This period is marked by a variety of linked activities with a high degree of novelty:
- Microprocessors with more power and memory for constrained devices
- Customer boards (new design or Redesign)
- Field devices with new functions
- networks with autonomously communication
- Batteries of today or smaller, increasing capacity
- Integration hubs on top include multiple protocols
- need for awareness within industry and product design regarding what technology can do and other.
These parallel developments require an integrated view of the security of the Internet, embedded devices, and adjoining backend systems.
1. 7/12/2016 1
Remarks to
Web of Things security
Frank Alexander Reusch
Lemonbeat GmbH
F2F Meeting W3C, Web of Things
12th July 2016, Beijing
Beihang University
„LU JINRONG / Shutterstock.com
2. Disclaimer
This document does not constitute an offer to sell or a solicitation of an offer to buy any securities.
This document and the information contained herein are for information purposes only and do not constitute a prospectus or an offer to sell or a solicitation of
an offer to buy any securities in the United States. Any securities referred to herein have not been and will not be registered under the U.S. Securities Act of
1933, as amended (the "Securities Act"), or the laws of any state of the United States, and may not be offered, sold or otherwise transferred in the United
States absent registration or pursuant to an available exemption from registration under the Securities Act. Neither the Company nor one of its shareholders
intends to register any securities referred to herein in the United States.
No money, securities, or other consideration is being solicited, and, if sent in response to the information contained herein, will not be accepted.
This document does not constitute an offer document or an offer of securities to the public in the U.K. to which section 85 of the Financial Services and Markets
Act 2000 of the U.K. applies and should not be considered as a recommendation that any person should subscribe for or purchase any securities as part of the
Offer. This document is being communicated only to (i) persons who are outside the U.K.; (ii) persons who have professional experience in matters relating to
investments falling within article 19(5) of the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (as amended) (the "Order") or (iii) high
net worth companies, unincorporated associations and other bodies who fall within article 49(2)(a) to (d) of the Order (all such persons together being referred
to as "Relevant Persons"). Any person who is not a Relevant Person must not act or rely on this communication or any of its contents. Any investment or
investment activity to which this communication relates is available only to Relevant Persons and will be engaged in only with Relevant Persons. This
document should not be published, reproduced, distributed or otherwise made available, in whole or in part, to any other person without the prior consent of the
company.
3. New…
• Microprocessors with more power and memory for constrained devices
• Customer boards (new design or Redesign)
• Field devices with new functions
• networks with autonomously communication
• Batteries of today or smaller, increasing capacity
• Integration hubs on top include multiple protocols
• physical communications (e.g. IEEE 802.11 ah)
• areas of knowledge for developers
• fields for customer training (New products are more complex and
therefore need of explanation)
• need for awareness within industry and product design regarding what technology can do
• market players and cooperations
• Standards and real interoperability
Altogether. Over years.
IoT is a turning point in history
This period is marked by a variety of linked activities with a high degree of novelty.
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 3
4. Web of Things
Internet of Things World wide web
Industry Building
Automation
Smart
Energy
Smart
Cities
Mobility Local
Health
Environ-
ment
Agriculture Smart
Garden
Smart
Home
Public
Safety
Logistics
Standards prevent wild ad hoc development. Isolated silos coming to their end.
Based on standards, everyone can focus on good customer solutions.
Through combining success strategies of the Web with IoT there are a lot of new opportunities.
Increasing complexity means a higher security risk.
W3C gives IoT a structure. The prerequisite for enormous
growth is fulfilled.
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 4
5. Everybody talks about security. But sometimes different terms are mixed.
Security
• Protection of an object against external influences
• “protection of a person, building, organization, or country against threats
such as crime or attacks by foreign countries:,…” (Cambridge.org/dictionary)
• “things done to make people or places safe” (Merriam-Webster)
Safety
• Protection against an object (for example, protection against failures)
• “protected, or free from danger etc”; “providing good protection (Cambridge.org)
Privacy
• „the quality or state of being apart from company or observation” or
“freedom from unauthorized intrusion”,
„the state of being alone” or “the state of being away from public attention”
(Merriam-Webster)
Definitions
Examples:
• Protection of data against access
• Protection of a network
against unauthorized access
Examples:
• Protection of an person against
failures or functional disorder of
a device (e.g. local health)
That´s a challenge:
• New services require the provision
of private information (position/
current whereabouts, financial
data etc.)
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 5
6. Interdependencies and the triangle of conflicting priorities
Security
Safety Privacy
Cost
Quality Time
What is blocking the enhancement of current security levels in the IoT?
Lack of expertise (21 %)
Budget constraints (19 %)
Upper management buy-in (17 %)
Source: IOT Analytics – Research and Survey results; Security of Things World Conference, Berlin, June 2016
Lack of knowledge about advanced security processes and
technology (15 %)
Competiting priorities (10 %)
Organizational culture attitude about security (10%)
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 6
Constrained budget
Conflicting aims
Unrealistic timelines
Qualified people
Budget meet the requirements
Ambitious but realistic goals
7. Efficient, interoperable, integrated, supplier
independent, cheap, secure
Expensive, inefficient, inflexible,
not secure
TODAY: CONVENTIONAL BUILDING AUTOMATION
INFRASTRUCTURE FUTURE: BUILDING AUTOMATION INFRASTRUCTURE
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 7
Lemonbeat technology in the field of building automation –
potential architecture
Autonomous devices network
without central control.
Internet access is not mandatory
8. Mix between old and new technologies improves effort for security
Cloud/Platform
(„collect, store,
analyze data
to provide
operational efficiency“)
Lemonbeat via radio, ethernet etc. (Direct communication to management level)
Traditional communikation with various protocols
Multiple vendors
Different types/functions/
protocols of devices
Primary equipment,
Heating, cooling,..
with longtime lifecycle
Radio
Ethernet
Connector
(Without intelligence,
low cost)
Radio
Controller Heating:
e.g. redesign of
Control board
Integration
platform
Transformation of Building automation /
Complexity of intermediate steps to real WOT
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 8
Ethernet
9. How is IoT security different from traditional system
security?
Higher system complexity (49 %)
Distributed security across the network (49 %)
A novel hardware / software integration (44 %)
New software architecture (18 %)
Source: IOT Analytics
Why are additional measures in the security of IoT necessary?
9
The traditional scope of IT security is not sufficient for the IoT.
10. Field level increases the potential attack surfaces (examples)
Purchasing Production CRM R&D
connectors
connectors
connectors
Radio
Ethernet
Radio Ethernet
Impostor Email
CEO Fraud
Business Email Compromise (BEC)
Big Data
read data
from memory
1.Access to
Customers
data
2.auto-reload
function
3.Authorized
password
change
Denial of
Service
Man-in-the-
Middle attack
Sniffer /
Replay
Stealing
Dongle
(read key)
1. Buffer-Overflow
2. Linking return adress
to malware
Access after
brute force attack
Social Network
Predictive Analytics
Preventive Analytics
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 10
11. 31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 11
Most known security breaches
12. Who is responsible in security ?
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 12
Source: IOT Analytics
Here´s the answer of participants of a Security conference:
Who holds responsibility will differ. If the company is
• Device manufacturer, OEM:
• Product Manager
• CTO
• For partly activities, everyone is responsible
• Customer in the area of B2B:
• Process owner
• Department which is responsible for an use case
• partly activities, everyone is responsible
13. Security is the result of many diverse activities in the value chain
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 13
Many stages in the value chain are involved to ensure this topic
Each involved person is responsible for their own part. This includes a look to the left and to the right side.
Their task area is defined and cooperation with other is matched (adoption)
The result is a chain of tasks and responsibilities
The end customer receives 100% quality when all people in the chain do their job properly (TQM).
Chip Manufacturer Device Manufacturer Automobile Manufacturer
14. Partner
OEM (e.g. Chips)
Device manufacturer
System integrator
Waterfall Agile Guidelines
Universities
Research institutes
Require-
ments Design Prototyping Review OptimizationSoftware developer
Other vendors
Security is a result of some complex activities
Series
production
Continuous
Improvement
Policy Demand Concept Training Review
Continuous
Improvement
Program-
Management
Software
Hardware
Knowledge
Build / Test
automation
Requirements
Design
Development
Testing
Implementation
Maintenance
Plan Goals Collaboration Identity Mission Coaching
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 14
Value chain / company processes Results
15. Not every use case is critical, and not in each critical use case are all aspects critical
Is a similar approach to "risk based testing" feasible?
How can a "risk based security" work?
Is a multistage approach feasible?
• Step 1: Basic security
• Step 2: Critical based security design
The following objectives might be important:
1. Prevention
2. Deterrence
3. Automatism in case of attack
How much security is needed?
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 15
Use case Security Safety Privacy
Building Automation 1 2 2
Smart Energy 1 1 3
Local Health 1 1 1
Smart Home 1 2 1
Exemplary rating
16. IEEE
IETFW3C
Current activities of the world leading organisations
Web Authentication
Working Group
Web Application
Security
Web Cryptography
Working Group
Web Payments
Web Security
Interest Group
Privacy Interest
Group
Technical
Architecture Group
Web of Things
(WOT)
XML Security
Hardware Based
Secure Service
Community Group
and other
Industry
Connections Security
Group
IEEE Std 1686-2013
Standard for Intelligent
Electronic Devices (IED)
Cyber Security Capabil.
Technical Committee on
Security and Privacy
Malware Working
Group)
IEEE Anti-Malware
Support Service
(AMSS)
Malware MetaData
Exchange Format
(MMDEF) Working
Group
IEEE Std 1363.1-2008
Standard Specification for Public-
Key Cryptographic Techniques
IEEE Std 1363.3-2013
Standard for Identity-Based
Cryptographic Techniques
IEEE Std 2600-2008 Standard for
….Hardcopy Device and System
Security
IEEE Std 1667-2015 Standard for
Discovery, Authentication, and
Authorization in Host Attach-
ments of Storage Devices
Decentralized regu-
lations eg. 802.11 ah,…
NIST
Advanced Encryption
Standard, e.g. AES 128
IoT Security
Foundation
“promote knowledge
and clear best practice “
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 16
ISO/IEC 27001NIST Interagency Report
(NISTIR) 7977 ISO/IEC 19790:2012
Security requirements for
cryptographic modules
GSMA IoT Security Guidelines
GSMA
ETSI TR 103 306:
Global Cyber Security Ecosystem
ETSI
ENISA
eg Critical Infrastructure
and Services
No claim to completeness
DNS-based Authentication
of Named Entities
IP Security Maintenance
and Extensions
Transport Layer Security
Secure Inter-Domain
Routing
Javascript Object Signing
and Encryption
Keying and Authentication
for Routing Protocols
Open
Authentication Web Security
Securing Neighbor
Discovery
17. Current situation:
• There are a variety of documents, guidelines and best practices relating to security.
• The know-how is distributed and at first glance very intransparent.
• The level of knowledge of each developer varies greatly.
One suggestion:
• One central hosted libary with all necessary knowledge regarding IoT Security („The living wall“).
• and structured links to original sources and connected areas.
• Free access for all developers.
• True to the meaning of open source constant adaptation and enlargement.
Knowledge is an important driver for IoT Security
31.10.2018 W3C F2F Beijing, Remarks to the security of Web of Things, Reusch 17