Cyber Security

Continuing on from our observations from Day 1, we noted several key points at the ETSI annual conference relating to cybersecurity policies.

Some future plans for standards and certifications under CSA include future candidate schemes in areas of IoT and IACS (industrial automation control system). As ENISA develops a candidate scheme for 5G network, several items need to be considered. One is the 5G context. This concerns what subset of 5G architecture, for the certification to be applied. Another is identifying scheme elements that support 5G evaluation and certification. Currently, we can expect a draft version of the NIS Directive v2 soon. Interestingly, the new directive introduces responsibilities for ENISA to be more involved in standardization. In response, ENISA developed its strategic objectives to maintain an inventory of standardization organizations and their activities and products. The goal is to then act as a cybersecurity reference point for the EU and participate in relevant standardization actives.

In the context of EU5G, the Network Equipment Security Assurance Scheme was submitted to ENISA for EU adoption. NESAS seeks to provide a security baseline for network equipment in the scope of mobile infrastructure. In particular, NESAS looks at if the equipment is developed to meet secure by design guidelines and does satisfy defined security requirements. Although NESAS is not a certification scheme, GSMA is currently looking at how certification components can be added.

We are also seeing some trends of transitioning from current schemes to CSA schemes. ANSSI is looking to provide EU-wide recognition for certified products and services. One example is ANSSI seeking to provide equivalent services of EUCS to the market. This may be achieved by leveraging consistency such as CSA levels, resistance tests, and applicable EU legislation.

A framework for European cybersecurity assessment (conformity) was proposed. The goal is to increase involvement and transparency to every member state, even those not offering certification or heavily involved in conformity assessment. The agreed new approach would then push for a horizontal regulation on cybersecurity (i.e. – it will capture all cybersecurity needs during vertical regulations to avoid fragmented conformant assessment across industries.

For SMEs, the SBS SME Compatibility Test for Standards was piloted. It provides an overall perception of SME compatibility of a given standard. As SMEs are essential parts of the supply chain, this may be a necessary starting point for improving standards.

Some updates on RED (Radio Equipment Directive) are the proposed applicable requirements. One interesting update is the essential requirements in article 3(3). Currently, Q3 2021 is the expected Commission adoption of a delegated act under Article 3(3)(d/e/f) of RED. This came from the Commission’s consideration of mandatory requirements to be proposed for market access of certain wireless products. For manufactures, this means they will need to demonstrate features to ensure protection of networks, privacy and data protection, and/or protection from frauds as conditions for market access.

The RED Article 3(3)(i) is the proposed next step after RED 3(3)(d/e/f). It concerns the software for the radio equipment. Currently, ETSI had developed a solution proposal on how to test for the new requirements and communicated it to the Commission.

The topic of cybersecurity policy presented challenges in standardizations. In which, we’d like to highlight that all schemes and legislation must provide some improvements to baseline security. Parallel schemes do not necessarily de-value, rather it is important that any parallel schemes will then allow manufactures to submit evidence transferred from 1 of the overlapping schemes to prove compliance.

At the recent ETSI annual conference, several cybersecurity domains were discussed. In this article, we’ll look at the latest development in IoT.

With the increasing adoption of 5G technology, the European Commission had requested ENISA to develop a candidate European Cybersecurity Certification scheme for 5G network. The EU 5G will be an extension of the EU toolbox for 5G security as it seeks to address certain risks, as part of a broader risk mitigation strategy. While ENISA is still processing both ECUU and ECUS schemes, we can expect the finalized version of ECUS in Q4 2021.

As the European Commission and Cybersecurity Group under the CSA start the discussion on a candidate for a cybersecurity certification scheme for connected devices, we can expect such scheme will be aligned to EU legislative frameworks and other European Cybersecurity Certification Schemes. In the EU, it’d be consistent with EU Cybersecurity Certification Schemes such as the European Common Criteria Scheme and the European Cloud Services Cybersecurity Certification Scheme. We believe combining multiple schemes may provide a holistic approach to certification. For example, using the IoT scheme for products and the EUCS scheme for supporting services may complement the standalone IoT scheme approach. As of now, we are expecting the URWP for European Cybersecurity Certification to be published in Q3 2021 where we can then understand how the European Commission would issue the request to the EU Cybersecurity Agency. Right now, we know the scope for such scheme will capture IoT devices in residential, industrial, and any other settings. The assurance levels will be the same three levels provided under the CSA. As the European Commission emphasizes the need for standardization, standards development in EU member states and internationally will need to be integrated into the EU Cybersecurity Certification Scheme for IoT.

We are also seeing exciting updates to EN303 645. EN provides a common baseline across the European and global markets for all consumer IoT. Currently, the focus for Q2 2021 is on developing assessment specifications (TS 103 701) to test against provisions of EN303 645. As this standard matures, we can expect alignment to standards and legislation under development for IoT.

General cybersecurity assessment frameworks often serve as a horizontal solution; however, to cover the general assurance requirements (such as assurance levels defined by the CSA) and to the specific field of application such as IoT, some guidance is provided on how to integrate EN17640 into a certification scheme. EN 17640 as a general evaluation methodology that when integrated into a certification scheme to fit the scheme assurance requirements, it raises some interesting questions. One is the extent of assessments required for each level. Currently, dEN 17640 editors and CEN/CLC JTC 13/WG 3 are working to publish this standard in September of 2021. Interesting to note is the future outlook of possible application in the Radio Equipment Directive Certification scheme.

The GCF also had some interesting updates on its Consumer IoT Security Accreditation programme based on EN303 645. Currently, its phase 1 provides self-accreditation for non-constrained devices. This involves the manufactures submitting a security compliance declaration covering the first 3 IoT Security Provisions defined by ETSI Cyber (EN 303 645). We are expecting development work for phase 2 to focus on extending assessment coverage to include constrained IoT and using TS 103 701 Test Specification as a baseline for conformity assessment to EN 303 645. For now, product manufactures should make sure no universal default passwords are used, implement a way to manage reports of vulnerabilities, and keep software updated for phase 1.

Another aspect of EN303 645 adoption is from the Cybersecurity Labelling Scheme from CSA Singapore. This scheme consists of 4 tiers. Although participation is voluntary, security-critical devices such as Wi-Fi routers will obtain at least tier 1 in Singapore. As more nations launch their schemes, we have to more mindful of fragmentations. For this particular scheme, it is done by leveraging EN303 645 and TS103701 for tier 4 testing.

Our observation was the importance of the collaborative effort in developing mutually recognized standards. For product manufactures in the global market, this provides value in that manufacturers do not have to choose which standard to be compliant for to operate in many jurisdictions.

The encryption debate is in full swing as we once again face the real challenge that governments need access to all of our data, on all devices in real-time including the ability to monitor all communications for signs of a threat to citizens and the nation.

From a policy perspective, we as consumers and citizens need to better understand the risks and exposures we might face. First of all, we are not talking about lawful access where a warrant is used to monitor the activities of a specific user or target of interest. We are talking about the open blatant use of techniques that will allow for wholesale capture and recording of all of your data transmissions.

Governments are asking that tech companies add a capability that will allow them to gain unfettered access to these servers to capture data at will and share or process this data with unknown sources including not having to provide notification to the end user. Psst some companies have already been doing this for years and just not telling you. This started in the 70s using an obscure ruling as precedent to now have all companies collect data as the “owner” of the data. It is buried in the EULA in pure legal speak that you clicked on to get access to their service.

Think about that for a second, would you like the government to monitor all of your banking transactions? What about the sexting with your spouse or significant other, or your company files stored on personal cloud storage services. Could this be used against you? Could you be charged or arrested? These are the big unknowns of such a broad data collection and history has proven that data collection schemes were used for nefarious reasons when needed by governments of questionable intentions.

We need to ask for openness on the intention of the data capture, who is impacted, what does this mean for service providers, and who it is the data being shared with. A policy framework should require that all proposed encryption schemes being recommended be peer evaluated to ensure that the design does not lead itself to backdoors, data collection, or meta data deciphering.

I would advise all citizens and business owners to learn more about this topic and get engaged in the discussion. These laws will change your life regardless if you realized it or not.

We need to have voice our concern before it is too late, in some jurisdictions it already might be. I also want to lying to stop and agencies to just come open on the topic. Just be truthful to Canadians of the data collection and when and where it is happening so we can make informed decisions to use the technology or not.

Here are some links worth checking out:

  1. Government recommendations for security and privacy – What is government of CA really asking for?
  2. Keys under door mats – What top crypto experts think of the issues at hand and potential risks
  3. “I have nothing to hide” – Good insight to personal privacy in the digital age

Please reach out to your MP or MPP and ask them what their stance is on the topic and what they are prepared to do to protect your privacy.

To everyone that attending the IoT Ottawa Virtual Meetup thank-you for taking the time to attend this session and for participating. It was a good discussion and I hope it was helpful for those of you that attended. It is good to see that events like these can still be held despite the current conditions.

For those of you that were not able to make it to the Meetup here is the abstract of the presentation:

One of the biggest barriers for the adoption of the IoT products is the potential security and privacy risks. To help overcome this reluctance vendors need to ensure that they are clearly demonstrating to the market they have implemented security and privacy in their solution. This workshop will provide an understanding how to secure an IoT solution leveraging a risk based approach using standards. We are going to present how IoT projects should be approached to ensure both security and privacy requirements are included at design time and be validated during the development lifecycle. This is based on countless projects where we have worked on evaluating IoT products in multiple sectors to identify design and process issues including formal testing to T200 and UL2900.

We will share the best practices for the following:

  1. Design considerations
  2. Setting up a governance function
  3. How to operate a Secure Development Lifecycle (SDLC)
  4. Operational Considerations
  5. Testing and Verification

Other topics of discussion include:

  1. Latest developments in the global market for security and privacy requirements
  2. Strategy considerations

This session will be provided as a workshop to help SME’s hopefully address their security and privacy issues. Please bring your questions and concerns.

As mentioned, I am providing the presentation, the IoT attack surface poster and worksheet for the presentation. I am also hoping to provide the video of the session available at a later date as well.

Note: I will be posting the worksheet a bit later but wanted to share the presentation and poster right away.

Please reach out for any clarifications or questions you may have and most of all be safe everyone!

IoT Threat Poster

IoT Ottawa – Blueprint for IoT Security

 

It is hard to believe that we are days away from the 10 year anniversary of our humble beginnings. We have come so far from the company that I started in my basement. Back then it was just a dream of starting something small as an independent consultant but wanting to share my expertise in cyber to help clients. Now we have grown to a team of 7 and have offices in a great part of town in Ottawa, Canada and global clients. We are bursting at the seams and have already expanded our office footprint. With next year poised for more growth we will be expanding again and adding more R&D capacity in the process.

I have learned lots during my tenure as both a business owner and executive, and have made some good and bad decisions along the way. I never shy away from admitting my mistakes especially some questionable partners and sub-contractors – but life and business are about learning and I am grateful for the lessons.  I am humbled and blessed by our staff, clients, and partners we currently have as without you none of this would exist.

We will be refining our services as we shift the company from consulting to formal testing and evaluation and secure product development.Our capabilities will be expanding in the next year including our Hut6 platform to offer more services. With our growth in education, healthcare, and industrial our next 10 years looks very promising and with our current team in place we are definitely going to make this happen.

For all of you who believed in me and my dream thank-you! Lets make the next 10 years better than the first as we enter the teenager years of the company.

//Faud

The last few months have been hectic as many of the standards groups are pushing to get security and privacy aspects of IoT under control. As we get ready to whine down the year lets look at where we are:

a. ISO/IEC 27030 IoT Security and Privacy – This standard has now moved to Committee Draft (CD) and as the editor I am really proud of my editing team and global experts to get us her rather quickly. I believe this international standard will set the bar for IoT products globally and is highly anticipated by many groups and organizations globally.

b. ISO/IEC 27042 IoT Basline – This standard is currently a New Work Item Proposal (NWIP) and will be going to voting in the next few months. This is the result of a Adhoc Group that studied this and determined that we need a baseline for vendors who are entering the IoT product field. The goal is that this would be just a starting point and not the finish line for securing the product and organization but would provide regulators the guidance they need for products.

c. IoT Platform is group that has developed as result of work completed by the Internet Society in Canada. As a result of this work, a platform of regulators has formed and continues to expand how to ensure that IoT products are secure both now and in the future. As a result of this many nations will be making formal announcements to aspects that products should have. In Canada this has posted by Office of Consumer Affairs (OCA) and details are located here. I believe that this is good starting point but an hope that vendors will realized these aspects alone do not make a secure product that only happens when security and privacy become an embedded part of the organization and is driven into the development processes. I also hope that our regulators hold vendors to a higher sense of responsibility for security and products going forward.

d. CSA T200 has been released as an Express Standard and over the next 24 months we hope to develop the final version that will be used as the baseline for products and organizations in Canada and the US for meeting or exceeding regulatory requirements for IoT products. In the future we are looking for the implementation of a cyber label on products for security. More to come on this in the future.

e. IEC 30149 IoT Trustworthiness is still very much a work in progress as many experts are still trying to determine what consitutes trust. While one faction believes it is result of SDLC, I am very much of the opinion that this is not the case but view of the organization that includes the development processes. The approach must be based on an approach such as ISO 42010 that will allow any organization to determine the specific attributes to trust for their company and products being developed.

Here is the content for the IoT Checklist:

1. Ask how the device is collecting, using, and sharing your data

  • Is the device collecting my data? How is the device collecting my data?
  • Is the device using my data? How is the device using my data?
  • Is the device sharing my data? How is the device sharing my data?
  • With whom is the device sharing my data?
  • Is the device collecting data I do not want shared, such as my location?
  • Is there an option for me to opt out of the device collecting, sharing or using my data?
  • Will I be able to opt out of additional or future features that collect data, without opting out of security updates?

2. Ask about the device’s lifecycle, if it can function offline, and if there is product support available

  • How long can I expect the device to work?
  • How long are security patches and upgrades expected to be available for this product?
  • What kind of support is available should I experience problems with the device or suspect the device has been compromised?
  • Will the device work without an Internet connection? Can I use the product if the Internet is down? What features work offline?
  • Will the device work if the manufacturer ceases to exist?

3. Ask if the device you are buying is from a reputable manufacturer

  • Does the company have a good track record when it comes to protecting its customers’ privacy and security?
  • Check for media coverage online about whether or not this company has experienced a security breach in the past. If so, what was the impact on its consumers? What measures did the company take to prevent future security breaches?
  • Are there independent user reviews of the product I can consult?

For more tips on how to approach a business or manufacturer about your privacy and security concerns, check out this tip sheet.

Lots of progress this past year and lots more to come. I do see a shift that regulators globally are moving towards requirements for IoT companies. I hope it is a wake up call for vendors that due to the lack of security controls and the growing attack surface that IoT vendors will see a day where their products will undergo formal testing and evaluation to enter certain markets globally.

 

Today, TwelveDot is starting a multiyear R&D project with Carleton University in Ottawa, Canada and several other medical partners. The goal of this research to create a risk framework for evaluating the usage of IoT technologies in hospitals, clinics and other out patient services. As the technology/cyber partner for this research project, we are excited to be bringing our expertise in IoT and assessment to this project, and are look forward to working with all healthcare providers to make these environments much safer from a cyber perspective.

Lets help the healthcare professionals focus on getting our sick citizens well again and reduce the attack surface of the products and services they use.

 

Today our CEO presented at IoT613 an Ottawa based conference focused on all things IoT. There was also a developer day before the conference as well. The conference had really good attendance including several vendors or other organizations working in this area. If you are interested in this topic plan to attend the conference next year, speakers provide a range of views and experiences.

Our presentation focused on how to evaluate IoT products and solutions for both security and privacy. The lack of education in this area is of concern as many product companies are amping up their marketing to “assure” of product safety but yet many products have never undergone formal testing and certification nor do many even have secure by design or privacy by design approaches. Security for most IoT vendors is an after thought. When purchasing one of these products assume that security and privacy testing has not been conducted.

If you did not make it out to the presentation please find it attached, we hope that it helps to be better understand the issues.

IoT613 – TwelveDot – May 9 2019

Our CEO and President will be on a International Panel to discuss labeling for cyber for consumer and business products in the Canadian marketplace. As the Chair for the ISOC Labeling group for the IoT Security and Privacy Multistakeholder Process, Faud will be discussing what consumers and businesses need to consider when purchasing products and services and the current development of related standards and projects in Canada.

Please reach out on Twitter or LinkedIn to connect at the show. Hope to see you there.

Link to CES Session

 

 

This past week I was fortunate to be invited as a guest speaker for the 1st Internet Society meeting on IoT security. This meeting was well attended from government, private sector companies and academia. It was a means to get on the same page to issues at hand and how do we as users, developers and government secure the Internet and IoT.

The key issues at hand include:

1. Awareness to the issue of IoT Security for Canadian, not just individuals but organizations who want to deploy IoT technologies

2. What exists now from standards and best practice perspective and what approaches can be used

3. What can be done to ensure the next generation of these devices is not a source of another DDoS or other malware on the Internet.

As promised, I am including my presentation and mind map that was presented. Please feel free to share this as necessary, the more groups and individuals who are talking about this subject the better.

For more information check out ISOC here.

ISOC Ottawa_v1

IoT Attack Surface_MindMap