IATC - Certification and Labeling in IoT - Richard Manning

BSides Las Vegas · 19:00 · Published 2019-10
About this talk
IATC - Certification and Labeling in IoT - Richard Manning I Am The Cavalry BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019
Transcript [en]

All right, good afternoon everyone. This is the BSides I Am The Cavalry track. If you are still talking, please exit the room, unless you are this gentleman here, Richard Manning. This is Certification and Labeling of IoT. I'd like to go ahead and do a few quick announcements here. One, our sponsors: we would like to thank our sponsors, especially our inner circle sponsors, that's Critical Stack and Valimail, and a couple of our stellar sponsors, Secure Code Warrior, Paranoids and the NSA. Thank you all very much. Without their sponsorship, and so many others, including the help of volunteers, this would not be possible, so thank you. Another reminder: cell phones. Please turn off your cell phones during this talk. It is streamed, so we do need you to go ahead and keep those muted right now. Thank you. Without further ado, Richard.

Thank you. So, hi, I'm Richard Manning from the NCSC in the UK, and thanks for having me today. So I'm going to be talking to you briefly about the work the UK and, to a degree, the Europeans are doing on IoT security and certification: what we're doing now and potentially where you can help us in the future. A bit of background on myself for the gang here today: I've only been on this project directly for the last three months. I foolishly... somebody asked me, "Would you help on IoT?" I said yes, and here I am. So, a lot of help from colleagues: Paul, colleague Peter, who was going to come and present today before he couldn't make it because of an illness, and David Rogers, who presented on this with Beau last year, so they helped me understand this. So therefore, if we get any really technical questions, I'm going to bat them off to my colleagues back in the UK, but I'm happy to help answer questions at the end if need be. Now, David's actually got an MBE from the Queen for service to cyber earlier this year, so fingers crossed, I'm hoping this presentation does the same for myself.

So a bit of background: the NCSC, who we are. So we are the National Cyber Security Centre in the UK. Now, prior to the NCSC there were lots of different departments and agencies in the UK all doing something in the world of cyber, or computer security as we all want to call it properly, and they all had very confusing names like CESG, CPNI and so on, where the C and the S meant cyber or security or computers or something like that, described by various seniors and stakeholders in the UK as an alphabet soup of team names. So back in 2016 we formed the NCSC as one unit to take on responsibility to be the technical authority for all things cyber in the UK, and our main headline aim is to make the UK the safest place to live and work online, and that underpins basically everything we do in the NCSC.

So what about myself, what do we do? So I work for a part of NCSC called Economy and Society, and our focus is to enable all UK people and all organisations to be less vulnerable and more resilient. That's a pretty broad remit, and we don't use one technique to achieve those aims; we offer a range of guidance, tools, services, bespoke engagements, that type of thing, to deliver that. Feel free to go to our website; lots of guidance and tools and stuff there. Obviously it's UK specific, but a lot of the broad underpinning science behind it is applicable anywhere, and the stuff you can download you can use as you see fit. As well as guidance and things, we also get involved behind the scenes with various policy and standards, which I want to come on to in a second in relation to IoT, but we know this isn't a silver bullet. We know that there isn't one thing to make everything secure, otherwise we'd have all done it by now, but it's one thing that should hopefully make the world a better place when it comes to IoT security.

So during this session I'm going to give a brief recap of what we've done in the past in relation to IoT security in the UK, the work we're currently doing and some of what we're doing within Europe around standards, and finally I'll be talking about our next stage, what we're doing: we've got legislation, further standards and further work, and there's some question in there that you might want to get involved in further down the line.

So previously, what we've done: last year we published the UK Code of Practice on IoT security, which I'll come on to on the next slide. Now that basically has 13 points, and three that make up what we call the baseline. These are, effectively, no default passwords, a vulnerability reporting methodology and a defined end of life for a given product. Now that was developed with extensive input from the wider community; Josh and Beau were involved, as talked about earlier on as well, and hopefully, as a general theme, that matches lots of other standards. In the UK, with our partners... now David Rogers presented on this here last year and has been doing the same thing around the world; my colleague Peter presented on this at RSA and an event earlier this year, so we're trying to continue that engagement with the wider community, to try and make sure that what we're doing isn't completely out of sorts with the rest of the world. And we know from the news stories IoT security still hasn't been fixed, so we're still doing stuff there. It's always in the news, so we're going to continue onwards.

So, as I just mentioned, last year, on the left-hand side there, we produced the Code of Practice. It was delivered by a department called DCMS, the Department for Digital, Culture, Media and Sport, also known as the Ministry of Fun in the UK. That's available online; please feel free to download it. It's been translated into numerous languages as well, so you can read it in any language you really feel like. We published that last year. Then earlier this year we started a consultation to look at the next stages of this guidance: what can we do next? And we asked broadly three sets of questions. The first set was about the type of approach we could take and the type of labelling scheme that we're proposing; we also asked some questions about what the impact would be if we did those things; and finally we asked a question about how we could enforce such a proposal.

Now we've got some really good feedback on that. The feedback closed a few months ago. 50-plus organisations came back to us, which incorporated most of the big trade bodies in the UK, most online and domestic high street retailers that deliver consumer IoT devices. We're currently reviewing that feedback with the aim of producing a paper highlighting what we found out at the end of this year. What I can do now is briefly detail some of the core findings, the key further points.

Two big stats there which are quite useful: 84 percent are in favour of us focusing on this baseline, those are the highlighted points in the middle there, which is quite handy because that's what we want to start with really, so their views are in line with what we thought we want to do. 96 percent, which I think is quite significant, are in favour of government regulation in this space. What it doesn't show you is that there's lots and lots of disparity in how we regulate, so whilst they're happy with that, they want some specification of how we do it, where we do it. That's very much up for debate, and different retailers, different manufacturers have a different opinion on that.

So other highlights that came out of that consultation, which will be published later on: lots of people were looking for further clarification and definition on the technical terms of IoT. You look at any IoT standard, any website now, nearly everybody defines IoT slightly differently, and if we're going to regulate stuff we need to try and rally around a shared definition. They want clarification and definition of how, again, to apply legislation: would it be UK specific, or would it go further, overseas? And then there's more detail required on things like the technical definition of such IoT: are we talking about devices that can connect directly to the internet, devices that connect through some kind of hub, or devices that have already become smart or IoT-like via an app? Where's the line being drawn, and what are we going to measure against?

We also had lots of questions around things like passwords. So we say, you know, no default passwords; there's some IoT devices that don't use passwords in the common sense of the word. ZigBee devices, there's some implementations which don't use a password; it's actually shared keys and other things. Is that the same? Yes, no, discussion. We want to move on to a definition of what we meant by vulnerability disclosure. Lots of discussions here and during this week about what that actually means, in fact, but if we're going to regulate we need to be clearer on what that actually means.

A good question that came up was security updates versus feature updates. Again, this is a good indication of the maturity of the market: lots of people are making things smart that haven't been smart before, washing machines, toasters. These are companies which have not been involved in any of this kind of industry before, so they don't know, well, they haven't got their heads around, in a maturity way, what we mean by this. So we need to be clearer about what we mean by updating software, and, well, if I buy a toaster, I mean, once you buy it, it works and off you go.

Is that right? We know that's probably not the answer, but toaster manufacturers, for example, aren't in that head space yet. Other questions that were raised were about implementation. If we implemented any sort of rules and regulations, when would they apply, how would that work? Would there be a voluntary period? Would it be a couple of years of "this is what's going to happen" and then regulate after two years? Lots of questions around supply chain, development chains. A product that you buy in the shops today has obviously had probably a year, maybe two years, of development and delivery time to get to your store. So where do we regulate? Do we regulate at the retailer's point of sale, or do we regulate at manufacture, and how does that affect any standards that we've put in place?

The actual label we're talking about as well: if we start labelling, how is that going to look? How would a consumer understand what the label means? Do we need to do something like, basically, a traffic light system, red, amber, green, for different things? How does that work in practice? Otherwise, what was proposed was negative labelling: do we just promote, or do we just talk about, the products which don't pass the certification? Arguments to and fro for that as well. And then there were also lots of questions about regulatory actions, or the assessment. Some companies or some organisations wanted us to push for independent lab-based assessment of products; some companies were much more in favour of self-assertion. Lots of pros and cons for both of those, but those are things up for discussion.

And then finally, yeah, there was a good question that was raised to us about the top three: two of the points, vulnerability disclosure and keeping software updated, the end-of-life requirement, are more policy or procedural requirements. It's very hard to test that. Default passwords you can technically test: you can dive into the code and see if there are any passwords in there. Potentially not so much the other two, but how do you get confidence that they're doing that? Are we going to ask for audits of these manufacturers? How does that work, in fact, as well?

So that's the consultation that's just finished, now with the aim of going into some kind of legislation later this year, early next year. So I'm not going to go into this in too much detail. This is a good indication; this is a slide borrowed from my colleagues in DCMS, and it shows this whole willingness to try and ratify, or try to move towards, a common standard. You see at the top there's an ISO; this is effectively where things could lead to. This is not defined; this isn't necessarily something that's going to happen, but what it shows is that you've got lots of different government agencies in Europe, BSI in Germany and DIN, and different industry groups, different manufacturers, all working together in different groups to try and get a grip on IoT security and how it can affect them.

Now I was at a meeting a few weeks ago where we were trying to merge certain standards together, and whilst there was also discussion about actual specific wording or implementations, the general feeling was, yeah, let's all try and do the same things, try and make it easier for manufacturers and consumers, so rally around one standard if possible, otherwise it gets too confusing, and I'll show you some confusion later on about why it needs to be fixed. But the underlying feeling, this consensus, is there; it's just a matter of trying to get it all into one place.

So as I just mentioned, we've done some mapping of the various standards. Now it's against the UK Code of Practice, but there's lots of stuff in there which is non-UK specific, and it's a really good example. This paper, linked at the bottom there, is a really good example of how IoT standards exist and how they interact. David did this for his company; he's done a blog to talk about it, and it was updated this week. It incorporates various changes to the policies and standards we've talked about and how they interact with each other, and as you see in the middle there, lots of people are saying the same things in different ways: good security, basically. So I recommend you have a look at that report there and see how the different IoT standards are working together. We're going to keep updating this report for as long as we need to, until there is some kind of assimilation between the different standards. This will still be updated, which will give some clarification of what's going on.

So, leading into what we're doing next: like I said, we've done this consultation effort to get our understanding of what we're trying to do; we're working with the Europeans to try and rally around some common standards; our aim is to push for some UK legislation next year. We'll get that ball rolling in government early next year with the white paper, and I think, as you hopefully understand, trying to get policy or legislation through government is never the easiest thing to do, but we're confident we can get something done next year, depending on who's in power. We're also going to continue to work with the Europeans to again make that a European standard as well.

However, as we get closer to certification or legislation, we've still got some questions we need to answer, based on the left-hand side there. We need to understand that manufacturers are delivering what they say they're delivering, and they're not just paying lip service to these sorts of requirements. We need to understand how they gain confidence in such certification, how to build that into the process so that we know what we're doing, and importantly, we need to make sure that the floor doesn't become a ceiling. This is a phrase of Peter's. So we know the baseline requirements, they're quite low level, they're quite basic; we knew we couldn't go in there with the full 13 requirements of secure comms and so on; the manufacturers just wouldn't work straight away with that. But we want to keep pushing that ball upwards and try to make it better for the manufacturer to meet those needs.

And to do that we need to push these two things on the axes here: we need to make vendors, consumers, different stakeholders, we need to educate them about the cybersecurity of their devices, different ways to do that, and down the bottom there we need to make them care more about security, and to do that there are various methods we can use, carrot or stick really, and different types of approaches there to put in place. And eventually we push the ball higher and higher and higher until we get to the lofty heights of perfect security for IoT, which might take a few years potentially. So I'm happy to take questions on this if you want to now. I'm

also running a discussion about how we achieve these next steps potentially internationally, in the EU and in the UK, a publicly open discussion later on today, if anyone's interested, with a bit more background on what we've said and done and a bit more information about the NCSC and how it relates to us. Thank you very much; this is a short talk. Any questions? I'll come over to you at the microphone.

[Question from the audience] The first bullet point, how can we ensure all manufacturers act responsibly? So is there legislation, or is there a governing body that is actually measuring how the manufacturers are complying with this guidance?

So that's the next step really. At the moment, no, there isn't. There could be quite easily, but we need to work out what the best approach is to do that. Do you want something like independent... do you want a government-based body, independent labs? There's lots of ways to solve that problem, but actually each has its pros and cons. So yeah, that's one of the key points: we need to understand how best to do that. There are different schemes out there for gaining confidence in products, but are they the right thing for this kind of sector?

[Question from the audience] This might be jumping into this afternoon's discussion, but how do you anticipate sort of working with ENISA? As you know, they are looking to implement this new Cybersecurity Act, and my understanding is consumer IoT is going to be one of the early areas that they're looking at for certifications there. So how does the NCSC plan to...?

So we're working with them already, very much so, and we know there's different timescales in play, and we also, you might have heard of Brexit, we're not quite sure how that's going to impact all this. So we're working with both camps really to make sure that a lot of the common technology, the common requirements, are going to be the same. A lot of the ENISA stuff is based on what we've done before; we're feeding that up. So in theory ENISA comes in and that's the bigger thing; we can just point to that and it will still meet our requirements. We might stop doing ours, I don't know; lots of options there. But we are very much tied into that piece of work and support it; it's just they're working at different timescales. So ENISA might take a couple of years; we might do ours in a year, and we're not fussed which one. At the end of the day I want my consumers to be able to purchase IoT stuff which is secure. Yeah, we're working together quite heavily. Any more questions?

Thank you very much, Richard. Thank you. [Applause]