Post on 26-Aug-2020

Page 1: The Legislative Roadmap & Impact on IoT Security · 3 Security Legislation Now Europe GDPR –In effect with fines of €20M or 4% global revenue UK Government (DCMS) –Legislated


The Legislative Roadmap & Impact on IoT Security

Haydn Povey – Founder & CEO, [email protected]

Founding Member

Page 2

Security Requirements Shifting

Security is now the leading barrier for IoT adoption*

Over 70% of enterprise customers would purchase more IoT devices if security were addressed*

Less than 4% of new IoT devices include sufficient security**

Massive lack of cybersecurity skills across industry

Applications need to remain secure across entire lifecycle to comply with new legislation

* Bain & Co., “Cybersecurity Is the Key to Unlocking Demand in the Internet of Things” (2018)

** ABI Research 2018

1 trillion IoT connections 2017 - 2035

$5+ trillion global GDP impact

>2 zettabytes of data just from consumer devices

Page 3

Security Legislation Now

Europe

– GDPR – In effect with fines of €20M or 4% global revenue

– UK Government (DCMS) – Legislated enforcement within 3 years with GDPR-type fines

– ETSI – Reiterating UK DCMS guidelines

– EU (ENISA) – >150 baseline recommendations

North America

– California – Passed IoT security law, effective from January 1, 2020

– USA – NIST evolving cybersecurity act

Asia

– Singapore – Government publicly outlined its approach to IoT security (2018)

– Japan – Rules created by industrial, academic and government stakeholders

– Korea – Certification by the Ministry of Science and ICT and the Internet & Security Agency

– China – Official standards released by a government-sponsored working group

Page 4

GDPR Legislation Is Applicable to IoT

Privacy Legislation

IoT is subject to GDPR legislation

Minimum fine €10M or 2% of annual turnover – whichever is the larger

Deliberate actions fine €20M or 4% of annual turnover – whichever is the larger

EU-centric law driving global design criteria

Loss of consumer data can no longer be tolerated. There is a legal demand to ensure all consumer data is encrypted whether static (at rest), in flight (in transit) or in use, and managed in a highly constrained manner by all devices.

Page 5

First ever EU Rapid Alert issued for a dangerous product related to data protection & privacy

“The mobile application accompanying the watch has unencrypted communications … and the server enables unauthenticated access to data … A malicious user can … locate the child through GPS.”

European Commission, 7 Feb 2019

How many organizations could withstand a total recall of fixed function products?

Driving Existential Threats

https://www.theregister.co.uk/2019/02/04/european_commission_security_risks_kids_smartwatch/

Page 6

Evolving Legislation

Legislation is being driven by the industry's lack of ability to self-regulate with best practice. Hence legislation offers a “least bad” solution.

Current guidance is in the form of Best Practice

– Legislation to give Best Practice “teeth” will follow

– Many retailers and industry stakeholders are pushing for stronger legal frameworks

– Punishments in line with GDPR regulations are expected in the 2021+ timeframe

Guiding Principles for Legislation

– Reducing burden on consumers and supply chain by standardizing expectations

– Transparency to enable informed choices

– Measurability to enable comparison and judgement

– Facilitating dialogue and sharing ideas

– Resilience in design to limit damage and exposure when systems are compromised

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf

Page 7

Secure by Design

1) No default passwords

2) Implement a vulnerability disclosure policy

3) Keep software updated

4) Securely store credentials and security-sensitive data

5) Communicate securely

6) Minimise exposed attack surfaces

7) Ensure software integrity

8) Ensure that personal data is protected

9) Make systems resilient to outages

10) Monitor system telemetry data

11) Make it easy for consumers to delete personal data

12) Make installation and maintenance of devices easy

13) Validate input data

Page 8

Secure by Design

1) No default passwords ✓

2) Implement a vulnerability disclosure policy

3) Keep software updated ✓

4) Securely store credentials and security-sensitive data ✓

5) Communicate securely ✓

6) Minimise exposed attack surfaces ✓

7) Ensure software integrity ✓

8) Ensure that personal data is protected ✓

9) Make systems resilient to outages ✓

10) Monitor system telemetry data

11) Make it easy for consumers to delete personal data ✓

12) Make installation and maintenance of devices easy ✓

13) Validate input data ✓

The right tools simplify Secure by Design

Embedded Trust

C-Trust for IAR Embedded Workbench

IAR Embedded Workbench

Page 9

1) No Default Passwords

Whilst much work has been done to eliminate reliance on passwords and to provide alternative methods of authenticating users and systems, some IoT products are still being brought to market with default usernames and passwords, from user interfaces through to network protocols. This is not an acceptable practice and it should be discontinued.

All IoT device passwords must be unique and not resettable to any universal factory default value.

Ensure that default passwords and even default usernames are changed during the initial setup, and that weak, null or blank passwords are not allowed.

Ensure password recovery or reset mechanism is robust and does not supply an attacker with information indicating a valid account.

Protect against ‘brute force’ and/or other abusive login attempts.

Password/Username information shall be salted, hashed and/or encrypted.

Large scale PKI (Public Key Infrastructure) is a far more scalable & secure solution
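The credential rules on this slide (unique, non-default usernames and passwords; blank or weak values refused; salted and stretched storage; lockout against brute-force attempts; a reset path that does not reveal whether an account exists; one generic failure response) as an added Go example. This is not code from the presentation or from any product it mentions: the policy constants, the banned-default list, the `CredentialStore` API and the usernames are constructed assumptions, and the PBKDF2 derivation is written out with the standard library's `crypto/hmac` so the block runs without third-party packages.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy values are constructed for this example, not taken from the slides.
const (
	pbkdf2Iterations = 30_000 // stretching work factor; tune to the device's CPU budget
	minPasswordLen   = 12
	maxFailures      = 5 // consecutive failures before the account is locked
	lockoutPeriod    = 15 * time.Minute
)

// Constructed list of universal defaults that must never be accepted as a username or password.
var bannedDefaults = map[string]bool{"admin": true, "password": true, "12345678": true, "default": true, "root": true}

var (
	ErrWeakPassword = errors.New("password rejected: blank, too short or a known default")
	ErrBadUsername  = errors.New("username rejected: blank or a known default")
	errAuthFailed   = errors.New("authentication failed") // one message for every failure cause
)

// pbkdf2Sha256 derives a single 32-byte PBKDF2-HMAC-SHA256 block (RFC 8018, block index 1).
func pbkdf2Sha256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

type credential struct {
	salt, hash []byte
	failures   int
	lockedTo   time.Time
}

// CredentialStore keeps only salted hashes; now is injectable so lockout expiry can be tested.
type CredentialStore struct {
	users map[string]*credential
	now   func() time.Time
}

func NewCredentialStore() *CredentialStore {
	return &CredentialStore{users: map[string]*credential{}, now: time.Now}
}

// PasswordAcceptable rejects blank, short and known-default passwords.
func PasswordAcceptable(pw string) bool {
	return len(pw) >= minPasswordLen && !bannedDefaults[strings.ToLower(pw)]
}

// SetPassword stores a fresh random salt and the stretched hash; the password itself is never kept.
func (s *CredentialStore) SetPassword(user, pw string) error {
	if user == "" || bannedDefaults[strings.ToLower(user)] {
		return ErrBadUsername
	}
	if !PasswordAcceptable(pw) {
		return ErrWeakPassword
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.users[user] = &credential{salt: salt, hash: pbkdf2Sha256([]byte(pw), salt, pbkdf2Iterations)}
	return nil
}

var dummySalt = make([]byte, 16) // unknown users cost the same time as real ones

// Authenticate returns one generic error for unknown user, wrong password and locked account,
// and locks the account after maxFailures consecutive failures.
func (s *CredentialStore) Authenticate(user, pw string) error {
	c, ok := s.users[user]
	if !ok {
		pbkdf2Sha256([]byte(pw), dummySalt, pbkdf2Iterations)
		return errAuthFailed
	}
	now := s.now()
	if now.Before(c.lockedTo) {
		return errAuthFailed
	}
	if subtle.ConstantTimeCompare(pbkdf2Sha256([]byte(pw), c.salt, pbkdf2Iterations), c.hash) != 1 {
		c.failures++
		if c.failures >= maxFailures {
			c.lockedTo, c.failures = now.Add(lockoutPeriod), 0
		}
		return errAuthFailed
	}
	c.failures = 0
	return nil
}

// ResetResponse is the reply to a password-reset request. It is identical whether or not the
// account exists, so the reset path cannot be used to confirm valid usernames.
func (s *CredentialStore) ResetResponse(user string) string {
	_ = s.users[user] // lookup result deliberately not reflected in the reply
	return "If an account with that name exists, reset instructions have been sent to its registered contact."
}

func main() {
	s := NewCredentialStore()
	if err := s.SetPassword("operator", "correct-horse-battery-staple"); err != nil {
		panic(err)
	}
	fmt.Println("wrong password:", s.Authenticate("operator", "guess-guess-guess"))
	fmt.Println("unknown user:  ", s.Authenticate("nobody", "guess-guess-guess"))
	fmt.Println("right password:", s.Authenticate("operator", "correct-horse-battery-staple"))
}
```

The two calls printed by `main` return the same error text for an unknown user and for a wrong password, which is the point of the slide's reset and login guidance: neither path should tell a caller whether a username is valid. The lockout counter is per account and resets on success; a deployment would also want the counter to survive a reboot so that power-cycling the device does not clear it.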

Page 10

MCU Public Key Certificate

To communicate securely with the device we require the public certificate

The certificate holds the Public Key (Kpub) of the MCU

The certificate authenticates the Public Key of the MCU through the signature

The Certificate has been issued by a Certificate Authority (CA) which forms part of the Chain of Trust

[Diagram: the Certificate Authority's private key (KPri) signs the MCU Certificate. The certificate carries the MCU Name, the MCU's KPub, the Certificate Authority's Name and the Signature; the CA's public key is used to verify it.]

Page 11

Example Certificate Chain of Trust

Root Certificate (CA)

– Root Name

– Root KPub

– Issuer Name (same as Root Name)

– Issuer Sig (root)

– Root's KPri used to self-sign (i.e. Root Cert); Root's KPri also signs the Intermediate Cert

Intermediate OEM Certificate

– OEM Name

– OEM KPub

– Issuer Name (references issuer: Root)

– Issuer Sig

– Intermediate KPri signs the Prod Cert

Product OEM Certificate

– OEM Prod Name

– Prod KPub

– Issuer Name (references issuer: Intermediate OEM)

– Issuer Sig

– Signature verified by Issuer KPub

Product MCU

– OEM Prod KPri securely stored in MCU (Authentication)

– OEM Prod Certificate stored in MCU (Authentication)
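The MCU certificate of the previous slide and the three-tier chain of this one, as an added Go example (not code from the presentation or from the tools it mentions): a self-signed root, an intermediate OEM CA signed with the root's KPri, and a product certificate signed with the intermediate's KPri, verified back to the root with the standard `crypto/x509` package. The device then proves possession of Prod KPri by signing a verifier's nonce, which the verifier checks with the Prod KPub taken from the certificate. The subject names, the P-256 key type and the validity periods are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed subject names for the three tiers on the slide (assumptions, not a real PKI).
var (
	rootName = pkix.Name{CommonName: "Example Root CA"}
	oemName  = pkix.Name{CommonName: "Example OEM Intermediate CA"}
	prodName = pkix.Name{CommonName: "Example Product MCU, serial 0001"}
)

// issue creates a certificate for subjectKey's KPub, signed with issuerKey (the issuer's KPri).
// With issuerCert == nil the certificate is self-signed, which is the root case.
func issue(subject pkix.Name, subjectKey *ecdsa.PrivateKey, isCA bool, issuerCert *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed short validity
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent := tmpl
	if issuerCert != nil {
		parent = issuerCert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Chain is the slide's root / intermediate OEM / product trio plus the product's private key,
// which on a real device would live in protected MCU storage rather than in process memory.
type Chain struct {
	Root, Intermediate, Product *x509.Certificate
	ProductKey                  *ecdsa.PrivateKey
}

// BuildChain generates three P-256 key pairs and issues the certificates top-down.
func BuildChain() (*Chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	root, err := issue(rootName, keys[0], true, nil, keys[0]) // Root's KPri self-signs
	if err != nil {
		return nil, err
	}
	oem, err := issue(oemName, keys[1], true, root, keys[0]) // Root's KPri signs the Interm Cert
	if err != nil {
		return nil, err
	}
	prod, err := issue(prodName, keys[2], false, oem, keys[1]) // Intermediate KPri signs the Prod Cert
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: oem, Product: prod, ProductKey: keys[2]}, nil
}

// VerifyProduct checks each signature with its issuer's KPub up to the trusted root.
func VerifyProduct(prod, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := prod.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// SignChallenge is the device side of authentication: sign the verifier's nonce with Prod KPri.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyChallenge checks the signature with the Prod KPub from the (already verified) certificate.
func VerifyChallenge(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("product chains to root:", VerifyProduct(c.Product, c.Intermediate, c.Root) == nil)
	nonce := []byte("constructed challenge 0001")
	sig, _ := SignChallenge(c.ProductKey, nonce)
	fmt.Println("device proves possession of Prod KPri:", VerifyChallenge(c.Product, nonce, sig))
}
```

The verifier trusts only the root it already holds; a product certificate from a different root, or one presented without the intermediate that links it to the root, fails `VerifyProduct` even though its own signature is well formed. The challenge must be fresh per session, otherwise a recorded signature could be replayed; the verifier chooses the nonce for exactly that reason.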

Page 12

Simplified Tools for Chain of Trust

Page 13

Enabling Security Best Practices

IoT Security Foundation www.iotsecurityfoundation.org – Initially UK-centric, now the global forum for IoT Security

Working Groups

– Self Certification – Enabling OEMs to rapidly certify products

– Trustmark – Effective communication of trust & confidence

– Compliance Validation & Test – Ensuring devices meet formal test

– Update & Patching Best Practice – Delivering updates to constrained devices

– Vulnerability Disclosure – Best practices to identify and manage exploits

– Connected Consumer Products – Evolving consumer devices

– Smart Buildings – Evolving building requirements

Over 100 members and growing…

Page 14

Delivering IoT Security Compliance

Page 15

The Legislative Roadmap & Impact on IoT Security

Haydn Povey – Founder & CEO, [email protected]

Founding Member