introductionof ccdsfinal).pdfguideline wg iotvuln. r&d unit no1, no2 ccds secretariat office car...
TRANSCRIPT
Copyright 2016 Connected Consumer Device Security Council Proprietary 1
Introduction of CCDS
- Toward Trustful IoT Life -
Connected Consumer Device Security Council (CCDS)
Tsukasa Ogino, Representative Director
Copyright 2016 Connected Consumer Device Security Council Proprietary 2
Contents
• Recognition of Current issues
• CCDS Overview
• CCDS R&D
• CCDS Security Guideline Development
• CCDS IoT Vulnerability Testing PF Development
• CCDS other activities
Copyright 2016 Connected Consumer Device Security Council Proprietary 3
ISSUE: Threats from Cooperated Devices
If even Single App is safe, but may be vulnerable in cooperated situation
3
AV, HomeAppliance Apps
OtherConsumerDevices
Energy, HEMSApps
ITS, VehicleApps Medical,
HealthcareApps
Server Cooperation
AppsCooperation
Intrusion via vulnerable app,Crack to cooperative app
A consumer device infected malware spread to other device and apps
Malware
Intrusion
Difference of security levelsbetween each apps domains
Copyright 2016 Connected Consumer Device Security Council Proprietary 4
Trust(safety and security)Level Difference
安心・安全
安心・安全
Domain AProduct
Domain CProduct
Domain BProduct
①Different Level of RequirementFor Safety and Security Level
by product domains
安心・安全
連携 連携
②Total Security Level will be leveled
at the lowest productWhen connected
Required or Demanding Level
Actual Product Level
Copyright 2016 Connected Consumer Device Security Council Proprietary 5
Value and Cost Balance
IoT service value
>Security
Protection Cost
Countermeasure
Also countermeasure by architecture and Usability
Quality
Keep Higher Quality
Function and Architecture
Cost Up by complex architecture
Comply Important Requirement
such as Safety
SafetyISO/IEC 61508 SIL 1~4
ISO 26262 ASIL QM, A~D, etc
SecurityISO/IEC 15408/CC EAL 1~7
FIPS 140-2 Level 1~4ETIS ITS/C2C-CC TAL 1~4, etc
Different Priority and Judgement levelProduct domain by domain
Copyright 2016 Connected Consumer Device Security Council Proprietary 6
CCDS Overview
• Name: General Incorporated Association: Connected Consumer Device Security Council
• Establishment: October 6, 2014• Chairman: Hideyuki Tokuda (Professor of Keio University, Cabinet Security Advisor)• Representative Director: Tsukasa Ogino (Specially Appointed Professor, Kyoto University)
• Managing Director: Kosuke Ito (Zero-one Laboratory)• Directors: Atsuhiro Goto (Professor, Institute of Information Security, SIP: PD)
Katsutoshi Hasegawa (President, eSOL Co., Ltd.)Hiroyuki Hattori (President, Witz Co., Ltd.)
• Number of members: 129(Official members or higher: 43, General members: 62, Academic members: 14, Liaison members: 10)
• Main businesses:1. Internal/external trend investigation on security in various field of consumer devices, and
interchange/cooperation with internal/external organizations2. Development of security technology which satisfies safety and security of consumer devices3. Development of security design process, development/preparation of verification method
guidelines and promotion of international standardization4. Preparation/control of consumer device verification environment, verification business and
human resource development on security, public relations/dissemination activity, etc.
Copyright 2016 Connected Consumer Device Security Council Proprietary 7
SCOPE:
AV Network Medical/HealthcareNetwork
Home Gateway
HEMS Network
Power, Utility
HomeAppliance
EV/HV
SmartMeter
PV
HEMSConsole
WearableDevices
Healthcareserver
Care Robots
ITS&Vechile Safety
Telematics, Eco,Drive Recorder, etc.
New Services
AfterDevices
ECU
V2X Communication
PotableDevices
Road SideUNIT
Automated Driving
4K・8KContents
HomeServer
HEMScompany
ContentsProvider
Medical, Healthcare
Cloud
Vehicle andTraffic Control
Convenienceお弁当セール
Public AreaDevices
ATM Remote Monitor/ Maintenance
Office AreaNetwork
MFPMedical, Healthcare
Devices
BatteryNetwork
Appliance
Embedded/IoT/M2M in general, Connected Consumer Deviceswhich are not operated (monitored and controlled) by professionals
Copyright 2016 Connected Consumer Device Security Council Proprietary 8
R&D Center
Review Committee
IoT Security Guideline WG
IoT Vuln. R&D UnitNo1, No2
CCDSSecretariat Office
CarSub WG
ATMSub WG
POSSub WG
Home NWSub WG
Vulnerability Testing Center
Car-A: Vuln. Testing Tool for Com Unit (Navigation)
ATM: ①Tool for ATM,②Tool for USB Test PF
POS: Vuln. Testing tool for Open POS (Tablet type)
Home GW: Vuln. Testing Tool for Home NW Devices
Car-B: Vuln. Testing Tool for Body control ECUs
Platform for Vuln. Testing operation for IoT system
Administration
CCDS Organization
Usability WG SecurityTech. WG
Device Security
TechnologyWG
Copyright 2016 Connected Consumer Device Security Council Proprietary 9
R&D Units activities
• Unit 1 (stationed in Okinawa):
– Unit Leader: Dr. Inoue, Assoc. Prof. of Hiroshima City Univ.
– R&D in Car Hacking (CAN) hacking, USB Hacking, Feedback fuzz data processing function on fuzzing tool, etc.
• Unit 2:
– Unit Leader: Dr. Ogino, Kyoto Univ.
– R&D in Home GW vulnerability research, Auto Vulnerability checker for Android apps, etc.
Copyright 2016 Connected Consumer Device Security Council Proprietary 10
Cyber Security Policy for Vitalizing Society and its sustainable development by NISC
出典:NISC:サイバーセキュリティ戦略(案)より
Security By Design (SBD)System Design with Security Consideration from planning and design stage
Preparation of the general guidelinesto affect security on IoT system
Enforcement of the technology development and proof trialin consideration of the characteristic (long life cycle, limit of the processing capacity) of the IoT system, importance of the hardware genuine nature
Copyright 2016 Connected Consumer Device Security Council Proprietary 11
CCDS External Cooperation
IoT Security Guideline Dev.
IoT Vuln. Evaluation PF Dev.
・Design Process Guide = Security by Design・Security Testing Guide ->International Std.
toward the safe and secure IoT service/product development!
・Vulnerability Testing Tool Development・Testing Scenario DevelopmentDeveloping the Security Testing Platform
WG on the Development Guideline for the Smart-society
Copyright 2016 Connected Consumer Device Security Council Proprietary 12
PLAN: Security Development Guideline Definition
EmbeddedDomain
Cyber System Domain
V2X, Probe
Remote Access,Control
for Automated Drv.
Vehiclecommon part
Health Data
Wearable Comm.
HealthcareDevices
common part
Remote Access,Control
HEMS Cooperation
Home Appliance
common part
Public Space Devices(ATM, etc.)
EmbeddedSystems
common part(Base) Cooperated
Servicescommon part
Arrange basicitems for
embed devices
Discuss Integratedsituation includes
cyber space
Office Devices (MFP, etc.)
Arrange each common partAs a beginning,
Discuss for each Apps
Security Development Guideline
Per Domains Common
Copyright 2016 Connected Consumer Device Security Council Proprietary 13
CCDS consumer device security guideline for each field v1.0
Since threats for each product field vary, security actions are summarized in view of each field based on IPA "Development guideline of connecting world" to easily
disseminate the security-by-design concept in the industry.
Purpose
Target field
Onboard unitIoT gateway
Major contents of guideline・ Target system configuration
・ Anticipated security threat
・ Security action in each phase of product life cycle
(Relationship with IPA "Development guideline of connecting world")
・Threat analysis/risk evaluation method
・ 3rd party security evaluation for entire product and security measure function
Financial terminal(ATM)Accounting terminal(POS)
Onboard system configuration POS system configurationATM system configurationIoT-GW: Home GW case
English Version are coming soon!
Copyright 2016 Connected Consumer Device Security Council Proprietary 14
Position of guideline for each CCDS field (private opinion)
CCDSOnboard
unit
CCDSIoT-GW
CCDSATM
CCDSOpen POS
IoT security guideline
IoT Promotion Consortium
MIC and METI
IoT service provider
IoT platform/network provider
IoT system vendor
IoT security general
frameworkNISC
Safe and secure IoT system development guidelinewhich can be used across product fields
(checklist)
Specific threat or risk point in view of each product field
Summary of security review points from design stage
Cooperation for
industry deployment
Security guideline for all layers of IoT service relevant persons
Cyber security strategy
NISCClarification of general basic requirements related to
design, building and operation of the IoT system
International deployment of Japanese idea
Proposal of IoT system development by Security-by-
design concept
Refer to review
for cooperation.
Proposal
Reference
Development guideline of connecting
world
Copyright 2016 Connected Consumer Device Security Council Proprietary 15
Founding the 3rd Party Security V&V Evaluation Center
Okinawa Pref.
CCDS重要生活機器連携セキュリティ協議会
IoT Vuln. Testing Ctr. R&D Center
IoT Security Guideline Development WG
Testing Tool Dev.
Testing DBDev. & Ope
Vuln. EvaluationPlatform
Testing Process Dev.
Trial Testing(Training)
3rd Party Testing Service
IPA
Venders in Okinawa
Automotives
Home
Financial TerminalsATM/POS
Evaluation Testing Platform System
On-Board Head Units, Body Control ECUs
Home GW, IoT GWfor sensor network
ATM/POS
IoT Evaluation Test ScenarioAnd Test result Integration
Participants from Major Brands
Certification Authority(Future)
FY2015~FY2017
Working Group on Development Guideline
for Smart-Society
3rd Party Security V&V Evaluation Ctr
(Future)
V&V: Verification and ValidationVuln: Vulnerability
Copyright 2016 Connected Consumer Device Security Council Proprietary 16
CCDS IoT Vulnerability Testing Units
BBTower
Omron SW
JVC Kenwood
Hitachi Omron
IoT Vuln. Testing Platform System
Automotives
Home HITACHI
ATM
POS(Point of Sales)
Aisin CC
Review Committee
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Test Tool Development TeamProduct Testing Team
Copyright 2016 Connected Consumer Device Security Council Proprietary 17
Other CCDS activities
• Usability WG
– Objective: Discussing UI design as a part of security countermeasures to keep the IoT devices in secured
• Collaboration with HCD-net(人間中心設計推進機構)– Leader: Ueyes’ Design
– Kicked off in Aug., 2016., participating about 20 members
• Device Security Technology SWG
– Objective:
• Building comprehensive security countermeasure technologies MAP (categorizing) for IoT devices
• Envisioning to develop the Implementation Guideline for IoTsecurity countermeasures in future
– Leader: SELTECH, Deputy Leader: DNP (Dai-Nippon-Printing)
– Kicked off in Jun., 2016., participating about 35 members