Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-use-cases-04: (with DISCUSS)
"Sehgal, Anuj" <s.anuj@jacobs-university.de> Tue, 24 February 2015 13:51 UTC
Return-Path: <s.anuj@jacobs-university.de>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ABF01A1A82; Tue, 24 Feb 2015 05:51:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.16
X-Spam-Level:
X-Spam-Status: No, score=-1.16 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PxMPrzGgc5n1; Tue, 24 Feb 2015 05:51:23 -0800 (PST)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01A741A0378; Tue, 24 Feb 2015 05:51:23 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id C640B734; Tue, 24 Feb 2015 14:51:21 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id cWaFvUO8Djsx; Tue, 24 Feb 2015 14:51:12 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Tue, 24 Feb 2015 14:51:20 +0100 (CET)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 4DE6520036; Tue, 24 Feb 2015 14:51:20 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id qmuvMtRHY0ZJ; Tue, 24 Feb 2015 14:51:18 +0100 (CET)
Received: from exchange.jacobs-university.de (shubcas03.jacobs.jacobs-university.de [10.70.0.153]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "exchange.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by hermes.jacobs-university.de (Postfix) with ESMTPS id 8E36620031; Tue, 24 Feb 2015 14:51:17 +0100 (CET)
Received: from SXCHMB01.jacobs.jacobs-university.de ([fe80::c1f:c30f:99ac:df0c]) by SHUBCAS05.jacobs.jacobs-university.de ([::1]) with mapi id 14.03.0224.002; Tue, 24 Feb 2015 14:51:17 +0100
From: "Sehgal, Anuj" <s.anuj@jacobs-university.de>
To: ext Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-use-cases-04: (with DISCUSS)
Thread-Index: AQHQTFsqtesxW4DlN02d4UBGqHidrJz/yHEA
Date: Tue, 24 Feb 2015 13:51:17 +0000
Message-ID: <38EB3E83-5B43-41E0-BA20-F6C355308D41@jacobs-university.de>
References: <20150219154359.13340.37635.idtracker@ietfa.amsl.com>
In-Reply-To: <20150219154359.13340.37635.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.50.244.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A211D3EF4D7D8545B518BBB4166B7886@jacobs.jacobs-university.de>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/zWqjjXabuxC_414pCh6Hugl3utA>
Cc: "draft-ietf-opsawg-coman-use-cases.all@ietf.org" <draft-ietf-opsawg-coman-use-cases.all@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, The IESG <iesg@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, "ted.lemon@nominum.com" <ted.lemon@nominum.com>
Subject: Re: [OPSAWG] Kathleen Moriarty's Discuss on draft-ietf-opsawg-coman-use-cases-04: (with DISCUSS)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2015 13:51:26 -0000
Hi, The following inline comments are an overview of the actions taken to resolve the issues raised by Kathleen and Ted. > On 19 Feb 2015, at 4:43 pm, ext Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote: > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thanks for your work on this draft, I just have some security stuff I'd > like to discuss that should be easy to resolve as some text is provided. > > In section 4.5, it is critical to also include a statement on security in > addition to privacy. Medical devices with network attachments could be > used to kill someone. > http://abcnews.go.com/Health/dick-cheneys-fear-heart-device-hacks-justified-experts/story?id=20633284 > > Suggest changing this text from: > In both cases, however, > it is crucial to protect the privacy of the people to which medical > devices are attached. Even though the data collected by a heart beat > monitor might be protected, the pure fact that someone carries such a > device may need protection. As such, certain medical appliances may > not want to participate in discovery and self-configuration protocols > in order to remain invisible. > To: > In both cases, however, > it is crucial to protect the safety and privacy of the people to which > medical > devices are attached. Security precautions to protect access > (authentication, encryption, integrity protections, etc.) to such devices > may be critical to protecting the safety of the individual. Even though > the data collected by a heart beat > monitor might be protected, the pure fact that someone carries such a > device may need protection. As such, certain medical appliances may > not want to participate in discovery and self-configuration protocols > in order to remain invisible. Adopted text in Section 4.5 - Medical Applications. > General statement: > Many of the other use case scenarios also have safety as a concern, > requiring security protections (Confidentiality, Integrity, > Availability). Sensors used to control environmental settings is another > example where air regulation might include detection of harmful things in > the air (carbon monoxide). I'm sure there are other safety concerns that > motivate security protections in each of the use cases, it's not just > privacy (which is important). What if a sensor was tampered with to > report or not report something detected? That's not covered in the > discussion on availability related problems in 4.6, but does represent > another set of security considerations that could lead to safety issues. > More text on access control considerations for NMS may help. I propose adding the following text to the respective sections. Section 4.1 - Environmental Monitoring Since many applications of environmental monitoring sensors are likely to be in areas that are important to safety (flood monitoring, nuclear radiation monitoring, etc.) it is important for management protocols and network management systems (NMS) to ensure appropriate security protections that ensure not only access control, integrity and availability of data, but also provide appropriate mechanisms that can deal with situations that might be categorized as emergencies or when tampering with sensors/data might be detected. Section 4.2 - Infrastructure Monitoring Since infrastructure monitoring is closely related to ensuring safety, management protocols and systems must provide appropriate security protections to ensure confidentiality, integrity and availability of data. Section 4.3 - Industrial Applications Management protocols and NMSs must ensure appropriate access control since different users of industrial control systems will have varying levels of permissions. E.g., while supervisors might be allowed to change production parameters, they should not be allowed to modify the functional configuration of devices like a technician should. It is also important to ensure integrity and availability of data since malfunctions can potentially become safety issues. This also implies that management systems must be able to react to situations that may pose dangers to worker safety. Section 4.5 - Medical Applications In both cases, however, it is crucial to protect the safety and privacy of the people to which medical devices are attached. Security precautions to protect access (authentication, encryption, integrity protections, etc.) to such devices may be critical to safeguarding the individual. The level of access granted to different users also may need to be regulated. For example, an authorized surgeon or doctor must be allowed to configure all necessary options on the devices, however, a nurse or technician may only be allowed to retrieve data that can assist in diagnosis. Even though the data collected by a heart beat monitor might be protected, the pure fact that someone carries such a device may need protection. As such, certain medical appliances may not want to participate in discovery and self-configuration protocols in order to remain invisible. Section 4.6 - Building Automation It is also important for a building automation NMS to take safety and security into account. Ensuring privacy and confidentiality of data, such that unauthorized parties do not get access to it, is likely to be important since users' individual behaviors could be potentially understood via their settings. Appropriate security considerations for authorization and access control to the NMS is also important since different users are likely to have varied levels of operational permissions in the system. E.g., while end users should be able to control lighting systems, HVACs, etc., only qualified technicians should be able to configure parameters that change the fundamental operation of a device. It is also important for devices and the NMS to be able to detect and report any tampering they might detect, since these could lead to potential user safety concerns, e.g., if sensors controlling air quality are tampered with such that the levels of Carbon Monoxide become life threatening. This implies that a NMS should also be able to deal with and appropriately prioritize situations that might potentially lead to safety concerns. Section 4.8 - Transport Applications Since transport applications of the constrained devices and networks deal with automotive vehicles, malfunctions and misuse can potentially lead to safety concerns as well. As such, besides access control, privacy of user data and timeliness management systems should also be able to detect situations that are potentially hazardous to safety. Some of these situations could be automatically mitigated, e.g., traffic lights with incorrect timing, but others might require human intervention, e.g., failed traffic lights. The management system should take appropriate actions in these situations. Maintaining data confidentiality and integrity is also an important security aspect of a management system since tampering (or malfunction) can also lead to potentially dangerous situations. Hopefully this text is enough to resolve these issues. Regards, Anuj
- [OPSAWG] Kathleen Moriarty's Discuss on draft-iet… Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Sehgal, Anuj
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Kathleen Moriarty
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Ted Lemon
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Sehgal, Anuj
- Re: [OPSAWG] Kathleen Moriarty's Discuss on draft… Kathleen Moriarty