Month: May 2016

ICSA Internet of Things Security Certification Requirements

ICSA recently announced an Internet of Things testing and certification program. It has six components (highlights in brackets) –

  1. cryptography (FIPS 140-2 crypto algos by default, secure PRNGs)
  2. communications (PKI auth, all traffic must be authorized)
  3. authentication (secure auth, protect auth data, no privilege escalation)
  4. physical security (tamper detection, defense, disable)
  5. platform security (secure boot, secure remote upgrade, DoS defense)
  6. alert/logging (log upgrades, attacks, tampering, admin access)

Their IoT security requirements framework is found here.

This is a great list. I think another dimension to think about is usability of the security – many products come with security options buried so deep in documentation or UI, that a regular user may not configure the device securely and leave it more open than intended – this has historically been true of a variety of webcams, SCADA systems, wifi routers and other devices.

WebServices Composition with AWS

Some interesting diagrams on composition of a device data processing pipeline with AWS are at http://aws-de-media.s3.amazonaws.com/images/jmetzner_Hackday_Berlin.pdf

The services listed are:
Amazon Cognito: Identity and Security. Gets token with role for API access by a certain user.
Amazon Kinesis: Massive data ingestion. Uses token auth, but token signing can be a easiest.
AWS Lambda: Serverless Data Compute. Supposed to save on EC2 instance costs (at the expense of lock-in).
Amazon S3: Virtually unlimited storage. This is what really makes AWS tick.
Amazon Redshift: Petabyte-scale data analysis
It does not say what data goes to S3 and what data goes to the database.
On Redshift, here’s a comment from Nokia (http://www.cio.com/article/2860383/data-warehousing/7-amazon-redshift-success-stories.html#slide3), where their volume of data “literally broke the database”, prompting them to look for more scalable solutions.
There is a tension between “servers” and “services”, which goes back to the IaaS vs PaaS distinction. PaaS can be faster to develop with, since there is less focus on server maintenance. However, the number of PaaS concepts to deal with is neither small nor particularly inviting: instead of a single server, one now has to deal with multiple services, each of which has to be authenticated, priced and guarded against possible misuse, and each of which has the potential for surprises. A key to simplicity is how composable the services are.

Security Competition Open Sourced

Facebook made a Capture The Flag (CTF) cybersecurity competition open source and available this week at https://github.com/facebook/fbctf.

There are several other CTF projects on github. I like that this approach to cybersecurity gets one thinking like an attacker. The problem is that the attack surface in highly connected systems is not obvious or easily modeled.

How about CTF competitions for IoT Security? There was one in March – http://www.wamda.com/memakersge/2016/04/challenges-possibilities-iot-big-data
