Is there an alternative for certifying trustworthy “Things” in the IoT ecosystem ?
Roland Atoui
Principal Security & Certification Program Manager
Java Card & IoT Security
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Agenda
1. IoT - Overview
2. IoT - Security Threats & Standardization
3. IoT & Trust
4. Exploring CC on IoT
5. So What ?
What is IoT ?
Do We Have a Standard Architecture ?
Layers shown on the slide: Devices (Things with Controls, Sensors with Status & Info) -> Gateway -> Core Network -> Servers -> Applications
Functions along the chain: Sense -> Data Acquisition -> Communicate -> Data Store & Event Processing -> Visualize/Analyze
Why Do We Need to Secure IoT ?
END TO END SECURITY
Device Domain | Trust Boundary | Network Domain | Trust Boundary | Service Domain
Device Domain: • Tampering (physical) • Availability • Destruction • Mutual authentication • …
Network Domain: • Availability • Repudiation • Confidentiality • Integrity • Mutual authentication • …
Service Domain: • Confidentiality • Availability • …
Attack classes across the domains: PHYSICAL Attacks, MITM Attacks, Network Attacks, SERVER Attacks
What Standards Are Addressing IoT Technology ?
• IETF: generic network and security protocol
• oneM2M: generic horizontal service architecture
• IEEE: low level protocols
• Device Management: OMA, BBF
• Secure Elements: ETSI SCP (UICC), GP (IoT TF, TEE, eSE), TCG (TPM)
• Messaging protocol: OASIS MQTT
• Global Standards: ISO/IEC
• Global Standards: ITU
• Liaison: GSMA (MNO perspective on IoT as new business)
Legend on the slide: SDO's with a generic approach / SDO's with a special scope
Any Security Standard Methodologies Pretenders ?
STRIDE
• Spoofing (Authentication)
• Tampering (Integrity)
• Repudiation (Non-repudiation)
• Information Disclosure (Confidentiality)
• Elevation of Privilege (Authorization)
DREAD
• DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY
ISO 27K
• ISMS – ISO 27001
• IoT: ISO/IEC JTC1/Working Group 10, SC 27
• ISO 29100 – Privacy risk management
OWASP Top 10
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
How do we build an IoT Threat/Risk Model ?
IoT Thing A (Devices, Applications, Gateway, Servers) – Data Assets
IoT Thing B (Devices, Applications, Gateway, Servers) – Data Assets
Data flows/assets between them: Events, Messages, App Data, Registration Data, Auth Data, App Code, other data…
Threats on Thing A / Threats on Thing B / Threats on Data Flows
-> Countermeasures / Mitigation of threats strategy
-> Residual: Uncovered Threats, Accepted Risks
-> Requirements: SFRs and SARs for Thing A, Thing B and the data flows
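As an added illustration (not from the presentation), the following Python models the threat/risk flow on this slide together with the DREAD sum from the methodology slide: threats on Thing A, Thing B and the data flows are rated and ranked, the countermeasure strategy is applied, and what remains is split into accepted risks and uncovered threats; each countermeasure also carries the CC components that the later SFR table associates with a trusted channel (FTP_TRP.1, FCS_COP.1) and role-based access control (FMT_MSA.1). All threat names, ratings, countermeasures and the accepted-risk list are constructed sample data.

```python
"""Toy threat/risk model for two IoT "Things" and the data flows between
them: threats per Thing and per data flow, a countermeasure strategy, and
the residual (uncovered threats and accepted risks). Threats are prioritised
with the DREAD sum D + R + E + A + D. All threats, ratings and
countermeasures below are constructed sample data, not from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    target: str            # "Thing A", "Thing B" or "Data flow"
    damage: int            # DREAD factors, each rated 0..10
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread(self) -> int:
        """DREAD score = Damage + Reproducibility + Exploitability
        + Affected users + Discoverability (range 0..50)."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: frozenset   # names of the threats it addresses
    sfrs: tuple            # CC components the measure maps to (illustrative)


# Constructed sample model: sensor Thing A, gateway Thing B, and the data
# flows carrying telemetry and authentication data between them.
THREATS = (
    Threat("Physical tampering of sensor", "Thing A", 8, 5, 4, 3, 6),
    Threat("Replay of authentication messages", "Data flow", 6, 9, 7, 7, 7),
    Threat("Unauthorised gateway admin access", "Thing B", 9, 6, 5, 9, 4),
    Threat("Cleartext telemetry disclosure", "Data flow", 7, 10, 9, 8, 9),
    Threat("Firmware downgrade on gateway", "Thing B", 8, 6, 5, 8, 5),
)

COUNTERMEASURES = (
    Countermeasure("Trusted channel between gateway and server",
                   frozenset({"Replay of authentication messages",
                              "Cleartext telemetry disclosure"}),
                   ("FTP_TRP.1", "FCS_COP.1")),
    Countermeasure("Role-based access control on the gateway",
                   frozenset({"Unauthorised gateway admin access"}),
                   ("FMT_MSA.1",)),
)

# Risks the owner consciously accepts (constructed: low-value sensors kept
# in a locked cabinet).
ACCEPTED_RISKS = frozenset({"Physical tampering of sensor"})


def rank_by_dread(threats=THREATS):
    """Highest DREAD score first; the ordering drives mitigation priority."""
    return sorted(((t.name, t.dread()) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def residual(threats=THREATS, countermeasures=COUNTERMEASURES,
             accepted=ACCEPTED_RISKS):
    """Split threats into mitigated, accepted and uncovered (the residual)."""
    mitigated = set()
    for c in countermeasures:
        mitigated |= c.mitigates
    names = [t.name for t in threats]
    return {
        "mitigated": sorted(n for n in names if n in mitigated),
        "accepted": sorted(n for n in names
                           if n in accepted and n not in mitigated),
        "uncovered": sorted(n for n in names
                            if n not in mitigated and n not in accepted),
    }


def required_sfrs(countermeasures=COUNTERMEASURES):
    """The SFRs the chosen countermeasures imply for a Security Target."""
    return sorted({sfr for c in countermeasures for sfr in c.sfrs})


if __name__ == "__main__":
    for name, score in rank_by_dread():
        print(f"{score:2d}  {name}")
    print(residual())
    print(required_sfrs())
```

The uncovered list is the part of the residual that still needs a decision: either a further countermeasure (and hence more SFRs) or an explicit entry in the accepted-risk set; anything that stays in neither is a gap in the model rather than a conscious choice.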
Why Threat Modeling ? And What About Trust ?
Threat modeling helps you mainly:
• Identify the scope of attacks on IoT devices and their ecosystem
• Address security by design and test your devices accordingly
• Achieve End to End security (maybe)
But what about Trust ?
• Who will ensure that your assets, privacy, reputation or revenue are protected ?
• Could we establish End to End Trust ?
• How can IoT Things be evaluated ?
How To Trust a “Thing” ?
Same chain as the architecture slide: Devices (Things with Controls, Sensors with Status & Info) -> Gateway -> Core Network -> Servers -> Applications, with trust anchors along it:
• Thing Trusted Enrollment
• System Trusted Auditing & Risk Management
• Trusted Online Revocation
• Trusted Remote Management
• Independent Security Certification
Exploring CC on IoT
So let’s start exploring…
CC is a framework where:
• IoT community/users could express their SFRs and SARs on the IoT devices and their ecosystem, covering all the life-cycle phases, through an IoT dedicated PP or several PPs.
• IoT vendors could claim compliance to these requirements.
• IoT evaluators could evaluate the IoT devices and their ecosystem and provide a certain assurance level that the IoT devices actually meet the claims.
But IoT is an ecosystem, and CC never managed to provide confidence to such a huge ecosystem.
How Could CC Patterns Apply ?
Smart Meter Gateway PP (BSI-CC-PP-0073)
Security Module for a Smart Meter Gateway PP (BSI-CC-PP-0077)
• TOE is the gateway including a security module
• Gateway Function:
  – Securely relay metering data (collect, process, store, redistribute).
• Security Module Function:
  – Provide cryptographic services
  – Tamper resistant.
  – Key Management
EAL 4+
ASSETS: Session Keys – Integrity, Confidentiality, Authenticity
THREATS: Man in the Middle Attack (communication gateway <-> server); Replay attack
SECURITY OBJECTIVES: Force Role based Access Control; Force Trusted Channel
ASSUMPTIONS: The Gateway Admin is trustworthy
SECURITY POLICIES: Conformant with FIPS 140-2 for Trusted channel
Security Requirements (examples): Secure Messaging algorithm (AES ? Key Size ? ...); Secure key generation (TRNG ?); Signature generation protocol
Security Assurance Requirements (examples): Flaw Remediation; Tests covering Security Functionality; Guidance Documents
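As an added example (not from the PP or the presentation), a small Python model of the "Force Trusted Channel" objective against the two listed threats on the gateway <-> server link: each message is bound to a strictly increasing sequence number under an HMAC, so a modified message fails the tag check and a replayed one is refused even though its tag is valid. The PP's own trusted channel is TLS-based; the pre-shared key, the meter readings and the HMAC-plus-counter construction here are constructed assumptions for the demonstration.

```python
"""Illustrative model of a trusted channel between a smart meter gateway and
a server: integrity/authenticity via HMAC-SHA256 and anti-replay via a
monotonically increasing sequence number. The key and readings are
constructed sample values; the real PP mandates TLS for this link."""
import hashlib
import hmac
import json

# Constructed pre-shared channel key (a real gateway would keep it in the
# security module, cf. BSI-CC-PP-0077).
CHANNEL_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(seq: int, payload: dict) -> bytes:
    """Deterministic encoding of what the tag covers (sequence + payload)."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def seal(key: bytes, seq: int, payload: dict) -> dict:
    """Gateway side: attach the sequence number and an HMAC tag."""
    tag = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class ServerEndpoint:
    """Server side: accepts only authentic, strictly increasing messages."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1
        self.accepted = []

    def receive(self, msg: dict) -> str:
        expected = hmac.new(self._key, _canonical(msg["seq"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a forged or modified message fails here,
        # which covers the man-in-the-middle threat on this link.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag (tampered or forged)"
        # Anti-replay: a repeated or older sequence number is refused even
        # though its tag verifies.
        if msg["seq"] <= self._last_seq:
            return "rejected: replay"
        self._last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        return "accepted"


def demo():
    """Run one valid message, a replay, a tampered copy and a second valid
    message through the server; returns the four verdicts and the count of
    readings the server kept."""
    server = ServerEndpoint(CHANNEL_KEY)
    reading = seal(CHANNEL_KEY, 1, {"meter": "M-001", "kwh": 1234.5})
    first = server.receive(reading)
    replayed = server.receive(reading)                       # same message again
    tampered = dict(reading, payload={"meter": "M-001", "kwh": 0.0})
    modified = server.receive(tampered)                      # payload altered, old tag
    second = server.receive(seal(CHANNEL_KEY, 2,
                                 {"meter": "M-001", "kwh": 1240.0}))
    return first, replayed, modified, second, len(server.accepted)


if __name__ == "__main__":
    print(demo())
```

The sequence number must be part of what the tag covers; if it were sent alongside but not authenticated, an attacker could take a valid tag and pair it with a fresh counter. The `_last_seq` state is what the server has to persist across restarts, otherwise the anti-replay check silently resets.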
Could We Do Better ? IoT to TOE ?
IoT Thing A (Devices, Applications, Gateways, Servers; Sensors with Status & Info) – Data Assets
IoT Thing B (Devices, Applications, Gateways, Servers) – Data Assets
Data flows between Thing A and Thing B
SFRs and SARs for each Thing and for the data flows
TOE ? Composite TOE ?
Potential PP for IoT Platform ?
• Generic security analysis (based on STRIDE, OWASP, …) addressing the IoT domains and providing inputs to the PP (Device, Network and Service Domains). SDO’s will be the main entry point for threat identification and security requirements definition.
• Organizational Security Policies and Assumptions could rely on several standards to provide a robust IoT environment, such as ISO27001, HIPAA, ISO27017/18, …
• Cover IoT life-cycle security (from manufacturing to operational phase)
• Demonstrable compliance to the PP: Assumptions could be modified, SOs could be modified.
• SFRs and SARs are adaptable to the accepted risks of each market
• The Security Requirements depend on the Threats and Assumptions, which will themselves depend on the assets’ values, the environment of the product and the attacker’s profile.
PP structure sketched on the slide:
ASSETS: Roles, Users – Integrity, Availability, Confidentiality, Authenticity
THREATS
SECURITY OBJECTIVES (Platform & Environment)
ASSUMPTIONS / ORGANIZATIONAL SECURITY POLICIES
Security Requirements A, B, C, D, F
Security Assurance Requirements: SAR A, SAR B, SAR C
Potential IoT Security Functional Requirements ?
SFR GROUP | SFR SAMPLES | Corresponding CC COMPONENTS
Generic Device SFRs | Unique ID; Non-modifiable ID; Device SW & data integrity | FIA_ATD.1, FIA_USB.1, FIA_UID.2; FDP_SDI.2; FPT_FLS.1, FPT_INI.1
Gateways & Directly Connected Device SFRs | Data storage Encryption; Data Integrity; Access Control | FCS_COP.1; FDP_SDI.2; FDP_ACC, FDP_ACF
Gateway specific SFRs | Integrity of the list of device adapters; Management operations acknowledgment and logging | FDP_SDI.2; FMT_SMF.1, FMT_MSA.1; FAU_SAR.1, FAU_SAS.1
IoT Server/Cloud SFRs | Remove/wipe registration credentials after usage; Authenticate the Cloud (HTTPS) | FDP_RIP.1; FTP_TRP.1, FCS_COP.1
Communication Protocols SFRs | Encrypt all data flows | FCS_COP.1
Management Device SFRs | Secure boot protection; Role-based access control | FPT_INI.1 (extended); FMT_MSA.1
PP IoT – Umbrella PP ?
Device Domain | Trust Boundary | Network Domain | Trust Boundary | Service Domain
Components and the existing PPs that could cover them, under an umbrella PP IoT:
• Secure Element – PP Java Card
• Gateway – PP SM Gateway, PP Network Device, PP TEE
• WLAN/LAN – PP WLAN, PP VPN
• Server – PP Server Virtualization
• Smart Device – PP TEE, PP Mobile Device
• Application – PP DBMS, PP App SW
What Are The Main Challenges ?
• Cost and Time effective evaluation: One CC evaluation costs relatively a lot; what happens when we have several evaluations including dependencies (Maintenance, Life-cycle, …)? TTM issues…
• Will there be a demand for IoT products evaluation ? If until now no governments are involved, who will drive the market demand ? Why ? When ?
• Communications between product owners: Who will be responsible for IoT evaluation, and how can different stakeholders communicate if there are multiple ones ?
• Accreditations vs CC: How does CC recognize ISMS accreditations such as ISO27K ? To what extent ?
• What level of Trust can CC provide ? If the product is trustworthy, does it mean that we are safe ?
How Could We Overcome These Challenges ?
• Cost and Time effective evaluation: Develop IoT evaluation best practices, adapted evaluations, improve certificate maintenance, etc.
• Will there be a demand for IoT products evaluation ? Governments will sooner or later be involved: IoT brings huge benefits to governments in different sectors. Vendors/Operators/SPs are also very motivated, and end-to-end security is their first concern.
• Communications between product owners: Can be inspired by the Smart Card composite evaluation process – Apps (SPs) on OS (Platform Dev) on IC (HW manufacturer).
• Accreditations vs CC: Create a particular relationship with other IT Security standards (ISO27K for instance).
• What level of Trust can CC provide ? IoT is still premature, therefore CC can probably grow up with the technology, providing efficient assurance or trust.
So What ?
If … The Internet Of Things is still a new wild civilization !
• Security is still premature
• Interoperability is still not fulfilled
• The Ecosystem is still uncontrolled
Then… The CC applied to IoT is still an undiscovered civilization !
• The required level of Trust/Assurance is vague
• The IoT ecosystem goes beyond the practical CC scope
• No efforts have yet been employed in this sense
Else…
• Let’s try to build “Trustworthy” Things by design before it is too late !
• Is it too early ?
• Will it remain a nice dream ?
Thank you for your attention !
Roland Atoui | Security & Certification Program Manager
Phone: +33146856394 | Mobile: +33618834611
Email: [email protected]
IoT and Java Card