HOME & OFFICE: SWEET AND SECURE? - THE INTERVIEW - ETSI
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
APRIL 2021
THE INTERVIEW
Paul Browne
CTO Assa Abloy UK. p.4-5
TECH HIGHLIGHTS
Deep dive on quantum safe
hybrid key exchange. p.10-11
IN THE SPOTLIGHT
Standards to the rescue: Saving IoT
security for consumers. p.13-14-15
HOME & OFFICE:
SWEET AND SECURE?
Editorial The Interview
Paul Browne,
CTO & Business Development
Director, Assa Abloy UK.
P4/5
Meet the New
Our ubiquitous Standards People
connected P6/7
environment New Member
opens new doors Interview
Ted Ross,
to cybersecurity CEO SpyCloud.
breaches. P8/9
Tech Highlights
Deep dive on quantum safe
hybrid key exchange.
IoT devices have become commonplace To address future needs, our Technology
at home. We open our doors with smart
P10/11
Highlights outlines how to exchange a
locks, switch on light and music with a cryptographic key with classical and post
smart home voice controller and make
sure our cake will be ready on time in our
quantum security and in a second article In the Spotlight
the Vice Chair of our pandemic tracing
smart oven when it’s time for dinner. We Home & Office:
apps group explains how they tackle the
share our computers and tablets among sweet and secure?
challenge of digital fragility. And then, the
family members and overall increase
our activity online, bridging office and
Chair of our Permissioned Distributed P13-15
home when working remotely. But this Ledger group tells us why standards
for distributed ledger technologies
ubiquitous connected environment opens
new doors to cybersecurity breaches (commonly addressed by people as Blockchain
and raises the question of ensuring that blockchain) will be key for industry and An Industrial Framework
our homes and offices are as sweet and governmental institutions. for Blockchains.
secure as we would expect them to be.
In this new edition of Enjoy! we let you To help manage our ever-increasing P18/19
discover how standards come to the online activity, we have also developed
guidelines and standards supporting
What’s On?
rescue to improve security in our private
and professional life. it. US based Digicert explains why
Europe has led the world in unifying Upcoming events.
In the Spotlight section focuses on identity proofing standards. An
our EN 303 645 security guidelines upcoming Plugtest™ will let industry P26/27
for IoT consumer devices which have
test our guidelines for modern Electronic
been adopted by manufacturers and
Registered Delivery Services while our
governmental bodies round the world,
Centre for Testing and Interoperability has
Enjoy! The ETSI Mag
Midea dishwashers being the example of Edited and published by ETSI
our showcase. developed a now popular free online tool
that performs numerous checks to verify Quarterly edition
Copyright ETSI 2021
SpyCloud CEO Ted Ross, one of our the conformity of the ETSI Advanced
Director of Publications: Nadja Rachow
new members, explains why human Electronic Signatures, those we use for
intelligence remains key to prevent cyber Editor-in-Chief: Claire Boyer
signing contracts online.
crimes while in an exclusive interview, Design: Le Principe de Stappler
Assa Abloy UK CTO, Paul Browne, tells And there’s more, so now
Editorial office: ETSI,
us how ARGE, the European Federation Enjoy reading! 650 route des Lucioles,
of Associations of Locks & Builders 06560 Valbonne France
Hardware Manufacturers can contribute to Luis Jorge Romero, Tel.: +33 (0)4 92 94 43 35
cybersecurity standards for smart homes. Director-General ETSI enjoy@etsi.org
2 ENJOY THE ETSI MAG
News Roundup
ETSI IoT Week 2021
goes virtual
The ETSI IoT Week is back on 26-30 April 2021 as a fully virtual
event providing the latest IoT industry and standards updates.
This year’s edition will focus on the major IoT standards
achievements that support the digitalization of society, business,
and multiple Industries across numerous sectors. It will also
focus on how such digitalization enables countermeasures
against the current pandemic. The event will cover oneM2M
with service experiences and best practices; IoT in the face of ETSI IoT week
the pandemic addressing digitalization and countermeasures; Virtual
IoT cybersecurity for consumers, smart cities, e-Health and 26-30 April
SMEs; Artificial Intelligence in IoT as well as other key topics.
Register Now!
New group on IPv6
Enhanced Innovation
In the 5G and cloud era, IPv6 will grow rapidly. Strengthening
new generation IP network technologies based on IPv6 and its
innovative technologies has become the common direction of
the IP industry.
To tackle the increasing Industry needs for IPv6 adoption in
multiple use cases and scenarios, ETSI has recently launched
ISG IPv6 Enhanced innovation (IPE). IPE members include
45 organizations to date, comprising carriers, vendors, and
academia, working together to improve the industry ecosystem
and accelerate innovation.
The group will first analyse the current landscape of existing IPv6
standards deployed on prime technologies such as 5G, IoT and
Cloud Computing to identify gaps and thus accelerate IPv6-
based innovations. Two other reports will cover data centre and
Cloud use cases on one hand and 5G Transport use cases on
the other hand. The last pieces of work will define Industrial IoT/
enterprise requirements and IPv6 only transition requirements
across new and evolving technology domains and areas.
ETSI at ENISA Cybersecurity Standardization Conference
The European Standards Organizations, CEN, CENELEC and and Board Chair as well as several cybersecurity experts from
ETSI, joined forces with ENISA, the European Union Agency for the technical committee CYBER and 3GPP outlined ETSI’s
Cybersecurity, to organize their annual conference virtually this strong achievements for enterprise and consumer cybersecurity
year. The event, which took place from 2 to 4 February, attracted standards and its input to harmonized legislation with testability
some 1500 participants from the EU and from around the world. of security requirements. They highlighted as well ETSI’s
The conference addressed standardization in relation to the Radio contribution to the Cybersecurity Act as regards consumer IoT
Equipment Directive (RED) and certification under the provisions security, 5G Network Security Assurance, Trust Services, and AI
of the Cybersecurity Act (CSA). ETSI Director-General, GA Chair security.
ENJOY THE ETSI MAG 3
The Interview
From his CTO office in the
UK, Paul Browne tells us
why an association of locks
and builders hardware
manufacturers entered
the world of cybersecurity
standardization.
How did ASSA ABLOY, a leading
hardware locks manufacturer,
enter the digital lock market?
It started ten years ago when we, in
ASSA ABLOY UK, developed a digital
door lock for residential use. At the time,
we already had extensive experience
in home security systems and we had
the vision that people’s homes in
Europe would eventually become
connected so that they could
have the convenience and
the security of controlling
devices around their home.
Paul Browne
CTO & Business Development Director, Assa Abloy UK, Board Member ARGE
Paul Browne is the Chief Technology Officer and Business In 2000, he joined ASSA ABLOY where he now leads product
Development Director of ASSA ABLOY UK. He started his innovation and new product introductions as well as business
career at Creda, the largest manufacturer of white goods in development and strategy across channels, products and end-
the UK, which became part of a joint venture between GE user markets. He is also responsible for standards development
USA and General Electric Company (GEC UK) held several and IP. Paul is a Board Member of ARGE, the European Federation
executive sales and marketing positions in the company before of Associations of Locks & Builders Hardware Manufacturers,
becoming the general manager of one of their business divisions. member of ETSI.
4 ENJOY THE ETSI MAG
It was at about that time that ASSA ABLOY digital or smart door locks to be secure In parallel, we found out that ENISA’s
acquired iRevo, a Korean company, and, at the time, there was no standard remit is to develop certification schemes,
which was the largest manufacturer of to reassure them. particularly for consumer IoT devices.
digital door locks for home use in the
world. You have to bear in mind that in You mean that the standard So, certification schemes
Korea, at least 50 to 60% of all homes, was actually initiated at the are important as well?
probably more now, have a digital door consumers’ request? Yes, we’ve been participating in ENISA’s
lock. Absolutely. The best standards Cyber Certification Stakeholder Group
originate from end users. The worst and feeding back into the Union’s Rolling
standards are those that are imposed Work Programme. In the European
“In Korea, at least 50 to by central governments or by European Commission, it’s very clear that there is an
governments. We therefore started appetite to develop certification schemes
60% of all homes have working with our national standards for consumer IoT devices. They see this
a digital door lock.” body, the British Standards Institute, as being important, but they also see
to develop a technical specification for that the level of home security connected
digital door locks. But we wanted to devices needs to be somewhere between
So for us as a manufacturer, digital door develop a performance standard which
locks, and in particular now smart door would give consumers the reassurance
locks, have a strategic importance. that the products are secure, that would “The EC wants to
give insurance companies a standard on
What are the benefits of digital which to base home insurance policies, develop certification
locks for the market? and that would enable the police and schemes for consumer
If I take the UK market, we sell a locksmiths to give guidance and advice IoT devices.”
mechanical door lock for around 25 euros, to consumers.
and that will last 20 years. A digital door Since connected IoT devices are a
lock typically costs 200 to 300 euros and relatively new marketplace, we felt that
will last ten years or so. You can see that unless we got a performance standard “substantial” and “high”, which backs
from a commercial point of view, digital in place, with locks being potentially into our thinking.
door locks and smart door locks are a vulnerable to cyberattacks, that this Within the ETSI cyber group, they
terrific opportunity for manufacturers. would damage the credibility and the identified that a smart door lock technical
Now when you look at it from a consumer reputation of the market before it even specification could form a pilot for a
point of view, smart locks bring enhanced took off. vertical product certification scheme. A
functionality. People can send keys by smart lock standard is holistic in nature
phone to family members, allow access
And this is when you heard but adding the cyber security aspect
to their homes, or check on the status of
about ETSI? combined into a certification scheme
their doors and windows remotely. But Yes, that was two years ago when I met will reassure consumers. For example,
unlike mechanical door locks, the life with the Minister of the UK Department in the UK, they will see the Kitemark
cycles of digital door locks change every for Digital, Culture, Media and Sport, certification logo on the box, in France,
two, three or five years. So as you can along with other suppliers of smart home that might be the A2P logo.
see, the whole dynamic is more exciting, products. It was clear that the DCMS But as I said earlier, we were thinking of a
more appealing. Digital and smart door was keen to address the security of IoT whole series of standards.
locks, but also smart alarms, smart home devices from a cybersecurity standpoint.
security are a big opportunity for the That’s where we found out that the This series of standards would be
end user’s enhanced lifestyle and for the DCMS had worked in ETSI TC CYBER developed in ETSI?
industry. to develop the technical specification TS Yes, to complement the smart door
However, when we launched our digital 103 645. lock, they would address vertical sector
door lock around 2010 in the UK, we That was when ARGE, in its role as the products such as connected alarms,
had a problem. The police, insurance European Industry Association, made connected CCTV, connected door
companies and the locksmiths were an important decision. As hardware viewers, and so on.
asking us to develop a standard at the manufacturers in ARGE, we knew that What we like about ETSI is the fact
request of consumers who wanted their we could identify the standards for the that they recognize and appreciate
mechanical, electromechanical and that product life cycles are shorter, that
the electronic aspects of a smart door technology and cyberattacks change.
“The police, insurance lock with CEN, but we were lacking on And they adopt a much more flexible and
companies and the the cybersecurity aspect. During that pragmatic approach to standardization
meeting, we realized that the experts and developing technical specifications
locksmiths were were in ETSI. So last year, when ARGE than other standards bodies. So, for us
asking us to develop became a member of ETSI and we joined at ARGE the way that ETSI approached
a standard.” TC CYBER, we suggested that we create the whole concept of certification and
a smart door lock technical specification, standardization for connected IoT
which is currently under development. devices for the home is very appropriate.
ENJOY THE ETSI MAG 5
Meet the New Standards People
Welcome to our NEW
members
Avanti Communications,
United Kingdom
Avanti Communications is a world leading provider of agile, evolutionQ, USA
secure and pioneering satellite technology across Europe, the evolutionQ provides information on quantum-safe services.
Middle East and Africa. They have a proven track record of evolutionQ offers a standard set of services proven to help
satellite connectivity services, and bring a world of opportunities ensure your company’s quantum-safe cyber security migration is
to carriers, defence and security departments, government progressive, sensible and orderly.
agencies and the satellite industry.
Exacta Global Smart Solutions, USA
Bandwidth, USA Exacta offers a range of services that help companies bring
Bandwidth provides cloud-ready voice, messaging, and Internet of Things solutions based on the oneM2M global
emergency service connectivity built for the enterprise. It is the standard from concept to deployment. It offers oneM2M project
only API platform provider that owns a Tier 1 network that gives support, oneM2M training, support for deployment of the industry
better quality, rates, and control. It is also a leader in the cloud recognized Chordant implementation of oneM2M service layer.
communications space, uniquely positioned to have enterprises
who need high reliability and scale.
Gatehouse Satcom A/S, Denmark
Commsquare NV, Belgium GateHouse delivers the software that guarantees effective and
secure communication between systems. They support live
Commsquare provides mobile data network monitoring, analysis tracking and monitoring of more than 150,000 assets within
and optimisation products and services, helping mobile operators different businesses and delivers mission critical solutions in
measure network performance and extract actionable business satellite communication for maritime authorities, coastguards,
intelligence. Their products and services deliver a holistic view ports and related businesses.
of radio access and PS data network performance from a
subscriber’s point of view.
IASME, United Kingdom
eID - Electronic Identification, Spain IASME is a cyber security business with products and services
dedicated to help individuals and organizations to protect
eID is the leading provider of remote user iDentification systems themselves against cyber-attacks. The IASME Governance
via video streaming. It created VideoID which identifies the User assessment includes a Cyber Essentials assessment and GDPR
in seconds and offers the same level of security as the face-to- requirements and is available either as a self-assessment or on-
face iDentification made in a commercial office. site audit.
LA (European Lift Association),
E Innovile, Spain
Belgium Innovile provides smart network management and optimisation
ELA represents the lifts, escalators and moving walks active solutions and services. Innovile offers a wide range of innovative
associations and their components manufacturers in the and future-proof portfolio of self-organising network, configuration
European Union and the European Free Trade Area. It has management, performance management and expert services
become the main communication vector of this industry to the that empower mobile network operators with real-time network
European Commission and the European Parliament. intelligence and operational dynamics.
6 ENJOY THE ETSI MAG
ISEE SSU, Ukraine Schindler, Switzerland
The Ukrainian scientific and research Institute of special Schindler is one of the world’s leading providers of elevators,
equipment and forensic expertise of SSU is part of the Security escalators, and moving walks, as well as maintenance and
Service of the Ukraine and ensures cyber security of the state modernization services. The company specializes in the
thanks to complex measures to counter online terrorism, prevent latest-technology engineering, as well as mechanical and
cyber espionage, defeat hacker attacks and refute subversive microprocessor technology products designed and tested for
activities online. safety, comfort, efficiency and reliability.
Kimeggi, France SK ID Solutions AS, Estonia
Kimeggi consulting provides support to business in radio SK ID Solutions (SK) specializes in international e-identity
strategy, radio solutions and standardization. They currently solutions. They enable citizens of different countries to log in to
monitor, attend and/or contribute in many committees to bring e-services and give electronic signatures. Their main business
the most up-to-date information on standards, technologies and is the certification and time-stamping service developing
spectrum regulations. technology and applications for electronic signing and their
validation services.
MaxLinear, USA
MaxLinear delivers high-performance broadband and networking SpyCloud Inc., USA
semiconductors based on its highly integrated radio frequency SpyCloud prevents online fraud via solutions which protect
analogue technology, high-performance optical networking billions of employee and consumer accounts from account
technology and its pioneering MoCA and direct broadcast satellite takeover. They are the trusted account takeover fraud prevention
ODU single-wire technology. Customers include telephone, cable partner for B2B organizations and consumer brands and some of
and satellite operators, set-top box manufacturers, networking the most innovative financial services, retailers, and technology
equipment and consumer technology providers. companies around the globe.
Mercedes-Benz, Germany Universidad de Malaga, Spain
Mercedes-Benz AG is one of the largest manufacturers of Málaga University (UMA) is a public institution which promotes
premium passenger cars. The company aspires to be leading outstanding research and teaching within the European Higher
in the fields of connectivity, automated driving and alternative Education Area. It follows an educational model to promote
drives. With over 40 production sites on four continents, they competitive, quality teaching which is employment-orientated
align themselves to meet the requirements of electric mobility. and accredited in Europe.
ENJOY THE ETSI MAG 7
New Member Interview
In this exclusive interview,
SpyCloud CEO and founder
shares his insight on the
company’s mission to make
the internet a safer place
by preventing criminals
from profiting from stolen
information.
Are you seeing any trends in
cyberattacks so far in 2021?
It pains me to say it, but what we saw the
start of in 2020 – attacks resulting from
our collective pivot to digitally managed
lives – has spilled over into 2021. This
shift to remote work, virtual school and
online food shopping has substantially
expanded the attack surface for both
individuals and organizations, and
criminals are taking advantage. People
are sharing devices among family
members at home, increasing the
amount of activities done online, and
managing new accounts – some that
reuse compromised passwords already
in criminals’ hands.
Ted Ross
CEO & Co-Founder of SpyCloud
Ted Ross is an industry veteran of at TippingPoint, and VP of the Office of state threat groups that, at the time of
twenty-nine years in the network and Advanced Technology at HP. publication, were considered to be the
security industries. His career began in At HP, he created a new team and most comprehensive reports on select
the U.S. Air Force, after which he became built the threat intelligence practice adversarial nations’ cyber capabilities.
Director of Network Engineering at from the ground up as Director, Threat After HP, Ted led Exodus Intelligence as
West Corp, Strategy Architect at Intelligence, HP Security Research. CEO. In 2016, Ted launched SpyCloud
Walmart, Executive Technology Director This team created reports on nation- as CEO and Co-Founder.
8 ENJOY THE ETSI MAG
All of this aids our daily lives, and I think a attackers at their own game, negating plaintext passwords that enable easy
lot of businesses would say they’ve seen the value of the stolen information before matching to users’ credentials. The
a rise in productivity since the start of they have a chance to use it. process to parse and normalize that data
the pandemic, but it also provides threat and make it machine-readable requires
SpyCloud fuels global enterprises’
actors with a plethora of new targets. ability to safeguard more than 2 billion extensive technology – not to mention the
So far this year, we’re seeing criminals employees’ and consumers’ accounts automation required to crack passwords
continue to leverage the tactics they from cyberattacks including account at scale. Without cracking passwords,
found most profitable last year: malware takeover and follow-on attacks like credit there would be no way for enterprises to
campaigns designed to siphon personal card fraud, phishing, ransomware and exactly match passwords to determine
more, which can be extremely costly and if a user’s account is truly compromised
disruptive. and worth the little bit of friction to force
a password reset or fire off MFA.
“So far this year, we’re You state that you’re using Human
seeing criminals Intelligence for breach data You have joined ETSI’s TC CYBER
continue to leverage collection; in the AI era, it sounds lately, what is the added value of
anachronistic. Can you elaborate standardization for your activity?
the tactics they found
on this?
most profitable last SpyCloud is often the first to confirm
The vast majority of the valuable breach
year.” data we collect is via human intelligence
to victim organizations that a breach
has occurred, and we want to leverage
(HUMINT) – SpyCloud researchers
our industry-leading capabilities and
embedded in the criminal underground
and machine data from victims, phishing who social engineer data from bad database to work as a good citizen with
attacks aimed at stealing credentials actors within days after a breach. These others in the industry to help alleviate
(which then often lead to ransomware researchers are specialists in their field, account takeover and its associated
attacks), and credential stuffing with extensive expertise that isn’t easy to cybercrime. SpyCloud has joined ETSI
(often represented by the media as replicate. The reason we rely on HUMINT TC Cyber so we can more effectively and
a ‘data breach,’ when in fact it’s just openly collaborate with other industry
criminals performing account takeover leaders to put effective standards in
by leveraging old passwords on new place that can most optimally benefit
“Human intelligence
accounts). enterprises and consumers globally.
can deliver data much ETSI’s work on Mobile Device and IoT
How do you protect customers sooner than dark web security guidelines and best practices are
from Account Takeover Fraud? scanning.” complementary to the use of SpyCloud’s
Criminals are clever and will keep data – and the use of a corpus of recovered
inventing ways to steal from you, and breach data or recovered botnet logs
users will keep making mistakes that could provide valuable data points that
is because it delivers data so much sooner
put their accounts at risk. There is one augment existing security best practices.
than dark web scanning. Most people
sure-fire way to get ahead of account don’t realize that by the time data shows For example, even if a device appears
takeover, which is to check users’ up on the dark web, it could be years after to be “secure” both at the hardware and
account credentials against recently- the breach occurred. By that time, the data software levels, it may be of value to also
breached data and identify compromised has been fully monetized and is of very little know if any other factors associated with
accounts. Then you have the choice value. We’re focused on the early part of the that device are compromised, such as the
breach timeline, when the data is fresh and user’s account, password, IP address, or
most valuable to criminals. In fact, human phone number.
“To stop Account intelligence capabilities enable us to be the
Takeover Fraud, you first to find out a breach has occurred and
notify the affected victim organization. “ETSI’s work on
need to beat attackers
All that said, automated technology is still Mobile Device and IoT
at their own game.”
critical to the process of making breach security guidelines
data ingestible by enterprises. and best practices
to force a password reset or send the are complementary to
user through a step-up authentication
Tell us more about the technology
that underlies HUMINT. the use of SpyCloud’s
process, proving that the user is who they
claim to be and not a criminal leveraging Breach data isn’t delivered in a neat
data.”
a stolen password. The goal is to beat .csv file with standardized columns and
ENJOY THE ETSI MAG 9
Tech Highlights
Deep dive on quantum safe
hybrid key exchange
Engineers and developers can now rely on ETSI’s specification to exchange a
cryptographic key with classical and post quantum security and build, test and deploy
quantum-resistant ICT systems today.
of this data, it could result in the loss of
confidentiality.
ETSI has worked on the issue and the
CYBER Quantum-safe Cryptography
group developed ETSI TS 103 744, a
Technical Specification that defines how
to exchange a cryptographic key with
classical and post quantum security.
The specification called “CYBER;
Quantum-safe Hybrid Key Exchanges,”
combines a classical elliptic curve Diffie-
Hellman ephemeral (ECDHE) exchange
with a proposed post-quantum key
encapsulation mechanism (KEM) from
the NIST Round 3 candidates. Hybrid
Standards and Technology (NIST) Post- key exchanges are a migration technique
Some Quantum Cryptography Standardization to move to quantum-safe technology in
background Process
submissions
is evaluating
for
solicited
quantum-resilient
advance.
We know from experience it takes
In 1994, Peter Shor showed how to public-key cryptographic algorithms and
a decade to adopt new public-key
factor large RSA modulus and solve has announced is 3rd Round finalists.
algorithms into ICT systems. It starts
the discrete log problem. His algorithm ETSI TS 103 744 specification is using a
with in-depth analysis of the fundamental
breaks the public key cryptosystems mechanism from these candidates.
security claims of the algorithm,
we use today for public-key based key
exchanges but it requires a large-scale,
fault-tolerant quantum computer to break
The problem testing and standardization. Once the
cryptographic standard is complete,
cryptographically relevant instances of statement engineers and developers can include
it into other ICT standards. We can
ECC and RSA. As we know, there are a
Today, the existing key exchanges are parallelize this work today to reduce the
number of challenges in building such a
at risk from a future adversary with a time to deploy standardized quantum-
computer and while progress is routinely
quantum computer. Many Information safe systems, ensuring the long-lived
made on these challenges, it is uncertain
and Communication Technology confidentiality of data in ICT systems. By
if or when such a quantum computer will
(ICT) solutions utilize these public- standardizing and using quantum-safe
be available. Yet, we need to anticipate
key mechanisms to provide long-term hybrid key exchanges, we can define and
and work on quantum-safe cryptography.
confidentiality. The confidentiality deploy ICT systems today that provide
Post-quantum or quantum-safe requirement of the data in these ICT
both classical and quantum-resistant
cryptography refers to cryptographic systems vary from short-lived (days and
security.
schemes for which there is no known months) to long-lived (20-30 years). If a
vulnerability by a large-scale quantum large-scale quantum computer arrived n Matthew Campagna, Chair of the ETSI Quantum
computer. The National Institute of on the market during the security lifetime Safe Cryptography working group.
10 ENJOY THE ETSI MAGDigital fragility: a challenge faced
by COVID-19 tracing apps
“Fragility” is not a term that one hears or reads very often when it comes to digital. “Agility”
is much more common, particularly when it refers to the buzzword “agile”. It seems now
that everything must be agile: every business, every system and, to a certain extent, every
one of us must be agile. The recently released “Comparison of existing pandemic contact
tracing systems” Report, developed by ETSI’s E4P group, includes the term “digital fragility”
among its definitions in its clause dedicated to terms, symbols and abbreviations.
GDPR & ePrivacy legislation and, last requisites. Stay tuned, you will be able to
Digital fragility but not least, the relevance of protecting enjoy them in the following weeks!
Today, “digital” permeates all aspects the networks against cyber attacks. Two
In summary, attention should be paid to
of society and will continue doing so. months later, as a result of this joint effort,
the number of digital risks, from software
Fragility, unfortunately, permeates all ETSI E4P held its kick-off meeting on 26
glitch, error, negligence, misuse or fraud
things digital as the overall degree of May.
to even sabotage during the development,
digital dependency also increases. In
such a context, mobile device-based And deployment and operation/use stages of
Government-sponsored digital contact
digital contact tracing is no exception.
Digital fragility can be said to be an entity- cybersecurity tracing systems. These constitute a set
of risks that could threaten the feasibility
organization, system, application, etc.- So far, digital fragility has been present in of any of these counter-pandemic
which may suffer an incident of a “digital” every step taken by experts in the ETSI solutions. Once again, rigour in training,
nature disturbing its normal activity E4P group. The GR E4P-002 considers processes and the availability of these
without, at times, being aware of it. A this issue among the most relevant systems’ source code (which will make
more usual expression would be “weak challenges current digital contact it possible to audit all their details in the
[digital] security”. Indeed, most people tracing systems have to face, along with area of cybersecurity, as should be done
refer to it as a lack of “cybersecurity”. responsiveness, privacy preservation,
regarding trust, ethics, privacy, etc.) will
interoperability, etc. Other incoming
Leading to ETSI’s deliverables describing technical
contribute to minimizing digital contact
tracing’s cyber-fragility.
group requirements of these solutions also
include security recommendations and n Miguel García-Menéndez, Vice Chair ETSI E4P ISG.
On 23 March 2020, as part of the
European Commission’s response to
the coronavirus, the Internal Market
Commissioner, Thierry Breton, held a
videoconference with CEOs of European
telecommunication companies and
GSMA to discuss how to join forces to
mitigate the spread of CoV-SARS-2. On
that day, digital fragility in solutions to fight
the pandemic was mentioned: the need
to discuss telecommunication network
resilience; the need to collect, share
and analyse anonymized metadata for
modelling and predicting the propagation
of the virus; the need to comply with the
ENJOY THE ETSI MAG 11Just Released
ETSI blockchain group releases major Reports
ETSI ISG on Permissioned Distributed Ledger has recently
released Reports to support the need on the part of industry
and government institutions for what is commonly known as
blockchain. ETSI GR PDL 002, “Applicability and compliance to
data processing requirements”, describes the implications of the
conduits used to connect data sources (sensors, gateways etc.) to
distributed ledgers in utility and related industries. The Report also
defines how regulatory aspects for data infrastructure security and
privacy can be satisfied. ETSI GR PDL 003 details the application
scenarios and operational requirements for permissioned ledgers
to help telecom operators, Internet and over-the-top service
providers implement the technology. The latest one, ETSI GR PDL
004, defines an architecture and functional framework for smart
contracts and their planning, coding and testing. “Most ledgers
in ICT have been centralized so far, but the recent approaches
based on distributed ledgers provide higher openness and better
resiliency,” says Diego Lopez, Chair of ETSI ISG PDL.
First Report in Securing
Middlebox Security Artificial Intelligence
Protocols for fine-
grained access The ETSI Securing Artificial Intelligence Industry Specification
Group released its first Group Report, ETSI GR SAI 004, which
control gives an overview of the problem statement regarding the securing
of AI. ETSI SAI is the first standardization initiative dedicated to
securing AI. The Report describes the problem of securing AI-
The ETSI Technical Committee based systems and solutions, with a focus on machine learning,
CYBER has released ETSI TS and the challenges relating to confidentiality, integrity and
103 523-2: Transport Layer MSP availability at each stage of the machine learning lifecycle. It also
(TLMSP), Part 2 of the Middlebox points out some of the broader challenges of AI systems including
Security Protocol (MSP) series, bias, ethics and ability to be explained. A number of different attack
which defines a protocol for varied vectors are outlined, as well as several cases of real-world use and
(fine-grained) access control to attacks. “There are a lot of discussions around AI ethics but none
communications traffic. on standards around securing AI. Yet they are becoming critical to
Middleboxes are vital in modern networks – from new ensure security of AI-based automated networks,” explains Alex
5G deployments, with ever-faster networks that need Leadbeater, Chair of ETSI ISG SAI.
performance management, to resisting new cyberattacks
with evolved threat defence that copes with encrypted
traffic, to VPN provision. Network operators, service
providers, users, enterprises, and small businesses require
being granted varied (fine grained) permissions. ETSI TS
103 523-2, MSP Part 2 addresses this gap by specifying
a protocol that allows fine-grained access and nuanced
permissions for different portions of traffic, allowing
middleboxes to perform their functions securely whilst
keeping up with the rapid pace of technical development.
12 ENJOY THE ETSI MAGIn the Spotlight
HOME & OFFICE:
SWEET AND SECURE?
IoT has become commonplace at home as more devices connect to the internet. People
now share their personal data with an increasing number of services and the cybersecurity
of the Internet of Things (IoT) is a growing concern. If consumer IoT is an established
global phenomenon, ETSI’s world-leading work in that field can help to improve security
for a variety of devices and appliances. Alex Leadbeater, Chair of the ETSI Technical
Committee CYBER, in our “spotlight” is leading us through our current and future
activities for the consumer market. The ETSI EN 303 645 standard is a first of its kind and
is already a highly successful achievement with worldwide uptake by manufacturers who
now benefit from several certification schemes to enhance the security of their products.
Today the Roborock vacuum cleaner has been certified by TUV-Rheinland against the
ETSI standard. And more recently, Midea dishwashers, air conditioners and dehumidifiers
have all been certified by TÜV SÜD as Luffy Deng explains in our showcase on page 16.
In the future, consumers can expect more secured IoT home devices in their living room,
kitchen, to unlock their door and make their life easier.
ENJOY THE ETSI MAG 13In the Spotlight
Standards to the rescue:
Saving IoT security for consumers
As more devices in our homes connect to the internet and as people entrust their personal
data to an increasing number of services, the cybersecurity of the Internet of Things (IoT)
has become a growing concern. Consumer IoT is an established global phenomenon, with
its security improved by ETSI’s world-leading work on Consumer IoT security.
ETSI’s Consumer IoT Security work in a loss of dedicated security effort. This
demonstrates the value of standards; one happened in consumer IoT, where default
innovative and high-quality standard has passwords are widespread and poorly
EN 303 645 provides
underpinned many assurance schemes secured products threaten consumer’s a significant security
and provided flexibility in certification - privacy, and some devices are exploited baseline, achievable
whilst achieving a world-leading increase by attackers to launch large-scale DDoS by SMEs.
in baseline security. cyber attacks, mine cryptocurrency and
spy on users in their own homes.
From protection provisions for consumer IoT
dishwashers to Standards to the devices.
doorbells… rescue - saving
With an explosion in marketability, IoT IoT security
has become commonplace in the home – Two years ago, ETSI TC CYBER
from health trackers to home assistants, published the first globally applicable
from smart TVs to smart lightbulbs, and standard on IoT security to address these
from dishwashers to doorbells. Estimates security shortcomings, encouraging
regularly state there are more than 30 manufacturers to build security into IoT
billion connected devices in the world
products from their design, rather than
today, with the consumer IoT sector
awkwardly bolting security measures on
showing no signs of slowing down its
at the end. This baseline focuses on 13
growth.
security areas as well as data protection.
New devices, This standard achieved global adoption
and evolved into an EN standard, EN 303
same old security 645, designed to prevent large-scale,
issues prevalent attacks against smart devices
that cybersecurity experts see every
But when a market moves quickly, the day. It establishing a security baseline
pressure to be first to innovate can result for connected consumer products and
provides a basis for future IoT certification
schemes.
ETSI EN 303 645 supports a good
The pressure to be first security baseline for connected
to innovate can result consumer products, provisioning a set of
in a loss of dedicated recommendations for 13 security areas,
with the top three being: no default
security effort. passwords, implement a vulnerability
disclosure policy, and keep software
updated. There are also specific data
14 ENJOY THE ETSI MAGGlobal uptake Many organizations
The future of
and accreditation have already based Consumer IoT
schemes their products and
certification schemes
Security
ETSI EN 303 645 is a cohesive and on EN 303 645. Yet, we are not done! TC CYBER’s
achievable standard that provides a dedication to improve IoT security is
single target for manufacturers and IoT ongoing, and currently includes the
stakeholders to attain. It’s no surprise, •T
ÜV Rheinland worldwide testing and development of three further standards
given the urgent need for increased certification to complement and support EN 303
security in this sector and the momentum
•V
DE Institute testing 645: an assessment specification, an
in ETSI’s work, that many organizations
implementation guide, and a vertical
have already based their products and •S
ESIP by Global Platform mapping
smart door lock standard.
certification schemes on EN 303 645.
•S
GS IoT Testing and Conformity
These include: 1. T
he assessment specification specifies
Assessment Program baseline conformance assessments
• Singapore’s national Cybersecurity
Labelling Scheme •D
EKRA security evaluations against the provisions of ETSI EN
•U
L’s IoT Security Rating assessment, 303 645. It sets out mandatory and
• Finland’s national consumer IoT
verification and labeling solution recommended assessments, to be
certification scheme
used by testing labs, certifying bodies
• PSA Certified (backed by Arm) •S
afeshark and BSI IoT cyber security
and manufacturers that wish to carry
• The Global Certification Forum assessments, testing and certification
out a self-assessment. Completion
accreditation •A
nd many more: Eurosmart, KIWA, is targeted for summer 2021 – so get
• TÜV SÜD testing Secura, Nemko, ACCS, IASME… involved soon!
2. The implementation guide gives easy-
to-use guidance to help manufacturers
and other stakeholders to meet the
provisions defined for Consumer IoT
devices in ETSI EN 303 645. It sets out
example implementations that meet
the provisions in the EN.
3. As ETSI EN 303 645 provides a baseline
that spans a variety of consumer
IoT devices, sometimes additional
sector-specific requirements need to
be stipulated to standardize device
S I N G A P O R E security. Currently, TC CYBER is
working on one such vertical standard
for smart door locks, based on ETSI
EN 303 645 (read our interview on
page 4-5).
ETSI’s Consumer IoT Security work can’t
stop gaining momentum! These initiatives
demonstrate the value of quality and
timely standards. One innovative and
high-quality standard has underpinned
many assurance schemes and provided
flexibility in certification - whilst
maintaining a world-leading security
SMART HOME : EN 303 645 baseline for a huge security problem
© ETSI
n Alex Leadbeater, ETSI’s Chair TC CYBER.
ENJOY THE ETSI MAG 15In the Spotlight-Showcase
Midea and TÜV SÜD
join forces to inspire trust
in smart-home appliances
People-focused technology can make our home life smarter and happier. However,
cybersecurity and the protection of personal data are critical considerations whenever
people enjoy the convenience of their smart homes.
product design, mobile application, Security, Smart Home Appliance
Addressing communication and document review. Security, Application Security, and Data
consumer For example, to keep software updated,
the update communication of Midea
Protection Management) smart home
business group Midea has developed
concerns IoT appliances is established over
secure channel encrypted by a dynamic a comprehensive framework for smart-
Improving cybersecurity and data session AES256 key. In addition, the home cybersecurity, privacy and data
protection capabilities of smart home update also ensures not only the mutual protection which it continually improves
devices and building customers’ trust authentication by RSA 2038 but also and advances in accordance with various
are among the top priorities of consumer the integrity check by SHA256. Once international and industry standards.
IoT manufacturers. In keeping with its the updated is completed, a user may
vision of “bringing great innovations to receive notification pop-up on the APP. ETSI has revised and improved the
life”, the Midea Group is committed to TÜV SÜD then tested several series of standards in line with the state of the art,
a systematic smart home security and Midea dishwashers, air conditioners and providing a vital basis and operational
privacy programme in accordance with dehumidifiers and issued certificates of guidelines for consumer protection. The
international and industry standards, conformity with the ETSI EN 303 645
testing and certification organisation
which extends from lower-level hardware standard, which help to inspire consumer
TÜV SÜD has been passionate about
to user-friendly software and covers threat trust in the use of smart-home appliances.
and risk monitoring, cloud security and technology since day one and strives to
Technology makes life better but inspire trust and add value.
the security of connection modules and
consumer protection requires the
chips, apps and smart-home appliances. n L uffy Deng, Senior Project Engineer,
joint efforts of all parties. With “4S +
Given this, Midea has joined forces with
1M” (Cloud Security, Communication TÜV SÜD Shenzhen.
TÜV SÜD for the assessment of its smart-
home appliances in accordance with the
ETSI EN 303 645 standard to ensure
best practices in data security and data
protection.
First appliances
compliant with
EN 303 645
TÜV SÜD, a leading global provider
of quality, safety and sustainability
solutions, assessed the implementation
of important security baseline functions
against the 14 provisions of the ETSI EN
303 645 standard. The relevant mandatory
provisions of the standard address
16 ENJOY THE ETSI MAGWorking Together
“Localized” certification:
the Indian example
Global standards ensure that products will be able to address markets beyond national
or regional borders. However, attention needs to be given to the local certification
programmes that may ultimately bring in additional requirements for local market access.
Discover how ETSI works towards minimizing such cases through international cooperation.
EU-India or InDiCo, ETSI brings players
together, in technical and political spheres,
to assess discrepancies in certification
requirements for ICT products and
work towards increasing commonality,
with partial or full recognition of testing/
certification results already obtained.
The Indian
example
ETSI, the European Commission and the
Delegation of the European Union in Delhi
have recently worked with members of
the European industry and of the Indian
government to understand and compare
the European requirements re. safety and
EMC to those from India’s Mandatory
Testing and Certification of Telecom
Equipment (MTCTE). Subsequently,
representatives of India’s Telecom
Engineering Center (in charge of MTCTE)
visited key European laboratories to fully
manner that there is no avoiding running
Ready? another full round of testing, with a
grasp the extent of the testing performed,
even for products meeting requirements
So your product is ready, in line with the locally accredited laboratory. This costs of legislation developed under the
latest global standards it has to comply time and money and therefore affects the lightweight New Legislative Framework.
with. Everything is ready for distribution product’s time to market and price.
The work continues with exchanges
in your region and you are eyeing other
markets, your team abroad reports great Partners will help on security requirements for telecom
equipment, looking at the European 5G
demand for this new product and sales
ETSI and the Partnership Projects it is part Toolbox, the 3GPP specifications, the
prospects are bright. But there is a catch:
of (3GPP, oneM2M) strive to deliver a full GSMA NESAS and the Indian Telecom
to begin distribution of your product,
package: use cases and requirements, Security Assurance Requirements
you need to get a stamp stating that it
architecture and technical solutions, as (ITSAR). This will in the end result in
meets all the local requirements. Ideally,
well as testing specifications used to closer alignment of the requirements in
it should only be a matter of showing the
verify conformance/interoperability. Such Europe and India and reduce additional
test results obtained when preparing for
specifications need to be leveraged to efforts in the testing of products aimed
distribution in your first target market.
the maximum extent when establishing at both markets. Similar initiatives will
Unfortunately, such recognition is not
take place in other countries/regions as
always possible and upon inspection, technical requirements for market
needed.
local compliance testing appears to access. Leveraging its Partners network
tweak and add requirements in such and through projects like SESEC, SESEI, n Xavier Piednoir, Head of External Relations, ETSI.
ENJOY THE ETSI MAG 17Blockchain
An Industrial Framework
for Blockchains
The general public is familiar with blockchains through the popular cryptocurrency
Bitcoin but there is much more to it, and distributed ledgers are important tools to address
industry and governmental institutions.
there are many other uses besides them, and governmental institutions. This
Blockchain or not with examples such as smart contracts, is due to reasons both technical and
blockchain? support to digital identity attributes,
object tracking, or the verification of
organisational. Among the technical ones
we can consider the cost and delay of the
Often identified with the catchy name service level agreements. recording of a transaction, the cost of the
of blockchains, distributed ledgers consensus algorithm, or the preservation
have brought a wide range of disruptive
applications enabling highly valuable
Permissioned of fairness among participants. In the
second category, the most relevant are the
goals such as data sovereignty or and permission- support from external legal agreements
disintermediation. Distributed ledgers
store any kind of data as a consensus less and the regulatory enforcement in critical
sectors.
of replicated, shared, and synchronized
Further on, it is important to remark
digital records distributed across
multiple sites, without depending on
distributed ledgers can be considered Permissioned
any central administrator. They provide
as main features immutability (and
as permissioned or permissionless,
regarding the requirements for a Distributed
therefore non-repudiation) and multi-
node to be approved to validate the
transactions and record them on the
Ledger in ETSI
party verifiability of the stored data and
ledger. While permissionless ledgers Within the ETSI Industry Specification
their temporal succession, addressing a
wide range of application scenarios, and are the ones that have received most Group on Permissioned Distributed
new interaction models among those attention from the general public, with Ledger (ISG PDL), we have been working
entities willing to record the transactions the paradigmatic example of Bitcoin, for the last two years on analysing
associated to those interactions through permissioned distributed ledgers are the and providing the foundations for the
these ledgers. ones best qualified to address most of operation of permissioned distributed
the use cases of interest to the industry ledgers. The group has already produced
Distributed
ledgers Applications and Services
These technologies have become the
intrinsic foundation of today’s secure
decentralized cryptocurrencies, and APIs and Tooling
distributed ledgers owe their popularity
Templates
and many of the main use cases to this
fact, focusing on different ways to provide
Platform
decentralized multi-party compensation
PDL Platform
Management
and therefore avoid the need for PDL and
centralized clearinghouses. But we must Governance
Support
not forget we are talking about the many
additional scenarios where a consensual,
replicated, and synchronized data ledger Infrastructure
could become a game changer. While
distributed ledgers are mostly known Fig.1 ETSI PDL reference framework © ETSI
because of their use as cryptocurrencies,
18 ENJOY THE ETSI MAGFig. 2: Smart contract framework
Match with Smart Contract Coding
specifications
Draft Terms Compile Code
Review Validation Testing Deployment Execution Termination
template negotiation draft verification
Draft doesn’t match Test output doesn’t match Online
with planned contract with the requirements debugging
TE SE
Actors
SH SE TB SH API API
Coding & Deployment &
Planning Phase
Testing Phase Execution Phase
SH: Stakeholders API: Application Programming Interface TE: Testing Engineers
SE: Software Engineers TB: Test Beds SB: Standardization Bodies © ETSI
a first set of documents, and a second on the execution of proof-of-concept models with special emphasis on ‘as-a-
term has recently started, with the demonstrations and on supporting early service’ paradigms, PDL infrastructure
ultimate purpose of creating an open interoperability assessment events. Two governance aspects, and identifying the
ecosystem of industrial solutions to be of these proofs of concept have already definition of common terms to be used in
deployed by different sectors, fostering been carried out. our future standardization work.
the application of these technologies,
and therefore contributing to consolidate
the trust and dependability on information
Achievements The last work completed by the PDL
group is a report on smart contracts,
technologies supported by global, open During its first term, the group started their components, planning, coding and
telecommunications networks. by addressing a landscape document, testing. The scope of this report covers a
intended to identify current activities in reference architecture of the technology
Collaborative standardization and research which are
particularly relevant to the PDL activities.
enabling smart contracts, the methods
for engaging in a smart contract using
work Apart from performing opportunities and
gaps to address, this spawned a specific
this architecture, and a discussion on
possible threats and limitations.
The ISG PDL works in tight coordination activity focused on the identification and
with other groups in ETSI and elsewhere, collaboration of research projects, that For its new term, the ISG PDL continues
including open-source initiatives and a has translated in the direct involvement of its work on ledger interoperability as a
clear connection with research activities, several of these projects willing to progress cornerstone for the operational framework
especially the collaborative research in the standardization of their results. and has already started working on key
projects within framework programmes aspects such as the interaction with
such as Horizon 2020 and the future The group has produced another report as federated data frameworks and off-line
Horizon Europe. As in other ETSI a result of examining the essential needs operation. The group is committed to
ISGs on transformative technologies, in terms of trust, security and effective ensure the application of its principles
the group work items are oriented to conformity assessment, analysing essential and work items in new application
produce not only specifications of requirements for PDL technology to ensure environments, especially those enabled
normative nature, but also informative regulatory compliance to preserve security
by the emergence of next-generation
deliverable in the form of technology and privacy in the conduits providing the
networking infrastructures, such as those
reports and recommendations for future data to be incorporated into the ledgers.
related to resource trading at all levels,
work, and, what is especially relevant Work on applicability foundations was
from compute nodes to spectrum, as well
in an environment so much populous completed by another report describing
as new industrial scenarios.
as distributed ledger standardization, potential application scenarios for the
demonstrative deliverables focused operation of PDLs, including provision n Diego Lopez, Chair ETSI ISG PDL
ENJOY THE ETSI MAG 19You can also read
