<h1>Survey of IoT Security Standards</h1>
<p>Arvind Tiwary, CISO Platform, 2017-02-18. <a href="https://www.cisoplatform.com/profiles/blogs/survey-of-iot-security-standards">https://www.cisoplatform.com/profiles/blogs/survey-of-iot-security-standards</a></p>
<div>
<p>IoT security is being approached by many organizations and from different perspectives. In this post we give a bird's-eye view of the players. This is not intended to be comprehensive. We will supplement it in time with deeper dives at the different layers of the ISO 7-layer model.</p>

<p><strong>FTC</strong></p>
<p>The US Federal Trade Commission has a mandate around products sold in the USA and has published a position paper. It approaches the issue from a manufacturer-liability and good-practice point of view. <a href="https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices">https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices</a></p>
<p>The Oct 21 2016 Dyn DDoS attack accelerated the FTC's activity. In Jan 2017 it also launched an <a href="https://www.ftc.gov/news-events/press-releases/2017/01/ftc-announces-internet-things-challenge-combat-security">IoT Home Inspector</a> challenge for ideas on protecting smart homes.</p>

<p><strong>NIST</strong></p>
<p>The National Institute of Standards and Technology (NIST), under the U.S. Department of Commerce, publishes the FIPS standards applicable under the Federal Information Security Management Act (FISMA). NIST is actively developing a high-level IoT guide covering organizational processes and roles. See <a href="https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program">https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program</a>.</p>

<p><strong>IoT Security Foundation</strong></p>
<p>A new organization that tries to address IoT security holistically through a best-practice guide and planned self-certification schemes, the <a href="https://iotsecurityfoundation.org/best-practice-user-mark/">Best Practice User Mark</a>. They explicitly reject the idea that the manufacturer is solely responsible and are far more realistic about the roles of the various players. For more, see <a href="https://iotsecurityfoundation.org" target="_blank">https://iotsecurityfoundation.org</a>.</p>

<p><strong><a href="http://www.iiconsortium.org/index.htm">IIC Industrial Internet Consortium</a></strong></p>
<p>The Industrial Internet Consortium works on use cases for industrial IoT and counts all the global heavy hitters as members. Its initiatives securely connect, control and integrate assets and systems of assets with people, processes and data using common architectures, interoperability and open standards. <a href="http://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf">The Industrial Internet Security Framework (IISF)</a> is the most in-depth cross-industry security framework, comprising expert vision, experience and security best practices.</p>

<p><strong><a href="https://prplfoundation.org/">Prpl Foundation</a></strong></p>
<p>The Prpl Foundation works on next-generation open source software from data centre to device. prplwrt complements OpenWrt with carrier-grade features. They have a framework note for IoT security, a guide to critical areas in embedded computing and a 2016 report on smart home security. See <a href="https://prpl.works/application-note-july-2016/">https://prpl.works/application-note-july-2016/</a>. prpl.works is pragmatic about security and is collaborating with CABA on evolving IoT security.<br /> The <a href="http://www.caba.org/">Continental Automated Buildings Association (CABA)</a> is an international not-for-profit industry association dedicated to the advancement of intelligent home and intelligent building technologies.</p>

<p><strong><a href="https://www.bitag.org/">Broadband Internet Technical Advisory Group (BITAG)</a></strong></p>
<p>The Broadband Internet Technical Advisory Group's report studies the plague of IoT insecurity and makes recommendations to deal with it. It is short and well researched. <a href="https://www.bitag.org/report-internet-of-things-security-privacy-recommendations.php">The report</a> motivates its recommendations with over 150 informative references and footnotes on IoT risks, vulnerabilities and remedies. It covers the home segment.</p>

<p><strong><a href="https://www.owasp.org/index.php/About_OWASP#The_OWASP_Foundation">OWASP</a></strong></p>
<p>The Open Web Application Security Project is well regarded for its work. The OWASP Top 10 threats list has been very well received. They approach cybersecurity especially at the web application (HTTP, HTTPS) layer. Recently they have started a project for IoT. See <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project">https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project</a>.</p>

<p><strong><a href="http://www.ipso-alliance.org/about-us/">IPSO</a></strong></p>
<p>The IPSO Alliance has been working for some time on data and functions for Smart Objects. The <a href="https://github.com/IPSO-Alliance/pub/tree/master/reg">IPSO Smart Object Guidelines</a> provide a common design pattern, an object model, that can effectively use the IETF CoAP protocol to provide high-level interoperability between Smart Object devices and connected software applications on other devices and services. They have broadened their work from smart objects to include security. See <a href="http://www.ipso-alliance.org/ipso-community/resources/technical-advisory-board/security-privacy-identity-working-group/">http://www.ipso-alliance.org/ipso-community/resources/technical-advisory-board/security-privacy-identity-working-group/</a>.</p>

<p><strong>AllSeen</strong></p>
<p>The AllSeen Alliance includes AllJoyn and the Open Connectivity Foundation. AllJoyn is an open source software framework that makes it easy for devices and apps to discover and communicate with each other. The AllJoyn system provides a security framework for applications to authenticate each other and send encrypted data between them. <a href="https://allseenalliance.org/framework/documentation/learn/core/security2_0">The AllJoyn framework provides end-to-end application-level security.</a></p>

<p><strong><a href="https://otalliance.org/">OTA alliance</a></strong></p>
<p>The Online Trust Alliance (OTA) works on consumer trust and online brand reputation, including privacy, identity theft and internet governance. It is a successor to efforts to combat spam email through the Email Senders and Provider Coalition (ESPC). They have developed an <a href="https://otalliance.org/initiatives/internet-things">IoT trust framework</a>.</p>

<p><strong><a href="https://www.ietf.org/">IETF</a></strong></p>
<p>The Internet Engineering Task Force makes the Internet work better by producing high-quality, relevant technical documents that influence the way people design, use, and manage the Internet. They are responsible for numerous standards around security, including X.509 public key certificates. The following drafts and RFCs are among the interesting ones to watch.</p>

<p><strong>OTrP</strong></p>
<p><a href="https://www.ietf.org/id/draft-pei-opentrustprotocol-03.txt">Open Trust Protocol (OTrP)</a>, a protocol to install, update, and delete applications and to manage security configuration in a Trusted Execution Environment (TEE).</p>

<p><strong>MUD</strong></p>
<p>The draft <a href="https://tools.ietf.org/html/draft-lear-mud-framework-00">Manufacturer Usage Description</a> is a draft RFC intended to help reduce the vulnerability surface using a simple network policy (a whitelisting approach, in which the manufacturer describes the network access its device needs and the network permits only that). It aims to reduce the scope for malware injection and for over-the-air firmware updates being hijacked. It also tries to cover devices no longer actively maintained by the original manufacturer.</p>

<p><strong>DICE</strong></p>
<p><a href="https://datatracker.ietf.org/doc/rfc7925/">RFC 7925</a>: Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things.</p>

<p><strong>ACE</strong></p>
<p><a href="https://datatracker.ietf.org/wg/ace/documents/">Authentication and Authorization for Constrained Environments (ace)</a> working group documents.</p>

<p>Author: Arvind Tiwary, Chair, IoT Forum<br /><a href="https://www.linkedin.com/in/tiwaryarvind/">https://www.linkedin.com/in/tiwaryarvind/</a></p>
</div>
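<p>The MUD section above states the idea in one sentence: the manufacturer declares the network access its device needs and the network permits only that. The Python script below is an added example, not code from the post or from the IETF draft, showing the defender's side of that idea. It evaluates a constructed, simplified allowlist for a hypothetical thermostat (an assumption for illustration, not the draft's actual schema) against constructed flow records, denying by default anything outside the declared set. The device name, hostnames, addresses and the offline name-resolution table are all made up.</p>

```python
"""MUD-style allowlist evaluation over constructed flow records (added example)."""
import ipaddress
from typing import Optional

# Constructed, simplified policy in the spirit of a MUD file: the manufacturer
# declares the only outbound destinations its device needs. This is an
# assumption for illustration, not the draft's exact schema.
DEVICE_POLICY = {
    "device": "example-thermostat",
    "from-device": [
        {"dst-host": "update.vendor.example", "proto": "tcp", "dst-port": 443},
        {"dst-host": "ntp.vendor.example", "proto": "udp", "dst-port": 123},
        {"dst-net": "192.0.2.0/24", "proto": "tcp", "dst-port": 8883},
    ],
}

# Constructed name-resolution table so the example runs offline; a real
# enforcement point would resolve the policy's hostnames itself.
DNS_TABLE = {
    "update.vendor.example": "198.51.100.10",
    "ntp.vendor.example": "198.51.100.20",
}


def _rule_destinations(rule: dict) -> ipaddress.IPv4Network:
    """Turn a rule's host or network entry into a network object (a host becomes a /32)."""
    if "dst-host" in rule:
        return ipaddress.ip_network(DNS_TABLE[rule["dst-host"]])
    return ipaddress.ip_network(rule["dst-net"])


def rule_matches(rule: dict, flow: dict) -> bool:
    """A flow matches only when protocol, destination port and destination address all agree."""
    if rule["proto"] != flow["proto"] or rule["dst-port"] != flow["dst_port"]:
        return False
    return ipaddress.ip_address(flow["dst_ip"]) in _rule_destinations(rule)


def evaluate_flow(policy: dict, flow: dict) -> Optional[dict]:
    """Return the first rule that permits the flow, or None: no match means deny."""
    for rule in policy["from-device"]:
        if rule_matches(rule, flow):
            return rule
    return None


def audit_flows(policy: dict, flows: list) -> list:
    """Classify each observed flow; the unmatched ones are what a gateway blocks and a SOC reviews."""
    report = []
    for flow in flows:
        rule = evaluate_flow(policy, flow)
        report.append({
            "flow": flow,
            "verdict": "allow" if rule else "deny",
            "matched": (rule.get("dst-host") or rule.get("dst-net")) if rule else None,
        })
    return report


# Constructed flow records, as a home gateway might log them for this device.
OBSERVED_FLOWS = [
    {"dst_ip": "198.51.100.10", "proto": "tcp", "dst_port": 443},   # firmware update server
    {"dst_ip": "198.51.100.20", "proto": "udp", "dst_port": 123},   # NTP
    {"dst_ip": "192.0.2.44", "proto": "tcp", "dst_port": 8883},     # local controller, MQTT over TLS
    {"dst_ip": "203.0.113.7", "proto": "tcp", "dst_port": 23},      # telnet to an undeclared host
    {"dst_ip": "198.51.100.10", "proto": "tcp", "dst_port": 80},    # declared host, undeclared port
]


def denied_flows(policy: dict = DEVICE_POLICY, flows: list = OBSERVED_FLOWS) -> list:
    """Only the flows the allowlist would block."""
    return [entry["flow"] for entry in audit_flows(policy, flows) if entry["verdict"] == "deny"]


if __name__ == "__main__":
    for entry in audit_flows(DEVICE_POLICY, OBSERVED_FLOWS):
        f = entry["flow"]
        print(f'{entry["verdict"]:5} {f["proto"]} {f["dst_ip"]}:{f["dst_port"]}  via {entry["matched"]}')
```

<p>Run it directly to print a verdict per flow. The two denied flows are the ones a MUD-aware gateway would block and a SOC would want to see: a telnet connection to a host the manufacturer never declared, and the legitimate update host contacted on an undeclared port. Because the policy is evaluated as default deny, a flow that matches no rule is never permitted by omission, which is what keeps the declared set equal to the device's reachable attack surface.</p>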