[IG-SP] Securing the Industrial Internet of Things

The June issue of the ISSA Journal had an interesting article on Securing the Industrial Internet of Things<http://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature0615.pdf> (also attached)

This text elaborates on one part of our problem space: 'things' in the form of investment or capital goods (such as industrial devices) owned by legal entities. This is also the space into which IIC looks. The contents essentially provide a problem statement a la "you cannot use the old recipes to do new tricks" and give some overview of the landscape.

Smallprint: apart from the text to which I wanted to point, I suggest making use of the "legal entity vs. individually-owned thing" differentiation in our security & privacy work. I believe that will help. Consider authorization as an example:
- In the case of legal entity-owned resources (your company's controllers or sensors) it is natural to first formulate authorization strategies (policies) and then use them to decide on requests - this relies on a priori policies.
- In the case of individually-owned resources (your jpegs at GDrive) the best current practices use a posteriori policies instead: an online print service asks for a resource (the access request), Google asks you if that is okay, you decide (the "policy") and Google memorizes your decision.
I'd expect that we will see a priori as well as a posteriori policing strategies in the things/device space again - for legal entity-owned vs. individually-owned things/devices.

Best regards,
Oliver
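The a priori vs. a posteriori distinction in the message above, worked through as an added Python example (not code from the message, the ISSA article, or IIC). The policy rules, the roles, the "carol"/"alice"/"bob" subjects, the PLC and photo resource names and the owner's answers are all constructed for illustration; the a priori authorizer denies by default when no rule matches, and the a posteriori authorizer denies resources with no known owner and prompts the owner at most once per distinct request.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """One access request. Frozen so it can be used as a dict key (memorized decisions)."""
    subject: str
    action: str
    resource: str


@dataclass
class APrioriAuthorizer:
    """Policy-first authorization, as for legal entity-owned resources:
    rules exist before any request is seen, and unmatched requests are denied."""
    policies: List[Tuple[str, str, str]]   # (subject or role, action, resource prefix)
    roles: Dict[str, str]                  # subject -> role

    def decide(self, req: Request) -> bool:
        role = self.roles.get(req.subject, "")
        for who, action, prefix in self.policies:
            if who in (req.subject, role) and action == req.action \
                    and req.resource.startswith(prefix):
                return True
        return False   # default deny: no policy, no access


@dataclass
class APosterioriAuthorizer:
    """Request-first authorization, as for individually-owned resources:
    the owner is asked when a request arrives and the answer is memorized."""
    owner_of: Dict[str, str]                       # resource -> owner
    ask_owner: Callable[[str, Request], bool]      # hypothetical owner prompt
    memory: Dict[Request, bool] = field(default_factory=dict)

    def decide(self, req: Request) -> bool:
        if req in self.memory:                     # decision already taken earlier
            return self.memory[req]
        owner = self.owner_of.get(req.resource)
        if owner is None:                          # nobody to ask: deny, do not prompt
            return False
        decision = self.ask_owner(owner, req)      # the owner's answer IS the policy
        self.memory[req] = decision                # memorize it for next time
        return decision


def demo() -> dict:
    # A priori: company-owned controllers and sensors; policies written up front (constructed).
    plant = APrioriAuthorizer(
        policies=[
            ("engineer", "read", "plc/"),           # engineers may read any PLC
            ("engineer", "write", "plc/line1/"),    # but may only write line-1 PLCs
            ("maintenance-bot", "read", "sensor/"), # a specific non-human subject
        ],
        roles={"alice": "engineer", "bob": "operator"},
    )
    a_priori = {
        "alice reads line2": plant.decide(Request("alice", "read", "plc/line2/ctrl")),
        "alice writes line2": plant.decide(Request("alice", "write", "plc/line2/ctrl")),
        "bob reads line1": plant.decide(Request("bob", "read", "plc/line1/ctrl")),
        "bot reads sensor": plant.decide(Request("maintenance-bot", "read", "sensor/temp7")),
    }

    # A posteriori: individually-owned files; the owner decides at request time (constructed).
    prompts = []

    def ask(owner: str, req: Request) -> bool:
        prompts.append((owner, req))
        # constructed owner behaviour: share photos, keep tax documents private
        return req.resource.startswith("photos/")

    drive = APosterioriAuthorizer(
        owner_of={"photos/holiday.jpg": "carol", "docs/tax2014.pdf": "carol"},
        ask_owner=ask,
    )
    first = drive.decide(Request("print-service", "read", "photos/holiday.jpg"))
    second = drive.decide(Request("print-service", "read", "photos/holiday.jpg"))  # memorized
    tax = drive.decide(Request("print-service", "read", "docs/tax2014.pdf"))
    unknown = drive.decide(Request("print-service", "read", "photos/nobody.jpg"))  # no owner

    return {
        "a_priori": a_priori,
        "a_posteriori": {"first": first, "second": second, "tax": tax, "unknown": unknown},
        "owner_prompts": len(prompts),   # 2: the repeated request and the ownerless one never prompt
    }


if __name__ == "__main__":
    print(demo())
```

The two classes make the operational difference visible: the a priori authorizer can be audited before deployment (every allow traces to a written rule, and everything else is denied), while the a posteriori authorizer has no policy to audit until requests arrive, so its security depends on who may answer the prompt and on the memorized decisions being stored and revocable.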

Received on Wednesday, 1 July 2015 11:01:43 UTC