General News

Well folks, we just completed 12 years at TwelveDot and it has been quite the ride for both the company and myself. We have had  a lot of changes over the years with both the company and how we operate. This was due to a changing focus with our customers and how we had approached offering our services. I would have never thought that I would get to meet so many new contacts, work in new sectors such as aviation, healthcare, and education, and get to travel the world over doing so. To all of our current and former clients thank-you for believing in us. To those we still have to meet, we look forward to the day we can satisfy your cyber needs.

Starting this month and going forward, I will be posting updates as we look to change some of the operational aspects of the business. These are not significant just changing with the times to again meet the demand of the market and need for specialized services.

I will also beginning a series on the CSA/ANSI T200 standard that was published last year. We were pivotal in both developing and writing this standard and we are hoping that it will really become a baseline for all IoT devices to be evaluated using a maturity model approach. This standard already is aligned to the ISO standard on a IoT baseline (ISO/IEC 27402) and the ETSI baseline (303 645) for Europe. We made harmonization a key aspect of this standard to allow vendors to get assessed under one program that would have global recognition. More on this later including the many organizations who are already recognizing this standard for testing and evaluation of IoT products.

I will also be announcing a book I am working on later this year as well. It represents the 10 plus years of work we have done for IoT both as research and as product evaluators.

With the post-COVID generation upon us, we look forward to contributing to more International standards work and projects that help to build on our recognized achievements to date. To our staff, this would not have happened without you and I am grateful for all our staff both current and previous.

//Faud

As a security consultancy firm, our job is to provide guidance on security best practices to facilitate the protection of privacy and data for all the clients we serve. We believe strong encryption should be a global effort for national security, personal security and privacy, and free expression. In particular, the use of end-to-end encryption is currently what keeps our information assets secure across the web. For those who are not familiar with end-to-end encryption and why it is important in all aspects of security, here’s a great video resource https://www.youtube.com/watch?v=ADg7x2Buw0s

To extend our effort in advocating strong encryption adoption, we would like to vocalize our membership in the Global Encryption Coalition community. As stated by Global Encryption Coalition, “several governments and law enforcement agencies are trying to ban or weaken encryption for everyone”. The premise is that “They (the governments) want to require companies using encryption to create backdoors to catch criminals or wrongdoers”. We believe in a global movement to strengthen and preserve the use of strong encryption. As part of a global coalition, the movement calls on governments and the private sector to reject efforts to undermine encryption and to pursue policies with the adoption of strong encryption.

While members of the Global Encryption Coalition recognize crime prevention as a universal priority, undermining encryption efforts would also mean greater threats in the global economy and at the expense of users’ security privacy.

As Edward Snowden once said, “If you weaken encryption, people will die. This year alone, after the fall of the government of Afghanistan, we saw how crucial encryption is in keeping ordinary people safe. … Encryption makes us all safer. From families protecting photographs of their kids, to personal healthcare information, encryption keeps our private information private”.

The current trend of technical measures proposed to “break” end-to-end encryption all have one thing in common: each of them involves creating a form of “backdoor access” to “moderate” the data sent. The opportunities for misuse of such “backdoors” can be disastrous.

What this means for Canadians

The ruling by the Supreme Court of Canada stated that speech, including controversial or repugnant speech, has social value and should be protected from unjustified state monitoring. We did see attempts, despite criticism, from the government to enact “online harm laws” to restrict yet-to-be-defined “hurtful” online content, with the targeted categories in terrorist content, content that incites violence, hate speech, intimate images shared non-consensually, and child sexual exploitation content. What Canadians need to know is that such law will require internet giants and platforms utilizing end-to-end encryption to inspect all online content traversing. This also means communication between anyone, including privileged communications between physicians and their clients, will need to be examined by “breaking” encryption and thus undermining personal security and privacy. Canadians and businesses need to be aware of how ongoing privacy and security laws relate to the security of their personal data and any client data housed.

While cyber security is a broad discipline and requires collaboration between all stakeholders, we would like to highlight the importance of strong encryption usage in all sectors of business and the user data housed. We recommend reading this article published by the Global Encryption Coalition, where it highlights the security impact of “breaking” end-to-end encryption. You can find the article at this link – https://www.globalencryption.org/2020/11/breaking-encryption-myths/

Continuing on from our observations from Day 1, we noted several key points at the ETSI annual conference relating to cybersecurity policies.

Some future plans for standards and certifications under CSA include future candidate schemes in areas of IoT and IACS (industrial automation control system). As ENISA develops a candidate scheme for 5G network, several items need to be considered. One is the 5G context. This concerns what subset of 5G architecture, for the certification to be applied. Another is identifying scheme elements that support 5G evaluation and certification. Currently, we can expect a draft version of the NIS Directive v2 soon. Interestingly, the new directive introduces responsibilities for ENISA to be more involved in standardization. In response, ENISA developed its strategic objectives to maintain an inventory of standardization organizations and their activities and products. The goal is to then act as a cybersecurity reference point for the EU and participate in relevant standardization actives.

In the context of EU5G, the Network Equipment Security Assurance Scheme was submitted to ENISA for EU adoption. NESAS seeks to provide a security baseline for network equipment in the scope of mobile infrastructure. In particular, NESAS looks at if the equipment is developed to meet secure by design guidelines and does satisfy defined security requirements. Although NESAS is not a certification scheme, GSMA is currently looking at how certification components can be added.

We are also seeing some trends of transitioning from current schemes to CSA schemes. ANSSI is looking to provide EU-wide recognition for certified products and services. One example is ANSSI seeking to provide equivalent services of EUCS to the market. This may be achieved by leveraging consistency such as CSA levels, resistance tests, and applicable EU legislation.

A framework for European cybersecurity assessment (conformity) was proposed. The goal is to increase involvement and transparency to every member state, even those not offering certification or heavily involved in conformity assessment. The agreed new approach would then push for a horizontal regulation on cybersecurity (i.e. – it will capture all cybersecurity needs during vertical regulations to avoid fragmented conformant assessment across industries.

For SMEs, the SBS SME Compatibility Test for Standards was piloted. It provides an overall perception of SME compatibility of a given standard. As SMEs are essential parts of the supply chain, this may be a necessary starting point for improving standards.

Some updates on RED (Radio Equipment Directive) are the proposed applicable requirements. One interesting update is the essential requirements in article 3(3). Currently, Q3 2021 is the expected Commission adoption of a delegated act under Article 3(3)(d/e/f) of RED. This came from the Commission’s consideration of mandatory requirements to be proposed for market access of certain wireless products. For manufactures, this means they will need to demonstrate features to ensure protection of networks, privacy and data protection, and/or protection from frauds as conditions for market access.

The RED Article 3(3)(i) is the proposed next step after RED 3(3)(d/e/f). It concerns the software for the radio equipment. Currently, ETSI had developed a solution proposal on how to test for the new requirements and communicated it to the Commission.

The topic of cybersecurity policy presented challenges in standardizations. In which, we’d like to highlight that all schemes and legislation must provide some improvements to baseline security. Parallel schemes do not necessarily de-value, rather it is important that any parallel schemes will then allow manufactures to submit evidence transferred from 1 of the overlapping schemes to prove compliance.

At the recent ETSI annual conference, several cybersecurity domains were discussed. In this article, we’ll look at the latest development in IoT.

With the increasing adoption of 5G technology, the European Commission had requested ENISA to develop a candidate European Cybersecurity Certification scheme for 5G network. The EU 5G will be an extension of the EU toolbox for 5G security as it seeks to address certain risks, as part of a broader risk mitigation strategy. While ENISA is still processing both ECUU and ECUS schemes, we can expect the finalized version of ECUS in Q4 2021.

As the European Commission and Cybersecurity Group under the CSA start the discussion on a candidate for a cybersecurity certification scheme for connected devices, we can expect such scheme will be aligned to EU legislative frameworks and other European Cybersecurity Certification Schemes. In the EU, it’d be consistent with EU Cybersecurity Certification Schemes such as the European Common Criteria Scheme and the European Cloud Services Cybersecurity Certification Scheme. We believe combining multiple schemes may provide a holistic approach to certification. For example, using the IoT scheme for products and the EUCS scheme for supporting services may complement the standalone IoT scheme approach. As of now, we are expecting the URWP for European Cybersecurity Certification to be published in Q3 2021 where we can then understand how the European Commission would issue the request to the EU Cybersecurity Agency. Right now, we know the scope for such scheme will capture IoT devices in residential, industrial, and any other settings. The assurance levels will be the same three levels provided under the CSA. As the European Commission emphasizes the need for standardization, standards development in EU member states and internationally will need to be integrated into the EU Cybersecurity Certification Scheme for IoT.

We are also seeing exciting updates to EN303 645. EN provides a common baseline across the European and global markets for all consumer IoT. Currently, the focus for Q2 2021 is on developing assessment specifications (TS 103 701) to test against provisions of EN303 645. As this standard matures, we can expect alignment to standards and legislation under development for IoT.

General cybersecurity assessment frameworks often serve as a horizontal solution; however, to cover the general assurance requirements (such as assurance levels defined by the CSA) and to the specific field of application such as IoT, some guidance is provided on how to integrate EN17640 into a certification scheme. EN 17640 as a general evaluation methodology that when integrated into a certification scheme to fit the scheme assurance requirements, it raises some interesting questions. One is the extent of assessments required for each level. Currently, dEN 17640 editors and CEN/CLC JTC 13/WG 3 are working to publish this standard in September of 2021. Interesting to note is the future outlook of possible application in the Radio Equipment Directive Certification scheme.

The GCF also had some interesting updates on its Consumer IoT Security Accreditation programme based on EN303 645. Currently, its phase 1 provides self-accreditation for non-constrained devices. This involves the manufactures submitting a security compliance declaration covering the first 3 IoT Security Provisions defined by ETSI Cyber (EN 303 645). We are expecting development work for phase 2 to focus on extending assessment coverage to include constrained IoT and using TS 103 701 Test Specification as a baseline for conformity assessment to EN 303 645. For now, product manufactures should make sure no universal default passwords are used, implement a way to manage reports of vulnerabilities, and keep software updated for phase 1.

Another aspect of EN303 645 adoption is from the Cybersecurity Labelling Scheme from CSA Singapore. This scheme consists of 4 tiers. Although participation is voluntary, security-critical devices such as Wi-Fi routers will obtain at least tier 1 in Singapore. As more nations launch their schemes, we have to more mindful of fragmentations. For this particular scheme, it is done by leveraging EN303 645 and TS103701 for tier 4 testing.

Our observation was the importance of the collaborative effort in developing mutually recognized standards. For product manufactures in the global market, this provides value in that manufacturers do not have to choose which standard to be compliant for to operate in many jurisdictions.

As we start another new year in business, I wanted to take this opportunity to thank all our customers, partners, and staff for the outstanding work we have accomplished to date. Over the past 8 years we have accomplished quite a bit with a small team and as we move into our ninth year we are expecting significant growth and expansion throughout the year.

Here is some of the small list of our accomplishments:

  1. Developed a proprietary method for evaluation mobile applications (2011)
  2. Developed a proprietary method for evaluating IoT solutions (mobile, cloud, and devices) (2014)
  3. Developed a platform for secure file transfers for clients and partners (2015)

This year, we look forward to launching an ISMS assessment app and platform to help us create more secure businesses using a tired and proven framework for cyber security. This will aid in our continued expansion into all corners of the globe with support by our partners.

Recently we have jointed SDChain as a advisor. SDChain envisions that IoT data from the physical world, should be sharable via a fast and cost-effective digital blockchain network where data producers and data users conduct digital asset exchange, within an open partnership ecosystem, based on globally standardized IoT six-domain model.

We look forward to sharing and securing the world one company and app at time. Join us for the journey.

 

Earlier, this year, we were accepted into the The Canada-Netherlands Cyber and Security Technologies Soft Landing Platform. As a result, I am wrapping up my second visit to the Hague Security Delta (HSD) from another full week of meetings with potential clients and partners. It has been a wonderful experience and I wanted to take this opportunity to thank all of those who have helped us. Special gratitude goes out the following individuals and groups who helped us in this program:

1. Canadian Embassy staff Robyn in the Netherlands for several introductions.
2. Innovation Quarter staff Chris, Philip and Martijn for taking me out when I was jet lagged to show me sights, educate me to conducting business in NL and most of all providing introductions to companies.
3. Martin@HSD for many introductions and connecting me with the Netherlands Foreign Investment Agency
4. Bernadette formerly of InvestOttawa who provided the intro to Innovation Quarter

Over the next few months we are hopeful to see the fruits of our labour in NL. If this goes real well, we could be setting up our first international office in the Hague as well. If your a SMB in Canada looking for new markets realize that there are programs and people who are there to help you in the Netherlands. Canada and the Netherlands have a great relationship as a result of WWII and this mutual friendship should not be underestimated. Please feel free to reach out to me if you would like more details and contact information on the program.

Over the past few months, we have been working with the Chang School at Ryerson to develop a one day seminar on cyber security. The goal is to get more executives and board members comfortable talking about security and ensuring they have strong security strategies regardless of sector. The staff at Ryerson have been great at supporting our ideas and concepts and are helping this course become a reality. From an educational perspective, these are the key aspects that will be discuss during the session:

  1. Principles of a Cyber Security Strategy
  2. A Case Study
  3. Implementing a Risk Management Process
  4. Preparing for a Breach including a drafting a Breach and Cyber Security Playbook

There will be lots of open discussions and examples on these topics and you can pick my brain on these issues specific to your company or sector. I am looking forward to spending the day exchanging, learning and sharing. Bring your questions and problems and I hope to see you on Sept.24th. More details to the course and registration are located here http://ow.ly/QeiK2.

 

Faud Khan