“Indian, European Perspective of Security Regulations & Standards”

Seconded European Standardization Expert in India (Dinesh Chand Sharma)

03-06-2015, GISFI CYBER SECURITY EVENT


GISFI CYBER SECURITY EVENT |3rd June 2015 | Slide 2

Agenda

Project SESEI in brief

Regulation v/s Standards

In India

Cyber, Telecom Security and Standards

In Europe

Cyber, Telecom Security and Standards

Conclusion


Project SESEI Scope

Seconded European Standardization Expert in India

— local representative and a link between the standardizers’ communities in EU/EFTA and India

— EU-India dialogue and cooperation on standards, R&D, Innovation, and policy/regulation around standardization

Project Owners

— EU Standards Organizations (ETSI, CENELEC and CEN),

— European Commission and EFTA - European Free Trade Association

— Managed by ETSI

Priority sectors for this phase of the project (3 years)

— Information & Communication Technologies (equipment and services)

— Electrical equipment including Consumer Electronics

— Automotive industry

— Smart Cities

— Environment (Energy Efficiency in ICT) and any other of mutual interest


Legislation v/s Standards

Standards :

1. Voluntary

2. Consensual

3. Developed by independent organisations

4. Revised every 5 years

5. Provide specifications and test methods (interoperability, safety, quality, etc.)

Legislation (Regulation) :

1. Mandatory

2. Imposed by Law

3. Established by public authorities

4. Revised when legislators decide

5. Gives requirements to protect public interests


Cyber Security - Critical Infrastructures


India – Cyber Security Scenario

India has 55% share of the global IT outsourcing market

155 major ISPs in India

DSCI and DeitY run a training program on Cyber Forensics to tackle cybercrime

Cyber Security of Banks in India not addressed completely: the recommendations of the Reserve Bank of India (RBI) to ensure Cyber Security are yet to be implemented fully

Mobile Security in India – Banking, Governance is still a serious concern

Government unveiled a National Cyber Security Policy 2013 on 2nd July 2013


National Cyber Security Policy India 1(2)

Creating a secure Cyber Ecosystem:

— Designate a national nodal agency to coordinate all matters related to cyber security in the country

— All organizations (Public & Private) to designate a senior official as Chief Information Security Officer, responsible for cyber security

Creating an assurance framework

— Adoption of global practices on cyber security and compliance

— Compliance with Conformity Assessment Certification

Encouraging Open Standards

— Adopt open standards for interoperability & data exchange

— Promote tested & certified products based on open standards

Promotion of research and development in cyber security reducing supply chain risk.


National Cyber Security Policy India 2(2)

Strengthening the Regulatory Framework

— Creation of dynamic legal framework and its periodic review

— Harmonization with International framework on cyber-crime & internet governance

Creating mechanisms for early warning of security threats, vulnerability management and response to security threats

— The existing Indian Computer Emergency Response Team (CERT-IN) to handle the 24x7 proactive responses to hackers, cyber-attacks, intrusions and restoration of affected systems.

Securing E-Governance services

Protection and resilience of critical information Infrastructure

— 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) to function as nodal agency for critical information infrastructure protection


Cyber Security - Architecture

Ministry of Home Affairs (MHA)

National Cyber Security Coordination Centre (NCCC)

National Cyber Security Coordinator (NCSC)

National CERT-IN (Indian Computer Emergency Response Team)

National Technical Research Organization (NTRO) - National Critical Information Infrastructure Protection Centre (NCIIPC)

JWG on Public Pvt. Partnership: 4 Centers of Excellence

Cryptology Research Centre at Indian Statistical Institute: Cryptology Research Group (CRG) at Indian Statistical Institute, Kolkata

National Intelligence Grid (NATGRID)

Information Sharing & Analysis Centre (ISAC)

Cyber education, Security Tools and solutions development and experts

Standardization Testing and Quality Certification (STQC)


Telecom Security

Department of Telecom, Ministry of Communication & IT in May 2011 issued a notification to include Security conditions for Telecom networks across pan India. Further to this notification, the license conditions were amended and a chapter on Security Conditions was updated: Chapter VI and section 39 of the License Amendment

— LICENSEE shall have organizational policy on security and security management

— LICENSEE shall audit its network or get the network audited from security point of view once in a financial year

— Induct only those network elements that have been tested: IT and IT-related elements against ISO/IEC 15408 standards, Information Security Management System against ISO 27000 series standards, Telecom and Telecom-related elements against 3GPP security standards, 3GPP2 security standards, etc.

— Rs 50 crore per occasion will be levied for any security breach

— Remote Access (RA) to network would be provided only to approved locations abroad through approved location(s) in India

— Establishment of Telecom Security Council of India (TSCI)


Telecom Security contd.

National Telecom Security Policy (Draft):

— Vulnerabilities and threats to the telecom network: Communication assistance to the Security Agencies keeping in view the developmental needs of the country and the civil liberties of its citizens.

— Security of Communication, Information and Data for user trust and confidence.

— Creation of robust modern telecom network with sound international security standards.

— Safeguard public health and safety, Communication for public safety.

— Secured Communication for strategic needs.

— Disaster Management, Capability Creations and Capacity Building

From 1st April 2013 the testing and certification shall be done in India by Authorized & Certified Labs/Agency in India

— Setting up of Telecom Test Lab in India: WIP

Central Monitoring System (CMS):

— Centralized data center: 2, 21 Regional Monitoring Center & 195 ISF Server: WIP


Standards @ BIS

BIS LITD 17 which is a mirror committee of IEC/ISO/JTC 1/SC 27 & 37 looks after the Security standardization activities

Security Processes - Information Security Management System (ISO 27001:2013) and ISO 20002

Many forms of standards for biometrics, signature authentication (ISO 14888-Part 1,2,3)

ISO 37033: Part 1, 2, 3, 4 &5, ISO 27034-Part1, ISO 27035, ISO 27036-Part 1 & 3

Security testing according to the international standards like ISO 17025 (General requirements for the competence of testing and calibration laboratories)

Identity and Protection authentication ISO 9728.

Cryptographic standards (ISO 15946), its applications and process review; Encryption algorithm (ISO 18033)

Standards on Intrusion detection system (ISO 18043), network security (ISO 27033), etc.

ISO 17065 (Requirements for bodies certifying products, processes and services).

Conformity assessment infrastructure (enabling and endorsement actions concerning security product – ISO 15408)

Adopted at BIS Under Consideration


Standards @ DSCI, IDRBT

DSCI Security Framework (DSF©): comprised of 16 disciplines that are organized in four layers.

— This document compiles practices under each discipline.

— It brings a fresh outlook to the security initiatives of an organization by focusing on each individual discipline of security.

Institute for Development and Research in Banking Technology (IDRBT)

— Security Framework for Banking industry


Standards – Telecom

GISFI work on this important subject has been ongoing for a long time and is quite mature

3GPP SA3 has produced a Technical Report describing a new security assurance and evaluation framework for mobile network products

3GPP Security Assurance Methodology (SECAM) aims at providing common and testable baseline security properties for the different network product classes

— Mobility Management Entity (MME) test cases are close to completion, expected readiness by August 2015

2 Technical Specifications: General and MME specific

Work at GSMA Network Equipment Security Assurance Group (NESAG), now known as Security Assurance Group (SECAG), is also progressing well

— GSMA is planning a dry run of current work that should end early 2016.

Telecom Standards Development Society, India (TSDSI) is in the process of establishing a Working Group on Security.

DoT/TEC NWG 17 working with ITU SG-17


Global Cyber Security ecosystem

[Diagram of organizations: ISO|IEC JTC1, IETF, ITU-T, Trusted Computing Group, CA/B Forum, 3GPP, NIST, FIRST, CESG, ETSI, Common Criteria Recognition Arrangement, SANS, DHS, Council on Cybersecurity, OMG, GSMA Security Group, NESAG, OASIS, NATO]


European Cyber Security ecosystem

[Diagram of organizations: European Commission, NIS, ENISA, Europol, Joint Research Centre, Advanced Cyber Defense Centre, Smart Grids Taskforce, European Cybercrime Centre (EC3), CEPOL, European Defence Agency, WG1, WG2, WG3, CERT-EU, ETSI, CEN/CENELEC, CSCG, H2020, CYBER, ESI, E2NA, SAGE, FIRST European CERTs (125), CCRA European partners (16), NATO European partners (26), DIN FOCUS.ICT, KITS, CA/B, Electronic Communications Reference Group, ISI, LI, NFV]


EC NIS Platform and Digital Agenda

NIS: Network and Information Security Platform (Public/Private)

— Created by the EC in 2013 to provide recommendations on Cybersecurity. It consists of 3 Working Groups:

— WG1: Risk Management Best Practices

— WG2: Information Sharing and Incident Notification

— WG3: Secure ICT Research and Innovation

Standardization work for ETSI might derive from the NIS recommendations

Digital Agenda for Europe – the Europe 2020 initiative lists 101 action items in 7 pillars.

— Pillar III of this agenda is dedicated to Trust & Security,

— has 17 action items to address Security, Cyber Security and Data Protection and Privacy.

— European Commission is investing more than 50 million Euro on DIGITAL SECURITY: CYBERSECURITY, PRIVACY AND TRUST


EC MSP (Multi Stakeholder Platform) on ICT

Created in 2011 to advise on matters related to the implementation of ICT standardization policies

Composed of representatives of

— National authorities from EU Member States & EFTA countries

— European and international ICT standardization bodies

— industry, SMEs and consumers

Role of MSP for Cyber Security

— There is an “EC MSP cyber security reflection group”

— ETSI is represented – MSP work is fed back into TC CYBER


Cyber Security Coordination Group (CSCG)

Advisory Body of the three ESOs (CEN/CENELEC/ETSI)

Composed of ESO members and EU institutions

— CCMC, ETSI, ENISA, JRC, DG ENTR

White Paper Feb 2014: Recommendations for a Strategy on European Cyber Security Standardization

— GOVERNANCE (coordination, scope, trust)

— HARMONISATION (PKI/cryptography, requirements/evaluation, EU security label, interface with research)

— GLOBALISATION (harmonisation with international key players, global promotion of EU Cyber Security standards)


Areas of security standardization @ETSI

Cyber Security

Mobile/Wireless Comms (GSM/UMTS, TETRA, DECT…)

Lawful Interception and Retained Data

Electronic Signatures

Smart Cards

Machine-to-Machine (M2M)

Methods for Testing and Specification (MTS)

Emergency Communications / Public Safety

RFID

Intelligent Transport Systems

Information Security Indicators

Quantum Key Distribution (QKD)

Quantum-Safe Cryptography (QSC)

Algorithms

Network Functions Virtualisation (NFV)

In 3GPP


Major security work over the last year

Maintenance of published deliverables

— In all areas as necessary

New publications in various areas including:

— Electronic Signatures

— Intelligent Transport Systems, Smart Cards

— Network Functions Virtualisation

— Cyber Security

— Machine-to-Machine

— Information Security Indicators

— In 3GPP

ETSI Security White Paper

— 6th Edition published January 2014,

— 7th will be published this month: www.etsi.org/securitywhitepaper


Creation of new ETSI groups

Creation in 2014 of TC CYBER

— Cybersecurity standardization

— Very active!

Creation in 2015 of ISG QSC

— Quantum-Safe Cryptography

— 1st meeting 24-26 March

TC: Technical Committee

ISG: Industry Specification Group


TC CYBER - ToR & meetings

TC CYBER met 3 times face-to-face

— Around 50 participants at each meeting

— Work carried out on 9 documents

Participating organizations

— Industry: Manufacturers, Operators, SMEs...

— Administrations

— European Commission

— ENISA

— Universities / Research Bodies

— Service Providers

— Micro Enterprises

— Consultancy

Cyber Security Standardization

Security of infrastructures, devices, services and protocols

Security advice, guidance and operational security requirements to users, manufacturers and network and infrastructure operators

Security tools and techniques to ensure security

Creation of security specifications and alignment with work done in other TCs and ISGs

Coordinate work with external groups such as the CSCG with CEN, CENELEC, the NIS Platform and ENISA

Collaborate with other SDOs (ISO, ITU, NIST, ANSI...)


TC CYBER documents

9 documents (1 published, several expected to be published in July)

— 8 Technical Reports and 1 ETSI Guide

TR 103 303, Protection measures for ICT in the context of Critical Infrastructure

TR 103 304, PII Protection and Retention

TR 103 305, Security Assurance by Default; Critical Security Controls for Effective Cyber Defence (PUBLISHED MAY 2015)

TR 103 306, Global Cyber Security Ecosystem

TR 103 307, Security Aspects for LI and RD interfaces

TR 103 308, A security baseline regarding LI for NFV and related platforms

TR 103 309, Secure by Default adoption – platform security technology

TR 103 331, Structured threat information sharing

EG 203 310, Post Quantum Computing Impact on ICT Systems


Security Week (22-26 June 2015, ETSI)

Workshop, Technical Streams, Meetings

— Including TC CYBER#4 Meeting

Workshop/Streams free and open to everyone

TC CYBER meeting open to non ETSI Members upon invitation (see website to apply)

www.etsi.org/securityweek

Separate registrations to events

Networking opportunities throughout the week

[Schedule table, Mon 22 to Fri 26, with AM and PM rows. Entries: Workshop; Streams: M2M/IoT, ITS, eIDAS; CYBER#4; ISI#23; eIDAS; ESI#51]

M2M/IoT: Machine-to-Machine / Internet of Things

ITS: Intelligent Transport Systems

eIDAS: Electronic identification and trust services

ESI: Electronic Signatures and Infrastructures

ISI: Information Security Indicator


Conclusion

India must actively participate in Global efforts, initiatives and Standards Development Activities

— TSDSI & GISFI: 3GPP, ETSI, oneM2M

— BIS: ISO/IEC/JTC1

— DoT/TEC: ITU SG-17

— Government: Budapest Convention, WSIS, ITU Global Cyber Security Agenda, ENISA – European Union Agency for Network and Information Security etc.

The world is connected and security is a global concern; cyber activity transgresses national boundaries, hence international cooperation is essential to succeed


Contact Details:

Dinesh Chand Sharma (Seconded European Standardization Expert in India)

Director – Standardization, Policy and Regulation

European Business Technology Centre, DLTA Complex, South Block, 1st Floor, 1, Africa Avenue, New Delhi 110029

Mobile: +91 9810079461, Tel: +91 11 3352 1500, [email protected]


www.eustandards.in