Technical Committee (TC) CYBER (cybersecurity) Activity Report 2023

Chair: Alex Leadbeater, Maketh Secure

Responsible for the standardization of cybersecurity, and for providing a centre of relevant security expertise.

The needs for security and privacy are inescapable aspects of our digital existence. An evolving threat landscape and rapid growth in the complexity of new systems and networks present challenges to maintaining the security of Information and Communications Technologies (ICT). Security is particularly important to developments in networked systems such as the Internet of Things (IoT) and Industry 4.0 as well as in consumers’ daily lives. In addition, technologies such as virtualization, cloud computing and the wide adoption of generative AI, bring with them specific security challenges.

Sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure products and services. To encourage industry to address these challenges, the EU and other national regulators are placing increasingly demanding cyber security assurance and threat-information sharing requirements on manufacturers and operators of ICT products and services. While many of these initial regulations are effectively optional, second-generation regulations such as the EU Cyber Resilience Act (CRA) will place mandatory requirements on manufacturers and service providers.

Solutions to mitigate the complex security landscape must include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.

Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the communications and business we depend on. A trusted centre of expertise, ETSI’s Cybersecurity Technical Committee (TC CYBER) develops market-driven standardization solutions to meet strategic high-level needs, as well as offering guidance to regulators, users, manufacturers and network operators.

ETSI and TC CYBER co-operate with numerous international, regional and national organizations and governments involved in cyber security, including the European Cybersecurity Agency (ENISA), CEN, CENELEC, the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO).

The security of consumer IoT has been a focus of TC CYBER for many years. In 2023, the committee worked on a revision of the existing standard EN 303 645 ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’. This update was initially published as ETSI TS 103 645 V3.1.1 (issued January 2024) and will progress to an update of the EN version during 2024. The update builds on feedback received from industry and test labs that use the current EN version and extends the data protection provisions.

Anticipating the proposed European Cyber Resilience Act (CRA), TC CYBER – in collaboration with other ETSI groups – in 2023 continued its analysis of the proposed legislation, provided comments to the European Commission on the draft Standardisation Request, and developed a mapping to assess existing standards and identify further work required in ETSI in support of the Act. This will be finalized in early 2024, following the availability of the final draft of the CRA. EN 303 645 is expected to form a key part of ETSI’s approach to standards to address CRA requirements.

In May 2023 the committee published Technical Specification TS 103 929 V1.2.1 ‘Mapping specific requirements of the delegated act and Standardisation Request for RED articles 3(3)(d), 3(3)(e) and 3(3)(f) to IEC 62443-4-2 requirements and to EN 303 645 provisions’. A similar detailed mapping is under development and will be published once the Standardisation Request for the CRA is published in 2024.

In addition, the committee published a Technical Report TR 103 935 V1.1.1 presenting a comprehensive methodology for risk assessment based on products’ properties to support their placement on the internal market, which is one of the central requirements of the proposed regulation.

Originally published in 2021, ETSI’s Protection Profile for Consumer Mobile Devices was revised and expanded in 2023 as a multi-part specification. In addition to addressing basic requirements (TS 103 732-1 V2.1.2), it now covers the increasing use of biometric authentication (TS 103 732-2 V1.1.2) in consumer mobile devices. A third Technical Specification complements this Protection Profile, defining the evaluation configuration (TS 103 932-1 V1.1.2) and merging the requirements of the two other documents so that the product can be evaluated as a whole. This ETSI Base Protection Profile for securing smartphones gained a world-first certification from the French Cybersecurity Agency at the end of 2023. In addition, TC CYBER has been working with GSMA to develop a possible certification scheme based on TS 103 732.

Reflecting current societal concerns around the dangers of technology-enabled coercive control, a new Work Item was adopted and subsequently published as a Technical Report in early January 2024. TR 103 936 V1.1.1 provides emerging design practices, through examples and explanatory text, for organizations involved in the development and manufacturing of consumer IoT devices and associated services. While focused on design practices for consumer devices, the report’s guidance is also applicable to other types of smart technologies such as smart TVs and alarm systems. This important area has received very limited consideration in standards to date across global SDOs, and it is therefore noteworthy that TC CYBER is raising the bar here.

In the context of consumer devices, sensor hubs are microcontroller units or digital signal processors that help to integrate data from different sensors or other chips (e.g. Wi-Fi, Bluetooth, GPS). They are thus key components used for the management, pre-processing and presentation of user data to the device’s operating system. Published in January, TS 103 864 V1.1.1 is a Technical Specification detailing security threats and corresponding common security requirements of sensor hubs implemented in consumer devices.

In the domain of Home Gateway devices, July saw publication of TS 103 928 V1.1.1 ‘Conformance Assessment of Security Requirements as vertical from Consumer Internet of Things’. This Technical Specification supports suppliers or implementers of Home Gateway products in first-party assessment (self-assessment), user organizations in second party assessment, independent testing organizations in third party assessment and certification and conformance declaration scheme owners in operating harmonized schemes.

Also in the area of consumer devices and privacy, the committee’s continuing work embraces the development of standards for specific consumer IoT verticals, such as Technical Specifications for the cybersecurity of residential smart door locking devices (TS 103 815 V1.1.1) and of smart voice-controlled devices (TS 103 927 V1.1.1).

During the year, work continued on the security of Network Routers and Optical Network Devices and Services, resulting in the publication of the following Technical Specifications:

  • TS 103 931 V1.1.1 - Network Router Security Requirements
  • TS 103 963 V1.1.1 - Optical Network and Device Security; Security provisions in transport network devices
  • TS 103 962 V1.1.1 - Optical Network and Device Security; Security provisions in Optical Access Network Devices
  • TS 103 961 V1.1.1 - Optical Network and Device Security; Security provisions for the management of Optical Network devices and services

During the year, TC CYBER made maintenance updates to a number of other specifications. In March TC CYBER published a revision (TS 103 457 V1.2.1) of our Technical Specification “Trusted Cross-Domain Interface: Interface to offload sensitive functions to a trusted domain”. Similarly, in October TC CYBER published an update (TS 103 307 V1.5.1) to our Technical Specification on security aspects for LI (Lawful Interception) and RD (Retained Data) interfaces. Both of these demonstrate TC CYBER’s work to maintain the relevance of ETSI standards and to develop them further based on industry user feedback.

Expanding and updating its guidance resources for organizations on Critical Security Controls for Effective Cyber Defence, the committee updated two Technical Reports in 2023: one on Critical Security Controls in the IoT sector (TR 103 305-3 V3.1.1) and one on privacy and personal data protection (TR 103 305-5 V2.1.1). A new Technical Report was also published on implementing the revised Network and Information Security (NIS2) Directive by applying Critical Security Controls (TR 103 866 V1.1.1). This latter report is currently being revised as a Technical Specification to be published in 2024.

Quantum Safe Cryptography

Quantum computers pose a major challenge to conventional cryptographic techniques, as information such as bank account details becomes subject to potential discovery and misuse. This challenge is illustrated in an animated video created by ETSI on this topic in 2023.

The focus of our CYBER QSC Working Group is on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The group’s work also feeds into other groups and standards bodies such as the International Telecommunication Union (ITU), the Internet Engineering Task Force (IETF), the International Organization for Standardization (ISO) and GlobalPlatform.

While CYBER QSC objectives include architecture, implementation and protocols, they do not include the development of cryptographic primitives. That work is conducted in academia and in other groups that specialize in the area, such as ETSI’s Security Algorithms Group of Experts (SAGE) and the National Institute of Standards and Technology (NIST) in the U.S.

In May 2023 CYBER QSC published a Technical Report TR 103 949 V1.1.1 that offers recommendations on a QSC migration strategy for Intelligent Transport Systems and C-ITS use cases.

Progress was meanwhile made during the year on other deliverables, with several anticipating publication in 2024:

  • Technical Report on combining classical and post-quantum algorithms to construct ‘hybrid’ cryptographic schemes
  • Technical Report on impact of quantum computing on symmetric cryptography
  • Technical Specification on efficient quantum-safe hybrid key exchanges with hidden access policies
  • Technical Report on a repeatable framework for quantum-safe migrations
  • Technical Report on QSC protocol inventory
  • An update to TS 103 744 V1.1.1 on Quantum-safe Hybrid Key Exchanges that will align with NIST’s FIPS publication of ML-KEM (FIPS 203)
  • Technical Report on impact of quantum computing on cryptographic security proofs

See the full list of TC CYBER and CYBER QSC Work Items in development here.

Events

Hosted in October at our Sophia Antipolis headquarters, the annual ETSI Security Conference attracted over 250 onsite attendees from 29 countries. The event focused on security research and global security standards in action, considering broader aspects such as attracting the next generation of cybersecurity standardization professionals and supporting SMEs.

The four-day programme gathered speakers from government agencies, other standards bodies, academia and various industry sectors. Featured topics included global security and regulatory matters, zero trust, IoT certification, 5G-related security, quantum-safe cryptography and quantum key distribution. Already confirmed for 2024 and 2025, this event continues to be highly regarded by both ETSI members and the wider security industry.

Organized in February by ENISA, CEN, CENELEC and ETSI, the 7th Cybersecurity Standardisation Conference 2023 in Brussels focused as before on the theme of ‘European Standardisation in support of the EU cybersecurity legislation’. Sessions included the proposed Cyber Resilience Act, eIDAS Regulation, the RED Directive, proposed EU Chips Act, Data Act, AI Act and others.

Also held in February, the 9th face-to-face ETSI-IQC Quantum-Safe Cryptography event attracted a large audience representing industry, academia and government. The Executive Track included keynote addresses on EU activities and direction in quantum-safe cryptography from ENISA and from colleagues in the telecom and aerospace industries who also lead EuroQCI (European Quantum Communication Infrastructure) initiatives. Expert panels shared advances in government actions and policies, while industry sessions discussed challenges faced by technology providers and leaders in finance and telecommunications as they prepare to migrate to quantum-safe cryptography.

The 10th ETSI-IQC Quantum Safe Cryptography Conference will be held in Singapore in May 2024, hosted by the Centre for Quantum Technologies, National University of Singapore. Registration is now open and the conference agenda can be found at the link above.