BC Track: Improving IoT Safety using Standards to Improve IoT Security
Holeman Lounge, Borderless Cyber Track (BC)
Oct 08, 2019 02:15 PM - 02:45 PM (UTC)
Borderless Cyber USA / Washington, D.C. / 8-10 October 2019
events@oasis-open.org

The Internet of Things (IoT) is growing faster than our ability to safeguard ourselves. As IoT becomes ubiquitous, it is important to consider the safety impacts of cyber-physical systems. In the interest of public safety, future cybersecurity systems will adapt to threats in real time based on the standards being developed today.


This talk will identify several key industry standards and explain how they will contribute to IoT safety. It will conclude with a vision of how future IoT systems will be safer by tying these activities together.


The downsides of ignoring safety will be discussed with IoT examples from the transportation, healthcare, factory, and utility sectors. After setting the stage on the importance of cybersafety using Fear, Uncertainty, and Doubt (FUD), I'll argue against using FUD and present the proven, scientific risk management principles that should be used instead for all security decision making. Instead, decisions will be made algorithmically, based on proven scientific methods, using security policy, risk tolerance, and the potential safety and financial impacts of the threat. Factor Analysis of Information Risk (FAIR) is a practical framework for understanding, measuring, and analyzing information risk, and ultimately for enabling well-informed decision making. The talk will give a brief introduction to FAIR and the Open Group standards related to it, as well as how it applies to IoT.


Modern software systems involve increasingly complex and dynamic supply chains. Lack of systemic transparency into the composition and functionality of these systems contributes substantially to cybersecurity risk. This talk will cover the work underway in an NTIA Working Group on Software Transparency and the use cases for a Software Bill of Materials (SBoM).


The third principle necessary for IoT safety is responding to a cyber-attack at machine speed. The talk will cover why that is important to IoT and what should be done to achieve response in cyber-relevant time. The economic benefits of automation and machine-speed response will be presented. The talk will discuss the OASIS OpenC2 standards for command and control (C2) and how those standards will facilitate automation in IoT, particularly in conjunction with several other OASIS standards for sharing threat intelligence (STIX/TAXII) and playbooks (CACAO). The talk will conclude with a vision of how future IoT systems will be safer by tying these activities together.


Key take-aways:

  • Attendees will learn about several standards that will help make IoT safer.

  • Attendees will learn how to make more informed decisions based on risk tolerance.

  • Attendees will learn about the use cases for a Software Bill of Materials (SBoM), and they will leave wanting their suppliers to provide SBoMs and wanting to create SBoMs for any software they supply.

  • Attendees will learn about the use cases for OpenC2, STIX/TAXII, and CACAO in the context of IoT safety.