Cyber Security Standards – why should you care?
At Azenby we take network and data security very seriously and we are proud to have Charles Brookson, a renowned authority on the subject, as part of our team. We asked Charles to give us an update on what’s been happening in the world of Cyber Security recently:
ETSI TC Cyber has been going for just over three years, and I’ve been there from the start, since I was involved in setting it up.
For those of you who don’t know, ETSI produces standards for Europe on Telecoms and ICT. There are three standards organisations within Europe and they each cover different sectors of standardisation. ETSI also manages areas like mobile, from the GSM days to 5G (www.3gpp.org). It is true of course that ETSI standards are often adopted well beyond the shores of Europe and can be considered to have great influence globally.
Lately we have produced some quite interesting documents and reports, which are well worth looking at for cyber security.
One of them is the ETSI guide to quantum-safe computing. Although we can’t expect quantum computers for maybe another 10 or 15 years, it’s worth looking at the history of cryptography to see just how long old algorithms remain in use in devices. GSM A5/1 was produced in 1986, and is still being used today despite the fact that it can be broken within a few minutes. You should be thinking about Quantum if you’re designing something for the Internet of Things; with an estimated life of 15 to 25 years, you’d have to look at building in algorithms to provide confidentiality, integrity and authentication that will hold up for this length of time.
The same goes for Banks and Institutions securing customer information, for example.
So, what does this ETSI guide tell us? Well, even with conventional symmetric algorithms such as AES, you’d have to look at doubling the effective key length in order to remain secure. What is more worrying is that some public key algorithms and elliptic curves will offer no security at all, because these types of public key algorithms can be broken by a quantum computer. It can be a real concern, because I believe that many of the cloud based resource suppliers for computers are looking at people being able to access a shared quantum computer.
So, if you are designing or looking at new systems, or using systems that may use public key or symmetric algorithms, you ought to have a read of the ETSI guide on quantum computers.
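To make the two rules of thumb above concrete for the kind of long-lived system the Internet of Things paragraph describes, here is a small cryptographic inventory review. It is an added example, not code from ETSI, Azenby or the guide itself, and it assumes a simple model: a symmetric key’s effective strength halves against a quantum adversary (the usual reasoning behind the “double the key length” advice), while the RSA, DH and elliptic-curve public key families offer no security at all. The inventory entries, the component names, the 10-year quantum horizon and the 128-bit target are all constructed for illustration.

```python
"""Quantum-readiness review of a cryptographic inventory (added example).

Models two rules of thumb from the ETSI quantum-safe guide as summarised
above: symmetric algorithms keep their security only if the key length is
doubled (so the effective strength halves), and RSA/DH/elliptic-curve
public-key schemes offer no security once a large quantum computer exists.
All inventory data below is constructed for illustration.
"""
from dataclasses import dataclass

# Public-key families the guide describes as broken by a quantum computer.
QUANTUM_BROKEN_FAMILIES = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "EdDSA"}


@dataclass(frozen=True)
class CryptoUse:
    component: str   # where the algorithm is used (constructed label)
    family: str      # algorithm family, e.g. "AES", "RSA"
    key_bits: int    # deployed key length in bits
    kind: str        # "symmetric" or "public-key"


def effective_bits_after_quantum(use: CryptoUse):
    """Effective security in bits against a quantum adversary.

    Symmetric: the effective key length halves (assumption: the halving
    model behind the guide's advice to double the key length).
    Public-key: 0 for the families listed as broken; None when this example
    makes no claim about the scheme and a manual review is needed.
    """
    if use.kind == "public-key":
        return 0 if use.family in QUANTUM_BROKEN_FAMILIES else None
    return use.key_bits // 2


def review_inventory(uses, service_life_years, quantum_horizon_years=10, target_bits=128):
    """Return one finding per inventory entry as a tuple:
    (component, family, key_bits, effective_bits, status).

    A deployment whose service life exceeds the assumed horizon for quantum
    computers must still meet target_bits after the quantum reduction.
    """
    outlives_horizon = service_life_years > quantum_horizon_years
    findings = []
    for use in uses:
        eff = effective_bits_after_quantum(use)
        if not outlives_horizon:
            status = "ok-within-horizon"   # retired before the threat is expected
        elif eff is None:
            status = "review-manually"     # scheme not covered by this model
        elif eff == 0:
            status = "replace"             # no security against a quantum adversary
        elif eff < target_bits:
            status = "increase-key-length" # the "double the key" rule applies
        else:
            status = "ok"
        findings.append((use.component, use.family, use.key_bits, eff, status))
    return findings


# Constructed inventory for a hypothetical IoT gateway with a 20-year service life.
SAMPLE_INVENTORY = [
    CryptoUse("link-encryption", "AES", 128, "symmetric"),
    CryptoUse("firmware-storage", "AES", 256, "symmetric"),
    CryptoUse("device-identity", "ECDSA", 256, "public-key"),
    CryptoUse("update-signing", "RSA", 2048, "public-key"),
]

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY, service_life_years=20):
        print(finding)
```

Run against the constructed inventory with a 20-year service life, AES-128 comes back as “increase-key-length” (64 effective bits), AES-256 as “ok” (128 effective bits), and both the ECDSA identity key and the RSA update-signing key as “replace”. The same inventory with a 5-year life is reported as acceptable within the horizon, which is the point of the guide’s advice: the longer the device will live, the more the quantum question matters today.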
Another report that we have just written is the one on the NIS Directive, which is an EC Directive. This one looks at what you have to do to meet the rather opaque statements that are contained within the NIS Directive. It should be of interest to anybody who is running a network and information system. Basically, there are some legal requirements that you have to meet: you have to have technical and organisational measures for information system risk management, and you have to be capable of exchanging information about incidents securely when there are issues with your system or service.
So, what are we going to be working on in the future? Well, there are over 20 documents already produced by the cyber security group, but certainly I think one of the major ones that we will be working on will be how you actually try and meet the General Data Protection Regulation (GDPR) on Data Protection, which is due to be published in May next year. One of the most important features of this will be that if you are trying to meet it as a business, then you will have an existing standard that will enable you to at least make sure that you meet all the requirements!
We’re also working on Middlebox security, and many other important security issues.
I’d encourage anybody who is interested in these particular areas to come along to ETSI and participate, or at least read the documents.
ETSI TC Cyber details: http://www.etsi.org/technologies-clusters/technologies/cyber-security
• TR 103 456 CYBER; Implementation of the Network and Information Security (NIS) Directive http://www.etsi.org/deliver/etsi_tr/103400_103499/103456/01.01.01_60/tr_103456v010101p.pdf
• EG 203 310 CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection http://www.etsi.org/deliver/etsi_eg/203300_203399/203310/01.01.01_60/eg_203310v010101p.pdf
And if you think you need some help in getting your network and systems up to standard for cyber security, then feel free to get in contact with us here at Azenby.