Developing a PKI to achieve a significant impact on the security industry
The SDOs / SSOs you are working with at the moment
-
Danish Standard Committee S-557: Power systems management and associated information exchange.
-
Danish Standard Committee S-840: Interne of Things (IoT)
-
ITU-T Study Group 17: Security
-
ISO/IEC JTC 1/SC 6: Telecommunications and information exchange between systems
-
IEC TC 57 WG 15: Power systems management and associated information exchange - Data and communication security
Your main field(s) of activity
The main activity is related to cybersecurity products. Most activities in cybersecurity have been related to procedures, like not doing any action that impairs cybersecurity, while ensuring that products that go into ICT networks provide protection against hostile cyber attacks i.e., by providing authenticity, integrity (protection against modifications), confidentiality (encryption), access control support and much more.
Such requirements on products must be expressed in International Standards for interworking products to be developed.
I performed most of my work in this domain, e.g., the smart grid security area, but also within the security sector in general. An activity that requires much more attention and more participant's engagement.
What ICT Challenges are you addressing in the ICT standardisation area?
When making a specification for cybersecurity products some aspects are crucial as the following ones:
- Ensure that there are no holes in the specification
- Guarantee the deployment of secure cryptographic algorithms
- Possibility of future migration to more safe algorithms
- The text must be complete and non-ambiguous to allow secure and interworking products.
A major obstacle is to get cybersecurity standards developed in a speedy way.
Another major challenge is to provide a specification that is able to protect other specifications.
How, if implemented will this make a difference in a specific context?
Migration path to quantum-safe cryptographic algorithms for public-key certificates (X.509 certificates) has already been implemented by ISARA. A similar technique for protocols, in general, has been developed within a new X.510 standard expected to be completed during 2020. It has been decided to include these principles in smart grid security standards.
Developing a public-key infrastructure based on blockchain technology is a long-term project. When completed, it could have a major impact on the use of PKI in the future.
IEC 62351-4 developed as part of the StandICT project is able to protect other protocols. An implementation is currently under development. The second edition of IEC 62351-9 is expected to have a significant impact on the security industry.
Are there any best practices that you are aware of that put into practice these challenges described?
There is no real best practice planned, but there are similar activities.
- ITU-T Study Group 17 is developing a guide called x-pki-em: Information technology - Public-key infrastructure: Establishment and maintenance.
- IEC TC 57 WG 15 is developing a library with adds and hints to developers of IEC 62351-4.
What future actions or further specifications work would be necessary to undertake within an ICT Standards context?
-
IEC 62351-4, "Power systems management and associated information exchange – Data and communications security – Part 4: Profiles including MMS" needs to be extended to protect additional protocols and to provide a migration path for stronger cryptographic algorithms, such as quantum-safe algorithms.
-
IEC 62351-9, "Cyber Security Key Management for Power System Equipment” needs to be extended in areas such as Attribute certificates, check of certificates and development of related log records, further use of white lists, etc.
-
IEC 62351-14, "Power systems management and associated information exchange – Data and communications security – Part 14: Cybersecurity event logging" needs adaptation to IEC 62351-4 requirements.
-
IEC 62351-100-4, “Power systems management and associated information exchange – Data and Communication Security – Part 100-4 : "Cybersecurity Conformance Testing for 62351-4” needs much additional work.
-
Rec. ITU-T X.509 | ISO/IEC 9594-8, “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks” need an extension in different areas (whitelist, certificate sizes, clarification of attribute certificates, verification procedures etc.).
-
Rec. ITU-T X.510 | ISO/IEC 9594-11, “Information technology — Open systems interconnection — The directory — Part 11: Protocol specifications for secure operations” needs completion and the development of a second edition.
-
A public-key infrastructure based on blockchain technology is a very substantial activity requiring many resources in the future to be a success. It will take several months.