“Indian, European Perspective of Security Regulations & Standards”
Dinesh Chand Sharma, Seconded European Standardization Expert in India
GISFI Cyber Security Event, 3 June 2015
GISFI CYBER SECURITY EVENT |3rd June 2015 | Slide 2
Agenda
Project SESEI in brief
Regulation v/s Standards
In India
Cyber, Telecom Security and Standards
In Europe
Cyber, Telecom Security and Standards
Conclusion
Project SESEI Scope
Seconded European Standardization Expert in India
— local representative of, and link between, the standardization communities in EU/EFTA and India
— EU-India dialogue and cooperation on standards, R&D, innovation, and policy/regulation around standardization
Project Owners
— EU Standards Organizations (ETSI, CENELEC and CEN)
— European Commission and EFTA (European Free Trade Association)
— Managed by ETSI
Priority sectors for this phase of the project (3 years)
— Information & Communication Technologies (equipment and services)
— Electrical equipment including Consumer Electronics
— Automotive industry
— Smart Cities
— Environment (Energy Efficiency in ICT) and any other area of mutual interest
Legislation v/s Standards
Standards:
1. Voluntary
2. Consensual
3. Developed by independent organisations
4. Revised every 5 years
5. Provide specifications and test methods (interoperability, safety, quality, etc.)
Legislation (Regulation):
1. Mandatory
2. Imposed by law
3. Established by public authorities
4. Revised when legislators decide
5. Gives requirements to protect public interests
Cyber Security - Critical Infrastructures
India – Cyber Security Scenario
India has a 55% share of the global IT outsourcing market
155 major ISPs in India
DSCI and DeitY run a training programme on cyber forensics to tackle cybercrime
Cyber security of banks in India is not addressed completely: the recommendations of the Reserve Bank of India (RBI) to ensure cyber security are yet to be implemented fully
Mobile security in India (banking, governance) is still a serious concern
The Government unveiled the National Cyber Security Policy 2013 on 2nd July 2013
National Cyber Security Policy India 1(2)
Creating a secure cyber ecosystem:
— Designate a national nodal agency to coordinate all matters related to cyber security in the country
— All organizations (public & private) to designate a senior official as Chief Information Security Officer, responsible for cyber security
Creating an assurance framework:
— Adoption of global practices on cyber security and compliance
— Compliance with conformity assessment and certification
Encouraging open standards:
— Adopt open standards for interoperability & data exchange
— Promote tested & certified products based on open standards
Promotion of research and development in cyber security
Reducing supply chain risk
National Cyber Security Policy India 2(2)
Strengthening the regulatory framework:
— Creation of a dynamic legal framework and its periodic review
— Harmonization with the international framework on cyber-crime & internet governance
Creating mechanisms for security threat early warning, vulnerability management and response to security threats:
— The existing Indian Computer Emergency Response Team (CERT-IN) to handle 24x7 proactive responses to hackers, cyber-attacks and intrusions, and restoration of affected systems
Securing e-Governance services
Protection and resilience of critical information infrastructure:
— 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) to function as the nodal agency for critical information infrastructure protection
Cyber Security - Architecture
Ministry of Home Affairs (MHA)
National Cyber Security Coordination Centre (NCCC)
National Cyber Security Coordinator (NCSC)
National CERT-IN (Indian Computer Emergency Response Team)
National Technical Research Organization (NTRO) - National Critical Information Infrastructure Protection Centre (NCIIPC)
Joint Working Group (JWG) on Public-Private Partnership: 4 Centres of Excellence
Cryptology Research Group (CRG) at the Indian Statistical Institute, Kolkata
National Intelligence Grid (NATGRID)
Information Sharing & Analysis Centre (ISAC)
Cyber education, security tools and solutions development, and experts
Standardization Testing and Quality Certification (STQC)
Telecom Security
The Department of Telecom, Ministry of Communication & IT, in May 2011 issued a notification to include security conditions for telecom networks across India. Further to this notification, the licence conditions were amended and a chapter on security conditions was added (Chapter VI and section 39 of the Licence Amendment):
— LICENSEE shall have an organizational policy on security and security management
— LICENSEE shall audit its network, or get the network audited, from a security point of view once in a financial year
— Induct only network elements that have been tested: IT and IT-related elements against the ISO/IEC 15408 standards, the Information Security Management System against the ISO 27000 series standards, and telecom and telecom-related elements against 3GPP security standards, 3GPP2 security standards, etc.
— A penalty of Rs 50 crore per occasion will be levied for any security breach
— Remote Access (RA) to the network would be provided only to approved locations abroad through approved location(s) in India
— Establishment of the Telecom Security Council of India (TSCI)
Telecom Security contd..
National Telecom Security Policy (Draft):
— Vulnerabilities and threats to the telecom network: communication assistance to the security agencies, keeping in view the developmental needs of the country and the civil liberties of its citizens
— Security of communication, information and data for user trust and confidence
— Creation of a robust modern telecom network with sound international security standards
— Safeguarding public health and safety; communication for public safety
— Secured communication for strategic needs
— Disaster management, capability creation and capacity building
From 1st April 2013 the testing and certification shall be done in India by authorized & certified labs/agencies in India
— Setting up of a Telecom Test Lab in India: WIP
Central Monitoring System (CMS):
— 2 centralized data centres, 21 Regional Monitoring Centres & 195 ISF servers: WIP
Standards @ BIS
BIS LITD 17, which is the mirror committee of ISO/IEC JTC 1/SC 27 & SC 37, looks after the security standardization activities:
Security processes - Information Security Management System (ISO 27001:2013) and ISO 27002
Many forms of standards for biometrics; signature authentication (ISO 14888 Parts 1, 2, 3)
ISO 37033 Parts 1, 2, 3, 4 & 5; ISO 27034 Part 1; ISO 27035; ISO 27036 Parts 1 & 3
Security testing according to international standards like ISO 17025 (General requirements for the competence of testing and calibration laboratories)
Identity and protection authentication ISO 9728
Cryptographic standards (ISO 15946), their applications and process review; encryption algorithms (ISO 18033)
Standards on intrusion detection systems (ISO 18043), network security (ISO 27033), etc.
ISO 17065 (Requirements for bodies certifying products, processes and services)
Conformity assessment infrastructure (enabling and endorsement actions concerning security products - ISO 15408)
(Slide legend: the listed standards are marked as either adopted at BIS or under consideration.)
Standards @ DSCI, IDRBT
DSCI Security Framework (DSF©): comprises 16 disciplines organized in four layers.
— This document compiles practices under each discipline.
— It brings a fresh outlook to the security initiatives of an organization by focusing on each individual discipline of security.
Institute for Development and Research in Banking Technology (IDRBT):
— Security Framework for the banking industry
Standards – Telecom
GISFI work on this important subject has been ongoing for a long time and is quite mature
3GPP SA3 has produced a Technical Report describing a new security assurance and evaluation framework for mobile network products
The 3GPP Security Assurance Methodology (SECAM) aims at providing common and testable baseline security properties for the different network product classes
— Mobility Management Entity (MME) test-cases are close to completion, expected readiness by August 2015
— 2 Technical Specifications: General and MME-specific
Work at the GSMA Network Equipment Security Assurance Group (NESAG), now known as the Security Assurance Group (SECAG), is also progressing well
— GSMA is planning a dry run of the current work that should end in early 2016
Telecom Standards Development Society, India (TSDSI) is in the process of establishing a Working Group on Security
DoT/TEC NWG 17 is working with ITU-T SG-17
Global Cyber Security ecosystem
(Diagram; organizations shown:) ISO/IEC JTC 1, IETF, ITU-T, Trusted Computing Group, CA/B Forum, 3GPP, NIST, FIRST, CESG, ETSI, Common Criteria Recognition Arrangement, SANS, DHS, Council on Cybersecurity, OMG, GSMA Security Group / NESAG, OASIS, NATO
European Cyber Security ecosystem
(Diagram; organizations and groups shown:) European Commission; NIS Platform (WG1, WG2, WG3); ENISA; Europol; European Cybercrime Centre (EC3); Joint Research Centre; Advanced Cyber Defense Centre; Smart Grids Taskforce; CEPOL; European Defence Agency; CERT-EU; ETSI (CYBER, ESI, E2NA, SAGE, ISI, LI, NFV, Electronic Communications Reference Group); CEN/CENELEC; CSCG; H2020; FIRST European CERTs (125); CCRA European partners (16); NATO European partners (26); DIN FOCUS.ICT; KITS; CA/B
EC NIS Platform and Digital Agenda
NIS: Network and Information Security Platform (public/private)
— Created by the EC in 2013 to provide recommendations on cybersecurity. It consists of 3 Working Groups:
— WG1: Risk Management Best Practices
— WG2: Information Sharing and Incident Notification
— WG3: Secure ICT Research and Innovation
Standardization work for ETSI might derive from the NIS recommendations
Digital Agenda for Europe – the Europe 2020 initiative lists 101 action items under 7 pillars.
— Pillar III of this agenda is dedicated to Trust & Security
— It has 17 action items addressing security, cyber security, and data protection and privacy
— The European Commission is investing more than 50 million Euro in DIGITAL SECURITY: CYBERSECURITY, PRIVACY AND TRUST
EC MSP (Multi Stakeholder Platform) on ICT
Created in 2011 to advise on matters related to the implementation of ICT standardization policies
Composed of representatives of
— National authorities from EU Member States & EFTA countries
— European and international ICT standardization bodies
— Industry, SMEs and consumers
Role of the MSP for cyber security
— An “EC MSP cyber security reflection group” exists
— ETSI is represented; MSP work is fed back into TC CYBER
Cyber Security Coordination Group (CSCG)
Advisory Body of the three ESOs (CEN/CENELEC/ETSI)
Composed of ESO members and EU institutions
— CCMC, ETSI, ENISA, JRC, DG ENTR
White Paper Feb 2014: Recommendations for a Strategy on European Cyber Security Standardization
— GOVERNANCE (coordination, scope, trust)
— HARMONISATION (PKI/cryptography, requirements/evaluation, EU security label, interface with research)
— GLOBALISATION (harmonisation with international key players, global promotion of EU Cyber Security standards)
Areas of security standardization @ETSI
Cyber Security
Mobile/Wireless Comms (GSM/UMTS, TETRA, DECT…)
Lawful Interception and Retained Data
Electronic Signatures
Smart Cards
Machine-to-Machine (M2M)
Methods for Testing and Specification (MTS)
Emergency Communications / Public Safety
RFID
Intelligent Transport Systems
Information Security Indicators
Quantum Key Distribution (QKD)
Quantum-Safe Cryptography (QSC)
Algorithms
Network Functions Virtualisation (NFV)
In 3GPP
Major security work over the last year
Maintenance of published deliverables
— In all areas as necessary
New publications in various areas including:
— Electronic Signatures
— Intelligent Transport Systems, Smart Cards
— Network Functions Virtualisation
— Cyber Security
— Machine-to-Machine
— Information Security Indicators
— In 3GPP
ETSI Security White Paper
— 6th Edition published January 2014
— 7th Edition will be published this month: www.etsi.org/securitywhitepaper
Creation of new ETSI groups
Creation in 2014 of TC CYBER — Cybersecurity standardization
— Very active!
Creation in 2015 of ISG QSC — Quantum-Safe Cryptography
— 1st meeting 24-26 March
TC: Technical Committee
ISG: Industry Specification Group
TC CYBER - ToR & meetings
TC CYBER has met 3 times face-to-face
— Around 50 participants at each meeting
— Work carried out on 9 documents
Participating organizations
— Industry: manufacturers, operators, SMEs...
— Administrations
— European Commission
— ENISA
— Universities / research bodies
— Service providers
— Micro enterprises
— Consultancy
Terms of Reference:
Cyber security standardization
Security of infrastructures, devices, services and protocols
Security advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operators
Security tools and techniques to ensure security
Creation of security specifications and alignment with work done in other TCs and ISGs
Coordinate work with external groups such as the CSCG with CEN, CENELEC, the NIS Platform and ENISA
Collaborate with other SDOs (ISO, ITU, NIST, ANSI...)
TC CYBER documents
9 documents (1 published, several expected to be published in July)
• 8 Technical Reports and 1 ETSI Guide
TR 103 303, Protection measures for ICT in the context of Critical Infrastructure
TR 103 304, PII Protection and Retention
TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence (PUBLISHED MAY 2015)
TR 103 306, Global Cyber Security Ecosystem
TR 103 307, Security Aspects for LI and RD interfaces
TR 103 308, A security baseline regarding LI for NFV and related platforms
TR 103 309, Secure by Default adoption – platform security technology
TR 103 331, Structured threat information sharing
EG 203 310, Post Quantum Computing Impact on ICT Systems
Security Week (22-26 June 2015, ETSI)
Workshop, Technical Streams, Meetings
— Including the TC CYBER#4 meeting
Workshop/Streams free and open to everyone
TC CYBER meeting open to non-ETSI members upon invitation (see website to apply)
www.etsi.org/securityweek
Programme:
Mon 22: Workshop (AM and PM)
Tue 23: Workshop (AM and PM)
Wed 24: Streams: M2M/IoT, ITS, eIDAS
Thu 25: CYBER#4, ISI#23, eIDAS (AM and PM)
Fri 26: CYBER#4, ESI#51 (AM and PM)
M2M/IoT: Machine-to-Machine / Internet of Things
ITS: Intelligent Transport Systems
eIDAS: Electronic identification and trust services
ESI: Electronic Signatures and Infrastructures
ISI: Information Security Indicators
Separate registrations for events
Networking opportunities throughout the week
Conclusion
India must actively participate in global efforts, initiatives and standards development activities:
— TSDSI & GISFI: 3GPP, ETSI, oneM2M
— BIS: ISO/IEC JTC 1
— DoT/TEC: ITU SG-17
— Government: Budapest Convention, WSIS, ITU Global Cyber Security Agenda, ENISA (European Union Agency for Network and Information Security), etc.
The world is connected, security is a global concern, and cyber activity transgresses national boundaries; hence international cooperation is essential to succeed
Contact Details:
Dinesh Chand Sharma (Seconded European Standardization Expert in India)
Director – Standardization, Policy and Regulation
European Business Technology Centre, DLTA Complex, South Block, 1st Floor, 1, Africa Avenue, New Delhi 110029
Mobile: +91 9810079461, Tel: +91 11 3352 1500, [email protected]
www.eustandards.in