Cyber Security Standardization & SMEs (Insider view)

Brussels, 24 May 2019

Dr. George Sharkov [email protected]

SBS expert @ ETSI TC CYBER

Digital SME Alliance

AI High Level Expert Group (“Trustworthy AI”), EC

European Software Institute CEE with Cyber Resilience Lab


Page 2

2011

2016

… distributed systems — encompassing cloud and SaaS; A.I., machine learning, deep learning; and quantum computing — to the role of hardware; future interfaces; and data, big and small.… why simulations matter… and what do we make of our current reality if we are all really living in a simulation as Elon Musk believes?

Page 3

Security Function:

• products + new requirements
• standards and norms
• awareness
• skills, competences
• “by design” principle

The tipping point

Digital dependency: If Software is eating/programming the world, are we safe?

Page 4

How to make it all work? Technology roadmap and standardization

[Diagram: Regulations & Requirements (Norms) at the centre, driving two compliance paths (PUSH / PULL)]

(Tech.) Standards → Compliances = Lab tests → CERTIFICATES

(Org.) Standards, Models → Compliances = Audits/Assessments/Appraisals → CERTIFICATES

Page 5

January 25, 2018

WEF, Davos

To Prevent a Digital Dark Age: World Economic Forum Launches Global Centre for Cybersecurity

Page 6

What does SBS do?

21 Members

35 EU & EFTA countries, 12 million SMEs

Establishment of SBS:

▪ Economic importance of SMEs
▪ Standardisation activities increasing
▪ Underrepresentation of SMEs in standardisation
▪ Legislative Framework (Annex III organisation under Regulation 1025/2012)

Europe:

▪ > 20 million SMEs
▪ 99.8% of all businesses
▪ 93 million people employed
▪ 67% of all jobs
▪ 57% of the gross value added
▪ More than 1500 EU standards delivered every year

Page 7

Why should SMEs use standards?

• Facilitate conformity to regulation
  > Mandates - harmonised standards
• Market access
  > Interoperability and acceptance
• Cost reduction
  > Economies of scale

SMEs = core of European economy. SME-compatible standards are needed!

Page 8

Sectors covered by SBS

SBS Sectoral approach: 4 sectors: ICT, Construction, Lifts, PPE & Textile

➢ Evaluate the implementation of relevant legislation and standards
➢ Engage with SMEs and participate in European technical groups
➢ Elaboration and dissemination of information
➢ SBS Forum once a year

• Construction
• Cosmetics
• Doors and Windows
• Electrical Installations
• Ergonomics
• Furniture
• ICT
• Insulation material
• Lifts
• Machinery
• Management
• Occupational Health and Safety
• Pyrotechnic
• Road Vehicles
• Textiles and footwear
• Tourism
• Transport systems and navigation
• Welding
• Wood

Page 9

SBS experts in ICT Committees (2019):

Committee in 2019 | Name of committee
ISO/IEC JTC 1 SC 27 WG4 | IT security techniques
ISO/IEC JWC 001 WG11 | Smart cities
ETSI TC ATTM + WG AT2 + TM6 + SDMC | Multiplexing
ETSI TC ESI | Electronic signatures and infrastructures
CEN TC 224 WG17 | Protection profiles in the context of secure signature creation devices
ISO/IEC JTC 1/SC27 WG1 | IT Security techniques
ISO TC 184 SC4/WG12 + SC4/WG21 | Industrial data, STEP product modelling and SMRL Validation Team
ISO/IEC JTC 1 SC17 WG3 + WG8 + WG10 | Cards and personal identification
ISO TC 307 | Blockchain
CLC TC 9X + WG15-05 + WG26 | ICT for railways
ISO/IEC JTC1 SC7 WG20 | Professions for ICT - Study group on competency frameworks and models for software and systems engineering professionals
CEN TC 428 | Digital competences and ICT Professionalism
ETSI TC ERM TG28 | IoT value chains
CEN TC 442 WG4 | BIM Support data dictionaries
ETSI TC CYBER | Cyber
ETSI oneM2M | Machine-to-Machine communications systems and the Internet of Things

Page 10

Cyber Domain (Digitized Ecosystem) and Standardization

• Digitized Europe fundamentals:
  • DSM (Digital Single Market)
  • GDPR (General Data Protection Regulation)
  • NISD (Security of Network and Information Systems Directive)
  • EU Cyber Package – ENISA 2.0 Regulation + Cybersecurity Certification
  • others (like PSD2 for banks/payments)

• All cybersecurity aspects are covered (no significant gaps), BUT:
  • too many standards, and many are not actionable or particularly useful (entry barrier for SMEs)
  • need to converge toward useful, interoperable sets of standards
  • standards that are not freely available on-line, constantly evolving and well-versioned have low practical value and represent cybersecurity impediments
  • need broad industry & society, public-private support and adoption (multi-stakeholder holistic approach)

• There are no simple or easy cyber security solutions
  • 100% cybersecurity is not achievable – reduced risks (defense, threat exchange measures) and business resilience
  • security measures may have privacy concerns (e.g. end-to-end encryption)
  • Rapidly evolving new industry platforms (NFV-SDN/5G, quantum computing…) need urgent “predictive” attention
  • Difficult to provide effective cyber security certification

Page 11

Digital Single Market (DSM): EU certification framework for ICT security products and services (Sept 2017 – June 2019, regulation)

On 13 September 2017 the Commission issued a proposal for a regulation on:

1) ENISA (2.0), the "EU Cybersecurity Agency", and

2) Information and Communication Technology cybersecurity certification (''Cybersecurity Act'').

Certification = increasing trust and security in products and services, crucial for DSM

Fact: different security certification schemes for ICT products exist in the EU. Without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers in the single market.

The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. This will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service, e.g. “smart cards”.

The certification will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified cybersecurity requirements. The resulting certificate will be recognized in all Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.

The schemes proposed in the future European framework will rely as much as possible on international standards as a way to avoid creating trade barriers and ensure coherence with international initiatives.

Page 12

TC CYBER and SMEs (SBS role since 2015)

• ETSI - global collaborative body based in Europe
• It is open, inclusive, expert, flexible, and highly diverse with extensive industry, SME, academic and government participation
• It avoids inventing its own specification wherever possible – especially for cyber security
  • bring the standards that do exist to some form of order
  • address critical new platforms such as Quantum Computing and Network Functions Virtualization for 5G implementations
• Its reports and specifications with associated code (where appropriate) are freely available on-line, dynamic, and well-versioned with persistent URLs
• cooperative relationships and constant pro-active outreach with a very large array of highly active new security and industry bodies as well as legacy organisations and SMEs
• Standards via ETSI TC CYBER will allow DSM’s reliance on each of NISD and GDPR to be secure and viable
• The special legal status of ETSI standards in Europe (as with CEN and CENELEC) is useful for DSM, NISD and GDPR

Page 13

small is BIG

business THREAT

CYBERSPACE SECURITY AND RESILIENCE: Standardization & Compliances Challenge for SMEs

Page 14

Solution: SBS proposal to TC CYBER (ETSI)
“Translate” big standards for small businesses

• Identify the four “A” challenges of standards and SMEs:
  • Availability
  • Awareness
  • Affordability
  • Accessibility
• Are SMEs in the real focus or just “mentioned”? (EU/EC – NIS Directive, ETSI, CEN, … - review)
• SMEs specific profile – types of SMEs by role in digital ecosystems
  • ICT/HW, SW, services - small business – developers and providers
  • Digital dependent businesses (clusters, value chains) - incl. CIS/essential service (NISD)
  • “Office” users (end users!) > moving to “Digitally dependent”
  • Startups – entry level and scale-up (“digitized”)
• Options for standardization bodies adapting standards for SMEs:
  • Evolution – new versions with specific levels to existing standards (“maturity levels”), adapted and applicable to SMEs
  • Lightweight standard/requirements/recommendation - amend special section for SMEs - “minimum requirements” (entry level, “cyber hygiene”/NISD)
  • Develop new, specific for SMEs standards (low interest)
  • Combined requirements – kind of “general security pack” digest – might not be a “standard” (example – Consumer IoT + IoT providers + … Smart meters + … Middle Box Security)

Page 15

Example: work of relevance to DSM, NISD, GDPR and SMEs (with links to ETSI documents, open access)

TR 103 306: Global Cyber Security Ecosystem
TR 103 421: Network Gateway Cyber Defence
TR 103 305: Critical Security Controls - five-part series of pragmatic guidance to enterprises (incl. SMEs)
TR 103 331: Structured threat information sharing
TR 103 304: Personally Identifiable Information (PII) Protection in mobile and cloud services
TR 103 309: Secure by Default - platform security technology
TR 103 369: Design requirements ecosystem
TR 103 456: Implementation of the Network and Information Security (NIS) Directive
TS 103 458: Describes high-level requirements for Attribute-Based Encryption (ABE)
TR 103 370: Technical standards that can be used for data protection according to GDPR
TR 103 303: Critical infrastructure protection (CIP)
TS 103 523: series on Middlebox Security Protocol (MSP), delivered in parts evolving
TS 103 645: “Cyber Security in the Internet of Things”

May 2019: complete CYBER roadmap on website

https://www.etsi.org/cyber-security/tc-cyber-roadmap

Page 16

Example: Technical Specification 103 645 Consumer IoT security

• 20-50 billion consumer IoT devices by 2020
• Many products are poorly secured.
• Three key risks: consumer privacy, DDoS against 3rd parties, infrastructure impact

Page 17

Page 18

In progress: transpose TS 103 645 into a European Standard (EN)

Page 19

Challenge: Focus on SMEs - Implementation schemes

• Implementation guidelines & Assistance
• Assessments and certifications
  • Self-assessment, Guided/Facilitated assessment, Audit/Appraisals
  • Minimum requirements (sector/business specific) – “Cyber essentials” (UK)
  • Lightweight and Incremental (maturity) – USA, Netherlands, …
• European Digital SME Alliance project – “ISO 2700x implementation guide for SMEs”
• Combined with other (business, quality) – like 3-in-1 ITMark (of ESI) – ISO 2700x + business + quality (of processes)
• SMEs and Critical Infrastructure Protection (CIP) – NIST Framework, DHS CRR (Cyber Resilience Readiness – self-assessment + guided self-assessment/“certificate”)

cPPP ECSO and WG1-3 of NISD

Page 20

SMEs & Supply Chain Cyber Resilience = convergence of standards/models

+ ISO 28000 (Specification for security management systems for the supply chain)
+ ISO 31000 (supply chain risk management)
+ ISO 2700x (InfoSec)
+ ISO 20000 (BC/SC)
+ …

Page 21

Page 22

[Diagram: SME supply-chain risk tiers]

TIER ZERO [internal risks]: SME processes, control, assets; Legal, IT & Security, Financial
TIER ONE [external dependencies]: environment risks [context/outsourced/enablers]
TIER TWO, TIER THREE (on both sides): supply side risks, demand side risks

Solution: Implementation schemes & engagement
Supply/value chains as Blockchains

1) TRUST = Need standards applicable and affordable for ALL players (SMEs!!)

but also

2) Provide a natural engagement and propagation mechanism (shared risk requires shared responsibility)

Example > NotPetya spread over supply chains and affected other countries!!!

Copyright: ESI CEE

Page 23

EU New challenge (June 2018): Towards Trustworthy AI - HLEG AI

Trustworthy AI = Lawful AI + Ethically Adherent AI + Technically Robust AI

Page 24

SMALL BUSINESS STANDARDS
Rue Jacques de Lalaingstraat 4
B-1040 Brussels, Belgium
www.sbs-sme.eu
[email protected]

Small Business Standards is co-financed by the European Commission and EFTA

Thank you

Dr. George Sharkov [email protected]

SBS expert @ ETSI TC CYBER