Cybersecurity / network and information security (RP2020)

Policy and legislation

Policy objectives

The European cybersecurity strategy and the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) provide for action to promote the development and take-up of ICT security standards.

The EU Cybersecurity Act (Regulation EU 2019/881) established the European Cybersecurity Certification Framework in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes. The European cybersecurity certification framework provides for a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.

Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks identifies a series of actions in order to support the development of a Union approach to ensuring the cybersecurity of 5G networks.

The communication setting up ICT standardisation priorities for the DSM refers to cybersecurity as a priority domain for Europe.

EC perspective and progress report

The Communication on ICT standardisation priorities for the digital single market proposes actions on cybersecurity, considered as priority domain for Europe:

  • For security and notification requirements for operators of essential services, the focus will be on establishing a number of reference standards and/or specifications relevant to network and information security, including, where relevant, harmonised standards, to serve as a basis for encouraging the coherent adoption of standardisation practices across the EU.
  • For security and notification requirements for digital service providers, in line with the objectives of the Digital single market strategy, the Directive aims to establish a harmonised set of requirements so that they can expect similar rules wherever they operate in the EU.

It is important that all levels of an organisation, particularly the strategic level and the management board, are aware of the need for standards and frameworks for cybersecurity. Moreover, between organisations that are partners in (vital) online chains, clear agreements will have to be made on the different standards. In general, organisations, manufacturers or providers involved in the design and development of ICT products, ICT services or ICT processes are encouraged to implement appropriate measures at the earliest stages of design and development to protect the security of those products, services and processes to the highest possible degree, in such a way that the occurrence of cyberattacks is presumed and their impact is anticipated and minimised ('security-by-design'). The need for security to be ensured throughout the lifetime of the ICT product, ICT service or ICT process by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation should also be considered in the context of relevant standardisation activities.

References

  • Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final, 7.2.2013
  • Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, JOIN(2017) 450 final, 13.9.2017
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • Commission Recommendation (EU) 2019/553 of 3 April 2019 on cybersecurity in the energy sector (notified under document C(2019) 2400)
  • Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises, C/2017/6100
  • Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks, C/2019/2335
  • COM(2016)176 ICT Standardisation Priorities for the Digital Single Market
  • COM(2015)192 A Digital single market strategy for Europe
  • COM(2017)228 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy: A Connected Digital Single Market for All, and accompanying Staff Working Document SWD(2017)155
  • Cybersecurity of 5G networks: EU Toolbox of risk mitigating measures (01/2020)

Requested actions

Action 1 SDOs to develop standards for critical infrastructure protection, in support of and responding to the requirements laid down in the NIS Directive.

Action 2 SDOs to assess existing standards required to support the European Cybersecurity Certification Framework to ensure that standards are available for providing the core of any certification activity. In particular, SDOs are encouraged to work on standards related to the specification and assessment of security properties in ICT products and services as well as those related to security in processes related to the design, development, delivery and maintenance of an ICT product or service.

Action 3 SDOs to investigate the issue of malware on personal computers. ENISA (the European Union Agency for Network and Information Security) has concluded that many personal computers contain malware that can monitor (financial) transactions. As we are becoming increasingly dependent on eBusiness and e-transactions, a European initiative should investigate this topic.

Action 4 SDOs to investigate requirements for secure protocols for networks of highly constrained devices and heavily constrained protocol interaction (low bandwidth / ultra-short session duration (50 ms) / low processing capabilities).

Action 5 SDOs to investigate the availability of standards as regards the security and incident notification requirements for digital service providers as defined in the NIS Directive.

Action 6 SDOs to develop a "guided" version of the ISO/IEC 270xx series (information security management systems including specific activity domains) specifically addressed to SMEs, possibly coordinating with ISO/IEC JTC 1/SC 27/WG 1 to extend the existing guidance laid out in ISO/IEC 27003. This guidance should be 100% compatible with ISO/IEC 270xx and help SMEs to practically apply it, including in scarce resource and competence scenarios.

Action 7 SDOs to assess gaps and develop standards on cybersecurity of consumer products in support of possible certification schemes completed under the European Cybersecurity Act.

Activities and additional information

Related standardisation activities

CEN, CENELEC

In 2020, CEN-CLC/JTC 13 'Cybersecurity and Data Protection' will continue to develop standards for data protection, information protection and security techniques with specific focus on cybersecurity covering all concurrent aspects of the evolving information society, including: organisational frameworks and methodologies, including IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices and data services.

CLC/TC 65X 'Industrial-process measurement, control and automation' contributes to, supports and coordinates the preparation of European Standards for systems and elements used for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 Security for industrial automation and control systems – Secure product development lifecycle requirements). The EN IEC 62443 series, as developed by CLC/TC 65X, addresses operational technology found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectoral standards, which can also be applied across many technical areas.

In this context, CEN and CENELEC are responsible for the adoption at European level of the EN IEC 62443 series (CLC/TC 65X), which focuses on operational technology (OT) and is concerned with keeping cyber-physical systems operating as intended, and the EN ISO/IEC 27000 series (CEN-CLC/JTC 13), which focuses on information technology (IT) and is concerned with the flow and accuracy of data, data privacy, etc.

CEN and CENELEC are also active in the following areas:

  • CEN/TC 301 'Road Vehicles' is responsible for developing requirements for the Vehicle to Grid communication interface (physical layer and data link layer)
  • CEN/TC 377 'Air traffic management' works on 'Information security for organisations supporting civil aviation operations' (prEN 16495) and specifications for software assurance levels (CEN/TS 16501)
  • CLC/TC 9X 'Electrical and electronic applications for railways' is active in the development of requirements for cybersecurity
  • CLC/TC 13 'Electrical energy measurement and control' develops the EN 62056 series on 'Electricity metering data exchange'
  • CLC/TC 57 'Power systems management and associated information exchange' develops EN 62351-7 'Data and communications security – Network and system management data object models'. Moreover, the CEN-CLC-ETSI Coordination Groups on 'Smart Energy Grids' and 'Smart Meters' are also active on cybersecurity. At the end of 2014, the Coordination Group on Smart Energy Grids finalised several mandated reports, including on cybersecurity
  • CEN-CLC/JTC 19 'Blockchain and Distributed Ledger Technologies' will work with CEN-CLC/JTC 13 to further investigate the cybersecurity requirements for Distributed Ledger Technologies, in the context of the activities of ISO/TC 307
  • CEN/TC 224 'Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment'

ETSI

ETSI's work on cybersecurity ranges from general and transversal guidelines and standards, to securing complete technological systems/areas, down to specific security topics.

TC CYBER coordinates ETSI cybersecurity work and offers market-driven cyber security standardisation solutions, advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. In particular, ETSI TC CYBER published TR 103 306 which describes the global cybersecurity ecosystem providing an overview of cybersecurity work occurring in multiple technical forums worldwide. The TR is revised regularly to provide latest information.

ETSI TC CYBER (TC CYBER publications and TC CYBER work programme) covers privacy in response to European Commission (EC) Mandate M/530 on Privacy by Design, with a new TS on mechanisms for privacy assurance and the verification of Personally Identifiable Information, a TS on identity management and discovery for IoT, which will identify means to prevent identity theft and resultant crime, and a practical introductory guide to privacy related standards. TC CYBER also released two specifications on Attribute-Based Encryption (ABE) that describe how to protect personal data securely, with fine-grained access controls (TS 103 458 and TS 103 532). ETSI TC CYBER develops standards for secure by default solutions, with publications on critical security controls, baseline security requirements regarding sensitive functions for NFV and on security aspects for lawful interception and retained data interfaces, guidance on security by default for products and services and threat information sharing. One major ongoing activity is the specification of middlebox security protocols allowing transparent management of middleboxes in networks while enhancing the cybersecurity posture of networks.

ETSI TR 103 456 provides advice on implementing the NIS Directive and guidance on the available technical specifications and those in development by major cybersecurity communities in the world which are designed to meet the legal measures and technical requirements of the NIS Directive.

TC CYBER has a dedicated working group on Quantum-safe cryptography.

The ISG ISI (Information Security Indicators) work on measurement of information security risks was transferred to TC CYBER.

ETSI works on securing overall systems and technologies such as mobile communications (3GPP SA3), network functions virtualisation (ETSI NFV ISG), intelligent transport systems (ITS WG5), digital enhanced cordless telecommunications (DECT™), M2M/IoT communications (oneM2M published standards, latest drafts), reconfigurable radio systems (RRS WG3) and emergency telecommunications (including terrestrial trunked radio (TETRA)).

Finally, ETSI works on specific security topics, including smart cards and secure elements (SCP), cryptography, and lawful interception and data retention. In terms of cryptography, ETSI develops security algorithms and works on quantum safe cryptography (QSC) and quantum key distribution (QKD).

IEC

IEC TC 65 'Industrial-process measurement, control and automation' develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.

IEC TC 65 WG 10 'Security for industrial process measurement and control - network and system security' is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.

IEC 62443-4-2 'Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components' was published in 2019. The publication of the following International Standards is foreseen in 2020: IEC 62443-2-1 'Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners', and IEC 62443-3-2 'Security for industrial automation and control systems - Part 3-2: Security risk assessment and system design'.

In Europe, IEC TC 65 is mirrored by CLC/TC 65X 'Industrial-process measurement, control and automation'. This CENELEC standardisation work is carried out for equipment and systems, and closely coordinated with IEC TC 65.

IEC TC 57 is responsible for the IEC 62351 standards series. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

IECEE/ICAB

Conformity Assessment (CA) is any activity which results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates Schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for cybersecurity.

IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.

The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme, where initial and/or periodic surveillance of production is performed. The Scheme provides the evidence that each certified product offers the same quality/safety level as the type-tested sample.

The CAB (Conformity Assessment Board) is responsible for setting the IEC's conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.

OASIS

For the PKCS 11 standardisation project for cryptographic tokens controlling authentication information (such as personal identity), see https://www.oasis-open.org/committees/pkcs11

Key Management Interoperability Protocol (KMIP) for enterprise encryption key administration and deployment: https://www.oasis-open.org/committees/kmip

Cyber Threat Intelligence (CTI) TC

A committee defining a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language provides a common set of descriptors for security threats and events, and the Trusted Automated Exchange of Indicator Information (TAXII) specification provides common message exchange patterns. http://www.oasis-open.org/committees/cti

SAML TC

Syntax and semantics for XML-encoded assertions about identity authentication, attributes, and authorization

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

Open Command and Control (OpenC2) is a suite of specifications to administer command and control of cyber defense functions distributed across multiple systems. https://www.oasis-open.org/committees/openc2/

Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC was launched in 2019 to implement the cybersecurity course of action playbook model, with JSON-encoded "cookbooks" or "playbook" sequences of cyber defense actions for rapid response to specific threat or breach events. http://www.oasis-open.org/committees/cacao/

ISO/IEC JTC 1

ISO/IEC JTC 1/SC 27: Information security, cybersecurity and privacy protection. The development of standards for the protection of information and ICT includes generic methods, techniques and guidelines to address both security and privacy aspects. http://www.iso.org/iso/iso_technical_committee?commid=45306

ITU-T

ITU-T SG17 (Security) develops globally harmonized standards on telecommunication and information security, application security, cyberspace security, identity management and authentication. On application security, currently ITU-T SG17 works specifically on software defined networking, cloud computing, intelligent transport systems, distributed ledger technologies etc. Nearly 200 ITU-T Recommendations have been developed including the security Recommendations under the ITU-T X-series.

More info: http://itu.int/ITU-T/go/tsg17

http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

SG17 / Q10/17 — Identity management architecture and mechanisms

http://www.itu.int/itu-t/workprog/wp_block.aspx?isn=2048

ITU-T SG20 under Question Q6/20 studies aspects related to security, privacy, trust and identification for IoT and SC&C. In August 2017, it approved Recommendation ITU-T Y.4805 'Identifier service requirements for the interoperability of Smart City applications', which specifies a set of requirements for identifier services in smart cities. Currently, SG20 is working on a draft Recommendation on "Agility by design for Telecommunications/ICT Systems Security used in the Internet of Things" (Y.IoT-Agility).

More info: http://itu.int/ITU-T/go/tsg20

ITU-T SG11 under Question 2/11 deals with the SS7 security-related issues. Following the Member States' demands on dealing with the spoofing of calling party number, SG11 revised ITU-T Q.731.3, which specifies an exceptional procedure for transit exchange connected to CPE (Customer Premises Equipment) with the purpose of providing predefined calling party number by the originating operator. From ITU-T SG11 perspective, all calling party numbers delivered in the telecommunications network should be generated or verified by an operator. Also, SG11 studies SS7 vulnerabilities and mitigation measures for digital financial services transactions.

More info: http://itu.int/ITU-T/go/tsg11

ITU-T SG13 has been carrying out work on trust in telecommunications since 2016. It approved a new Recommendation, Y.3053 Amd1 on "Framework of trustworthy networking with trust-centric network domains". There are six ongoing work items on this topic. A dedicated flipbook on "Trust in ICT" has a collection of the ITU-T work on trust as of 2017: https://www.itu.int/en/publications/Documents/tsb/2017-Trust-in-ICT-2017/mobile/index.html

ITU-T commenced studies on quantum safe communications in June 2018. As of autumn 2019, Recommendation ITU-T Y.3800 on "Framework for Networks supporting Quantum Key Distribution" (QKDN) was consented. Additionally, SG13 has four ongoing work items on QKDN.

More info: http://itu.int/ITU-T/go/tsg13

W3C

W3C runs several groups in the area of security:

  • Web Cryptography working group, which is defining an API that lets developers implement secure application protocols for web applications, including message confidentiality and authentication services, by exposing trusted cryptographic primitives from the browser.
  • Web Application Security "WebAppSec" working group, which is developing standards to ensure that web applications are delivered free from spoofing, injection, and eavesdropping.
  • Hardware-based secure services community group, which analyses use cases where browser and web application developers could benefit from secure services in the fields of cryptographic operations, citizen identity and payment, as offered to native applications.
  • Web Bluetooth community group, which is developing a specification for Bluetooth APIs to allow websites to communicate with devices in a secure and privacy-preserving way.
  • Web NFC community group, which is creating a near field communication API that is browser-friendly and adheres to the web's security model.

https://www.w3.org/Security

IEEE

IEEE has standardisation activities in the cybersecurity and NIS space, and in anti-malware technologies, including in the encryption, fixed and removable storage, and hard copy devices areas, as well as applications of these technologies in smart grids (https://ieeesa.io/rp-nis)

IETF

The following IETF WGs are active in this area:

The Managed Incident Lightweight Exchange (MILE) WG develops standards to support computer and network security incident management. The WG is focused on two areas: IODEF (Incident Object Description Exchange Format, RFC5070), the data format and extensions to represent incident and indicator data, and RID (Real-time Inter-network Defense, RFC6545), the policy and transport for structured data.

The Security Automation and Continuous Monitoring (SACM) WG is working on standardising protocols to collect, verify, and update system security configurations in a way that allows a high degree of automation. This facilitates securing information and the systems that store, process, and transmit that information. The focus of the WG is the assessment of network endpoint compliance with security policies, so that corrective measures can be applied before the endpoints are exposed to the threats those policies address.

The aim of the DDoS Open Threat Signalling (DOTS) WG is to develop a standards-based approach for the real-time signalling of DDoS-related telemetry and threat handling requests and data between elements concerned with DDoS attack detection, classification, traceback, and mitigation.

The goal of the Interface to Network Security Functions (I2NSF) WG is to define a set of software interfaces and data models for controlling and monitoring aspects of physical and virtual NSFs. A Network Security Function (NSF) is a function used to ensure integrity, confidentiality, or availability of network communications, to detect unwanted network activity, or to block or at least mitigate the effects of unwanted activity. The hosted, or cloud-based, security service is especially attractive to small and medium-sized enterprises which suffer from a lack of security experts to continuously monitor networks, acquire new skills and propose immediate mitigations to ever increasing sets of security attacks.

The Source Address Validation Improvements (SAVI) WG develops standardised mechanisms that prevent nodes attached to the same IP link from spoofing each other's IP addresses.

The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg/#sec

3GPP

SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications.

http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security

ECMA

ECMA TC39: Secure EcmaScript (SES) is a runtime environment for running EcmaScript (JavaScript) strict-mode code under object-capability (ocap) rules.

Other activities related to standardisation

ECSO

The European Cyber Security Organisation (ECSO) represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP).

WG1 focuses on standardisation, certification, labelling and supply chain management. https://www.ecs-org.eu/

ECSO WG1 has published the State of the Art Syllabus (SOTA) (December 2017), which lists all standards and specifications related to cyber security. The SOTA document gives a good overview of cyber security standards, initiatives and certification schemes, both at the European and international level (including national elements), for assessment and certification of items. https://www.ecs-org.eu/documents/uploads/updated-sota.pdf

OIDF

Risk and incident sharing and coordination working group [RISC]

RISC (chartered 2015) provides data sharing schemas, privacy recommendations and protocols to share information about important security events, in order to prevent attackers from using compromised accounts with one service provider to gain access with other service providers. RISC focuses on peer-to-peer sharing of information related to the state of individual accounts. http://openid.net/wg/risc/charter/

NIST

NIST has started work in several areas, with active documents and two reports already published which provide guidance on critical security controls and on security by default for products and services. Other areas of work include critical infrastructure protection, privacy matters and cybersecurity issues.

Cyber-Physical Systems for Global Cities Project http://www.nist.gov/el/smartgrid/cpsforglobalcities.cfm

Cybersecurity for Smart Grid Systems http://www.nist.gov/el/smartgrid/cybersg.cfm

Cybersecurity for Smart Manufacturing Systems http://www.nist.gov/el/isd/cs/csms.cfm

National Institute of Standards and Technology Initiates Development of New Cybersecurity http://www.nist.gov/itl/cybersecurity-framework-021313.cfm

Reference Architecture for Cyber-Physical Systems Project Framework http://www.nist.gov/el/smartgrid/cpsarchitecture.cfm

Cyber Security PPP

The cPPP will be instrumental in structuring and coordinating digital security industrial resources in Europe https://ec.europa.eu/digital-single-market/en/cybersecurity-industry

Additional information

The Danish business community has developed a corporate partnership to increase ICT security in the Danish business community. The partnership will develop preventive security measures and launch efforts to promote businesses’ use of international security standards.

The Dutch government has selected a group of security specifications for its comply-or-explain policy: DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, SAML, ISO 27001/2, and is actively using different adoption strategies to get the specifications implemented. A very useful tool is the website www.internet.nl. Organisations and individuals can, by entering the domain name of a website or email service, easily test whether the website offers support for the modern Internet specifications. The result is a test report with detailed explanations. The website is available in English and Dutch. In addition, business, industry and government collectively established the 'Safe Email Coalition' to fight abuse such as phishing and eavesdropping in e-mail.
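As an added illustration of the kind of check a comply-or-explain test implies for two of the listed specifications (SPF and DMARC), the following Python example evaluates a domain's TXT records offline. It is not code from the Rolling Plan or from internet.nl; the domain `example.test`, the record contents and the function names are constructed for the example, and the thresholds applied (a restrictive SPF `all` qualifier, at most 10 DNS-lookup terms, an enforcing DMARC policy) are taken from the SPF and DMARC specifications rather than from this page.

```python
"""Offline evaluation of SPF and DMARC TXT records (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


# SPF terms that each cost one DNS lookup; RFC 7208 limits an evaluation to 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return the qualifier of the final 'all' term and the number of lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # implicit '+' per RFC 7208
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Split a DMARC record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf-present", False, "no SPF record")]
    findings = [Finding("spf-present", True, spf[0])]
    if len(spf) > 1:   # receivers treat multiple SPF records as a permanent error
        findings.append(Finding("spf-single", False, f"{len(spf)} SPF records found"))
    parsed = parse_spf(spf[0])
    findings.append(Finding("spf-all", parsed["all"] in ("-", "~"),
                            f"'all' qualifier is {parsed['all']!r}"))
    findings.append(Finding("spf-lookups", parsed["lookups"] <= 10,
                            f"{parsed['lookups']} DNS-lookup terms (limit 10)"))
    return findings


def check_dmarc(records):
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [Finding("dmarc-present", False, "no _dmarc record")]
    tags = parse_dmarc(dmarc[0])
    policy, pct = tags.get("p", "").lower(), int(tags.get("pct", "100"))
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return [
        Finding("dmarc-present", True, dmarc[0]),
        Finding("dmarc-policy", enforcing, f"p={policy or '<missing>'} pct={pct}"),
        Finding("dmarc-reporting", "rua" in tags, "aggregate reporting (rua) configured"
                if "rua" in tags else "no aggregate reporting (rua)"),
    ]


def evaluate(domain, txt):
    """txt maps DNS names to the TXT strings a resolver would return for them."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))


def summary(findings):
    return {f.check: f.ok for f in findings}


# Constructed records for the hypothetical domain example.test: a weak and a hardened set.
WEAK = {
    "example.test": ["v=spf1 include:_spf.mail.example.test include:relay.example +all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
HARDENED = {
    "example.test": ["v=spf1 include:_spf.mail.example.test mx -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test"],
}

if __name__ == "__main__":
    for label, txt in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for f in evaluate("example.test", txt):
            print(f"  [{'ok' if f.ok else '!!'}] {f.check}: {f.detail}")
```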

In Germany, the Federal Agency for Information Security (BSI) bases several national cybersecurity standards (concerning both critical infrastructures and SMEs) on the ISO/IEC EN 270xx family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security catalogue) for grid network operators, with mandatory certification.

ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a 'Reference Security Incident Classification Taxonomy'. Following a discussion among the CSIRT community during the '51st TF-CSIRT meeting' (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is where the so-called 'Reference Incident Classification Taxonomy Task Force' comes into play. The aim of this task force is to enable the CSIRT community to reach a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:

  • Develop a reference document
  • Define and develop an update and versioning mechanism
  • Host the reference document
  • Organise regular physical meetings with stakeholders

The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map