In a nutshell
As part of an effort to provide enterprise users and their vendors with better guidance on deploying Internet of Things (“IoT”) technology, the Infocomm Media Development Authority (“IMDA”) published Annex C: Case Studies on Smart Buildings (informative) (“Annex C”) to the IoT Cyber Security Guide. Annex C provides a starting point for companies in the facilities management industry that use smart systems to reassess their cyber security needs and infrastructure.
As part of the threat modeling checklist, Annex C recommends the following:
- Identification of protected objects
- Defining security issues considering threats, vulnerabilities, operational environments, assumptions, etc.
- Conducting a risk assessment
- Determining Security Objectives
- Defining Security Requirements with a Vendor Disclosure Checklist
It is important to note that users of this guide should customize the contents of Annex C according to their business needs.
In March 2020, IMDA released the IoT Cyber Security Guide (“Guide”) to provide guidance to enterprise users and vendors on deploying IoT technologies in a secure manner. The Guide covers the cybersecurity aspects of acquiring, developing, operating, and maintaining IoT systems.
To further support the Real Estate Transformation Map, the Building and Construction Authority, with the support of IMDA, is transforming the facilities management (“FM”) industry by adopting smart FM systems. In this vein, IMDA proposed Annex C, which contains a smart building case study based on threat modeling.
Moreover, IMDA emphasizes the importance of businesses (2) regularly reviewing and adapting their security frameworks and policies;
Annex C provides non-exhaustive, high-level details for five of the seven items in the threat modeling checklist provided in the Guide. The outline of each item is as follows.
Section 1: Identification of Protected Objects
Annex C lists the protected objects (“TOP”) as having two system boundaries: (1) the Proximity Network (“PN”); and (2) Commercial Building Networks. The security needs of these assets, along with other identified assets (usually assets and data flows interconnected to IoT edge gateways within the PN), are assessed with respect to the triad of confidentiality, integrity, and availability.
Annex C also reminds companies that three attributes are critical to the security of the operational technology in the smart building ecosystem: safety, resilience and reliability. This is especially true when the device layer contains physical systems such as elevators and escalators.
Section 2: Defining Security Issues
Annex C identifies the concerns that contribute to the system accessibility and system susceptibility of the assets under the TOP. For each security issue, Annex C sets out the threats, vulnerabilities, operating environment, and assumptions used to define that issue.
As an example, taking the IoT cloud as an asset, Annex C considers:
(a) For system accessibility, attack surfaces such as API calls, HTTPS traffic, storage software, memory, VMs, OS, firmware, middleware, and server software, considering all stages of the system lifecycle.
(b) For system susceptibility, the “OWASP® Top 10 Application Security Risks”, relevant known vulnerabilities from prominent vulnerability repositories such as https://www.cve.org/, and vulnerability scanning.
Section 3: Conducting a Risk Assessment
Annex C emphasizes that any risk assessment is context dependent. In this case, Annex C first provides ratings for (1) the accessibility and susceptibility of the system and (2) the capabilities of an attacker, classifying each as high, medium or low according to the rationale given. The checklist then provides a prioritized assessment for threat mitigation for each asset, considering the above factors holistically.
Taking the same IoT cloud asset as an example, the accessibility of the system is rated “High” because it is hosted in the public cloud. Similarly, the system’s susceptibility is rated “High” because it may contain certain vulnerabilities.
In terms of attacker capabilities, the IoT cloud is rated “High” because it is valuable to a wide variety of attackers (script kiddies, criminals, hacktivists, terrorists, etc.) who may have high capabilities and resources.
Taken together, this makes the IoT cloud asset a high-priority item for mitigation in the subsequent sections.
Section 4: Defining Security Objectives
Annex C considers the definition of security objectives, including: (1) ensuring the confidentiality of sensitive data; (2) providing appropriate access controls; (3) ensuring system integrity; and (4) preventing security breaches due to multi-tenancy, etc.
Section 5: Defining Security Requirements
A template of common security considerations for vendors is provided. Firms should determine the suitability and applicability of the checklist and adjust it as necessary. Annex C also highlights the commercial practice of having technology solution providers elaborate on how they address the security requirements listed in Section 4.
The proliferation of the internet and technology has enabled companies to harness data from previously isolated operational technology networks in buildings to aid in the decision-making process. However, this also means that these networks are exposed to common IoT vulnerabilities. Annex C provides a starting point for companies in the FM industry that use smart systems to reassess their cybersecurity needs and infrastructure.
IMDA notes that Annex C is a case study to illustrate good practices for voluntary adoption. We are happy to provide advice tailored to your specific needs on how to better protect your cybersecurity objectives.
For more information and what this development means for you, please contact your regular Baker McKenzie representative.
© 2022 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is a member firm of Baker & McKenzie International, a global law firm incorporated with limited liability and with member firms worldwide. In accordance with common terminology used in professional services organizations, references to “principal” mean a partner or equivalent of such law firm. Similarly, references to “offices” mean offices of such law firm. This may be “attorney advertising” which requires notice in some jurisdictions. Previous results are no guarantee of similar results.