Sunday, January 24, 2021

Cyber: Cyber Security for Consumer Internet of Things (IoT)

 


Still olden but golden, when it comes to IoT Connected Devices


I have briefly touched upon IoT (Internet of Things) at my blog previously:

Fast moving wireless world

https://trewmte.blogspot.com/2014/10/fast-moving-wireless-world.html

The Internet of Things (IoT)

https://trewmte.blogspot.com/2016/03/the-internet-of-things-iot.html

The Rise of (IoT) Domestic Appliance Forensic Examiners

https://trewmte.blogspot.com/2016/03/the-rise-of-iot-domestic-appliance.html

Smart Phones with Smart Homes

https://trewmte.blogspot.com/2016/06/smart-phones-with-smart-homes.html

eSIM - Observing Possible Outcomes Part 1

https://trewmte.blogspot.com/2019/12/esim-observing-possible-outcomes-part-1.html


I am adding updated reference materials on IoT and cyber security which you might find useful, in case you haven't seen this information or weren't aware of it.

In February 2019 ETSI released the first globally applicable standard for consumer IoT security:

etsi-releases-first-globally-applicable-standard-for-consumer-iot-security

This press release introduced the ETSI standard TS 103 645 V1.1.1 (2019-02), file reference ts_103645v010101:

CYBER; Cyber Security for Consumer Internet of Things

ts_103645v010101p.pdf

In June 2020 ETSI updated the standard to TS 103 645 V2.1.2 (file reference ts_103645v020102), published alongside the European Standard EN 303 645 V2.1.1, with enhanced baseline requirements:

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ts_103645v020102p.pdf

The object of these standards is to improve security and privacy. Universal default passwords, where one factory password is shared by every unit of a product, are to be done away with: where passwords are used, each device is to ship with a unique per-device password or have one defined by the user, and pre-installed per-device passwords are to be generated in a way that cannot be reproduced for a whole product class from public information such as a serial number or MAC address. Moreover, once the user has changed the password it should not be possible for the device to fall back to the factory default. Apparently, many consumer IoT products on the market still (even today) fail to meet this password objective or other basic requirements stated in the standard.
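To make the password provision concrete, here is an added example (mine, not code from the original post or from ETSI) that contrasts three ways a factory could provision default credentials and then audits a batch of provisioned units the way a reviewer would: first for uniqueness, then for whether the password can be recomputed from a public identifier. The device records, MAC addresses and the "derived from MAC" scheme are constructed for illustration; a real audit would try every derivation rule known for that product line, not just the one shown.

```python
"""Per-device default passwords: two schemes EN 303 645 rules out, one it asks for.

Added example, not from the original post or from ETSI. All device data below is
constructed; the MAC-derived scheme is a hypothetical weak design, not a real product's.
"""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


# --- Schemes that fail the standard ----------------------------------------

def universal_default(_mac: str) -> str:
    """Every unit ships with the same password: not unique per device."""
    return "admin"


def mac_derived_default(mac: str) -> str:
    """Password is a pure function of the MAC printed on the label and visible
    on the LAN. Unique per unit, but anyone who learns the rule can compute the
    password for the whole product class: fails the 'resists automated attacks
    against a class of device' requirement."""
    return hashlib.sha256(mac.encode()).hexdigest()[:8]


# --- A scheme that meets both requirements ---------------------------------

def random_default() -> str:
    """Independent CSPRNG output per unit, printed on that unit's label and
    recorded by the factory provisioning system. Not reproducible from any
    public identifier. 12 symbols from 62 gives roughly 71 bits of entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(12))


# --- Batch construction and audit ------------------------------------------

def make_batch(n: int, scheme):
    """Constructed fleet: n units with locally-administered MACs, each given a
    password by `scheme(mac)`. Returns a list of (mac, password) pairs."""
    devices = []
    for i in range(n):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        devices.append((mac, scheme(mac)))
    return devices


def all_unique(passwords) -> bool:
    return len(set(passwords)) == len(passwords)


def derivable_from_public_id(devices, guess_fn) -> float:
    """Fraction of units whose password an attacker recovers by applying a
    candidate derivation rule to the public identifier (here the MAC)."""
    hits = sum(1 for mac, pw in devices if guess_fn(mac) == pw)
    return hits / len(devices)


def audit(devices, guess_fns: dict) -> dict:
    """Reviewer's report: uniqueness plus hit rate for each candidate rule."""
    passwords = [pw for _, pw in devices]
    report = {"unique_per_device": all_unique(passwords)}
    for name, fn in guess_fns.items():
        report[f"derivable_via_{name}"] = derivable_from_public_id(devices, fn)
    return report


if __name__ == "__main__":
    rules = {"mac_sha256": mac_derived_default}
    for label, scheme in [("universal", universal_default),
                          ("mac-derived", mac_derived_default),
                          ("random", lambda _mac: random_default())]:
        print(label, audit(make_batch(50, scheme), rules))
```

The universal scheme fails the uniqueness check outright; the MAC-derived scheme passes uniqueness but every unit falls to the derivation rule, which is exactly the class-wide automated attack the standard wants excluded; only the random scheme passes both. Note that a per-device random password still has to be backed by a mechanism for the user to change it and by brute-force resistance on the login path, which this check does not cover.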

Measures that vendors should undertake range from simple installation and user guidance backed by good documentation, to sound hardware and software security engineering practice. For personal privacy the standard sets out protection objectives: all sensitive personal data is to be stored securely, both on the devices themselves and in any related services (e.g. in the cloud); personal data should be encrypted and protected against attack; and consumers should be given clear instructions on how to easily delete their personal data.

Whilst this standard gives consumers confidence in their IoT products, it has equally been designed to allow vendors sufficient flexibility to innovate and find the best security and privacy solution for their particular product. Password protection, encryption and safe deletion are some of the solutions. Others are: closing off unused network ports; removing or disabling software that is not in use; avoiding exploitation through malformed or out-of-range (OOR) input data by validating all input; hardware-based secure-boot mechanisms; and easy, secure software updates, whether user-initiated (e.g. via a menu selection) or automated (e.g. zero-touch provisioning, ZTP). These are possible solutions.
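The "validation approach" to out-of-range input is easy to state and easy to get wrong, so here is an added example (mine, not from the original post or from ETSI) of a fail-closed validator for a device control message. The message format, field names, limits and sample inputs are all constructed for illustration; the design points it shows are the ones that matter on a constrained device: bound the size before parsing, parse strictly, reject unknown fields rather than ignore them, and check type and range for every field that is present.

```python
"""Fail-closed validation of a device control message against an allow-list schema.

Added example, not from the original post or from ETSI. The thermostat-style
message format, field names, limits and sample messages are constructed.
"""
import json

MAX_MESSAGE_BYTES = 256          # bound work before touching the payload
REQUIRED = {"cmd", "nonce"}

# Allow-list schema: field -> (expected type, range/format check).
# Anything not listed here is rejected, not silently dropped.
SCHEMA = {
    "cmd":    (str,   lambda v: v in {"set_temp", "set_mode", "get_status"}),
    "temp_c": (float, lambda v: 5.0 <= v <= 35.0),     # constructed setpoint range
    "mode":   (str,   lambda v: v in {"heat", "cool", "off"}),
    "nonce":  (str,   lambda v: len(v) == 16 and all(c in "0123456789abcdef" for c in v)),
}


class InvalidMessage(ValueError):
    """Raised for any input the device will refuse to act on."""


def validate(raw: bytes) -> dict:
    """Return the parsed message if it is acceptable, else raise InvalidMessage."""
    # 1. Size bound first: no allocation or parsing for attacker-sized input.
    if len(raw) > MAX_MESSAGE_BYTES:
        raise InvalidMessage("message too large")

    # 2. Strict parse: bytes -> UTF-8 -> JSON object. Anything else is rejected.
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as e:
        raise InvalidMessage(f"malformed: {e}") from None
    if not isinstance(msg, dict):
        raise InvalidMessage("top level must be an object")

    # 3. Unknown fields are an error (they often carry hidden debug/feature toggles).
    unknown = set(msg) - set(SCHEMA)
    if unknown:
        raise InvalidMessage(f"unknown fields: {sorted(unknown)}")
    missing = REQUIRED - set(msg)
    if missing:
        raise InvalidMessage(f"missing fields: {sorted(missing)}")

    # 4. Type and range per field. bool is a subclass of int in Python, so it is
    #    excluded explicitly from numeric fields.
    for key, value in msg.items():
        expected, check = SCHEMA[key]
        if expected is float:
            ok_type = isinstance(value, (int, float)) and not isinstance(value, bool)
        else:
            ok_type = isinstance(value, expected)
        if not ok_type or not check(value):
            raise InvalidMessage(f"field {key!r} wrong type or out of range")

    # 5. Cross-field consistency: a command must carry the argument it needs.
    if msg["cmd"] == "set_temp" and "temp_c" not in msg:
        raise InvalidMessage("set_temp requires temp_c")
    if msg["cmd"] == "set_mode" and "mode" not in msg:
        raise InvalidMessage("set_mode requires mode")
    return msg


def is_valid(raw: bytes) -> bool:
    try:
        validate(raw)
        return True
    except InvalidMessage:
        return False


# Constructed sample messages: one acceptable, four that must be refused.
GOOD          = b'{"cmd": "set_temp", "temp_c": 21.5, "nonce": "0123456789abcdef"}'
OUT_OF_RANGE  = b'{"cmd": "set_temp", "temp_c": 900, "nonce": "0123456789abcdef"}'
UNKNOWN_FIELD = b'{"cmd": "get_status", "nonce": "0123456789abcdef", "debug_shell": true}'
OVERSIZED     = b'{"cmd": "get_status", "nonce": "0123456789abcdef", "pad": "' + b"A" * 300 + b'"}'
NOT_JSON      = b"\xff\xfe<cmd>"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("OUT_OF_RANGE", OUT_OF_RANGE),
                      ("UNKNOWN_FIELD", UNKNOWN_FIELD), ("OVERSIZED", OVERSIZED),
                      ("NOT_JSON", NOT_JSON)]:
        print(f"{name:14s} accepted={is_valid(raw)}")
```

The order of the checks is deliberate: the cheapest rejection (size) comes first, and the parser is never handed bytes that have not already passed it. On a real device the same allow-list discipline applies to every ingress path the standard names, user interface, API and network, not only to the one shown.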

I did like that ETSI included in this standard specific demands on vendors to identify, act upon and promptly report vulnerabilities.

Beyond consumer IoT, the ETSI Technical Committee on Cybersecurity (TC CYBER) has overseen and published over 50 cyber standards, some of which are listed below:

ETSI TS 103 744 V1.1.1 (2020-12) Published - CYBER; Quantum-safe Hybrid Key Exchanges

ETSI TS 103 523-1 V1.1.1 (2020-12) Published - CYBER; Middlebox Security Protocol; Part 1: MSP Framework and Template Requirements

ETSI TS 103 718 V1.1.1 (2020-10) Published - CYBER; External encodings for the Advanced Encryption Standard

ETSI TR 103 644 V1.2.1 (2020-09) Published - CYBER; Observations from the SUCCESS project regarding smart meter security

ETSI TS 103 485 V1.1.1 (2020-08) Published - CYBER; Mechanisms for privacy assurance and verification

ETSI TR 103 619 V1.1.1 (2020-07) Published - CYBER; Migration strategies and recommendations to Quantum Safe schemes

ETSI EN 303 645 V2.1.1 (2020-06) Published - CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI TS 103 645 V2.1.2 (2020-06) Published - CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI TR 103 306 V1.4.1 (2020-03) Published - CYBER; Global Cyber Security Ecosystem

ETSI TR 103 644 V1.1.1 (2019-12) Published - CYBER; Increasing smart meter security

ETSI TR 103 618 V1.1.1 (2019-12) Published - CYBER; Quantum-Safe Identity-Based Encryption

ETSI TR 103 331 V1.2.1 (2019-09) Published - CYBER; Structured threat information sharing

ETSI TS 103 523-3 V1.3.1 (2019-08) Published - CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security

ETSI TS 103 523-3 V1.2.1 (2019-03) Published - CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security

ETSI TS 103 645 V1.1.1 (2019-02) Published - CYBER; Cyber Security for Consumer Internet of Things

ETSI TR 103 370 V1.1.1 (2019-01) Published - CYBER; Practical introductory guide to Technical Standards for Privacy

ETSI TS 103 457 V1.1.1 (2018-10) Published - CYBER; Trusted Cross-Domain Interface: Interface to offload sensitive functions to a trusted domain

ETSI TR 103 642 V1.1.1 (2018-10) Published - CYBER; Security techniques for protecting software in a white box model

ETSI TS 103 523-3 V1.1.1 (2018-10) Published - CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control

ETSI TR 103 617 V1.1.1 (2018-09) Published - CYBER; Quantum-Safe Virtual Private Networks

ETSI TR 103 305-1 V3.1.1 (2018-09) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls

ETSI TR 103 305-2 V2.1.1 (2018-09) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing

ETSI TR 103 305-3 V2.1.1 (2018-09) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations

ETSI TR 103 305-5 V1.1.1 (2018-09) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 5: Privacy enhancement

ETSI TR 103 305-4 V2.1.1 (2018-09) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms

ETSI TR 103 306 V1.3.1 (2018-08) Published - CYBER; Global Cyber Security Ecosystem

ETSI TS 103 458 V1.1.1 (2018-06) Published - CYBER; Application of Attribute Based Encryption (ABE) for PII and personal data protection on IoT devices, WLAN, cloud and mobile services - High level requirements

ETSI TS 103 307 V1.3.1 (2018-04) Published - CYBER; Security Aspects for LI and RD Interfaces

ETSI TS 103 532 V1.1.1 (2018-03) Published - CYBER; Attribute Based Encryption for Attribute Based Access Control

ETSI TR 103 456 V1.1.1 (2017-10) Published - CYBER; Implementation of the Network and Information Security (NIS) Directive

ETSI TS 102 165-1 V5.2.3 (2017-10) Published - CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA)

ETSI TR 103 570 V1.1.1 (2017-10) Published - CYBER; Quantum-Safe Key Exchanges

ETSI TR 103 421 V1.1.1 (2017-04) Published - CYBER; Network Gateway Cyber Defence

ETSI TR 103 306 V1.2.1 (2017-03) Published - CYBER; Global Cyber Security Ecosystem

ETSI TS 103 307 V1.2.1 (2016-10) Published - CYBER; Security Aspects for LI and RD Interfaces

ETSI TR 103 305-2 V1.1.1 (2016-08) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing

ETSI TR 103 305-3 V1.1.1 (2016-08) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations

ETSI TR 103 305-4 V1.1.1 (2016-08) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms

ETSI TR 103 305-1 V2.1.1 (2016-08) Published - CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls

ETSI TR 103 331 V1.1.1 (2016-08) Published - CYBER; Structured threat information sharing

ETSI TR 103 304 V1.1.1 (2016-07) Published - CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services

ETSI TR 103 369 V1.1.1 (2016-07) Published - CYBER; Design requirements ecosystem

ETSI EG 203 310 V1.1.1 (2016-06) Published - CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection

ETSI TS 103 307 V1.1.1 (2016-04) Published - CYBER; Security Aspects for LI and RD Interfaces

ETSI TR 103 303 V1.1.1 (2016-04) Published - CYBER; Protection measures for ICT in the context of Critical Infrastructure

ETSI TS 103 487 V1.1.1 (2016-04) Published - CYBER; Baseline security requirements regarding sensitive functions for NFV and related platforms

ETSI TR 103 308 V1.1.1 (2016-01) Published - CYBER; Security baseline regarding LI and RD for NFV and related platforms

ETSI TR 103 306 V1.1.1 (2015-11) Published - CYBER; Global Cyber Security Ecosystem

ETSI TR 103 309 V1.1.1 (2015-08) Published - CYBER; Secure by Default - platform security technology

ETSI TR 103 305 V1.1.1 (2015-05) Published - CYBER; Critical Security Controls for Effective Cyber Defence
