The document discusses communicating cybersecurity requirements in the context of IoT. It outlines learning outcomes around understanding IoT security needs like privacy, safety, resilience, confidentiality, authentication and integrity. It then discusses how to have a conversation about these needs using examples like smart cameras and smart lamp posts. The key is to ask what risks are being addressed, what specifically is being protected, and to involve IT/cybersecurity experts to conduct risk assessments and recommend security controls.
2. Learning Outcome
1) Understand cybersecurity requirements in the context of IoT
a) Safety
b) Privacy
c) Resilience
d) Confidentiality
e) Authentication
f) Integrity
2) Communicate with IT/cybersecurity team
#ISSLearningDay2018
4.
I want to put up a smart camera to capture objects and faces, analyzing faces down to race, gender and age.
Err…
No, security risk …
20. Pacemaker
A pacemaker is a small, battery-operated device that senses when your heart is beating irregularly or too slowly. It sends a signal to your heart that makes your heart beat at the correct pace.
Barnaby Jack, the director of embedded device security for computer security firm IOActive, developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 15m radius.
21.
The hackers could deliberately run the battery flat, or conduct “administration of inappropriate pacing”. Both could, in the worst case, result in the death of an affected patient.
30. Collect & Transfer of Confidential Data
facial recognition
biometric data
mothership
Don’t want these data to be copied/stolen
Data Confidentiality
34. Collect & Transfer of Confidential Data
facial recognition
biometric data
mothership
Don’t want these data to be modified
Data Integrity
35. If we are afraid of losing… then what can we do?
Conduct risk assessment
Get the IT/cybersecurity expert to do the job
36. Conduct Risk Assessment
• To understand the chances of losing …
• To understand the impact if we lose it
• With the assessment, we determine whether
  • we can afford to do nothing and accept the risk, or
  • we need to mitigate the risk to reduce the chances of losing …
37. What do we do to mitigate the risk?
If we cannot accept the risk
Design & implement Security Control
38. What is Security Control?
• Similar to finance, where separating doer and checker puts an internal control in place.
• Security controls are safeguards or countermeasures to protect your information asset (including physical for IoT)
• Example:
  • Anti-virus software on our computer is a security control that protects our information against compromise by malware.
40. (1) Break down ecosystem into components
Source: http://linuxgizmos.com/intel-extends-its-internet-of-things-ecosystem/
41. (1) Break down ecosystem into domains
• IoT asset (IoT physical and software aspect)
• Communication and network (between IoT and mothership)
• Identity and access management (mutually between IoT and mothership)
• Operation security
43. In summary, ask the right questions
1. What are we afraid of losing? What do we want? …
a) Privacy
b) Safety
c) Resilience
d) Confidentiality
e) Authentication
f) Integrity
2. Could you (IT/cybersecurity) help to assess the risks of losing …?
3. Could you recommend security controls to protect …?