Privanova successfully hosts standardization workshop on cybersecurity and supply chain security
On June 16, 2023, PRIVANOVA hosted an enriching workshop dedicated to Cybersecurity and Supply Chain Security Standardization. The workshop, which spanned from 10:00 AM to 5:00 PM (CET), fostered a vibrant exchange of knowledge and innovative ideas between international standardization bodies and leading projects in the field of cybersecurity and supply chain security.
The event was well attended, with around 30 participants registered. The participants were engaged throughout the day, contributing to an atmosphere of collaborative learning and innovation. The primary outcome of the event was a comprehensive presentation of international standards on cybersecurity and supply chain security.
Exploring Cybersecurity and Supply Chain Security Standards
The workshop offered a deep dive into the complex world of cybersecurity and supply chain security standards, with presentations given by experts from leading standardization bodies and projects. Each presentation shed light on various aspects of these intricate fields, promoting a clearer understanding and encouraging thoughtful discussion.
From ISO’s focus on developing robust and scalable security measures to ENISA’s efforts on strengthening cybersecurity in Europe, each discussion contributed to a comprehensive picture of the current landscape of cybersecurity standards. The insights from CEN CENELEC and ETSI further enriched the discourse with their perspectives on European and telecommunication standards.
Representatives from six cybersecurity and supply chain security projects also shared their insights. The discussions covered BIECO’s strategy on blockchain innovation, MEDINA’s approach to the security of medical supply chains, SIFIS HOME’s contribution to securing smart homes, SANCUS’s architecture for secure networked control systems, ASSURED’s secure software updates for IoT devices, and IOTAC’s focus on trustworthy IoT environments.
These dialogues stimulated a rich exchange of ideas, with each presentation further enhancing the participants’ understanding of the current state of cybersecurity and supply chain security standards. The workshop offered an invaluable opportunity for participants to learn from and engage with top professionals in the field, bringing to light the importance of international collaboration in the constant evolution of security standards.
Driving Standardization Forward: The Integral Role of PN in the Workshop
The workshop was seamlessly executed, thanks largely to the diligent efforts of PN, a leader in consortium operations with a primary focus on privacy, data protection, and ethical compliance. PN’s contributions were vital to the success of the event, particularly in their role in standardization efforts.
Their hands-on involvement in the workshop was highlighted as they expertly moderated the event, including the round table discussion. Their moderation kept the dialogue clear and on-point, helping the participants to stay focused on the subject of cybersecurity and supply chain security standards.
While PN’s contributions were significant, they were one part of a larger team effort. The success of the workshop was a result of the collective dedication and hard work of everyone involved.
The success of this workshop reaffirms the CYRENE Project’s commitment to fostering innovation and collaboration in the fields of cybersecurity and supply chain security. We are excited about the future, and we eagerly look forward to hosting more such workshops that contribute to the advancement of knowledge and standardization in these critical areas.
The Workshop Presentations
Presentations by Standardisation Bodies
Mr. Slawomir Gorniak
Telecommunications Engineer, ENISA
Standardisation supporting EU legislation
In recent months a plethora of draft legislative acts related to cybersecurity have been proposed by the European Commission. They all have a common denominator – they all mention standards as the base of the presumption of compliance with cybersecurity requirements. This talk will review the current situation and provide an overview of cybersecurity standardisation activities related to the proposed legislative acts.
Mr. Tony Rutkowski
ETSI Cybersecurity Work on Cyber Resiliency and Supply Chain Management, including the Zero Trust Model
This Technical Report addresses cyber resiliency throughout the supply chain and the various related frameworks and measures using risk-based, system of trust, and zero trust approaches, including the proposed EU Cyber Resilience Act.
Mr. Pertti Woitsch
CEO of CEN CENELEC
Security standardisation by CEN & CENELEC
The European Standardisation Organisations CEN and CENELEC, together with 43 National Standardisation Bodies and in cooperation with the European Commission, produce every year a large set of standards addressing the wide area of physical and cyber security. This presentation gives an overview of these activities and of the existing and planned standards in this domain. It also explains how EU-funded projects can contribute to future standardisation as a part of their research and innovation activities.
Dr. Edward Humphreys
ISO/IEC 27001 and 27002 and conformity assessment in the context of supply chain security
This presentation will provide an overview of supply chain security as included in ISO/IEC 27001 and ISO/IEC 27002. This overview will also show the relationship between these standards and ISO 28001. This will be followed by presentation of conformity assessment, and certification in particular, in the context of ISO/IEC 27001.
Mrs. Nadya Bartol
Managing Director, ISO
Overview of ISO/IEC 27036 – cybersecurity security in supplier relationships
This presentation will provide an overview of ISO/IEC 27036 including target audiences, structure of this multipart standard, and its contents. The audience will learn how to use the standard to manage cyber and information security aspects of any supplier relationship, acquiring and managing digital products and services, as well as acquiring and managing cloud-based services.
Presentations by Other Projects
Mr. Jose Barata
BIECO approach for a certification of cybersecurity systems
In this presentation, we will present the BIECO main results and how the certification methodology was integrated in the BIECO ecosystem.
Dr. Jesus Luna García
Robert Bosch GmbH
Representing project MEDINA
Standardization Pillars Supporting the Automation of Cloud Security Certification – the H2020 MEDINA Project
The upcoming EU Cybersecurity Certification Scheme for Cloud Services (EUCS) is just around the corner, and by introducing the notion of automated compliance monitoring, EUCS takes a firm step towards continuous audit-based certifications. By acknowledging the technological and organizational challenges associated with EUCS, this talk will present the standardization challenges faced by the EU project MEDINA in developing a framework to leverage automated cybersecurity certification for cloud services. Our discussion will focus on the project’s ongoing standardization activities related to EUCS (CEN CENELEC), security metrics (ISO/IEC and NIST), and compliance automation (including our recently launched EUROSCAL initiative).
Dr. Marco Tiloca
RISE Research Institutes of Sweden
Representing project SIFIS HOME
IETF Standardization of Lightweight Security Protocols for the IoT
This talk overviews the standardization contributions from partners of the SIFIS-Home project in the premier international body, the Internet Engineering Task Force (IETF). Such contributions pertain to the development of lightweight network and system security solutions for the IoT. These include protocols for end-to-end message protection, also in group communication environments; establishment, distribution and update of keying material; and fine-grained, flexible enforcement of access control at remote resources. The work on these topics carried out in the project has been input to standardization proposals within the IETF, in its Working Groups “Constrained RESTful Environments” (CoRE), “Authentication and Authorization for Constrained Environments” (ACE), “Lightweight Authenticated Key Exchange” (LAKE), and “Static Context Header Compression” (SCHC).
Dr. Dimitris Karras
Representing Project ASSURED
Guidance on Trusted Environments for Creating Cyber Resilient Devices
The emerging edge-cloud continuum that comprises complex safety-critical systems as part of supply chains (spanning from specialized embedded systems to highly capable computing systems running on the cloud) has the potential to significantly enhance the digital life of individuals, but it also brings new challenges (or rather makes old unsolved challenges urgent to solve), with trust and resilience being major concerns. In this talk, we will focus on the Trusted Computing Group’s (TCG) new specifications that enable Cyber-Physical Systems to achieve cyber resilience by implementing a minimal set of attestation capabilities. We will also describe how the work done in the ASSURED project enacts upon these specifications with the design of new remote attestation schemes towards achieving sustainable security in such complex “Systems-of-Systems”. As such, security should be implemented in a sustainable way, namely limiting energy and computational resource consumption, and being at least capable of supporting crypto-agility (so as to allow updates of security primitives rather than replacement of whole devices). These two properties are challenging to offer in security, since several attacks and weaknesses are discovered every day and simple updates may not be sufficient to defeat them.
Dr. Marija Jankovic
Mr. Sascha Hackel
Both Representing Project IOTAC
Strengthening IoT Security: Insights from the IoTAC Project
In this presentation, we will explore the Horizon 2020 European research project IoTAC (Security By Design IoT Development and Certificate Framework with Front-end Access Control) (No 952684), which aims to enhance IoT security through a comprehensive multi-layered approach. IoTAC leverages industry best practices, established standards, and cutting-edge research findings to bolster the security of IoT systems. The project integrates various cutting-edge components, including privacy-friendly access control mechanisms, machine learning-based attack detection, advanced honeypots, run-time monitoring strategies, and a security-by-design methodology. These technologies work together to create a robust security framework for IoT devices and systems. Furthermore, IoTAC provides software development kits (SDKs) and application programming interfaces (APIs) to facilitate seamless framework integration for developers and service providers. In our upcoming presentation, we will explore the testing methodologies and specifically highlight the security testing approaches implemented in the IoTAC project. We will discuss the approaches taken to assess and validate the security of IoT systems, highlighting the effectiveness of these methods in identifying vulnerabilities and ensuring robust protection.
Additionally, this presentation will explore the significance of bringing the IoTAC project’s approaches and learnings into the standardization process. We will discuss the potential impact on industry standards and highlight the importance of establishing best practices to enhance IoT security on a broader scale. By attending this presentation, you will gain insights into the innovative research efforts of the IoTAC project, its multi-layered security approach, and its implications for testing and standardization in the field of IoT security.
Dr. Wissam Mallouli
CTO of Montimage, France; Expert in Cybersecurity; Partner of the H2020 SANCUS project and Leader of the Standardization task
Representing Project SANCUS
Standardization activities in European research projects: Case of H2020 SANCUS
The H2020 SANCUS project focuses on evaluating the security of 5G networks by integrating technologies and engines for automated security validation and verification. It relies on dynamic risk assessment, AI/ML processing, vulnerability detection, security emulation, and testing, along with optimization modeling to remediate detected vulnerabilities and attacks. The project aims to align with ICT and network security standards and actively promote standardization. Standardization is crucial in advancing secure and trusted 5G networks, and SANCUS develops standards-compliant security engines, architectures, and methodologies to enhance interoperability and market acceptance. Through collaboration and engagement with industry stakeholders, the project pushes existing standardization activities in different standardization bodies, ensures regulatory compliance, and aims at long-term sustainability and exploitation of results. By prioritizing standardization, SANCUS aims to address cybersecurity challenges, foster innovation, and facilitate the wider adoption of secure 5G networks.
Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Duration: 36 months
Participating organisations: 14
Number of countries: 10
This project has received funding from the European Union’s Horizon 2020 Research and Innovation program under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.