Security Risk Analyses – How to Arrive at Security Requirements („Security Risikoanalysen – wie man zu Security Anforderungen kommt“) · 2019-11-26

Page 1

© KUGLER MAAG CIE GmbH

13. Neu-Ulmer Test-Engineering-Day 2018

Security Risk Analyses – How to Arrive at Security Requirements

Dr. Thomas Liedtke, 03 May 2018

Page 2

Agenda: Security Risk Analyses – Security Requirements

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

─ Introduction
─ What's going on?
─ Security | Definitions
─ Security Risk Analysis | Standards
─ Creation of Requirements
─ Some concrete Samples
─ Outlook | Privacy

Page 3

Introduction: Thomas Liedtke (PhD)

• since 2017 Kugler Maag Cie GmbH; Principal
  • Latest subjects: functional safety, security, privacy
• 2007 – 2017 ICS AG; leader of the business unit research & development
  • Senior project leader, development of safety-critical systems
  • Leader of competence centers / external training
  • Implementation of software maturity models
  • IT-security agent acc. BSI Grundschutz and ISO 27001
  • Internal operating privacy agent
• before:
  • PhD Computer Science / Mathematics, University of Stuttgart
  • 14 years Alcatel / Alcatel·Lucent
    • Fixed networks / quality department / SPI / SEPG (CMM) / project leader of large projects
    • Mobile networks: development department leader, senior project leader (GPRS / UMTS / GSM / …)
    • Intelligent optical networks: industrial project lead, supply chain leader
    • Leader of the RSLC (Repair Service Logistic Center)
• Membership
  • ZVEI Automotive Cybersecurity
  • VDA Cybersecurity DIN NA052-00-32-11AK and ISO TC22/SC32/WG11
  • GI leader of the working group Privacy by Design

Page 4

Consulting Services based on our Automotive Expertise

• Founded 2004 in Kornwestheim (near Stuttgart, Germany)
• Branch office in USA, Troy, MI
• 70 employees
• Experts with profound automotive expertise in engineering and service management, 10 years on average
• Management consultants with 25 years and more experience in automotive
• Broad network based on integrity and trust at every management level from executives to practitioners
• Worldwide customer projects

Page 5

Integrated Services Generate Highest Added Value for our Customers

• Consulting: Organizational Change, Process & Performance Improvement, Automotive SPICE® Implementation, Agile Business Transformation, …
• Training: Management Training, Agile Transformation, Functional Safety, SCRUM Master, Automotive SPICE® Assessor, CMMI, …
• Assessment: Readiness Checks for Organizational Change and Agile, Compliance with Automotive SPICE® & CMMI, Functional Safety Audits, Security Audits
• Support: Quality Management, Project Management, Requirements Engineering, Functional Safety & Security Engineering, Configuration Management, Service Management, …

Page 6

We Know the Automotive Industry – Some Customers (customer logos)

Page 7

Agenda: Security Risk Analyses – Security Requirements

Page 8

What does Security look like? Malicious Control System Cyber Security Attack

• Security incidents can impair the availability of systems
• Consequences: limitation of usage and decrease of safety, up to denial of service (DoS)
• Reliability defines the likelihood of a lack of security
• Often cited examples:
  • SCADA (Supervisory Control And Data Acquisition): attack via an unsecured communication channel (e.g. the Australian Maroochy Water Breach [SM08])
  • Automotive: attack via unsecured interfaces (e.g. Jeep Hack, see [CMK+11])

Page 9

News 1 – Car wash: standard passwords for critical machines within IoT??

Page 10

News 2 – Medical devices are going onto the internet

Source: https://nakedsecurity.sophos.com, seen on 24.03.2017

Page 11

News 3 – Critical infrastructure

Source: http://www.nlg.nhs.uk/, accessed on 02.11.2016

Page 12

News 4 – Lessons learned??

Source: http://www.nlg.nhs.uk/, accessed on 16.05.2017

Page 13

Jeep Cherokee Hack, July 2015

Source: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Page 14

Agenda: Security Risk Analyses – Security Requirements

Page 15

Overview | Terms … where security is a subject

• Safety: danger for life and physical condition
• Information Security: protection of information and information systems: „CIA“
• IT-/ Data Security: protection of security controls
• Cybersecurity: security of electronic data
• Privacy: „intimacy“; protection of „PII“; protection goals for data: „PMD“
• Data protection: data security of PII data
• Risk Management: relevant in all areas
• Compliance: regulations by law

CIA = Confidentiality, Integrity, Availability
PII = Personally Identifiable Information
PMD = Predictability, Manageability, Disassociability

(Diagram of overlapping areas: Safety, Risk Management, Compliance, Privacy, Information Security, Data protection, IT-/ Data Security, Cybersecurity)

Page 16

Risk Acceptance – „standard“ definition of Risk

• Risk = probability of materialization x (potential) impact in case the risk becomes true
• Risk reduction by
  • reducing the probability, or
  • limiting the consequences of unavoidable faults
• Risk acceptance of the residual risk

Page 17

Crack of Ages: Security | Lessons Learned – Stuxnet, June 2010

Stuxnet: malware to disturb the SCADA system Simatic S7 (Siemens). The system was intended for use in Tehran in finishing equipment for the nuclear program (uranium centrifuges):
• 10 years of development time with 5–10 developers
• 1 year needed for experts to reverse-engineer it
• knowledge of several vulnerabilities, distributed over different companies, was necessary
• complex way of distribution

Completely underestimated (at that time):
• size of the SW part in production plants
• technical possibilities to load malware into proprietary systems
• size of the attacker's motivation (see above)
• potential impact and harm

Page 18

Security (Information/ Cyber) – Characterization

Information security: protection / hardiness against (intended) attacks (incl. accidents / hazards) on confidentiality, integrity and availability of information

Cybersecurity: ability to protect or defend the use of cyberspace from cyber-attacks

• Safeguarding functional correctness in case of active attacks (system, control, protection of access, …)
• Likelihood instead of probability
• Weaknesses are deliberately searched for and exploited (or traded)
• Security shall not disturb safety („better safe than sorry“)
• Performance (e.g. coded vs. ciphered messages, energy, …)
• Additional organizational measures are necessary (e.g. authentication, key management, …)
• Advanced computer-controlled safety features increase the attack surface of safety-critical actions (e.g. CAN message injection)
• Continuous (prompt) adaptation of systems to ward off new threats
• Conflicting interests | inductive | bottom-up | anticipation

Fragile -> Robust -> Antifragile. Emergence. „fit for the future“

Page 19

Hacking vs. Cracking | Definition

Hacking:
• Finding extraordinary, non-obvious solutions
• Talent for finding alternative uses hidden from other people
• Development needs „criminal energy“ to develop secure products
  • Security engineering processes are not enough
  • Applying standards and using common, well-known methods is the opposite of attacker behaviour
• Three groups of hackers:
  • Researchers publishing weaknesses and security vulnerabilities
  • IT-security companies publishing weaknesses and security vulnerabilities for marketing
  • Groups of attackers pursuing illegal commercial purposes

Design for manufacturing (hiding interfaces, using simple tools) is not secure against the third group

Cracking:
• Deciphering of software

Page 21

Considerations towards Security

Hackers' mindset is completely different from developers' mindset
• Strategy of hackers
  • How would you start hacking?
• Top functional targets
  • Immobilization
  • Odometer manipulation
  • Chip tuning
• Targets
  • Scalable threats (fleets, …)
  • Keys
• Attackers / adversaries
  • Professional, highly skilled and motivated people
  • A lot of hacks can be done with a low budget

Page 22

Conflict of interest. Examples: implementation attack, side-channel attack, re-engineering, …

Image source: article on the topic of radio keys (Funkschlüssel), 11.08.2016, heise online

Page 23

Agenda: Security Risk Analyses – Security Requirements

„It is not a matter of predicting the future, but of being prepared for the future.“ („Es kommt nicht darauf an, die Zukunft vorauszusagen, sondern auf die Zukunft vorbereitet zu sein.“)

Pericles (490 – 429 BC)

Page 24

Risk Analysis: different purpose – simplified

Safety
• Loss of body and life
• Impact x probability
• quantifiable
• Sum of probabilities = 100%
• Risk treatment limited

Security
• Loss of CIA
• Impact / harm x likelihood
• Vulnerabilities can be exploited by threats
• Risk treatment possible
• Taking over responsibility

Privacy
• Loss of privacy / trust
• Adverse impact x likelihood
• Problematic data action causes an adverse effect or problem to individuals

Management Consulting / Jörg Diringer / Ver. PA8

Page 25

Security Risk Analysis: Standards related to Risk Management

• BSI-Standard 200-3 Risk Analysis based on IT-Grundschutz
  • public, 23 pages; focus:
    • target objects for which implementing IT-Grundschutz is not sufficient
    • assessments with as little effort as possible
    • evaluation of hazards | controls: completeness, strength of mechanisms, reliability
• ISO/ IEC 27005: Information Security Risk Management
  • 68 pages, capturing typical hazards, threats and vulnerabilities
  • risk treatment similar to BSI 200-3
• NIST SP 800-30: Guide for Conducting Risk Assessments
  • 95 pages, covering 62443-3-2 up to step DRAR 6
  • contains appendices on threat events, evaluation of vulnerabilities, impacts
• ISO/ IEC 29134: Privacy Impact Assessment PIA (Privacy Risk Assessment)
• DIN VDE V 0831-104: guideline for IT-security based on IEC 62443 (transportation)
• ISA-IEC 62443-3-2: Security risk assessment for system design, 34 pages
• TR 20004: Security Techniques – Refining Software Vulnerability Analysis for ISO/ IEC 15408 and ISO/ IEC 18045
• CORAS Model-Driven Risk Analysis: risk evaluation with diagrams, inspired by UML
• NIST 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems
• IEC 31030 Risk Management – Risk Assessment Techniques
  • HAZOP, Preliminary Hazard Analysis, FMEA, FTA, …

Page 26

Risk Definition: Security

Likelihood of occurrence:
• Likelihood of threat:
  • possible access (assumptions about encryption), experience of attackers, resources, motivation
• Likelihood of weakness:
  • size of the attack vector: existence in the system, complexity of the system
  • awareness level: well-known weaknesses have a higher likelihood of being exploited
  • awareness level of system components (TLS, buses, …)
  • scalability of the exploit: a large number of affected systems increases the likelihood

Potential harm / damage:
• finance, legal, contractual, property, image, scalability (DoS), …

Page 27

BSI 200-3: Risk Analysis based on IT-Grundschutz – embedding the risk analysis in the security process (figure)

[BSI200-3]

Page 28

Definition & Classification: information, typical protection goals, typical damage scenarios

Information classification:
• none, internal, confidential, secret

Protection goals (Schutzziele)
• Confidentiality (C) (no disclosure to / availability for unauthorized individuals; assignment of permissions)
  • e.g. public / internal / confidential / secret (risk: espionage)
• Integrity (I) (correctness and completeness; authority over changes)
  • e.g. touching / modifying (risk: manipulation)
• Availability (A) (availability for authorized entities; redundancy)
  • e.g. networks / internet providers (risk: loss of access)

Damage scenarios (Schadensszenarien)
• Violation of laws (Verstoß gegen Gesetze)
• Impairment of the right to informational self-determination (Beeinträchtigung des informationellen Selbstbestimmungsrechts)
• Impairment of personal integrity (Beeinträchtigung der persönlichen Unversehrtheit)
• Impairment of task fulfilment (Beeinträchtigung der Aufgabenerfüllung)
• Negative internal and external effects (Negative Innen- und Außenwirkung)
• Financial consequences (Finanzielle Auswirkungen)

Protection need categories (Schutzbedarfskategorien)
• Normal / low
• High
• Very high

Page 29

Risk Treatment: ISO 27005 | BSI 200-3

Options for action according to BSI 200-3:
• Risk reduction (Risiko-Reduktion / Risiko-Modifikation): Is it reasonable to reduce the risk through further security measures?
• Risk avoidance (Risiko-Vermeidung): Is it reasonable to avoid the risk by restructuring the business process or the information domain (Informationsverbund)?
• Risk transfer (Risiko-Transfer / Risiko-Teilung): Is it reasonable to transfer the risk to another institution, for example by taking out an insurance contract or by outsourcing?
• Risk retention / risk acceptance (Risiko-Übernahme / Risiko-Akzeptanz)

Page 30

Definition of the Risk Matrix (Risikomatrix)

Rows: damage class (Schadensklasse); columns: likelihood of occurrence (Eintrittswahrscheinlichkeit). Each cell is the product of a damage score (1–5) and a likelihood score (5–1).

Damage class \ Likelihood     | very likely (sehr wahrscheinlich) | likely (wahrscheinlich) | possible (möglich) | unlikely (unwahrscheinlich) | almost impossible (nahezu ausgeschlossen)
low (niedrig)                 |  5 |  4 |  3 |  2 | 1
medium (mittel)               | 10 |  8 |  6 |  4 | 2
high (hoch)                   | 15 | 12 |  9 |  6 | 3
very high (sehr hoch)         | 20 | 16 | 12 |  8 | 4
catastrophic (katastrophal)   | 25 | 20 | 15 | 10 | 5
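The matrix above, the protection goals and damage scenarios of page 28 and the BSI 200-3 treatment options of page 29 can be combined into a small risk register. The following Python is an added example and not code from the talk: the category names and cell values follow the slide's matrix, while the sample risks, the planned controls and the acceptance threshold of 5 are constructed assumptions.

```python
"""Risk matrix and risk treatment in the style of BSI 200-3 (slides 28-30).
Added example, not from the talk: the matrix follows the slide, the register,
controls and acceptance threshold are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, replace

# Likelihood of occurrence (Eintrittswahrscheinlichkeit), scored 5 (most likely) .. 1,
# in the column order of the slide.
LIKELIHOOD = {
    "sehr wahrscheinlich": 5,    # very likely
    "wahrscheinlich": 4,         # likely
    "möglich": 3,                # possible
    "unwahrscheinlich": 2,       # unlikely
    "nahezu ausgeschlossen": 1,  # almost impossible
}
# Damage class (Schadensklasse), scored 1 (low) .. 5 (catastrophic), row order of the slide.
DAMAGE = {
    "niedrig": 1,
    "mittel": 2,
    "hoch": 3,
    "sehr hoch": 4,
    "katastrophal": 5,
}
# Assumption: a residual risk in a cell valued <= 5 may be accepted (Risiko-Akzeptanz).
ACCEPT_THRESHOLD = 5


def risk_score(damage: str, likelihood: str) -> int:
    """Cell value of the slide's matrix: damage score x likelihood score (1..25)."""
    return DAMAGE[damage] * LIKELIHOOD[likelihood]


def risk_matrix() -> dict[str, list[int]]:
    """Rebuild the 5x5 matrix: one row per damage class, columns from
    'sehr wahrscheinlich' to 'nahezu ausgeschlossen' as on the slide."""
    return {d: [risk_score(d, lk) for lk in LIKELIHOOD] for d in DAMAGE}


@dataclass(frozen=True)
class Risk:
    asset: str
    goal: str        # protection goal: "C", "I" or "A"
    scenario: str    # damage scenario (Schadensszenario) from slide 28
    damage: str      # key of DAMAGE
    likelihood: str  # key of LIKELIHOOD

    @property
    def score(self) -> int:
        return risk_score(self.damage, self.likelihood)


def _lower(scale: dict[str, int], level: str, steps: int) -> str:
    """Move `steps` levels down a scale, never below its lowest level."""
    by_score = {v: k for k, v in scale.items()}
    return by_score[max(1, scale[level] - steps)]


def reduce_risk(r: Risk, likelihood_steps: int = 0, damage_steps: int = 0) -> Risk:
    """Residual risk after a control (slide 16): a preventive control lowers the
    likelihood, a consequence-limiting control lowers the damage class."""
    return replace(r, likelihood=_lower(LIKELIHOOD, r.likelihood, likelihood_steps),
                   damage=_lower(DAMAGE, r.damage, damage_steps))


def treat(register: list[tuple[Risk, int, int]]) -> list[dict]:
    """Apply the planned control to each register entry and decide whether the
    residual risk can be accepted or still needs one of the other BSI 200-3
    options (Reduktion, Vermeidung, Transfer)."""
    report = []
    for risk, l_steps, d_steps in register:
        residual = reduce_risk(risk, l_steps, d_steps)
        accepted = residual.score <= ACCEPT_THRESHOLD
        report.append({
            "asset": risk.asset, "goal": risk.goal,
            "initial": risk.score, "residual": residual.score,
            "decision": "Risiko-Akzeptanz" if accepted
                        else "weitere Reduktion / Vermeidung / Transfer",
        })
    return report


# Constructed sample register: (risk, likelihood levels the planned control
# removes, damage levels it removes). All ratings are illustrative.
SAMPLE_REGISTER = [
    (Risk("customer DB", "C", "Verstoß gegen Gesetze", "hoch", "wahrscheinlich"), 2, 0),
    (Risk("ECU firmware", "I", "Beeinträchtigung der persönlichen Unversehrtheit",
          "katastrophal", "möglich"), 2, 0),
    (Risk("telematics link", "A", "Beeinträchtigung der Aufgabenerfüllung",
          "mittel", "sehr wahrscheinlich"), 1, 1),
]

if __name__ == "__main__":
    for row in treat(SAMPLE_REGISTER):
        print(row)
```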

Page 31

Agenda: Security Risk Analyses – Security Requirements

Page 32

SAE International J3061™ Cybersecurity Guidebook for Cyber-Physical Vehicle Systems

SAE = Society of Automotive Engineers
• January 2016, 128 pages (69 main content + appendices). Non-public
• Surface Vehicle Recommended Practice
• References to ISO 26262, MS SDL, ISO/ IEC 15408 (CC), NIST 800-53, ISO 12207, ISO 27001/ 2, NIST 800-30, ISO/ TS 16949:2009, EVITA, BSI 100-4, MITRE DBs, NIST DBs
• Purpose:
  • Provide a cybersecurity process framework and guidance to help organizations identify and assess cybersecurity threats and design cybersecurity into cyber-physical vehicle systems throughout the entire development lifecycle process.
  • Defines a complete lifecycle process framework that can be tailored and utilized within each organization's development processes to incorporate cybersecurity into cyber-physical vehicle systems from concept phase through production, operation, service, and decommissioning.
  • Provides high-level guiding principles.
  • Provides information on existing tools and methods.
  • Provides the foundation for further standards development.

[SAEJ3061]

Page 33

SAE International J3061™ – Appendix D: Security & Privacy Controls Description and Application

• 6 (!) pages, but derived (incl. family names and control names / labels) from NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• Sample list of 14 security control families* and 5 privacy control families
• Environmental scope includes design, manufacturing, customer operation, maintenance, and disposal
• Small sample of an overlay developed for the vehicle industry
• Can be derived from an existing security control baseline, if an appropriate baseline exists
• Existing baselines, which exist primarily for information systems rather than cyber-physical vehicle systems, probably overlook key assumptions or may be based on false assumptions; a specific overlay for vehicle systems would remedy this
• The task of creating a full formal overlay template for the vehicle industry with all associated documentation is beyond the scope of SAE J3061
• Table 28: sample list of potential security control families & controls for vehicle industry*
• Table 29: sample list of potential privacy control families & controls for vehicle industry

* 14 out of 17 security-related areas, with regard to protecting confidentiality, integrity, and availability [FIPS-199]

[SAEJ3061]

Page 34

SAE International J3061™ – Table 28: sample list of potential security control families & controls for vehicle industry

• Access Control: Policy, Permitted Actions without Identification or Authentication, Remote Access, Wireless Access, Access Control for Mobile Devices
• Awareness and Training: … security training due to legal or regulatory issues; privacy training if applicable; security as part of the lifecycle process, …
• Audit and Accountability: Policy, Audit Events, Review, Analysis and Reporting
• Security Assessment and Authorization: … Continuous Monitoring, Penetration Test, …
• Configuration Management: Policy, Change Control, Security Impact Analysis
• Identification and Authentication: Device Identification and Authentication, Identifier Management, …
• Incident Response: Incident Handling, Monitoring, …
• Media Protection: Policy and Procedures, Media Sanitization
• Physical and Environmental Protection: …, Access Control for Transmission Medium, Monitoring Physical Access
• Planning: Security Planning Policy and Procedures
• Risk Assessment: …, Vulnerability Scanning, …
• System and Services Acquisition: Developer Security Testing and Evaluation, Supply Chain Protection, Tamper Resistance and Detection, Component Authenticity
• System and Communications Protection: Denial of Service Protection, Boundary Protection, Cryptographic Protection, Fail in Known State, Wireless Link Protection, …
• System and Information Integrity: Malicious Code Protection, Information System Monitoring, Security Alerts, SW, Firmware and Information Integrity, Memory Protection

[SAEJ3061]

Page 35

SAE International J3061™ – Table 29: sample list of potential privacy control families & controls for vehicle industry

The privacy controls are specifically targeted at vehicle systems and components, including operation, maintenance, and disposal, and are in addition to an already established company privacy program

• Authority and Purpose: Purpose Specification (describes any privacy information that will be maintained within the vehicle and why)
• Accountability, Audit, and Risk Management: Privacy Impact and Risk Assessment (privacy impact and risk assessment from the collection, storage, and disposal of any privacy information used in the vehicle), Privacy Requirements for Contractors and Service Providers, Privacy Awareness and Training
• Data Minimization and Retention: Data Retention and Disposal (destroys or anonymizes privacy information stored in a vehicle component to prevent loss, theft, misuse, or unauthorized access)
• Individual Participation and Redress: Consent & Individual Access (… to understand the consequences of data collection and the means for customers to accept or decline the collection)
• Security: Inventory of Personally Identifiable Information (maintains an inventory of programs and vehicle systems that collect, use, and/ or maintain privacy information)

[SAEJ3061]

Page 36

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP = National Institute of Standards and Technology, Special Publication
• Revision 4: April 2013
• Unified information security framework
• 17 control families, 240 security and privacy controls for protecting information assets from security threats
• Definition of low, medium and high impact information systems acc. FIPS 200 [FIPS-200]
• Description of tailoring and overlay control customization processes
  • Tailoring: process of customizing a baseline set of controls to achieve a more focused and relevant security capability for an organization (e.g. recommended collections of controls)
  • Overlay:
    • Specialized list of controls that addresses the specialized requirements, technologies, or unique environments (e.g. for the transportation industry)
    • Fully specified set of controls, enhancements, and supplemental guidance
• Current state-of-the-practice safeguards and countermeasures for information systems
• Security controls reviewed at least annually

[NIST800-53]

Page 37

Emerging Standard ISO/ SAE 21434 – the first joint standard of ISO and SAE, expected in 2019

• Title: Road Vehicles – Cybersecurity
• Current status: WD (working draft)
• Host: ISO/ TC 22/ SC 32 – WG 11
• Scheduled for 2019
• Scope:
  • This document specifies requirements for cybersecurity risk management for road vehicles, their components and interfaces, throughout engineering (e.g. concept, design, development), production, operation, maintenance, and decommissioning.
  • A framework is defined that includes requirements for a cybersecurity process and a common language for communicating and managing cybersecurity risk among stakeholders.
  • This document is applicable to road vehicles that include electrical and electronic (E/E) systems, their interfaces and their communications. This document does not prescribe specific technology or solutions related to cybersecurity.
• Privacy and data protection will be captured as well
• Under discussion: definition of CAL (Cybersecurity Assurance Level). Proposed vector: Privacy (GDPR), Safety, Operational, Financial, Extensions. Range 0..x

Page 38

Cybersecurity Scoping Questions – Cybersecurity Relevance Status (figure)

Page 39

Agenda: Security Risk Analyses – Security Requirements

Page 40

ISA99/ IEC 62443: Industrial Automation and Control Systems Security (figure)

[ISA99]

Page 41

ISA 99/ IEC 62443: Industrial Automation and Control Systems (IACS) Security | Industrial communication networks – Network and system security

• References for development, operation and acquisition of IT systems in electrical, electronic and programmable transportation signalling systems
• Risks due to malicious attacks
• Additional requirements for systems, derived from threats against security
• Division of a system into zones and conduits → consideration of components

ISA99/ IEC 62443 Security Level – Definition (62443-3-2; Annex A)

Security Assurance Level | Violation | Means | Skills | Resources | Motivation
SL 0 | No specific requirements or security protection necessary
SL 1 | Intentional/ coincidental | | | |
SL 2 | Intentional | Simple | Generic | Low | Low
SL 3 | Intentional | Sophisticated | IACS specific | Moderate | Moderate
SL 4 | Intentional | Sophisticated | IACS specific | Extended | High

Page 42

IEC 62443-3-2: Security for industrial automation and control systems; Security risk assessment for system design (figure)

Page 44

Threat Analysis – MITRE

Common Attack Pattern Enumeration and Classification (CAPEC):

• The CAPEC database documents attack patterns with a unique CAPEC-ID, the weaknesses they exploit (CWE-IDs), the likelihood of exploitation and the impact/ harm on different aspects of a system, e.g. integrity and availability

• Number of documented attack patterns: 504 (08.04.2016)

Common Vulnerabilities and Exposures (CVE):

• The CVE database documents vulnerabilities of products and software with a unique CVE-ID and the related weakness (CWE-ID)

• Number of documented vulnerabilities: 74,931 (08.04.2016)

Common Weakness Enumeration (CWE):

• The CWE database documents weaknesses (i.e. programming errors) with a unique CWE-ID, countermeasures and the attack patterns (CAPEC-IDs) that the weakness makes possible

• Number of documented weaknesses: 719 (08.04.2016)

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [MITRE]

Page 45

STRIDE Threat Model (MSDN; Microsoft 2002)

• Spoofing Identity

• Tampering with data

• Repudiation

• Information Disclosure

• Denial of Service

• Elevation of Privilege

Ask questions like:

• How can an attacker change the authentication data?

• What is the impact if an attacker can read the user profile data?

• What happens if access is denied to the user profile database?

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [Eis2017]
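As an added example (not part of the original slides), the three questions above can be generated systematically with STRIDE-per-element: each element type of a data-flow diagram is exposed to a fixed subset of the six categories, and every applicable category becomes a candidate security requirement. The login model, its element names and the requirement wording are constructed for illustration.

```python
# Added example, not from the slides: STRIDE-per-element over a small
# data-flow model, turning each applicable threat into a candidate security
# requirement. Model, element names and requirement wording are constructed.
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to which DFD element type.
STRIDE_BY_TYPE = {
    "external_entity": "SR",      # can be spoofed, can repudiate actions
    "process": "STRIDE",          # exposed to all six categories
    "data_store": "TRID",         # tampering, repudiation (logs), disclosure, DoS
    "data_flow": "TID",           # tampering, disclosure, DoS in transit
}

# One requirement template per category, phrased from the defender's side.
REQUIREMENT_TEMPLATES = {
    "S": "{name}: authenticate the origin of every interaction (spoofing)",
    "T": "{name}: protect integrity of stored or transmitted data (tampering)",
    "R": "{name}: keep tamper-evident audit records of actions (repudiation)",
    "I": "{name}: restrict read access to authorised principals (disclosure)",
    "D": "{name}: provide availability safeguards such as redundancy (denial of service)",
    "E": "{name}: enforce least privilege for executed actions (elevation of privilege)",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of STRIDE_BY_TYPE

def threats_for(element: Element) -> list[str]:
    """STRIDE letters that apply to one element, by element type."""
    return list(STRIDE_BY_TYPE[element.kind])

def derive_requirements(model: list[Element]) -> dict[str, list[str]]:
    """Walk the whole model; one candidate requirement per (element, threat)."""
    return {el.name: [REQUIREMENT_TEMPLATES[t].format(name=el.name)
                      for t in threats_for(el)] for el in model}

def open_threats(model: list[Element], addressed: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """(element, letter) pairs that no existing requirement covers yet."""
    return [(el.name, t) for el in model for t in threats_for(el)
            if (el.name, t) not in addressed]

# Constructed model behind the slide's questions about the user profile database.
LOGIN_MODEL = [
    Element("User", "external_entity"),
    Element("Login service", "process"),
    Element("Credentials flow", "data_flow"),
    Element("User profile DB", "data_store"),
]

if __name__ == "__main__":
    for name, reqs in derive_requirements(LOGIN_MODEL).items():
        print(name)
        for req in reqs:
            print("  -", req)
```

The slide's three questions map to T, I and D on the data store; `open_threats` shows that R (who changed the authentication data?) still has no requirement once those three are addressed.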

Page 46

Agenda: Security Risk Analyses – Security Requirements

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

─ Introduction

─ What‘s going on?

─ Security | Definitions

─ Security Risk Analysis | Standards

─ Creation of Requirements

─ Some concrete Samples

─ Outlook | Privacy

Page 47

Privacy Characterization

Data privacy = protection of PII (personally identifiable information)

(Additional) security objectives:

• Predictability: a reliable sense of what is occurring with PII in a system

• Manageability: access and amendment, accountability, minimization, quality and integrity, …

• Disassociability: active protection of an individual‘s identity or associated activities from exposure

• Privacy as an attribute of a trustworthy system

Introduction of a Privacy Risk Assessment based on the likelihood that an operation performed by a system would create a problem for individuals → problematic data action

There are security issues unrelated to privacy just as there are privacy issues unrelated to security

• Problems that can result from unauthorized access to PII are generally well-recognized (e.g. identity theft)

• Problems from authorized processing may be less visible or not as well understood (e.g. discriminatory/ stigmatizing effects)

Risk: loss of a privacy objective → loss of privacy → loss of trust

Privacy by Design | Privacy by Default | Physical enhancement techniques | Privacy is law

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Page 48

„Gripes“ using „new“ media (1973)

[DoH73]

Page 49

German population census, 25 May 1987: „Wie Sie heißen, ist uns egal. Ihr Name hilft uns beim Zählen“ (“We don't care what your name is. Your name helps us count”)

Page 50

„Don‘t count us – count your days“

May demonstration 1987 in Berlin

Page 51

EU-GDPR (EU General Data Protection Regulation) – Recital 78 | Effective 25 May 2018

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [EU-DSGVO16]

Page 52

EU-GDPR (EU General Data Protection Regulation) – Article 25: Data protection by design and by default | Effective 25 May 2018

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [EU-DSGVO16]

Page 53

BSI (Bundesamt für Sicherheit in der Informationstechnik) | IND: Industrial IT | IND.1: ICS operation

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [BSI]

Page 54

BSI: „Stand der Technik“ (state of the art)

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [BSI]

Page 55

Privacy by Design Strategy Patterns (ENISA Report)

Data oriented strategies:

• Minimise: select before you collect; anonymisation and use of pseudonyms
  – the amount of personal data that is processed should be restricted to the minimal amount possible

• Hide: confidentiality: encryption of data; mix networks; unlinking of certain related events; anonymisation; pseudonyms
  – any personal data, and their interrelationships, should be hidden from plain view

• Separate: no specific patterns known
  – personal data should be processed in a distributed fashion, in separate compartments whenever possible

• Aggregate: aggregation over time; dynamic location granularity; k-anonymity; differential privacy; …
  – personal data should be processed at the highest level of aggregation and with the least possible detail in which it is (still) useful

Process oriented strategies:

• Inform: privacy preferences platform P3P; data breach notifications, …
  – data subjects should be adequately informed whenever personal data is processed

• Control: user-centric identity management; end-to-end encryption supports control
  – the control strategy states that data subjects should be provided agency over the processing of their personal data

• Enforce: access control; data protection management; digital rights management; licences
  – a privacy policy compatible with legal requirements should be in place and should be enforced; this relates to the accountability principle

• Demonstrate: data protection management systems; logging; audits
  – requires a data controller to be able to demonstrate compliance with the privacy policy and any applicable legal requirements

Kugler Maag CIE GmbH | Dr. Thomas Liedtke [ENISA14]
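As an added example (not from the ENISA report or these slides), the Aggregate strategy can be realised as generalisation of quasi-identifiers until a release is k-anonymous; it goes one step beyond the slide by also checking l-diversity, since a k-anonymous group whose members all share one sensitive value still discloses that value. The records and the generalisation ladder are constructed.

```python
# Added example, not from the ENISA report or the slides: the "Aggregate"
# strategy realised as generalisation of quasi-identifiers until a data set is
# k-anonymous, plus the l-diversity caveat. All records are constructed.
from collections import Counter

# Constructed records: (ZIP code, age, diagnosis). ZIP and age are the
# quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    ("89231", 34, "flu"), ("89233", 37, "asthma"), ("89237", 31, "flu"),
    ("70173", 52, "diabetes"), ("70174", 58, "flu"), ("70176", 55, "asthma"),
]

# Generalisation ladder, from full detail to almost none:
# (ZIP digits kept, width of the age bucket).
LADDER = [(5, 1), (4, 5), (3, 10), (2, 10), (0, 20)]

def generalise(record, zip_digits, age_bucket):
    """Coarsen one record: keep a ZIP prefix, replace the age by a range."""
    zip_code, age, sensitive = record
    prefix = zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits)
    low = (age // age_bucket) * age_bucket
    return (prefix, f"{low}-{low + age_bucket - 1}", sensitive)

def k_anonymity(records):
    """k of a release: size of the smallest group sharing the same quasi-identifiers."""
    groups = Counter(r[:2] for r in records)
    return min(groups.values(), default=0)

def l_diversity(records):
    """l of a release: fewest distinct sensitive values in any quasi-identifier group.
    A group with l == 1 leaks the attribute even though it is k-anonymous."""
    values = {}
    for qi_zip, qi_age, sensitive in records:
        values.setdefault((qi_zip, qi_age), set()).add(sensitive)
    return min((len(v) for v in values.values()), default=0)

def anonymise(records, k):
    """Climb the ladder until the release is k-anonymous.
    Returns (released_records, (zip_digits, age_bucket)), or None if k is unreachable."""
    for zip_digits, age_bucket in LADDER:
        released = [generalise(r, zip_digits, age_bucket) for r in records]
        if k_anonymity(released) >= k:
            return released, (zip_digits, age_bucket)
    return None

if __name__ == "__main__":
    released, params = anonymise(RECORDS, 3)
    print("generalisation used:", params, "k =", k_anonymity(released),
          "l =", l_diversity(released))
    for row in released:
        print(row)
```

With six records, k = 4 is unreachable even at the coarsest rung, which is the point of the strategy's "still useful" qualifier: aggregation trades detail for protection and has a floor set by the data itself.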

Page 56

PETs (Privacy Enhancing Techniques)

Privacy-enhancing (privacy-friendly) techniques: techniques that promote and enforce, or at least support, data protection in information and communication systems as far as possible

„Privacy Enhancing Technologies are a coherent system of ICT measures that protects privacy [...] by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data; all without losing the functionality of the data system.“ (Wikipedia)

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Page 57

NIST IR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

NIST IR = National Institute of Standards and Technology Internal Report

• Issued January 2017, U.S. Department of Commerce

• Available free of charge: https://doi.org/10.6028/NIST.IR.8062

• Extent: 49 pages

Main purpose:

• “provide an introduction to how systems engineering and risk management could be used to develop more trustworthy systems that include privacy as an integral attribute”

• “guidance on repeatable and measurable approaches to bridge the distance between privacy principles and their effective implementation in systems“

Target audience:

• People involved in developing systems and evaluating risks

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Page 58

• Separate leadership with unique skill sets is required for privacy and security

• A coordinated approach does not necessarily mean an identical approach

• Security typically recognized as one of the FIPPs

• There are security issues unrelated to privacy just as there are privacy issues unrelated to security

NIST IR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems. Information Security U.S. Department of Commerce

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Loss of CIA | Loss of Privacy

Page 59

3.1 Introducing Privacy Engineering Objectives

• Supplement to FIPPs

• Predictability:
  – designing systems so that stakeholders are not surprised by the handling of PII
  – publication on how PII is managed

• Manageability:
  – sufficient granularity to administrate individuals‘ information

• Disassociability:
  – privacy risk can result from exposures within an authorized perimeter
  – ability to complete transactions without associating information with individuals

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Page 63

Literature | References

• [DoH73] „Records, Computers and the Rights of Citizens“; Report of the Secretary‘s Advisory Committee on Automated Personal Data Systems. U.S. Department of Health, Education & Welfare. July 1973. Link: https://www.justice.gov/opcl/docs/rec-com-rights.pdf

• [EVITA] „E-safety vehicle intrusion protected applications“; Link: https://www.evita-project.org/

• [FIPS-199] „Standards for Security Categorization of Federal Information and Information Systems“; Link: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

• [FIPS-200] „Minimum Security Requirements for Federal Information and Information Systems“; Link: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

• [NIST800-53] „Security and Privacy Controls for Federal Information Systems and Organizations“; Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

• [SAEJ3061] „Surface Vehicle Recommended Practice“; Cybersecurity Guidebook for Cyber-Physical Vehicle Systems

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Page 64

Literature | References

• [BDSG] „Bundesdatenschutzgesetz“; Link: https://www.gesetze-im-internet.de/bdsg_1990/

• [BSI-GSK] Bundesamt für Sicherheit in der Informationstechnik: „IT-Grundschutz-Kataloge“

• [BSI-KritisV] „Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz“ (BSI-Kritisverordnung); Link: https://www.gesetze-im-internet.de/bundesrecht/bsi-kritisv/gesamt.pdf

• [BSI200-3] „BSI-Standard 200-3: Risikoanalyse auf der Basis von IT-Grundschutz“

• [CAV11] „Privacy by Design – The 7 Foundational Principles“; Ann Cavoukian. Published January 2011 by the Information and Privacy Commissioner of Ontario; Link: https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf

• [CORAS] „Model-Driven Risk Analysis“; Link: http://coras.sourceforge.net/

• [DoH73] „Records, Computers and the Rights of Citizens“; Report of the Secretary‘s Advisory Committee on Automated Personal Data Systems. U.S. Department of Health, Education & Welfare. July 1973. Link: https://www.justice.gov/opcl/docs/rec-com-rights.pdf

• [DSAnpUG-EU] „Datenschutz-Anpassungs- und -Umsetzungsgesetz EU (DSAnpUG-EU)“; draft bill, Drucksache 110/17, 02.02.2017; Link: http://www.bundesrat.de/SharedDocs/drucksachen/2017/0101-0200/110-17.pdf?__blob=publicationFile&v=5

• [ENISA14] „Privacy and Data Protection by Design – from policy to engineering“; December 2014, European Union Agency for Network and Information Security; Link: https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design

• [ePrivacy] „Verordnung über Privatsphäre und elektronische Kommunikation“; Link: https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications

• [EU-DSGVO] „EU-Datenschutzgrundverordnung“; Amtsblatt der Europäischen Union L 119; Link: http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=DE

• [GIIL16] „Data-Mining, Privacy Preserving – Einleitung“; GI-Informatiklexikon; accessed 13.07.2016; Link: https://www.gi.de/service/informatiklexikon/detailansicht/article/data-mining-privacy-preserving.html

• [Hoe14] „Privacy Design Strategies“; Jaap-Henk Hoepman; 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, Morocco, June 2-4, 2014, Proceedings pp. 446-459

• [IEC-31010] „Risk Management – Risk Assessment Techniques“

• [IEC-62443-3-2] „Security for industrial automation and control systems; Security risk assessment for system design“

• [IEC-62443-3-3] „Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels“

• [ISO-27k] ISO/ IEC 27000 series of standards: „IT security standards“. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

• [ISO27005] „Information Technology – Security Techniques – Information Security Risk Management“

• [ISO29100] ISO/ IEC 29100: „Information technology – Security techniques – Privacy framework“; Link: http://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip

• [ISO29134] „Information technology – Security techniques – Guidelines for privacy impact assessment“

• [IT-SIG] „Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme“ of 17 July 2015

• [NIST800-30] NIST SP 800-30: „Guide for Conducting Risk Assessments“; Information Security, U.S. Department of Commerce

• [NISTIR 8062] NISTIR 8062: „An Introduction to Privacy Engineering and Risk Management in Federal Systems“; Information Security, U.S. Department of Commerce; Link: http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

• [OWASP17] OWASP Top 10 2017; Link: https://www.owasp.org/index.php/Top_10-2017_Top_10

• [Tele16] „Handreichung zum ‚Stand der Technik‘ im Sinne des IT-Sicherheitsgesetzes (ITSIG)“; TeleTrusT – Bundesverband IT-Sicherheit e.V., 2016

• [TR20004] Technical Report ISO/ IEC TR 20004: „Information technology – Security techniques – Refining software vulnerability analysis under ISO/ IEC 15408 and ISO/ IEC 18045“

• [VDE0831-104] „Elektrische Bahn-Signalanlagen – Teil 104: Leitfaden für die IT-Sicherheit auf Grundlage IEC 62443“

Kugler Maag CIE GmbH | Dr. Thomas Liedtke

Page 65

© KUGLER MAAG CIE GmbH

Thank you very much. Are you ready for the future?

Thomas Liedtke (PhD) | [email protected] | +49 173 6764093