Measurable Security - a discussion of potential approaches

Business intelligence is moving towards the real-time handling of information, coming from both internal and external business processes. Inclusion of sensor data in automatic process control has been a topic in industry for quite a while, but was mainly limited to closed systems. Trends in collaborative industries like oil & gas show that sensor data might contribute to automatic processes in different domains, fostered by the vision of the Internet of Things. The presentation will address the challenges of communication across domains, focussing on the challenges of new infrastructures, new ways of communication and new devices. Two main trends are visible: (i) wireless sensors contributing to automated processes and (ii) the move of control into mobile devices. The example of "bring your own device" (BYOD) is used to exemplify the trends of devices accessing processes and information in your enterprise. In the upcoming years not only phones, tablets and computers will demand access, but also sensors and embedded system will deliver and request information. Sensors will contribute to automated processes, and thus require a knowledge management. Classic threats as insufficient authentication and loss of devices are addressed through an approach of integrating, managing and securing mobile devices. Such a short-sighted approach, as suggested by leading IT companies, is deemed to fail. A paradigm shift in handling security is required, addressing the need for securing information instead of securing infrastructure. The paradigm shift includes the need for measurable security, and addresses a metrics-based approach for a quantitative assessment of both the potential attack scenario and the security measures of the infrastructure. Our suggested approach is based on the semantic description of both a potential attack scenario, the security-related aspects of my sensors/systems and semantic policies. The outcome is a methodology for measurable security, and provides composable security for sensor systems. The approach is currently applied in the areas of Railway Security and UAV operation through the European Artemis project nSHIELD (http://newSHIELD.eu)