Cybersecurity/Network and Information security

Technical Committee (TC) CYBER (Cybersecurity)

The rapid evolution and growth in the complexity of new systems and networks, coupled with the sophistication of changing threats, present demanding challenges for maintaining the security of Information and Communications Technologies (ICT) systems and networks. Security solutions must include a reliable and secure network infrastructure, but they must also protect the privacy of individuals and organizations. Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the Internet and the communications and business it carries. We offer market-driven cybersecurity standardization solutions, along with advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. See also the TC CYBER Roadmap.

Vehicle-to-grid communication Interface - Part 2: Network and application protocol requirements

ISO 15118-2:2014 specifies the communication between battery electric vehicles (BEV) or plug-in hybrid electric vehicles (PHEV) and the Electric Vehicle Supply Equipment. The application layer message set defined in ISO 15118-2:2014 is designed to support the energy transfer from an EVSE to an EV. ISO 15118-1 contains additional use case elements describing the bidirectional energy transfer. The implementation of these use cases requires enhancements of the application layer message set defined herein. The purpose of ISO 15118-2:2014 is to detail the communication between an EV (BEV or a PHEV) and an EVSE. Aspects are specified to detect a vehicle in a communication network and enable an Internet Protocol (IP) based communication between EVCC and SECC. ISO 15118-2:2014 defines messages, data model, XML/EXI based data representation format, usage of V2GTP, TLS, TCP and IPv6. In addition, it describes how data link layer services can be accessed from a layer 3 perspective. The Data Link Layer and Physical Layer functionality is described in ISO 15118-3.

EN ISO 15118-3:2016

Vehicle to grid communication interface - Part 1: General information and use-case definition

This document, as a basis for the other parts of the ISO 15118 series, specifies terms and definitions, general requirements and use cases for conductive and wireless HLC between the EVCC and the SECC. This document is applicable to HLC involved in conductive and wireless power transfer technologies in the context of manual or automatic connection devices. This document is also applicable to energy transfer either from EV supply equipment to charge the EV battery or from EV battery to EV supply equipment in order to supply energy to home, to loads or to the grid. This document provides a general overview and a common understanding of aspects influencing identification, association, charge or discharge control and optimisation, payment, load levelling, cybersecurity and privacy. It offers an interoperable EV-EV supply equipment interface to all e-mobility actors beyond SECC. The ISO 15118 series does not specify the vehicle internal communication between battery and other internal equipment (beside some dedicated message elements related to the energy transfer).

EN ISO 15118-1:2019

Rationalized structure for electronic signature standardization - Best practices for SMEs

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering dematerializing paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signature products and services - they should rather rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services. This document builds on CEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).

CEN/TR 419030:2018

Cloud Incident Response

With today’s fast-evolving threat landscape, a holistic cloud incident response framework that considers an expansive scope of factors for cloud outages is necessary. The working group aims to develop a holistic Cloud Incident Response (CIR) framework that comprehensively covers key causes of cloud incidents (both security and non-security related), and their handling and mitigation strategies. The aim is to serve as a go-to guide for cloud users to effectively prepare for and manage the aftermath of cloud incidents, and also a transparent and common framework for Cloud Service Providers to share with cloud customers their cloud incident response practices. Imperative factors of cloud incidents including, but not limited to, operational mistakes, infrastructure or system failure, environmental issues, cyber security incidents and malicious acts will be included in development of the framework.

Cloud Security Services Management

Collaboration and coordination among all stakeholders are critical to secure the cloud platform. The current gap is that there is no defined guideline that divides the security roles and responsibilities between the Cloud Service Providers (CSPs) and Cloud customers, or that describes how to secure Cloud services in different Cloud deployment models. This is especially the case for those who have little cloud security knowledge. This WG aims to develop guidelines for CSPs to secure their Cloud platforms and provide Cloud security services to Cloud users; for Cloud users to select security-qualified CSPs; for security vendors to develop their Cloud-based security products and services. Subsequently, this WG hopes to develop a platform for CSPs to publish their security requirements; for security vendors to share their security products and services, and to provide a platform for interoperability testing.

Mobile Application Security Testing

The Mobile Application Security Testing (MAST) initiative aims to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help integrate and introduce quality control and compliance to mobile application development and management. This initiative hopes that more research into mobile application security vetting and testing will help reduce the risk and security threats that organizations and individuals expose themselves to when using mobile applications. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications. Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security issues of mobile applications for platforms such as Android, iOS and Windows.

High Performance Computing

‘Vanilla’ cloud environments were typically not made to handle harsh environments like that of High Performance Computing (HPC) Cloud Security. Technical concerns for HPC are further complicated by the complex and ever-evolving threat landscape. As we increasingly see cases of pure HPC bare metal infrastructure interacting with the cloud, such as I/O interfaces and processes, this brings along more ‘opportunities’ for malicious attacks. While this should be considered and integrated into security policies and guidelines, performance faces the peril of being compromised as precious resources are carved out for security protocols and processes. The crossing of cloud and HPC environments often leads us to questions of how security in an HPC cloud environment can be implemented, enforced and ensured without the need to compromise performance. This Working Group strives to provide recommendations that can answer these questions.

KMIP Asymmetric Key Lifecycle Profile v1.0

The OASIS KMIP TC works to define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications, including email, databases, and storage devices. By removing redundant, incompatible key management processes, KMIP will provide better data security while at the same time reducing expenditures on multiple products.

Web Authentication: An API for accessing Public Key Credentials Level 1

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.