, ISI#23   eIDAS    CYBER#4
PM      Workshop   Workshop; Streams: M2M/IoT,  CYBER#4, ISI#23   eIDAS    CYBER#4
                   ITS, eIDAS, HF/USER/eHealth

Page 22:

ETSI Security White Paper

Achievements and current work

List of all security publications

6th Edition published January 2014
• 7th will be published before Security Week

www.etsi.org/securitywhitepaper

Page 23:

Please keep in touch!

Contact Details: [email protected]

Full scope of all TC CYBER documents to follow as annexes

© ETSI 2015. All rights reserved

Thank you!
Available for your questions

ITU-T SG17 Meeting – 8 April 2015

Page 24:

TR 103 303, Protection measures for ICT in the context of Critical Infrastructure

Scope: The critical infrastructure protection addressed in the EU’s published directive is essentially Power and Transport. It is clear to most casual observers that the global economic infrastructure is now composed of a huge set of ICT networks and services. It would not be a stretch to say that ICT capabilities now underpin all of the other critical infrastructures. This means food security, economic activity security, citizen safety and just about everything else. The purpose of the TR to be delivered by this work item is to identify the role of ICT protections through the deployment of security technologies and security management to deliver effective Critical Infrastructures that are reliant on ICT technology. The topics to be addressed by the work item include: Resilience (taking as input the ENISA reports on this topic and work from related national programmes); M2M communications (in close liaison with oneM2M and smartM2M); eHealth (in order to give assurance of access to ICT enabled eHealth systems). The report is intended to highlight aspects of CI and ICT that have to be addressed to ensure that CI maintains its infrastructure role.

Page 25:

TR 103 304, PII Protection and Retention

Scope: Essentially different from any previous telco scenario, where user data was accessible from network functional elements only, today even sensitive PII is directly accessible from terminals. Server-based data access control technologies are becoming less effective for PII protection. This new WI is intended to describe novel access control technologies that enable 1) data protection, based on policy rules, as soon as data leaves the boundary of the terminal's OS and 2) portability of protection settings when data moves from one service provider to another.

Page 26:

TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence

Scope: This Technical Report describes a specific set of technical measures, developed and maintained by the Council on CyberSecurity, that are available to detect, prevent, respond to, and mitigate damage from the most common to the most advanced of cyber attacks. The measures reflect the combined knowledge of actual attacks and effective defenses.

Page 27:

TR 103 306, Global Cyber Security Ecosystem

Scope: This proposed NWI provides a structured overview of cyber security work occurring in multiple other technical forums worldwide. The overview includes global identification of Cyber Security Centres of Excellence, heritage sites, historical collections, and reference libraries. It is intended to be continuously updated to account for the dynamics of the sector.

Page 28:

TR 103 307, Security Aspects for LI and RD interfaces

Scope: It is envisaged that TC Cyber would assess the information flows and interfaces (as identified by TC LI) from a security (confidentiality, integrity and authenticity) perspective and provide guidance on the implementation details (technologies, algorithms, options, minimum requirements on keys etc).

Page 29:

TR 103 308, A security baseline regarding LI for NFV and related platforms

Scope: The lawful interception capability is capable of being virtualised, but the legal and physical challenges of doing so must be taken into account. The initial study is focused on the LI aspects. The challenge for both the Lawful Interception and NFV communities is that the fundamental security principles for generic platforms, upon which the related groups can build, must first be established. There is an urgent requirement to establish a minimum set of security principles for generic telecommunications platforms that will allow virtualised network functions to use the features necessary to afford them appropriate protection, and at the same time allow appropriate activities (LI, fraud management, cyber defence) to be undertaken. Establishing such a baseline will help the industry as a whole to be better protected against cyber threats. There is no overlap with other work, e.g. SECAM; in fact the work is intended to be complementary. The focus of this work item is on the NFV infrastructure and not on the virtual network functions.

Page 30:

TR 103 309, Secure by Default adoption – platform security technology

Scope: A proposed TR to describe the following: An approach to encourage development and adoption of 'secure by default' platform security technologies by showing how they can be used to effectively solve real business problems, and improve the usability of secure services. The intended audience is decision makers rather than engineering teams. These could be deciding which features to include in a new platform, or which are required as part of a procurement activity. We will first produce a structure for describing identified business requirements/issues for a particular set of users; then detail the characteristics required of possible solutions; and finally identify existing or emerging standards which provide those characteristics. The last two activities require technical expertise, hence the production of this TR within TC CYBER. A particular example is to identify challenges relating to end user devices for large organisations. Currently adoption of device hardware security features is low, despite widespread agreement within the technical community that they are needed. This example will aim to show that a market for these features does exist, and that a strong case can be made for organisations to actively seek them out.

Page 31:

TR 103 331, Structured threat information sharing

Scope: This work item will produce a Technical Report on means for describing and exchanging cyber threat information in a standardized and structured manner. Such information includes technical indicators of adversary activity, contextual information, exploitation targets, and courses of action.
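The four kinds of information the scope lists (indicators of adversary activity, context, exploitation target, course of action) only pay off for a recipient once a bundle is parsed, validated and applied to local telemetry. The following Python is an added example, not code from ETSI or from TR 103 331, and it also serves the structured threat information sharing item on page 14. The JSON layout and field names of the bundle are an assumption of this example (loosely STIX-like, not the format TR 103 331 specifies); the indicator values and log lines are constructed, using RFC 5737 and RFC 2606 example addresses. The point it makes that the scope does not: a bundle from a peer is untrusted input, so every indicator is syntax-checked and regex-escaped before it becomes a pattern, and matches are token-anchored so a near-miss such as 198.51.100.234 does not fire on an indicator for 198.51.100.23.

```python
"""Consume a structured threat-information bundle and apply it to logs.

Added example; not ETSI code and not the format TR 103 331 defines.
The JSON layout, field names, indicator values and log lines below are
all constructed for illustration (RFC 5737 / RFC 2606 example ranges).
"""
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed bundle, as a peer CSIRT might send it.
THREAT_BUNDLE = json.dumps({
    "id": "bundle-0001",
    "produced_by": "partner-csirt",
    "context": {"campaign": "example-campaign", "confidence": "medium"},
    "exploitation_target": {"product": "example-webapp", "versions": "< 2.4"},
    "course_of_action": "block listed IPs at the perimeter; rotate affected credentials",
    "indicators": [
        {"type": "ipv4", "value": "198.51.100.23"},
        {"type": "domain", "value": "update.example.net"},
        {"type": "sha256",
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
})

# Constructed log lines; the last two are near-misses that must not match.
SAMPLE_LOGS = [
    "2015-04-08T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.com",
    "2015-04-08T10:00:07Z dns client=10.0.0.9 query=update.example.net",
    "2015-04-08T10:01:12Z av file=/tmp/x sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2015-04-08T10:02:00Z proxy src=10.0.0.5 dst=198.51.100.234 host=example.org",
    "2015-04-08T10:02:30Z dns client=10.0.0.9 query=notupdate.example.net",
]

# Syntax each indicator type must satisfy before it is trusted.
INDICATOR_SYNTAX = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}


@dataclass(frozen=True)
class Match:
    indicator_type: str
    value: str
    line: str
    campaign: str
    course_of_action: str


def compile_indicators(bundle_json: str) -> Tuple[dict, list]:
    """Parse the bundle and compile each indicator into an anchored pattern.

    Every value is checked against the syntax for its type and regex-escaped,
    so a malformed or hostile indicator is rejected rather than becoming an
    arbitrary regex run over our logs.
    """
    bundle = json.loads(bundle_json)
    compiled = []
    for ind in bundle["indicators"]:
        kind, value = ind["type"], ind["value"]
        syntax = INDICATOR_SYNTAX.get(kind)
        if syntax is None or not syntax.match(value):
            raise ValueError(f"rejected indicator {ind!r}")
        # Token boundaries: 198.51.100.23 must not hit 198.51.100.234,
        # update.example.net must not hit notupdate.example.net.
        pattern = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.I)
        compiled.append((kind, value, pattern))
    return bundle, compiled


def match_logs(bundle_json: str, lines: List[str]) -> List[Match]:
    """Apply every indicator to every line.  Each hit carries the bundle's
    context and course of action, so the analyst sees what to do, not only
    that something matched."""
    bundle, compiled = compile_indicators(bundle_json)
    hits = []
    for line in lines:
        for kind, value, pattern in compiled:
            if pattern.search(line):
                hits.append(Match(kind, value, line,
                                  bundle["context"]["campaign"],
                                  bundle["course_of_action"]))
    return hits


if __name__ == "__main__":
    for hit in match_logs(THREAT_BUNDLE, SAMPLE_LOGS):
        print(f"{hit.indicator_type:7} {hit.value[:24]:24} -> {hit.course_of_action}")
```

Run as-is it reports three hits (the IP, the domain and the hash) and ignores the two near-miss lines; swapping an indicator value for something like `198.51.100.23; rm -rf /` makes `compile_indicators` raise instead of silently compiling it.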

Page 32:

EG 203 310, Post Quantum Computing Impact on ICT Systems

Scope: The intent of the work item is to address business continuity, arising from the concern that quantum computing is likely to break the hard problems that lie at the heart of both RSA and ECC asymmetric cryptography. The current assumptions that underpin the security strength of RSA and ECC are that solving the integer factorisation and discrete logarithm problems, respectively, is infeasible without prior knowledge (i.e. the private key). It has been widely suggested that the application of quantum computing to these problems removes the assertion of infeasibility. Whilst it is not known when quantum computing will arrive, or how long it will be until the factorisation and discrete logarithm problems are themselves solved at cryptographic sizes, the report will review the nature of the algorithms when subjected to QC attack and why they become vulnerable. In addition the report will highlight the characteristics required of algorithms in order to be invulnerable under QC attack. The report will consider a number of sub-topics in the transition to the post-quantum era; they are not all algorithmic, and many of the necessary considerations apply to business continuity. For example: how to re-assert CAs in a PKI? How to distribute new algorithms? How to distribute new keys?
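Why RSA "becomes vulnerable" under QC attack is easiest to see when the quantum and classical parts of Shor's algorithm are separated: the quantum computer contributes only the multiplicative order r of a random base a modulo N; everything else is ordinary arithmetic that runs today. The Python below is an added illustration, not part of this deck or of EG 203 310, and it also serves the "post quantum computing impact on ICT" item on page 17. It runs that classical post-processing against a constructed toy modulus N = 3233 = 53 × 61, standing in for the order-finding step with brute force (exponential in the size of N, which is exactly the step a quantum computer makes polynomial), and shows the retry case where the first base yields only the trivial square root of 1. The same reduction applies to ECC: a quantum period-finding oracle returns the discrete logarithm directly, which is why the report's conclusion covers both families.

```python
"""Classical post-processing of Shor's algorithm, with the quantum
order-finding step replaced by brute force so it runs on a laptop.

Added illustration; not part of the ETSI slide deck or of EG 203 310.
The modulus 3233 = 53 * 61 is a constructed toy RSA modulus.
"""
from math import gcd
from typing import Optional, Tuple


def multiplicative_order(a: int, n: int) -> int:
    """Return the smallest r > 0 with a**r == 1 (mod n).

    This is the only step a quantum computer speeds up (Shor's period
    finding).  Here it is done by brute force, which takes up to n steps
    and is therefore feasible only for toy moduli; a 2048-bit RSA modulus
    would need on the order of 2**2048 iterations this way.
    """
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int) -> Optional[Tuple[int, int]]:
    """Turn the order r of a mod n into a factorisation of n, if r is usable.

    If r is even and y = a**(r/2) is a non-trivial square root of 1 mod n,
    then (y - 1)(y + 1) == 0 (mod n) while neither factor is, so gcd(y - 1, n)
    is a proper divisor.  Odd r, or y == -1 (mod n), gives nothing; Shor's
    algorithm then simply retries with another base a.
    """
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:  # trivial root of 1: a**(r/2) == -1 (mod n)
        return None
    p = gcd(y - 1, n)
    if 1 < p < n:
        return tuple(sorted((p, n // p)))
    return None


def shor_factor(n: int) -> Tuple[int, int, int, int]:
    """Factor composite n the way Shor does: returns (p, q, a_used, order).

    Bases a are tried in increasing order.  A base sharing a factor with n
    already yields that factor via gcd, a lucky case Shor also handles.
    """
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return (min(g, n // g), max(g, n // g), a, 0)
        r = multiplicative_order(a, n)
        fac = factor_from_order(a, r, n)
        if fac is not None:
            return (fac[0], fac[1], a, r)
    raise ValueError("n appears to be prime or a prime power")


if __name__ == "__main__":
    p, q, a, r = shor_factor(3233)
    print(f"3233 = {p} * {q}  (base a={a}, order r={r})")
```

For N = 3233 the base a = 2 has order 780, but 2^390 ≡ −1 (mod 3233), the trivial root, so it is discarded; a = 3 has order 260 and 3^130 is a non-trivial root of 1, and gcd(3^130 − 1, 3233) = 61 recovers the factorisation. Nothing in the factorisation step depends on the size of N; only `multiplicative_order` does, and that is the function a quantum computer replaces.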