Infrastructure

Yesterday, we officially launched CSA P125 Technical Committee on  Operational Technology Functional Safety and Security. This group is compromised of experts who represent organizations in multiple sectors and from both Canada and the United States. Our mandate is primary ensure that both international and regional standards of interest are adopted in both countries.

As our standards will be published under Standards Council of Canada (SCC) and American National Standards Institute (ANSI) they will recognized in both of these markets. As we look forward to providing both vendors and organizations options for selecting and implementing standards and certification options that will reflect a commitment to secure products and solutions by these vendors.

As the co-Chair to this group, I am very fortunate to be in such great company and expertise. As the editor of T200, I am humbled by the expertise we will have available to make our standard reflective of industry needs and requirements. I am looking forward to building relationships with the new members in the years ahead.

As with all new journeys, this one is even more special due to many of the critical aspects of the technologies we are dealing with. Getting to discuss so many new use cases and sectors it the best part of the job. There are so many cool projects and technologies that the layman just never sees but ensuring that many aspects of society continue to operate normally. This group is going to be there to set the bar for security in OT technology.

//Faud

 

This past week I was fortunate to be invited as a guest speaker for the 1st Internet Society meeting on IoT security. This meeting was well attended from government, private sector companies and academia. It was a means to get on the same page to issues at hand and how do we as users, developers and government secure the Internet and IoT.

The key issues at hand include:

1. Awareness to the issue of IoT Security for Canadian, not just individuals but organizations who want to deploy IoT technologies

2. What exists now from standards and best practice perspective and what approaches can be used

3. What can be done to ensure the next generation of these devices is not a source of another DDoS or other malware on the Internet.

As promised, I am including my presentation and mind map that was presented. Please feel free to share this as necessary, the more groups and individuals who are talking about this subject the better.

For more information check out ISOC here.

ISOC Ottawa_v1

IoT Attack Surface_MindMap

 

Recently, I was asked to present to mobile operators in Malaysia on the topic of IPv6 security. As Malaysia is currently considering regulatory requirements to move to IPv6 some of the operators are struggling with being able to understand the security implications of moving to this new protocol.

The key aspects of my talk {which I am attach below} basically consider the following:
1. Create and maintain an ISMS
2. Threat Model all solutions options for architectural changes
3. Monitor at 6to4 for signs of suspicious activity
4. Evaluate security vendors for ability to monitor IPV6 traffic
5. Don’t let the vendors push you around. If they want your money they need to add the security features you want.
6. Evaluate all technology prior to deployment including technical assessments of the each device and platform being introduced to the network.
7. Ensure your lab is stocked with attack code and toolkits
8. Train, train, train your staff to be comfortable with v6
9. Understand we are still learning and will be for a while. Don’t be afraid to discuss your issues with your competitors because I can tell you they are experiencing the same issues.

Thanks again to MCMC for inviting me to share my knowledge. I look forward to visiting Kuala Lumpur again soon.

 

Presentation: IPv6 Security Best Practices – Oct 20_2015_v1

 

Starting next week Canada will be hosting the 3rd meeting of the WG 10 IoT in Ottawa.

These meeting are building towards the completion of ISO 30141 A Reference Architecture for IoT. We have many of the biggest companies, consortiums, special interest groups all in attendance. While, I am attending as an expert my focus is on the security and privacy elements of IoT. Over the summer,  I lead a SRG to develop the draft content for a Conceptual Reference Model (CRM) for this standard. While it is still a work in progress we are making significant strides on a base model.

I will provide more details next week once we begin our sessions and some details on what the major themes are.