
ICCC16 - Presentation - Roland_Atoui(ORACLE)


Page 1: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Is there an alternative for certifying trustworthy “Things” in the IoT ecosystem ?

Roland Atoui, Principal Security & Certification Program Manager, Java Card & IoT Security

Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Page 2: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Agenda

1. IoT - Overview
2. IoT - Security Threats & Standardization
3. IoT & Trust
4. Exploring CC on IoT
5. So What ?

Page 3: ICCC16 - Presentation - Roland_Atoui(ORACLE)

What is IoT ?


Page 4: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Do We Have a Standard Architecture ?

Architecture blocks: Devices (Things: Controls, Sensors, Status & Info) – Gateway – Core Network – Applications (Servers)

Data pipeline: Sense → Data Acquisition → Communicate → Data Store & Event Processing → Visualize/Analyze

Page 5: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Why Do We Need to Secure IoT ?

END TO END SECURITY

Device Domain | Trust Boundary | Network Domain | Trust Boundary | Service Domain

Threats per domain (left to right):
• Tampering (physical) • Availability • Destruction • Mutual authentication • …
• Availability • Repudiation • Confidentiality • Integrity • Mutual authentication • …
• Confidentiality • Availability • …

Attack classes: PHYSICAL Attacks, MITM Attacks, Network Attacks, SERVER Attacks

Page 6: ICCC16 - Presentation - Roland_Atoui(ORACLE)

What Standards Are Addressing IoT Technology ?

Legend: • SDO's with a generic approach • SDO's with a special scope

IETF: generic network and security protocol
oneM2M: generic horizontal service architecture
IEEE: low level protocols
Device Management: OMA, BBF
Secure Elements: ETSI SCP (UICC), GP (IoT TF, TEE, eSE), TCG (TPM)
Messaging protocol: OASIS MQTT
Global Standards: ISO/IEC
Global Standards: ITU
Liaison: GSMA (MNO perspective on IoT as new business)

Page 7: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Any Security Standard Methodologies Pretenders ?

STRIDE
• Spoofing (Authentication) • Tampering (Integrity) • Repudiation (Non-repudiation) • Information Disclosure (Confidentiality) • Elevation of Privilege (Authorization)

DREAD
DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY

ISO 27K
• ISMS – ISO 27001
• IoT: ISO/IEC JTC1/Working Group 10, SC 27
• ISO 29100 – Privacy risk management

OWASP Top 10 (IoT)
• I1 Insecure Web Interface • I2 Insufficient Authentication/Authorization • I3 Insecure Network Services • I4 Lack of Transport Encryption • I5 Privacy Concerns • I6 Insecure Cloud Interface • I7 Insecure Mobile Interface • I8 Insufficient Security Configurability • I9 Insecure Software/Firmware • I10 Poor Physical Security

Page 8: ICCC16 - Presentation - Roland_Atoui(ORACLE)

How do we build an IoT Threat/Risk Model ?

IoT Thing A (Data Assets): Devices, Applications, Gateway, Servers
IoT Thing B (Data Assets): Devices, Applications, Gateway, Servers

Data flows/assets between the Things: Events, Messages, App Data, Registration Data, Auth Data, App Code, other data…

Threats on Thing A – Threats on Data Flows – Threats on Thing B

Countermeasures / Mitigation of threats strategy → Residual: Uncovered Threats, Accepted Risks

Requirements (per Thing and per data flow): SFRs, SARs

Page 9: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Why Threat Modeling ? And What About Trust ?

Threat modeling helps you mainly:
• Identify the scope of attacks on IoT devices and their ecosystem
• Address the security by design and test your devices accordingly
• Achieve End to End security (maybe)

But what about Trust ?
• Who will ensure that your assets, privacy, reputation or revenue is protected ?
• Could we establish an End to End Trust ?
• How can IoT Things be evaluated ?

Page 10: ICCC16 - Presentation - Roland_Atoui(ORACLE)

How To Trust a “Thing” ?

Architecture blocks: Devices (Things: Control, Sensors, Status & Info) – Gateway – Core Network – Applications (Servers)

Trust building blocks:
• Thing: Trusted Enrollment
• System: Trusted Auditing & Risk Management
• Trusted Online Revocation
• Trusted Remote Management
• Independent Security Certification

Page 11: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Exploring CC on IoT

So let's start exploring…

CC is a framework where:
• The IoT community/users could express their SFRs and SARs on the IoT devices and their ecosystem, covering all the life-cycle phases, through an IoT dedicated PP or several PPs.
• IoT vendors could claim compliance to these requirements.
• IoT evaluators could evaluate the IoT devices and their ecosystem and provide a certain assurance level that the IoT devices actually meet the claims.

But IoT is an ecosystem, and CC has never managed to provide confidence to such a huge ecosystem.

Page 12: ICCC16 - Presentation - Roland_Atoui(ORACLE)

How Could CC Patterns Apply ?

Smart Meter Gateway PP (BSI-CC-PP-0073)
Security Module for a Smart Meter Gateway PP (BSI-CC-PP-0077)

• TOE is the gateway including a security module
• Gateway Function: securely relay metering data (collect, process, store, redistribute).
• Security Module Function: provide cryptographic services; tamper resistant; key management
• EAL 4+

ASSETS: Session Keys; Smart Meter Gateway (Integrity, Confidentiality, Authenticity)
THREATS: Man in the Middle Attack (communication gateway <-> server); Replay attack
SECURITY OBJECTIVES: Force Role based Access Control; Force Trusted Channel
ASSUMPTIONS: The Gateway Admin is trustworthy
SECURITY POLICIES: Conformant with FIPS 140-2 for Trusted channel
Security Requirements: Secure messaging algorithm (AES ? Key size ? ...); Secure key generation (TRNG ?); Signature generation protocol
Security Assurance Requirements: Flaw Remediation; Tests covering Security Functionality; Guidance Documents

Page 13: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Could We Do Better ? IoT to TOE ?

IoT Thing A (Data Assets): Devices, Applications, Gateways, Servers; Sensors, Status & Info
IoT Thing B (Data Assets): Devices, Applications, Gateways, Servers

Data flows between Thing A and Thing B

SFRs and SARs per Thing

TOE ? Composite TOE ?

Page 14: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Potential PP for IoT Platform ?

• Generic security analysis (based on STRIDE, OWASP, …) addressing the IoT domains providing inputs to the PP (Device, Network and Service Domains). SDO's will be the main entry point for threats identification and security requirements definition.

• Organizational Security Policies and Assumptions could rely on several standards to provide a robust IoT environment, such as ISO27001, HIPAA, ISO27017/18, …

• Cover IoT life-cycle security (from manufacturing to operational phase)

• Demonstrable compliance to the PP: Assumptions could be modified, SOs could be modified.

• SFRs and SARs are adaptable to accepted risks for each market

• The Security Requirements depend on the Threats and Assumptions, which will themselves depend on the assets' values, the environment of the product and the attacker's profile.

ASSETS: Roles, Users (Integrity, Availability, Confidentiality, Authenticity)
THREATS
SECURITY OBJECTIVES (Platform & Environment)
ASSUMPTIONS
ORGANIZATIONAL SECURITY POLICIES
Security Requirements A, Security Requirements B, Security Requirements C, Security Requirements D, Security Requirements F
Security Assurance Requirements: SAR A, SAR B, SAR C

Page 15: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Potential IoT Security Functional Requirements ?

SFR GROUP | SFR SAMPLES | Correspondent CC COMPONENTS
Generic Device SFRs | Unique ID; Non-modifiable ID; Device SW & data integrity | FIA_ATD.1, FIA_USB.1, FIA_UID.2; FDP_SDI.2; FPT_FLS.1, FPT_INI.1
Gateways & Directly Connected Device SFRs | Data storage Encryption; Data Integrity; Access Control | FCS_COP.1; FDP_SDI.2; FDP_ACC, FDP_ACF
Gateway specific SFRs | Integrity of the list of device adapters; Management operations acknowledgment and logging | FDP_SDI.2; FMT_SMF.1, FMT_MSA.1, FAU_SAR.1, FAU_SAS.1
IoT Server/Cloud SFRs | Remove/wipe registration credentials after usage; Authenticate the Cloud (HTTPS) | FDP_RIP.1; FTP_TRP.1, FCS_COP.1
Communication Protocols SFRs | Encrypt all data flows | FCS_COP.1
Management Device SFRs | Secure boot protection; Role-based access control | FPT_INI.1 (extended); FMT_MSA.1
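The threat/risk model of the "How do we build an IoT Threat/Risk Model ?" slide and the SFR-sample table above can be made concrete in a few dozen lines. The following Python is an added example, not code from the presentation or from Oracle: it models two Things and the data flow between them, classifies threats with STRIDE, rates them with DREAD (mean of the five factors, a constructed scale), applies countermeasures, splits what remains into residual and accepted risks, and lists the CC components the chosen countermeasures pull in. Every threat, score, threshold and countermeasure is constructed for illustration; only the SFR-sample-to-component mapping is copied from the table above.

```python
"""Minimal IoT threat/risk model: two Things, the data flow between them,
STRIDE-classified threats rated with DREAD, countermeasures, the
residual/accepted split, and the CC components the countermeasures map to.
Added example; every threat, score and countermeasure is constructed."""
from dataclasses import dataclass

# SFR samples -> CC components, as in the presentation's SFR table
# (the table marks FPT_INI.1 as an extended component).
SFR_COMPONENTS = {
    "Device SW & data integrity": ["FPT_FLS.1", "FPT_INI.1"],
    "Secure boot protection": ["FPT_INI.1"],
    "Encrypt all data flows": ["FCS_COP.1"],
    "Authenticate the Cloud (HTTPS)": ["FTP_TRP.1", "FCS_COP.1"],
    "Role-based access control": ["FMT_MSA.1"],
    "Remove/wipe registration credentials after usage": ["FDP_RIP.1"],
    "Management operations acknowledgment and logging":
        ["FMT_SMF.1", "FMT_MSA.1", "FAU_SAR.1", "FAU_SAS.1"],
}


@dataclass(frozen=True)
class Threat:
    name: str
    target: str    # "Thing A", "Thing B" or "flow A->B" (the three threat boxes)
    stride: str    # STRIDE category
    dread: tuple   # (Damage, Reproducibility, Exploitability, Affected users,
                   #  Discoverability), each rated 0..10 (constructed scale)

    def score(self) -> float:
        """DREAD rating: mean of the five factors."""
        return sum(self.dread) / 5


@dataclass(frozen=True)
class Countermeasure:
    name: str
    covers: frozenset   # names of the threats it mitigates
    sfr_samples: tuple  # keys of SFR_COMPONENTS it relies on


def build_model():
    """Constructed sample: a sensor (Thing A) reporting to a gateway (Thing B)."""
    threats = [
        Threat("Physical tampering of sensor firmware", "Thing A", "Tampering", (8, 9, 4, 5, 6)),
        Threat("Replay of stored readings to the gateway", "flow A->B", "Spoofing", (5, 8, 7, 7, 6)),
        Threat("Eavesdropping on the sensor uplink", "flow A->B", "Information Disclosure", (6, 9, 6, 8, 7)),
        Threat("Registration credentials left on device after enrollment", "Thing A",
               "Information Disclosure", (7, 6, 5, 4, 3)),
        Threat("Unauthenticated management operation on gateway", "Thing B",
               "Elevation of Privilege", (9, 7, 6, 9, 5)),
        Threat("Unlogged configuration change", "Thing B", "Repudiation", (3, 5, 5, 2, 2)),
    ]
    countermeasures = [
        Countermeasure("Secure boot with firmware integrity check",
                       frozenset({threats[0].name}),
                       ("Device SW & data integrity", "Secure boot protection")),
        Countermeasure("Authenticated, encrypted channel on every flow",
                       frozenset({threats[1].name, threats[2].name}),
                       ("Encrypt all data flows", "Authenticate the Cloud (HTTPS)")),
        Countermeasure("RBAC on the management interface",
                       frozenset({threats[4].name}),
                       ("Role-based access control",)),
    ]
    return threats, countermeasures


def residual_risks(threats, countermeasures, accept_below=4.0):
    """Threats no countermeasure covers, split as in the 'Residual' box:
    residual (still to be addressed) vs accepted (score under the threshold)."""
    covered = set().union(*(cm.covers for cm in countermeasures))
    uncovered = [t for t in threats if t.name not in covered]
    residual = sorted((t for t in uncovered if t.score() >= accept_below),
                      key=lambda t: -t.score())
    accepted = [t for t in uncovered if t.score() < accept_below]
    return residual, accepted


def required_components(countermeasures):
    """CC components the selected countermeasures map to (candidate SFR list)."""
    return sorted({c for cm in countermeasures
                   for s in cm.sfr_samples for c in SFR_COMPONENTS[s]})


if __name__ == "__main__":
    threats, cms = build_model()
    for t in sorted(threats, key=lambda t: -t.score()):
        print(f"{t.score():4.1f}  {t.stride:22}  {t.target:10}  {t.name}")
    residual, accepted = residual_risks(threats, cms)
    print("residual :", [t.name for t in residual])
    print("accepted :", [t.name for t in accepted])
    print("SFRs     :", required_components(cms))
```

Running the module prints the ranked threat list, the one uncovered threat above the acceptance threshold (the leftover registration credentials, which the table's FDP_RIP.1 sample would address) and the one accepted below it, and the deduplicated set of CC components the three countermeasures already imply. The acceptance threshold and the DREAD scale are the market-specific knobs the "SFRs and SARs are adaptable to accepted risks for each market" bullet refers to.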

Page 16: ICCC16 - Presentation - Roland_Atoui(ORACLE)

PP IoT – Umbrella PP ?

Device Domain | Trust Boundary | Network Domain | Trust Boundary | Service Domain

PP IoT as the umbrella over component PPs:
• Secure Element: PP Java Card
• Gateway: PP SM Gateway, PP Network Device, PP TEE
• WLAN/LAN: PP WLAN, PP VPN
• Server: PP Server Virtualization
• Smart Device: PP TEE, PP Mobile Device
• Application: PP DBMS, PP App SW

Page 17: ICCC16 - Presentation - Roland_Atoui(ORACLE)

What Are The Main Challenges ?

Cost and Time effective evaluation
One CC evaluation costs relatively a lot; what happens when we have several evaluations including dependencies (Maintenance, Life-cycle, …)? TTM issues…

Will there be a demand for IoT products evaluation ?
If until now no governments are involved, who will drive the market demand ? Why ? When ?

Communications between product owners
Who will be responsible for IoT evaluation, and how can different stakeholders communicate if there are multiple ones ?

Accreditations vs CC
How does CC recognize ISMS accreditations such as ISO27K ? To what extent ?

What level of Trust can CC provide ?
If the product is trustworthy, does it mean that we are safe ?

Page 18: ICCC16 - Presentation - Roland_Atoui(ORACLE)

How Could We Overcome These Challenges ?

Cost and Time effective evaluation
Develop IoT evaluation best practices, adapted evaluations, improve certificates maintenance, etc.

Will there be a demand for IoT products evaluation ?
Governments will sooner or later be involved: IoT brings huge benefits to governments in different sectors. Vendors/Operators/SPs are also very motivated, and end-to-end security is their first concern.

Communications between product owners
Can be inspired by the Smart Card composite evaluation process – Apps (SPs) on OS (Platform Dev) on IC (HW manufacturer).

Accreditations vs CC
Create a particular relationship with other IT Security standards (ISO27K for instance)

What level of Trust can CC provide ?
IoT is still premature; therefore CC can probably grow up with the technology, providing efficient assurance or trust.

Page 19: ICCC16 - Presentation - Roland_Atoui(ORACLE)

So What ?

If … The Internet Of Things is still a new wild civilization !
• Security is still premature
• Interoperability is still not fulfilled
• The Ecosystem is still uncontrolled

Then… The CC applied to IoT is still an undiscovered civilization !
• The required level of Trust/Assurance is vague
• The IoT ecosystem goes beyond the practical CC scope
• No efforts have been employed yet in this sense

Else… Let's try to build "Trustworthy" Things by design before it is too late !

Is it too early ?
Will it remain a nice dream ?

Page 20: ICCC16 - Presentation - Roland_Atoui(ORACLE)

Thank you for your attention !

Roland Atoui | Security & Certification Program Manager
Phone: +33146856394 | Mobile: +33618834611
Email: [email protected]
IoT and Java Card