ETSI SECURITY WORK UPDATE Dr. Carmine Rizzo CISA, CISM, CMP, ITIL, PRINCE2
advertisement
ETSI SECURITY WORK UPDATE Dr. Carmine Rizzo CISA, CISM, CMP, ITIL, PRINCE2 ITU-T SG17 Meeting – 8 April 2015 © ETSI 2015 All rights reserved ETSI: European roots, Global outreach ETSI is a world-leading standards developing organization for Information and Communication Technologies (ICT) Founded initially to serve European needs, ETSI has become highly-respected as a producer of technical standards for worldwide use 2 ETSI: some facts Created in 1988 Recognised ESO by the EU and EFTA ESO: European Standard Organisation EFTA: European Free Trade Association Independent, non for profit Governed by (worldwide) ETSI Members ETSI Members participate directly in the standardization process 3 Products & services Technical specifications and standards with global application Support to industry and European regulation Specification & testing methodologies Interoperability testing 4 Membership Over 800 companies, big and small, from 64 countries on 5 continents Manufacturers, network operators, service and content providers, national administrations, ministries, universities, research bodies, consultancies, user organizations A powerful and dynamic mix of skills, resources and ambitions 5 Innovations Efficient and speedy standards-making Agreement by consensus !!! Free download of all our standards Electronic working to boost efficiency and reduce cost and environmental impact Quality certified to ISO 9001:2008 6 ETSI Clusters http://www.etsi.org/technologies-clusters/clusters 7 Areas of security standardization Cyber Security Mobile/Wireless Comms (GSM/UMTS, TETRA, DECT…) Lawful Interception and Data Retention Electronic Signatures Smart Cards Machine-to-Machine (M2M) Methods for Testing and Specification (MTS) Emergency Communications / Public Safety RFID Intelligent Transport Systems Information Security Indicators Quantum Key Distribution (QKD) Quantum –Safe Cryptography (QSC) Algorithms In 3GPP 8 Major security work over the last year Maintenance of published deliverables • In all areas as necessary New publications in various areas including: • Electronic Signatures • Intelligent Transport Systems • Smart Cards • Information Security Indicators New security algorithm • UMTS authentication and key generation 9 Creation of new ETSI groups Creation in 2014 of TC CYBER • Cybersecurity standardization • Very active! Creation in 2015 of ISG QSC • Quantum-Safe Cryptography • 1st meeting 24-26 March TC: Technical Committee ISG: Industry Specification Group 10 ETSI TC CYBER – Terms of Reference Cyber Security Standardization Security of infrastructures, devices, services and protocols Security advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operators Security tools and techniques to ensure security Creation of security specifications and alignment with work done in other TCs and ISGs Coordinate work with external groups such as the CSCG with CEN, CENELEC, the NIS Platform and ENISA Collaborate with other SDOs (ISO, ITU, NIST, ANSI...) Answer to policy requests on Cyber Security and ICT security in broad sense TC CYBER meetings TC CYBER met 3 times face-to-face • Around 50 participants at each meeting • Progress made on 9 documents Participating organizations • Industry: Manufacturers, Operators, SMEs... • Administrations • European Commission • ENISA • Universities / Research Bodies • Service Providers • Micro Enterprises • Consultancy TC CYBER documents 9 open documents • 8 Technical Reports • 1 ETSI Guide • Full scope of them all as annexes at the end of these slides TR 103 303, Protection measures for ICT in the context of Critical Infrastructure TR 103 304, PII Protection and Retention TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence TR 103 306, Global Cyber Security Ecosystem TR 103 307, Security Aspects for LI and RD interfaces TR 103 308, A security baseline regarding LI for NFV and related platforms TR 103 309, Secure by Default adoption – platform security technology TR 103 331, Structured threat information sharing EG 203 310, Post Quantum Computing Impact on ICT Systems Areas of work and related guidance Critical Infrastructure protection • Guidance for the deployment of security • technologies and security management to deliver and maintain effective Critical Infrastructures that are reliant on ICT technology Resilience, M2M/IoT security, eHealth security Structured threat information sharing • Guidance for exchanging cyber threat information in • 14 a standardized and structured manner Provide technical indicators of adversary activity, contextual information, exploitation targets, and courses of action Areas of work and related guidance Security assurance by design/default • Guidance to detect, prevent, respond, and mitigate • • • 15 damage from the most common to the most advanced of cyber attacks Measures reflecting the combined knowledge of actual attacks and effective defenses Guidance to business decision makers for the development and adoption of secure by default platform security technologies - how they can be used to effectively solve real business problems, and improve the usability of secure services Encourage industry to adopt device hardware security features – show that there is a market need Areas of work and related guidance Security for LI and RD interfaces • Guidance to protect information flows and interfaces from a security perspective (confidentiality, integrity and authenticity) including implementation details (technologies, algorithms, options, minimum requirements on keys etc) in a context of provision of Lawful Interception (LI) and Retained Data (RD) functionalities LI in the NFV context • Guidance related to the legal and physical challenges to ensure LI functionalities in a Network Functions Virtualization context • Focus on the infrastructure of NFV rather than the functions themselves 16 Areas of work and related guidance Privacy measures • Guidance for the protection and retention of PII • (Personally Identifiable Information) Enable the secure portability of data transferred from one service provider to another Post quantum computing impact on ICT • Review nature and vulnerabilities of security algorithms • when subjected to quantum computing attacks Evaluate characteristics required of algorithms in order to be invulnerable under such attacks Global Cyber Security Ecosystem • Constantly updated overview of cyber security work being undertaken in multiple forums worldwide 17 ISG QSC – Terms of Reference Identification of proposals from industry and academia for quantum safe cryptographic primitives, and the development of a framework for quantum safe algorithms High-level characterization of these primitives and assessment of their suitability with respect to the quantum safe requirements and applications Threat and risk assessment for real-world use cases Providing evidence of the need for new standards and technological guidance, and building related roadmap Dissemination of guidance and standards documents, and later maintenance of the standardized algorithms under the custodianship of the ETSI SC Security Algorithms Group of Experts (SAGE) Defining criteria for, and assessment of, the suitability of cryptographic primitives 18 ISG QSC (Quantum-Safe Cryptography) 1st meeting held 24-26 March 2015 5 Group Specifications adopted: GS QSC 001, Quantum safe algorithmic framework GS QSC 002, Cryptographic primitive characterization GS QSC 003, Cryptographic primitive suitability assessment GS QSC 004, Quantum safe threat assessment GS QSC 005, Quantum safe standards assessment 19 Security Week (22-26 June 2015, ETSI) Workshop, Technical Streams, Meetings • Including TC CYBER#4 Meeting Workshop/Streams free and open to everyone TC CYBER meeting open to non ETSI Members upon invitation (see website to apply) Networking opportunity every day! • Free lunches and networking cocktails 20 www.etsi.org/securityweek • Agendas and registrations Security Week Mon 22 A M Tue 23 Worksho p (22-26 June 2015, ETSI) Wed 24 Thu 25 Workshop CYBER#4 ISI#23 Fri 26 CYBER#4 eIDAS P Workshop M 21 Worksho p Streams: M2M/IoT ITS eIDAS HF/USER/ eHealth CYBER#4 ISI#23 M2M/IoT: Machine-to-Machine / Internet of Things ITS: Intelligent Transport Systems eIDAS: Electronic identification and trust services HF: Human Factors USER: User Group eHealth: Health ICT eIDAS CYBER#4 ETSI Security White Paper Achievements and current work List of all security publications 6th Edition published January 2014 • 7th will be published before Security Week www.etsi.org/securitywhitepaper 22 Please keep in touch! Contact Details: carmine.rizzo@etsi.org Full scope of all TC CYBER documents to follow as annexes Thank you! Available for your questions ITU-T SG17 Meeting – 8 April 2015 23 © ETSI 2015. All rights reserved TR 103 303, Protection measures for ICT in the context of Critical Infrastructure Scope: The critical infrastructure protection addressed in the EU’s published directive is essentially Power and Transport. It is clear to most casual observers that the global economic infrastructure is now composed of a huge set of ICT networks and services. It would not be a stretch to say that ICT capabilities now underpin all of the other critical infrastructures. This means food security, economic activity security, citizen safety and just about everything else. The purpose of the TR to be delivered by this work item is to identify the role of ICT protections through the deployment of security technologies and security management to deliver effective Critical Infrastructures that are reliant on ICT technology. The topics to be addressed by the work item include: Resilience (taking as input the ENISA reports on this topic and work from related national programmes); M2M communications (in close liaison with oneM2M and smartM2M); eHealth (in order to give assurance of access to ICT enabled eHealth systems). The report is intended to highlight aspects of CI and ICT that have to be addressed to ensure that CI maintains its infrastructure role. TR 103 304, PII Protection and Retention Scope: Essentially different than any previous telco scenario where user data was accessible from network functional elements only, today even sensitive PII is directly accessible from terminals. Server-based data access control technologies are becoming less effective for PII protection. This new WI is intended to describe novel access control technologies that enable 1) data protection, based on policy rules, as soon as data leaves the boundary of terminal’s OS and 2) portability of protection settings when data moves from one service provider to another. TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence Scope: This Technical Report describes a specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks developed and maintained by the Council of Cybersecurity. The measures reflect the combined knowledge of actual attacks and effective defenses. TR 103 306, Global Cyber Security Ecosystem Scope: This proposed NWI provides a structured overview of cyber security work occurring in multiple other technical forums worldwide. The overview includes global identification of Cyber Security Centres of Excellence, heritage sites, historical collections, and reference libraries. It is intended to be continuously updated to account for the dynamics of the sector. TR 103 307, Security Aspects for LI and RD interfaces Scope: It is envisaged that TC Cyber would assess the information flows and interfaces (as identified by TC LI) from a security (confidentiality, integrity and authenticity) perspective and provide guidance on the implementation details (technologies, algorithms, options, minimum requirements on keys etc). TR 103 308, A security baseline regarding LI for NFV and related platforms Scope: The lawful interception capability is capable of being virtualised but the legal and physical challenges of doing so must be taken into account. The initial study is focused on the LI aspects. The challenge for both Lawful Interception and NFV as a community is that it is necessary to establish the fundamental security principles for generic platforms upon which the related groups can build. There is an urgent requirement to establish a minimum set of security principles for generic telecommunications platforms that will allow the virtualised network functions to utilise the features necessary to afford them appropriate protection and at the same time allow to undertake appropriate activities (LI, fraud management, cyber defense). Establishing such a baseline will help the industry as a whole to be better protected against Cyber threats. There is no overlap with other work e.g. SECAM – in fact the work is intended to be complementary. The focus of this work item is on the NFV infrastructure and not virtual network functions. TR 103 309, Secure by Default adoption – platform security technology Scope: A proposed TR to describe the following: An approach to encourage development and adoption of 'secure by default' platform security technologies by showing how they can be used to effectively solve real business problems, and improve the usability of secure services. The intended audience is decision makers rather than engineering teams. These could be deciding which features to include in a new platform, or which are required as part of a procurement activity. We will first produce a structure for describing identified business requirements/issues for a particular set of users; detailing the characteristics required of possible solutions, and finally identifying existing or emerging standards which provide those characteristics. The last two activities require technical expertise, hence the production of this TR within TC-CYBER. A particular example is to identify challenges relating to end user devices for large organisations. Currently adoption of device hardware security features is low, despite widespread agreement within the technical community that they are needed. This example will aim to show that a market for these features does exist, and that a strong case can be made for organisations to actively seek them out. TR 103 331, Structured threat information sharing Scope: This work item will produce a Technical Report on means for describing and exchanging cyber threat information in a standardized and structured manner. Such information includes include technical indicators of adversary activity, contextual information, exploitation targets, and courses of action. EG 203 310, Post Quantum Computing Impact on ICT Systems Scope: The intent of the work item is to address business continuity arising from the concern that quantum computing is likely to invalidate the problems that lie at the heart of both RSA and ECC asymmetric cryptography. The current assumptions that underpin the security strength of RSA and ECC are that the solution to the prime factoring, and the discrete logarithm problems are infeasible without prior knowledge. It has been widely suggested that the application of quantum computing to these problems removes the assertion of infeasibility. Whilst it is not known when quantum computing will arrive or how long it will be until the factorisation and discrete logarithm problems are themselves solved the report will review the nature of the algorithms when subjected to QC attack and why they become vulnerable. In addition the report will highlight the characteristics required of algorithms in order to be invulnerable under QC attack. The report will consider a number of sub topics to be covered in considering the transition to the postquantum era and they are not all algorithmic but many of the necessary considerations apply to business continuity. For example how to re-assert CAs in a PKI? How to distribute new algorithms? How to distribute new keys?
