Supply Chain Security and Compliance for Embedded Devices & IoT
Written by Martin Callinan – Director, Source Code Control Limited and,
David Phillips - BSI Panel Chair – IST15/09 – International Standards for IT Asset
Management
January 2016
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter
to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
Introduction
The use of software powered embedded devices is poised for massive growth over the next few
years as medical devices, automotive and consumer electronics industries all embrace the Internet
of Things (IoT). Not only will the fields embracing IoT be diverse, but also the devices themselves will
be diverse, from everyday computers and tablets to sensors, light switches, thermostats and the
infrastructure supporting them.
The IoT industry will rely on software to run a small army of embedded devices. In order for
technology companies to meet the demand and pace of development, much of the software used
will rely on open source technologies, with the final software assembled from an even deeper
universe of IoT code libraries and web-based protocols accessing a mesh of fast-evolving resources.
The subject of this article: the scale of our dependency on buried computing assets – both the
devices and the code we take for granted – will soon reach new dimensions. Can we keep control?
New Scope of Security Controls for New IoT Device Capabilities
The ever-upgrading platforms we know today will manifest in IoT tomorrow as an explosion of
software and hardware, many with convoluted intellectual property sources. Each week chip
builders announce smarter ways to architect ARM® and other cores, achieving another step change
in embedded processor power available to IoT designs. Today’s tiny computer platforms can hold
richer and more capable functions than we believe possible with negligible demands on power –
they are so small, cheap and reliable, we can forget these assets are even there. Furthermore, just as
micro-code in Intel® PC processors updates without our knowledge, the IoT code and functions I use
expand silently over my lifetime, evolving as I renew domestic appliances and personal property.
This poses colossal questions for developers: how to protect people, IP rights and data rights for us
in a chaotic ecosystem. More than ever, we need intelligent policies and good practices, so
assets are identified and controlled throughout these dynamic infrastructures now proliferating in
our homes and lives.
Developing from a Secure Foundation
When designing a device, it is important to engineer in security and quality controls from the ground
up. For technology organisations there will be third party suppliers of hardware and software that
will become part of the device shipping to end customers. It is not uncommon for organisations to
trust manufacturers to deliver secure technology. However, with the fast pace of developments and
the pressure to deliver solutions to market many organisations outsource parts of the manufacturing
process to unverified partners and in doing so lose control of product and component assembly.
Agile Design with Multiple Interfaces Is More Vulnerable
Traditionally computing platforms have been engineered either for relatively closed systems for
specific uses, or else for more general use but having network interfaces founded on closely
specified hardware and software, tight protocols and with segmented networks enabling security
services to operate effectively. We also tend to use them with well-known classes of software
applications. Although problems with security vulnerabilities arise, the conditions under which they
arise can be readily described (even by relative novices) and clear warnings issued, for example by:
• Warning users of a specific kind of platform;
• Naming familiar applications or executable files installed that may contain the vulnerability;
• Specifying a network, URL or open port by which threats attack and ultimately compromise
the system.
The fact that these are familiar scenarios, or fall into one of a few major classes, has worked in our
favour to highlight and contain vulnerabilities of traditional client computer platform environments.
However, in the new era of agile device development, IoT devices are generally much more
fragmented platform-types that don’t conform to labels we are familiar with. Their executables and
applications are nowhere near as visible and often contain multiple communications interfaces – and
these can easily be non-conformant, for example, the growing variety of pseudo-implementations of
Bluetooth-like wireless data communications.
At the outset, then, we should recognise that due to the diversity of IoT, without action we will all
find it very much harder to describe and share the conditions that can lead to a vulnerability.
Grey Market and Counterfeit Embedded Devices
Taking embedded devices as an example, there is a significant grey market for components or
complete platforms such as a network device, which would have an embedded processor with an
operating system, most likely based on Linux, which can be booted and application code then
loaded to control the device.
There are numerous risks associated with using grey market components and devices:
1. Quality and reliability, e.g. http://hackaday.com/2014/10/22/watch-that-windows-update-ftdi-drivers-are-killing-fake-chips/
2. Traceability – markets such as defence and aerospace require traceability of components
3. Inability to meet requirements for standards such as ISO9001, SAE9120
4. Malware – what is in embedded code on the devices? What is the provenance of the code?
Governance Framework
Existing standards do offer many of the elements of governance to assist agile IoT developments.
Some examples ready to come to the rescue are the policies, procedures and repeatable processes
(many of which can be automated) for identification of software found in the ISO/IEC 19770-series of
standards.
It is now much easier to conquer one of the first barriers to effective data for managing complex
software asset categories, thanks to public access to an internationally agreed vocabulary, key
principles and rich definitions specifically created to help achieve this improvement in control.
Developer toolkits – even pro-suites – can be weak at managing software and libraries as proper
assets, lacking well-formed definitions of key asset properties required for their proper management
(standardised licence classifications, entitlements, usage metrics, platform/version IDs). However,
many can be configured properly – if we apply these new definitions. It is then possible to achieve
good baseline reports for controlling secure asset use, cut risk and spot unexpected non-compliance.
Stakeholders using such reports also talk the same language: so where are the foundation principles
for confidently managing our increasingly complex software and platform assets?
Help is now at hand in Part 5 of the ISO/IEC 19770-series - an internationally agreed industry
standard providing clear and common vocabulary and a structured approach for effectively
managing IT assets (both software and hardware) and for building trustworthy data for control and
showing good governance. (Outside the embedded world this series is already popular with
managers, auditors and practitioners seeking to improve CMDBs, CI records and reporting.)
The new publicly available Part 5 vocabulary can be downloaded here (by accepting ISO copyright):
http://standards.iso.org/ittf/PubliclyAvailableStandards/c068291_ISOIEC_19770-5_2015.zip
This accessible standard offers vocabulary and more to assist in building trustworthy asset
management for security, risk reduction, confident licensing or service negotiations and for cutting
waste and cost.
As well as applying these improved definitions and processes, we also need responsible managers
making up the chain of governance in IoT. Managers must require controls and conduct verifications
of these practices within their part of the IoT supply chain. Organisations with such a Management
System can benefit from stating their allegiance to a good Standard and by driving good governance
from the top down, citing their conformance – starting with regular self-assessment.
In time, potentially more industry infrastructure may help these good practices to interwork
effectively across the many different components making up our exploding IoT universe.
Supply Chain Governance
Organisations should look to adopt supply chain security. Every supplier of components (hardware,
software or firmware) should have quality assurance over their source and credentials of suppliers.
A striking driver in the current market is the torrent of ‘Maker’ Kit variants. These offer anyone
prototyping embedded controllers – including many quite suited to IoT applications - an increasing
choice, ever cheaper as each new feature emerges (Bluetooth LE for example). Kickstarter teams
now offer capable sub-$9 computer platforms. These initiatives are wonderful for prototyping and a
side effect is the aggressive cutting of supply costs of very powerful chips and interface components.
Yet there are a number of areas that can be increasingly overlooked when sourcing components:
1) At ground level, smart choices begin with the Embedded/Electronics Hardware Designer.
Careful choices of components build in safe electronic components. Confidence in a
platform begins at the lowest level - in the support chips – many of which themselves
contain intelligent processors and bare-metal code. Increasingly, embedded designers rely
on modules which can include:
- Network modules
- Wireless modules
- Single-wire / Near Field Communications modules
- Co-Processors and FPGAs
2) Firmware engineers also choose the embedded processor architecture for IoT devices, and
so firmware professionals also have a key role in controlling sourcing of:
- Main processor
- Security feature sets (such as secure boot capability)
- Embedded Architectures and their associated reference designs.
The latter often come with technology guarantees which can be a good sign of assurance.
For example, more and more processor architectures experience end of life each year,
whereas others such as Freescale (now NXP) offer certain architectures which come with
many years of guarantee, and designers can use this to judge whether they will offer greater
confidence of support as reliable IoT solutions.
3) Supply Chain Officers – purchasing staff will need to be aware of the risks of these new classes
of module, system-on-chip and powerful component so they can apply rules and
corresponding procedures for appropriate sourcing controls and batch identifications.
4) Production/Inventory Controllers – will need to implement controlled MRP systems that
make use of batch data through manufacturing, support traceability and retain identities.
5) Inspection and Testing Offices – will need to apply centralised data to their test procedures.
6) Embedded Firmware Programmers – will need to have checks and balances on versions of
code, components of code, libraries and software and ensure similar traceability of version,
recognising these may not correspond with manufactured PCB revisions.
Supply chain risk across the manufacture of devices
Responsible suppliers of embedded platforms into professional/industrial IoT are now offering a
Production Readiness service, which can help convert such fast prototype kit designs into reliable
platforms that are proven for volume deployment.
For a handy checklist, try the 9 success factors for reliable production of embedded, as suggested by
UK’s BitBox Ltd, whose platforms cover many M2M and private-cloud IoT, some protecting >100,000
nodes: http://www.bitbox.co.uk/design-services/arduino-volume-electronics-production
Open Source Software Policy
Most companies using Open Source Software in their in-house or third-party-sourced software do not
have a fully defined open source software policy or a cohesive view of what should be in an open
source software policy.
Without a clearly defined policy, companies will leave themselves exposed to risks such as security,
licence compliance or operational risk.
Creating a policy is not a straightforward task, and it is not a one-off task but rather something
that is always evolving to reflect developments in the open source software industry.
The high-level steps to creating a policy are:
• Identify key stakeholders
  o Developers
  o DevOps
  o Legal
  o Human resources
  o Management: CTO, CIO, CEO…
  o Software architects
  o Security: CISO, CSO…
• Elect an executive sponsor
• Secure stakeholder buy-in
• Define the company's strategy
  o Reduce IT costs
  o Leverage open source communities for skills and faster development
  o Contribute back to open source communities
• Risk management
  o Security
  o Licence compliance
  o Operational risk
• Scope
  o What is covered?
  o Who is covered?
• Open source software approval process
• Audits of source code and processes
• Source code maintenance and related service level agreements
• Create a draft policy
• Get widespread review and acceptance, starting with your stakeholders
• Validate
• Communication plan
• Maintain and evolve
The open source software policy should be a positive contribution to the organisation and
employees should want to be engaged with the policy rather than the process being viewed as
placing an unnecessary burden on an individual’s job role due to lack of understanding behind the
project.
Open Source Software Development
Open source software is now broadly used in the development of software applications. The ability
to re-use components of code already created allows development teams to create more code, with
more functionality, faster. It also promotes the adoption of standards and makes applications more
interoperable.
Although open source software components typically require no licensing fee, they do come at a cost.
This cost is uncertainty – or perceived uncertainty in many cases. That is, uncertainty of the
ownership structure, of the licensing terms, of the stability of the code. Most software developers
will be meticulous about what components they use from the perspective of functionality as they
want to build code that works.
However, those open source software components could have inherent business risks associated
with them, for which individual developers should not be solely responsible. Those
risks are:
• Legal risk/licence IP compliance – Open source software component licence analysis
discovers legal obligations as well as potential intellectual property (IP) risks.
• Security vulnerabilities - Uncovers security vulnerabilities contained within Open Source
components.
• Operational risk - Ensuring Open source software components meet required technical and
architectural standards.
• Community support – Is there a sustainable community supporting the open source components?
Organisations developing in-house should have open source software policies that govern how
developers use open source software components. One way to address the code risk is a source
code review or audit prior to releasing an application. However, there is an increased difficulty and
cost in applying fixes to deployed embedded devices, such as those found in IoT.
It is imperative that risk monitoring of components is undertaken all the way through the software
development cycle. The earlier issues and vulnerabilities are located, the less impact they will have on
development, on the cost overhead of managing risks as a whole and ultimately on meeting
business deadlines. Equate finding licensing irregularities, problematic IP, or potential security
vulnerabilities in a software application to finding a bug in a software application. The earlier it is
discovered, the less expensive and impactful it is to correct.
An efficient process would include pro-active source code monitoring. This will lead to a more
continuous compliance model. In this model there is monitoring of open source software
components throughout the development cycle. The first stage would be to implement software
component package pre-approval which if implemented well should head off issues from a risky
component being integrated in an application. This is where a developer must have approval from a
designated manager to use a third party open source component in their code.
As stated earlier, there would need to be a policy guiding the manager in their decision to accept or
reject the request. Typical information that would enable a decision to be made would be:
• Project & package information
  o Project name, URL, licence, author(s), type, exportability, etc.
• Usage model
  o Distribution model
    ▪ Binary, source, hosted, internal only, etc.
  o Types of derivatives
    ▪ Modified, linked, loosely coupled
  o Organisation specific information
    ▪ Business unit
    ▪ Business justification
  o Support and maintenance
    ▪ What is the community behind the component?
    ▪ How many commits have there been recently?
Conclusion
IoT is about seamless experience of the benefits of connecting the information in our daily lives. This
necessarily leads to an IoT comprised of varied and powerful hardware and code that should flow in
our homes and lives without the end-user worrying about software discovery or identification or
control… Yet these controls will necessarily become more challenging due to the diverse nature of
IoT elements and the very nature of IoT data interactions.
Also, the very promise of IoT is that we enjoy these benefits without users needing to stop to inspect
this maze of technology, register sources or credentials. Indeed, it will not be as easy for us to spot
or intervene against vulnerabilities. So we will be much more reliant on others and on new kinds of
controls and the good standards, policies, process, procedure and proven methods covered above.
We must conclude that, with IoT bringing fresh asset management challenges, there is a pressing need to
apply these good controls from the ground up, and a tangible value add for both industry and users.
Fortunately, we do have at the ready extensive toolkits, resources and valuable proven methods as
we’ve shown. Many are quite suited to be reapplied to the new world of IoT and achieve for us all a
high level of confidence in end-to-end security and compliance.
If we draw on these lessons our IoT, even with all its fluid new embedded ecosystems, can bring
within it the effective controls needed for well-protected interactions and trustworthy operation.

 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
