IoT Security Patterns
Mark Benson, CTO
@markbenson
IoT Stream Con, 23 April 2015
The IoT opportunity
Recent Economist survey: 95% expect their company to be
using IoT within 3 years
“IoT is our single biggest
threat AND biggest
opportunity over the next 10
years” – Brand-name fortune
500 board of directors
[Chart: Internet-connected devices in billions (Cisco estimate) and market size in $ billions, by segment: Big Data Analytics (53% CAGR), Connected Device Platforms (33% CAGR), Application Enablement Platforms (32% CAGR), Value Added Services (26% CAGR), System Integration Services (24% CAGR), Hardware (23% CAGR), Connectivity (12% CAGR)]
*Source: ABI Research, Cisco, Craig Hallum Estimates
The Internet of Things?
More like the Internet of Attack Vectors
• Attack surfaces are expanding rapidly
• Physical access to systems is becoming easier
• Consumer privacy concerns are rising
• Consequences of a breach are becoming more severe (critical
infrastructure, brand deterioration, data privacy issues, etc.)
• Product companies are being forced outside of their comfort zones
• Three dimensions that make IoT security challenging…
1. Resource constraints
[Diagram: protocol stacks across four tiers, with data marked at rest, in use and in motion at each tier]
• Enterprise Web Services: has virtually no resource constraints
• IoT Data Platform: deals with resource constraints
• Gateway or Aggregator: has moderate resource constraints
• Sensing Node: has severe resource constraints
• Stacks shown: MAC/PHY, IP, TLS/TCP, HTTP, App Data; MAC/PHY, IP, DTLS/UDP, CoAP, Binary Data; Sensor, MAC/PHY, Binary Data
2. Deployment topologies
[Diagram: five deployment topologies built from the chain Sensors, Short RF, Gateways, On-prem SW, Long-haul, Cloud Platform, Analytics platform. Elements shown: Gateway, Local Display, On-prem, IoT Cloud, Analytics]
A. No cloud
B. Standard
C. Multi-site
D. Closed network
E. Comprehensive
3. Usage modes
Modes: 1. Initialization, 2. Operation, 3. Modification, 4. Retirement
• Device cloud registration
* Secure authentication
* Secure API transports
* Secure storage
• Secure flash
* OTP parts
* Secure boot
* Secure provisioning
• Secure firmware updates
* Disable test/debug interfaces
* Factory defaults fallback
* Disable test interfaces
• Secure change of ownership
• Device de-registration process
• Optionally reenable retired devices
• Secure encryption key deletion
Things to note about IoT usage modes that affect security:
1. Some modes are normal and standard solutions exist
2. Some modes are new and standards are still emerging
3. Some modes are becoming more vulnerable due to resource constraints
The IoT security problem area
[Diagram: three axes: Usage Modes (Standard to Novel), Deployment Topologies (Simple to Complex), Resource Constraints (Low to High)]
A. High resource constraints
B. Complex deployment topologies
C. Novel usage modes
Mo’ IoT, mo’ problems
The 4th dimension: time
Now we have a Tesseract
The difficulty with IoT security is that the landscape is constantly changing, even after products are deployed
Security should be designed in from the beginning and embraced as a journey throughout
It starts with a process…
[Diagram: four dimensions: Modes, Topologies, Constraints, Time]
The web you should be weaving
Secure processes => secure products => secure brand integrity
Phases: Planning, Design, Implementation, Verification, Validation, Deployment, Operations
Security activities across the phases:
• Security Requirements
• Risk Analysis
• Threat Modeling
• Secure Design Practices
• Security-Focused Design Reviews
• Secure Coding Practices
• Third Party Security Audit
• Security-Focused Testing
• User Testing to Expose Weak Points
• Penetration Testing
• Secure Deployment Practices
• Operational Risk Assessment
• Incident Response Preparedness
• Vulnerability Management
Training and awareness
Information Security Management System (ISMS) policies, procedures, and compliance audits
Corporate strategy, governance, metrics, and optimization
Conclusion
Takeaways:
1. Security processes. Have a security architecture from the beginning and evolve
throughout (layers, topologies, modes)
2. Technology selection. Start it from the beginning and evolve throughout
3. Operations planning. How do you respond if/when a security incident occurs in
the field? Use checklists
– http://owasp.org/
– http://builditsecure.ly/
Embrace the journey
Thank you
Mark Benson
@markbenson
