Write My Paper Button

WhatsApp Widget

Task – Security and Privacy in IoT Solution Introduction You are working for a small company, Salfardo Smart Solutions (3S), which advertises itself as providing Internet of Things systems, network, and payment solutions,

adminUncategorized

Assessment task details and instructions

Task – Security and Privacy in IoT Solution Introduction

You are working for a small company, Salfardo Smart Solutions (3S), which advertises itself as providing Internet of Things systems, network, and payment solutions, amongst other IT solutions. The company has just set up, and the director has employed you as its sole IoT security and privacy expert who has training across the field of IoT connectivity, security, and privacy.

3S, being new, has no formal procedures yet laid out for anything.
3S has just been contracted by a private healthcare centre, British Healthcare Centre (BHC), to provide them with support in setting up an integrated Internet of Medical Things (IoMT) and electronic payment system for their healthcare services.
About British Healthcare Centre (BHC)

BHC is a collection of three healthcare centres spread across a county. The healthcare centres intend to provide state-of-the-art real-time healthcare services including remote patient monitoring and in-house patient care by collecting and analysing data from IoT devices. Due to its unique smart facilities, BHC has a rapidly growing patient base for advanced healthcare facilities. In setting systems, BHCs do not want to rely on taking cash payments from customers and have plans to become more organised by offering electronic payments. To this end they have contracted with 3S to develop a solution and have agreed on the following high-level requirements:

  • BHC want to keep track of all incorporated IoT devices for data collection and monitoring.
  • BHC want to be able to accept payment by debit/credit card and related smart payment methods.
  • BHC want to introduce an insurance-based payment method for customers.
  •  BHC want to store patients’ health and payment data.
  • BHC want to ensure the security of infrastructure and the privacy of sensitive data.

The Understanding
Additionally, the following understanding was gathered, and 3S made the following notes on the discussion with BHC:
Customers who make insurance payments will have their lifestyle choices and health records tracked, and in return are awarded special discounts for compliance with the best health routine. This is tied to the customer’s private information – their personal identifying information.
The BHC chief operating officer does not want to keep travelling between the centres to monitor the physical, network, applications, and data processing conditions. The centres will be integrated at one site, for simplicity and security, and so that everything can be monitored from one place. There is plenty of spare space on one site that is suitable for secured monitoring systems.

BHCs are interested in keeping their systems in-house as much as possible. They are also willing to employ cloud systems as a part of the deployed infrastructure. This should be no worry as BHC
 
is looking for a fairly viable solution. The core database where patient data is stored along with all core health services purchases etc. can be at one site.
BHC would prefer not to employ any additional staff to manage the proposed solution, though BHC staff may have to undergo training in certain areas.
BHC will have no technician/ administrator to manage the centres, – 3S should be able to administer and maintain the network and systems remotely.
A check has shown that there will be no problem getting suitable reliable internet access at any of the sites.

On developing a suitable plan and proposed solution, BHC will likely follow up and ask 3S to implement and maintain their system which will be a lucrative deal for 3S.

Task:

Your part of developing the solution is to produce a report on the underlying information and security technologies – systems and networks, – other aspects, and their compliance with the NIST guidelines, PCI-DSS (IoT), CIS-CSC-IoT companion guide, and the Data Protection Act (DPA) 2018 – General Data Protection Regulation (GDPR). This will then be fed back into a larger study, including costings, that BHC and 3S will produce internally to be used to further pursue the business opportunity.
Complete a report that comprises the following parts:

  1. Design Architecture – (20%)
  2. Threat Scenarios – (20%)
  3. Compliance with PCI-DSS Requirements (IoT guidelines) – (20%)
  4. CIS Critical Security Controls IoT Companion Guide (v8) – (20%)
  5. Compliance with the Data Protection Act – GDPR (10%)
  6.  Conclusions and Recommendations – (10%)

Each part may have subsections, which should be suitably named. The numbering of sections and subsections is encouraged for better navigation and in-document referencing.

Do not repeat. Use forward and backward references within your document where appropriate to indicate where related matters are covered.
Consider throughout, best practices relating to:

–    Intrusion Detection and Prevention, including firewalls
–    Access Control and Management
–    Security in transit and in storage
–    Backups and Business Continuity planning
–    Key management and access

Design Architecture – 

Design and Architect an integrated system that can provide synchronous health services to the patients. You should include IoT devices for at least five health monitoring scenarios. You should also design a payment system for BHC to cover the three centres.
List and detail the technologies and solutions that you would choose. List the security capabilities of chosen/ incorporated IoT devices (provide appropriate references).

Present a logical connectivity/ network diagram that covers the three sites, and detail how the centres would operate. More than one diagram might be useful to show different aspects without crowding one diagram.

Threat Scenarios – 

What are the main threats against the proposed IoMT solution, including the information risk? Please note that IoT threat definitions are not acceptable. You should describe how your proposed solution can be at risk. Reference external sources which indicate the most likely threats against this sort of implementation in the healthcare environment. You should also briefly talk about the potential mitigation techniques incorporated in the proposed solution.

Compliance with PCI-DSS –

Detail what is required, technically and non-technically (where there is an appropriate response) for each of the 12 PCI-DSS requirements (IoT security, where necessary). Use forward/backward referencing to different sections in your report to show how these requirements are met. Where useful, the use of diagrams and/or figures is encouraged.

CIS-Critical Security Controls –

There are 56 Safeguards (‘Sub-Controls’) for CIS-CSC Implementation Group 1 (IG1) which are known for providing basic cyber hygiene against the most common attacks.

For each CIS-Critical Security Control that has an IG1 Safeguard, briefly detail a solution – Address at least one IG1 Safeguard per control. You can use forward/backward referencing in your report to show how these controls are implemented, and security is ensured.
Note: Only 15 of the 18 CSCs have an IG1 Safeguard. For some safeguards, there is nothing specific to IoT.

Compliance with the DPA-GDPR – 

Identify and detail how the solution will be compliant with DPA-GDPR. Provide references for best practices.

Conclusions and Recommendations –

This may include main points that are considered of importance, main points for us (3S), or main points to pass on to BHC. This is your opportunity to use your judgment as an expert and add further value

Related Posts