Monday, January 15, 2018

IoT Security - accept and handle failure

IoT as well as Industrial IoT (IIoT) present a couple of specific key requirements for building secure and reliable networks and systems operated in smart grid, smart city or manufacturing environments. Because of agility, size and the vast number of endpoints, automation and orchestration are important success criteria. But there is much more to consider: we need to accept and handle failure and security breaches. Survivability, resilience, isolation, and self-healing are essential characteristics and quality requirements for the underlying system architecture. Of course, network security is the sound basis for a scalable security architecture, with strict network access control and secure onboarding as inherent features. This is the precondition for visibility and context awareness, which enable security intelligence to respond to threat automation and malware sophistication at all levels of the stack.

Tuesday, January 02, 2018

IoT Security - a primer

Security is a crucial requirement, a core building block, a success criterion, and an enabler for IoT at the same time. Along with scalability and extensibility, security represents an important quality attribute within the overall IoT architecture. Linking a vast number of devices and inter-connecting networks leads to complex systems that need to be protected comprehensively and holistically.
Security impacts all layers of the IoT architecture. It starts with the security of the endpoints and impacts the data and processes in the cloud. Of course, the security of the network connecting all nodes is imperative to success. In this regard, IoT security comprises the security of the network as well as the security of the connected devices, intermediate subsystems such as gateways, and the systems that finally consume the data. Besides connectivity and communication, security is important for all deployment and management processes.
First of all, there is no silver bullet, no unique approach to implement IoT security comprehensively. Besides all the technical requirements, there are always constraints and side effects such as cost pressure, time schedules, available resources, expertise and so on. Nevertheless, there is a set of essential requirements which must be considered from the beginning.

Objectives and Key Requirements

The overall goal is to protect the entire system which represents an IoT installation. The more granular security requirements, often called security attributes, are confidentiality, availability, integrity, and privacy. The relevance of these core attributes depends on the system, the environment, the actuators and their functions. In an installation where customer data is used, confidentiality and privacy are especially important. A smart meter installation would be a perfect example. Data management, processing, and distribution are becoming increasingly important for customers who want to control and ensure their privacy. In several countries, this is already regulated by law. Technologies and procedures to protect end users’ privacy are evolving. Anonymization of user data is only one approach. More advanced technologies follow an approach to conceal user identities and their network activity from surveillance and traffic analysis by separating identification and routing.
In the industrial environment, availability and integrity are high priorities. Furthermore, safety can no longer be separated from security. In some scenarios, IoT systems might be part of the critical infrastructure, which raises the bar for security even further. In these domains, security appliances and functions must not hinder the performance of the critical applications.
The following table contains the four key attributes:

Requirement / Attribute
Availability: Ensures that data is available to authorized entities in a timely and reliable manner when it is needed
Integrity: Protects data from modification without authorization to ensure accuracy and completeness
Confidentiality: Protects data from disclosure to and access by unauthorized entities
Information and Data Privacy: Management of data according to legal regulations and public expectations

From an individual perspective, privacy is the right to control what information may be collected, processed and stored and by what entity, and to whom that information may be disclosed.

The recommended approach to identify the essential requirements is a risk assessment of all assets that are part of the given IoT system. Depending on the outcome, which is influenced by financial, safety and other consequences, the requirements documentation can be compiled. In addition, requirements derived from regulations, policies and standards will complete the specification.

Saturday, December 30, 2017

Monday, December 18, 2017

Is it really AI?

We do read a lot about Artificial Intelligence (AI) these days. AI seems to get into nearly everything. Just pick the right chip and you can put the AI sticker on your product. But is it really that easy? What is the difference between AI and Machine Learning? And is the term Intelligence the correct notion anyway to describe a computer-based system? Is it a qualitative or quantitative property?
Depending on the answer, is it something we can measure?

Saturday, January 05, 2013

Happy New Year! 
All the best for 2013: health, happiness and success!

Thursday, January 27, 2011

Security Architecture – moving forward with an approach to outline a framework

It is a key success criterion in system development and architecture to improve and extend models, procedures and underlying frameworks. This is especially needed when it comes to cyber security of complex systems. I recently started to improve my framework for a robust security architecture. Many stakeholders tend to start with the details in such complex systems, which may result in missing overall requirements and ramifications. Security in the scope of vast, distributed systems needs to be specified, designed, implemented and operated based on a solid framework – let’s call it a Security Architecture. I have seen many approaches in order to cover this tricky task. Many of them tend to be too complex. Unfortunately, complexity is not a driver for security (in contrast to simplicity). On the other hand, it’s a tough job to keep the Security Architecture for huge systems simple. Besides the need for a simple approach, transparency and clearness in the scope of Security Architecture are important attributes that should be addressed as key objectives. Security controls need to be structured and encapsulated in the relevant components of the Security Architecture in a clear and traceable manner. I prefer a structure consisting of the following main components:

  1. Security Infrastructure [ Communication and Network Security, Perimeter Security, …]
  2. System Security Services [ Access Control, Identity Management, Credential Management, Audit, Backup and Recovery, …]
  3. Application Security [ Operating Systems, Databases, Web and Application Servers, SaaS, Enterprise Applications, Collaboration, and Messaging, … ]
  4. Service Security [ System Maintenance, System Operation, Change Management, Incident Management, Event Management and Forensics, Stakeholder & User Feedback, … ]
  5. Security Management [ Policies and Roles, Risk Management, Training and Awareness, Secure Coding, Design Principles, Algorithms]
Components 1-4 are the basic layers of the Security Architecture. A more vertical component is Security Management, which covers and affects all of the other four essential parts of the Security Architecture.

Wednesday, December 22, 2010

A blessed Christmas!

Merry Christmas and Good Times in 2011!