Cybersecurity-related Standards Activities in TIA


Document No: GSC16-GTSC9-03
Source: TIA
Contact: Eric Barnhart ([email protected])
GSC Session: GTSC-9
Agenda Item: 4.2: Cybersecurity
Cybersecurity-related Standards Activity in the Telecommunications Industry Association
Eric Barnhart, Division Chief, Georgia Tech Research Institute
Halifax, 31 Oct – 3 Nov 2011
ICT Accessibility For All
TIA Cybersecurity Background
• TIA's focus on Critical Infrastructure Protection and Homeland Security includes efforts in Network Security
• TIA TR-51 (Smart Utility Networks) views TR-50 (Smart Device Communications) as the logical group to address security, in parallel with the deference to ITU-T SG17 (cybersecurity) from ITU Focus Group SMART
• TIA urges caution in establishing any US government-mandated security certification programs (TIA comments in US FCC PS Docket No. 10-93)
  – more data is needed, given rapidly evolving requirements
  – certification programs may not be the most effective protection
  – a government-mandated certification program could stifle needed flexibility
Highlight of Current Activities
• TIA TR-50 (Smart Device Communications) established a Security Ad Hoc Group in February 2011
  – Supports TR-50 and its other subcommittees to contribute requirements, architecture, protocols, etc. related to the topic of security in Smart Device Communications.
  – Reviews/approves all ballots by TR-50 and its subcommittees to ensure that any architectures, protocols, or specifications meet the requirements set by the SDC Security Ad Hoc Group for secure solutions.
  – Architecture, protocols, or specifications should support options that can be exported without restriction from countries for which TIA serves as a regional Standards Development Organization (SDO).
Highlight of Current Activities
• TIA TR-50 Smart Device Communications Security Ad Hoc Group activity includes development of:
  – Data-in-Transit Use Cases to support progress toward a Machine-to-Machine (M2M) Multilayer Distributed Security Architecture (MMDSA)
Highlight of Current Activities
• TIA TR-50 Smart Device Communications Security Ad Hoc Group activity:
  – Developing an M2M Threat Analysis Overview to drive architecture development in tandem with the Use Cases
  – Includes Operating System and Applications layer considerations; User Data considerations; and Network considerations.
  – Methodology includes measures of threat Likelihood and Impact. The product of these two factors gives the Risk Assessment Level (detailed in the supplementary slides).
TIA Strategic Direction
• TIA supports the cybersecurity objectives and study items of ITU-T Study Group 17 as captured in Question 4/17 (Cybersecurity)
• TIA 2011 Goals and Positions include:
  – Government and industry must partner to increase the number of dialogues between domestic and foreign experts to discuss international best practices
  – Support cybersecurity policies that keep markets open and minimize barriers to trade
Challenges
• With M2M cybersecurity in TR-50 (Smart Device Communications) as the current TIA cybersecurity focal point, extend focus as appropriate to address the needs of:
  – TR-30 Multimedia Access, Protocols and Interfaces
  – TR-41 User Premises Telecommunications Systems
  – TR-45 Mobile and Personal Communications Systems Standards
  – TR-47 Terrestrial Mobile Multimedia Multicast
  – TR-48 Vehicular Telematics
  – TR-49 Healthcare ICT
Challenges
• Embracing the user community (including verticals) is vital
• User needs are particularly important to understand with regard to risks and security demands; examples include energy management and healthcare ICT
• Export control and harmonization issues demand attention
Next Steps / Actions
• In the TIA TR-50 Smart Device Communications Security Ad Hoc Group:
  – Continue focus on Data in Transit
    • Multilayer Security
    • Security Zone Definitions
  – Continue focus on Data at Rest
    • Trusted Environments
  – Continue focus on Threat Analysis
    • Risk Analysis
    • Financial Impact
    • Attack Trees
  – Examine Test Bed needs to investigate cybersecurity issues
Supplementary Slides
Supplementary Comments on M2M SDC Threat Assessment
In order to quantify vulnerability, numeric values are assigned to multiple factors. Vulnerability (the Risk Assessment Level above) is calculated as the product of likelihood and impact (after NIST, OWASP, SANS Institute and other similar approaches to IT risk management).
• The Likelihood factor ranges from 1 through 4, with the following levels defined:
  – 1 = “Low Likelihood”: the least likely, due to little or no motivation, opportunity and/or capability
  – 2 = “Moderate Likelihood”: moderate likelihood, with average motivation, opportunity and/or capability
  – 3 = “Substantial Likelihood”: substantial likelihood, with high motivation, opportunity and/or capability
  – 4 = “Severe Likelihood”: the most likely, an agent with high motivation, opportunity and capability.
Supplementary Comments on M2M SDC Threat Assessment
Criteria for assigning likelihood levels include assessing the attacker, motivation, opportunity, and capability, each scored 0 through 4:
Attacker Characteristic (threat sources), which can be detailed as:
  “0” No agent present
  “1” Individual criminal, hacker, disgruntled employee
  “2” Competitor
  “3” Extremist, Organized Crime
  “4” Terrorist or Nation State
Motivation, including financial, political, emotional, revenge, as well as constraints such as detection and the risk involved:
  “0” No motivation
  “1” Low
  “2” Moderate
  “3” Substantial
  “4” High
Opportunity, including proximity, security, standards:
  “0” No Opportunity
  “1” Little
  “2” Limited
  “3” Substantial
  “4” High
Capability, including education, knowledge, access, specialized equipment and reverse engineering:
  “0” None
  “1” Little
  “2” Limited
  “3” Substantial
  “4” High
Supplementary Comments on M2M SDC Threat Assessment
Impact characterizes the implications/seriousness of a successful attack, with the following levels:
• 1 = minor impact or no effect on the stakeholder
• 2 = serious impact, including impact on revenue streams, processes, support systems
• 3 = widespread impact, causing irreparable damage to key systems and processes
• 4 = severe impact, causing damage to systems and processes that support infrastructure requirements.
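As an added worked example (not part of the TIA slides or of any TR-50 deliverable), the following Python turns the scoring scheme above into code: the four 0..4 criteria (attacker, motivation, opportunity, capability) feed a 1..4 likelihood level, impact is 1..4, and the Risk Assessment Level is their product. The slides give only the scales and the product; how the four criteria fold into one likelihood level, the banding of the 1..16 product, and the sample threat register are assumptions of this example and are marked as such in the code.

```python
"""Risk Assessment Level arithmetic for the TR-50 SDC threat analysis.

Added example, not from the TIA slides. From the slides:
  * Likelihood level 1..4 (Low, Moderate, Substantial, Severe)
  * Impact level 1..4 (minor, serious, widespread, severe)
  * Risk Assessment Level = Likelihood x Impact
  * Four 0..4 criteria feeding likelihood: attacker (threat source),
    motivation, opportunity, capability
Not in the slides (assumed here): how the criteria fold into one likelihood
level, and any banding of the 1..16 product.
"""
from dataclasses import dataclass
from math import floor

LIKELIHOOD_LABELS = {1: "Low", 2: "Moderate", 3: "Substantial", 4: "Severe"}
IMPACT_LABELS = {1: "minor", 2: "serious", 3: "widespread", 4: "severe"}

# Threat-source scale from the slides: 0 = no agent ... 4 = terrorist or nation state.
ATTACKER = {"none": 0, "individual": 1, "competitor": 2, "organized": 3, "nation_state": 4}


@dataclass(frozen=True)
class Threat:
    name: str
    attacker: int     # 0..4, see ATTACKER
    motivation: int   # 0..4
    opportunity: int  # 0..4
    capability: int   # 0..4
    impact: int       # 1..4


def _score(value: int, lo: int, hi: int, what: str) -> int:
    """Reject out-of-range or non-integer scores instead of silently clamping."""
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{what} must be an integer in {lo}..{hi}, got {value!r}")
    return value


def likelihood(attacker: int, motivation: int, opportunity: int, capability: int) -> int:
    """Fold the four 0..4 criteria into a 1..4 likelihood level.

    ASSUMPTION (not in the slides): a 0 in any criterion means the attack is not
    realisable (no agent, no motive, no opportunity or no capability), so the
    likelihood is pinned at 1 (Low); otherwise the mean of the four scores is
    rounded half-up and clamped to 1..4.
    """
    scores = [
        _score(attacker, 0, 4, "attacker"),
        _score(motivation, 0, 4, "motivation"),
        _score(opportunity, 0, 4, "opportunity"),
        _score(capability, 0, 4, "capability"),
    ]
    if min(scores) == 0:
        return 1
    mean = sum(scores) / len(scores)
    return max(1, min(4, floor(mean + 0.5)))  # half-up, not banker's rounding


def risk_level(t: Threat) -> int:
    """Risk Assessment Level = Likelihood x Impact, range 1..16 (from the slides)."""
    lk = likelihood(t.attacker, t.motivation, t.opportunity, t.capability)
    return lk * _score(t.impact, 1, 4, "impact")


def risk_band(level: int) -> str:
    """ASSUMPTION: four bands over the 1..16 product; the slides show only the product."""
    if level >= 12:
        return "critical"
    if level >= 8:
        return "high"
    if level >= 4:
        return "medium"
    return "low"


def assess(threats):
    """Return (name, likelihood, impact, level, band) rows, highest risk first."""
    rows = []
    for t in threats:
        lk = likelihood(t.attacker, t.motivation, t.opportunity, t.capability)
        lvl = risk_level(t)
        rows.append((t.name, lk, t.impact, lvl, risk_band(lvl)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample register; names and scores are illustrative, not from the slides.
SAMPLE_THREATS = [
    Threat("replay of unauthenticated meter readings in transit",
           ATTACKER["individual"], 2, 3, 2, impact=2),
    Threat("tampered firmware pushed through the head-end update path",
           ATTACKER["nation_state"], 3, 2, 4, impact=4),
    Threat("insider reads archived data at rest on a retired gateway",
           ATTACKER["individual"], 3, 4, 2, impact=2),
    Threat("physical tamper with no plausible agent",
           ATTACKER["none"], 4, 4, 4, impact=3),
]

if __name__ == "__main__":
    for name, lk, imp, lvl, band in assess(SAMPLE_THREATS):
        print(f"{lvl:2d} {band:8s} L={lk} ({LIKELIHOOD_LABELS[lk]}) "
              f"I={imp} ({IMPACT_LABELS[imp]})  {name}")
```

The register sorts by product, so a Substantial-likelihood, severe-impact firmware threat (3 x 4 = 12) ranks above an equally likely but lower-impact data-at-rest threat (3 x 2 = 6); the zero-agent case shows why the likelihood fold has to treat a 0 criterion specially rather than averaging it away. Any other fold (minimum, weighted sum) is equally defensible; the point is to make it explicit and validate inputs rather than let an out-of-range score inflate the product.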