ISSA-UK Securing the Internet-of-Things by Adrian Wright



Securing The 'Internet of Things'

Once upon a time the Internet was all about connecting people via their computers. Then along came mobile, which allowed people to connect while on the move. But as more and simpler devices come equipped with an IP connection, the people have largely left the room, leaving all sorts of devices talking directly to each other and to higher systems via the web, without human intervention or supervision.
Predictions say that by 2020 some 30 to 50 billion 'things' will be connected to the internet, from simple widgets like temperature sensors and domestic water meters, to more critical devices such as power plant telemetry and ATMs. The security implications are obvious but cannot be assumed to have been addressed, which raises some key questions we need to discuss.

Published in: Technology, Business


  • 1. ISSA-UK Chapter Meeting, London, 13th June 2013. Adrian Wright, VP Research - ISSA-UK, CEO - Secoda Risk Management. Securing The Internet of Things
  • 2. Securing The Internet of Things. Agenda:
    1. Hitchhikers Guide to the Thingiverse
    2. New World? Or a New Term?
    3. Technology Drivers & Enablers
    4. Security Challenges
    5. Summary & Debate
  • 3. Start with a great quote: And a critical observation for good measure:
  • 4. Privacy anyone?
  • 5. "The Internet of Things is not a concept; it is a network. The true technology-enabled Network of all networks". Edewede Oriwoh (bio: )
  • 6. What is it?
    • Once upon a time the Internet was about connecting people via their computers
    • Then mobile allowed people to connect while on the move
    • As simpler devices come equipped with IP connections, people have largely left the room, leaving all sorts of devices talking directly to each other and to higher systems via the web, without human intervention or supervision
    • By 2020 30-50 billion 'things' will be connected to the internet, from simple widgets like temperature sensors & domestic water meters to more critical devices like medical monitors, power plant telemetry & ATMs
    • This is called M2M (Machine to Machine) communication, as distinct from H2H (Human to Human) & dubbed "The Internet of Things"* (IoT)
    • Today 9 bn devices connected to the internet, incl 6 bn mobile devices
    * Term initially used by Kevin Ashton in 1999 (About Kevin Ashton: )
  • 7. Implications
    • IoT = Future where everyday physical objects will be connected to the Internet and will be able to identify themselves to other devices
    • IoT = Integration of the physical and virtual world
    • IoT = Significant, as when a physical object is represented in the virtual world it can be connected to other virtually represented objects & data
    • IoT = Object can be monitored & managed based on preset parameters
    • IoT = Huge revenue opportunity to mobile operators. $1.2 trillion by 2020*. Most profit coming from app devt rather than delivering connectivity
    Image:
    * GSMA report Oct 2011 with AT&T, Deutsche Bank, KT, Telenor Connexion, Vodafone & Machina Research. Link to Report here:
  • 8. It's already here. However:
    • Existing M2M solutions highly fragmented & typically dedicated to a single application (e.g. fleet management, meter reading, vending machines).
    • Multitude of technical solutions & dispersed standardisation activities result in slow development of global M2M market.
    • Standardisation is key enabler to remove technical barriers & ensure interoperable M2M services & networks
    • M2M / IoT has huge potential but currently comprises a heterogeneous collection of established & emerging (often competing) technologies & standards (although moves are afoot here). This is because the concept applies to, & has grown from, a wide range of market sectors.
  • 9. Market example – smart parking
  • 10. Things everywhere. Link to article:
  • 11. Concepts & Jargon
    • Things: Physical entities whose identity, state (or surroundings) are capable of being relayed to an internet-connected IT infrastructure. Almost anything to which you can attach a sensor — a cow in a field, a container on a cargo vessel, the air-conditioning unit in your office, a lamppost in the street — can become a node in the Internet of Things.
    • Sensors: Components of things that gather and/or disseminate data e.g. location, altitude, velocity, temperature, illumination, motion, power, humidity, blood sugar, air quality, soil moisture - you name it.
      – Not 'computers' as such but have processor, memory, storage, inputs and outputs, OS, app s/w
      – Key point is increasingly cheap, plentiful, can communicate either directly with internet or with other internet-connected devices
    • Comms (local-area): All IoT sensors require some means of relaying data to the outside world. Plethora of short-range or local area wireless technologies available incl RFID, NFC, Wi-Fi, Bluetooth, Wireless M-Bus + wired Ethernet
  • 12. Concepts & Jargon (cont.)
    Image: Libelium's customisable Waspmote sensor/comms board (left) and the Waspmote Plug & Sense enclosure (right), with connections for sensors, antennas, a solar panel and USB PC connectivity
    • Comms (wide-area): links, existing mobile networks GSM, GPRS, 3G, LTE or WiMAX & satellite connections.
      – New wireless networks ultra-narrowband SIGFOX & TV white-space NeulNET emerging specifically for M2M connectivity.
      – Fixed things in convenient locations could use wired Ethernet or phone lines for wide-area connections
    • Server (on premise): Some M2M installations (smart home or office) use local server to collect & analyse data - both real time and episodically - from assets on the local area network.
      – These on-premise servers or simpler gateways usually also connect cloud-based storage & services.
  • 13. Concepts & Jargon (cont.)
    • Local scanning device: Things with short-range sensors will often be located in a restricted area but not permanently connected to a local area network
      – (RFID-tagged livestock on a farm, or credit-card-toting shoppers in a mall, for example). In this case, local scanning devices extract data and transmit it onwards for processing
    • Storage & analytics: IoT will require massive, scalable storage & processing capacity
      – Will almost invariably reside in the cloud, except for specific localised or security-sensitive cases.
      – Service providers will need access here to curate the data & tweak analytics, but also for LoB processes such as customer relations, billing, technical support
    • User-facing services:
      – Subsets of data & analyses from the IoT available to users or subscribers, presented (hopefully) via easily accessible, navigable interfaces on full spectrum of secure client devices
  • 14. Network-level paradigm shift
    • IoT data transfer patterns differ fundamentally from those in the classic human-to-human.
    • M2M communications will feature orders of magnitude more nodes than H2H, most of which will create low-bandwidth, upload-biased traffic.
    • Many M2M applications will need to deliver and process information in real time, or near-real-time, and many nodes will have to be extremely low-power or self-powered (eg. solar powered) devices.
    • Will require billions of new IP addresses we simply don't have. IPv6 required but it will have to be lightweight (likely with trimmed-down security attributes)
  • 15. M2M Your Life
  • 16. When will it all happen? Link to original paper:
  • 17. Gartner Hype Cycle. Link to image source:
  • 18. "We can learn every trick in our adversaries' play book - except the one they're using right now"
  • 19. What's changed security-wise?
    • Underlying principle of M2M communications isn't particularly new.
      – Similar technology has been used for decades at power stations, water utilities, building control and management systems, usually in the more recognisable form of supervisory control and data acquisition (SCADA) systems.
    • However these systems are typically custom implementations
      – Often running proprietary operating systems, and without any particular standard to follow. Assumption is usually that they're behind a firewall
    • CT scanners, MRI scanners, dialysis machines - they're on an internet.
      – They talk IP, and they have massively vulnerable operating systems. They're running embedded versions of Windows
    • Smart meters, ATMs, SCADA systems: rollout of patches and updates
      – Tends to be slower than you would normally have compared with your home PC, where you get a normal update every week or so or every month
      – There's a lightweight version of IPv6 you can use on M2M type of communications, but it's not full IPv6
    • Sheer scale and numbers of things to secure…
  • 20. Control Maturity (four quadrants)
    • Unconsciously Uncontrolled: Unaware of what IoT is; No strategy / policy; No definition; No deployment visibility or control
    • Consciously Uncontrolled: Some strategy & policy; Some definition & insight; No education & awareness; No process for identifying, controlling & managing deployments
    • Unconsciously Controlled: No strategy & policy; No definition & insight; But no deployments due to other reasons: Culture / fixed mindset / rigid command & control
    • Consciously Controlled: Well communicated strategy & policy; Governs appropriate use; Good awareness; Visibility & control of all cloud-based programmes
  • 21. PRISM 'R' Us. Link to original work:
  • 22. FUD corner
    • The security implications are obvious, where hackers might be able to do anything from running up people's electricity bills to shutting down an oil pipeline.
      – We've already had a preview of this with the Stuxnet SCADA story and M2M / The Internet of Things will take us infinitely deeper into that territory…
    • Denial of service (DoS) could have new consequences.
      – Many field-based devices will be powered from batteries. Hit them with long bursts of spurious requests and you'll kill their power.
    • Encrypting information tends to be a processor-intensive task
      – Meaning devices need to be selective as to what to encrypt, as opposed to the web's trend toward full end-to-end encryption.
      – Unless nanotechnology and battery manufacturing increases as per Moore's Law, it's going to be a huge issue.
    • You don't want to have devices with any kind of identification left lying around
      – Need effective disposal or self-disposal processes built into protocols. Once decommissioned they'll need to 'mission impossible' - like, self destruct remotely
    • Slow transition from IPv4 networks to IPv6 could harm M2M uptake.
      – With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6
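The battery-drain point on slide 22 (spurious requests exhausting a field device's power) and the note that encryption is expensive on constrained hardware come together in one defensive pattern: put a cheap admission check in front of the expensive path (radio wake-up, crypto, transmit) so that a flood costs the device almost nothing per rejected request. The following is an added example, not code from the slides or from ISSA-UK; the energy figures, request timings and the BatteryNode model are constructed for illustration and are not measurements of any real device.

```python
# Added example (not from the slides): a battery-aware request gate for a
# constrained sensor node. It models the slide-22 failure mode, a flood of
# spurious requests draining a battery-powered device, and shows how a cheap
# token-bucket check in front of the expensive path (radio wake-up, crypto,
# transmit) bounds the damage while normal polling is unaffected.
# All energy figures and request timings below are constructed, not measured.
from dataclasses import dataclass, field


@dataclass
class BatteryNode:
    """Constructed model of a battery-powered IoT node."""
    capacity: float                   # starting energy budget, arbitrary units
    cost_per_reply: float = 1.0       # energy to service one request (radio + crypto)
    cost_per_drop: float = 0.01       # energy to discard one request at the gate
    bucket_size: int = 5              # burst allowance before the gate closes
    refill_interval_ms: int = 1000    # one token is restored per interval
    energy: float = field(init=False)
    tokens: int = field(init=False)
    last_refill_ms: int = field(init=False, default=0)
    served: int = field(init=False, default=0)
    dropped: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.energy = self.capacity
        self.tokens = self.bucket_size

    def alive(self) -> bool:
        return self.energy > 0

    def handle(self, t_ms: int) -> bool:
        """Process one inbound request arriving at time t_ms.

        Returns True if the request was serviced (expensive path), False if it
        was dropped at the gate or the battery is already exhausted.
        """
        # Restore one token per full interval elapsed, capped at bucket_size.
        while t_ms - self.last_refill_ms >= self.refill_interval_ms:
            self.last_refill_ms += self.refill_interval_ms
            self.tokens = min(self.bucket_size, self.tokens + 1)
        if not self.alive():
            return False
        if self.tokens > 0:
            self.tokens -= 1
            self.energy -= self.cost_per_reply
            self.served += 1
            return True
        # Gate closed: reject before waking the radio or touching the crypto.
        self.energy -= self.cost_per_drop
        self.dropped += 1
        return False


def simulate(gated: bool, interval_ms: int, duration_s: int) -> BatteryNode:
    """Feed the node one request every interval_ms for duration_s seconds.

    gated=False makes the bucket effectively unlimited, i.e. the
    'service everything' behaviour the slide warns about.
    """
    node = BatteryNode(capacity=1000.0) if gated else BatteryNode(capacity=1000.0, bucket_size=10**9)
    for t_ms in range(0, duration_s * 1000, interval_ms):
        node.handle(t_ms)
    return node


def compare() -> dict:
    """Three scenarios: normal polling, an ungated flood and a gated flood."""
    normal = simulate(gated=True, interval_ms=5000, duration_s=60)     # one poll every 5 s
    flood_open = simulate(gated=False, interval_ms=10, duration_s=60)  # 100 req/s, no gate
    flood_gated = simulate(gated=True, interval_ms=10, duration_s=60)  # 100 req/s, gated
    return {
        name: {"served": n.served, "dropped": n.dropped,
               "energy_left": round(n.energy, 2), "alive": n.alive()}
        for name, n in (("normal", normal), ("flood_open", flood_open), ("flood_gated", flood_gated))
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} {result}")
```

With the constructed numbers, the ungated node services 1000 requests of a 60-second flood and is dead within ten seconds, while the gated node services 64, rejects the rest at a hundredth of the cost each and finishes with most of its budget intact; the legitimate once-per-5-seconds poll is never dropped because it never exceeds the burst allowance. The real design choice is where the gate sits: it must run before any signature check or decryption, or the flood simply moves its cost to the crypto.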
  • 23. No security standard… anytime soon
    • "It's either going to take a standard for the industry to agree on, or a very powerful vendor to make things work, so that everyone kind of says, 'Well, that works, so I'm just going to use that for the pure ease of use.' It might be completely proprietary, but all we really care about is that stuff works and stuff's secure, in that order, unfortunately."
    • "It's entirely possible that despite the work by research groups, standards and possibly security could be circumvented entirely if a powerful enough company stepped up"
    • "We can be sure of one thing: The lion's share of IoT growth over the next 3-5 years is going to occur in market segments where the value is tangible – and these are almost wholly seen in the business-centric marketplace". Alex Brisbourne
  • 24. Things to ponder & worry about:
    1. Is this a new problem, or just a new take on an existing one?
    2. Are there enough IP addresses available for these billions of things? Or will we be forced into IPv6, carrier-grade NAT, or end up putting large numbers of devices behind each public IP address, and what are the security implications of those choices?
    3. The dumber the connected device, the more basic the security attributes of the device are likely to be. So how will the billions of such devices be security-monitored and updated to maintain security in the face of emerging threats?
    4. What are the implications for protecting critical infrastructure and cyber-warfare/espionage? Could hackers shut off all our water, drain our bank accounts, melt our ice cream and turn all the traffic lights to red?
    5. Flooding the market with low-cost, mass-market devices usually means buying them from economies like China or Vietnam. With the Huawei debate escalating, how can we be certain of no hidden trapdoors inside these widgets?
    6. With the PRISM scandal, will Privacy become an obsolete concept?
  • 25. Help! Link to original work:
  • 26. adrian.wright@issa-uk.org, adrian.wright@secoda.com, 44 (0)8456 4 27001