STRIDE - intelliFLEX

Autonomous Security Deep Dive, May 21, 2019
2019 NXM Labs Inc. - Confidential

Self-Sovereign Security for Machines

Our conversation today will be centered on:
1. Internet security is necessary but not sufficient for IoT
2. Security is not possible without identity
3. Devices are divided into a hierarchy of controllers and controlled
4. Data ownership is not an issue when the data is anonymized
5. Access rights and control are more important than ownership
6. RBAC and ABAC are both needed to control IAM for machines
7. Securing hardware, software, data and communication
8. Abstraction of NXM's embedded end-to-end encryption

1. Internet Security vs. IoT Security

- Secure email might be a better model
- Two decades ago BlackBerry secured email with 3DES; BES and BIS were the system components and the PIN was the identifier
- BlackBerry was the first C-IoT (Cellular IoT)
- Secure manufacturing was essential in making it all work

(Diagram: Good Practice, Certification, Regulation)

2. Identity is Essential in Security

- Replacing the physical PIN with a self-defined identity
- PIN-to-PIN messaging became BlackBerry Messenger
- This could be a model for P2P communication using identity
- Trust and data integrity are the two by-products of DSA (digital signatures)
- Firmware could be customized based on identity and time
- Identity and PKI should be loosely coupled, but 1-to-1 at any time
- Discrete dissemination of identity could result in a PAN for the device
- DLT would allow good behavior and act as the control plane
- Identity recovery would allow for a lifetime identity

3. Hierarchical Control

- RBAC based on a single administrator graph
- Devices are self-governing, meaning they are the final arbiter
- The graph of connection means that the first peer would be the admin
- The peer admin is complementary to the system admin, not a replacement
- Reversing the paradigm of ownership, H2M and M2M, in 4 phases:
  1. Centralized Identity
  2. Federated Identity
  3. User-Centric Identity
  4. Self-Sovereign Identity

4. Access and Control, not Ownership

- Removing PII from data
- Ownership is an issue when PII is mixed with the data
- It is also an issue if pattern matching and machine learning on the data leak PII
- Who does the connected-car data belong to?
- Shared ownership makes the application of data rights difficult

- IAM for machines could allow for access rights via RBAC and ABAC
- The best model would be publish and subscribe for stakeholders
- This allows fine-grained control if the data is classified as encrypted, public, private or protected
- The machine administrator can control or sell extended access rights to the data

5. Attribute Based Access Control

- Data context can eliminate a lot of AI computation
- The NameSpace does a lot of the heavy work here as the main context
- Machine identity does not mean a single mission for the machine
- P2P in the control-plane implementation
- Triple-blind implementation in the user plane for data dissemination
- Approximate geographic area predefined in the control plane
- MQTT path aggregation predefined by definition and unlimited
- Manual definition allowing for automated machine control
- The NameSpace allows ownership of the NameSpace by an organization
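The RBAC/ABAC split for a publish-and-subscribe user plane described in slides 4 and 5 (control-plane roles, NameSpace membership, an approximate geographic area and a data class as attributes, MQTT wildcard paths as the aggregation mechanism), written out as an added Go example. It is not NXM's code and does not come from the deck. The topic layout, the "ctl/" prefix for control-plane topics, the ranking of the data classes and the sample identity are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Control-plane roles (RBAC); the deck names only "admin" and "user".
type Role int

const (
	RoleUser Role = iota
	RoleAdmin
)

// User-plane data classes, ranked Public < Protected < Private (the ranking is this example's assumption).
type Class int

const (
	Public Class = iota
	Protected
	Private
)

// Principal is a machine or human identity: one control-plane role plus user-plane attributes.
type Principal struct {
	Role       Role            // RBAC: control-plane rights
	Namespaces map[string]bool // ABAC: NameSpaces the principal belongs to
	Areas      map[string]bool // ABAC: approximate geographic areas granted in the control plane
	Clearance  Class           // ABAC: highest data class the principal may receive
}

// Message is a user-plane publication; the topic layout "<namespace>/<service>/<device>/<kind>" is assumed.
type Message struct {
	Topic string
	Class Class
	Area  string // geographic tag attached at publish time; empty means untagged
}

// MatchFilter implements MQTT topic-filter matching: "+" matches one level, "#" the rest.
func MatchFilter(filter, topic string) bool {
	f, t := strings.Split(filter, "/"), strings.Split(topic, "/")
	for i, seg := range f {
		if seg == "#" {
			return i == len(f)-1 // "#" is only valid as the last level
		}
		if i >= len(t) || (seg != "+" && seg != t[i]) {
			return false
		}
	}
	return len(f) == len(t)
}

// CanPublish: control-plane topics (assumed prefix "ctl/") are pure RBAC;
// user-plane topics are gated by NameSpace membership. The string is the rule that decided.
func CanPublish(p Principal, m Message) (bool, string) {
	ns := strings.SplitN(m.Topic, "/", 2)[0]
	if ns == "ctl" {
		return p.Role == RoleAdmin, "control plane: publish requires the admin role"
	}
	return p.Namespaces[ns], "user plane: publish requires membership of NameSpace " + ns
}

// CanSubscribe checks a filter at subscribe time. Wildcard aggregation is allowed inside a
// NameSpace the principal holds; control-plane and cross-NameSpace filters need admin.
func CanSubscribe(p Principal, filter string) (bool, string) {
	switch top := strings.SplitN(filter, "/", 2)[0]; top {
	case "ctl", "+", "#":
		return p.Role == RoleAdmin, "control plane or cross-NameSpace filter requires the admin role"
	default:
		return p.Namespaces[top], "subscribe requires membership of NameSpace " + top
	}
}

// CanDeliver is the per-message attribute check a broker runs before forwarding one
// publication to one subscriber: filter matches, class within clearance, area granted.
func CanDeliver(p Principal, filter string, m Message) (bool, string) {
	if !MatchFilter(filter, m.Topic) {
		return false, "filter does not match topic"
	}
	if ok, rule := CanSubscribe(p, filter); !ok {
		return false, rule
	}
	if m.Class > p.Clearance {
		return false, "data class above the subscriber's clearance"
	}
	if m.Area != "" && !p.Areas[m.Area] {
		return false, "message tagged outside the subscriber's permitted areas"
	}
	return true, "allowed"
}

func main() {
	// Constructed sample identity and message; names are illustrative only.
	insurer := Principal{Role: RoleUser, Clearance: Protected,
		Namespaces: map[string]bool{"acme-fleet": true}, Areas: map[string]bool{"ON": true}}
	gps := Message{Topic: "acme-fleet/telematics/car-0042/gps", Class: Private, Area: "ON"}
	fmt.Println(CanDeliver(insurer, "acme-fleet/telematics/+/gps", gps)) // denied: Private > Protected
	fmt.Println(CanDeliver(insurer, "#", gps))                           // denied: cross-NameSpace wildcard
}
```

The design point worth keeping from this sketch is that the NameSpace, area and class checks run per message at delivery time, not only when the subscription is accepted, so a subscriber holding a legitimate filter still does not receive publications whose attributes exceed its grant. Cross-NameSpace wildcards are refused outright for non-admins: a wildcard at the NameSpace level is exactly the kind of aggregation the control plane is meant to authorize explicitly.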

6. Role Based Access Control

- Mainly in the control plane
- Originally two roles were defined, admin and user, for individuals
- Group, stakeholder and consortium access control under NXM
- Identity and key management are all done through the blockchain
- The immutable nature of the blockchain allows for auditing over time
- Four types of implementation are possible:
  1. NXM system
  2. IBM Hyperledger white label
  3. Kubernetes, Docker, HashiCorp private instances
  4. Distributed decentralized consortium with others using Min/Max

7. Single Methodology

For securing hardware, software, data and communication:
- Machine security needs hardware security
- Secure boot and secure update, using firmware CI/CD per identity
- Application-level security relying on kernel-space separation
- Data is E2E encrypted; communication runs over secure channels
- An inventory of things allows batches/lots to be treated differently
- Identity would be more reliable over time: Concrete ID
- Convenience trumps security
- Complexity is the enemy of trust

8. NXM Automotive Router

Onboarding

Preparation is the main key to eliminating complexity.

(Diagram of the onboarding flow: Onboard, Inventory, FOTA, Secure Boot, Access, CID:Pub, Data schema, PKI, Identity, CUPS, NameSpace, Initial, Role based, Attributes, Meta data, Register)

In Keeping with Other Standards

Regulations are coming.

UK Code of Practice

Code of Practice for Consumer IoT Security:
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
4. Securely store credentials and security-sensitive data
5. Communicate securely
6. Minimize exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resilient to outages
10. Monitor system telemetry data
11. Make it easy for consumers to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data

What is the direction for IoT implementations?

An internet of secure things, or a secure cloud of things?

20 years ago, the internet was a technical issue with some political implications. Today, it is a political issue with many technical components.

(Diagram: Good Practice, Certification, Regulation)

CUPS: Control User Plane Separation

- Control Plane: device onboarding, device management, role- and attribute-based access
- User Plane: application data, sensor data, aggregated data, metadata, analysis
- Peer to Peer: control-plane role- and attribute-based access controls (P2P, RBAC, ABAC)
- Triple Blind: user-plane data dissemination model for device, broker and user encryption
- MQTT: Message Queuing Telemetry Transport, a publish-and-subscribe (pub-sub) data model
- NameSpace: systematic data-model description for configuring telematics in the user plane
- Services: pre-configured data-model segmentation for data by NameSpace definition
- Path: MQTT path abstraction used to send device data to the broker for consumption

CUPS in 5G/LTE as Inspiration

Used as a model for CUPS in the Cellular Internet of Things (CIoT).

(Diagram of the cellular protocol stack used as the model, Layer 1 to Layer 3: physical layer with TDD/FDD, MAC (TS 25.321), RLC (TS 25.322), PDCP and BMC, with RRC in the control plane; broadcast, packet-switched and circuit-switched services; user plane (UP) alongside the control plane (CP). Note that the 25.3xx specifications cited on the slide are the 3GPP UMTS/UTRAN stack; the LTE equivalents are the 36.3xx series.)

CUPS using DLT for IoT

A simpler model than the LTE implementation.

(Diagram: Layer 1 physical layer over RF or wire; Layer 2 MAC and IP; Layer 3 with the control plane as a DLT overlay and the user plane as MQTT pub-sub.)

EE2EE: Embedded End-to-End Encryption in a Cloud Infrastructure

- Encryption for: secure boot/update of firmware, application, data and communication
- Encrypted during: transmission, storage, viewing and processing in, to and via the cloud/fog
- Encrypted only: for devices that have been registered in the system and are in inventory
- Encrypted at: the late-onboarding stage, when the device is connected for the first time
- Encrypted with: agile crypto, to enable resetting the encryption and repurposing the IoT device
- Encryption key: managed by the digital ledger, with the private key never leaving the IoT device
- Encryption strength: defining a one-way hierarchy of security levels from carrier grade to consumer
- Encryption implementation: defining the access level using both roles and attributes

Bifurcation of Data

- The CID is the only link to a full and complete view of the data
- Delimitation of control-plane interactions by behavior
- Anonymized data access without sacrificing control
- Delegated control based on rules, similar to MUD (Manufacturer Usage Description)
- Late onboarding, similar to Intel SDO (Secure Device Onboard)
- Device management, similar to Arm Pelion
- Has the advantages of repurposing and admin extension of roles
- Agile crypto allows for changes over time
- Quake makes it quantum-safe

Questions
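The EE2EE and Bifurcation of Data slides above describe a payload that stays encrypted through the broker, a device secret that never leaves the device, and agile crypto that re-keys on demand. As an added example (not NXM's code and not from the deck), the following Go program models that with standard-library primitives: a device root secret provisioned at onboarding, per-NameSpace data keys derived from it with HKDF-SHA256 for a given epoch, AES-256-GCM with the routing metadata as associated data, and a broker that only ever sees the envelope header. The salt string, topic layout, epoch scheme and the assumption that the control plane delivers derived data keys (never the root) to authorized subscribers are this example's own; the deck does not specify how keys are distributed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// hkdf32 is HKDF-SHA256 (RFC 5869) for one 32-byte output block: extract a PRK, then one expand step.
func hkdf32(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// Envelope is what the device hands to the broker: routing metadata in the clear, payload sealed.
type Envelope struct {
	Topic      string
	Epoch      uint32
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the 16-byte tag appended
}

// aad binds the clear-text routing metadata to the ciphertext so the broker cannot relabel it.
func aad(topic string, epoch uint32) []byte {
	return []byte(fmt.Sprintf("topic=%s;epoch=%d", topic, epoch))
}

// Device holds a root secret provisioned at late onboarding; the root itself is never exported.
type Device struct{ root []byte }

func NewDevice() (*Device, error) {
	root := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, root); err != nil {
		return nil, err
	}
	return &Device{root: root}, nil
}

// DataKey is the per-NameSpace, per-epoch key the control plane hands to authorized subscribers
// (assumed distribution model). Bumping the epoch re-keys without touching the root: the agile-crypto reset.
func (d *Device) DataKey(ns string, epoch uint32) []byte {
	return hkdf32(d.root, []byte("example-onboarding-salt"), aad(ns, epoch))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish seals plaintext under the current data key of the topic's NameSpace (first topic level).
func (d *Device) Publish(topic string, epoch uint32, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(d.DataKey(strings.SplitN(topic, "/", 2)[0], epoch))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(topic, epoch))
	return Envelope{Topic: topic, Epoch: epoch, Nonce: nonce, Ciphertext: ct}, nil
}

// BrokerView is all the broker learns: enough to route and apply topic ACLs, nothing of the content.
func BrokerView(e Envelope) string {
	return fmt.Sprintf("%s epoch=%d payload=%d bytes", e.Topic, e.Epoch, len(e.Ciphertext))
}

// Open is the subscriber side; a relabelled topic, wrong epoch or stale key fails authentication.
func Open(key []byte, e Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, aad(e.Topic, e.Epoch))
}

func main() {
	dev, _ := NewDevice()
	env, _ := dev.Publish("acme-fleet/telematics/car-0042/gps", 1, []byte("43.65,-79.38")) // constructed sample
	fmt.Println("broker sees:", BrokerView(env))
	pt, err := Open(dev.DataKey("acme-fleet", 1), env)
	fmt.Println("authorized subscriber:", string(pt), err)
	_, err = Open(dev.DataKey("acme-fleet", 2), env) // an epoch-2 key does not open epoch-1 traffic
	fmt.Println("wrong epoch key:", err)
}
```

The broker sees only what BrokerView returns. Because the topic and epoch are authenticated as associated data, a broker that rewrites the topic to steer data into another device slot, or replays an epoch-1 envelope as epoch-2 traffic, produces an authentication failure at the subscriber rather than silently accepted data. Out of scope here, and not specified by the deck either: how the derived data key is wrapped for each individual subscriber under the ledger-managed PKI, nonce management at high publication rates (a per-epoch counter is the usual answer), and the quantum-safe claim attached to Quake.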
