Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Internet of Things Security - Trust in the supply chain

456 views

Published on

Presentation on the threats to Internet of Things solutions and how you establish trust in the Internet of Things supply chain and where you go to find security frameworks and best practice. Also includes details about the Secure IoT event being in held in Reading, UK on 17 October 2017.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Internet of Things Security - Trust in the supply chain

  1. 1. Connect2  Systems  2017 Trust  in  the  Supply  Chain Duncan Purves duncan@connect2.io
  2. 2. Connect2  Systems  2017 In January 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them. Five months later a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until the researchers found a handful of malicious files on one of the systems and discovered the world’s first digital weapon. Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.
  3. 3. Connect2  Systems  2017
  4. 4. Connect2  Systems  2017 Ukraine  -­ technical  components  used  by  the  attackers   § Spear phishing to gain access to the business networks of the oblenergos (regional energy distributors) § Identification of BlackEnergy 3 at each of the impacted oblenergos § Theft of credentials from the business networks § The use of virtual private networks (VPNs) to enter the Industrial Control Systems (ICS) network § The use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator HMI § Serial-­‐to-­‐Ethernet communications devices impacted at a firmware level § The use of a modified KillDisk to erase the master boot record of impacted organization systems as well as the targeted deletion of some logs § Utilizing UPS systems to impact connected load with a scheduled service outage § Telephone denial-­‐of-­‐service attack on the call centre From:  “Analysis  of  the  Cyber  Attack  on  the  Ukrainian  Power  Grid”,  TLP:  White,  E-­‐ISAC  and  SANS  |  March  18,  2016
  5. 5. Connect2  Systems  2017 It's  official:  Hearts  can  be  hacked The  FDA  confirmed  that  St.  Jude  Medical's  implantable  cardiac  devices   have  vulnerabilities  that  could  allow  a  hacker  to  access  a  device Once  in,  they  could  deplete  the  battery  or  administer  incorrect  pacing  or   shocks
  6. 6. Connect2  Systems  2017 The  attack  began  creating  problems  for  Internet  users  reaching  an  array  of  sites,   including  Twitter,  Amazon,  Tumblr,  Reddit,  Spotify  and  Netflix. The attack involved Mirai At the end September 2016, the hacker responsible for creating the Mirai malware released the source code for it
  7. 7. Connect2  Systems  2017 Hackers  Remotely  Kill  a  Jeep  on  the  Highway
  8. 8. Connect2  Systems  2017
  9. 9. Connect2  Systems  2017 Ransomware  has  carved  itself  a  niche  as  one  of  the  main  cybersecurity  threats  of  2016 While  traditional  ransomware  affects  your  computer  and  locks  your  files IoT  ransomware  has  the  opportunity  to  control  systems  in  the  real  world This  potential  to  cause  far  more  damage  means  that  the  potential  for  hackers  can  charge   much  more,  ultimately  making  it  an  appealing  market  for  them  to  explore
  10. 10. Connect2  Systems  2017 BUSINESS APPLICATIONS OPERATIONS &  MAINTENANCE |    ASSET MANAGEMENT &  MONITORING |  WORK ORDER MANAGEMENT |    SECURITY |  FACILITY MANAGEMENT |  INDUSTRIAL CONTROL |  ENERGY MANAGEMENT |  ENVIRONMENTAL MONITORING IoT  System  – Complex  Assembly  of  System  Elements WIDE AREA COMMUNICATION NETWORK SERVICES MOBILE |    SATELLITE |    FIXED |    WIRELESS |    INTERNET |    LPWAN IP    |    VPN    |    DATA |    SIM  MANAGEMENT |    BILLING SENSORS &  ACTUATORS WIDE AREA INTELLIGENT GATEWAYS &  ROUTERS EDGE OF NETWORK ANALYTICS |  COMPLEX EVENT PROCESSING |  APPLICATIONS |  SWARM COMPUTING SYSTEMINTEGRATION END CUSTOMER SERVICES LOCAL AREA,  PERSONAL AREA,  &  SENSOR NETWORKS EDGE DEVICES HARDWARE |  EMBEDDED SOFTWARE |  SENSOR &  ACTUATOR INTEGRATION |  PROTOCOL CONVERSION APPLICATION SERVICES MESSAGING |    DATA |    ANALYTICS |    INTEGRATION |  EVENT PROCESSING DASHBOARD |    REPORTING DEVICE MANAGEMENT SERVICES SERVER |  APIS |  BOOTSTRAP|  REGISTRATION DEVICE MANAGEMENT APPLICATION CONFIGURATION |  FIRMWARE UPDATE DEVICE &  NETWORK HEALTH MONITORING DATA&  PROTOCOL INTEGRATION&   SECURITYSERVICES ©  Copyright  Connect2  Systems  2017
  11. 11. Connect2  Systems  2017 Trust  in  the  IoT  System Depends  on: § Trust  in  all  the elements § How  they  are  integrated   § How  they  Interact  with  each  other
  12. 12. Connect2  Systems  2017 Trust  Relationship  between  Actors Each  Element  has  actors  that  execute  various  roles  in  the  creation,   integration  and  operation  of  the  system § Trust  flows  down  from  the  operator  to  the  all  parts  of  the  system § But  trust  must  be  built  from  the  bottom  up   Figure  taken  from  the  Industrial  Internet  Consortium;;  Industrial  Internet  of  Things  Volume  G4:  Security  Framework ;;  www.iiconsortium.org/
  13. 13. Connect2  Systems  2017 Trust  must  be  maintained  through  the  System  Lifecycle Requirements Design Development Commissioning Operation End  of  Life   Decommissioning Integrity  of  each  element  of  the  system and  supply  chain  must  be   monitored  to  ensure  that  the  initial  trustworthiness  is  preserved  through   life  of  the  system Threats and  therefore  risk will  not  be  static  over  the  lifetime  of  the  solution § You  need  a  governance structure  that  manages  cybersecurity  supply  chain  risks § To  actively  share  information  and  maintain  strong  relationships  with  your   suppliers and  partners
  14. 14. Connect2  Systems  2017 Permeation  of  Trust § The  trust  lifecycle  starts  with  the  specification  of  requirements  that  result  in  the   delivery  of  capabilities § The  assurance  that  these  capabilities  meet  the  stated  requirements  becomes  the   basis  of  trust  in  the  system Figure  taken  from  the  Industrial  Internet  Consortium;;  Industrial  Internet  of  Things  Volume  G4:  Security  Framework ;;  www.iiconsortium.org/
  15. 15. Connect2  Systems  2017 Specifying  Security  Requirements Unfortunately  many  operators  or  users  do  not  include   security  in  their  specification  of  requirements Many  believe  the  risk  is  of  their  systems  being   hacked/attacked  is  low It  is  very  expensive  and  damaging  to  your  reputation  to   incorporate  security  after  the  event– just  ask  Equifax! You  need  to  evaluate  the  risk  and  incorporate  security  at   the Requirement  and Design  Phase
  16. 16. Connect2  Systems  2017 Managing  Risk § It is not feasible to eliminate all risk from a system § Security investments are balanced against the effect of undesirable outcomes § Balancing must be grounded in a realistic assessment of the threats, the risks they pose and how they might prevent the system from fulfilling its intended functions § Costs must be evaluated and a rational selection of implementation choices made to deliver an acceptable return on investment
  17. 17. Connect2  Systems  2017 Generic  Risk  Model  With  Key  Risk  Factors   Source:  NIST  Special  Publication  800-­30,  Guide  for  Conducting  Risk  Assessments,  http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-­30r1.pdf Risk  is  a  function  of  the  likelihood  of  a  threat  event’s  occurrence  and   potential  adverse  impact  should  the  event  occur  
  18. 18. Connect2  Systems  2017 Basic  Steps  in  the  Risk  Assessment  Process Source:  NIST  Special  Publication  800-­30,  Guide  for  Conducting  Risk  Assessments,  http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-­30r1.pdf
  19. 19. Connect2  Systems  2017 Attack  Surface  and  Vectors The  elements  of  the  IoT  system  exposed  to  possible  attacks  are  called   its  attack  surface Each  of  these  elements  may  be  vulnerable  via  an  attack  vector § mechanism  by  which  an  attack  can  take  place Attack  vectors  include: § physical  attacks § networks  attacks § attacks  against  software § attacks  on  operators § attacks  on  the  supply  chains  of  the  elements  that  comprise  the   system
  20. 20. Connect2  Systems  2017 OWASP  IoT  Attack  Surface  Areas  Project https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas
  21. 21. Connect2  Systems  2017 Threat  Modelling 1. What  are  you  building? 2. What  can  go  wrong? 3. What  should  you  do  about  those   things  that  can  go  wrong? 4. Did  you  do  a  decent  job  of  analysis? Model   System Find Threats Address   Threats Validate
  22. 22. Connect2  Systems  2017 STRIDE,  developed  by  Microsoft Models  risks  and  evaluates  threats  for  the  IT/IoT  environment Spoofing  identity Ø Where  a  person  or  device  is  using  another  person’s  credentials  such  as  login  and  password Ø A  device  can  use  a  spoofed  device  ID Tampering  with  data Ø Altering  the  data  related  to  a  device,  packets  on  the  wire  (or  wireless),  bits  on  disk  or  in  memory Repudiation Ø Denial  that  a  person  or  device  was  involved  in  a  particular  transaction  or  event Ø Refers  to  the  ability  (or  lack)  to  trace  which  person  or  device  was  responsible  for  an  event Information  disclosure Ø Exposure  of  information  to  individuals  who  are  not  supposed  to  have  access  to  it Ø E.g.  sensor  data  for  a  city  in  the  hands  of  persons  with  intentions  to  launch  an  attack  on  the  city Denial  of  service Ø Making  a  service  unavailable,  often  through  resource  consumption  or  unreliable  execution Elevation  of  privilege Ø An  unprivileged  user  gains  sufficient  access  to  compromise  or  destroy  an  entire  system Ø An  attacker  has  penetrated  all  system  defences  and  become  part  of  the  trusted  system
  23. 23. Connect2  Systems  2017 Addressing  Threats § Mitigating Threats Ø doing  things  to  make  it  harder  to  take  advantage  of  a  threat Ø e.g.  adding  password  controls  that  enforce  complexity  or  expiration § Eliminating Threats Ø Almost  always  achieved  by  eliminating  features § Transferring Threats Ø letting  someone  or  something  else  handle  the  risk Ø e.g.  pass  trust  boundary  enforcement  to  a  firewall  product Ø transfer  risk  to  customers § Accepting the  Risk Ø the  final  approach  to  addressing  threats Ø e.g.  because  the  cost  is  prohibitive
  24. 24. Connect2  Systems  2017 So  where  do  you  go  to  for  advice   and  best  practice?
  25. 25. Connect2  Systems  2017 So  who  are  developing  IoT  Security Best  Practice  Principles  &  Guidelines? § National  Institute  of  Standards  and  Technology (NIST) § IoT  Security  Foundation  (IoT  SF) § GSM  Association  (GSMA) § Industrial  Internet  Consortium  (IIC) § Open  Web  Application  Security  Project  (OWASP) § U.S.  Department  of  Homeland  Security § Broadband  Internet  Technical  Advisory  Group  (BITAG) § Online  Trust  Alliance  (OTA)  -­ IoT  Trustworthy  Working  Group § U.S.  Department  of  Health  and  Human  Services,  Food  and  Drug   Administration § Cloud  Security  Alliance
  26. 26. Connect2  Systems  2017 NIST  Cybersecurity  Framework Provides a policy framework of computer security guidance for how private sector organisations can assess and improve their ability to prevent, detect, and respond to cyber attacks Designed  to foster  risk  and  cybersecurity  management  communications among   both internal and  external organisational  stakeholders Framework  is  a risk-­based approach https://www.nist.gov/cyberframework
  27. 27. Connect2  Systems  2017 NIST  Framework  Core  -­ Function  &  Categories
  28. 28. Connect2  Systems  2017 IoT  Security  Foundation  Principles  &  Best  Practice  Guides
  29. 29. Connect2  Systems  2017 IoT  Security  Foundation
  30. 30. Connect2  Systems  2017 Secure  IoT  Event  -­ 17th October  2017 Internet  of  Things  Security  Event Green  Park  Conference  Centre 100  Longwater  Avenue,  Green  Park,  Reading  RG2  6GP http://tinyurl.com/secureiot Learn  about: § potential  threats  and  risks  to  your  organisation § real  world  examples  of  IoT  attacks  and  the  damage  caused § IoT  security  best  practice  and  frameworks Meet  leading  experts  and  companies  offering  security  products,  solutions  and   services
  31. 31. Connect2  Systems  2017 Secure  IoT  Speakers IoT  Security  at  the  KTN Robin  Kennedy KTN Weaponising  the  IoT Ken  Munro Pen  Test  Partners   Industrial  IoT  -­ How  Secure  is  it? Ray  Evans IBM IoT  Security  Framework Richard  Marshall IoT  Security  Foundation Security  starts  with  a  threat  model Phil  Winstanley   Microsoft IoT Passwords (Past, Present and Future) Edward  Williams Trustwave Hardware-­Level  Intrusion  Detection Professor  Mark  Zwolinski University  of  Southampton Right-­sizing  secure  HW  for  a  range  of  threats  and   assets Erik  Jacobson Arm Device  Management  &  'Over-­The-­Air'  Firmware Upgrade  for  Constrained  Devices Duncan  Purves Connect2  Systems Internet of Things security architecture John  Donnelly Microsoft IoT  security  testing  -­ helping  to  improve  customer   confidence  and  win  new  clients Bryon  Lowen TVS Delivering  trust  through  independent  security   testing  and  certification Laurens  van  Oijen UL The  Art  of  Automation Rob  Dobson,  Campbell   Elder,  Mark  Tootell Device  Authority,   MultiTech  &  InVMA
  32. 32. Connect2  Systems  2017 Thank  you & Questions Duncan  Purves Connect2  Systems duncan@connect2.io

×