D8.3 Cybersecurity Standardization Engagement Plan 2
Proposal No.: 830929
Project start: February 1, 2019
Call: H2020-SU-ICT-03-2018
Project duration: 42 months

Document Identification
Due date: 31.01.2021
Submission date:
Revision: V1.0
Related WP: WP 8
Dissemination Level: PU
Lead Participant: CONCEPT
Lead Author: CONCEPT
Contributing Beneficiaries: GUF, CYBER, AIT, POLITO, UPRC, VTT
Related Deliverables: D8.1
CyberSec4Europe D8.3 Cybersecurity Standardization Engagement Plan

Abstract

The aim of this document is to provide a further picture of the current engagement of the project partners in cybersecurity standardization/certification related activities, both international and national. By compiling this information, we demonstrate the potential of CyberSec4Europe to actively contribute to the further development of the cybersecurity standardization/certification areas.

COVID-19 NOTE: The reviewers and readers of this deliverable should be informed that, due to the COVID-19 crisis in Europe, many standardization/certification related efforts were significantly delayed or postponed during the period covered by this deliverable. Over the past few months, however, new ways of working have been adopted, standardization activities have restarted, and they are expected to regain traction in 2021.

This document is issued within the CyberSec4Europe project. This project has received funding from the European Union's Horizon 2020 Programme under grant agreement no. 830929.

This document and its content are the property of the CyberSec4Europe Consortium. All rights relevant to this document are determined by the applicable laws. Access to this document does not grant any right or license on the document or its contents. This document or its contents are not to be used or treated in any manner inconsistent with the rights or interests of the CyberSec4Europe Consortium and are not to be disclosed externally without prior written consent from the CyberSec4Europe Partners. Each CyberSec4Europe Partner may use this document in conformity with the CyberSec4Europe Consortium Grant Agreement provisions and the Consortium Agreement.

The information in this document is provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.
Executive Summary

This deliverable is an update to Deliverable 8.1. It reports on the activities that our CyberSec4Europe partners are undertaking in the realm of standardization and certification. It is important to note that, even though many partners are involved in standardization to a very significant depth, this deliverable only summarizes these activities. While some partners are clearly driving the efforts with Standards Development Organizations (SDOs) and their committees, others are active participants contributing content and feedback.

Deliverable D8.1 showed us the involvement of partners and their interest in standardization organizations. This helped us to select the three organizations with which our partners collaborate most – ISO/IEC JTC 1/SC 27 (Information security, cybersecurity and privacy protection), CEN/CENELEC JTC 13 (Cybersecurity and Data Protection) and ETSI TC CYBER (privacy and security) – for inclusion in the project standards matrix (Deliverable D8.2). We chose ISO/IEC because its standards are among the most used worldwide, and CEN/CENELEC and ETSI because the standards of these two organizations are recognized as European Standards.

The matrices in Deliverable 8.2 contain privacy and cybersecurity standards from ISO/IEC, CEN/CENELEC and ETSI that are relevant to the CyberSec4Europe verticals and research topics. We studied the standards and mapped them to the CyberSec4Europe topics in order to direct the attention of the project partners to the standards and technical reports that could be relevant in their vertical or research topic, so that they can find the necessary information more quickly. In addition, we have included draft projects from ISO/IEC JTC 1/SC 27 and ETSI in the matrices.

CyberSec4Europe applied for liaison status in ISO/IEC JTC 1/SC 27 WG 2 and WG 5 in September 2019. This request was approved in September 2020, and with this, CyberSec4Europe partners can contribute the results of the project to the standards that are under development, thus ensuring that bleeding-edge research reaches standardization projects.
Document information

Contributors
Mark Miller / Victoria Menezes Miller (CONCEPT)
Liina Kamm (CYBER)
Kai Rannenberg (GUF)
Stephan Krenn / Thomas Lorünser (AIT)
Antonio Skarmeta (UMU)
Luca Durante (CNR)
Pasquale Annicchino (ARCH)
Kimmo Halunen / Jarno Salonen (VTT)
Lea Hemetsberger (OASC)
Juan Carlos Perez Baun (ATOS)
Javier Lopez / Carmen Fernandez Gago / Ruben Rios (UMA)
Martin Wimmer / Prabhakaran Kasinathan (SIE)
Marco Angelini (ENG)
Marco Crabu (ABI)
Antonio Lioy (POLITO)
Liliana Pasquale (UCD)
Vasileios Gkioulos (NTNU)
Vanesa Gil Laredo (BBVA)

Reviewers
Sandhra-Mirella Valdma (CYBER)
Jozef Vyskoc (VAF)
Peter Hamm (GUF)

History (version, date, author, change)
0.01 2020-10-20 M. Miller / V. Menezes Miller (CONCEPT): 1st Draft for high-level review
0.02 2020-11-02 M. Miller / V. Menezes Miller (CONCEPT): 2nd Draft requesting updated information
0.03 2020-11-18 S. Krenn (AIT), A. Skarmeta (UMU): Updated activities
0.04 2020-11-23 L. Durante (CNR), P. Annicchino (ARCH), K. Halunen (VTT): Updated activities
0.05 2020-11-23 L. Kamm (CYBER): Information on liaison, plans for Task 8.2, info on SC 27 standard projects, updated activities
0.06 2020-11-23 K. Rannenberg (GUF): Updated activities
0.07 2020-11-26 L. Hemetsberger (OASC), J.-C. Perez Baun (ATOS): Updated activities
0.08 2020-12-01 M. Miller, V. Menezes Miller (CONCEPT): Updated activities
0.09 2020-12-15 C. Fernandez Gago, J. Lopez (UMA): Updated activities
0.10 2020-12-17 M. Wimmer, P. Kasinathan (SIE): New standardization activities (CSA, OASIS, IEC, W3C)
0.11 2020-12-17 M. Angelini (ENG): Contribution to Impact
0.12 2020-12-18 P. Annicchino (ARCH): Updated activities
0.13 2020-12-18 A. Skarmeta (UMU): Updated activities
0.14 2020-12-18 A. Lioy (POLITO): Updated activities
0.15 2020-12-18 M. Crabu (ABI): Updated activities
0.16 2020-12-18 M. Wimmer, P. Kasinathan (SIE): Updated activities
0.17 2020-12-18 K. Rannenberg (GUF): Updated activities
0.18 2020-12-18 C. Fernandez Gago (UMA): Editorial changes
0.19 2020-12-29 M. Miller / V. Menezes Miller (CONCEPT): Editing, authoring and integration of multiple extensive inputs
0.20 2021-01-11 S.-M. Valdma (CYBER); J. Vyskoc (VAF), review by e-mail: 1st Review
0.21 2021-01-11 L. Pasquale (UCD): Updated activities
0.22 2021-01-12 M. Crabu (ABI): Section 2.3.7.1
0.23 2021-01-12 L. Kamm (CYBER): Editorial changes
0.24 2021-01-14 A. Skarmeta (UMU): 1st Review changes
0.25 2021-01-14 J. Salonen (VTT): 1st Review changes
0.26 2021-01-15 V. Gkioulos (NTNU): 1st Review changes
0.27 2021-01-15 L. Kamm (CYBER): 1st Review changes
0.28 2021-01-18 R. Rios (UMA): 1st Review changes
0.29 2021-01-18 L. Durante (CNR): 1st Review changes
0.30 2021-01-18 P. Annicchino (ARCH): 1st Review changes
0.31 2021-01-18 M. Crabu (ABI): 1st Review changes
0.32 2021-01-18 R. Rannenberg (GUF): 1st Review changes
0.33 2021-01-18 L. Pasquale (UCD): 1st Review changes
0.34 2021-01-18 M. Wimmer (SIE): 1st Review changes
0.35 2021-01-19 L. Hemetsberger (OASC): 1st Review changes
0.36 2021-01-19 M. Miller / V. Menezes Miller (CONCEPT): Editing, authoring and integration of multiple extensive inputs and changes
0.37 2021-01-19 M. Miller / V. Menezes Miller (CONCEPT): Editing, authoring and integration of changes, verification of changes and removal of tracking
0.38 2021-01-19 S. Krenn (AIT): Updates of AIT-related activities
0.39 2021-01-21 M. Miller / V. Menezes Miller (CONCEPT): Updates, editing, integration
0.40 2021-01-21 V. Gil Laredo (BBVA): Updated activities
0.41 2021-01-21 M. Miller / V. Menezes Miller (CONCEPT): Editing, authoring and integration of changes, verification of changes and removal of tracking
0.42 2021-01-22 V. Menezes Miller (CONCEPT): Last second review changes
0.43 2021-01-26 P. Hamm (GUF): High-level review changes
0.44 2021-01-27 V. Menezes Miller (CONCEPT): Final formatting, Figure 1 modification, list of references
1.0 2021-01-31 Peter Hamm (GUF): Final Edits
List of Contents

1 Introduction ..... 1
2 Landscape of Consortium Standardization Activities ..... 2
2.1 Standardization Organizations ..... 2
2.1.1 CEN/CENELEC ..... 3
2.1.2 European Telecommunications Standards Institute (ETSI) ..... 4
2.1.3 International Organization for Standardization (ISO) ..... 9
2.1.4 International Telecommunications Union (ITU) ..... 22
2.1.5 Internet Engineering Task Force (IETF) ..... 24
2.1.6 International Electrotechnical Commission (IEC) ..... 27
2.1.7 Organization for the Advancement of Structured Information Standards (OASIS) ..... 27
2.1.8 World Wide Web Consortium (W3C) ..... 28
2.2 National Standardization Bodies ..... 29
2.2.1 Estonian Centre for Standardisation (EVS) ..... 29
2.2.2 Finnish Standards Association (SFS) ..... 30
2.2.3 Austrian Standards International (ASI) ..... 31
2.2.4 German Standardization Body for Information Technologies (DIN) ..... 31
2.2.5 Italian Standardization Body for Information Technologies (UNINFO) ..... 32
2.2.6 Standards Norway (SN) ..... 32
2.2.7 Spanish Association for Standardization (UNE) ..... 33
2.2.8 National Institute of Standards and Technology (NIST) – USA ..... 34
2.3 Other Bodies ..... 36
2.3.1 Alliance for Internet of Things Innovation (AIOTI) ..... 36
2.3.2 Cloud Security Alliance ..... 36
2.3.3 Criminal Use of Information Hiding (CUIng) Initiative ..... 37
2.3.4 CSPCERT – European Cloud Service Provider Certification Working Group ..... 38
2.3.5 Directorate-General for Communications Networks, Content and Technology (DG CONNECT) ..... 39
2.3.6 Estonian Information Security Authority ..... 39
2.3.7 European Banking Federation (EBF) ..... 40
2.3.8 European Cyber Security Organization (ECSO) ..... 41
2.3.9 European Payments Council (EPC) ..... 44
2.3.10 European Union Agency for Cybersecurity (ENISA) ..... 45
2.3.11 European Union Agency for Law Enforcement Cooperation (Europol) ..... 46
2.3.12 Financial Services Information Sharing and Analysis Center (FS-ISAC) ..... 47
2.3.13 G7 Cyber Expert Group ..... 48
2.3.14 Institute of Electrical and Electronics Engineers (IEEE) ..... 48
2.3.15 Innovation and Networks Innovation Agency (INEA) ..... 49
2.3.16 Trusted Computing Group (TCG) ..... 50
2.3.17 ZKProof ..... 51
3 Impact Upon CyberSec4Europe Objectives ..... 52
4 Conclusions, Recommendations and Next Steps ..... 55

List of Figures

Figure 1: Consortium members participating in SDOs and other standardization-related bodies ..... 2

List of Tables

Table 1: Brief summary of deliverable chapters ..... 1
Table 2: Partners' involvement in CEN/CENELEC ..... 3
Table 3: Partners' involvement in ETSI ..... 6
Table 4: Milestones for ETSI T004 ..... 7
Table 5: Partners' involvement in ISO/IEC JTC 1/SC 27 ..... 15
Table 6: Partners' involvement in ISO/IEC JTC 1/SC 37 ..... 15
Table 7: Partners' involvement in ISO/PC 317 ..... 16
Table 8: Partners' involvement in ISO/TC 307 ..... 16
Table 9: Partners' involvement in ISO/TC 215 ..... 17
Table 10: Partners' involvement in ITU ..... 23
Table 11: Partners' involvement in IETF ..... 25
List of Acronyms

AAA Authentication, Authorization and Accounting
API Application Programming Interface
CD Committee Draft
CEF Connecting Europe Facility
CEG Cyber Expert Group
CIM Context Information Management
CSA Cloud Security Alliance
DIS Draft International Standard
DSI Digital Service Infrastructure
DLT Distributed Ledger Technologies
DPM Data Processing and Management
EBF European Banking Federation
ECSO European Cyber Security Organization
ENISA European Union Agency for Cybersecurity
EPC European Payments Council
ETSI European Telecommunications Standards Institute
EUROPOL European Union Agency for Law Enforcement Cooperation
FDIS Final Draft International Standard
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IIF International Institute of Finance
INEA Innovation and Networks Innovation Agency
IS International Standard
ISACA Information Systems Audit and Control Association
ISO International Organization for Standardization
ITU International Telecommunications Union
JTC Joint Technical Committee
JWG Joint Working Group
LAKE Lightweight Authenticated Key Exchange
LD Linked Data
LoRaWAN Long Range Wide Area Network
LSP Large Scale Pilots
MISP Malware Information Sharing Platform
NGSI Next Generation Services Interface
NIST National Institute of Standards and Technology
OBA Open Banking Architecture
OMA Open Mobile Alliance
OASIS Organization for the Advancement of Structured Information Standards
PDTR Preliminary Draft Technical Report
PDTS Preliminary Draft Technical Specification
SDO Standards Developing Organizations
SEPA Single Euro Payments Area
SG Study Group
TEE Trusted Execution Environment
TCG Trusted Computing Group
TNC Trusted Network Communications
TPM Trusted Platform Module
TR Technical Report
TS Technical Specification
UNE Spanish Association for Standardization
W3C World Wide Web Consortium
WD Working Draft
WG Working Group
WP Work Package

List of Acronyms of Consortium Partners

ABI ABI LAB-CENTRO DI RICERCA E INNOVAZIONE PER LA BANCA
AIT AUSTRIAN INSTITUTE OF TECHNOLOGY GMBH
ARCH ARCHIMEDE SOLUTIONS SARL
ATOS ATOS SPAIN SA
BBVA BANCO BILBAO VIZCAYA ARGENTARIA SA*
BRNO MASARYKOVA UNIVERZITA
C3P UNIVERSIDADE DO PORTO
CNR CONSIGLIO NAZIONALE DELLE RICERCHE
CONCEPT CONCEPTIVITY SARL
CTI INSTITOUTO TECHNOLOGIAS YPOLOGISTON KAI EKDOSEON DIOFANTOS
CYBER CYBERNETICA AS
DAWEX DAWEX SYSTEMS
DTU DANMARKS TEKNISKE UNIVERSITET
ENG ENGINEERING - INGEGNERIA INFORMATICA SPA
FORTH FOUNDATION FOR RESEARCH AND TECHNOLOGY HELLAS
GEN COMUNE DI GENOVA
GUF JOHANN WOLFGANG GOETHE-UNIVERSITAT FRANKFURT AM MAIN
I-BP INFORMATIQUE BANQUES POPULAIRES
ICITA INTERNATIONAL CYBER INVESTIGATION TRAINING ACADEMY SDRUZHENIE
ISGS INTESA SANPAOLO SPA
JAMK JYVASKYLAN AMMATTIKORKEAKOULU
KAU KARLSTADS UNIVERSITET
KUL KATHOLIEKE UNIVERSITEIT LEUVEN
NEC NEC LABORATORIES EUROPE GMBH
NTNU NORGES TEKNISK-NATURVITENSKAPELIGE UNIVERSITET NTNU
OASC OPEN & AGILE SMART CITIES
POLITO POLITECNICO DI TORINO
SIE SIEMENS AKTIENGESELLSCHAFT
SINTEF SINTEF AS
TDL TRUST IN DIGITAL LIFE
TLEX TIME.LEX
TUD TECHNISCHE UNIVERSITEIT DELFT
UCD UNIVERSITY COLLEGE DUBLIN, NATIONAL UNIVERSITY OF IRELAND, DUBLIN
UCY UNIVERSITY OF CYPRUS
UM UNIVERZA V MARIBORU
UMA UNIVERSIDAD DE MALAGA
UMU UNIVERSIDAD DE MURCIA
UNILU UNIVERSITE DU LUXEMBOURG
UNITN UNIVERSITA DEGLI STUDI DI TRENTO
UPRC UNIVERSITY OF PIRAEUS RESEARCH CENTER
UPS-IRIT UNIVERSITE PAUL SABATIER TOULOUSE III
VAF VaF, S. R. O.
VTT TEKNOLOGIAN TUTKIMUSKESKUS VTT Oy
1 Introduction

This Cybersecurity Stakeholder Engagement Plan provides a snapshot of the engagement of the Consortium of 43 partners in standardization activities and of their collaboration and relationships with standardization bodies.

Although the CyberSec4Europe Consortium partners carry out significant standardization activities with a direct relationship to the objectives of the project, standardization efforts are long-term by nature: many of these activities began well before the start of the CyberSec4Europe pilot project, and many will continue well beyond the life of the project, also ensuring a legacy for the work that was done. There are also important standardization activities that have no direct link to the CyberSec4Europe objectives but can nevertheless be considered critical for the future. We have therefore specifically noted those areas where there is a direct link between standardization activities and the project objectives.

The overall impact of the CyberSec4Europe Consortium standardization efforts is significant now and well into the future. At the same time, these efforts represent more than just the connection to the CyberSec4Europe project objectives, so we have taken the opportunity to include work efforts that are not directly linked as well. As a result, others can benefit from this knowledge even at an early stage, as sharing enables many to profit from these opportunities. Furthermore, this demonstrates the depth and breadth of the capabilities and efforts undertaken by our partners.

It is also important to note that CyberSec4Europe Deliverable 8.2 is a companion document to this Deliverable 8.3: D8.2 addresses the linkages of standards to the different demonstrations, elements and work within the CyberSec4Europe project. D8.2 thus maps what is being done to the relevant standards, and hence to the standardization work described in this D8.3.

Table 1 below provides a brief summary of the content of this deliverable. While it is mainly a stocktaking exercise, it also contains comments on the strategic opportunities and challenges for Europe.

Chapter / Title
Chapter 2: Describes the involvement of Consortium partners in standardization activities and related and precursor activities
Chapter 3: Impact upon CyberSec4Europe objectives
Chapter 4: Conclusions
Table 1: Brief summary of deliverable chapters
2 Landscape of Consortium Standardization Activities

Between March and June 2019, information was collected from all partners concerning their involvement in standardization activities: specifically, the standards groups they participate in, their area of interest, the ongoing activity and the focal point in each case. This was the basis for D8.1 – Cybersecurity Standardization Engagement Plan. Between July 2019 and January 2021, these standardization activities were further updated to include information that relates the partner involvement to the objectives of the project.

Figure 1 contains a snapshot of the standards bodies and/or related organizations in which partners are involved, including national standardization offices and “Other Bodies”, the latter of which have an indirect impact on standardization (see Section 2.3).

[Figure 1: bar chart “Standardization Activities of the Consortium”, showing the number of consortium members (scale 0 to 18) participating in Other Bodies, National Standardization Bodies, ISO, ETSI, CEN/CENELEC, IETF, ITU, IEC, OASIS and W3C.]
Figure 1: Consortium members participating in SDOs and other standardization-related bodies

2.1 Standardization Organizations

This section contains information on the main standardization organizations and activities in which our partners have indicated they participate. A list of the working group(s)/committee(s) in which a partner of the consortium is a member is provided, together with a brief explanation of the specific standard or area in which the partner is involved and the current status of that activity.
2.1.1 CEN/CENELEC

“The European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) are two distinct private international non-profit organizations based in Brussels. By setting common standards that are applied across the whole of the European single market, CEN and CENELEC ensure the protection of consumers, facilitate cross-border trade, ensure the interoperability of products, encourage innovation and technological development, include environmental protection and enable businesses to grow. Products and services that meet these European Standards (ENs) can be offered and sold in all of the participating countries. CEN and CENELEC bring together the national standards agencies of 34 countries.” (Extract from the CEN/CENELEC web site.)

Web site: www.cencenelec.eu/Pages/default.aspx

The Committee and Focus Group of CEN/CENELEC in which partners of the Consortium are involved are:
• CEN/CLC/JTC 13 “Cybersecurity and Data Protection”, which has six Working Groups (WGs)
• CEN/CENELEC Focus Group on Blockchain and DLT, which advises on EU technical requirements relating to blockchain and Distributed Ledger Technologies (DLT). The Focus Group does not develop standards.

Committee: CEN/CLC/JTC 13
Title: Cybersecurity and Data Protection
Partners: GUF
Relation to CyberSec4Europe: CEN/CLC/JTC 13 is the Committee for Cybersecurity and Data Protection in CEN/CENELEC. It is one of Europe’s fora for this topic and has strategic relevance for European standardization in the field. Hence it is important for, e.g., WP 8 Standardization and all its tasks. More details can be found in Section 2.1.1.1.

Focus Group: CEN/CENELEC Focus Group on Blockchain and DLT
Partners: NTNU
Relation to CyberSec4Europe: The CEN/CENELEC Focus Group on Blockchain and DLT focused on preliminary investigations on blockchain and Distributed Ledger Technologies (DLT) in the context of European deployments and standardization. These results are relevant to the project, especially within Task 3.2, where it is envisioned to investigate distributed access control using blockchain.

Table 2: Partners' involvement in CEN/CENELEC

The following describes the participation of each partner in the above-mentioned Committee and Focus Group.
2.1.1.1 GUF: CEN/CLC/JTC 13

The Johann Wolfgang Goethe-Universitat Frankfurt am Main (GUF) participates in CEN/CLC/JTC 13 “Cybersecurity and Data Protection”. In general, the JTC and four of its WGs mirror the work of ISO/IEC JTC 1/SC 27 (except SC 27/WG 2), but they have recently started their own initiatives as well, either to produce guidelines to ISO/IEC standards or for specific projects, such as prEN 17529 on Data protection and privacy by design and by default and a new Work Item proposal “Privacy Information Management System per ISO/IEC 27701 – Refinements in European context” (in WG 5), often to underpin European regulation with international or adaptation standards. In addition, WG 1 functions as the “Chairman advisory group” and WG 6 as the group for “Product security”.

Current status: Several SC 27 projects are in the process of being adopted; about 8 have already been adopted by the JTC (including 27001, 29100 and 29134, the latter originally handled by the previous JTC 8) and are awaiting a CEN and CENELEC Board decision. Several CEN/CENELEC “own” projects are now also under way.

2.1.1.2 NTNU

Norges Teknisk-Naturvitenskapelige Universitet (NTNU) participates mainly in the CEN/CENELEC Focus Group on Blockchain and DLT. This European Union-based Focus Group was set up to conduct preliminary investigations on blockchain and Distributed Ledger Technologies (DLT) in the context of European deployments and standardization. The lifetime of this Group was limited to the end of 2020, and its members have been migrated to ISO/TC 307. At the beginning of 2020, CEN/CLC/JTC 19 - Blockchain and Distributed Ledger Technologies was created as a continuation of the Focus Group.

Current status: The work of the Focus Group culminated in the publication of the official Blockchain and DLT whitepaper, which summarizes the current state of the art as well as the standardization needs, risks, future directions, and current problems and solutions in this space. The Focus Group was followed by the creation of the joint technical committee for blockchain and DLT.

2.1.2 European Telecommunications Standards Institute (ETSI)

The European Telecommunications Standards Institute (ETSI) is a European Standards Organization (ESO). ETSI is the recognized regional standards body dealing with telecommunications, broadcasting and other electronic communications networks and services, with more than 900 member organizations drawn from over 65 countries and five continents.

Web site: https://www.etsi.org/

Partners are involved in the following groups:
Study Group: STF 561
Title: Smart cities and communities: standardization to meet citizen and consumer requirements
Partner involvement: OASC
Relation to CyberSec4Europe Objectives: The objective of ETSI STF 561 was to prepare and develop an ETSI Technical Report (TR) identifying the requirements for citizen-related standardization in the area of Smart City development. These requirements are closely linked to CyberSec4Europe and to WP5, Task 5.7 (Smart City Pilot). The report provides an overview of citizen and city requirements with specific recommendations on cybersecurity.

Study Group: TC CYBER
Title: Technical Committee on Cyber Security
Partner involvement: AIT
Relation to CyberSec4Europe: TC CYBER focuses on the standardization of security solutions for reliable and secure network infrastructure, privacy and data protection mechanisms, IoT security, support to EU legislation, quantum-safe cryptography, and related aspects, following a market-driven approach. The focus of TC CYBER is thus directly aligned with the ambitions of CyberSec4Europe to meet the next-generation cybersecurity challenges of the Member States and to increase the resilience of European society against cyber risks. In particular, the market-driven approach of ETSI ensures a near-term to mid-term impact of the expertise and findings of CyberSec4Europe on a broad scale.

Study Group: ISG CIM
Title: Industry Specification Group Context Information Management
Partner involvement: UMU
The purpose of this Work Item is to provide a state-of-the-art assessment of security and privacy issues associated with ISG CIM specifications, in particular those related to the API, Data Publishing Platforms and Data Model Work Items. The WG focuses on several issues that need to be addressed, including but not limited to provenance of data, assuring privacy and security between stakeholders, assuring trust, and understanding how to ensure that the aggregation of data does not increase the attack surface or compromise privacy.
Relation to CyberSec4Europe: The work of this group relates to WP5, Task 5.6 and the deployment of security for smart city and IoT solutions; the contribution of CS4E has focused on the security and privacy aspects of the NGSI-LD models.

Study Group: T004
Title: Specialist Testing Taskforce T004 (ISG CIM)
Partner involvement: OASC
OASC is part of ETSI T004, which has the objective of producing a conformance test suite for the NGSI-LD API (see ISG CIM) specification and a testing environment to execute and validate the test cases.
Relation to CyberSec4Europe: The work of Testing Taskforce T004 relates to the overall objective of CyberSec4Europe, i.e. to pave the way for a sustainable cybersecurity ecosystem through the development and pilot operation of a feasible governance model for a Cybersecurity Competence Network, thoroughly tested through successful pilot projects addressing important industrial challenges in the area of smart cities. Specifically, the T004 activities relate to WP5, Task 5.6 and the deployment of security for smart city and IoT solutions; the contribution of CS4E has focused on the security and privacy aspects of the NGSI-LD models. T004 particularly contributes to Technical Objective 3, as it provides testing and certification services to the smart city community linked to the work on ISG CIM.

Study Group: ISG NFV
Title: Industry Specification Group for Network Functions Virtualization
Partner involvement: POLITO
Relation to CyberSec4Europe: The work of ISG NFV is relevant to WP3 and WP4 because it develops architectures, reference models and prototypes for NFV in general, including the security aspects. As such, it is relevant to the project for the aspects related to network security and the automatic management of network-based security controls.

Table 3: Partners' involvement in ETSI

The following describes the participation of each partner in the above-mentioned committees and groups:

2.1.2.1 AIT

The Austrian Institute of Technology GmbH (AIT) participates in TC CYBER, which is the most security-focused technical committee within ETSI. The committee works with stakeholders to increase privacy and security for citizens and organizations in Europe and beyond. As explained in Table 3, TC CYBER covers aspects such as cyber security ecosystems, IoT security, critical infrastructures, personal data protection and cryptography. AIT contributed webinar talks on the standardization efforts of ETSI towards attribute-based encryption and post-quantum cryptography in the “Even More Advanced Cryptography” track at the ETSI virtual Security Week 2020. Furthermore, AIT experts provided comments and feedback on the current draft technical report ETSI TR 103 616 on “Quantum Safe Signatures”. This activity is also related to WP2, Task 3.2, which among others investigates technologies providing long-term integrity guarantees. All contributions to TC CYBER are performed in close collaboration with, and under the lead of, the ECSEL Joint Undertaking SECREDAS [1].

2.1.2.2 BBVA

Banco Bilbao Vizcaya Argentaria SA (BBVA) has been in contact with ETSI to explore future collaborations and has also invited ETSI to participate in a cloud stakeholder plenary session, for ETSI to present itself and to explain the challenges and solutions it sees with certifications in Europe; however, BBVA is currently not a member of ETSI.

[1] https://secredas-project.eu/
2.1.2.3 OASC

ETSI STF 561: As a representative of 156 cities and communities in Europe and beyond, Open & Agile Smart Cities (OASC) has participated in ETSI STF 561: “Smart cities and communities: standardisation to meet citizen and consumer requirements”. In STF 561, OASC has the role of Advisory Group Member to the Special Task Force, with the ambition to highlight critical aspects for consideration from the point of view of the city concerning interoperability of data and services as well as cybersecurity linked to the specific pilot operations of CyberSec4Europe. In September 2020, ETSI STF 561 published the final report, which is available online [i]. The report highlights, among other critical aspects for smart cities, the needs of citizens for protecting data and safeguarding ethical values in data management and protection of personal data. The report highlights the need for the work carried out by the smart city pilot in Task 5.7, and specifically recommends to:

1. “Provide guidance for cities, oriented towards protection of the citizen, on security measures to be implemented across the city, and for individual services
2. Provide guidance to city personnel who have legitimate access to city services and technology, to protect citizen security, including staff training and a code of good practice for management
3. Review physical security arrangements by cities in the context of the vulnerabilities these create for city services, and the requirements to ensure the safety and security of citizens.”

ETSI T004: ETSI has set up a specialist testing task force for ISG CIM with the goal to produce a conformance test suite for the NGSI-LD API specification and a testing environment to execute and validate the test cases, which will be of relevance for the smart city pilot activities (WP5, Task 5.7). Recently, in June 2020, the first milestone was achieved. The work will be concluded in March 2021 (see Table 4 below).

Code | Task / Milestone | Target Date
Milestone A | Progress Report approved by ISG CIM; D1-1, D1-2 and D2 Drafts V1.0.1 accepted by ISG CIM | From May 2020 to Jul 2020
Milestone B | Progress Report approved by ISG CIM; D3 and D4 Draft V1.0.1 accepted by ISG CIM | Dec 2020
Milestone C | Final Report and D1, D2, D3, D4 and D5 Final Drafts approved by ISG CIM | Jan 2021
Milestone D | D1-1, D1-2, D2, D3, D4 and D5 published and TTF closed | Mar 2021

Table 4: Milestones for ETSI T004
2.1.2.4 UMU

Universidad de Murcia (UMU) is working in the ETSI Industry Specification Group for cross-cutting Context Information Management (ISG CIM). This group has released the NGSI-LD API, an extension of the Next Generation Services Interface (NGSI) provided by the Open Mobile Alliance (OMA), which has been extended to support linked data (LD). The main activity of UMU in this work is related to security and privacy. The goal of this activity is to introduce these considerations from the point of view of the information itself. Currently, Juan A. Martinez is rapporteur for WI-007-SEC [ii] of this group.

Current status: Regarding the work on ISG CIM, UMU is actively collaborating in this Working Group by attending regular meetings, as well as through the development of Work Item 007. There has been a second release of this document, in which different security and privacy mechanisms such as authentication, authorization and confidentiality have been considered. Additionally, UMU is working on using the current NGSI-LD vocabulary as a means to represent security properties that can be associated with entities represented using NGSI-LD.

2.1.2.5 POLITO

Politecnico di Torino (POLITO) is working on the security aspects of network functions within the ETSI Industry Specification Group for Network Functions Virtualization. More specifically, the emphasis of the work of POLITO is on trust and integrity verification of software-defined infrastructures. As POLITO is not a full member of ETSI, it works in cooperation with Telefonica and Hewlett-Packard and participates in meetings upon their invitation.
2.1.3 International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) is based in Geneva, Switzerland, and is an independent, non-governmental international organization with a membership of 165 national standards bodies and 783 technical committees and subcommittees that take care of standards development. Together with IEC, it operates the Joint Technical Committee (JTC) 1 “Information Technology”, which in turn has several subcommittees, e.g. SC 27 and SC 37.

The scope of ISO/IEC JTC 1/SC 27 is the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as security requirements capture methodology, management of information and ICT security, cryptographic and other security mechanisms, security aspects of identity management, biometrics and privacy, conformance assessment, accreditation and auditing requirements in the area of information security management systems, and security evaluation criteria and methodology.

The scope of ISO/IEC JTC 1/SC 37 is the standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include for instance:
• Biometric application programming interfaces,
• Biometric data interchange formats,
• Application of evaluation criteria to biometric technologies.
• The mission of ISO/IEC JTC 1/SC 37 is to ensure a comprehensive and high priority, worldwide approach for the development and approval of international biometric standards.

Web site: www.iso.org

Partners of the Consortium are involved in the following committees:

• ISO/IEC JTC 1/SC 27 “Information Security, cybersecurity and privacy protection” and ISO/IEC JTC 1/SC 37 “Biometrics”, which are subcommittees of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). SC 27 aims at developing standards for the protection of information and ICT.
  o SC 27 currently has published 198 ISO/IEC standards (includes updates), 86 ISO/IEC standards are under development (includes updates); there are 48 participating members and 32 observing members from all over the world. [iii]
  In the February and October 2020 general meetings of CyberSec4Europe, we discussed how the partners can contribute to commenting on the standard projects using the methods that ISO/IEC JTC 1/SC 27 uses. We decided on the following procedure. We will share the names of the standards in WG 2 and WG 5 and their scope with all the project partners. Then, we will make the standard drafts available on request and we will consolidate the received comments. Then, we will send these to the list for partners to review and agree upon (as our contribution needs to be commonly accepted within the project). If there are disputes, we will hold a meeting to resolve any issues. If a unanimous solution cannot be found, the comments under question will not be sent to the editors of the standard. Even though liaison organizations are not required to, we will endeavor to send the comments by the date that the comments from national bodies are due (these dates differ for different WGs and different standard projects) to have a higher rate of acceptance of comments.
  o SC 37 currently has published 131 ISO/IEC standards (includes updates), 31 ISO/IEC standards are under development (includes updates); there are 28 participating members and 20 observing members. [iv]
• ISO/PC 317 “Consumer protection: privacy by design for consumer goods and services” currently has 15 participating members and 25 observing members. There is one ISO standard under development. [v]
• ISO/TC 307 “Blockchain and distributed ledger technologies” currently has published 3 ISO standards, 10 ISO standards are under development; there are 44 participating members and 13 observing members. [vi]
• ISO/TC 215 “Health informatics” currently has published 201 ISO standards (includes updates), 67 ISO standards are under development (includes updates); there are 28 participating members and 35 observing members. [vii]

Table 5 to Table 9 provide a breakdown of the committees, Working Groups and involvement of each partner.
Technical Committee/Sub-Committee/Committee/Study Group | Title of Committee / Identification Number and title of standard | Partners involved | Related Vertical and/or WP Task
ISO/IEC JTC 1/SC 27 | Information Security, cybersecurity and privacy protection | |
ISO/IEC JTC 1/SC 27/WG 1 | Information security management systems | ATOS | WP3, Tasks T3.2, T3.4; WP5, Tasks T5.4, T5.6
ISO/IEC 27005:2018 | Information security risk management | ATOS | WP3, Tasks T3.4, T3.5; WP5, Task T5.4
ISO/IEC 27010:2015 | Information security management for inter-sector and inter-organizational communications | ATOS | WP3, Tasks T3.4, T3.5; WP5, Task T5.4
ISO/IEC JTC 1/SC 27/WG 2 | Cryptography and security mechanisms | AIT, CYBER | WP3, Task T3.2; WP5, Task T5.3
ISO/IEC 19592-1:2016 | Secret sharing – Part 1: General | CYBER | WP3, Task T3.2
ISO/IEC 19592-2:2017 | Secret sharing – Part 2: Fundamental Mechanisms | AIT, CYBER | WP3, Task T3.2
ISO/IEC DIS 23264-1 | Redaction of Authentic Data – Part 1: General | CYBER, AIT | WP3, Task T3.2; WP5, Task T5.3
ISO/IEC CD 23264-2 | Redaction of Authentic Data – Part 2: Schemes based on asymmetric mechanisms | AIT | WP3, Task T3.2; WP5, Task T5.3
ISO/IEC DIS 20009-3 | Anonymous entity authentication – Part 3: Mechanisms based on blind signatures | AIT | WP3, Task T3.2; WP5, Task T5.3
ISO/IEC WD 4922-1 | Secure multiparty computation – Part 1: General | AIT, CYBER | WP3, Task T3.2
ISO/IEC WD 4922-2 | Secure multiparty computation – Part 2: Mechanisms based on secret sharing | AIT, CYBER | WP3, Task T3.2
ISO/IEC WD 20008-2 AMD2 | Anonymous digital signatures – Part 2: Mechanisms using a group public key – Amendment 2 | AIT | WP3, Task T3.2; WP5, Task T5.3
ISO/IEC JTC 1/SC 27/WG 3 | Security evaluation, testing and specification | NTNU, GUF | WP 7, Tasks T7.1, T7.3 (NTNU); WP 7 (GUF)
ISO/IEC JTC 1/SC 27/WG 4 | Security controls and services | GUF | WP 5
ISO/IEC CD 20547-4 | Big data reference architecture – Part 4: Security and Privacy | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC JTC 1/SC 27/WG 5 | Identity management and privacy technologies | AIT, ATOS, CYBER, GUF, NTNU | WP3, Tasks T3.2, T3.3, T3.7; WP5, Tasks T5.3, T5.6, T5.7; WP 8, all Tasks
ISO/IEC 17922:2017 | Telebiometric authentication framework using biometric hardware security module | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 20889:2018 | Privacy enhancing data de-identification terminology and classification of techniques | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 24745:2011 | Biometric information protection | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 24760-1:2011, 2019 | A framework for identity management – Part 1: Terminology and concepts | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 24760-2:2015 | A framework for identity management – Part 2: Reference architecture and requirements | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 24760-3:2016 | A framework for identity management – Part 3: Practice | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC DTS 27006-2 | Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 27550:2019 | Privacy engineering for system life cycle processes | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC DIS 27551 | Requirements for attribute-based unlinkable entity authentication | AIT, GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 27701:2019 (was 27552) | Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management – Requirements and guidelines | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC CD 27553 | Security requirements for authentication using biometrics on mobile devices | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC WD 27554 | Application of ISO 31000 for assessment of identity management-related risk | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC DIS 27555 | Establishing a PII deletion concept in organizations | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC CD 27556 | User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC WD 27557 | Organizational privacy risk management | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC WD 27559 | Privacy enhancing data de-identification framework | GUF, CYBER | WP3, Tasks T3.2, T3.3, T3.7; WP5, Task T5.3
ISO/IEC WD 27560 | Consent record information structure | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC NP TS 27561 | Privacy operationalisation model and method for engineering (POMME) | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC NP 27562 | Privacy guidelines for fintech services | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC TS 29115:2013 | Entity authentication assurance framework | ATOS, AIT, GUF | Tasks T3.2 and T5.3
ISO/IEC 29134:2017 | Privacy impact assessment – methodology | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 29146:2016 | A framework for access management | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 29151:2017 | Code of practice for PII protection | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 29190:2015 | Privacy capability assessment model | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC 29191:2012 | Requirements for partially anonymous, partially unlinkable authentication | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3
ISO/IEC DIS 29184:2019 | Online privacy notice and consent | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3

Relation to CyberSec4Europe: Several projects in SC 27 are related to WPs and tasks in CyberSec4Europe. The respective standards help to describe the state of the art. New results from CyberSec4Europe can be integrated into new and revised standards. This subcommittee works on standards for information security, cybersecurity and privacy protection. These topics are all relevant to the objectives of CyberSec4Europe. ISO/IEC JTC 1/SC 27 is dedicated to the development of standards for the protection of information and ICT, including information security management systems (WG 1), cryptography (WG 2), security evaluation, testing and specification (WG 3), security controls and services (WG 4), and identity management and privacy technologies (WG 5). The relation to CyberSec4Europe in particular includes the following aspects:

• WG 1 (Information security management systems) manages one of the most used information security standards, ISO/IEC 27001, and its companions, including ISO/IEC 27005, which deals with information security risk management. Several of the assets developed in WP 3 and WP 5 deal with risk assessment and management, so this is an important source of information.
• WG 2 (Cryptography and security mechanisms) provides standardization for the cryptographic and security mechanisms that are the building blocks for most assets included in WP3 and WP 5. The standardization of cryptographic mechanisms is of crucial importance to increase the reliability, interoperability, and security of cyber security solutions. WG 2 provides a platform to standardize advanced cryptographic mechanisms (e.g., redactable signatures, group and ring signatures, secure multi-party computation) investigated in particular within T3.2. For example, the Sharemind (CYBER) asset from Task 3.2 uses multi-party computation based on secret sharing, which is currently under standardization in WG 2.
• WG 5 (Identity management and privacy technologies) is dedicated to identity management and privacy technologies and is therefore directly related to the cryptographic protocols developed within WP3, Task 3.2, as well as to the CyberSec4Europe demonstrator on privacy-preserving identity management (WP5, Task 5.3), Task 5.6 (medical data exchange) and Task 5.7 (smart cities). Furthermore, the ambition of WG 5 is directly linked to the CyberSec4Europe objective to increase the security and privacy of end users in an increasingly interconnected world.

Table 5: Partners involvement in ISO/IEC JTC 1/SC 27

Technical Committee/Sub-Committee/Committee/Study Group | Title of Committee | Partners involved | Related Vertical and/or WP Task
ISO/IEC JTC 1/SC 37 | Biometrics | |
ISO/IEC JTC 1/SC 37/WG 3 | Biometric Data Interchange Formats | NTNU | WP3, Task 3.6

Relation to CyberSec4Europe: ISO/IEC JTC 1/SC 37 focuses on the standardization of biometric technologies to support interoperability and data interchange among applications and systems. This is directly related to WP3, Task 3.6, which among others focuses on specifying a unified validation framework to test both usability and security requirements of biometric-based and multi-modal user authentication mechanisms.

Table 6: Partners involvement in ISO/IEC JTC 1/SC 37
Technical Committee/Sub-Committee/Committee/Study Group | Title of Committee / Identification Number and title of standard | Partners involved | Related Vertical and/or WP Task
ISO/PC 317 | Consumer protection: privacy by design for consumer goods and services | GUF | WP3, Tasks T3.2, T3.7; WP5, Task T5.3; WP 8, all tasks

Relation to CyberSec4Europe: Project Committee ISO/PC 317 works on ISO CD 31700 Consumer protection — Privacy by design for consumer goods and services. This is relevant for e.g. WP3, Tasks T3.2, T3.7 and WP5, Task T5.3, but also for WP 8 and its tasks.

Table 7: Partners involvement in ISO/PC 317

Technical Committee/Sub-Committee/Committee/Study Group | Title of Committee / Identification Number and title of standard | Partners involved | Related Vertical and/or WP Task
ISO/TC 307 | Blockchain and distributed ledger technologies | NTNU |
ISO/TC 307/WG 1 | Foundations | NTNU | WP3, Task 3.2
ISO/TC 307/WG 2 | Security, privacy and identity | NTNU | WP3, Task 3.2
ISO/TC 307/WG 3 | Smart contracts and their applications | NTNU | WP3, Task 3.2
ISO/TC 307/WG 5 | Governance | NTNU | WP3, Task 3.2
ISO/TC 307/SG 2 | Use cases | NTNU | WP3, Task 3.2
ISO/TC 307/SG 7 | Interoperability of blockchain and distributed ledger technology systems | NTNU | WP3, Task 3.2

Relation to CyberSec4Europe: This is the international committee for standardization in the blockchain and DLT space. The work goes on in multiple study and working groups, as described above. The work of the committee is relevant to the project and vice versa, especially within WP3, Task 3.2, where it is envisioned to investigate distributed access control using blockchain, addressing applications in IoT, and to investigate approaches that achieve extreme privacy- and integrity-preserving storage and processing of critical data with long-term protection requirements.

Table 8: Partners involvement in ISO/TC 307
Technical Committee/Sub-Committee/Committee/Study Group | Title of Committee / Identification Number and title of standard | Partners involved | Related Vertical and/or WP Task
ISO/TC 215 | Health Informatics | |
ISO/TC 215 IEC/SC 62A/JWG 7 | Safe, effective and secure health software and health IT systems, including those incorporating medical devices | UCD | T5.6
IEC 80001-1:2010 | Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities | UCD | T5.5, T3.5
ISO TR 80001-2-7:2015 | Application of risk management for IT-networks incorporating medical devices – Application guidance – Part 2-7: Guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC 80001-1 | UCD | T5.5, T3.5
ISO/IEC Study Group | Societal and Human Factors in IoT Based Services | ARCH |

Relation to CyberSec4Europe: The objective of ISO/TC 215 IEC/SC 62A/JWG 7 is to identify standards for the development of secure software in the area of health informatics. This objective is directly linked to CyberSec4Europe and Task 5.6 (Medical Data Exchange Pilot). The latter aims to identify requirements and security best practices for the exchange of data collected using medical devices. The objectives of IEC 80001-1:2010 and ISO TR 80001-2-7:2015 are, respectively, to apply risk management to networks incorporating medical devices and to assess conformance with it. This objective is directly linked to WP3, Task 3.5 of CyberSec4Europe, which partly aims to explore an approach to adapt risk assessment activities depending on varying contextual factors. Also, the report produced in these standards will inform the activities of WP5, Task 5.5 (Maritime Transport Pilot), which aims to provide a risk assessment approach in networks of communicating vessels.

The objective of ETSI STF 561 was to prepare and develop an ETSI Technical Report (TR) identifying the requirements for citizen-related standardization in the area of Smart City development. The report identifies requirements for citizen-related standardization in the area of Smart City development which are closely linked to CyberSec4Europe and WP5, Task 5.7 (Smart City Pilot). The report provides an overview of citizen and city requirements with specific recommendations on cybersecurity.

Table 9: Partners involvement in ISO/TC 215