Category Archives: IoT

Maker Faire Ottawa


This past weekend we participated in Maker Faire Ottawa, an all-ages gathering of tech enthusiasts, crafters, educators, tinkerers, hobbyists, engineers, science clubs, authors, artists, students and commercial exhibitors. The location for this second Faire was the Aberdeen Pavilion in Ottawa’s historic fairgrounds, and this year we got a booth to demo Hive Sense. As you may know, we are helping Algonquin College with bee research and wanted to provide the community with an update on the project.

It was great to see so many people with knowledge of the problem, and we enjoyed the dialogue we were able to have with so many local professional and amateur beekeepers. We are currently building out a new service infrastructure and web site for the project and hope to have four to five hives monitored before the snow flies. Once these hives are monitored we will announce it on all our channels so you can track the progress and see the data.

Maker Faire is, according to the organizers, the Greatest Show (and Tell) on earth so it was not surprising to have had lots of cool projects again this year. While there were many 3D printing demos and projects it was nice to see groups and clubs engaging kids in robotics and coding as this is a great way to start playing with open source technology at an early age. There were programs even for big kids so there was no need to feel left out or to worry lol.

We had many attendees drop by our booth to learn about the concept of our project. Many were not technologists, engineers, or even web savvy individuals but they dropped in to see what the project was all about. It was also nice to hear from all the people who remembered their grandfather’s hives or when they lived on a farm. We keep forgetting that about 40 years ago a big part of our economy was agriculture driven especially in the Ottawa Valley.

We are looking forward to the 2017 event and being able to show what we have learned and how to get involved with the project in the future so… stay tuned.

If you have any questions in the mean time please do not hesitate to reach out to us for this or other IoT projects.


RIoT Control – A Book Review


Coming soon to a bookstore (or Kindle) near you is a first-of-its-kind book on how to approach security for the Internet of Things (IoT). The book is an assessment of how to control and manage Risk and the Internet of Things: RIoT Control. It is targeted at executives, engineers and architects responsible for considering or implementing IoT solutions within their organizations. It is also a useful read for entrepreneurs, risk managers, security practitioners, business line managers and anyone not interested in the operational details of IoT security but wanting to understand the problem.

I was fortunate and honoured that Tyson Macaulay, the author, asked me to be a reviewer of this book. In the process I was able to learn even more about this increasingly important topic for cyber security practitioners. Tyson and I have been working together for several years on IoT security under ISO and have represented Canada internationally for over five years to create the baseline considerations (or controls) that should be considered for IoT implementations. Over this time I have realized how broad a topic IoT is, how challenging its issues are and how complex some of the solutions are for some sectors.

Implementing cyber security controls in some sectors is not going to be easy, to say the least. Companies are going to have to shift their mindset to building an adaptive and strong “culture” of cyber security in order to succeed in IoT. One of the key barriers to adoption right now is security and privacy considerations. Product and service providers are going to have to prove to customers that their products are both designed and tested to a specific security level. The daily news of products or solutions that have been compromised is proof positive of the need to secure these solutions comprehensively. Even the NSA and FBI are hiring highly skilled hackers to compromise the networks and data of users of IoT solutions.

RIoT Control walks the reader through the process of IoT cyber security considerations and gives many useful examples to help the reader better understand the concepts. It provides the necessary background and details that designers and implementers need to consider for new IoT products and solutions. And yes, security and privacy need to be considered at the design and concept stage.

The list of the chapters contained in the book are:

Chapter 1 – Introduction to IoT

Chapter 2 – Anatomy of IoT

Chapter 3 – Requirements and Risk Management

Chapter 4 – Business and Organizational Requirements

Chapter 5 – Operational and Process Requirements Framework

Chapter 6 – Safety Requirements in the IoT

Chapter 7 – Confidentiality and Integrity

Chapter 8 – Availability and Reliability Requirements

Chapter 9 – Identity and Access Control Requirements

Chapter 10 – Usage Context and Environmental Requirements

Chapter 11 – Interoperability, Flexibility and Industrial Design Requirements

Chapter 12 – Threats and Impacts to the IoT

Chapter 13 – RIoT Control

I hope you enjoy reading this book as much as I did. In this book Tyson has done a great job of explaining the business and security concepts of IoT to executives, architects, engineers and anyone else responsible for IoT in a comprehensive way. In doing so he provides the necessary background for building a cyber security IoT practice and ensures that customers are provided a higher level of assurance to products and services they are selecting for IoT.

If you want to buy this book, for your convenience here is the link to RIoT Control on Amazon.

IoT Security @ Ottawa Meetup

Wow! A very informative evening in front of a full house at the Ottawa IoT Security Meetup (standing room only, actually)! Big thanks to Pascal and Jacques!

Our very own Faud Khan delivered, according to those present, “a very informative and entertaining presentation” on IoT Security.

“Absolutely super informative presentation and a great showcase of the depth of TwelveDot’s knowledge and experience in the security field.”

The presentation explored how to make security and privacy part of the daily business ritual so as to significantly reduce the cyber exposure of products, solutions and the business itself. As such it provided a look at:

• ISO standardization of IoT

• Security considerations for your organization

• Security considerations at design and development

• Testing and evaluation of IoT solutions

• Privacy considerations and practices


FYI – Elements of the presentation are:

IoT Technologies Mind Map – SWG_5_IoT_Technologies_MindMap

IoT Threats and Risks Poster – IoT Threats and Risks

Presentation Slide Deck IoT Security – IoT Meetup Ottawa Presentation Slide Deck – June 28_2016

Q&A: 

  1. When can we get access to ISO/IEC 30141 Reference Architecture? The information will be available Fall/Winter 2016. You can keep track of its development at the ISO site.
  2. What is the scope of the IoT Reference Architecture? According to ISO/IEC 30141 the scope is “This International Standard specifies IoT Conceptual Model, Reference Model, and Reference Architecture from different architectural views, common entities, and high-level interfaces connecting the entities.”
  3. What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA, or the PIPED Act) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. More details can be found here.
  4. Why do we have to pay to meet these standards? Doesn’t it harm the whole process? ISO needs a means to fund the system even after Canada pays its membership into ISO. The base ISO/IEC 27000 is free, but others such as 27001 do cost a little (about $35).
  5. Who do you call first if you get breached? Do not call your security guy! Contact your lawyer and have your lawyer contact your security people. This ensures client confidentiality and attorney-client privilege.
  6. Have you looked at Intel IoT development kits with security infrastructure built into the target software? Intel libraries may be investigated more thoroughly than open source libraries, but they are still vulnerable: always do your due diligence on any solution.
  7. For 3rd party libraries we use well known libraries and Black Duck to test etc. Beyond that, are there other practices that you recommend? Take advantage of the (one-way) hashes publishers provide for their releases and validate them before use. Keep in mind that a hash only proves the file matches what the publisher listed, so take the published digest from a channel separate from the download itself (or rely on the publisher’s signature) rather than from the same mirror that served the file. Likewise, monitor those libraries via CERT and other vulnerability disclosure services so that you are notified of new vulnerabilities after you have shipped.
  8. What is your minimum recommendation when trying to implement a security plan? Encourage threat modelling at the design stage, identify your data at risk, and have in-depth knowledge of how you are processing, storing and transporting that data. Conduct a PIA using ISO/IEC 29134; you can find lots of details on this at the site of the Office of the Privacy Commissioner of Canada (Privacy Commissioner of Canada PIA).
  9. Can security be a marketable aspect of a product? Absolutely. Security is a very important part of any product and can be a huge selling point, provided it is implemented properly. With breach laws around the world changing, as an executive you need to show due diligence using the process outlined, which provides the outputs necessary.
  10. Is there any industry forum etc. assisting ISO standard development? Prior to beginning a new project ISO runs a study period to reach out to the community and create liaison relationships. Specific to IoT, WG10 has liaison relationships with ITU-T, IIC, IEEE and many more. This ensures these standards are not created in a bubble.
  11. What do you think about open source standards (block chains in particular)? Block chains can be used in applications tracking ownership or documentation of physical and digital assets. They hold lots of promise; however, many countries look to ISO to provide the necessary guidance on standards. In the case of block chains the current open standard is being proposed as the base standard for ISO. As this project is just starting, we are a long way from determining whether it will be adopted as the benchmark.
  12. Are any big security companies involved with ISO standards? Many large security companies and non-security companies are involved with ISO standards. The list is much too long for this blog, but most large technology companies are current members of national committees.
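The two practices recommended in the answer to question 7 (validate a publisher’s hash before using a library, and keep checking shipped components against new disclosures) are easy to automate. The following is an added example written for this post; it is not code from the presentation or from TwelveDot. The package name “examplelib”, the advisory identifiers “ADV-EXAMPLE-0001/0002”, the artifact bytes and the advisory list are all constructed for illustration; the only real value is the SHA-256 of the bytes “abc”, which stands in for a digest copied out of a publisher’s checksum file. Version comparison assumes plain dotted numeric versions (1.2.3) with no pre-release tags.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Digest algorithms a publisher checksum file is allowed to use. MD5 and SHA-1 are
# refused: collisions are practical for both, so a matching digest proves nothing.
ACCEPTED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def verify_artifact(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Return True only if `data` hashes to the publisher-listed digest.

    The digest comparison is constant time so the check itself does not leak
    how many leading bytes of the digest matched.
    """
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown digest algorithm: {algorithm}")
    actual_hex = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())


@dataclass(frozen=True)
class Advisory:
    """One disclosure record: versions of `component` below `fixed_in` are affected."""
    advisory_id: str
    component: str
    fixed_in: str


def parse_version(version: str) -> tuple:
    """Assumption: plain dotted numeric versions such as 1.2.3 (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def affected_components(pinned: dict, advisories: list) -> list:
    """Return (component, version, advisory_id) for every pinned component that an
    advisory says is vulnerable. Run this whenever a new advisory arrives, not only
    at build time: a library that was clean when you shipped can be disclosed
    against later."""
    hits = []
    for name, info in pinned.items():
        pinned_version = parse_version(info["version"])
        for adv in advisories:
            if adv.component == name and pinned_version < parse_version(adv.fixed_in):
                hits.append((name, info["version"], adv.advisory_id))
    return hits


# --- Constructed sample data: not real packages, releases or advisories ----------
# The sha256 below is the digest of the constructed artifact b"abc"; in real use it
# is copied from the publisher's checksum file or signed release notes, fetched
# separately from the artifact itself.
PINNED_COMPONENTS = {
    "examplelib": {
        "version": "1.2.3",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}
GOOD_ARTIFACT = b"abc"       # what the publisher actually shipped (constructed)
TAMPERED_ARTIFACT = b"abd"   # a mirror that altered one byte (constructed)
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib", "1.2.4"),  # constructed identifier
    Advisory("ADV-EXAMPLE-0002", "otherlib", "2.0.0"),    # constructed identifier
]


def demo() -> dict:
    """Run both checks over the constructed data and return the outcomes."""
    pin = PINNED_COMPONENTS["examplelib"]
    return {
        "good_artifact_ok": verify_artifact(GOOD_ARTIFACT, pin["sha256"]),
        "tampered_artifact_ok": verify_artifact(TAMPERED_ARTIFACT, pin["sha256"]),
        "affected": affected_components(PINNED_COMPONENTS, SAMPLE_ADVISORIES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Wire `verify_artifact` into the build so that a failed check stops the build rather than logging a warning, and run `affected_components` from a scheduled job fed by the disclosure sources you subscribe to; the pinned manifest is the same list of names and versions you would hand to a tool such as Black Duck.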

We hope this information helps. If you need more guidance on securing your products and solutions please reach out to us.


For the Bees

This past weekend we (TwelveDot Labs, that is) participated in our first Ottawa Random Hacks of Kindness (RHOK) after being a sponsor for the past three years.

Algonquin’s School of Hospitality and Tourism is on a mission to better help students to understand the “food to fork” concept and the impact the changing environment is having on the human food chain. And we were happy to partner with Algonquin College on a bee hive monitoring project .

We had a lot to do over the weekend and not a lot of time to do it in (about 14 hours), but we managed to get sensors logging into our database. All of this was done with a team of only eight! Without the hard work and efforts of Kirin, Kaelan, Bernard, Ying, Cid, Jared and Alf, this project would not have come together in such a short period. We were, and remain, truly grateful to all of them for giving up their weekend for this project. We also had significant assistance from Dave of Algonquin College, who is both a chef and an understudy beekeeper. He provided very useful details on how bees live and on our impact on them, both in general and every time we open a hive.

That said, we know that there are many other hackathons with similar projects, and even commercial solutions for monitoring bee hives, right now. We also know of no solutions that are purpose-built for research and non-intrusive to the bee environment. The goal of our project was to build these two aspects into the overall design. Over the course of the weekend we:

  1. Used an Arduino-based platform (an open-source prototyping platform with easy-to-use hardware and software) to connect our sensors.
  2. Designed a base mobile User Experience (UX).
  3. Set up and configured a time-series database.
  4. Fine tuned our sensors for data collection via the code.
  5. Created a web site to document our project.
  6. Developed a design to incorporate sensors non-intrusively into a bee hive; we actually did this in the last hour of the event!

Our goal going forward will be to continue this work with Algonquin as bees are important to our food chain. We are doing this for bees as much as we are doing it for ourselves.

In the coming months we will be proving out the initial design and the data collected for bee research, and hope to have our own data available as well. If you want to know more about our work and progress, we invite you to go to our project website.

Lastly, do not hesitate to contact us to find out if we can help your field research project.


Ottawa IoT Meetup – June 28th

This month I have the honour of being the presenter at the YOW IoT Meetup and I hope to see you there. Please bring all your questions. I look forward to providing guidance and suggestions to your projects. Here is the outline for my discussion:

Security and Privacy for IoT: A Standards Based Approach

IoT has the promise to change our lives and provide interactions that were previously unheard of – with upwards of 20 billion devices connected. However, one of biggest barriers to adoption is security and privacy.

Daily reports of compromised networks and systems have become commonplace, and many IoT services and solutions will be based on these same architectures and techniques: risky! The only way to change the IoT security landscape is to change our approach to design.

Our discussion will explore how to make security and privacy part of your daily ritual with the aim to significantly reduce the cyber exposure of your products and solutions. As we are quite active in the development of both IoT and security standards, we use a standards based approach to solving these problems.

International standards provide a global yardstick against which to design and build solutions. In the age of IoT, even small companies are being forced to think globally.

We will look at:

  • ISO standardization of IoT
  • Security considerations for your organization
  • Security considerations at design and development
  • Testing and evaluation of IoT solutions
  • Privacy considerations and practices

We will record all the questions we get and post them for all to see. I am sure that you will agree with me  that it is important to share as I believe the same root issues and problems are being experienced by many product and solutions organizations.


Here’s why the hack we are participating in RHOK!

For several years now we have been supporting Random Hacks of Kindness (RHOK) as a sponsor. We did this because RHOK is a hackathon for social good: it brings together volunteer developers and tech-savvy do-gooders to work with charities, community groups and social enterprises. And for us it has been hacking good as it is the type of event that really highlights the role private companies can and need to play in their local communities.

This year, however, we decided to hack our support into participation and put in a team to help the cause hands-on. Our decision was motivated by a request from the RHOK organizers to be more active in the cause, and I agreed so long as our project was Internet of Things (IoT) based. It was also time that we ate some of our own “dog food”. FYI: the term “eating your own dog food”, in the software industry, means using the code you’re developing for your own daily needs: basically, being a user as well as a developer or, in our case, a sponsor as well as a participant.

I met with my team so that we could begin prepping for our IoT project. I asked Brett Tackaberry, a good friend of mine who is very active in the Ottawa community, to go out and find a project. And found one he did and not just any project but one that has sensors, research and will run for a long time – at least we believe so. So far we have ordered the sensors, come up with a high level architecture and designed a User Experience (UX) for the Version 1. We are cheating a little here but had no choice as one weekend is not enough to prepare and build the prototype of our IoT solution!

You may be asking “What is this solution?” Well you will have to follow us on Twitter for updates to see what we are building. If you happen to be in the Ottawa area on the weekend of June 24th, I invite you to drop in to RHOK to see us and possibly help us or others out on our projects. You will also have the chance to see how matching up organisations that have a social impact with skilled technologists, who want to make a difference, can lead to developing open-source solutions to the challenges facing society today and tomorrow.

As a small R&D group, TwelveDot Labs is primarily focused on R&D in mobile, cloud and IoT. We are hired to evaluate security for IoT technologies and to build cool technology solutions that incorporate both security and privacy. We intend to do for RHOK what we do for our clients: deliver a solution that works, is secure and private, and is, above all, cost effective.

IoT is Active and Moving. Are you?


The U.S. Department of Commerce recently cited that 200 billion connected devices will be deployed by 2020, with an accompanying economic impact in the trillions by 2025. This Internet of Things (IoT) represents a major transformation in a digital world that has the potential to affect everyone and every business. As a result, many companies are moving ahead on IoT projects with little consideration of the security or privacy issues that accompany them.

Many companies, however, do not have a specific solution in place to secure IoT devices, and some may not know whether they have security policies on their devices. ForeScout® Technologies, Inc. recently announced the findings of its new “Enterprise Internet of Things (IoT) Survey.” This survey of 350+ Information Technology (IT) professionals assessed their organizations’ IoT security practices. The research revealed that while the majority of respondents acknowledge the growing number of IoT devices on their networks, they are unaware of how to properly secure them. Moreover, 85 percent of survey respondents lacked confidence in their ability to see connected devices as soon as they joined their networks, and almost a quarter said that they weren’t confident at all. When connected devices are left out of the security sphere, an organization’s attack surface becomes that much larger. The excuses for this scenario are many, and the users of these companies’ solutions are potential digital crime victims, many of whom are never notified or even aware of the risks and dangers.

Today there is an added risk: spying. As the Internet of Things (IoT) becomes more commonplace, more valuable data will be accessible through an ever-widening selection of entry points, not only to hackers but also to spy agencies like the National Security Agency (NSA). So what is a developer or solution provider to do? It starts at the concept stage, with considering how data is collected, processed, stored and destroyed. This is not only a software consideration but also a hardware one. At a high level, here is where you need to start:

  1. What do your company’s policies and procedures state about your systems development life cycle (SDLC)?
  2. Does your SDLC allocate time at the design/concept stage for a Privacy Impact Assessment (PIA) and a Technical Risk Assessment (TRA)?
  3. Are your developers/programmers given security training?
  4. Do you perform background checks on developers/programmers?
  5. Where do you store your source code, and who has access to it?
  6. Where are your components sourced from, and have you validated the firmware on these components and integrated circuits?
  7. Have you assessed third party libraries for security issues and coding practices?
  8. Did you perform threat modelling of the proposed solution?

All of these aspects need to be considered, as they are a benchmark for all of your solutions and must become part of your business culture. This also includes documenting all aspects of these elements, especially for meetings that deal with design decisions. Maintain a decision log/registry tied to the project. It can be referenced if and when a breach happens, and it can also save your a$$ by proving you did the due diligence at design time. Your dev-ops staff, designers and testers need to eat, think and breathe private and secure design. Doing this up front will not only greatly reduce support costs at the back end but also help avoid possible lawsuits.

At TwelveDot our goal is to help companies that are struggling to secure their mobile, cloud and IoT solutions. Connect with us to see how we can help you solve your security challenges.


Cyber Canucks EP5: Considerations for IoT

We hope you enjoy episode 5 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Threat Modelling – How is your device going to be attacked?
– Code Assessment and Third Party Libraries – Risk and security aspects around application code, and checking third party libraries against known common vulnerabilities
– In-field Patching and Support – often overlooked when thinking about cybersecurity
– Manufacturers and SDLC – all organizations need to consider security and implement an SDLC and a formal evaluation process around the device
– Field Monitoring – Guidelines and standards need to be addressed, but so does monitoring for suspicious activity in the field

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.


Talking IoT Standards in Shanghai

This past week we had the 4th meeting of ISO/IEC WG10 on IoT. We are working towards writing ISO/IEC 30141, the Reference Architecture for IoT. While it is not easy to get many global experts to agree on such a broad topic, it is good to see so many of us attempting to find common ground on IoT. We have had many issues over the years, and it has taken a while to overcome differing conceptions of what is required. However, it seems that we have started to work towards a common goal and are now more focused.

Some of the more contentious issues are:

  1. What does a conceptual model need to contain? With so many experts from diverse backgrounds it is not easy. You get fixated on your vertical and its needs, but we need to come up with a model that represents the basic elements common to all IoT systems. We are getting there, but we still need to agree on the level of abstraction this diagram should represent.
  2. Terms and definitions are another, but if you have been around standards this is quite normal. With the content constantly changing in a Working Draft (WD), so too do the terms, to keep them aligned with the content and context of the topic.
  3. Dealing with other Standards Development Organizations (SDOs) and their view of IoT. While we need to respect each other’s perspective of IoT, we have to be keenly aware that we do not duplicate the work of others. This is much harder for IoT given the breadth of technologies that it encompasses.

I was grateful to our Chinese hosts from WSN, who invited me as a security expert to a panel on IoT. This event got lots of local press coverage and was attended by over 200 delegates. One question from the audience was about security and what companies need to do better. My usual response is that if you are building something, make sure you threat model it and have an SDLC that includes security and privacy at every stage of development. It will go a long way to ensuring your product/service is more secure in the field.

IoT613 – Talking all things IoT 

Last week we attended the IoT613 conference in Ottawa, ON, Canada with our partner and good friends over at bv02. We set up a demo of a solution that we jointly built last year on the use of iBeacons to engage customers. The interest in IoT and security was really great, and it was refreshing to see how many people are thinking about security in this space.
 
The next generation of companies has to think security and privacy from day one: use techniques such as threat modelling and TRAs to understand the risks, then evaluate the features that can be added on day one versus those that can wait for future revisions. You can always quantify these risks and make better decisions that balance both usability and security.
 
Here are some quick points to get you started:
 
  1. Before you complete your initial product design, determine all the cyber and physical aspects that could be used to compromise any element of your solution. This includes the people and suppliers who will come into contact with your product prior to service delivery. This is known as a TRA (Technical Risk Assessment), and it needs to get into the bits and bytes of the solution, not just an overview.
  2. Ensure you have a System Development Lifecycle (SDLC) that includes security. Reference ISO/IEC 27034 Application Security as your guide… yes, it works with Agile. Get your developers trained and set up to run a formal development and secure testing process. If necessary, use a 3rd party to test the final revision.
  3. Test for a specific level of assurance you can provide users and customers. Your testers need to be trained on how to locate security bugs in your software as well as how to deal with those that are reported to your organization.
  4. Evaluate all 3rd party libraries for vulnerabilities.
  5. Make security part of your company culture.
 
This is just the start of setting up a stringent cyber security program. However, it will make huge strides in getting you on the road to a Secure By Design model. Thanks to everyone who dropped by to say “Hi” and learn about our service and solutions. See you next year. 
 