The Joint Standardisation Workshop, hosted by the Cybersane Project, was an interesting venue for presenting different EU projects funded under the SU-ICT-01-2018 H2020 Call and for discussing their different approaches to the common problem of attack detection and situational awareness.
In spite of the different approaches, methodologies, domains, and objectives, standardization emerged as a common issue for all participants. Although almost everyone was well aware of its importance, most projects are not actively involved in any standardization initiative and often find it difficult to identify relevant standards. A common misconception was to consider standards as something to be largely "undergone," with little or no opportunity to get actively involved in their definition.
The main outcomes of the internal brainstorming, with the valuable support of Dr. Vasileios Mavroeidis's keynote presentation "Cybersecurity standardization within the 'Horizon' sphere", were the discussions on the possible ways to be involved in the working committees and the identification of the most relevant standards for the involved projects.
As for the involvement process, it is clear that most standardization bodies are either industry-led or community-driven. In the first case, participation requires the payment of high association fees, which often discourage academics and research institutes from joining; in addition, big players are often the main contributors, and the process may last several years, which might not be compatible with the duration of research projects. In the second case, association fees are usually cheaper, and the community is more dynamic and open to proposals. However, taking part in either kind of working committee is a genuinely time-consuming task, due to the number of meetings, the contributions to prepare, and the documents to be reviewed.
The discussion on current standards that may be of interest for the involved projects identified two main aspects: the first is cyber-threat intelligence, and the second is modelling and control. Currently, there is no standardized way to document the description of attacks and the necessary steps to mitigate them, or to share this information across organizational boundaries and technology solutions. CACAO by OASIS emerged in the discussion as an interesting effort in this direction.
Coming to the second aspect, cyber defence technologies, systems and applications often use proprietary software and commands to control system configurations, which hinders the composition of open systems and often leads to closed verticals and vendor lock-in. Some years ago, the telecommunication industry started the IETF I2NSF (Interface to Network Security Functions) initiative to address this problem, but this group got stuck for several months and its future is uncertain. A related group from IETF was also mentioned, SCAP, but the scope of this committee should be checked. OpenC2, again by OASIS, was identified as a possible technology-agnostic language for machine-to-machine communications for the command and control of technologies that provide or support cyber defences. Taken together, OpenC2 and CACAO playbooks may be used to implement Security Orchestration, Automation and Response (SOAR), which is today a growing trend to reduce the impact of humans on cyber-security processes. NIST has already published several versions of SCAP, which is intended to automate the exchange of security automation content used to assess configuration compliance and to detect the presence of vulnerable versions of software.
Finally, several projects pointed out the need to model the infrastructure, or more generally the digital assets, that should be protected. In this context, besides the FIWARE Smart Data Models, there seems to be a lack of protocols for describing the different resources in terms of cybersecurity properties.
Projects funded under the SU-ICT-01-2018 H2020 Call are planning to hold a second workshop on standardization in 2021, which will be part of a virtual session with a wider scope in which some application use cases in the emerging ICT market sectors will be presented.