The document discusses cybersecurity challenges related to IoT. It outlines several security incidents involving IoT devices over time. It then discusses inherent security challenges for IoT, including threats from advanced persistent threats, cyber terrorism, and compromised supply chains. The document also summarizes statistics on IoT security concerns and vulnerabilities. It identifies top vulnerabilities according to OWASP and discusses how to secure IoT in different domains like smart cities and homes.
1. Prepared by Sajid Mehmood
IoT: Cybersecurity Challenges
Challenges and Opportunities in Security of Internet of Things
2. AGENDA
Security is the Key
Inherent Security Challenges
Threat Spectrum – Trends
Securing the “Things”
3. INDUSTRY 4.0
Advanced Persistent Threats and Cyber-Espionage
Cyber-Terrorism
Supply Chain and the Extended Eco-System
Smart Security and the Smart Factory
Social Privacy
4. INCIDENTS – CHRONOLOGICAL PERSPECTIVE
Timeline years: 2000 2003 2005 2008 2010
Australian sewage treatment plant: remote break-in to the sewage treatment controls, which led to the release of 264,000 gallons of raw sewage into local rivers and parks.
13 Daimler Chrysler automobile plants went offline for an hour, stopping all work, after being infected with the Zotob worm.
Discovery of Stuxnet, a 500 Kb computer worm that infected software of at least 14 industrial sites in Iran, including a uranium enrichment plant.
Davis-Besse nuclear power plant: the Slammer worm disabled the safety monitoring system.
Sobig computer virus was blamed for shutting down train signalling systems throughout the east coast of the U.S.
SCADA system alarm processor failed. Power was lost, affecting an area of 50 million people in the Northeast US and Canada.
Polish police arrested a 14-year-old for hacking the Lodz tram system, disrupting traffic and derailing trams, injuring 12 passengers.
5. INCIDENTS – CHRONOLOGICAL PERSPECTIVE
Timeline years: 2012 2014 2015 2016
Hackers attacked a German steel mill control system such that a blast furnace was unable to shut down, resulting in massive damage.
A water treatment facility reported to ICS-CERT that it suspected that an overflow of the wastewater treatment process was due to unauthorised employee access.
In October 2016, Dyn was attacked by a group called Anonymous. Various IoT devices were used to create a DDoS on the servers of Dyn, which is a provider for major internet platforms and services.
Cyber espionage campaign dubbed Energetic Bear or Dragonfly targets energy grid operations, industrial equipment. Includes information stealing, remote access and sabotage capabilities.
In December 2015, the Ukraine power grid was attacked. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end consumers.
6. IOT SECURITY BY NUMBERS
Aon Service Corporation | Global Security Services
[Chart: Internet Connected Things - Consumer Market, 2014 vs. 2016. Categories: Video Equipment, Electronic Peripherals, Physical Security, Sensors, Appliances, Controllers, Wearable.]
[Chart: Top Challenges in Keeping User Connected, 2014 vs. 2016. Categories: Security Concerns, Equipment Issues, Insufficient Bandwidth, Latency Issues, Intermittent Service, No Challenges.]
AT&T's Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of deploying, or intend to deploy, IoT devices.
Yet a mere 10% of those surveyed feel confident that they could secure those devices against hackers.
Source: IoT Developer Survey April 2016 by Eclipse IoT Working Group, IEEE and AGILE; The many guises of the IoT by Quocirca December 2015; 2016 IoT Trends: The Devices Landed by SpiceWorks
7. IOT SECURITY BY NUMBERS
[Chart: Developer Concerns on IoT Products. Categories: Security, Interoperability, Connectivity, Integration with Hardware, Cost, Performance, Privacy, Complexity, Maintenance, Data Analytics, Certification/Conformance, Other, I Don't Know.]
[Chart: IoT Security Concerns. Categories: Devices Recruited to Botnets, Devices Used as Ingress Points, Privacy - Employee, Vulnerable Firmware/API of IoT, Ownership of Data, Vulnerable Business Process, Regulatory Controls, Expanded Attack Surface to IoT, Privacy - Customers, Devices Insecurely Delivered to…, Open Source Hacker Tools.]
Source: IoT Developer Survey April 2016 by Eclipse IoT Working Group, IEEE and AGILE; The many guises of the IoT by Quocirca December 2015; 2016 IoT Trends: The Devices Landed by SpiceWorks
8. IOT SECURITY BY NUMBERS
[Chart: Which statement best captures your feelings about the IoT and security? Options: IoT will be a disaster; IoT will have the same level of security problems as other applications and systems; IoT will provide an opportunity to increase security over today; Other. Values shown: 17%, 49%, 21%, 13%.]
[Chart: Do you have a policy for visibility and secure management of “Things” on your network today? Options: Yes, No, Unknown. Values shown: 32%, 46%, 22%.]
9. IOT SECURITY BY NUMBERS
[Chart: In your opinion, who should take responsibility for managing the risk imposed by new “Things” connecting to the Internet and your network? Categories: Our IT Security Group, The Thing Manufacturer, Our IT Operations Group, Department Managers, Our Physical Security Group, Other.]
[Chart: What controls are you using currently to protect against the risks imposed by new “Things” on your network? What controls do you plan on deploying in the next 2 years to address these issues? Series: Current, Next 2 Years.]
Data From: SANS Securing the Internet of Things Survey
10. IOT CYBERSECURITY - VULNERABILITIES
Rank: OWASP Top 10 for IoT
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption/Integrity Verification
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
Source: OWASP IoT Project
•Operational Security: IoT-based services require continuity and high availability
•Privacy: Valuable data requires protection
•Software Patching: Many IoT devices lack human users who can install security updates
•Identity of Things: In the absence of universal standards, each implementation requires a unique approach to manage authentication and access
•Logging: The logging system must identify events without relying on time-of-day data
11. IOT CYBERSECURITY – SECURITY TRIAD
Six Points of Security
Confidentiality
Availability
Integrity
Non-repudiation
Authentication
Code Validation
Threat Model
Availability threats
Integrity threats
Authenticity threats
Confidentiality threats
Non-repudiation/accountability threats
Simplified View of ICT Architecture
Smart processing
Data aggregation connectivity
Data processing
Data transmission network
Field components
12. IOT CYBERSECURITY – SMART CITY
Protecting from Intentional Attacks
Use Virtual Private Network
Encryption of Data
Network Intrusion detection system
Physical protection
Access control
Alarm and surveillance
Information security policy
Activity logs
Maintenance of backups
Regular auditing
Shutdown procedures
13. IOT CYBERSECURITY – SMART CITY
Protecting from Accidents
Monitoring of KPIs
Hardware Redundancy
Shutdown Procedures
Design Specification
Maintenance Scheduling
Response teams
Quality assurance
Reporting procedures
Awareness
Incident Reporting System
Increase Resilience
14. IOT CYBERSECURITY – SMART HOME
Threats
Physical attacks
Unintentional damage (accidental)
Disasters and Outages
Damage/Loss (IT Assets)
Failures/Malfunctions
Eavesdropping/Interception
Hijacking as well as Nefarious Activity/Abuse
15. IOT CYBERSECURITY – SMART HOME
The need for security in Smart Home Environments is still underestimated
Vendors lack incentives to enhance security in Smart Home devices and services
Smart Home devices and services implement few security measures
Smart Home Environments result in new security challenges
IoT vulnerable “building blocks” cause vulnerabilities to be shared at large scale
IoT pervasiveness and dynamicity