Still olden but golden, when it comes to IoT Connected Devices
I have briefly touched upon IoT (Internet of Things) at my blog previously:
Fast moving wireless world
https://trewmte.blogspot.com/2014/10/fast-moving-wireless-world.html
The Internet of Things (IoT)
https://trewmte.blogspot.com/2016/03/the-internet-of-things-iot.html
The Rise of (IoT) Domestic Appliance Forensic Examiners
https://trewmte.blogspot.com/2016/03/the-rise-of-iot-domestic-appliance.html
Smart Phones with Smart Homes
https://trewmte.blogspot.com/2016/06/smart-phones-with-smart-homes.html
eSIM - Observing Possible Outcomes Part 1
https://trewmte.blogspot.com/2019/12/esim-observing-possible-outcomes-part-1.html
I am adding updated reference materials available on IoT and Cyber, which you might find useful if you haven't seen this information or weren't aware of it.
ETSI in February 2019 released the first globally applicable standard for consumer IoT security:
etsi-releases-first-globally-applicable-standard-for-consumer-iot-security?jjj=1611490283528
This publicised event introduced the ETSI Standard ts_103645v010101 (2019)
CYBER; Cyber Security for Consumer Internet of Things
In 2020 ETSI updated the standard ts_103645v020102 with enhanced baseline requirements:
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
The object of these standards is to improve security and privacy. A common default password shared by all products is to be scrubbed, with a unique default password per device applied instead. Moreover, once the user has changed the password, it should not be possible to re-enable the password that was originally set as the default. Apparently, many IoT (consumer) products on the market may still not (even today) meet these password objectives or other more basic requirements that have been stated in this newly released standard.
Measures vendor companies should undertake range from adopting simple installation and user guidance, supported by good documentation, to good hardware/software security engineering practice. For personal privacy, the standard sets out protection objectives requiring all sensitive personal data to be stored securely, both on the devices themselves and in any related services, e.g. in the cloud. Any personal data should be encrypted and protected against attack, with clear instructions on how consumers can easily delete their personal data.
Whilst this standard provides consumers with confidence in their IoT product, it has equally been designed to allow vendor companies sufficient flexibility to innovate and find the best solution for security and privacy for their particular IoT products. Password protection, encryption, and safe deletion are some solutions. Others could be blocking off network ports; closing off software not being used; avoidance of exploited data (OOR) by adoption of a validation approach; secure-boot mechanisms (hardware-based); and easy, secure device software updates (e.g. user menu selection or autonomic/automated (e.g. ZTP etc)). These are possible solutions.
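As an added illustration of the password objective above (this is example code written for this page, not taken from the ETSI documents or the original post): a provisioning check that flags a default password shared across devices, and a credential store that refuses to put a device back on its factory default. The names `DeviceCredentials`, `provision`, `shared_defaults` and the serial numbers are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def _digest(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF so the stored verifier is not a plain hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentials:
    """Hypothetical per-device credential store (illustrative names)."""

    def __init__(self, factory_default: str):
        self._salt = secrets.token_bytes(16)
        self._factory = _digest(factory_default, self._salt)
        self._current = self._factory

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self._salt), self._current)

    def change_password(self, old: str, new: str) -> bool:
        if not self.verify(old):
            return False
        # The factory default is never accepted as a new password, so a
        # user who has moved off it cannot put the device back on it.
        if hmac.compare_digest(_digest(new, self._salt), self._factory):
            return False
        self._current = _digest(new, self._salt)
        return True


def provision(serials):
    """Assign each serial its own random default, not one shared value."""
    return {serial: secrets.token_urlsafe(12) for serial in serials}


def shared_defaults(manifest):
    """Return {password: count} for defaults used on more than one device."""
    counts = Counter(manifest.values())
    return {pw: n for pw, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Constructed sample manifest: two units ship with the same default.
    legacy = {"SN-0001": "admin", "SN-0002": "admin", "SN-0003": "p9Xw-unique"}
    print("shared defaults:", shared_defaults(legacy))
    fresh = provision(legacy)
    print("shared after re-provisioning:", shared_defaults(fresh))
```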
I did like that ETSI had included specific demands about disclosure in this standard for vendor companies to identify, act upon and promptly report vulnerabilities.
However, from a cyber aspect, the ETSI Technical Committee on Cybersecurity (TC CYBER) has overseen and published over 50 cyber standards, some of which are referenced below:
ETSI TS 103 744 V1.1.1 (2020-12) Published
CYBER; Quantum-safe Hybrid Key Exchanges
ETSI TS 103 523-1 V1.1.1 (2020-12) Published
CYBER; Middlebox Security Protocol; Part 1: MSP Framework and Template Requirements
ETSI TS 103 718 V1.1.1 (2020-10) Published
CYBER; External encodings for the Advanced Encryption Standard
ETSI TR 103 644 V1.2.1 (2020-09) Published
CYBER; Observations from the SUCCESS project regarding smart meter security
ETSI TS 103 485 V1.1.1 (2020-08) Published
CYBER; Mechanisms for privacy assurance and verification
ETSI TR 103 619 V1.1.1 (2020-07) Published
CYBER; Migration strategies and recommendations to Quantum Safe schemes
ETSI EN 303 645 V2.1.1 (2020-06) Published
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
ETSI TS 103 645 V2.1.2 (2020-06) Published
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
ETSI TR 103 306 V1.4.1 (2020-03) Published
CYBER; Global Cyber Security Ecosystem
ETSI TR 103 644 V1.1.1 (2019-12) Published
CYBER; Increasing smart meter security
ETSI TR 103 618 V1.1.1 (2019-12) Published
CYBER; Quantum-Safe Identity-Based Encryption
ETSI TR 103 331 V1.2.1 (2019-09) Published
CYBER; Structured threat information sharing
ETSI TS 103 523-3 V1.3.1 (2019-08) Published
CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security
ETSI TS 103 523-3 V1.2.1 (2019-03) Published
CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security
ETSI TS 103 645 V1.1.1 (2019-02) Published
CYBER; Cyber Security for Consumer Internet of Things
ETSI TR 103 370 V1.1.1 (2019-01) Published
CYBER; Practical introductory guide to Technical Standards for Privacy
ETSI TS 103 457 V1.1.1 (2018-10) Published
CYBER; Trusted Cross-Domain Interface: Interface to offload sensitive functions to a trusted domain
ETSI TR 103 642 V1.1.1 (2018-10) Published
CYBER; Security techniques for protecting software in a white box model
ETSI TS 103 523-3 V1.1.1 (2018-10) Published
CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control
ETSI TR 103 617 V1.1.1 (2018-09) Published
CYBER; Quantum-Safe Virtual Private Networks
ETSI TR 103 305-1 V3.1.1 (2018-09) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls
ETSI TR 103 305-2 V2.1.1 (2018-09) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing
ETSI TR 103 305-3 V2.1.1 (2018-09) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations
ETSI TR 103 305-5 V1.1.1 (2018-09) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 5: Privacy enhancement
ETSI TR 103 305-4 V2.1.1 (2018-09) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms
ETSI TR 103 306 V1.3.1 (2018-08) Published
CYBER; Global Cyber Security Ecosystem
ETSI TS 103 458 V1.1.1 (2018-06) Published
CYBER; Application of Attribute Based Encryption (ABE) for PII and personal data protection on IoT devices, WLAN, cloud and mobile services - High level requirements
ETSI TS 103 307 V1.3.1 (2018-04) Published
CYBER; Security Aspects for LI and RD Interfaces
ETSI TS 103 532 V1.1.1 (2018-03) Published
CYBER; Attribute Based Encryption for Attribute Based Access Control
ETSI TR 103 456 V1.1.1 (2017-10) Published
CYBER; Implementation of the Network and Information Security (NIS) Directive
ETSI TS 102 165-1 V5.2.3 (2017-10) Published
CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA)
ETSI TR 103 570 V1.1.1 (2017-10) Published
CYBER; Quantum-Safe Key Exchanges
ETSI TR 103 421 V1.1.1 (2017-04) Published
CYBER; Network Gateway Cyber Defence
ETSI TR 103 306 V1.2.1 (2017-03) Published
CYBER; Global Cyber Security Ecosystem
ETSI TS 103 307 V1.2.1 (2016-10) Published
CYBER; Security Aspects for LI and RD Interfaces
ETSI TR 103 305-2 V1.1.1 (2016-08) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing
ETSI TR 103 305-3 V1.1.1 (2016-08) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations
ETSI TR 103 305-4 V1.1.1 (2016-08) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms
ETSI TR 103 305-1 V2.1.1 (2016-08) Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls
ETSI TR 103 331 V1.1.1 (2016-08) Published
CYBER; Structured threat information sharing
ETSI TR 103 304 V1.1.1 (2016-07) Published
CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services
ETSI TR 103 369 V1.1.1 (2016-07) Published
CYBER; Design requirements ecosystem
ETSI EG 203 310 V1.1.1 (2016-06) Published
CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection
ETSI TS 103 307 V1.1.1 (2016-04) Published
CYBER; Security Aspects for LI and RD Interfaces
ETSI TR 103 303 V1.1.1 (2016-04) Published
CYBER; Protection measures for ICT in the context of Critical Infrastructure
ETSI TS 103 487 V1.1.1 (2016-04) Published
CYBER; Baseline security requirements regarding sensitive functions for NFV and related platforms
ETSI TR 103 308 V1.1.1 (2016-01) Published
CYBER; Security baseline regarding LI and RD for NFV and related platforms
ETSI TR 103 306 V1.1.1 (2015-11) Published
CYBER; Global Cyber Security Ecosystem
ETSI TR 103 309 V1.1.1 (2015-08) Published
CYBER; Secure by Default - platform security technology
ETSI TR 103 305 V1.1.1 (2015-05) Published
CYBER; Critical Security Controls for Effective Cyber Defence