
Page 1: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex

IIW | 06 May 2014

Secure Identity Consulting

© Copyright Secure Identity Consulting 2014

Jeff Stollman

Secure Identity Consulting

Unexpected and Complex Implications of the Internet of Everything (IoE)


Secure Identity Consulting

© Copyright Secure Identity Consulting 2014 | European Identity and Cloud Conference | 15 May 2014

Agenda

Defining Terms

Promise and Implications

Issues Prompted by IoT

Legal Perspective

Q&A


DEFINING TERMS


What is it?

Internet of Things

Internet of Everything

Figure (device labels recovered from the slide graphic): Sensor Networks, Smart Appliances, Servers, Netbooks, Smart Phones, Industrial Controllers, SCADA, Databases


Definition

The Internet of Everything is:

ANY device that is connected to a network.


Constituent Devices

1. SENSOR

2. PROCESSOR

3. ACTUATOR

4. Combinations of the above


IoE is a superset

Figure (labels recovered from the slide graphic): Traditional IT, SCADA devices, New Smart devices, all contained within IoE


PROMISE AND IMPLICATIONS

Use Cases


The Promise


Use Case: Home Appliances – Security and Privacy

Who is ordering your perishables?


Use Case: Irrigation & Flood Control - Security

Who is ensuring data integrity?


Use Case: Farming – Information Ownership

Who owns the data you collect?


Use Case: Automotive Management – Privacy and Liability

Who is controlling your vehicle?


Use Case: Electric Vehicle Recharging Systems – Security and Liability

Who is paying for power from your outlet?


Use Case: Smart Packaging – Privacy and Liability

Who can learn what drugs you are taking?


Use Case: Physical Security – Privacy

Does privacy exist anymore?


Use Case: Electrical Grid – Security and Liability

Who is managing your power?


ISSUES PROMPTED BY IOT


IoT prompts several areas of concern

Security - Security issues of IoT are not new, but new solutions will be required.

Privacy - Privacy issues of IoT are not new, but new solutions will be required.

Ownership - Device ownership enters a new gray area.

- Data ownership represents a brave new world of possibility.

Liability - Liability, as well, opens up a Pandora's box of complex issues.


Security Questions

1. As traditional enterprise perimeters disintegrate into a web of devices, how do we secure devices:

   1. From an adversary manipulating sensor input data?

      1. E.g., holding a lighter below an outdoor temperature sensor that triggers an emergency response

      2. While this could happen today, I submit that the additional layer of abstraction provided by the IoT may prompt less scrutiny of physical security and increase the vulnerability of such systems.

   2. From an adversary manipulating output from a sensor or input to a processor?

      1. E.g., dividing the output from sensors on a harvester in half to create the impression of a bad crop, causing commodity prices to rise

      2. compromising the video feed from a surveillance camera during a burglary

      3. or the altimeter in an airplane to cause it to crash

   3. From an adversary compromising the instruction code in the processor?

      1. E.g., changing the rule that prompts an alarm to take no action instead

   4. From an adversary compromising the instruction feed from the processor or the input feed to the actuator?

      1. E.g., changing ON to OFF or a LOW setting to HIGH


Security Questions cont’d.

2. Who is responsible for controlling access to the data?

   1. At rest -- on the device

   2. In transit -- between devices

3. Who is responsible for allowing a "man-in-the-middle" attack when there is no perimeter?
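The manipulation points listed on the two Security Questions slides (sensor input, the sensor-to-processor link, the processor-to-actuator link, and a man-in-the-middle on a network with no perimeter), worked through as an added example that is not part of this deck: a minimal sensor/processor/actuator pipeline in which every hop carries an HMAC, the processor rejects tampered and replayed messages, and an authentic but physically implausible reading (the lighter held under the temperature sensor) is held for corroboration instead of driving the actuator. The key, the thresholds and the traffic are constructed for the demo; a real deployment would provision a separate key per link.

```python
import hashlib
import hmac
import json
# Constructed demo key shared by all hops; a real deployment provisions one key per link.
KEY = b"constructed-demo-key-01"
ALARM_THRESHOLD = 60.0   # actuator fires above this temperature (constructed value)
MAX_DELTA = 5.0          # largest physically plausible change between consecutive readings

def sign(key, payload):
    """Attach an HMAC so any change on the wire (a halved value, ON flipped to OFF) is detectable."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, msg):
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))

def process(key, msgs, max_delta=MAX_DELTA, threshold=ALARM_THRESHOLD):
    """Processor side. Returns (one decision label per message, signed actuator commands emitted)."""
    decisions, commands = [], []
    last_seq, last_value = -1, None
    for msg in msgs:
        p = msg["payload"]
        if not verify(key, msg):                   # tampered on the sensor -> processor link
            label = "rejected:bad_mac"
        elif p["seq"] <= last_seq:                 # replayed or reordered by a man-in-the-middle
            label = "rejected:replay"
        elif last_value is not None and abs(p["temp_c"] - last_value) > max_delta:
            # Authentic but implausible (a lighter under the sensor): no MAC catches this, so hold it.
            label, last_seq = "held:implausible", p["seq"]
        else:
            label, last_seq, last_value = "accepted", p["seq"], p["temp_c"]
            action = "ALARM_ON" if p["temp_c"] > threshold else "ALARM_OFF"
            commands.append(sign(key, {"seq": p["seq"], "action": action}))
        decisions.append(label)
    return decisions, commands

def actuate(key, cmd):
    """Actuator side: obey only commands whose MAC verifies."""
    return cmd["payload"]["action"] if verify(key, cmd) else "IGNORED"

def demo():
    # Constructed traffic: three genuine readings, a halved copy, a replay, then a heat spike.
    genuine = [sign(KEY, {"seq": i, "temp_c": t}) for i, t in enumerate([20.0, 20.5, 21.0, 80.0])]
    halved = {"payload": dict(genuine[2]["payload"], temp_c=10.5), "mac": genuine[2]["mac"]}
    decisions, commands = process(KEY, genuine[:3] + [halved, genuine[1], genuine[3]])
    flipped = {"payload": dict(commands[0]["payload"], action="ALARM_ON"), "mac": commands[0]["mac"]}
    return decisions, [actuate(KEY, c) for c in commands], actuate(KEY, flipped)
```

The plausibility check is the only line of defence against the physical-layer case: the MAC proves the sensor sent the reading, not that the reading reflects reality, which is why the held reading should be corroborated by a second sensor or a human rather than silently dropped.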


Practical Questions

1. Will all devices need enough intelligence to manage their own access control?

   1. Will all devices need to be servers to do so?

2. If devices have enough intelligence (i.e., processing power and storage) to manage access control, will they also have enough processing power and storage to be victims of malware and/or hacking?

3. Once enough devices are deployed to be of interest to adversaries (e.g., malware and hack publishers), will the burden of managing access to devices outweigh the benefits to be gained from them?