1

Auditing the
IoT Security
BY ARIFFUDDIN AIZUDDIN
 2
Disclaimer

 This presentation was prepared for ISACA Malaysia CYBERSECURITY, IT ASSURANCE &
GOVERNANCE CONFERENCE 2017
 The contents of this presentation were taken from public available references. Some of the
sources of the contents are being adopted and adapted to suit to the presentation.
 Certain commercial entities, equipment, or materials may be identified in this presentation in
order to describe the IOT Security Audit adequately. Such identification is not intended to imply
the recommendation or endorsement nor it is intended to imply that these entities, materials, or
equipment are necessarily the best available for the purpose.
 All registered trademarks belong to their respective organizations.
 3
CONTENTS

 IoT Security Introduction

 IoT Security Principles
 IoT Security Risks Assessment
 IoT Security Measures and Controls
 IoT Security Audit, Assessment and
Evaluation

Source: IOT Security Foundation

 4
Internet of Things Security
SECURITY FIRST APPROACH
...designed in at the start
FIT FOR PURPOSE
...right sized for the application
RESILIENCE
...through operating life
Source: https://iotsecurityfoundation.org/

IoT Security an Introduction

 5
IoT - The situation & InSight

 Connect, Communicate, Remote Manage an Calculable number of networked,

automated device via Internet. From Data Acquisition, Data Aggregation to Data
Analysis.
 From factory floor to hospital operation rooms to home – Complexity - Cyber to Physical -
OT, IT, Cyber & IOT.
 Transition from closed network to Enterprise Network to Public Internet. To & From - Data
Centre (Cloud, Private Cloud, Embedded Cloud, Internet and Application), Gateway,
IoT Devices, Sensors
 Increasing Reliance to Intelligent, Interconnected Device in every aspect of our lives
 Need to protect billions of them from intrusion and interference - Security, Privacy, Safety
& Trust – From Vulnerabilities & Threats (Malicious and Accidentals)
 Unique constraints of embedded devices. M-to-H and M-to-M (Sensors/Smart Object)
 6

IoT Security References

 7
Available and Published Frameworks

These are publications can be adapted and adopted:

 Publications : IoT Security Compliance Framework, Connected Consumer Products, Vulnerability
Disclosure, Best Practice User Mark - https://iotsecurityfoundation.org/best-practice-guidelines/
 Securing the Internet of Things: A Proposed Framework -
http://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html
 OWASP Internet of Things Project – OWASP -
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
 Security framework for IoT devices - Alan Grau - http://www.embedded.com/design/safety-and-
security/4440943/Security-framework-for-IoT-devices
 IoT Trust Framework - Security, Privacy & Sustainability by Online Trust Alliance (OTA) -
https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_july12.pdf
 8
IoT Security Guidelines & Best Practices

These guidelines and best practices are the core references. It is recommended for these
guidelines to be referred in details.
 GSMA IoT Security Guidelines - http://www.gsma.com/connectedliving/gsma-iot-security-
guidelines-complete-document-set/. It provides guidelines for IoT Service Providers, IoT Device
Manufacturers, IoT Developers and Network Operators.
 IoT Security Guidance – OWASP - https://www.owasp.org/index.php/IoT_Security_Guidance.
Assessment and Testing Framework.
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
 Security Guidance for Early Adopters of the Internet of Things (IoT) by CSA -
https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopt
ers_of_the_Internet_of_Things.pdf
 IoT Security Foundation - https://iotsecurityfoundation.org/wp-content/uploads/2015/09/IoTSF-
Establishing-Principles-for-IoT-Security-Download.pdf
 9
IoT Security Interest Group, Communities
and Collaboration Network
 IoT Security Foundation: https://iotsecurityfoundation.org/
 IoT Security Wiki: https://iotsecuritywiki.com/
 These are some of the prominent vendors/developers of IoT that we shall closely follows:
 https://azure.microsoft.com/en-us/documentation/articles/iot-security-architecture/ by
Microsoft Azure.
 Securing the Internet of Things: A Proposed Framework:
http://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html
 Trusted Computing Group. http://www.trustedcomputinggroup.org/wp-
content/uploads/IOT_Security_Architects_Guide_TCG.pdf
 Symantec IoT reference architecture:
https://www.symantec.com/content/en/us/enterprise/white_papers/iot-security-reference-
architecture-wp-en.pdf
IoT Security Misconception - It’s all about 10
the device

 It’s not just about the device or the network or the clients; there are MANY surface
areas involved in IoT eco-system. Each of these need to be evaluated and assessed
 The network and the cloud must be secured to face the growing security
challenges.
 We need to embrace the umbrella and collaborative approach to IoT security. We
need to build security into the IoT ecosystem and the ecosystem that supports the
foundation of the Internet of Things which requires teamwork from all stakeholders.
 No single control is enough to stop an attack. A multi-layered approach has to be
taken, right from when the device is switched on.
 Security must be addressed throughout the lifecycle of the device, from design to
operation as it is connected through the network and in the cloud.
 11
Securing IoT eco-system

 Securing IoT depends on the security of:

 Device, network and ecosystem incorporating trusted service management, data management
and compliance with regulation.
 Evaluating risk and risk assessment
 Need to understand all the potential vulnerabilities. Evaluation processes should cover privacy,
safety, fraud, cyberattacks and IP theft. Evaluating risk is not easy as cybercriminals are continually
working on launching new threats.
 Security by design.
 It is the key factor that device security is duly considered at the development stage. This should
include end-to-end points and countermeasures, including tamperproof hardware and software.
 Securing the data.
 Strong authentication, encryption and securely managed encryption keys need to be included to
secure information stored on the device and in motion.
 Lifecycle management.
 Security is not a one-off process and then you can forget about it. It is imperative that IoT devices are
protected for the lifecycle of the device, be it a standalone product or integrated.
 12
IoT Eco-systems - Defined

Interoperability
Reference Integration
APIs Frameworks
Implementations

Infrastructure Processors Platforms

Device Type IoT Protocols

Aggregation Mesh Networking

Operating Systems
 13

IoT Security Principles

 14
OWASP IoT Security Principle

 Principles provided by OWASP;

https://www.owasp.org/index.php/Principles_of_IoT_Security
 OWASP Listed 16 Principles:
1. Assume a Hostile Edge 9. Limit what you can
2. Test for Scale 10.Lifecycle Support
3. Internet of Lies 11.Data in Aggregate is Unpredictable
4. Exploit Autonomy 12.Plan for the Worst
5. Expect Isolation 13.The Long Haul
6. Protect Uniformly 14.Attackers Target Weakness
7. Encryption is Tricky 15.Transitive Ownership
8. System Hardening 16.N:N Authentication
 15
Security Approach - Multi-layer approach

Start from the beginning –

at initial design with Firewalling and Update &
Code Signing
trusted computing IPS Patches
baseline

Device
Authentication –
Secure Code
machine
authentication

Secure Booting
Access Control –
Protected
Anti-Cloning
Firmware
CSA – Defense in Depth security protections 16
for IoT assets

Application Device Network Physical Human

Layer Level Layer Layer Layer
 A Holistic approach - Security controls at 17
each elements/components : 1/2

 The Internet of Things Device Security – Implements Device and Embedded Security Mechanism –
Device specific Security Profiles, Devices Authentication, Authorization, Confidentiality and
Device/Data Integrity Protection. Ensure that they are authorized, and secure and regularly updated
with the latest firmware, software and patches. Securely disposing of IoT assets at the end of the life-
cycle. Implement life-cycle management approach for IoT devices.
 The Cloud – Implement the cloud security guidelines. Security Guidance for Critical Areas of Focus in
Cloud Computing V3.0 are available from CSA.
 The Mobile Application Security - Mobile application should perform cryptographic verification and
validation of other components. Apply Mobile Security Guidelines (from OWASP Mobile Security
Project) and Application Security Guidelines.
 Communication Networks (Wired and Wireless), Network Interfaces, ports and Gateways Security -
From the sensor to the collector, connectivity authentication between the device, and on the IoT
infrastructure cannot be compromised. At multi-service network layer, security services must be there
to protect these inherently insecure endpoints. Security services at the core network must be
hardened to protect against IoT threats.
 A holistic approach - Security controls at 18
each elements/components : 2/2

 The Software – Implement code review and repeat testing. Ensure software assurance and management
responsible for software risk. Established structural quality analysis, software quality and security education.
 Physical Security - Security elements such as access badges, cameras, phones, and gates, will be digital
nodes on the IoT. Integrating physical security on the network, by detect, deter, and analyse security events.
Use tempered proof devices as security mechanism.
 OS & Protocols – For the OS & protocol selection process, all aspects of deployment, operation,
management, and security must be considered including the IoT implementation environment. Use of
protocols that offer security as core security mechanisms.
 Big Data Analytic - Securing the big data life cycle requires (1) authentication and authorization of users,
applications, and databases (2) Privileged user access and administration (3) Encryption of data at rest and
in motion (3) Data redaction and masking for both production and nonproduction environments (4)
Separation of responsibilities and roles (5) Implementing least privilege (6) Transport security (7) API security
(8) Monitoring, auditing, alerting, and reporting.
 IoT System Secured by Design 19
•Symmetric •Secure Hashing
encryption with
•Non-Repudiation –
secure key
Digital Signature
management
•Asymmetric
Encryption with
secure key
exchange
Confidentiality Integrity

Openness Availability
•Alternative Sources:
•Power sources
•Open Standard •Network sources,
•Verifiable/Assessment •Storage sources,
•Fail Secure •Compute sources.
 20
End to End Security Solutions at Each Layer
CLOUD + Application(App); Private Cloud + App; Embedded Cloud; Data Analysis
Internet (Data Centre, Big Data, Data Service Centre) (Descriptive,
Diagnostic,
Predictive &
Wired/Wireless Network – Transmission and Connectivity (One to One; Prescriptive)
One to Many; Many to Many) – Gateway to Cloud

GATEWAY (Field GW, Cloud GW, Device Cloud GW) External

Data Data;
Aggregation Enterprise
Wired/Wireless Network – Transmission and Connectivity (One to Data;
One; One to Many; Many to Many) – Devices to Gateway Smart
Sensor
/Devices
IoT DEVICES AND NODES Data

Wired/Wireless Network – Transmission and Connectivity (One to One; Data

One to Many; Many to Many) – Sensor to Devices/Nodes Acquisition

SENSORS AND SENSORS HUB


ROBUST IoT SECURITY SOLUTIONS
 Secured IoT System Architecture
 Strong Authentication Platform
 Encryption Technologies
 Mobile Security
 Managed PKI Services & SSL Certificates
 Dynamic Key Management (for
Authentication & Encryption)
 Secured Provisioning of Key Credentials &
Tokens
21
 Big Data Encryption
 Server Protection
 Cloud Application Security
 Secured Device Access
 Sensitive Data Security
 Communication Encryption
 Protected Firmware/Software Integrity
 22

IoT Security Risk

Assessment
 23
IoT Security Risk Management Framework

IoT RISK MANAGEMENT

IoT THREAT & VULNERABILITIES ANALYSIS

THREAT AGENT ATTACK SURFACE/VECTOR SECURITY WEAKNESSES

IDENTIFICATION ASSESSMENT ASSESMENT

TECHNICAL IMPACT

BUSINESS/OPERATIONAL IMPACT
 24
Risk Assessment - Process
 25

IoT Security Issues &

Concerns

IoT Security Issues & Concerns (1/3)
1. Ecosystem Access Control
• Authentication
• Session Management
• Implicit Trust Between Components
• Enrolment Security
• Decommissioning System
• Lost Access Procedure
2. Device Memory
• Cleartext usernames
• Cleartext password
• Third party credentials
• Encryption Key
3. Device Physical Interfaces
• Firmware extraction
• User CLI
• Admin CLI
• Privilege escalation
• Reset to insecure states
4. Device Web Interface
• SQL Injection
• Cross-site scripting
• Username enumeration
• Weak password
• Account lockout
• Known credentials
26
5. Device Firmware
• Hard-coded password
• Sensitive URL disclosure
• Encryption Key
6. Device Network Security
• Information disclosure
• User CLI
• Administrative CLI
• Injection
• Denial of service

IoT Security Issues & Concerns (2/3)
7. Administrative Interface
• SQL injection
• Cross-site scripting
• Username enumeration
• Weak passwords
• Account lockout
• Known credentials
8. Local Data Storage
• Unencrypted data
• Data encrypted with discovered keys
• Lack of data integrity check
9. Cloud Web Interface
• SQL injection
• Cross-site scripting
• Username enumeration
• Weak passwords
• Account lockout
• Known credentials
10. Third-party Backend API s
• Unencrypted PII sent
• Encrypted PII sent
• Device information leakage
• Location leakage
27
11. Mobile Application
• Implicitly trusted by device or cloud
• Known credentials
• Insecure data storage
• Lack of transport encryption
12. Vendor Backend API
• Inherent trust of cloud or mobile application
• Weak authentication
• Weak access control
• Injection attack
 28
IoT Security Issues & Concerns (3/3)

13. Ecosystem Communication

• Health checks
• Heartbeat
• Ecosystem commands
• De provisioning
• Update pushes

14. Network Traffic

• LAN
• LAN to Internet
• Short range
• Non-standard
 29

IoT Security Threat &

Vulnerability Analysis
 30
IoT Threats are unavoidable

First and Foremost it is important for us to recognize all types of threats in IoT eco-system.
 Examples of key threats.
 Phishing - The fraudulent practice of sending emails pretending to be from a
reputable company in order to entice individuals to reveal sensitive information.
 IoT Application hacking
 DOS attacks - Temporarily or indefinitely crash a network.
 DDoS attacks - Designed to make an online service unavailable by flooding it with
traffic from multiple sources.
 Physical intrusion - Physical intrusion is when a device and its components are
actually tempered with.
 31
Cyber Threats for Embedded Devices

 Internet-based attacks are on the rise and an increasing number of these attacks
target embedded devices. Cyber-criminals, hacking bots, industrial or international
espionage agents, and even terrorist groups are now targeting industrial, military,
automotive, and medical devices as well as utility systems.
 Reported attacks against industrial devices include:
 Automotive manufacturing plant shutdown resulting from a cyber-attack
 Pipeline monitoring system that failed due to a DoS attack
 Train system delays caused by hackers
 Sewage spill caused by a control system hacked by an insider
 Proliferation of malware targeting industrial automation systems including Stuxnet,
Flame, Havex and BlackEnergy
Source: http://www.iconlabs.com/prod/product-family/floodgate-security-framework
 32
More Examples of Real IoT Threats

Manipulation of Connected Cars

 Researchers show on the vulnerability of connected cars when they hacked into a Toyota Prius
and a Ford Escape using a laptop plugged into the vehicle’s diagnostic port. This allowed the
team to manipulate the cars headlights, steering, and breaking.
Threats to Medical Devices
 Researchers released study on the vulnerability of medical devices. The study revealed major
security flaws that could pose serious threats to the health and safety of patients. They found that
they could remotely manipulate devices, including those that controlled dosage levels for drug
infusion pumps and connected defibrillators.
The Dangers of the Smart Grid
 It is discovered a flaw in hardened grid and router provider RuggedCom’s devices. By
decrypting the traffic between an end user and the RuggedCom device, an attacker could
launch attacks to compromise the energy grid.
Source: http://www.safenet-inc.com/data-protection/securing-internet-of-things-iot
 33
Threats Mitigation Process

 Security Risks need to be

mitigated through effective, safe, Enumerate
and secure dynamic the threats

management of the system.

 Threats Mitigation process include: Mitigate the
threats
 Enumerate the threats
 Mitigate the threats
 Validate the mitigations Validate the
mitigations
 34
CSA IoT Threat Modelling - Steps
Step 2: Create a
Step 1: Identify Step 3: Decompose
System/Architecture
Assets the IoT System
Overview

Step 4: Identify and Step 3a: Define a

Step 5: Rate the
Document the Protective
Threats
Threats Architecture
 35

IoT Security Assessment

Framework - OWASP
Adopting OWASP IoT Security Assessment 36
Internet of Things Top Ten IoT Security Project
A complete IoT Security Review

 Review all aspects of Internet of Things

 Top Ten Categories
 Covers the entire device
 Without comprehensive coverage like
this, it would be like getting your
physical check up but only checking
one arm
 We must cover all surface area to get
a good assessment of overall security
 37

IoT Security Controls &

Measures
 38
Current IoT Security Measure - Insufficient

 Perimeter defences are insufficient and we must engineer a comprehensive security

throughout system processes. In highly automated systems, connected devices must
assure the trust by assuring the authenticity. Currently some automated and
coordinated IoT systems do not challenge the authenticity of the source of the
commands that they act upon.
 IoT need high-assurance credential solutions, strong authentication platforms,
encryption technologies, mobile security, managed PKI services and SSL certificates
meet the needs of organisations with advanced requirements of complex IoT
ecosystems.
 Security and privacy by design must be a priority from the onset of IoT product and
system development and be addressed holistically. It must be forethought versus an
afterthought, focusing on end-to-end security and privacy.
 39
Secure
Input Validation
Monitoring

Control Secure Login

Output
Securitisation
Measure –
Secure Coding IoT
& Secure Secure System; Secure Error
Development Secure Storage
Secure Handling

Life Cycle Coding;

Development
Lifecycle
Secure Resource
Authentication
Management

Secure
Authorisation
Communication
Secure Session
Management
 SECURITY LIFE CYCLE
40
MANAGEMENT

SECURITY AUDIT &

Control CONTINOUS
MONITORING
Measure –
Throughout the
VULNERABILITY
IoT Life Cycle MANAGEMENT

RISK ASSESSMENT &

MANAGEMENT

SECURITY
EVALUATION &
ASSESSMENT

SECURITY
CONTROL
&
MEASURES
 Security Features for Embedded Device
41
Secure Boot

Hardware Integration (TPM/TEE, Crypto,

This is a Security Secure Code Update
Features recommended
to be implemented in Data Security
Embedded Device
Authentication

Source:
http://www.automation.
com/pdf_articles/Intern
et_of_Secure_Things.pdf
Secure ID)
Secure Communication
Protection Against Cyber Attack

Intrusion Detection & Security Monitoring

Embedded Security Management

Device Tempering Detection

 42

CSA
Recommended
Security Controls
 43
CSA Recommended Security Controls (1/3)

Cryptography, Key Management, Crypto Module, Libraries, and Protocols

Crypto Material Variable Key Management

Crypto Primitives and Controls
•Symmetric Key, •Secure Key Storage,
Confidentiality/Encryption Integrity & Authentication •Asymmetric Keys •Key Agreement,
•Symmetric cryptography •Message Authentication Code •MAC Key, •Zeroise mechanism,
•Asymmetric cryptography (MAC), •Credentials, •Secure Key Transport,
•Secure Hashing, •Random Number, •Key Material Accounting,
•Digital Signature, •Trust Anchor •Trust Anchor
Self-Test security •Random Number Generator, Management,
mechanism. •Entropy Source/Pool
•Entity •PKI
•Data Origin;
Non-repudiation

Protocols (cryptographic, network and wireless), (application and management layer)

 44
CSA Recommended Security Controls (2/3)

IOT Devices (Layers Security, Specific Security Operation Management

Device Security Profile)
Application: Authorization, SIEM Integration,
Authentication, Data Confidentiality,
Data Integrity Incident Response,

Network: Authorization, Authentication, Assets Management & Accounting,

Datagram and Signaling Confidentiality,
Signaling Integrity Lifecycle controls,

Device: Authorization, Authentication, Availability Needs & Constraints

Device Confidentiality, Device/Data
Integrity Threat Sharing
 45
CSA Recommended Security Controls (3/3)

IOT Secure Access Control

Logging/Audit Physical Security Security by Design,
Discovery
Discovery Identity, Tamper Processes and
Audit Generation, Sources, evidence, Standards
Role,
Audit Data Identity/Trust Tamper Privacy by Design,
Access, establishment, Privilege Permission, response,
Privacy Principles
Audit Data Proxy Trust, Data/Resource Detachment, & Framework,
Collection, Ownership,
Virtualization
Audit Data White List, Detection & configuration &
Trust Removal,
Remote Storage, Response, Standards,
Black List,
Audit Data Device Facility or Secure Software
Interoperability Access Engineering
Storage Room
Rule/Constraints Lifecycle
46
 47
IDENTITY & ACCESS MANAGEMENT

ACCESS CONTROL Authenticity of Parts

IoT Security
IAM Identity of Source

PHYSICAL

LOGICAL
Framework AUTHENTICATION
(MULTIFACTOR)
Identity of Destination
AUTHORISATION
NEED TO LEAST
UNIQUE ID
KNOW PRIVILEGE

ACCOUNTING
(TRACK & MONITOR)

NON-REPUDIATION
DATE TIME GEO-
TIME ZONE
STAMP LOCATION
 48
Data Identification, Classification, Security
by CSA

Logging Data - EVENTS

Data In
Data At
Transit Logging - Metadata
Rest (DAR)
(DIT)
Security
Security
Data Integrity and Aggregation
Policies
Data In Data Loss
Use (DIU) Prevention
Security (DLP)
 49

IoT Security Assessment

and Evaluation
 50
IoT Security Testing

 A comprehensive security assessment, a testing methodology must be adopted. Current initiatives by OWAPS
is highly recommended for each and every IoT stakeholders to implement. OWASP has published their IoT
Security Testing: ttps://www.owasp.org/index.php/IoT_Testing_Guides based on 10 categories; It is to help
testers to assess IoT devices and applications in the IoT ecosystems
 IoT Security Testing should be comprehensive end-to-end. Minimum example of testing that should be
included are:
 Embedded Device Security Testing
 Wireless Protocol Assessments
 Cloud / Web Services Testing
 Firmware Security Assessments
 Application Security Testing
 Infrastructure Security Testing
 51

IoT Security Plan &

Business Continuity
 52
CSA - IoT Security Plan

 1. Communications Planning
 2. Physical Security Planning
 3. Logical Security Planning
 4. Establish baseline for Audit able behavior
 5. Establish an Authentication/Authorization Plan
 6. Determine critically of device(s) and/or information supported by device(s)
 7. Develop deployment and bootstrap validation tests
 8. Update Enterprise Architecture documentation
 9. Information Sharing Plan
 10. Establish privacy requirements and controls
 11. Establish a safety requirements and mitigations
 53

IoT Security Audit

Framework
 54
IOTSF Compliance Framework

The Framework has utility in a number of scenarios including:

❖ For organisation - to plan, manage, review and document security practice during the

development of products, systems or services. May declare in its marketing for professional
integrity and a “duty of care” to customers. IoTSF provides a user mark for organisations which
follow its guidelines which can be used without cost at their discretion.
❖ As part of the product/technology/service development process - to assess the
security posture of its own suppliers.
❖ For procuring products, systems and services from a supplier which declares it has used

the Framework may audit the evidence assembled, using either internal resources or a Trusted
Third Party (“T3P”). A T3P - where the documented evidence would expose sensitive
information such as intellectual property or commercial aspects.
❖ In future, for audit process - lead to the Framework-user being permitted to use a “Trust

Mark” as a qualified public symbol of conformance to best practice.

 55
IOTSF Compliance Class

Class 0: where compromise to the data generated or level of control provided is likely to result in
little discernible impact on an individual or organisation.
Class 1: where compromise to the data generated or level of control provided is likely to result in
no more than limited impact on an individual or organisation.
Class 2: in addition to class 1, the device is designed to resist attacks on availability that would
have significant impact an individual or organisation, or impact many individuals, for example by
limiting operations of an infrastructure to which it is connected.
Class 3: in addition to class 2, the device is designed to protect sensitive data including sensitive
personal data.
Class 4: in addition to class 3, where the data generated or level of control provided or in the
event of a security breach have the potential to affect critical infrastructure or cause personal
injury.
 56
IOTSF Compliance Class Levels of
integrity, availability and confidentiality

Compliance Security Objective

Class

Integrity Availability Confidentiality

Class 0 Basic Basic Basic
Class 1 Medium Medium Basic
Class 2 Medium High Medium
Class 3 Medium High High
Class 4 High High High
 57
IOTSF Definition of
Levels of integrity, availability and confidentiality

Integrity
o Basic - resist low level threat sources (TS) - little capability and priority
o Medium - resist medium level TS - very little, focused capability, researchers with significant capability
o High - resist substantial level threat sources
Availability
o Basic - lack of availability - cause minor disruption
o Medium –lack of availability - limited impact
o High – lack of availability - significant impact
Confidentiality
o Basic – processing public information
o Medium – sensitive information - Personally Identifiable Information - compromise limited impact
o High - very sensitive information - sensitive personal data - compromise - significant impact
 58
IOT Security Audit – Using IOTSF
Compliance Framework – 13 Major Clauses
Business Security Processes and Responsibility
Device Hardware & Physical Security
Device Application
Device Operating System
Device Wired and Wireless Interfaces
Authentication and Authorisation
Encryption and Key Management for Hardware
Web User Interface
Mobile Application
Privacy
Cloud and Network Elements
Secure Supply Chain and Production
Configuration
IOTSF – Example - 2.3.3 Compliance 59
Applicability - Device Application
1.

Compliance
Req. No Requirement Class Category Applicability
A-Consumer B-Enterprise Response Evidence

2.3.3.1 The product has measures to prevent 1 and Mandatory TBD in Compliance/Partial Link to
unauthenticated software and files being above future Compliance/Non- Evidence
loaded onto it. In the event that the product is release Compliance
intended to allow un-authenticated software,
such software should only be run with limited
permissions and/or sandbox.
2.3.3.2 Where remote software upgrade can be 2 and Advisory
supported by the device, when vulnerabilities above
are discovered, the software fix for the device
is promptly made available.
 60
Summary

 We have been expose of common exposure and risks of IoT System

 Introduce several Security Controls for the IoT System
 Understand the IoT System resiliency, health and safety requirements
 Understand the assessment, testing and monitoring effectiveness of the
control measure over time
 Briefly introduce to IOTSF compliance framework – can be use for auditing
 We will be able to prioritize the audits in accordance to criticality and
sensitivity
 61
Questions & Answers

Ariffuddin Aizuddin
ariffuddin.aizuddin@gmail.com
+60133862831