Introduction of ITU-T Study Group 17 “Security” for ITS perspective

(Primary focus in SG17 is to build confidence and security in

the use of Information and Communication Technologies (ICTs))

July 29, 2015

Koji Nakao ITU-T SG17 vice-chair

Study Group 17 is the Lead Study Group on: ● Security

● Identity management (IdM) ● Languages and description techniques

A study group may be designated by WTSA or TSAG as the lead study group for ITU-T studies forming a defined programme of work involving a number of study groups.

This lead study group is responsible for the study of the appropriate core Questions.

In addition, in consultation with the relevant study groups and in collaboration, where appropriate, with other standards bodies, the lead study group has the responsibility to define and maintain the overall framework and to coordinate, assign (recognizing the mandates of the study groups) and prioritize the studies to be carried out by the study groups, and to ensure the preparation of consistent, complete and timely Recommendations.

* Extracted from WTSA-12 Resolution 1

2/89

SG17, Security

3/89

Study Group 17

WP 1/17 Fundamental

security

WP 2/17 Network and information

security

WP 3/17 IdM + Cloud computing

security

WP 4/17 Application

security

WP 5/17 Formal

languages

Q6/17

Ubiquitous services

Q7/17

Applications

Q9/17

Telebiometrics

Q12/17

Languages + Testing

Q1/17

Telecom./ICT security

coordination

Q2/17 Security

architecture and framework

Q3/17

ISM

Q4/17

Cybersecurity

Q5/17

Countering spam

Q8/17

Cloud Computing

Security

Q10/17

IdM

Q11/17 Directory,

PKI, PMI, ODP, ASN.1,

OID, OSI

SG17 Management Team

4/89

Chairman Arkadiy KREMER Russian Federation

Vice-Chairmen

Khalid BELHOUL United Arab Emirates Mohamed M.K. ELHAJ Sudan Antonio GUIMARAES Brazil George LIN P.R. China Patrick MWESIGWA Uganda Koji NAKAO Japan Mario FROMOW RANGEL Mexico Sacid SARIKAYA Turkey Heung Youl YOUM Korea (Republic of)

Working Party 1/17 Fundamental security

Q1/17 Telecommunication/ICT security coordination

Q2/17 Security architecture and framework

Q3/17 Telecommunication information security management

Chairman: Koji NAKAO

5/89

Working Party 2/17 Network and information security

Q4/17 Cybersecurity

Q5/17 Countering spam by technical means

Chairman: Sacid SARIKAYA

6/89

Working Party 3/17 Identity management and cloud computing security

Q10/17 Identity management architecture and mechanisms

7/89

Q8/17 Cloud computing security

Working Party 4/17 Application Security

Q9/17 Telebiometrics

Q7/17 Secure application services

Q6/17 Security aspects of ubiquitous telecommunication services

8/89

Question 6/17 Security aspects of ubiquitous telecommunication services Responsible for multicast security, home network security, mobile security,

networked ID security, IPTV security, ubiquitous sensor network security, intelligent transport system security, and smart grid security

13 Recommendations approved in last study period. 1 Recommendation and 1 Supplement approved in this study period. Recommendations currently under study include:

X.msec-7, Guidelines on the management of infected terminals in mobile networks X.msec-8, Secure application distribution framework for communication devices X.sgsec-1, Security functional architecture for smart grid services using

telecommunication network X.unsec-1, Security requirements and framework of ubiquitous networking X.itssec-1, Secure Software Update for ITS communications devices X.itssec-2. Security Guidelines for V2X communication systems

Close relationship with JCA-IPTV and ISO/IEC JTC 1/SC 6/WG 7 Close relationship with SG16 Question 27 on ITS security Rapporteur: Jonghyun BAEK

9/89

Scope of the Recommendation X.itssec-1

On-board Information Device

10

Power Management Control ECU

Seat Belt Control ECU

Driving Support ECU

Parking Assist ECU

Skid Control ECU

etc.,

Vehicle Mobile Gateway

Aftermarket Information Device

Update Server / log database

Car Manufacturer / Garage center

Communication Path

..... ... Communication Path Supplier

Functionality of Head Unit

! Status check of ECUs ! Log collection ! In-car diagnosis function

Diagnosis of on-board devices

! Status check of ECUs ! Log collection ! Verification of update module

Communication protocol

! Between Car and Manufacturer / Garage

! Encryption ! Authentication

Functionality of Server

! Stored Data Definition Auth info Log Audit

With considerations of

privacy concerns

1. Supplier provides an update module to a car manufacturer.

2. Vehicle mobile gateway requests ECUs to diagnose themselves and submit their software list.

3. ECUs generate a software list and submit it to the Vehicle mobile gateway.

4. The vehicle mobile gateway gathers the lists of software and submit them to update server.

5. Update server issues a receipt of the software list for vehicle mobile gateway.

6. Update server determines necessary software modules for each ECU.

7. After a certain period of time, the vehicle mobile gateway requests update modules for the vehicle.

8. Update software modules are delivered to vehicle mobile gateway.

9. The gateway pushes a notification to a user interface.

10. The car owner confirms to apply the update via the user interface.

11. Vehicle mobile gateway delivers the updates to corresponding ECUs and request them to apply the updates.

12. Each ECU applies the update and reports the application result to the vehicle mobile gateway.

13. Finally the vehicle mobile gateway submits a report of application results to the update server.

14. Finally the vehicle mobile gateway submits a report of application results to the update server.

Model data flow of remote software update

11

ECU Vehicle mobile gateway (VMG) Update Server at Car Manufacturer

..... .... User Interface Supplier

update

request

list

report

receipt

request

notification

update

confirmation

update

update

update

receipt

Structure of the Recommendation X.itssec-1 6. Basic model of remote software update

6.1. Modules of ITS environment for software update 6.2 . Model of software update process

7. Threats and Risk analysis and Security Objectives 7.1. Definition of Target System of Evaluation 7.2. Identification of threats 7.3. Risk analysis 7.4. Security Objectives

8. Functional requirements for the secure software update 8.1. Countermeasures against each identified threat (T.1-1 ~ T.11-6)

8.2. Recommended architecture of secure software update (P.1-1 ~ P.11-6)

9. How to utilize this Recommendation 9.1. Example of protocol specification

12

Working Party 5/17 Formal languages

Q11/17 Generic technologies to support secure applications

Q12/17 Formal languages for telecommunication software and testing

Chairman: George LIN

13/89

Security Coordination Security activities in other ITU-T Study Groups

14/89

ITU-T SG2 Operational aspects & TMN – International Emergency Preference Scheme, ETS/TDR – Disaster Relief Systems, Network Resilience and Recovery – Network and service operations and maintenance procedures, E.408 – TMN security, TMN PKI,

ITU-T SG5 Environment and climate change – protection from lightning damage, from Electromagnetic Compatibility (EMC) issues and also the

effects of High-Altitude Electromagnetic Pulse (HEMP) and High Power Electromagnetic (HPEM) attack and Intentional Electromagnetic Interference (IEMI)

ITU-T SG9 Integrated broadband cable and TV – Conditional access, copy protection, HDLC privacy, – DOCSIS privacy/security – IPCablecom 2 (IMS w. security), MediaHomeNet security gateway, DRM,

ITU-T SG11 Signaling Protocols and Testing – EAP-AKA for NGN – methodology for security testing and test specification related to security testing

ITU-T SG13 Future networks including cloud computing, mobile, NGN, SDN – Security and identity management in evolving managed networks – Deep packet inspection

ITU-T SG15 Networks and infrastructures for transport, access and home – Reliability, availability, Ethernet/MPLS protection switching

ITU-T SG16 Multimedia – Secure VoIP and multimedia security (H.233, H.234, H.235, H.323, JPEG2000)

(especially for ITS security)

Coordination with other bodies

ITU-D, ITU-R, xyz…

Study Group 17

15/89

Reference links Webpage for ITU-T Study Group 17

• http://itu.int/ITU-T/studygroups/com17 Webpage on ICT security standard roadmap

• http://itu.int/ITU-T/studygroups/com17/ict Webpage on ICT cybersecurity organizations

• http://itu.int/ITU-T/studygroups/com17/nfvo Webpage for JCA on identity management

• http://www.itu.int/en/ITU-T/jca/idm Webpage for JCA on child online protection

• http://www.itu.int/en/ITU-T/jca/COP Webpage on lead study group on security

• http://itu.int/en/ITU-T/studygroups/com17/Pages/telesecurity.aspx Webpage on lead study group on identity management

• http://itu.int/en/ITU-T/studygroups/com17/Pages/idm.aspx Webpage on lead study group on languages and description techniques

• http://itu.int/en/ITU-T/studygroups/com17/Pages/ldt.aspx ITU Security Manual: Security in Telecommunications and Information Technology

• http://www.itu.int/pub/publications.aspx?lang=en&parent=T-HDB-SEC.05-2011 16/89

ITU-T SG 17 Security Workshop (15th-16th September, 2014 at Geneva)

Structure of Sessions Opening Session (by George Lin) Session 1 (by Patrick Mwesigwa) - ICT infrastructure development, new security threats and counter-

measures Session 2 (by Koji Nakao) - End user security round table from both public and private sectors

(ITS sector, Health sector, Mobile-banking, ITU-D sector, and Ted) Session 3 (by Sacid Sarikaya) - Cybersecurity and data protection Session 4 (by Antonio Guimaraes) - ICT role in critical infrastructure protection

17 27-28 May 2004

18 27-28 May 2004

Structure of Sessions (cont.) Session 5 (by Heung Youl Youm) - Trust services and cloud security Session 6 (by Herb Bertine) - Security standardization challenges

1) ISO/IEC JTC1/SC27 - Walter Fumy, chairman of SC27 2) OASIS - Abbie Barbir to advise on appropriate representative to ask 3) ETSI - Charles Brookson, chairman of new ETSI TC CYBER Technical Committee 4) CSA (Cloud Security Alliance) - Andreas Fuchsberger and Eric A. Hibbard are co-

chairmen of its International Standardization Council (ISC) 5) 3GPP SA3 - Anand Prasad is chairman 6) RAISE Forum - Koji Nakao is co-chairman 7) CTO (Commonwealth Telecommunication Organization) – cybersecurity initiatives 8) Q1/17 representative (Hua Jiang)

Future plan for SG17 and ITS standardization on X.itssec-1

• Next ITU-T SG 17 meeting September 8 – 19, 2015 in Geneva

• Next Interim meeting on Q6/17 for ITS security December 2015 maybe in Seoul (Date is not fixed)

------------- • By the middle of August 2015: a Stable Draft will be

submitted to ITU-T SG17 for considerations in SG17; • After the next SG17, the agreed draft text will be asked

to review by related stakeholders on ITS in order to obtain the nearly final text on this Recommendation.

19 27-28 May 2004