Internet of Things Security standards


Internet of Things Security standards
Vangelis Gazis (vangelis.gazis@huawei.com)
Chief Architect Security, Internet of Things (IoT) Security Solution Planning & Architecture Design (SPD)

Security standards for IoT: where does one start?
oneM2M, GSMA, IETF, OASIS, 3GPP, NIST, ETSI, OWASP, ISO, IEEE

Let's look at automotive (as an example)
  Study groups:
  - ITU-T SG 11, SG 13, SG 16, SG 20
  - ITU-R WP5A
  - CITS (Collaboration on ITS Communication Standards)
  Standardization bodies:
  - ISO TC 22, ISO TC 204
  - ISO/IEC JTC1/SC6, JTC1/SC27
  - SAE Vehicle Cyber Security
  - IEEE 802.11 WG, IEEE 1609 WG
  - ETSI TC ITS
  - UNECE WP29 TFCS
  - W3C Automotive WG
  Other bodies:
  - GSMA
  - Standards development organizations: ATIS, CCSA, TIA, TTA, TTC
  - AGL (Automotive Grade Linux)
  Source: https://www.itu.int/en/itu-t/workshops-and-seminars/201708/documents/s2-lee.pdf

Approaching cyber security in IoT: key observations
- The market lacks economic incentives for cyber security: customers prioritize functional features over security ones.
- Security assurances given at product/service launch depreciate: new vulnerabilities are discovered daily (from discovery to disclosure).
- The value chain may distribute the liabilities associated with cyber security assurances in a disproportionate manner: DDoS attacks launched by a globally distributed population of low-cost end-user devices (e.g. as in IoT) under the control of a malicious actor bring no additional cost to the manufacturer of any of these devices.
- Consumers of products and/or services often lack security awareness.

Approaching cyber security in IoT
  Scale
  - Devices are low-cost
  - Lack of incentives for engineering robust security at device level
  - Low security awareness
  Economics
  - Lack of liability structures in the security of products and services
  - Externalities of lack of security
  Practice
  - Compromise one type of device, own millions of devices
  - Device players don't care enough
  - Poor security to start with and gradual security depreciation
  Key enablers, and the related work named on the slide:
  - Lightweight (cost-efficient) root-of-trust: TCG DICE
  - Enablement of markets for DDoS mitigation: IETF DOTS, OASIS CTI
  - Standards for firmware and/or software updates: IETF SUIT
  - Balancing stakeholders' incentives: UNECE WP29
  - Recommendations and guidelines: ENISA, GSMA, NIST, OWASP, CSA, ISO/IEC

IoT security: recommendations and guidelines (non-exhaustive list)
- ENISA: Baseline security recommendations for IoT in the context of critical information infrastructures
- CSA: 13 steps to developing secure IoT products
- GSMA: IoT security guidelines for endpoint ecosystems; IoT security guidelines for service ecosystems; IoT security guidelines for network operators

IoT security: ENISA baseline security recommendations for IoT
  Policies
  - Security by design
  - Privacy by design
  - Asset management
  - Risk identification and assessment
  - Threat identification and assessment
  Organizational, People, Processes
  - End-of-life support
  - Proven solutions
  - Vulnerability management
  - Incident management
  - Security training and awareness
  - 3rd party relationship management
  Technical measures
  - Hardware security
  - Trust and integrity management
  - Strong default security
  - Strong default privacy
  - Data protection and compliance
  - System safety and reliability
  - Secure software/firmware update
  - Authentication
  - Authorization
  - Access control
  - Secure and trusted communications
  - Secure interfaces and network services
  - Secure handling of input/output data
  - Logging
  - Monitoring and auditing

IoT security: CSA recommendations
  (grouped on the slide under Policies, Organizational/People/Processes, and Technical measures)
  - Secure development methodology
  - Secure development and integration environment
  - Secure key management
  - Hardware security
  - Secure update capability
  - Authentication
  - Authorization
  - Access control
  - Establish privacy protections
  - Data protection
  - Secure associated applications and services
  - Identify framework security
  - Identify platform security
  - Protect logical and API interfaces
  - Logging
  - Security reviews

IoT security: GSMA recommendations
  (grouped on the slide under Policies, Organizational/People/Processes, and Technical measures)
  - Set of security classifications
  - Sunset model
  - Manage cryptographic architecture
  - Server provisioning
  - Bootstrap method
  - Network authentication services
  - System hardening
  - Communications model
  - Data breach policy
  - Root of Trust (RoT)
  - Update model
  - Incident response model
  - Recovery model
  - Communications privacy model
  - Authorization model
  - Strong password policy
  - Persistent storage model
  - Input validation
  - Output filtering
  - Service Trusted Computing Base (TCB)
  - Security infrastructure for exposed systems
  - Define an application execution environment
  - Logging and monitoring

Summary
- Cyber security in IoT is primarily an ecosystem (i.e. economic model) concern.
- Addressing IoT cyber security at its root causes calls for action on key priorities:
  - Stakeholder incentives => ecosystem shift to a better balance
  - Baseline measures => key enablers for cyber security in IoT (interoperability):
    - Lightweight root-of-trust
    - Secure updates for firmware and/or software
    - Technical enablers of an attack mitigation ecosystem (e.g. market-driven)
  - Best practices => share the cost of cyber security know-how
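The two baseline enablers the summary names, a lightweight root-of-trust and secure firmware/software updates, shown as an added Go illustration that is not part of the presentation. DeriveCDI is a simplified model of the TCG DICE layering mentioned on the earlier slides (a Unique Device Secret held by immutable boot code, a Compound Device Identifier derived from the measurement of the first mutable firmware); the Manifest type and VerifyUpdate are hypothetical and do not implement the IETF SUIT manifest format. The vendor key pair, the device secret and the firmware images are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeriveCDI models DICE-style layering (simplified, not the TCG spec text):
// the immutable root-of-trust holds the per-device Unique Device Secret (UDS)
// and derives the Compound Device Identifier (CDI) from the measurement of the
// first mutable firmware layer. Any change to that firmware yields a different
// CDI, so keys derived from it no longer match what was certified for the
// genuine image; nothing heavier than HMAC-SHA256 is needed on the device.
func DeriveCDI(uds, firmware []byte) []byte {
	measurement := sha256.Sum256(firmware)
	mac := hmac.New(sha256.New, uds)
	mac.Write(measurement[:])
	return mac.Sum(nil)
}

// Manifest is a deliberately minimal, hypothetical update manifest: a
// monotonic version, the digest of the image, and a vendor signature over
// both. It is a stand-in for a real manifest format such as IETF SUIT.
type Manifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte
}

// signedPayload fixes the byte layout the signature covers: version || digest.
func signedPayload(version uint32, digest [32]byte) []byte {
	buf := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// SignManifest is the vendor-side step, run in the build pipeline, never on the device.
func SignManifest(priv ed25519.PrivateKey, version uint32, firmware []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(firmware)}
	m.Sig = ed25519.Sign(priv, signedPayload(version, m.Digest))
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("version is not newer than the installed one")
)

// VerifyUpdate is the device-side check run before an image is written to
// flash: authenticity (vendor public key pinned in the root-of-trust),
// integrity (digest of the received image), and anti-rollback (monotonic version).
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, firmware []byte) error {
	if !ed25519.Verify(vendorPub, signedPayload(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(firmware) != m.Digest {
		return ErrDigest
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed values: a throwaway vendor key pair, a device secret and two images.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	uds := []byte("constructed-per-device-secret")
	v1 := []byte("constructed firmware image v1")
	v2 := []byte("constructed firmware image v2")

	fmt.Printf("CDI(v1) == CDI(v2): %v\n", bytes.Equal(DeriveCDI(uds, v1), DeriveCDI(uds, v2)))

	m2 := SignManifest(vendorPriv, 2, v2)
	fmt.Println("genuine v2 over installed v1:", VerifyUpdate(vendorPub, 1, m2, v2))
	fmt.Println("replayed v2 over installed v2:", VerifyUpdate(vendorPub, 2, m2, v2))
	fmt.Println("tampered image with genuine manifest:", VerifyUpdate(vendorPub, 1, m2, append(v2, '!')))
}
```

The order of checks matters on a constrained device: the signature is verified first so that an unauthenticated manifest cannot steer the digest or version comparison, and the version check closes the rollback path that a correctly signed but older image would otherwise open.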

Thank you.
Copyright 2018. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.