TRUSTWORTHINESS & SECURITY MATURITY MODEL
FREDERICK HIRSCH
SYDNEY INDUSTRY DAY
Frederick Hirsch 1
THE WORLD IS CHANGING
(1) Took over the Radio (RAD) through a guessable password
(2) Re-imaged the V850 controller (BCM) gateway – it had a checksum on the images, but the checksum wasn’t used
(3a) With the re-imaged BCM, the Radio can send arbitrary CAN bus commands (2015)
(3b) Spoofed TPM speed messages… (2016)
RISK
• Risk - “A state of uncertainty where some of the possibilities involve a loss, catastrophe, or some other undesirable outcome.”*
• Uncertainty → Probability
• Outcome → Quantified Loss
* Hubbard, Seiersen; How to Measure Anything in Cybersecurity Risk
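As an added example (not from the talk), here is the quantified reading of the two arrows above, following the Hubbard and Seiersen approach the slide cites: each risk scenario gets an annual probability and a 90% confidence interval for its loss, and a Monte Carlo run turns those into an expected annual loss and a loss-exceedance curve. The scenario names and numbers are constructed sample values.

```python
import math
import random
from typing import List, Tuple

# (name, annual probability, 90% CI lower bound, 90% CI upper bound): constructed sample scenarios
SCENARIOS: List[Tuple[str, float, float, float]] = [
    ("ransomware on plant HMI", 0.10, 100_000, 2_000_000),
    ("unverified firmware image accepted by a gateway", 0.05, 50_000, 500_000),
    ("guessable credential on a remote interface", 0.20, 10_000, 200_000),
]
Z90 = 1.645  # z-score bounding a 90% interval


def lognormal_params(lower: float, upper: float) -> Tuple[float, float]:
    """Mean and sigma of ln(loss) such that [lower, upper] is the 90% CI (a lognormal loss, as in Hubbard)."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(scenarios=SCENARIOS) -> float:
    """Analytic expected loss: sum over scenarios of p * E[loss], with E[loss] = exp(mu + sigma^2 / 2)."""
    total = 0.0
    for _, p, lo, hi in scenarios:
        mu, sigma = lognormal_params(lo, hi)
        total += p * math.exp(mu + sigma * sigma / 2)
    return total


def simulate_annual_losses(scenarios=SCENARIOS, trials: int = 10_000, seed: int = 1) -> List[float]:
    """One trial is one simulated year: each scenario fires with its probability and draws a loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        year_loss = 0.0
        for _, p, lo, hi in scenarios:
            if rng.random() < p:
                mu, sigma = lognormal_params(lo, hi)
                year_loss += rng.lognormvariate(mu, sigma)
        losses.append(year_loss)
    return losses


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold: one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    years = simulate_annual_losses()
    print(f"expected annual loss: {expected_annual_loss():,.0f}")
    for t in (0, 100_000, 1_000_000):
        print(f"P(loss > {t:,}) = {exceedance_probability(years, t):.3f}")
```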
UNCERTAINTY
• Uncertainty → Probability
CONSEQUENCES
• Outcome → Quantified Loss
APPROACH
Intent, Action, Assurance
BUILDING ON PREVIOUS WORK
• Security Framework (IISF)
• Connectivity Framework (IICF)
• Reference Architecture (IIRA)
• Vocabulary
RECENT PUBLICATIONS
Dec 2017, Sept 2018, June 2019, July 2019
Safety Challenges; AI; Managing & Assessing; Journal of Innovation: Trustworthiness
https://www.iiconsortium.org/white-papers.htm
ASSURANCE AND EVIDENCE
SECURITY MATURITY MODEL (SMM)
https://www.iiconsortium.org/smm.htm
https://www.iiconsortium.org/pdf/IoT_SMM_Practitioner_Guide_2019-02-25.pdf
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_FINAL_Updated_V1.1.pdf
SECURITY MATURITY VS. SECURITY LEVEL
• Security maturity is a measure of the understanding of the current security level, its necessity, benefits and cost of its support.
• Security level is a measure of confidence that system vulnerabilities are addressed appropriately and that the system functions in an intended manner.
MANY FRAMEWORKS BUT NO SINGLE STANDARD
SMM STRUCTURE AND TABLES
TEMPLATE AND TABLES
<Practice-Name>
<Practice Description>
Columns: Comprehensiveness Level 1 | Comprehensiveness Level 2 | Comprehensiveness Level 3 | Comprehensiveness Level 4
Objective: an Objective Description per level
General considerations (spanning all levels)
Level Description: a Level Description per level
What needs to be done to achieve this level: Considerations per level
Indicators of accomplishment: Considerations per level
Levels include all the considerations of the lower levels
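The template above, as an added working model (not the SMM's own text or tooling): one practice with four comprehensiveness levels, each carrying its "what needs to be done" considerations and "indicators of accomplishment", with the rule that a level includes all considerations of the lower levels implemented in `cumulative_considerations()` and used for a current-versus-target gap check. The practice content is a constructed sample.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LevelEntry:
    description: str            # Level Description cell
    considerations: List[str]   # What needs to be done to achieve this level
    indicators: List[str]       # Indicators of accomplishment


@dataclass
class Practice:
    name: str                                   # <Practice-Name>
    description: str                            # <Practice Description>
    levels: Dict[int, LevelEntry]               # Comprehensiveness Level 1..4
    objectives: Dict[int, str] = field(default_factory=dict)
    general_considerations: List[str] = field(default_factory=list)

    def cumulative_considerations(self, level: int) -> List[str]:
        """Considerations for `level` plus those of every lower level (the template's inclusion rule)."""
        if level not in self.levels:
            raise ValueError(f"unknown comprehensiveness level {level}")
        return [c for lvl in sorted(self.levels) if lvl <= level
                for c in self.levels[lvl].considerations]

    def gap(self, current: int, target: int) -> List[str]:
        """What still needs to be done to move from `current` (0 = nothing achieved) to `target`."""
        done = set(self.cumulative_considerations(current)) if current > 0 else set()
        return [c for c in self.cumulative_considerations(target) if c not in done]


# Constructed sample practice; wording is illustrative, not taken from the SMM tables
PATCH_MGMT = Practice(
    name="Patch management",
    description="Keep deployed software and firmware current against known vulnerabilities",
    levels={
        1: LevelEntry("Ad hoc", ["inventory deployed software versions"],
                      ["a version list exists"]),
        2: LevelEntry("Defined", ["track vendor advisories", "define a patch cadence"],
                      ["cadence documented and followed"]),
        3: LevelEntry("Consistent", ["verify signed images before deployment"],
                      ["unsigned images are rejected"]),
        4: LevelEntry("Formalized", ["measure patch latency against targets"],
                      ["latency metrics reviewed"]),
    },
)

if __name__ == "__main__":
    for step in PATCH_MGMT.gap(current=1, target=3):
        print("to do:", step)
```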
ACTIONABLE
• Practitioner’s Guide
• Profiles
• Mappings
• Training
THANK YOU
Frederick Hirsch, Fujitsu
@fjhirsch
fjhirsch.com
IIC Journal of Innovation, Trustworthiness:
https://www.iiconsortium.org/news/journal-of-innovation-2018-sept.htm
Security Maturity Model Practitioner’s Guide:
https://www.iiconsortium.org/smm.htm