Contributing through standardization

29 Oct 2019
Posted by: Luis Vargas

It is well known that standardization brings broad benefits, since its ultimate goal is to organize and improve business processes. In cybersecurity, standardization allows us to adapt to a set of regulations with common requirements designed for a specific field in order to ensure security. In addition, once a company has decided to comply with a standard, it must keep complying with it. This process allows companies to improve the level of protection of their assets as well as raise awareness among their workers.

At jtsec we work tirelessly to promote the use of the different existing standards and to support the creation of new standards that allow security to win the race against unstoppable technological development. Tomorrow's society cannot be cybersecure if we do not have a vision of the future and if we do not anticipate it by creating standards for technologies that are unthinkable today.

This article provides a summary of our participation in favor of standardization during the year 2019.

Javier Tallón has been involved in the ISO/IEC JTC 1/SC 27/WG 3 working group "Security Evaluation, Testing and Specification". He has carried out his work within the N1708 project, which proposed opening a new study period for the introduction of new security assurance requirements in the ISO 15408-3 standard, covering management activities and deployment of security patches. As an expert participant in this study period, he provided the conclusions of his work to the working group in a detailed report.

This study elaborates a proposal to cover critical security aspects in the development and distribution of updates, the evaluation of the upgrade capabilities of products under evaluation, and improvements in the certification process to address security updates.

This proposal will help standardize the security assessment of a feature as critical as security patches or upgrades for IT products. This allows security errors to be corrected quickly in evaluated products, and ensures that such functionality has been implemented and configured securely.

During the last ISO meeting in Paris, where jtsec actively participated, this project was approved, opening the new study period, and Javier was named "rapporteur" of the project.

José Ruiz is currently participating in the working group "Cybersecurity evaluation methodology for ICT products". This group is drafting what will be the future methodology for product security evaluation at the European level. As part of his collaboration, he has presented several reports with the conclusions of his work.

This work adapts the Spanish evaluation methodology LINCE, whose first draft as a UNE standard was developed by jtsec, to the European scope. It is therefore of special relevance: this project will define the reference methodology for evaluation at the European level, and it counts on one of the creators of the Spanish standard that is being used as a reference.

José Ruiz also carried out an analysis and comparison of the main current lightweight evaluation methodologies in Europe: LINCE (Spain), BSZ (Germany), CSPN (France) and BSPA (The Netherlands). It is available on the jtsec website.

José Ruiz is also the current secretary of the ISO/IEC JTC 1/SC 27/WG 3 group, so his involvement is not restricted to isolated projects.

José Pulido has worked at ISO/IEC JTC 1/SC 27/WG 3 as an expert in the field of automotive cybersecurity. He has participated in project N1697 for the study period on evaluation criteria for connected vehicles based on ISO/IEC 15408. As part of his work on this project, he has carried out a detailed study of current approaches to the problem of security evaluation of connected intelligent vehicles. In addition, he has developed a proposal with different options for Common Criteria certification models for this kind of technology.

This field of work is critical for safety, because a scenario is approaching in which vehicles will also depend on intercommunication technologies, with a tendency towards an increasing level of autonomy of the vehicle itself. Defining a standard methodology for certifying the IT safety aspects of connected vehicles is fundamental to ensure the safety of drivers and other occupants. This makes José Pulido's work of great significance for the cybersecurity world.

During the last meeting in Paris, the report created by J. Pulido was used as a guide, and it was decided to extend the study period.

jtsec is a national reference in the field of security certification. In addition, it was the first laboratory accredited by ENAC and CCN to evaluate the security of IT products according to the LINCE methodology.

Finally, it should be mentioned that jtsec maintains continuous training so that workers are aware of the importance of standardisation, the different existing standardisations and the new advances that are arising in the world of cybersecurity standardisation.

Luis Vargas/Junior evaluator

Telecommunications technologies student at the UGR, specialized in telematics engineering. Member and co-founder of Hackiit, the ethical hacking group of The Higher Technical School of Information Technology and Telecommunications Engineering of the University of Granada.

He started his career in 2019 at jtsec.
