Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Coordination of Threat Analysis in ICT
Ecosystems
Antonio Kung, CTO Trialog
25 rue du Général Foy, 75008 Paris, France
www...
Speaker: Antonio Kung
 Engineering background
 Chair of citizen approach to data
initiative
 EIP-SCC: European Innovati...
Ecosystems are complex
ITU workshop on 5G security19 March 2018
Security
Privacy
SafetySmart
grid
Transport
Health
Smart
C...
Ecosystem Security and Data Protection Concerns
ITU workshop on 5G security19 March 2018 4
Stakeholder
Legal
Compliance
Co...
Ecosystem Cybersecurity: What we Need
ITU workshop on 5G security19 March 2018 5
Ecosystem
Stakeholders
Ecosystem Assets
E...
Ecosystem Cybersecurity: What we Have
ITU workshop on 5G security19 March 2018 6
Ecosystem
Stakeholder 1
Ecosystem
Stakeho...
Example of Ecosystem: AutoMat
http://www.automat-project.eu
ITU workshop on 5G security19 March 2018 7
Example of Ecosystem: AutoMat
ITU workshop on 5G security
 Four types of stakeholders
19 March 2018 8
Storage provider
Au...
Ecosystem Design
ITU workshop on 5G security
 Personal data
ecosystem
 Interoperability
 Common description
– CVIM (Com...
Ecosystem Risk Analysis
ITU workshop on 5G security
 Risk analysis includes
 security risk analysis (e.g. ISO/IEC 27005)...
Ecosystem Interoperability
ITU workshop on 5G security
 Interoperability
includes
 Functional
interoperability
 Cyberse...
Different Types of Interoperability
ITU workshop on 5G security19 March 2018 12
Different descriptionDifferent description...
Need for Consistent Individual Cybersecurity Framework
ITU workshop on 5G security19 March 2018 13
Service provider
Cybers...
Cybersecurity Capabilities
ITU workshop on 5G securitySlide 14
Secure processing Protect data processing
Transparency info...
Agreement Cybersecurity Capabilities
ITU workshop on 5G security1519 March 2018
Providing evidence of
capability
provide e...
Threats
ITU workshop on 5G security16
STRIDE threat categories
Spoofing Spoofing marketplace
Tampering
Integrity and compl...
Incidents
ITU workshop on 5G security17
Incident Description Severity
Massive
personal data
breach
Public report of
potent...
Measures
ITU workshop on 5G securitySlide 18
ISO 27001 Categories of controls Control
Information security
policies
Manage...
Conclusions
ITU workshop on 5G security
 Need for ecosystem design viewpoint
 Need for ecosystem risk analysis
 Need fo...
Example of 5G Ecosystem
ITU workshop on 5G security19 March 2018 20
5G Mobile operator
IoT Device operator
Mobile platform...
Questions?
www.trialog.com
ITU workshop on 5G security19 March 2018 21
Upcoming SlideShare
Loading in …5
×

Coordination of Threat Analysis in ICT Ecosystems

141 views

Published on

This presentation discussed Coordination of Threat Analysis in ICT Ecosystems. The presentation was given at ITU Workshop on 5G Security in Geneva, Switzerland, on 19 March 2018. Find more information about this workshop here: https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20180319/Pages/programme.aspx

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Coordination of Threat Analysis in ICT Ecosystems

  1. 1. Coordination of Threat Analysis in ICT Ecosystems Antonio Kung, CTO Trialog 25 rue du Général Foy, 75008 Paris, France www.trialog.com ITU workshop on 5G security19 March 2018 1
  2. 2. Speaker: Antonio Kung  Engineering background  Chair of citizen approach to data initiative  EIP-SCC: European Innovation Platform on Smart Cities and Communities  Data protection / Privacy standards wiki for Ipen  Ipen.trialog.com  ITU-T  SG17 – Cybersecurity framework for intelligent transport system  FG-DPM – Security and privacy framework  ISO/IEC  Projects – 27550 Privacy engineering – 27030 Security and privacy guidelines for the IoT – 27570 Privacy guidelines for smart cities – 20547-4 Big data Security and privacy  Study periods – Big data security and privacy processes – Big data implementation security – Framework privacy preference management (Joint ITU-ISO) ITU workshop on 5G security19 March 2018 2
  3. 3. Ecosystems are complex ITU workshop on 5G security19 March 2018 Security Privacy SafetySmart grid Transport Health Smart Cities Big data IoT Ecosystems Domains Concerns 3
  4. 4. Ecosystem Security and Data Protection Concerns ITU workshop on 5G security19 March 2018 4 Stakeholder Legal Compliance Concern Management Concern System Lifecycle Concern Demand side Policy maker Compliance Check / Follow standards Transparency Operator Regulation for security Regulation for privacy Security and data protection risk analysis Agreement with other operators Security-by-design Privacy-by-Design Supply side Supplier Operators Requirements
  5. 5. Ecosystem Cybersecurity: What we Need ITU workshop on 5G security19 March 2018 5 Ecosystem Stakeholders Ecosystem Assets Ecosystem Cybersecurity capabilities Provide to protect Ecosystem Policy makers Verify/Certify (or Direct – Control – Evaluate)
  6. 6. Ecosystem Cybersecurity: What we Have ITU workshop on 5G security19 March 2018 6 Ecosystem Stakeholder 1 Ecosystem Stakeholder 2 Ecosystem Stakeholder 2 Ecosystem Stakeholder 2 Asset 1 Asset 2 Asset 3 Asset 4 Cybersecurity capability 1 Cybersecurity capability 2 Cybersecurity capability 3 Cybersecurity capability 4 Provides to protect Provides to protect Provides to protect Provides to protect Ecosystem Policy makers Verify/Certify
  7. 7. Example of Ecosystem: AutoMat http://www.automat-project.eu ITU workshop on 5G security19 March 2018 7
  8. 8. Example of Ecosystem: AutoMat ITU workshop on 5G security  Four types of stakeholders 19 March 2018 8 Storage provider Automotive manufacturer Marketplace Service provider
  9. 9. Ecosystem Design ITU workshop on 5G security  Personal data ecosystem  Interoperability  Common description – CVIM (Common vehicle information model) 19 March 2018 9 Storage manager Automotive manufacturer 1 Vehicle A data capturing CVIM Vehicle B data capturing Automotive manufacturer 2 Vehicle C data capturing CVIM Vehicle A owner data vault Vehicle B owner data vault Vehicle C owner data vault
  10. 10. Ecosystem Risk Analysis ITU workshop on 5G security  Risk analysis includes  security risk analysis (e.g. ISO/IEC 27005)  privacy impact analysis (e.g. ISO/IEC 29134) 19 March 2018 10 Storage Provider Risk analysis Automotive manufacturer Risk analysis Marketplace Risk analysis Service provider Risk analysis Ecosystem Risk analysis
  11. 11. Ecosystem Interoperability ITU workshop on 5G security  Interoperability includes  Functional interoperability  Cybersecurity interoperability 19 March 2018 11 Marketplace 2Marketplace 1 Service provider Service provider 2Service provider 1 Marketplace Storage provider 2Storage provider 1 Marketplace Marketplace 1Marketplace 1 Storage provider Automotive manufacturer 2 Automotive manufacturer 1 Storage provider Storage provider 2Storage provider 1 Automotive manufacturer
  12. 12. Different Types of Interoperability ITU workshop on 5G security19 March 2018 12 Different descriptionDifferent description Service Provider Market place2 Capability Market place1 Capability No interoperability Common descriptionCommon description Service Provider Market place2 Same capability Market place1 Same capability Interoperability of capabilities Common descriptionCommon description Service Provider Market place2 Different capability Market place1 Different capability Interoperability of descriptions
  13. 13. Need for Consistent Individual Cybersecurity Framework ITU workshop on 5G security19 March 2018 13 Service provider Cybersecurity framework • Capabilities • Agreement • Risks - Incidents - Consequences • Measures MarketplaceService provider Marketplace Cybersecurity framework • Capabilities • Agreement • Risks - Incidents - Consequences • Measures
  14. 14. Cybersecurity Capabilities ITU workshop on 5G securitySlide 14 Secure processing Protect data processing Transparency information Provide information how data processing is protected Data controller responsibility Verifies whether service provider has data controller responsibility 19 March 2018 Marketplace capability Service provider capability Secure processing Protect data pipeline and processing Owner consent Capability for vehicle owner to provide consent on personal data processing Consent revocation Capability for vehicle owner to withdraw from data pipeline Transparency information Capability to provide information on data processing chain Secure connection to service providers Capability to provide data to service provider securely Secure connection to storage providers Capability to retrieve data from storage manager securely Data processor responsibility Verifies whether marketplace has data processor responsibility
  15. 15. Agreement Cybersecurity Capabilities ITU workshop on 5G security1519 March 2018 Providing evidence of capability provide evidence of cybersecurity compliance to marketplace Getting evidence of capability obtain evidence of marketplace cybersecurity compliance Marketplace agreement Service provider agreement Providing evidence of capability provide evidence of cybersecurity compliance to service provider Getting evidence of capability obtain evidence of service provider cybersecurity compliance
  16. 16. Threats ITU workshop on 5G security16 STRIDE threat categories Spoofing Spoofing marketplace Tampering Integrity and completeness of data obtained from marketplace Information disclosure Eavesdropping data during communication Eavesdropping metadata (e.g. log of interactions with marketplace) Incorrect management of data processing chain leading to leaks (e.g. incorrect deletion) Denial Of Service Massive access to marketplace LINDDUN threat categories Linkability Anonymisation not carried out correctly Attempt from external parties to re-identify vehicle owner by using other datasets New linkability threat not taken into account 19 March 2018 Marketplace Threats Service provider Threats STRIDE threat categories Spoofing Spoofing storage provider Spoofing service provider Tampering Integrity and completeness of data provided to service provider Repudiation Service provider repudiation Information disclosure Eavesdropping data during communication Eavesdropping metadata (e.g. log of interactions with storage provider and with service provider) Incorrect management of data pipeline leading to leaks (e.g. incorrect deletion) Denial Of Service Massive access to marketplace by faked service providers Elevation of privilege Incorrect management of vehicle owner privacy rules (expressed in obtained metadata) LINDDUN threat categories Linkability Anonymisation not carried out correctly New linkability threat not taken into account [
  17. 17. Incidents ITU workshop on 5G security17 Incident Description Severity Massive personal data breach Public report of potential massive personal data leak because of improper operation at service provider level Maximum Massive denial of service Service provider can no longer operate. Significant 19 March 2018 Marketplace Incidents Service provider Incidents Incident Description Severity Case of personal data breach Public reporting that personal data vault has been accessed or that it has been processed against consent or privacy rules Significant Massive business data leak. Public report of potential massive business data leak because of improper operation at marketplace level Maximum Massive personal data breach Public report of potential massive personal data leak because of improper operation at marketplace level. Maximum Massive denial of service Marketplace can no longer operate. Significant
  18. 18. Measures ITU workshop on 5G securitySlide 18 ISO 27001 Categories of controls Control Information security policies Management direction. Data management policies Human resource security During employment Internal cybersecurity preparedness External cybersecurity preparedness Access control System and application access control Secure access to marketplace provider Cryptography Cryptographic controls Anonymisation of data sets Operation security Operational procedures and responsibilities Operation procedures for data processing Logging and monitoring Logging capabilities Control of operational software Operation procedures for transparency. Technical vulnerability management Plausibility check Communication security Information transfer Secure transmission of data System acquisition, development and maintenance Security in development and support processes Secure data processing capabilities Cybersecurity monitoring capabilities Information security incident management Management of information security incidents and improvements Alerting data processing chain Information security aspects of business continuity management Information security continuity Assurance of service provider cybersecurity capabilities Periodic review of service provider cybersecurity capabilities Compliance Compliance with legal and contractual requirements GDPR and cybersecurity compliance verification Information security reviews Periodic review of interoperability 19 March 2018 ISO 27001 Categories of controls Control Information security policies Management direction. Data management policies Human resource security During employment Internal cybersecurity preparedness External cybersecurity preparedness Access control Business requirements for access control Requirements for service provider access System and application access control Secure access from service provider Secure access to cloud storage provider Cryptography Cryptographic controls Confidentiality of personal data vaults Anonymisation of data sets Operation security Operational procedures and responsibilities Operation procedures for data search and processing Logging and monitoring Logging capabilities Control of operational software Operation procedures for transparency. Communication security Information transfer Secure transmission of data System acquisition, development and maintenance Security in development and support processes Secure data pipeline capabilities Cybersecurity monitoring capabilities Information security incident management Management of information security incidents and improvements Alerting data processing chain Information security aspects of business continuity management Information security continuity Assurance of cloud storage manager cybersecurity capabilities Periodic review of cloud storage manager cybersecurity capabilities Compliance Compliance with legal and contractual requirements GDPR and cybersecurity compliance verification Information security reviews Periodic review of interoperability Marketplace MeasuresService provider measures
  19. 19. Conclusions ITU workshop on 5G security  Need for ecosystem design viewpoint  Need for ecosystem risk analysis  Need for interoperability of cybersecurity capabilities  Need for Coordination of cybersecurity capabilities between different stakeholders of an ecosystem  Ecosystem vision must be better explained at standardisation level 19 March 2018 19
  20. 20. Example of 5G Ecosystem ITU workshop on 5G security19 March 2018 20 5G Mobile operator IoT Device operator Mobile platform operator Service provider
  21. 21. Questions? www.trialog.com ITU workshop on 5G security19 March 2018 21

×