Building the IoT Supply Chain of Trust
Professor John Haine, University of Bristol
Chair, IoT Security Foundation
https://iotsecurityfoundation.org/
[Diagram labels: Emergency services; Cellular; LPWA; Short range radio; Internet; Cloud service platforms; Infra operators; Fleet operators; Data service providers]
Who is responsible for securing the IoT?
Who secures the device?
[Diagram labels: Open Source; Device Hardware; Sensor; Actuator; TPM; Comms module; Firmware; Encryption keys; ODM – develops and makes device; Software developers; Chip vendor; Comms module vendor; IP vendor; “Brand Owner” – markets and supports service; Users]
• Is there a secure software development lifecycle?
• How are credentials & firmware inserted/updated?
• Is hardware security implemented?
• Do all suppliers implement secure processes?
• How do you know?
• Has security been audited/tested?
• How do suppliers deal with a breach?
• …?
Who secured this device?
• Overall security depends on each player’s performance
• Relationships need to be contractual, with SLAs
• How do you satisfy your customer that what you supply is secure?
• We need a Chain Of Trust between each party in the supply chain
• The need is urgent
• This is not a technology problem
• Regulation would be slow and late
Who secures the IoT?
Bring together all the parties in the supply chain from firmware development through to system procurer and end user
Discover and promote Best Practice for securing IoT devices, systems and services
Define & operate a framework for auditable (self‐)certification
Promote a service mark for members that provably apply best practice
The IoT Security Foundation
Building a supply chain of trust
• We are not a standards body
• We want to help our constituents build secure products, systems, and services
• Based on existing standards and best practice where possible
  – ETSI, GSMA, 3GPP, IETF, PRPL, Oasis, ARM, AIoTI, …
  – We are happy to work with additional partners
• A “one stop shop” for how‐to information
• Operating an industry‐driven scheme to foster trust between suppliers, customers, and consumers
History
• Initiated following a successful conference at Bletchley Park, May 2015
• Launched September, first Plenary November 2015
• Major conference at Royal Society December 2015
• At end‐May 2016, over 60 members, initial WGs in operation, first documents in draft
• Aiming to publish first guideline documents and launch certification scheme December 6, 2016
Structure and operations
[Diagram labels: Members; Board; Plenary Group; Working Groups; Best Practice guidelines; Self‐Certification scheme; Audit; Standards; Industry/Society needs; Security breaches]
Initial work streams
• Working Group 1: (Self‐)Certification
• Working Group 2: Connected Consumer Products
• Working Group 3: Security Patching & Updating for Constrained Products
• Working Group 4: Framework for Responsible Disclosure
• Working Group 5: IoT Security Landscape
Example WG1 document contents
4 EXAMPLE CERTIFICATION QUESTIONNAIRE
4.1 Node Hardware & Physical Security
4.2 Node Software & Firmware
4.2.1 Node application
4.2.2 Node Operating System
4.3 Node Wired & Wireless Network Interfaces
4.4 Authentication and Authorisation
4.5 Encryption and key management
4.6 Configuration
4.7 Web User Interface
4.8 Mobile User Interface
4.9 Privacy
4.10 Cloud, Network and Update Services
4.11 Business Processes
4.12 Secure Supply Chain and Production
4.13 General
Output of process
Completed questionnaire with all questions answered…
Evidence of conformance ‐ think “Technical Construction File”
Possibility of audit by customer, IoTSF, or trusted third party
Licence to use “Safe to Connect” service mark for the product or service
IoT Security Foundation
Make it safe to connect
Our mission is to help secure the Internet of Things, in order to aid its adoption and maximise its benefits. To do this we will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.
SECURITY FIRST...designed in at the start
FIT FOR PURPOSE...right sized for the application
RESILIENT...throughout operating life