Physical Security, IoT & The Role of Open Standards
•Download as PPT, PDF•
1 like•591 views
Our 8th FREE Webinar in the 2016 Smart Buildings Series, Kindly Sponsored by Tridium… "Physical Security, IoT & The Role of Open Standards" This is a Q&A Webinar with Per Björkdahl, Chairman of the ONVIF Steering Committee discussing Open Standards in the Physical Security Industry.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Physical Security, IoT & The Role of Open Standards
Similar to Physical Security, IoT & The Role of Open Standards (20)
More from Memoori
More from Memoori (20)
Recently uploaded
Recently uploaded (20)
Physical Security, IoT & The Role of Open Standards
- 1. Physical Security, IoT & The Role of Open Standards Q&A with Per Björkdahl, ONVIF Chairman Any Questions? Please type them in…
- 2. 2 ONVIF is committed to providing and promoting open interfaces to the security industry for effective interoperability of IP-based physical security products. The cornerstones of ONVIF are: Standardization of communication between IP-based physical security products Interoperability regardless of brand Openness to all companies and organizations Liaison with International standardization IEC & ISO IEC TC79 WG12 Video (IEC 62676-2-3:2013 IEC TC/) WG11 Access Control (IEC 60839-11-1) IEC TC9 WG46 CCTV in trains (IEC62580-2) ISO JTC1 HEVC (H.265) About ONVIF
- 3. 3 MISSION To provide and promote open Interfaces to the security industry for effective Interoperability. VISION All Security Systems share one Interface. ONVIF Mission & Vision
- 4. 4 ONVIF Development: 2008 to present 2008/10 ONVIF founded by Axis, Sony & Bosch, Core Specification 1.0 2009/05 Release of test tool and conformance procedure 2009/07 First conformant product launched 2009/10 100 members 200 products 2010/03 Scope extended to Access control 2010/12 Core specification 2.0 & Device Test Tool 1.02 2011/09 300 members 1000 products 2011/12 Device Test Tool 11.1 Profile S released 2012/08 400 members 2000 products 2013/04 1200 Profile S products 2013/12 Profile C released 2014/04 500 members 2700 Profile S products 2014/07 Profile G released 2014/12 Profile Q release candidate 2015/03 Client test tool released 2015/10 500+ members 5009 products 2015/07 Profile A release candidate 2016/05 ≈ 490 members 6´500 products 2011/12 EN 50132-5-2 IP Video Transmission Protocols Based on Webservices 2013/11 IEC 62676-2-3 IP Video Transmission Protocols Based on Webservices 2011/02 IEC60839-11-31 EACS IP Transmission Protocols Based on Webservices 2016/07 Profile Q released 2016/12 Profile A planned release
- 5. 5 - Availability vs. protection - Different threatscape than a PC - Unmanaged devices - Customers are not cyber mature - IoT vendors are not cyber mature Internet of Things – Cyber challenges
- 6. 6 Security is vital to IoT “It is a process, not a product” “Bruce Schneier”
- 7. 7 IoT are easier to hardened compared PC Outofthebox hardening Independent researchers Cyber awareness is increasing IoT– Cyber challenges going forward
- 8. 8 The message is loud and clear security products that can’t connect to an IP network disappear from the market sooner than later! Two possible developments Limited utilization of standards •Isolated system silos from one manufacturer •Proprietary systems •Manufacturer lock in •Limited interoperability Full utilization of standards •True IoT •Openness, •Unlimited interoperability the Role of Standards
- 9. 9 True IoT is not possible without standards Standards are not only technical Standards are also Procedures Together they can achieve security Let’s not take a leap backwards Security by obscurity is not preferred the Role of Standards
- 10. 10 Security is a Permanent working group in ONVIF Certificate-based Client Authentication Keystore TLS server General design goals What is ONVIF doing about security
- 11. New Website! http://www.memoori.com/ Next Webinar: 12th Sept - “Demystifying the IoT in Smart Buildings”
Editor's Notes
- First, let me briefly introduce ONVIF, what we are and what we do.
- This is our Mission and Vison. I think we can all agree that we are beyond the point of no return when it comes to expected interoperability. In this scenario Cyber security and IT security are extremely important but perhaps not so often talked about!
- During 2015 ONVIF has increased its efforts to be recognized as a thought leader and establish itself as an industry organization for manufacturers in the physical security industry. ONVIF is frequently quoted in security media and articles are re-published ONVIF specifications for both Video and Access control have been included in the newest IEC standards for Video Security Systems and Electronic Access Control
- Availability vs Protection An IoT device is a single service device, a.k.a. micro service. The service it provides adds value to a system but does not have enough value to make it the primary attack target. It does not hold the customer database nor is it the primary corporate web server. In order to maximize the service value you may need to increase availability. Availability increases the attack exposure area the thus the risks. Protection on the other hand may add deployment cost and system limitations, possibly reducing the service value. Customers and solution providers needs to make a calculated risk analysis to find the appropriate balance between the two. Different type of threat Due to the nature of an IoT device it does not expose the same types of threats/risks as clients and servers. - The service may expose risks for privacy and data integrity. - The vast amount of devices, inadequate hardening combined with easy physical access makes the devices a valuable attack platform. A malicious agent in the device may be a preparation for a larger targeted attack. Understanding the risks and threatscape around IoT helps focus the protection measures on the important stuff. Unmanaged devices Once deployed it is easy to forget an IoT device compared to a PC, tablet or server. This increases the risk of an IoT device not being monitored or patched. During deployment the device may have limited amount of known vulnerabilities, but a later discovered vulnerability can quickly be exploited if the device is exposed to direct Internet access. Also, IoT devices may have a short life-cycle and the vendor stops supplying patches and updates. These things needs to be taken into considerations. Customers are not cyber mature Many customers are neglecting or underestimating cyber threats. Majority of IoT devices do have some standard hardening capabilities such as password protection. A strong password will protect from more than 95% of attacks becoming a successful breach. Nevertheless, there are many examples where customers do not bother with basic hardening such as setting the password. Poor password management is the single most common reason behind a successful breach. IoT Vendors are not cyber mature Cyber immature vendors does not have to mean that the devices are insecure. But it increases the risk of products being shipped with unsecure interfaces and poor pre-configurations, exposing unnecessary risks for the owner. One driving factor behind this is that even though customers are concerned over cyber threats - they do seldom explicitly request or discuss cyber risks. Cyber immature customers drive vendors to focus on the device feature value.
- You can spend thousands of dollars securing your infratsructure! All it takes is that a password gets out and you are toast! It is hard to protect the system from intended breach from insider (social hacking) Bruce Schneier is an American cryptographer, computer security and privacy specialist, and writer. Another quote is If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. It is the combination of technology and procedures that creates the process that protects you! Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.
- IoT are easier to cyber hardened compared to clients and servers IoT device have less internal services and interface to protect Majority of devices are protected by infrastructure only accessible through cloud/server services IoT devices do not have users installing insecure applications, opening email attachments or surf suspicious sites Some manufacturers provides a Hardening Guide for their products where they recommend different settings depending on environment and end customer infrastructure and policies. Out-of-the-box hardening Almost all successful breaches are due to people mistakes and misconfiguration. By addressing out-of-the-box hardened, pre-shipped configurations, enhanced user interfaces and hardening guides, vendors can help customer archive sufficient standard protection. Additional tools and services will help management, configuration and monitoring. We see an increasing growth of encryption infrastructure and simplified certificate management that will make it easier to deploy communication protection. Independent researchers As the volume of IoT devices and services increases it will attract more independent researcher, consultants and white-hat hackers. They will help expose (unknown) device vulnerabilities before they may be exploited. We will also see more media coverage that will highlighting threats, risks and best practices. Cyber awareness Both customers and vendors are becoming more aware of cyber threats. This will push vendors to put more effort on cyber threat issues. Not only to device vulnerabilities but to configuration, management and maintenance.