ENISA and Standards
Adrián Belmonte
ETSI Security Week Event, Sophia Antipolis (France), 22nd June
European Union Agency for Network and Information Security
Summary
01 What's ENISA?
02 Some challenges in standardization
03 Challenges from an EU perspective
04 ENISA approach to standards
05 ENISA actions in standardization
ENISA and Standards, Adrián Belmonte
Securing Europe's Information Society
Operational Office in Athens
Seat in Heraklion
Positioning ENISA activities
"The nice thing about standards is there's so many to choose from." A.S. Tanenbaum, Computer Networks, 2nd ed., p. 254
A plethora of standardisation initiatives
International:
- ISO: International Organization for Standardization
- IEC: International Electrotechnical Commission
- ITU: International Telecommunications Union
- IETF: Internet Engineering Task Force
- IEEE: Institute of Electrical and Electronics Engineers
European:
- CEN: Comité Européen de Normalisation
- ETSI: European Telecommunications Standards Institute
- Cyber Security Coordination Group
- ICTSB: ICT Standards Board
- NISSG ('04-'08)
National:
- ANSI: American National Standards Institute
- NIST: National Institute of Standards and Technology
Industrial initiatives:
- W3C, OASIS, Liberty Alliance, FIDO, Wi-Fi Alliance, BioAPI, WS-Security, TCG
- GP, PC/SC, Open Card Framework, Multos
- PKCS, SECG
Challenges in standardization
Two main challenges in standardization:
1. Complexity
2. Maintenance
The challenge of complexity
- Backwards compatibility
- Optimizations for various cases
- High complexity in some cases:
  - barrier for evaluation
  - barrier for market entry
  - makes secure implementation very difficult
The challenge of maintenance
- Context changes
- New technical vulnerabilities
- Is fixing it better than doing nothing?
- Fast changes are incompatible with slow, consensus-based procedures
Challenges from an EU perspective
- Need to establish a small number of key initiatives at EU level:
  - Multi-disciplinary projects with industrial participation
  - Necessary contributions by Data Protection Authorities (DPAs) and app developers
  - Horizon 2020: standardisation should be promoted
- Improve coordination between different actors (e.g. EU-funded R&D and ISO)
- Possible vehicles for such coordination:
  - ETSI CEN CENELEC CSCG
  - H2020 (industrial platforms)
ENISA approach to standards
Aim: promotion of best practices through Standards Development Organizations (SDOs)
ENISA role: interface between the private sector, the public sector and SDOs
Short- and mid-term goals:
- Formal cooperation with SDOs and specific Working Groups (WGs)
- Working collaboration with SDOs
Long-term goals:
- Review of and participation in NIS standardisation activities
- Proposal of standards, by means of proposals for standardisation mandates
ENISA actions in standardisation
Until 2013 (Regulation (EC) 460/2004): "...to track the development of standards for products and services on network and information security..."
After 2013 (Regulation (EC) 526/2013): "...support research and development and standardisation..."
Concrete actions include:
- Support for the Cybersecurity Coordination Group (CSCG)
- Support for the Algo paper (ETSI)
- SME community support
ETSI CEN-CENELEC Cyber Security Coordination Group (CSCG)
- Give strategic advice to the technical committees of CEN, CENELEC and ETSI
- Develop a gap analysis of European and international standards on cyber security
- Define joint European requirements for European and international standards on cyber security
- Establish a European roadmap on standardization of cyber security
- Act as contact point for all questions of EU institutions relating to standardization of cyber security
- Suggest a joint US and European strategy for the establishment of a framework of international standards on cyber security
CSCG Action Plan
#1 Governance Framework
#2 Common Understanding of Cyber Security (leading an expert group)
#3 Trust in the European Digital Environment
#4 European PKI and Cryptographic Capabilities
#5 European Cyber Security Label
#6 European Cyber Security Requirements
#7 European Cyber Security Research
#8 EU Industrial Forum on Cyber Security Standards
#9 EU Global Initiative on Cyber Security Standards (preparing the ground for a high-level conference)
ETSI ESI Algo paper
- ETSI TR 119 312: Business Guidance on Cryptographic Suites
- ETSI TS 119 312: Cryptographic Suites
ENISA reports 2013-2014:
- Recommended cryptographic measures
- Algorithms, Key Sizes and Parameters
Collaboration 2014 >
SMEs & Security Standards
SMEs: employ fewer than 250 persons and have an annual turnover <= 50M and/or an annual balance sheet <= 43M
- 99% of all European businesses
- Reduced size, sometimes meaning:
  - Cannot have a large number of dedicated IT staff
  - Cannot have a single person dedicated to ICT security and privacy protection
- Standards are, in general, targeted at larger, specialized organizations and are difficult to implement for small businesses
ENISA and Standards for SMEs
ENISA aims to identify how to facilitate the adoption of standards by European SMEs:
- Gather and analyze information about which standards are used (or why standards are not being used)
- Investigate the obstacles and perceived problems for SMEs in embracing standards
- Identify the main gaps in security and privacy standardization for the SME community
- Identify initiatives to move forward
Based on the findings:
- Produce recommendations on how to facilitate and increase the adoption of standards by European SMEs
Concluding Remarks
A little mess with standards: some ICT areas are over-standardised while other areas lack standards
- Standards are a tool, not the objective
- Maintaining security standards is perhaps more complex than maintaining general standards
- Plethora of fora and initiatives, not enough coordination
- Open evaluation procedures are essential
- Might stimulating the European market through procurement be an approach?
- Are standards too focused on specialized or large companies? Improve SME support
- Need for an EU strategy on research & standardisation
Thank you
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu