Did you know that today, there are over 30 billion connected IoT devices? And that in 2020, that number will double? Do you know how these devices connect to the internet? To each other? To their manufacturer? How many IoT devices are used within your company? If you’re a security professional you’ll need to be able to answer these questions and more. In this session, Jackson Shaw (Dell) will discuss the convergence (collision?) of IoT with IT and OT, what it means to him as a consumer and what it means to us as identity and IT security professionals.
Keynote presentation at European Identity Conference 2015, Munich, Germany.
https://www.id-conf.com/eic2015
The Convergence of IT, Operational Technology and the Internet of Things (IoT)
1. The Convergence of IT, Operational Technology and the Internet of Things: How to find a Balance of Risk and Value
Jackson Shaw – Jackson_Shaw@Dell.com
Sr. Director, IAM Product Management
2. This has been exciting research
• I’m an identity guy – not a hardware guy (thank you, Dr. McCoy)
• IoT is the buzzword of the year – everything is IoT and IoT is everywhere
• Very, very difficult to find good (any?) examples of enterprise IoT other than HVAC
• Finding a definition of IoT is like finding a definition of IAM/IAG/IdM ten years ago
• So, what has the good doctor found out?
3. The Internet of Things
“A network of everyday objects that have sensors, controls, and network connectivity, allowing them to send and receive data. These devices could include consumer devices (personal biomedical, smartphones); durable goods (televisions, refrigerators, personal cars); commercial buildings (HVAC and lighting) and vehicles; government buildings, vehicles, and infrastructure (streets, bridges); and utility networks (electrical, water, internet).”
Any “thing” that does not require a person to regularly interoperate with it, that is generating data and uses your network. It’s basically an autonomous, internet-connected device.
4. The IoT is very anti-social
• IoT devices don’t easily talk to each other
• Download a mobile app
• Create an account on the manufacturer’s server
• Connect your IoT device to your account
• How you connect your device could be Bluetooth, Wi-Fi, Zigbee, SCADA, Z-Wave or even non-IP based
• Every device manufacturer is solving these problems differently ≠ interoperability
“Using OAuth for Access Control on the Internet of Things”, Phillip Windley, PhD; Brigham Young University
To be published in IEEE Consumer Electronics Magazine
5. I saw the “future” at CES…
Image captions: autonomous conference robots; safety & security; environmental
6. Lots of IoT & IoT data sources…
Demystifying the Internet of Things: Implementing IoT Solutions. An Enterprise Management Associates (EMA) White Paper prepared for Dell Software, April 2015.
http://en.community.dell.com/techcenter/information-management/b/weblog/archive/2015/04/10/demystifying-the-internet-of-things
7. Lots of potential
• Real-time data = Real-time decisions
• Temperature, humidity, light, air quality, electrical
• Proximity, geo-location & motion
• Health
• Data analytics, especially cloud-based analytics, will be forefront to deal with the huge amounts of IoT data
8. How pervasive is IoT?
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world
12. Does this worry you? It worries me!
I don’t think firewalls are smart enough for today and tomorrow’s IoT threat environments.
In/Outbound IP Traffic Analysis
13. Two recent IoT “incidents”…
Google Nest
• Wireless passwords stored on device are unencrypted
• The Mini USB port gave the necessary root access to the NEST operating system
• “Once the entry point with the NEST device was in place, we were then able to compromise just about everything within that network.”
Wink Hub
• Complete outage when a 1-yr SSL certificate expired
• Technical workaround but most customers will return their h/w for replacement
• Incalculable financial and reputation cost despite good security practice
http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-InternetOfThings.pdf
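The Wink Hub outage above is a certificate-lifecycle failure: nothing was compromised, the fleet simply went dark when a 1-year certificate ran out. As an added example (not from the presentation or from Wink), this Go program uses only the standard crypto/x509 package to compute how many whole days of validity a device certificate has left and to flag it for renewal before that happens; the RenewalWarnDays threshold, the constructed issue date and the self-signed test certificate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math"
	"math/big"
	"time"
)
// RenewalWarnDays is an assumed operational threshold: flag any certificate
// with fewer whole days of validity left than this so it is rotated in time.
const RenewalWarnDays = 30
type CertStatus struct {
	DaysLeft int  // whole days until NotAfter; negative once expired
	Expired  bool // reference time lies outside [NotBefore, NotAfter]
	Renew    bool // rotate now: expired, not yet valid, or inside the warn window
}
// CheckCert evaluates a parsed certificate against a reference time.
func CheckCert(cert *x509.Certificate, now time.Time) CertStatus {
	days := int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
	expired := now.After(cert.NotAfter) || now.Before(cert.NotBefore)
	return CertStatus{DaysLeft: days, Expired: expired, Renew: expired || days < RenewalWarnDays}
}

// MakeTestCert builds a constructed self-signed ECDSA certificate so the check
// runs offline; a real monitor would parse the chain the device actually serves.
func MakeTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2014, 4, 1, 0, 0, 0, 0, time.UTC)     // constructed issue date
	cert, err := MakeTestCert(issued, issued.AddDate(1, 0, 0)) // 1-year validity, as on the Wink Hub
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", CheckCert(cert, issued.AddDate(1, 0, -15)))
}
```

Run the check from a scheduled job against every device-facing endpoint; a Renew flag with DaysLeft still positive is the window in which a rollout can happen before customers see an outage.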
14. What can you do?
JUST SAY NO!!
• Really? Are you going to say “No!” to an employee’s diabetes monitor?
http://www.popsci.com/temporary-tattoos-could-monitor-diabetes-less-invasively
15. What can you do?
Call Ghostbusters!
• Detect and eradicate?
16. “Standards like OAuth 2.0 &
OpenID Connect 1.0 will enable identity
interoperability for the IoT.”
https://www.linkedin.com/pulse/your-identity-concerns-internet-things-ces-2015-paul-madsen
…extras like a TCP/IP layer got removed from industrial protocols like BACnet and GOOSE. And features like robust authentication were left out of nearly all the industrial protocols. After all, who would ever want to hack a control system?
Offspark’s PolarSSL technology has been deployed in a variety of devices including sensor modules, communication modules and smartphones. The acquisition will help companies build IoT products with heightened security. PolarSSL IP will form the core of ARM’s mbed communication security and software cryptography strategy...
BACnet currently requires a 56-bit Data Encryption Standard (DES) key encryption for session keys. It has been demonstrated that these keys can be broken in times on the order of 1 day.
17. At least there are standards now – and coming – to help…
18. A practical use:
Controlling privileged accounts
Location as a factor in authentication
• Too far away, no PAM access
• Challenges found…
• Not tamper-proof
• Movable
• Openable
• Lacks non-repudiation
• OTP?
• Certificates?
• Result? Ruled out as a sol’n.
http://wwwhome.ewi.utwente.nl/~rijswijkrm/pub/ble-otp.pdf
19. Parting thoughts…
• Security is not priority #1 for most IoT vendors (Is it for most software vendors?)
• “Over the next two years the IoT devices and services markets will be chaotic”
• “New IoT-ready platforms will enable vendors to integrate the first wave of IoT devices and sensors and enable them to communicate with vendors’ customers’ infrastructures.” This is *YOU*
• Recommendations:
• Question: How is security handled in the IoT device? Who has reviewed it? Has it been pen-tested?
• Detect: You cannot remediate unless you detect – before and after
• Contain: Segment your corporate IT devices from everything IoT related
• Anticipate: Everything IoT is in flux – you must stay on top of it
20. Please visit our booth for yours!
http://www.ibtimes.co.uk/stockholm-microchipped-office-workers-feel-very-modern-using-hand-implanted-chips-open-doors-1489739
http://www.popsci.com/swedish-company-puts-rfid-chips-employees
21. Questions? Copy of the slides? Have feedback? Please e-mail:
Jackson.Shaw@software.dell.com
Thank you for your time today!
23. Internet of things units installed base by category
Category            2013     2014     2015     2020
Automotive          96.0     189.6    372.3    3,511.1
Consumer            1,842.1  2,244.5  2,874.9  13,172.5
Generic Business    395.2    479.4    623.9    5,158.6
Vertical Business   698.7    836.5    1,009.4  3,164.4
Grand Total         3,032.0  3,750.0  4,880.6  25,006.6
The IoT will bring into the digital security architecture dozens of new platform options,
hundreds of variations on hybrid IT/IoT integration, new standards per industry,
and a new view of an application. IT leaders will have to accommodate the differences
in technologies across those areas and develop a multifaceted technology approach to IoT risk and security.
http://www.gartner.com/newsroom/id/2905717
Internet of Things Units Installed Base by Category – In millions of units
Source: Gartner (November 2014)
27. Robust and flexible data management capabilities & effective security are needed…
Demystifying the Internet of Things: Implementing IoT Solutions. An Enterprise Management Associates (EMA) White Paper prepared for Dell Software, April 2015.
http://en.community.dell.com/techcenter/information-management/b/weblog/archive/2015/04/10/demystifying-the-internet-of-things