Repository for background reading and Links

This month, the National Institute of Standards and Technology (NIST) published the final form of a document that Scott Shorter from Electrosoft coauthored with NIST scientist Michaela Iorga. NIST Interagency Report (NISTIR) 7823, entitled “Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework.” NISTIR 7823 provides test methods for determining compliance with the voluntary industry standards on firmware upgradeability published by the National Electrical Manufacturers Association (NEMA). The NEMA standard provides functional and security requirements for smart meters, upgrade management systems to upgrade firmware in a secure manner. 

NEMA SG-AMI 1-2009 was published 2009-09-25 to “[define] requirements for smart meter firmware upgradeability in the context of an advanced metering infrastructure system for industry stakeholders such as regulators, utilities and vendors.”  It is currently distributed as part of NEMA's Smart Meter Standards Package which is billed as requirements and guidance on electricity meteric within the United States.  The test framework we developed is a very comprehensive test method for a fairly weakly specified standard, and in light of updated NIST guidance on protection of BIOS it is overdue for an update.  Scott Shorter will be blogging this month on the topic of firmware upgradeability as a security feature, the ways that security feature can be abused, and recommended security considerations for when the firmware upgradeability standard is revisited, whether as an update by NEMA or if adopted as an ANSI C.12 standard.

Intro from the document: Our fast-approaching future of driverless cars and “smart” electrical grids will depend on billions of linked devices making decisions and communicating with split-second precision to prevent highway collisions and power outages. But a new report* released by the National Institute of Standards and Technology (NIST) warns that this future could be stalled by our lack of effective methods to marry computers and networks with timing systems.

http://www.nist.gov/pml/div688/timing-031915.cfm

We have addressed some of these issues in the past in industrial controls systems (with real time OS) and (telecom infrastructure) with PTP (precision time protocol). 

The National Cybersecurity Center of Excellence (NCCoE), in partnership with the National Strategy for Trusted Identities in Cyberspace National Program Office, is seeking comments on a new project focused on protecting privacy and security when reusing credentials at multiple online service providers. For example, your social media account login can be used to access your fitness tracker account. In effect, the social media company is vouching for you with the tracker company.

Perhaps there is an identity solution applicable to IoT already in development.  This approach uses blockchain and is funded by some major VCs.

http://www.coindesk.com/onename-raises-seed-funding-fuel-decentralized-identity-protocol/

 

Security guidlines for early adaptors compiled by the Cloud Security Alliance

https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

IERC - Internet of Things European Research Cluster http://www.internet-of-things-research.eu/index.html
The 2012 Cluster-Book

Interet of Things Comic
http://www.alexandra.dk/uk/services/publications/documents/iot_comic_book.pdf

Xively

Xively (formerly Cosm and before that Pachube (pronounced Patch bay)) is an on-line database service allowing developers to connect sensor-derived data (e.g. energy and environment data from objects, devices & buildings) to the Web and to build their own applications based on that data.(quote from http://en.wikipedia.org/wiki/Xively).

https://xively.com/dev/help (ex pachube)