- Toward Trustful IoT Life -

Transcription

1 CCDS Introduction - Toward Trustful IoT Life - Connected Consumer Device Security Council (CCDS) Kosuke Ito, Secretary General Copyright 2015 Connected Consumer Device Security Council Proprietary 1

2 ISSUE: Threats from Cooperated If even Single App is safe, but may be vulnerable in cooperated situation A consumer device infected malware spread to other device and apps Difference of security levels between each apps domains Malware AV, Home Appliance Apps Energy, HEMS Apps ITS, Vehicle Apps Apps Cooperation Medical, Healthcare Apps Other Consumer Intrusion 2 Server Cooperation Intrusion via vulnerable app, Crack to cooperative app 2 Copyright 2015 Connected Consumer Device Security Council Proprietary 2

3 Trust(safety and security)level Difference 1Different Level of Requirement For Safety and Security Level by product domains Required or Demanding Level Actual Product Level 安 心 安 全 Domain A Product 連 携 安 心 安 全 Domain B Product 連 携 安 心 安 全 Domain C Product 2Total Security Level will be leveled at the lowest product When connected Copyright 2015 Connected Consumer Device Security Council Proprietary 3

4 Lack of Security Standard for IoT Increasing the threats on IoT systems Lack of Security Standard for IoT Func. Safety Security Nuclear Plant Basic Domain IEC61513 Organization Basic Domain Certification Program by CSSC in JP Industrial System IEC61511 (CSMS) Not yet defined IEC Automotive IEC ISO ISO (ISMS) Lack of Guideline or Standard for Consumer IoT systems Healthcare Medical Home App IEC IEC60335 Not yet defined Not yet defined Test Tool Development supported by Okinawa Pref. Elec./ Electronic Control System IEC62061 Security Func. Product/parts Discuss By IPA ISO セキュリティ 評 価 認 証 CSSC: 技 術 研 究 組 合 制 御 システムセキュリティセンター IPA: 独 立 行 政 法 人 情 報 処 理 推 進 機 構 JIPDEC 一 般 財 団 法 人 日 本 情 報 経 済 社 会 推 進 協 会 Copyright 2015 Connected Consumer Device Security Council Proprietary 4

5 Overview of Automotive Standardization JARI ITSに 関 する 国 際 的 な 標 準 化 の 取 り 組 み Copyright 2015 Connected Consumer Device Security Council Proprietary 5

6 Value and Cost Balance IoT service value > Security Protection Cost Function and Architecture Cost Up by complex architecture Comply Important Requirement such as Safety Safety ISO/IEC SIL 1~4 ISO ASIL QM, A~D, etc Security ISO/IEC 15408/CC EAL 1~7 FIPS Level 1~4 ETIS ITS/C2C-CC TAL 1~4, etc Countermeasure Also countermeasure by architecture and Usability Quality Keep Higher Quality Different Priority and Judgement level Product domain by domain Copyright 2015 Connected Consumer Device Security Council Proprietary 6

7 CCDS Overview Name: Connected Consumer Device Security council Est: October 6 th, 2014 Chairman: Dr. Hideyuki Tokuda Prof. of Keio University Special Advisor of Cyber Security to the Cabinet Representative Director: Dr. Tsukasa Ogino Kyoto University Director: Dr. Atsuhiro Goto Prof. of Inst. Of Information Security Director: Katsutoshi Hasegawa (President, esol Inc.) Director: Hiroyuki Hattori (Director, Witz Member: 74(Principal/Regular:30, General:33, Academic:11) Copyright 2015 Connected Consumer Device Security Council Proprietary 7

8 SCOPE: Embedded/IoT/M2M in general, Connected Consumer which are not operated (monitored and controlled) by professionals Power, Utility EV/HV HEMS Network Smart Meter Battery Automated Driving V2X Communication PV HEMS Console Home Appliance Road Side UNIT ITS&Vechile Safety AV Network 4K 8K Contents Network Appliance Home Server ECU Home Gateway Medical/Healthcare Network Care Robots Medical, Healthcare Healthcare server After Telematics, Eco, Drive Recorder, etc. Potable New Services Convenience Wearable Cloud HEMS company Contents Provider Medical, Healthcare Vehicle and Traffic Control Copyright 2015 Connected Consumer Device Security Council Proprietary 8 お 弁 当 セ ー ル ATM Public Area Office Area Network MFP Remote Monitor / Maintenance 8

9 Goal and Activities Activities 1. Definition of secure development guidelines for consumer devices and discuss global standardization Goal Among daily usage of the consumer devices, unexpected device behavior affects injury, risk one s life, financial property. Our goal is to make the connected consumer devices working cooperative with safety and security. For the sustainable goal, we promote security awareness and reference point of good practices to all stakeholder company and organization in each domains. 2. Discuss certification scheme based on secure development guideline 3. Discuss the way of assurance for basically consumer safety and security 4. Development of vulnerabilities validation in cooperated consumer devices 5. Building test beds for verify attacks and countermeasures 6. Human resource development through those activities 7. Along with standards of development and security, we support development of validation tools and verification environment Copyright 2015 Connected Consumer Device Security Council Proprietary 9

10 CCDS External Cooperation IoT Security Guideline Dev. Design Process Guide = Security by Design Security Testing Guide ->International Std. 安 心 安 全 なサービス 製 品 開 発 を 目 指 す! Connected World Development Guideline WG IoT Vuln. Evaluation PF Dev. Vulnerability Testing Tool Development Testing Scenario Development Developing the Security Testing Platform Copyright 2015 Connected Consumer Device Security Council Proprietary 10

11 Cyber Security Policy for Vitalizing Society and its sustainable development by NISC Security By Design (SBD) System Design with Security Consideration from planning and design stage Preparation of the general guidelines to affect security on IoT system Enforcement of the technology development and proof trial in consideration of the characteristic (long life cycle, limit of the processing capacity) of the IoT system, importance of the hardware genuine nature 出 典 :NISC:サイバーセキュリティ 戦 略 ( 案 )より Copyright 2015 Connected Consumer Device Security Council Proprietary 11

12 PLAN: Secure Development Guideline Definition Per Domains Secure Development Guideline Common V2X, Probe Remote Access, Control Vehicle common part Arrange basic items for embed devices Discuss Integrated situation includes cyber space for Automated Drv. Embedded Domain Health Data Wearable Comm. Remote Access, Control HEMS Cooperation Healthcare common part Home Appliance common part Embedded Systems common part (Base) Cooperated Services common part Office (MFP, etc.) Public Space (ATM, etc.) Cyber System Domain As a beginning, Discuss for each Apps Arrange each common part Copyright 2015 Connected Consumer Device Security Council Proprietary 12

13 Founding the 3 rd Party Security V&V Evaluation Center 国 内 大 手 企 業 が 参 加 Automotives On-Board Head Units, Body Control ECUs Home Okinawa Pref. CCDS 重 要 生 活 機 器 連 携 セキュリティ 協 議 会 IoT Vuln. Testing Ctr 年 度 ~2017 年 度 R&D Center IPA Connected World Development Guideline Working Group Home GW, IoT GW for sensor network IoT Security Guideline Development WG Certification Authority (Future) Financial Terminals ATM/POS ATM/POS Testing Tool Dev. Testing DB Dev. & Ope Vuln. Evaluation Platform Evaluation Testing Platform System IoT Evaluation Test Scenario And Test result Integration Testing Process Dev. Trial Testing (Training) 3 rd Party Testing Service 3 rd Party Security V&V Evaluation Ctr (Future) Venders in Okinawa V&V: Verification and Validation Vuln: Vulnerability Copyright 2015 Connected Consumer Device Security Council Proprietary 13