ICWMC 2015, Malta, Oct 2015 - Panel: Challenges on Security and Trust
Panel on ICWMC / VEHICULAR «Challenges on Security and Trust in Mobile Environments»
ICWMC 2015, 11-16 October 2015, St. Julians, Malta
Panelists
- Pascal Urien, Télécom ParisTech, France
- Markus Ullmann, BSI, Germany
- Josef Noll, University Graduate Center (UNIK), Norway
Main findings on Security and Trust
• Who is the trust entity?
  – government, «Google»
  – car manufacturer, e.g. Volvo: «if you have an accident with your automated car, we pay».
• trust is often traded for convenience: «it’s convenient and easy, I’ll trust»
• Belief is more important than Service Level Agreement (SLA)
  – «believe they are doing a reasonable job»
  – expectation & history driven
• SLA is not an agreement: «accept or leave»
• Privacy
  – attack on security and privacy is a business
  – no (real) alternatives to the convenient services
• Expectations
  – governments/EU to take care of a minimum of privacy
  – identify responsibility
  – create awareness
  – awareness boosts alternatives
Security and Trust measures for IoT infrastructures
Need for Measurable Security and Privacy (Josef Noll, Oct 2015)
DNV report 2013, DNV GL report 2014
Technology Outlook 2020 / Transformative Technologies
• Technology applications in Maritime, Renewables & Electricity, Health Care, Oil & Gas and Food & Water industries
  – sensors will drive automated data management
  – from passive data to automated decisions
  – automated decision tools by 2020
• Maritime: «policy driven»
• Health care: «trust» on sensor and mobile apps
“In any change management process, the challenge is communicating risk,” (Peter Bjerager, DNV GL)
“Only 59% of the public trust the energy industry,” (Edelman Trust Barometer 2013)
Trust-based privacy
• “With whom to collaborate?”
• Share data?
• Trust-based privacy
• Information and your social life
[Figure: Company trust network. Labels: Context, Roles, Identities, Topic. Values shown: 0.9, 0.9, 0.5, 0.3, 0.9]
Thanks to Vladimir Oleshchuk for ideas and discussions
4. PROPOSED FRAMEWORK
This chapter elaborates the proposed cloud-based Internet of Things framework. Figure 2 illustrates the
proposed framework, which contains the following four layers: Node layer, Network layer, Middleware
layer and Application layer. A brief overview of each layer is as follows.
Node layer: The node layer contains hundreds of nodes such as devices, sensors and actuators distributed
over the whole railway infrastructure. Some of them are very small, have limited battery capacity
and are used to collect and forward data only, e.g. the temperature sensors. Some of the devices can
aggregate and filter data. The nodes deliver collected data to the middleware layer, and some of them
receive feedback or suggestions from the middleware layer and can thereby perform actions, e.g. actuate a
mechanical device.
Network layer: In order to communicate, each node is equipped with one or multiple communication
interfaces. Some of the nodes work alone, while others work in a group. Nodes working in a group
may form a network among themselves, and such a network can be permanent or ad hoc. The
middleware layer may supervise the formation of the network by defining its characteristics, for example
its topology, interconnectivity etc.
Middleware layer: It contains computing machines with powerful hardware and software
components. The middleware layer communicates with application interfaces. Depending on the
Figure 2. The layered representation of the proposed framework.
• Measurable trust? Transient Trust?
• Value chains: from sensors to systems
Measurable Security, Privacy and Dependability (Multi-Metrics, Josef Noll, Oct 2015, http://newSHIELD.eu)
» System consists of sub-systems, which consist of components
» Component/Sub-system Criticality
» Multi-Metrics approach
  – System security vs Application security demand
[Figure: Multi-Metrics (weighted subsystems). Labels: Comp. 1, Comp. 2, Comp. 3; Multi-Metrics (MM); sub-system 1 (s,p,d); sub-system 2 (s,p,d); system (s,p,d). Criticality scale: ideal, good, accep., critical, failure]
VEHICULAR 2015, 13.10.2015
Markus Ullmann
Challenges on Security and Trust in Mobile Environments
Modern Vehicles
Much more than
• Chassis + Cabin
• Wheels
• Engine
• Gearbox
• ...
Modern Vehicle: + Network of Controllers
Future Direction: Automated Driving
Real Attacks on Vehicles (1 of 2)
Real Attacks on Vehicles (2 of 2)
What is needed to enhance Protection of Vehicles against Cyber Attacks?
Vehicle Manufacturer
• Are Vehicular Networks - as they are (LIN-, CAN-Bus, …) prepared for integrating wireless technologies to support online services? => Are new network structures needed for vehicles?
• Security by design principle based on a dedicated security methodology?
• Pentesting of automotive networks and interfaces by third parties?
• Standardized security requirements?
• „Formal“ evaluation and certification of dedicated security components/separation techniques?
• …
Vehicle Customer/Buyer
• Protection against cyber attacks is part of buying decision?
Secure and Trusted Mobile Payments for Smart Cities
About Mobile Payments
• Payments thanks to (connected) mobiles
• Huge market, $$$$$$$$$
• Different from legacy magnetic stripe or EMV (chip) payments
  – The mobile is your payment card
  – Connected device
  – With a screen
  – Able to establish user approval for transaction
• Trust and Security are the main issues
The Google Wallet 2 (2012)
[Figure: Google Wallet 2 payment flow. Labels: Acquirer’s Bank; Customer’s Issuer Bank; MasterCard; Google Virtual prepaid card; Card Network; Google Issuer; Google Acquirer; Customer’s Cards; Card Not Present transaction (CNP); Cloud of PVC Bank Cards]
Tokenisation (2013)
The Target stores hack in fall 2013 exposed up to 40 million credit and debit cards and personal data for up to 70 million customers.
ApplePay (2014): A Token Requestor
Getting Started with Apple Pay, Version 1.0, 2014
Google Vault (2015): an SD Card
• SD card
• Only two files: WFILE and RDFILE
• Cryptographic procedures
• GB of storage
• MB of throughput
• NFC controller
Android Pay (2015)
Samsung Pay (2015): Samsung KNOX
Secure Elements In the Cloud (2015)