introduction of ccds · guideline wg iot vuln. r&d unit no1, no2 ccds secretariat office car...
Post on 03-Jul-2018
246 Views
Preview:
TRANSCRIPT
Copyright 2016 Connected Consumer Device Security Council Proprietary 1
Introduction of CCDS
- Toward Trustful IoT Life -
Connected Consumer Device Security Council (CCDS)
Tsukasa Ogino, Representative Director
Copyright 2016 Connected Consumer Device Security Council Proprietary 2
Contents
• Recognition of Current issues
• CCDS Overview
• CCDS R&D
• CCDS Security Guideline Development
• CCDS IoT Vulnerability Testing PF Development
• CCDS other activities
Copyright 2016 Connected Consumer Device Security Council Proprietary 3
ISSUE: Threats from Cooperated Devices
If even Single App is safe, but may be vulnerable in cooperated situation
3
AV, HomeAppliance Apps
OtherConsumerDevices
Energy, HEMSApps
ITS, VehicleApps Medical,
HealthcareApps
Server Cooperation
AppsCooperation
Intrusion via vulnerable app,Crack to cooperative app
A consumer device infected malware spread to other device and apps
Malware
Intrusion
Difference of security levelsbetween each apps domains
Copyright 2016 Connected Consumer Device Security Council Proprietary 4
Trust(safety and security)Level Difference
安心・安全
安心・安全
Domain AProduct
Domain CProduct
Domain BProduct
①Different Level of RequirementFor Safety and Security Level
by product domains
安心・安全
連携 連携
②Total Security Level will be leveled
at the lowest productWhen connected
Required or Demanding Level
Actual Product Level
Copyright 2016 Connected Consumer Device Security Council Proprietary 5
Value and Cost Balance
IoT service value
>Security
Protection Cost
Countermeasure
Also countermeasure by architecture and Usability
Quality
Keep Higher Quality
Function and Architecture
Cost Up by complex architecture
Comply Important Requirement
such as Safety
SafetyISO/IEC 61508 SIL 1~4
ISO 26262 ASIL QM, A~D, etc
SecurityISO/IEC 15408/CC EAL 1~7
FIPS 140-2 Level 1~4ETIS ITS/C2C-CC TAL 1~4, etc
Different Priority and Judgement levelProduct domain by domain
Copyright 2016 Connected Consumer Device Security Council Proprietary 6
CCDS Overview
• Name: General Incorporated Association: Connected Consumer Device Security Council
• Establishment: October 6, 2014
• Chairman: Hideyuki Tokuda (Professor of Keio University, Cabinet Security Advisor)
• Representative Director: Tsukasa Ogino (Specially Appointed Professor, Kyoto University)
• Managing Director: Kosuke Ito (Zero-one Laboratory)
• Directors: Atsuhiro Goto (Professor, Institute of Information Security, SIP: PD)Katsutoshi Hasegawa (President, eSOL Co., Ltd.)
Hiroyuki Hattori (President, Witz Co., Ltd.)
• Number of members: 129(Official members or higher: 43, General members: 62, Academic members: 14, Liaison members: 10)
• Main businesses:
1. Internal/external trend investigation on security in various field of life devices, and
interchange/cooperation with internal/external organizations
2. Development of security technology which satisfies safety and security of life devices
3. Development of security design process, development/preparation of verification method
guidelines and promotion of international standardization
4. Preparation/control of life device verification environment, verification business and human
resource development on security, public relations/dissemination activity, etc.
Copyright 2016 Connected Consumer Device Security Council Proprietary 7
SCOPE:
AV Network Medical/HealthcareNetwork
Home Gateway
HEMS Network
Power, Utility
HomeAppliance
EV/HV
SmartMeter
PV
HEMSConsole
WearableDevices
Healthcareserver
Care Robots
ITS&Vechile Safety
Telematics, Eco,Drive Recorder, etc.
New Services
AfterDevices
ECU
V2X Communication
PotableDevices
Road SideUNIT
Automated Driving
4K・8KContents
HomeServer
HEMScompany
ContentsProvider
Medical, Healthcare
Cloud
Vehicle andTraffic Control
Convenienceお弁当セール
Public AreaDevices
ATM Remote Monitor/ Maintenance
Office AreaNetwork
MFPMedical, Healthcare
Devices
BatteryNetwork
Appliance
Embedded/IoT/M2M in general, Connected Consumer Deviceswhich are not operated (monitored and controlled) by professionals
Copyright 2016 Connected Consumer Device Security Council Proprietary 8
R&D Center
Review Committee
IoT Security Guideline WG
IoT Vuln. R&D UnitNo1, No2
CCDSSecretariat Office
CarSub WG
ATMSub WG
POSSub WG
Home NWSub WG
Vulnerability Testing Center
Car-A: Vuln. Testing Tool for Com Unit (Navigation)
ATM: ①Tool for ATM,②Tool for USB Test PF
POS: Vuln. Testing tool for Open POS (Tablet type)
Home GW: Vuln. Testing Tool for Home NW Devices
Car-B: Vuln. Testing Tool for Body control ECUs
Platform for Vuln. Testing operation for IoT system
Administration
CCDS Organization
Usability WGSecurity
Tech. WG
Device Security
TechnologyWG
Copyright 2016 Connected Consumer Device Security Council Proprietary 9
R&D Units activities
• Unit 1 (stationed in Okinawa):
– Unit Leader: Dr. Inoue, Assoc. Prof. of Hiroshima City Univ.
– R&D in Car Hacking (CAN) hacking, USB Hacking, Feedback fuzz
data processing function on fuzzing tool, etc.
• Unit 2:
– Unit Leader: Dr. Ogino, Kyoto Univ.
– R&D in Home GW vulnerability research, Auto Vulnerability
checker for Android apps, etc.
Copyright 2016 Connected Consumer Device Security Council Proprietary 10
Cyber Security Policy for Vitalizing Society and its sustainable development by NISC
出典:NISC:サイバーセキュリティ戦略(案)より
Security By Design (SBD)System Design with Security Consideration from planning and design stage
Preparation of the general guidelinesto affect security on IoT system
Enforcement of the technology development and proof trialin consideration of the characteristic (long life cycle, limit of the processing capacity) of the IoT system, importance of the hardware genuine nature
Copyright 2016 Connected Consumer Device Security Council Proprietary 11
CCDS External Cooperation
IoT Security Guideline Dev.
IoT Vuln. Evaluation PF Dev.
・Design Process Guide = Security by Design・Security Testing Guide ->International Std.
toward the safe and secure IoT service/product development!
・Vulnerability Testing Tool Development・Testing Scenario DevelopmentDeveloping the Security Testing Platform
WG on the Development Guideline for the Smart-society
Copyright 2016 Connected Consumer Device Security Council Proprietary 12
PLAN: Security Development Guideline Definition
EmbeddedDomain
Cyber System Domain
V2X, Probe
Remote Access,Control
for Automated Drv.
Vehiclecommon part
Health Data
Wearable Comm.
HealthcareDevices
common part
Remote Access,Control
HEMS Cooperation
Home Appliance
common part
Public Space Devices(ATM, etc.)
EmbeddedSystems
common part(Base) Cooperated
Servicescommon part
Arrange basicitems for
embed devices
Discuss Integratedsituation includes
cyber space
Office Devices (MFP, etc.)
Arrange each common partAs a beginning,
Discuss for each Apps
Security Development Guideline
Per Domains Common
Copyright 2016 Connected Consumer Device Security Council Proprietary 13
CCDS life device security guideline for each field v1.0
Since threats for each product field vary,
security actions are summarized in view
of each field based on IPA "Development
guideline of connecting world" to easily
disseminate the security-by-design
concept in the industry.
Purpose
Target field
Onboard unit
IoT gateway
Major contents of guideline
・ Target system configuration
・ Anticipated security threat
・ Security action in each phase of product
life cycle
(Relationship with IPA "Development
guideline of connecting world")
・Threat analysis/risk evaluation method
・ 3rd party security evaluation for entire
product and security measure functionFinancial terminal(ATM)
Accounting terminal(POS)
Onboard system configuration POS system configurationATM system configurationIoT-GW: Home GW case
English Version are coming soon!
Copyright 2016 Connected Consumer Device Security Council Proprietary 14
Position of guideline for each CCDS field (private opinion)
CCDS
Onboard
unit
CCDS
IoT-GW
CCDS
ATM
CCDS
Open
POS
IoT security
guideline
IoT Promotion
Consortium
MIC and METI
IoT service
provider
IoT platform
/network
provider
IoT system
vendor
IoT security
general
framework
NISC
Safe and secure IoT system development guideline
which can be used across product fields
(checklist)
Specific threat or risk point in view
of each product field
Summary of security review points
from design stageCooperation
for
industry
deployment
Security guideline for all layers of IoT service
relevant persons
Cyber security
strategy
NISCClarification of general basic requirements related to
design, building and operation of the IoT system
International deployment
of Japanese idea
Proposal of IoT system
development by Security-by-
design concept
Re
fer to
revie
w fo
r
co
op
era
tion
.
Proposal
Reference
Development
guideline of
connecting
world
Copyright 2016 Connected Consumer Device Security Council Proprietary 15
Founding the 3rd Party Security V&V Evaluation Center
Okinawa Pref.
CCDS重要生活機器連携セキュリティ協議会
IoT Vuln. Testing Ctr. R&D Center
IoT Security Guideline
Development WG
Testing
Tool Dev.
Testing DB
Dev. & Ope
Vuln.
Evaluation
Platform
Testing
Process Dev.
Trial Testing(Training)
3rd Party
Testing
Service
IPA
Venders in Okinawa
Automotives
Home
Financial Terminals
ATM/POS
Evaluation Testing
Platform System
On-Board Head Units, Body Control ECUs
Home GW, IoT GWfor sensor network
ATM/POS
IoT Evaluation Test ScenarioAnd Test result Integration
Participants from Major Brands
Certification
Authority
(Future)
FY2015~FY2017
Working Group on
Development Guideline
for Smart-Society
3rd Party Security
V&V Evaluation Ctr
(Future)
V&V: Verification and ValidationVuln: Vulnerability
Copyright 2016 Connected Consumer Device Security Council Proprietary 16
CCDS IoT Vulnerability Testing Units
BBTower
Omron SW
JVC Kenwood
Hitachi Omron
IoT Vuln. Testing Platform System
Automotives
Home HITACHI
ATM
POS(Point of Sales)
Witz
Review Committee
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Copyright 2016 Connected Consumer Device Security Council Proprietary 17
Other CCDS activities
• Usability WG
– Objective: Discussing UI design as a part of security
countermeasures to keep the IoT devices in secured
• Collaboration with HCD-net(人間中心設計推進機構)
– Leader: Ueyes’ Design
– Kicked off in Aug., 2016., participating about 20 members
• Device Security Technology SWG
– Objective:
• Building comprehensive security countermeasure technologies MAP
(categorizing) for IoT devices
• Envisioning to develop the Implementation Guideline for IoT
security countermeasures in future
– Leader: SELTECH, Deputy Leader: DNP (Dai-Nippon-Printing)
– Kicked off in Jun., 2016., participating about 35 members
top related