How do Policy and regulatory initiatives address the topic of IoT Security? INDIA
Dinesh Chand Sharma (Seconded European Standardization Expert in India)
ETSI Headquarters
Security Week| 14‐June‐2016| Slide 2
Agenda
ICT in India
Govt. Initiative towards M2M & IoT
Security - Stakeholders
Cyber & Telecom Security
M2M & IoT Security
Smart City & Cyber Security
Security Standards
Conclusion
ICT in India
India has a ~67% share of the global IT outsourcing market
155 major ISPs in India (300 ISPs in total)
302 M internet users, 99.2 M broadband users
10 telecom wireless network operators; 100% FDI allowed in telecom
1 B+ mobile subscriptions; India contributes 13% of global mobile subscribers (active subs)
Lowest voice rates in the world; telecom contributes 6.1%* of India's GDP
2nd largest private-sector investment in infrastructure: Rs. 800,000 crore (~106 billion Euro)
Among the highest contributors to government revenue: nearly Rs. 70,000 crore p.a. (~9.3 billion Euro)
Govt. Initiative towards M2M & IoT
Government of India & Ministry of Urban Development
The Digital India programme of the Government aims to take the power of digital to the next level.
Machine to Machine (M2M)/Internet of Things (IoT) is expected to be a key enabler, and is particularly relevant in view of the Government's resolve on Digital India, Make in India and the development of 100 Smart Cities.
The Ministry of Communication & IT has two departments: the Department of Telecom (DoT) and the Department of Electronics & IT (DeitY).
DoT: the BharatNet project will put telecom infrastructure in place up to village panchayat level, making villages ready to take full advantage of ICT including M2M. DoT released the 'National Telecom M2M Roadmap' with the objective of giving impetus to the growth of the M2M ecosystem.
DeitY: responsible for the Digital India programme; released the IoT policy.
DSCI and DeitY run a training programme on Cyber Forensics to tackle cybercrime.
Security - Stakeholders
Government of India (institutional):
  Ministry of Home Affairs: LEA (State Police, Central Police, CBI); Intelligence (IB, RAW, NIA)
  Ministry of Communication and IT: DeitY, DoT
  Ministry of Defence: CERT-Army, CSG-DDP, CIRT-Navy, DIARA
  NCIIPC, NTRO
  NIC, ICERT, CCA, STQC, CDAC, NeGD
  C-DoT, TEC
  Ministry of External Affairs, Ministry of Commerce
  National Security Council (NSC), National Security Advisor (NSA), National Cyber Security Coordination Centre (NCCC)
  NATGRID, NWG-17, CMS, NISG, JWG (PPP) 4 CoE, ISAC, IoT4SCTF
Industry/Associations: NASSCOM, DSCI, TSDSI, IB-CART, ISEA, CFL CDAC Kerala, GISFI
Academia: Centres of Excellence (IIT Delhi, IIIT Delhi, Amrita Centre for Cyber Security Systems & Networks, CDAC Hyderabad)
Cyber Security
The Government unveiled a National Cyber Security Policy in July 2013:
Designate a national nodal agency to coordinate all matters related to cyber security in the country
All organizations (public & private) to designate a senior official as Chief Information Security Officer
Adoption of global practices on cyber security and compliance
Compliance with conformity assessment certification
Adopt open standards for interoperability & data exchange, and promote tested & certified products based on open standards
Promotion of research and development in cyber security, reducing supply chain risk
The existing Indian Computer Emergency Response Team (CERT-In) to handle 24x7 proactive response to hackers, cyber-attacks and intrusions, and restoration
A 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) to function as nodal agency for critical information infrastructure protection
Telecom Security
In May 2011 DoT issued a notification to include security conditions for telecom networks across India: the licence conditions were amended and a chapter on security added:
LICENSEE shall have an organizational policy on security and security management
LICENSEE shall audit its network, or get the network audited, once in a financial year
Induct only network elements that have been tested: IT and IT-related elements against ISO/IEC 15408 (Common Criteria); the Information Security Management System against the ISO 27000 series; telecom and telecom-related elements against 3GPP security standards, 3GPP2 security standards etc.
Penalty provision of Rs 50 crore (~6.5 M Euro) per occasion for any security breach
Remote Access (RA) to the network to be provided only to approved locations abroad, through approved location(s) in India
Establishment of the Telecom Security Council of India (TSCI) and the Telecom Information Sharing and Analysis Centre (T-ISAC): set up by the TSPs in October 2015
Testing and certification shall be done in India by authorized & certified labs/agencies in India from April 2017 [the first date was April 2011]; setting up of a telecom test lab in India: WIP
Lawful Intercept: IT Act Section 69 gives authorities the power of "interception or monitoring or decryption of any information through any computer resource"
State-level agencies monitor the traffic; National Intelligence Grid (NATGRID) and Central Monitoring System (CMS): 2 centralized data centres, 21 Regional Monitoring Centres & 195 ISF servers: WIP
M2M Security: DoT M2M Roadmap 1(2)
The GSMA paper on embedded SIM, ETSI and oneM2M standards are referred to.
Security-related guidelines which the MSP shall try to incorporate in the overall service design cover:
Only point-to-point data, SMS and voice services to predefined numbers shall be enabled on an M2M SIM
Enable security of embedded sensors to protect them from computer worms, viruses or other malware by implementing security features such as MILS (Multiple Independent Levels of Security and Safety)
Additional security in sensors may be incorporated by IMEI & SIM pair locking, so that a sensor works only with the SIM configured for it by the MSP
Transfer of SIMs and use of pre-activated SIMs are not permitted
Data Security:
M2M data within the telecom operator's domain: existing licences are sufficient to address it, and LEA provisions will apply in the case of M2M
Policy formulation: Road Ahead
KYC norms for M2M services, and security and lawful interception for M2M: WIP
M2M Security: DoT M2M Roadmap 2(2)
M2M data within the M2M service provider's domain:
The M2M security framework is closely interlinked with interface and architecture standards, on which the oneM2M Partnership Project and TEC working groups are currently deliberating.
Security at sensor/device level:
M2M devices should use only genuine IMEIs & ESNs, due to security concerns; non-genuine IMEIs & ESNs should not be allowed in devices.
Security at network level:
M2M will make a large number of devices available on the Internet or public networks, and any unauthorized access to or by these devices may have serious implications. MSPs and TSPs need to devise suitable mechanisms for their respective network protection.
Location and connectivity guidelines:
From a security perspective there is a strong case for all M2M gateways and application servers serving customers in India to be physically located in India. But an MSP with a small customer base in the country may find it difficult to have a complete back-end technical setup, for lack of economies of scale. All such relevant factors need consideration, and physical location shall be in consonance with decisions in other services.
It is proposed to establish an apex body which shall take the necessary steps to enforce encryption, quality, security and privacy standards for M2M communication.
Create test bed facilities for conformity to security and lawful interception standards: TEC
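The "genuine IMEI" rule on this slide and the IMEI/SIM pair locking on the previous one are stated as requirements on the MSP; the following is an added example of how an MSP-side attach check could enforce both. It is illustrative code written for this page, not code from the DoT roadmap or from any operator. It assumes the MSP keeps a provisioning table mapping each device IMEI to the ICCID of the SIM configured for it (the values below are constructed), and it approximates "genuine" by a well-formed 15-digit IMEI whose Luhn check digit verifies and whose Type Allocation Code is not an obvious placeholder; a real deployment would additionally look the 8-digit TAC up in the GSMA allocation database, which is not shown.

```go
// Added example, not from the DoT roadmap: IMEI sanity check plus IMEI/SIM pair lock as an
// MSP could apply them when a device attaches. The provisioning table and ICCIDs are
// constructed for the demo; the placeholder-TAC list is an assumption.
package main

import "fmt"

// ImeiCheckDigitOK reports whether imei is 15 decimal digits with a valid Luhn check digit.
// Note that the all-zero IMEI passes this test, which is why ImeiIsPlausible adds a TAC filter.
func ImeiCheckDigitOK(imei string) bool {
	if len(imei) != 15 {
		return false
	}
	sum := 0
	for i := 0; i < 15; i++ {
		c := imei[14-i] // walk leftwards from the check digit
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if i%2 == 1 { // every second digit from the right is doubled
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// placeholderTACs is an assumed deny-list of Type Allocation Codes that pass Luhn but
// clearly do not identify an allocated device model.
var placeholderTACs = map[string]bool{"00000000": true}

// ImeiIsPlausible combines the check-digit test with the placeholder-TAC filter.
func ImeiIsPlausible(imei string) bool {
	return ImeiCheckDigitOK(imei) && !placeholderTACs[imei[:8]]
}

// PairLock is a constructed provisioning table: IMEI -> ICCID of the SIM locked to it.
// The ICCID values are hypothetical.
var PairLock = map[string]string{
	"490154203237518": "8991000000000000001",
	"356938035643809": "8991000000000000002",
}

// AttachDecision returns whether a device presenting (imei, iccid) may attach, and the reason.
func AttachDecision(imei, iccid string) (bool, string) {
	if !ImeiIsPlausible(imei) {
		return false, "malformed or non-genuine IMEI"
	}
	want, ok := PairLock[imei]
	if !ok {
		return false, "IMEI not provisioned by the MSP"
	}
	if want != iccid {
		return false, "SIM is not the one locked to this IMEI (SIM transfer not permitted)"
	}
	return true, "ok"
}

func main() {
	attempts := [][2]string{
		{"490154203237518", "8991000000000000001"}, // provisioned pair
		{"490154203237518", "8991000000000000002"}, // SIM moved to another device
		{"000000000000000", "8991000000000000001"}, // Luhn-valid but placeholder IMEI
		{"490154203237519", "8991000000000000001"}, // wrong check digit
	}
	for _, a := range attempts {
		ok, why := AttachDecision(a[0], a[1])
		fmt.Printf("IMEI %s with SIM %s: allowed=%v (%s)\n", a[0], a[1], ok, why)
	}
}
```

The order of the checks matters: the IMEI is validated before the pair lock is consulted, so a fabricated identifier never reaches the provisioning lookup, and a SIM that has been transferred to a second device is refused even though both the IMEI and the ICCID are individually valid.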
IoT Security: DeitY IoT Policy, Chapter on Standards
Device security and safety standards (for example, protection of humans from EMF and other health hazards)
Data privacy, data accuracy & integrity: the privacy law is to be made congruent with the evolving IoT paradigm
Facilitate the development of IoT solutions with relevant changes in telecom policies to ensure robust security and privacy
Be on the steering committee of the IEEE World Forum on IoT or similar forums, to take part in the formation of standards and security parameters
Smart City & Cyber Security: MoUD 1(3)
The Government of India has a mission-mode project of deploying 100 Smart Cities in India.
98 cities were identified and submitted their smart city proposals to the Ministry of Urban Development; 33 cities have qualified for Phase 1 implementation, and for the rest the challenge programme is ongoing.
The National Security Council Secretariat, Government of India, in consultation with industry (NASSCOM, DSCI), prepared a Cyber Security Model Framework for Smart Cities, released in May 2016:
This model framework may be considered while implementing solutions for setting up Smart Cities.
The architecture of Information Technology systems deployed in a Smart City needs to be open, interoperable and scalable. The reference architecture of IT infrastructure in a Smart City suggested by the National Institute of Standards and Technology (NIST) serves as a common starting point for system planning while promoting the interoperable functional building blocks required in a smart city.
The central data centre shall support multi-tenancy with adequate authentication and a role-based access control mechanism.
Smart City & Cyber Security: MoUD 2(3)
Application Program Interfaces (APIs) should be published, and the IT systems shall run on standard protocols like JSON / XML or REST etc.
The smart city architecture should be capable of managing heterogeneous data. The following communication protocols could be used for the different layers of data flow:
Between applications and back-end systems: HTTP, SQL, FTP, SNMP, SOAP, XML, SSH, SMTP
Between back-end systems and field devices: Message Queue Telemetry Transport (MQTT), XMPP, RESTful HTTP, Constrained Application Protocol (CoAP), SNMP, IPv4/6, BACnet, LonWorks, Low Power Wide Area Network (LoRa), fixed, 4G/5G, Wi-Fi, WiMAX, 2G/3G
From field devices: ZigBee IP, ETSI LTN, IPv4/6, 6LoWPAN, Modbus, Wi-Fi, 802.15.4, EnOcean, LoRa, RFID, NFC, Bluetooth, Dash7, fixed, ISM & short-range bands
(Several protocols in these lists, for example HTTP, FTP, MQTT, CoAP and SNMPv1/v2c, carry no transport protection of their own; in practice they need TLS/DTLS, SSH/SFTP or SNMPv3 underneath, which the framework's list does not spell out.)
The entire IT infrastructure deployed as part of a Smart City should follow standards like ISO 27001, ISO 22301, ISO 37120, ISO 3712, ISO 27017, ISO 27018, BSI PAS 180, BSI PAS 181, BSI PAS 182, and for Wi-Fi access PEAP (Protected Extensible Authentication Protocol), 3rd Generation Partnership Project (3GPP), etc., as appropriate.
The guidelines to secure Wi-Fi networks (ADSL modems) published by the Department of Telecom must be followed.
Smart City & Cyber Security: MoUD 3(3)
All devices and systems deployed in a Smart City should be hardened and have the ability to have their firmware upgraded remotely, through encrypted image files with an authentication mechanism to complete the operation.
The data centre shall be implemented with capabilities like firewalls, intrusion detection & intrusion prevention systems, web application firewalls, behavioural analysis systems for anomaly detection, a correlation engine, denial of service prevention devices, an advanced persistent threat notification mechanism, a federated identity and access management system, etc.
All "applications" and "apps" will undergo static and dynamic security testing before deployment, and be tested with respect to security on a regular basis, at least once a year.
All applications ("apps") deployed as part of a Smart City are to be hosted in India.
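The framework requires remote firmware upgrades to use "encrypted image files with authentication mechanism" but does not say how. The following is an added example of one construction that meets that requirement on the device side; it is illustrative code written for this page, not code from the MoUD framework or any vendor. It assumes the vendor signs the whole image with Ed25519, the payload is encrypted with AES-256-GCM under a per-device update key, the plaintext header (magic and version) is bound to the ciphertext as GCM associated data, and the device refuses any image whose version is not newer than the installed one (anti-rollback). The keys and firmware bytes are constructed for the demo; key provisioning and secure boot of the written image are outside its scope.

```go
// Added example, not from the MoUD model framework: a signed, encrypted firmware image with
// anti-rollback, built on the vendor side and verified on the device side. All keys and the
// firmware payload are constructed for the demo.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	magic   = "SCFW"
	hdrSize = 8 // 4-byte magic + 4-byte big-endian version
)

// BuildImage is the vendor side: header || nonce || AES-GCM ciphertext || Ed25519 signature.
func BuildImage(priv ed25519.PrivateKey, updKey []byte, version uint32, firmware []byte) ([]byte, error) {
	hdr := make([]byte, hdrSize)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	block, err := aes.NewCipher(updKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, firmware, hdr) // header authenticated as associated data
	body := make([]byte, 0, hdrSize+len(nonce)+len(ct)+ed25519.SignatureSize)
	body = append(body, hdr...)
	body = append(body, nonce...)
	body = append(body, ct...)
	body = append(body, ed25519.Sign(priv, body)...) // signature covers header, nonce and ciphertext
	return body, nil
}

// VerifyAndDecrypt is the device side; installed is the running firmware version.
// It returns the new version and plaintext firmware, or an error before anything is written.
func VerifyAndDecrypt(pub ed25519.PublicKey, updKey []byte, installed uint32, image []byte) (uint32, []byte, error) {
	block, err := aes.NewCipher(updKey)
	if err != nil {
		return 0, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return 0, nil, err
	}
	if len(image) < hdrSize+gcm.NonceSize()+gcm.Overhead()+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short")
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	// 1. Authenticate first: an image that is not signed by the vendor gets no further parsing.
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature verification failed")
	}
	hdr, rest := body[:hdrSize], body[hdrSize:]
	if string(hdr[:4]) != magic {
		return 0, nil, errors.New("bad image magic")
	}
	version := binary.BigEndian.Uint32(hdr[4:])
	// 2. Anti-rollback: a correctly signed but older (or replayed) image is still rejected.
	if version <= installed {
		return 0, nil, fmt.Errorf("version %d is not newer than installed version %d", version, installed)
	}
	// 3. Decrypt; GCM re-checks integrity of ciphertext and header under the update key.
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	fw, err := gcm.Open(nil, nonce, ct, hdr)
	if err != nil {
		return 0, nil, errors.New("decryption or integrity check failed")
	}
	return version, fw, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor signing key (constructed for the demo)
	updKey := make([]byte, 32)               // per-device update key (constructed for the demo)
	rand.Read(updKey)
	img, err := BuildImage(priv, updKey, 2, []byte("constructed firmware payload v2"))
	if err != nil {
		panic(err)
	}
	v, fw, err := VerifyAndDecrypt(pub, updKey, 1, img)
	fmt.Println("fresh image:", v, string(fw), err)
	_, _, err = VerifyAndDecrypt(pub, updKey, 2, img) // same version replayed
	fmt.Println("rollback attempt:", err)
	img[len(img)/2] ^= 1 // flip one bit
	_, _, err = VerifyAndDecrypt(pub, updKey, 1, img)
	fmt.Println("tampered image:", err)
}
```

Two design points worth noting: the signature is checked before the header is interpreted, so a malformed or hostile image is rejected without any parsing of attacker-controlled fields, and the version lives in the signed, GCM-authenticated header rather than in a filename, so an attacker who can only replay old images cannot downgrade the device.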
Security Standards @ BIS
BIS LITD 17, the mirror committee of ISO/IEC JTC 1/SC 27 & SC 37, looks after security standardization activities.
IS/ISO/IEC 9796 Parts 2 & 3 on digital signature schemes
IS/ISO/IEC 13335 Part 1: management of ICT security
IS 14356:1996: guide for protection of information resources
IS 14990 Parts 1, 2 & 3, IS 15580:2012, IS 15671:2006: evaluation criteria for IT security
IS/ISO/IEC 24762:2008 for ICT disaster recovery services
ISO 27000, 27001, 27003, 27004, 27005, 27006 for information security management systems
ISO 27033 Parts 1, 3, 4 & 5; ISO 27034 Part 1; ISO 27035; ISO 27036 Parts 1 & 3
Identity protection and authentication: ISO 9798
Cryptographic standards (ISO 15946), their applications and process review; encryption algorithms (ISO 18033)
Standards on intrusion detection systems (ISO 18043)
ISO 17065 (requirements for bodies certifying products, processes and services)
IS 3292: security standard for power control systems
Legend on slide: Adopted at BIS / Under Consideration
Standards in Telecom, @ DSCI & IDRBT
Telecom Standards Development Society, India (TSDSI) is in the process of establishing a Working Group on Security.
DoT/TEC NWG 17 works with ITU-T SG 17
Closely follow 3GPP work:
3GPP SA3 Technical Report describing a new security assurance and evaluation framework for mobile network products
3GPP Security Assurance Methodology (SECAM), which aims at providing common and testable baseline security properties for the different network product classes
Mobility Management Entity (MME) test cases and Technical Specifications: general and MME-specific
GSMA Network Equipment Security Assurance Group (NESAG), now known as Security Assurance Group (SECAG)
GISFI has a Security and Privacy WG, active since 2008
DSCI Security Framework (DSF©): comprises 16 disciplines organized in four layers. The document compiles practices under each discipline. It brings a fresh outlook to the security initiatives of an organization by focusing on each individual discipline of security.
Institute for Development and Research in Banking Technology (IDRBT)'s Security Framework for the banking industry
Conclusion
Cyber Security
— Regulatory and policy framework exists; standards development activities to start
Telecom Security
— 3GPP specifications need to conclude fast; setting up a lab needs huge cost and effort; April 2017 could be the last extension
M2M/IoT Security
— M2M Roadmap & IoT Policy include security provisions; however the policy framework is yet to be released by Govt, and standards work shall speed up at TSDSI
Smart City & Cyber Security
— Model framework released; Smart City Proposals (SCP) WIP
Security Standards
— IT standards exist @ BIS; Telecom/M2M/IoT standards adoption: WIP
Contact Details: Dinesh Chand Sharma
(Seconded European Standardization Expert in India) Director – Standardization, Policy and Regulation
European Business Technology Centre, DLTA Complex, South Block, 1st Floor, 1, Africa Avenue, New Delhi 110029
Mobile: +91 9810079461, Tel: +91 11 3352 1500
www.eustandards.in