IoT

At the recent ETSI annual conference, several cybersecurity domains were discussed. In this article, we’ll look at the latest development in IoT.

With the increasing adoption of 5G technology, the European Commission had requested ENISA to develop a candidate European Cybersecurity Certification scheme for 5G network. The EU 5G will be an extension of the EU toolbox for 5G security as it seeks to address certain risks, as part of a broader risk mitigation strategy. While ENISA is still processing both ECUU and ECUS schemes, we can expect the finalized version of ECUS in Q4 2021.

As the European Commission and Cybersecurity Group under the CSA start the discussion on a candidate for a cybersecurity certification scheme for connected devices, we can expect such scheme will be aligned to EU legislative frameworks and other European Cybersecurity Certification Schemes. In the EU, it’d be consistent with EU Cybersecurity Certification Schemes such as the European Common Criteria Scheme and the European Cloud Services Cybersecurity Certification Scheme. We believe combining multiple schemes may provide a holistic approach to certification. For example, using the IoT scheme for products and the EUCS scheme for supporting services may complement the standalone IoT scheme approach. As of now, we are expecting the URWP for European Cybersecurity Certification to be published in Q3 2021 where we can then understand how the European Commission would issue the request to the EU Cybersecurity Agency. Right now, we know the scope for such scheme will capture IoT devices in residential, industrial, and any other settings. The assurance levels will be the same three levels provided under the CSA. As the European Commission emphasizes the need for standardization, standards development in EU member states and internationally will need to be integrated into the EU Cybersecurity Certification Scheme for IoT.

We are also seeing exciting updates to EN303 645. EN provides a common baseline across the European and global markets for all consumer IoT. Currently, the focus for Q2 2021 is on developing assessment specifications (TS 103 701) to test against provisions of EN303 645. As this standard matures, we can expect alignment to standards and legislation under development for IoT.

General cybersecurity assessment frameworks often serve as a horizontal solution; however, to cover the general assurance requirements (such as assurance levels defined by the CSA) and to the specific field of application such as IoT, some guidance is provided on how to integrate EN17640 into a certification scheme. EN 17640 as a general evaluation methodology that when integrated into a certification scheme to fit the scheme assurance requirements, it raises some interesting questions. One is the extent of assessments required for each level. Currently, dEN 17640 editors and CEN/CLC JTC 13/WG 3 are working to publish this standard in September of 2021. Interesting to note is the future outlook of possible application in the Radio Equipment Directive Certification scheme.

The GCF also had some interesting updates on its Consumer IoT Security Accreditation programme based on EN303 645. Currently, its phase 1 provides self-accreditation for non-constrained devices. This involves the manufactures submitting a security compliance declaration covering the first 3 IoT Security Provisions defined by ETSI Cyber (EN 303 645). We are expecting development work for phase 2 to focus on extending assessment coverage to include constrained IoT and using TS 103 701 Test Specification as a baseline for conformity assessment to EN 303 645. For now, product manufactures should make sure no universal default passwords are used, implement a way to manage reports of vulnerabilities, and keep software updated for phase 1.

Another aspect of EN303 645 adoption is from the Cybersecurity Labelling Scheme from CSA Singapore. This scheme consists of 4 tiers. Although participation is voluntary, security-critical devices such as Wi-Fi routers will obtain at least tier 1 in Singapore. As more nations launch their schemes, we have to more mindful of fragmentations. For this particular scheme, it is done by leveraging EN303 645 and TS103701 for tier 4 testing.

Our observation was the importance of the collaborative effort in developing mutually recognized standards. For product manufactures in the global market, this provides value in that manufacturers do not have to choose which standard to be compliant for to operate in many jurisdictions.

This project started back in the Fall of 2016 in a boardroom in Seattle, Washington. The goal was to help a national utility company ensure that IoT based products were not weaponized while deployed. Their challenge to the team: How could a product assessment team help them given that there was national standards for things like a building code and electrical products.

Over the course of 18 months, a framework was created and validated using a pilot program with vendors who were considered SMBs in the IoT space. Several of these companies were only a few years old with very little in the way of process and procedure but were building a name for their products.

The program has three main phases:

    1. A self assessment;
    2. An audit based on claims made in the self-assessment, and;
    3. Formal testing (blackbox, white box, and grey box).

We were able to identify that most companies could complete the first phase in about 4 hours, the audit was typically completed in a day and testing was taking about one month. As the approach was not a “one-and-done” approach but a method to show maturity having a company enter the program would allow for the mapping of next target controls that need to be required.

This was how we started when we wrote the Expression version of T200, now fast forward 12 months and we have now added the following:

  • Add a baseline that maps to all international baselines for IoT based product companies;
  • Scope of testing is the solution not just the device;
  • Does not invalidate other programs or certifications already received for cyber but compliments them;
  • Created a supplement to deal with OT systems;
  • Defined the audit details that will be significant for both the auditor and organization being audited, and;
  • Providing a roadmap for young product companies to quickly map their current controls to those based on international standards and best practices to build maturity.

We believe that this standard will help SMBs who make products and services as it focuses not only on a product but how the company operates securely. This standard has been registered in both Canada (under Standards Council of Canada) and the United States (ANSI) so it will have applicability to many sectors including healthcare, OT, and automotive.

More information will be provided once the final version is published, which we anticipate in Spring of 2021. If you have any questions in the meantime please contact us.

With the dramatic growth of IoT globally in all sectors, medical was not going to be bypassed but instead there was going to be significant growth in new products/services for medical.

With some of these new solutions come more capabilities and freedoms for patients who can now still be fully monitored without patient care. With an aging population and global pandemic, the timing cannot be better for the uptake of these technologies.

Now the part that makes everyone uncomfortable is how to protect the privacy of the patient and ensure that there is no inherit cyber risks of using the product. i.e. can it be weaponized.

Over the past couple of years, we have been working with many health products companies globally to help with securing these solutions. This includes a 3-years research project on IoT for Medical Devices. This has led to a methodology that allows us to formally assess a solution. Now this is not just what some would call penetration testing but a lot more than that. We create a testing environment that includes power supplies, SDRs, packet generators for various protocols, wireless sniffers and countless other tools. We also have a playbook that is used to test all classes of products.

Based on this, if you are looking to test and evaluate health devices here is some guidance, we would like to share with you.

  1. Determine the market you looking to sell the product into, this will determine the minimum testing and evaluation that will have to be provided. In Canada that would be Health Canada and in the US that is the FDA. Both have very specific requirements for products under this classification so make sure you understand the documentation you will require.
  2. Determine the standards to be used for evaluation, this may include one or more of the following:
    • UL2900-1-1 or UL2900-2-1
    • CSA T200
    • ISO 14971
    • IEC 80001-1
  3. These standards will determine the test cases on how each aspect is to be assessed and verified. Keep in mind, these tests and tools must be repeatable, and all outputs of testing need to be collected for validation and auditing. When creating each test case ensure you are using a scientific methodology approach. You will have to provide to reviewers how and why of each test case. You can even take screen recordings and captures to record impacts to devices under test.
  4. Some of these testings will not be easy, especially if you do not know aspects of system design, hardware testing, and tools such as logic analysers. It will also take longer than you anticipated as well. Plan your project scope accordingly.
  5. Packet capture everything and spend enough time to analyze these. Many times, we found some intel on the devices by them being “chatty” on the wire. This includes sending nuggets of information in headers and data fields unencrypted which can be used against a device. You have got to love metadata!

As you work towards medical certification keep in mind you can do these tasks both in-house and using a 3rd party. If you are using a 3rd party, make sure they are accredited. Using a consultant for pen testing might save you some money but will not potentially pass a regulatory review.

TwelveDot currently provides a complete solution which includes testing hardware, firmware, network communication, mobile and web application and the cloud platform that exceeds current FDA and UL2900 requirements for testing and evaluation. We are working with global medical equipment companies to evaluate and secure their solutions. Please contact us to learn more.

 

To everyone that attending the IoT Ottawa Virtual Meetup thank-you for taking the time to attend this session and for participating. It was a good discussion and I hope it was helpful for those of you that attended. It is good to see that events like these can still be held despite the current conditions.

For those of you that were not able to make it to the Meetup here is the abstract of the presentation:

One of the biggest barriers for the adoption of the IoT products is the potential security and privacy risks. To help overcome this reluctance vendors need to ensure that they are clearly demonstrating to the market they have implemented security and privacy in their solution. This workshop will provide an understanding how to secure an IoT solution leveraging a risk based approach using standards. We are going to present how IoT projects should be approached to ensure both security and privacy requirements are included at design time and be validated during the development lifecycle. This is based on countless projects where we have worked on evaluating IoT products in multiple sectors to identify design and process issues including formal testing to T200 and UL2900.

We will share the best practices for the following:

  1. Design considerations
  2. Setting up a governance function
  3. How to operate a Secure Development Lifecycle (SDLC)
  4. Operational Considerations
  5. Testing and Verification

Other topics of discussion include:

  1. Latest developments in the global market for security and privacy requirements
  2. Strategy considerations

This session will be provided as a workshop to help SME’s hopefully address their security and privacy issues. Please bring your questions and concerns.

As mentioned, I am providing the presentation, the IoT attack surface poster and worksheet for the presentation. I am also hoping to provide the video of the session available at a later date as well.

Note: I will be posting the worksheet a bit later but wanted to share the presentation and poster right away.

Please reach out for any clarifications or questions you may have and most of all be safe everyone!

IoT Threat Poster

IoT Ottawa – Blueprint for IoT Security

 

The last few months have been hectic as many of the standards groups are pushing to get security and privacy aspects of IoT under control. As we get ready to whine down the year lets look at where we are:

a. ISO/IEC 27030 IoT Security and Privacy – This standard has now moved to Committee Draft (CD) and as the editor I am really proud of my editing team and global experts to get us her rather quickly. I believe this international standard will set the bar for IoT products globally and is highly anticipated by many groups and organizations globally.

b. ISO/IEC 27042 IoT Basline – This standard is currently a New Work Item Proposal (NWIP) and will be going to voting in the next few months. This is the result of a Adhoc Group that studied this and determined that we need a baseline for vendors who are entering the IoT product field. The goal is that this would be just a starting point and not the finish line for securing the product and organization but would provide regulators the guidance they need for products.

c. IoT Platform is group that has developed as result of work completed by the Internet Society in Canada. As a result of this work, a platform of regulators has formed and continues to expand how to ensure that IoT products are secure both now and in the future. As a result of this many nations will be making formal announcements to aspects that products should have. In Canada this has posted by Office of Consumer Affairs (OCA) and details are located here. I believe that this is good starting point but an hope that vendors will realized these aspects alone do not make a secure product that only happens when security and privacy become an embedded part of the organization and is driven into the development processes. I also hope that our regulators hold vendors to a higher sense of responsibility for security and products going forward.

d. CSA T200 has been released as an Express Standard and over the next 24 months we hope to develop the final version that will be used as the baseline for products and organizations in Canada and the US for meeting or exceeding regulatory requirements for IoT products. In the future we are looking for the implementation of a cyber label on products for security. More to come on this in the future.

e. IEC 30149 IoT Trustworthiness is still very much a work in progress as many experts are still trying to determine what consitutes trust. While one faction believes it is result of SDLC, I am very much of the opinion that this is not the case but view of the organization that includes the development processes. The approach must be based on an approach such as ISO 42010 that will allow any organization to determine the specific attributes to trust for their company and products being developed.

Here is the content for the IoT Checklist:

1. Ask how the device is collecting, using, and sharing your data

  • Is the device collecting my data? How is the device collecting my data?
  • Is the device using my data? How is the device using my data?
  • Is the device sharing my data? How is the device sharing my data?
  • With whom is the device sharing my data?
  • Is the device collecting data I do not want shared, such as my location?
  • Is there an option for me to opt out of the device collecting, sharing or using my data?
  • Will I be able to opt out of additional or future features that collect data, without opting out of security updates?

2. Ask about the device’s lifecycle, if it can function offline, and if there is product support available

  • How long can I expect the device to work?
  • How long are security patches and upgrades expected to be available for this product?
  • What kind of support is available should I experience problems with the device or suspect the device has been compromised?
  • Will the device work without an Internet connection? Can I use the product if the Internet is down? What features work offline?
  • Will the device work if the manufacturer ceases to exist?

3. Ask if the device you are buying is from a reputable manufacturer

  • Does the company have a good track record when it comes to protecting its customers’ privacy and security?
  • Check for media coverage online about whether or not this company has experienced a security breach in the past. If so, what was the impact on its consumers? What measures did the company take to prevent future security breaches?
  • Are there independent user reviews of the product I can consult?

For more tips on how to approach a business or manufacturer about your privacy and security concerns, check out this tip sheet.

Lots of progress this past year and lots more to come. I do see a shift that regulators globally are moving towards requirements for IoT companies. I hope it is a wake up call for vendors that due to the lack of security controls and the growing attack surface that IoT vendors will see a day where their products will undergo formal testing and evaluation to enter certain markets globally.

 

Yesterday, we officially launched CSA P125 Technical Committee on  Operational Technology Functional Safety and Security. This group is compromised of experts who represent organizations in multiple sectors and from both Canada and the United States. Our mandate is primary ensure that both international and regional standards of interest are adopted in both countries.

As our standards will be published under Standards Council of Canada (SCC) and American National Standards Institute (ANSI) they will recognized in both of these markets. As we look forward to providing both vendors and organizations options for selecting and implementing standards and certification options that will reflect a commitment to secure products and solutions by these vendors.

As the co-Chair to this group, I am very fortunate to be in such great company and expertise. As the editor of T200, I am humbled by the expertise we will have available to make our standard reflective of industry needs and requirements. I am looking forward to building relationships with the new members in the years ahead.

As with all new journeys, this one is even more special due to many of the critical aspects of the technologies we are dealing with. Getting to discuss so many new use cases and sectors it the best part of the job. There are so many cool projects and technologies that the layman just never sees but ensuring that many aspects of society continue to operate normally. This group is going to be there to set the bar for security in OT technology.

//Faud

 

Over the past few months, we co-authored a CABA Whitepaper with BC Hydro’s David Rogers. The goal was to write a document that would help IoT vendors identify standards that should be considered for their IoT solutions and organization. As many buyers and procurement departments are developing requirements for products prior to evaluation and purchase ensuring that vendors, especially early stage companies, better understood the options is going to be key to adoption. With regulatory requirements being developed in many regions the future for products is going to mandate that several product categories undergo formal testing and evaluation. Getting ready for this is going to ease the transition, allow vendors to adapt to the frameworks and expand to new markets globally.

TwelveDot is honoured to have worked with staff of BC Hydro and others to develop this body of work and hope that SMB IoT vendors will benefit from our document and the approach to securing your operations and products. Also a shoutout to the folks at CSA Group for the support during this project. The funding was greatly appreciated.

The whitepaper can be found here: https://www.caba.org

Today our CEO presented at IoT613 an Ottawa based conference focused on all things IoT. There was also a developer day before the conference as well. The conference had really good attendance including several vendors or other organizations working in this area. If you are interested in this topic plan to attend the conference next year, speakers provide a range of views and experiences.

Our presentation focused on how to evaluate IoT products and solutions for both security and privacy. The lack of education in this area is of concern as many product companies are amping up their marketing to “assure” of product safety but yet many products have never undergone formal testing and certification nor do many even have secure by design or privacy by design approaches. Security for most IoT vendors is an after thought. When purchasing one of these products assume that security and privacy testing has not been conducted.

If you did not make it out to the presentation please find it attached, we hope that it helps to be better understand the issues.

IoT613 – TwelveDot – May 9 2019

If your Toronto and are tracking IoT security and privacy you need to head to the Internet Governance Forum (IGF) on Feb. 27th and the ISOC Multistakeholder events on Feb. 28th. Our CEO will be on a Panel for the IGF to discuss Labeling and will be presenting the Draft report on Labeling at the ISOC meeting the following day.

There will be many open discussions on the current of regulations and requirements that are being developed both in Canada and globally.

Details to IGF event are here

Detail to ISOC event are here

Bring your questions, issues, and problems to our open discussions. We hope to see you there.

 

Our CEO and President will be on a International Panel to discuss labeling for cyber for consumer and business products in the Canadian marketplace. As the Chair for the ISOC Labeling group for the IoT Security and Privacy Multistakeholder Process, Faud will be discussing what consumers and businesses need to consider when purchasing products and services and the current development of related standards and projects in Canada.

Please reach out on Twitter or LinkedIn to connect at the show. Hope to see you there.

Link to CES Session