The CEN-CENELEC-ETSI Cybersecurity Coordination Group (CSCG) was born in the second half of 2011 on an impulse coming from DIN, the German national standardization body. A need was felt for better coordination in information security standardization, and on cybersecurity in particular. The initial spark was the spread of so-called smart grids at the European level, with all the security and cross-border coordination challenges they imply. Almost immediately the European standardization bodies CEN and CENELEC and their members were involved, and so was ETSI. Among the group's stakeholders are ENISA and the EU institutions: the Commission through the JRC (Joint Research Centre) and, in a way, the Parliament, given that the CSCG Chairman, Dr. Christian Ehler, is an MEP.
Terms of Reference
It was made clear from the inception of the group that its aim is not to create standards or guidelines directly (obviously that is the job of the existing bodies), but rather to coordinate existing activities, to advise EU institutions on standardization at a strategic level and generally to operate as a point of contact between the “technical” standardization world and the “political” level. This kind of work is much needed in a fragmented landscape like the one we have in Europe, and even more so when we are trying to establish relationships and collaborations with extra-EU partners, first of all the Americans (e.g. NIST and ANSI).
The regular activity of the group kicked off in Berlin in December 2011, and since 2012 three meetings per year are regularly scheduled, the latest ones in Athens (December 2012, hosted by ENISA) and in Paris in March 2013 (hosted by AFNOR).
In detail, the Terms of Reference of CSCG, approved by all members, include:
- provide strategic advice on cyber security to the technical steering committees of CEN/CENELEC and ETSI
- analyse existing European and International Standards on cyber security
- define joint European requirements for European and International Standards on cyber security
- establish a European roadmap on standardization of cyber security taking into account EU Commission mandates as appropriate
- act as contact point for all questions of EU institutions relating to standardization of cyber security
- cooperate with US SDOs and SDOs in other countries working in the same field of standardization
- co-ordinate European activities in ISO and IEC standards committees with the aim of implementing such a joint transatlantic strategy.
During this time the definitive Terms of Reference were approved; the same could not be said of the subjects the group should concentrate on (cybersecurity is a vague term at best, after all…). A document in the form of a matrix of subjects and threats has been developed, with contributions from most members, but only now is it taking definite shape – granted, it will be a “live” document in the future because of the changing nature of cyber. Smart grids take a prominent place here as well, and so does Critical Infrastructure protection: personally I consider smart power grids one of many Critical Infrastructures, but right now the two are considered distinct (maybe “smart grid” is too good a buzzword to let go…). Among the other topics are, for instance, cloud and mobile security, digital identity and more.
The group still has a lot of work to do to better focus its topics, threats and standardization strategy; in my opinion some areas should be stressed more, like data protection, individual rights and standards for the exchange of IT incident data among CERTs and institutions – where standardization efforts could bring a lot of value. In the near future the group should concentrate on finalizing its objectives and begin implementing its mandate, particularly the analysis of existing efforts and the establishment of a working relationship with NIST and ANSI. To this end, an ad hoc group is working on a document requesting a mandate from the Commission, and the whole group is developing a Memorandum of Understanding for a possible cooperation with US agencies: a NIST representative was invited to the Athens meeting but was not able to attend.
Groups of this kind (there are some more in other related fields) are the subject of a lot of criticism, based mainly on the fear of encroaching on the activities of the national and European SDOs (Standards Developing Organizations). I believe most of it is not warranted, at least in the case of the CSCG, which has made clear that developing standards is not among its tasks. On the other hand there is a strong need for coordination among the SDOs, and for a “bridge” between the technical side and the policy side. For sure, the inner workings of the group need some adjustments – given the number and heterogeneity of its members – but overall it will be a useful tool and forum for discussion.
Update – July 2013
CEN, CENELEC and ENISA officially signed a memorandum on July 10th 2013, formalizing their collaboration within the framework of the Coordination Group.