Cybersecurity

IETF Supply Chain Integrity, Transparency, and Trust (scitt)

The IETF has a security-related working group called Supply Chain Integrity, Transparency, and Trust (SCITT), whose charter reads:

"The Supply Chain Integrity, Transparency, and Trust (SCITT) WG will define a set of interoperable building blocks that will allow implementers to build integrity and accountability into software supply chain systems to help assure trustworthy operation. For example, a public computer interface system could report its software composition that can then be compared against known software compositions or certifications for such a device thereby giving confidence that the system is running the software expected and has not been modified, either by attack or accident, in the supply chain.

Problem Statement

Some of the fundamental security issues that face the supply chain ecosystem today are as follows:

  1. A single product is composed of multiple sub-products coming from different suppliers. There are several standards to compose supply chain information with different producers choosing different methods.

  2. There are no uniform APIs or services to publish supply chain information to third parties, nor are there ways to verify the integrity or date of publication of that information.

  3. There is a lack of decentralized, globally interoperable, transparent services to publish supply chain data.

  4. The lack of sufficient standards for independently verifying the presence of supply chain data in tamper-proof data stores.

  5. Fractured verification methodologies across software distribution ecosystems create inconsistent security guarantees for end users.

  6. Software consumers have no trustworthy way to verify that a software signature on a software package is legitimate.

A minimal, simple, and concise set of building blocks that interact in a standardized way will assure long-term accountability and interoperability for supply chain components throughout their lifecycles across architecturally diverse systems.

Goals

Based on an input document on the architecture (draft-birkholz-scitt-architecture), the WG will standardize the technical flows for providing information about a software supply chain, which also includes firmware, and covering the essential building blocks that make up the architecture."

WG Link: https://datatracker.ietf.org/group/scitt/about/

WG Documents: https://datatracker.ietf.org/group/scitt/documents/

WG Mailing List: https://mailarchive.ietf.org/arch/browse/scitt/

Cybersecurity for AI Systems

According to the AI Standardisation Request from the European Commission to CEN/CENELEC, European standards or standardisation deliverables shall provide suitable organisational and technical solutions to ensure that AI systems are resilient against attempts by malicious third parties, exploiting vulnerabilities of AI systems, to alter their use, behaviour or performance, or to compromise their security properties. Organisational and technical solutions shall include, where appropriate, measures to prevent and control cyberattacks that try to manipulate AI-specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial examples), or that try to exploit vulnerabilities in the AI system's digital assets or in the underlying ICT infrastructure. These solutions shall be appropriate to the relevant circumstances and risks. Furthermore, the requested European standards or standardisation deliverables shall take due account of the essential requirements for products with digital elements as listed in Annex I of the EC's proposed Regulation on horizontal cybersecurity requirements for products with digital elements (CRA proposal of 15 September 2022).

Discussion: identify existing standards and analyse the gaps (new standards that still need to be developed) in order to respond to the AI Standardisation Request from the European Commission.

Standardisation of Trusted Execution Environments / Confidential Computing

Until recently, data protection relied on two pillars: protection of data at rest and protection of data in transit. Data remained unprotected during processing, however, leaving it vulnerable in shared computing environments such as the cloud. More recently, this shortcoming was addressed by Trusted Execution Environments capable of executing arbitrary code. Today, any user can leverage Trusted Execution Environments to protect data in use, closing the end-to-end data protection cycle.

Currently, all major enterprise server vendors have announced Confidential Computing solutions: AMD (with SEV-SNP), ARM (with CCA), IBM (with PEF) and Intel (with SGX and TDX). Moreover, NVIDIA has announced confidential computing capabilities for GPUs. Unfortunately, the architectures and approaches to confidential computing standardisation are diverse and often incompatible.

This growth in confidential computing deployments has created broad and diverse standardisation needs. Today, standardisation of software support for confidential computing is done in the Internet Engineering Task Force (IETF), namely in the Trusted Execution Environment Provisioning (TEEP) working group and the Remote ATtestation procedureS (RATS) working group (WG). Both groups have already published their architecture documents: Trusted Execution Environment Provisioning (TEEP) Architecture (RFC 9397) and Remote ATtestation procedureS (RATS) Architecture (RFC 9334). Moreover, there are 15+ additional documents under active development.

Along with the IETF, the Confidential Computing Consortium (CCC) and its individual member organisations are actively working on promoting the adoption of Confidential Computing. One such initiative is the CSA Confidential Computing working group, which recently started work on adding Confidential Computing considerations to the CSA Cloud Controls Matrix.

Confidential Computing technology will continue to evolve and be adopted as more cloud deployments upgrade their hardware. This will in turn require further integration with existing standards and control frameworks from international standards organisations (such as the IETF), industry consortia (such as the CCC) and national or international regulators (such as ENISA in the EU or NIST in the United States of America).

Guidelines for the EU standardisation process related to cybersecurity for radio equipment

In essence, this is how I would describe the situation. Radio equipment placed on the EU single market must comply with the essential requirements of the Radio Equipment Directive (RED). The European Commission (EC) activated the Article 3(3)(d), (e) and (f) essential requirements in a delegated act on 29.10.2021. Some of the essential requirements activated in RED Article 3(3)(d/e/f) aim at the protection of personal data and privacy, protection from fraud and ensuring the compliance of reconfigurable radio systems. The standards responding to Article 3(3) do not yet exist.

An important element that is currently overlooked is the guideline describing the method and the process for producing the standardisation deliverables. While this might seem unlikely (after all, EU Harmonised European Standards have been produced for a number of decades), the change in the domain of the essential requirements, coupled with a change in the EC's legal view, creates a significant challenge for the timely production of European Norms.

Starting with the multidisciplinary aspects of this challenge, a number of issues need to be solved before the standards covering these essential requirements can be produced. Hence the importance of discussing how to produce the standards; such a discussion may lead to drafting guidance for the standardisation effort on Harmonised European Norms.

M-Sec Project Online Contest

Are you a company, university student, researcher, data scientist, entrepreneur or a concerned citizen?

Do you have an #innovative #earlystage business idea that addresses a #smartcity challenge? Are you interested in the #security and #privacy issues of #iot devices and apps?

Then don't miss this chance: apply by 26 August, 5pm CET, to the M-Sec Project Online Contest, which will run from 6 to 10 September.
https://lnkd.in/ecfRk7b

Main perks:
 - 1-1 technical and business support to develop your business idea
 - Business workshop
 - Present the business idea to an international panel of experts

The top 3 winners of each challenge will also have the chance to meet city council representatives of Santander and Fujisawa #smartcities.

Guidelines and more info:
https://lnkd.in/eXS85QN

#msecsmarthack

M-Sec EU & Japanese IoT citizens and stakeholders’ consultation preliminary results

At the end of 2020, the M-Sec Project launched a survey among the European and Japanese IoT community to better understand their experience when using IoT devices and applications and their knowledge of EU and Japanese data protection regulations. Six months later, with more than 450 answers, here are the first insights from our community: https://www.msecproject.eu/m-sec-eu-japanese-consultation-preliminary-results/

How to reactively defend against advanced cyber threats

We would like to invite you to the online workshop "How to reactively defend against advanced cyber threats" on 20 May, 13:00-17:00 CEST.

The workshop will zoom in on how you can mitigate advanced cybersecurity threats and zero-day vulnerabilities thanks to the holistic approach the ReAct project has developed.

We'll also address the following questions:
 - Can we protect a computer, laptop, tablet or any other device before "day zero"?
 - Can we protect them before we know about their vulnerability?

The workshop is open to anyone interested in cybersecurity, but could be particularly beneficial for ICT operators, Internet service providers, hardware manufacturers and researchers.

The full agenda, programme, speakers and registration are available at the link below:

https://www.cyberwatching.eu/projects/1053/react/events/how-reactively-defend-against-advanced-cyber-threats

The workshop is organised by the ReAct project and supported by Cyberwatching.eu, both of which are funded by the European Commission's H2020 programme.

We look forward to meeting you online on 20 May, 13:00-17:00 CEST.

Secure Real-time environmental data and garbage counting system – promoting environmental awareness in an urban context

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec's Use Case 3 to better understand how it is being implemented in the Japanese city of Fujisawa.

SmileCity Report platform – a secure app through which citizens can showcase affective information on a city event

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec's Use Case 4 to better understand how it is being implemented in the Japanese city of Fujisawa.

Going for a walk at a nearby park and want to know more about the environment that surrounds you?

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec's Use Case 1 to better understand how it is being implemented in the Spanish city of Santander.

Read the blogpost here

M-Sec Cookbook – a practical guide for IoT developers

The main focus of the M-Sec Cookbook is to introduce the M-Sec IoT security framework that the European and Japanese consortium researchers have developed over the past two years. It therefore presents the techniques, methods, and design and operating principles of the M-Sec solution that those researchers believe will help other IoT developers minimise the risk of critical vulnerabilities in a wide range of IoT devices. In other words, the M-Sec Cookbook is a practical guide for all IoT developers who want to develop reliable and secure applications for the smart city context.

The Cookbook introduces the M-Sec components from five different aspects (IoT security, cloud and data level security, P2P level security and blockchain, application-level security, and overall end-to-end security), giving their definition and subsequent implementation, and thus serves as a practical guide for any IoT developer who wishes to implement the M-Sec solution in order to address the security concerns and risks identified in a smart city context.

Want to know more about how to implement the M-Sec solution?
Download the Cookbook: https://www.msecproject.eu/wp-content/uploads/2020/12/M-Sec_Cookbook_final-version.pdf

M-Sec citizens and stakeholders consultation

M-Sec is an EU-Japan collaborative Project with the main goal of developing an innovative solution that ensures a more secure data transfer between stakeholders when using IoT devices and applications in hyper-connected smart cities.

As part of this research, the project is now conducting an online survey open to all EU and Japanese citizens and stakeholders, to collect feedback on individuals' use of IoT devices and applications and their understanding of data protection regulation.

Your opinion is, thus, very much appreciated and will contribute to a better understanding of the IoT ecosystem in which M-Sec is expected to operate.

Filling in this survey will not take you more than 1 minute.
Access the survey: https://forms.gle/GhhDqGTUPPyfX7Fh6

Thank you so much for your collaboration,
The M-Sec Team

M-Sec White Paper: How can the M-Sec solution help solve the privacy and security challenges faced by the IoT market?

The M-Sec Project, an EU and Japanese collaboration, has released a White Paper that guides readers through the main IoT security issues faced today and proposes concrete solutions to these problems.

Tell us your opinion! Read the Report:
https://www.msecproject.eu/wp-content/uploads/2020/10/M-Sec_WhitePaper_v5_CLEAN.pdf
