HOME & OFFICE: SWEET AND SECURE? - THE INTERVIEW - ETSI

Page created by Adam Becker
 
APRIL 2021

HOME & OFFICE: SWEET AND SECURE?

THE INTERVIEW
Paul Browne, CTO Assa Abloy UK.

TECH HIGHLIGHTS
Deep dive on quantum safe hybrid key exchange.

IN THE SPOTLIGHT
Standards to the rescue: Saving IoT security for consumers.

Editorial

IoT devices have become commonplace at home. We open our doors with smart locks, switch on light and music with a smart home voice controller and make sure our cake will be ready on time in our smart oven when it’s time for dinner. We share our computers and tablets among family members and overall increase our activity online, bridging office and home when working remotely. But this ubiquitous connected environment opens new doors to cybersecurity breaches and raises the question of ensuring that our homes and offices are as sweet and secure as we would expect them to be. In this new edition of Enjoy! we let you discover how standards come to the rescue to improve security in our private and professional life.

In the Spotlight section focuses on our EN 303 645 security guidelines for IoT consumer devices which have been adopted by manufacturers and governmental bodies round the world, Midea dishwashers being the example of our showcase.

SpyCloud CEO Ted Ross, one of our new members, explains why human intelligence remains key to prevent cyber crimes while in an exclusive interview, Assa Abloy UK CTO, Paul Browne, tells us how ARGE, the European Federation of Associations of Locks & Builders Hardware Manufacturers can contribute to cybersecurity standards for smart homes.

To address future needs, our Technology Highlights outlines how to exchange a cryptographic key with classical and post quantum security and in a second article the Vice Chair of our pandemic tracing apps group explains how they tackle the challenge of digital fragility. And then, the Chair of our Permissioned Distributed Ledger group tells us why standards for distributed ledger technologies (commonly addressed by people as blockchain) will be key for industry and governmental institutions.

To help manage our ever-increasing online activity, we have also developed guidelines and standards supporting it. US based Digicert explains why Europe has led the world in unifying identity proofing standards. An upcoming Plugtest™ will let industry test our guidelines for modern Electronic Registered Delivery Services while our Centre for Testing and Interoperability has developed a now popular free online tool that performs numerous checks to verify the conformity of the ETSI Advanced Electronic Signatures, those we use for signing contracts online.

And there’s more, so now
Enjoy reading!

Luis Jorge Romero,
Director-General ETSI

The Interview: Paul Browne, CTO & Business Development Director, Assa Abloy UK.
Meet the New Standards People
New Member Interview: Ted Ross, CEO SpyCloud.
Tech Highlights: Deep dive on quantum safe hybrid key exchange.
In the Spotlight: Home & Office: sweet and secure?
Blockchain: An Industrial Framework for Blockchains.
What’s On? Upcoming events.

Enjoy! The ETSI Mag
Edited and published by ETSI
Quarterly edition
Copyright ETSI 2021
Director of Publications: Nadja Rachow
Editor-in-Chief: Claire Boyer
Design: Le Principe de Stappler
Editorial office: ETSI, 650 route des Lucioles, 06560 Valbonne France
Tel.: +33 (0)4 92 94 43 35
enjoy@etsi.org

News Roundup

ETSI IoT Week 2021 goes virtual

The ETSI IoT Week is back on 26-30 April 2021 as a fully virtual event providing the latest IoT industry and standards updates. This year’s edition will focus on the major IoT standards achievements that support the digitalization of society, business, and multiple Industries across numerous sectors. It will also focus on how such digitalization enables countermeasures against the current pandemic. The event will cover oneM2M with service experiences and best practices; IoT in the face of the pandemic addressing digitalization and countermeasures; IoT cybersecurity for consumers, smart cities, e-Health and SMEs; Artificial Intelligence in IoT as well as other key topics.

New group on IPv6 Enhanced Innovation

In the 5G and cloud era, IPv6 will grow rapidly. Strengthening new generation IP network technologies based on IPv6 and its innovative technologies has become the common direction of the IP industry.

To tackle the increasing Industry needs for IPv6 adoption in multiple use cases and scenarios, ETSI has recently launched ISG IPv6 Enhanced innovation (IPE). IPE members include 45 organizations to date, comprising carriers, vendors, and academia, working together to improve the industry ecosystem and accelerate innovation.

The group will first analyse the current landscape of existing IPv6 standards deployed on prime technologies such as 5G, IoT and Cloud Computing to identify gaps and thus accelerate IPv6-based innovations. Two other reports will cover data centre and Cloud use cases on one hand and 5G Transport use cases on the other hand. The last pieces of work will define Industrial IoT/enterprise requirements and IPv6 only transition requirements across new and evolving technology domains and areas.

ETSI at ENISA Cybersecurity Standardization Conference

The European Standards Organizations, CEN, CENELEC and ETSI, joined forces with ENISA, the European Union Agency for Cybersecurity, to organize their annual conference virtually this year. The event, which took place from 2 to 4 February, attracted some 1500 participants from the EU and from around the world. The conference addressed standardization in relation to the Radio Equipment Directive (RED) and certification under the provisions of the Cybersecurity Act (CSA). ETSI Director-General, GA Chair and Board Chair as well as several cybersecurity experts from the technical committee CYBER and 3GPP outlined ETSI’s strong achievements for enterprise and consumer cybersecurity standards and its input to harmonized legislation with testability of security requirements. They highlighted as well ETSI’s contribution to the Cybersecurity Act as regards consumer IoT security, 5G Network Security Assurance, Trust Services, and AI security.

The Interview

From his CTO office in the UK, Paul Browne tells us why an association of locks and builders hardware manufacturers entered the world of cybersecurity standardization.

How did ASSA ABLOY, a leading hardware locks manufacturer, enter the digital lock market?

It started ten years ago when we, in ASSA ABLOY UK, developed a digital door lock for residential use. At the time, we already had extensive experience in home security systems and we had the vision that people’s homes in Europe would eventually become connected so that they could have the convenience and the security of controlling devices around their home.

It was at about that time that ASSA ABLOY acquired iRevo, a Korean company, which was the largest manufacturer of digital door locks for home use in the world. You have to bear in mind that in Korea, at least 50 to 60% of all homes, probably more now, have a digital door lock.

So for us as a manufacturer, digital door locks, and in particular now smart door locks, have a strategic importance.

What are the benefits of digital locks for the market?

If I take the UK market, we sell a mechanical door lock for around 25 euros, and that will last 20 years. A digital door lock typically costs 200 to 300 euros and will last ten years or so. You can see that from a commercial point of view, digital door locks and smart door locks are a terrific opportunity for manufacturers.

Now when you look at it from a consumer point of view, smart locks bring enhanced functionality. People can send keys by phone to family members, allow access to their homes, or check on the status of their doors and windows remotely. But unlike mechanical door locks, the life cycles of digital door locks change every two, three or five years. So as you can see, the whole dynamic is more exciting, more appealing. Digital and smart door locks, but also smart alarms, smart home security are a big opportunity for the end user’s enhanced lifestyle and for the industry.

However, when we launched our digital door lock around 2010 in the UK, we had a problem. The police, insurance companies and the locksmiths were asking us to develop a standard at the request of consumers who wanted their digital or smart door locks to be secure and, at the time, there was no standard to reassure them.

You mean that the standard was actually initiated at the consumers’ request?

Absolutely. The best standards originate from end users. The worst standards are those that are imposed by central governments or by European governments. We therefore started working with our national standards body, the British Standards Institute, to develop a technical specification for digital door locks. But we wanted to develop a performance standard which would give consumers the reassurance that the products are secure, that would give insurance companies a standard on which to base home insurance policies, and that would enable the police and locksmiths to give guidance and advice to consumers.

Since connected IoT devices are a relatively new marketplace, we felt that unless we got a performance standard in place, with locks being potentially vulnerable to cyberattacks, that this would damage the credibility and the reputation of the market before it even took off.

And this is when you heard about ETSI?

Yes, that was two years ago when I met with the Minister of the UK Department for Digital, Culture, Media and Sport, along with other suppliers of smart home products. It was clear that the DCMS was keen to address the security of IoT devices from a cybersecurity standpoint. That’s where we found out that the DCMS had worked in ETSI TC CYBER to develop the technical specification TS 103 645.

That was when ARGE, in its role as the European Industry Association, made an important decision. As hardware manufacturers in ARGE, we knew that we could identify the standards for the mechanical, electromechanical and the electronic aspects of a smart door lock with CEN, but we were lacking on the cybersecurity aspect. During that meeting, we realized that the experts were in ETSI. So last year, when ARGE became a member of ETSI and we joined TC CYBER, we suggested that we create a smart door lock technical specification, which is currently under development.

In parallel, we found out that ENISA’s remit is to develop certification schemes, particularly for consumer IoT devices.

So, certification schemes are important as well?

Yes, we’ve been participating in ENISA’s Cyber Certification Stakeholder Group and feeding back into the Union’s Rolling Work Programme. In the European Commission, it’s very clear that there is an appetite to develop certification schemes for consumer IoT devices. They see this as being important, but they also see that the level of home security connected devices needs to be somewhere between “substantial” and “high”, which backs into our thinking.

Within the ETSI cyber group, they identified that a smart door lock technical specification could form a pilot for a vertical product certification scheme. A smart lock standard is holistic in nature but adding the cyber security aspect combined into a certification scheme will reassure consumers. For example, in the UK, they will see the Kitemark certification logo on the box, in France, that might be the A2P logo.

But as I said earlier, we were thinking of a whole series of standards.

This series of standards would be developed in ETSI?

Yes, to complement the smart door lock, they would address vertical sector products such as connected alarms, connected CCTV, connected door viewers, and so on.

What we like about ETSI is the fact that they recognize and appreciate that product life cycles are shorter, that technology and cyberattacks change. And they adopt a much more flexible and pragmatic approach to standardization and developing technical specifications than other standards bodies. So, for us at ARGE the way that ETSI approached the whole concept of certification and standardization for connected IoT devices for the home is very appropriate.

Paul Browne
CTO & Business Development Director, Assa Abloy UK, Board Member ARGE

Paul Browne is the Chief Technology Officer and Business Development Director of ASSA ABLOY UK. He started his career at Creda, the largest manufacturer of white goods in the UK, which became part of a joint venture between GE USA and General Electric Company (GEC UK), and held several executive sales and marketing positions in the company before becoming the general manager of one of their business divisions. In 2000, he joined ASSA ABLOY where he now leads product innovation and new product introductions as well as business development and strategy across channels, products and end-user markets. He is also responsible for standards development and IP. Paul is a Board Member of ARGE, the European Federation of Associations of Locks & Builders Hardware Manufacturers, member of ETSI.

Meet the New Standards People

Welcome to our NEW members

Avanti Communications, United Kingdom
Avanti Communications is a world leading provider of agile, secure and pioneering satellite technology across Europe, the Middle East and Africa. They have a proven track record of satellite connectivity services, and bring a world of opportunities to carriers, defence and security departments, government agencies and the satellite industry.

Bandwidth, USA
Bandwidth provides cloud-ready voice, messaging, and emergency service connectivity built for the enterprise. It is the only API platform provider that owns a Tier 1 network that gives better quality, rates, and control. It is also a leader in the cloud communications space, uniquely positioned to have enterprises who need high reliability and scale.

Commsquare NV, Belgium
Commsquare provides mobile data network monitoring, analysis and optimisation products and services, helping mobile operators measure network performance and extract actionable business intelligence. Their products and services deliver a holistic view of radio access and PS data network performance from a subscriber’s point of view.

eID - Electronic Identification, Spain
eID is the leading provider of remote user iDentification systems via video streaming. It created VideoID which identifies the User in seconds and offers the same level of security as the face-to-face iDentification made in a commercial office.

ELA (European Lift Association), Belgium
ELA represents the lifts, escalators and moving walks active associations and their components manufacturers in the European Union and the European Free Trade Area. It has become the main communication vector of this industry to the European Commission and the European Parliament.

evolutionQ, USA
evolutionQ provides information on quantum-safe services. evolutionQ offers a standard set of services proven to help ensure your company’s quantum-safe cyber security migration is progressive, sensible and orderly.

Exacta Global Smart Solutions, USA
Exacta offers a range of services that help companies bring Internet of Things solutions based on the oneM2M global standard from concept to deployment. It offers oneM2M project support, oneM2M training, support for deployment of the industry recognized Chordant implementation of oneM2M service layer.

Gatehouse Satcom A/S, Denmark
GateHouse delivers the software that guarantees effective and secure communication between systems. They support live tracking and monitoring of more than 150,000 assets within different businesses and delivers mission critical solutions in satellite communication for maritime authorities, coastguards, ports and related businesses.

IASME, United Kingdom
IASME is a cyber security business with products and services dedicated to help individuals and organizations to protect themselves against cyber-attacks. The IASME Governance assessment includes a Cyber Essentials assessment and GDPR requirements and is available either as a self-assessment or on-site audit.

Innovile, Spain
Innovile provides smart network management and optimisation solutions and services. Innovile offers a wide range of innovative and future-proof portfolio of self-organising network, configuration management, performance management and expert services that empower mobile network operators with real-time network intelligence and operational dynamics.

ISEE SSU, Ukraine
The Ukrainian scientific and research Institute of special equipment and forensic expertise of SSU is part of the Security Service of the Ukraine and ensures cyber security of the state thanks to complex measures to counter online terrorism, prevent cyber espionage, defeat hacker attacks and refute subversive activities online.

Kimeggi, France
Kimeggi consulting provides support to business in radio strategy, radio solutions and standardization. They currently monitor, attend and/or contribute in many committees to bring the most up-to-date information on standards, technologies and spectrum regulations.

MaxLinear, USA
MaxLinear delivers high-performance broadband and networking semiconductors based on its highly integrated radio frequency analogue technology, high-performance optical networking technology and its pioneering MoCA and direct broadcast satellite ODU single-wire technology. Customers include telephone, cable and satellite operators, set-top box manufacturers, networking equipment and consumer technology providers.

Mercedes-Benz, Germany
Mercedes-Benz AG is one of the largest manufacturers of premium passenger cars. The company aspires to be leading in the fields of connectivity, automated driving and alternative drives. With over 40 production sites on four continents, they align themselves to meet the requirements of electric mobility.

Schindler, Switzerland
Schindler is one of the world’s leading providers of elevators, escalators, and moving walks, as well as maintenance and modernization services. The company specializes in the latest-technology engineering, as well as mechanical and microprocessor technology products designed and tested for safety, comfort, efficiency and reliability.

SK ID Solutions AS, Estonia
SK ID Solutions (SK) specializes in international e-identity solutions. They enable citizens of different countries to log in to e-services and give electronic signatures. Their main business is the certification and time-stamping service developing technology and applications for electronic signing and their validation services.

SpyCloud Inc., USA
SpyCloud prevents online fraud via solutions which protect billions of employee and consumer accounts from account takeover. They are the trusted account takeover fraud prevention partner for B2B organizations and consumer brands and some of the most innovative financial services, retailers, and technology companies around the globe.

Universidad de Malaga, Spain
Málaga University (UMA) is a public institution which promotes outstanding research and teaching within the European Higher Education Area. It follows an educational model to promote competitive, quality teaching which is employment-orientated and accredited in Europe.

New Member Interview

In this exclusive interview, SpyCloud CEO and founder shares his insight on the company’s mission to make the internet a safer place by preventing criminals from profiting from stolen information.

Ted Ross
CEO & Co-Founder of SpyCloud

Ted Ross is an industry veteran of twenty-nine years in the network and security industries. His career began in the U.S. Air Force, after which he became Director of Network Engineering at West Corp, Strategy Architect at Walmart, Executive Technology Director at TippingPoint, and VP of the Office of Advanced Technology at HP. At HP, he created a new team and built the threat intelligence practice from the ground up as Director, Threat Intelligence, HP Security Research. This team created reports on nation-state threat groups that, at the time of publication, were considered to be the most comprehensive reports on select adversarial nations’ cyber capabilities. After HP, Ted led Exodus Intelligence as CEO. In 2016, Ted launched SpyCloud as CEO and Co-Founder.

Are you seeing any trends in cyberattacks so far in 2021?
It pains me to say it, but what we saw the start of in 2020 – attacks resulting from our collective pivot to digitally managed lives – has spilled over into 2021. This shift to remote work, virtual school and online food shopping has substantially expanded the attack surface for both individuals and organizations, and criminals are taking advantage. People are sharing devices among family members at home, increasing the amount of activities done online, and managing new accounts – some that reuse compromised passwords already in criminals’ hands.

All of this aids our daily lives, and I think a lot of businesses would say they’ve seen a rise in productivity since the start of the pandemic, but it also provides threat actors with a plethora of new targets. So far this year, we’re seeing criminals continue to leverage the tactics they found most profitable last year: malware campaigns designed to siphon personal and machine data from victims, phishing attacks aimed at stealing credentials (which then often lead to ransomware attacks), and credential stuffing (often represented by the media as a ‘data breach,’ when in fact it’s just criminals performing account takeover by leveraging old passwords on new accounts).

How do you protect customers from Account Takeover Fraud?
Criminals are clever and will keep inventing ways to steal from you, and users will keep making mistakes that put their accounts at risk. There is one sure-fire way to get ahead of account takeover, which is to check users’ account credentials against recently-breached data and identify compromised accounts. Then you have the choice to force a password reset or send the user through a step-up authentication process, proving that the user is who they claim to be and not a criminal leveraging a stolen password. The goal is to beat attackers at their own game, negating the value of the stolen information before they have a chance to use it.

SpyCloud fuels global enterprises’ ability to safeguard more than 2 billion employees’ and consumers’ accounts from cyberattacks including account takeover and follow-on attacks like credit card fraud, phishing, ransomware and more, which can be extremely costly and disruptive.

You state that you’re using Human Intelligence for breach data collection; in the AI era, it sounds anachronistic. Can you elaborate on this?
The vast majority of the valuable breach data we collect is via human intelligence (HUMINT) – SpyCloud researchers embedded in the criminal underground who social engineer data from bad actors within days after a breach. These researchers are specialists in their field, with extensive expertise that isn’t easy to replicate. The reason we rely on HUMINT is because it delivers data so much sooner than dark web scanning. Most people don’t realize that by the time data shows up on the dark web, it could be years after the breach occurred. By that time, the data has been fully monetized and is of very little value. We’re focused on the early part of the breach timeline, when the data is fresh and most valuable to criminals. In fact, human intelligence capabilities enable us to be the first to find out a breach has occurred and notify the affected victim organization. All that said, automated technology is still critical to the process of making breach data ingestible by enterprises.

Tell us more about the technology that underlies HUMINT.
Breach data isn’t delivered in a neat .csv file with standardized columns and plaintext passwords that enable easy matching to users’ credentials. The process to parse and normalize that data and make it machine-readable requires extensive technology – not to mention the automation required to crack passwords at scale. Without cracking passwords, there would be no way for enterprises to exactly match passwords to determine if a user’s account is truly compromised and worth the little bit of friction to force a password reset or fire off MFA.

You have joined ETSI’s TC CYBER lately, what is the added value of standardization for your activity?
SpyCloud is often the first to confirm to victim organizations that a breach has occurred, and we want to leverage our industry-leading capabilities and database to work as a good citizen with others in the industry to help alleviate account takeover and its associated cybercrime. SpyCloud has joined ETSI TC Cyber so we can more effectively and openly collaborate with other industry leaders to put effective standards in place that can most optimally benefit enterprises and consumers globally. ETSI’s work on Mobile Device and IoT security guidelines and best practices are complementary to the use of SpyCloud’s data – and the use of a corpus of recovered breach data or recovered botnet logs could provide valuable data points that augment existing security best practices.

For example, even if a device appears to be “secure” both at the hardware and software levels, it may be of value to also know if any other factors associated with that device are compromised, such as the user’s account, password, IP address, or phone number.
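The credential check discussed in the interview above, as an added Python example; it is not SpyCloud's code or process and is not part of the original interview. It assumes an enterprise that stores PBKDF2 salted hashes and a constructed breach dump with mixed separators, and every function name and sample record is hypothetical. It shows why only a recovered plaintext allows an exact match against a salted hash, while a hash-only record stays unverifiable.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 50_000  # assumed work factor, kept low so the demo runs quickly
# Secrets that look like MD5/SHA-1/SHA-256 hex digests are treated as uncracked hashes.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
RANK = {"no_match": 0, "unverified": 1, "exact_match": 2}


def normalize_email(raw):
    """Breach dumps mix case and stray whitespace; the user store does not."""
    return raw.strip().lower()


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(email, password):
    """What the enterprise keeps: a per-user salt and a slow hash, never the plaintext."""
    salt = os.urandom(16)
    return normalize_email(email), (salt, hash_password(password, salt))


def parse_breach_line(line):
    """Return (email, plaintext_or_None), or None when the line is not a credential pair."""
    parts = re.split(r"[:;\t|]", line.strip(), maxsplit=1)
    if len(parts) != 2 or "@" not in parts[0]:
        return None
    secret = parts[1].strip()
    if not secret:
        return None
    email = normalize_email(parts[0])
    # A digest from another site cannot be compared with our salted hash.
    return (email, None) if HEX_DIGEST.match(secret) else (email, secret)


def screen_accounts(accounts, breach_lines):
    """Map each exposed account to 'exact_match', 'unverified' or 'no_match'.

    exact_match: the breached plaintext is the user's current password, so a
                 forced reset or step-up authentication is worth the friction.
    unverified:  only an uncracked hash was recovered; no exact comparison is possible.
    no_match:    the breached password differs from the current one.
    """
    verdicts = {}
    for line in breach_lines:
        record = parse_breach_line(line)
        if record is None or record[0] not in accounts:
            continue
        email, plaintext = record
        salt, stored = accounts[email]
        if plaintext is None:
            verdict = "unverified"
        elif hmac.compare_digest(hash_password(plaintext, salt), stored):
            verdict = "exact_match"
        else:
            verdict = "no_match"
        # Keep the most severe verdict when an email appears in several records.
        if RANK[verdict] >= RANK[verdicts.get(email, "no_match")]:
            verdicts[email] = verdict
    return verdicts


def build_demo():
    """Constructed sample data: four accounts and a messy five-line breach dump."""
    accounts = dict([
        make_account("alice@example.com", "Summer2020!"),
        make_account("bob@example.com", "correct horse battery"),
        make_account("carol@example.com", "t0ps3cret"),
        make_account("dave@example.com", "unique-and-long-1"),
    ])
    breach_lines = [
        "  Alice@Example.com:Summer2020!",    # reused password, odd casing
        "bob@example.com;hunter2",            # old password, since changed
        "carol@example.com\t" + "ab" * 16,    # 32 hex chars: uncracked hash placeholder
        "not a credential line",              # noise that must be skipped
        "eve@example.org:whatever",           # not one of our users
    ]
    return accounts, breach_lines


if __name__ == "__main__":
    for email, verdict in sorted(screen_accounts(*build_demo()).items()):
        print(email, verdict)
```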

Tech Highlights

Deep dive on quantum safe hybrid key exchange
Engineers and developers can now rely on ETSI’s specification to exchange a cryptographic key with classical and post quantum security and build, test and deploy quantum-resistant ICT systems today.

Some background
In 1994, Peter Shor showed how to factor a large RSA modulus and solve the discrete log problem. His algorithm breaks the public-key cryptosystems we use today for public-key based key exchanges, but it requires a large-scale, fault-tolerant quantum computer to break cryptographically relevant instances of ECC and RSA. As we know, there are a number of challenges in building such a computer, and while progress is routinely made on these challenges, it is uncertain if or when such a quantum computer will be available. Yet, we need to anticipate and work on quantum-safe cryptography. Post-quantum or quantum-safe cryptography refers to cryptographic schemes for which there is no known vulnerability to a large-scale quantum computer. The National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process is evaluating solicited submissions for quantum-resilient public-key cryptographic algorithms and has announced its 3rd Round finalists. The ETSI TS 103 744 specification uses a mechanism from these candidates.

The problem statement
Today, the existing key exchanges are at risk from a future adversary with a quantum computer. Many Information and Communication Technology (ICT) solutions utilize these public-key mechanisms to provide long-term confidentiality. The confidentiality requirements of the data in these ICT systems vary from short-lived (days and months) to long-lived (20-30 years). If a large-scale quantum computer arrived on the market during the security lifetime of this data, it could result in the loss of confidentiality.

ETSI has worked on the issue and the CYBER Quantum-safe Cryptography group developed ETSI TS 103 744, a Technical Specification that defines how to exchange a cryptographic key with classical and post quantum security. The specification, called “CYBER; Quantum-safe Hybrid Key Exchanges,” combines a classical elliptic curve Diffie-Hellman ephemeral (ECDHE) exchange with a proposed post-quantum key encapsulation mechanism (KEM) from the NIST Round 3 candidates. Hybrid key exchanges are a migration technique to move to quantum-safe technology in advance.

We know from experience it takes a decade to adopt new public-key algorithms into ICT systems. It starts with in-depth analysis of the fundamental security claims of the algorithm, testing and standardization. Once the cryptographic standard is complete, engineers and developers can include it into other ICT standards. We can parallelize this work today to reduce the time to deploy standardized quantum-safe systems, ensuring the long-lived confidentiality of data in ICT systems. By standardizing and using quantum-safe hybrid key exchanges, we can define and deploy ICT systems today that provide both classical and quantum-resistant security.

Matthew Campagna, Chair of the ETSI Quantum Safe Cryptography working group.
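The hybrid construction described in the article above, as an added Python example that is not taken from ETSI TS 103 744 or from the author. It assumes X25519 for the ECDHE half, a concatenate-then-HKDF combiner, and a stand-in KEM built on X25519 so that the exchange runs with the standard library alone; the stand-in is not quantum-safe, the specification's own key derivation is not reproduced, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")


def x25519(k, u):
    """X25519 scalar multiplication per RFC 7748 (readable, not constant time)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Stand-in KEM exposing the keygen/encaps/decaps interface of a post-quantum KEM.
# Assumption for the demo only: it is X25519 underneath and NOT quantum-safe;
# a real deployment would plug a post-quantum KEM in behind the same interface.
def kem_keygen():
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)


def kem_encaps(pk):
    eph = os.urandom(32)
    return x25519(eph, BASE), x25519(eph, pk)  # (ciphertext, shared secret)


def kem_decaps(sk, ct):
    return x25519(sk, ct)


def combine(ecdh_secret, kem_secret, transcript):
    """Derive one session key from both secrets, bound to the exchanged messages."""
    if not any(ecdh_secret):
        raise ValueError("all-zero ECDH output (low-order peer key)")
    # Length prefixes keep the boundary between the two secrets unambiguous.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in (ecdh_secret, kem_secret))
    info = b"hybrid-kex-demo" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt=bytes(32), info=info)


def run_exchange():
    """One round trip; returns the keys derived by initiator and responder."""
    # Initiator -> responder: ephemeral ECDH public key and KEM public key.
    i_ecdh_sk = os.urandom(32)
    i_kem_sk, i_kem_pk = kem_keygen()
    msg1 = x25519(i_ecdh_sk, BASE) + i_kem_pk
    # Responder -> initiator: its ephemeral ECDH public key and the KEM ciphertext.
    r_ecdh_sk = os.urandom(32)
    kem_ct, r_kem_ss = kem_encaps(msg1[32:])
    msg2 = x25519(r_ecdh_sk, BASE) + kem_ct
    transcript = msg1 + msg2
    r_key = combine(x25519(r_ecdh_sk, msg1[:32]), r_kem_ss, transcript)
    i_key = combine(x25519(i_ecdh_sk, msg2[:32]),
                    kem_decaps(i_kem_sk, msg2[32:]), transcript)
    return i_key, r_key


if __name__ == "__main__":
    i_key, r_key = run_exchange()
    print("keys agree:", i_key == r_key)
```

Because both secrets feed the key derivation, an adversary has to recover the ECDHE secret and the KEM secret to obtain the session key.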

Digital fragility: a challenge faced by COVID-19 tracing apps
“Fragility” is not a term that one hears or reads very often when it comes to digital. “Agility” is much more common, particularly when it refers to the buzzword “agile”. It seems now that everything must be agile: every business, every system and, to a certain extent, every one of us must be agile. The recently released “Comparison of existing pandemic contact tracing systems” Report, developed by ETSI’s E4P group, includes the term “digital fragility” among its definitions in its clause dedicated to terms, symbols and abbreviations.

Digital fragility
Today, “digital” permeates all aspects of society and will continue doing so. Fragility, unfortunately, permeates all things digital as the overall degree of digital dependency also increases. In such a context, mobile device-based digital contact tracing is no exception. Digital fragility can be said to be an entity (organization, system, application, etc.) which may suffer an incident of a “digital” nature disturbing its normal activity without, at times, being aware of it. A more usual expression would be “weak [digital] security”. Indeed, most people refer to it as a lack of “cybersecurity”.

Leading to ETSI’s group
On 23 March 2020, as part of the European Commission’s response to the coronavirus, the Internal Market Commissioner, Thierry Breton, held a videoconference with CEOs of European telecommunication companies and GSMA to discuss how to join forces to mitigate the spread of CoV-SARS-2. On that day, digital fragility in solutions to fight the pandemic was mentioned: the need to discuss telecommunication network resilience; the need to collect, share and analyse anonymized metadata for modelling and predicting the propagation of the virus; the need to comply with the GDPR & ePrivacy legislation and, last but not least, the relevance of protecting the networks against cyber attacks. Two months later, as a result of this joint effort, ETSI E4P held its kick-off meeting on 26 May.

And cybersecurity
So far, digital fragility has been present in every step taken by experts in the ETSI E4P group. The GR E4P-002 considers this issue among the most relevant challenges current digital contact tracing systems have to face, along with responsiveness, privacy preservation, interoperability, etc. Other incoming deliverables describing technical requirements of these solutions also include security recommendations and requisites. Stay tuned, you will be able to enjoy them in the following weeks!

In summary, attention should be paid to the number of digital risks, from software glitch, error, negligence, misuse or fraud to even sabotage during the development, deployment and operation/use stages of Government-sponsored digital contact tracing systems. These constitute a set of risks that could threaten the feasibility of any of these counter-pandemic solutions. Once again, rigour in training, processes and the availability of these systems’ source code (which will make it possible to audit all their details in the area of cybersecurity, as should be done regarding trust, ethics, privacy, etc.) will contribute to minimizing digital contact tracing’s cyber-fragility.

Miguel García-Menéndez, Vice Chair ETSI E4P ISG.

Just Released

ETSI blockchain group releases major Reports
ETSI ISG on Permissioned Distributed Ledger has recently
released Reports to support the need on the part of industry
and government institutions for what is commonly known as
blockchain. ETSI GR PDL 002, “Applicability and compliance to
data processing requirements”, describes the implications of the
conduits used to connect data sources (sensors, gateways etc.) to
distributed ledgers in utility and related industries. The Report also
defines how regulatory aspects for data infrastructure security and
privacy can be satisfied. ETSI GR PDL 003 details the application
scenarios and operational requirements for permissioned ledgers
to help telecom operators, Internet and over-the-top service
providers implement the technology. The latest one, ETSI GR PDL
004, defines an architecture and functional framework for smart
contracts and their planning, coding and testing. “Most ledgers
in ICT have been centralized so far, but the recent approaches
based on distributed ledgers provide higher openness and better
resiliency,” says Diego Lopez, Chair of ETSI ISG PDL.

First Report in Securing Artificial Intelligence
The ETSI Securing Artificial Intelligence Industry Specification Group released its first Group Report, ETSI GR SAI 004, which gives an overview of the problem statement regarding the securing of AI. ETSI SAI is the first standardization initiative dedicated to securing AI. The Report describes the problem of securing AI-based systems and solutions, with a focus on machine learning, and the challenges relating to confidentiality, integrity and availability at each stage of the machine learning lifecycle. It also points out some of the broader challenges of AI systems including bias, ethics and ability to be explained. A number of different attack vectors are outlined, as well as several cases of real-world use and attacks. “There are a lot of discussions around AI ethics but none on standards around securing AI. Yet they are becoming critical to ensure security of AI-based automated networks,” explains Alex Leadbeater, Chair of ETSI ISG SAI.

Middlebox Security Protocols for fine-grained access control
The ETSI Technical Committee CYBER has released ETSI TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of the Middlebox Security Protocol (MSP) series, which defines a protocol for varied (fine-grained) access control to communications traffic.
Middleboxes are vital in modern networks – from new 5G deployments, with ever-faster networks that need performance management, to resisting new cyberattacks with evolved threat defence that copes with encrypted traffic, to VPN provision. Network operators, service providers, users, enterprises, and small businesses require being granted varied (fine grained) permissions. ETSI TS 103 523-2, MSP Part 2 addresses this gap by specifying a protocol that allows fine-grained access and nuanced permissions for different portions of traffic, allowing middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical development.

In the Spotlight

HOME & OFFICE: SWEET AND SECURE?
IoT has become commonplace at home as more devices connect to the internet. People now share their personal data with an increasing number of services and the cybersecurity of the Internet of Things (IoT) is a growing concern. If consumer IoT is an established global phenomenon, ETSI’s world-leading work in that field can help to improve security for a variety of devices and appliances. Alex Leadbeater, Chair of the ETSI Technical Committee CYBER, in our “spotlight” is leading us through our current and future activities for the consumer market. The ETSI EN 303 645 standard is a first of its kind and is already a highly successful achievement with worldwide uptake by manufacturers who now benefit from several certification schemes to enhance the security of their products. Today the Roborock vacuum cleaner has been certified by TÜV Rheinland against the ETSI standard. And more recently, Midea dishwashers, air conditioners and dehumidifiers have all been certified by TÜV SÜD as Luffy Deng explains in our showcase on page 16. In the future, consumers can expect more secured IoT home devices in their living room, kitchen, to unlock their door and make their life easier.

In the Spotlight

Standards to the rescue: Saving IoT security for consumers
As more devices in our homes connect to the internet and as people entrust their personal data to an increasing number of services, the cybersecurity of the Internet of Things (IoT) has become a growing concern. Consumer IoT is an established global phenomenon, with its security improved by ETSI’s world-leading work on Consumer IoT security.

ETSI’s Consumer IoT Security work demonstrates the value of standards; one innovative and high-quality standard has underpinned many assurance schemes and provided flexibility in certification, whilst achieving a world-leading increase in baseline security.

EN 303 645 provides a significant security baseline, achievable by SMEs.

From dishwashers to doorbells…
With an explosion in marketability, IoT has become commonplace in the home – from health trackers to home assistants, from smart TVs to smart lightbulbs, and from dishwashers to doorbells. Estimates regularly state there are more than 30 billion connected devices in the world today, with the consumer IoT sector showing no signs of slowing down its growth.

New devices, same old security issues
But when a market moves quickly, the pressure to be first to innovate can result in a loss of dedicated security effort. This happened in consumer IoT, where default passwords are widespread and poorly secured products threaten consumers’ privacy, and some devices are exploited by attackers to launch large-scale DDoS cyber attacks, mine cryptocurrency and spy on users in their own homes.

Standards to the rescue - saving IoT security
Two years ago, ETSI TC CYBER published the first globally applicable standard on IoT security to address these security shortcomings, encouraging manufacturers to build security into IoT products from their design, rather than awkwardly bolting security measures on at the end. This baseline focuses on 13 security areas as well as data protection.

This standard achieved global adoption and evolved into an EN standard, EN 303 645, designed to prevent large-scale, prevalent attacks against smart devices that cybersecurity experts see every day. It establishes a security baseline for connected consumer products and provides a basis for future IoT certification schemes.

ETSI EN 303 645 supports a good security baseline for connected consumer products, provisioning a set of recommendations for 13 security areas, with the top three being: no default passwords, implement a vulnerability disclosure policy, and keep software updated. There are also specific data protection provisions for consumer IoT devices.

Global uptake and accreditation schemes

ETSI EN 303 645 is a cohesive and achievable standard that provides a single target for manufacturers and IoT stakeholders to attain. It’s no surprise, given the urgent need for increased security in this sector and the momentum in ETSI’s work, that many organizations have already based their products and certification schemes on EN 303 645.

These include:

• Singapore’s national Cybersecurity Labelling Scheme
• Finland’s national consumer IoT certification scheme
• PSA Certified (backed by Arm)
• The Global Certification Forum accreditation
• TÜV SÜD testing
• TÜV Rheinland worldwide testing and certification
• VDE Institute testing
• SESIP by Global Platform mapping
• SGS IoT Testing and Conformity Assessment Program
• DEKRA security evaluations
• UL’s IoT Security Rating assessment, verification and labeling solution
• Safeshark and BSI IoT cyber security assessments, testing and certification
• And many more: Eurosmart, KIWA, Secura, Nemko, ACCS, IASME…

[Image: SMART HOME : EN 303 645. © ETSI]

The future of Consumer IoT Security

Yet, we are not done! TC CYBER’s dedication to improve IoT security is ongoing, and currently includes the development of three further standards to complement and support EN 303 645: an assessment specification, an implementation guide, and a vertical smart door lock standard.

1. The assessment specification specifies baseline conformance assessments against the provisions of ETSI EN 303 645. It sets out mandatory and recommended assessments, to be used by testing labs, certifying bodies and manufacturers that wish to carry out a self-assessment. Completion is targeted for summer 2021 – so get involved soon!
2. The implementation guide gives easy-to-use guidance to help manufacturers and other stakeholders to meet the provisions defined for Consumer IoT devices in ETSI EN 303 645. It sets out example implementations that meet the provisions in the EN.
3. As ETSI EN 303 645 provides a baseline that spans a variety of consumer IoT devices, sometimes additional sector-specific requirements need to be stipulated to standardize device security. Currently, TC CYBER is working on one such vertical standard for smart door locks, based on ETSI EN 303 645 (read our interview on page 4-5).

ETSI’s Consumer IoT Security work can’t stop gaining momentum! These initiatives demonstrate the value of quality and timely standards. One innovative and high-quality standard has underpinned many assurance schemes and provided flexibility in certification - whilst maintaining a world-leading security baseline for a huge security problem.

Alex Leadbeater, ETSI’s Chair TC CYBER.

In the Spotlight-Showcase

Midea and TÜV SÜD
join forces to inspire trust
in smart-home appliances
People-focused technology can make our home life smarter and happier. However,
cybersecurity and the protection of personal data are critical considerations whenever
people enjoy the convenience of their smart homes.

Addressing consumer concerns

Improving cybersecurity and data protection capabilities of smart home devices and building customers’ trust are among the top priorities of consumer IoT manufacturers. In keeping with its vision of “bringing great innovations to life”, the Midea Group is committed to a systematic smart home security and privacy programme in accordance with international and industry standards, which extends from lower-level hardware to user-friendly software and covers threat and risk monitoring, cloud security and the security of connection modules and chips, apps and smart-home appliances. Given this, Midea has joined forces with TÜV SÜD for the assessment of its smart-home appliances in accordance with the ETSI EN 303 645 standard to ensure best practices in data security and data protection.

First appliances compliant with EN 303 645

TÜV SÜD, a leading global provider of quality, safety and sustainability solutions, assessed the implementation of important security baseline functions against the 14 provisions of the ETSI EN 303 645 standard. The relevant mandatory provisions of the standard address product design, mobile application, communication and document review. For example, to keep software updated, the update communication of Midea IoT appliances is established over a secure channel encrypted by a dynamic session AES256 key. In addition, the update also ensures not only the mutual authentication by RSA 2038 but also the integrity check by SHA256. Once the update is completed, a user may receive a notification pop-up on the APP. TÜV SÜD then tested several series of Midea dishwashers, air conditioners and dehumidifiers and issued certificates of conformity with the ETSI EN 303 645 standard, which help to inspire consumer trust in the use of smart-home appliances.

Technology makes life better but consumer protection requires the joint efforts of all parties. With “4S + 1M” (Cloud Security, Communication Security, Smart Home Appliance Security, Application Security, and Data Protection Management), smart home business group Midea has developed a comprehensive framework for smart-home cybersecurity, privacy and data protection which it continually improves and advances in accordance with various international and industry standards.

ETSI has revised and improved the standards in line with the state of the art, providing a vital basis and operational guidelines for consumer protection. The testing and certification organisation TÜV SÜD has been passionate about technology since day one and strives to inspire trust and add value.

Luffy Deng, Senior Project Engineer, TÜV SÜD Shenzhen.

Working Together

“Localized” certification:
the Indian example
Global standards ensure that products will be able to address markets beyond national
or regional borders. However, attention needs to be given to the local certification
programmes that may ultimately bring in additional requirements for local market access.
Discover how ETSI works towards minimizing such cases through international cooperation.

Ready?

So your product is ready, in line with the latest global standards it has to comply with. Everything is ready for distribution in your region and you are eyeing other markets, your team abroad reports great demand for this new product and sales prospects are bright. But there is a catch: to begin distribution of your product, you need to get a stamp stating that it meets all the local requirements. Ideally, it should only be a matter of showing the test results obtained when preparing for distribution in your first target market. Unfortunately, such recognition is not always possible and upon inspection, local compliance testing appears to tweak and add requirements in such manner that there is no avoiding running another full round of testing, with a locally accredited laboratory. This costs time and money and therefore affects the product’s time to market and price.

Partners will help

ETSI and the Partnership Projects it is part of (3GPP, oneM2M) strive to deliver a full package: use cases and requirements, architecture and technical solutions, as well as testing specifications used to verify conformance/interoperability. Such specifications need to be leveraged to the maximum extent when establishing technical requirements for market access. Leveraging its Partners network and through projects like SESEC, SESEI, EU-India or InDiCo, ETSI brings players together, in technical and political spheres, to assess discrepancies in certification requirements for ICT products and work towards increasing commonality, with partial or full recognition of testing/certification results already obtained.

The Indian example

ETSI, the European Commission and the Delegation of the European Union in Delhi have recently worked with members of the European industry and of the Indian government to understand and compare the European requirements re. safety and EMC to those from India’s Mandatory Testing and Certification of Telecom Equipment (MTCTE). Subsequently, representatives of India’s Telecom Engineering Center (in charge of MTCTE) visited key European laboratories to fully grasp the extent of the testing performed, even for products meeting requirements of legislation developed under the lightweight New Legislative Framework.

The work continues with exchanges on security requirements for telecom equipment, looking at the European 5G Toolbox, the 3GPP specifications, the GSMA NESAS and the Indian Telecom Security Assurance Requirements (ITSAR). This will in the end result in closer alignment of the requirements in Europe and India and reduce additional efforts in the testing of products aimed at both markets. Similar initiatives will take place in other countries/regions as needed.

Xavier Piednoir, Head of External Relations, ETSI.

Blockchain

An Industrial Framework
for Blockchains
The general public is familiar with blockchains through the popular cryptocurrency
Bitcoin but there is much more to it, and distributed ledgers are important tools to address
industry and governmental institutions.

Blockchain or not blockchain?

Often identified with the catchy name of blockchains, distributed ledgers have brought a wide range of disruptive applications enabling highly valuable goals such as data sovereignty or disintermediation. Distributed ledgers store any kind of data as a consensus of replicated, shared, and synchronized digital records distributed across multiple sites, without depending on any central administrator. They provide as main features immutability (and therefore non-repudiation) and multi-party verifiability of the stored data and their temporal succession, addressing a wide range of application scenarios, and new interaction models among those entities willing to record the transactions associated to those interactions through these ledgers.

Distributed ledgers

These technologies have become the intrinsic foundation of today’s secure decentralized cryptocurrencies, and distributed ledgers owe their popularity and many of the main use cases to this fact, focusing on different ways to provide decentralized multi-party compensation and therefore avoid the need for centralized clearinghouses. But we must not forget we are talking about the many additional scenarios where a consensual, replicated, and synchronized data ledger could become a game changer. While distributed ledgers are mostly known because of their use as cryptocurrencies, there are many other uses besides them, with examples such as smart contracts, support to digital identity attributes, object tracking, or the verification of service level agreements.

Permissioned and permissionless

Further on, it is important to remark that distributed ledgers can be considered as permissioned or permissionless, regarding the requirements for a node to be approved to validate the transactions and record them on the ledger. While permissionless ledgers are the ones that have received most attention from the general public, with the paradigmatic example of Bitcoin, permissioned distributed ledgers are the ones best qualified to address most of the use cases of interest to the industry and governmental institutions. This is due to reasons both technical and organisational. Among the technical ones we can consider the cost and delay of the recording of a transaction, the cost of the consensus algorithm, or the preservation of fairness among participants. In the second category, the most relevant are the support from external legal agreements and the regulatory enforcement in critical sectors.

Fig. 1: ETSI PDL reference framework. Blocks shown: Applications and Services; APIs and Tooling; Templates; PDL Platform; PDL; Platform Management and Governance Support; Infrastructure. © ETSI

Permissioned Distributed Ledger in ETSI

Within the ETSI Industry Specification Group on Permissioned Distributed Ledger (ISG PDL), we have been working for the last two years on analysing and providing the foundations for the operation of permissioned distributed ledgers. The group has already produced a first set of documents, and a second term has recently started, with the ultimate purpose of creating an open ecosystem of industrial solutions to be deployed by different sectors, fostering the application of these technologies, and therefore contributing to consolidate the trust and dependability on information technologies supported by global, open telecommunications networks.

Fig. 2: Smart contract framework. Stages: Draft template, Terms negotiation, Compile draft, Review, Code verification, Validation, Testing, Deployment, Execution, Termination, grouped into a Planning Phase, a Coding & Testing Phase and a Deployment & Execution Phase. Feedback paths: "Draft doesn’t match with planned contract", "Test output doesn’t match with the requirements", "Online debugging". Legend: SH: Stakeholders; SE: Software Engineers; TE: Testing Engineers; TB: Test Beds; API: Application Programming Interface; SB: Standardization Bodies. © ETSI

Collaborative work

The ISG PDL works in tight coordination with other groups in ETSI and elsewhere, including open-source initiatives and a clear connection with research activities, especially the collaborative research projects within framework programmes such as Horizon 2020 and the future Horizon Europe. As in other ETSI ISGs on transformative technologies, the group work items are oriented to produce not only specifications of normative nature, but also informative deliverables in the form of technology reports and recommendations for future work, and, what is especially relevant in an environment as populous as distributed ledger standardization, demonstrative deliverables focused on the execution of proof-of-concept demonstrations and on supporting early interoperability assessment events. Two of these proofs of concept have already been carried out.

Achievements

During its first term, the group started by addressing a landscape document, intended to identify current activities in standardization and research which are particularly relevant to the PDL activities. Apart from identifying opportunities and gaps to address, this spawned a specific activity focused on the identification and collaboration of research projects, which has translated into the direct involvement of several of these projects willing to progress in the standardization of their results.

The group has produced another report as a result of examining the essential needs in terms of trust, security and effective conformity assessment, analysing essential requirements for PDL technology to ensure regulatory compliance to preserve security and privacy in the conduits providing the data to be incorporated into the ledgers. Work on applicability foundations was completed by another report describing potential application scenarios for the operation of PDLs, including provision models with special emphasis on ‘as-a-service’ paradigms, PDL infrastructure governance aspects, and identifying the definition of common terms to be used in our future standardization work.

The last work completed by the PDL group is a report on smart contracts, their components, planning, coding and testing. The scope of this report covers a reference architecture of the technology enabling smart contracts, the methods for engaging in a smart contract using this architecture, and a discussion on possible threats and limitations.

For its new term, the ISG PDL continues its work on ledger interoperability as a cornerstone for the operational framework and has already started working on key aspects such as the interaction with federated data frameworks and off-line operation. The group is committed to ensuring the application of its principles and work items in new application environments, especially those enabled by the emergence of next-generation networking infrastructures, such as those related to resource trading at all levels, from compute nodes to spectrum, as well as new industrial scenarios.

Diego Lopez, Chair ETSI ISG PDL
