Post on 30-Mar-2023
Study report
Security and privacy of the Internet of Things including security certifications aspects
Philippe Cousin (EGM)
WWRF#39 Castelldefels, October 19th, 2017
Study – Key learnings: Security and privacy of the Internet of Things including security certification aspects

Study methodology
• Survey from July 12th to October 5th, 2017
• Online questionnaire
• Direct interviews
• Representative panel of the IoT value chain according to activity, size and markets (103 exploitable answers)
[Charts: respondents by organization type, by organization size (1-100, 100-500, 500-5000 and more than 5000 employees) and by markets / domains]
Security and privacy risks for IoT
[Charts: IoT security perception and IoT privacy perception. Answer scale for both: Not really / It is a minor issue / It is a major issue, which can negatively impact the IoT market / It is a critical issue]
• Do you think that IoT security and privacy threats should be managed together? [Yes / No]
Security and privacy risks for IoT
• Do you think users / consumers have a good perception of IoT security and privacy risks? [Yes / No]
• Do you think businesses / service providers have a good perception of IoT security and privacy risks? [Yes / No]
• Do you think that IoT security risks will increase in the future? [Yes / No]
Need for action
• Do you think that more secure IoT products provide an added value in the market? [Yes / No]
• Do you think that actions should be taken to address IoT security and privacy risks? [Yes / No]
• Do you think that these actions should be taken by: [Government / Businesses / Both, in a public-private partnership]
Potential approaches
• Most suitable approaches to mitigate IoT security and privacy risks (answer options):
  - Best practices for secure development and deployment of IoT devices and systems
  - Efficient and effective security certification processes and tools
  - Post-deployment monitoring of IoT devices and systems
  - Increased awareness of users and consumers of the risks associated with security threats, thus mitigating the economics of the security issue
  - Processes and tools to provide a level of trust in the IoT device to users and other parties in the complex IoT system. A potential approach is based on the IoT…
• Considering that security certification can be a long and complex process using specific approaches like Common Criteria, do you think that a specific framework (more efficient and shorter in time) should be defined for IoT? [Yes / No]
Potential approaches
• Do you think that the current tools and processes for certification in IoT are adequate? [Yes / No / Partially / I do not know]
• Where do you think that security certification should improve for IoT products, services and systems? (answer options)
  - Formal methods for testing
  - Automated testing
  - Testing able to address…
  - White box testing, where also…
  - Better training of testing personnel
• Do you think that the security certification should be: (answer options)
  - Voluntary / self-certification
  - Based on third party testing
  - Based on a regulatory framework for specific application domains…
  - Based on a regulatory framework for all domains
• If certification or labelling would be supported or even imposed by EU regulation, would you: (answer options)
  - Develop your own competence and services (first party)
  - Look for external services
  - Be ready to use an external accredited laboratory (third…
Potential approaches
• Do you think that security certification of IoT is the final step to ensure security of IoT devices and systems? (answer options)
  - Yes, it would be enough
  - No, it is not enough, but I would not know what to do next
  - No, monitoring systems to detect anomalies in IoT deployments…
  - No, other solutions
• Do you think that the “label” concept would be useful to increase awareness of the different levels of trust or security robustness of IoT security products? (answer options)
  - No, it would not be useful
  - Yes, but it should be harmonized…
  - Yes, but it should be specific for…
  - Yes, but it should be easy to…
  - Other
• Do you think that security certification is still fragmented at European, global or domain level? (By fragmented, we mean that there are different certification processes, different sets …) [Yes / No]
• To which categories do you think that security certification should be applied? (answer options)
  - IoT devices (e.g., an IoT sensor in a smart home)
  - IoT services (e.g., a cloud service)
  - IoT system (e.g., a smart home)
  - I do not know
Potential approaches
• Do you think that the development of common and harmonized best practices for security and privacy in the development of IoT products … [Yes / No]
• If yes, do you think that the development of such best practices should be taken by: (answer options)
  - Standardization body
  - Working group composed of private and public stakeholders
  - Forum of leading companies in the IoT domain
• Considering that IoT security and privacy threats are growing every day, do you think that action should be taken to identify and maintain the status and awareness of such threats? And by whom? (answer options)
  - Government (e.g., an EU agency)
  - Public-private partnership
  - Forum of private companies
Challenges of IoT Security & Trust
• Business logic vulnerabilities
• Uncertainty of the expected behaviour of IoT systems
• Large-scale dimension, heterogeneity, compositionality and dynamic configuration of IoT systems
• Ensuring end-to-end security & privacy testing
Brussels – December 6th
Contribution for IoT Labelling and Certification
1. How to make the testing part of the labelling and certification process cheaper?
• Built on reusable, configurable security test patterns and automated test generation
• Easy to use by certification bodies, and extensible
• The certification scheme comes with the test patterns to be used
2. How to ensure the quality and reproducibility of the assessment?
• The security test patterns should be agreed by the certification authorities
• Test automation ensures the replicability of the results
3. How to deal with change?
• Use the automated tests for continuous monitoring and testing at run time, to keep the certificate alive
ARMOUR in a nutshell
• Duration: 24 months (from Feb 2016 to Jan 2018)
• EU funding: 2 million €
• Consortium: 8 partners including 5 SMEs, 1 university and 2 research centres
MBST Process
[Diagram: Security needs & requirements and Risk Analysis feed the Security Test Objectives and the Security Test Patterns; these drive the modeling for test generation in the MBT tool, which produces the security tests by automatic test generation. Functional tests (manual execution and scripts for automation) and the generated security tests are stored in a Test Repository (TTCN-3, Java…).]
MBST Approach in 5 steps
① Vulnerability analysis
② Extracting API & model inference
③ Security test pattern selection
④ MBT test generation based on ARMOUR test strategies; publication in TPLan (test description) and TTCN-3 test scripts
⑤ Test results & labelling analysis
AIOTI WS Sophia Antipolis, 12 September 2017
Follow the ETSI approach and ISO 31000
ETSI, “Methods for testing & specification; risk-based security assessment and testing methodologies,” 2015
• Database of general security threats in IoT (not included in ISO 31000)
• Compact threat list of oneM2M, simplified and adapted to also cover IoT devices
Identification of vulnerabilities
• Lack of Authentication: the endpoints should be legitimate.
• Replay attack: an intermediate entity can store a data packet and replay it at a later stage.
• Insecure cryptography: the cryptographic suite and key length must be strong enough to resist certain types of attack, such as dictionary or brute-force attacks.
• DoS attacks: several endpoints can access the server at the same time in order to collapse it.
• Lack of Integrity: received data must not be tampered with during transmission; if this cannot be guaranteed, any change must be detectable.
• Lack of Confidentiality: transmitted data can be read only by the communication endpoints.
• Lack of Authorization: endpoint services should be accessible only to endpoints that have the right to access them.
• Lack of Fault tolerance: exceptions should be controlled to avoid faults that affect the endpoints.
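The following is an added example written for this page, not ARMOUR's own tooling, showing steps ②–⑤ of the MBST approach on the threat catalogue above: an inferred API model, security test patterns for three catalogue entries (Lack of Authentication, Lack of Authorization, Replay attack), automatic generation of a test suite from the model, and execution against a stand-in device that yields pass/fail verdicts. The API model, the "viewer" role, the toy target and its plain-string tokens are constructed here; a real chain would emit TTCN-3 and drive an actual device.

```python
"""Pattern-driven security test generation for an IoT API (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    auth_required: bool
    allowed_role: Optional[str] = None  # role permitted to call it (assumed model attribute)


# Step 2 output, constructed: API model of a hypothetical gateway.
API_MODEL = [
    Endpoint("GET", "/status", auth_required=False),
    Endpoint("POST", "/actuator/valve", auth_required=True, allowed_role="operator"),
    Endpoint("GET", "/config", auth_required=True, allowed_role="admin"),
]
KNOWN_ROLES = {"operator", "admin", "viewer"}  # "viewer" is valid but unprivileged


@dataclass
class TestCase:
    threat: str         # catalogue entry (step 1) the pattern covers
    endpoint: Endpoint
    requests: list      # constructed requests, sent in order to a fresh target
    expected_last: int  # status a secure target must return to the last request


def _req(ep: Endpoint, token=None, nonce=None) -> dict:
    return {"method": ep.method, "path": ep.path, "token": token, "nonce": nonce}


# Step 3: security test patterns, each mapping a model element to test objectives.
def pattern_lack_of_authentication(ep: Endpoint) -> list:
    """A protected endpoint called without any credential must be refused (401)."""
    return [TestCase("Lack of Authentication", ep, [_req(ep)], 401)] if ep.auth_required else []


def pattern_lack_of_authorization(ep: Endpoint) -> list:
    """A valid but unprivileged credential must be refused (403)."""
    return [TestCase("Lack of Authorization", ep, [_req(ep, "viewer", "n1")], 403)] if ep.auth_required else []


def pattern_replay_attack(ep: Endpoint) -> list:
    """A captured legitimate request sent a second time must be refused (401)."""
    if not ep.auth_required:
        return []
    legit = _req(ep, ep.allowed_role, "n1")
    return [TestCase("Replay attack", ep, [legit, dict(legit)], 401)]


PATTERNS: list[Callable] = [pattern_lack_of_authentication, pattern_lack_of_authorization, pattern_replay_attack]


def generate_suite(model) -> list:
    """Step 4: apply every pattern to every model element."""
    return [tc for ep in model for pattern in PATTERNS for tc in pattern(ep)]


class ToyTarget:
    """Stand-in for the device under test; checks_nonce toggles replay protection."""

    def __init__(self, checks_nonce: bool):
        self.checks_nonce = checks_nonce
        self.seen_nonces = set()
        self.routes = {(e.method, e.path): e for e in API_MODEL}

    def handle(self, req: dict) -> int:
        ep = self.routes[(req["method"], req["path"])]
        if not ep.auth_required:
            return 200
        if req["token"] not in KNOWN_ROLES:
            return 401
        if self.checks_nonce:
            if req["nonce"] in self.seen_nonces:
                return 401  # replayed request detected
            self.seen_nonces.add(req["nonce"])
        if req["token"] != ep.allowed_role:
            return 403
        return 200


def run_suite(make_target: Callable[[], ToyTarget], suite: list) -> dict:
    """Step 5 input: run each test case on a fresh target (reproducibility) and record verdicts."""
    verdicts = {}
    for tc in suite:
        target, status = make_target(), None
        for r in tc.requests:
            status = target.handle(r)
        verdicts[(tc.threat, tc.endpoint.path)] = "pass" if status == tc.expected_last else "fail"
    return verdicts


def failed_threats(verdicts: dict) -> list:
    """Catalogue threats with at least one failing test: the input to the risk assessment."""
    return sorted({threat for (threat, _), v in verdicts.items() if v == "fail"})


if __name__ == "__main__":
    suite = generate_suite(API_MODEL)
    for name, protected in (("no replay protection", False), ("with replay protection", True)):
        print(name, "->", failed_threats(run_suite(lambda: ToyTarget(protected), suite)) or "all tests pass")
```

Each test case runs against a fresh target instance so that the nonce state of one test cannot influence another; this is the test-isolation property behind "test automation ensures the replicability of the results".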
Analysing the environment
• Includes understanding the business and regulatory environment, analysing which security level is required in each of them, and planning the testing (objective, scope).
• Determine which level of security is needed in a specific domain by defining several profiles that indicate which level of security must be achieved by the TOE, in the context considered, to obtain each profile.
Example: the TOE needs a low risk of replay attack if it wants to fulfil the A profile.
Security risk assessment
• Risk identification phase: the CWSS metrics can be obtained
  - from testing,
  - by default, taking into account the vulnerability,
  - by default if they are not applicable to IoT or to our certification procedure (e.g. finding confidence, since the scenario is evaluated before being attacked).
• Risk estimation phase: we calculate the score for each vulnerability by means of the CWSS formula
  S = BF × AS × ES
  where BF is the Base Finding subscore, AS the Attack Surface subscore and ES the Environmental subscore.
Security risk assessment – Risk evaluation
• We associate CWSS (Common Weakness Scoring System) score intervals with risk levels (low, medium, high and critical) to compare with the profiles.
• We always choose the highest profile fulfilled by each vulnerability.

CWSS score   Risk level
0-30         Low
31-62        Medium
63-84        High
85-100       Critical
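The risk estimation and evaluation steps above, as an added example written for this page rather than ARMOUR's tooling. It takes the three CWSS 1.0.1 subscores as inputs (Base Finding BF in 0-100, Attack Surface AS and Environmental ES each in 0-1), combines them as S = BF × AS × ES, maps S to the risk bands of the table, and picks the highest profile each vulnerability fulfils. The profile requirements are hypothetical except "A needs a low replay risk", the default subscores and the findings are constructed, and the rule that the scenario label is the weakest per-vulnerability profile is an assumption.

```python
"""CWSS-based risk estimation and profile labelling (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Upper bound of each band from the risk evaluation table.
RISK_BANDS = [(30, "low"), (62, "medium"), (84, "high"), (100, "critical")]
LEVELS = ["low", "medium", "high", "critical"]

# Strictest risk level each profile tolerates per threat (hypothetical except A/replay);
# a threat absent from a profile puts no requirement on it.
PROFILES = {
    "A": {"Replay attack": "low", "Lack of Authentication": "low", "Insecure cryptography": "low"},
    "B": {"Replay attack": "medium", "Lack of Authentication": "low", "Insecure cryptography": "medium"},
    "C": {"Replay attack": "high", "Lack of Authentication": "medium", "Insecure cryptography": "high"},
    "D": {},
}

# Default subscores used when a metric is not measured or not applicable (assumed values).
DEFAULT_AS = 1.0
DEFAULT_ES = 0.5


@dataclass
class Finding:
    threat: str
    base_finding: float                    # BF, from testing or by default for the vulnerability
    attack_surface: Optional[float] = None  # AS, None -> default
    environmental: Optional[float] = None   # ES, None -> default


def cwss_score(f: Finding) -> float:
    """S = BF * AS * ES, with range checks on the subscores."""
    bf = f.base_finding
    as_ = DEFAULT_AS if f.attack_surface is None else f.attack_surface
    es = DEFAULT_ES if f.environmental is None else f.environmental
    if not (0 <= bf <= 100 and 0 <= as_ <= 1 and 0 <= es <= 1):
        raise ValueError(f"subscore out of range for {f.threat}")
    return round(bf * as_ * es, 1)


def risk_level(score: float) -> str:
    for upper, level in RISK_BANDS:
        if score <= upper:
            return level
    raise ValueError("CWSS score above 100")


def meets(level: str, required: str) -> bool:
    return LEVELS.index(level) <= LEVELS.index(required)


def highest_profile(threat: str, level: str) -> str:
    """Highest profile (A is best) whose requirement on this threat is met."""
    for name in "ABCD":
        req = PROFILES[name].get(threat)
        if req is None or meets(level, req):
            return name
    return "D"


def label(findings: list) -> dict:
    per_threat = {}
    for f in findings:
        s = cwss_score(f)
        lvl = risk_level(s)
        per_threat[f.threat] = {"score": s, "risk": lvl, "profile": highest_profile(f.threat, lvl)}
    # Assumption: the scenario cannot claim more than its weakest finding supports.
    scenario = max((v["profile"] for v in per_threat.values()), default="A")
    return {"threats": per_threat, "scenario_profile": scenario}


# Constructed findings for one tested scenario.
SAMPLE = [
    Finding("Replay attack", base_finding=60, attack_surface=0.8, environmental=0.5),
    Finding("Lack of Authentication", base_finding=90, attack_surface=1.0, environmental=0.6),
    Finding("Insecure cryptography", base_finding=80, attack_surface=0.9, environmental=0.9),
    Finding("DoS attacks", base_finding=40),  # AS and ES taken by default
]

if __name__ == "__main__":
    result = label(SAMPLE)
    for threat, v in result["threats"].items():
        print(f"{threat:24s} S={v['score']:5.1f} {v['risk']:8s} profile {v['profile']}")
    print("scenario profile:", result["scenario_profile"])
```

A finding with a low replay score fulfils profile A, while a medium authentication score only reaches C under these requirements; because the label follows the weakest finding, the whole scenario is labelled C.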
Certification – Labelling
• As an output of the general certification process, we obtain a label associated with the risk of the scenario tested.
• Three main aspects are considered for inclusion in the label, following the Common Criteria approach (TOE, Protection Profiles, EALs):
  - TOE, which also includes the protocol tested and the context where it has been tested (industry, health, etc.)
  - Profiles (level of protection): A, B, C, D
  - Certification execution
Certification – Labelling
• Visual labelling following the recommendations of ENISA and ECSO. The result of the evaluation needs to be communicated appropriately to the user.
• Multidimensional, like security itself.
• To allow a fast labelling update, we propose the use of a QR code.
Post-certification monitoring
Feedback from experts and references has shown that post-certification monitoring, or dynamic certification, can be used to complement static security certification: it addresses unknown security certification gaps and other unknowns such as zero-day attacks.
The coming ARMOUR report (D4.4) will describe post-certification monitoring as part of the overall analysis of IoT lifecycle certification.
Conclusion: On the way to MBST for IoT Systems Labelling & Certification
• Security is the number one challenge in the IoT domain
• Model-Based Security Testing as a core technology to ensure a trustable labelling scheme
• Collaborations & contributions: AIOTI, IERC, oneM2M
• Towards a Trust Label process supported by (large-scale) IoT enhanced security test-beds