IoT Security Safety Framework - METI

IoT Security Safety Framework
Securing the Trustworthiness of Mutual Connections between Cyberspace and Physical Space
(Draft)

Table of Contents

1. Necessity of this Framework ..... 3
  1-1 The second layer in CPSF (mutual connections between cyberspace and physical space) ..... 3
    1-1-1 An introduction to CPSF ..... 3
    1-1-2 The positioning of the second layer ..... 3
  1-2 Purpose of the Framework ..... 5
2. Intended readers of the Framework ..... 6
3. Basic Structure of the Framework ..... 6
  3-1 Concepts in the background of the basic structure ..... 6
  3-2 Organization of hidden risks in devices and systems connecting physical space and cyberspace ..... 7
    3-2-1 The first axis: degree of difficulty of recovery from the incident ..... 7
    3-2-2 The second axis: the degree of economic impact of the incident (conversion into monetary value) ..... 9
    3-2-3 Categorization of devices and systems connecting physical space and cyberspace ..... 10
  3-3 Organization of the desired security and safety requirements ..... 11
    3-3-1 The first perspective: Confirmation requirements before operation (manufacturing phase) ..... 12
    3-3-2 The second perspective: Confirmation requirements during operation ..... 13
    3-3-3 The third perspective: Confirmation requirements for operator (operator's license etc.) ..... 13
    3-3-4 The fourth perspective: Other requirements of mechanisms, such as social support ..... 14
4. How to utilize the Framework ..... 14

1. Necessity of this Framework

1-1 The second layer in CPSF (mutual connections between cyberspace and physical space)

1-1-1 An introduction to CPSF

In an industrial society where cyberspace and physical space are highly integrated, the processes that generate value, namely products and services (the supply chains), are changing from conventional rigid, linear supply chains to flexible supply chains based on diverse mutual connections. The Cyber/Physical Security Framework (CPSF) is a compilation of concepts for ensuring the security of this new industrial society; it organizes the security issues in this new kind of value creation process and the measures to resolve them. The CPSF stated that "The security of physical data produced by IoT devices – and its digitization, transport, storage, and analysis – is very different from interactions between two trusted entities in a conventional supply chain. Often this IoT data is used to generate new data through automated analysis. Data is also used to create physical products and services in physical space by controlling physical IoT devices. All these interactions and more must be secured and controlled by value creation process participants". It established three different anchor points of trustworthiness: the first layer places the anchor point of trustworthiness in mutual connections between companies, the second layer places it in mutual connections between cyberspace and physical space, and the third layer places it in mutual connections in cyberspace. Centered on these anchor points, the CPSF identified the security issues for the economy and society overall and compiled measures to overcome them.

1-1-2 The positioning of the second layer

The second layer is the border between cyberspace and physical space. The anchor point of trustworthiness in the second layer is that information crossing this border is converted accurately, in other words, that the accuracy of the transcription and translation function is secured. Generally, the border between cyberspace and physical space is formed by so-called "IoT" systems, comprised for example of sensors and actuators, which are responsible for this transcription and translation function. Devices and systems connecting physical space and cyberspace, such as IoT, offer benefits for the corporate and economic activities of the people and organizations that use them, while on the other hand, when an incident occurs, those same people and organizations incur losses and bear liabilities. Therefore, securing the security of IoT devices and systems is at the core of the security measures in the second layer.

On the other hand, security issues in the second layer are not uniform. Even in the CPSF, multiple cases like the following are shown:

- As a result of cyberattacks on the functions of sensors, data in physical space are not properly transcribed and wrong data are provided to cyberspace, so that trust in operations implemented using such data will be lost.
- Due to wrong instructions from cyberspace and/or cyberattacks on IoT devices, control of the devices in physical space is executed in an erroneous form, causing safety problems such as physical harm to employees and damage to devices.
- The functions of IoT devices and systems are suspended due to cyberattacks, etc.

Furthermore, the CPSF mentions the following issues in the management of IoT devices and systems connecting cyberspace and physical space:

- In organizations, it is necessary to consider multilayered measures for physical security in accordance with the importance of the role borne by IoT devices, such as separating the areas where critical IoT devices are installed from other areas in order to control access at the border, and monitoring the critical area with surveillance cameras or other appropriate tools to detect any unauthorized actions.
- Some IoT devices, such as those installed in households by individuals, are difficult for organizations to control, so it is necessary to consider the risks of theft and loss when taking measures.

Therefore, when implementing security measures in the second layer, it is necessary to take into account not only the diversity of issues related to IoT devices and systems but also the diversity of environments in which IoT devices and systems are utilized. With respect to those diversities, the CPSF organizes the risk sources and measure requirements through the three-layer approach and presents examples of security measures for handling the measure requirements. It deems it necessary to respond with a combination of measures from the perspective of functional safety and cybersecurity measures, based on the major premise that safety is secured.

Figure 1: The three layers model in the CPSF and the trustworthiness in each layer

1-2 Purpose of the Framework

As also mentioned in the IoT Security Guidelines (1), IoT devices used for simple information services differ from those used in factories and social infrastructure systems in security level, purpose, and priority. It is thought that going forward, along with the expansion of IoT utilization, actual security measures for individual and specific IoT devices and systems in each field of use will proceed taking into account the peculiarities and diversity of each respective field. In that process, a uniform means of comprehensively grasping the issues concerning the security and safety of devices and systems connecting cyberspace and physical space is lacking, so there are concerns that distinct security and safety measures, etc. will be established through separate review processes in the respective fields/industries. There is a danger that if inconsistencies arise among the respective measures, the costs to society of accepting and managing new mechanisms will increase.

The Framework aims to avoid situations like the above by focusing on the new risks brought about by the new mechanisms connecting cyberspace and physical space, and by presenting means of categorizing forms of risk and the security and safety measures for responding to those risks. In other words, its purpose is to provide the "basic common infrastructure" that enables players in different fields/industries to share a scheme contributing to the review of security and safety in devices and systems connecting cyberspace and physical space (in other words, IoT devices and systems), so that society can effectively accept the new mechanisms of IoT. Note that in the Framework, the Internet of Things (IoT) is interpreted to be the representative example of devices and systems connecting cyberspace and physical space, but the Framework covers all aspects of devices and systems connecting cyberspace and physical space.

(1) The IoT Acceleration Consortium, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry; formulated in July 2016

2. Intended readers of the Framework

People who intend to realize new mechanisms and services by constructing mechanisms connecting cyberspace and physical space must be aware that the security issues of those mechanisms and services will necessarily be diverse, because the mechanisms and services themselves are realized in a variety of forms, and must take appropriate security measures that account for that diversity. The more innovative the new mechanisms and services are, the greater the need to take comprehensive measures responding to the anticipated variety of issues, so that the new mechanisms and services will be accepted in our society.

Therefore, the Framework is intended to be used as a reference when an entity realizing new mechanisms and services attempts to take security measures for the new risks, and when an entity utilizing those kinds of mechanisms and services perceives the associated risks itself through understanding the Framework. For example, readers of the following types are intended:

- People who intend to utilize the IoT to realize new mechanisms and services connecting cyberspace and physical space
- People developing IoT devices and systems utilized with those kinds of new mechanisms and services
- People who intend to realize systems and environments for appropriately managing those kinds of new mechanisms and services
- People who receive those kinds of new mechanisms and services

3. Basic Structure of the Framework

3-1 Concepts in the background of the basic structure

There is a variety of forms of new mechanisms connecting cyberspace and physical space and a variety of security issues arising from them; furthermore, the types of harm in the case that an incident actually occurs are extremely diverse. If uniform security requirements were set for the devices and systems that comprise those kinds of mechanisms, then even supposing those requirements were satisfied, they could not sufficiently respond to the diverse security issues. In other words, we could not conclude that users are protected appropriately. The key point when reviewing second layer security measures is what kind of approach to take with respect to this diversity.

As a technique for approaching the point of contention regarding the "diversity" of new mechanisms and services connecting cyberspace and physical space, the Framework utilizes three axes that consolidate the basic concepts for ascertaining the risks, and the measures against those risks, in the devices and systems comprising these mechanisms (hereinafter referred to as "devices and systems connecting physical space and cyberspace"); it categorizes those devices and systems and organizes the content of the appropriate measures so that proposals can be compared and reviewed.

3-2 Organization of hidden risks in devices and systems connecting physical space and cyberspace

The events in which an impact arises, in the case that security issues of devices and systems connecting physical space and cyberspace actually lead to an incident, are extremely diverse. There are cases that have an impact on human life, cases pertaining to privacy, cases pertaining to damage to assets, cases pertaining to the living environment, etc. In other words, the hidden risks in devices and systems connecting physical space and cyberspace are diverse.

However, when reviewing security measures for devices and systems connecting physical space and cyberspace, organizing each event that is impacted by an incident separately conversely makes the concepts more complex. Therefore, it is necessary to focus on a small number of standards, abstracted by extracting common items from the impacted events, so that the hidden risks in devices and systems connecting physical space and cyberspace can be organized in a simple form.

For that reason, the Framework abstracts and organizes the variety of events that impact human lives/bodies, privacy/honor, assets, living environments, and economic activities, or the impact of harmful rumors, etc., into the following two standards, and establishes them as two axes for categorizing the hidden risks in devices and systems connecting physical space and cyberspace.

3-2-1 The first axis: degree of difficulty of recovery from the incident

The first axis ascertains risks based on the difficulty of recovery from the incident. Regarding difficulty of recovery, it is first necessary to think about the impact on human lives/bodies more than anything else. Needless to say, if human life is lost it cannot be recovered. Furthermore, in the case that a severe physical disability occurs as a result of the incident, there are quite a few cases in which it cannot be concluded that full recovery is possible. Even supposing recovery is possible, there are cases in which early recovery is possible and cases in which recovery takes time. This kind of evaluation criterion, regarding whether or not recovery from the incident is possible and, in the case that recovery is possible, whether or not early recovery is possible, is established as the first axis.

This first axis stands in the same position as the basic concepts of regulatory mechanisms that establish the safety measures and prohibited actions forcibly required by the legal structures in fields such as product safety and industrial safety, and it also secures consistency with the existing system structures.

As shown above, the first axis was first organized around the point of contention of avoiding situations in which recovery of human lives/bodies is impossible. However, information pertaining to the privacy/honor of individual people includes sensitive information that would cause damage to the concerned individual that could not be recovered once the information was revealed, so events pertaining to the protection of information whose disclosure causes unrecoverable damage to the concerned individual can also be organized into issues that are ascertained by the first axis.

Note that risks can be interpreted using both the degree of impact of the incident and the probability of occurrence of the incident, but the Framework takes the approach of categorizing based on the degree of impact in the case that an incident has occurred, without considering the probability of occurrence, which is comparatively difficult to compute, so that categorization taking into account the diversity of devices and systems connecting physical space and cyberspace can be carried out easily.

Figure 2: Image of the degree of difficulty of recovery from the incident (axis: degree of difficulty of recovery from the incident)

3-2-2 The second axis: the degree of economic impact of the incident (conversion into monetary value)

The second axis standardizes the size of the impact of the incident converted into monetary value, excluding the aspect of the possibility and difficulty of recovery from the impact of the incident.

This standard does not take into consideration the difficulty of recovery from the impact of incidents in the kinds of cases pertaining to human lives/bodies and serious privacy/honor issues discussed in 3-2-1; rather, it supposes that recovery from that impact can be ascertained in terms of a monetary value, and events such as damage to assets, impacts on economic activities and society, etc. are ascertained by mapping them onto the second axis.

The second axis should be considered independently from the first axis. Even devices and systems connecting physical space and cyberspace that are ascertained to have a low degree of difficulty of recovery on the first axis might be categorized as devices and systems with an extremely high degree of economic impact on the second axis. On the other hand, there is a high likelihood that devices and systems connecting physical space and cyberspace that are ascertained to have a high degree of difficulty of recovery on the first axis will also fall at a proper level on the second axis when the impact is actually converted into monetary value in the form of compensation money, etc.

Figure 3: Image of the degree of economic impact of the incident (axis: degree of economic impact of the incident)

Figure 4: Organization of the privacy/honor that can be organized in the first axis

3-2-3 Categorization of devices and systems connecting physical space and cyberspace

Based on the aforementioned two axes, it is possible to map devices and systems connecting physical space and cyberspace according to the hidden risks in those devices and systems.

For example, nine segments (categories) can be defined in accordance with the risks, by organizing the risks from the perspective of difficulty of recovery as limited damage (recovery is easy), serious damage (recovery is not easy), and severe damage (recovery is difficult) on the first axis, and organizing the risks from the perspective of economic impact as limited economic impact, serious economic impact, and catastrophic economic impact on the second axis.

These categories can be utilized when reviewing appropriate measures for the respective devices and systems. As stated above, the security issues of devices and systems connecting physical space and cyberspace are diverse, so the appropriate measures for the respective devices and systems are not uniform either. However, when a review is carried out based on these categories, the impact of an incident tends to be larger for devices and systems categorized toward the top right, so stronger measures are thought to be necessary, while on the other hand those categorized toward the bottom left can be organized so that minor measures are sufficient. The details are stated in 3-3.

Note that here we mapped the devices and systems as an example, but the mapping could also be carried out by focusing on the functions provided by the devices and systems comprising the services. The units of the devices and systems can be established freely when carrying out the mapping. Furthermore, even for the same device, its importance and issues, the impact of an incident, etc. differ greatly depending on its purpose, including what kinds of systems it will be used with, what role it will have in those systems, the skills possessed by the people who will use it, etc. For that reason, it is necessary to note that even for the same device the mapping destination can differ depending on the form of use, etc.

Figure 5: Image of the categorization of devices and systems connecting physical space and cyberspace (axes: degree of difficulty of recovery from the incident; degree of economic impact of the incident)
(* Even for the same device, the mapping destination can differ depending on the form of use, etc. For example, cases in which Device g and Device h are the same device with a different form of use, etc. are possible.)

3-3 Organization of the desired security and safety requirements

As stated in 3-2-3 above, the first axis and the second axis can be utilized to categorize devices and systems connecting physical space and cyberspace based on their risks, but it is difficult to review specific measures for the acceptance of new mechanisms and services by our society with this mapping alone. For that reason, the Framework establishes a third axis for the perspectives of the desired security and safety requirements, in order to comprehensively organize the security measures of devices and systems connecting physical space and cyberspace.

The third axis is orthogonal to the plane formed by the first axis and the second axis, constitutes the so-called third dimension, and fulfills the role of showing the perspectives of the desired security and safety requirements in the respective categories organized by the first axis and the second axis.

The third axis organizes the means of securing security and safety from the following four perspectives.

Figure 6: Image of the perspectives of the desired security and safety requirements based on the category (axes: degree of difficulty of recovery from the incident; degree of economic impact of the incident; perspective of security and safety requirements: confirmation requirements before operation, confirmation requirements during operation, confirmation requirements for operator (operator's license etc.), other requirements of mechanisms, such as social support)

3-3-1 The first perspective: Confirmation requirements before operation (manufacturing phase)

At the phase in which devices and systems connecting physical space and cyberspace are manufactured, and before they are actually provided for utilization, it is required to confirm that the necessary security and safety measures have been taken for the devices and systems themselves, and/or that the producers, suppliers, and inspectors of said devices and systems, and in some cases the production equipment and factories, satisfy the necessary ability or capacity conditions, etc.

Regarding the security and safety measures, there are cases in which their content is established by the suppliers themselves and cases in which it is forcibly established by laws and regulations, etc. Furthermore, the methods for confirming that their content has been satisfied also take a variety of forms, including self-declaration, certification by a third party, etc., and the actual confirmation method is established based on the expertise and objectivity desired of the confirmation level.

3-3-2 The second perspective: Confirmation requirements during operation

Even if the security and safety measures are confirmed before operation of the devices and systems, there is a possibility that unanticipated problems in the devices and systems will occur due to breakdowns during operation, updates and maintenance of software, etc. In order to confirm whether those kinds of problems have occurred, it is required to inspect the devices and systems after commencement of operation, taking into consideration their life cycle and service period.

These are security and safety measures during operation, so they make it possible to secure a higher level of security and safety for devices and systems. On the other hand, it is necessary to satisfy the condition that the owners and operators of the devices and systems be involved, or that the ownership rights and/or management rights of the devices and systems remain on the supplier side, etc. In order to seek reliable implementation, it is necessary to prepare further social mechanisms, such as clarifying the roles and demarcation points of responsibility of each stakeholder, etc. Note that for the inspections here as well, a variety of forms of inspection can be adopted, such as voluntary inspections, inspections by third parties, etc.

3-3-3 The third perspective: Confirmation requirements for operator (operator's license etc.)

In the case that the impact of an incident occurring due to misuse or erroneous operation, etc. of the devices and systems is not at a level that can be permitted with the security and safety measures for the devices and systems alone, it is required to confirm that the persons carrying out the operation and management of the devices and systems possess the abilities necessary to operate and manage said devices and systems appropriately. For example, in the case of automobiles, the person driving is required to obtain a driver's license proving that they possess a certain level of skill and knowledge, and social mechanisms have thereby been constructed for society to accept skills that bring about large social benefits even though the impact would be large in the case that an incident occurred.

3-3-4 The fourth perspective: Other requirements of mechanisms, such as social support

In the case that the impact of an incident, were one to occur, would be extremely large, meaning that it would not be easy for the owners and/or users of said mechanisms to compensate individually, it is required to prepare a social safety net, such as making enrolment in insurance mandatory in advance, etc.

For example, in the case of automobiles, a person who owns and drives an automobile is required to acquire a driver's license, and in addition it is mandatory to enroll in Compulsory Automobile Liability Insurance. Due to this, a social safety net has been constructed so that even in the case that the financial resources of a driver who caused an accident are not sufficient, a minimum level of compensation is provided to any persons who were harmed.

Note that, for example, in order to avoid the occurrence of an incident due to misuse and erroneous operation by a user, it is necessary to review, based on the characteristics of the devices and systems, whether it is appropriate to realize this through confirmation of the abilities of the person carrying out the operation and management, as in the third perspective, or appropriate to impose an obligation to provide information such as an instruction manual to the user before the sale, as in the first perspective.

Furthermore, each perspective was established based on differences in the concepts for the content of security and safety requirements, so even within the same perspective the individual security and safety measures that are specifically required are not uniform. Therefore, it is necessary to note that, supposing the perspectives and content of the security and safety requirements are converted into implementation costs, and the costs of a category that requires the security and safety requirements only up to the second perspective are compared with those of a category that requires all of the security and safety requirements up to the fourth perspective, the costs of the former will not necessarily be lower. It is possible to make the Framework more sophisticated by organizing in detail the specific security and safety requirements in each perspective in each field.
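The two-axis categorization of 3-2-3 and the third-axis perspectives of 3-3 can be modelled as a small classification routine, which makes two points of the text concrete: the axes are independent (a limited-recovery device can still sit at catastrophic economic impact), and the axes are properties of a form of use rather than of the device, so one device can land in two segments (the Device g / Device h note under Figure 5). The Python below is an added example written for this edit, not code from METI or from the Framework. The Framework does not prescribe which perspectives each of the nine segments requires, so the rule in required_perspectives is an assumption that only encodes the qualitative statements in 3-3-1 to 3-3-4; the devices and ratings in SAMPLE_USE_CASES are constructed for illustration.

```python
"""Toy model of the IoT Security Safety Framework's three axes.
Added example for this edit; not METI code. The perspective policy is an ASSUMPTION."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Recovery(IntEnum):
    """First axis (3-2-1): degree of difficulty of recovery from the incident."""
    LIMITED = 1   # limited damage: recovery is easy
    SERIOUS = 2   # serious damage: recovery is not easy
    SEVERE = 3    # severe damage: recovery is difficult


class Economic(IntEnum):
    """Second axis (3-2-2): degree of economic impact of the incident."""
    LIMITED = 1
    SERIOUS = 2
    CATASTROPHIC = 3


class Perspective(IntEnum):
    """Third axis (3-3): perspectives of the desired security and safety requirements."""
    BEFORE_OPERATION = 1   # 3-3-1 confirmation before operation (manufacturing phase)
    DURING_OPERATION = 2   # 3-3-2 confirmation during operation
    OPERATOR = 3           # 3-3-3 confirmation requirements for the operator
    SOCIAL_SUPPORT = 4     # 3-3-4 other mechanisms such as social support


Category = Tuple[Recovery, Economic]


@dataclass(frozen=True)
class UseCase:
    """One device in one form of use. The axis ratings belong to the use, not the
    device, which is why the same device may appear twice with different ratings."""
    device: str
    form_of_use: str
    recovery: Recovery
    economic: Economic


def categorize(uc: UseCase) -> Category:
    """Place a use case in one of the 3 x 3 = 9 segments of the two-axis plane (3-2-3)."""
    return (uc.recovery, uc.economic)


def required_perspectives(category: Category) -> FrozenSet[Perspective]:
    """ASSUMED policy, not prescribed by the Framework. It encodes only what the text
    says qualitatively: everything is confirmed before operation; anything beyond
    limited damage/impact is also inspected during operation; operator confirmation
    (3-3-3) is tied to damage that device-level measures alone cannot make acceptable;
    a social safety net (3-3-4) is tied to losses too large to compensate individually."""
    recovery, economic = category
    required = {Perspective.BEFORE_OPERATION}
    if recovery >= Recovery.SERIOUS or economic >= Economic.SERIOUS:
        required.add(Perspective.DURING_OPERATION)
    if recovery == Recovery.SEVERE:
        required.add(Perspective.OPERATOR)
    if economic == Economic.CATASTROPHIC:
        required.add(Perspective.SOCIAL_SUPPORT)
    return frozenset(required)


def mapping_by_device(use_cases: List[UseCase]) -> Dict[str, Dict[str, Category]]:
    """Group mapping destinations per device, so a device used in several forms shows
    up with several segments (the Framework's Device g / Device h note)."""
    out: Dict[str, Dict[str, Category]] = {}
    for uc in use_cases:
        out.setdefault(uc.device, {})[uc.form_of_use] = categorize(uc)
    return out


# Constructed sample inputs (hypothetical devices and ratings, not from the Framework).
SAMPLE_USE_CASES = [
    UseCase("temperature sensor", "hobby weather station", Recovery.LIMITED, Economic.LIMITED),
    UseCase("temperature sensor", "cold-chain vaccine storage", Recovery.SERIOUS, Economic.SERIOUS),
    UseCase("actuator controller", "home garden irrigation", Recovery.LIMITED, Economic.LIMITED),
    UseCase("actuator controller", "chemical plant valve", Recovery.SEVERE, Economic.CATASTROPHIC),
    UseCase("trading gateway", "automated settlement", Recovery.LIMITED, Economic.CATASTROPHIC),
]

if __name__ == "__main__":
    for device, forms in mapping_by_device(SAMPLE_USE_CASES).items():
        for form, cat in forms.items():
            names = sorted(p.name for p in required_perspectives(cat))
            print(f"{device} ({form}): recovery={cat[0].name}, economic={cat[1].name} -> {names}")
```

Running the block lists each constructed use case with its segment and the perspectives the assumed policy attaches to it; the "trading gateway" row shows the second axis forcing the fourth perspective even though the first axis is at its lowest level, and the two "temperature sensor" rows show one device with two mapping destinations. A real deployment of the Framework would replace required_perspectives with the per-field requirements that 3-3 says are still to be organized.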

4. How to utilize the Framework

It is predicted that new mechanisms and services realized by connecting cyberspace and physical space will be created in a variety of forms going forward. Utilizing the Framework enables entities intending to realize those services to categorize devices and systems connecting physical space and cyberspace based on the hidden risks in the devices and systems, ascertain the perspectives of the desired security and safety requirements for each category, and make comparisons among categories. Due to this, even in the case that reviews are carried out through separate processes, it is possible to secure, to some extent, the consistency of the perspectives and content of the security and safety measures required in the respective devices and systems responding to the new mechanisms and services.

What must be noted when doing this is that the characteristics and size of the impact in the case that an incident has occurred differ depending on the purpose of the IoT devices and systems. In other words, the Framework does not determine certain perspectives of security and safety requirements for certain specific devices; it is a framework for appropriately analyzing the impact in the case that an incident has occurred from the perspective of the user of the mechanisms and services, categorizing them in accordance with the first axis and the second axis, and utilizing the third axis in accordance with that category to appropriately review the perspectives and content of the security and safety requirements.

In order to utilize the Framework effectively, it is required to organize use cases to refine the means of categorization using the first axis and the second axis, and to develop, by accumulating use cases, an environment in which the perspectives and content of the security and safety requirements can be compared using the third axis. Therefore, going forward, it is necessary to put in place the fundamental conditions for proceeding with the development of a systematic response to appropriately implement security and safety measures in a society where the IoT is widely utilized and cyberspace and physical space are highly integrated, by organizing specific mechanisms and services as use cases based on the Framework.