This document summarizes a presentation given by Paul Malone at the IERC Conference 2015 on the internet of energy things. The presentation discusses that while the internet of energy things could deliver a secure, cheap and sustainable energy future, there are significant security challenges to address first. These include an increased attack surface from more connected devices, the difficulty of patching devices remotely, and a lack of agreed upon data governance frameworks to protect privacy and regulate use of data. Case studies are presented showing vulnerabilities in existing internet-connected devices like baby monitors. The presentation argues that security must be designed into internet of energy things from the start in order to fully realize its benefits.

1. IERC Conference 2015
Paul Malone 13th May 2015
12/05/2015
www.tssg.org

2. The internet of energy things
will deliver a secure, cheap and
sustainable energy future
12/05/2015
www.tssg.org
2

3. The internet of energy things
will deliver a secure?, cheap and
sustainable energy future
14/05/2015
www.tssg.org
3

4. • Increased attack surface
• Difficulty of patching devices
• Lack of data governance frameworks
12/05/2015
www.tssg.org
4

5. Increased attack surface
12/05/2015
www.tssg.org
5

6. 12/05/2015
www.tssg.org
6
Source:
Cisco

7. 2014
Verizon
Data
Breach
Inves6ga6ons
Report
12/05/2015
www.tssg.org
7
Source:
Verizon

8. The
OWASP
Internet
of
Things
Top
10
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
12/05/2015
www.tssg.org
8

9. Difficulty of patching devices
12/05/2015
www.tssg.org
9

10. HP
Report
2014
“70 percent of the most commonly used Internet of
Things (IoT) devices contain vulnerabilities,
including password security, encryption and general
lack of granular user access permissions.”
“IoT devices averaged 25 vulnerabilities per
product, indicating expanding attack surface for
adversaries”
12/05/2015
www.tssg.org
10

11. “The challenge is, you see all of these devices coming
online at a rapid clip, without robust security. … Trying to
apply a patch to a thermostat in the home is going to be
much more challenging.”
- Gary Davis, Intel Security
12/05/2015
www.tssg.org
11

12. Foscam
Baby
Monitor
• Multiple vulnerabilities
• 100,000 cameras in the wild (easy to find)
• 20% default user “admin” no password
• Vendor generated a patch (for some of the
vulnerabilities)
• 99% of cameras still ran the older firmware
12/05/2015
www.tssg.org
12

13. Lack of agreed Data
Governance Frameworks
12/05/2015
www.tssg.org
13

14. • Huge amounts of data
• Regulatory and compliance complexities
• Assurances with regard to PII
– Where is my data?
– Who has access?
• What assurances does the consumer have?
– How is my data being used?
• What is the value to me?
• What is the value to 3rd parties?
12/05/2015
www.tssg.org
14

15. 12/05/2015
www.tssg.org
15
What about Surveillance?

16. “If privacy and confidentiality isn’t designed in up front, on
top of the security capabilities provided by the enabling
M2M infrastructure (including authentication, access
control, data protection), the benefits of the IoT cannot be
fully realized.”
- Tim Carey, Alcatel Lucent
12/05/2015
www.tssg.org
16

17. The internet of energy things
will deliver a secure, cheap and
sustainable energy future
14/05/2015
www.tssg.org
17

18. The internet of energy things
will deliver a secure, cheap and
sustainable energy future
can
12/05/2015
www.tssg.org
18

19. The internet of energy things
will deliver a secure, cheap and
sustainable energy future
can
14/05/2015
www.tssg.org
19
But only if security is
addressed first!

20. “You cannot escape the
responsibility of tomorrow by
evading it today.”
- Abraham Lincoln
12/05/2015
www.tssg.org
20