Prepared by Sajid Mehmood
IoT: Cybersecurity Challenges
Challenges and Opportunities in Security of Internet of Things
AGENDA
• Security is the Key
• Inherent Security Challenges
• Threat Spectrum – Trends
• Securing the “Things”
INDUSTRY 4.0
Advanced Persistent Threats and Cyber-Espionage
Cyber-Terrorism
Supply Chain and the Extended Eco-System
Smart Security and the Smart Factory
Social Privacy
INCIDENTS – CHRONOLOGICAL PERSPECTIVE
Timeline: 2000, 2003, 2005, 2008, 2010
• Australian sewage treatment plant: a remote break-in to the sewage treatment controls led to the release of 264,000 gallons of raw sewage into local rivers and parks.
• 13 Daimler Chrysler automobile plants went offline for an hour, stopping all work, after being infected with the Zotob worm.
• Discovery of Stuxnet, a 500 Kb computer worm that infected software of at least 14 industrial sites in Iran, including a uranium enrichment plant.
• Davis-Besse nuclear power plant: the Slammer worm disabled the safety monitoring system.
• The Sobig computer virus was blamed for shutting down train signalling systems throughout the east coast of the U.S.
• A SCADA system alarm processor failed. Power was lost, affecting an area of 50 million people in the Northeast US and Canada.
• Polish police arrested a 14-year-old for hacking the Lodz tram system, disrupting traffic and derailing trams, injuring 12 passengers.
INCIDENTS – CHRONOLOGICAL PERSPECTIVE
Timeline: 2012, 2014, 2015, 2016
• Hackers attacked a German steel mill control system such that a blast furnace was unable to shut down, resulting in massive damage.
• A water treatment facility reported to ICS-CERT that it suspected that an overflow of the wastewater treatment process was due to unauthorised employee access.
• In October 2016, Dyn was attacked by a group called Anonymous. Various IoT devices were used to create a DDoS on the servers of Dyn, which is a provider for major internet platforms and services.
• Cyber espionage campaign dubbed Energetic Bear or Dragonfly targets energy grid operations and industrial equipment. Includes information stealing, remote access and sabotage capabilities.
• In December 2015, the Ukraine power grid was attacked. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end consumers.
IOT SECURITY BY NUMBERS
Aon Service Corporation | Global Security Services
[Chart: Internet Connected Things - Consumer Market, 2014 vs 2016, scale 0% to 100%. Categories: Video Equipment, Electronic Peripherals, Physical Security, Sensors, Appliances, Controllers, Wearable.]
[Chart: Top Challenges in Keeping User Connected, 2014 vs 2016, scale 0% to 100%. Categories: Security Concerns, Equipment Issues, Insufficient Bandwidth, Latency Issues, Intermittent Service, No Challenges.]
AT&T's Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of deploying, or intend to deploy, IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against hackers.
Source: IoT Developer Survey April 2016 by Eclipse IoT Working Group, IEEE and AGILE; The many guises of the IoT by Quocirca December 2015; 2016 IoT Trends: The Devices Landed by SpiceWorks
IOT SECURITY BY NUMBERS
[Chart: Developer Concerns on IoT Products, scale 0 to 50. Categories: Security, Interoperability, Connectivity, Integration with Hardware, Cost, Performance, Privacy, Complexity, Maintenance, Data Analytics, Certification/Conformance, Other, I Don't Know.]
[Chart: IoT Security Concerns, scale 0 to 1.5. Categories: Devices Recruited to Botnets, Devices Used as Ingress Points, Privacy - Employee, Vulnerable Firmware/API of IoT, Ownership of Data, Vulnerable Business Process, Regulatory Controls, Expanded Attack Surface to IoT, Privacy - Customers, Devices Insecurely Delivered to…, Open Source Hacker Tools.]
Source: IoT Developer Survey April 2016 by Eclipse IoT Working Group, IEEE and AGILE; The many guises of the IoT by Quocirca December 2015; 2016 IoT Trends: The Devices Landed by SpiceWorks
IOT SECURITY BY NUMBERS
[Chart: Which statement best captures your feelings about the IoT and security? Chart values: 17%, 49%, 21%, 13%. Options: IoT will be Disaster; IoT will have same level of Security Problem as other applications and systems; IoT will provide opportunity to increase security over today; Other.]
[Chart: Do you have policy for visibility and secure management of “Things” on your network today? Chart values: 32%, 46%, 22%. Options: Yes; No; Unknown.]
IOT SECURITY BY NUMBERS
[Chart: In your opinion, who should take responsibility for managing the risk imposed by new “Things” connecting to the Internet and your network? Scale 0% to 100%. Categories: Other, Our Physical Security Group, Department Managers, Our IT Operations Group, The Thing Manufacturer, Our IT Security Group.]
[Chart: What controls are you using currently to protect against the risks imposed by new “Things” on your network? What controls do you plan on deploying in the next 2 years to address these issues? Scale 0% to 80%. Series: Current, Next 2 Years.]
Data From: SANS Securing the Internet of Things Survey
IOT CYBERSECURITY - VULNERABILITIES
Rank: OWASP Top 10 for IoT
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption/Integrity Verification
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
Source: OWASP IoT Project
• Operational Security: IoT-based services require continuity and high availability
• Privacy: Valuable data require protection
• Software Patching: Many IoT devices lack human users who can install security updates
• Identity of Things: In the absence of universal standards, each implementation requires a unique approach to manage authentication and access
• Logging: The logging system must identify events without relying on time-of-day data
IOT CYBERSECURITY – SECURITY TRIAD
Six Points of Security
• Confidentiality
• Availability
• Integrity
• Non-repudiation
• Authentication
• Code Validation
Threat Model
• Availability threats
• Integrity threats
• Authenticity threats
• Confidentiality threats
• Non-repudiation/accountability threats
Simplified View of ICT Architecture
• Smart processing
• Data aggregation connectivity
• Data processing
• Data transmission network
• Field components
IOT CYBERSECURITY – SMART CITY
Protecting from Intentional Attacks
• Use Virtual Private Network
• Encryption of Data
• Network Intrusion detection system
• Physical protection
• Access control
• Alarm and surveillance
• Information security policy
• Activity logs
• Maintenance of backups
• Regular auditing
• Shut down procedures
IOT CYBERSECURITY – SMART CITY
Protecting from Accidents
• Monitoring of KPIs
• Hardware Redundancy
• Shutdown Procedures
• Design Specification
• Maintenance Scheduling
• Response teams
• Quality assurance
• Reporting procedures
• Awareness
• Incident Reporting System
• Increase Resilience
IOT CYBERSECURITY – SMART HOME
Threats
• Physical attacks
• Unintentional damage (accidental)
• Disasters and Outages
• Damage/Loss (IT Assets)
• Failures/Malfunctions
• Eavesdropping/Interception
• Hijacking as well as Nefarious Activity/Abuse
IOT CYBERSECURITY – SMART HOME
• The need for security in Smart Home Environments is still underestimated
• Vendors lack incentives to enhance security in Smart Home devices and services
• Smart Home devices and services implement few security measures
• Smart Home Environments result in new security challenges
• IoT vulnerable “building blocks” cause vulnerabilities to be shared at large scale
• IoT pervasiveness and dynamicity
THANK YOU
