The SDOs / SSOs you are working with at the moment
The people working at jtsec is involved with different SDOs, mainly with CTN 320 the new Spanish National Cybersecurity Technical Committee of UNE (the Spanish body in the European Committee for Standardization, CEN, in the European Committee for Electrotechnical Standardization, CENELEC, in the European Telecommunications Standards Institute, ETSI, in the Pan-American Commission for Technical Standards, COPANT, as well as in the International Organization for Standardization, ISO and in the International Electrotechnical Commission, IEC), where we stands the secretariat of WG3. We are also member of different working groups like ISO SC27, the Common Criteria Users Forum (CCUF), the Cryptographic Module User Forum (CMUF) and an active member of the group ERNCIP “IACS Cybersecurity certification “.
Your main field(s) of activity
At jtsec we are expert in cybersecurity certification. We help companies to certify their products or systems against different security norms, sometimes providing consultancy and sometimes doing the evaluation work. This way we are really involved in promoting the use of internationally recognized norms while providing real value to our clients bringing out the true value of the standard. Cybersecurity standards such as iso 27001 or ISO 15408 are able to gather many years of expert knowledge from a large number of brilliant people all over the world and this cannot be underestimated. Lately we have collaborated with the CCN (National Cryptologic Center) in the creation of a national standard called LINCE for the lightweight evaluation of IT security products. This new standard will allow the Spanish administration, and collaterally to the Spanish citizens, to develop a catalogue of products that increases trust in the electronic administration. This past April, jtsec has become the first laboratory accredited by ENAC (the Spanish national accreditation entity) and CCN to evaluate the security of ICT products according to the LINCE methodology, the National Essential Security Certification scheme.
What ICT Challenges are you addressing in the ICT standardisation area?
The time to market has been reduced dramatically in the last years and it is required to adapt certifications to take into account this. In this regard, we note two trends in the area of product cybersecurity analysis. On the one hand, America is leaning towards using the Common Criteria standard (ISO 15408) as a functional compliance tool, promoting the use of the so-called cPP (collaborative Protection Profiles) where it is tending to eliminate most of the effort in vulnerability analysis required by the standard, replacing it with tests that can be automated to achieve greater speed in evaluation, but sacrificing much of the security assurance provided. On the other hand, the trend in Europe and that we promote from jtsec, contemplates two ways of action:
- Maintaining the traditional use of Common Criteria for High Assurance while developing the standard to be able to reuse as much work as possible and maintain the warranty despite software changes.
- Creating agile product evaluation and certification standards, such as the Spanish LINCE or the French CSPN, focused on vulnerability analysis and penetration tests and with limited effort and duration.
jtsec participates in both lines of work thanks to the collaboration of StandICT, through the following projects "Cybersecurity Patch Management" and "lightweight / non-CC evaluation methods" respectively.
How, if implemented will this make a difference in a specific context ?
The following years will be fundamental to create the European cybersecurity framework and ensure the alignment of this initiative with the worldwide standards is the base for the European companies’ competitiveness. On the one hand, having a patch management certified methodology will ensure providing a fast and efficient way for the industry to provide certified security updates in a timely and responsive manner, increasing its competitivity. As a side effect this will augment the security of citizens, one example is the smartcard devices through their electronic identity cards and banking cards. On the other hand, Europe needs a common and recognized lightweight evaluation methodology standard. It will be a key factor in the future of the European certification landscape. The focus in cybersecurity certification is higher than ever due to the cybersecurity act. The current available standards do not meet the requirements for all the IT products in terms of certification. The time to market and the costs are not the same for aerospacial products than for consumer ones so bringing cybersecurity certification to consumer products and therefore citizens, is a must.
Are there any best practices that you are aware of that put into practice these challenges described ?
Patch management was a hot topic at ISO SC 27. During the last study period, several presentations were carried out about this topic but finally it was considered difficult to achieve something in a reasonable time. The use of different lightweight cybersecurity certification schemes, however, is already a reality throughout Europe. Currently they are being used mainly to guide the acquisition of products by administrations, but their applicability to the consumer market is undeniable. In the meantime, manufacturers are being forced to certify their products under the schemes of each country, which means an increase in cost, an inconvenience to competitiveness and a betrayal of the principles of a united Europe. It is necessary that what is already working in practice achieves an agreement at European level that allows the mutual recognition of the certifications issued under the different member states. Since jtsec we like to imagine a future where the use of a European cybersecurity certification methodology can ensure the safety of consumer products and is a requirement for all Internet-connected devices that are sold in Europe. This is the only way to avoid events such as the one that occurred in 2016 with the Mirai botnet, which put half the world in danger by means of a DDoS attack.
What future actions or further specifications work would be necessary to undertake within an ICT Standards context?
The emergence of IoT, the cloud, AI, or quantum computing, pose real challenges for those of us who work in cybersecurity, and particularly for those of us who are trying to develop standards that fit and are useful now and in the future. This is especially true for those sectors where a cybersecurity failure can put human life at risk, such as health or connected cars. With a growing market, a prediction of a potential huge economic impaction the near future, and a forecast of more than 70 million of connected cards sold by 2023, this technology is an attractive target for cyberattacks. Cases of remote hacking of vehicles have been registered between 2015 and 2018 affecting multiple vendors. While vehicle communication technologies have been widely used in nowadays vehicle information system, there is no proper industry standard to evaluate the information security of vehicle information system or products. Currently, ISO/IEC 15408 is a general methodology to evaluate the information system and products. However, due to the complexity and key features of vehicle information system, the general criteria might not be applicable for the evaluation on vehicle information security. The massification of the connected vehicle market foreseen for the next years makes it essential to have an evaluation and certification methodology that allows the safe and reliable use of this type of technology for an activity as critical as driving, in which human lives are at stake.
jtsec, in its commitment to standardization as the way to a more cybersecure world, is really happy to participate in the StandICT initiative supporting the development of international standards by providing the vision of our experts in the development of current standards and those that may arise in support of the new European regulatory framework such as the NIS Directive and the future Cybersecurity Act.