© Cloud Security Alliance, 2016 Brian Russell, Leidos Co-Chair, IoT WG 2 March 2016.

Presentation transcript:

© Cloud Security Alliance, 2016 Brian Russell, Leidos Co-Chair, IoT WG 2 March 2016

Agenda
- IoT WG Goals
- 2015 Accomplishments
- 2016 Plan

Looking Back at
1. Branched off from Mobile WG
2. Published “Security Guidance for Early Adopters of the IoT”
3. Published “Summary Guidance for IoT Identity and Access Management”
4. Co-Published “Cyber Security Guidelines for Smart City Technology Adoption”
5. Collaborated with Federal Communications Commission (FCC) IoT WG
6. Began new document focused on designing and developing IoT devices securely

Security Guidance for Early Adopters of the IoT
- Released April 2015 with over 35 volunteers contributing content
- Guidance reviewed by both FCC and DHS as input into IoT security strategies
- GlobalSign Review of our Early Adopters Guidance: Overall, I'm impressed by the guidance the CSA has put forward with explicit technical details around cryptography and PKI. Until recently, much of the conversation surrounding IoT security has been abstract or generic, so it's exciting to see this concrete advice being released by industry thought leaders.

Summary Guidance for IoT Identity and Access Management
- Led by Arlene Mordeno, Edgile from IoT WG
- First in a series of smaller documents aimed at specific aspects of IoT security

Cyber Security Guidelines for Smart City Technology Adoption
- Demonstrated IoT WG desire to collaborate with other organizations
- Co-published by both Securing Smart Cities and CSA
- Focused on high level secure acquisition guidance for smart city officials
  - Technology Selection
  - Technology Implementation, Operation & Maintenance
  - Technology Disposal

Collaboration with FCC IoT Security Working Group
- FCC Technological Advisory Group (TAG) includes an IoT Security WG
- Focused on consumer technology
- FCC needed answers to six questions:
1. What are the underlying technologies (e.g., WiFi, ZigBee, GPRS, LTE) that dominate the IoT space? and what security vulnerabilities and challenges do they present in the IoT environment?
2. What other security challenges face IoT consumer products? For example, to what extent does lack of physical security pose a threat to unsupervised IoT devices? Explain.
3. What is the industry doing to secure and protect battery-operated and resource-constrained (i.e., minimum computing power and memory) M2M devices, which cannot encrypt its data?
4. How are the IoT/M2M stakeholders addressing those security challenges and vulnerabilities, and what are the gaps?
5. What is the potential impact of these security challenges on the future of IoT/M2M industry, the end user and the economy, especially when IoT devices become fully integrated in all of our systems, including our critical infra.?
6. What role could the FCC play in facilitating positive changes in the security, privacy and resiliency of M2M/IoT devices and systems?

2016 Plan
- Secure Design & Development of IoT Devices
- Connected Vehicle Security
- Smart Health Research
- Securing Cloud Services for the IoT

Secure Design and Development of IoT Devices
- Deep dive into secure design and development approaches for IoT devices
- In peer review now, with requests to OWASP IoT and others outside of CSA for reviews/edits

Connected Vehicle Security
- Short term feedback on Connected Vehicle security strategy to be shared with FHWA
- Connected Vehicles offer the opportunity to reduce collisions and save lives
- These vehicles are designed to communicate with one another, their environment and even pedestrians
- Messages are provided with integrity, authenticity and in some cases confidentiality protections
- Privacy controls are also built-in to the protocols and support systems that CV technology relies upon
- In all cases, the infrastructure that binds these CV components together must be developed and maintained securely
- Are the threats identified sufficient?
- Are planned mitigations appropriate?

Smart Health Research
Goal: Bring together health care organizations that are members of the Cloud Security Alliance to discuss security topics related to the introduction and management of IoT devices in health care.
Format:
- Each event is a panel format that focuses on a single IoT-related topic.
- Panel will consist of up to 4 health care experts selected by CSA from CSA membership organizations.
- Each event is moderated and lasts one hour and is in a webinar format.
- Event will be marketed for broad attendance to showcase CSA and member organization thought leadership in this space.
Event Results:
- Event is archived for future viewing.
- Answers to questions are used as inputs into various CSA IoT WG research activities.
Proposed Event Schedule
- May 2016: Securing Health IoT (Moderated by B. Russell)
- TBD: Handling data remanence with wearables and smart medical devices (Moderated by Aaron Guzman)
- TBD: Empowering Healthcare Ecosystem Using Collaboration Through Healthcare IoT (Moderated by Shyam Sundaram

Securing Cloud Services for the IoT
- Will become next version of our Security Guidance for Early Adopters document
- Focused on Cloud Security for the IoT
- Initial content may include:
  - Cloud IoT Risks and Mitigations
  - Regulations applied to cloud services for the IoT
  - Security Considerations for Big Data Processing and storage
  - Secure Access to Cloud Services
  - Secure Life-cycle management of users and devices through the cloud platform
  - Data Privacy
