IETF Logo Mail Archive

Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-use-cases-04: (with DISCUSS)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 24 February 2015 14:35 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F5BC1A1B28; Tue, 24 Feb 2015 06:35:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g79P6i5UFEFG; Tue, 24 Feb 2015 06:35:27 -0800 (PST)
Received: from mail-lb0-x22f.google.com (mail-lb0-x22f.google.com [IPv6:2a00:1450:4010:c04::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22F281A0203; Tue, 24 Feb 2015 06:35:27 -0800 (PST)
Received: by lbiz12 with SMTP id z12so25040224lbi.11; Tue, 24 Feb 2015 06:35:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=plukhzTzuU5YYKKZPYaJvNb/IcIVcn5HTszKzqZPpbs=; b=cPNOVPyA9w5gfsRSNSyX9Zo/ID3rWKFuN8o8F+dXPNnjBESG1j7UuQnPju4VES0SLF huvyjY0xMNEGWjR2g20fo90zBFdJfh7PpAQ5qNP2MIngoSEy88VT/4/Rt7CoBV64ML6h pNrOAZ0hE8e5QT8LQwzeLQ+zC5ktZ4UZ7AP0aAFJFKuUyEmS/PmIDvgCt9j7QypMnuNT ItxWEYnjns2+5RQlfMvjvVOL0fjiDgWmpSz4yrYu8MQ35I0X+DDvHA/if20MllKs1t2o 4JYXy+8AiiQJ3VZdH9HpczxVDE4ZFJsU6Zv0EObioNxFOol3uZWnOOUMBHzYVgN76WLH RAVQ==
MIME-Version: 1.0
X-Received: by 10.112.97.106 with SMTP id dz10mr14609970lbb.4.1424788525576; Tue, 24 Feb 2015 06:35:25 -0800 (PST)
Received: by 10.112.167.101 with HTTP; Tue, 24 Feb 2015 06:35:25 -0800 (PST)
In-Reply-To: <38EB3E83-5B43-41E0-BA20-F6C355308D41@jacobs-university.de>
References: <20150219154359.13340.37635.idtracker@ietfa.amsl.com> <38EB3E83-5B43-41E0-BA20-F6C355308D41@jacobs-university.de>
Date: Tue, 24 Feb 2015 09:35:25 -0500
Message-ID: <CAHbuEH7u9-SLkQJg5qBqafZvJJNbwhh=Wtv8RwrsP+8A3f0Z4w@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "Sehgal, Anuj" <s.anuj@jacobs-university.de>
Content-Type: multipart/alternative; boundary="001a11345b12f2778f050fd66d1f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/aE6BexicZ2hbYB4uE-BGJlIw_Qo>
Cc: "draft-ietf-opsawg-coman-use-cases.all@ietf.org" <draft-ietf-opsawg-coman-use-cases.all@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, The IESG <iesg@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, "ted.lemon@nominum.com" <ted.lemon@nominum.com>
Subject: Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-use-cases-04: (with DISCUSS)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2015 14:35:31 -0000

Hello,

Thank you for taking to time to add in the additional text, this hits the
points needed and addresses my discuss.  One of the sections has a run-on
sentence, so I'll try to help fix that below.  Please let me know when the
updates are made and I will clear my discuss.

On Tue, Feb 24, 2015 at 8:51 AM, Sehgal, Anuj <s.anuj@jacobs-university.de>
wrote:

> Hi,
>
> The following inline comments are an overview of the actions taken
> to resolve the issues raised by Kathleen and Ted.
>
> > On 19 Feb 2015, at 4:43 pm, ext Kathleen Moriarty <
> Kathleen.Moriarty.ietf@gmail.com> wrote:
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Thanks for your work on this draft, I just have some security stuff I'd
> > like to discuss that should be easy to resolve as some text is provided.
> >
> > In section 4.5, it is critical to also include a statement on security in
> > addition to privacy.  Medical devices with network attachments could be
> > used to kill someone.
> >
> http://abcnews.go.com/Health/dick-cheneys-fear-heart-device-hacks-justified-experts/story?id=20633284
> >
> > Suggest changing this text from:
> >   In both cases, however,
> >   it is crucial to protect the privacy of the people to which medical
> >   devices are attached.  Even though the data collected by a heart beat
> >   monitor might be protected, the pure fact that someone carries such a
> >   device may need protection.  As such, certain medical appliances may
> >   not want to participate in discovery and self-configuration protocols
> >   in order to remain invisible.
> > To:
> >   In both cases, however,
> >   it is crucial to protect the safety and privacy of the people to which
> > medical
> >   devices are attached.  Security precautions to protect access
> > (authentication, encryption, integrity protections, etc.) to such devices
> > may be critical to protecting the safety of the individual. Even though
> > the data collected by a heart beat
> >   monitor might be protected, the pure fact that someone carries such a
> >   device may need protection.  As such, certain medical appliances may
> >   not want to participate in discovery and self-configuration protocols
> >   in order to remain invisible.
>
> Adopted text in Section 4.5 - Medical Applications.
>
> > General statement:
> > Many of the other use case scenarios also have safety as a concern,
> > requiring security protections (Confidentiality, Integrity,
> > Availability).  Sensors used to control environmental settings is another
> > example where air regulation might include detection of harmful things in
> > the air (carbon monoxide).  I'm sure there are other safety concerns that
> > motivate security protections in each of the use cases, it's not just
> > privacy (which is important).  What if a sensor was tampered with to
> > report or not report something detected?  That's not covered in the
> > discussion on availability related problems in 4.6, but does represent
> > another set of security considerations that could lead to safety issues.
> > More text on access control considerations for NMS may help.
>
> I propose adding the following text to the respective sections.
>
> Section 4.1 - Environmental Monitoring
>
> Since many applications of environmental monitoring sensors are likely
> to be in areas that are important to safety (flood monitoring, nuclear
> radiation monitoring, etc.) it is important for management protocols
> and network management systems (NMS) to ensure appropriate security
> protections.

These protections include

>  not only access control, integrity and
> availability of data, but also provide appropriate mechanisms that can
> deal with situations that might be categorized as emergencies or when
> tampering with sensors/data might be detected.
>
> Section 4.2 - Infrastructure Monitoring
>
> Since infrastructure monitoring is closely related to ensuring safety,
> management protocols and systems must provide appropriate security
> protections to ensure confidentiality, integrity and availability of
> data.
>
> Section 4.3 - Industrial Applications
>
> Management protocols and NMSs must ensure appropriate access control
> since different users of industrial control systems will have varying
> levels of permissions.  E.g., while supervisors might be allowed to
> change production parameters, they should not be allowed to modify the
> functional configuration of devices like a technician should.  It is
> also important to ensure integrity and availability of data since
> malfunctions can potentially become safety issues.  This also implies
> that management systems must be able to react to situations that may
> pose dangers to worker safety.
>
> Section 4.5 - Medical Applications
>
> In both cases, however, it is crucial to protect the safety and
> privacy of the people to which medical devices are attached. Security
> precautions to protect access (authentication, encryption, integrity
> protections, etc.) to such devices may be critical to safeguarding the
> individual. The level of access granted to different users also may
> need to be regulated. For example, an authorized surgeon or doctor
> must be allowed to configure all necessary options on the devices,
> however, a nurse or technician may only be allowed to retrieve data
> that can assist in diagnosis. Even though the data collected by a
> heart beat monitor might be protected, the pure fact that someone
> carries such a device may need protection. As such, certain medical
> appliances may not want to participate in discovery and
> self-configuration protocols in order to remain invisible.
>
> Section 4.6 - Building Automation
>
> It is also important for a building automation NMS to take safety and
> security into account.  Ensuring privacy and confidentiality of data,
> such that unauthorized parties do not get access to it, is likely to
> be important since users' individual behaviors could be potentially
> understood via their settings.  Appropriate security considerations
> for authorization and access control to the NMS is also important
> since different users are likely to have varied levels of operational
> permissions in the system.  E.g., while end users should be able to
> control lighting systems, HVACs, etc., only qualified technicians
> should be able to configure parameters that change the fundamental
> operation of a device.  It is also important for devices and the NMS
> to be able to detect and report any tampering they might detect, since
> these could lead to potential user safety concerns, e.g., if sensors
> controlling air quality are tampered with such that the levels of
> Carbon Monoxide become life threatening.  This implies that a NMS
> should also be able to deal with and appropriately prioritize
> situations that might potentially lead to safety concerns.
>
> Section 4.8 - Transport Applications
>
> Since transport applications of the constrained devices and networks
> deal with automotive vehicles, malfunctions and misuse can potentially
> lead to safety concerns as well.  As such, besides access control,
> privacy of user data and timeliness management systems should also be
> able to detect situations that are potentially hazardous to safety.
> Some of these situations could be automatically mitigated, e.g.,
> traffic lights with incorrect timing, but others might require human
> intervention, e.g., failed traffic lights.  The management system
> should take appropriate actions in these situations.  Maintaining data
> confidentiality and integrity is also an important security aspect of
> a management system since tampering (or malfunction) can also lead to
> potentially dangerous situations.
>
>
>
> Hopefully this text is enough to resolve these issues.
>

Yes, thank you!
Kathleen

>
> Regards,
> Anuj
>
>


-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email