Sunday, January 28, 2018
IoT Security: Essential Requirements
One core requirement in IoT security is trust. Or, the other way around: We cannot trust an IoT device connected to the network unless we know exactly how it works. This is imperative! And it especially relevant with all the encrypted channels we see on the Internet. We might have MitM protection but we do not know what is on the wire and within the encrypted packages.
Friday, January 26, 2018
Real technology needs
There are lot of trends and buzzwords, AI is only one of them. But there are also other needs. One of them is usability in cyber security. Security is important and a critical success criteria for IoT. Security controls and technologies exist. But for an average user it is hard to comprehend and difficult to handle. This has direct impact on the posture of devices attached to the Internet. We definitely need much better usability in security for IoT. This encompasses the entire life cycle: installation, on-boarding, operation, and maintenance.
Monday, January 15, 2018
IoT Security - accept and handle failure
IoT as well as Industrial IoT (IIoT) present a couple of specific key requirements in order to build secure and reliable networks and systems operated in smart grid, smart city or manufacturing. Because of agility, size and the vast number of endpoints, automation and orchestration are important success criterions. But there is much more to consider: We need to accept and handle failure and security breaches. Survivability, resilience, isolation, and self-healing are essential characteristics and quality requirements for the underlying system architecture. Of course, network security is the sound basis for a scalable security architecture with strict network access control and secure onboarding as inherent features. This is the precondition for visibility and context awareness to address security intelligence in order to respond to threat automation and malware sophistication at all levels of the stack.
Tuesday, January 02, 2018
IoT Security - a primer
Security is a crucial requirement, a core building block, a
success criterion, and an enabler for IoT at the same time. With scalability
and extensibility, security represents an important quality attribute within
the overall IoT architecture. Linking a vast number of devices and
inter-connecting networks leads to complex systems that needs to be protected
comprehensively and holistically.
Security impacts all layer of the IoT architecture. It starts
with the security of the endpoints and impacts the data and processes in the
cloud. Of course, the security of the network connecting all nodes is
imperative to the success. In this regard, IoT security comprises the security
of the network as well as the security of the connected devices, intermediate
subsystems, such as gateways, and systems consuming the data finally. Beside
connectivity and communication, security is important for all deployment and
management processes.
First of all, there is no silver bullet, no unique approach to
implement IoT security comprehensively. Beside all the technical requirements,
there are always constraints and side effects such as cost pressure, time
schedules, available resources, expertise and so on. Nevertheless, there is a
set of essential requirements which must be considered from the beginning.
Objectives
and Key Requirements
The overall goal is to protect the entire system which
represents an IoT installation. The more granular security requirements, often
called security attributes, are confidentiality, availability, integrity, and
privacy. The relevance of these core attributes depends on the system, the
environment, the actuators and their functions. In an installation where
customer data is used, confidentiality and privacy are especially important. A
smart meter installation would be a perfect example. Data management,
processing, and distribution are becoming increasingly important for customers
who want to control and ensure their privacy. In several countries, this is
already regulated by law. Technologies and procedures to protect end user’s
privacy are evolving. Anonymization of user data is only one approach. More
advanced technologies follow an approach to conceal user identities and their
network activity from surveillance and traffic analysis by separating
identification and routing.
In the industrial environment, availability and integrity are
high priority. Furthermore, safety cannot longer be separated from security. In
some scenarios, IoT systems might be part of the critical infrastructure which
even raises the bar for security. In these domains, security appliances and
functions must not hinder the performance of the critical applications.
The following table contains the four key attributes:
Requirement
/ Attribute
|
Objective
|
Availability
|
Ensures that
data is timely and reliable available to authorized entities when it is
needed
|
Integrity
|
Protect data
from modification without authorization to ensure accuracy and completeness
|
Confidentiality
|
Protect
disclosure and data access from unauthorized entities
|
Information
and Data Privacy
|
Management
of data according to legal regulations and public expectations
From an
individual perspective, privacy is the right to control what information may
be collected, processed and stored and by what entity, and to whom that
information may be disclosed.
|
The recommended approach to identify the essential requirements
is a risk-assessment of all assets that are part of the given IoT system.
Depending on the outcome which is impacted by financial, safety and other
consequences, requirement documentation can be compiled. In addition,
requirements derived from regulations, policies and standards will complete the
specification.
Saturday, December 30, 2017
Monday, December 18, 2017
Is it really AI?
We do read a lot about Artificial Intelligence (AI) these days. AI seems to get in nearly everything. Just pick the right chip and you can put the AI sticker on your product. But is it really that easy? Where is the difference between AI and Machine Learning? And, is the term Intelligence the correct notion anyhow to describe a computer based system? Is it a qualitative or quantitative property?
Depending on the answer, is it something we can measure?
Would it be feasible to create a questionnaire for machines to found out about AI?
We do read a lot about Artificial Intelligence (AI) these days. AI seems to get in nearly everything. Just pick the right chip and you can put the AI sticker on your product. But is it really that easy? Where is the difference between AI and Machine Learning? And, is the term Intelligence the correct notion anyhow to describe a computer based system? Is it a qualitative or quantitative property?
Depending on the answer, is it something we can measure?
Would it be feasible to create a questionnaire for machines to found out about AI?
Saturday, January 05, 2013
Thursday, January 27, 2011
Security Architecture – moving forward with an approach to outline a framework
It is a key success criteria in system development and architecture to improve and extend models, procedures and underlying frameworks. This is especially needed when it comes to cyber security of complex systems. I started recently to improve my framework for a robust security architecture. Many stakeholders tend to start with the details in such complex systems which may result in missing overall requirements and ramifications. Security in the scope of vast, distributed systems needs to be specified, designed, implemented and operated based on a solid framework – let’s call it a Security Architecture. I have seen many approaches in order to cover this tricky task. Many of them tend to be too complex. Unfortunately, complexity is not a driver for security (in contrast to simplicity). On the other hand, it’s a tough job to keep the Security Architecture for huge systems simple. Beside the need for a simple approach, transparency and clearness in the scope of Security Architecture are important attributes that should be addresses as key-objective. Security controls need to be structured and encapsulated in the relevant components of the Security Architecture in a clear and traceable manner. I prefer a structure consisting of the following main components:
- Security Infrastructure [ Communication and Network Security, Perimeter Security, …]
- System Security Services [ Access Control, Identity Management, Credential Management, Audit, Backup and Recovery, …]
- Application Security [ Operation Systems, Databases, Web and Application Server, SaaS, Enterprise Applications, Collaboration, and Messaging, … ]
- Service Security [ System Maintenance, System Operation, Change Management, Incident Management, Event Management and Forensics, Stakerholder & User Feedback, ...]
- Security Management [ Policies and Roles, Risk Management, Training and Awareness, Secure Coding, Design Principles, Algorithms]
Monday, January 10, 2011
Fachtagung Informationssicherheit im Netz- und Anlagenbetrieb der elektrischen Energieversorgung
TC 57 / WG 15 und IEC 62351
Intro
§ Die Working Group 15 (Data and Communication Security) ist im Rahmen des IEC innerhalb des TC 57 tätig.
§ Das TC 57 [Technical Committee] trägt den Titel “POWER SYSTEMS management and associated information exchange”.
§ Das TC 57 entwickelt internationale Standards für Energie-systeme (EMS, SCADA, DA, Teleprotection und andere):
http://tc57.iec.ch/index-tc57.html
§ Die WG 15 …
… hat ca. 55 Mitglieder und trifft sich zweimal im Jahr.
… ist für die Standards IEC 62351 (Part 1-8) federführend.
… ist für die Security von Protokollen innerhalb des TC 57 verantwortlich (z.B.: IEC 61850, ICCP/TASE.2).
… adressiert auch das Thema End-to-End Security!
TC 57 / WG 15 und IEC 62351
IEC 62351: Inhalt der Teile 1 bis 8 im Überblick
§ Part 1: Einführung (Übersicht zum Thema Cyber Security, Besonderheiten innerhalb der TC 57 Domäne)
§ Part 2: Begrifflichkeiten (Glossary, Ziel: besseres Verständnis basiert immer auf einheitlicher Terminologie)
§ Part 3: Security für Protokolle mit Profilen beruhend auf TCP/IP (z.B.: ICCP/TASE.2, IEC 61850 Client/Server)
§ Part 4: Security für Protokolle mit Profilen beruhend auf MMS [Manufacturing Messaging Specification] (z.B.: ICCP/TASE.2)
§ Part 5: Security für Protokolle der Reihe IEC 60870-5 u. Derivate
§ Part 6: Security für IEC 61850 (GOOSE, SV, MMS), SNTP (RFC 2030) und VLAN [Virtual Local Area Network] Technologien
§ Part 7: Security MIB’s [Management Information Base] für Netzwerk- und Systemmanagement (à TC 57 spezifische MIBs)
§ Part 8: RBAC [Role Base Access Control] für Energiesysteme
(à Rechte, Rollen, Access Control)
TC 57 / WG 15 und IEC 62351
WG 15: Kooperation, Interaktion, Wahrnehmung
§ Die Standards der Reihe IEC 62351 werden in Dokumenten und anderen Standards als relevant für die Security in der Energieversorgung und im Rahmen von Smart Grids erwähnt (Beispiele: NIST, IEC SG3 Roadmap).
§ Das NIST hat IEC 62351 kommentiert (Änderungen erforderlich).
§ Das NIST hat FERC die IEC 62351 Standards als relevant für Cyber Security empfohlen.
§ Die Umsetzung in Produkten ist momentan eher überschaubar.
§ Es gibt eine Vielzahl von Kooperationen und Koordinationen mit anderen Organisationen (z.B.: IEEE, CIGRE, ISA, ISO, …).
§ Mitglieder der WG 15 arbeiten aktiv an Standards wie NERC CIP und NIST IR 7628 „Guidelines for Smart Grid Cyber Security” mit.
TC 57 / WG 15 und IEC 62351
WG 15: Aktivitäten und Ausblick
§ Mehrere Teile des Standards werden momentan überarbeitet und angepasst. (à Machbarkeit, Cipher Suites)
§ Die WG-15 spezifiziert die Security für den Standard 61850-90-5 (“Use of IEC 61850 to transmit synchrophasor information”) mit dem Ziel eines Technical Reports.
§ Die WG-15 arbeitet weiterhin an einem Technical Report (“Security Architecture Guidelines”).
§ Geplante Aktivitäten:
§ Der Teil 9 “Schlüsselmanagement” ist momentan im Status eines NWIP [New Work Item Proposal].
§ Unterstützung der WG-10 (à IED, IEC 61850) bei der Definition der “Security für System Management”.
§ Eventuell Unterstützung des NIST zum Thema “Security Requirements for Field-Deployed Devices” (à IED, Zähler)
TC 57 / WG 15 und IEC 62351
Finale
Vielen Dank für Ihre Aufmerksamkeit!
Dipl.-Ing. Maik G. Seewald
[maseewal@cisco.com]
Frankfurt am Main, 20-Januar-2011
Fachtagung Informationssicherheit im Netz- und Anlagenbetrieb der elektrischen Energieversorgung
Fachtagung Informationssicherheit im Netz- und Anlagenbetrieb der elektrischen Energieversorgung
TC 57 / WG 15 und IEC 62351
Intro
§ Die Working Group 15 (Data and Communication Security) ist im Rahmen des IEC innerhalb des TC 57 tätig.
§ Das TC 57 [Technical Committee] trägt den Titel “POWER SYSTEMS management and associated information exchange”.
§ Das TC 57 entwickelt internationale Standards für Energie-systeme (EMS, SCADA, DA, Teleprotection und andere):
http://tc57.iec.ch/index-tc57.html
§ Die WG 15 …
… hat ca. 55 Mitglieder und trifft sich zweimal im Jahr.
… ist für die Standards IEC 62351 (Part 1-8) federführend.
… ist für die Security von Protokollen innerhalb des TC 57 verantwortlich (z.B.: IEC 61850, ICCP/TASE.2).
… adressiert auch das Thema End-to-End Security!
TC 57 / WG 15 und IEC 62351
IEC 62351: Inhalt der Teile 1 bis 8 im Überblick
§ Part 1: Einführung (Übersicht zum Thema Cyber Security, Besonderheiten innerhalb der TC 57 Domäne)
§ Part 2: Begrifflichkeiten (Glossary, Ziel: besseres Verständnis basiert immer auf einheitlicher Terminologie)
§ Part 3: Security für Protokolle mit Profilen beruhend auf TCP/IP (z.B.: ICCP/TASE.2, IEC 61850 Client/Server)
§ Part 4: Security für Protokolle mit Profilen beruhend auf MMS [Manufacturing Messaging Specification] (z.B.: ICCP/TASE.2)
§ Part 5: Security für Protokolle der Reihe IEC 60870-5 u. Derivate
§ Part 6: Security für IEC 61850 (GOOSE, SV, MMS), SNTP (RFC 2030) und VLAN [Virtual Local Area Network] Technologien
§ Part 7: Security MIB’s [Management Information Base] für Netzwerk- und Systemmanagement (à TC 57 spezifische MIBs)
§ Part 8: RBAC [Role Base Access Control] für Energiesysteme
(à Rechte, Rollen, Access Control)
TC 57 / WG 15 und IEC 62351
WG 15: Kooperation, Interaktion, Wahrnehmung
§ Die Standards der Reihe IEC 62351 werden in Dokumenten und anderen Standards als relevant für die Security in der Energieversorgung und im Rahmen von Smart Grids erwähnt (Beispiele: NIST, IEC SG3 Roadmap).
§ Das NIST hat IEC 62351 kommentiert (Änderungen erforderlich).
§ Das NIST hat FERC die IEC 62351 Standards als relevant für Cyber Security empfohlen.
§ Die Umsetzung in Produkten ist momentan eher überschaubar.
§ Es gibt eine Vielzahl von Kooperationen und Koordinationen mit anderen Organisationen (z.B.: IEEE, CIGRE, ISA, ISO, …).
§ Mitglieder der WG 15 arbeiten aktiv an Standards wie NERC CIP und NIST IR 7628 „Guidelines for Smart Grid Cyber Security” mit.
TC 57 / WG 15 und IEC 62351
WG 15: Aktivitäten und Ausblick
§ Mehrere Teile des Standards werden momentan überarbeitet und angepasst. (à Machbarkeit, Cipher Suites)
§ Die WG-15 spezifiziert die Security für den Standard 61850-90-5 (“Use of IEC 61850 to transmit synchrophasor information”) mit dem Ziel eines Technical Reports.
§ Die WG-15 arbeitet weiterhin an einem Technical Report (“Security Architecture Guidelines”).
§ Geplante Aktivitäten:
§ Der Teil 9 “Schlüsselmanagement” ist momentan im Status eines NWIP [New Work Item Proposal].
§ Unterstützung der WG-10 (à IED, IEC 61850) bei der Definition der “Security für System Management”.
§ Eventuell Unterstützung des NIST zum Thema “Security Requirements for Field-Deployed Devices” (à IED, Zähler)
TC 57 / WG 15 und IEC 62351
Finale
Vielen Dank für Ihre Aufmerksamkeit!
Dipl.-Ing. Maik G. Seewald
[maseewal@cisco.com]
Frankfurt am Main, 20-Januar-2011
Fachtagung Informationssicherheit im Netz- und Anlagenbetrieb der elektrischen Energieversorgung
Wednesday, December 22, 2010
Tuesday, December 14, 2010
Tuesday, October 19, 2010
Friday, October 15, 2010
Security must be based on a solid (security) architecture
We can read a lot about vulnerabilities, malicious code and horrifying threat scenarios these days. And, we can also learn from all these experts how to fight this. Actually, there is nothing about war and weapons (that could help anyhow). Everything is about solid requirement management (covering security from the very beginning), a decent architecture as well as a design which addresses security seriously. Sure, the team must be qualified to handle this. Just some thoughts: A sustainable architecture is composed of discrete elements, called components. Components are the core parts of architecture. Their design and composition is essential to meet the requirement for a sustainable architecture. Beside these factors, security is another success criterion. Components must be secured in accordance with industry recommended practices. Design and implementation must adhere to security principles, design patterns and coding rules. They must be configured according to the security policies of the organization. This must apply for all components the architecture consists of. Remember the weakest link paradigm; one weak component could compromise the security of the whole architecture. Components which expose interfaces to the “outside world”, like user or communication interfaces are especially under attack or even the entry point for an intruder. This must be considered when specifying, designing and developing these entities. And, interfaces must be well-defined to support an integrative approach in order to achieve end-to-end security. The idea behind this is that a system that is composed of components must assure security when sending or receiving message from on or more component to another and even beyond the system.
Wednesday, July 28, 2010
Robustness and resilience of large distributed applications and networks
In the area of clouds and large distributed automation and control networks, we need to deal with a vast number of (growing) endpoints integrated in the (dynamic) system. It is probably a misconception to assume that all these peers could be protected comprehensively at any time. Hence, it must be an important objective that the protection of the entire system must not depend on the security status (pertaining integrity, confidentiality and availability) of each and every endpoint. In other words, a compromised node must not affect or infect the stability and protection of the entire distributed system. This shall be adressed in the system and security architecture and needs to be defined (and tested !) as a crucial requirement. A (layered) defense in depth, as a general design principle, can help to meet this requirement. In addition, intrusion detection, prevention and a quick isolation of the compromised node can help to minimize the overall impact. Plan for failure is the underlying principle to implement this efficiently. Beside these classical security precautions and controls, a robust design as well as adequate redandancy mechanisms for critical subsystems can support the system stability.
Tuesday, June 22, 2010
Security in large distributed networks (aka Smart Grids)
Security is not only a crucial requirement for conventional data and communication networks. It must be also addressed in networks that are installed and operated to automate and manage energy grids in order to achive a Smart Grid. Definitions may vary but the need for security in the area of critical infrastructures is undisputed. Beyond architecture and compliance, real implementation requirements exist. The paper Enhancing IEC 62351 to Improve Security for Energy Automation in Smart Grid Environments presented at the 2010 Fifth International Conference on Internet and Web Applications and Services in Barcelona provides insights.
Wednesday, June 02, 2010
Test your security!
Testing security of distributed systems is a very complex thing (sure, security is complex inherently). This is because of the nature of security requirements which is functional as well as non-functional. To meet such basket of requirements, good practise is highly recommended. The subsequent bullets list the necessary steps in a proposed order to achieve this goal:
- Document all functional and non-functional requirements and develop use case scenarios base on it (a picture helps a lot !)
- Invite security professionals for support and guidance
- Conduct a comprehensive threat assessment based on a well documented system architecture and (preferable) a security architecture (invite all relevant stakeholders: product management, architects, developer, test folks, …)
- The architecture must support flexible patch and update management
- Review the resulting design, at least the security relevant components
- Check on all 3rd party components in detail to identify known weaknesses; if so, look for alternatives
- Provide and teach (!) secure coding and secure design principles to the team
- Make sure that the team has enough time to learn and to apply such rules and principles (project management must plan accordingly!)
- Test all functional security requirements accoring to your test specification (use well documented requirements and use case scenarios to specify test cases)
- Use tools to check your code to identify flaws and derivations from your guidelines mentioned above
- Apply code review if tools are not sufficient
- Use a realistic test environment (set up) to run a kinda black box test based on tools (fuzzer, etc.)
- Test especially all user interface (focus on web based interfaces) as well as communication stacks
- Document all testing results and establish a rating based on criticality
- Communicate and share your experience
Friday, April 23, 2010
Divide and Protect
Divide and conquer is a well-know strategy in software design and architecture. In terms of OOA/OOD it is not really my favorite approach, but this is not the topic of this post.
Divide and protect is one option to secure large distributed systems. The concept of Divide and Protect is about the compartmentation of a system into functional blocks with identical requirements in terms of security and privacy. It supports a defense in depth strategy, and it helps to handle the complexity of large installations. The compartmentation of a given system leads to security zones with different levels of trust that should be outlined in a digram. Based on such diagram (red = not trusted, .., green = trusted), the system architecture can be developed in a comprehensive manner. This is especially true for the communication architecture and the selection of appropriate protocols. By using this approach, non-functional requirements can be addressed in the early beginning of the product development process which means no change (requests) later on.
Divide and protect is one option to secure large distributed systems. The concept of Divide and Protect is about the compartmentation of a system into functional blocks with identical requirements in terms of security and privacy. It supports a defense in depth strategy, and it helps to handle the complexity of large installations. The compartmentation of a given system leads to security zones with different levels of trust that should be outlined in a digram. Based on such diagram (red = not trusted, .., green = trusted), the system architecture can be developed in a comprehensive manner. This is especially true for the communication architecture and the selection of appropriate protocols. By using this approach, non-functional requirements can be addressed in the early beginning of the product development process which means no change (requests) later on.
Thursday, January 21, 2010
Failure is an option
I read about a conference on failing in the Silicon Valley last year (and I was fascinated by this way of thinking immideately). Well, I think this approach to tackle issues and mistakes is one success criterion which makes this exceptional high-tech valley that successful. Ten years ago, I was lucky to work for one year in Santa Clara / Sunnyvale. At this time, the Silicon Valley was the epicentre of the internet boom. I learned a lot about trying out new things and to be innovative in thinking and developing systems. I need to mention from time to time that software development is still a heuristic process. There are no tools to produce exactly that result in terms of code which is intended in the phase of project initialization. It (the mother of all tools) has been promised for years but it has not arrived yet. Sure, there are patterns, models, code fragments, IDE’s and many other helpful things but in the end it is up to a human beeing (the engineer) to compose and develop the solution. And this still works by trial and error in many cases. The most important lesson is to accept failure and to learn from it. This sounds easier than done and means a learning process for the whole team. But this is absolutely necessary in order to handle the complexity of computer science these days in a professional manner. One of my methods to take care of this is to document alternative solutions (to the choosen way of implementing it) for a given project and to outline the reasons for discarding. As an easy rule of thumb: In order to develop solutions successfully, we need to learn how to fail in the right ways.
Tuesday, November 24, 2009
Success criterions for development projects
Many factors do impact the success of development projects these days, much more than a couple of years ago. I have learned to focus on a very limited number (3-4) of key objectives to achieve in large scale projects in order to stay on track. Key objectives are the principles of a project and should be well-know, understood and accepted within the project team. To miss even one of them means failure. If it comes to decision making, the key objectives build a good foundation to move forward. This is a proven approach for projects but also for the development process itself. Here are my four (4) key objectives for successful system development:
- Precise, high quality requirements based on strong user involvement
- A motivated and skilled team with the ability to learn constantly
- Flexible and realistic project management
- An open and innovative environment which understands the fact that software development is a heuristic process and which accepts failure
Saturday, October 31, 2009
Security Architecture – an approach to outline a framework
Security in the scope of vast, distributed systems needs to be specified, designed, implemented and operated based on a solid framework – let’s call it a Security Architecture. I have seen many approaches in order to cover this tricky task. Many of them tend to be too complex. Unfortunately, complexity is not a driver for security (in contrast to simplicity). On the other hand, it’s a tough job to keep the Security Architecture for huge systems simple. Beside the need for a simple approach, transparency and clearness in the scope of Security Architecture are important attributes that should be addresses as key-objective. Security controls need to be structured and encapsulated in the relevant components of the Security Architecture in a clear and traceable manner. I prefer a structure consisting of the following main components:
- Security Infrastructure [ Communication and Network Security, Perimeter Security, …]
- System Security Services [ Access Control, Identity Management, Credential Management, Audit, Backup and Recovery, …]
- Application Security [ Operation Systems, Databases, Web and Application Server, SaaS, Enterprise Applications, Collaboration, and Messaging, … ]
- Service Security [ System Maintenance, System Operation, Change Management, Incident Management, Event Management and Forensics, …]
- Security Management [ Policies and Roles, Risk Management, Training and Awareness, … ]
Subscribe to:
Posts (Atom)
