Mitigation Principles PROPOSAL OICA/CLEPA


1 Mitigation Principles PROPOSAL OICA/CLEPA

2 Approach Taken
- Piloted by mapping sample (38) threat examples against the 7 “protection objectives” of the Extended CIA model (see Appendix):
  - Confidentiality
  - Integrity
  - Availability
  - Non-repudiation
  - Authenticity
  - Accountability
  - Authorization
- Defined mitigation principles for the threat examples based on ‘clusters’ of “protection objectives” combinations (see Appendix)
- Attempted to pitch the language to not define a specific solution, nor be too high level to appear unconsidered
- Further work is recommended to reference specific recognized artifacts
- Extended analysis to all threat examples
- Communized mitigation principles where feasible

3 Conclusion
- 18 ‘individual’ mitigation mechanisms proposed (see next slide)
- Some are compounded to mitigate specific threat examples
- Excluded are potential mitigations where the Threat might be considered to be in the scope of ‘Safety’ rather than ‘Security’
- Mitigation mechanisms can be used for different threats
- However, mitigation mechanisms may not be able to be applied to all aspects of the ecosystem
- It seems to result in a manageable amount of mitigation mechanisms

4 Proposed Mitigations
Mitigations:
- Access to files and data shall be authorized
- Best practices for backend systems shall be followed (e.g. OWASP, ISO group)
- Confidential data shall be encrypted
- Cybersecurity best practices for software and hardware development shall be followed
- Cybersecurity best practices shall be followed for storing private keys
- Data protection best practices shall be followed for storing private and sensitive data. Data protection regulations of individual countries shall be adhered to.
- Data shall be (end-to-end) authenticated and integrity protected
- Internal messages shall contain a freshness value
- Internal/Diagnostic messages shall be authenticated and integrity protected
- Measures to detect intrusion are recommended
- Measures to detect unauthorized privileged access are recommended
- Measures to ensure the availability of data are recommended
- Organizations shall ensure the defined security procedures are followed
- Software and configuration shall be authenticated and integrity protected
- The certification policy for V2X communication shall be followed.
- V2X messages shall be Authenticated and Integrity protected
- V2X messages shall contain a freshness value
- V2X messages should be checked for plausibility

5 APPENDIX

6 Mitigation principles for sample (38) Threat examples (first pass)
Authentication / Integrity
- 3x V2X messages shall be authenticated and integrity protected.
- 5x Software shall be authenticated and integrity protected
- 1x Only authenticated and integrity protected configuration shall be used
- 1x Data shall be authenticated and integrity protected
- 1x Data shall be (end-to-end) authenticated and integrity protected.
- 1x Data exchanged between the backend and vehicle shall be authenticated and integrity protected
- 1x Internal messages shall be authenticated and integrity protected
- 1x Diagnostic messages shall be authenticated and integrity protected

Authorization
- 6x Access to files and data shall be authorized

Confidentiality
- 2x Confidential data shall be encrypted

Other
- 1x Internal messages shall contain a freshness value

Same? (Software)
Same? (Data)
Same? (Internal messages)

7 Mitigation principles for sample (38) Threat examples (consolidated)
Authentication / Integrity
- 3x V2X messages shall be authenticated and integrity protected.
- 6x Software and configuration shall be authenticated and integrity protected
- 3x Data shall be (end-to-end) authenticated and integrity protected.
- 2x Internal/Diagnostic messages shall be authenticated and integrity protected

Authorization
- 6x Access to files and data shall be authorized

Confidentiality
- 2x Confidential data shall be encrypted

Other
- 1x Internal messages shall contain a freshness value

8 Mitigation principles for sample (38) Threat examples (further review)
Best practices
- 10x Best practices for backend systems shall be followed (e.g. OWASP, ISO group)
- 2x Cybersecurity best practices shall be followed for storing private keys

Miscellaneous
- 2x Measures to ensure the availability of data are recommended
- Measures to detect unauthorized privileged access are recommended
- Measures to detect intrusion are recommended
- Organizations shall ensure the defined security procedures are followed

