NEKs Ekomkonferanse 21Nov2017, Oslo
The Internet of Things - The Need for Standardisation
Josef Noll, Department of Technology Systems, University of Oslo
m: +47 9083 8066, e: [email protected]
IoTSec.no - SCOTT.IoTSec.no
Nov2017, Josef Noll - Need for standardisation in IoT
“The last time I was connected by wire was at birth” - or when Internet of Things (IoT) meets people
• The changing role of security in HMS -> HMSS
• Internet has changed, IoT will accelerate
  ➡ the ecosystem of making business
  ➡ automated processes
• Security in IoT
  ➡ “teach our sensors to talk Norwegian”
• Standardisation
  ➡ new paradigm: measurable security
  ➡ security classes “design”
• related to projects:
  ➡ Security in IoT for Smart Grids: IoTSec.no
  ➡ Secure Trusted IoT: SCOTT.IoTSec.no
  ➡ Diversity in IoT Security: DiversIoT.IoTSec.no
Jun2017, Josef Noll - Smart Energy - Trust
The Internet of Things (IoT)
• IoT =
  ➡ Things +
  ➡ Internet +
  ➡ Semantics
• Things that communicate
  ➡ with Things: computer,
  ➡ understand the meaning,
  ➡ take own decisions
Source: L. Atzori et al., The Internet of Things: A survey, Comput. Netw. (2010), doi:10.1016/
* security
* privacy
* dependability
* context-aware
* personalised
[Figure labels: Things, Internet, Semantics]
IoT - 3rd wave of convergence
• 1. wave: All-IP
  – flat world, global business
• 2. wave: Telecom - IT - Broadcast
  – from fixed to mobile and quadruple play
  – Telecom = mobile
• 3. wave: IoT Internet
  – The business merger
Collaboration and cooperation drive developments
[Figure labels: all-IP, core business, Telco-IT, IoT Internet, Community]
“By 2020, business is dominated by automated processes” [DNV-GL 2013]
Jun2017, Noll et al. - Economics in IoT
http://www.scmagazine.com/iot-security-forcing-business-model-changes-panel-says/article/448668/
Nov 2017, Chr. Johansen, J. Noll - IoTSec.no #IoTSecNO - High level view on Security for IoT
National initiative for a more secure future in IoT
IoTSec.no - Security in IoT for Smart Grids
«Open World Approach»: everything that is not declared closed is open
[Figure labels: Kjeller, Oslo, Gjøvik, Halden; Academia, Industry, Interest Org., International]
Addressing the Threat Dimension for IoT
• Hollande (FR), Merkel (DE) had their mobiles monitored
• «and we believe it is not happening in Norway?»
[source: www.rediff.com] [source: Süddeutsche Zeitung, 18Dec2014]
IoT security challenges
• Mirai attack
  ➡ “security by obscurity”
  ➡ different security viewpoint
• “it is just the beginning”
[Figure label: Significance]
[Source: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ ] 16Oct2016
Feb 2016, Josef Noll - IoTSec.no
IoTSec.no “Research on IoT security”
“Building the national Security Centre for Smart Grid”
http://IoTSec.no
2015-2020 project, >20 partners (5 academics)
[Figure labels: Smart Meter, Internet, Communication & IoT for society, Open World Approach, Security by obscurity]
teach our sensors to talk Norwegian
SCOTT key message “elevator pitch”
IoT is the game changer and driver for digitalisation, and SCOTT contributes through:
■ Answer the IoT need for a new and more advanced security paradigm through security classes
■ Create a convincing privacy assessment through privacy labelling
■ Establish a clear link between security and safety
largest security project in EU
57 partners from 12 countries
8 partners from Norway
80 M€ budget, 35 M€ EU & national
[Figure labels: Home, Rail, 5G, Avionics, Automotive]
The trust matrix
• trust as a positive user attitude
  ➡ engaging voluntarily
• security based trust issues
  ➡ building trusted systems
• technological factors
  ➡ data storage, distribution
  ➡ insight
• human/societal factors
  ➡ government
  ➡ family, friends
http://SCOTT.IoTSec.no
http://SCOTT-project.eu
Learn from Industrial Automation and Mobile Networks
• “What to secure?”
• Network segregation
  ➡ Network slicing
• From Confidentiality, Integrity, Availability (CIA)
• to Availability, Integrity, Confidentiality (AIC)
[Figure labels: Home services, Appliance services, Car services, Health services; Service cloud #1, Service cloud #2; Software-enabled routing; Basic Internet; low capacity; VPN #1]
Security in IoT - our promises
● Semantic system description
  ➡ Understanding the system and describing security through security functionality
  ➡ Measurable security - the novel security concept
● Security modelling
  ➡ Development of privacy-aware models and measures
  ➡ Adopting and enhancing adaptive security for system of systems
  ➡ Formal languages for semantically proving signalling
● System versus Goal analysis
  ➡ Application-specific security/privacy, e.g. billing vs
  ➡ Human/technical interface, security usability
● Operational security for IoT-based critical infrastructure
  ➡ IoTSec ecosystem -> extended network
  ➡ Roadmap for Smart Grid Security Centre (SGSC)
  ➡ (Gap Analysis of security methods for critical infrastructures)
[Figure: Measurable criticality to measurable: security, privacy and dependability; criticality scale labels: ideal, good, accep., critical, failure]
Nov2016, Josef Noll - Innovation through IoT - IoTSec.no - BasicInternet.org
Example of Research: Multi-Metrics v2 - system composition
• System consists of sub-systems, which consist of components
  ➡ security
  ➡ privacy
  ➡ dependability
[Figure: Multi-Metrics (weighted subsystems); labels: Comp. 1, Comp. 2, Comp. 3; sub-system 1 (s,p,d), sub-system 2 (s,p,d); system (s,p,d); Multi-Metrics, MM, M; criticality scale labels: ideal, good, accep., critical, failure]
High level view of Security in IoT
● Goal
● Provide the means for IoT security
  ➡ from today's attack to tomorrow's design
  ➡ security thinking in organisations
● Trust in Things
  ➡ Privacy label
● Smart Grid Security Centre
[Figure: our basis: Security and Privacy Functionality; Security classes & System design; Accountable security: Assessment, Modelling, Framework, Meas. Security; Privacy Label; facilitated through: Smart Grid Security Centre; names on figure: Christian, Josef, Elahe, Manish, Adam, Habtamu, Seraj, Toktam, Olaf, Heidi, Øivind, Håkon, all]
Security and Privacy Functionality
Security Classes and System design
● Security Classes in IoT
  ➡ Consequence
  ➡ Exposure
● Consequence
  ➡ as in risk map
● Exposure
  ➡ Physical exposure
    - people, building, physical ports,…
  ➡ IT exposure
    - ports, firewall, connectivity
● Used to assess the security class of Systems, sub-systems and components
New postulate of security class
[Figure labels: Exposure, Consequence, Security Class]
Increase weak security:
- watchdog
- Attribute based access control (S-ABAC)
Semantic attribute based access control (S-ABAC)
● Lifting the security class through S-ABAC
● Access to information
  ➡ who (sensor, person, service)
  ➡ what kind of information
  ➡ from where
● Attribute-based access
  ➡ role (in organisation, home)
  ➡ device, network
  ➡ security tokens
● Rules inferring access rights
Attributes: roles, access, device, reputation, behaviour, ...
[Figure: Smart Home Access; labels: Meter reading, Power control, statistical data, Home-logic, Heat pump, Warm water, home owner, Smart grid operator, Admin, Cloud, GSM/LTE]
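The access decision outlined on this slide, as an added example (not code from the talk or from the IoTSec/SCOTT projects): rules over role, device, network and security-token attributes infer access rights to the smart-home resources named in the figure, with default deny. The attribute values, the three rules and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    role: str          # who: "home_owner", "grid_operator", ...
    device: str        # "registered" or "unknown"
    network: str       # from where: "home_lan", "operator_vpn", "internet"
    token_valid: bool  # security token presented and verified
    resource: str      # "meter_reading", "power_control", "statistical_data"
    action: str        # "read" or "write"

# Constructed policy (an assumption, not taken from the slides): each rule
# lists the attribute values that together infer one access right.
RULES = [
    {"name": "owner-reads-own-data", "role": {"home_owner"},
     "network": {"home_lan", "internet"},
     "resource": {"meter_reading", "statistical_data"}, "action": {"read"}},
    {"name": "owner-controls-power-at-home", "role": {"home_owner"},
     "network": {"home_lan"},
     "resource": {"power_control"}, "action": {"read", "write"}},
    {"name": "operator-reads-meter", "role": {"grid_operator"},
     "network": {"operator_vpn"},
     "resource": {"meter_reading", "statistical_data"}, "action": {"read"}},
]

def decide(req):
    """Return (allowed, reason). Anything no rule infers is denied."""
    # Baseline attributes every right depends on: known device, valid token.
    if not req.token_valid or req.device != "registered":
        return False, "deny:untrusted-device-or-token"
    for rule in RULES:
        constraints = {k: v for k, v in rule.items() if k != "name"}
        if all(getattr(req, attr) in ok for attr, ok in constraints.items()):
            return True, rule["name"]
    return False, "deny:no-matching-rule"

# Constructed sample requests.
SAMPLES = [
    Request("home_owner", "registered", "home_lan", True, "power_control", "write"),
    Request("home_owner", "registered", "internet", True, "power_control", "write"),
    Request("grid_operator", "registered", "operator_vpn", True, "meter_reading", "read"),
    Request("grid_operator", "registered", "operator_vpn", True, "power_control", "write"),
    Request("home_owner", "unknown", "home_lan", True, "meter_reading", "read"),
]

def evaluate(samples=SAMPLES):
    return [decide(r) for r in samples]

if __name__ == "__main__":
    for req, (ok, reason) in zip(SAMPLES, evaluate()):
        print(f"{req.role:14}{req.network:13}{req.action:6}{req.resource:17}-> {ok} ({reason})")
```

The operator can read the meter over its VPN but no rule infers a right to switch power, and the owner loses power control when the request arrives from outside the home network.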
Methodology: From System description to SPD level
• System: Automatic Meter System (AMS) consists of reader (AMR), aggregator, communications, storage, user access
• Sub-systems: AMR consists of power monitor, processing unit, communication unit
• Component: AMR communication consists of baseband processing, antenna, wireless link
• Configuration Parameter: Wireless link: f=868 MHz, output power=?, Encryption=?
[Figure: System/Sub-system; Components and functionalities; SPD Components, SPD functionalities; Metrics description (SPD functionality); define config. parameters and SPD values in Metrics; Run SPD Multi-metrics analysis; relation labels: Is made by, Could be, described by]
Accountable security
● Assessment
  ➡ Comparison desired Class vs Calculated class
  ➡ PROSA modelling
● Modelling
  ➡ SPD Metrics, from criticality to SPD value
● Framework
  ➡ Examples of applicability
● Measurable Security
  ➡ Security is not 0/1
[Figures repeated from earlier slides: Measurable criticality to measurable: security, privacy and dependability; Multi-Metrics (weighted subsystems)]
SmartGridSecurity Logo
Mission Statement
We help the Utility Companies achieve their smart grid goals with higher resiliency and quicker response times against security threats.
Privacy Labelling http://PrivacyLabel.IoTSec.no
● “Measure, what you can measure - Make measurable, what you can’t measure” - Galileo
● Privacy today
  ➡ based on lawyer terminology
  ➡ 250.000 words on app terms and conditions
● Privacy tomorrow
  ➡ A++: sharing with no others
  ➡ A: …
  ➡ C: sharing with ….
● The Privacy label for apps and devices
Answer the Challenges addressed by the EU
SCOTT contribution: privacy label?
Helse, Miljø og Sikkerhet (HMS: Health, Environment and Safety)
• Security affects safety
  ➡ IoT attack -> car crashes
• Security affects core business
  ➡ company confidential information
  ➡ Customer information
    ‣ Privacy regulation (GDPR May2018): 4% of revenue
  ➡ IoT is corporate governance
[Figure labels: Board of directors; CEO; Buz #1, #2, #3, #4; Finance, HMS security and safety; ?safety]
Conclusions
• Things (IoT) are driving the digital societies
• IoT: Business merger
  – Internet + Semantics + Things = IoT
  – Digitisation of the Society
• IoT Security and privacy
  – new security paradigm
  – Security classes, accountable security - security and privacy ontology
• competitive advantage, e.g.:
  - Privacy label (A++, A+…D)