by Hui Han (Fraunhofer IESE)
Standardisation can help ensure proper contractual procedures for protecting digital information and systems, guaranteeing security and privacy in the dynamic digital environment. With standardisation, companies can effectively collaborate with their partners, thus strengthening trust among organisations. As a result, various standards have been established for security applications and technologies.
When identifying a system’s deficiencies, and potential threats from internal and external sources, it is important to consider the characteristics of the security applications and technologies that are being used by an organisation. Security issues can be classified into three types :
- Physical security: preventing unauthorised crew or even occasional interlopers from accessing internal software components and hardware.
- Network security: preventing malware (malicious software) or cyber-attacks on underlying networking infrastructures and communication systems.
- Data security: protecting data from the actions of unauthorised users, including data encryption, tokenisation, and key management.
Physical security standardisation
Three typical standards used to define physical security are the IEC 62443, the ISO 27033 series and ISO/IEC 29180:2012, which represent the security standards for the control systems, information system networks and sensor networks, respectively. The IEC 62443 series addresses the security required for business IT applications by industrial automation and control systems (IACSs). The ISO/IEC 27033 series addresses security facets of the design, implementation, and management of information system networks. The ISO/IEC 29180:2012 addresses the security requirements of the ubiquitous sensor network (USN). Furthermore, it classifies the security technologies based on the security functions that meet the above-mentioned security requirements and where the security technologies are to be used for constructing the security model of USN.
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. It provides assurance for the process of designation, execution and assessment of a computer security product.
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a computer chip (microcontroller) that is designed to provide hardware-based, security-related functions through integrated cryptographic keys.
eIDAS (electronic IDentification, Authentication and trust Services) creates a standard framework on electronic identification and trust services for electronic transactions that applies as law within the whole of the EU.
OAuth 2.0 is a security standard which gives one application permission to access data in another application.
Network security standardisation
The Organisation for the Advancement of Structured Information Standards (OASIS) is a non-profit consortium that develops web services standards along with security standards. OASIS security standards relevant to cloud computing are: SAML, XACML, SPML, WS-Security Policy, and WS-Trust. In addition, Cloud Data Management Interface (CDMI) are cloud-computing standards for customer interactions with cloud-based storage, cloud data management, and cloud-to-cloud storage interactions.
The Transport Layer Security (TLS) protocol is the de facto standard when it comes to securing communications on the World Wide Web.
PKCS (Public Key Cryptography Standards) are a set of public-key cryptography standard protocols that enable secure information exchange on the internet. GOST 28147-89 is a well-known 256-bit block cipher that submitted to ISO 18033 to become a worldwide industrial encryption standard.
QUIC (Quick UDP Internet Connections) is a new encrypted-by-default internet transport protocol that contributes many improvements designed to speed up HTTP traffic and make it more secure, with the purpose of eventually replacing TCP and TLS on the web.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted protocol for sending digitally signed and encrypted messages.
Data security standardisation
Privacy is an important aspect of security. Government policies and protocols in this domain are receiving more attention because of the growing concern of citizens about the abuse of personal data and violations of privacy. In this area, the General Data Protection Regulation (GDPR) that entered into force in the EU in May 2018 provides for governments to establish standardisation on data protection and privacy.
The World Wide Web Consortium (W3C) forms the XML-Encryption standard, which specifies a process for encrypting data and displaying the result in XML.
Secure Channel Protocol (SCP) is a way of transferring data that is resistant to overhearing and tampering.
ISO/IEC 29176 is a consumer privacy-protection protocol for mobile RFID services. ISO/IEC 29134:2017 are guidelines for privacy impact assessment (e.g. assessing operating data processing systems). ISO 29190:2015 provides guidance about how to assess their capability to manage privacy-related processes.
The project: Software Engineering for AI (SE4AI) in the context of small and medium-sized enterprises (SME)
SMEs face different challenges to large enterprises when it comes to digitisation and the application of AI and data-driven methods. The Data Science department at Fraunhofer IESE has developed and has been applying several methods to help companies in their digital transition , but these are not dedicated to SMEs. Our new project focusses on how current SE4AI methods apply to SMEs and will propose solutions for the implementation and evaluation of these methods. Security standardisation is a main challenge faced by SMEs when applying SE4AI methods.
 P. Leitao, J. Barbosa, M. E. C. Papadopoulou, and I. S. Venieris, “Standardization in cyber-physical systems: the ARUM case,” in Proceedings of the IEEE International Conference on Industrial Technology, 2015, pp. 2988–2993, doi: 10.1109/ICIT.2015.7125539.
 J. Heidrich, A. Trendowicz, and C. Ebert, “Exploiting Big Data’s Benefits,” IEEE Software, vol. 33, no. 4, pp. 111–116, 2016.
Hui Han, Fraunhofer Institute for Experimental Software Engineering (IESE), Germany