Category Archives: IoT

Meeting Report – ISO/IEC SC27 Gjovik, Norway

We just wrapped up another week of ISO meetings for SC 27 this past week in Gjovik, Norway. A few updates to share:

  1. We are making progress on ISO 27030 Security and Privacy for IoT. We just completed our WD1 review that focused mainly on structure but also had some privacy inputs from experts from Singapore and India. Our Japanese experts did identify many new controls to be added including the request that we need to ensure that our control format needs needs to align to 27002.
  2. Our next stage is WD2 and we are hoping the experts continue to provide more content to build out a strong version of the document for one more WD version.
    Based on suggestions from the vendors in attendance, it seems that vendors want a checklist of a few items that would indicate that their device is secure. While this might help the vendor community it is not the right approach as cyber security consists of many moving parts that includes how a company operates and the product they product, not just a device in the IoT context.
  3. From a privacy front, it seems that GDPR caused quite the impact on the vendor community. As a result many of bigger names have grouped together to write a proposal for a standard for data privacy where the vendor would own the data not the user. This will include a clause that allows this standard to supersede any local or global regulations. While just a discussion it does represent a very concerning perspective for governments who are fighting to protect citizen data.
  4. Finally, it seems that there is a theme from large cloud service providers to want to remove any requirements in ISO standards. This started in SC38 which has no should or shalls, it is all maybe’s and could be on a good day if your lucky. If your cloud service provider claims conformance to these standards it is sham. Make sure you investigate the claims of any vendor and what they have really implemented from a security and privacy controls. As usual it is a case of buyer beware when purchasing services even from the big guys.

It was good to see so many experts from different national bodies and liaison organizations in attendance to the IoT meetings and sessions. Standards Norway did a great job of hosting and Gjovik and the surrounding region are really beautiful at this time of the year. Hope to get back and visit more of this country and their friendly citizens.

Facebooktwittergoogle_plusredditpinterestlinkedin
airplane taking off

Mayday: The Call for Cybersecurity Reform in Aviation

If the first big cybersecurity breach of 2018 has taught us anything, it’s that even multinational tech companies need help navigating the realm of cybersecurity. Intel knew about Spectre and Meltdown since June of 2017 and eight months of inactivity is not sufficient post-breach protocol.

If the tech industry is struggling to grasp cybersecurity’s severity, what does this mean for other industries? As tech and financial institutions recognize the importance of cybersecurity, other industries need to address the digital elephant in the room.

If we think about the most vulnerable industries to cyber-attack, the answer may both figuratively and literally fly over our heads. The aviation industry is one of those most influential industries in the global economy and one of the most susceptible right now to cyber-attack. As the number of digital components in the cockpit has increased, so too has the attack surface of all aircraft and air traffic control systems.

In the United States alone, the civil aviation industry accounts for over five percent of the US economy generating $1.6 trillion in economic activity per year. While a cyber-attack impacting the economy is frightening enough, the most alarming notion is that hackers have the ability to make airplanes vanish from radar systems or even crash. Even smaller scale cyber attacks can have a significant impact. A simple Denial-of-Service for airport services or flight delays can have massive cost implications and impact goods, people and information. With dollars and lives at risk, it’s important to understand where and why certain threat vectors in the aviation industry exist.

Mind the ‘air’ gap.

Traditionally, component parts and systems in aviation have been made up of air gapped technologies making them near to impossible to breach. As society has evolved and shifted to a more connected digital environment, we’ve seen a similar paradigm shift in aviation. Even critical components such as engines, hydraulics and flight management systems are now being monitored using IoT approaches to services. While this has made flying easier for pilots and cozier for passengers, it has also made systems exponentially more vulnerable to cyber-attack – specifically after switching from fly-by-wire to fly-by-wireless systems.

With fly-by-wireless technology, aircraft are controlled with fewer, more centralized units by

using higher throughput multicore, multiprocessor computers and commercial off-the-shelf components. While this increases efficiency, it also means that the aircraft, cockpit, cabin crew and passengers are using many of the same communications constituents. Wi-Fi, passenger information, avionics and more are all controlled by a centralized system making a single cyber-attack easier and all the more catastrophic. Not only that, but since aircraft parts are manufactured by different sources, malware could infiltrate these systems as early their journey through the supply chain.

As aviation security measures struggle to keep up with aviation technology, a number of threat vectors have surfaced. The most common in the industry include: air traffic control, aircraft IP networks, aircraft communications addressing and reporting systems (ACARS), aircraft interfaces, reservations, document control, electronic flight bags (EFB) and baggage handling. Since all airline and airport operations differ slightly, determining to what level these vectors exist and how to protect them requires a Threat & Risk Assessment (TRA) and Risk Registry (RR). With a TRA conducted and RR in place, organizations can prepare cybersecurity methodology for both pre- and post- breach conditions.

Keep airways breach-free.

You can summarize an effective cybersecurity policy in two words: be proactive. Setting up pre-breach methodology is equally as important as having post-breach methodology in place. The greatest victory is the battle not fought and there is too much at stake for the aviation industry to wage war with cyber criminals.

The harsh reality is that airlines need to prioritize as it is too expensive to protect all assets from all threats. While a TRA and RR provide the framework for an airline’s individual security needs, the mercurial nature of cyber threats requires ongoing monitoring and maintenance of the methodology in place. Pre-breach methodology should follow international standards and consider the full breach picture by understanding the risk of data exposure, breach prevention and incident response.

In an ideal world, incident response wouldn’t be a part of breach methodology, but hackers are a cunning bunch. Defenses are sometimes broken and airlines need to be prepared. Post-breach methodology is about timely mitigation and since it takes businesses an average of 100 to 200 days to detect intrusion, timeliness seems to be a widespread issue.

The key to prevention and detection is ensuring technical controls are in place and that policies and procedures governing security practices are well communicated to protect and secure assets. The ability to detect and perform an incident response that follows a breach aids greatly in tightening security practices by identifying methods that will prevent further compromise in the future.

Airlines need to realize that this can’t be done alone. Whether it’s through the public or private sector, airlines need to partner with experts that understand the ever-changing cybersecurity landscape. The best security partner helps you implement procedures to handle this swiftly and independently and can also be called to assist in emergency situations.

A commercial plane wouldn’t take off without landing gear nor would it fly without a channel connected to air traffic control. Whether it’s physical or digital, a preflight checklist is required to ensure safety of both the flight crew and passengers. Cybersecurity isn’t a risk the aviation sector can afford to take.

Facebooktwittergoogle_plusredditpinterestlinkedin

IoT World 2017

I have spent the last week in Santa Clara attending the IoT World conference hoping to see what was new and exciting in the world of IoT. After tracking this sector for a while now it has been interesting to see all the new platforms (512 and counting) and startups that have popped up.

While I found the keynotes a great window on possible new products by companies I did get a sense that security and privacy did not get the air time it deserves. I attended many of the security sessions and, while interesting, they were more focused on product plugs versus real discussions on how to design and build security into a product. It was more buy my product or platform and you will be secure. That is scary proposition especially when vendor generated standards are used as guideline for self assessment. Lets be clear folks, vendors have their best interest at heart not yours when it comes to security.

I was also troubled by vendors stating that if customers just pay more they can add  security. This is the wrong view from an executive and security perspective. The right view, in my humble opinion, should be here is what we identified as the threat profile for our products and solutions and here is how we designed security and privacy into our products and services from day one. Oh and it did not significantly increase the price of the product!

I really wanted to tell some of the top brass that lawyers are attending ISO security standards meetings globally and are planning to use standards such as those in ISO/IEC SC 27 and IEC 62443 as the base line for controls that will be expected in IoT solutions. In the event of a compromise or data breach and the ensuing lawsuit, these same corporations will be held to task on how they meet these requirements and controls. So by all means keep working on your vendor association standards but realize the actual yardstick are the ISO/IEC standards.

On the more positive side of conference, I really liked that NASA is going out its way to make software freely available to community. The breadth of expertise that has gone into some of this software is quite remarkable. I was also really impressed with the Samsung Artik HW and platform and how far it has developed in a short time. It really is making its mark as a contender in IIoT, smart cities and power generation sectors. I even signed up for the developer program and plan to buy some of the dev boards so we can start evaluating this platform for some of our projects. Other notable things were the use of embedded tags and sensors on products, and how to test just about every component being designed and built. If you are in Santa Clara next year, I recommend that you attend the vendor exhibit for next year’s show to see all the development and new products. It would of been good to see Apple and other product companies show where they going in these areas but I will keep my fingers crossed for next year.

Facebooktwittergoogle_plusredditpinterestlinkedin

Hive Sense Update

Well we finally got data flowing from our network and the hives. It was a long winter and while we tried to get all the components wired and tested Mother Nature had other ideas for us. That included snowing, sleet, and even rain. We also found the maximum useable temperatures for plastic conduit and other parts we used to setup the infrastructure. Not to mention on our last day we had one of our team get serious sun burned and it was 35C in May! Yet despite all of these challenges we got streaming data.

As of yesterday, we have been collecting data since 8:36 AM EST Thursday May 18th. It was interesting to realized that bees dont need to sleep and are working all night apparently. As we progress the program we will be adding new features. The beekeepers at Algonquin College (aka the professors from the Culinary program) have informed us the they will be add 5 more hives this weekend. We are looking forward to having more data points and also as different genius of bees. It will be interesting to see what differences if any to the behaviour over the summer.

One more note, we will be testing a mobile app over the summer that will provide a real time of the bee hives that you can shared your teams and bee enthusiasts. More on that later.

 

Facebooktwittergoogle_plusredditpinterestlinkedin

What does the WikiLeaks announcement mean to you?

I doubt you missed it but this week but WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices then use the devices to listen to conversations and capture all data from those devices. Do I have your attention now?

If you have one of following pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant president  that an intelligence organization has infiltrated and created a platform to compromised systems for spying. I for one am not surprised. Why????

1. Many companies do not have SDLCs that include security testing and those that do only do the minimums they are required for their particular industry.

2. Many do not threat model or conduct aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues versus doing the right thing and securing it from the get go. Go to many startup incubators, they only think about security and privacy when they hit several 1000 of users or larger companies start asking about the security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money so get the product to point where someone is going to pay big dollars for it and we can walk away.

4 .Vendors are not required to provide any assurance to their products. This is why IoT in the consumer and business markets is a bounty of either compromised or to be compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgraded and patches to your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense to the security posture of the vendor. If they cannot answer these immediate or have to go check. Walk away! A company that has instilled a culture of security will have the answers to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data because they take that too. Harden your device as much as you can and use a IPSec VPN to project your data in transit. Finally, encrypt all your stored data. If your systems are compromise you need to have that additional level of protection.

Facebooktwittergoogle_plusredditpinterestlinkedin

Our Future Security Practitioners 

Yesterday, I had opportunity to speak to the Electronic Technologist class at a local college on cyber security. It was great to see all the cool things they were building but also have an open discussion on how they can help to build the next generation of secure IoT products and solutions. It was also refreshing to hear how many of them recognize their privacy and were concerned about the amount of data collected on them. Recently, I was told that youth don’t care about their identities and protecting it — it is all about getting free access. I was really disturbed by this especially when I am teaching my kids to more vigilant about the services they use and information they share.

I spent 2+ hours with students from CEGEP and I have to say I don’t know who was more excited about the conversation them or me. It is always great talking to next generation of tech workers but with electronics a big part of my childhood I love being around breadboards, signal and power generators and multimeters.

Thank-you Marc for making this happen. I had a great time with the students yesterday. Also a big shout out to Madame Bijou who helped me on the presentation graphics. Not bad for a 10 year old!

Facebooktwittergoogle_plusredditpinterestlinkedin

What Makes Industrial Control Systems a Target for Attack?

There is a great article from Trend Micro on why attackers target Industrial Control Systems (ICS) and how the Industrial Internet of Things (IIoT) will affect it. This is worth knowing as ICS is used to describe dissimilar types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.  ICS are used in almost every industrial sector and critical infrastructure from manufacturing, transportation, energy, and water treatment to running the power grid, regulating energy use in a building or managing the process of brewing beer.

At a presentation I gave at Cyber Security 2017: Securing the Smart City of the Future I spoke about the anatomy of an attack but didn’t get into the details as to the motivation or technicalities. ICS have been with us for more than a few years but recent modernization has created new ways for these systems to communicate with their controller. This has improved overall productivity but not security. New security issues have arisen that can be exploited by cybercriminals including:

  • Components that were not meant to be for public access are now accessible via the Internet.
  • Security and privacy features that were not considered by solution architects and engineers at design time.
  • Threat modelling not conducted either by the component manufacture or the solution provider.
  • Products that are not required to be fully tested or assessed to provide a minimum level of assurance or security.
  • Installations that were not formally evaluated for cyber risk prior to deployment.
  • An implicit trust at the systems operational level that all components are safe.

Increased aggressive targeting of these will impact many areas including smart cities, smart manufacturing, smart infrastructure projects and even our soon to be smart homes and cars unless we can get control of these issues. In many cases of these attacks data risk is the least of our worries as they could potentially result in injury or death. To deal with this comprehensively everyone in the product and service chain must play their part:

  1. Manufacturers need to ensure that their products are designed with security, privacy and safety in mind. This includes a multitude of aspects depending on the product being developed. Only through comprehensive threat modelling at design time will they fully understand how attacks can happen in the field and the necessary controls that will be required.
  1. Implementers need to conduct security testing and evaluation at all stages of the project to ensure that systems are not misconfigured or prone to attack once in the field.
  1. Customers whether they are a city manager, a building manager or an information security manager need to better understand the risks to their specific deployments including how to perform Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs).

Always remember that security is more than a technology you can just implement. Attempting to protect bad coding and engineering practices with a badly configured firewall will just end up in an attack succeeding.

Lastly, the authors of the article reference the NIST Security Guide for ICS, I would recommend that you also look at IEC 62443. Why? It was written so that an ICS company (vendor, implementer or purchaser) could be evaluated and tested against stringent controls for risk. This wide series of standards covers the breath of deployment and in-field issues that need to be considered and assessed against. It forces all parties involved to get their act together and ensure they have important aspects such as integrating activities across the Software Development Life Cycle (to help discover and reduce vulnerabilities early and build security in) and operational security policies and procedures. You might be surprised how many don’t.

Facebooktwittergoogle_plusredditpinterestlinkedin

The Smart City Under Attack – CBoC Presentation

I recently got an opportunity to speak at the Conference Board of Canada’s Securing the Smart City of the Future. It was great to be able to speak to those dealing with the daunting challenge of managing the issues related to security, privacy and safety risks while still providing smart city services.

It is clear that the potential benefits of fully-connected smart cities fed by sensors and data are significant especially when seen in the advance of the Internet of Things (IoT). These benefits could tackle some of the greatest problems with urbanization such as traffic congestion, inefficient use of energy, and pollution. As great as these potential benefits are so are the risks and unanswered questions that the integration of new technology brings. Countries looking to implement smart city initiatives need to have a national policy that mandates aspects of security, privacy and safety. This policy should include the following as a minimum:

  • Requirements for an Information Security Management System (ISMS).
  • City breach plans for emergency services, vendors, citizens, etc.
  • Security tested components and solutions that are validated prior to release.
  • “Assurance” from solution providers and vendors for their products/services.
  • Buyers requesting that products and solutions be evaluated.
  • Demand Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs) for all solutions prior to deployment by City Managers.
  • Respect for the privacy of citizens.

The security breaches in the recent past and the ongoing increase in cyber attacks and crime have made one thing very clear: In building the smart cities of tomorrow we need to be smart! Bearing this in mind, what is the biggest barrier to smart city entry?

The biggest barrier seems to be security and privacy of the sensors and data – the very things that make a city smart. The concern seems to be around data breach and how to minimize the exposure of the sensors in-field. However, in the past year or so there seems to have been a shift in the mind set of what is more important: a $5 sensor or the data we collect on people and objects. Clearly the data protection is more important. An example would be smart city projects in Canada that want to provide more real-time information to citizens about services and conditions. It requires them to track citizens to offer this service which means that there are substantial privacy concerns. The client can share lots of data but if it becomes compromised the city collecting it is liable under new legislation in Canada. Cities are taking the time to understand the risks and prepare for the eventuality of data breach and invasion of privacy.

You can see presentation that I gave below. As always if you have any questions about the presentation, please do not hesitate to contact us for clarification.

 

CB0C A Smart City Under Attack – TwelveDot

Facebooktwittergoogle_plusredditpinterestlinkedin

Maker Faire Ottawa

 

img_4118

This past weekend we participated in Maker Faire Ottawa which is an all-ages gathering of tech enthusiasts, crafters, educators, tinkerers, hobbyists, engineers, science clubs, authors, artists, students, and commercial exhibitors. The location for this second Faire was the Aberdeen Pavilion in Ottawa’s historic fairgrounds and this year we got a booth to demo Hive Sense.  As you may know we are helping Algonquin College with bee research and wanted to provide the community with an update on the project. img_4122

It was great to see so many people with knowledge of the problem and we enjoyed the dialogue we were able to have with so many local professional and amateur bee keepers. We are currently working on building out a new service infrastructure and web site for our project and hope to have four to five hives monitored prior to the snow flying. Once these hives are monitored we will announce it on all our channels so you can track the progress and see the data.

Maker Faire is, according to the organizers, the Greatest Show (and Tell) on earth so it was not surprising to have had lots of cool projects again this year. While there were many 3D printing demos and projects it was nice to see groups and clubs engaging kids in robotics and coding as this is a great way to start playing with open source technology at an early age. There were programs even for big kids so there was no need to feel left out or to worry lol.

We had many attendees drop by our booth to learn about the concept of our project. Many were not technologists, engineers, or even web savvy individuals but they dropped in to see what the project was all about. It was also nice to hear from all the people who remembered their grandfather’s hives or when they lived on a farm. We keep forgetting that about 40 years ago a big part of our economy was agriculture driven especially in the Ottawa Valley.

We are looking forward to the 2017 event and being able to show what we have learned and how to get involved with the project in the future so… stay tuned.

If you have any questions in the mean time please do not hesitate to reach out to us for this or other IoT projects.

img_4112

Facebooktwittergoogle_plusredditpinterestlinkedin