News‎ > ‎

SMESEC: Cybersecurity Standardisation 2020

posted Feb 4, 2020, 7:43 AM by Marco Spruit   [ updated Feb 5, 2020, 5:28 AM ]
On February 3 2020 in Brussels, the annual Cybersecurity Standardisation 2020 Conference organised by ENISA, ETSI CEN CENELEC was being held with around 400 participants: “Cybersecurity Standardization and the EU Cybersecurity Act - What's Up?”. Since UU is leading the standardisation task in the SMESEC Horizon2020 project, we are interested in finding out exactly “what’s up”. The EU’s strategic goal is pretty clear: to arrive at some sort of Energy Label Certification scheme, where all software products are accompanied by a simple assessment score like A+. The question is whether before 2023 this will have materialised already, not whether this should happen at all, btw.

The three main panels during this day were about (1) The role of standardisation to support the certification framework, (2) Achievements in cybersecurity standardisation and the rolling plan of standardisation bodies, and (3) EU certification scheme – difficulties and success stories in relation to standards, and the road ahead. I was particularly interested in the second one, about achievements in cybersecurity standardisation, so here’s a more elaborate account on that. The panel included Alex Leadbeater (AL) from ETSI TC Cyber, Jean-Pierre Quemard (JPQ) from CEN/CENELEC JTC13, Marcus Pritsch (MP) as the consumer voice, Emilio Gonzalez (EG) representing the EU commission, and Roberto Cascella (RC) from ECSO.

As if the panel members had jointly prepared the session, there was considerable consensus throughout. AL mentioned 5G and IoT’s consumer security standard as the major achievements of last year, which was confirmed by MP as well. However, he noted that there is still a gap in (re)using existing standards instead of reinventing the wheel all the time. Also, certification needs to apply for both SEMs as big infrastructures. MP mentioned the need for a unified standard for IoT, a holistic one which integrates both the cloud connectivity and local device aspects. JPQ repeatedly confirmed the mantra of not wanting to reinvent the wheel in developing standards, and added the desire for a smaller scope of standards and the need the develop horizontal standards. Peer review could be better employed as a quality tool, and in order to take off, we need to train organisations to become better aware of the cybersecurity dimension. These objectives require a lightweight certification scheme: a security quickscan, perhaps?

#cyberactstdconf2020 #smesec #uu on cybersecurity standardisation achievements, today in Brussels

— Marco Spruit (@marcospruit) February 3, 2020
EG mentioned the Rolling Plan for Cybersecurity, pointing out that standardisation is a bottom-up process, and the importance of promoting collaboration. Standardisation is a strategic tool! RC focused on the importance of finding out what the market needs, and that the ECSO state-of-the-art syllabus is openly available to... avoid everyone reinventing the wheel. In addition, he interestingly mentioned that, after pointing out the importance of understanding the priorities wrt standards, we are shifting from meta-schemes to security assessments. The thing is, this is exactly the conceptual foundation of the SMESEC project efforts... Work is still in progress but milestones have already been reported in our Journal of Intellectual Capital paper titled “Modelling adaptive information security for SMEs in a cluster” and our 2019 conference paper on “A Questionnaire Model for Cybersecurity Maturity Assessment for Critical Infrastructures”. We believe that an open reference model for personalisable maturity assessments of SMEs should be made available to EU organisations to address this cybersecurity challenge, but more on that later.

RC added that in general we simply lack the skills in cybersecurity, including in management. Nevertheless, the goal of certification would increase trust in the market. We need to be better able to mitigate risks. At the policy level this is being stimulated through ENISA/SDO collaboration wrt certification schemes. The concept privacy-by-design is important, then. Furthermore, it was reassuring to hear that JPQ explicitly invited all to come, be welcome and contribute to certification efforts. As UU and as a part of SMESEC, we intend to do just that in the coming months. AL then had some final words, stating and demonstrating that “Consumers don’t buy security”, so how can we as EU realise our vision of a Cybersecurity Certification Scheme analogous to the highly successful Energy Efficiency Scheme? Learning from the past, he retold the car theft problem in the UK in the 1960s, which was basically turned around through Naming And Shaming to nudge the general public into changing their buying behavior. The reoccurring mention of the Energy Efficiency metric made me feel quite happy, as it seems to imply that there might be some real interest into our newly funded Horizon2020 Research & Innovation project, for which UU will develop a simple yet personalised metric for cybersecurity, much like the Energy Efficiency metric, among others! (More on this new project soon)

A final question from the audience asked about what to do in cases of new technologies, when there are by definition no specific standards available yet, e.g. with AI products. What to do then? Currently, the AI-specific standards are seemingly written by people outside this ineer circle, which results in using different terminology, which creates many interoperability issues. Luckily, the reply was quite unambiguous: Join working groups, contribute! And that is what UU will do as well, with our SMESEC contributions, which we believe may benefit many organisations throughout Europe.