Tag Archives: standards

IoT Security @ Ottawa Meetup

Wow! A very informative evening in front of a full house at the Ottawa IoT Security Meetup (standing room only, actually)! Big thanks to Pascal and Jacques!

Our very own Faud Khan delivered, according to those present, “a very informative and entertaining presentation” on IoT Security.


“Absolutely super informative presentation and a great showcase of the depth of TwelveDot’s knowledge and experience in the security field.”

The presentation explored how to make security and privacy part of the daily business ritual so as to significantly reduce the cyber exposure of products, solutions and the business itself. As such it provided a look at:

  • ISO standardization of IoT
  • Security considerations for your organization
  • Security considerations at design and development
  • Testing and evaluation of IoT solutions
  • Privacy considerations and practices

FYI – Elements of the presentation are:

IoT Technologies Mind Map – SWG_5_IoT_Technologies_MindMap

IoT Threats and Risks Poster – IoT Threats and Risks

Presentation Slide Deck IoT Security – IoT Meetup Ottawa Presentation Slide Deck – June 28_2016

Q&A: 

  1. When can we get access to ISO/IEC 30141 Reference Architecture? The information will be available Fall/Winter of 2016. You can keep track of development at the ISO site.
  2. What is the scope of the IoT Reference Architecture? The scope according to ISO 30141 is “This International Standard specifies IoT Conceptual Model, Reference Model, and Reference Architecture from different architectural views, common entities, and high-level interfaces connecting the entities.”
  3. What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. More details can be found here.
  4. Why do we have to pay to meet these standards? Doesn’t it harm the whole process? ISO needs a means to pay for the system even after Canada pays its membership into ISO. The base 27000 is free, but others like 27001 etc. do cost a little (around $35).
  5. Who do you call first if you get breached? Do not call your security guy! You should contact your lawyer and have your lawyer contact your security people. This ensures client confidentiality and attorney-client privilege.
  6. Have you looked at Intel IoT development kits with security infrastructure built into target software? Intel libraries may be investigated more than open source libraries, but they are still vulnerable — always do your due diligence on any solution.
  7. For 3rd party libraries we use well known libraries and Black Duck to test etc… beyond that, are there other practices that you recommend? Take advantage of the hashes publishers provide (one-way hashes) and ensure they are validated prior to use. Likewise, ensure you are monitoring those libraries via CERT and other vulnerability disclosure services so that you are notified of new vulnerabilities.
  8. What is your minimum recommendation when trying to implement a security plan? Encourage Threat Modelling at the design stage, identify your data at risk, and have in-depth knowledge of how you are processing, storing and transporting data. Conduct a PIA using ISO 29134; you can find lots of details on this at the PCO site: Privacy Commissioner of Canada PIA
  9. Can security be a marketable aspect of a product? Absolutely. Security is a very important part of any product and can be a huge selling point for any product, provided it is implemented properly. With breach laws around the world changing, as an executive you need to show due diligence; the process outlined provides the outputs necessary to do so.
  10. Is there any industry forum etc. assisting ISO standard development? Prior to beginning a new project, ISO implements a study period to reach out to the community and create liaison relationships. Specific to IoT (WG10), liaison relationships exist with ITU-T, IIC, IEEE, and many more. This ensures these standards are not created in a bubble.
  11. What do you think about open source standards (blockchains in particular)? Blockchains can be used in applications tracking ownership or documentation of physical and digital assets. They hold lots of promise; however, many countries look to ISO to provide the necessary guidance on standards. In the case of blockchains, the current open standard is being proposed as the base standard for ISO. As this project is just starting, we are a long way from determining if it will be adopted as the benchmark.
  12. Are any big security companies involved with ISO standards? Many large security companies and non-security companies are involved with ISO standards. The list is much too long for this blog, but most large technology companies are current members of national committees.
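One way to act on the hash-validation advice in item 7, as an added example rather than code from the presentation: parse a publisher's sha256sum-style checksum list, compute the digest of the downloaded archive, and refuse to use it unless a published entry exists and matches. The library name `libexample`, its version, and the `PUBLISHED_SUMS` fixture are constructed for this example; the two digests in the fixture are the real SHA-256 values of the bytes `abc` and of an empty file.

```python
"""Checking a downloaded third-party library against the publisher's
one-way hashes before it is used (added example, not from the presentation)."""
import hashlib
import hmac
from pathlib import Path
from typing import Dict

# Constructed fixture: a SHA256SUMS file of the kind a publisher ships next to a
# release. "libexample" and its version are hypothetical names. The first digest is
# the real SHA-256 of the bytes b"abc"; the second is the SHA-256 of an empty file.
PUBLISHED_SUMS = """\
# libexample 1.2.3 release checksums (constructed)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  libexample-1.2.3.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *libexample-1.2.3.tar.gz.asc
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_sums(text: str, digest_len: int = 64) -> Dict[str, str]:
    """Parse sha256sum(1)-style lines: '<hex>  <name>' or '<hex> *<name>'.

    Blank lines and '#' comments are skipped. Anything else malformed raises,
    because silently dropping an entry would turn a typo in the checksum file
    into a missing entry that the caller might not notice.
    """
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != digest_len or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"expected a {digest_len}-char hex digest in: {raw!r}")
        sums[name] = digest
    return sums


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of in-memory data."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so large archives need not fit in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifact(name: str, actual_digest: str, sums: Dict[str, str]) -> bool:
    """True only if a published digest exists for `name` and matches exactly.

    A missing entry is a failure, not 'nothing to check'. The comparison is
    constant-time out of habit; the published value is public, so this is
    hygiene rather than a requirement here.
    """
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(actual_digest.lower(), expected)


if __name__ == "__main__":
    sums = parse_sums(PUBLISHED_SUMS)
    # Constructed "downloads": the genuine archive content and a tampered copy.
    for label, blob in (("genuine", b"abc"), ("tampered", b"abd")):
        ok = verify_artifact("libexample-1.2.3.tar.gz", digest_bytes(blob), sums)
        print(f"{label:9s} -> {'OK' if ok else 'REJECT'}")
```

A matching digest only shows that the download is the same file the publisher listed. Fetch the checksum list over TLS from the publisher's own site, or better, verify its signature (the `.asc` file in the fixture stands in for that), since a checksum file hosted beside the archive can be replaced along with it.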

We hope this information helps. If you need more guidance on securing your products and solutions please reach out to us.

 

 


Ottawa IoT Meetup – June 28th

This month I have the honour of being the presenter at the YOW IoT Meetup and I hope to see you there. Please bring all your questions. I look forward to providing guidance and suggestions for your projects. Here is the outline for my discussion:

Security and Privacy for IoT: A Standards Based Approach

IoT has the promise to change our lives and provide interactions that were previously unheard of – with upwards of 20 billion devices connected. However, one of the biggest barriers to adoption is security and privacy.

Daily reports of compromised networks and systems have become commonplace, and many IoT services and solutions will be based on these same architectures and techniques – risky! The only way to change the IoT security landscape is to change our approach to design.

Our discussion will explore how to make security and privacy part of your daily ritual, with the aim of significantly reducing the cyber exposure of your products and solutions. As we are quite active in the development of both IoT and security standards, we use a standards-based approach to solving these problems.

International standards provide a global yardstick on which to base the build and design of solutions. In the age of IoT, even small companies are being forced to think globally.

We will look at:

  • ISO standardization of IoT
  • Security considerations for your organization
  • Security considerations at design and development
  • Testing and evaluation of IoT solutions
  • Privacy considerations and practices

We will record all the questions we get and post them for all to see. I am sure that you will agree with me that it is important to share, as I believe the same root issues and problems are being experienced by many product and solutions organizations.


Cloud of Suspicion

I know everyone is sick of hearing about the cloud or anything cloud, including myself. Now that this has become primary in standards circles it is getting personal. I believe, and can prove, that the term is a new marketing buzz word for outsourcing around SaaS, PaaS, and IaaS. In this context, I have been in the “cloud” business for over 15 years. My career began working as a developer for security code on an IBM 370. The mainframe was the first cloud solution and provided large companies the ability to provide a “private” cloud service with great security controls. At the same time, most carrier networks have been offering “cloud” solutions since the ’50s/’60s.

Fast forward 15 years, companies large and small are now claiming to invent the cloud; it is almost laughable. What is scary is the number of new standards in this area that completely disregard the many great standards addressing the operation of these environments that have been created, adopted, and implemented. I do agree that they need refreshing to reflect the implementation of the new technologies, but these are amendments, not new standards.

Now we are spending lots of time, money and superhuman effort to redesign the wheel… why?

I love when a rep from a cloud vendor states how new and revolutionary cloud technology is. Many of the management and deployment tools have become highly specialized; however, they are not new. After designing and building an MSSP offering for 5 years, we had to create our own custom tools and techniques to accomplish this. We still used VMs and shared HW and SW; it was a cloud service, but without the hype.

Hopefully, over time tech folks are going to see through the mist and realize they are only staring face-to-face with an outsource solution provider. The concepts for selecting one have not changed but regulations for privacy and auditing have.
