STRIDE - intelliFLEX

Autonomous Security Deep Dive, May 21, 2019
2019 NXM Labs Inc. - Confidential

Self-Sovereign Security for Machines

Our conversation today will be centered on:
1. Internet security is necessary but not sufficient for IoT
2. Security is not possible without identity
3. Devices are divided into a hierarchy of controllers and controlled
4. Data ownership is not an issue when the data is anonymized
5. Access rights and control are more important than ownership
6. RBAC and ABAC are both needed to control IAM for machines
7. Securing hardware, software, data and communication
8. Abstraction of NXM's embedded end-to-end encryption

1. Internet Security and IoT Security

Secure email might be a better model:
- Two decades ago BlackBerry secured email with 3DES
- BES and BIS were the system components; the PIN was the identifier
- BlackBerry was the first C-IoT (Cellular IoT)
- Secure manufacturing was essential in making it all work

[Diagram: Good Practice, Certification, Regulation]

2. Identity is Essential in Security

Replacing the physical PIN with a self-defined identity:
- PIN-to-PIN messaging became BlackBerry Messenger
- This could be a model for P2P communication using identity
- Trust and data integrity are the two by-products of DSA
- Firmware could be customized based on identity and time
- Identity and PKI should be loosely coupled, but 1-to-1 and at any time
- Discrete dissemination of identity could result in a PAN for the device
- DLT would allow good behavior and act as the control plane
- Identity recovery would allow for a lifetime identity

3. Hierarchical Control

RBAC based on a single administrator graph:
- Devices are self-governing, meaning they are the final arbiter
- The graph of connections means that the first peer would be the admin
- The peer admin is complementary to the system admin, not a replacement for it
- Reversing the paradigm of ownership (H2M, M2M) in 4 phases:
  1. Centralized Identity
  2. Federated Identity
  3. User-Centric Identity
  4. Self-Sovereign Identity

4. Access and Control, not Ownership

Removing PII from data:
- Ownership is an issue when PII is mixed with the data
- It is also an issue if pattern matching and machine learning on the data leak PII
- Who does the connected-car data belong to?
- Shared ownership makes the application of data rights difficult
- IAM for machines could allow for access rights using RBAC and ABAC
- The best model would be publish and subscribe for stakeholders
- This allows fine-grained control if the data is classified as encrypted, public, private or protected
- The machine administrator can control/sell extended access rights to the data

5. Attribute Based Access Control

Data context can eliminate a lot of AI computation:
- NameSpace does a lot of the heavy work here as the main context
- Machine identity does not mean a single mission for the machine
- P2P in the control plane implementation
- Triple-blind implementation in the user plane for data dissemination
- Approximate geographic area pre-defined in the control plane
- MQTT path aggregation predefined by definition and unlimited
- Manual definition allowing for automated machine control
- NameSpace allows ownership of the NameSpace by an organization
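As an added example (not NXM's code and not part of the slides), the following Python models the combined check the access-control slides describe: the role assigned in the control plane decides which actions a machine may take at all (RBAC), and attributes fixed at onboarding, namely the NameSpace the device belongs to, its approximate geographic area and the data class it wants to publish, decide which user-plane MQTT paths it may use (ABAC). The roles admin and user and the data classes encrypted/public/private/protected come from the deck; the action names, topics, regions, identities and the policy itself are constructed assumptions.

```python
"""Combined RBAC + ABAC decision for a machine identity over an MQTT path.

Added example, not NXM's code. Role names admin/user and the four data
classes come from the deck; action names, topics, regions, identities and
the rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Data classes the deck lists for user-plane data.
DATA_CLASSES = frozenset({"encrypted", "public", "private", "protected"})

# RBAC table: the deck's two original roles; the action names are assumptions.
ROLE_ACTIONS = {
    "admin": frozenset({"publish", "subscribe", "onboard", "assign_role"}),
    "user": frozenset({"publish", "subscribe"}),
}


@dataclass(frozen=True)
class MachineIdentity:
    cid: str         # device identifier (CID); value constructed
    role: str        # RBAC role assigned in the control plane
    namespace: str   # NameSpace the device was registered under
    region: str      # approximate geographic area fixed at onboarding


@dataclass(frozen=True)
class PathRule:
    """ABAC rule: an MQTT path filter plus the regions and data classes allowed on it."""
    topic_filter: str                 # MQTT filter; '+' and '#' wildcards allowed
    regions: Optional[frozenset]      # None means any region
    data_classes: frozenset           # subset of DATA_CLASSES


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level and
    '#' (only valid as the last level) matches the rest, including nothing."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def authorize(ident: MachineIdentity, action: str, rules: Dict[str, List[PathRule]],
              topic: Optional[str] = None, data_class: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). RBAC runs first; user-plane actions then pass
    NameSpace ownership and the attribute rules. Anything unmatched is denied."""
    if action not in ROLE_ACTIONS.get(ident.role, frozenset()):
        return False, f"RBAC: role {ident.role!r} may not {action}"
    if action not in ("publish", "subscribe"):
        return True, "RBAC: control-plane action permitted"
    # User-plane requests must name one concrete path; wildcards live only in rules.
    if not topic or "+" in topic or "#" in topic:
        return False, "ABAC: user-plane request needs a concrete topic"
    if data_class not in DATA_CLASSES:
        return False, f"ABAC: unknown data class {data_class!r}"
    # NameSpace ownership: the first path level names the owning NameSpace.
    if topic.split("/", 1)[0] != ident.namespace:
        return False, "ABAC: path is outside the device's NameSpace"
    for rule in rules.get(ident.namespace, []):
        if not topic_matches(rule.topic_filter, topic):
            continue
        if rule.regions is not None and ident.region not in rule.regions:
            return False, f"ABAC: region {ident.region!r} not allowed on {rule.topic_filter}"
        if data_class not in rule.data_classes:
            return False, f"ABAC: {data_class} data not allowed on {rule.topic_filter}"
        return True, f"ABAC: matched {rule.topic_filter}"
    return False, "ABAC: no rule covers this path (default deny)"


# Constructed policy: vehicle telemetry must be encrypted or protected and may
# only come from EU regions; the public subtree accepts public data from anywhere.
RULES = {
    "acme-fleet": [
        PathRule("acme-fleet/vehicles/+/telemetry",
                 frozenset({"EU-west", "EU-central"}), frozenset({"encrypted", "protected"})),
        PathRule("acme-fleet/public/#", None, frozenset({"public"})),
    ],
}
CAR = MachineIdentity("cid-0001", "user", "acme-fleet", "EU-west")
ADMIN = MachineIdentity("cid-0002", "admin", "acme-fleet", "EU-central")
FOREIGN = MachineIdentity("cid-0003", "user", "other-ns", "EU-west")

if __name__ == "__main__":
    checks = [
        (CAR, "publish", "acme-fleet/vehicles/cid-0001/telemetry", "encrypted"),
        (CAR, "publish", "acme-fleet/vehicles/cid-0001/telemetry", "public"),
        (CAR, "publish", "acme-fleet/public/notices", "public"),
        (CAR, "subscribe", "acme-fleet/vehicles/+/telemetry", "encrypted"),
        (CAR, "onboard", None, None),
        (ADMIN, "onboard", None, None),
        (FOREIGN, "publish", "acme-fleet/vehicles/cid-0003/telemetry", "encrypted"),
    ]
    for ident, action, topic, cls in checks:
        ok, why = authorize(ident, action, RULES, topic, cls)
        print(f"{ident.cid} {action:<9} {topic or '-':<42} {'ALLOW' if ok else 'DENY':<5} {why}")
```

Two design points worth noting: the decision is default-deny, so a path that no rule covers is refused even for a device in the right NameSpace with the right role, and wildcard subscriptions are refused at this layer because a filter such as `acme-fleet/vehicles/+/telemetry` would have to be authorized for every path it can match; a broker that wants to allow aggregated subscriptions should expand them against the rules rather than accept the filter as-is.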

6. Role Based Access Control

Mainly in the control plane:
- Originally two roles were defined, admin and user, for individuals
- Groups, stakeholders and consortium access control under NXM
- Identity and key management are all done through the blockchain
- The immutable nature of the blockchain allows for auditing over time
- Four types of implementation are possible:
  1. NXM system
  2. IBM Hyperledger white label
  3. Kubernetes, Docker, HashiCorp private instances
  4. Distributed decentralized consortium with others using Min/Max

7. Single Methodology

For securing hardware, software, data and communication:
- Machine security needs hardware security
- Secure boot and secure update using firmware CI/CD per identity
- Application-level security relying on kernel-space separation
- Data is E2E encrypted; communication is over secure channels
- An inventory of things will allow batches/lots to be treated differently
- Identity would be more reliable over time
- Concrete ID
- Convenience trumps security
- Complexity is the enemy of trust

8. NXM Automotive Router

Onboarding

Preparation is the main key to eliminating complexity.

[Diagram: Onboard, Inventory, FOTA, Secure Boot, Access, CID:Pub, Data schema, PKI, Identity, CUPS, NameSpace, Initial, Role based, Attributes, Meta data, Register]

In Keeping with Other Standards

Regulations are coming.

UK Code of Practice

Code of Practice for Consumer IoT Security:
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
4. Securely store credentials and security-sensitive data
5. Communicate securely
6. Minimize exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resilient to outages
10. Monitor system telemetry data
11. Make it easy for consumers to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data

What is the direction for IoT implementations?

Internet of secure things, or a secure cloud of things?

20 years ago, the internet was a technical issue with some political implications. Today, it is a political issue with many technical components.

[Diagram: Good Practice, Regulation, Certification]

CUPS: Control User Plane Separation

- Control Plane: device onboarding, device management, role- and attribute-based access
- User Plane: application data, sensor data, aggregated data, metadata, analysis
- Peer to Peer: control-plane role- and attribute-based access controls (P2P, RBAC, ABAC)
- Triple Blind: user-plane data dissemination model for device, broker and user encryption
- MQTT: Message Queuing Telemetry Transport, a publish-and-subscribe (pub-sub) data model
- NameSpace: systematic data-model description for configuring telematics in the user plane
- Services: pre-configured data-model segmentation for data by NameSpace definition
- Path: MQTT path abstraction used to send device data to the broker for consumption

CUPS in 5G LTE as Inspiration

Used as a model for CUPS in Cellular Internet of Things (CIoT).

[Diagram: LTE protocol stack. Layer 3: Control Plane (RRC; Broadcast, Packet Switched, Circuit Switched) and User Plane (UP). Layer 2: BMC, PDCP, RLC (25.322), MAC (25.321). Layer 1: Physical Layer (TDD, FDD).]

CUPS using DLT for IoT

Simpler model than the LTE implementation.

[Diagram: Layer 3: Control Plane (CP) over DLT, User Plane (UP) over MQTT Pub-Sub. Layer 2: IP overlay, MAC. Layer 1: Physical Layer (RF, Wire).]

EE2EE: Embedded End to End Encryption in a Cloud Infrastructure

- Encryption for: secure boot/update of firmware, application, data and communication
- Encrypted during: transmission, storage, viewing and processing in/to/via the cloud/fog
- Encrypted only: for the devices that have been registered in the system and are in inventory
- Encrypted at: the late onboarding stage, when the device is connected for the first time
- Encrypted with: agile crypto, to enable resetting the encryption and repurposing the IoT device
- Encryption key: managed by the digital ledger, with the private key never leaving the IoT device
- Encryption strength: defining a one-way hierarchy for security from carrier grade to consumer
- Encryption implementation: defining access level using both roles and attributes

Bifurcation of Data

- CID is the only link for a full and complete view of the data
- Delimitation of the control plane interactions by behavior
- Anonymized data access without sacrificing control
- Delegated control based on rules similar to MUD
- Late onboarding similar to Intel SDO
- Device management similar to Arm Pelion
- Has the advantages of re-purposing and admin extension of roles
- Agile crypto allows for changes over time
- Quake makes it quantum-safe

Questions
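The EE2EE and Bifurcation of Data slides state the goal but not a mechanism, so here is an added example (not NXM's code, not part of the deck) of one way to realize three of their points in Python: the CID stays in the control plane and is the only link to the full view of the data, the user plane receives anonymized records that cannot be tied back to a device or a person, and agile re-keying unlinks a device's old data from its new data so it can be repurposed. The pseudonym scheme (HMAC-SHA256 under a per-NameSpace key, scoped by a re-keying epoch), the list of PII fields, the grid cell size used for the approximate geographic area, and every record value are assumptions constructed for illustration.

```python
"""Bifurcation of a device record into control-plane and user-plane halves.

Added example, not NXM's code. The keyed-pseudonym scheme, the PII field
list, the grid size and all sample values are constructed assumptions.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Fields that identify a person or a specific vehicle, or pin down its exact
# position; they are kept out of the user plane. The list is constructed.
PII_FIELDS = frozenset({"cid", "vin", "driver", "lat", "lon"})


def pseudonym(cid: str, namespace_key: bytes, epoch: int) -> str:
    """Keyed pseudonym for a CID, scoped to a re-keying epoch.

    Only the control plane holds namespace_key, so a user-plane consumer can
    neither turn a pseudonym back into a CID nor compute the pseudonym for a
    CID it guesses. A new epoch yields an unrelated pseudonym, which is what
    lets a device be repurposed without its earlier data following it.
    """
    msg = f"{epoch}:{cid}".encode()
    return hmac.new(namespace_key, msg, hashlib.sha256).hexdigest()[:32]


def coarse_area(lat: float, lon: float, cell_deg: float = 0.5) -> str:
    """Replace an exact position by a pre-defined grid cell (approximate area)."""
    return f"cell:{int(lat // cell_deg)}:{int(lon // cell_deg)}"


def bifurcate(record: dict, namespace_key: bytes, epoch: int) -> Tuple[dict, dict]:
    """Split a raw device record into (control_plane, user_plane).

    The control half keeps the CID and the pseudonym it maps to; the user half
    keeps only the non-PII measurements, the pseudonym and a coarse area.
    """
    pid = pseudonym(record["cid"], namespace_key, epoch)
    control = {"cid": record["cid"], "namespace": record["namespace"],
               "epoch": epoch, "pseudonym": pid}
    user = {k: v for k, v in record.items() if k not in PII_FIELDS}
    user["pseudonym"] = pid
    if "lat" in record and "lon" in record:
        user["area"] = coarse_area(record["lat"], record["lon"])
    return control, user


def relink(user_record: dict, control_index: Dict[str, str]) -> str:
    """Recover the CID behind a user-plane record. This needs the control
    plane's pseudonym -> CID index, which is the deck's 'CID is the only link'."""
    return control_index[user_record["pseudonym"]]


# Constructed sample input
NAMESPACE_KEY = b"constructed-acme-fleet-namespace-key"
RAW_RECORD = {
    "cid": "cid-0001", "namespace": "acme-fleet",
    "vin": "CONSTRUCTED-VIN-0001", "driver": "example driver",
    "lat": 52.37, "lon": 4.90,
    "speed_kph": 47, "battery_pct": 81,
}

if __name__ == "__main__":
    control, user = bifurcate(RAW_RECORD, NAMESPACE_KEY, epoch=1)
    print("control plane:", control)
    print("user plane:   ", user)
    index = {control["pseudonym"]: control["cid"]}
    print("relinked CID: ", relink(user, index))
    _, user2 = bifurcate(RAW_RECORD, NAMESPACE_KEY, epoch=2)
    print("re-keyed pseudonym differs:", user2["pseudonym"] != user["pseudonym"])
```

The check a practitioner would add on top of this is that the user-plane record really contains no PII field and no exact coordinate after the split, and that the same CID under a different key or epoch produces an unrelated pseudonym; the test below asserts exactly those properties. Pseudonymization of this kind reduces, but does not by itself eliminate, re-identification through the remaining measurements, which is why the deck pairs it with access control on the user plane.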
