
European Union Agency for Network and Information Security

ENISA And Standards

Adrián Belmonte | ETSI Security Week Event | Sophia Antipolis (France) | 22nd June


Summary

01 What's ENISA?

02 Some challenges in standardization

03 Challenges from EU perspective

04 ENISA approach to Standards

05 ENISA actions in standardization

ENISA and Standards | Adrián Belmonte


Securing Europe’s Information Society

Seat in Heraklion

Operational Office in Athens


Positioning ENISA activities


“The nice thing about standards is there's so many to choose from”, A.S. Tanenbaum, Computer Networks, 2nd ed., p. 254


A plethora of standardisation initiatives

International

• ISO: International Organization for Standardization

• IEC: International Electrotechnical Commission

• ITU: International Telecommunications Union

• IETF: Internet Engineering Task Force

• IEEE: Institute of Electrical and Electronic Engineers

European

• CEN: Comité Européen de Normalisation

• ETSI: European Telecommunications Standards Institute – Cyber Security Coordination Group

• ICTSB: ICT Standards Board – NISSG (‘04-’08)

National

• ANSI: American National Standards Institute

• NIST: National Institute of Standards and Technology

Industrial initiatives

• W3C, OASIS, Liberty Alliance, FIDO, Wi-Fi Alliance, BioAPI, WS-Security, TCG

• GP, PC/SC, Open Card Framework, Multos

• PKCS, SECG


Challenges in standardization

Two “main” challenges in Standardization:

1. Complexity

2. Maintenance


The challenge of ‘complexity’

• Backwards compatibility

• Optimizations for various cases

• High complexity in some cases

- barrier for evaluation

- barrier for market entry

- makes secure implementation very difficult


The challenge of ‘maintenance’

• Context changes

• New technical vulnerabilities

• Is fixing it better than doing nothing?

• Fast changes are incompatible with slow, consensus-based procedures

Challenges from EU perspective

• Need to establish a small number of key initiatives at EU level

- Multi-disciplinary projects with industrial participation

- Necessary contributions by Data Protection Authorities (DPAs) and app developers

- Horizon 2020

• Standardisation should be promoted

• Improve coordination between different actors (i.e. EU-funded R&D and ISO)

• Possible ‘vehicles’ for such coordination

- ETSI CEN CENELEC CSCG

- H2020 (industrial platforms)

ENISA approach to standards

• Aim: promotion of best practices through Standard Development Organizations (SDOs)

• ENISA role: interface between the private sector, the public sector and SDOs

• Short- and mid-term goals:

- Formal cooperation with SDOs and specific Working Groups (WGs)

- Working collaboration with SDOs

• Long-term goals:

- Review of and participation in NIS standardisation activities

- Proposal of standards, by means of proposals for standardisation mandates

ENISA actions in standardisation

• Until 2013 (Regulation (EC) 460/2004): “…to track the development of standards for products and services on network and information security…”

• After 2013 (Regulation (EC) 526/2013): “…support research and development and standardisation…”

• Concrete actions include:

- Support for the Cybersecurity Coordination Group (CSCG)

- Support for the ‘Algo paper’ (ETSI)

- SME community support


ETSI CEN-CENELEC Cyber Security Coordination Group (CSCG)

• Give strategic advice to the technical committees of CEN, CENELEC and ETSI

• Develop a gap analysis of European and International Standards on cyber security

• Define joint European requirements for European and International Standards on cyber security

• Establish a European roadmap on standardization of cyber security

• Act as contact point for all questions of EU institutions relating to standardization of cyber security

• Suggest a joint US and European strategy for the establishment of a framework of International standards on cyber security


CSCG Action Plan

#1 – Governance Framework

#2 – Common Understanding Of “Cyber Security”

#3 – Trust In The European Digital Environment

#4 – European PKI And Cryptographic Capabilities

#5 – European Cyber Security Label

#6 – European Cyber Security Requirements

#7 – European Cyber Security Research

#8 – EU Industrial Forum On Cyber Security Standards

#9 – EU Global Initiative On Cyber Security Standards

Leading an expert group

Preparing the ground for a high level conference


ETSI ESI “Algo paper”

ETSI TR 119 312

• Business Guidance on Cryptographic Suites

ETSI TS 119 312

• Cryptographic suites

ENISA reports 2013-2014

• Recommended cryptographic measures

• Algorithms, Key Sizes and Parameters

Collaboration 2014 –>

SMEs & Security Standards

• SMEs: employ fewer than 250 persons and have an annual turnover <= 50M and/or an annual balance sheet total <= 43M

• 99% of all European businesses

• Their reduced size sometimes means they:

- Cannot have a large number of dedicated IT staff

- Cannot have a single person dedicated to ICT security and privacy protection

• Standards, in general, target larger, specialised organisations and are difficult for small businesses to implement

ENISA and Standards: SMEs

• ENISA aims to identify how to facilitate the adoption of standards by European SMEs:

- Gather and analyse information about which standards are used (or why standards are not being used)

- Investigate the obstacles and perceived problems for SMEs in embracing standards

- Identify the main gaps in security and privacy standardisation for the SME community

- Identify initiatives to move forward

• Based on the findings: produce recommendations on how to facilitate and increase the adoption of standards in European SMEs

Concluding Remarks

• A little mess with standards: some ICT areas are over-standardised while others lack standards

• Standards are a tool, not the objective

• Maintaining security standards is perhaps more complex than maintaining general standards

• Plethora of fora and initiatives

- not enough coordination

• Open evaluation procedures are essential

• Stimulating the European market through procurement might be an approach?

• Are standards too focused on specialised or large companies?

• Improve support for SMEs

• Need for an EU strategy on research & standardisation