TWELVEDOT SECURITY DESIGN.BUILD.SECURE

1

AGENDA

• About Us

• The Threat Landscape

• IoT Standards

• Using an ISMS Approach

• Testing and Evaluation

• Privacy Considerations

2

ABOUT US

- YOW based company

- Global customer base

- Focus on Mobile, Cloud and IoT Security

- Sister company focuses on HW/SW R&D

- ISO standards are the basis for all our work

- Active in ISO standards development

- Team of 7+ {partnerships}

3

ABOUT ME

• 20+ years industry experience

• Chief Security Analysis - TwelveDot & TwelveDot Labs

• Financial Services, Government, Telecom, and MSP

• Chair for ISO/IEC SMC-SC27 in Canada

• Convener ISO/IEC SC27 SWG-M and SWG-IoT

• 4 Patents Granted & 6 Pending

4

WHAT WE DID LAST WEEKEND

5

What Are These Two Numbers?

78 178Minutes days

UNDERSTANDING THE THREAT LANDSCAPE

7

NETWORK LAYER

APPLICATION LAYER

DEVICE LAYER {SENSOR/GATEWAY/CONTROLLER/ETC}

THINGS GETTING COMPLICATED

APPROACH TO CYBERSECURITY

A CyberSec Culture

ISMS “lite”A Shift in

Mindset SDLC

Incident Mgmt

Standards

Mgmt Team

ISO STANDARDS

• WG 10 - IoT

• ISO/IEC 30141 IoT Reference Architecture

• ISO/IEC 20924 Use Cases

• TR {TBD} Vocabulary

• ISO {TBD} Interoperability

• SC 27

• Study Groups - what is lacking in the current base

13

HOW TO LEVERAGE STANDARDS

• Help to determine deficiencies in your company process and procedures (next sections)

• Data at risk?

• both for your company and your solutions

• PDAC {Plan, Do, Check, Act}

• Determine executive support for ISMS

• Align to IT and business objectives for the year and planned projects

• Make employees part of this process

14

USING AN ISMS {ISO 27001} APPROACH

• Need to build and implement policies and procedures around security and privacy

• Update your SDLC {yes even startup-up!} ISO 27034 Application Security

• HR hiring practices (i.e. background checks, sec. training ongoing)

• Data handling (source code repositories, clouds, remote access, breach plan, etc)

• These are not one time tasks they are on going

15

NEED TO THINK ABOUT

• Vulnerability management {29147}

• Incident handling {27035}

• Evaluating 3rd party libraries and source code

• HW other component manufactures

16

Say what you do, do what you say and be able to prove it

PRODUCT/SOLUTION CONSIDERATIONS

@Design Stage

• Threat Modelling

• PIA {ISO 29134} and TRA {ISO 27005/8}

• Know where your source code is and who has access to it

• These need to part of your SDLC and every solution you consider

17

PRODUCT/SOLUTION CONSIDERATIONS

@Testing

• Ensure you have regression test cases to deal with old vulns

• Monitor & evaluate 3rd party libraries

• Evaluate component suppliers {firmware}

• Industrial Controls {IEC 62443-x}

18

PRODUCT/SOLUTION CONSIDERATIONS

@Production

• Ensure devices/gateways/PLCs etc have a method for infield updating

• Monitor for attacks against field installations

• Ensure you have a vulnerability mgmt process (29147 & 30111)

19

PRIVACY CONSIDERATIONS

• Conduct an PIA at design stage and when each new major release is developed (ISO 29134}

• Lots of supporting docs at PCO web site

• Create a privacy policy and make your employees, customers, and partners aware of it

• Ensure your development practices align to the privacy policy {many don’t}

• Only collect what you need from any 3rd party

20

PRIVACY CONSIDERATIONS

• If you can use “de-identification techniques” for longer storage data

• Ensure you have a data destruction policy and process

• Ensure you know who has access to your critical data at all times

• Consider employee terminations and the removal of access

21

YOUR TURN

What would your approach be to securing this solution?

Data:Name, age, etcHR, BP, activity, location

Link:BluetoothUSBWiFi - SSL

Data:User personalNon-encrypted HDNo AV nor FW

Link:WiFi - SSL

Cloud Data:User personalNon-encrypted HD

RECAP

• Create a culture of security • Need to purchase standards sorry they are not free • Use good policies and procedures - standards as

the baseline • Educate your staff to security/privacy risks • Create a ISMS “lite” with the audit outputs for your

company • Prepare for the day a breach happens - because it

will

23

THANK-YOU FOR YOUR TIME TODAY

24

WWW.TWELVEDOT.COM

Faud Khan faud.khan@twelvedot.com

RISK MANAGEMENT WORKFLOW

6. Validation

7. Monitoring and audit Information security

risk managementprocess

For an application, systemfacility, environment, or vendor

1. Resource profiling

(Business owner)

Describe the resource andrate risk sensitive

2. Risk assessment

Identify and rate threats,vulnerabilities, and risks(Information security)

3. Risk evaluation

Decision to accept, avoid, transfer, or mitigate risk

(Information security and business owner)

4 Document

Document riskdecisions including except

and mitigation plans(Information security and

business owner)

5. Risk mitigation

Implement mitigation plan withspecified controls

(Resource custodian)

Test the controls to ensure the actual risk exposure matches the

desired risk levels(Information security)

Continually track changes to thesystem the may affect the risk

profile and perform regular audits(Information security and

business owner)

25