SlideShare a Scribd company logo
1 of 20
Download to read offline
Scaling Security for IoT
A presentation given
by Bill Harpley to the
Brighton IoT Forum
on March 23rd, 2016
23/03/2016 Bill Harpley 2
02/03/2016 Bill Harpley3
Linux | Cloud | Wireless | IoT
www.astius.co.uk
Overview
• IoT is all about scalability
• In this presentation we will look at two
contrasting views of IoT security:
– Macro level: security of complex physical systems
– Micro level: how to start with a product idea and
scale it up in a secure fashion
23/03/2016 Bill Harpley 4
SECURING BASIC SOCIAL AND
ECONOMIC INFRASTRUCTURE
Scaling Security for IoT
23/03/2016 Bill Harpley 5
Security of large-scale infrastructure
• The diagram shows how traditional
vertical market sectors are embracing
IoT connectivity solutions.
• Cyber-Physical systems – large scale
connected infrastructure which spans
multiple vertical sectors. So how do
you make these secure?
• Significant security challenges in
terms of:
• Different industry standards
• Regulatory regimes
• Legacy infrastructure
• Timing of signals
• Communications protocols
• Proprietary technologies
• System complexity
• Understanding of risks
• Security monitoring
• Co-ordinating multiple agencies
• Many legacy systems were never
intended to be connected to the
Internet and so lack essential security
mechanisms (e.g. SCADA) .
SCADA (Supervisory Control & Data Acquisition) systems are used
to monitor and control industrial processes and buildings. They
were first deployed in the 1960s and some have an expected
working life of up to 20 years.
23/03/2016 Bill Harpley 6
Protecting critical infrastructure
• As more ‘things’ become connected to the Internet,
the threat of large-scale cyber attacks increases.
• Attackers may try to:
– Gain unauthorised access to information.
– Disrupt communication networks and IT services.
– Cause breakdown of physical infrastructure (e.g. energy
distribution grids, major transport hubs).
• Let’s have a look at a topical example!
23/03/2016 Bill Harpley 7
Example: connected cars (1 of 3)
• Cars are evolving from Assisted Driving mode
(ADAS) to fully Autonomous mode (driverless).
• Car makers are cramming their new vehicles with
electronics and software.
– Turning them into mobile data centers.
– Many potential security vulnerabilities.
• Recent report in Information Age that 75% of cars stolen in
France during 2014 were electronically hacked.
• ‘Jeep Hack’ of July 2015 in which vehicle forced off the road
by hackers ( Chrysler recalled 1.4 million cars).
– Rising concern about vulnerability of cars to
cyber-attacks.
23/03/2016 Bill Harpley 8
Example: connected cars (2 of 3)
Source: Cisco
23/03/2016 Bill Harpley 9
Example: connected cars ( 3 of 3)
• Kerbside
infrastructure is
vulnerable to
cyber-attacks.
• Need to protect a
complex “system
of systems”.
• Requires strategy
to be developed at
both local and
national level.
Artist’s visualisation of connected vehicles control point.
Source: US Department of Transport
23/03/2016 Bill Harpley 10
UK Cybersecurity strategy
• Cyber-security features very prominently in Government
thinking.
• Many policy initiatives announced over the last 5 years
– First UK Cyber Security Strategy created in 2009.
– Office of Cyber Security & Information Assurance (OCSIA)
founded in 2010 (located in Cabinet Office)
– National Cyber Security Programme (NSCP) launched in 2010
– CERT-UK began operations in March 2014 (formal incident
reporting).
– 2015 National Cyber Security Plan launched with great fanfare
( budget of £1.9 billion in spending between 2016-2020 )
– Creation of National Centre for Cybersecurity (NCSC) announced
& will open in October 2016.
• Main take-away is that cyber-security is very complex
business which needs leadership at the highest level.
23/03/2016 Bill Harpley 11
NIST notional framework
“Cyber-Physical Systems or ‘smart’ systems are co-engineered interacting networks of physical
and computational components. These systems will provide the foundation of our critical infrastructure, form the
basis of emerging and future smart services, and improve our quality of life in many areas. Cyber-physical systems will
bring advances in personalized health care, emergency response, traffic flow management, and electric power
generation and delivery, as well as in many other areas now just being envisioned.” – NIST (http://www.nist.gov/cps/)
23/03/2016 Bill Harpley 12
SECURITY SCALING
FOR YOUR GREAT PRODUCT IDEA
Scaling Security for IoT
23/03/2016 Bill Harpley 13
It’s a great idea (but is it secure?)
• Let’s suppose you have a great idea
for a new portable music ‘widget’
• Your aim is to provide people with a
great ‘connected’ user experience
• You build a prototype and show it
to potential customers who are
very enthusiastic
• So you then launch a Kickstarter
campaign with a view to making
100 units
• What security management
problems might you run into?
23/03/2016 Bill Harpley 14
Scaling from 1 to 100
• Let’s say you have manufactured and shipped 100
units to your Kickstarter customers
• Your music widget gets rave reviews … but then 3
customers claim to have found a security flaw
– It could be a flaw in your own design or a fault in a 3rd
party module
– You do the right thing and notify all 100 customers but
they don’t seem too inconvenienced by it
– The three customers that complained return their
widget to you, the problem is “fixed” and the unit is
shipped back to them
– Everyone is happy!
23/03/2016 Bill Harpley 15
Scaling from 100 to 1000
• Congratulations! You have attracted some outside investors
and plan a further production run of 1000 units.
• But now things start to go wrong:
– You never had a plan to manage ‘unique’ items such as MAC
addresses and security keys.
– You did not design the product for high-volume manufacture.
– If customers complain about security faults, manual returns and
upgrades are not an option at this scale.
– You need to design a process of remotely upgrading firmware
on each unit.
• Make sure you fix these problems before committing to the
manufacturing run:
– It will take more effort and extend your ‘time to market’
– But should save money in the long run
23/03/2016 Bill Harpley 16
Scaling from 1000 to 10000
• Your music widget is now very popular! You have built and shipped
10,000 units:
– But the product has attracted the attention of malicious hackers
– You need to routinely issue security patches
– Get this one wrong and it will affect profits and brand image
• At this scale, you will begin to see customers raise many more
“marginal” support issues (including obscure security bugs)
– Fixing these can consume a large proportion of your development and
support budget
– Unsold items in stock will also need to be patched with new firmware
to fix security and other problems
– If you have not planned for these issues you will end up losing money
on each new item sold
• Now try scaling up to 100,000 units …
23/03/2016 Bill Harpley 17
Scale your product
• At each stage of production scaling, you should also plan for the next stage
• Implement the principle of ‘security by design’, starting with your first
production batch
• Design your product for high volume manufacturing runs in order to lower
production costs
• Design for the complete security lifecycle of the product
– If a product stores a lot of personal data at end-of-life (or when
re-sold), can this be easily erased?
– Use your management of security & privacy processes as a way to
differentiate yourself from the competition
• Embrace security ‘best practice’ and certification for products and
processes (e.g. ISO 27000)
• Be aware of regulatory requirements in overseas markets
• Can you afford to design, build and support a secure product at your
intended price point?
23/03/2016 Bill Harpley 18
Conclusions
• We have seen that protecting critical social and economic
infrastructure from cyber-attacks is a major priority for the UK
• We have examined how developing secure IoT products can
present startup businesses with many challenges
• What do these two ends of the scale have in common?
– You need to plan ahead and ask ‘What if …?’
– You need to try and understand the risks
– You need to invest adequate resources to meet your goals
– You need to monitor how well your security strategy is
performing
– Put effective processes in place to manage and contain any
security problems
• Whether working at the micro-scale or the macro-scale,
it’s crucial to develop a security mindset
23/03/2016 Bill Harpley 19
Any questions?
bill.harpley@astius.co.uk
23/03/2016 Bill Harpley 20

More Related Content

What's hot

IoT security reference architecture
IoT security  reference architectureIoT security  reference architecture
IoT security reference architectureElias Hasnat
 
Internet of Things Ecosystem
Internet of Things Ecosystem Internet of Things Ecosystem
Internet of Things Ecosystem CompTIA
 
IoT Systems: Technology, Architecture & Performance
IoT Systems: Technology, Architecture & PerformanceIoT Systems: Technology, Architecture & Performance
IoT Systems: Technology, Architecture & PerformanceAshu Joshi
 
IOT and Big Data - The Perfect Marriage
IOT and Big Data - The Perfect MarriageIOT and Big Data - The Perfect Marriage
IOT and Big Data - The Perfect MarriageDr. Mazlan Abbas
 
Presentacion Wim Elfrink IoT World Forum Chicago
Presentacion Wim Elfrink IoT World Forum ChicagoPresentacion Wim Elfrink IoT World Forum Chicago
Presentacion Wim Elfrink IoT World Forum ChicagoFelipe Lamus
 
Internet of Things (IoT) - Trends, Challenges and Opportunities
Internet of Things (IoT) - Trends, Challenges and OpportunitiesInternet of Things (IoT) - Trends, Challenges and Opportunities
Internet of Things (IoT) - Trends, Challenges and OpportunitiesDr. Mazlan Abbas
 
M2M transitioning to IoT opportunity for telcos. Success references.
M2M transitioning to IoT opportunity for telcos. Success references.M2M transitioning to IoT opportunity for telcos. Success references.
M2M transitioning to IoT opportunity for telcos. Success references.Pedro Menendez-Valdes
 
IoT Smart Home, Connected Car, Health Patents Data Use Cases
IoT Smart Home, Connected Car, Health Patents Data Use CasesIoT Smart Home, Connected Car, Health Patents Data Use Cases
IoT Smart Home, Connected Car, Health Patents Data Use CasesAlex G. Lee, Ph.D. Esq. CLP
 
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)IoT613
 
Oies IoT World Europe 20170615
Oies IoT World Europe 20170615Oies IoT World Europe 20170615
Oies IoT World Europe 20170615Francisco Maroto
 
Iot tunisia forum 2017 internet of things trends_directions and opportunit...
Iot tunisia forum 2017    internet of things trends_directions and opportunit...Iot tunisia forum 2017    internet of things trends_directions and opportunit...
Iot tunisia forum 2017 internet of things trends_directions and opportunit...IoT Tunisia
 
Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...
Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...
Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...Erik G. Hansen
 
Smart Cities Day 1 Secure Cities
Smart Cities Day 1 Secure CitiesSmart Cities Day 1 Secure Cities
Smart Cities Day 1 Secure Cities4 All of Us
 
Industrial Internet of Things (IIoT)
Industrial Internet of Things (IIoT)Industrial Internet of Things (IIoT)
Industrial Internet of Things (IIoT)Versa Technology
 
Who will buy IOT products and why.
Who will buy IOT products and why.Who will buy IOT products and why.
Who will buy IOT products and why.Atanu Roy Chowdhury
 

What's hot (20)

IoT security reference architecture
IoT security  reference architectureIoT security  reference architecture
IoT security reference architecture
 
Industrial IoT is coming
Industrial IoT is comingIndustrial IoT is coming
Industrial IoT is coming
 
Internet of Things Ecosystem
Internet of Things Ecosystem Internet of Things Ecosystem
Internet of Things Ecosystem
 
Intro to IoT-23Sep2015
Intro to IoT-23Sep2015Intro to IoT-23Sep2015
Intro to IoT-23Sep2015
 
IoT Systems: Technology, Architecture & Performance
IoT Systems: Technology, Architecture & PerformanceIoT Systems: Technology, Architecture & Performance
IoT Systems: Technology, Architecture & Performance
 
IOT and Big Data - The Perfect Marriage
IOT and Big Data - The Perfect MarriageIOT and Big Data - The Perfect Marriage
IOT and Big Data - The Perfect Marriage
 
Presentacion Wim Elfrink IoT World Forum Chicago
Presentacion Wim Elfrink IoT World Forum ChicagoPresentacion Wim Elfrink IoT World Forum Chicago
Presentacion Wim Elfrink IoT World Forum Chicago
 
Internet of Things (IoT) - Trends, Challenges and Opportunities
Internet of Things (IoT) - Trends, Challenges and OpportunitiesInternet of Things (IoT) - Trends, Challenges and Opportunities
Internet of Things (IoT) - Trends, Challenges and Opportunities
 
CyberSecurity_for_the_IoT
CyberSecurity_for_the_IoTCyberSecurity_for_the_IoT
CyberSecurity_for_the_IoT
 
M2M transitioning to IoT opportunity for telcos. Success references.
M2M transitioning to IoT opportunity for telcos. Success references.M2M transitioning to IoT opportunity for telcos. Success references.
M2M transitioning to IoT opportunity for telcos. Success references.
 
IoT Smart Home, Connected Car, Health Patents Data Use Cases
IoT Smart Home, Connected Car, Health Patents Data Use CasesIoT Smart Home, Connected Car, Health Patents Data Use Cases
IoT Smart Home, Connected Car, Health Patents Data Use Cases
 
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
 
Oies IoT World Europe 20170615
Oies IoT World Europe 20170615Oies IoT World Europe 20170615
Oies IoT World Europe 20170615
 
Iot tunisia forum 2017 internet of things trends_directions and opportunit...
Iot tunisia forum 2017    internet of things trends_directions and opportunit...Iot tunisia forum 2017    internet of things trends_directions and opportunit...
Iot tunisia forum 2017 internet of things trends_directions and opportunit...
 
IoT
IoTIoT
IoT
 
Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...
Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...
Internet of Things (IoT) as a Driver for the Circular Economy – Innovation, Q...
 
Smart Cities Day 1 Secure Cities
Smart Cities Day 1 Secure CitiesSmart Cities Day 1 Secure Cities
Smart Cities Day 1 Secure Cities
 
Understanding IoT
Understanding IoTUnderstanding IoT
Understanding IoT
 
Industrial Internet of Things (IIoT)
Industrial Internet of Things (IIoT)Industrial Internet of Things (IIoT)
Industrial Internet of Things (IIoT)
 
Who will buy IOT products and why.
Who will buy IOT products and why.Who will buy IOT products and why.
Who will buy IOT products and why.
 

Viewers also liked

Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...
Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...
Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...Capgemini
 
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Bill Harpley
 
Public policy aspects of Connected and Autonomous Vehicles
Public policy aspects of Connected and Autonomous VehiclesPublic policy aspects of Connected and Autonomous Vehicles
Public policy aspects of Connected and Autonomous VehiclesBill Harpley
 
IoT based on cyber security in defense industry and critical infrastructures
IoT based on cyber security in defense industry and critical infrastructuresIoT based on cyber security in defense industry and critical infrastructures
IoT based on cyber security in defense industry and critical infrastructuresUITSEC Teknoloji A.Ş.
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Mauro Risonho de Paula Assumpcao
 
Principals of IoT security
Principals of IoT securityPrincipals of IoT security
Principals of IoT securityIoT613
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...ClicTest
 
Cyber Security - awareness, vulnerabilities and solutions
Cyber Security - awareness, vulnerabilities and solutionsCyber Security - awareness, vulnerabilities and solutions
Cyber Security - awareness, vulnerabilities and solutionsinLabFIB
 
Cyren cybersecurity of things
Cyren cybersecurity of thingsCyren cybersecurity of things
Cyren cybersecurity of thingsChristian Milde
 
Building an 'Internet of Things' ( IoT ) technology cluster in Brighton
Building an 'Internet of Things' ( IoT ) technology cluster in BrightonBuilding an 'Internet of Things' ( IoT ) technology cluster in Brighton
Building an 'Internet of Things' ( IoT ) technology cluster in BrightonBill Harpley
 
Get yourself connected: Google Glass and the Internet of Bling
Get yourself connected: Google Glass and the Internet of BlingGet yourself connected: Google Glass and the Internet of Bling
Get yourself connected: Google Glass and the Internet of BlingBill Harpley
 
Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Iddan Halevy
 
FASTR_Overview2017
FASTR_Overview2017FASTR_Overview2017
FASTR_Overview2017Craig Hurst
 
Myths vs. Truths at St. Vincent's Hospital
Myths vs. Truths at St. Vincent's HospitalMyths vs. Truths at St. Vincent's Hospital
Myths vs. Truths at St. Vincent's HospitalNewellNYC
 
Building the Social Internet of Things
Building the Social Internet of ThingsBuilding the Social Internet of Things
Building the Social Internet of ThingsBill Harpley
 
Designing for IoT and Cyber-Physical System
Designing for IoT and Cyber-Physical SystemDesigning for IoT and Cyber-Physical System
Designing for IoT and Cyber-Physical SystemMaurizio Caporali
 
SAE 2014 - Cyber Security: Mission Critical for the Internet of Cars
SAE 2014 - Cyber Security: Mission Critical for the Internet of CarsSAE 2014 - Cyber Security: Mission Critical for the Internet of Cars
SAE 2014 - Cyber Security: Mission Critical for the Internet of CarsAndreas Mai
 
Cyber Security Architecture - A Systems Approach December 05 2012
Cyber Security Architecture - A Systems Approach December 05 2012Cyber Security Architecture - A Systems Approach December 05 2012
Cyber Security Architecture - A Systems Approach December 05 2012Joseph Hennawy
 

Viewers also liked (20)

Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...
Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...
Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...
 
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
 
Public policy aspects of Connected and Autonomous Vehicles
Public policy aspects of Connected and Autonomous VehiclesPublic policy aspects of Connected and Autonomous Vehicles
Public policy aspects of Connected and Autonomous Vehicles
 
IoT based on cyber security in defense industry and critical infrastructures
IoT based on cyber security in defense industry and critical infrastructuresIoT based on cyber security in defense industry and critical infrastructures
IoT based on cyber security in defense industry and critical infrastructures
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
 
Principals of IoT security
Principals of IoT securityPrincipals of IoT security
Principals of IoT security
 
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
 
Cyber Security - awareness, vulnerabilities and solutions
Cyber Security - awareness, vulnerabilities and solutionsCyber Security - awareness, vulnerabilities and solutions
Cyber Security - awareness, vulnerabilities and solutions
 
Cyren cybersecurity of things
Cyren cybersecurity of thingsCyren cybersecurity of things
Cyren cybersecurity of things
 
Building an 'Internet of Things' ( IoT ) technology cluster in Brighton
Building an 'Internet of Things' ( IoT ) technology cluster in BrightonBuilding an 'Internet of Things' ( IoT ) technology cluster in Brighton
Building an 'Internet of Things' ( IoT ) technology cluster in Brighton
 
Get yourself connected: Google Glass and the Internet of Bling
Get yourself connected: Google Glass and the Internet of BlingGet yourself connected: Google Glass and the Internet of Bling
Get yourself connected: Google Glass and the Internet of Bling
 
Build Safe and Secure Distributed Systems
Build Safe and Secure Distributed SystemsBuild Safe and Secure Distributed Systems
Build Safe and Secure Distributed Systems
 
Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010Feasible car cyber defense - ESCAR 2010
Feasible car cyber defense - ESCAR 2010
 
FASTR_Overview2017
FASTR_Overview2017FASTR_Overview2017
FASTR_Overview2017
 
Myths vs. Truths at St. Vincent's Hospital
Myths vs. Truths at St. Vincent's HospitalMyths vs. Truths at St. Vincent's Hospital
Myths vs. Truths at St. Vincent's Hospital
 
Deft
DeftDeft
Deft
 
Building the Social Internet of Things
Building the Social Internet of ThingsBuilding the Social Internet of Things
Building the Social Internet of Things
 
Designing for IoT and Cyber-Physical System
Designing for IoT and Cyber-Physical SystemDesigning for IoT and Cyber-Physical System
Designing for IoT and Cyber-Physical System
 
SAE 2014 - Cyber Security: Mission Critical for the Internet of Cars
SAE 2014 - Cyber Security: Mission Critical for the Internet of CarsSAE 2014 - Cyber Security: Mission Critical for the Internet of Cars
SAE 2014 - Cyber Security: Mission Critical for the Internet of Cars
 
Cyber Security Architecture - A Systems Approach December 05 2012
Cyber Security Architecture - A Systems Approach December 05 2012Cyber Security Architecture - A Systems Approach December 05 2012
Cyber Security Architecture - A Systems Approach December 05 2012
 

Similar to Scaling IoT Security

TCI 2016 Softwareport
TCI 2016 SoftwareportTCI 2016 Softwareport
TCI 2016 SoftwareportTCI Network
 
Response to Commerce Dept's IoT RFC
Response to Commerce Dept's  IoT RFC Response to Commerce Dept's  IoT RFC
Response to Commerce Dept's IoT RFC Bob Marcus
 
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...Prasanna Hegde
 
Industrial Internet Nothing or Everything
Industrial Internet Nothing or EverythingIndustrial Internet Nothing or Everything
Industrial Internet Nothing or EverythingIxonos Plc
 
[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT SuccessElectric Imp
 
BYOD: Be your own device?
BYOD: Be your own device?BYOD: Be your own device?
BYOD: Be your own device?Michel de Goede
 
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?Utah Tech Labs
 
Privacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsPrivacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsJason Hong
 
Mobile: the up and downside of risk
Mobile: the up and downside of riskMobile: the up and downside of risk
Mobile: the up and downside of riskMichel de Goede
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and FutureJohn Gilligan
 
Engineering Large Scale Cyber-Physical Systems
Engineering Large Scale Cyber-Physical SystemsEngineering Large Scale Cyber-Physical Systems
Engineering Large Scale Cyber-Physical SystemsBob Marcus
 
Innovation at Meraki
Innovation at MerakiInnovation at Meraki
Innovation at MerakiCisco Canada
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and FutureJohn Gilligan
 
Reshaping Business Through IoT: Key Technology Factors to Consider
Reshaping Business Through IoT: Key Technology Factors to ConsiderReshaping Business Through IoT: Key Technology Factors to Consider
Reshaping Business Through IoT: Key Technology Factors to ConsiderEurotech
 
meet2016: Reshaping Business Through IoT: Key Technology Factors to Consider
meet2016: Reshaping Business Through IoT: Key Technology Factors to Considermeet2016: Reshaping Business Through IoT: Key Technology Factors to Consider
meet2016: Reshaping Business Through IoT: Key Technology Factors to ConsiderRoberto Siagri
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuNixu Corporation
 
Mobile: the up and downside of risk
Mobile: the up and downside of riskMobile: the up and downside of risk
Mobile: the up and downside of riskMichel de Goede
 
Mobile: the up and downside of risk
Mobile: the up and downside of riskMobile: the up and downside of risk
Mobile: the up and downside of riskMichel de Goede
 

Similar to Scaling IoT Security (20)

TCI 2016 Softwareport
TCI 2016 SoftwareportTCI 2016 Softwareport
TCI 2016 Softwareport
 
Response to Commerce Dept's IoT RFC
Response to Commerce Dept's  IoT RFC Response to Commerce Dept's  IoT RFC
Response to Commerce Dept's IoT RFC
 
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
 
Industrial Internet Nothing or Everything
Industrial Internet Nothing or EverythingIndustrial Internet Nothing or Everything
Industrial Internet Nothing or Everything
 
[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success
 
Internet of Things: Trends and challenges for future
Internet of Things: Trends and challenges for futureInternet of Things: Trends and challenges for future
Internet of Things: Trends and challenges for future
 
BYOD: Be your own device?
BYOD: Be your own device?BYOD: Be your own device?
BYOD: Be your own device?
 
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
 
Sss14cairns Prismtech
Sss14cairns PrismtechSss14cairns Prismtech
Sss14cairns Prismtech
 
Privacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsPrivacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of Things
 
Mobile: the up and downside of risk
Mobile: the up and downside of riskMobile: the up and downside of risk
Mobile: the up and downside of risk
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 
Engineering Large Scale Cyber-Physical Systems
Engineering Large Scale Cyber-Physical SystemsEngineering Large Scale Cyber-Physical Systems
Engineering Large Scale Cyber-Physical Systems
 
Innovation at Meraki
Innovation at MerakiInnovation at Meraki
Innovation at Meraki
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 
Reshaping Business Through IoT: Key Technology Factors to Consider
Reshaping Business Through IoT: Key Technology Factors to ConsiderReshaping Business Through IoT: Key Technology Factors to Consider
Reshaping Business Through IoT: Key Technology Factors to Consider
 
meet2016: Reshaping Business Through IoT: Key Technology Factors to Consider
meet2016: Reshaping Business Through IoT: Key Technology Factors to Considermeet2016: Reshaping Business Through IoT: Key Technology Factors to Consider
meet2016: Reshaping Business Through IoT: Key Technology Factors to Consider
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
Mobile: the up and downside of risk
Mobile: the up and downside of riskMobile: the up and downside of risk
Mobile: the up and downside of risk
 
Mobile: the up and downside of risk
Mobile: the up and downside of riskMobile: the up and downside of risk
Mobile: the up and downside of risk
 

More from Bill Harpley

Marine and coastal applications of LoRa wireless technology
Marine and coastal applications of LoRa wireless technologyMarine and coastal applications of LoRa wireless technology
Marine and coastal applications of LoRa wireless technologyBill Harpley
 
Connected & Driverless vehicles: the road to Safe & Secure mobility?
Connected & Driverless vehicles: the road to Safe & Secure mobility?Connected & Driverless vehicles: the road to Safe & Secure mobility?
Connected & Driverless vehicles: the road to Safe & Secure mobility?Bill Harpley
 
Cybersecurity in the Age of the Everynet
Cybersecurity in the Age of the Everynet   Cybersecurity in the Age of the Everynet
Cybersecurity in the Age of the Everynet Bill Harpley
 
Hitch-hikers guide to AI for Connected and Autonomous Vehicles
Hitch-hikers guide to AI for Connected and Autonomous VehiclesHitch-hikers guide to AI for Connected and Autonomous Vehicles
Hitch-hikers guide to AI for Connected and Autonomous VehiclesBill Harpley
 
Introduction to Connected Cars and Autonomous Vehicles
Introduction to Connected Cars and Autonomous VehiclesIntroduction to Connected Cars and Autonomous Vehicles
Introduction to Connected Cars and Autonomous VehiclesBill Harpley
 
How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...
How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...
How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...Bill Harpley
 
SME 10-minute guide to digital transformation v1
SME 10-minute guide to digital transformation v1SME 10-minute guide to digital transformation v1
SME 10-minute guide to digital transformation v1Bill Harpley
 

More from Bill Harpley (7)

Marine and coastal applications of LoRa wireless technology
Marine and coastal applications of LoRa wireless technologyMarine and coastal applications of LoRa wireless technology
Marine and coastal applications of LoRa wireless technology
 
Connected & Driverless vehicles: the road to Safe & Secure mobility?
Connected & Driverless vehicles: the road to Safe & Secure mobility?Connected & Driverless vehicles: the road to Safe & Secure mobility?
Connected & Driverless vehicles: the road to Safe & Secure mobility?
 
Cybersecurity in the Age of the Everynet
Cybersecurity in the Age of the Everynet   Cybersecurity in the Age of the Everynet
Cybersecurity in the Age of the Everynet
 
Hitch-hikers guide to AI for Connected and Autonomous Vehicles
Hitch-hikers guide to AI for Connected and Autonomous VehiclesHitch-hikers guide to AI for Connected and Autonomous Vehicles
Hitch-hikers guide to AI for Connected and Autonomous Vehicles
 
Introduction to Connected Cars and Autonomous Vehicles
Introduction to Connected Cars and Autonomous VehiclesIntroduction to Connected Cars and Autonomous Vehicles
Introduction to Connected Cars and Autonomous Vehicles
 
How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...
How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...
How to survive the Fourth Industrial Revolution: a guide to Digital Manufactu...
 
SME 10-minute guide to digital transformation v1
SME 10-minute guide to digital transformation v1SME 10-minute guide to digital transformation v1
SME 10-minute guide to digital transformation v1
 

Recently uploaded

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 

Recently uploaded (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 

Scaling IoT Security

  • 2. A presentation given by Bill Harpley to the Brighton IoT Forum on March 23rd, 2016 23/03/2016 Bill Harpley 2
  • 3. 02/03/2016 Bill Harpley3 Linux | Cloud | Wireless | IoT www.astius.co.uk
  • 4. Overview • IoT is all about scalability • In this presentation we will look at two contrasting views of IoT security: – Macro level: security of complex physical systems – Micro level: how to start with a product idea and scale it up in a secure fashion 23/03/2016 Bill Harpley 4
  • 5. SECURING BASIC SOCIAL AND ECONOMIC INFRASTRUCTURE Scaling Security for IoT 23/03/2016 Bill Harpley 5
  • 6. Security of large-scale infrastructure • The diagram shows how traditional vertical market sectors are embracing IoT connectivity solutions. • Cyber-Physical systems – large scale connected infrastructure which spans multiple vertical sectors. So how do you make these secure? • Significant security challenges in terms of: • Different industry standards • Regulatory regimes • Legacy infrastructure • Timing of signals • Communications protocols • Proprietary technologies • System complexity • Understanding of risks • Security monitoring • Co-ordinating multiple agencies • Many legacy systems were never intended to be connected to the Internet and so lack essential security mechanisms (e.g. SCADA) . SCADA (Supervisory Control & Data Acquisition) systems are used to monitor and control industrial processes and buildings. They were first deployed in the 1960s and some have an expected working life of up to 20 years. 23/03/2016 Bill Harpley 6
  • 7. Protecting critical infrastructure • As more ‘things’ become connected to the Internet, the threat of large-scale cyber attacks increases. • Attackers may try to: – Gain unauthorised access to information. – Disrupt communication networks and IT services. – Cause breakdown of physical infrastructure (e.g. energy distribution grids, major transport hubs). • Let’s have a look at a topical example! 23/03/2016 Bill Harpley 7
  • 8. Example: connected cars (1 of 3) • Cars are evolving from Assisted Driving mode (ADAS) to fully Autonomous mode (driverless). • Car makers are cramming their new vehicles with electronics and software. – Turning them into mobile data centers. – Many potential security vulnerabilities. • Recent report in Information Age that 75% of cars stolen in France during 2014 were electronically hacked. • ‘Jeep Hack’ of July 2015 in which vehicle forced off the road by hackers ( Chrysler recalled 1.4 million cars). – Rising concern about vulnerability of cars to cyber-attacks. 23/03/2016 Bill Harpley 8
  • 9. Example: connected cars (2 of 3) Source: Cisco 23/03/2016 Bill Harpley 9
  • 10. Example: connected cars ( 3 of 3) • Kerbside infrastructure is vulnerable to cyber-attacks. • Need to protect a complex “system of systems”. • Requires strategy to be developed at both local and national level. Artist’s visualisation of connected vehicles control point. Source: US Department of Transport 23/03/2016 Bill Harpley 10
  • 11. UK Cybersecurity strategy • Cyber-security features very prominently in Government thinking. • Many policy initiatives announced over the last 5 years – First UK Cyber Security Strategy created in 2009. – Office of Cyber Security & Information Assurance (OCSIA) founded in 2010 (located in Cabinet Office) – National Cyber Security Programme (NSCP) launched in 2010 – CERT-UK began operations in March 2014 (formal incident reporting). – 2015 National Cyber Security Plan launched with great fanfare ( budget of £1.9 billion in spending between 2016-2020 ) – Creation of National Centre for Cybersecurity (NCSC) announced & will open in October 2016. • Main take-away is that cyber-security is very complex business which needs leadership at the highest level. 23/03/2016 Bill Harpley 11
  • 12. NIST notional framework “Cyber-Physical Systems or ‘smart’ systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas. Cyber-physical systems will bring advances in personalized health care, emergency response, traffic flow management, and electric power generation and delivery, as well as in many other areas now just being envisioned.” – NIST (http://www.nist.gov/cps/) 23/03/2016 Bill Harpley 12
  • 13. SECURITY SCALING FOR YOUR GREAT PRODUCT IDEA Scaling Security for IoT 23/03/2016 Bill Harpley 13
  • 14. It’s a great idea (but is it secure?) • Let’s suppose you have a great idea for a new portable music ‘widget’ • Your aim is to provide people with a great ‘connected’ user experience • You build a prototype and show it to potential customers who are very enthusiastic • So you then launch a Kickstarter campaign with a view to making 100 units • What security management problems might you run into? 23/03/2016 Bill Harpley 14
  • 15. Scaling from 1 to 100 • Let’s say you have manufactured and shipped 100 units to your Kickstarter customers • Your music widget gets rave reviews … but then 3 customers claim to have found a security flaw – It could be a flaw in your own design or a fault in a 3rd party module – You do the right thing and notify all 100 customers but they don’t seem too inconvenienced by it – The three customers that complained return their widget to you, the problem is “fixed” and the unit is shipped back to them – Everyone is happy! 23/03/2016 Bill Harpley 15
  • 16. Scaling from 100 to 1000 • Congratulations! You have attracted some outside investors and plan a further production run of 1000 units. • But now things start to go wrong: – You never had a plan to manage ‘unique’ items such as MAC addresses and security keys. – You did not design the product for high-volume manufacture. – If customers complain about security faults, manual returns and upgrades are not an option at this scale. – You need to design a process of remotely upgrading firmware on each unit. • Make sure you fix these problems before committing to the manufacturing run: – It will take more effort and extend your ‘time to market’ – But should save money in the long run 23/03/2016 Bill Harpley 16
  • 17. Scaling from 1000 to 10000 • Your music widget is now very popular! You have built and shipped 10,000 units: – But the product has attracted the attention of malicious hackers – You need to routinely issue security patches – Get this one wrong and it will affect profits and brand image • At this scale, you will begin to see customers raise many more “marginal” support issues (including obscure security bugs) – Fixing these can consume a large proportion of your development and support budget – Unsold items in stock will also need to be patched with new firmware to fix security and other problems – If you have not planned for these issues you will end up losing money on each new item sold • Now try scaling up to 100,000 units … 23/03/2016 Bill Harpley 17
  • 18. Scale your product • At each stage of production scaling, you should also plan for the next stage • Implement the principle of ‘security by design’, starting with your first production batch • Design your product for high volume manufacturing runs in order to lower production costs • Design for the complete security lifecycle of the product – If a product stores a lot of personal data at end-of-life (or when re-sold), can this be easily erased? – Use your management of security & privacy processes as a way to differentiate yourself from the competition • Embrace security ‘best practice’ and certification for products and processes (e.g. ISO 27000) • Be aware of regulatory requirements in overseas markets • Can you afford to design, build and support a secure product at your intended price point? 23/03/2016 Bill Harpley 18
  • 19. Conclusions • We have seen that protecting critical social and economic infrastructure from cyber-attacks is a major priority for the UK • We have examined how developing secure IoT products can present startup businesses with many challenges • What do these two ends of the scale have in common? – You need to plan ahead and ask ‘What if …?’ – You need to try and understand the risks – You need to invest adequate resources to meet your goals – You need to monitor how well your security strategy is performing – Put effective processes in place to manage and contain any security problems • Whether working at the micro-scale or the macro-scale, it’s crucial to develop a security mindset 23/03/2016 Bill Harpley 19