The Internet of Things (IoT) is getting a lot of hype, some of it valid. The underlying issue for organizations is how do we prepare, from a security standpoint, for "Things" that we can't anticipate coming onto our networks. This presentation covers some of the ways that we can "prepare for the unpreparable".
2. There are now more devices attached to the internet as machine to
machine connections than there are devices attached that support human
interface and interaction.
Sensors, devices, wearables, SCADA, PLC machines, and many, many more.
3. What is IoT?
A network of Physical Objects that can
interact with each other to share information
and take Action.
The term was first proposed by
Kevin Ashton in 1999.
The concept of IoT first became
popular at the Auto-ID center, MIT.
IoT is also referred to as
Machine to Machine (M2M)
technology.
5. Perspective
Cisco appears to view IoT as an opportunity to expand networks to
connect all of the emerging devices.
Google is focused on creating devices that will become members of the
community of IoT (Nest). They are actively engaged in guiding
companies to make both existing products and new products members
of that community.
10. Simple View of the Internet of Things
Categories: Information Technology, Personal Technology, Operational Technology
Examples shown: PCs, Servers, Virtualization, Routers, Switches, Tablets, Smartphones, Mi-Fi, Home energy, Wearables, Medical implants, Home entertainment, Home control, ICS/SCADA, Medical Machines, Kiosks, Manufacturing, Cloud Service Infra., Environ. monitoring
11. The Operational Technology Specialization
• Manufacturing
• Connected Safety and Security
• Energy and Utilities
• Travel and Transport
• Retail
• Stadiums, arenas, entertainment and conference centers
12. Presenters will tell you that there are fifteen times more potential
network connections on the manufacturing plant floor than in the
existing office/carpeted space.
Are you ready for a fifteen fold increase in devices to be secured and
managed? And these are completely different types of devices arriving
from the Operational Technology domain?
13. It's already here
However:
• M2M is highly fragmented & dedicated to a single purpose (e.g.
fleet management, meter reading, vending machines).
• Multitude of technical solutions & disjointed standards activities
result in slow development of global M2M market.
• Standardisation is key enabler to remove technical barriers &
ensure interoperable M2M services & networks
• M2M / IoT has huge potential but currently comprises a
heterogeneous collection of established & emerging (often
competing) technologies & standards (although moves are
afoot here). This is because the concept applies to & has grown
from, a wide range of market sectors.
17. Thin, Drunk & Stupid Is No Way to Go Through Life, Son!
18. There’s hope… What can I do?!?
• Start thinking about new protocols (CoAP & MQTT)
• Minimize the threat surface (Start building VLANs-of-One)
• Build Watson-like intelligence into your SIEM
• Start thinking like…
• It’s not on our network
• It’s not in our building
• We don’t even know that it exists
• But, it’s in our organization
Editor's Notes
Things to ponder & worry about:
The dumber the connected device, the more basic the security attributes of the device are likely to be. So how will the billions of such devices be security-monitored and updated to maintain security in the face of emerging threats?
What are the implications for protecting critical infrastructure and cyber-warfare/espionage? Could hackers shut off all our water, drain our bank accounts, melt our ice cream and turn all the traffic lights to red?
Flooding the market with low-cost, mass-market devices usually means buying them from economies like China or Vietnam. With the Huawei debate escalating, how can we be certain of no hidden trapdoors inside these widgets?
IoT data transfer patterns differ fundamentally from those in the classic 'human-to-human'.
M2M communications will feature orders of magnitude more nodes than H2H, most of which will create low-bandwidth, upload-biased traffic.
Many M2M applications will need to deliver and process information in real time, or near-real-time, and many nodes will have to be extremely low-power or self-powered (eg. solar powered) devices.
Will require billions of new IP addresses we simply don’t have. IPv6 required but it will have to be lightweight (likely with trimmed-down security attributes)
The security implications are obvious: hackers might be able to do anything from running up people's electricity bills to shutting down an oil pipeline.
Preview of this with the Stuxnet SCADA story and M2M/IoT will take us infinitely deeper into that territory…
Denial of service (DoS) will have new consequences.
Many field-based devices will be powered from batteries. Hit them with long bursts of spurious requests and you’ll kill their power.
Encrypting information tends to be a processor-intensive task
Meaning devices need to be selective as to what to encrypt, as opposed to the web's trend toward full end-to-end encryption.
Unless nanotechnology and battery manufacturing improve as per Moore's Law, it's going to be a huge issue.
You don't want to have devices with any kind of identification left lying around
Need effective disposal or self-disposal processes built into protocols. Once decommissioned, they'll need to self-destruct remotely, 'Mission Impossible'-style.
Slow transition from IPv4 networks to IPv6 could harm M2M uptake.
With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6
Things: Physical entities whose identity and surroundings are capable of being relayed to connected IT. Almost anything to which you can attach a sensor (a cow in a field, a container on a cargo vessel, the air-conditioning unit in your office, a lamppost in the street) can become a node in the Internet of Things.
Sensors: gather data e.g. location, altitude, velocity, temperature, illumination, motion, power, humidity, blood sugar, air quality, soil moisture - you name it.
Not ‘computers’! But have processor, memory, storage, inputs and outputs, OS, app s/w
Increasingly cheap, plentiful, can communicate directly with internet or with internet-connected devices
Comms: IoT sensors require relaying data to the outside world - short-range/LAN/PAN, incl RFID, NFC, Wi-Fi, Bluetooth, M-Bus + wired
IoT will require massive, scalable, storage & processing capacity
Will almost invariably reside in the cloud, except for specific localised or security-sensitive cases.
Service providers will need access here to curate the data & tweak analytics, but also for LoB processes such as customer relations, billing, technical support
User-facing services:
Subsets of data & analyses from the IoT available to users or subscribers, presented (hopefully) via easily accessible navigable interfaces on full spectrum of secure client devices
So what’s different?
Longevity - Updates are harder (or impossible)
Size - Capabilities are limited – especially around crypto
Only a device - Usually no UI for id or authenticator
Data - Highly personal
Mindset -
Appliance manufacturers don’t think like security experts
Embedded systems are cobbled together by grabbing existing chips, designs, etc
CoAP - Constrained Application Protocol
http://tools.ietf.org/html/draft-ietf-core-coap-18
REST-like model built on UDP
Californium project coming soon to Eclipse IoT
No authentication or authorization
Relies on DTLS or data in the body
MQTT - Very lightweight messaging protocol
Designed for 8-bit controllers, SCADA, etc
Low power, low bandwidth
Binary header of 2 bytes
Lots of implementations
Mosquitto, Paho, RSMB and Moquette from Eclipse
Clients:
Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc
Plus an even lighter-weight version for Zigbee
MQTT-SN (Sensor Network)
Relies on TLS for confidentiality
Username/Password field
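As an added example (not part of the original slides), the Python sketch below parses an MQTT CONNECT packet and reports the two conditions the notes above point at: a client that supplies no username, and a username/password sent on a connection without TLS. The function names, finding strings and sample packet are constructed for illustration; the field layout assumed is MQTT 3.1.1.

```python
import struct

def remaining_length(buf):
    # Fixed header = 1 type/flags byte + 1-4 length bytes (7 bits each): 2 bytes minimum.
    value = 0
    for i in range(4):
        if 1 + i >= len(buf):
            raise ValueError("truncated fixed header")
        value |= (buf[1 + i] & 0x7F) << (7 * i)
        if not buf[1 + i] & 0x80:
            return value, 2 + i
    raise ValueError("remaining length exceeds 4 bytes")

def read_field(buf, pos):
    # Every CONNECT string is prefixed with a 2-byte big-endian length.
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("field runs past end of packet")
    return buf[pos + 2:end], end

def audit_connect(packet, over_tls):
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, start = remaining_length(packet)
    body = packet[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    proto, p = read_field(body, 0)
    if p + 4 > len(body):
        raise ValueError("truncated variable header")
    flags = body[p + 1]                     # connect flags follow the protocol level
    client_id, p = read_field(body, p + 4)  # skip level, flags, 2-byte keep-alive
    if flags & 0x04:                        # will flag set: skip will topic and message
        _, p = read_field(body, p)
        _, p = read_field(body, p)
    user = read_field(body, p)[0].decode(errors="replace") if flags & 0x80 else None
    findings = []
    if user is None:
        findings.append("anonymous connect")
    elif not over_tls:
        findings.append("credentials in cleartext")  # password itself is never echoed
    return {"protocol": proto.decode(errors="replace"), "username": user,
            "client_id": client_id.decode(errors="replace"),
            "has_password": bool(flags & 0x40), "findings": findings}

# Constructed sample: CONNECT from client "sensor-01" with username "meter" and a password.
SAMPLE = (b"\x10\x24" b"\x00\x04MQTT" b"\x04\xc2\x00\x3c"
          b"\x00\x09" b"sensor-01" b"\x00\x05" b"meter" b"\x00\x06" b"s3cret")
```

Calling `audit_connect(SAMPLE, over_tls=False)` flags the cleartext credentials; the same packet with `over_tls=True` produces no findings.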
Today, we're exposed because of social media, which can lead to intelligent spear phishing attacks.