Executive Summary

ITU-T Study Group 17, Security, meeting

14 – 23 March 2016, Geneva/Switzerland

Participation:

150 participants (10 fewer than at the previous SG17 meeting, 200 pre-registered); 27 Member States, 18 Sector Members, 3 Associates, and 2 Academia. Several invited experts. Increased participation of Member States from developing countries.

  • New participation from: Latvia, Alibaba, InterDigital Communications, Aetna (new Associate to SG17), Bournemouth University.

SG17 vice chairmen vacancies:

  • Arab Region: SG17 vice Chairman from UAE left and the post is vacant. A replacement is sought.
  • Americas Region: SG17 vice Chairman from Mexico has never participated. A replacement is sought.

SG17 appointments:

  • Ms Yiwen WANG as an additional Q1/17 Associate Rapporteur as proposed by China (P.R.); she will be sharing responsibilities with Mr Chen for updating the security roadmap.
  • Mr Heung Ryong OH (Korea, Republic of) and Ms Zhiyuan HU (Alcatel-Lucent Shanghai Bell Co. Ltd) to co-chair the Q2/17 sessions.
  • Mr Yanbin ZHANG as new Q5/17 Rapporteur, as proposed by China (P.R.).
  • Mr Yutaka MIYAKE to be acting Q6/17 Rapporteur for the first three days of the meeting.
  • Mr Jeong-Jun SUH to be acting Q6/17 associate Rapporteur for the first three days of the meeting.
  • Mr Bo YU as an additional Q6/17 associate Rapporteur, as proposed by China (P.R.).

Meeting input and organizations

  • Contributions: 81 (77 last time, stable), two contributions were withdrawn.
  • TDs: 415 (37 more than in the previous meeting). This includes 54 incoming liaison statements, and 32 outgoing liaison statements.
  • Busy and productive 7th meeting of this study period having 8 working days.
  • Two SG17 open, extended management team meetings were held (during the weekends), complemented by the SG17 security coordination meeting.
  • Many parallel meetings per quarter each day. Many sessions were equipped with AdobeConnect teleconferencing to allow remote participation.

Meeting Output

The SG17 plenary meeting:

  1. Approved five draft new ITU-T Recommendations and one draft revised Recommendation announced for TAP in accordance with WTSA-12 Resolution 1, Section 9. Details are in Annex A a).
  2. Approved one new Amendment, agreed two new Supplements, and approved one revised Implementer's guide. Details are in Annex A c).
  3. Determined (TAP) three draft new ITU-T Recommendations in accordance with WTSA-12 Resolution 1, Section 9. Details are in Annex A d).
  4. Consented (AAP) two draft new ITU-T Recommendations, ten draft revised ITU-T Recommendations, and one draft Corrigendum for Last Call according to Recommendation ITU-T A.8. Details are in Annex A e).
  5. Agreed nine new work items to be added to the SG17 work programme. Details are in Annex B.

Coordination and promotion activities:

  • One Joint Coordination Activity on COP meeting under the SG17 parent-ship was held.
  • One Joint Coordination Activity on IdM meeting under the SG17 parent-ship was held and coordination took place with SG2, SG20 on IoT identification; OASIS, FIDO Alliance and GLEIF shared information.
  • A joint session of Q4/17 and Q10/17 was held on addressing security challenges through IdM and cybersecurity standardization. The joint session shared the positive outlook that these developments in IdM and cybersecurity, together with associated ecosystems in the private and public sectors, will help address security challenges in each of the Member States, where ITU-T can play a considerable role in facilitating the proliferation of standards.

Correspondence Groups:

Two Correspondence Groups were continued, and two CGs were terminated.

  • CG-CYBEX: Continued Correspondence Group on cybersecurity information exchange capabilities.
  • CG-IoTSec: Continued (joint with SG20) Correspondence Group on Security and Privacy for IoT to improve the report to TSAG on security and privacy aspects of IoT.
  • SG17 is continuing its efforts on identifying new areas for standardization using an orchestrated Q1/17 mailing list.

Other highlights

  • Seven special sessions were held to off-load the plenaries from debates:
    • on bridging the standardization gap. The SG17 regional group for Africa presented its activity report which was agreed;
    • on collaboration between SG17 and SG20 on IoT security. This special session included participation of the SG20 chairman and several SG20 management team members (remotely). It gave support to Contribution C 489 from United States. The meeting concluded to continue using the Correspondence Group (CG-IoTSec) with revised terms of reference for discussion and for finalization of the improved report on security & privacy to TSAG; to collect all comments and views, and to resolve them in the CG-IoTSec; and to include C 489 into the report of this special session.
    • on preparation of SG17 for WTSA-16 and the next study period with the finalized suite of 12 Question texts and mandate (in four sessions). Draft Part I and Part II reports were produced and agreed as output of the meeting. As a result, SG17 wants to continue all its 12 Questions (only slight amendments were made at this meeting).
    • on discussion of possible areas for joint ITU-T SG17 and IETF security standards development, which concluded with four identified steps to improve coordination: a) to support a presentation by ITU-T SG17 on its activities and to provide more information to the IETF at the next IETF meetings. Mr Vasiliy Dolmatov is nominated to make a presentation at SAAG, if a speaking slot is offered. b) to support collaboration through IETF participation in ITU-T SG17 interim Rapporteur group meetings; for example with Question 4/17, Cybersecurity. c) to seek more information from the IETF about its security activities. SG17 invites a representative from the IETF Security Area to participate in and provide a tutorial during our 29 August – 7 September 2016 meeting. A liaison was sent to IETF.
    • on outcome and future of CG-investigate with conclusions not to continue this CG with revised ToR, but to suspend this CG, and to reconsider reconstitution of the CG in the next study period after results of the WTSA-16 are available; and to use the Q1/17 mailing list for discussions within SG17 on future standardization strategy of SG17, new issues and technical ideas, where SG17 experts from industry should bring in topics. An idea was to organize a workshop in 2017 at the first or second SG17 meeting in the next study period.
    • on FG-AC deliverables with conclusions that the mailing list of Q1/17 be used to discuss security issues in the deliverables; all Rapporteurs were asked to participate in the Q1/17 mailing list discussion. Mr Koji Nakao was asked to provide a technical analysis of the security aspects in the deliverables. SG17 is to organize a session or (mini) workshop at the August/September 2016 SG17 meeting involving all interested parties for preparation of future work items in the next study period.
    • ad-hoc sessions on security coordination requirements for interconnection of a satellite-based network with terrestrial networks for public protection and disaster relief. Issues related to ITU-R, ITU-D and ITU Academy were identified. The ad-hoc sessions demonstrated very practically how important it is to work in a collaborative style with all ITU Sectors.
  • The ICT Security Standards Roadmap and the Security Compendia were updated.

Associated events:

The associated events below assisted in identifying new actions for the study group, leveraged the collaboration with other organizations, and will hopefully attract new experts to the ITU-T and SG17 community.

  • Mentoring programme for newcomers: Comprehensive programme through tutorials (see below), welcome, feedback session and guided tour, all attended with interest.
  • BSG hands-on training session for 15 newcomers from developing countries.

Tutorial presentations:

Eight tutorial presentations were given at this Study Group 17 meeting and were received with positive interest. They addressed: an SG17 overview for newcomers; presentations from the Rapporteurs of Questions 2, 3, 4, 5, and 6/17; Digital Object Architecture; and NextGen (5G) security and the importance of Platform Integrity.

Next SG17 meeting:

  • MON 29 August – WED 07 September 2016, Geneva, Switzerland.
  • Seven interim Rapporteur Group meetings are planned until August 2016.
  • 6 texts are planned for approval or agreement, and up to 42 texts are planned for determination or consent in September 2016.

 Annex A

Actions taken on Recommendations, and other texts at the 23 March 2016 SG17 plenary

a) Recommendations approved (TAP – WTSA-12 Resolution 1):

The SG17 plenary meeting approved (TAP) five draft new ITU-T Recommendations and one draft revised ITU-T Recommendation in accordance with WTSA-12 Resolution 1, Section 9.

| Q | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent (e.g., ISO/IEC) | Start of work | Timing |
|---|---|---|---|---|---|---|---|---|
| 4/17 | X.1521 | Common vulnerability scoring system 3.0 | Revised | Damir Rajnovic | COM 17 – R 49 + TD 2542 | | 2015-09 | 2016-03 |
| 5/17 | X.1247 | Technical framework for countering mobile messaging spam | New | Feng Gao, Laifu Wang, Junjie Xia, Annan Zhu | COM 17 – R 50 | | 2013-04 | 2016-03 |
| 8/17 | X.1602 | Security requirements for software as a service application environments | New | Zhaoji Lin, Ruoni Wang, Peng Zhao | COM 17 – R 52 | | 2011-04 | 2016-03 |
| 8/17 | X.1642 | Guidelines for the operational security of cloud computing | New | Ming Feng, Zhaoji Lin, Jun Shen, Huirong Tian, Laifu Wang | COM 17 – R 53 | | 2012-03 | 2016-03 |
| 10/17 | X.1256 | Guidelines and framework for sharing network authentication results with service applications | New | Lijun Liu, Min Zuo | COM 17 – R 54 Rev.1 + TD 2566 | | 2009-09 | 2016-03 |
| 10/17 | X.1257 | Identity and access management taxonomy | New | Radu Marian | COM 17 – R 55 Rev.1 | | 2012-09 | 2016-03 |

Approval of the above Recommendations is reflected in TSB Circular 213 of 4 April 2016.

b) Recommendations (not approved) (TAP – WTSA-12 Resolution 1):

None.

c) Amendment approved, Supplements agreed, Implementer's guide approved:

The SG17 plenary meeting approved one new Amendment, two new Supplements, and one revised Implementer's guide.

| Q | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent (e.g., ISO/IEC) | Start of work | Timing |
|---|---|---|---|---|---|---|---|---|
| 4/17 | X.1500 Amd.9 | Overview of cybersecurity information exchange – Amendment 9 – Revised structured cybersecurity information exchange techniques | Note (1) | Youki Kadobayashi | TD 2510 | | 2015-04 | 2016-03 |
| 5/17 | X.Suppl.25 (X.gcsfmpd)** | Supplement 25 to ITU-T X-series Recommendations – ITU-T X.1231 – Supplement on guidance to assist in countering spam for mobile phone developers | New | Tae-Jin Lee, Jeong-Jun Suh | TD 2531 Rev.1 | | 2015-04 | 2016-03 |
| 6/17 | X.Suppl.26 (X.sgsec-1)** | Supplement 26 to ITU-T X-series Recommendations – ITU-T X.1111 – Supplement on security functional architecture for smart grid services using telecommunication networks | New | Mijoo Kim, Jeong-Jun Suh, Mi Yeon Yoon | TD 2591 Rev.2 | | 2012-03 | 2016-03 |
| 12/17 | Z.Imp100 Note (2) | Specification and Description Language implementer's guide - Version 3.0.0 | Revised | Rick Reed | TD 2378 | | 2015-09 | 2016-03 |

Notes:

** Supplement for agreement

(1) Amendment 9 supersedes Amendment 8.

(2) Implementer's Guide for approval.

d) Recommendations determined (TAP – WTSA-12 Resolution 1):

The SG17 plenary meeting determined (TAP) three draft new ITU-T Recommendations in accordance with WTSA-12 Resolution 1, Section 9.

| Q(1) | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent (e.g., ISO/IEC) | Start of work | Timing |
|---|---|---|---|---|---|---|---|---|
| 4/17 | X.1542 (X.simef)* | Session information message exchange format | New | Ik-Kyun Kim, Jong-Hyun Kim | COM 17 – R 61 (TD 2561 Rev.1) | | 2014-09 | 2016-03 |
| 8/17 | X.1641 (X.CSCDataSec)* | Guidelines for cloud service customer data security | New | Nan Meng, Wei Liang | COM 17 – R 63 (TD 2514 Rev.3) | | 2014-09 | 2016-03 |
| 10/17, (7/17) | X.1258 (X.eaaa)* | Enhanced entity authentication based on aggregated attributes | New | Tae Kyung Kim, Jae Hoon Nah, Junjie Xia | COM 17 – R 64 (TD 2518 Rev.1) | | 2014-09 | 2016-03 |

Notes:

(1) In case of joint Question activity, the lead Question is given without parentheses and other Questions are shown in parentheses; such entries are only shown in the table against the lead Question.

Information on the Member States consultation is available in TSB Circular 214 issued 4 April 2016.

e) Recommendations consented for Last Call (AAP – Recommendation ITU-T A.8):

The SG17 plenary meeting gave consent (AAP) to two draft new ITU-T Recommendations, ten draft revised ITU-T Recommendations, and one draft Corrigendum for Last Call according to Recommendation ITU-T A.8:

| Q | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent (e.g., ISO/IEC) | Start of work | Timing |
|---|---|---|---|---|---|---|---|---|
| 2/17 | X.1033 (X.gsiiso) | Guidelines on security of the individual information service provided by the operators | New | Junjie Xia, Bo Yu | TD 2544 | | 2009-02 | 2016-03 |
| 3/17 | X.1051rev | Information technology – Security techniques – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations | Revised | Kyeong Hee Oh, Wataru Senga | TD 2602 Rev.1 | ISO/IEC 27011 | 2013-04 | 2016-03 |
| 11/17 | X.894 (X.cms) | Information technology – Generic applications of ASN.1 – Cryptographic Message Syntax | New | Jean-Paul Lemaire | TD 2558 Rev.1 | ISO/IEC 24824-4 | 2013-09 | 2016-03 |
| 11/17 | X.509 Cor.2 | Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks – Technical Corrigendum 2 | | Erik Andersen | TD 2587 | ISO/IEC 9594-8 Cor.2 | 2016-03 | 2016-03 |
| 12/17 | Z.100 | Specification and Description Language - Overview of SDL-2010 | Revised | Rick Reed | TD 2370 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.101 | Specification and Description Language - Basic SDL-2010 | Revised | Rick Reed | TD 2371 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.102 | Specification and Description Language - Comprehensive SDL-2010 | Revised | Rick Reed | TD 2372 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.103 | Specification and Description Language - Shorthand notation and annotation in SDL-2010 | Revised | Rick Reed | TD 2373 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.104 | Specification and Description Language - Data and action language in SDL-2010 | Revised | Rick Reed | TD 2374 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.105 | Specification and Description Language - SDL-2010 combined with ASN.1 modules | Revised | Rick Reed | TD 2375 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.106 | Specification and Description Language - Common interchange format for SDL-2010 | Revised | Rick Reed | TD 2376 Rev.2 | | 2015-09 | 2016-03 |
| 12/17 | Z.107 | Specification and Description Language - Object-oriented data in SDL-2010 | Revised | Rick Reed | TD 2377 Rev.1 | | 2015-09 | 2016-03 |
| 12/17 | Z.111 | Notations and guidelines for the definition of ITU-T languages | Revised | Rick Reed | TD 2470 | | 2015-09 | 2016-03 |

Notes:

(1) Draft Recommendations ITU-T X.1033 (X.gsiiso), X.1051 (revised), X.894 (X.cms), X.509 Cor.2, Z.100 (revised), Z.101 (revised), Z.102 (revised), Z.103 (revised), Z.104 (revised), Z.105 (revised), Z.106 (revised), Z.107 (revised), and Z.111 (revised) were sent to AAP Last Call #77 on 1 April 2016.

Annex B

New work items

The following nine new work items were agreed to be added to the SG17 work programme:

| Q(1) | Acronym | Title | AAP/TAP/Agreement | Editor(s) | Document | Equivalent (e.g., ISO/IEC) | Timing* |
|---|---|---|---|---|---|---|---|
| 2/17, (3/17) | X.salcm | Security reference architecture for lifecycle management of e-commerce business data | AAP | Kepeng Li, Zhaoji Lin, Junjie Xia, Feng Zhang | NWI template: COM 17 – R 59 Annex B Attachment 1; Base text: TD 2588 Rev.2 | | 2017-10 |
| 2/17, (6/17) | X.voLTEsec-1 | Security framework for voice-over-long-term-evolution (VoLTE) network operation | AAP | Haitao Du, Zhaoji Lin, Feng Zhang, Liang Wei | NWI template: COM 17 – R 59 Annex B Attachment 2; Base text: TD 2549 Appendix I | | 2018-04 |
| 4/17 | X.metric | Metrics for evaluating threat and resilience in cyberspace | TAP | Youki Kadobayashi, Daisuke Miyamoto | NWI template: COM 17 – R 60 Annex A Attachment 1; Base text: C-475 | | 2017 |
| 6/17 | X.msec-11 | Guidelines on mitigating the negative effects of infected terminals in mobile networks | TAP | Liu Lijun, Chen Zhang | NWI template: COM 17 – R 65 Annex A Attachment 1; Base text: C-494 (Rev.2) | | 2016-09 |
| 6/17, 27/16 | X.sotavsu | Non-normative document – Secure Over-the-Air Vehicle Software Updates – Operational and Functional Requirements | Agreement | Koji Nakao | NWI template: COM 17 – R 65 Annex A Attachment 2; Base text: TD 2482 Att.1 | | 2016-09 |
| 8/17 | X.SRIaaS | Security requirements of public infrastructure as a service (IaaS) in cloud computing | TAP | Huamin Jin, Laifu Wang, Mengxi Wang, Shuai Wang | NWI template: COM 17 – R 62 Annex A Attachment 1; Base text: TD 2530 Rev.2 Appendix I | | 2018-4Q |
| 10/17 | X.1254rev | Entity authentication assurance framework | TAP | Abbie Barbir, Heung-Youl Youm | NWI template: COM 17 – R 62 Annex B Attachment 1; Base text: C 485 | | 2017 |
| 10/17 | X.te | Trust elevation protocol | AAP | Abbie Barbir, Heung Youl Youm | NWI template: COM 17 – R 62 Annex B Attachment 2; Base text: TD 2498 | | 2017 |
| 11/17 | X.jsoner | Information technology – ASN.1 encoding rules: Specification of Javascript Object Notation (JSON) Encoding Rules (JSON/ER) | AAP | Paul E. Thorpe | NWI template: COM 17 – R 66 Annex A Attachment 1; Base text: TD 2624 | ISO/IEC 8825-x | 2018 |

Notes:

* Target date for consent or determination of Recommendations or for agreement of Supplements or non-normative text

(1) In case of joint Question activity, the lead Question is given without parentheses and other Questions are shown in parentheses; such entries are only shown in the table against the lead Question.

________________