As part of the NAFTA discussions it looks like the US is looking to add a cyber security component to the mix. Finally, a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that a large share of Canadian Internet traffic is routed through the US. We have to ensure that one country is not in a position to bring about the downfall of another through weak security practices.
Given the current state of cyber security practice among most Canadian SMBs, this will serve as a good wake-up call to get your security house in order if you want to sell to the US. Based on the current wording, companies would have to demonstrate that they have implemented an accepted cyber security framework within the organization.
What does this mean? From the top down, executives are responsible for putting in place the security management system needed to measure and mitigate cyber risk within their organizations. I am not going to provide all the nuts and bolts of how to do this, but I would highly recommend you get a copy of ISO/IEC 27001 and 27002 and build your plan to implement an Information Security Management System (ISMS). Don’t let the “information” in the name fool you: these standards have been written to cover the cyber elements of any organization, regardless of sector.
The best place to buy them is from our friends at CSA Group in Canada. They offer a security bundle containing all the base standards you need to get started, at a very reasonable price.
When you initiate your cyber program, focus on conducting your risk assessments, producing your action and mitigation plan, and nailing down your policies and processes. Above all, education and awareness will be a key element of your success.
Keep in mind that this will not be easy, but the benefits will help you sell your solutions to the US and will help protect your digital assets. What else could you ask for?
I recently got an opportunity to speak at the Conference Board of Canada’s Securing the Smart City of the Future. It was great to be able to speak to those dealing with the daunting challenge of managing the issues related to security, privacy and safety risks while still providing smart city services.
It is clear that the potential benefits of fully connected smart cities fed by sensors and data are significant, especially in light of the advance of the Internet of Things (IoT). These benefits could tackle some of the greatest problems of urbanization, such as traffic congestion, inefficient use of energy and pollution. As great as these potential benefits are, so are the risks and unanswered questions that the integration of new technology brings. Countries looking to implement smart city initiatives need a national policy that mandates aspects of security, privacy and safety. At a minimum, this policy should include:
- Requirements for an Information Security Management System (ISMS).
- City breach plans covering emergency services, vendors, citizens, etc.
- Security-tested components and solutions that are validated prior to release.
- Assurance from solution providers and vendors for their products and services.
- Buyers requiring that products and solutions be evaluated.
- City managers demanding Threat and Risk Assessments (TRAs) and Privacy Impact Assessments (PIAs) for all solutions prior to deployment.
- Respect for the privacy of citizens.
The security breaches in the recent past and the ongoing increase in cyber attacks and crime have made one thing very clear: In building the smart cities of tomorrow we need to be smart! Bearing this in mind, what is the biggest barrier to smart city entry?
The biggest barrier seems to be the security and privacy of the sensors and data, the very things that make a city smart. The concern centres on data breach and how to minimize the exposure of sensors in the field. In the past year or so, however, there has been a shift in mindset about what matters more: a $5 sensor or the data we collect on people and objects. Clearly the data is more important. An example would be smart city projects in Canada that want to provide citizens with more real-time information about services and conditions. Offering this service requires tracking citizens, which raises substantial privacy concerns. Citizens may share a lot of data, but if it is compromised the city that collected it is liable under recent Canadian legislation. Cities are taking the time to understand the risks and prepare for the eventuality of a data breach or invasion of privacy.
You can see the presentation I gave below. As always, if you have any questions about the presentation, please do not hesitate to contact us for clarification.
CB0C A Smart City Under Attack – TwelveDot
Wow! A very informative evening in front of a full house at the Ottawa IoT Security Meetup (standing room only, actually)! Big thanks to Pascal and Jacques!
Our very own Faud Khan delivered, according to those present, “a very informative and entertaining presentation” on IoT Security.
“Absolutely super informative presentation and a great showcase of the depth of TwelveDot’s knowledge and experience in the security field.”
The presentation explored how to make security and privacy part of the daily business ritual so as to significantly reduce the cyber exposure of products, solutions and the business itself. As such it provided a look at:
• ISO standardization of IoT
• Security considerations for your organization
• Security considerations at design and development
• Testing and evaluation of IoT solutions
• Privacy considerations and practices
FYI – Elements of the presentation are:
IoT Technologies Mind Map – SWG_5_IoT_Technologies_MindMap
IoT Threats and Risks Poster –
Presentation Slide Deck IoT Security – IoT Meetup Ottawa Presentation Slide Deck – June 28_2016
- When can we get access to the ISO/IEC 30141 Reference Architecture? The information will be available in Fall/Winter 2016. You can keep track of its development at the ISO site.
- What is the scope of the IoT Reference Architecture? According to ISO/IEC 30141, “This International Standard specifies IoT Conceptual Model, Reference Model, and Reference Architecture from different architectural views, common entities, and high-level interfaces connecting the entities.”
- What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. More details can be found here.
- Why do we have to pay to meet these standards? Doesn’t it harm the whole process? ISO needs a means to fund the system even after Canada pays its membership into ISO. The base ISO/IEC 27000 is free, but others such as 27001 do cost a little (around $35).
- Who do you call first if you get breached? Do not call your security guy! Contact your lawyer and have your lawyer engage your security people. This keeps the investigation under client confidentiality and attorney-client privilege.
- Have you looked at Intel IoT development kits with security infrastructure built into the target software? Intel libraries may be scrutinized more than open source libraries, but they are still vulnerable. Always do your due diligence on any solution.
- For third-party libraries we use well-known libraries and Black Duck for testing; beyond that, are there other practices you recommend? Take advantage of the one-way hashes publishers provide and make sure the files you downloaded are validated against them before use. Likewise, monitor those libraries via CERT and other vulnerability-disclosure services so that you are notified of new vulnerabilities.
- What is your minimum recommendation when trying to implement a security plan? Encourage threat modelling at the design stage, identify your data at risk, and have in-depth knowledge of how you are processing, storing and transporting data. Conduct a PIA using ISO/IEC 29134; you can find lots of details on this at the Privacy Commissioner of Canada site: Privacy Commissioner of Canada PIA
- Can security be a marketable aspect of a product? Absolutely. Security is a very important part of any product and can be a huge selling point, provided it is implemented properly. With breach laws around the world changing, as an executive you need to show due diligence, and the process outlined above produces the outputs necessary to do so.
- Is there any industry forum assisting ISO standard development? Prior to beginning a new project, ISO runs a study period to reach out to the community and create liaison relationships. Specifically, the IoT working group (WG10) has liaison relationships with ITU-T, the IIC, IEEE and many more. This ensures these standards are not created in a bubble.
- What do you think about open standards (blockchains in particular)? Blockchains can be used in applications that track ownership or documentation of physical and digital assets. They hold lots of promise; however, many countries look to ISO to provide the necessary guidance on standards. In the case of blockchains, the current open standard is being proposed as the base standard for ISO. As this project is just starting, we are a long way from determining whether it will be adopted as the benchmark.
- Are any big security companies involved with ISO standards? Many large security companies and non-security companies are involved with ISO standards. The list is much too long for this blog, but most large technology companies are current members of their national committees.
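The hash check recommended in the third-party-library answer above, as an added example (this is not TwelveDot's code). It assumes the publisher ships a coreutils-style SHA256SUMS manifest ("<hex digest>  <filename>" per line); the archive names, contents and manifest below are constructed for the demo. It also assumes the manifest was obtained over a channel the attacker does not control (a signed manifest, or one fetched from the publisher's own site rather than the mirror that served the archive); a digest fetched from the same compromised mirror as the file proves nothing.

```python
"""Verify downloaded third-party libraries against a publisher's checksum manifest.

Added example, not TwelveDot's code. It assumes the publisher ships a
coreutils-style SHA256SUMS manifest ("<hex digest>  <filename>" per line);
the file names and contents used in demo() are constructed.
"""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex digest>  <filename>' lines into {filename: digest}.

    Blank lines and '#' comments are skipped; a leading '*' on the name
    (coreutils binary-mode marker) is dropped; malformed digests are rejected
    rather than silently treated as a mismatch.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_downloads(directory, manifest_text):
    """Return {filename: status}, status in {'ok', 'mismatch', 'missing', 'unlisted'}.

    Every manifest entry is checked, and anything in the directory that the
    manifest does not list is flagged too, so an extra artifact cannot ride
    along unnoticed. Only an all-'ok' result should let the build proceed.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # compare_digest avoids timing leaks; harmless for public digests, good habit.
        results[name] = "ok" if hmac.compare_digest(sha256_file(path), digest) else "mismatch"
    for name in sorted(os.listdir(directory)):
        if name not in expected:
            results[name] = "unlisted"
    return results


def all_verified(results):
    """True only if every checked entry is 'ok'."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo():
    """Constructed scenario: one intact archive, one tampered, one missing, one unlisted."""
    good = b"libgood 1.0.0 archive contents\n"
    published = b"libtampered 2.1.0 archive contents\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "libgood-1.0.0.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "libtampered-2.1.0.tar.gz"), "wb") as f:
            f.write(published + b"# extra bytes injected in transit\n")
        with open(os.path.join(d, "extra-unlisted-0.1.whl"), "wb") as f:
            f.write(b"not in the manifest\n")
        manifest = "\n".join([
            "# constructed SHA256SUMS, as if published alongside the archives",
            hashlib.sha256(good).hexdigest() + "  libgood-1.0.0.tar.gz",
            hashlib.sha256(published).hexdigest() + "  libtampered-2.1.0.tar.gz",
            hashlib.sha256(b"libmissing 0.9 archive contents\n").hexdigest() + "  libmissing-0.9.tar.gz",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    results = demo()
    for name, status in results.items():
        print(f"{status:9} {name}")
    print("proceed" if all_verified(results) else "STOP: do not use these artifacts")
```

A digest check like this only establishes that the file you hold is the one the publisher listed at download time; it says nothing about vulnerabilities discovered later, which is why the answer above pairs it with monitoring CERT and other disclosure feeds. Where the publisher signs the manifest, verify that signature before trusting the digests in it.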
We hope this information helps. If you need more guidance on securing your products and solutions please reach out to us.
This month I have the honour of being the presenter at the YOW IoT Meetup and I hope to see you there. Please bring all your questions. I look forward to providing guidance and suggestions to your projects. Here is the outline for my discussion:
Security and Privacy for IoT: A Standards Based Approach
IoT has the promise to change our lives and provide interactions that were previously unheard of, with upwards of 20 billion devices connected. However, one of the biggest barriers to adoption is security and privacy.
Daily reports of compromised networks and systems have become commonplace, and many IoT services and solutions will be based on these same architectures and techniques: risky! The only way to change the IoT security landscape is to change our approach to design.
Our discussion will explore how to make security and privacy part of your daily ritual, with the aim of significantly reducing the cyber exposure of your products and solutions. As we are quite active in the development of both IoT and security standards, we use a standards-based approach to solving these problems.
International standards provide a global yardstick against which to build and design solutions. In the age of IoT, even small companies are being forced to think globally.
We will look at:
- ISO standardization of IoT
- Security considerations for your organization
- Security considerations at design and development
- Testing and evaluation of IoT solutions
- Privacy considerations and practices
We will record all the questions we get and post them for all to see. I am sure that you will agree with me that it is important to share as I believe the same root issues and problems are being experienced by many product and solutions organizations.
We hope you enjoy episode 7 in our series of podcasts on cybersecurity.
Hosts: Cid Parato and Faud Khan
Topics of this episode:
- What is the data that you are protecting or storing in the cloud?
- Benchmarks to compare cloud service providers
- Policies and Procedures – Implement an ISMS to ensure policies and procedures align to corporate objectives
- Data Centre Evaluation ( location, service platform, what are their rules for data )
- Access to Data ( who has access from provider side and your side, authentication )
For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.
A big Thx goes out to Jack Wiles for sound editing.
This past week we had our fourth meeting of ISO/IEC WG10 on IoT. We are working towards writing ISO/IEC 30141, the Reference Architecture for IoT. While it is not easy to get many global experts to agree on such a broad topic, it is good to see so many of us attempting to find common ground on IoT. We have had many issues over the years, and it has taken a while to overcome differing conceptions of what is required. However, we have now started to work towards a common goal and are more focused.
Some of the more contentious issues are:
- What does a conceptual model need to contain? With so many experts from diverse backgrounds, this is not easy. You get fixated on your own vertical and its needs, but we need to come up with a model that represents the basic elements common to all IoT systems. We are getting there, but we still need to agree on the level of abstraction this diagram should represent.
- Terms and definitions are another, but if you have been around standards this is quite normal. With the content of a Working Draft (WD) constantly changing, so too do the terms, to keep them aligned with the content and context of the topic.
- Dealing with other Standards Development Organizations (SDOs) and their views of IoT. While we need to respect each other’s perspective on IoT, we have to be keenly aware that we do not duplicate the work of others. This is much harder for IoT given the breadth of technologies it encompasses.
I was grateful to our Chinese hosts from WSN, who invited me as a security expert to a panel on IoT. The event got lots of local press coverage and was attended by over 200 delegates. One question from the audience was about security and what companies need to do better. My usual response is that if you are building something, make sure you build a threat profile for it and have an SDLC that includes security and privacy at every stage of development. That will go a long way to ensuring your product or service is more secure in the field.