Internet of Things Security standards Vangelis Gazis (vangelis.gazis@huawei.com) Chief Architect Security Internet of Things (IoT) Security Solution Planning & Architecture Design (SPD)
Security standards for IoT where does one start? onem2m GSMA IETF OASIS 3GPP NIST ETSI OWASP ISO IEEE 2
Let s look at automotive (as an example) Study Groups Standardization Bodies Other Bodies SG 11 TC 22 GSMA ISO SG 13 TC 204 ATIS ITU-T SG 16 JTC1/SC6 CCSA ISO/IEC SG 20 JTC1/SC27 Standards TIA Development ITU-R WP5A SAE Vehicle Cyber Security Organizations TTA CITS Collaboration on ITS Communication Standards IEEE 802.11 WG 1609 WG ETSI TC ITS UNECE WP29 TFCS W3C Automotive WG AGL Automotive Grade Linux TTC https://www.itu.int/en/itu-t/workshops-and-seminars/201708/documents/s2-lee.pdf 3
Approaching cyber security in IoT Key observations Market lacks economic incentives for cyber security Customers prioritize functional features over security ones Depreciation of security assurances given at product/service launch New vulnerabilities are being discovered daily (discovery disclosure) The value chain may distribute the liabilities associated to cyber security assurances in a disproportionate manner DDoS attacks launched by a globally distributed population of low-cost end-user devices (e.g. as in IoT) under the control of malicious actor bring no additional cost to the manufacturer of any of these devices Consumers of products and/or services often lack in security awareness 4
Approaching cyber security in IoT Scale Devices are low-cost Lack of incentives for engineering robust security at device level Low security awareness Economics Lack of liability structures in the security of products and services Externalities of lack in security Practice Compromise one type of device Device players don t care enough Own millions of devices Poor security to start with and gradual security depreciation 5
Approaching cyber security in IoT Scale Devices are low-cost Lack of incentives for engineering robust security at device level Low security awareness Economics Lack of liability structures in the security of products and services Externalities of lack in security Practice Compromise one type of device Device players don t care enough Lightweight (cost-efficient) root-of-trust Own millions of devices Poor security to start with and gradual security depreciation 6
Approaching cyber security in IoT Scale Devices are low-cost Lack of incentives for engineering robust security at device level Low security awareness Economics Lack of liability structures in the security of products and services Externalities of lack in security Practice Compromise one type of device Device players don t care enough Enablement of markets for DDoS mitigation Own millions of devices Poor security to start with and gradual security depreciation 7
Approaching cyber security in IoT Scale Devices are low-cost Lack of incentives for engineering robust security at device level Low security awareness Economics Lack of liability structures in the security of products and services Externalities of lack in security Practice Compromise one type of device Device players don t care enough Standards for firmware and/or software updates Own millions of devices Poor security to start with and gradual security depreciation 8
Approaching cyber security in IoT Scale Devices are low-cost Lack of incentives for engineering robust security at device level Low security awareness Economics Lack of liability structures in the security of products and services Externalities of lack in security Practice Compromise one type of device Device players don t care enough Balancing stakeholders incentives Own millions of devices Poor security to start with and gradual security depreciation 9
Approaching cyber security in IoT Scale Devices are low-cost Lack of incentives for engineering robust security at device level Low security awareness Economics UNECE Lack of liability structures in WP29 security of products and services Externalities of lack in security Practice TCG DICE Compromise one type of device Device players don t care enough ENISA GSMA NIST OWASP CSA ISO/IEC IETF DOTS Own OASIS CTI millions of devices IETF SUIT Poor security to start with and gradual security depreciation 10
IoT security Recommendations and guidelines (non-exhaustive list) ENISA Baseline security recommendations for IoT in the context of critical information infrastructures CSA 13 steps to developing secure IoT products GSMA IoT security guidelines for endpoint ecosystems IoT security guidelines for service ecosystems IoT security guidelines for network operators 11
IoT security ENISA baseline security recommendations for IoT Policies Organizational People Processes Technical Measures Security by design End-of-life support Trust and integrity management Secure software/firmware update Privacy by design Proven solutions Strong default security Authentication Strong default privacy Authorization Asset management Vulnerability management Hardware security Access control Risk identification and assessment Threat identification and assessment Incident management Security training and awareness 3 rd party relationship management Data protection and compliance System safety and reliability Secure handling of input/output data Secure interfaces and network services Secure and trusted communications Logging Monitoring and auditing 12
IoT security CSA recommendations Policies Organizational People Processes Technical Measures Secure development methodology Secure development and integration environment Secure key management Hardware security Secure update capability Authentication Authorization Access control Establish privacy protections Data protection Secure associated Applications and Services Identify framework security Identify platform security Protect logical and API interfaces Logging Security reviews 13
IoT security GSMA recommendations Policies Organizational People Processes Technical Measures Set of security classifications Sunset model Manage cryptographic architecture Server provisioning Bootstrap method Network authentication services System hardening Communications model Data breach policy Root of Trust (RoT) Update model Incident response model Recovery model Communications privacy model Authorization model Strong password policy Persistent storage model Input validation Output filtering Service Trusted Computing Base (TCB) Security infrastructure for exposed systems Define an application execution environment Logging and monitoring 14
Summary Cyber security in IoT is primarily an ecosystem (i.e. economic model) concern Addressing IoT cyber security at its root causes calls for actions in key priorities Stakeholder incentives => ecosystem shift to a better balance Baseline measures => key enablers for cyber security in IoT (interoperability) o Lightweight root-of-trust o Secure updates for firmware and/or software o Technical enablers of an attack mitigation ecosystem (e.g. market-driven) Best practices => share the cost of cyber security know-how 15
Thank you. Copyright 2018. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. 16