IoT Security Safety Framework - METI
Securing the Trustworthiness of Mutual Connections between Cyberspace and Physical Space
(Draft)
Table of Contents
1. Necessity of this Framework
1-1 The second layer in CPSF (mutual connections between cyberspace and physical space)
1-1-1 An introduction to CPSF
1-1-2 The positioning of the second layer
1-2 Purpose of the Framework
2. Intended readers of the Framework
3. Basic Structure of the Framework
3-1 Concepts in the background of the basic structure
3-2 Organization of hidden risks in devices and systems connecting physical space and cyberspace
3-2-1 The first axis: degree of difficulty of recovery from the incident
3-2-2 The second axis: the degree of economic impact of the incident (conversion into monetary value)
3-2-3 Categorization of devices and systems connecting physical space and cyberspace
3-3 Organization of the desired security and safety requirements
3-3-1 The first perspective: Confirmation requirements before operation (manufacturing phase)
3-3-2 The second perspective: Confirmation requirements during operation
3-3-3 The third perspective: Confirmation requirements for operator (operator’s license etc.)
3-3-4 The fourth perspective: Other requirements of mechanisms, such as social support
4. How to utilize the Framework
1. Necessity of this Framework
1-1 The second layer in CPSF (mutual connections between cyberspace and physical space)
1-1-1 An introduction to CPSF
In an industrial society where cyberspace and physical space are highly integrated, the processes that generate value, namely products and services (the supply chains), are changing from conventional rigid, linear supply chains to flexible supply chains based on diverse mutual connections. The Cyber/Physical Security Framework (CPSF) compiles the concepts for securing this new industrial society by organizing the security issues in this new value creation process and the measures to resolve them. The CPSF stated that “The security of physical data produced by IoT devices – and its digitization, transport, storage, and analysis – is very different from interactions between two trusted entities in a conventional supply chain. Often this IoT data is used to generate new data through automated analysis. Data is also used to create physical products and services in physical space by controlling physical IoT devices. All these interactions and more must be secured and controlled by value creation process participants”. On that basis it established three different anchor points of trustworthiness: the first layer places the anchor point of trustworthiness in mutual connections between companies, the second layer in mutual connections between cyberspace and physical space, and the third layer in mutual connections in cyberspace. Centered on these anchor points, the CPSF identified the security issues for the economy and society overall and compiled measures to overcome them.
1-1-2 The positioning of the second layer
The second layer is the border between cyberspace and physical space. Information crossing that border being converted accurately, in other words securing the accuracy of the transcription and translation function, is deemed to be the anchor point of trustworthiness in the second layer. Generally, the border between cyberspace and physical space is established by so-called “IoT” systems, comprised for example of the sensors and actuators that are responsible for this transcription and translation function. Devices and systems connecting physical space and cyberspace, such as IoT, offer benefits for the corporate and economic activities of the people and organizations that use them; on the other hand, when an incident occurs, those same people and organizations incur losses and bear liabilities. Therefore, securing the security of IoT devices and systems is at the core of the security measures in the second layer.
On the other hand, security issues in the second layer are not uniform. Even in the CPSF, multiple cases like the following have been shown.
- As a result of cyberattacks on the functions of sensors, data in physical space are not properly transcribed and wrong data are provided to cyberspace, so trust in operations implemented using such data is lost.
- Due to wrong instructions from cyberspace and/or cyberattacks on IoT devices, control of the devices in physical space is executed erroneously, causing safety problems such as physical harm to employees and damage to devices.
- Functions of IoT devices and systems are suspended due to cyberattacks, etc.
Furthermore, the CPSF mentions the following issues in the management of IoT devices and systems connecting cyberspace and physical space.
- In organizations, it is necessary to consider multilayered measures for physical security in accordance with the importance of the role borne by IoT devices, such as separating the areas where critical IoT devices are installed from other areas in order to control access at the border, and monitoring the critical area with surveillance cameras or other appropriate tools to detect any unauthorized actions.
- Some IoT devices, such as those installed in households by individuals, are difficult for organizations to control, so it is necessary to consider the risks of theft and loss when taking measures.
Therefore, when implementing security measures in the second layer it is necessary to take into account not only the diversity of issues related to IoT devices and systems but also the diversity of environments in which IoT devices and systems are utilized. With respect to those diversities, the CPSF organizes the risk sources and measure requirements through the three-layer approach and presents examples of security measures for handling the measure requirements. It deems it necessary to respond with a combination of measures from the perspectives of functional safety and cybersecurity, based on the major premise that safety is secured.
Figure 1: The three layers model in the CPSF and the trustworthiness in each layer
1-2 Purpose of the Framework
As also mentioned in the IoT Security Guidelines,[1] IoT devices used for simple information services differ from those used in factories and social infrastructure systems in security level, purpose, and priority. It is thought that going forward, along with the expansion of IoT utilization, actual security measures for individual and specific IoT devices and systems in each field of use will proceed taking into account the peculiarities and diversity of each respective field. In that process, a uniform means of comprehensively grasping the issues concerning the security and safety of devices and systems connecting cyberspace and physical space is lacking, so there are concerns that unique security and safety measures, etc. will be established through separate review processes in the respective fields/industries. There is a danger that if inconsistencies arise in the respective measures, the costs to society of accepting and managing the new mechanisms will increase.

The Framework aims to avoid situations like the above by focusing on the new risks brought about by the new mechanisms connecting cyberspace and physical space, and by presenting a means of categorizing forms of risk and the security and safety measures for responding to those risks. In other words, its purpose is to provide the “basic common infrastructure” that enables players in different fields/industries to share a scheme contributing to the review of security and safety in devices and systems connecting cyberspace and physical space (in other words, IoT devices and systems), so that society can effectively accept the new mechanisms of IoT. Note that in the Framework, the Internet of Things (IoT) is interpreted to be the representative example of devices and systems connecting cyberspace and physical space, but it can be concluded that the Framework covers all aspects of devices and systems connecting cyberspace and physical space.

[1] The IoT Acceleration Consortium, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry; formulated in July 2016
2. Intended readers of the Framework
People who intend to realize new mechanisms and services by constructing mechanisms connecting cyberspace and physical space must be aware that the security issues will also necessarily be diverse, because those mechanisms and services are realized in a variety of forms, and must take appropriate security measures that take that diversity into account. The more innovative the new mechanisms and services are, the greater the need to take comprehensive measures responding to the anticipated variety of issues, so that the new mechanisms and services will be accepted in our society.
Therefore, the Framework is intended to be used as a reference when an entity realizing new mechanisms and services attempts to take security measures against the new risks, and when an entity utilizing those kinds of mechanisms and services perceives the associated risks itself through an understanding of the Framework. For example, the following types of readers are intended:
- People who intend to utilize the IoT to realize new mechanisms and services connecting cyberspace and physical space
- People developing IoT devices and systems utilized with those kinds of new mechanisms and services
- People who intend to realize systems and environments for appropriately managing those kinds of new mechanisms and services
- People who receive those kinds of new mechanisms and services
3. Basic Structure of the Framework
3-1 Concepts in the background of the basic structure
There are a variety of forms of new mechanisms connecting cyberspace and physical space and a variety of security issues arising from them; furthermore, the types of harm when an incident actually occurs are extremely diverse. If uniform security requirements are set for the devices and systems that comprise those kinds of mechanisms, then even supposing those requirements have been satisfied, they cannot sufficiently respond to the diverse security issues. In other words, we cannot conclude that users are protected appropriately in such a situation. The key point when reviewing second-layer security measures is what kind of approach to take with respect to this diversity.
As a technique for approaching this point of contention regarding the “diversity” of new mechanisms and services connecting cyberspace and physical space, the Framework utilizes three axes that consolidate the basic concepts for ascertaining the risks, and the measures against those risks, with regard to the devices and systems comprising these mechanisms (hereinafter referred to as “devices and systems connecting physical space and cyberspace”); it categorizes them and organizes the content of the appropriate measures, so that they can be compared and reviewed.
3-2 Organization of hidden risks in devices and systems connecting physical space and cyberspace
The events in which an impact arises when the security issues of devices and systems connecting physical space and cyberspace actually lead to an incident are extremely diverse. There are cases with an impact on human life, cases pertaining to privacy, cases pertaining to damage to assets, cases pertaining to the living environment, etc. In other words, the hidden risks in devices and systems connecting physical space and cyberspace are diverse.
However, when reviewing security measures for devices and systems connecting physical space and cyberspace, organizing each event that is impacted by an incident separately conversely makes the concepts more complex. Therefore, it is necessary to focus on a small number of standards, abstracted by extracting common items from the impacted events, so that the hidden risks in the devices and systems connecting physical space and cyberspace can be organized in a simple form.
For that reason, the Framework abstracts and organizes the variety of events impacting human lives/bodies, privacy/honor, assets, living environments and economic activities, the impact of harmful rumors, etc. into the following two standards, and establishes them as the two axes for categorizing the hidden risks in devices and systems connecting physical space and cyberspace.
3-2-1 The first axis: degree of difficulty of recovery from the incident
The first axis ascertains risks based on the difficulty of recovery from the incident. Regarding the difficulty of recovery, it is first necessary to think about the impact on human lives/bodies more than anything else. Needless to say, if human life is lost it cannot be recovered. Furthermore, when a severe physical disability results from the incident, there are quite a few cases in which a full recovery cannot be assured. Even supposing recovery is possible, there are cases in which early recovery is possible and cases in which recovery takes time. Evaluation criteria of this kind, regarding whether or not recovery from the incident is possible and, where recovery is possible, whether or not early recovery is possible, are established as the first axis.
This first axis stands in the same position as the basic concepts of the regulatory mechanisms that establish the safety measures and prohibited actions forcibly required by the legal structures in fields such as product safety and industrial safety, and it also secures consistency with the existing system structures.
As shown above, the first axis first organizes the concepts around the point of contention of avoiding situations in which recovery of human lives/bodies is impossible. However, information pertaining to the privacy/honor of individual people includes sensitive information that would cause damage to the concerned individual that could not be recovered once the information was revealed, so events pertaining to the protection of information whose disclosure causes unrecoverable damage to such an individual can also be organized into issues ascertained by the first axis.
Note that risks can be interpreted using both the degree of impact of the incident and the probability of its occurrence, but the Framework takes the approach of categorizing based on the degree of impact when an incident has occurred, without considering the probability of occurrence, which is comparatively difficult to compute, so that categorization taking into account the diversity of devices and systems connecting physical space and cyberspace can be carried out easily.
Figure 2: Image of the degree of difficulty of recovery from the incident (axis: degree of difficulty of recovery from the incident)
3-2-2 The second axis: the degree of economic impact of the incident (conversion into monetary value)
The second axis standardizes the size of the impact of the incident converted into monetary value, excluding the aspect of the possibility and difficulty of recovery from the impact. This standard does not take into consideration the difficulty of recovery in the kinds of cases pertaining to human lives/bodies and serious privacy/honor issues discussed in 3-2-1; rather, it supposes that recovery from the impact can be ascertained when converted into a monetary value, and ascertains events such as damage to assets and impacts on economic activities and society, etc. by mapping them onto the second axis.
The second axis should be considered independently of the first axis. Even devices and systems connecting physical space and cyberspace that are ascertained to have a low degree of difficulty of recovery on the first axis might be categorized as devices and systems with an extremely high degree of economic impact on the second axis. On the other hand, there is a high likelihood that devices and systems connecting physical space and cyberspace ascertained to have a high degree of difficulty of recovery on the first axis will also be applicable to a proper level when the impact is actually converted into monetary value in the form of compensation money, etc.
Figure 3: Image of the degree of the economic impact of the incident (axis: degree of economic impact of the incident)
Figure 4: Organization of the privacy/honor that can be organized in the first axis
3-2-3 Categorization of devices and systems connecting physical space and cyberspace
Based on the two axes above, it is possible to map devices and systems connecting physical space and cyberspace according to the hidden risks in those devices and systems.
For example, nine segments (categories) can be formed in accordance with the risks by organizing the risks from the perspective of difficulty of recovery as limited damage (recovery is easy), serious damage (recovery is not easy), and severe damage (recovery is difficult) on the first axis, and from the perspective of economic impact as limited economic impact, serious economic impact, and catastrophic economic impact on the second axis.
These categories can be utilized when reviewing appropriate measures for the respective devices and systems. As stated above, the security issues of devices and systems connecting physical space and cyberspace are diverse, so the appropriate measures for the respective devices and systems are not uniform either. However, when a review is carried out based on these categories, the impact of an incident tends to be larger for devices and systems categorized toward the top right, so stronger measures are thought to be necessary, while those categorized toward the bottom left can be organized so that minor measures are sufficient. The details are stated in 3-3.
Note that here the devices and systems themselves were mapped as an example, but mapping could also be carried out by focusing on the functions provided by the devices and systems that comprise the services. The units of the devices and systems can be established optionally when carrying out the mapping. Furthermore, even for the same device, its importance and issues, the impact of an incident, etc. differ greatly depending on its purpose, including what kinds of systems it will be used with, what role it will have in those systems, the skills possessed by the people who will use it, etc. For that reason, it is necessary to note that even for the same device the mapping destination can differ depending on the form of use, etc.
Figure 5: Image of the categorization of devices and systems connecting physical space and cyberspace
(* Even for the same device, the mapping destination can differ depending on the form of use, etc. For example, cases in which Device g and Device h are the same device with a different form of use, etc. are possible.)
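The two-axis categorization of 3-2-1 to 3-2-3, written out as an added Python example that is not part of the METI document: the axis levels follow the Framework's wording, while the recovery-time and monetary thresholds, the sample devices and forms of use, and the `dominates` partial-order helper are constructed assumptions. The sample also shows the Device g / Device h caveat, the same sensor landing in two different categories under two forms of use.

```python
"""Two-axis risk categorization, modelled on the IoT Security Safety Framework.

Added example; thresholds, sample devices and the partial-order helper are
constructed for illustration and are not given by the Framework itself.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Recovery(IntEnum):
    """First axis: degree of difficulty of recovery from the incident."""
    LIMITED = 1   # limited damage: recovery is easy
    SERIOUS = 2   # serious damage: recovery is not easy
    SEVERE = 3    # severe damage: recovery is difficult or impossible


class Economic(IntEnum):
    """Second axis: degree of economic impact of the incident."""
    LIMITED = 1
    SERIOUS = 2
    CATASTROPHIC = 3


@dataclass(frozen=True)
class Impact:
    """Assessed consequences of an incident for one device in one form of use."""
    loss_of_life: bool = False               # cannot be recovered
    severe_disability: bool = False          # full recovery cannot be assured
    irreversible_privacy_harm: bool = False  # sensitive data, once revealed
    recovery_days: Optional[int] = None      # None: no physical recovery needed
    monetary_loss_jpy: int = 0               # impact converted into monetary value


# Constructed placeholder thresholds; the Framework gives no figures.
EARLY_RECOVERY_DAYS = 7
ECONOMIC_THRESHOLDS_JPY = {
    Economic.SERIOUS: 10_000_000,
    Economic.CATASTROPHIC: 1_000_000_000,
}


def recovery_level(impact: Impact) -> Recovery:
    """First axis (3-2-1): unrecoverable harm to life, body or privacy/honor is
    SEVERE; recoverable harm splits on whether early recovery is possible."""
    if impact.loss_of_life or impact.severe_disability or impact.irreversible_privacy_harm:
        return Recovery.SEVERE
    if impact.recovery_days is None or impact.recovery_days <= EARLY_RECOVERY_DAYS:
        return Recovery.LIMITED
    return Recovery.SERIOUS


def economic_level(impact: Impact) -> Economic:
    """Second axis (3-2-2): monetary value only, independent of recovery difficulty."""
    if impact.monetary_loss_jpy >= ECONOMIC_THRESHOLDS_JPY[Economic.CATASTROPHIC]:
        return Economic.CATASTROPHIC
    if impact.monetary_loss_jpy >= ECONOMIC_THRESHOLDS_JPY[Economic.SERIOUS]:
        return Economic.SERIOUS
    return Economic.LIMITED


def categorize(impact: Impact) -> tuple:
    """Map one (device, form of use) onto one of the nine categories of 3-2-3."""
    return recovery_level(impact), economic_level(impact)


def dominates(a: tuple, b: tuple) -> bool:
    """a calls for at least as strong measures as b on both axes and stronger on one.
    Assumption: because the axes are independent, this is only a partial order, so
    categories on opposite corners of the grid are incomparable."""
    return a[0] >= b[0] and a[1] >= b[1] and a != b


def comparable(a: tuple, b: tuple) -> bool:
    return a == b or dominates(a, b) or dominates(b, a)


# Constructed sample: the same temperature sensor in two forms of use (the
# "Device g / Device h" note of Figure 5), a wearable and a factory robot arm.
SAMPLE_USES = {
    "temp sensor, smart-home thermostat": Impact(recovery_days=1, monetary_loss_jpy=50_000),
    "temp sensor, pharmaceutical cold chain": Impact(recovery_days=30, monetary_loss_jpy=300_000_000),
    "wearable, health data": Impact(irreversible_privacy_harm=True, monetary_loss_jpy=2_000_000),
    "robot arm, factory floor": Impact(severe_disability=True, monetary_loss_jpy=20_000_000),
}


def categorize_all(uses=SAMPLE_USES) -> dict:
    return {name: categorize(impact) for name, impact in uses.items()}


if __name__ == "__main__":
    cats = categorize_all()
    for name, (rec, eco) in cats.items():
        print(f"{name:42s} -> recovery={rec.name:8s} economic={eco.name}")
    cold_chain = cats["temp sensor, pharmaceutical cold chain"]  # (SERIOUS, SERIOUS)
    wearable = cats["wearable, health data"]                     # (SEVERE, LIMITED)
    print("comparable:", comparable(cold_chain, wearable))       # False
```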
3-3 Organization of the desired security and safety requirements
As stated in 3-2-3 above, the first axis and the second axis can be utilized to categorize devices and systems connecting physical space and cyberspace based on their risks, but it is difficult to review specific measures for the acceptance of new mechanisms and services by our society with this mapping alone. For that reason, the Framework establishes a third axis for the perspectives of the desired security and safety requirements, in order to comprehensively organize the security measures of devices and systems connecting physical space and cyberspace.
The third axis is orthogonal to the plane formed by the first axis and the second axis, constitutes the so-called third dimension, and fulfills the role of showing the perspectives of the desired security and safety requirements in the respective categories organized by the first axis and the second axis. The third axis organizes the means of securing security and safety from the following four perspectives.
Figure 6: Image of the perspectives of the desired security and safety requirements based on the category
3-3-1 The first perspective: Confirmation requirements before operation (manufacturing phase)
At the phase in which devices and systems connecting physical space and cyberspace are manufactured, and before they are actually provided for utilization, it is required to confirm that the necessary security and safety measures have been taken for the devices and systems themselves, and/or that the producers, suppliers and inspectors of said devices and systems, and in some cases the production equipment and factories, satisfy the necessary ability or capacity conditions, etc.
Regarding the security and safety measures, there are cases in which their content is established by the suppliers themselves and cases in which it is forcibly established by laws and regulations, etc. Furthermore, the methods for confirming that their content has been satisfied also take a variety of forms, including self-declaration, certification by a third party, etc., and the actual confirmation method is established based on the expertise and objectivity desired for the confirmation level.
3-3-2 The second perspective: Confirmation requirements during operation
Even if the security and safety measures are confirmed before operation of the devices and systems, there is a possibility that unanticipated problems with the devices and systems will occur due to breakdowns during operation, updates and maintenance of software, etc. In order to confirm whether such problems have occurred, it is required to inspect the devices and systems after the commencement of operation, taking into consideration their life cycle and service period.
These are security and safety measures during operation, so they make it possible to secure a higher level of security and safety for devices and systems. On the other hand, it is necessary to satisfy the condition that the owners and operators of the devices and systems be involved, or that the ownership rights and/or management rights of the devices and systems remain on the supplier side, etc. In order to seek reliable implementation, it is necessary to prepare additional social mechanisms, such as clarifying the roles and points of responsibility demarcation of each stakeholder, etc. Note that here as well a variety of forms of inspection can be adopted, such as voluntary inspections, inspections by third parties, etc.
3-3-3 The third perspective: Confirmation requirements for operator (operator’s license etc.)
When the impact of an incident occurring due to misuse or erroneous operation, etc. of the devices and systems is not at a level that can be permitted with the security and safety measures for the devices and systems alone, it is required to confirm that the persons carrying out the operation and management of the devices and systems possess the abilities necessary to operate and manage them appropriately. For example, in the case of automobiles, the person driving is required to obtain a driver’s license proving that they possess a certain level of skill and knowledge, and social mechanisms have thereby been constructed for society to accept skills that bring about large social benefits even though the impact would be large if an incident occurred.
3-3-4 The fourth perspective: Other requirements of mechanisms, such as social support
When the impact of an incident would be extremely large, meaning that it would not be easy for the owners and/or users of said mechanisms to compensate individually, it is required to prepare a social safety net, such as making enrolment in insurance mandatory in advance, etc.
For example, in the case of automobiles, a person who owns and drives an automobile is required to acquire a driver’s license, and in addition it is mandatory to enroll in Compulsory Automobile Liability Insurance. Due to this, a social safety net has been constructed so that even when the financial resources of a driver who caused an accident are not sufficient, a minimum level of compensation is provided to any persons who were harmed.
Note that, for example, in order to avoid an incident due to misuse and erroneous operation by a user, it is necessary to review, based on the characteristics of the devices and systems, whether it is appropriate to realize this through confirmation of the abilities of the person carrying out the operation and management, as in the third perspective, or to impose an obligation to provide information such as an instruction manual to the user before the sale, as in the first perspective.
Furthermore, each perspective was established based on differences in the concepts for the content of the security and safety requirements, so even within the same perspective the individual security and safety measures that are specifically required are not uniform. Therefore, it is necessary to note that, supposing the perspectives and content of the security and safety requirements are converted into implementation costs, when the costs of a category that requires the security and safety requirements only up to the second perspective are compared with those of a category that requires all of the security and safety requirements up to the fourth perspective, the costs of the former will not necessarily be lower. The Framework can be made more sophisticated by organizing in detail the specific security and safety requirements in each perspective in each field.
4. How to utilize the Framework
It is predicted that new mechanisms and services realized by connecting cyberspace and physical space will be created in a variety of forms going forward. Utilizing the Framework enables the entities intending to realize those services to categorize devices and systems connecting physical space and cyberspace based on the hidden risks in those devices and systems, to ascertain the perspectives of the desired security and safety requirements for each category, and to make comparisons among categories. Due to this, even when reviews are carried out through separate processes, it is possible to secure, to some extent, the consistency of the perspectives and content of the security and safety measures required of the respective devices and systems for the new mechanisms and services.
What must be noted when doing this is that the characteristics and size of the impact when an incident occurs differ depending on the purpose of the IoT devices and systems. In other words, the Framework does not determine certain perspectives of security and safety requirements for certain specific devices; it is a framework for appropriately analyzing the impact of an incident from the perspective of the user of the mechanisms and services, categorizing them in accordance with the first axis and the second axis, and utilizing the third axis in accordance with that category to appropriately review the perspectives and content of the security and safety requirements.
In order to utilize the Framework effectively, it is required to organize use cases to refine the means of categorization using the first axis and the second axis, and to develop an environment in which the perspectives and content of the security and safety requirements can be compared using the third axis, by accumulating use cases. Therefore, going forward, it is necessary to put in place the fundamental conditions for developing a systematic response to appropriately implement security and safety measures in a society where the IoT is widely utilized and cyberspace and physical space are highly integrated, by organizing specific mechanisms and services as use cases based on the Framework.