Brian Russell, Chair Secure IoT WG & Chief Engineer Cyber Security Solutions, Leidos

Transcription:

Brian Russell, Chair Secure IoT WG & Chief Engineer Cyber Security Solutions, Leidos Cloud Security Alliance, 2015

Agenda
1. Defining the IoT
2. New Challenges introduced by the IoT
3. IoT Privacy Threats
4. Some IoT Use Cases

Defining the IoT
Let's look at how ITU-T Y.2060 defines the IoT:
- IoT: a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.
- Device: a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing.
- Thing: an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks.
Source: ITU-T Y.2060
The IoT enables the collection of data using sensors that can be deployed or embedded just about anywhere.

New Challenges Introduced by the IoT
- Increased privacy concerns that are often confusing
  - Sale of data to third parties
  - How to assure the privacy of those that haven't opted in?
- Platform security limitations that make basic security controls challenging (e.g., software-based security modules)
  - How secure is the data resident on these devices?
- Ubiquitous mobility that makes tracking and asset management a challenge
  - Can these devices be stolen and reverse-engineered? Exposes key material
- Mass quantities that make routine update and maintenance operations a challenge
  - If they are not updated, how long before data can be compromised?
- Cloud-based operations that make perimeter security less effective
Privacy concerns are also based on the challenges associated with keeping information secure within the IoT.

IoT Privacy Threat Discussion

IoT Privacy Threats
- Unanticipated leakage of personal or sensitive information can occur by aggregating data from many different systems and sensors, or the merging of personal data that has been collected under differing consumer privacy preferences and expectations.
  - Consider merging records obtained from two separate systems
- Unauthorized tracking of people's locations can occur through usage pattern tracking based on asset usage time and duration.
  - Technology tied to your car (e.g., usage monitoring)?
- Unauthorized tracking of people's behaviors and activities can occur through examination of location-based sensing data that exposes patterns and allows analysis of activities, often collected without explicit notice to the individual.
  - Consider sensors spread throughout a city

IoT Privacy Threats
- Unlawful surveillance through persistent remote monitoring capabilities offered by small-scale IoT devices
  - Who's watching you?
- Inappropriate profiles and categorizations of individuals can be created through examination of network and geographic tracking
- Malicious parties can steal identities and money based on leakage of sensitive information
How do we handle a ubiquitous monitoring society where communications and surveillance capabilities can be embedded in anything?

IoT Use Case Discussion

Some IoT Use Cases
- A physician establishes a communication session with a smart home/home monitor.
  - Are medical data transferred securely?
  - Is the home monitoring equipment sufficiently secured against unauthorized access?
- A patient's blood donation is handled by an online analyzer.
  - Is the tracking number for the donor protected?
  - Will the patient be notified directly of any finding? What are the trust mechanisms?
  - Will the patient's pharmacy or doctor be messaged on any particular finding?
  - Will any other organizations be notified?
- In an emergency, multiple first responders are dispatched.
  - Is medical data transferred securely to the correct ambulance?
  - Can responders communicate patient data securely?
  - Is security, trust and privacy managed by multiple trust chains that offer the same level of assurance?
  - Are patient records purged after the patient has been dispatched?

Some IoT Use Cases
- Two major companies that collect consumer data are merging together.
  - How do the companies ensure that aggregation of consumer data does not allow for profiles of individuals inconsistent with original consent?
  - What happens when siloed data stores are aggregated together?
- Vehicle owners opt in to electronic marketing campaigns that provide targeted advertisements while driving through locations.
  - Is the data sold to third parties?
  - Can law enforcement gain access to this data for investigative purposes?

Technology solutions can help solve a part of the problem
Vehicle-to-Vehicle (V2V) PKI
- Extends the traditional PKI architecture to add privacy-enhancing features
- Adds various components to the PKI that will issue billions of certificates to vehicles
  - Location Obscurer Proxy
  - Pseudonym CA
  - Linkage Authority
- Supports the provision of certificates with lifetimes that may be as short as 5 minutes
- The goal is to ensure that no one (even the PKI) can correlate a vehicle to a PKI certificate
- Mitigates the ability for anyone to track your location or past activities via your certificate
Courtesy Federalregistry.org


Backups
Recommended IoT Security Controls

IoT Security Controls
Required IoT security controls span the device itself as well as the environment that the device operates within.

IoT Security Controls
1. Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment
2. Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System
3. Implement layered security protections to defend IoT assets
4. Implement data protection best-practices to protect sensitive information
5. Define lifecycle controls for IoT devices
6. Define and implement an authentication/authorization framework for the organization's IoT Deployments
7. Define and implement a logging/audit framework for the organization's IoT ecosystem

Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment
- Important to consider the potential privacy ramifications to all stakeholders prior to putting the system into an operational state.
- Analysis should be undertaken to understand the indirect privacy ramifications of the various IoT component operations.
- Examine privacy of data-in-aggregate vs. privacy of the data collected by a single system to identify potentially serious privacy concerns.
- Companies should reevaluate their personal data breach notification program to cover the aspects related to IoT.
- In the case of the IoT, it is critically important that trade-offs between functionality, security and privacy be made early on in the design process in order to ensure that all objectives are met equally.
- Stakeholders should be made aware of when data is provided to third parties, the controls used to secure it, and how and when the data is disposed of.

Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment (continued)
- If it is found that a device collects, processes or stores Privacy Protected Information (PPI), more stringent controls will be required.
- These controls should be a mix of policy-based and technical. For example:
  - Provisioning of the device may require more administrative approvals
  - A review by Internal Audit or Compliance should be conducted to determine if it is viable to have PPI data on IoT devices
  - Data stored on the device should be encrypted using sufficiently strong cryptographic algorithms
  - Data transmitted from/to the device should be encrypted using sufficiently strong cryptographic algorithms
  - Access to the device, both physical and logical, should be restricted to authorized personnel
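
An added example (not from the original slides) of the data-in-aggregate review recommended above: it measures k-anonymity for two systems separately and again after their records are merged, and lists the accounts that fall below the threshold. The record fields, the sample data and the threshold `k_required` are constructed assumptions.

```python
from collections import Counter

# Constructed sample records, not real data. Each system alone looks coarse.
TELEMATICS = [  # system A: account, home ZIP, driver age band
    {"account": "A1", "zip": "20190", "age_band": "40-49"},
    {"account": "A2", "zip": "20190", "age_band": "40-49"},
    {"account": "A3", "zip": "20171", "age_band": "30-39"},
    {"account": "A4", "zip": "20171", "age_band": "30-39"},
    {"account": "A5", "zip": "20190", "age_band": "40-49"},
    {"account": "A6", "zip": "20171", "age_band": "30-39"},
]
HOME_SENSOR = [  # system B: account, hour the home is usually vacated
    {"account": "A1", "leave_hour": 7},
    {"account": "A2", "leave_hour": 9},
    {"account": "A3", "leave_hour": 7},
    {"account": "A4", "leave_hour": 9},
    {"account": "A5", "leave_hour": 7},
    {"account": "A6", "leave_hour": 9},
]

def group_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size; k=1 means at least one record is unique."""
    return min(group_sizes(records, quasi_ids).values(), default=0)

def merge_on(a, b, key):
    """Inner join of two record lists on a shared key."""
    index = {r[key]: r for r in b}
    return [{**r, **index[r[key]]} for r in a if r[key] in index]

def aggregation_report(a, b, key, qi_a, qi_b, k_required):
    """Compare per-system k with the k of the merged data set."""
    merged = merge_on(a, b, key)
    qi_all = list(qi_a) + list(qi_b)
    sizes = group_sizes(merged, qi_all)
    below = sorted(r[key] for r in merged
                   if sizes[tuple(r[q] for q in qi_all)] < k_required)
    return {"k_a": k_anonymity(a, qi_a), "k_b": k_anonymity(b, qi_b),
            "k_merged": min(sizes.values(), default=0),
            "below_k": below, "ok_to_merge": not below}

REPORT = aggregation_report(TELEMATICS, HOME_SENSOR, "account",
                            ["zip", "age_band"], ["leave_hour"], k_required=2)
if __name__ == "__main__":
    print(REPORT)
```

Each system has groups of three on its own, but the merged data leaves two accounts unique, which is the aggregate-only exposure the review is meant to catch before data stores are combined.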