Cyber Security Standardization & SMEs (Insider view)
Brussels, 24 May 2019
Dr. George Sharkov [email protected]
SBS expert @ ETSI TC CYBER
Digital SME Alliance
AI High Level Expert Group (“Trustworthy AI”), EC
European Software Institute CEE with Cyber Resilience Lab
2011
2016
… distributed systems — encompassing cloud and SaaS; A.I., machine learning, deep learning; and quantum computing — to the role of hardware; future interfaces; and data, big and small.… why simulations matter… and what do we make of our current reality if we are all really living in a simulation as Elon Musk believes?
Security Function:
• products + new requirements
• standards and norms
• awareness
• skills, competences
• “by design” principle
The tipping point
Digital dependency: If software is eating/programming the world, are we safe?
How to make it all work? Technology roadmap and standardization
(Diagram: PUSH / PULL between regulation and standards)
Regulations & Requirements (Norms)
(Tech.) Standards: Compliances = Lab tests > CERTIFICATES
(Org.) Standards, Models: Compliances = Audits/Assessments/Appraisals > CERTIFICATES
January 25, 2018
WEF, Davos
To Prevent a Digital Dark Age: World Economic Forum Launches Global Centre for Cybersecurity
21 Members
Establishment of SBS:
• Economic importance of SMEs
• Standardisation activities increasing / Underrepresentation of SMEs in standardisation
• Legislative Framework (Annex III organisation under Regulation 1025/2012)
35 EU & EFTA countries, 12 million SMEs
Europe
▪ > 20 million SMEs
▪ 99.8% of all businesses
▪ 93 million people employed
▪ 67% of all jobs
▪ 57% of the gross value added
▪ More than 1500 EU standards delivered every year
What does SBS do?
Why should SMEs use standards?
• Facilitate conformity to regulation
> Mandates - harmonised standards
• Market access
> Interoperability and acceptance
• Costs reduction
> Economies of scale
SMEs = core of European economy
SME-compatible standards are needed!
Sectors covered by SBS
SBS Sectoral approach: 4 sectors
ICT, Construction, Lifts, PPE & Textile
➢ Evaluate the implementation of relevant legislation and standards
➢ Engage with SMEs and participate in European technical groups
➢ Elaboration and dissemination of information
➢ SBS Forum once a year
• Construction
• Cosmetics
• Doors and Windows
• Electrical Installations
• Ergonomics
• Furniture
• ICT
• Insulation material
• Lifts
• Machinery
• Management
• Occupational Health and Safety
• Pyrotechnic
• Road Vehicles
• Textiles and footwear
• Tourism
• Transport systems and navigation
• Welding
• Wood
SBS experts in ICT Committees (2019):
Committee in 2019 – Name of committee
ISO/IEC JTC 1 SC 27 WG4 – IT security techniques
ISO/IEC JWC 001 WG11 – Smart cities
ETSI TC ATTM + WG AT2 + TM6 + SDMC – Multiplexing
ETSI TC ESI – Electronic signatures and infrastructures
CEN TC 224 WG17 – Protection profiles in the context of secure signature creation devices
ISO/IEC JTC 1/SC27 WG1 – IT Security techniques
ISO TC 184 SC4/WG12 + SC4/WG21 – Industrial data, STEP product modelling and SMRL Validation Team
ISO/IEC JTC 1 SC17 WG3 + WG8 + WG10 – Cards and personal identification
ISO TC 307 – Blockchain
CLC TC 9X + WG15-05 + WG26 – ICT for railways
ISO/IEC JTC1 SC7 WG20 – Professions for ICT - Study group on competency frameworks and models for software and systems engineering professionals
CEN TC 428 – Digital competences and ICT Professionalism
ETSI TC ERM TG28 – IoT value chains
CEN TC 442 WG4 – BIM Support data dictionaries
ETSI TC CYBER – Cyber
ETSI oneM2M – Machine-to-Machine communications systems and the Internet of Things
Cyber Domain (Digitized Ecosystem) and Standardization
• Digitized Europe fundamentals:
• DSM (Digital Single Market)
• GDPR (General Data Protection Regulation)
• NISD (Security of Network and Information Systems Directive)
• EU Cyber Package – ENISA 2.0 Regulation + Cybersecurity Certification
• others (like PSD2 for banks/payments)
• All cybersecurity aspects are covered (no significant gaps), BUT:
• too many standards, and many are not actionable or particularly useful (entry barrier for SMEs)
• need to converge toward useful, interoperable sets of standards
• if not freely available on-line, constantly evolving, and well-versioned – low practical value and represent cybersecurity impediments
• need broad industry & society, public-private support and adoption (multi-stakeholder holistic approach)
• There are no simple or easy cyber security solutions
• 100% cybersecurity is not achievable – reduced risks (defense, threat exchange measures) and business resilience
• security measures may have privacy concerns (e.g. end-to-end encryption)
• Rapidly evolving new industry platforms (NFV-SDN/5G, quantum computing…) need urgent “predictive” attention
• Difficult to provide effective cyber security certification
On 13 September 2017 the Commission issued a proposal for a regulation on:
1) ENISA (2.0), the "EU Cybersecurity Agency", and
2) Information and Communication Technology cybersecurity certification (''Cybersecurity Act'').
Certification = increasing trust and security in products and services, crucial for DSM
Fact: different security certification schemes for ICT products exist in the EU. Without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers in the single market.
The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. This will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service, e.g. “smart cards”.
The certification will attest that ICT products and services that have been certified in accordance with such a
scheme comply with specified cybersecurity requirements. The resulting certificate will be recognized in all
Member States, making it easier for businesses to trade across borders and for purchasers to understand
the security features of the product or service.
The schemes proposed in the future European framework will rely as much as possible on international
standards as a way to avoid creating trade barriers and ensuring coherence with international initiatives.
Digital Single Market (DSM): EU certification framework for ICT security products and services (Sept 2017 – June 2019, regulation)
TC CYBER and SMEs (SBS role since 2015)
• ETSI - global collaborative body based in Europe
• It is open, inclusive, expert, flexible, and highly diverse with extensive industry, SME, academic and government participation
• It avoids inventing its own specification wherever possible – especially for cyber security
• bring the standards that do exist to some form of order
• address critical new platforms such as Quantum Computing and Network Functions Virtualization for 5G implementations
• Its reports and specifications with associated code (where appropriate) are freely available on-line, dynamic, and well-versioned with persistent URLs
• cooperative relationships and constant pro-active outreach with a very large array of highly active new security and industry bodies as well as legacy organisations and SMEs
• Standards via ETSI TC CYBER will allow DSM’s reliance on each of NISD and GDPR to be secure and viable
• The special legal status of ETSI standards in Europe (as with CEN and CENELEC) is useful for DSM, NISD and GDPR
small is BIG
business THREAT
CYBERSPACE SECURITY AND RESILIENCE:
Standardization & Compliances Challenge for SMEs
Solution: SBS proposal to TC CYBER (ETSI)
“Translate” big standards for small businesses
• Identify the four “A”-s challenges of standards and SMEs
• Availability
• Awareness
• Affordability
• Accessibility
• Are SMEs in the real focus or just “mentioned”? (EU/EC – NIS Directive, ETSI, CEN, … - review)
• SMEs specific profile – types of SMEs by role in digital ecosystems
• ICT/HW, SW, services - small business – developers and providers
• Digital dependent businesses (clusters, value chains) - incl. CIS/essential service (NISD)
• “Office” users (end users!) > moving to “Digitally dependent”
• Startups – entry level and scale-up (“digitized”)
• Options for standardization bodies adapting standards for SMEs:
• Evolution – new versions with specific levels to existing standards (“maturity levels”), adapted and applicable to SMEs
• Lightweight standard/requirements/recommendation - amend special section for SMEs - “minimum requirements” (entry level, “cyber hygiene”/NISD)
• Develop new, specific for SMEs standards (low interest)
• Combined requirements – kind of “general security pack” digest – might not be a “standard” (example – Consumer IoT + IoT providers + … Smart meters + … Middle Box Security)
Example: work of relevance to DSM, NISD, GDPR and SMEs (with links to ETSI documents, open access)
TR 103 306: Global Cyber Security Ecosystem
TR 103 421: Network Gateway Cyber Defence
TR 103 305 Critical Security Controls - five-part series of pragmatic guidance to enterprises (incl. SMEs)
TR 103 331: Structured threat information sharing
TR 103 304: Personally Identifiable Information (PII) Protection in mobile and cloud services
TR 103 309: Secure by Default - platform security technology
TR 103 369: Design requirements ecosystem
TR 103 456: Implementation of the Network and Information Security (NIS) Directive
TS 103 458: Describes high-level requirements for Attribute-Based Encryption (ABE)
TR 103 370: Technical standards that can be used for data protection according to GDPR
TR 103 303: Critical infrastructure protection (CIP)
TS 103 523: series on Middlebox Security Protocol (MSP), delivered in parts evolving
TS 103 645: “Cyber Security in the Internet of Things”
May 2019: complete CYBER roadmap on website
https://www.etsi.org/cyber-security/tc-cyber-roadmap
Example: Technical Specification 103 645 Consumer IoT security
• 20-50 billion consumer IoT devices by 2020
• Many products are poorly secured.
• Three key risks: consumer privacy, DDoS against 3rd parties, infrastructure impact
In progress: transpose TS 103 645 into a European Standard (EN)
Challenge: Focus on SMEs - Implementation schemes
• Implementation guidelines & Assistance
• Assessments and certifications
• Self assessment, Guided/Facilitated assessment, Audit/Appraisals
• Minimum requirements (sector/business specific) – “Cyber essentials” (UK)
• Lightweight and Incremental (maturity) – USA, Netherlands, …
• European Digital SME Alliance project – “ISO 2700x implementation guide for SMEs”
• Combined with other (business, quality) – like 3-in-1 ITMark (of ESI) – ISO 2700x + business + quality (of processes)
• SMEs and Critical Infrastructure Protection (CIP) – NIST Framework, DHS CRR (Cyber Resilience Readiness – self assessment + guided self-assessment/“certificate”)
cPPP ECSO and WG1-3 of NISD
SMEs & Supply Chain Cyber Resilience = convergence of standards/models
+ ISO 28000 (Specification for security management systems for the supply chain)
+ ISO 31000 (supply chain risk management)
+ ISO 2700x (InfoSec)
+ ISO 20000 (BC/SC)
+ …
(Diagram: supply chain risk tiers)
TIER ZERO [internal risks]: SME processes, control, assets
TIER ONE [external dependencies]: environment risks [context/outsourced/enablers] – Legal, IT & Security, Financial
TIER TWO / TIER THREE: supply side risks, demand side risks
Solution: Implementation schemes & engagement
Supply/value chains as Blockchains
1) TRUST = Need standards applicable and affordable for ALL players (SMEs!!)
but also
2) Provide a natural engagement and propagation mechanism (shared risk requires shared responsibility)
Example > NotPetya spread over Supply Chains and affected other countries !!!
Copyright: ESI CEE
EU New challenge (June 2018): Towards Trustworthy AI - HLEG AI
Trustworthy AI = Lawful AI + Ethically Adherent AI + Technically Robust AI
SMALL BUSINESS STANDARDS
Rue Jacques de Lalaingstraat 4
B-1040 Brussels, Belgium
www.sbs-sme.eu
[email protected]
Small Business Standards is co-financed by the European Commission and EFTA
Thank you
Dr. George Sharkov [email protected]
SBS expert @ ETSI TC CYBER