Governance

A short history

This project started from a request back in 2016 from a national energy provider wanting to ensure that the IoT-based devices they were recommending to clients were safe for use and could not be weaponized. This came about because their in-house legal team was getting nervous hearing about device compromises on a daily basis.

This organization was known to the CSA Group standards teams, and the reach-out happened in the Fall of 2016 at a former CSA site in a Seattle suburb near Redmond. This meeting focused on the current state of standardization and the complete lack of any certification that looked at both the companies and the products they created from a maturity perspective. Hence the concept of the T200 was born, and I was fortunate to be part of that discussion and of the development of the T200.

Now, what happened next is a bit strange for standards developers. Normally, when creating a new standard, you do a market scan, determine weaknesses, etc.; in essence, a study period to better understand the market. However, CSA, with our help, decided to build a cyber assessment program instead. Yep, that is what we did, and we tried it a few times to better understand the overall impact on the vendor (regardless of size) and their ability to meet a baseline. This was a challenge and was not easy; it resulted in a lot more grey hairs. However, after 18 months of developing a process and validating it with vendors on both sides of the border, we had something. Not a small something, but a concept that was field tested and ready for prime time!

Now, based on this and with the support of the folks at our energy company and CSA, a NOI (Notice of Intent) was filed with the Standards Council of Canada. It was met with some challenges from other SDOs, who argued that other “certifications” existed and this one was not required. However, I was called up to pinch hit for CSA on this, as I wrote the seed document used for the NOI filing. My argument was simple: there is no certification scheme that considers a company and the products they create from a maturity model perspective. Needless to say, CSA was granted the project and we began our work in earnest to build our committee.

I will not get into all the trials and tribulations of a standards development process, as it is long, boring, and I don’t need to make this blog any longer than it needs to be ;). We assembled a mix of experts in both Canada and the US and developed the core content and the 200+ controls that would be included in the initial version. This included adding a last-minute supplement to meet the specific needs of the energy sector for both NERC and FERC compliance. It was tough, but we got it done and published in May of 2022.

T200 Foundations

Here is what is contained in the standard, and why it is a game changer:

  • It starts with a vendor self-assessment, after which an initial Maturity Level is assigned.
  • Next, an audit verifies the self-assessment claims, and the Maturity Level is updated to reflect any issues identified.
  • Finally, a penetration test is performed on the vendor’s primary solution, including all components (device, cloud, apps). The final overall Maturity Level is then assigned to the organization.

Here are some of the details of this approach.

  1. Maturity Levels:
    • Level One – Global baseline controls for a device
    • Level Two – Low security maturity for cyber risk and safety related solutions
    • Level Three – Midrange security level for cyber risk and safety related solutions
    • Level Four – Highest security maturity level for cyber risk and safety related solutions
  2. Six Domains of Coverage
    • Governance – Practices that organize, manage, and measure software security initiatives within an organization
    • Intelligence – Practices that result in corporate knowledge used in carrying out software security activities
    • Software Development Lifecycle – Practices associated with analysis and assurance of particular software development artifacts and processes
    • Deployment – Practices that work together with traditional network security and software maintenance organizations
    • General – Practices related to an organization’s approach to cyber security and data protection
    • IoT Solution – Practices considered during the development of IoT products/solutions
  3. Eighteen Practice Areas (these align to the Domains)
    • Governance – Strategies and Metrics, Compliance and Policy, and Training
    • Intelligence – Attack Models, Security Features and Design, Standards and Requirements
    • Software Development Lifecycle – Architecture Analysis, Code Review, and Security Testing
    • Deployment – Penetration Testing, Software Environment, Configuration Management and Vulnerability Management
    • General – Asset Management, Trustworthiness, and Security Operations
    • IoT Solution – Security by Design, Data Protection, and Security Feature Set
  4. The Entire Process for T200 Certification (this will depend on the lab conducting the evaluation)
    • Complete an NDA or similar
    • Complete a self-assessment questionnaire
    • Submit the self-assessment questionnaire for evaluation and grading
    • Audit of vendor
    • Audit Findings report
    • Testing and evaluation (product/service)
    • Testing and evaluation report
    • Attestation label filed for product/solution

This process makes it easy for vendors to undergo the evaluation, while at the same time allowing any organization to choose the Maturity Level it requires its vendors to reach.

The standard also meets supply chain and third-party provider requirements for any sector, and it aligns with the ISO/IEC standards for the IoT Baseline and Security/Privacy, the NIST IoT baseline, ETSI 303 645, and UK regulatory requirements. Harmonization was a key aspect of this project, and tracking to those standards while preventing fragmentation was key to our success. Security is not a one-and-done process but an ongoing lifecycle. You either buy into this approach or you don’t. It is the only way to ensure that the changing landscape of cyber risks is being identified and mitigated.

Here is a link to the standard: CAN/CSA T200

It was a great privilege to be part of this group and lead the discussion. While our discussion was only the beginning, organizations have to wake up to the fact that they are under attack for the IP they have or have access to. While they might not be able to see this impact every day, it does exist, and the attack surface can be device or relationship based. As a business executive, educate yourself on how your organization might be targeted and what mitigations you can put in place to minimize the attack surface. Training and awareness for your staff will be at the core of any program you develop. If you were unable to make the recent Internet Society – Canada Chapter Webinar, here are some further details that might be of interest.

Here is the list of our distinguished panelists:

Gentry Lane – CEO and Founder, ANOVA Intelligence
Tyson Macaulay – Chief Security Officer and VP of Field Engineering @ Rockport Networks
Jeremy Depow – Director, Policy and Stakeholder Relations CyberNB
Mary Anne – Intelligence Officer, Canadian Security Intelligence Agency (CSIS)

Here is the link to the video:

Protecting Innovative Canadian Sectors from Foreign Threats

I have also included links to resources provided by Gentry Lane, CEO & Founder, Anova Intelligence.

https://admin.govexec.com/media/diux_chinatechnologytransferstudy_jan_2018_(1).pdf

https://www.hsdl.org/?view&did=812268

China’s National Cybersecurity Center

For anyone who is part of a startup or even considering one, this book is a must read:

https://startupsecure.io/

How can an ISMS help your SMB?

When you mention ISO, executives start to see dollar signs and resource allocation, not business benefit for the future. For SMBs, who might be struggling, especially with the challenges of operating under COVID, how do you attempt to take on such a big endeavour?

First of all, if you’re an SMB you don’t have to start off with a full ISMS implementation on day one. Start with the basics, such as completing a company Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA). The outputs from these will help map where your “assets at risk” are and where you need to put your resources and efforts early on. With this completed, you can then start to plan your strategy for a full ISO 27001 implementation over a period of several years as the company grows and develops.

By doing this early in a company’s development, you will be able to get better control over your business operations. If you’re a technology firm, you can use the ISMS to differentiate yourself from competitors, as the first question many customers will ask is “what do you do for security and privacy?”. Laying the foundation of an ISMS shows your commitment to security and risk management for the business.

Depending on the sector you’re in, many customers now issue complex, security-focused RFPs, and you have to provide assurances that your company is able to operate in a secure state. Your ISMS implementation will aid greatly in meeting this requirement. It will help you complete your RFPs faster and with a better rate of success against competitors who choose not to go this route.

Impact of a data breach

With the cost of breaches going up, and updated regulatory requirements mandating reporting and fines, the damage to your company’s reputation is ever increasing. By implementing an ISMS you can show that you have put in place the necessary controls to minimize the impact of a data breach, and that you also have the means to quickly triage, contain, and mitigate the risks. Organizations without this approach struggle during a data breach, and over 60% of breached companies go out of business within 2 years as they fail to regain customer trust.

By securing its data, a company reduces the potential for exposure and for litigation.

Compliance

By the simple process of documenting what actions need to be taken, when, and by whom, employees are better able to understand what they can and can’t do in a given situation. This includes the many regulations, laws, and contractual obligations for security and privacy. With an ISMS implemented, you can quickly scale and grow a company and still meet or exceed market requirements for security.

Attracting Investment

Many small tech companies will be looking to grow the company with external investment. With many startup companies looking for capital, having a means to differentiate yourself will be key. Investors are looking not only at market potential, the financials, and legal matters, but also at how secure the product/solution and the organization are. Having an ISMS will show management’s dedication to a secure business and to developing secure solutions for the market.

Targeting ISO 27001 accreditation

For the typical organization, implementing ISO 27001 can take up to 24 months, depending on the size and complexity of the business. For startups, putting the framework for an ISMS in place early will greatly reduce the impact and cost of moving towards certification, especially if this is required for contract awards. With a base ISMS implemented, an organization can complete the certification aspect in about 6 months, and the reward of meeting your contractual obligations, along with the resulting revenue growth, will make it worth the effort.

With the dramatic growth of IoT globally in all sectors, the medical sector was not going to be bypassed; instead, there was going to be significant growth in new medical products and services.

With some of these new solutions come more capabilities and freedoms for patients, who can now be fully monitored without patient care. With an aging population and a global pandemic, the timing could not be better for the uptake of these technologies.

Now, the part that makes everyone uncomfortable is how to protect the privacy of the patient and ensure that there are no inherent cyber risks in using the product, i.e. that it cannot be weaponized.

Over the past couple of years, we have been working with many health products companies globally to help secure these solutions. This includes a three-year research project on IoT for Medical Devices. This has led to a methodology that allows us to formally assess a solution. Now, this is not just what some would call penetration testing, but a lot more than that. We create a testing environment that includes power supplies, SDRs, packet generators for various protocols, wireless sniffers, and countless other tools. We also have a playbook that is used to test all classes of products.

Based on this, if you are looking to test and evaluate health devices, here is some guidance we would like to share with you.

  1. Determine the market you are looking to sell the product into; this will determine the minimum testing and evaluation that will have to be provided. In Canada that would be Health Canada, and in the US it is the FDA. Both have very specific requirements for products under this classification, so make sure you understand the documentation you will require.
  2. Determine the standards to be used for evaluation, this may include one or more of the following:
    • UL2900-1-1 or UL2900-2-1
    • CSA T200
    • ISO 14971
    • IEC 80001-1
  3. These standards will determine the test cases for how each aspect is to be assessed and verified. Keep in mind that these tests and tools must be repeatable, and all outputs of testing need to be collected for validation and auditing. When creating each test case, ensure you are using a scientific methodology. You will have to explain to reviewers the how and why of each test case. You can even take screen recordings and captures to record impacts on devices under test.
  4. Some of this testing will not be easy, especially if you do not know aspects of system design, hardware testing, and tools such as logic analysers. It will also take longer than you anticipate. Plan your project scope accordingly.
  5. Packet capture everything and spend enough time analyzing the captures. Many times we found intel on devices simply because they were “chatty” on the wire. This includes sending nuggets of information in headers and data fields unencrypted, which can be used against a device. You have got to love metadata!
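As an added example (not TwelveDot’s playbook, nor any code from this post), here is the capture-analysis step written as a repeatable, auditable test case: it parses a constructed capture in a hypothetical framing, flags cleartext identifiers in headers and data fields, and records a hash of the capture alongside the verdict so the output can be validated later. The frame layout, field names, and sample values are all assumptions made for the example.

```python
import hashlib
import json
import re
import struct

def build_frame(ftype: int, payload: bytes) -> bytes:
    """Hypothetical framing (assumption): [uint16 length][uint8 type][payload]."""
    return struct.pack("!HB", len(payload), ftype) + payload

# Constructed sample capture, NOT traffic from any real device.
SAMPLE_CAPTURE = b"".join([
    build_frame(0x01, b"HELLO dev=PUMP-0042 fw=1.3.7 serial=SN123456"),
    build_frame(0x02, bytes(range(40))),  # opaque binary: nothing to flag
    build_frame(0x03, b"patient_id=PT-7781;glucose=112;unit=mg/dL"),
])

# Fields an evaluator expects NOT to travel in cleartext (hypothetical names).
SENSITIVE = {
    "serial_number": re.compile(rb"serial=([A-Za-z0-9-]+)"),
    "firmware_version": re.compile(rb"fw=([0-9.]+)"),
    "patient_id": re.compile(rb"patient_id=([A-Za-z0-9-]+)"),
}

def parse_frames(capture: bytes) -> list:
    """Split a capture into (type, payload) tuples; a truncated tail is dropped."""
    frames, offset = [], 0
    while offset + 3 <= len(capture):
        length, ftype = struct.unpack_from("!HB", capture, offset)
        offset += 3
        if offset + length > len(capture):
            break  # truncated frame: keep only what parsed cleanly
        frames.append((ftype, capture[offset:offset + length]))
        offset += length
    return frames

def run_test_case(capture: bytes, case_id: str = "TC-NET-01") -> dict:
    """Flag cleartext sensitive fields and return an auditable evidence record."""
    frames = parse_frames(capture)
    findings = []
    for index, (ftype, payload) in enumerate(frames):
        for name, pattern in SENSITIVE.items():
            for match in pattern.finditer(payload):
                findings.append({"frame": index, "type": ftype, "field": name,
                                 "value": match.group(1).decode()})
    return {
        "case_id": case_id,
        "capture_sha256": hashlib.sha256(capture).hexdigest(),  # ties result to evidence
        "frames": len(frames),
        "findings": findings,
        "result": "FAIL" if findings else "PASS",
    }

if __name__ == "__main__":
    print(json.dumps(run_test_case(SAMPLE_CAPTURE), indent=2))
```

The JSON record is what you would file with the test-case write-up: the same capture bytes re-run through the same script must yield the same hash and findings, which is what makes the test repeatable for a reviewer.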

As you work towards medical certification, keep in mind that you can do these tasks both in-house and using a 3rd party. If you are using a 3rd party, make sure they are accredited. Using a consultant for pen testing might save you some money but may not pass a regulatory review.

TwelveDot currently provides a complete solution, which includes testing of hardware, firmware, network communication, mobile and web applications, and the cloud platform, that exceeds current FDA and UL2900 requirements for testing and evaluation. We are working with global medical equipment companies to evaluate and secure their solutions. Please contact us to learn more.

We recently held the 2nd session in our CIO Africa MasterClass series, continuing our conversation on helping CIOs share strategies for dealing with the COVID-19 shutdown and WFH.

Our keynote was from Dr. Coker of Rack Center Limited who offered the following guidance:

  1. You need a Business Continuity Plan – This is regardless of the size of your business
  2. You need a Disaster Recovery Plan – To ensure you restore critical business functions as quickly as possible
  3. Resilience – A business needs to have the capability to deal with uncertainty; without this, situations such as the COVID-19 shutdown will have dramatic impacts on your business.

These topic points served as the basis for our discussion and questions, let’s look at some of these topics in depth.

Carole Karema (Equity Bank, Rwanda) built on these topics with examples of how the Rwandan banking system ensured that it was not only able to offer basic services but also expanded online services and features for clients and businesses. For businesses impacted by a local and global slowing economy, having a lifeline to help with cash flow and loan repayment provides several options to business owners and executives.

Nixon Mageka (Policy Expert, Kenya) also talked about the importance of health services and education during these times, and how to keep the fabric of our families’ health supported for non-COVID-related illnesses. We have all had to learn to work remotely, and that means having your little ones interrupt meetings to show you something or just needing the attention they deserve. They have no idea why you’re sitting on the phone all day when they need their stuffies that are just out of reach on a shelf. They are confused about why you’re always home and why they can’t go to the park or play with their friends any more. The stress on everyone is going to have long-term impacts on us all. That includes the social isolation that we are all feeling. The impacts on our society will be long-lasting, and some things will change forever.

I quickly noted that work from home also really illustrated an issue we are facing in Canada: the gap between those with Internet access and those from lower-income families who don’t have a device, and possibly no internet, and who are being impacted. Those kids are not really accounted for during these outages. Many school boards in Canada scrambled to find both technology and internet access to provide these services to those less fortunate.

From a security perspective, we need to keep our security hygiene in place as well. This includes not installing pirated software, having an up-to-date anti-malware application, not clicking on every email that sounds urgent, and making sure we have backups of our devices and critical data. While some home users are working on their own personal devices, those devices may still be used to attack the other digital assets of the company. Make sure you know who to contact at your company if you believe you have experienced a cyber issue.

In closing, we had another successful session with some of Africa’s thought leaders on technology and business. They shared some key points with attendees on the current topics of operating your business under COVID. In the future, we will be expanding our faculty members and the courses being offered; keep an eye out for these announcements.

I will be providing the link to the session video once available.