IoT Security and Privacy


IoT Security and Privacy
Assessing the impact on networks and the consumer
Rajnesh Singh, Regional Bureau Director for Asia-Pacific
singh@isoc.org
For ISOC External Use

The number of IoT devices and systems connected to the Internet will be more than 2.5x the global population by 2020 (Gartner).

As more and more devices are connected, privacy and security risks increase. Used with permission. http://www.geekculture.com/joyoftech/joyarchives/2340.html

The challenges we face

New devices, new vulnerabilities
The Internet Society 1/1/2019

The attributes of many IoT devices present new and unique security challenges compared to traditional computing systems.

- Device Cost/Size/Functionality
- Volume of identical devices (homogeneity)
- Long service life (often extending far beyond supported lifetime)
- No or limited upgradability or patching
- Physical security vulnerabilities
- Access
- Limited user interfaces (UI)
- Limited visibility into, or control over, internal workings
- Embedded devices
- Unintended uses
- BYOIoT

Industry is not adequately addressing fundamental security, privacy and life-safety issues.

- Many manufacturers are new to the networking and Internet arena, and lack experience.
- There are STRONG competitive pressures for speed to market and cost reduction.
- Security and privacy cost money, require specialized skills, and slow down the development process.
- The proliferation of devices, and corresponding interactions with other devices, increase the “surface” available for cyberattack.
- Poorly secured devices affect the security of the Internet and other devices globally, not just locally.

Key Challenge: IoT Ecosystem

Three Dimensions:
- Combination of devices, apps, platforms & services
- Data flows, touch points & disclosures
- Lack of defined standards

Impacts on Sustainability Issues:
- Lifecycle supportability
- Data retention / ownership

Who is responsible?

Developers and users of IoT devices and systems have a collective obligation to ensure they do not expose others and the Internet itself to potential harm.

To scale up we need a collective approach, addressing security challenges on all fronts.

What we’re doing about it

There are two ways to view IoT Security

- Inward Security: Focus on potential harms to the health, safety, and privacy of device users and their property stemming from compromised IoT devices and systems.
- Outward Security: Focus on potential harms that compromised devices and systems can inflict on the Internet and other users.

Example of outward risk: A home appliance may continue to function well as far as the direct user is concerned, and s/he may be unaware that it is part of a botnet participating in a DDoS attack.

Toaster example:
- Someone may use it against you, and remotely decide to burn your hands or even your house (inward security related issue).
- Your toaster works OK but is being used for a major DDoS attack (outward).

At ISOC, our focus is on the impact that IoT security and privacy has on the Internet and other users.

Online Trust Alliance IoT Security & Privacy Trust Framework

- Measurable principles vs. standards development
- Consumer grade devices (home, office and wearables)
- Address known vulnerabilities and IoT threats
- Actionable and vendor neutral
- June 2015 kick off, consensus driven process with input from industry and policy-makers
- Multi-stakeholder working group – 100 plus participants
- Face-To-Face meetings / Public Call for Comments
- Ongoing refinement

Working Group Focus
https://otalliance.org/iot/

Online Trust Alliance IoT Security Resources

The Framework is broken down into 4 key areas:

- Security Principles (1-12) – Applicable to any device or sensor and all applications and back-end cloud services. These range from the application of a rigorous software development security process to adhering to data security principles for data stored and transmitted by the device, to supply chain management, penetration testing and vulnerability reporting programs. Further principles outline the requirement for life-cycle security patching.
- User Access & Credentials (13-17) – Requirement of encryption of all passwords and user names, shipment of devices with unique passwords, implementation of generally accepted password reset processes and integration of mechanisms to help prevent “brute force” login attempts.
- Privacy, Disclosures & Transparency (18-33) – Requirements consistent with generally accepted privacy principles, including prominent disclosures on packaging, point of sale and/or posted online, capability for users to have the ability to reset devices to factory settings, and compliance with applicable regulatory requirements including the EU GDPR and children’s privacy regulations. Also addresses disclosures on the impact to product features or functionality if connectivity is disabled.
- Notifications & Related Best Practices (34-40) – Key to maintaining device security is having mechanisms and processes to promptly notify a user of threats and action(s) required. Principles include requiring email authentication for security notifications and that messages must be communicated clearly for users of all reading levels. In addition, tamper-proof packaging and accessibility requirements are highlighted.

ISOC “IoT Trust by Design” Campaign

1. Work with manufacturers and suppliers to adopt and implement the OTA IoT Trust Framework
2. Mobilize consumers to drive demand for security and privacy capabilities as a market differentiator
3. Encourage policy and regulations to push for better security and privacy features in IoT

Consumers: We want to raise awareness of the privacy and security risks and encourage consumers to voice their concerns.

Policymakers and Regulators: We want policymakers to create a policy environment that favors strong security and privacy features in IoT products and services.

Activity highlights

OTA IoT Trust Framework implementation
- Best practices and toolkits
- Implementation guide
- Training for ISOC and community

Global, regional and local partnerships
- Security-minded IoT alliances
- Certification organizations
- Civil society organizations
- Organizations that review consumer products
- Internet Society community

Research
- Paper on IoT Security for Policymakers
- Policy research: mapping the IoT policy/regulatory landscape
- Economic study on IoT security externalities
- Study on “consumer grade” IoT markets, to better understand manufacturing trends and consumer behaviour

Outreach to policy makers
- Regional engagement in strategic countries
- Global and regional events
- Workshops and capacity building
- Thought pieces and articles

Thoughts and suggestions?