CYRENE Workshop on Cybersecurity Standardization and Supply Chain Security

Join us to a presentation of the Risk and Conformity Assessment Methodology for supply chain security, influenced by international standards

The CYRENE Project is thrilled to announce its upcoming workshop, focusing on Cybersecurity and Supply Chain Security Standardization. The event will take place on the 16th of June 2023, from 10:00 AM to 5:00 PM (CET). This workshop aims to foster an exchange of knowledge and ideas between
international standardization bodies and leading projects in the field of cybersecurity and supply chain security.

Info Pack

When?

June 16th, 2023

10:00 AM – 5:00 PM (CET)

Where?

Virtually

  • Participants: Representatives from 5 Standardization Bodies (ISO, ENISA, NIST, CEN CENELEC, and ETSI) and 6 cybersecurity and supply chain security projects (BIECO, MEDINA, SIFIS HOME, SANCUS, ASSURED, and IOTAC)
  • Main Outcome: Presentation of International Standards on Cybersecurity and Supply Chain Security

The CYRENE Project is thrilled to announce its upcoming workshop, focusing on Cybersecurity and Supply Chain Security Standardization. The event will take place on the 16th of June 2023, from 10:00 AM to 5:00 PM (CET). This workshop aims to foster an exchange of knowledge and ideas between
international standardization bodies and leading projects in the field of cybersecurity and supply chain security.

The workshop features representatives from esteemed Standardization Bodies such as ISO, ENISA, NIST, CEN CENELEC, and ETSI, as well as innovators from six forward-thinking cybersecurity and supply chain security projects, namely BIECO, MEDINA, SIFIS HOME, SANCUS, ASSURED, and IOTAC. These participants will present their current work and future directions, providing a comprehensive overview of the present landscape and future prospects in the field of cybersecurity standardization.

A key outcome of the CYRENE project, the Risk and Conformity Assessment Methodology for supply chain security, will be showcased during the workshop. This methodology, heavily influenced by international standards, represents a significant stride forward in supply chain security. Don’t miss this opportunity to learn, network, and share insights in this engaging and interactive forum.

Registration is free of charge but required in order to use the necessary remote facilitation tools. Please fill in the form below and we’ll forward you the invitation with all connection details a few days before the event.

CYRENE Standardization Workshop

AGENDA, June 16, 2023
Time (CET)TitlePresented by
10:00 - 10:10WelcomePN
10:10 - 10:40CYRENE Methodology and Standardization (30min)MAG/UBI
10:40 - 11:10ISO/IEC 27001 and 27002 and conformity assessment in the context of supply chain securityISO
11:10 - 11:40Standardisation supporting EU legislationENISA
11:40 - 12:10ETSI Cybersecurity Work on Cyber Resiliency and Supply Chain Management, including the Zero Trust ModelETSI
12:10 - 12:40Security standardisation by CEN & CENELECCEN CENELEC
12:40 - 13:10Cybersecurity Supply Chain Risk Management: Public and Private Sector Approaches and PracticesNIST
Lunch Break
14:00 - 14:30Overview of ISO/IEC 27036 – cybersecurity security in supplier relationshipsISO
14:30 - 14:45BIECO approach for a certification of cybersecurity systemsBIECO
15:00 - 15:15Standardization Pillars Supporting the Automation of Cloud Security Certification – the H2020 MEDINA projectMEDINA
15:15 - 15:30IETF Standardization of Lightweight Security Protocols for the IoTSIFIS HOME
15:30 - 15:45Guidance on Trusted Environments for Creating Cyber Resilient DevicesASSURED
15:45 - 16:00Strengthening IoT Security: Insights from the IoTAC ProjectIOTAC
16:00 - 16:15Standardization activities in European research projects: Case of H2020 SANCUSSANCUS
16:15 - 16:45Round table discussionALL
16:45 - 17:00ClosingMAG, ALL

Mr. Jon Boyens

Deputy Chief of NIST

Short biography

Jon Boyens is the Deputy Chief of the Computer Security Division, within the US Department of Commerce’s National Institute of Standards and Technology (NIST). He leads NIST’s Cybersecurity Supply Chain Risk Management Program, co-leads the Software and Supply Chain Assurance Forum, and is the NIST principal to the Federal Acquisition Security Council. Jon helps develop and coordinate the Department’s cybersecurity policy among the bureaus and represents the Department in the Administration’s interagency cybersecurity policy process. Jon has worked on various White House-led initiatives, including those on trusted identities, federal supply chain, ICT supply chain, the Cybersecurity Framework and, more recently, implementation of EO 14028, Improving the Nation’s Cybersecurity. management, risk and incident management, and cyber security.

Presentation Topic:

Cybersecurity Supply Chain Risk Management: Public and Private Sector Approaches and Practices

In today’s highly connected, interdependent world, all organizations rely on others for critical products and services. However, the reality of globalization, while providing many benefits, has resulted in a world where organizations no longer fully control the supply ecosystems of the products that they make or the services that they deliver. Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services. This presentation will discuss the similarities and differences in approaches and practices used by public and private sector organizations.

Dr. Edward Humphreys

ISO

Short biography

Dr Edward Humphreys is this convenor of ISO/IEC JTC 1/SC 27/WG 1, the working group responsible for the ISO/IEC 27000 family of standards. Edward has over forty years experience working in the field of security including advising international organizations, governments and various EU institutions. He has also served as a professor at several universities in Europe and Asia, and is the author of numerous books and papers on cybersecurity. He was awarded the coveted Wolfe Barry Gold Medal for his work on cybersecurity standards, and he has various lifetime achievement awards behind his name for ISO/IEC 27001 and 27002 – he is internationally recognised as ‘the father of the ISO/IEC 27000 family of standards.

Presentation Topic:

ISO/IEC 27001 and 27002 and conformity assessment in the context of supply chain security

This presentation will provide an overview of supply chain security as included in ISO/IEC 27001 and ISO/IEC 27002. This overview will also show the relationship between these standards and ISO 28001. This will be followed by presentation of conformity assessment, and certification in particular, in the context of ISO/IEC 27001.

Mrs. Nadya Bartol

Managing Director ISO

Short biography

Nadya Bartol is managing director at Boston Consulting Group, where she leads cyber and digital risk practice in North America. Nadya has worked with NIST and within ISO for a long time on the topics of cybersecurity, cyber supply chain risk management, and security measurement. Nadya is passionate about how people interact with technology and authored a TEDTalk on cybersecurity and shame that has been viewed over 1.2M times.

Presentation Topic:

Overview of ISO/IEC 27036 – cybersecurity security in supplier relationships

This presentation will provide an overview of ISO/IEC 27036 including target audiences, structure of this multipart standard, and its contents. The audience will learn how to use the standard to manage cyber and information security aspects of any supplier relationship, acquiring and managing digital products and services, as well as acquiring and managing cloud-based services.

Mr. Slawomir Gorniak

Telecommunications Engineer ENISA

Short biography

Sławomir Górniak, CISSP, CISM, is a telecommunications engineer focused on network security. Since 2008 he works at ENISA (EU Agency for Cybersecurity), where he has been involved in the areas of standardisation, certification and electronic identification. He is a coordinator and co-author of multiple ENISA reports covering various aspects of information security. Currently he is responsible for the Agency’s actions in the area of standardisation and assures its liaisons with Standards Developing Organisations.

Presentation Topic:

Standardisation supporting EU legislation

In recent months a plethora of draft legislative acts related to cybersecurity have been proposed by the European Commission. They all have a common denominator – they all mention standards as the base of the presumption of compliance with cybersecurity requirements. This talk will review the current situation and provide an overview of cybersecurity standardisation activities related to the proposed legislative acts.

Mr. Tony Rutkowski

Engineer-lawyer ETSI

Short biography

Tony Rutkowski is an engineer-lawyer with an extremely diverse, sixty-year professional career spanning the telecommunication, mobile, internet, satellite, and broadcasting fields in the U.S. and Europe where he has shaped major technical and legal developments in senior governmental, company, and academic leadership positions at international, national, and local levels. His roles have been focused on network security initiatives relating to cybersecurity, infrastructure protection, extraterritorial security law, and lawful interception for new networks and services. Currently, he represents the Center for Internet Security. Over the past several years, he has assumed rapporteur responsibilities in the ETSI Cyber Security Technical Committee for a number of major specifications and reports. Positions included the private-sector (VeriSign, SAIC, General Magic, Sprint, Horizon House, Pan American Engineering, General Electric Apollo Systems) government (FCC, International Telecommunication Union, Cape Canaveral City Council), academic (Internet Society, MIT, and NY Law School).

Presentation Topic:

ETSI Cybersecurity Work on Cyber Resiliency and Supply Chain Management, including the Zero Trust Model

This Technical Report addresses cyber resiliency throughout the supply chain and the various related frameworks and measures using risk-based, system of trust, and zero trust approaches, including the proposed EU Cyber Resilience Act.

Mr. Pertti Woitsch

CEO of CEN CENELEC

Short biography

 Mr. Pertti Woitsch is an experienced defence & security industry professional with wide experience in international sales, marketing and business development. He currently works as CEO at Woitsch Consulting Oy, a Helsinki based advisory firm with focus on providing consulting services to the industry, national public authorities and the research community, including EU-funded research projects. Mr. Woitsch has a special interest towards standardization; today, he acts as chairman of the CEN-CENELEC Sector Forum for Security (SF-SEC), which coordinates European security-related standardization. He also acts as convenor of Working Group 10 (Preparedness) at ISO/TC 292 (Security and resilience).

Presentation Topic:

Security standardisation by CEN & CENELEC

The European Standardisation Organisations CEN and CENELEC together with 43 National Standardisation Bodies and in cooperation with the European Commission produce every year a large set of standards addressing the wide area of physical and cyber security. This presentation gives an overview of these activities and about the exiasting and planned standards in this domain. It also explains how EU-funded projects can contribute to future standardisation as a part of their research and innovation activities.

Mr. Jose Barata

BIECO

Short biography

Jose Barata is Full Professor at the Electrical and Computing Engineering, Member of the Scientific Committee of the Doctoral Program in Electrical and Computing Engineering at the NOVA-FCT, where he is currently responsible for the courses units Robotics, Systems Integration, Telerobotics and Autonomous Systems, and Robotics Systems and CIM. He is senior researcher at the CTS – Centre of Technology and Systems at the UNINOVA Institute, where he is also coordinating the research group RICS – Robotics and Industrial Complex Systems (http://rics.uninova.pt), that develops research in the areas of service robots and smart industry. Within the RICS group he has leading the UNINOVA participation in several international projects from different European Programs, namely FP6 EUPASS, FP6 Self-Learning, FP7 IDEAS, FP7 PRIME, FP7 RIVERWATCH, FP7 ROBO-PARTNER, FP7 PROSECO, H2020 OPEN-MOS, H2020 PERFORM, H2020 GO0DMAN, MSC ITN DIMANDI, H2020 AVANGARD, and H2020 SOLSTICE. He is currently coordinating the H2020 project BIECO in the area of cybersecurity. He has also coordinated three research National Projects from the Portuguese science council (FCT) in the areas of smart manufacturing, service robots, and AI applied to diagnosis COVID-19. He has coordinated the participation of UNINOVA in several industrial projects related to industry 4.0 and autonomous service robots for surveillance and agriculture. He has published over 250 original papers in international journals and international conferences. He is a member of the IEEE technical committees on Industrial Agents (IES), Self-Organisation and Cybernetics for Informatics (SMC), and Education in Engineering and Industrial Technologies (IES). He is also a member of the IFAC technical committee 4.4 (Cost Oriented Automation).

Presentation Topic:

BIECO approach for a certification of cybersecurity systems

In this presentation, we will present the BIECO main results and how the certification methodology was integrated in the BIECO ecosystem.

Dr. Jesus Luna García

Robert Bosch GmbH

Representing project MEDINA

Short biography

Dr. Jesus Luna has worked since 1995 in the field of cybersecurity, both in America and Europe. He holds a PhD degree in Computer Architecture from the ”Technical University of Catalonia” (Spain), and has co-authored more than 50 cybersecurity-related publications including scientific papers, standards, and a patent. He previously worked as research director for the Cloud Security Alliance EMEA (U.K.), and currently for Robert Bosch GmbH (Germany) on topics related to security governance for cloud and AI. In 2020, he was nominated by ENISA as one of the 20 experts to develop the new European cybersecurity certification scheme for cloud services. Furthermore, Dr. Luna is the technical manager of the EU-funded MEDINA project on automated certification.

Presentation Topic:

Standardization Pillars Supporting the Automation of Cloud Security Certification – the H2020 MEDINA Project

 The upcoming EU Cybersecurity Certification Scheme for Cloud Services (EUCS) is just around the corner, and by introducing the notion of automated compliance monitoring, EUCS takes a firm step towards continuous audit-based certifications. By acknowledging the technological and organizational challenges associated to EUCS, this talk will present the standardization challenges faced by the EU-project MEDINA for developing a framework to leverage automated cybersecurity certification for cloud services. Our discussion will focus on the project’s ongoing standardization activities related to EUCS (CEN CENELEC), security metrics (ISO/IEC and NIST), and compliance automation (including our recently launched EUROSCAL initiative).

Dr. Marco Tiloca

RISE Research Institutes of Sweden

Representing project SIFIS HOME

Short biography

Dr. Marco Tiloca received the Ph.D. Degree in Computer Engineering from the University of Pisa in 2013. He is currently a Senior Researcher in the Cybersecurity Unit of RISE Research Institutes of Sweden in Stockholm (Sweden). His research interests are in the field of network and communication security, and include security in the Internet of Things, secure group communication, key management, and access control. He has long-time experience in European and national R&D projects, where he has also served as National Coordinator, Technical Coordinator and Work Package Leader. Marco is actively involved in standardization activities under the premier international body Internet Engineering Task Force (IETF), where he has also been serving as Chair of the Working Group “Constrained RESTful Environments” (CoRE).

Presentation Topic:

IETF Standardization of Lightweight Security Protocols for the IoT

This talk overviews the standardization contributions from partners of the SIFIS-Home project in the premier, international body Internet Engineering Task Force (IETF). Such contributions pertain the development of Network & System, lightweight security solutions for the IoT. These include protocols for end-to-end message protection also in group communication environments; establishment, distribution and update of keying material; and fine-grained, flexible enforcement of access control at remote resources. The work on these topics carried out in the project has been input to standardization proposals within the IETF, in its Working Groups “Constrained RESTful Environments” (CoRE), “Authentication and Authorization for Constrained Environments” (ACE), “Lightweight Authenticated Key Exchange” (LAKE), and “Static Context Header Compression” (SCHC).

Dr. Dimitris Karras

Representing Project ASSURED

Short biography

Dr. Dimitrios Karas is a Research Associate at the Digital Security and Trusted Computing Department of UBITECH. He has received his PhD in Physical Layer Security, as well as his degree in Electrical Engineering and Computer Science, from the Aristotle University of Thessaloniki. He has also worked as a test automation engineer and an application software developer in various embedded systems and applications in the automotive industry. Dimitrios has been involved in various European research projects and nationally funded projects, and he has authored several publications in international scientific journals and conferences.

Presentation Topic:

Guidance on Trusted Environments for Creating Cyber Resilient Devices

The emerging edge-cloud continuum that comprises complex safety-critical systems as part of supply chains (spanning from specialized embedded systems to highly capable computing systems running on the cloud), has the potential to significantly enhance the digital life of individuals but it also brings new challenges (or rather makes old unsolved challenges urgent to be solved), with trust and resilience being major concerns. In this talk, we will focus on Trusted Computing Group’s (TCG) new specification that enable Cyber-Physical Systems to achieve cyber resilience by implementing a minimal set of attestation capabilities. We will also describe how the work done in the ASSURED project enacts upon these specification with the design of new remote attestation schemes towards achieving sustainable security in such complex “Systems-of-Systems”. As such, security should be implemented in a sustainable way, namely achieving limiting energy and computational resources consumption, and being at least capable of supporting crypto-agility (so as to allow updates of security primitives rather than replacement of whole devices). These two properties are challenging to offer in security, since several attacks and weaknesses are discovered every day and simple updates could not be sufficient to defeat them.

Dr. Marija Jankovic

CERTH

Mr. Sascha Hackel

Fraunhofer FOKUS

Both Representing Project IOTAC

Short biography

Marija Jankovic

Dr. Marija Jankovic is a senior research associate at the Information Technologies Institute of the Centre for Research and Technology Hellas (CERTH), holding B.Sc., M.Sc., and Ph.D. degrees in Information Systems from the University of Belgrade, Faculty of Organizational Sciences. With extensive experience as a lead software architect in industry and research projects, her core research interests lie in software architecture design, system integration, interoperability, ontology-based knowledge engineering, and cybersecurity. She has been an active and valuable contributor to the Open Application Group (OAGi), participating in multiple working groups focused on smart manufacturing integration challenges. Besides, she actively supports the work of the ETSI TC MTS working group as a Rapporteur, specifically contributing to the fields of IoT functional and security testing

Sascha Hackel

Mr. Sascha Hackel is a research associate at the Fraunhofer Institute for Open Communication Systems (FOKUS) in Berlin. As a member of the System Quality Competence Center, he is involved and responsible for validation and test projects on next generation networks and software technologies. He has project experience with the development and validation of test solutions in several industry and research projects. He is Chair of the ETSI TC MTS working group TST. He actively supports the IDSA certification working group for a certification program. As deputy head of the software testing department in the Berlin and Brandenburg area of the ASQF association, he supports professional networking and the exchange of ideas in the area of software quality, software testing and other related IT topics.

Presentation Topic:

Strengthening IoT Security: Insights from the IoTAC Project

In this presentation, we will explore the Horizon 2020 European research project IoTAC (Security By Design IoT Development and Certificate Framework with Front-end Access Control) (No 952684), which aims to enhance IoT security through a comprehensive multi-layered approach. IoTAC leverages industry best practices, established standards, and cutting-edge research findings to bolster the security of IoT systems. The project integrates various cutting-edge components, including privacy-friendly access control mechanisms, machine learning-based attack detection, advanced honeypots, run-time monitoring strategies, and a security-by-design methodology. These technologies work together to create a robust security framework for IoT devices and systems. Furthermore, IoTAC provides software development kits (SDKs) and application programming interfaces (APIs) to facilitate seamless framework integration for developers and service providers. In our upcoming presentation, we will explore the testing methodologies and specifically highlight the security testing approaches implemented in the IoTAC project. We will discuss the approaches taken to assess and validate the security of IoT systems, highlighting the effectiveness of these methods in identifying vulnerabilities and ensuring robust protection.
Additionally, this presentation will explore the significance of bringing the IoTAC project’s approaches and learnings into the standardization process. We will discuss the potential impact on industry standards and highlight the importance of establishing best practices to enhance IoT security on a broader scale. By attending this presentation, you will gain insights into the innovative research efforts of the IoTAC project, its multi-layered security approach, and its implications for testing and standardization in the field of IoT security.

Dr. Wissam Mallouli

CTO of Montimage, France Expert in Cybersecurity Partner of H2020 SANCUS project and Leader of Standardization task

Representing Project SANCUS

Short biography

Dr. Wissam Mallouli is currently the Chief Technology Officer (CTO) at Montimage, an SME based in Paris, France. He obtained his Telecommunication Engineer degree from the National Institute of Telecommunication (INT) in 2005. Following that, he pursued his passion for cybersecurity and earned his Ph.D. from Telecom and Management SudParis in France in 2008. With a focus on continuous risk management and Cyberdefense, Dr. Mallouli specializes in securing critical systems and networks, including Cyber-physical systems, Cloud/edge/fog environments, and 5G/6G networks. As an active contributor to the field, Dr. Mallouli actively engages in several collaborative European research projects (e.g., HE AI4CYBER, HE DYNABIC, H2020 VERIDEVOPS, H2020 SANCUS). His involvement in these projects demonstrates his commitment to advancing the understanding and implementation of cybersecurity solutions at a broader scale. Dr. Mallouli’s contributions to the academic community are significant, as evidenced by his extensive publication record. He has authored more than 70 scientific publications in well-known conferences and journals and he is also in the program Committees of several workshops and conferences (Organiser of STAM 2023 in ARES conference, Book editor, Guest Editor in sensors journals etc). Dr. Mallouli is also an active member in several working groups in ETSI and ENISA.

Presentation Topic:

Standardization activities in European research projects: Case of H2020 SANCUS

The H2020 SANCUS project focuses on evaluating the security of 5G networks by integrating technologies and engines for automated security validation and verification. It relies on dynamic risk assessment, AI/ML processing, vulnerability detection, security emulation, and testing, along with optimization modeling to remediate to detected vulnerabilities and attacks. The project aims to align with ICT and network security standards and actively promote standardization. Standardization is crucial in advancing secure and trusted 5G networks, and SANCUS develops standards-compliant security engines, architectures, and methodologies to enhance interoperability and market acceptance. Through collaboration and engagement with industry stakeholders, the project pushes existing standardization activities in different standardization bodies, ensures regulatory compliance, and aims at a long-term sustainability and exploitation of results. By prioritizing standardization, SANCUS aims to address cybersecurity challenges, foster innovation, and facilitate the wider adoption of secure 5G networks.

Registration Form

KEY FACTS

Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Email: sofoklis.efremidis@maggioli.gr
Start: 1-10-2020
Duration: 36 months
Participating organisations: 14
Number of countries: 10

TWEETS by

FUNDING

EU flagThis project has received funding from the European Union’s Horizon 2020 Research and Innovation program under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.