[NEC Group Internal Use Only] IoT Security. - Challenges & Standardization status. Sivabalan Arumugam.

Similar documents
Brian Russell, Chair Secure IoT WG & Chief Engineer Cyber Security Solutions, Leidos

IoT & SCADA Cyber Security Services

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Internet of Things Security standards

Control System Security for Social Infrastructure

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

ISAO SO Product Outline

An Overview of ISO/IEC family of Information Security Management System Standards

Security Management Models And Practices Feb 5, 2008

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

National Institute of Standards and Technology

The NIST Cybersecurity Framework

Secure Technology Alliance Response: NIST IoT Security and Privacy Risk Considerations Questions

Trust Services for Electronic Transactions

DIGITIZING INDUSTRY, ICT STANDARDS TO

Framework for Improving Critical Infrastructure Cybersecurity

NIS Standardisation ENISA view

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Device Discovery for Vulnerability Assessment: Automating the Handoff

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Cloud Security Alliance Quantum-safe Security Working Group

Mapping BeyondTrust Solutions to

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Timing in Cyber Physical Systems. Marc Weiss, Ph.D. NIST, Time and Frequency Division WSTS 2015

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Recommendations for Implementing an Information Security Framework for Life Science Organizations

National Institute of Information and Communications Technology. Cybersecurity Laboratory Security Fundamentals Laboratory Planning Office

Strong Security Elements for IoT Manufacturing

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

Innovation policy for Industry 4.0

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

SC27 WG4 Mission. Security controls and services

The Honest Advantage

Cloud Security Standards Supplier Survey. Version 1

The NIS Directive and Cybersecurity in

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

6 CONCLUSION AND RECOMMENDATION

John Snare Chair Standards Australia Committee IT/12/4

MASP Chapter on Safety and Security

Accelerate Your Enterprise Private Cloud Initiative

TEL2813/IS2820 Security Management

Disaster Management and Security Solutions to Usher in the IoT Era

Hitachi s Social Infrastructure Defenses for Safety and Security through Collaborative Creation with Customers

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Introducing Cyber Observer

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Why you should adopt the NIST Cybersecurity Framework

Measurement Challenges and Opportunities for Developing Smart Grid Testbeds

NCSF Foundation Certification

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Featured Articles II Security Research and Development Research and Development of Advanced Security Technology

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Cybersecurity Auditing in an Unsecure World

SECURITY & PRIVACY DOCUMENTATION

The Cyber War on Small Business

Managing SaaS risks for cloud customers

Security and Privacy Governance Program Guidelines

Development of Information Security-Focused Incident Prevention Measures for Critical Information Infrastructure in Japan

standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in

Featured Articles II Security Platforms Hitachi s Security Solution Platforms for Social Infrastructure

Effective Strategies for Managing Cybersecurity Risks

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Building a Resilient Security Posture for Effective Breach Prevention

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Internet of Things Toolkit for Small and Medium Businesses

OVERVIEW OF ETSI IoT ACTIVITIES

NSF Transition to Practice Challenges. Anita Nikolich National Science Foundation Program Director, Advanced Cyberinfrastructure November, 2015

General Framework for Secure IoT Systems

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Information Security Management Systems Standards ISO/IEC Global Opportunity for the Business Community

Towards a European Cloud Computing Strategy

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

Security Models for Cloud

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Checklist: Credit Union Information Security and Privacy Policies

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

MIS Week 9 Host Hardening

IIC World Tour - Turin: Security Working Group Briefing. Nisarg Desai Product Manager, GlobalSign

About the NGMN Alliance - Status and 5G Work-Programme. Klaus Moschner 27 th April 2016 GSC Delhi Delhi, India

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

Gujarat Forensic Sciences University

How to ensure control and security when moving to SaaS/cloud applications

In Accountable IoT We Trust

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

CTIA Cybersecurity Certification Test Plan for IoT Devices

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Introduction of the Industrial Internet Consortium. May 2016

MEETING ISO STANDARDS

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012

Deliver Data Protection Services that Boost Revenues and Margins

Transcription:

[NEC Group Internal Use Only] IoT Security - Challenges & Standardization status Sivabalan Arumugam <sivabalan.arumugam@necindia.in>

Outline IoT Security Overview IoT Security Challenges IoT related Threats Elements of a Protection Architecture for IoT IoT Security Standards IoT Security Standards at each Layers IoT Security Life Cycle Summary 2 NEC Corporation 2015 NEC Group Internal Use Only

IoT Security Overview 3 NEC Corporation 2015 NEC Group Internal Use Only

IOT Security Challenges(1/2) Poorly designed and implemented IoT system, using diverse protocols and technologies that create complex configurations. Lack of maturity (eg: business processes, technologies). Limited guidance for lifecycle maintenance and management of IoT devices. Unique physical security concerns. Privacy concerns are complex and not always readily evident. Limited best practices available for IoT developers. 4 NEC Corporation 2015 NEC Group Internal Use Only

IOT Security Challenges(2/2) Lack of standards for authentication and authorization. No best practices for IoT based incident response activities. Audit and Logging standards are not defined for IoT components. Restricted interfaces available to interact IoT devices with security devices and applications. No focus yet on identifying methods for achieving situational awareness of the security posture. Security standards for platform configurations involving virtualized IoT platforms supporting multitenancy is immature. 5 NEC Corporation 2015 NEC Group Internal Use Only

IOT Threats(1/2) Control systems, vehicles, and human body can be accessed & manipulated causing injury or worse. Health care providers can improperly diagnose and treat patients. Loss of vehicle control Safety-critical information such as warnings of a broken gas line can go unnoticed Critical infrastructure damage can occur Malicious parties can steal identities and money Unanticipated leakage of personal or sensitive information can occur Unauthorized tracking of people s location behaviors and activities 6 NEC Corporation 2015 NEC Group Internal Use Only

IOT Threats(2/2) Unlawful surveillance Inappropriate profiles and categorizations of individuals can be created Manipulation of financial transactions Vandalism, theft or destruction of IoT assets Ability to gain unauthorized access to IoT edge devices and Enterprise network Ability to create botnets Ability to impersonate IoT devices Unknown fielding of compromised devices 7 NEC Corporation 2015 NEC Group Internal Use Only

Elements of a Protection Architecture for IoT 8 NEC Corporation 2015 NEC Group Internal Use Only

IoT Security Standards An unfortunate characteristic of the current state of the IoT is the lack of standardization across all aspects of the IoT. But still some standards exists such as onem2m 3GPP-MTC IEC/TC65, IEC-MSB NIST NISC IoT Acceleration Consortium CSA 9 NEC Corporation 2015 NEC Group Internal Use Only

onem2m Release1: Released global standards (specification) for deployment in Feb 2015 Basic framework for authentication and authorization Release 2 Interworking framework across IoT protocols including OMA, OIC and ASA New Security functions End-to End Security Group authentication Dynamic authorization Release 2 planned for delivery in autumn 2016 10 NEC Corporation 2015 NEC Group Internal Use Only

3GPP-MTC 3GPP-MTC specifies the architecture and API to better facilitate machine type communications. Resulting from Short packets Large number of nodes Need to support highly energy efficient protocols SA WG3 discusses possible security requirements and the possible solutions including secure connection and triggering security. Release 13 discuss about the Light weight authentication process to achieve battery efficiency. Group message protection Location management Security for service capability exposure interface Release 13 is planned to be fixed in autumn 2016. 11 NEC Corporation 2015 NEC Group Internal Use Only

IEC/TC65 IEC/TC65 focuses on industrial-process measurement, control and automation. TC65 covers the specific requirements for security in Industrial automation such as Organisation Process Systems Systems components ISA introduces cybersecurity certificate programs based on IEC62443. Currently IEC discuss about next generation technologies to achieve safe and secure factory operations. IEC develops the white papers relating to smart factory/iot. 12 NEC Corporation 2015 NEC Group Internal Use Only

NIST (National Institute of Standards and Technology) NIST is a unit of the U.S. Commerce Department. NIST specifies and publishes security-related documents, SP800/FPS. Used as guidelines for enforcement of security rules and as legal references NIST holds open competitions of cryptography primitives. Accepted algorithms are widely used as industry standards. Cloud System research laboratories submit their authenticated encryption technology to the competition funded by NIST. 13 NEC Corporation 2015 NEC Group Internal Use Only

NISC (National center of Incident readiness and strategy for Cybersecurity) NISC was established as part of the Cabinet Secretariat to form security policy strategies in Japan Goal: To protect the information security of government organisations while improving the overall level of information security in Japan. NISC develops draft government standards for information security measures. To perform evaluation based on the draft standards, formulate recommendations based on the evaluation results and promotes responses to the recommendations. METI and NISC plan to specify the Cyber-Security management Guidelines for certification program on ISMS certificate in 2015 14 NEC Corporation 2015 NEC Group Internal Use Only

IoT Acceleration Consortium Aims to combine the strengths of Government Industry Academia It build a structure for developing and demonstrating technologies related to the promotion of IoT, as well as creating and facilitating new business mode. The Security WG is planned to establish to determine the security policy. 15 NEC Corporation 2015 NEC Group Internal Use Only

CSA(Cloud Security Alliance) It promotes the use of best practices for providing security assurance within Cloud Computing. CSA develops the security guidance document to be broad catalog of best practices. It operates the popular cloud security provider certification program. CSA has launched new security guidance for early adopters of the IoT in April 2015. It describes about the security controls. key challenges and recommended IoT 16 NEC Corporation 2015 NEC Group Internal Use Only

Recommended Security Controls by CSA 17 NEC Corporation 2015 NEC Group Internal Use Only

IIC(Industrial Internet Consortium) IIC is formed to enable and accelerate creation of the Industrial Internet. Not a standard organisation but evaluates existing standards and specifies security and privacy framework based on the open architecture. It prepares testbeds to drive new products, processes and services and supports to create ecosystem for new business. The Security Working Group defines a security and privacy framework to be applied to technology adopted by the IIC. The framework will establish best practices and to be used to identify security gaps in existing technology. IIC released Security Framework draft in Oct.2015. 18 NEC Corporation 2015 NEC Group Internal Use Only

IoT Security Standards at each Layers 19 NEC Corporation 2015 NEC Group Internal Use Only

IoT Security Life Cycle 20 NEC Corporation 2015 NEC Group Internal Use Only

Summary There many IoT related open security challenges exist Since IoT is multi-application/service environments Unified security approach need to be arrived Security need to be considered from the design phase IoT Security Life cycle need to be in-place to identify & mitigate the existing and new security Collective standardisation effort among different SDOs will make Secure IoT implementation 21 NEC Corporation 2015 NEC Group Internal Use Only

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback