Understanding and Mitigating IoT Security Hazards
1 like257 views
Mark Benson discusses understanding and mitigating security hazards in the IoT. He outlines that IoT poses both great threats and opportunities over the next 10 years. There are three main challenges to IoT security: resource constraints of devices, novel deployment topologies across networks, and new usage modes as devices are deployed, updated and retired. Security must be designed into products from the beginning and continuously improved over time as the landscape changes. Benson advocates for establishing secure processes throughout the product lifecycle to develop secure products and maintain brand integrity.
Understanding and Mitigating IoT Security Hazards
- 1. Understanding and Mitigating IoT Security Hazards Mark Benson, CTO @markbenson IoT Developers Conference, 7 May 2015
- 2. The IoT threat and opportunity Recent Economist survey: Expect their company to be using IoT within 3 years “IoT is our single biggest threat AND biggest opportunity over the next 10 years” – Brand-name fortune 500 board of directors *Source: ABI Research, Cisco, Craig Hallum Es9mates 0 2 4 6 8 10 12 14 16 18 20 $0 $50 $100 $150 $200 $250 Devices Billions Market Size Billions Big Data Analy4cs (53% CAGR) Connected Device PlaCorms (33% CAGR) PlaCorms (33% CAGR) Applica4on Enablement PlaCorms (32% CAGR) Value Added Services (26% CAGR) System Integra4on Services (24% CAGR) Hardware (23% CAGR) Connec4vity (12% CAGR) Internet-‐connected devices (Cisco Es4mate) 95%
- 3. The Internet of Things? More like the Internet of Attack Vectors • Attack surfaces are expanding rapidly • Physical access to systems is becoming easier • Consumer privacy concerns are rising • Consequences of a breach are becoming more severe (critical infrastructure, brand deterioration, data privacy issues, etc.) • Product companies are being forced outside of their comfort zones • Three dimensions that make IoT security challenging…
- 4. 1. Resource constraints MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP DTLS/UDP CoAP Binary Data MAC/PHY IP DTLS/UDP CoAP Binary Data SensorMAC/PHY Binary DataRest Use Motion Motion Motion Use Use Use Rest Rest Enterprise Web Services IoT Data Platform Gateway or Aggregator Sensing Node Has moderate resource constraints Has severe resource constraintsDeals with resource constraintsHas virtually no resource constraints Network MAC/PHY Binary Data Network
- 5. 2. Deployment topologies Gateway IoT Cloud Gateway On-prem Gateway IoT CloudOn-prem Gateway IoT CloudOn-prem Analytics Analytics Sensors Short RF Gateways On-prem SW Long-haul Cloud Platform Analytics platform A. No cloud D. Closed network C. Multi-site E. Comprehensive B. Standard Local Display
- 6. 3. Usage modes • Device cloud registration * Secure authentication * Secure API transports * Secure storage Initialization Operation Modification Retirement1 2 3 4 • Secure flash * OTP parts * Secure boot * Secure provisioning • Secure firmware updates * Disable test/debug interfaces * Factory defaults fallback * Disable test interfaces • Secure change of ownership • Device de-registration process • Optionally reenable retired devices • Secure encryption key deletion Things to note about IoT usage modes that affect security: 1. Some modes are normal and standard solu5ons exist 2. Some modes are new and standards are s5ll emerging 3. Some modes are becoming more vulnerable due to resource constraints
- 7. Usage Modes Sim ple NovelStandard D eploym entTopologies C om plex Resource Constraints High Low The IoT security problem area A. High resource constraints B. Complex deployment topologies C. Novel usage modes Mo’ IoT, mo’ problems
- 8. The 4th dimension: time Now we have a Tesseract The difficulty with IoT security is that the landscape is constantly changing, even aYer products are deployed Security should be designed for from the beginning and embraced as a journey throughout It starts with a process… Modes Topologies Constraints Time
- 9. The web you should be weaving Secure processes => secure products => secure brand integrity Security Requirements Planning Design Implementation Verification Validation Deployment Operations Risk Analysis Threat Modeling Secure Design Practices Security-Focused Design Reviews Secure Coding Practices Third Party Security Audit Security-Focused Testing User Testing to Expose Weakpoints Penetration Testing Secure Deployment Practices Operational Risk Assessment Incident Response Preparedness Vulnerability Management Training and awareness Information Security Management System (ISMS) policies, procedures, and compliance audits Corporate strategy, governance, metrics, and optimization
- 10. Conclusion Takeaways: 1. Security processes. Have a security architecture from the beginning and evolve throughout (constraints, topologies, modes) 2. Technology selection. Make informed technology selections from the beginning that are aligned with security goals for the company and product 3. Operations planning. Plan and prepare for how you will respond if and when a security incident occurs in the field Checklists • http://owasp.org/ • http://builditsecure.ly/ Embrace the journey