IoT Security Defense in Depth
Dr. Charles Li
IBM GBS
• The Cuckoo's Egg: Tracking a Spy Through the Maze of
Computer Espionage
• A true story about an astronomer-turned-sysadmin at Berkeley in the 1980s who decides to track down a 75-cent accounting discrepancy in server usage, which turns into a year-long hunt for a sneaky computer spy operating for the KGB.
• Covers several severe holes in Unix security, but emphasizes that the weakest link in security is almost always the human operators
A Story in 1980s
Where is the Defense in Depth? Where are the endpoints? Where
are the perimeter and network defense? That was in 1980s.
Fraud, Hacking, Ransomware, Cyber-espionage, Targeted attacks, Theft / loss, Insider (malicious, accidental)
• 1.1B identities exposed in 2016 due to data breach [2]
• 190% increase in mobile malware samples [1] in one year [4]
• 57.6M new malware samples [1] in a single quarter [3]
• 445 new threats per minute, or 7.5 per second [1]
[1] McAfee Labs Threat Report, December 2017: https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2017.pdf
[2] Symantec Internet Security Threat Report 2017, volume 22: https://www.symantec.com/security-center/threat-report
[3] From Q2 2017 to Q3 2017
[4] From 2016 to 2017
Note: Average number per breach, M = million
The Era of Aggressive, Relentless Threats
Expanding Endpoints and Attack Surfaces
• Human attack surface
• Server attack surface
• Network and application attack surface
• Workstation attack surface
• Mobile, IoT attack surface
• Database attack surface
Complex Virtual Defense Perimeter
Cloud, mobile and IoT proliferation fragments the defense perimeter
Industrial Security Incidents - What’s Being Published
Information Technology (IT) attacks
Data loss
Operation Technology (OT) attacks
Human & environmental harm
Process interruption
Process manipulation
Information Technology (IT), Operation Technology (OT) & Internet of Things (IoT)
IoT = Industrial Domain + Consumer Domain
Source: electronicdesign.com
Information Technology | Operation Technology | Internet of Things
Different looks - Different security
IoT – Increased Interconnection
Source: TU München, Prof. Dr. Alfons Kemper
IoT Security Requires Both IT and OT Security
IT Security | OT Security | IoT Security
Energy, Environment & Utility, Transportation, Oil & Gas, (Waste-) Water, Manufacturing, Chemical & Pharmac, Medical Instruments, Mining
• IT Security is for the corporate network, e.g. web and email servers, desktops/laptops, network components
• OT Security is for Operational Technology (OT) networks, e.g. SCADA, HMI, PLC, RTU, machines, …
• In OT, all hardware and software form an entity – no part can be changed without vendor certification
• IT-OT represents security measures that can be used in both IT and OT. These have to be passive components which can’t disrupt the industrial process
• IoT Security requires understanding of both IT and OT Security
Key IT-OT Differences Summary
Operational Technology (OT)
▪ Mission critical
▪ Security focus on Safety & Reliability
▪ Maximum attack impact on humans: Life threatening
▪ Security priorities: A -> I -> C
▪ Interruption due to security measures: Not accepted
▪ Communication behavior: Defined and predictable
▪ Change Management: If possible only at maintenance
▪ Penetration tests: Only passive whitebox*
▪ Equipment life cycle: > 15 years
▪ Usual investments: >100M
▪ Processing requirements: milliseconds to seconds
▪ Low response time requirement
▪ Individual architecture (changing)
Information Technology (IT)
▪ Business critical
▪ Security focus on Data Confidentiality
▪ Maximum attack impact on humans: Annoyance
▪ Security priorities: C -> I -> A
▪ Interruption due to security measures: Accepted
▪ Communication behavior: Complex, sometimes unpredictable
▪ Change Management: Anytime, whenever needed
▪ Penetration tests: Active blackbox* and whitebox* types
▪ Equipment life cycle: 3-5 years
▪ Usual investments: 50k – 20M
▪ Processing requirements: minutes to days
▪ High throughput required
▪ Standardized architecture
IoT Platform and Security
Connectivity to more users, devices, and data than ever before
• Users: Auditors, Suppliers, Consultants, Contractors, Employees, Partners, Customers
• Data: Structured, Unstructured, On Premises, Off Premises
• Applications: Web Applications, Systems Applications, APIs, Mobile Applications
• Infrastructure and Devices: Datacenters, PCs, Laptops, Mobile, Cloud Services, IoT
It’s time to expand from infrastructure to information-centric security
• Development and deployment of applications
• Interaction between devices (Things) and cloud applications
• Remote data collection and analysis
• Provide secure connectivity
• Monitor, manage and control connected devices and
infrastructure
• Integration with 3rd party systems
An IoT Platform: An Integrated Suite of Components
IoT Platform Reference Framework
• Devices / Sensors / Things / Applications
• Network / Connectivity
• Data Integration / Ingestion
• Storage, Analytics, and Query
• Visualization
• Security
Lots of technologies, vendors, and approaches for each component
Source: Rouge Group LLC.
• Initial design was for private communication network then
moved to IP network and later on the Internet
• Firmware updates are hard or nearly impossible after
installations
• Started with basic security then found the security flaws and
attached more complex security requirements later
• Low security devices from early design are still out there and
used in compatible fall-back mode
IoT Security Challenges
Many Aspects of IoT Security
End-end IoT security: Silicon, IoT Devices, Gateways, Networks, Cloud, Solution & Applications
• Leverage in-silicon security & trusted modules
• Mutual identity validation device-cloud: secure tokens or client-side certificates
• Edge security: trusted gateways, auto device registration
• Secure communications: TLS v1.2, HTTPS, encrypted data
• Authentication, Authorization, Access Control, Data encryption, Firewall, ISO27k compliance, physically secure datacenters, operational controls
• Application access control & user management
• Visibility of threats: security dashboard
• Incident response: policies
• Solution or industry specific security
A Secure IoT Platform - IBM Watson IoT Platform
• Authentication: Identity & Credentials
• Authorization: Privileges
• Access Control: Application resource access, Data isolation
• Data Security: Encryption at rest, Encryption in-flight
Diagram components: Watson IoT Platform Console, User/operators, IoT Devices, IoT Gateway, Applications
• Authenticated by IBM ID, with access governed by roles
• Flexibility of trusted gateways providing limited device management and registration capabilities
• Secured connectivity: MQTT over TLS or HTTPS over TLS
• Secured by security authorisation token or certificates
• REST and Real-time APIs
• Secured by API key
• Data encryption
Other examples – AWS IoT, Microsoft Azure IoT, Google Cloud
Platform, ThingWorx IoT Platform, CISCO IoT Cloud Connect, HPE
Universal of Things (IoT) Platform
IT-OT Convergence For Security Operations
Data sources incl. industrial protocols:
• Corporate IT: Security data on networks, hosts.
• Operation Network: Control Systems/SCADA, Historian, HMI, PLC.
• Field level: PLC, sensors, analog protocols
Embedded Intelligence
Prioritized incidents
Risk and Security Threats in IoT vs IT
Information Technology (IT)
Attacks on data-center hosted data and services
• Exposure to IT networks from OT networks
• Human error or sabotage of operations systems
• Unprotected (or under protected) components in network
• DDoS or mis-information attack
• Attack from mobile-based remote maintenance apps
• Technical malfunctions of components
Operational Technology (OT)
Damage to plant, equipment, quality and output
• Loss of production
• Loss of intellectual property
• Capital Loss
• Triggering safety procedures or interfering with safety systems
• Deterioration of product quality
IoT Security layers. A large attack surface
IoT Rising Threats: Diligent and Persistent with Defense in Depth
IoT Growth Prediction
https://www.weforum.org/agenda/2015/11/is-this-future-of-the-internet-of-things/?utm_content=buffer10b03&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
Rises of Threats Target IoT Devices
https://securelist.com/honeypots-and-the-internet-of-things/78751/
• The Mirai Botnet (aka Dyn Attack)
• The Hackable Cardiac Devices from St. Jude
• The Owlet WiFi Baby Heart Monitor Vulnerabilities
• The TRENDnet Webcam Hack
• The Jeep Hack
The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History
https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities/
IoT Security: Defense in Depth
IT Security layers: Network, Host, Application, Data
IoT Security layers: Network, Host, Application, Gateway, Controllers, Data/Devices
Physical – Technical – Administrative Security Controls
Questions or Discussions?
Dr. Charles Li
Charles.Li@ibm.com, 202 330 1009
Lead of Integration and Innovation
IBM GBS Cybersecurity and Biometrics
#1 – Authorization: IoT device or server has proper authorization to send or receive that stream of data
#2 – Open Ports: An IoT device is dangerously vulnerable when it’s sitting and listening to an open port out to the internet
#4 – Encryption: You need end to end encryption between devices and servers
IoT Basic Security Measures
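An added example, not part of the original slides: a Python audit that checks device records against the three measures listed above, using the TLS v1.2 floor and the MQTT transport named earlier in the deck. The record fields, device names and sample inventory are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Ordered so versions can be compared; "none" means a plaintext transport.
TLS_RANK = {"none": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"  # the version the deck names for secure communications


@dataclass
class DeviceProfile:
    """Hypothetical inventory record; every field name is an assumption."""
    device_id: str
    credential: str                                       # "none", "token", "client_cert"
    tls_version: str                                      # a key of TLS_RANK
    topic_acl: list = field(default_factory=list)         # MQTT filters granted
    observed_topics: list = field(default_factory=list)   # topics seen in use
    listeners: list = field(default_factory=list)         # (bind_address, port)


def topic_allowed(topic: str, acl_filter: str) -> bool:
    """MQTT filter match: '+' covers one level, a trailing '#' covers the rest."""
    t_parts, f_parts = topic.split("/"), acl_filter.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(t_parts) == len(f_parts)


def audit(p: DeviceProfile) -> list:
    findings = []
    # Measure #1: the device must be authorized for each data stream it uses.
    if p.credential == "none":
        findings.append("authorization: no device credential")
    for topic in p.observed_topics:
        if not any(topic_allowed(topic, f) for f in p.topic_acl):
            findings.append(f"authorization: topic outside ACL: {topic}")
    # Measure #2: listeners bound to all interfaces or to a public address.
    for addr, port in p.listeners:
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified or ip.is_global:
            findings.append(f"open port: {addr}:{port}")
    # Measure #4: transport encryption at or above the TLS floor.
    if TLS_RANK[p.tls_version] < TLS_RANK[MIN_TLS]:
        findings.append(f"encryption: {p.tls_version} is below {MIN_TLS}")
    return findings


# Constructed sample inventory: one compliant device, one that fails all checks.
INVENTORY = [
    DeviceProfile("pump-01", "client_cert", "TLSv1.2",
                  topic_acl=["plant/pump-01/#"],
                  observed_topics=["plant/pump-01/telemetry"]),
    DeviceProfile("cam-07", "none", "none",
                  topic_acl=["site/cam-07/+"],
                  observed_topics=["site/cam-07/status", "site/cam-08/status"],
                  listeners=[("0.0.0.0", 23), ("127.0.0.1", 8080)]),
]


def audit_inventory(inventory: list) -> dict:
    return {p.device_id: audit(p) for p in inventory}


if __name__ == "__main__":
    for device_id, findings in audit_inventory(INVENTORY).items():
        print(device_id, findings or "OK")
```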
