Month: May 2016

ICSA Internet of Things Security Certification Requirements

ICSA recently announced an Internet of Things testing and certification program. It has six components (highlights in brackets) –

  1. cryptography (FIPS 140-2 crypto algos by default, secure PRNGs)
  2. communications (PKI auth, all traffic must be authorized)
  3. authentication (secure auth, protect auth data, no privilege escalation)
  4. physical security (tamper detection, defense, disable)
  5. platform security (secure boot, secure remote upgrade, DoS defense)
  6. alert/logging (log upgrades, attacks, tampering, admin access)

Their IoT security requirements framework is found here.

This is a great list. I think another dimension to think about is usability of the security – many products come with security options buried so deep in documentation or UI, that a regular user may not configure the device securely and leave it more open than intended – this has historically been true of a variety of webcams, SCADA systems, wifi routers and other devices.


WebServices Composition with AWS

Some interesting diagrams on composition of a data processing pipeline with AWS here –

The services:
Amazon Cognito: Identity and Security
AWS Lambda: Serverless Data Compute
Amazon Kinesis: Massive data ingestion
Amazon S3: Virtually unlimited storage
Amazon Redshift: Petabyte-scale data analysis
On Redshift, here’s a comment from Nokia:” where their volume of data “literally broke the database”, prompting them to look for more scalable solutions.

Security Competition Open Sourced

Facebook made a Capture The Flag (CTF) cybersecurity competition open source and available this week  at .

There are several other CTF projects on github. I like that this approach to cybersecurity gets one thinking like an attacker. The problem is that the attack surface in highly connected systems is not obvious or easily modeled.

How about CTF competitions for IoT Security? There was one in March –