SlideShare a Scribd company logo

Kl iot cebit_dg_200317_finalmktg

L. Duke Golden
L. Duke Golden

Next Generation Embedded Security for IOT - Powered by Kaspersky Secure OS. This presentation examines our "Secure by Design" alternative to legacy Microsoft / Linux OS - together with an end-to-end IOT security strategy. This presentation was originally given publicly at the CEBIT 2017 Event in Hannover, Germany.

Technology
1 of 20
Download to read offline
NEXT-GENERATION EMBEDDED SYSTEMS SECURITY FOR IOT: Powered by KASPERSKY SECURE OS
2 EVERYTHING WILL BE CONNECTED – WHETHER WE LIKE IT OR NOT
THE INTERNET OF THINGS – BUT WHY NOW? AN EXPLOSION OF NETWORK POSSIBILITIES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System2 BILLIONSOFDEVICES 50 40 30 20 10 0 90 92 94 96 98 00 02 04 06 08 10 12 14 16 18 20 YEAR 1992 1,000,000 2003 0.5 BILLION 2009 IoT INCEPTION 2012 8.7 BILLION 2014 14.4 BILLION 2015 18.2 BILLION 2017 28.4 BILLION 2016 22.9 BILLION 2018 34.8 BILLION 2019 42.1 BILLION 2020 50.1 BILLION 2013 11.2 BILLION 1998 2001 2003 2005 2007 2009 2011 Initial WDM Deployments 8 x 2.5GB Increased # of λ 8-40 x 2.5G Introduction of 10GB λ Additional λ increases Introduction of 40GB λ Premiere of OTN Automatic Optical Switching ROADM – Bandwidth Flexibility 100GB λ FMC 400GBλ Network Evolution 1TBλ
RICH IoT DEVICES ARE THE MOST VULNERABLE “Things” Sensor & Actuator Processing Communication Local Network Gateway(s) Wired/wireless Power line BAN, PAN, LAN The Internet Back-End Services Remote Server User access and control Business Data Analysis Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System4
IoT ATTACKS MIRAI Mirai’s name comes from the discovered binaries having the name “mirai.()” and was initially discovered in August 2016. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running Busybox, a common tool for IoT embedded devices. BASHLITE Infects Linux systems in order to launch distributed denial-of- service attacks (DDoS). In 2014 BASHLITE exploited the Shellshock software bug to exploit devices running BusyBox. In 2016 it was reported that one million devices have been infected with BASHLITE. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System5
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System6 MAIN CONSIDERATIONS FROM A CYBER SECURITY PERSPECTIVE  Human mistakes  Usage of 3rd party software and libraries  Software Complexity (Number of Lines of Code increasing dramatically) INSECURE DESIGN VULNERABILITIES  Time to market pressure  Rapidly changing technology landscape INSECURITY OF CONVENTIONAL OPERATING SYSTEMS
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System7 WHY CONVENTIONAL OPERATING SYSTEMS ARE DANGEROUS…  Monolithic system where any module can call any other one  With help of exploitation of arbitrary code execution vulnerability it is possible to call any other module regardless of security settings  Uncontrolled usage of 3rd party libraries  Adversaries can get control over whole system with help of only one vulnerability  Poor security settings due to various reasons (lack of expertise, other priorities, lack of time…)  Wide attack surface Interactive user Device Driver Libraries Commands Application Programs OS System Call Interface … Device Driver Device Driver … DriverInterface Trap Table Monolithic Kernel Module Process Management Memory Management File Management Device Mgmt Infrastructure
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System8 THE ONLY REAL SOLUTION TO THE PROBLEM… Create an environment that simply won't allow the program to perform undeclared functions and prevent exploiting of vulnerabilities. MAIN PRINCIPLES OF SECUREOS Secure by design system MILS with reference monitor approach Microkernel based Meets specific requirements for embedded systems
SPECIFIC REQUIREMENTS FOR AN EMBEDDED OPERATING SYSTEM SMALL SIZE AND MINIMUM RESOURCE USAGE Most of the embedded systems use limited hardware resources (RAM, ROM, CPU) OUT OF THE BOX SECURITY – OR AS CLOSE AS POSSIBLE Most embedded systems have somewhat unique security requirements. Simplicity in security settings reduces time to market and effort required to roll out Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System9 STABLE FUNCTIONALITY EVEN WHEN UNDER ATTACK One has to think about possible threats and threat vectors in advance – and maintain stability throughout COMPLIANCE WITH INDUSTRY STANDARDS A system has to be designed and programmed in accordance With industrial safety and security standards
10 KASPERSKYOS // OVERVIEW  Designed for embedded connected systems with specific requirements for cyber security  Based on the separation kernel which guarantees the control of all internal system communications  Behavior of every module is pre described via security policies  Separate business applications from security (easier to develop and support, decrease time to market, increase security and safety)  MILS architecture Domain separation/isolation Flexible internal communications control via Kaspersky Security System (KSS) Kaspersky Secure OS
BENEFITS OF KASPERSKYOS INHERENT SECURITY KasperskyOS is an operating system that is secure by design and we intend to keep it that way by using the best practices of software development FLEXIBLE SECURITY CONFIGURATION Well-designed configuration tools make it easy to create declarative rule definitions and combinations of rules to control interactions in the system. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System11 VERSATILE MODULAR ARCHITECTURE Building the system based on loosely coupled modules helps to minimize the amount of trusted code and tailor each solution to the customer’s specific needs SEPARATION OF APPLICATION FEATURES FROM SECURITY FUNCTIONS The security architecture is designed to separate security functions from application business logic, making both configuring security policies and developing applications easier
12 BEYOND THE OS: EMBEDDED SECURITY FOR ALL… • Default Deny only installation mode • Low system requirements (256MB system memory) • Low traffic consumption (no regular AV updates) • No internet connection required • Executable files, DLLs, Drivers • Hash sum check, signatures check, destination check • Optional 2-layer check for whitelisted applications with Kaspersky Private Security Network …EVEN THOSE RUNNING LESS SECURE OPERATING SYSTEMS: • Windows XP Embedded • Windows 2009 Embedded • Windows XP Pro • Windows 7 Embedded POSReady • Windows 7 Embedded Standard • Windows Embedded 8.0 Standard • Windows 10 IoT Kaspersky Embedded Systems Security
USE CASES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System13 Telecoms and Network Equipment IoT and Industrial IoT Connected Cars Endpoints POS Terminals Linux Systems security enhancement
USE CASES – General Usage IoT Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System14 Isolation of every single module Minimization impact of vulnerabilities Protection of sensitive data (i.e. encryption keys, user’s data, secure storage) Secure boot  System Security by design - the only way to secure IoT devices! 1. Smart CCTV camera (does image processing on a device and send processed data to a server) 2. Smart hub (all sensors and end devices connected to it) EXAMPLE Connected to the Internet and Powerful enough (not MCU based) devices like: KASPERSKYOS
USE CASES – IOT FOR CONNECTED CARS Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System15 Isolation of infotainment from safety critical system (advanced driver assistance systems, AUTOSAR) Minimise impact of vulnerabilities in every domain Protection of sensitive data (i.e. encryption keys, logs, telematics data) from unauthorised access Secure boot and protection against unauthorised modification of firmware and software (i.e. malware infection, unauthorised modifications)  System Security by Design  Can be used in Central gateway, Head unit or specific ECU/TCU KASPERSKY SECURE HYPERVISOR
CONNECTED CAR MAIN INTERNAL VULNERABILITY POINTS Head UnitECUs Vehicle Buses
POTENTIAL THREAT VECTORS Private Data Key StoreHeadUnit Browser Keypad ECU Man-in-the-Middle Attack Attack from Mobile Device Attack on Key / Certificate Stores Sniffing of User Data Attack from Downloaded Apps Malware Delivery Thru Data Storage Device Malicious Firmware Update Remote Attack on Vehicle Bus Compromised Actuator Exploiting Software Vulnerabilities Operating System Attack on OBD2
CONNECTED CAR SECURITY LAYERS & KL SECURITY Car Gateway Threat vectors KL Technologies •Man in-The-Middle-Attack •Attack From Downloaded Apps Server Security, Solutions for Data Centers, DDoS Protection, Security Intelligence Services (SIS) •Sniffing of User Data •Attack From Downloaded Apps •Exploiting Software Vulnerabilities Security and Vulnerability Mgmt (SVM), IDS & IPS, Security Intelligence Services (SIS), Mobile SDK •Attack from Apps in Mobile Device •Exploiting SW Vulnerabilities •Malicious Firmware Update •Malware Delivery Thru Data Storage Devices IDS & IPS, Security and Vulnerability Mgmt, Anti-Malware, Security Intelligence Services (SIS), Kaspersky Secure Hypervisor, Kaspersky Security System (KSS), KasperskyOS •Compromised Engine Actuator •Attack on Vehicle Bus Security Intelligence Services, Kaspersky Embedded Systems Security •Attack on Key •Malicious Firmware Update •Attack on Vehicle Bus Flexible Security Policy Control Framework (KSS), Encryption, Security Hypervisor, Security Intelligence Services, KasperskyOS Car Network ECU Car Cloud Services Network Access
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System19 END-TO-END IOT SECURITY – POWERED BY KASPERSKY IoT and Industrial IoT – Powered By Kaspersky Kaspersky Embedded Systems Security Kaspersky Secure Operating System Kaspersky Industrial CyberSecurity DDoS Protection Security Intelligence Services
20 Questions? L. Duke Golden Strategic Accounts Manager, DACH duke.golden@kaspersky.com +49 (0)151 544 39 309 www.kaspersky.com

Recommended

Safe and secure autonomous systems
Safe and secure autonomous systemsSafe and secure autonomous systems
Safe and secure autonomous systems
Alan Tatourian
 
Samsung beyond basic android online 0
Samsung beyond basic android online 0Samsung beyond basic android online 0
Samsung beyond basic android online 0
Javier Gonzalez
 
How Endpoint Security works ?
How Endpoint Security works ?How Endpoint Security works ?
How Endpoint Security works ?
William hendric
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
The Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating SystemThe Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating System
Kaspersky Lab
 
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Javier González
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
Nozomi Networks
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 

Recommended

Safe and secure autonomous systems
Safe and secure autonomous systemsSafe and secure autonomous systems
Safe and secure autonomous systems
Alan Tatourian
 
Samsung beyond basic android online 0
Samsung beyond basic android online 0Samsung beyond basic android online 0
Samsung beyond basic android online 0
Javier Gonzalez
 
How Endpoint Security works ?
How Endpoint Security works ?How Endpoint Security works ?
How Endpoint Security works ?
William hendric
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
The Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating SystemThe Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating System
Kaspersky Lab
 
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Javier González
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
Nozomi Networks
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Priyanka Aash
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollers
Milosch Meriac
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
Will future vehicles be secure?
Will future vehicles be secure?Will future vehicles be secure?
Will future vehicles be secure?
Alan Tatourian
 
Preventing Stealthy Threats with Next Generation Endpoint Security
Preventing Stealthy Threats with Next Generation Endpoint SecurityPreventing Stealthy Threats with Next Generation Endpoint Security
Preventing Stealthy Threats with Next Generation Endpoint Security
Intel IT Center
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Fortinet Icon Library
Fortinet Icon LibraryFortinet Icon Library
Fortinet Icon Library
Fortinet
 
Introducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light AgentIntroducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light Agent
Kaspersky
 
Routeco cyber security and secure remote access 1 01
Routeco cyber security and secure remote access 1 01Routeco cyber security and secure remote access 1 01
Routeco cyber security and secure remote access 1 01
RoutecoMarketing
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
IJECEIAES
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
Sophos utm-roadshow-south africa-2012
Sophos utm-roadshow-south africa-2012Sophos utm-roadshow-south africa-2012
Sophos utm-roadshow-south africa-2012
dvanwyk30
 
Samsung knox and android for work
Samsung knox and android for workSamsung knox and android for work
Samsung knox and android for work
Javier Gonzalez
 
Android Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOXAndroid Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOX
Samsung Biz Mobile
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
ESET is introducing its brand new product ESET Secure Authentication
ESET is introducing its brand new product ESET Secure AuthenticationESET is introducing its brand new product ESET Secure Authentication
ESET is introducing its brand new product ESET Secure Authentication
ESET
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
Microsoft Tech Community
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 

More Related Content

What's hot

Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Priyanka Aash
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollers
Milosch Meriac
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
Will future vehicles be secure?
Will future vehicles be secure?Will future vehicles be secure?
Will future vehicles be secure?
Alan Tatourian
 
Preventing Stealthy Threats with Next Generation Endpoint Security
Preventing Stealthy Threats with Next Generation Endpoint SecurityPreventing Stealthy Threats with Next Generation Endpoint Security
Preventing Stealthy Threats with Next Generation Endpoint Security
Intel IT Center
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Fortinet Icon Library
Fortinet Icon LibraryFortinet Icon Library
Fortinet Icon Library
Fortinet
 
Introducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light AgentIntroducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light Agent
Kaspersky
 
Routeco cyber security and secure remote access 1 01
Routeco cyber security and secure remote access 1 01Routeco cyber security and secure remote access 1 01
Routeco cyber security and secure remote access 1 01
RoutecoMarketing
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
IJECEIAES
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
Sophos utm-roadshow-south africa-2012
Sophos utm-roadshow-south africa-2012Sophos utm-roadshow-south africa-2012
Sophos utm-roadshow-south africa-2012
dvanwyk30
 
Samsung knox and android for work
Samsung knox and android for workSamsung knox and android for work
Samsung knox and android for work
Javier Gonzalez
 
Android Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOXAndroid Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOX
Samsung Biz Mobile
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
ESET is introducing its brand new product ESET Secure Authentication
ESET is introducing its brand new product ESET Secure AuthenticationESET is introducing its brand new product ESET Secure Authentication
ESET is introducing its brand new product ESET Secure Authentication
ESET
 

What's hot (20)

Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollers
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
 
Will future vehicles be secure?
Will future vehicles be secure?Will future vehicles be secure?
Will future vehicles be secure?
 
Preventing Stealthy Threats with Next Generation Endpoint Security
Preventing Stealthy Threats with Next Generation Endpoint SecurityPreventing Stealthy Threats with Next Generation Endpoint Security
Preventing Stealthy Threats with Next Generation Endpoint Security
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Fortinet Icon Library
Fortinet Icon LibraryFortinet Icon Library
Fortinet Icon Library
 
Introducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light AgentIntroducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light Agent
 
Routeco cyber security and secure remote access 1 01
Routeco cyber security and secure remote access 1 01Routeco cyber security and secure remote access 1 01
Routeco cyber security and secure remote access 1 01
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
Sophos utm-roadshow-south africa-2012
Sophos utm-roadshow-south africa-2012Sophos utm-roadshow-south africa-2012
Sophos utm-roadshow-south africa-2012
 
Samsung knox and android for work
Samsung knox and android for workSamsung knox and android for work
Samsung knox and android for work
 
Android Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOXAndroid Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOX
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
ESET is introducing its brand new product ESET Secure Authentication
ESET is introducing its brand new product ESET Secure AuthenticationESET is introducing its brand new product ESET Secure Authentication
ESET is introducing its brand new product ESET Secure Authentication
 

Similar to Kl iot cebit_dg_200317_finalmktg

Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
Microsoft Tech Community
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
Andy Shutka
 
nsx overview with use cases 1.0
nsx overview with use cases 1.0nsx overview with use cases 1.0
nsx overview with use cases 1.0
Ploynatcha Akkaraputtipat
 
ICC Networking Data Security
ICC Networking Data SecurityICC Networking Data Security
ICC Networking Data Security
International Communications Corporation
 
ICC Networking Data Security
ICC Networking Data SecurityICC Networking Data Security
ICC Networking Data Security
International Communications Corporation
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
ssuser57b3e5
 
Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power Utilities
Nir Cohen
 
Are you ready for Microsoft Azure Sphere?
Are you ready for Microsoft Azure Sphere?Are you ready for Microsoft Azure Sphere?
Are you ready for Microsoft Azure Sphere?
Mirco Vanini
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of Systems
Jamal Jamali
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resi
SHIVA101531
 
Secure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure Sphere
Microsoft Tech Community
 
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
Linaro
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPs
Cisco Russia
 
Checkpoint Overview
Checkpoint OverviewCheckpoint Overview
Checkpoint Overview
Leonardo Antichi
 
IoT Day - Introducing Azure Sphere
IoT Day - Introducing Azure SphereIoT Day - Introducing Azure Sphere
IoT Day - Introducing Azure Sphere
Mirco Vanini
 
137.gsm, fprs ,keypad_based_atm_security_(doc)
137.gsm, fprs ,keypad_based_atm_security_(doc)137.gsm, fprs ,keypad_based_atm_security_(doc)
137.gsm, fprs ,keypad_based_atm_security_(doc)
Karteek Irukulla
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
qqlan
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
How to Choose a SandBox - Gartner
How to Choose a SandBox - GartnerHow to Choose a SandBox - Gartner
How to Choose a SandBox - Gartner
Moti Sagey מוטי שגיא
 

Similar to Kl iot cebit_dg_200317_finalmktg (20)

Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 
nsx overview with use cases 1.0
nsx overview with use cases 1.0nsx overview with use cases 1.0
nsx overview with use cases 1.0
 
ICC Networking Data Security
ICC Networking Data SecurityICC Networking Data Security
ICC Networking Data Security
 
ICC Networking Data Security
ICC Networking Data SecurityICC Networking Data Security
ICC Networking Data Security
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
 
Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power Utilities
 
Are you ready for Microsoft Azure Sphere?
Are you ready for Microsoft Azure Sphere?Are you ready for Microsoft Azure Sphere?
Are you ready for Microsoft Azure Sphere?
 
Hardwar based Security of Systems
Hardwar based Security of SystemsHardwar based Security of Systems
Hardwar based Security of Systems
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resi
 
Secure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure Sphere
 
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
Demystifying Security Root of Trust Approaches for IoT/Embedded - SFO17-304
 
Cisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPsCisco Endpoint Security for MSSPs
Cisco Endpoint Security for MSSPs
 
Checkpoint Overview
Checkpoint OverviewCheckpoint Overview
Checkpoint Overview
 
IoT Day - Introducing Azure Sphere
IoT Day - Introducing Azure SphereIoT Day - Introducing Azure Sphere
IoT Day - Introducing Azure Sphere
 
137.gsm, fprs ,keypad_based_atm_security_(doc)
137.gsm, fprs ,keypad_based_atm_security_(doc)137.gsm, fprs ,keypad_based_atm_security_(doc)
137.gsm, fprs ,keypad_based_atm_security_(doc)
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
How to Choose a SandBox - Gartner
How to Choose a SandBox - GartnerHow to Choose a SandBox - Gartner
How to Choose a SandBox - Gartner
 

Recently uploaded

Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 

Recently uploaded (20)

Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 

Kl iot cebit_dg_200317_finalmktg

  • 1. NEXT-GENERATION EMBEDDED SYSTEMS SECURITY FOR IOT: Powered by KASPERSKY SECURE OS
  • 2. 2 EVERYTHING WILL BE CONNECTED – WHETHER WE LIKE IT OR NOT
  • 3. THE INTERNET OF THINGS – BUT WHY NOW? AN EXPLOSION OF NETWORK POSSIBILITIES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System2 BILLIONSOFDEVICES 50 40 30 20 10 0 90 92 94 96 98 00 02 04 06 08 10 12 14 16 18 20 YEAR 1992 1,000,000 2003 0.5 BILLION 2009 IoT INCEPTION 2012 8.7 BILLION 2014 14.4 BILLION 2015 18.2 BILLION 2017 28.4 BILLION 2016 22.9 BILLION 2018 34.8 BILLION 2019 42.1 BILLION 2020 50.1 BILLION 2013 11.2 BILLION 1998 2001 2003 2005 2007 2009 2011 Initial WDM Deployments 8 x 2.5GB Increased # of λ 8-40 x 2.5G Introduction of 10GB λ Additional λ increases Introduction of 40GB λ Premiere of OTN Automatic Optical Switching ROADM – Bandwidth Flexibility 100GB λ FMC 400GBλ Network Evolution 1TBλ
  • 4. RICH IoT DEVICES ARE THE MOST VULNERABLE “Things” Sensor & Actuator Processing Communication Local Network Gateway(s) Wired/wireless Power line BAN, PAN, LAN The Internet Back-End Services Remote Server User access and control Business Data Analysis Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System4
  • 5. IoT ATTACKS MIRAI Mirai’s name comes from the discovered binaries having the name “mirai.()” and was initially discovered in August 2016. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running Busybox, a common tool for IoT embedded devices. BASHLITE Infects Linux systems in order to launch distributed denial-of- service attacks (DDoS). In 2014 BASHLITE exploited the Shellshock software bug to exploit devices running BusyBox. In 2016 it was reported that one million devices have been infected with BASHLITE. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System5
  • 6. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System6 MAIN CONSIDERATIONS FROM A CYBER SECURITY PERSPECTIVE  Human mistakes  Usage of 3rd party software and libraries  Software Complexity (Number of Lines of Code increasing dramatically) INSECURE DESIGN VULNERABILITIES  Time to market pressure  Rapidly changing technology landscape INSECURITY OF CONVENTIONAL OPERATING SYSTEMS
  • 7. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System7 WHY CONVENTIONAL OPERATING SYSTEMS ARE DANGEROUS…  Monolithic system where any module can call any other one  With help of exploitation of arbitrary code execution vulnerability it is possible to call any other module regardless of security settings  Uncontrolled usage of 3rd party libraries  Adversaries can get control over whole system with help of only one vulnerability  Poor security settings due to various reasons (lack of expertise, other priorities, lack of time…)  Wide attack surface Interactive user Device Driver Libraries Commands Application Programs OS System Call Interface … Device Driver Device Driver … DriverInterface Trap Table Monolithic Kernel Module Process Management Memory Management File Management Device Mgmt Infrastructure
  • 8. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System8 THE ONLY REAL SOLUTION TO THE PROBLEM… Create an environment that simply won't allow the program to perform undeclared functions and prevent exploiting of vulnerabilities. MAIN PRINCIPLES OF SECUREOS Secure by design system MILS with reference monitor approach Microkernel based Meets specific requirements for embedded systems
  • 9. SPECIFIC REQUIREMENTS FOR AN EMBEDDED OPERATING SYSTEM SMALL SIZE AND MINIMUM RESOURCE USAGE Most of the embedded systems use limited hardware resources (RAM, ROM, CPU) OUT OF THE BOX SECURITY – OR AS CLOSE AS POSSIBLE Most embedded systems have somewhat unique security requirements. Simplicity in security settings reduces time to market and effort required to roll out Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System9 STABLE FUNCTIONALITY EVEN WHEN UNDER ATTACK One has to think about possible threats and threat vectors in advance – and maintain stability throughout COMPLIANCE WITH INDUSTRY STANDARDS A system has to be designed and programmed in accordance With industrial safety and security standards
  • 10. 10 KASPERSKYOS // OVERVIEW  Designed for embedded connected systems with specific requirements for cyber security  Based on the separation kernel which guarantees the control of all internal system communications  Behavior of every module is pre described via security policies  Separate business applications from security (easier to develop and support, decrease time to market, increase security and safety)  MILS architecture Domain separation/isolation Flexible internal communications control via Kaspersky Security System (KSS) Kaspersky Secure OS
  • 11. BENEFITS OF KASPERSKYOS INHERENT SECURITY KasperskyOS is an operating system that is secure by design and we intend to keep it that way by using the best practices of software development FLEXIBLE SECURITY CONFIGURATION Well-designed configuration tools make it easy to create declarative rule definitions and combinations of rules to control interactions in the system. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System11 VERSATILE MODULAR ARCHITECTURE Building the system based on loosely coupled modules helps to minimize the amount of trusted code and tailor each solution to the customer’s specific needs SEPARATION OF APPLICATION FEATURES FROM SECURITY FUNCTIONS The security architecture is designed to separate security functions from application business logic, making both configuring security policies and developing applications easier
  • 12. 12 BEYOND THE OS: EMBEDDED SECURITY FOR ALL… • Default Deny only installation mode • Low system requirements (256MB system memory) • Low traffic consumption (no regular AV updates) • No internet connection required • Executable files, DLLs, Drivers • Hash sum check, signatures check, destination check • Optional 2-layer check for whitelisted applications with Kaspersky Private Security Network …EVEN THOSE RUNNING LESS SECURE OPERATING SYSTEMS: • Windows XP Embedded • Windows 2009 Embedded • Windows XP Pro • Windows 7 Embedded POSReady • Windows 7 Embedded Standard • Windows Embedded 8.0 Standard • Windows 10 IoT Kaspersky Embedded Systems Security
  • 13. USE CASES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System13 Telecoms and Network Equipment IoT and Industrial IoT Connected Cars Endpoints POS Terminals Linux Systems security enhancement
  • 14. USE CASES – General Usage IoT Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System14 Isolation of every single module Minimization impact of vulnerabilities Protection of sensitive data (i.e. encryption keys, user’s data, secure storage) Secure boot  System Security by design - the only way to secure IoT devices! 1. Smart CCTV camera (does image processing on a device and send processed data to a server) 2. Smart hub (all sensors and end devices connected to it) EXAMPLE Connected to the Internet and Powerful enough (not MCU based) devices like: KASPERSKYOS
  • 15. USE CASES – IOT FOR CONNECTED CARS Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System15 Isolation of infotainment from safety critical system (advanced driver assistance systems, AUTOSAR) Minimise impact of vulnerabilities in every domain Protection of sensitive data (i.e. encryption keys, logs, telematics data) from unauthorised access Secure boot and protection against unauthorised modification of firmware and software (i.e. malware infection, unauthorised modifications)  System Security by Design  Can be used in Central gateway, Head unit or specific ECU/TCU KASPERSKY SECURE HYPERVISOR
  • 16. CONNECTED CAR MAIN INTERNAL VULNERABILITY POINTS Head UnitECUs Vehicle Buses
  • 17. POTENTIAL THREAT VECTORS Private Data Key StoreHeadUnit Browser Keypad ECU Man-in-the-Middle Attack Attack from Mobile Device Attack on Key / Certificate Stores Sniffing of User Data Attack from Downloaded Apps Malware Delivery Thru Data Storage Device Malicious Firmware Update Remote Attack on Vehicle Bus Compromised Actuator Exploiting Software Vulnerabilities Operating System Attack on OBD2
  • 18. CONNECTED CAR SECURITY LAYERS & KL SECURITY Car Gateway Threat vectors KL Technologies •Man in-The-Middle-Attack •Attack From Downloaded Apps Server Security, Solutions for Data Centers, DDoS Protection, Security Intelligence Services (SIS) •Sniffing of User Data •Attack From Downloaded Apps •Exploiting Software Vulnerabilities Security and Vulnerability Mgmt (SVM), IDS & IPS, Security Intelligence Services (SIS), Mobile SDK •Attack from Apps in Mobile Device •Exploiting SW Vulnerabilities •Malicious Firmware Update •Malware Delivery Thru Data Storage Devices IDS & IPS, Security and Vulnerability Mgmt, Anti-Malware, Security Intelligence Services (SIS), Kaspersky Secure Hypervisor, Kaspersky Security System (KSS), KasperskyOS •Compromised Engine Actuator •Attack on Vehicle Bus Security Intelligence Services, Kaspersky Embedded Systems Security •Attack on Key •Malicious Firmware Update •Attack on Vehicle Bus Flexible Security Policy Control Framework (KSS), Encryption, Security Hypervisor, Security Intelligence Services, KasperskyOS Car Network ECU Car Cloud Services Network Access
  • 19. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System19 END-TO-END IOT SECURITY – POWERED BY KASPERSKY IoT and Industrial IoT – Powered By Kaspersky Kaspersky Embedded Systems Security Kaspersky Secure Operating System Kaspersky Industrial CyberSecurity DDoS Protection Security Intelligence Services
  • 20. 20 Questions? L. Duke Golden Strategic Accounts Manager, DACH duke.golden@kaspersky.com +49 (0)151 544 39 309 www.kaspersky.com