Beijing - Remarks to Web of Things security - Frank Reusch
TRANSCRIPT
7/12/2016
Remarks to Web of Things security
Frank Alexander Reusch, Lemonbeat GmbH
F2F Meeting W3C, Web of Things, 12th July 2016, Beijing, Beihang University
New…
• Microprocessors with more power and memory for constrained devices
• Customer boards (new design or redesign)
• Field devices with new functions
• Networks with autonomous communication
• Batteries as today or smaller, with increasing capacity
• Integration hubs on top that include multiple protocols
• Physical communications (e.g. IEEE 802.11ah)
• Areas of knowledge for developers
• Fields for customer training (new products are more complex and therefore need explanation)
• Need for awareness within industry and product design regarding what technology can do
• Market players and cooperations
• Standards and real interoperability
Altogether. Over years.
IoT is a turning point in history
This period is marked by a variety of linked activities with a high degree of novelty.
13.07.2016 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 3
Web of Things
Internet of Things, World Wide Web
Application areas: Industry, Building Automation, Smart Energy, Smart Cities, Mobility, Local Health, Environment, Agriculture, Smart Garden, Smart Home, Public Safety, Logistics
Standards prevent wild ad hoc development. Isolated silos are coming to an end. Based on standards, everyone can focus on good customer solutions. Combining the success strategies of the Web with the IoT opens up a lot of new opportunities. Increasing complexity means a higher security risk.
W3C gives IoT a structure. The prerequisite for enormous growth is fulfilled.
Definitions
Everybody talks about security. But sometimes different terms are mixed.
Security
• Protection of an object against external influences
• “protection of a person, building, organization, or country against threats such as crime or attacks by foreign countries, …” (Cambridge.org/dictionary)
• “things done to make people or places safe” (Merriam-Webster)
Examples:
• Protection of data against access
• Protection of a network against unauthorized access
Safety
• Protection against an object (for example, protection against failures)
• “protected, or free from danger etc.”; “providing good protection” (Cambridge.org)
Examples:
• Protection of a person against failures or functional disorder of a device (e.g. local health)
Privacy
• “the quality or state of being apart from company or observation” or “freedom from unauthorized intrusion”; “the state of being alone” or “the state of being away from public attention” (Merriam-Webster)
That's a challenge:
• New services require the provision of private information (position / current whereabouts, financial data etc.)
Interdependencies and the triangle of conflicting priorities
Figure: two triangles of conflicting priorities
• Security, Safety, Privacy
• Cost, Quality, Time
What is blocking the enhancement of current security levels in the IoT?
• Lack of expertise (21 %)
• Budget constraints (19 %)
• Upper management buy-in (17 %)
• Lack of knowledge about advanced security processes and technology (15 %)
• Competing priorities (10 %)
• Organizational culture / attitude about security (10 %)
Source: IoT Analytics – Research and Survey results; Security of Things World Conference, Berlin, June 2016
TODAY: CONVENTIONAL BUILDING AUTOMATION INFRASTRUCTURE
• Constrained budget, conflicting aims
• Unrealistic timelines
• Expensive, inefficient, inflexible, not secure
FUTURE: BUILDING AUTOMATION INFRASTRUCTURE
• Qualified people
• Budget that meets the requirements
• Ambitious but realistic goals
• Efficient, interoperable, integrated, supplier independent, cheap, secure
Lemonbeat technology in the field of building automation – potential architecture
Autonomous device network without central control. Internet access is not mandatory.
A mix of old and new technologies increases the effort required for security.
Figure: potential architecture
• Cloud / Platform (“collect, store, analyze data to provide operational efficiency”)
• Lemonbeat via radio, Ethernet etc. (direct communication to the management level); traditional communication with various protocols
• Multiple vendors; different types / functions / protocols of devices
• Primary equipment (heating, cooling, …) with a long lifecycle
• Connector (without intelligence, low cost), linked via radio and Ethernet
• Controller heating: e.g. redesign of the control board
• Integration platform
Transformation of building automation / complexity of intermediate steps to real WoT
How is IoT security different from traditional system security?
• Higher system complexity (49 %)
• Distributed security across the network (49 %)
• A novel hardware / software integration (44 %)
• New software architecture (18 %)
Source: IoT Analytics
Why are additional measures in the security of IoT necessary?
The traditional scope of IT security is not sufficient for the IoT.
Field level increases the potential attack surfaces (examples)
Figure: enterprise levels (Purchasing, Production, CRM, R&D; Big Data; Social Network; Predictive Analytics / Preventive Analytics) connected to field devices via connectors, radio and Ethernet, with example attacks at each level:
• Impostor e-mail / CEO fraud / Business Email Compromise (BEC)
• Read data from memory
• 1. Access to customer data, 2. auto-reload function, 3. authorized password change
• Denial of Service
• Man-in-the-Middle attack
• Sniffer / Replay
• Stealing a dongle (read key)
• 1. Buffer overflow, 2. linking return address to malware
• Access after brute-force attack
Most known security breaches
Who is responsible in security?
Here's the answer of participants of a security conference:
Source: IoT Analytics
Who holds responsibility will differ. If the company is a
• Device manufacturer, OEM:
  • Product Manager
  • CTO
  • For partial activities, everyone is responsible
• Customer in the area of B2B:
  • Process owner
  • Department which is responsible for a use case
  • For partial activities, everyone is responsible
Security is the result of many diverse activities in the value chain
Many stages in the value chain are involved in ensuring this. Each involved person is responsible for their own part. This includes a look to the left and to the right side. Their task area is defined, and cooperation with others is matched (adoption). The result is a chain of tasks and responsibilities. The end customer receives 100% quality when all people in the chain do their job properly (TQM).
Figure: value chain / company processes and results
• Value chain: Chip manufacturer, Device manufacturer, Automobile manufacturer; Partner; OEM (e.g. chips); Device manufacturer / System integrator; Software developer; Other vendors; Universities / Research institutes
• Development models: Waterfall, Agile, Guidelines
• Product process: Requirements, Design, Prototyping, Review, Optimization, Series production, Continuous improvement
• Company process: Policy, Demand, Concept, Training, Review, Continuous improvement
• Program management over Software, Hardware, Knowledge; Build / Test automation
• Lifecycle: Requirements, Design, Development, Testing, Implementation, Maintenance
• Organisation: Plan, Goals, Collaboration, Identity, Mission, Coaching
Security is a result of some complex activities
How much security is needed?
Not every use case is critical, and not in each critical use case are all aspects critical.
Is a similar approach to "risk based testing" feasible? How can a "risk based security" work? Is a multistage approach feasible?
• Step 1: Basic security
• Step 2: Criticality-based security design
The following objectives might be important:
1. Prevention
2. Deterrence
3. Automatism in case of attack
Exemplary rating
Use case            | Security | Safety | Privacy
Building Automation | 1        | 2      | 2
Smart Energy        | 1        | 1      | 3
Local Health        | 1        | 1      | 1
Smart Home          | 1        | 2      | 1
Current activities of the world leading organisations (no claim to completeness)
W3C:
• Web Authentication Working Group
• Web Application Security
• Web Cryptography Working Group
• Web Payments
• Web Security Interest Group
• Privacy Interest Group
• Technical Architecture Group
• Web of Things (WoT)
• XML Security
• Hardware Based Secure Service Community Group and others
IEEE:
• Industry Connections Security Group
• IEEE Std 1686-2013 Standard for Intelligent Electronic Devices (IED) Cyber Security Capabil.
• Technical Committee on Security and Privacy
• Malware Working Group
• IEEE Anti-Malware Support Service (AMSS), Malware MetaData Exchange Format (MMDEF) Working Group
• IEEE Std 1363.1-2008 Standard Specification for Public-Key Cryptographic Techniques
• IEEE Std 1363.3-2013 Standard for Identity-Based Cryptographic Techniques
• IEEE Std 2600-2008 Standard for … Hardcopy Device and System Security
• IEEE Std 1667-2015 Standard for Discovery, Authentication, and Authorization in Host Attachments of Storage Devices
• Decentralized regulations, e.g. 802.11ah, …
IETF:
• DNS-based Authentication of Named Entities
• IP Security Maintenance and Extensions
• Transport Layer Security
• Secure Inter-Domain Routing
• Javascript Object Signing and Encryption
• Keying and Authentication for Routing Protocols
• Open Authentication
• Web Security
• Securing Neighbor Discovery
NIST:
• Advanced Encryption Standard, e.g. AES 128
• NIST Interagency Report (NISTIR) 7977
ISO/IEC:
• ISO/IEC 27001
• ISO/IEC 19790:2012 Security requirements for cryptographic modules
GSMA: GSMA IoT Security Guidelines
ETSI: ETSI TR 103 306: Global Cyber Security Ecosystem
ENISA: e.g. Critical Infrastructure and Services
IoT Security Foundation: “promote knowledge and clear best practice”
Knowledge is an important driver for IoT Security
Current situation:
• There are a variety of documents, guidelines and best practices relating to security.
• The know-how is distributed and at first glance very intransparent.
• The level of knowledge of each developer varies greatly.
One suggestion:
• One centrally hosted library with all necessary knowledge regarding IoT Security (“The living wall”),
• with structured links to original sources and connected areas.
• Free access for all developers.
• True to the meaning of open source: constant adaptation and enlargement.
Thank you!