European Union Agency for Network and Information Security
ENISA and Standards | Adrián Belmonte | ETSI Security Week Event | Sophia Antipolis (France) | 22nd June
Summary
01 What's ENISA?
02 Some challenges in standardization
03 Challenges from EU perspective
04 ENISA approach to Standards
05 ENISA actions in standardization
ENISA and Standards | Adrián Belmonte
Securing Europe’s Information Society
Seat in Heraklion
Operational Office in Athens
Positioning ENISA activities
“The nice thing about standards is there's so many to choose from”, A.S. Tanenbaum, Computer Networks, 2nd ed., p. 254
A plethora of standardisation initiatives
International
• ISO: International Organization for Standardization
• IEC: International Electrotechnical Commission
• ITU: International Telecommunication Union
• IETF: Internet Engineering Task Force
• IEEE: Institute of Electrical and Electronics Engineers
European
• CEN: Comité Européen de Normalisation
• ETSI: European Telecommunications Standards Institute – Cyber Security Coordination Group
• ICTSB: ICT Standards Board – NISSG (‘04-’08)
National
• ANSI: American National Standards Institute
• NIST: National Institute of Standards and Technology
Industrial initiatives
• W3C, OASIS, Liberty Alliance, FIDO, Wi-Fi Alliance, BioAPI, WS-Security, TCG
• GP, PC/SC, Open Card Framework, Multos
• PKCS, SECG
Challenges in standardization
Two “main” challenges in Standardization:
1. Complexity
2. Maintenance
The challenge of ‘complexity’
• Backwards compatibility
• Optimizations for various cases
• High complexity in some cases
- barrier for evaluation
- barrier for market entry
- makes secure implementation very difficult
The challenge of ‘maintenance’
• Context changes
• New technical vulnerabilities
• Is fixing it better than doing nothing?
• Fast changes incompatible with slow consensus-based procedures
Challenges from EU perspective
• Need to establish a small number of key initiatives at EU level
- Multi-disciplinary projects with industrial participation
- Necessary contributions by Data Protection Authorities (DPAs) and app developers
- Horizon 2020
• Standardisation should be promoted
• Improve coordination between different actors (i.e. EU-funded R&D and ISO)
• Possible ‘vehicles’ for such coordination:
- ETSI CEN CENELEC CSCG
- H2020 (industrial platforms)
ENISA approach to standards
• Aim: promotion of best practices through Standards Development Organizations (SDOs)
• ENISA role: interface between private sector, public sector and SDOs
• Short- and mid-term goals
- Formal cooperation with SDOs and specific Working Groups (WGs)
- Working collaboration with SDOs
• Long-term goals
- Review of and participation in NIS standardisation activities
- Proposal of standards, by means of proposals for standardisation mandates
ENISA actions in standardisation
• Until 2013 (Regulation (EC) 460/2004): “…to track the development of standards for products and services on network and information security…”
• After 2013 (Regulation (EC) 526/2013): “…support research and development and standardisation…”
• Concrete actions include:
- Support for the Cyber Security Coordination Group (CSCG)
- Support for the ‘Algo paper’ (ETSI)
- SME community support
ETSI CEN-CENELEC Cyber Security Coordination Group (CSCG)
• Give strategic advice to the technical committees of CEN, CENELEC and ETSI
• Develop a gap analysis of European and International Standards on cyber security
• Define joint European requirements for European and International Standards on cyber security
• Establish a European roadmap on standardization of cyber security
• Act as contact point for all questions of EU institutions relating to standardization of cyber security
• Suggest a joint US and European strategy for the establishment of a framework of International standards on cyber security
CSCG Action Plan
#1 – Governance Framework
#2 – Common Understanding of “Cyber Security”
#3 – Trust in the European Digital Environment
#4 – European PKI and Cryptographic Capabilities
#5 – European Cyber Security Label
#6 – European Cyber Security Requirements
#7 – European Cyber Security Research
#8 – EU Industrial Forum on Cyber Security Standards
#9 – EU Global Initiative on Cyber Security Standards
Leading an expert group
Preparing the ground for a high-level conference
ETSI ESI “Algo paper”
ETSI TR 119 312
• Business Guidance on Cryptographic Suites
ETSI TS 119 312
• Cryptographic suites
ENISA reports 2013-2014
• Recommended cryptographic measures
• Algorithms, Key Sizes and Parameters
Collaboration: 2014 onwards
SMEs & Security Standards
• SMEs: employ fewer than 250 persons and have an annual turnover <= 50M and/or an annual balance sheet total <= 43M
• 99% of all European businesses
• Reduced size, which sometimes means:
- Cannot have a large number of dedicated IT staff
- Cannot have a single person dedicated to ICT security and privacy protection
• Standards are, in general, targeted at larger, specialized organizations and are difficult to implement for small businesses
ENISA and Standards: SMEs
• ENISA aims to identify how to facilitate the adoption of standards by European SMEs:
- Gather and analyze information about which standards are used (or why standards are not being used)
- Investigate the obstacles and perceived problems for SMEs in embracing standards
- Identify the main gaps in security and privacy standardization for the SME community
- Identify initiatives to move forward
• Based on the findings: produce recommendations on how to facilitate and increase the adoption of standards by European SMEs
Concluding Remarks
• A little mess with standards: some ICT areas are over-standardised while other areas lack standards
• Standards are a tool, not the objective
• Maintaining security standards is perhaps more complex than maintaining general standards
• Plethora of fora and initiatives
- not enough coordination
• Open evaluation procedures are essential
• Could stimulating the European market through procurement be an approach?
• Are standards too focused on specialized or large companies?
• Improve SME support
• Need for an EU strategy on research & standardisation
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you