IoT Initiative in GlobalPlatform · 2019-11-05
© 2019 GlobalPlatform Confidential
IoT Initiative in GlobalPlatform
Gil Bernabeu, Technical Director
ETSI IoT week – 24 October
Lots of Guidance – Which is Best?
There are multiple security recommendations, frameworks and best practice guidelines available to IoT device manufacturers
Which to follow?
What are the specific security requirements of different vertical markets?
IoT device manufacturers are not security experts
Regulation is here!
Mapping of IoT Security Recommendations, Guidance and Standards to the UK’s Code of Practice for Consumer IoT Security
Lots of ‘Things’ are Getting Connected…
…And This Creates One of the Largest Attack Surfaces in the Enterprise Environment
• 7 billion enterprise IoT devices deployed by 2020
• 1 in 4 odds of a data breach for an enterprise
• $3.6Mn average cost of a security incident
• $5Bn cost to industry of ransomware in 2017
The Inflection Point of IoT Keeps Moving Back
Chart: IoT Units Installed Base Grand Total, 2014–2025 (source: http://www.cisco.com/c/en/us/solutions/service-provider/visual-networking-index-vni/index.html). Plotted values: 3.8b, 4.9b and 6.4b for the earliest years, 9.1b today, and forecasts of 25b+ rising to 74.5b (IHS), 80b (IDC) and 100b (Nokia).
Callouts: IT/OT Scale Challenge; IoT Security Concerns
Breakdown
• 317 new devices per second
• 10 min to connect
• 6.6 person-days of effort per second
• 208.3M person-days of effort per year
GlobalPlatform is Addressing These Challenges!
Introducing
A collaborative initiative to standardize security for IoT devices and services
IoTopia: An Implementation Guide Based on 4 Key Pillars
Security by Design
A Secure Device Baseline
• Manufacturers have an industry set of certifiable common capabilities – Security by Design
• Chip vendors/ manufacturers are best positioned to provide a set of baseline capabilities related to security
• Baseline device requirements are critical to support IoT lifecycle management
• IoTopia plans to define ~30 verifiable device and network security parameters
Moving to Testable Parameters For Certification
Device Intent
Expressing Manufacturer Usage Descriptions (MUD)
Diagram: Device → Access Switch (Enterprise Network) → MUD Manager → Internet → MUD File Server (https://example.com/mud/…)
• Device emits a URI (DHCP, LLDP, or 802.1X)
• Access Switch forwards it to the MUD Manager (Radius)
• MUD controller queries manufacturer (https)
The goal of MUD is to provide a means for end devices to signal to the network what sort of access and network functionality they require to properly function. The initial focus is on access control.
https://datatracker.ietf.org/doc/rfc8520/
Expressing Manufacturer Usage Descriptions (continued)
Diagram: Device → Access Switch (Enterprise Network, Radius) → MUD Manager → Internet (https) → MUD File Server (https://example.com/mud/…)
• Manufacturer JSON file returned
• IT Admin Approval
• Enterprise configuration created
• Devices Segmented
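Added example (not from the presentation, GlobalPlatform or the IETF) of what the MUD manager does with the JSON file it fetches after the device emits its URL: a constructed RFC 8520-style MUD file for a hypothetical sensor (domain ctl.example.com, file name sensor-v1.json are made up) is turned into per-direction rules, and candidate flows are checked with default deny, which is the policy the "Enterprise configuration created / Devices Segmented" steps push to the access switch. It ignores some MUD match fields (direction-initiated, port ranges) and the IT admin approval step.

```python
import json

# Constructed RFC 8520-style MUD file for a hypothetical sensor (not a real manufacturer's):
# it may open TCP/443 to ctl.example.com and accepts nothing inbound; all else is denied.
SAMPLE_MUD = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1, "is-supported": True, "cache-validity": 48,
        "mud-url": "https://example.com/mud/sensor-v1.json",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "to-dev"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "ctl-out",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "ctl.example.com", "protocol": 6},
                         "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}}]}},
        {"name": "to-dev", "type": "ipv4-acl-type", "aces": {"ace": []}},
    ]},
})

def load_policy(mud_text: str) -> dict:
    """Map a MUD file to {'from-device': rules, 'to-device': rules}; rule = (peer, proto, port, action)."""
    doc = json.loads(mud_text)
    mud = doc["ietf-mud:mud"]
    if mud.get("mud-version") != 1 or not mud.get("is-supported", False):
        raise ValueError("unsupported MUD version or device no longer supported by its maker")
    if not mud["mud-url"].startswith("https://"):  # RFC 8520 requires an https MUD URL
        raise ValueError("MUD URL must use https")
    acls = {a["name"]: a["aces"]["ace"] for a in doc["ietf-access-control-list:acls"]["acl"]}
    policy = {}
    for direction in ("from-device", "to-device"):
        rules = []
        for ref in mud[direction + "-policy"]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                l4 = m.get("tcp") or m.get("udp") or {}
                port = (l4.get("destination-port") or l4.get("source-port") or {}).get("port")
                rules.append((peer, ip.get("protocol"), port, ace["actions"]["forwarding"]))
        policy[direction] = rules
    return policy

def permits(policy: dict, direction: str, peer: str, protocol: int, port: int) -> bool:
    """First-match check of one flow; anything unmatched is denied (what segmentation enforces)."""
    for rule_peer, rule_proto, rule_port, action in policy[direction]:
        if rule_peer == peer and rule_proto == protocol and rule_port in (None, port):
            return action == "accept"
    return False
```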
The Benefits of MUD
Customer
• Reduces threat surface of exploding number of devices
• Almost no additional CAPEX
• Avoids lateral infections in the network
• Eases and scales access management decisions
Manufacturer
• Reduces manufacturer product risk at almost no cost
• Will increase customer satisfaction and reduce support costs
• Avoids the front page
• Standards-based approach
Device Onboarding
The Network Administrator’s Problem – The Number of Types of Things
Current Options for Secure Device Identification
Stages: Out of the box → Network identification (“SSID?”) → Device gets trust anchor → Device enrolls → Operational State
Proof of Ownership

| | Out of the box | Network identification | Device gets trust anchor | Device enrolls |
| --- | --- | --- | --- | --- |
| Current WiFi | Nothing | Out of band | Out of band | Manual/OOB/IPSK |
| Current wired | Nothing | Not needed | Nothing | EAP with username and password |
| New approach | Mfg Cert/Trust anchor | Round robin or 802.11u/aq | ZSJ or BRSKI or EST over (HTTP, CoAP, EAP) | Trusted Introduction |

ZSJ: Zero Touch Secure Join
Results
• Device starts with a manufacturer certificate and trust anchor
• Device now has deployment certificate and trust anchor
• Network authorizes the device
• Process can be automated [scale]
Standards-based secure onboarding process via BRSKI/ANIMA
Lifecycle Management
Devices Need to be Managed Throughout Their Lifecycle
• Proper lifecycle management limits hacks
• Some manufacturers are requiring customers to implement software (SW) updates as part of warranty and even operation
• Now regulators are requiring IoT device maintenance
• Manufacturers provide SW patches and support throughout a device's lifecycle
• They require the ability to track SW patches as well as end-user implementation
• Helps manufacturers implement product end-of-life (EoL)
• Lifecycle management
Device Lifecycle
• Reference the NIST framework to create lifecycle management
• Lifecycle management involves:
  – device makers
  – network vendors
  – IT staff
  – in some countries, regulators
• Monitoring and enforcing SW updates and SW patch ability
• Defining and supporting EoL and EoS related to devices
• Support IoT industry tiers and relative requirements
IoTopia Launch – We Have Already Started!
Public Website
Information is available at www.globalplatform.org
IoT Solutions World Congress
Official public announcement of IoTopia will take place on
Wednesday, 30 October in Barcelona at the IoT Solutions
World Congress.
GlobalPlatform panel discussion on IoT Security challenges with
NIST, GSMA and ENISA as participants.
GlobalPlatform Fall Meetings
For GlobalPlatform members, the IoTopia Technical Committee
launch meeting is on Tuesday, 19 November in Madrid.
This initial meeting is OPEN TO ALL MEMBERS.
IoTopia Committee
IoTopia Committee is open to Full and Participant Members