Post on 14-Jul-2020
TRUSTWORTHINESS & SECURITY MATURITY MODEL
FREDERICK HIRSCH
SYDNEY INDUSTRY DAY
Frederick Hirsch 1
THE WORLD IS CHANGING
(1) Took over the Radio (RAD) through a guessable password.
(2) Re-imaged the V850 controller (BCM) Gateway: the images carried a checksum, but it was never checked.
(3a) With the re-imaged BCM, the Radio can send arbitrary CAN bus commands (2015).
(3b) (2016) spoofed TPM speed messages…
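The re-imaging step above is worth pulling apart, because it hides two separate failures: the update path never called the checksum it had, and a checksum would not have helped much anyway, since a CRC detects corruption rather than tampering (anyone who can write the image can recompute it). The following is an added example, not code from the slides or from any vehicle vendor; it contrasts an unchecked CRC with an enforced authentication tag. An HMAC-SHA256 tag stands in for a real code-signing signature (production firmware uses an asymmetric signature so the device holds only a public key), and the images, key, and attacker payloads are constructed sample data.

```python
"""Added example (not from the slides): unchecked, forgeable image checksum
versus an enforced authentication tag on a firmware image. Images and keys
are constructed sample data; HMAC stands in for a code-signing signature."""
import hashlib
import hmac
import zlib
from typing import Optional

OEM_KEY = b"constructed-oem-signing-key"  # constructed; never present on a real device
TAG_LEN = 32  # SHA-256 output length


def crc_package(image: bytes) -> bytes:
    """Weak packaging: image || CRC32 (4 bytes, big-endian)."""
    return image + zlib.crc32(image).to_bytes(4, "big")


def crc_check(package: bytes) -> bool:
    """The integrity check that existed on the device but was never invoked."""
    image, crc = package[:-4], package[-4:]
    return zlib.crc32(image).to_bytes(4, "big") == crc


def flash_unchecked(package: bytes) -> bytes:
    """Vulnerable update path: strips the checksum and flashes whatever arrived."""
    return package[:-4]


def attacker_reimage_crc(payload: bytes) -> bytes:
    """Attacker swaps the image and recomputes the CRC; crc_check passes anyway."""
    return crc_package(payload)


def signed_package(image: bytes, key: bytes) -> bytes:
    """Packaging with an authentication tag: image || HMAC-SHA256(key, image)."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def verify_signed(package: bytes, key: bytes) -> Optional[bytes]:
    """Return the image only if its tag verifies; None means refuse to flash."""
    if len(package) <= TAG_LEN:
        return None
    image, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    # Constant-time comparison: no timing leak about how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return image


def flash_enforced(package: bytes, key: bytes) -> Optional[bytes]:
    """Hardened update path: flash only what verify_signed accepts."""
    return verify_signed(package, key)


def attacker_reimage_signed(genuine_package: bytes, payload: bytes) -> bytes:
    """Attacker swaps the image but cannot compute a tag without the key,
    so the best available move is to reuse the genuine tag."""
    return payload + genuine_package[-TAG_LEN:]


if __name__ == "__main__":
    genuine = b"GENUINE-GATEWAY-FIRMWARE-v1"
    malicious = b"ATTACKER-FIRMWARE-THAT-BRIDGES-TO-CAN"
    # Vulnerable path: the checksum is ignored, and even when checked it is forgeable.
    print("unchecked flash accepts:", flash_unchecked(attacker_reimage_crc(malicious)))
    print("crc_check on forged image:", crc_check(attacker_reimage_crc(malicious)))
    # Hardened path: the genuine image is accepted, the re-imaged one is refused.
    print("enforced, genuine:", flash_enforced(signed_package(genuine, OEM_KEY), OEM_KEY))
    forged = attacker_reimage_signed(signed_package(genuine, OEM_KEY), malicious)
    print("enforced, forged:", flash_enforced(forged, OEM_KEY))
```

The point of the contrast is that "use the checksum" is only half the fix: the check has to be on the update path, and it has to be one the attacker cannot satisfy after modifying the image.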
RISK
• Risk - “A state of uncertainty where some of the possibilities involve a loss, catastrophe, or some other undesirable outcome.”*
• Uncertainty → Probability
• Outcome → Quantified Loss
* Hubbard, Seiersen; How to Measure Anything in Cybersecurity Risk
UNCERTAINTY
• The "state of uncertainty" in the definition above: Uncertainty → Probability
CONSEQUENCES
• The "loss, catastrophe, or some other undesirable outcome": Outcome → Quantified Loss
APPROACH
• Intent, Action, Assurance
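The two arrows on the risk slides (uncertainty to probability, outcome to quantified loss) are the whole of the measurement approach in the cited Hubbard and Seiersen book. The following is an added example, not from the slides, that shows what those numbers look like in practice: each scenario gets a per-year probability and a 90% confidence interval on the loss if it occurs (modelled as lognormal), and a Monte Carlo run turns that into an annual loss distribution and loss-exceedance probabilities. The scenario names and figures are constructed for illustration, not estimates from the talk.

```python
"""Added example (not from the slides): quantified risk in the style of
Hubbard and Seiersen. Uncertainty becomes a per-year probability, outcome
becomes a lognormal loss fitted to a 90% confidence interval, and Monte
Carlo simulation gives the annual loss distribution. All figures constructed."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Z90 = 1.6448536269514722  # standard-normal 95th percentile: a 90% CI is mu +/- Z90*sigma


@dataclass(frozen=True)
class Scenario:
    name: str
    p_year: float  # probability the event occurs at least once in a year
    low: float     # 5th percentile of the loss, given the event occurs
    high: float    # 95th percentile of the loss, given the event occurs

    def lognormal_params(self) -> Tuple[float, float]:
        """mu, sigma of ln(loss) such that P5 == low and P95 == high."""
        mu = (math.log(self.low) + math.log(self.high)) / 2
        sigma = (math.log(self.high) - math.log(self.low)) / (2 * Z90)
        return mu, sigma

    def interval_check(self) -> Tuple[float, float]:
        """Recover (P5, P95) from the fitted parameters; should equal (low, high)."""
        mu, sigma = self.lognormal_params()
        return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)

    def sample_annual_loss(self, rng: random.Random) -> float:
        """One simulated year: zero loss unless the event fires."""
        if rng.random() >= self.p_year:
            return 0.0
        mu, sigma = self.lognormal_params()
        return rng.lognormvariate(mu, sigma)


def simulate(scenarios: Sequence[Scenario], trials: int = 10_000, seed: int = 1) -> List[float]:
    """Total annual loss across all scenarios, one value per simulated year."""
    rng = random.Random(seed)
    return [sum(s.sample_annual_loss(rng) for s in scenarios) for _ in range(trials)]


def expected_annual_loss(scenarios: Sequence[Scenario]) -> float:
    """Closed form: sum over scenarios of p * E[lognormal] = p * exp(mu + sigma^2 / 2)."""
    total = 0.0
    for s in scenarios:
        mu, sigma = s.lognormal_params()
        total += s.p_year * math.exp(mu + sigma ** 2 / 2)
    return total


def loss_exceedance(losses: Sequence[float], threshold: float) -> float:
    """Fraction of simulated years whose loss exceeds threshold (one point on a loss-exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses: Sequence[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 100]."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(q / 100 * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses: Sequence[float]) -> Dict[str, float]:
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
    }


# Constructed scenarios: names and numbers are illustrative only.
SCENARIOS = [
    Scenario("Connected device taken over via default credentials", p_year=0.30, low=50_000, high=2_000_000),
    Scenario("Unsigned firmware image replaced on a gateway", p_year=0.10, low=500_000, high=20_000_000),
]

if __name__ == "__main__":
    losses = simulate(SCENARIOS)
    print("expected annual loss (closed form):", round(expected_annual_loss(SCENARIOS)))
    print("simulated summary:", {k: round(v) for k, v in summarize(losses).items()})
    for t in (100_000, 1_000_000, 10_000_000):
        print(f"P(annual loss > {t:,}) = {loss_exceedance(losses, t):.3f}")
```

The single expected-loss number is the easy part; the loss-exceedance probabilities are what let a decision-maker compare a control's cost against the tail it removes, which is the "quantified loss" the slide is pointing at.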
BUILDING ON PREVIOUS WORK
• Security Framework (IISF)
• Connectivity Framework (IICF)
• Vocabulary
• Reference Architecture (IIRA)
RECENT PUBLICATIONS
(Figure: publication covers dated Dec 2017, Sept 2018, June 2019 and July 2019: Safety Challenges; AI; Managing & Assessing; Journal of Innovation: Trustworthiness)
https://www.iiconsortium.org/white-papers.htm
ASSURANCE AND EVIDENCE
SECURITY MATURITY MODEL (SMM)
https://www.iiconsortium.org/smm.htm
https://www.iiconsortium.org/pdf/IoT_SMM_Practitioner_Guide_2019-02-25.pdf
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_FINAL_Updated_V1.1.pdf
SECURITY MATURITY VS. SECURITY LEVEL
• Security maturity is a measure of the understanding of the current security level, its necessity, benefits and cost of its support.
• Security level is a measure of confidence that system vulnerabilities are addressed appropriately and that the system functions in an intended manner.
MANY FRAMEWORKS BUT NO SINGLE STANDARD
SMM STRUCTURE AND TABLES
TEMPLATE AND TABLES
<Practice-Name>
<Practice Description>

                                            | Comprehensiveness Level 1 | Comprehensiveness Level 2 | Comprehensiveness Level 3 | Comprehensiveness Level 4
Objective                                   | Objective Description     | Objective Description     | Objective Description     | Objective Description
General considerations                      | (apply to all levels)
Level Description                           | Level Description         | Level Description         | Level Description         | Level Description
What needs to be done to achieve this level | Considerations            | Considerations            | Considerations            | Considerations
Indicators of accomplishment                | Considerations            | Considerations            | Considerations            | Considerations

Levels include all the considerations of the lower levels.
ACTIONABLE
• Practitioner’s Guide
• Profiles
• Mappings
• Training
THANK YOU
Frederick Hirsch, Fujitsu
@fjhirsch
fjhirsch.com
IIC Journal of Innovation, Trustworthiness:
https://www.iiconsortium.org/news/journal-of-innovation-2018-sept.htm
Security Maturity Model Practitioner’s Guide:
https://www.iiconsortium.org/smm.htm