The Legislative Roadmap & Impact on IoT Security
Haydn Povey – Founder & [email protected]
Founding Member
Security Requirements Shifting
Security is now the leading barrier for IoT adoption*
Over 70% of enterprise customers would purchase more IoT devices if security were addressed*
Less than 4% of new IoT devices include sufficient security**
Massive lack of cybersecurity skills across industry
Applications need to remain secure across entire lifecycle to comply with new legislation
*Bain & Co. “Cybersecurity Is the Key to Unlocking Demand in the Internet of Things” (2018)
**ABI Research 2018
1 trillion IoT connections 2017-2035
$5+ trillion global GDP impact
>2 zettabytes of data just from consumer devices
Security Legislation Now
Europe
GDPR – In effect with fines of €20M or 4% of global revenue
UK Government (DCMS) – Legislated enforcement within 3 years with GDPR-type fines
ETSI – Reiterating UK DCMS guidelines
EU (ENISA) – >150 baseline recommendations
North America
California – Passed IoT security law, effective from January 1, 2020
USA – NIST evolving cybersecurity act
Asia
Singapore – Government publicly outlined its approach to IoT security (2018)
Japan – Rules created jointly by industry, academia and government
Korea – The Ministry of Science and ICT and the Internet & Security Agency certification
China – Official standards released by a government-sponsored working group
GDPR Legislation Is Applicable to IoT
Privacy Legislation
IoT is subject to GDPR legislation
Minimum fine €10M or 2% of annual turnover – whichever is the larger
Deliberate actions fine €20M or 4% of annual turnover – whichever is the larger
EU-centric law driving global design criteria
Loss of consumer data can no longer be tolerated. There is a legal demand to ensure all consumer data is encrypted whether static, in flight or in action, and managed in a highly constrained manner by all devices.
First ever EU Rapid Alert issued for a dangerous product related to data protection & privacy
“The mobile application accompanying the watch has unencrypted communications … and the server enables unauthenticated access to data … A malicious user can … locate the child through GPS.”
European Commission, 7 Feb 2019
How many organizations could withstand a total recall of fixed function products?
Driving Existential Threats
https://www.theregister.co.uk/2019/02/04/european_commission_security_risks_kids_smartwatch/
Evolving Legislation
Legislation is being driven by the industry's lack of ability to self-regulate with best practice. Hence legislation offers a “least bad” solution.
Current guidance is in the form of Best Practice – legislation to give Best Practice “teeth” will follow
– Many retailers and industry stakeholders are pushing for stronger legal frameworks
– Punishments in line with GDPR regulations are expected in the 2021+ timeframe
Guiding Principles for Legislation
– Reducing the burden on consumers and the supply chain by standardizing expectations
– Transparency to enable informed choices
– Measurability to enable comparison and judgement
– Facilitating dialogue and sharing ideas
– Resilience in design to limit damage and exposure when systems are compromised
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf
Secure by Design
1) No default passwords
2) Implement a vulnerability disclosure policy
3) Keep software updated
4) Securely store credentials and security-sensitive data
5) Communicate securely
6) Minimise exposed attack surfaces
7) Ensure software integrity
8) Ensure that personal data is protected
9) Make systems resilient to outages
10) Monitor system telemetry data
11) Make it easy for consumers to delete personal data
12) Make installation and maintenance of devices easy
13) Validate input data
Secure by Design
1) No default passwords ✓
2) Implement a vulnerability disclosure policy
3) Keep software updated ✓
4) Securely store credentials and security-sensitive data ✓
5) Communicate securely ✓
6) Minimise exposed attack surfaces ✓
7) Ensure software integrity ✓
8) Ensure that personal data is protected ✓
9) Make systems resilient to outages ✓
10) Monitor system telemetry data
11) Make it easy for consumers to delete personal data ✓
12) Make installation and maintenance of devices easy ✓
13) Validate input data ✓
The right tools simplify Secure by Design
Embedded Trust
C-Trust for IAR Embedded Workbench
IAR Embedded Workbench
1) No Default Passwords
Whilst much work has been done to eliminate reliance on passwords and to provide alternative methods of authenticating users and systems, some IoT products are still being brought to market with default usernames and passwords, from user interfaces through to network protocols. This is not an acceptable practice and it should be discontinued.
All IoT device passwords must be unique and not resettable to any universal factory default value.
Ensure that default passwords and even default usernames are changed during the initial setup, and that weak, null or blank passwords are not allowed.
Ensure password recovery or reset mechanism is robust and does not supply an attacker with information indicating a valid account.
Protect against ‘brute force’ and/or other abusive login attempts.
Password/Username information shall be salted, hashed and/or encrypted.
Large scale PKI (Public Key Infrastructure) is a far more scalable & secure solution
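The points on this slide (no blank or default password, salted hashing, brute-force protection, a reset/login path that does not reveal valid accounts) can be shown end to end in a small credential store. The Go program below is an added example written for this transcript, not code from the presenter or from any product named on the slides. It implements PBKDF2-HMAC-SHA256 inline from the standard library, and the denylist of factory-style defaults, the iteration count, the minimum length and the lockout threshold are constructed illustrative values that a real device would tune to its own CPU budget and policy.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"sync"
)

const (
	saltLen     = 16
	iterations  = 10000 // deliberately low for the demo; production uses far higher counts
	keyLen      = 32
	minPassword = 8
	maxFailures = 5
)

var (
	// ErrDenied is returned for an unknown user, a wrong password and a locked
	// account alike, so the reply never reveals whether an account name is valid.
	ErrDenied       = errors.New("login denied")
	ErrWeakPassword = errors.New("password rejected: blank, too short or a known default")
	// knownDefaults is a constructed, illustrative denylist of universal defaults.
	knownDefaults = map[string]bool{"admin": true, "password": true, "12345678": true}
	dummySalt     = make([]byte, saltLen) // equalises work for unknown users
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2) written out here so
// the block depends on nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, n int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	var ctr [4]byte
	for block := uint32(1); len(out) < n; block++ {
		binary.BigEndian.PutUint32(ctr[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, Uj-1)
			for k := range t {
				t[k] ^= u[k] // T ^= Uj
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

type account struct {
	salt, hash []byte
	failures   int
}

// Store keeps only salted hashes, never plaintext (a real device would keep
// them in protected storage rather than a map).
type Store struct {
	mu       sync.Mutex
	accounts map[string]*account
}

func NewStore() *Store { return &Store{accounts: map[string]*account{}} }

// SetPassword enforces the slide's policy: no blank, weak or universal default
// password, and a fresh random salt per account.
func (s *Store) SetPassword(user, pw string) error {
	if len(pw) < minPassword || knownDefaults[strings.ToLower(pw)] {
		return ErrWeakPassword
	}
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.accounts[user] = &account{salt: salt, hash: pbkdf2SHA256([]byte(pw), salt, iterations, keyLen)}
	return nil
}

// Login compares in constant time, counts failures per account and refuses
// further attempts once maxFailures is reached (brute-force protection). The
// hash is computed even for locked or unknown accounts so timing stays uniform.
func (s *Store) Login(user, pw string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	a, ok := s.accounts[user]
	if !ok {
		pbkdf2SHA256([]byte(pw), dummySalt, iterations, keyLen)
		return ErrDenied
	}
	candidate := pbkdf2SHA256([]byte(pw), a.salt, iterations, keyLen)
	if a.failures >= maxFailures || subtle.ConstantTimeCompare(candidate, a.hash) != 1 {
		a.failures++
		return ErrDenied
	}
	a.failures = 0
	return nil
}

func main() {
	s := NewStore()
	fmt.Println("default rejected:", s.SetPassword("admin", "admin") == ErrWeakPassword)
	fmt.Println("set:", s.SetPassword("admin", "constructed-strong-passphrase"))
	fmt.Println("good login:", s.Login("admin", "constructed-strong-passphrase"))
	fmt.Println("unknown user:", s.Login("nobody", "guess"))
}
```

The single ErrDenied value is the detail that matters for the "does not supply an attacker with information indicating a valid account" bullet: the caller cannot tell an unknown user from a wrong password or a locked account, and the dummy derivation keeps the response time the same in all three cases.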
MCU Public Key Certificate
To communicate securely with the device we require the public certificate
The certificate holds the Public Key (Kpub) of the MCU
The certificate authenticates the Public Key of the MCU through the signature
The Certificate has been issued by a Certificate Authority (CA) which forms part of the Chain of Trust
[Figure: the Certificate Authority's private key (KPri) signs the MCU Certificate; the certificate contains the MCU Name, the MCU's KPub, the Certificate Authority's Name and the Signature. The CA's key is the private side, the MCU's KPub is the public side.]
Example Certificate Chain of Trust
Root Certificate (CA): Root Name, KPub, Issuer Name (same as Root Name), Issuer Sig (root). The Root's KPri is used to self-sign (i.e. the Root Cert) and also signs the Intermediate Cert.
Intermediate OEM Certificate: OEM Name, KPub, Issuer Name (references the Root as issuer), Issuer Sig. The Intermediate KPri signs the Prod Cert.
Product OEM Certificate: OEM Prod Name, Prod KPub, Issuer Name (references the Intermediate as issuer), Issuer Sig. Signature verified by the Issuer's KPub.
Product MCU: OEM Prod KPri securely stored in MCU (Authentication); OEM Prod Certificate stored in MCU (Authentication).
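The two certificate slides can be reproduced as a runnable three-level chain. The Go program below is an added example for this transcript, not code from the presenter or from any tool vendor named on the slides: it uses the standard crypto/x509 package in place of whatever PKI tooling an OEM would actually use. The certificate names, serial numbers, validity window and the P-256 curve are constructed for the demo, and the nonce-signing step in ProveIdentity is one common way to use the Prod KPri held in the MCU for authentication, assumed here rather than taken from the slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the slide's three certificates plus the product private key that
// the slide describes as "securely stored in MCU". All names are constructed.
type Chain struct {
	Root, Intermediate, Product *x509.Certificate
	ProductKey                  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template is a minimal certificate body; CA certificates get the CA flag and
// the certificate-signing key usage, the product certificate only signs data.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl (which carries pub) with issuerKey; parent == nil self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain mirrors the slide: the Root's KPri self-signs the Root Cert and signs
// the Intermediate Cert; the Intermediate KPri signs the Prod Cert.
func BuildChain() Chain {
	rootKey, oemKey, prodKey := newKey(), newKey(), newKey()
	root := issue(template("Example Root CA", 1, true), nil, &rootKey.PublicKey, rootKey)
	oem := issue(template("Example OEM Intermediate", 2, true), root, &oemKey.PublicKey, rootKey)
	prod := issue(template("Example OEM Product 0001", 3, false), oem, &prodKey.PublicKey, oemKey)
	return Chain{Root: root, Intermediate: oem, Product: prod, ProductKey: prodKey}
}

// VerifyProduct is the relying party's check: each Issuer Sig is verified with
// the issuer's KPub back to a root the verifier already trusts.
func VerifyProduct(product, intermediate, trustedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	_, err := product.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // device identity, not TLS server auth
	})
	return err
}

// ProveIdentity (assumed protocol, not the slide's): the MCU signs a server-chosen
// nonce with Prod KPri; the server checks it with the Prod KPub from the verified cert.
func ProveIdentity(c Chain, nonce []byte) bool {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, c.ProductKey, digest[:])
	if err != nil {
		return false
	}
	pub, ok := c.Product.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	genuine, other := BuildChain(), BuildChain() // "other" is self-consistent but under a different root
	fmt.Println("genuine chains to trusted root:", VerifyProduct(genuine.Product, genuine.Intermediate, genuine.Root) == nil)
	fmt.Println("nonce signature verifies:", ProveIdentity(genuine, []byte("constructed-nonce")))
	fmt.Println("foreign chain accepted:", VerifyProduct(other.Product, other.Intermediate, genuine.Root) == nil)
}
```

The last line of main is the point of the chain: a product certificate that is internally consistent but whose intermediate was signed by a root the verifier does not trust is rejected, so possession of a well-formed certificate alone proves nothing; only the path of Issuer Sigs back to the trusted Root CA does.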
Simplified Tools for Chain of Trust
Enabling Security Best Practices
IoT Security Foundation www.iotsecurityfoundation.org – Initially UK-centric, now the global forum for IoT Security
Working Groups
– Self Certification – Enabling OEMs to rapidly certify products
– Trustmark – Effective communication of trust & confidence
– Compliance Validation & Test – Ensuring devices meet formal test
– Update & Patching Best Practice – Delivering updates to constrained devices
– Vulnerability Disclosure – Best practices to identify and manage exploits
– Connected Consumer Products – Evolving consumer devices
– Smart Buildings – Evolving building requirements
Over 100 members and growing…
Delivering IoT Security Compliance