Security

This project started back in the Fall of 2016 in a boardroom in Seattle, Washington. The goal was to help a national utility company ensure that IoT based products were not weaponized while deployed. Their challenge to the team: How could a product assessment team help them given that there was national standards for things like a building code and electrical products.

Over the course of 18 months, a framework was created and validated using a pilot program with vendors who were considered SMBs in the IoT space. Several of these companies were only a few years old with very little in the way of process and procedure but were building a name for their products.

The program has three main phases:

    1. A self assessment;
    2. An audit based on claims made in the self-assessment, and;
    3. Formal testing (blackbox, white box, and grey box).

We were able to identify that most companies could complete the first phase in about 4 hours, the audit was typically completed in a day and testing was taking about one month. As the approach was not a “one-and-done” approach but a method to show maturity having a company enter the program would allow for the mapping of next target controls that need to be required.

This was how we started when we wrote the Expression version of T200, now fast forward 12 months and we have now added the following:

  • Add a baseline that maps to all international baselines for IoT based product companies;
  • Scope of testing is the solution not just the device;
  • Does not invalidate other programs or certifications already received for cyber but compliments them;
  • Created a supplement to deal with OT systems;
  • Defined the audit details that will be significant for both the auditor and organization being audited, and;
  • Providing a roadmap for young product companies to quickly map their current controls to those based on international standards and best practices to build maturity.

We believe that this standard will help SMBs who make products and services as it focuses not only on a product but how the company operates securely. This standard has been registered in both Canada (under Standards Council of Canada) and the United States (ANSI) so it will have applicability to many sectors including healthcare, OT, and automotive.

More information will be provided once the final version is published, which we anticipate in Spring of 2021. If you have any questions in the meantime please contact us.

It is hard to believe that we are days away from the 10 year anniversary of our humble beginnings. We have come so far from the company that I started in my basement. Back then it was just a dream of starting something small as an independent consultant but wanting to share my expertise in cyber to help clients. Now we have grown to a team of 7 and have offices in a great part of town in Ottawa, Canada and global clients. We are bursting at the seams and have already expanded our office footprint. With next year poised for more growth we will be expanding again and adding more R&D capacity in the process.

I have learned lots during my tenure as both a business owner and executive, and have made some good and bad decisions along the way. I never shy away from admitting my mistakes especially some questionable partners and sub-contractors – but life and business are about learning and I am grateful for the lessons.  I am humbled and blessed by our staff, clients, and partners we currently have as without you none of this would exist.

We will be refining our services as we shift the company from consulting to formal testing and evaluation and secure product development.Our capabilities will be expanding in the next year including our Hut6 platform to offer more services. With our growth in education, healthcare, and industrial our next 10 years looks very promising and with our current team in place we are definitely going to make this happen.

For all of you who believed in me and my dream thank-you! Lets make the next 10 years better than the first as we enter the teenager years of the company.

//Faud

If your Toronto and are tracking IoT security and privacy you need to head to the Internet Governance Forum (IGF) on Feb. 27th and the ISOC Multistakeholder events on Feb. 28th. Our CEO will be on a Panel for the IGF to discuss Labeling and will be presenting the Draft report on Labeling at the ISOC meeting the following day.

There will be many open discussions on the current of regulations and requirements that are being developed both in Canada and globally.

Details to IGF event are here

Detail to ISOC event are here

Bring your questions, issues, and problems to our open discussions. We hope to see you there.

 

Our CEO and President will be on a International Panel to discuss labeling for cyber for consumer and business products in the Canadian marketplace. As the Chair for the ISOC Labeling group for the IoT Security and Privacy Multistakeholder Process, Faud will be discussing what consumers and businesses need to consider when purchasing products and services and the current development of related standards and projects in Canada.

Please reach out on Twitter or LinkedIn to connect at the show. Hope to see you there.

Link to CES Session

 

 

This past weekend, I was very fortunate to be the keynote speaker at the China-Canada IoT and Blockchain Innovation and Development Summit in Markham (Toronto). It was great to see so many attendees who are interested in IoT and Blockchain and the potential for how we might be able to address security and privacy in IoT.

With the announcement of the Canada China IoT and Blockhain Research Institute it will greatly help Canadian and China organizations who want to expand their reach for products/services in these regions and be able have a source for testing, evaluation and business development. We are proud to be part of this and we look forward to helping companies secure their IoT solutions.

As a proud member of SDChain, TwelveDot is looking forward to growing the SDChain network which is already at 120K users and counting. As we get closer to building the SDK’s and expanding our platform, trustworthiness is going to be key element of providing security and privacy to IoT product/service users globally.

As many of you have requested a copy of my presentation I am providing it here: SDChain Keynote_v1

 

On June 20th, 2017, RISC will be held in Bangalore, India. It is a one day cyber security conference focused on issues around IoT security. Delegates will have the opportunity to attend a wide array of sessions to learn more security concepts and approaches to creating more secure IoT products and solutions.

Our CEO will giving a keynote presentation entitled “IoT Security – Preventing a Global Disaster”. While it sounds ominous it really focuses learning from the bad and what we can do as an industry to correct this before it becomes really dangerous.

Hope to you see you there.

 

I was asked to present at the Cyber Security 2017: Securing the Smart City of the Future conference which is taking place on February 27 – 28th in Ottawa. This is a Conference Board of Canada event and will be providing insights from the experts on smart cities, and the impact that they will have on urban life and business in the future. My presentation on Monday, February 27th (Plenary 3)  is called “Protecting the Smart City from Cyber Attack”. If you are working on an IoT or cyber security project, you should attend as there will be lots of good discussion and you will get an insight into the many risks of and considerations for the numerous aspects of a secure smart city.

Here is my discussion outline:

This session will discuss the approaches that must be considered by policy makers, technology companies, and city managers when assessing new technologies to be deployed as part of the smart city infrastructure. Cities do not want to be attacked nor have their devices used to attack other cities or foreign governments. It will take planning and foresight to reduce these risks. Standards are being developed that will help with both architecture aspects and how to assess the security and privacy risks.

Hope to you see you there and don’t forget to bring your questions!

As your probably aware, last year around this time we were accepted in to a soft landing program run under Invest Ottawa and the Hague Security Delta. My trips were quite educational and I got to meet a lot of companies in a very short period. Due to my success at these meetings, CanadExport has written an article on the trip and the programs for small businesses.

Given the current state of our world, we as SMBs in Canada need to find open markets to sell our goods and services. We also have a great support system to help us in this journey in the trade commissioners. I would personally recommend you reach out them and using their vast knowledge of local markets and ability to facilitate your first meetings. It will save you effort and frustration. If you ever want to pick my brain on your strategy on global markets please reach out to me. I will share my contacts and my experience with you.

The article on Hague visit is located here: http://tradecommissioner.gc.ca/canadexport/0001082.aspx?lang=eng

Well it has been good start to our 6th year in business. We would like to thank all our customers and partners both old and new who are contributing to our success. Without you we do not exist and most importantly get to build stronger more secure companies and products for our clients.

I wanted to bring your attention that on Feb. 7th I will be in Toronto to give a presentation to CIA Plus. My topic will be about IoT Challenges and Issues and Standards. If your in the Toronto area this evening please drop by and join our open discussion on security and IoT.

I will be joined by on my panel with Sangam Manikkayam of Symantec, Bob Martin of Cisco and Victor Garcia of the Schulich School of Business. It will be very informative if you or your organization are considering IoT projects this year. I will provide the security and privacy aspects you should consider when planning or getting ready to launch a new IoT project. If you are able to attend more information can be found here: https://www.meetup.com/CIA-Plus-TO-the-business-of-Cloud-IoT-and-Analytics/events/236370120/

In the meantime, if you have any security questions or concerns for IoT please do not hesitate to reach out to us.

Updated: Feb. 13, 2017

I would to take this opportunity to thank all of those that came out on an icy night in Toronto to the CIA Plus Meet Up. My only regret was the lack of time to discuss all the topics in depth. We did have some good discussion after in the networking portion of the meeting and key topics of discussion worth mentioning are how does one who has no experience in security and privacy conduct threat modeling? The other is finding the resources necessary to support these projects.

While there is publicly available information on threat modeling, you may have need to find a cyber security partner or consultancy that has this expertise in these areas to help you with a project to teach you approach, tools and train your staff. They should be able to provide the baseline elements to implement these aspects in your organization including the after project support, should you required it.

The second point about security resources is a bit more difficult as the number of technical security experts for IoT is limited. If you are looking to hire a security resource(s) look for reference-able projects that include aspects of technical architectures in mobile, cloud and distributed systems. Experience in these key areas will provide the necessary basis to conduct risk assessments against IoT architectures.

As discussed please find the following:

1. A copy of the presentation
2. A IoT mind map
3. The threat poster

Also please find an article from reporter, Denis Deveau, who was in the audience. Thank-you Denise for the coverage of this event.

IoT-Threats-and-RisksCIA Plus – Feb 7 – Final SWG_5_IoT_Technologies_MindMap

Earlier, this year, we were accepted into the The Canada-Netherlands Cyber and Security Technologies Soft Landing Platform. As a result, I am wrapping up my second visit to the Hague Security Delta (HSD) from another full week of meetings with potential clients and partners. It has been a wonderful experience and I wanted to take this opportunity to thank all of those who have helped us. Special gratitude goes out the following individuals and groups who helped us in this program:

1. Canadian Embassy staff Robyn in the Netherlands for several introductions.
2. Innovation Quarter staff Chris, Philip and Martijn for taking me out when I was jet lagged to show me sights, educate me to conducting business in NL and most of all providing introductions to companies.
3. Martin@HSD for many introductions and connecting me with the Netherlands Foreign Investment Agency
4. Bernadette formerly of InvestOttawa who provided the intro to Innovation Quarter

Over the next few months we are hopeful to see the fruits of our labour in NL. If this goes real well, we could be setting up our first international office in the Hague as well. If your a SMB in Canada looking for new markets realize that there are programs and people who are there to help you in the Netherlands. Canada and the Netherlands have a great relationship as a result of WWII and this mutual friendship should not be underestimated. Please feel free to reach out to me if you would like more details and contact information on the program.