On 3 February the Cybersecurity Standardization Conference 2020 took place in Brussels. This yearly event, organized by ENISA*, was held to discuss the role of standards in certification schemes and to assess the progress of cybersecurity standards. The conference started with presentations from ETSI, CEN/CENELEC and IEC. Although progress has been made, it has not yet resulted in a commonly accepted certification scheme for IoT, as was echoed in the questions put forward by the participants. It was also clear that the standards bodies were committed to increasing their participation. ENISA presented a plan to proceed with the development of certification, but no clear deadline was committed to.
In the second panel session, the current failure of IoT security was highlighted, which leads to uncertainty for consumers. The question discussed was whether the consumer should be made aware of security and be willing to pay for it, or whether industry should be “forced” to make products secure. Interestingly, there were supporters of both approaches. In SCRATCh we strive to make it easier to produce secure products, as we see security as an obligation to our customers.
There was a success story: eIDAS (Electronic IDentification, Authentication and trust Services), built on EU legislation from 29 September 2018. For this service a certification scheme exists and is supported by the standards organizations. It was not set up within one year after 2018; there was already a start, e.g. ETSI began in 2001 with requirements for “trust service providers”, but legislation forced uniformity and convergence.
The last panel addressed sectoral certification, a panel with a majority of vendors, with two compelling quotes from Ericsson: “Business is non-homogeneous; Product development is organized by Business Area, not by Geography” and “The waterfall model for product development or delivery is over. Processes are executed in parallel.” Two quotes that opened a Pandora’s box, as no leading international standards bodies or industry consortia were present: no OPC Foundation (Industry 4.0), no OWASP (Open Web Application Security Project), an open-source initiative. And no easy tools to make it easier for “agile” developers to create secure products. Certification is a good thing, but security by design is better and security as a process is best. This sentiment lingered throughout the conference in questions and lunch discussions.

*The EU Cybersecurity Act mandates that ENISA has a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes and informing the public on the certification schemes as well as the issued certificates through a dedicated website. It also supports the coordination of the EU in case of large-scale cross-border cyber-attacks and crises. This task builds on ENISA’s role as secretariat of the national

https://www.enisa.europa.eu/events/cybersecurity_standardisation/cybersecurity-standards-presentations