Cyber Security

Ottawa, ONT (March 9, 2021) – I am very pleased to announce a new partner and joint team relationship with Debbie Mishael Consulting and Mr. Ifeanyi “Frank” Ogochukwu.

I first meet Ifeanyi back in 2015 when we were both working on the ITU project for a specification for monitoring aircraft for transoceanic travel. However, since this point we have been a panelist on the CIO MasterClass Africa series to help CIO and executives in the African region with support and guidance for dealing with COVID. We look forward to our continued joint collaboration on projects related to aviation, IT, and cybersecurity in the future.

Debbie Mishael Consulting has offices in both Nigeria and South Africa.

Engr. Ifeanyi a licensed Air Traffic Safety Electronics Specialist, IT Ambassador, Microsoft Hero, has over 30 years’ experience in Strategy, Aviation and IT/ Telecoms Critical Infrastructure Management, Implementation and Operations, Project Management, Security and SME Business;. He is an Aeronautical Telecommunications Engineering and Business Administration graduate from the Nigerian College of Aviation Technology and the University of Abuja respectively; also received with distinction a Master’s degree in Communications Management from the University of Rwanda and United Kingdom Telecommunications Academy; Masters in Information Technology and Post Graduate Diploma in Transport Management from the Ladoke Akintola University of Technology, Ogbomosho; a Post Graduate Certificate – IT and Telecoms Law from Buckinghamshire University, United Kingdom and IT Business Manager Certification from Belmont University and MDE Enterprises. Engr. Ifeanyi is also the Chief Technology Strategist, Debbie Mishael Consulting; Regional Director Africa, Sasaran Technologies; Instructor/ Lecturer – Digital Bridge Institute, International Centre for Communications Studies, Lagos Campus, Nigeria and Convener, CIO MasterClass Africa

Over the years, He has attained higher executive management responsibilities and broadened my corporate and social responsibilities. As the General Manager/ Chief Information Officer, Nigerian Airspace Management he delivered innovative safety mission critical systems, infrastructure and platforms for the safety and security of air navigation including capacity building. He was the Project Co-ordinator, NAMA multi million dollars (USD) World Bank West Central African Air Transport Safety and Security Program and International Telecommunications Union (ITU): Chairman/Lead Working Group 4 (WG 4) of the Focus Group on Aviation Applications in the cloud for Flight Data Monitoring ( FG AC).- Flight Tracking and Data Streaming Managed a team comprising of experts from a multi-stakeholder international global aviation, airlines, telecommunications, and satellites organizations focused on “feasibility of using recent developments in commercial aeronautical data link services, as well as reusing existing infrastructure, for real-time flight data streaming where appropriate”.

He was the Lead in the design and implementation of the NAMA TRACON Radar VSAT Network, Aviation Regulator Airport Metro Fibre Project; Airspace Security Vulnerability Assessment; Business Process Automation; ADS – C/CPDLC and Project Manager, SITA ATC Communications Consultancy amongst others. Global Advisory Board Member – EC Council (The International Council of Electronic Commerce Consultants ); Consulted for AIREON on Nigeria Spaced based Automatic Dependent Surveillance ( S-ADS-B) Initiative; Consulting for Unify on Unmanned Traffic Management System (UTMS).

His professional qualifications include but not limited to the following: Satellite Communications, ATSEP License Rating (Surveillance Systems: Rating 1: Secondary Surveillance and Processing Systems and Rating 2:Mode S Radar and ADS-B), Aviation Critical Infrastructure Testing and Quality Assurance, Advanced Performance Programme, Implementation Course on Safety Management System (SMS), Performance Based Navigation (PBN) , Aeronautical Information Management (AIM), Communications Navigation Surveillance /Air Traffic Management (CNS/ATM) for Engineering, Aviation Security and Critical infrastructure Protection, Prince 2 Project Management Certification, TRACON Sky Wan (Installation Basics, VSAT Station Commissioning, VSAT Network Commissioning, VSAT Network Operator, Configuration of IP over SkyWan VSAT, Configuration of Frame Relay over Sky Wan VSAT), Data Communications (LAN, TCP/IP, Wide Area Network, ATM) and Certified Management Trainer; PMI Agile Project Management Programme, PMI Project Management Professional Programme, Certified Information Security Consultant (CISC); Certified Professional Hacker; Certified Professional Forensic Analyst.

Ifeanyi has led several engagements with expertise encompassing: Organizational Strategy; Technology Strategy, Implementation and Operations; Aviation Infrastructure Development and Implementation; Security Strategy; IT Management, Operations and Support; Revenue Assurance; Human Capital Development; Policy/Regulatory Development and Advisory.

For more details please contact us at info(at)twelvedot.com.

 

 

The encryption debate is in full swing as we once again face the real challenge that governments need access to all of our data, on all devices in real-time including the ability to monitor all communications for signs of a threat to citizens and the nation.

From a policy perspective, we as consumers and citizens need to better understand the risks and exposures we might face. First of all, we are not talking about lawful access where a warrant is used to monitor the activities of a specific user or target of interest. We are talking about the open blatant use of techniques that will allow for wholesale capture and recording of all of your data transmissions.

Governments are asking that tech companies add a capability that will allow them to gain unfettered access to these servers to capture data at will and share or process this data with unknown sources including not having to provide notification to the end user. Psst some companies have already been doing this for years and just not telling you. This started in the 70s using an obscure ruling as precedent to now have all companies collect data as the “owner” of the data. It is buried in the EULA in pure legal speak that you clicked on to get access to their service.

Think about that for a second, would you like the government to monitor all of your banking transactions? What about the sexting with your spouse or significant other, or your company files stored on personal cloud storage services. Could this be used against you? Could you be charged or arrested? These are the big unknowns of such a broad data collection and history has proven that data collection schemes were used for nefarious reasons when needed by governments of questionable intentions.

We need to ask for openness on the intention of the data capture, who is impacted, what does this mean for service providers, and who it is the data being shared with. A policy framework should require that all proposed encryption schemes being recommended be peer evaluated to ensure that the design does not lead itself to backdoors, data collection, or meta data deciphering.

I would advise all citizens and business owners to learn more about this topic and get engaged in the discussion. These laws will change your life regardless if you realized it or not.

We need to have voice our concern before it is too late, in some jurisdictions it already might be. I also want to lying to stop and agencies to just come open on the topic. Just be truthful to Canadians of the data collection and when and where it is happening so we can make informed decisions to use the technology or not.

Here are some links worth checking out:

  1. Government recommendations for security and privacy – What is government of CA really asking for?
  2. Keys under door mats – What top crypto experts think of the issues at hand and potential risks
  3. “I have nothing to hide” – Good insight to personal privacy in the digital age

Please reach out to your MP or MPP and ask them what their stance is on the topic and what they are prepared to do to protect your privacy.

To everyone that attending the IoT Ottawa Virtual Meetup thank-you for taking the time to attend this session and for participating. It was a good discussion and I hope it was helpful for those of you that attended. It is good to see that events like these can still be held despite the current conditions.

For those of you that were not able to make it to the Meetup here is the abstract of the presentation:

One of the biggest barriers for the adoption of the IoT products is the potential security and privacy risks. To help overcome this reluctance vendors need to ensure that they are clearly demonstrating to the market they have implemented security and privacy in their solution. This workshop will provide an understanding how to secure an IoT solution leveraging a risk based approach using standards. We are going to present how IoT projects should be approached to ensure both security and privacy requirements are included at design time and be validated during the development lifecycle. This is based on countless projects where we have worked on evaluating IoT products in multiple sectors to identify design and process issues including formal testing to T200 and UL2900.

We will share the best practices for the following:

  1. Design considerations
  2. Setting up a governance function
  3. How to operate a Secure Development Lifecycle (SDLC)
  4. Operational Considerations
  5. Testing and Verification

Other topics of discussion include:

  1. Latest developments in the global market for security and privacy requirements
  2. Strategy considerations

This session will be provided as a workshop to help SME’s hopefully address their security and privacy issues. Please bring your questions and concerns.

As mentioned, I am providing the presentation, the IoT attack surface poster and worksheet for the presentation. I am also hoping to provide the video of the session available at a later date as well.

Note: I will be posting the worksheet a bit later but wanted to share the presentation and poster right away.

Please reach out for any clarifications or questions you may have and most of all be safe everyone!

IoT Threat Poster

IoT Ottawa – Blueprint for IoT Security

 

It is hard to believe that we are days away from the 10 year anniversary of our humble beginnings. We have come so far from the company that I started in my basement. Back then it was just a dream of starting something small as an independent consultant but wanting to share my expertise in cyber to help clients. Now we have grown to a team of 7 and have offices in a great part of town in Ottawa, Canada and global clients. We are bursting at the seams and have already expanded our office footprint. With next year poised for more growth we will be expanding again and adding more R&D capacity in the process.

I have learned lots during my tenure as both a business owner and executive, and have made some good and bad decisions along the way. I never shy away from admitting my mistakes especially some questionable partners and sub-contractors – but life and business are about learning and I am grateful for the lessons.  I am humbled and blessed by our staff, clients, and partners we currently have as without you none of this would exist.

We will be refining our services as we shift the company from consulting to formal testing and evaluation and secure product development.Our capabilities will be expanding in the next year including our Hut6 platform to offer more services. With our growth in education, healthcare, and industrial our next 10 years looks very promising and with our current team in place we are definitely going to make this happen.

For all of you who believed in me and my dream thank-you! Lets make the next 10 years better than the first as we enter the teenager years of the company.

//Faud

The last few months have been hectic as many of the standards groups are pushing to get security and privacy aspects of IoT under control. As we get ready to whine down the year lets look at where we are:

a. ISO/IEC 27030 IoT Security and Privacy – This standard has now moved to Committee Draft (CD) and as the editor I am really proud of my editing team and global experts to get us her rather quickly. I believe this international standard will set the bar for IoT products globally and is highly anticipated by many groups and organizations globally.

b. ISO/IEC 27042 IoT Basline – This standard is currently a New Work Item Proposal (NWIP) and will be going to voting in the next few months. This is the result of a Adhoc Group that studied this and determined that we need a baseline for vendors who are entering the IoT product field. The goal is that this would be just a starting point and not the finish line for securing the product and organization but would provide regulators the guidance they need for products.

c. IoT Platform is group that has developed as result of work completed by the Internet Society in Canada. As a result of this work, a platform of regulators has formed and continues to expand how to ensure that IoT products are secure both now and in the future. As a result of this many nations will be making formal announcements to aspects that products should have. In Canada this has posted by Office of Consumer Affairs (OCA) and details are located here. I believe that this is good starting point but an hope that vendors will realized these aspects alone do not make a secure product that only happens when security and privacy become an embedded part of the organization and is driven into the development processes. I also hope that our regulators hold vendors to a higher sense of responsibility for security and products going forward.

d. CSA T200 has been released as an Express Standard and over the next 24 months we hope to develop the final version that will be used as the baseline for products and organizations in Canada and the US for meeting or exceeding regulatory requirements for IoT products. In the future we are looking for the implementation of a cyber label on products for security. More to come on this in the future.

e. IEC 30149 IoT Trustworthiness is still very much a work in progress as many experts are still trying to determine what consitutes trust. While one faction believes it is result of SDLC, I am very much of the opinion that this is not the case but view of the organization that includes the development processes. The approach must be based on an approach such as ISO 42010 that will allow any organization to determine the specific attributes to trust for their company and products being developed.

Here is the content for the IoT Checklist:

1. Ask how the device is collecting, using, and sharing your data

  • Is the device collecting my data? How is the device collecting my data?
  • Is the device using my data? How is the device using my data?
  • Is the device sharing my data? How is the device sharing my data?
  • With whom is the device sharing my data?
  • Is the device collecting data I do not want shared, such as my location?
  • Is there an option for me to opt out of the device collecting, sharing or using my data?
  • Will I be able to opt out of additional or future features that collect data, without opting out of security updates?

2. Ask about the device’s lifecycle, if it can function offline, and if there is product support available

  • How long can I expect the device to work?
  • How long are security patches and upgrades expected to be available for this product?
  • What kind of support is available should I experience problems with the device or suspect the device has been compromised?
  • Will the device work without an Internet connection? Can I use the product if the Internet is down? What features work offline?
  • Will the device work if the manufacturer ceases to exist?

3. Ask if the device you are buying is from a reputable manufacturer

  • Does the company have a good track record when it comes to protecting its customers’ privacy and security?
  • Check for media coverage online about whether or not this company has experienced a security breach in the past. If so, what was the impact on its consumers? What measures did the company take to prevent future security breaches?
  • Are there independent user reviews of the product I can consult?

For more tips on how to approach a business or manufacturer about your privacy and security concerns, check out this tip sheet.

Lots of progress this past year and lots more to come. I do see a shift that regulators globally are moving towards requirements for IoT companies. I hope it is a wake up call for vendors that due to the lack of security controls and the growing attack surface that IoT vendors will see a day where their products will undergo formal testing and evaluation to enter certain markets globally.

 

Today, TwelveDot is starting a multiyear R&D project with Carleton University in Ottawa, Canada and several other medical partners. The goal of this research to create a risk framework for evaluating the usage of IoT technologies in hospitals, clinics and other out patient services. As the technology/cyber partner for this research project, we are excited to be bringing our expertise in IoT and assessment to this project, and are look forward to working with all healthcare providers to make these environments much safer from a cyber perspective.

Lets help the healthcare professionals focus on getting our sick citizens well again and reduce the attack surface of the products and services they use.

 

Today our CEO presented at IoT613 an Ottawa based conference focused on all things IoT. There was also a developer day before the conference as well. The conference had really good attendance including several vendors or other organizations working in this area. If you are interested in this topic plan to attend the conference next year, speakers provide a range of views and experiences.

Our presentation focused on how to evaluate IoT products and solutions for both security and privacy. The lack of education in this area is of concern as many product companies are amping up their marketing to “assure” of product safety but yet many products have never undergone formal testing and certification nor do many even have secure by design or privacy by design approaches. Security for most IoT vendors is an after thought. When purchasing one of these products assume that security and privacy testing has not been conducted.

If you did not make it out to the presentation please find it attached, we hope that it helps to be better understand the issues.

IoT613 – TwelveDot – May 9 2019

Our CEO and President will be on a International Panel to discuss labeling for cyber for consumer and business products in the Canadian marketplace. As the Chair for the ISOC Labeling group for the IoT Security and Privacy Multistakeholder Process, Faud will be discussing what consumers and businesses need to consider when purchasing products and services and the current development of related standards and projects in Canada.

Please reach out on Twitter or LinkedIn to connect at the show. Hope to see you there.

Link to CES Session

 

 

This past week I was fortunate to be invited as a guest speaker for the 1st Internet Society meeting on IoT security. This meeting was well attended from government, private sector companies and academia. It was a means to get on the same page to issues at hand and how do we as users, developers and government secure the Internet and IoT.

The key issues at hand include:

1. Awareness to the issue of IoT Security for Canadian, not just individuals but organizations who want to deploy IoT technologies

2. What exists now from standards and best practice perspective and what approaches can be used

3. What can be done to ensure the next generation of these devices is not a source of another DDoS or other malware on the Internet.

As promised, I am including my presentation and mind map that was presented. Please feel free to share this as necessary, the more groups and individuals who are talking about this subject the better.

For more information check out ISOC here.

ISOC Ottawa_v1

IoT Attack Surface_MindMap

 

As we start another new year in business, I wanted to take this opportunity to thank all our customers, partners, and staff for the outstanding work we have accomplished to date. Over the past 8 years we have accomplished quite a bit with a small team and as we move into our ninth year we are expecting significant growth and expansion throughout the year.

Here is some of the small list of our accomplishments:

  1. Developed a proprietary method for evaluation mobile applications (2011)
  2. Developed a proprietary method for evaluating IoT solutions (mobile, cloud, and devices) (2014)
  3. Developed a platform for secure file transfers for clients and partners (2015)

This year, we look forward to launching an ISMS assessment app and platform to help us create more secure businesses using a tired and proven framework for cyber security. This will aid in our continued expansion into all corners of the globe with support by our partners.

Recently we have jointed SDChain as a advisor. SDChain envisions that IoT data from the physical world, should be sharable via a fast and cost-effective digital blockchain network where data producers and data users conduct digital asset exchange, within an open partnership ecosystem, based on globally standardized IoT six-domain model.

We look forward to sharing and securing the world one company and app at time. Join us for the journey.