Education

Continuing on from our observations from Day 1, we noted several key points at the ETSI annual conference relating to cybersecurity policies.

Some future plans for standards and certifications under CSA include future candidate schemes in areas of IoT and IACS (industrial automation control system). As ENISA develops a candidate scheme for 5G network, several items need to be considered. One is the 5G context. This concerns what subset of 5G architecture, for the certification to be applied. Another is identifying scheme elements that support 5G evaluation and certification. Currently, we can expect a draft version of the NIS Directive v2 soon. Interestingly, the new directive introduces responsibilities for ENISA to be more involved in standardization. In response, ENISA developed its strategic objectives to maintain an inventory of standardization organizations and their activities and products. The goal is to then act as a cybersecurity reference point for the EU and participate in relevant standardization actives.

In the context of EU5G, the Network Equipment Security Assurance Scheme was submitted to ENISA for EU adoption. NESAS seeks to provide a security baseline for network equipment in the scope of mobile infrastructure. In particular, NESAS looks at if the equipment is developed to meet secure by design guidelines and does satisfy defined security requirements. Although NESAS is not a certification scheme, GSMA is currently looking at how certification components can be added.

We are also seeing some trends of transitioning from current schemes to CSA schemes. ANSSI is looking to provide EU-wide recognition for certified products and services. One example is ANSSI seeking to provide equivalent services of EUCS to the market. This may be achieved by leveraging consistency such as CSA levels, resistance tests, and applicable EU legislation.

A framework for European cybersecurity assessment (conformity) was proposed. The goal is to increase involvement and transparency to every member state, even those not offering certification or heavily involved in conformity assessment. The agreed new approach would then push for a horizontal regulation on cybersecurity (i.e. – it will capture all cybersecurity needs during vertical regulations to avoid fragmented conformant assessment across industries.

For SMEs, the SBS SME Compatibility Test for Standards was piloted. It provides an overall perception of SME compatibility of a given standard. As SMEs are essential parts of the supply chain, this may be a necessary starting point for improving standards.

Some updates on RED (Radio Equipment Directive) are the proposed applicable requirements. One interesting update is the essential requirements in article 3(3). Currently, Q3 2021 is the expected Commission adoption of a delegated act under Article 3(3)(d/e/f) of RED. This came from the Commission’s consideration of mandatory requirements to be proposed for market access of certain wireless products. For manufactures, this means they will need to demonstrate features to ensure protection of networks, privacy and data protection, and/or protection from frauds as conditions for market access.

The RED Article 3(3)(i) is the proposed next step after RED 3(3)(d/e/f). It concerns the software for the radio equipment. Currently, ETSI had developed a solution proposal on how to test for the new requirements and communicated it to the Commission.

The topic of cybersecurity policy presented challenges in standardizations. In which, we’d like to highlight that all schemes and legislation must provide some improvements to baseline security. Parallel schemes do not necessarily de-value, rather it is important that any parallel schemes will then allow manufactures to submit evidence transferred from 1 of the overlapping schemes to prove compliance.

At the recent ETSI annual conference, several cybersecurity domains were discussed. In this article, we’ll look at the latest development in IoT.

With the increasing adoption of 5G technology, the European Commission had requested ENISA to develop a candidate European Cybersecurity Certification scheme for 5G network. The EU 5G will be an extension of the EU toolbox for 5G security as it seeks to address certain risks, as part of a broader risk mitigation strategy. While ENISA is still processing both ECUU and ECUS schemes, we can expect the finalized version of ECUS in Q4 2021.

As the European Commission and Cybersecurity Group under the CSA start the discussion on a candidate for a cybersecurity certification scheme for connected devices, we can expect such scheme will be aligned to EU legislative frameworks and other European Cybersecurity Certification Schemes. In the EU, it’d be consistent with EU Cybersecurity Certification Schemes such as the European Common Criteria Scheme and the European Cloud Services Cybersecurity Certification Scheme. We believe combining multiple schemes may provide a holistic approach to certification. For example, using the IoT scheme for products and the EUCS scheme for supporting services may complement the standalone IoT scheme approach. As of now, we are expecting the URWP for European Cybersecurity Certification to be published in Q3 2021 where we can then understand how the European Commission would issue the request to the EU Cybersecurity Agency. Right now, we know the scope for such scheme will capture IoT devices in residential, industrial, and any other settings. The assurance levels will be the same three levels provided under the CSA. As the European Commission emphasizes the need for standardization, standards development in EU member states and internationally will need to be integrated into the EU Cybersecurity Certification Scheme for IoT.

We are also seeing exciting updates to EN303 645. EN provides a common baseline across the European and global markets for all consumer IoT. Currently, the focus for Q2 2021 is on developing assessment specifications (TS 103 701) to test against provisions of EN303 645. As this standard matures, we can expect alignment to standards and legislation under development for IoT.

General cybersecurity assessment frameworks often serve as a horizontal solution; however, to cover the general assurance requirements (such as assurance levels defined by the CSA) and to the specific field of application such as IoT, some guidance is provided on how to integrate EN17640 into a certification scheme. EN 17640 as a general evaluation methodology that when integrated into a certification scheme to fit the scheme assurance requirements, it raises some interesting questions. One is the extent of assessments required for each level. Currently, dEN 17640 editors and CEN/CLC JTC 13/WG 3 are working to publish this standard in September of 2021. Interesting to note is the future outlook of possible application in the Radio Equipment Directive Certification scheme.

The GCF also had some interesting updates on its Consumer IoT Security Accreditation programme based on EN303 645. Currently, its phase 1 provides self-accreditation for non-constrained devices. This involves the manufactures submitting a security compliance declaration covering the first 3 IoT Security Provisions defined by ETSI Cyber (EN 303 645). We are expecting development work for phase 2 to focus on extending assessment coverage to include constrained IoT and using TS 103 701 Test Specification as a baseline for conformity assessment to EN 303 645. For now, product manufactures should make sure no universal default passwords are used, implement a way to manage reports of vulnerabilities, and keep software updated for phase 1.

Another aspect of EN303 645 adoption is from the Cybersecurity Labelling Scheme from CSA Singapore. This scheme consists of 4 tiers. Although participation is voluntary, security-critical devices such as Wi-Fi routers will obtain at least tier 1 in Singapore. As more nations launch their schemes, we have to more mindful of fragmentations. For this particular scheme, it is done by leveraging EN303 645 and TS103701 for tier 4 testing.

Our observation was the importance of the collaborative effort in developing mutually recognized standards. For product manufactures in the global market, this provides value in that manufacturers do not have to choose which standard to be compliant for to operate in many jurisdictions.

Over the past few months, we have been working with the Chang School at Ryerson to develop a one day seminar on cyber security. The goal is to get more executives and board members comfortable talking about security and ensuring they have strong security strategies regardless of sector. The staff at Ryerson have been great at supporting our ideas and concepts and are helping this course become a reality. From an educational perspective, these are the key aspects that will be discuss during the session:

  1. Principles of a Cyber Security Strategy
  2. A Case Study
  3. Implementing a Risk Management Process
  4. Preparing for a Breach including a drafting a Breach and Cyber Security Playbook

There will be lots of open discussions and examples on these topics and you can pick my brain on these issues specific to your company or sector. I am looking forward to spending the day exchanging, learning and sharing. Bring your questions and problems and I hope to see you on Sept.24th. More details to the course and registration are located here http://ow.ly/QeiK2.

 

Faud Khan