The webinar covers the Internet of Things: it outlines the various types of IoT devices and environments, gives some examples of IoT-based cyberattacks, and surveys the current standards and frameworks available to help guide security in this space.
Main points covered:
• Definition of IoT
• Sample use cases for IoT
• Risks around IoT
• Standards/frameworks for IoT
• Security options for IoT
Presenter:
Our presenter for this webinar is Anthony English, who has worked in IT and Information Security for more than 25 years and in the healthcare, law enforcement, IT consulting, lottery and gaming and education sectors. From managing a global information security program to implementing structured 27001 and 27032 programs, he has covered the broad range of applied security.
Link to the recorded webinar:
Challenges in the Internet of Things – Standards and Security
2. IoT – what is it?
Protect Revenue, Assist Governance and Ensure Business Continuity
3. IoT – what is it? (layer diagram)
Endpoint Devices
• Cars, farm resources, medical devices, smart TVs, etc.
• Buildings, Infrastructure, Utilities (typically SCADA)
Gateways
• Short range communication devices such as routers using 802.x, Bluetooth, etc.
• Link from end devices to external networks
Telecomms / Internet links
• Cellular, Fiber, Dedicated links, etc.
• Link gateways to the service level
Service Level
• End user, Big Data, Automation, etc.
5. IoT – Medical
Wireless Implantable Medical Devices:
• Cochlear implants
• Pacemakers
• Insulin Pumps
• Gastric Stimulators, etc.
Medical Devices/Tools/Networks:
• CAT Scan Machines
• Bedside Data Systems
• Portable ICU units, etc.
6. IoT – End user: Automotive
7. IoT – Smart Cities (diagram)
Smart Cities:
• People Management, etc.
• Environmental, power grid, etc., Monitoring
• Traffic & parking Management
8. IoT – Food Supply (diagram)
Stages: Preparation, Transit, Shelf Life
Flow: Pick and Prep → Pack → Transport → Distribute → Consumers
9. IoT – Utilities (diagram)
Power Distribution serving: Building/Commercial, Industrial, Home Use, Multi-Tenant Bldg.
19. IoT – Protocols and Frameworks
The following is a list of some of the protocols used by IoT:
1) Infrastructure – RPL, IPv4/IPv6, 6LowPAN
2) Identification – EPC, URIs, IPv6
3) Comms/Transport – Bluetooth, LPWAN, WiFi
4) Discovery – DNS-SD, mDNS
5) Data Protocols – WebSocket, AMQP, CoAP, MQTT
6) Device Management – OMA DM, TR-069
7) Semantic – JSON-LD
8) Multi-layer Frameworks – Weave, HomeKit, IoTivity
24. IoT – What else can be done?
25. IoT – Blockchain as a Protective Measure
(diagram) BlockChain Network: four IoT Transaction Nodes, two of them including a Miner.
26. IoT – Blockchain as a Protective Measure
(diagram) BlockChain Clients: four IoT Transaction Nodes (one including a Miner) connecting to a Blockchain Service.
27. ISO/IEC 27032
Training Courses
• ISO/IEC 27001 Introduction – 1 day course
• ISO/IEC 27001 Foundation – 2 day course
• ISO/IEC 27001 Lead Implementer – 5 day course
• ISO/IEC 27001 Lead Auditor – 5 day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events
IoT is pervasive to say the least. Today, the number and types of devices that include a WiFi or Bluetooth connection, and that let other devices connect to them over those links to transmit or receive data (or both), increases every day: home thermostats and security systems, appliances such as refrigerators, medical devices from implants to home care devices and hospital equipment such as MRI machines, personal wearable devices such as fitness trackers, smart TVs and other entertainment devices, printers, automobiles, and more. The great thing about technology and its evolution is how we can now connect all of these very different devices… which is also a bit of a problem….
IoT has proven very useful for supporting automation, remote data gathering and process management. So much so that new disciplines with direct human impact have evolved and existing ones have been enhanced; these bring technology directly into contact with human needs such as food crop management, supply chain logistics, smart cities, and more.
The medical community has been moving to wireless-capable devices for some time now, since it enables better medicine. Implanted devices that were previously difficult to manage, for example, can now be managed via a wireless link. A specific example is pacemakers: they can now be checked and even tuned over a wireless connection whenever a patient requires it. Hospital devices such as MRI units can also be managed and even controlled remotely. A nurse at her station in the hospital can, for example, monitor the medical sensing devices hooked up to a patient from her hospital iPad.
In addition to IoT assisting automation on the production line, it is hard to get into a car these days that does not have technology built in at some level, whether it is the obvious dashboard touchscreen with Bluetooth connectivity, a computer-controlled engine and drive train, or an app on your smartphone to remotely start your car or see how far along your electric car's charge is.
Municipalities are always looking to maximize their annual budgets and IoT is seen as a way to help with this as well as help to manage people, places and things.
The food supply chain is an evolving area of application for IoT; it is helping with key areas of food supply management such as food grading and preparation, food transport, and food waste reduction overall.
Utilities are embracing IoT and its capabilities, although a more specialized approach, Supervisory Control and Data Acquisition (SCADA), is the preferred method of automating power grid systems. Devices such as smart meters, building HVAC systems and others can all be considered part of IoT.
IoT is used in manufacturing to further automate the production of goods. Examples include everything from tracking robots assembling automobiles to autonomous forklifts moving product in warehouses.
IoT is also in a lot of homes these days – from alarm systems and thermostats to wearable tech such as Fitbits. And all of this can be monitored and managed from a smartphone.
The footprint of an IoT operating system must be small because it is typically deployed on devices with limited processing and storage capabilities. Microsoft Windows IoT was formerly known as Windows Embedded. Google is trying to address security weaknesses in IoT with its Brillo OS. Contiki is an open source OS for IoT. This is just a sample of the many OSes out there for IoT….
Because IoT-enabled devices come in many forms and formats, are distributed across the spectrum of users from corporations to home consumers, and run on a number of operating systems and even unique hardware platforms (such as the Raspberry Pi) hosting small-footprint OSes that can connect to an IoT, the security challenges are many and security remains a moving target in IoT.
So what's the problem? A botnet called "Reaper", which uses IoT devices (DVR recorders, etc.), is currently estimated at 28,000 devices worldwide, but experts warn it could grow at any time precisely because it uses IoT devices; it is a follow-on to the Mirai IoT botnet. A similar type of botnet was used a little over a year ago to bring down Internet connections across the East Coast of North America. The US Department of Homeland Security issued a special bulletin in October 2017 advising of the risks of IoT device exploits.
Because IoT is becoming pervasive at an accelerated rate, IoT-connected devices, sometimes even medically critical ones such as pacemakers, became vulnerable very quickly. With the large number of OSes out there for IoT devices to use, it is no wonder that there are security weaknesses in this realm.
Do these look familiar? Some should, but others may not, and this is not even an exhaustive list of the protocols used by IoT networks and devices. The protocol stack is not really well matched to the OSI Reference Model used in computer networking. For frameworks (the last bullet above), there are some open source frameworks available.
And, of course, OWASP is hot on the IoT security testing and secure design highway.
The ISO (or IOS) is building out a set of IoT standards as well.
And NIST has reviewed its previous guidance documents, noted which of them apply to IoT, and augmented its library with additional IoT documentation.
The Center for Internet Security (CIS) has released guidance for securing IoT. CIS produces some of my favourite practical hardening guidance for technology.
Because IoT crosses many domains and is not unique to any one user or technology demographic, protecting against improper use or exploitation is a multi-faceted effort. Ensuring your devices and network are properly protected is a good start: up-to-date anti-malware; a properly protected network perimeter (DMZs, up-to-date access point and router software, properly configured firewalls and routers with no default passwords or settings); keeping yourself and your co-workers trained on security and its threats; and keeping your IoT-enabled devices/systems up to date as well. Products like smart firewalls can protect your entire home network with anti-malware, network scanning, and safe-site filtering.
Each device in this diagram hosts the ledger and can participate in blockchain transactions, including mining. Each has a private key, or can generate one, in order to participate in network transactions. This results in a network of autonomous IoT devices, a ledger of transactions in which any IoT device can create a transaction using cryptographic features, and a distributed database in which all IoT devices hold an up-to-date copy of the ledger. This model is not really possible today due to the overhead it requires on each IoT device.
In this model a cloud-based blockchain service contains the transaction and mining nodes; these are also on premise at the client end, but API queries are used from the client end to the blockchain service in the cloud. No ledger would be stored at the client end.
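To make the per-device cryptography of the first model concrete, here is an added Go sketch (not from the webinar or its presenter) in which each IoT node owns an Ed25519 key, signs its own transactions, and every node can validate its ledger copy. It assumes Ed25519 signatures and a SHA-256 hash chain as stand-ins for a full blockchain; mining, consensus and network replication are deliberately omitted, and the device IDs and payloads are constructed sample values.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "crypto/sha256"
// Device models one IoT transaction node: it holds its own private key; its ledger copy is the []Block the caller keeps.
type Device struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
type Directory map[string]ed25519.PublicKey // enrolled devices a verifier trusts: device ID -> public key
// Block is one ledger entry: a payload hash-chained to its predecessor and signed by the device that created it.
type Block struct {
	Device, Payload, PrevHash string
	Sig                       []byte
}
func NewDevice(id string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // generated on the device at enrolment; private key never leaves it
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, Pub: pub, priv: priv}
}
// blockHash covers payload and chain link, so a signature over it binds the transaction to its ledger position.
func blockHash(b Block) string {
	h := sha256.Sum256([]byte(b.Device + "|" + b.Payload + "|" + b.PrevHash))
	return string(h[:])
}
// Append creates a transaction signed by d and returns the ledger with it added.
func (d *Device) Append(ledger []Block, payload string) []Block {
	b := Block{Device: d.ID, Payload: payload}
	if n := len(ledger); n > 0 {
		b.PrevHash = blockHash(ledger[n-1])
	}
	b.Sig = ed25519.Sign(d.priv, []byte(blockHash(b)))
	return append(ledger, b)
}
// VerifyLedger is the check every node runs on its copy: each entry must link to its predecessor and carry a valid signature from a known device key.
func VerifyLedger(ledger []Block, keys Directory) bool {
	prev := ""
	for _, b := range ledger {
		pub, ok := keys[b.Device]
		if !ok || b.PrevHash != prev || !ed25519.Verify(pub, []byte(blockHash(b)), b.Sig) {
			return false
		}
		prev = blockHash(b)
	}
	return true
}
```

Any altered payload, reordered entry, or entry signed by a device outside the directory fails VerifyLedger, which is the tamper-evidence the slide's model relies on; the cost of that check (key storage, signing and hashing on every node) is the overhead the notes refer to.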