HOME & OFFICE: SWEET AND SECURE? - THE INTERVIEW - ETSI
APRIL 2021

THE INTERVIEW: Paul Browne, CTO Assa Abloy UK. p.4-5
TECH HIGHLIGHTS: Deep dive on quantum safe hybrid key exchange. p.10-11
IN THE SPOTLIGHT: Standards to the rescue: Saving IoT security for consumers. p.13-14-15

HOME & OFFICE: SWEET AND SECURE?
Editorial

IoT devices have become commonplace at home. We open our doors with smart locks, switch on lights and music with a smart home voice controller and make sure our cake will be ready on time in our smart oven when it's time for dinner. We share our computers and tablets among the family members and overall increase our activity online, bridging office and home when working remotely. But this ubiquitous connected environment opens new doors to cybersecurity breaches and raises the question of ensuring that our homes and offices are as sweet and secure as we would expect them to be. In this new edition of Enjoy! we let you discover how standards come to the rescue to improve security in our private and professional life.

The In the Spotlight section focuses on our EN 303 645 security guidelines for IoT consumer devices, which have been adopted by manufacturers and governmental bodies round the world, Midea dishwashers being the example of our showcase. SpyCloud CEO Ted Ross, one of our new members, explains why human intelligence remains key to preventing cyber crimes, while in an exclusive interview Assa Abloy UK CTO Paul Browne tells us how ARGE, the European Federation of Associations of Locks & Builders Hardware Manufacturers, can contribute to cybersecurity standards for smart homes.

To address future needs, our Tech Highlights outline how to exchange a cryptographic key with classical and post-quantum security, and in a second article the Vice Chair of our pandemic tracing apps group explains how they tackle the challenge of digital fragility. And then the Chair of our Permissioned Distributed Ledger group tells us why standards for distributed ledger technologies (commonly referred to as blockchain) will be key for industry and governmental institutions.

To help manage our ever-increasing online activity, we have also developed guidelines and standards supporting it. US-based Digicert explains why Europe has led the world in unifying identity proofing standards. An upcoming Plugtest™ will let industry test our guidelines for modern Electronic Registered Delivery Services, while our Centre for Testing and Interoperability has developed a now popular free online tool that performs numerous checks to verify the conformity of ETSI Advanced Electronic Signatures, those we use for signing contracts online.

And there's more, so now: enjoy reading!

Luis Jorge Romero, Director-General ETSI

Contents
The Interview: Paul Browne, CTO & Business Development Director, Assa Abloy UK. P4/5
Meet the New Standards People. P6/7
New Member Interview: Ted Ross, CEO SpyCloud. P8/9
Tech Highlights: Deep dive on quantum safe hybrid key exchange. P10/11
In the Spotlight: Home & Office: sweet and secure? P13-15
Blockchain: An Industrial Framework for Blockchains. P18/19
What's On? Upcoming events. P26/27

Enjoy! The ETSI Mag. Edited and published by ETSI. Quarterly edition. Copyright ETSI 2021.
Director of Publications: Nadja Rachow. Editor-in-Chief: Claire Boyer. Design: Le Principe de Stappler.
Editorial office: ETSI, 650 route des Lucioles, 06560 Valbonne France. Tel.: +33 (0)4 92 94 43 35. enjoy@etsi.org

2 ENJOY THE ETSI MAG
News Roundup

ETSI IoT Week 2021 goes virtual
The ETSI IoT Week is back on 26-30 April 2021 as a fully virtual event providing the latest IoT industry and standards updates. This year's edition will focus on the major IoT standards achievements that support the digitalization of society, business, and multiple industries across numerous sectors. It will also focus on how such digitalization enables countermeasures against the current pandemic. The event will cover oneM2M with service experiences and best practices; IoT in the face of the pandemic, addressing digitalization and countermeasures; IoT cybersecurity for consumers, smart cities, e-Health and SMEs; Artificial Intelligence in IoT; as well as other key topics.

New group on IPv6 Enhanced Innovation
In the 5G and cloud era, IPv6 will grow rapidly. Strengthening new generation IP network technologies based on IPv6 and its innovative technologies has become the common direction of the IP industry. To tackle the increasing industry needs for IPv6 adoption in multiple use cases and scenarios, ETSI has recently launched ISG IPv6 Enhanced Innovation (IPE). IPE members include 45 organizations to date, comprising carriers, vendors, and academia, working together to improve the industry ecosystem and accelerate innovation. The group will first analyse the current landscape of existing IPv6 standards deployed on prime technologies such as 5G, IoT and Cloud Computing to identify gaps and thus accelerate IPv6-based innovations. Two other reports will cover data centre and Cloud use cases on one hand and 5G Transport use cases on the other hand. The last pieces of work will define Industrial IoT/enterprise requirements and IPv6-only transition requirements across new and evolving technology domains and areas.
ETSI at ENISA Cybersecurity Standardization Conference
The European Standards Organizations, CEN, CENELEC and ETSI, joined forces with ENISA, the European Union Agency for Cybersecurity, to organize their annual conference virtually this year. The event, which took place from 2 to 4 February, attracted some 1500 participants from the EU and from around the world. The conference addressed standardization in relation to the Radio Equipment Directive (RED) and certification under the provisions of the Cybersecurity Act (CSA). ETSI Director-General, GA Chair and Board Chair as well as several cybersecurity experts from the technical committee CYBER and 3GPP outlined ETSI's strong achievements for enterprise and consumer cybersecurity standards and its input to harmonized legislation with testability of security requirements. They highlighted as well ETSI's contribution to the Cybersecurity Act as regards consumer IoT security, 5G Network Security Assurance, Trust Services, and AI security.
The Interview

From his CTO office in the UK, Paul Browne tells us why an association of locks and builders hardware manufacturers entered the world of cybersecurity standardization.

Paul Browne, CTO & Business Development Director, Assa Abloy UK, Board Member ARGE
Paul Browne is the Chief Technology Officer and Business Development Director of ASSA ABLOY UK. He started his career at Creda, the largest manufacturer of white goods in the UK, which became part of a joint venture between GE USA and General Electric Company (GEC UK). He held several executive sales and marketing positions in the company before becoming the general manager of one of their business divisions. In 2000, he joined ASSA ABLOY where he now leads product innovation and new product introductions as well as business development and strategy across channels, products and end-user markets. He is also responsible for standards development and IP. Paul is a Board Member of ARGE, the European Federation of Associations of Locks & Builders Hardware Manufacturers, member of ETSI.

How did ASSA ABLOY, a leading hardware locks manufacturer, enter the digital lock market?
It started ten years ago when we, in ASSA ABLOY UK, developed a digital door lock for residential use. At the time, we already had extensive experience in home security systems and we had the vision that people's homes in Europe would eventually become connected so that they could have the convenience and the security of controlling devices around their home.
It was at about that time that ASSA ABLOY acquired iRevo, a Korean company, which was the largest manufacturer of digital door locks for home use in the world. You have to bear in mind that in Korea, at least 50 to 60% of all homes, probably more now, have a digital door lock. So for us as a manufacturer, digital door locks, and in particular now smart door locks, have a strategic importance.

What are the benefits of digital locks for the market?
If I take the UK market, we sell a mechanical door lock for around 25 euros, and that will last 20 years. A digital door lock typically costs 200 to 300 euros and will last ten years or so. You can see that from a commercial point of view, digital door locks and smart door locks are a terrific opportunity for manufacturers. Now when you look at it from a consumer point of view, smart locks bring enhanced functionality. People can send keys by phone to family members, allow access to their homes, or check on the status of their doors and windows remotely. But unlike mechanical door locks, the life cycles of digital door locks change every two, three or five years. So as you can see, the whole dynamic is more exciting, more appealing. Digital and smart door locks, but also smart alarms, smart home security are a big opportunity for the end user's enhanced lifestyle and for the industry.
However, when we launched our digital door lock around 2010 in the UK, we had a problem. The police, insurance companies and the locksmiths were asking us to develop a standard at the request of consumers who wanted their digital or smart door locks to be secure and, at the time, there was no standard to reassure them.

You mean that the standard was actually initiated at the consumers' request?
Absolutely. The best standards originate from end users. The worst standards are those that are imposed by central governments or by European governments. We therefore started working with our national standards body, the British Standards Institute, to develop a technical specification for digital door locks. But we wanted to develop a performance standard which would give consumers the reassurance that the products are secure, that would give insurance companies a standard on which to base home insurance policies, and that would enable the police and locksmiths to give guidance and advice to consumers. Since connected IoT devices are a relatively new marketplace, we felt that unless we got a performance standard in place, with locks being potentially vulnerable to cyberattacks, that this would damage the credibility and the reputation of the market before it even took off.

And this is when you heard about ETSI?
Yes, that was two years ago when I met with the Minister of the UK Department for Digital, Culture, Media and Sport, along with other suppliers of smart home products. It was clear that the DCMS was keen to address the security of IoT devices from a cybersecurity standpoint. That's where we found out that the DCMS had worked in ETSI TC CYBER to develop the technical specification TS 103 645. That was when ARGE, in its role as the European Industry Association, made an important decision. As hardware manufacturers in ARGE, we knew that we could identify the standards for the mechanical, electromechanical and the electronic aspects of a smart door lock with CEN, but we were lacking on the cybersecurity aspect. During that meeting, we realized that the experts were in ETSI. So last year, when ARGE became a member of ETSI and we joined TC CYBER, we suggested that we create a smart door lock technical specification, which is currently under development. In parallel, we found out that ENISA's remit is to develop certification schemes, particularly for consumer IoT devices.

So, certification schemes are important as well?
Yes, we've been participating in ENISA's Cyber Certification Stakeholder Group and feeding back into the Union's Rolling Work Programme. In the European Commission, it's very clear that there is an appetite to develop certification schemes for consumer IoT devices. They see this as being important, but they also see that the level of home security connected devices needs to be somewhere between "substantial" and "high", which backs into our thinking. Within the ETSI cyber group, they identified that a smart door lock technical specification could form a pilot for a vertical product certification scheme. A smart lock standard is holistic in nature but adding the cyber security aspect combined into a certification scheme will reassure consumers. For example, in the UK, they will see the Kitemark certification logo on the box, in France, that might be the A2P logo. But as I said earlier, we were thinking of a whole series of standards.

This series of standards would be developed in ETSI?
Yes, to complement the smart door lock, they would address vertical sector products such as connected alarms, connected CCTV, connected door viewers, and so on. What we like about ETSI is the fact that they recognize and appreciate that product life cycles are shorter, that technology and cyberattacks change. And they adopt a much more flexible and pragmatic approach to standardization and developing technical specifications than other standards bodies. So, for us at ARGE the way that ETSI approached the whole concept of certification and standardization for connected IoT devices for the home is very appropriate.
Meet the New Standards People
Welcome to our NEW members

Avanti Communications, United Kingdom
Avanti Communications is a world leading provider of agile, secure and pioneering satellite technology across Europe, the Middle East and Africa. They have a proven track record of satellite connectivity services, and bring a world of opportunities to carriers, defence and security departments, government agencies and the satellite industry.

Bandwidth, USA
Bandwidth provides cloud-ready voice, messaging, and emergency service connectivity built for the enterprise. It is the only API platform provider that owns a Tier 1 network that gives better quality, rates, and control. It is also a leader in the cloud communications space, uniquely positioned to have enterprises who need high reliability and scale.

Commsquare NV, Belgium
Commsquare provides mobile data network monitoring, analysis and optimisation products and services, helping mobile operators measure network performance and extract actionable business intelligence. Their products and services deliver a holistic view of radio access and PS data network performance from a subscriber's point of view.

eID - Electronic Identification, Spain
eID is the leading provider of remote user iDentification systems via video streaming. It created VideoID which identifies the User in seconds and offers the same level of security as the face-to-face iDentification made in a commercial office.

Innovile, Spain
Innovile provides smart network management and optimisation solutions and services. Innovile offers a wide range of innovative and future-proof portfolio of self-organising network, configuration management, performance management and expert services that empower mobile network operators with real-time network intelligence and operational dynamics.

evolutionQ, USA
evolutionQ provides information on quantum-safe services. evolutionQ offers a standard set of services proven to help ensure your company's quantum-safe cyber security migration is progressive, sensible and orderly.

Exacta Global Smart Solutions, USA
Exacta offers a range of services that help companies bring Internet of Things solutions based on the oneM2M global standard from concept to deployment. It offers oneM2M project support, oneM2M training, support for deployment of the industry recognized Chordant implementation of oneM2M service layer.

Gatehouse Satcom A/S, Denmark
GateHouse delivers the software that guarantees effective and secure communication between systems. They support live tracking and monitoring of more than 150,000 assets within different businesses and delivers mission critical solutions in satellite communication for maritime authorities, coastguards, ports and related businesses.

IASME, United Kingdom
IASME is a cyber security business with products and services dedicated to help individuals and organizations to protect themselves against cyber-attacks. The IASME Governance assessment includes a Cyber Essentials assessment and GDPR requirements and is available either as a self-assessment or on-site audit.

ELA (European Lift Association), Belgium
ELA represents the lifts, escalators and moving walks active associations and their components manufacturers in the European Union and the European Free Trade Area. It has become the main communication vector of this industry to the European Commission and the European Parliament.
ISEE SSU, Ukraine
The Ukrainian scientific and research Institute of special equipment and forensic expertise of SSU is part of the Security Service of the Ukraine and ensures cyber security of the state thanks to complex measures to counter online terrorism, prevent cyber espionage, defeat hacker attacks and refute subversive activities online.

Kimeggi, France
Kimeggi consulting provides support to business in radio strategy, radio solutions and standardization. They currently monitor, attend and/or contribute in many committees to bring the most up-to-date information on standards, technologies and spectrum regulations.

MaxLinear, USA
MaxLinear delivers high-performance broadband and networking semiconductors based on its highly integrated radio frequency analogue technology, high-performance optical networking technology and its pioneering MoCA and direct broadcast satellite ODU single-wire technology. Customers include telephone, cable and satellite operators, set-top box manufacturers, networking equipment and consumer technology providers.

Mercedes-Benz, Germany
Mercedes-Benz AG is one of the largest manufacturers of premium passenger cars. The company aspires to be leading in the fields of connectivity, automated driving and alternative drives. With over 40 production sites on four continents, they align themselves to meet the requirements of electric mobility.

Schindler, Switzerland
Schindler is one of the world's leading providers of elevators, escalators, and moving walks, as well as maintenance and modernization services. The company specializes in the latest-technology engineering, as well as mechanical and microprocessor technology products designed and tested for safety, comfort, efficiency and reliability.

SK ID Solutions AS, Estonia
SK ID Solutions (SK) specializes in international e-identity solutions. They enable citizens of different countries to log in to e-services and give electronic signatures. Their main business is the certification and time-stamping service developing technology and applications for electronic signing and their validation services.

SpyCloud Inc., USA
SpyCloud prevents online fraud via solutions which protect billions of employee and consumer accounts from account takeover. They are the trusted account takeover fraud prevention partner for B2B organizations and consumer brands and some of the most innovative financial services, retailers, and technology companies around the globe.

Universidad de Malaga, Spain
Málaga University (UMA) is a public institution which promotes outstanding research and teaching within the European Higher Education Area. It follows an educational model to promote competitive, quality teaching which is employment-orientated and accredited in Europe.
New Member Interview

In this exclusive interview, SpyCloud CEO and founder shares his insight on the company's mission to make the internet a safer place by preventing criminals from profiting from stolen information.

Ted Ross, CEO & Co-Founder of SpyCloud
Ted Ross is an industry veteran of twenty-nine years in the network and security industries. His career began in the U.S. Air Force, after which he became Director of Network Engineering at West Corp, Strategy Architect at Walmart, Executive Technology Director at TippingPoint, and VP of the Office of Advanced Technology at HP. At HP, he created a new team and built the threat intelligence practice from the ground up as Director, Threat Intelligence, HP Security Research. This team created reports on nation-state threat groups that, at the time of publication, were considered to be the most comprehensive reports on select adversarial nations' cyber capabilities. After HP, Ted led Exodus Intelligence as CEO. In 2016, Ted launched SpyCloud as CEO and Co-Founder.

Are you seeing any trends in cyberattacks so far in 2021?
It pains me to say it, but what we saw the start of in 2020 – attacks resulting from our collective pivot to digitally managed lives – has spilled over into 2021. This shift to remote work, virtual school and online food shopping has substantially expanded the attack surface for both individuals and organizations, and criminals are taking advantage. People are sharing devices among family members at home, increasing the amount of activities done online, and managing new accounts – some that reuse compromised passwords already in criminals' hands.
All of this aids our daily lives, and I think a lot of businesses would say they've seen a rise in productivity since the start of the pandemic, but it also provides threat actors with a plethora of new targets. So far this year, we're seeing criminals continue to leverage the tactics they found most profitable last year: malware campaigns designed to siphon personal and machine data from victims, phishing attacks aimed at stealing credentials (which then often lead to ransomware attacks), and credential stuffing (often represented by the media as a 'data breach,' when in fact it's just criminals performing account takeover by leveraging old passwords on new accounts).

How do you protect customers from Account Takeover Fraud?
Criminals are clever and will keep inventing ways to steal from you, and users will keep making mistakes that put their accounts at risk. There is one sure-fire way to get ahead of account takeover, which is to check users' account credentials against recently-breached data and identify compromised accounts. Then you have the choice to force a password reset or send the user through a step-up authentication process, proving that the user is who they claim to be and not a criminal leveraging a stolen password. The goal is to beat attackers at their own game, negating the value of the stolen information before they have a chance to use it.
SpyCloud fuels global enterprises' ability to safeguard more than 2 billion employees' and consumers' accounts from cyberattacks including account takeover and follow-on attacks like credit card fraud, phishing, rans
ransomware and more, which can be extremely costly and disruptive.

You state that you're using Human Intelligence for breach data collection; in the AI era, it sounds anachronistic. Can you elaborate on this?
The vast majority of the valuable breach data we collect is via human intelligence (HUMINT) – SpyCloud researchers embedded in the criminal underground who social engineer data from bad actors within days after a breach. These researchers are specialists in their field, with extensive expertise that isn't easy to replicate. The reason we rely on HUMINT is because it delivers data so much sooner than dark web scanning. Most people don't realize that by the time data shows up on the dark web, it could be years after the breach occurred. By that time, the data has been fully monetized and is of very little value. We're focused on the early part of the breach timeline, when the data is fresh and most valuable to criminals. In fact, human intelligence capabilities enable us to be the first to find out a breach has occurred and notify the affected victim organization. All that said, automated technology is still critical to the process of making breach data ingestible by enterprises.

Tell us more about the technology that underlies HUMINT.
Breach data isn't delivered in a neat .csv file with standardized columns and plaintext passwords that enable easy matching to users' credentials. The process to parse and normalize that data and make it machine-readable requires extensive technology – not to mention the automation required to crack passwords at scale. Without cracking passwords, there would be no way for enterprises to exactly match passwords to determine if a user's account is truly compromised and worth the little bit of friction to force a password reset or fire off MFA.

You have joined ETSI's TC CYBER lately, what is the added value of standardization for your activity?
SpyCloud is often the first to confirm to victim organizations that a breach has occurred, and we want to leverage our industry-leading capabilities and database to work as a good citizen with others in the industry to help alleviate account takeover and its associated cybercrime. SpyCloud has joined ETSI TC Cyber so we can more effectively and openly collaborate with other industry leaders to put effective standards in place that can most optimally benefit enterprises and consumers globally. ETSI's work on Mobile Device and IoT security guidelines and best practices are complementary to the use of SpyCloud's data – and the use of a corpus of recovered breach data or recovered botnet logs could provide valuable data points that augment existing security best practices. For example, even if a device appears to be "secure" both at the hardware and software levels, it may be of value to also know if any other factors associated with that device are compromised, such as the user's account, password, IP address, or phone number.
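The account takeover check described in the interview (normalize recovered breach records, match the submitted credentials against them, then force a reset or step up authentication) as an added Go example; this is not SpyCloud's code, the corpus is constructed sample data, and the three-way decision rule is an assumption made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Action is what the login flow does after checking the breach corpus.
type Action int

const (
	Allow      Action = iota // identity never seen in recovered breach data
	StepUp                   // identity exposed, but an exact password match cannot be shown
	ForceReset               // the submitted password equals a recovered plaintext
)

func (a Action) String() string { return [...]string{"allow", "step-up", "force-reset"}[a] }

// record is one normalized breach entry. Only entries whose password was recovered
// in plaintext (cracked) carry a digest that a login attempt can be matched against.
type record struct {
	cracked bool
	digest  [32]byte // SHA-256 of the recovered plaintext
}

func fromPlaintext(pw string) record { return record{cracked: true, digest: sha256.Sum256([]byte(pw))} }

// normalizeIdentity makes "  Alice@Example.COM " and "alice@example.com" collide,
// so identifiers from differently formatted dumps match the login identifier.
func normalizeIdentity(id string) string { return strings.ToLower(strings.TrimSpace(id)) }

// Corpus maps a normalized identity to the records recovered for it.
type Corpus map[string][]record

// EvaluateLogin decides the action for a submitted identifier/password pair.
func (c Corpus) EvaluateLogin(id, password string) Action {
	recs, exposed := c[normalizeIdentity(id)]
	if !exposed {
		return Allow
	}
	got := sha256.Sum256([]byte(password))
	for _, r := range recs {
		// Constant-time digest comparison, so timing does not reveal which record matched.
		if r.cracked && subtle.ConstantTimeCompare(got[:], r.digest[:]) == 1 {
			return ForceReset
		}
	}
	return StepUp // exposed identity, no provable reuse: add friction, not a forced reset
}

// sampleCorpus is constructed for this example and is not real breach data.
func sampleCorpus() Corpus {
	return Corpus{
		"alice@example.com": {fromPlaintext("Summer2020!")},
		"bob@example.com":   {{cracked: false}}, // appeared in a dump; hash never cracked
	}
}

func main() {
	c := sampleCorpus()
	for _, try := range [][2]string{
		{" Alice@Example.COM ", "Summer2020!"}, // reused breached password
		{"alice@example.com", "completely-new"}, // exposed identity, different password
		{"bob@example.com", "whatever"},         // exposed, exact match unknowable
		{"carol@example.com", "whatever"},       // never seen
	} {
		fmt.Printf("%-22q -> %s\n", try[0], c.EvaluateLogin(try[0], try[1]))
	}
}
```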
Tech Highlights
Deep dive on quantum safe hybrid key exchange

Engineers and developers can now rely on ETSI's specification to exchange a cryptographic key with classical and post quantum security and build, test and deploy quantum-resistant ICT systems today.

Some background
In 1994, Peter Shor showed how to factor large RSA moduli and solve the discrete log problem. His algorithm breaks the public key cryptosystems we use today for public-key based key exchanges, but it requires a large-scale, fault-tolerant quantum computer to break cryptographically relevant instances of ECC and RSA. As we know, there are a number of challenges in building such a computer and while progress is routinely made on these challenges, it is uncertain if or when such a quantum computer will be available. Yet, we need to anticipate and work on quantum-safe cryptography. Post-quantum or quantum-safe cryptography refers to cryptographic schemes for which there is no known vulnerability by a large-scale quantum computer. The National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process is evaluating submissions for solicited quantum-resilient public-key cryptographic algorithms and has announced its 3rd Round finalists. The ETSI TS 103 744 specification uses a mechanism from these candidates.

The problem statement
Today, the existing key exchanges are at risk from a future adversary with a quantum computer. Many Information and Communication Technology (ICT) solutions utilize these public-key mechanisms to provide long-term confidentiality. The confidentiality requirement of the data in these ICT systems varies from short-lived (days and months) to long-lived (20-30 years). If a large-scale quantum computer arrived on the market during the security lifetime of this data, it could result in the loss of confidentiality. ETSI has worked on the issue and the CYBER Quantum-safe Cryptography group developed ETSI TS 103 744, a Technical Specification that defines how to exchange a cryptographic key with classical and post quantum security. The specification, called "CYBER; Quantum-safe Hybrid Key Exchanges," combines a classical elliptic curve Diffie-Hellman ephemeral (ECDHE) exchange with a proposed post-quantum key encapsulation mechanism (KEM) from the NIST Round 3 candidates. Hybrid key exchanges are a migration technique to move to quantum-safe technology in advance. We know from experience it takes a decade to adopt new public-key algorithms into ICT systems. It starts with in-depth analysis of the fundamental security claims of the algorithm, testing and standardization. Once the cryptographic standard is complete, engineers and developers can include it into other ICT standards. We can parallelize this work today to reduce the time to deploy standardized quantum-safe systems, ensuring the long-lived confidentiality of data in ICT systems. By standardizing and using quantum-safe hybrid key exchanges, we can define and deploy ICT systems today that provide both classical and quantum-resistant security.

Matthew Campagna, Chair of the ETSI Quantum Safe Cryptography working group.
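The hybrid exchange the article describes, as an added Go example (not code from ETSI or from TS 103 744): a P-256 ECDHE exchange runs alongside a KEM, and both shared secrets plus the full transcript are combined into one session key, so an attacker has to break both components. Assumptions: the KEM is an X25519 stand-in for the NIST Round 3 post-quantum KEM (the Go standard library has none), and the combiner is a generic HKDF-style extract/expand construction rather than the one TS 103 744 specifies.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the example short: any key-parsing or DH failure aborts the exchange.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

const ecPubLen, kemLen = 65, 32 // P-256 uncompressed point; X25519 point (stand-in KEM)

// Stand-in KEM on X25519 (assumption: it only plays the role of the NIST Round 3 KEM;
// a DH-based KEM is not quantum-safe, it merely has the keygen/encap/decap interface).
func kemKDF(dh, ct, pub []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte("stand-in-kem"), dh, ct, pub}, nil))
	return sum[:]
}

// kemEncap: the ciphertext is an ephemeral public key; the shared secret binds the
// DH output to that ciphertext and to the recipient's public key.
func kemEncap(recipientPub []byte) (ct, ss []byte) {
	rp := must(ecdh.X25519().NewPublicKey(recipientPub))
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ct = eph.PublicKey().Bytes()
	return ct, kemKDF(must(eph.ECDH(rp)), ct, recipientPub)
}

func kemDecap(priv *ecdh.PrivateKey, ct []byte) []byte {
	ep := must(ecdh.X25519().NewPublicKey(ct))
	return kemKDF(must(priv.ECDH(ep)), ct, priv.PublicKey().Bytes())
}

// hybridKey is the combiner: both shared secrets and the whole transcript feed one
// extract-then-expand KDF (HMAC-SHA256). The output stays unpredictable as long as
// EITHER ssEC or ssKEM does, so an attacker has to break both components.
func hybridKey(ssEC, ssKEM, transcript []byte) []byte {
	extract := hmac.New(sha256.New, []byte("hybrid-kex-salt"))
	extract.Write(bytes.Join([][]byte{ssEC, ssKEM}, nil))
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(bytes.Join([][]byte{[]byte("hybrid session key"), transcript, {0x01}}, nil))
	return expand.Sum(nil)
}

// initiator keeps its two private keys and its first message (ecPub || kemPub).
type initiator struct {
	ec, kem *ecdh.PrivateKey
	msg     []byte
}

func initiatorHello() *initiator {
	ec := must(ecdh.P256().GenerateKey(rand.Reader))
	kem := must(ecdh.X25519().GenerateKey(rand.Reader))
	msg := append(ec.PublicKey().Bytes(), kem.PublicKey().Bytes()...)
	return &initiator{ec: ec, kem: kem, msg: msg}
}

// responderReply: ECDH with the initiator's P-256 key, encapsulate to its KEM key,
// answer with ecPub || ct, and derive the session key from both secrets.
func responderReply(initMsg []byte) (reply, key []byte) {
	if len(initMsg) != ecPubLen+kemLen {
		panic(fmt.Sprintf("initiator message: bad length %d", len(initMsg)))
	}
	peer := must(ecdh.P256().NewPublicKey(initMsg[:ecPubLen]))
	ec := must(ecdh.P256().GenerateKey(rand.Reader))
	ssEC := must(ec.ECDH(peer))
	ct, ssKEM := kemEncap(initMsg[ecPubLen:])
	reply = append(ec.PublicKey().Bytes(), ct...)
	return reply, hybridKey(ssEC, ssKEM, bytes.Join([][]byte{initMsg, reply}, nil))
}

// finish: the initiator completes ECDH, decapsulates the KEM ciphertext and derives
// the same session key over the same transcript.
func (s *initiator) finish(reply []byte) []byte {
	if len(reply) != ecPubLen+kemLen {
		panic(fmt.Sprintf("responder reply: bad length %d", len(reply)))
	}
	peer := must(ecdh.P256().NewPublicKey(reply[:ecPubLen]))
	ssEC := must(s.ec.ECDH(peer))
	ssKEM := kemDecap(s.kem, reply[ecPubLen:])
	return hybridKey(ssEC, ssKEM, bytes.Join([][]byte{s.msg, reply}, nil))
}

// RunHybridExchange drives one complete exchange and returns both sides' keys.
func RunHybridExchange() (initKey, respKey []byte) {
	st := initiatorHello()
	reply, respKey := responderReply(st.msg)
	return st.finish(reply), respKey
}

func main() {
	a, b := RunHybridExchange()
	fmt.Printf("initiator %x\nresponder %x\nkeys match: %v\n", a, b, bytes.Equal(a, b))
}
```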
Digital fragility: a challenge faced by COVID-19 tracing apps

"Fragility" is not a term that one hears or reads very often when it comes to digital. "Agility" is much more common, particularly when it refers to the buzzword "agile". It seems now that everything must be agile: every business, every system and, to a certain extent, every one of us must be agile. The recently released "Comparison of existing pandemic contact tracing systems" Report, developed by ETSI's E4P group, includes the term "digital fragility" among its definitions in its clause dedicated to terms, symbols and abbreviations.

Digital fragility
Today, "digital" permeates all aspects of society and will continue doing so. Fragility, unfortunately, permeates all things digital as the overall degree of digital dependency also increases. In such a context, mobile device-based digital contact tracing is no exception. Digital fragility can be said to be an entity (organization, system, application, etc.) which may suffer an incident of a "digital" nature disturbing its normal activity without, at times, being aware of it. A more usual expression would be "weak [digital] security". Indeed, most people refer to it as a lack of "cybersecurity".

Leading to the group
On 23 March 2020, as part of the European Commission's response to the coronavirus, the Internal Market Commissioner, Thierry Breton, held a videoconference with CEOs of European telecommunication companies and GSMA to discuss how to join forces to mitigate the spread of SARS-CoV-2. On that day, digital fragility in solutions to fight the pandemic was mentioned: the need to discuss telecommunication network resilience; the need to collect, share and analyse anonymized metadata for modelling and predicting the propagation of the virus; the need to comply with the GDPR & ePrivacy legislation and, last but not least, the relevance of protecting the networks against cyber attacks. Two months later, as a result of this joint effort, ETSI E4P held its kick-off meeting on 26 May.

And cybersecurity
So far, digital fragility has been present in every step taken by experts in the ETSI E4P group. The GR E4P-002 considers this issue among the most relevant challenges current digital contact tracing systems have to face, along with responsiveness, privacy preservation, interoperability, etc. Other incoming ETSI deliverables describing technical requirements of these solutions also include security recommendations and requisites. Stay tuned, you will be able to enjoy them in the following weeks!

In summary, attention should be paid to the number of digital risks, from software glitch, error, negligence, misuse or fraud to even sabotage during the development, deployment and operation/use stages of Government-sponsored digital contact tracing systems. These constitute a set of risks that could threaten the feasibility of any of these counter-pandemic solutions. Once again, rigour in training, processes and the availability of these systems' source code (which will make it possible to audit all their details in the area of cybersecurity, as should be done regarding trust, ethics, privacy, etc.) will contribute to minimizing digital contact tracing's cyber-fragility.

Miguel García-Menéndez, Vice Chair ETSI E4P ISG.
Just Released

ETSI blockchain group releases major Reports

ETSI ISG on Permissioned Distributed Ledger has recently released Reports to support the need on the part of industry and government institutions for what is commonly known as blockchain. ETSI GR PDL 002, “Applicability and compliance to data processing requirements”, describes the implications of the conduits used to connect data sources (sensors, gateways etc.) to distributed ledgers in utility and related industries. The Report also defines how regulatory aspects for data infrastructure security and privacy can be satisfied. ETSI GR PDL 003 details the application scenarios and operational requirements for permissioned ledgers to help telecom operators, Internet and over-the-top service providers implement the technology. The latest one, ETSI GR PDL 004, defines an architecture and functional framework for smart contracts and their planning, coding and testing. “Most ledgers in ICT have been centralized so far, but the recent approaches based on distributed ledgers provide higher openness and better resiliency,” says Diego Lopez, Chair of ETSI ISG PDL.

First Report in Securing Artificial Intelligence

The ETSI Securing Artificial Intelligence Industry Specification Group released its first Group Report, ETSI GR SAI 004, which gives an overview of the problem statement regarding the securing of AI. ETSI SAI is the first standardization initiative dedicated to securing AI. The Report describes the problem of securing AI-based systems and solutions, with a focus on machine learning, and the challenges relating to confidentiality, integrity and availability at each stage of the machine learning lifecycle. It also points out some of the broader challenges of AI systems, including bias, ethics and the ability to be explained. A number of different attack vectors are outlined, as well as several cases of real-world use and attacks. “There are a lot of discussions around AI ethics but none on standards around securing AI. Yet they are becoming critical to ensure security of AI-based automated networks,” explains Alex Leadbeater, Chair of ETSI ISG SAI.

Middlebox Security Protocols for fine-grained access control

The ETSI Technical Committee CYBER has released ETSI TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of the Middlebox Security Protocol (MSP) series, which defines a protocol for varied (fine-grained) access control to communications traffic. Middleboxes are vital in modern networks – from new 5G deployments, with ever-faster networks that need performance management, to resisting new cyberattacks with evolved threat defence that copes with encrypted traffic, to VPN provision. Network operators, service providers, users, enterprises, and small businesses need to be granted varied (fine-grained) permissions. ETSI TS 103 523-2, MSP Part 2, addresses this gap by specifying a protocol that allows fine-grained access and nuanced permissions for different portions of traffic, allowing middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical development.
In the Spotlight

HOME & OFFICE: SWEET AND SECURE?

IoT has become commonplace at home as more devices connect to the internet. People now share their personal data with an increasing number of services, and the cybersecurity of the Internet of Things (IoT) is a growing concern. If consumer IoT is an established global phenomenon, ETSI’s world-leading work in that field can help to improve security for a variety of devices and appliances. Alex Leadbeater, Chair of the ETSI Technical Committee CYBER, leads us in our “spotlight” through our current and future activities for the consumer market.

The ETSI EN 303 645 standard is a first of its kind and is already a highly successful achievement with worldwide uptake by manufacturers, who now benefit from several certification schemes to enhance the security of their products. Today the Roborock vacuum cleaner has been certified by TÜV Rheinland against the ETSI standard. And more recently, Midea dishwashers, air conditioners and dehumidifiers have all been certified by TÜV SÜD, as Luffy Deng explains in our showcase on page 16. In the future, consumers can expect more secure IoT home devices in their living room and kitchen, to unlock their door and make their life easier.
In the Spotlight

Standards to the rescue: Saving IoT security for consumers

As more devices in our homes connect to the internet and as people entrust their personal data to an increasing number of services, the cybersecurity of the Internet of Things (IoT) has become a growing concern. Consumer IoT is an established global phenomenon, with its security improved by ETSI’s world-leading work on Consumer IoT security.

ETSI’s Consumer IoT Security work demonstrates the value of standards; one innovative and high-quality standard has underpinned many assurance schemes and provided flexibility in certification - whilst achieving a world-leading increase in baseline security.

EN 303 645 provides a significant security baseline, achievable by SMEs.

From dishwashers to doorbells…

With an explosion in marketability, IoT has become commonplace in the home – from health trackers to home assistants, from smart TVs to smart lightbulbs, and from dishwashers to doorbells. Estimates regularly state there are more than 30 billion connected devices in the world today, with the consumer IoT sector showing no signs of slowing down its growth.

New devices, same old security issues

But when a market moves quickly, the pressure to be first to innovate can result in a loss of dedicated security effort. This happened in consumer IoT, where default passwords are widespread and poorly secured products threaten consumers’ privacy, and some devices are exploited by attackers to launch large-scale DDoS cyber attacks, mine cryptocurrency and spy on users in their own homes.

Standards to the rescue - saving IoT security

Two years ago, ETSI TC CYBER published the first globally applicable standard on IoT security to address these security shortcomings, encouraging manufacturers to build security into IoT products from their design, rather than awkwardly bolting security measures on at the end. This baseline focuses on 13 security areas as well as data protection.

This standard achieved global adoption and evolved into an EN standard, EN 303 645, designed to prevent the large-scale, prevalent attacks against smart devices that cybersecurity experts see every day. It establishes a security baseline for connected consumer products and provides a basis for future IoT certification schemes. ETSI EN 303 645 supports a good security baseline for connected consumer products, provisioning a set of recommendations for 13 security areas, with the top three being: no default passwords, implement a vulnerability disclosure policy, and keep software updated. There are also specific data protection provisions for consumer IoT devices.
Global uptake and accreditation schemes

ETSI EN 303 645 is a cohesive and achievable standard that provides a single target for manufacturers and IoT stakeholders to attain. It’s no surprise, given the urgent need for increased security in this sector and the momentum in ETSI’s work, that many organizations have already based their products and certification schemes on EN 303 645. These include:

• Singapore’s national Cybersecurity Labelling Scheme
• Finland’s national consumer IoT certification scheme
• PSA Certified (backed by Arm)
• The Global Certification Forum accreditation
• TÜV SÜD testing
• TÜV Rheinland worldwide testing and certification
• VDE Institute testing
• SESIP by Global Platform
• SGS IoT Testing and Conformity Assessment Program
• DEKRA security evaluations
• UL’s IoT Security Rating assessment, verification and labeling solution
• Safeshark and BSI IoT cyber security assessments, testing and certification
• And many more: Eurosmart, KIWA, Secura, Nemko, ACCS, IASME…

The future of Consumer IoT Security

Yet, we are not done! TC CYBER’s dedication to improving IoT security is ongoing, and currently includes the development of three further standards to complement and support EN 303 645: an assessment specification, an implementation guide, and a vertical smart door lock standard.

1. The assessment specification specifies baseline conformance assessments against the provisions of ETSI EN 303 645. It sets out mandatory and recommended assessments, to be used by testing labs, certifying bodies and manufacturers that wish to carry out a self-assessment. Completion is targeted for summer 2021 – so get involved soon!

2. The implementation guide gives easy-to-use guidance to help manufacturers and other stakeholders to meet the provisions defined for Consumer IoT devices in ETSI EN 303 645. It sets out example implementations that meet the provisions in the EN.

3. As ETSI EN 303 645 provides a baseline that spans a variety of consumer IoT devices, sometimes additional sector-specific requirements need to be stipulated to standardize device security. Currently, TC CYBER is working on one such vertical standard for smart door locks, based on ETSI EN 303 645 (read our interview on page 4-5).

ETSI’s Consumer IoT Security work can’t stop gaining momentum! These initiatives demonstrate the value of quality and timely standards. One innovative and high-quality standard has underpinned many assurance schemes and provided flexibility in certification - whilst maintaining a world-leading security baseline for a huge security problem.

Image: SINGAPORE (Cybersecurity Labelling Scheme label) and SMART HOME : EN 303 645 © ETSI

Alex Leadbeater, ETSI’s Chair TC CYBER.
In the Spotlight - Showcase

Midea and TÜV SÜD join forces to inspire trust in smart-home appliances

People-focused technology can make our home life smarter and happier. However, cybersecurity and the protection of personal data are critical considerations whenever people enjoy the convenience of their smart homes.

Addressing consumer concerns

Improving the cybersecurity and data protection capabilities of smart home devices and building customers’ trust are among the top priorities of consumer IoT manufacturers. In keeping with its vision of “bringing great innovations to life”, the Midea Group is committed to a systematic smart home security and privacy programme in accordance with international and industry standards, which extends from lower-level hardware to user-friendly software and covers threat and risk monitoring, cloud security and the security of connection modules and chips, apps and smart-home appliances. Given this, Midea has joined forces with TÜV SÜD for the assessment of its smart-home appliances in accordance with the ETSI EN 303 645 standard to ensure best practices in data security and data protection.

First appliances compliant with EN 303 645

TÜV SÜD, a leading global provider of quality, safety and sustainability solutions, assessed the implementation of important security baseline functions against the 14 provisions of the ETSI EN 303 645 standard. The relevant mandatory provisions of the standard address product design, mobile application, communication and document review. For example, to keep software updated, the update communication of Midea IoT appliances is established over a secure channel encrypted by a dynamic session AES256 key. In addition, the update also ensures not only mutual authentication by RSA 2038 but also an integrity check by SHA256. Once the update is completed, a user may receive a notification pop-up in the app. TÜV SÜD then tested several series of Midea dishwashers, air conditioners and dehumidifiers and issued certificates of conformity with the ETSI EN 303 645 standard, which help to inspire consumer trust in the use of smart-home appliances.

Technology makes life better, but consumer protection requires the joint efforts of all parties. With “4S + 1M” (Cloud Security, Communication Security, Smart Home Appliance Security, Application Security, and Data Protection Management), smart home business group Midea has developed a comprehensive framework for smart-home cybersecurity, privacy and data protection which it continually improves and advances in accordance with various international and industry standards.

ETSI has revised and improved the standards in line with the state of the art, providing a vital basis and operational guidelines for consumer protection. The testing and certification organisation TÜV SÜD has been passionate about technology since day one and strives to inspire trust and add value.

Luffy Deng, Senior Project Engineer, TÜV SÜD Shenzhen.
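To make the “keep software updated” provision described above concrete, here is an added Go example (not Midea’s or TÜV SÜD’s code) of the two device-side checks the passage names for an update package: authenticating the vendor with an RSA signature and checking image integrity with SHA-256. The manifest layout, the “update-manifest-v1” label, the in-memory key generation and the sample image are all constructed assumptions; the encrypted transport channel is out of scope here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the metadata shipped with a firmware
// image: version, expected SHA-256 digest of the image, and the vendor's RSA
// signature over both fields.
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte
}

// signedBytes returns the exact bytes the vendor signs. Binding the digest to
// the version prevents a genuine digest from being re-labelled with a version
// string the vendor never released it under.
func signedBytes(m Manifest) []byte {
	h := sha256.New()
	h.Write([]byte("update-manifest-v1\n")) // constructed domain-separation label
	h.Write([]byte(m.Version))
	h.Write([]byte("\n"))
	h.Write([]byte(m.SHA256Hex))
	return h.Sum(nil)
}

// NewVendorKey generates a 2048-bit RSA key pair. In a real deployment the
// private half stays in the vendor's signing infrastructure; only the public
// half is pinned in the appliance firmware.
func NewVendorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// BuildSignedManifest is the vendor-side step: hash the image, then sign the
// version and digest with RSA-PSS over SHA-256.
func BuildSignedManifest(priv *rsa.PrivateKey, version string, image []byte) (Manifest, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signedBytes(m), nil)
	if err != nil {
		return Manifest{}, err
	}
	m.Signature = sig
	return m, nil
}

// VerifyUpdate is the device-side step, run before anything is written to
// flash: authenticate the manifest against the pinned vendor public key, then
// check that the downloaded image matches the signed digest. Either failure
// rejects the update.
func VerifyUpdate(pub *rsa.PublicKey, m Manifest, image []byte) error {
	if err := rsa.VerifyPSS(pub, crypto.SHA256, signedBytes(m), m.Signature, nil); err != nil {
		return errors.New("manifest signature does not verify against vendor key")
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

func main() {
	priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes") // constructed sample, not a real image
	m, err := BuildSignedManifest(priv, "2.1.0", image)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("genuine image:  ", VerifyUpdate(&priv.PublicKey, m, image))
	fmt.Println("tampered image: ", VerifyUpdate(&priv.PublicKey, m, tampered))
	m.Version = "9.9.9" // manifest edited after signing
	fmt.Println("edited manifest:", VerifyUpdate(&priv.PublicKey, m, image))
}
```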
Working Together

“Localized” certification: the Indian example

Global standards ensure that products will be able to address markets beyond national or regional borders. However, attention needs to be given to the local certification programmes that may ultimately bring in additional requirements for local market access. Discover how ETSI works towards minimizing such cases through international cooperation.

Ready?

So your product is ready, in line with the latest global standards it has to comply with. Everything is ready for distribution in your region and you are eyeing other markets; your team abroad reports great demand for this new product and sales prospects are bright. But there is a catch: to begin distribution of your product, you need to get a stamp stating that it meets all the local requirements. Ideally, it should only be a matter of showing the test results obtained when preparing for distribution in your first target market. Unfortunately, such recognition is not always possible and, upon inspection, local compliance testing appears to tweak and add requirements in such a manner that there is no avoiding running another full round of testing with a locally accredited laboratory. This costs time and money and therefore affects the product’s time to market and price.

Partners will help

ETSI and the Partnership Projects it is part of (3GPP, oneM2M) strive to deliver a full package: use cases and requirements, architecture and technical solutions, as well as testing specifications used to verify conformance/interoperability. Such specifications need to be leveraged to the maximum extent when establishing technical requirements for market access. Leveraging its Partners network and through projects like SESEC, SESEI, EU-India or InDiCo, ETSI brings players together, in technical and political spheres, to assess discrepancies in certification requirements for ICT products and work towards increasing commonality, with partial or full recognition of testing/certification results already obtained.

The Indian example

ETSI, the European Commission and the Delegation of the European Union in Delhi have recently worked with members of the European industry and of the Indian government to understand and compare the European requirements regarding safety and EMC to those from India’s Mandatory Testing and Certification of Telecom Equipment (MTCTE). Subsequently, representatives of India’s Telecom Engineering Center (in charge of MTCTE) visited key European laboratories to fully grasp the extent of the testing performed, even for products meeting requirements of legislation developed under the lightweight New Legislative Framework. The work continues with exchanges on security requirements for telecom equipment, looking at the European 5G Toolbox, the 3GPP specifications, the GSMA NESAS and the Indian Telecom Security Assurance Requirements (ITSAR). This will in the end result in closer alignment of the requirements in Europe and India and reduce additional efforts in the testing of products aimed at both markets. Similar initiatives will take place in other countries/regions as needed.

Xavier Piednoir, Head of External Relations, ETSI.
Blockchain

An Industrial Framework for Blockchains

The general public is familiar with blockchains through the popular cryptocurrency Bitcoin, but there is much more to it, and distributed ledgers are important tools to address industry and governmental institutions.

Blockchain or not blockchain?

Often identified with the catchy name of blockchains, distributed ledgers have brought a wide range of disruptive applications enabling highly valuable goals such as data sovereignty or disintermediation. Distributed ledgers store any kind of data as a consensus of replicated, shared, and synchronized digital records distributed across multiple sites, without depending on any central administrator. They provide as main features immutability (and therefore non-repudiation) and multi-party verifiability of the stored data and their temporal succession, addressing a wide range of application scenarios, and new interaction models among those entities willing to record the transactions associated with those interactions through these ledgers.

These technologies have become the intrinsic foundation of today’s secure decentralized cryptocurrencies, and distributed ledgers owe their popularity and many of the main use cases to this fact, focusing on different ways to provide decentralized multi-party compensation and therefore avoid the need for centralized clearinghouses. But we must not forget we are talking about the many additional scenarios where a consensual, replicated, and synchronized data ledger could become a game changer. While distributed ledgers are mostly known because of their use as cryptocurrencies, there are many other uses besides them, with examples such as smart contracts, support to digital identity attributes, object tracking, or the verification of service level agreements.

Permissioned and permission-less

Further on, it is important to remark that distributed ledgers can be considered as permissioned or permissionless, regarding the requirements for a node to be approved to validate the transactions and record them on the ledger. While permissionless ledgers are the ones that have received most attention from the general public, with the paradigmatic example of Bitcoin, permissioned distributed ledgers are the ones best qualified to address most of the use cases of interest to the industry and governmental institutions. This is due to reasons both technical and organisational. Among the technical ones we can consider the cost and delay of the recording of a transaction, the cost of the consensus algorithm, or the preservation of fairness among participants. In the second category, the most relevant are the support from external legal agreements and the regulatory enforcement in critical sectors.

Permissioned Distributed Ledger in ETSI

Within the ETSI Industry Specification Group on Permissioned Distributed Ledger (ISG PDL), we have been working for the last two years on analysing and providing the foundations for the operation of permissioned distributed ledgers. The group has already produced a first set of documents, and a second term has recently started, with the ultimate purpose of creating an open ecosystem of industrial solutions to be deployed by different sectors, fostering the application of these technologies, and therefore contributing to consolidate the trust and dependability on information technologies supported by global, open telecommunications networks.

Fig.1 ETSI PDL reference framework © ETSI (blocks shown: Infrastructure; Distributed ledgers; Platform; PDL Platform Management; PDL Governance Support; APIs and Tooling; Templates; Applications and Services)

Fig. 2: Smart contract framework © ETSI. Planning Phase: Draft Terms, Match with template, Smart Contract negotiation (feedback: Draft doesn’t match with planned contract). Coding & Testing Phase: Coding specifications, Compile, Code Review, Validation, Testing (feedback: Test output doesn’t match with the requirements; Online debugging; draft verification). Deployment & Execution Phase: Deployment, Execution, Termination. Actors: SH: Stakeholders; API: Application Programming Interface; TE: Testing Engineers; SE: Software Engineers; TB: Test Beds; SB: Standardization Bodies.

Collaborative work

The ISG PDL works in tight coordination with other groups in ETSI and elsewhere, including open-source initiatives and a clear connection with research activities, especially the collaborative research projects within framework programmes such as Horizon 2020 and the future Horizon Europe. As in other ETSI ISGs on transformative technologies, the group work items are oriented to produce not only specifications of normative nature, but also informative deliverables in the form of technology reports and recommendations for future work, and, what is especially relevant in an environment as populous as distributed ledger standardization, demonstrative deliverables focused on the execution of proof-of-concept demonstrations and on supporting early interoperability assessment events. Two of these proofs of concept have already been carried out.

Achievements

During its first term, the group started by addressing a landscape document, intended to identify current activities in standardization and research which are particularly relevant to the PDL activities. Apart from identifying opportunities and gaps to address, this spawned a specific activity focused on the identification of and collaboration with research projects, which has translated into the direct involvement of several of these projects willing to progress in the standardization of their results.

The group has produced another report as a result of examining the essential needs in terms of trust, security and effective conformity assessment, analysing essential requirements for PDL technology to ensure regulatory compliance to preserve security and privacy in the conduits providing the data to be incorporated into the ledgers. Work on applicability foundations was completed by another report describing potential application scenarios for the operation of PDLs, including provision models with special emphasis on ‘as-a-service’ paradigms, PDL infrastructure governance aspects, and identifying the definition of common terms to be used in our future standardization work.

The last work completed by the PDL group is a report on smart contracts, their components, planning, coding and testing. The scope of this report covers a reference architecture of the technology enabling smart contracts, the methods for engaging in a smart contract using this architecture, and a discussion on possible threats and limitations.

For its new term, the ISG PDL continues its work on ledger interoperability as a cornerstone for the operational framework and has already started working on key aspects such as the interaction with federated data frameworks and off-line operation. The group is committed to ensuring the application of its principles and work items in new application environments, especially those enabled by the emergence of next-generation networking infrastructures, such as those related to resource trading at all levels, from compute nodes to spectrum, as well as new industrial scenarios.

Diego Lopez, Chair ETSI ISG PDL