IETF Logo Mail Archive

Re: [saag] draft-moore-iot-bcp-00 (Best Current Practices for Securing Internet of Things (IoT) Devices)

Adrian Hope-Bailie <adrian@hopebailie.com> Fri, 11 November 2016 08:16 UTC

Return-Path: <adrian@hopebailie.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793A9129A45 for <saag@ietfa.amsl.com>; Fri, 11 Nov 2016 00:16:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopebailie.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gwAjRGuttkKN for <saag@ietfa.amsl.com>; Fri, 11 Nov 2016 00:16:34 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89E8E1295DC for <saag@ietf.org>; Fri, 11 Nov 2016 00:16:34 -0800 (PST)
Received: by mail-wm0-x233.google.com with SMTP id c184so58333550wmd.0 for <saag@ietf.org>; Fri, 11 Nov 2016 00:16:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopebailie.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TMO2aLQ3fre9bRMsjpgnxAqXgznbswi/IxCkwwyqxQc=; b=E5/iwOgnN8EBleFVShx9DAu0b4/fODDHxpzdp4oi8d9DCT1tjwq+r7dKGUiiGWhEr2 Zvmy9j3vlCMn3+Us2YVFm6fhEF6rUjLH0rVv1Ln8VKJMVJUUstYmYhxzcbgNmTpPcko9 d+Nb3cGeeRKv+6NhRciJGtGnUZ5sy3qEJlmok=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TMO2aLQ3fre9bRMsjpgnxAqXgznbswi/IxCkwwyqxQc=; b=jXlUqXPzMN9TByTSRplzrC6AFyd4w+ArqsBlfbKbc9ZhehXZRV/cVRVMjzhIdcqTLd ZEuQA3IueQ00nvTKo0NltoBJGHR6LoZdMSIiXNyzbFWRqPqUGU6PuR7Y4wY3yHmpe9Fe 53b0GOAO83ChhMv0YSw3eIICChdQky4OvaukM7DNmaJFWomk9mrNBaRIH8ykeMfzXTMV nwbS9CAz0EaXnHUd7/8j6Mw/YoZ8Ltdjk932NpoXIN5AA4tQgsnsn5Xe01+0CO3jYvz7 /ZdG4EUsUikAfIU64rNDah9+w6kkYcDWMllRVzNz4DZxUlQvZXgJt83dj82ScPH0sIeD halw==
X-Gm-Message-State: ABUngveLD1x0H0Dpg0KxkPY63Nn99C9pva/R2Mp4Al7OqDuQCDjCueP3mlvgFk8ISzC5yrHv1/f3rA3KvVl4jg==
X-Received: by 10.194.105.104 with SMTP id gl8mr9120229wjb.83.1478852192938; Fri, 11 Nov 2016 00:16:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.115.6 with HTTP; Fri, 11 Nov 2016 00:16:32 -0800 (PST)
In-Reply-To: <1478850654823.89451@cs.auckland.ac.nz>
References: <63ae04d9-9a31-498c-3333-2801a72338f0@network-heretics.com> <99b43920-ee16-3cb2-731b-941718749cf5@afrinic.net> <CACsn0cmce8ZpDThPGA01PgnLfkyD3GyjJJVayiCaFikDUnZ77w@mail.gmail.com> <d0ec0ef0-67d8-0f14-c64e-537cab031b2c@gmx.net> <1478850654823.89451@cs.auckland.ac.nz>
From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Fri, 11 Nov 2016 10:16:32 +0200
Message-ID: <CA+eFz_+9dsFvaVfw32ra1RJuS1wBGi_mQavjx3aBiQ7yknqNMA@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary="001a1130d28aa2bf210541021bd0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Gw9dSRSZXDPYKK5Kg_bjAjz7dqA>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] draft-moore-iot-bcp-00 (Best Current Practices for Securing Internet of Things (IoT) Devices)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2016 08:16:36 -0000

How does your average consumer know if they're buying an Internet of
Shi^H^H^HThings device or proper SCADA gear?

Surely half the problem is educating price sensitive consumers about how to
distinguish from well-priced good hardware and cheap crap?

All the guidelines in the world will not stop people building crap to try
and sell it cheap

On 11 November 2016 at 09:50, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Hannes Tschofenig <hannes.tschofenig@gmx.net> writes:
>
> >We probably have do a bit of document scoping. Many embedded devices do
> not
> >run Linux since they have no MMU. I would like to have guidelines that
> also
> >consider those ~50 billion of currently deployed devices as well.
>
> I think that would definitely be useful.  We should distinguish between, at
> least, desktop-PC equivalents (anything capable enough to Linux, in which
> case
> just use any standard Unix good-housekeeping rules, you don't necessarily
> need
> the same thing just with IoT stamped on it), and then real SCADA/embedded,
> where you've got a single binary blob comprising the RTOS and the
> application(s) it runs, no MMU, and barely anything else.
>
> There's also a split in engineering terms between an Internet of
> Shi^H^H^HThings device (take the cheapest Arm-based reference design,
> shovel
> Linux 2.6.x and equally old, unpatched binaries onto it, and throw it out
> to
> the public), and what I'd consider proper SCADA gear, stuff that's been
> properly designed and engineered, with environmental protection, fault-
> checking, and so on, something that won't break the first time you sneeze
> near
> it, or that needs constant tending just to keep it going.  IoS devices have
> very different goals (cheap and quick, and if it breaks the vendor doesn't
> really care) from SCADA (long engineering cycles, time to do it right but
> often political impediments to doing so, and companies that have to stand
> behind their products, often for decades after they've shipped).
>
> So the first question would be, how do you divide things up in order to
> decide
> what goals need to be met, and what goals can actually be met?
>
> Peter.
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email