Study report

Security and privacy of the Internet of Things including security certifications aspects

Philippe Cousin (EGM)

WWRF#39 Castelldefels, October 19th, 2017

Study – Key learningsSecurity and privacy of the Internet of Things including security certification aspects

• Survey from July 12th to October5th, 2017• Online questionnaire• Direct interviews

• Representative panel of the IoTvalue chain according to activity, size and markets (103 exploitable answers)

Study methodology

Organization type

1-100

employees

100-500

employees

500-5000

employees

Greater than

5000

employees

Organization size

Markets / Domains

IoT securityperception IoT privacyperception

Security and privacy risks for IoT

Not really

It is a minor issue

It is a major issue, which can

negatively impact the IoT market

It is a critical issue.

Not really

It is a minor issue

It is a major issue, which can

negatively impact the IoT market

It is a critical issue.

Do you think that IoT security and privacy threats should be managed together ?

Yes No

Do you think Users / consumershave a good perception of IoT

securityand privacy risks

Do you think Businesses/services providers have a good perception of IoT security and privacy risks

Security and privacy risks for IoT

Yes No Yes No

Yes No

Do you think that IoT security risks will increase in the future ?

Yes No

Do you think that more secure IoT products provide an added

value in the market ?

Need for action

Yes No

Do you think that actions should be taken to address IoT security and

privacy risks?

Do you think that these action actions should be taken by:

Government Businesses Both in a public private partnerships

Potential approaches

Best practices for secure

development and deployment of

IoT devices and systems

Efficient and effective security

certification processes and tools

Post deployment monitoring of IoT

devices and systems

Increased awareness to users and

consumers on the risk associated

to security threats thus mitigating

the economics of security issue

Processes and tools to provide a

level of trust of the IoT device to

users and other parties in the

complex IoT system. A potential

approach is based on the IoT…

Most suitables approaches to mitigate IoT security and privacy risks

Considering the security certification can be a long a complex processes

using specific approaches like Common Criteria, do you think that

specific framework (more efficient and shorter in time) should be defined for

IoT :

Yes No

Potential approaches

Do you think that the current tools and processes for certification in IoT are

adequate:

Yes No Partially I do not know

Formal methods for testing

Automated testing

Testing able to address…

White box testing, where also…

Better training of testing personnel

Where do you think that security certification should improve for IoT products, services and systems:

Voluntary/Self certif ication

Based on third party testing

Based on a regulatory framework

for specific domains application…

Based on a regulatory framework

for all domains.

Do you think that the security certification should be:

Develop your own competence

and services (first party)

Look for external services

Ready to use external

accredited laboratory (third…

If certification or labelling would be supported or even imposed by EU

regulation would you

Potential approaches

Yes. It would be enough

No. It is not enough but I would not

know what to do next.

No. Monitoring systems to detect

anomalies in IoT deployments…

No. Other solutions

Do you think that security certification of IoT is the final step to ensure

security of IoT devices and systems ?

No. It would not be useful

Yes, but it should be harmonized…

Yes, but it should be specific for…

Yes, but it should be easy to…

Other.

Do you think that the “label” concept would be useful to increase

awareness on the different levels of trust or security robustness of IoT

security products ?

Do you think that security certification is still fragmented at European, Global or domain level ? With fragmented,

we mean that there are different certification processes, different set …

Yes No

IoT devices (e.g., an IoT sensor in a

smart home)

IoT services (e.g., a cloud service)

IoT system (e.g., a smart home)

I do not know.

To which categories, do you think that security certification should be applied

?

Potential approaches

Yes No

Do you think that the development of common and harmonized best

practices for security and privacy in the development of IoT products …

Series1

If yes, do you think that the development of such best practices

should be taken by ?

Standardization body

Working group composed by private and public stakeholders.

Forum of leading companies in the IoT domain

Considering that IoT security and privacy threats are growing every day, do you think that it should be taken an action to identify and maintain the status and awareness of

such threats ? And by whom ?

Government (e.g., an EU agency)

Public Privacy partnership.

Forum of private companies

ARMOUR testing framework

Challenges of IoT Security & Trust

15

Business Logic Vulnerabilities Uncertainty of the expected

behaviour of IoT systems

Large-scale dimension,

heterogeneity, compositionality and

dynamic configuration of IoT systems

Ensuring End-to-End Security

& Privacy Testing

Brussels – December 6th

contribution for IoT Labelling and Certification

1. How to make the testing part of the labelling and certification process cheaper ?

• Built on reusable, configurable security test patterns and automated test generation

• Easy to use by certification bodies and extensible

• The certification scheme comes with the test patterns to be used

2. How to ensure the quality and reproductibility of the assessment?

• The security test patterns should be agreed by the certification authorities

• Test automation ensure the replicability of the results

3. How to deal with change? • Using the automated testing for continuous monitoring and testing at running stage to keep

the certificate alive

16Brussels – December 6th

ARMOUR in a nutshell

Duration 24 months (from Feb 2016 to Jan 2018)

EU funding 2 Millions €

Consortium 8 partners including 5 SMEs, 1 university and 2 research centres

18Brussels – December 6th

MBST Process

Functional

tests

Manual

execution

& scripts for

automation

Test Repository

(TTCN-3, Java…)

Security needs &

requirements

Security

tests

Modeling for test generation

Automatic test

generation

Risk Analysis

SecurityTest

Patterns

Security Test

Objectives

MBT

Tool

19Brussels – December 6th

MBST Approach in 5 steps

20

Vulnerability Analysis

Extracting API & Model Inference

Security test pattern selection

MBT test generation based on

ARMOUR test strategies

Publication in TPLan – test description

and TTCN-3 test scripts&

Test results & Labelling analysis

①

②

③

④

⑤

AIOTI WS Sophia Antipolis 12 september 2017

Follow the ETSI approach and ISO 31000

ETSI, “Methods for testing & specification; risk-basedsecurity assessment and testing methodologies,” 2015

• Database of general security threats in IoT (not included in ISO 31000)

• Compact threats of OneM2M to simplify and adapt to IoT devices also

Identification of vulnerabilities

• The endpoints should be legitimate.Lack of Authentication

• Intermediate entity can store a data packet and replay it at a later stage.Replay attack

• The cryptographic suite and key length must be enough to avoid certain type of attacks,

• such as dictionary attack or force brute.Insecure cryptography

• Several endpoints can access to the server at the same time in order to collapse it.DoS attacks

• Received data are not tampered w ith during transmission; if this does not happen, then any change can be detected.Lack of Integrity

• Transmitted data can be read only by the communication endpoints.Lack of Confidentiality

• Endpoint services should be accessible to endpoints w ho have the right to access them.Lack of Authorization

• Exceptions should be controlled to avoid faults that affects the endpoints.Lack Fault tolerance

Analysing the environment

• Includes understanding the business, regulatory environment, analyse which security level is required in each of them and planning the testing (objective, scope).

• Determinate which level of security is needed in a specific domain by defining several profiles that indicates which level of security must be achieved by the TOE in the context considered to obtain each profile

It needs a low risk in

replay attack if It

wants to fulfils the A

profile

Security risk assessment

• The CWSS metrics can be obtained:

• From testing

• By default taking into account the vulnerability

• By default if they are not applicable to IoT or to our certification procedure(e.g finding confidence, since the scenario is evaluated before beingattacked) (Risk Identification phase)

S= BF * AS * ES

• Risk Estimation phase: we calculate the score for each vulnerability by means of the CWSS formula:

Security risk assessment – Risk evaluation

• We associate CWSS(Common Weakness Scoring System) score intervals with risk levels (low, medium, high and critical) to compare with the profiles.

• We always choose the highest profile fulfilled by each vulnerability.

CWSS Risk Risk

0-30 Low

31-62 Medium

63-84 High

85-100 Critical

Certification - Labelling

• As an output of the general certification process, we obtain a label associated to the risk of the scenario tested.

• Three mains aspects are considered to be included in the label, following the Common Criteria approach

TOE

• Also includes the protocol tested and the context where it has been tested (industry, health, etc.)

Profiles (Level of protection)

• A

• B

• C• D

Certification execution

Common Criteria

EALsTOEPPs

Certification - Labelling

• Visual labelling following the recommendations of ENISA and ECSO. The result of the evaluation need to be communicated appropriately to the user.

• Multidimensional, like security.

• To perform a fast labelling update, we propose the usage of a QR.

Post certification monitoring

Feedback from experts and references has shown

that post certification monitoring or dynamic

certification can be used to complement static

security certification: address unknown security

certification gaps or other unknowns like zero-day

attacks.

Coming Armour report (D4.4) will describe post

certification monitoring as part of the overall analysis

of IoT lifecycle certification.

Conclusion : On the way to MBST for IoT Systems Labelling & Certification

30

Security is number one

challenge in the IoT domain

Model-Based Security

Testing as a core

technology to ensure a

trustable labelling scheme

Collaborations & contributions

AIOTI

IERC

Towards a Trust Label

Processsupported by (large scale) IoT

enhanced security test-bedsoneM2M

Brussels – December 6th

Thank you