Cybersecurity Standardisation Conference: key take-aways

The Cybersecurity Standardisation Conference took place from 2 to 4 February 2021. As in earlier editions, the event was jointly organised by ENISA, CEN-CENELEC and ETSI.  

The link between standardisation and the Cybersecurity Act (CSA) was extensively developed throughout the event with the speakers offering different views on the matter.

An ENISA representative pointed out that certification schemes might become mandatory for NIS sectors. For instance, schemes could become mandatory for trust services.

Gisela Meister, Eurosmart consultant, was part of the panel on the future IoT certification scheme on behalf of Eurosmart. She presented her work at ETSI TC Cyber on the EN 303 645 standard (security requirements) and TS 103 701 (conformance assessment).

Please find below a few key points from the event. You can access all presentations from the conference here.


Panel Cybersecurity and Radio Equipment Directive – setting the scene and future work

Pier Francesco Sammartino (DG GROW) and Aristotelis Tzafalias (DG CNECT) described the expected coverage of the Radio Equipment Directive (RED). RED will cover protection of the network, protection of privacy and personal data, and protection against fraud. It will also cover the condition that software can only be loaded onto the equipment where compliance of the combination of equipment and software has been demonstrated. One of the added values of RED is that it covers the value chain: the burden of compliance falls not only on the manufacturer of the final product but also on the suppliers of radio components.

The adoption of the delegated act of RED is expected for Q2 2021. The draft delegated act and the draft standardisation request will be shared at the same time.

However, RED does not cover all connected products and all cybersecurity aspects of connected products (e.g. it does not cover duty of care and vulnerability disclosure). Therefore, a horizontal regulation will be proposed this year.

The guiding principle of this horizontal approach will be NLF+: it will address the entire lifecycle (security updates, vulnerability handling etc.) and it will benefit from the European Cybersecurity Certification Framework.

Slides DG GROW & DG CNECT on RED

Wim de Kesel, Chair of CEN-CENELEC RED Expert Group, explained that standardisation should work on generic standards to provide presumption of conformity with the cybersecurity requirements of RED. These standards should also provide presumption of conformity with the future (horizontal) legislation on cybersecurity for networkable products. The verticals should be evaluated against these generic standards, based on the risk specific to each vertical.

Wim de Kesel underlined that European generic standards should be based on (if not identical to) international generic standards.

Neviana Nikoloski, Chair of the ETSI General Assembly, presented options for how RED and the Cybersecurity Act (CSA) could be combined:

[figure: options for combining RED and the CSA]

In an ideal scenario, companies could demonstrate compliance with both RED and the future horizontal act through a single round of testing.

Nelly Ghaoui, Dutch Ministry of Economic Affairs, presented the Dutch perspective. In the Netherlands, the government supports testing by consumer organisations to improve market transparency. The government is also looking at public procurement policy to encourage products with a higher ICT security level. Nelly Ghaoui lamented that products currently cannot be taken off the market when they do not meet the required cybersecurity level.

Dieter Wegener, DKE Vice-president, presented the BDI-DIN-DKE paper on the bridge between the NLF and the CSA (see previous briefing here).


Panel Standardisation supporting the Cybersecurity Act:

Elena Santiago Cid, Director General of CEN-CENELEC, underlined the importance of cooperation with ISO and IEC to have one single solution whenever possible, thereby facilitating international trade. She presented the CEN-CENELEC Committees involved in cybersecurity standardisation:

- CEN-CENELEC JTC 13 Cybersecurity and data protection

- CLC TC 65X Industrial-process measurement, control and automation

- Sector-specific activities: health, transport, manufacturing, electrotechnology, energy, AI, blockchain, quantum etc.

Luis Romero, Director General of ETSI, stressed that there are three clear areas where standards can be used in schemes:

- IoT security (ETSI standard)

- 5G network security and assurance (3GPP specifications, GSMA scheme)

- electronic signatures and trust infrastructures (standards available since 2016, adopted beyond Europe but still not recognised at EU level)

In Luis Romero’s view, one of the pending challenges is the coordination between schemes and standards: will the Union Rolling Work Programme give the ESOs enough notice to prepare adequately?

Andreas Mitrakas, Head of Unit at ENISA, explained that horizontal schemes, such as EUCC and the cloud scheme, are likely to find their way into the sectors covered by the NIS Directive. NIS areas might be covered by mandatory schemes: legislation might reference a scheme as mandatory, for instance for trust services.

Miguel Gonzalez-Sancho, Head of Unit at DG CNECT, pointed out that the EU needs to strengthen its presence in standardisation activities at international level. It is not only a technical matter but also a matter of values. The Union Rolling Work Programme contains one section on strategic priorities. The number 1 priority is standardisation. Funding programmes should support the work on standardisation.

Presentation Andreas Mitrakas
Presentation Miguel Gonzalez-Sancho

Panel Future schemes: Consumer IoT:

Matthias Pocs, ANEC, mentioned the need to communicate to consumers in a more efficient manner. Something similar to the energy label could be envisaged.

Sylvie Wuidart, ST, gave details on the steps to comply with the security requirements:

Step 1: Identify the security requirements. Now there is an EN standard available. Subsequently, manufacturers need to identify the relevant security provisions for their products.

Step 2: Develop the product with security: most of the manufacturers re-use blocks of security that are already available.

Step 3: Prove compliance with the requirements. The security of the foundation is essential: you need to ensure the hardware platform cannot be attacked, and then rely on a composition model, the SESIP methodology (Security Evaluation Standard for IoT Platforms, GlobalPlatform), to build on it.

SESIP is already in use and is well suited to horizontal legislation. Sylvie Wuidart recommended considering SESIP in the future certification scheme.

Jasper Pandza, ETSI EN 303 645 Rapporteur, presented the ETSI EN 303 645 standard Cyber Security for Consumer IoT. This standard is suitable for the assurance level “basic” in the context of the CSA. It is not suitable to become a harmonised standard for RED.

Jasper Pandza believes that the most important provisions of the ETSI standard should be made mandatory. It would be too much of a burden to mandate application of all the provisions immediately.

Gisela Meister, Eurosmart, presented ETSI draft technical specification (TS) 103 701 on cybersecurity assessment for consumer IoT security. This document is essential to implement EN 303 645. The EN and the TS are both suitable for self-assessment and certification. For certification, there will be additional requirements, such as tester expertise, cryptographic requirements etc.

EN 303 645 can be used in combination with SESIP (see slide below).

The first draft TS will be published at the end of April.

[figure: EN 303 645 used in combination with SESIP]

Miguel Bañón, Convenor of CEN-CENELEC JTC 13/WG 3, presented prEN 17640, Fixed-time cybersecurity evaluation methodology for ICT products. He underlined the importance of knowing how long the evaluation will take when a manufacturer sends a product to the lab. This standard provides a solution and methodology for third-party testing.

The scheme can be horizontal or vertical. A risk analysis is needed for every use case. The time needed may be different for every use case. There are no magic numbers in the standard.

The standard is at the final stage before submission to public consultation. It is a CEN-CENELEC standard and therefore needs the final approval of all the national standardisation bodies.

The methodology can be applied as soon as a specific set of sector requirements exists; the ETSI consumer IoT standard is one such set.

Michał Zakrzewski, APPLiA (Home Appliance association), explained that APPLiA advocates for the well-established NLF as a basis for horizontal regulation. However, if schemes are really preferred, there should be one European IoT scheme only. As much as possible, the scheme should be voluntary. In conclusion, the best would be to manage these requirements with the horizontal NLF legislation.

Presentation Sylvie Wuidart
Presentation Jasper Pandza
Presentation Gisela Meister

Panel Future schemes: 5G:

Julie Ruff, DG CNECT, pointed out that the European Commission recently requested ENISA to prepare a scheme for 5G networks. There is no expected date of release for the 5G certification scheme. Speed should not compromise quality.

David Rogers, GSMA, underlined that the NESAS scheme (Network Equipment Security Assurance Scheme) is maturing. A third version will be released soon. NESAS is well placed to provide the basis for ENISA’s 5G scheme.

Noamen Ben Henda (Ericsson), Chair of 3GPP SA3, agreed that NESAS should be taken into consideration for the future European scheme. He presented the work done on NESAS (see slides below). 3GPP is currently drafting the test specifications (the SCAS security assurance specifications) used by this scheme. The NESAS scheme could be extended to new technologies, such as virtualisation. NESAS does not apply to smartphone manufacturers, only to network equipment.

Robert Kosla, NIS Cooperation Group, Poland, explained that Poland and Germany held discussions with GSMA to understand the current state of NESAS and other schemes, and subsequently reported to the other Member States. MNOs provided promising feedback concerning the scope of the 5G scheme.

The 5G scheme should cover:

-critical network components and functions of 5G networks

-corresponding suppliers’ design, development, delivery and maintenance processes

NESAS is a very good start for the basic requirements.

The EU will not solve all the problems related to 5G with a scheme. Some vendors would like certification to be the only mandatory requirement. This is not possible, there are also non-technical challenges when it comes to 5G.

Robert Kosla proposes a few steps for the 5G scheme. The first step is to transfer current schemes (NESAS, eUICC and SAS) under the governance of the CSA. The second step is to analyse gaps and improve the schemes to have a full coverage.

François Zamora, Orange, Head of the French delegation to ISO/IEC JTC 1/SC 27, stressed that ISO standards provide an excellent toolbox for 5G security: risk management, continuous improvement etc. François Zamora explained that cybersecurity certification of 5G sub-domains should consider two schemes:

- Pan-European 5G cybersecurity risk homologation at “substantial” to match industry’s needs, and at “high” to match Member States’ needs (on specific sub-domains);

- Pan-European 5G vendor cybersecurity certification at “basic” to enable a first level of system hardening and integration.

Presentation DG CNECT on 5G
Presentation Noamen Ben Henda
Presentation Robert Kosla
Presentation François Zamora

Panel Vision of the future:

Domenico Ferrara, DG CNECT, presented the Union Rolling Work Programme (URWP) of the European Commission. Adoption of the URWP is expected for March 2021.

As possible candidate schemes and areas for future reflection, he mentioned:

- IoT, Industrial Automation and Control Systems

- Lightweight evaluation

- Secure development lifecycle

- AI

- Cryptographic mechanisms

- Security audit service providers

Presentation DG CNECT on future schemes
Eurosmart
Rue de la Science 14B - 1040 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64