Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
1 UL and the UL logo are trademarks of UL LLC © 2016
The Security of Things IoT security – it’s in the stars! Maarten Bron Director Innovations October 19th 2016
2
Setting the Standards
3
‘Safety’ expressed as combination of:
A bit of history…
“Protecting millions of homes, offices, and government buildings”
Forced entry resistance
Covert attack resistance
Key control
4
A bit of history - how to measure ‘safety’? Tools
Hammer 1.36 kg Screwdriver 380 mm Drill bit HSS 6.4 mm Electric drill @1900 RPM
Method Pass criteria Picking 10 minutes
Impressioning 10 minutes
Forcing 5 minutes
Drilling 5 minutes
Sawing 5 minutes
Prying 5 minutes
Pulling 5 minutes
Punching 5 minutes
• Safety is not forever! • Experience of the tester
really matters… • …so does the tooling!
5
Fast forward: from Safety to Security!
“Security” Physical properties
Logical properties
Procedures
is the result of
The ‘Hardware’: • Silicon • Circuit Board • Case, housing
The ‘Software’: • Application • OS • Firmware • Wired Logic
Chip
• Version control • Key management • Security during
manufacturing
6
How to measure ‘security’?
Formally defined risk Subjectively defined risk
Formalised methodology
Informal methodology
Common Criteria / ISO15408
ISO13491
FIPS140-2
PCI PTS
Instead, think of: • Laser beams • Template attacks • Code review • Crypto analysis • Side channel • Software obfuscation
Not with drills and screwdrivers anymore…
7
This also works great for IoT, doesn’t it?
8
First, you need a standard… Evolution of safety and security standards
Products
Smart Products
Connected Smart Products
Safety
+ Security
+ Cyber Security
“UL 437”
“PCI-PTS”
“UL 2900”
9
• Banking • Government • Healthcare • Industry 4.0 • Insurance
Then, you need a demand driver…
ü Cyber Security ü Security ü Safety
Knowledge
Money
Time
Cost of Compliance
“With over 60% of businesses suffering a cyber breach last year, protection against this type of attack must form part of each business’s risk assessment and it’s strongly advisable to have sufficient insurance cover in place.”
www.thememo.com
Why?
Because security comes at a cost!
Regulatory compliance as a way to enforce security is great… …in regulated environments!
But who regulates the Internet?
10
Demand driver in non regulated domains?
$500
$750
Without additional information, which one do you choose?
What if one is more secure? How would you know? How much would you care?
11
Star rating programs…
…have been used to change consumer purchase behavior in the past...
Why not for security?
12
IoT Security Metrics
• Devices can be defined by three things • Interfaces (Input / Output) • Processing attack surface • System architecture
• The more interfaces, and larger attack surface, the less secure a system can objectively be considered
• Specifics of the architecture either help or hinder security (reducing the ‘vulnerability surface’)
13
Star rating examples
Specification RouterX RouterY
Operating System Linux Kernel 3.18.23 Linux Kernel 3.18.23
FTP server Root privilege Separate user privilege (Disabled by default)
Credentials Admin / Password Device unique printed on serial number sticker
VPN Based on WolfSSL v3.9.0 (root, hardcoded default cert)
Based on WolfSSL v3.9.0 (User privilege, no default cert, disabled by default)
Random number generator
/dev/urandom (no seed, not stateful)
/dev/random (seeded at manufacturing, stateful between boots)
Web Interface Over HTTP, exposed on WAN Over HTTPS, WAN access disabled by default
FW updates? No commitment For 2 years, updates cryptographically authenticated
Star Rating 0 Stars 4 Stars (Until 2018) For the period of FW updates
14
Star Rating Example
• So is RouterY more secure than RouterX? • Yes – through good configuration and design
• Even though both do the same thing, and have no current vulnerabilities • And we can objectively demonstrate this without costly pentesting
• Does this mean RouterY is secure? • No! Will still need patching, but the vendor has committed to that • Not meeting this commitment means reduced ratings into the
future
• Does this mean Router will be compromised / vulnerable first? • Not necessarily – the star rating is about levels of resistance • ‘More secure’ does not mean ‘will not fail’
15
To conclude!
Security is hard, which makes it costly!
IoT Security is a commercial problem… Commercial problems need commercial solutions!
Existing ways to enforce security may not work in unregulated space. It’s in the stars?
From Safety to Security to Cyber Security…
16
Maarten Bron Director Innovations – UL Transaction Security Division [email protected]
Thank you!
17
UL2900SeriesofStandards
GeneralProductTes8ng
IndustryProductTes8ng
UL2900-1So#wareCybersecurity
Organiza8onandProcessAssessment
Implementa8onAssessment
UL2900-2-1MedicalDevices
UL2900-2-2IndustrialControlSystem
UL2900-2-3Ligh<ng–InPlanning
UL2900-3GeneralProcessRequirementsInPlanning
UL2900-4GeneralImplementa<onReqsInPlanning
Published on March 30, 2016
UL2900-2-4XX–InPlanning
The technical criteria in UL 2900 are based on existing industry best
practices and guidance documents as well as IEC, ISO, and other international standards work to create repeatable & reproducible test criteria for product/
software security evaluations.