1 UL and the UL logo are trademarks of UL LLC © 2016

The Security of Things IoT security – it’s in the stars! Maarten Bron Director Innovations October 19th 2016

2

Setting the Standards

3

‘Safety’ expressed as combination of:

A bit of history…

“Protecting millions of homes, offices, and government buildings”

Forced entry resistance

Covert attack resistance

Key control

4

A bit of history - how to measure ‘safety’? Tools

Hammer 1.36 kg Screwdriver 380 mm Drill bit HSS 6.4 mm Electric drill @1900 RPM

Method Pass criteria Picking 10 minutes

Impressioning 10 minutes

Forcing 5 minutes

Drilling 5 minutes

Sawing 5 minutes

Prying 5 minutes

Pulling 5 minutes

Punching 5 minutes

•  Safety is not forever! •  Experience of the tester

really matters… •  …so does the tooling!

5

Fast forward: from Safety to Security!

“Security” Physical properties

Logical properties

Procedures

is the result of

The ‘Hardware’: •  Silicon •  Circuit Board •  Case, housing

The ‘Software’: •  Application •  OS •  Firmware •  Wired Logic

Chip

•  Version control •  Key management •  Security during

manufacturing

6

How to measure ‘security’?

Formally defined risk Subjectively defined risk

Formalised methodology

Informal methodology

Common Criteria / ISO15408

ISO13491

FIPS140-2

PCI PTS

Instead, think of: •  Laser beams •  Template attacks •  Code review •  Crypto analysis •  Side channel •  Software obfuscation

Not with drills and screwdrivers anymore…

7

This also works great for IoT, doesn’t it?

8

First, you need a standard… Evolution of safety and security standards

Products

Smart Products

Connected Smart Products

Safety

+ Security

+ Cyber Security

“UL 437”

“PCI-PTS”

“UL 2900”

9

•  Banking •  Government •  Healthcare •  Industry 4.0 •  Insurance

Then, you need a demand driver…

ü Cyber Security ü Security ü Safety

Knowledge

Money

Time

Cost of Compliance

“With over 60% of businesses suffering a cyber breach last year, protection against this type of attack must form part of each business’s risk assessment and it’s strongly advisable to have sufficient insurance cover in place.”

www.thememo.com

Why?

Because security comes at a cost!

Regulatory compliance as a way to enforce security is great… …in regulated environments!

But who regulates the Internet?

10

Demand driver in non regulated domains?

$500

$750

Without additional information, which one do you choose?

What if one is more secure? How would you know? How much would you care?

11

Star rating programs…

…have been used to change consumer purchase behavior in the past...

Why not for security?

12

IoT Security Metrics

•  Devices can be defined by three things •  Interfaces (Input / Output) •  Processing attack surface •  System architecture

•  The more interfaces, and larger attack surface, the less secure a system can objectively be considered

•  Specifics of the architecture either help or hinder security (reducing the ‘vulnerability surface’)

13

Star rating examples

Specification RouterX RouterY

Operating System Linux Kernel 3.18.23 Linux Kernel 3.18.23

FTP server Root privilege Separate user privilege (Disabled by default)

Credentials Admin / Password Device unique printed on serial number sticker

VPN Based on WolfSSL v3.9.0 (root, hardcoded default cert)

Based on WolfSSL v3.9.0 (User privilege, no default cert, disabled by default)

Random number generator

/dev/urandom (no seed, not stateful)

/dev/random (seeded at manufacturing, stateful between boots)

Web Interface Over HTTP, exposed on WAN Over HTTPS, WAN access disabled by default

FW updates? No commitment For 2 years, updates cryptographically authenticated

Star Rating 0 Stars 4 Stars (Until 2018) For the period of FW updates

14

Star Rating Example

•  So is RouterY more secure than RouterX? •  Yes – through good configuration and design

•  Even though both do the same thing, and have no current vulnerabilities •  And we can objectively demonstrate this without costly pentesting

•  Does this mean RouterY is secure? •  No! Will still need patching, but the vendor has committed to that •  Not meeting this commitment means reduced ratings into the

future

•  Does this mean Router will be compromised / vulnerable first? •  Not necessarily – the star rating is about levels of resistance •  ‘More secure’ does not mean ‘will not fail’

15

To conclude!

Security is hard, which makes it costly!

IoT Security is a commercial problem… Commercial problems need commercial solutions!

Existing ways to enforce security may not work in unregulated space. It’s in the stars?

From Safety to Security to Cyber Security…

16

Maarten Bron Director Innovations – UL Transaction Security Division maarten.bron@ul.com

Thank you!

17

UL2900SeriesofStandards

GeneralProductTes8ng

IndustryProductTes8ng

UL2900-1So#wareCybersecurity

Organiza8onandProcessAssessment

Implementa8onAssessment

UL2900-2-1MedicalDevices

UL2900-2-2IndustrialControlSystem

UL2900-2-3Ligh<ng–InPlanning

UL2900-3GeneralProcessRequirementsInPlanning

UL2900-4GeneralImplementa<onReqsInPlanning

Published on March 30, 2016

UL2900-2-4XX–InPlanning

The technical criteria in UL 2900 are based on existing industry best

practices and guidance documents as well as IEC, ISO, and other international standards work to create repeatable & reproducible test criteria for product/

software security evaluations.