- From: Pfaff, Oliver <oliver.pfaff@siemens.com>
- Date: Wed, 1 Jul 2015 11:01:04 +0000
- To: "public-wot-ig@w3.org" <public-wot-ig@w3.org>
- Message-ID: <B842481327FC5344B501EC1921E8538E0132B3EB@DEFTHW99EL2MSX.ww902.siemens.net>
The June issue of the ISSA Journal had an interesting article on Securing the Industrial Internet of Things<http://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature0615.pdf> (also attached) This text elaborates on one part of our problem space: 'things' in form of investment or capital goods (such industrial devices) owned by legal entities. This also is the space into which IIC looks. The contents essentially provide a problem statement a la "you cannot use the old recipes to do new tricks" and gives some overview of the landscape Smallprint: apart from the text to which I wanted to point, I suggest to make use of the "legal entity vs. individually-owned thing" differentiation in our security&privacy work. I believe that will help. Consider authorization as an example: - In case of legal entity-owned resources (your company's controllers or sensors) it is natural to first formulate authorization strategies (policies) and then use them to decide about requests - this relies on a priori policies - In case of individually-owned resources (your jpegs at GDrive) the best current practices use a posteriori policies instead: an online print service asks for a resource (the access request), Google asks you if okay, you decide (the "policy") and Google memorizes your decision I'd expect that we will see a priori as well as a posteriori policing strategies in the things/device space again - for legal entity-owned vs. individually-owned things/devices Best regards, Oliver
Attachments
- application/pdf attachment: Melzer - Securing the Industrial Internet of Things.pdf
Received on Wednesday, 1 July 2015 11:01:43 UTC