An overview of security standardization activities in CEN and CENELEC
Luc Van den Berghe, [email protected], Manager Research Integration, CEN-CENELEC Management Centre
Contents
• Standardization in CEN and CENELEC - the CEN and CENELEC deliverables
• A generic overview of ICT-security related work
© CEN-CENELEC 2013 - 2Luc Van den Berghe [email protected]
• Some extra information on
• CEN/TC 391 - Societal and Citizen Security
• CEN/TC 224 including eSignatures and Biometrics
• Security in a Smart Grids context
• Security in Cloud Computing - Workshop CIRRUS
Where we fit in:
• International: ISO and IEC
• Europe: CEN and CENELEC, linked to ISO and IEC through the Vienna and Dresden Agreements
• National: National Standards Bodies or NCs
• Membership: industry, other stakeholders, standards' users...
Integration of regional and global standardization
Vienna Agreement signed between ISO and CEN
Dresden Agreement between CENELEC and IEC
• To adopt International Standards in Europe whenever possible
• No duplication of work
Types of cooperation between ISO-CEN and IEC-CLC:
• Correspondence
• Mutual representation at meetings
• Adoption of the same text as ISO or IEC standard and European Standard:
• Adoption by CEN or CLC of an available ISO or IEC standard, and vice versa
• Elaboration of a standard in one organization, with a parallel ISO-CEN or IEC-CLC approval procedure
Deliverables of CEN and CENELEC
• Developed in a Technical Committee - national delegation principle:
• European Standard (EN) – the same everywhere
• Technical Specification (TS) – try it out and/or compete
• Technical Report (TR) – give information
• Direct participation model:
• CEN-CENELEC Workshop Agreement (CWA) – agreement between parties
Security standardization in CEN and CENELEC – an overview
• CENELEC/TCs: in CENELEC most technical work happens in IEC under the Dresden Agreement; some 70% of CENELEC publications are identical to IEC publications
• e.g. CENELEC/TC 65X - Industrial-process measurement, control and automation
• At an earlier conference: CENELEC/TC 79 – alarm systems
• CEN/TCs: TCs 391, 224, 225; note: there is today no equivalent CEN/TC for JTC1/SC27
• Some joint CEN-CENELEC-ETSI co-ordinating groups: smart meters; smart grids; cybersecurity
• Link with R&D projects: CEN Workshop CIRRUS
CEN/TC 391 - Societal and Citizen Security
• Addresses standardization mandate M/487
• Mandate's scope: ICT is within the scope of this Mandate as a security enabler, but ICT as such is not covered, with the exception of Cryptography
• COM(2012) 417 final (July 2012) - DG ENTR Policy Communication - 3 priorities for the 2nd phase:
• Border security
• Crisis management/Civil Protection
• CBRNE (Chemical, Biological, Radiological, Nuclear and Explosives)
Report Phase 2 M/487
• Phase 2: January – July 2013
• Experts for each of the three priorities: co-organize workshops and co-author the report.
• Draft report debated and commented on by all stakeholders (industry, research, authorities including DG ENTR, JRC, MOVE, HOME, Frontex, EDA, consultants, standardization bodies etc.).
• Report accepted by the ESOs in September 2013.
• Follow-up for specific security standardization mandates in preparation by the EC.
Workshops and experts (1)
a- Border Security
Warsaw, April 4 and 5, 2013
Chris Hurrey
• 50 participants/experts
• 150 in community of interest
• 70 proposals
Outcome: biometrics standards for an important part already exist in ISO; privacy by design needed; align ICAO, FRONTEX and ISO.
Workshops and experts (2)
b- Crisis Management and Security of the Citizen
Edinburgh, April 9/10, 2013
Alain Coursaget
• 60 participants/experts
• 175 proposals
• 150 community of interest
Outcome: need for semantic interoperability; need for guidance in crisis response planning and resilience; improve operational efficiency. Step by step, cautiously. Work together with ISO 223.
Workshops and experts (3)
c- CBRNE
Ispra, April 11/12, 2013
Eelco Dykstra
• 55 participants/experts
• 150 community of interest
• 70 proposals
Outcome: fragmented market (CBRNE: each letter separate, and intentional and incidental); many stakeholders; hot items like terrorist attacks and major accidents; sampling and detection standards needed: sensors needed as well as standards for personal protective equipment.
CEN/TC 224 - Personal identification, electronic signature, cards and their related systems and operations
6 Working Groups
CEN/TC 224: past and present - over 60 standards published (timeline 1990 - 2000 - 2010)
• General card characteristics: 4*
• Telecom ICC & Terminal: 4*
• Biometrics: 4*
• Intersector Electronic Purse: 5*
• Terminal: 8*
• Health cards: 4*
• Transport data elements & applications: 5*
• European Citizen Cards: 5*
• Electronic Signature: 33*
• User Interface: 6*
*Number of active documents (published, under revision or new)
eSignatures and eID (1)
Cooperation with ETSI on Mandate M460 (eSignatures)
Draft EU Regulation on Electronic Identification and trust services for electronic transactions in the internal market: additional deliverables will have to be produced beyond eSignatures standards once a stable draft regulation is available (expected early 2014).
Electronic Signatures: 33 deliverables drafted by CEN/TC 224
eSignatures and eID (2)
A set of certified Protection Profiles (CC V3.1) for most components (SSCD, Crypto Modules, creation and verification applications, server signing, time stamping, authentication devices): a formalized framework will be used for the evaluation/certification of eSignature products in Europe
Application interface for smart cards used as SSCD
Guidance for SMEs and Consumers
Other activities to take into account (e.g. ANSSI/BSI work: protocols on eIDAS)
Biometrics
Interoperability of biometric recorded data for European requirements
• TS 16428, Best practices for slap ten print captures: 2012 - some discussions to upgrade to EN
• TS 16634, Recommendations for using biometrics in European ABC (Automated Border Control) - approved, pending publication; some discussions to upgrade to EN
• WD Environmental influence testing methodology for operational deployments of European ABC systems (NWI approved, TS expected)
• WD Biometric application profiles for law enforcement and border control authorities using portable identification systems (NWI approved, TS expected)
Support of M487 – Border security; active involvement of FRONTEX
Smart Grid security - M/490 SG-CG/SGIS
© CEN-CENELEC 2012
SG-CG/SGIS – Draft Report Structure (use cases are used as the report spine):
• WP 1 – SGIS Standards
• WP 2 – Cyber Security
• WP 3 – Privacy Protection
• WP 4 – Toolbox Update
SG-CG/SGIS WP1: Smart Grid Set of Security Standards
Selected standards coverage, SGAM mapping and detailed analysis are presented in this section (figure: Security Standards Coverage).
SG-CG/SGIS WP2: Cyber Security
The European Set of Recommendations and applied information security on Smart Grid use cases are covered in the Cyber Security work package (figure: European Set of Recommendations Dashboard).
Use cases analyzed:
• Distribution Substation
• Flexibility and Consumer Demand Management
• Distributed Energy Resources Control
• Transmission Substation
• Distribution Control Room
• Electrical Vehicle Smart (Re/De) Charging
SG-CG/SGIS WP3: Privacy Protection
• Analysis of expectable effects of the proposed EU General Data Protection Regulation
• Impact assessment of use cases in four Member States (FR / DE / NL / UK)
• Analysis of emerging privacy technologies
SG-CG/SGIS WP4: SGIS Tool Box Update
Current toolbox methodology, tools and steps (figure)
WS CIRRUS
• Relates to FP7 project CIRRUS "Certification, InteRnationalisation and standaRdization in cloUd Security"
• Kick-off meeting: 2014-02-11; duration 6 months
• CWA:
• a comprehensive overview of regulatory and standardization activities related to Security in Cloud Computing, including representative samples of ICT technical specifications developed by consortia and fora,
• recommendations for best practice and technical specifications in the area of assurance for continuous monitoring and certification of cloud computing services.
Thank you for your attention!
Luc Van den Berghe