Beijing - Remarks to Web of Things security - Frank Reusch

Embed Size (px)

Citation preview

Page 1: Beijing - Remarks to Web of Things security - Frank Reusch

Remarks to Web of Things security
Frank Alexander Reusch, Lemonbeat GmbH
F2F Meeting W3C, Web of Things
12th July 2016, Beijing, Beihang University

Image: LU JINRONG / Shutterstock.com

Page 2: Beijing - Remarks to Web of Things security - Frank Reusch

Disclaimer This document does not constitute an offer to sell or a solicitation of an offer to buy any securities. This document and the information contained herein are for information purposes only and do not constitute a prospectus or an offer to sell or a solicitation of an offer to buy any securities in the United States. Any securities referred to herein have not been and will not be registered under the U.S. Securities Act of 1933, as amended (the "Securities Act"), or the laws of any state of the United States, and may not be offered, sold or otherwise transferred in the United States absent registration or pursuant to an available exemption from registration under the Securities Act. Neither the Company nor one of its shareholders intends to register any securities referred to herein in the United States. No money, securities, or other consideration is being solicited, and, if sent in response to the information contained herein, will not be accepted. This document does not constitute an offer document or an offer of securities to the public in the U.K. to which section 85 of the Financial Services and Markets Act 2000 of the U.K. applies and should not be considered as a recommendation that any person should subscribe for or purchase any securities as part of the Offer. This document is being communicated only to (i) persons who are outside the U.K.; (ii) persons who have professional experience in matters relating to investments falling within article 19(5) of the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (as amended) (the "Order") or (iii) high net worth companies, unincorporated associations and other bodies who fall within article 49(2)(a) to (d) of the Order (all such persons together being referred to as "Relevant Persons"). Any person who is not a Relevant Person must not act or rely on this communication or any of its contents. 
Any investment or investment activity to which this communication relates is available only to Relevant Persons and will be engaged in only with Relevant Persons. This document should not be published, reproduced, distributed or otherwise made available, in whole or in part, to any other person without the prior consent of the company.

Page 3: Beijing - Remarks to Web of Things security - Frank Reusch

IoT is a turning point in history
This period is marked by a variety of linked activities with a high degree of novelty.

New…
• Microprocessors with more power and memory for constrained devices
• Customer boards (new design or redesign)
• Field devices with new functions
• Networks with autonomous communication
• Batteries of today or smaller, with increasing capacity
• Integration hubs on top that include multiple protocols
• Physical communications (e.g. IEEE 802.11ah)
• Areas of knowledge for developers
• Fields for customer training (new products are more complex and therefore need explanation)
• Need for awareness within industry and product design regarding what technology can do
• Market players and cooperations
• Standards and real interoperability
Altogether. Over years.

13.07.2016 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 3

Page 4: Beijing - Remarks to Web of Things security - Frank Reusch

Web of Things
Internet of Things / World Wide Web

Application domains shown: Industry, Building Automation, Smart Energy, Smart Cities, Mobility, Local Health, Environment, Agriculture, Smart Garden, Smart Home, Public Safety, Logistics

Standards prevent wild ad hoc development. Isolated silos are coming to an end. Based on standards, everyone can focus on good customer solutions. Combining the success strategies of the Web with IoT opens up a lot of new opportunities. Increasing complexity means a higher security risk.

W3C gives IoT a structure. The prerequisite for enormous growth is fulfilled.

Page 5: Beijing - Remarks to Web of Things security - Frank Reusch

Definitions

Everybody talks about security. But sometimes different terms are mixed.

Security
• Protection of an object against external influences
• "protection of a person, building, organization, or country against threats such as crime or attacks by foreign countries: ..." (Cambridge.org/dictionary)
• "things done to make people or places safe" (Merriam-Webster)
Examples:
• Protection of data against access
• Protection of a network against unauthorized access

Safety
• Protection against an object (for example, protection against failures)
• "protected, or free from danger etc."; "providing good protection" (Cambridge.org)
Examples:
• Protection of a person against failures or functional disorder of a device (e.g. local health)

Privacy
• "the quality or state of being apart from company or observation" or "freedom from unauthorized intrusion", "the state of being alone" or "the state of being away from public attention" (Merriam-Webster)
That's a challenge:
• New services require the provision of private information (position/current whereabouts, financial data etc.)

Page 6: Beijing - Remarks to Web of Things security - Frank Reusch

Interdependencies and the triangle of conflicting priorities

Triangle 1: Security, Safety, Privacy
Triangle 2: Cost, Quality, Time

What is blocking the enhancement of current security levels in the IoT?
• Lack of expertise (21 %)
• Budget constraints (19 %)
• Upper management buy-in (17 %)
• Lack of knowledge about advanced security processes and technology (15 %)
• Competing priorities (10 %)
• Organizational culture / attitude about security (10 %)

Source: IOT Analytics – Research and Survey results; Security of Things World Conference, Berlin, June 2016

Constrained budget / conflicting aims / unrealistic timelines
versus
Qualified people / a budget that meets the requirements / ambitious but realistic goals

Page 7: Beijing - Remarks to Web of Things security - Frank Reusch

Lemonbeat technology in the field of building automation – potential architecture

Today: conventional building automation infrastructure – expensive, inefficient, inflexible, not secure
Future: building automation infrastructure – efficient, interoperable, integrated, supplier independent, cheap, secure

Autonomous device network without central control. Internet access is not mandatory.

Page 8: Beijing - Remarks to Web of Things security - Frank Reusch

Transformation of building automation / complexity of intermediate steps to real WoT

A mix of old and new technologies increases the effort required for security.

Components in the diagram:
• Cloud/Platform ("collect, store, analyze data to provide operational efficiency")
• Integration platform
• Lemonbeat via radio, Ethernet etc. (direct communication to management level)
• Traditional communication with various protocols
• Multiple vendors; different types/functions/protocols of devices
• Primary equipment (heating, cooling, ...) with a long lifecycle
• Connector (without intelligence, low cost)
• Controller heating: e.g. redesign of control board
• Links: radio, Ethernet

Page 9: Beijing - Remarks to Web of Things security - Frank Reusch

Why are additional measures in the security of IoT necessary?

How is IoT security different from traditional system security?
• Higher system complexity (49 %)
• Distributed security across the network (49 %)
• A novel hardware / software integration (44 %)
• New software architecture (18 %)

Source: IOT Analytics

The traditional scope of IT security is not sufficient for the IoT.

Page 10: Beijing - Remarks to Web of Things security - Frank Reusch

Field level increases the potential attack surfaces (examples)

Enterprise level in the diagram: Purchasing, Production, CRM, R&D; Big Data, Predictive Analytics, Preventive Analytics; Social Network
Field level in the diagram: connectors, radio, Ethernet

Attack examples in the diagram:
• Impostor email / CEO fraud / Business Email Compromise (BEC)
• Reading data from memory
• 1. Access to customer data, 2. auto-reload function, 3. authorized password change
• Denial of Service
• Man-in-the-Middle attack
• Sniffer / Replay
• Stealing a dongle (reading the key)
• 1. Buffer overflow, 2. linking the return address to malware
• Access after a brute force attack

Page 11: Beijing - Remarks to Web of Things security - Frank Reusch


Most known security breaches

Page 12: Beijing - Remarks to Web of Things security - Frank Reusch

Who is responsible for security?

Here is the answer given by participants of a security conference (source: IOT Analytics):

Who holds responsibility will differ. If the company is a
• Device manufacturer, OEM:
  • Product Manager
  • CTO
  • For partial activities, everyone is responsible
• Customer in the area of B2B:
  • Process owner
  • Department which is responsible for a use case
  • For partial activities, everyone is responsible

Page 13: Beijing - Remarks to Web of Things security - Frank Reusch

Security is the result of many diverse activities in the value chain

• Many stages of the value chain are involved in ensuring security.
• Each involved person is responsible for their own part. This includes a look to the left and to the right side.
• Their task area is defined and cooperation with others is agreed (adoption).
• The result is a chain of tasks and responsibilities.
• The end customer receives 100 % quality when all people in the chain do their job properly (TQM).

Example chain: Chip Manufacturer → Device Manufacturer → Automobile Manufacturer

Page 14: Beijing - Remarks to Web of Things security - Frank Reusch

Security is a result of some complex activities

Value chain / company processes → Results

Participants in the diagram: Partner; OEM (e.g. chips); Device manufacturer; System integrator; Software developer; Other vendors; Universities / Research institutes
Process models: Waterfall, Agile, Guidelines
Development steps: Requirements, Design, Prototyping, Review, Optimization, Series production, Continuous Improvement
Organizational steps: Policy, Demand, Concept, Training, Review, Continuous Improvement
Program management across: Software, Hardware, Knowledge, Build / Test automation
Lifecycle: Requirements / Design, Development / Testing, Implementation / Maintenance
Other labels: Plan, Goals, Collaboration, Identity, Mission, Coaching

Page 15: Beijing - Remarks to Web of Things security - Frank Reusch

How much security is needed?

Not every use case is critical, and not in each critical use case are all aspects critical.

Is a similar approach to "risk based testing" feasible? How can a "risk based security" work? Is a multistage approach feasible?
• Step 1: Basic security
• Step 2: Criticality-based security design

The following objectives might be important:
1. Prevention
2. Deterrence
3. Automatism in case of attack

Exemplary rating:

Use case             Security  Safety  Privacy
Building Automation  1         2       2
Smart Energy         1         1       3
Local Health         1         1       1
Smart Home           1         2       1

Page 16: Beijing - Remarks to Web of Things security - Frank Reusch

Current activities of the world leading organisations (no claim to completeness)

W3C: Web Authentication Working Group; Web Application Security; Web Cryptography Working Group; Web Payments; Web Security Interest Group; Privacy Interest Group; Technical Architecture Group; Web of Things (WoT); XML Security; Hardware Based Secure Services Community Group; and others

IETF: DNS-based Authentication of Named Entities; IP Security Maintenance and Extensions; Transport Layer Security; Secure Inter-Domain Routing; JavaScript Object Signing and Encryption; Keying and Authentication for Routing Protocols; Open Authentication; Web Security; Securing Neighbor Discovery

IEEE: Industry Connections Security Group; IEEE Std 1686-2013 Standard for Intelligent Electronic Devices (IED) Cyber Security Capabilities; Technical Committee on Security and Privacy; Malware Working Group; IEEE Anti-Malware Support Service (AMSS); Malware MetaData Exchange Format (MMDEF) Working Group; IEEE Std 1363.1-2008 Standard Specification for Public-Key Cryptographic Techniques; IEEE Std 1363.3-2013 Standard for Identity-Based Cryptographic Techniques; IEEE Std 2600-2008 Standard for … Hardcopy Device and System Security; IEEE Std 1667-2015 Standard for Discovery, Authentication, and Authorization in Host Attachments of Storage Devices; decentralized regulations, e.g. 802.11ah, …

NIST: Advanced Encryption Standard, e.g. AES 128; NIST Interagency Report (NISTIR) 7977

ISO/IEC: ISO/IEC 27001; ISO/IEC 19790:2012 Security requirements for cryptographic modules

GSMA: GSMA IoT Security Guidelines

ETSI: ETSI TR 103 306: Global Cyber Security Ecosystem

ENISA: e.g. Critical Infrastructure and Services

IoT Security Foundation: "promote knowledge and clear best practice"

Page 17: Beijing - Remarks to Web of Things security - Frank Reusch

Knowledge is an important driver for IoT Security

Current situation:
• There are a variety of documents, guidelines and best practices relating to security.
• The know-how is distributed and at first glance very opaque.
• The level of knowledge of each developer varies greatly.
One suggestion:
• One centrally hosted library with all necessary knowledge regarding IoT Security ("The living wall")
• with structured links to original sources and connected areas.
• Free access for all developers.
• In the spirit of open source: constant adaptation and enlargement.

Page 18: Beijing - Remarks to Web of Things security - Frank Reusch

Thank you !