Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Similar documents
European Union Agency for Network and Information Security

The NIS Directive and Cybersecurity in

M&A Cyber Security Due Diligence

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

CYBER SECURITY AIR TRANSPORT IT SUMMIT

ENISA EU Threat Landscape

Run the business. Not the risks.

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

DELIVERING SIMPLIFIED CYBER SECURITY JOURNEYS

GDPR: A QUICK OVERVIEW

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Security Awareness Training Courses

IoT & SCADA Cyber Security Services

Big data privacy in Australia

Building a Resilient Security Posture for Effective Breach Prevention

Jeff Wilbur VP Marketing Iconix

Discussion on MS contribution to the WP2018

GDPR Update and ENISA guidelines

NIS Standardisation ENISA view

BHConsulting. Your trusted cybersecurity partner

Cybersecurity. Securely enabling transformation and change

Cyber Resilience. Think18. Felicity March IBM Corporation

Avanade s Approach to Client Data Protection

Accelerate Your Enterprise Private Cloud Initiative

Cybersecurity The Evolving Landscape

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Protecting your data. EY s approach to data privacy and information security

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Position Paper of the ASD Civil Aviation Cybersecurity Taskforce

Continuous protection to reduce risk and maintain production availability

Medical Device Cybersecurity: FDA Perspective

Enhancing the cyber security &

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

CYBER RESILIENCE & INCIDENT RESPONSE

Cyber Security Beyond 2020

Call for Expressions of Interest

INTELLIGENCE DRIVEN GRC FOR SECURITY

BHConsulting. Your trusted cybersecurity partner

Cyber Resilience - Protecting your Business 1

Cyber Security in Smart Commercial Buildings 2017 to 2021

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

The University of Queensland

IoT and Smart Infrastructure efforts in ENISA

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

Turning Risk into Advantage

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Addressing the elephant in the operating room: a look at medical device security programs

What It Takes to be a CISO in 2017

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Changing the Game: An HPR Approach to Cyber CRM007

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

Introduction to Device Trust Architecture

Securing Europe s IoT Devices and Services

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

General Data Protection Regulation (GDPR) The impact of doing business in Asia

How To Build or Buy An Integrated Security Stack

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Cybersecurity and Nonprofit

Digital Health Cyber Security Centre

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Department of Management Services REQUEST FOR INFORMATION

Securing Europe's Information Society

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Internet of Things Security standards

Business Continuity Management

Manchester Metropolitan University Information Security Strategy

THE POWER OF TECH-SAVVY BOARDS:

IT risks and controls

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Why you should adopt the NIST Cybersecurity Framework

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

LPWA NETWORKS FOR IoT: WORLDWIDE TRENDS AND FORECASTS

Data Management and Security in the GDPR Era

2017 RIMS CYBER SURVEY

Cloud First: Policy Not Aspiration. A techuk Paper April 2017

Cyber Security Program

Vulnerability Assessments and Penetration Testing

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

FDA & Medical Device Cybersecurity

Transforming the utilities industry. How our insight and infrastructure can help you thrive in a changing world

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

DIGITAL TRUST Making digital work by making digital secure

Clarity on Cyber Security. Media conference 29 May 2018

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Emerging Technologies The risks they pose to your organisations

HCL GRC IT AUDIT & ASSURANCE SERVICES

Demonstrating data privacy for GDPR and beyond

End-to-end Safety, Security and Reliability Keys for a successful I4.0 Migration

Transcription:

White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO

Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating security in IoT... 6 What incentives for IoT security? 6 Regulation... 6 Privacy... 7 Safety... 7 Corporate strategy... 7 Business opportunity... 7 Contractual requirement... 7 Market differentiator... 7 Future developments 8 2

Securing a business is not easy! With the constant evolution of cyber risks and new regulations, security and privacy become strategical investments. Cetome is your trusted security expert. At Cetome, we accompany you to protect your corporate priorities. Cetome goes beyond the technical aspects of security. We develop adapted solutions to better protect your business, prepare your staff to face security and privacy challenges and secure what is important to you. OUR VISION Cetome s mission is to enhance the security and privacy of innovative solutions to secure a better future. Cetome is your trusted security advisor WHY CHOOSE CETOME? We think security must support the business Cetome understands that security must adapt to your environment, your corporate strategy and the regulatory landscape with the objective to reduce your business and operational risks. We believe collaboration is key Cetome collaborates with all relevant stakeholders to understand your current level of security and define priorities to improve your security posture. We raise awareness on risks and solutions Cetome enhances the security awareness to the board and to operational staff on threats and risks with the objective to better prepare your business against cyber incidents. We go beyond technical solutions Cetome follows a holistic approach to security and privacy, to secure your business priorities. We adapt our solutions to your organisation, its culture and processes. Cetome is an independent security consultancy based in London, UK. We operate globally for key clients and governments in the UK, Europe, North America and the Middle East. Cetome has expertise in: CRITICAL SECTORS TRANSPORT AUTOMOTIVE HEALTHCARE ENERGY INDUSTRY 4.0 Contact Us Email: info@cetome.com Website: cetome.com STRATEGIC ADVISORY INFORMATION ASSURANCE INNOVATIVE SOLUTIONS AWARENESS AND TRAININGS

Our Services STRATEGIC ADVISORY Security and Business Integration Security Roadmap and Priorities Security Cost Optimisation Cyber Resilience Business Continuity Management Awareness and Training INFORMATION ASSURANCE Security Governance Regulatory Compliance Security Posture Improvement Risk Management Threat Modeling Secure Procurement Guidelines INNOVATIVE SOLUTIONS Security by Design Security for Safety GDPR for Innovative Solutions Awareness and Training AWARENESS AND TRAINING IoT Security Challenges and Solutions (4 days) Security by Design (3 days) Privacy by Design (3 days) Governance The NIST Framework (2 days) The NIS Directive (1 day) Introduction to a GDPR Framework (1 day) Introduction to Threat Modeling (2 days) Understanding a Penetration Test (1 day) Previous Works CORPORATE SECURITY ROADMAP Cetome implemented the NIST Cyber Security Framework for a leading IoT manufacturer. Following a gap analysis, we established security policies, controls, and a roadmap to reach corporate objectives. 1.1.1 SECURE PROCUREMENT FOR HEALTHCARE Cetome created a secure procurement framework for a global connectedhealthcare manufacturer. We defined technical and non-technical controls to ensure security throughout the supply chain. We supported the CISO team to use this framework for auditing third parties. GDPR COMPLIANCE FOR AUTOMOTIVE Cetome established a GDPR roadmap for an automotive supplier defining key security measures, budget and resources. We engaged with their different teams to define key principles for implementation. IOT SECURITY TRAINING Cetome provided an IoT security training to non-technical teams, focusing on the threats and risks of IoT systems. We presented good security practices and a methodology to integrate them into existing processes. All rights reserved Cetome Limited 2018 Registered in England and Wales (No: 11074299)

DEFINING THE IOT The Internet of Things (IoT) has become a game-changer within the last couple of years. In 2018, multiple sectors have adopted and deployed IoT solutions: hospitals, utilities, transport, manufacturing, logistics, and more. Beyond the traditional Smart Home use-case, IoT systems can enhance important functionalities: collection of new data, enabling of remote operations and predictive maintenance, etc. IoT is the new normal! IoT is the new normal The Eggminder, a connected egg-tray to never forget buying eggs again. Most IoT systems rely on similar concepts. This paper considers an IoT system as a set of technologies that provide a service: Devices with sensors and actuators. They collect, process and exchange data. Devices are usually deployed remotely, in the field. Communication networks. They provide a communication channel between devices and with processing systems. An IoT system can rely on multiple communication networks, wireless or wired, high or low speed. Processing facilities. They provide the smartness of the system. These processing facilities can sit in devices, in mobile application, or remotely (e.g. Cloud computing). An IoT system can have one or several processing facilities. INSECURITY BY DESIGN IoT is poised with multiple security issues that could lead to risks on our privacy and safety. Every new security disclosure brings to light the vulnerabilities of IoT systems. The root cause is usually tied to limited awareness around basic security principles (limited data security, lack of secure update mechanism, usage of untrusted/insecure third-party components). To mitigate these risks, IoT security shall follow the by design concept: it integrates as early as the design stage and throughout the lifecycle of a solution until end-of-life. It shall also apply a by default approach, so that security features are active by default instead of only being present as an option. BUT WHY ARE IOT SYSTEMS SO VULNERABLE? IoT is still a relatively new business model which features multiple opportunities. Every stakeholder in the value chain (manufacturers, integrators, operators, consumers, etc.) can benefit from these systems to monitor, analyse and enhance their activities. 5

Yet, securing this system of systems is no simple task and remains an unclear topic due to the lack of accepted standard and too many competing guidelines (which can lead to information overhead). Hence, IoT security can quickly become a blocker (due to limited skillset, high financial cost, impact on time-tomarket delivery, etc.). INTEGRATING SECURITY IN IOT As mentioned above, there are too many IoT security references that range from high-level security guidance to very specific low-level recommendations, which cover every component of the IoT ecosystem. However, these references are often not applied, or not applicable. There are many reasons: they are very generic, they fail to consider business objectives, or they simply talk to the wrong audience. Integrating security in IoT requires a holistic approach that considers multiple aspects: the governance, the business environment, technologies, human factors, processes, etc. A risk-based approach integrating privacy and safety concerns can help to highlight priorities and remediate these risks adequately. IoT security should not be the ultimate goal. Instead, it should be seen as a business-enabler, by securing critical functions, protecting valuable information and mitigating the risks associated to the IoT solution. WHAT INCENTIVES FOR IOT SECURITY? It is always difficult to justify an investment with no incentive. IoT security could benefit from several incentives to actionize the efforts. Among these incentives, regulation, safety and privacy are the main ones that apply to vendors and users across all verticals. Proposed incentives for IoT Security. REGULATION There is currently no specific IoT regulation. Yet, the usage and operation of IoT system needs to comply with existing regulations and other sectorial requirements. The objective of a regulation is to define obligations and clarify liabilities. While an IoT-specific regulation might be an inconvenience (with an impact on innovation, compliance), two regulations already apply to IoT: the GDPR and the NIS Directive. Regulation is an incentive as it defines the obligations and liabilities around security, and punitive actions around non-compliance. Both the GDPR and the NIS Directive define obligations around minimum security measures and reporting security and privacy breaches. The incentive to invest in security is double: limit the possibly to be subject to expensive fines and protect the reputation of the company by better dealing with a breach. The fear of regulation could also constitute another incentive to invest. Thus, the industry would demonstrate they can self-regulate for the greater good, limiting the need for regulatory obligations. 6

PRIVACY Most IoT business models rely on private data collection and sharing with little to no concern on privacy and security. Yet, customers are becoming more concerned about privacy. As several events have shown recently, privacy could impact revenues and trust. A privacy incident can kill a business. An incentive would be to secure users trust by integrating privacy-by-design and privacy-by-default into IoT systems. Privacy also becomes an incentive to comply with the GDPR. A privacy incident can kill a business SAFETY Safety protects the human from the machine against failure. Safety becomes an important parameter in cyber-physical systems, as they interact in the physical domain following decisions made in software. In IoT and Industrial IoT, safety-functions are managed by software and a vulnerable IoT system is potentially unsafe: a safety incident can kill. A safety incident can kill The concept of security for safety intends to secure these critical functions to limit their exposure to threats and that a cyber incident cannot impact safety. Moreover, the NIS Directive mandates operators of essential services to secure their critical assets which are usually safety-critical systems. CORPORATE STRATEGY A corporate strategy could integrate the importance of security for IoT, either because a business wants to mitigate the associated risks or as part of their social responsibility. For example, IoT security could benefit from measures defined in existing security policies (e.g. collaboration with external stakeholders, threat intelligence, etc.). BUSINESS OPPORTUNITY IoT security can be an opportunity for a business. In particular, manufacturers and vendors who want to limit the risk of having their brand tarnished by a vulnerable IoT product. Moreover, investing in security by design at the start of a project would limit operational expenditure, in particular after an incident. CONTRACTUAL REQUIREMENT Security requirements in contracts define the obligations of a supplier. These obligations could be very specific (e.g. specific level of encryption) or at higher level (e.g. incident handling). For IoT customers, these contractual requirements should ensure a security baseline for all third-parties. MARKET DIFFERENTIATOR The fact that IoT security is still at its infancy offers a chance to differentiate from the competition through security. Introducing IoT security would effectively give an attractive advantage to a solution, which would effectively be more secure than the competition. 7

FUTURE DEVELOPMENTS IoT security is a complex task that requires a holistic approach. While there is currently no standard, there is a need for a cross-sector baseline with minimum security measures. This baseline would promote security practices applicable to IoT systems, and include technical (over-the-air updates, key management, encryption, etc.) and non-technical elements (incident handling, information sharing, etc.). Additionally, sectorial guidelines would enhance this baseline with targeted security measures (e.g. focus on privacy and data integrity for healthcare, focus on resilience and integrity for transport, etc.). Awareness around IoT threats and associated risks is also key (a compromised IoT system could provide access to non-iot systems), as several vendors promote their IoT solutions as secure for multiple wrong reasons, which gives a false sense of security to their customers. Defining liabilities around IoT would definitely improve the current status. However, it is usually done through regulation, which might take time and not be adapted. To anticipate a potential future regulation, several vendors are leading by example and have started to invest in IoT security. There are several discussions and projects around an IoT trust label. Such a label could provide an interesting tool to 1) define key IoT security measures, 2) assess the implementation of IoT security against these measures, 3) enhance awareness around IoT security. To conclude, there is no definitive solution to ensure IoT is secure. The key message is to follow a holistic approach and invest in security where it can present benefits for vendors, customers and end-users: to protect privacy, to ensure safety, and become a business-enabler. 8

Cetome Your trusted security advisor Email: info@cetome.com Website: cetome.com All rights reserved - Cetome Limited 2018 - Registered in England and Wales (No: 11074299)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback