iot security-arrow-roadshow #iotconfua

Intel® IoT

24 slides

Upload: andy-shutka

Posted on 14-Apr-2017

Category: Engineering

TRANSCRIPT

Page 1: IoT security-arrow-roadshow #iotconfua

Intel® IoT

Page 2

Speaker

Roman Rozumei (Розумей Роман), information security consulting engineer

ERC

Page 3

Page 4

What is an "Internet thing"?...

Page 5

Page 6

The Internet of Things is ...

[Infographic; the recoverable labels follow.]

Segments: Home, Mobile Network, Industrial Gateway, DC/Cloud

Past 10 years: cost of sensors 2x lower, cost of bandwidth 40x lower, cost of processing 60x lower

50B devices¹, 212B sensors²

Sources: 1. IDC; 2. IDC/EMC: The Digital Universe of Opportunities; 3. Goldman Sachs; 4. IMS Research

Page 7

What is at stake?...

Page 8

Page 9

Main cyber threats

• Denial of service - DDoS

• Malware

• Data leaks

• Unintentional leaks

• Weakening of the security perimeter

Page 10

Internet of Things

The number of attacks on IoT devices will grow with the explosive growth in the number of connected devices and the increasingly critical information stored on them.

Source: McAfee, based on research by BI Intelligence, IDC, and Intel. Source: HP

Today:

• 70% contain vulnerabilities.

• 80% require no password or use a password of insecure length and complexity.

• 90% store personal data.

• 70% have no protection against brute-force attacks.
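Editor's added example, not code from the slides or from Intel/McAfee: a device-side login routine that closes the two gaps the HP figures above describe (no or weak passwords, and no brute-force protection). It refuses short, low-entropy or well-known default passwords at enrolment, stores a salted PBKDF2 hash, spends the same hashing cost on unknown usernames, and applies an exponential lockout after repeated failures. The thresholds, the default-password list and the `DeviceAuth` class are illustrative assumptions; the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# Assumed policy values (illustrative, not from the slides).
MIN_LENGTH = 12
MAX_FAILURES = 5
BASE_LOCK_SECONDS = 30
PBKDF2_ROUNDS = 100_000
# Constructed list of well-known defaults; a real list is much longer.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "12345678", "admin1234"}


class PolicyError(ValueError):
    """Raised when a new password violates the device policy."""


def check_password_policy(pw: str) -> None:
    if len(pw) < MIN_LENGTH:
        raise PolicyError("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    if sum(classes) < 3:
        raise PolicyError("needs at least 3 of: lower, upper, digit, symbol")
    if pw.lower() in DEFAULT_PASSWORDS:
        raise PolicyError("well-known default password")


def hash_password(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked credential store cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock                                   # injectable for tests
        self._users: Dict[str, Tuple[bytes, bytes]] = {}      # name -> (salt, hash)
        self._failures: Dict[str, Tuple[int, float]] = {}     # name -> (count, locked_until)

    def add_user(self, name: str, pw: str) -> None:
        check_password_policy(pw)
        salt = os.urandom(16)
        self._users[name] = (salt, hash_password(pw, salt))

    def login(self, name: str, pw: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(name, (0, 0.0))
        if now < locked_until:
            return "locked"            # do not even evaluate the password
        salt, stored = self._users.get(name, (b"\x00" * 16, b""))
        candidate = hash_password(pw, salt)   # same cost for unknown users
        if name in self._users and hmac.compare_digest(candidate, stored):
            self._failures.pop(name, None)
            return "ok"
        count += 1
        lock_until = 0.0
        if count >= MAX_FAILURES:
            # 30 s, 60 s, 120 s, ... after the fifth, sixth, seventh failure
            lock_until = now + BASE_LOCK_SECONDS * 2 ** (count - MAX_FAILURES)
        self._failures[name] = (count, lock_until)
        return "denied"
```

The lockout is per account; a fleet-wide attacker who sprays one password across many devices is only slowed by the PBKDF2 cost and by the refusal of default passwords at enrolment, which is why both controls are needed together.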

Page 11

How to fight back?...

Page 12

IoT: key security aspects

• Device integrity

• Device identity

• Protection of data channels to the DC/cloud

• Protection of data channels to the device

• DC/cloud security

• Security of auxiliary nodes

Page 13

What to fight with?...

Page 14

Intel® IoT Platform: Logical Definition

[Architecture diagram; the recoverable labels follow.]

Things (MCU + I/O, sensors and actuators), connectivity options:

• WiFi + LP WiFi

• Bluetooth® Technology + BTLE

• 3G/4G/LTE (GPRS)

• ZigBee*, Z-Wave*

• 6LoWPAN*

• WiHART*

• Ethernet

• RFID

Gateway: I/O, Data Ingestion & Processing, Device Attestation, Protocol Mapper & Adapter (PMA, formerly UPAL)

Data center / cloud: Data Transport Broker, Query, Storage, Compute, Persistence & Concurrency, Device Attestation, Analytics; Asset Info, Policies & Metadata; Security, Configuration & Management; Data Center Management & Security (Monitoring, Auto-scaling, Logging, Eventing); Business Logic & Rules; Services Orchestration; Vertical IoT Apps; APIs, API Libraries, SDK; Business Portal; IT/Business Systems; Network Infrastructure; 3rd Party Systems

Data Flow: MQTT, HTTPS, WebSockets, XMPP, CoAP, REST, AMQP, DDS, et al.

Security & Mgmt Flow: MQTT, EPID, OMA-DM, TR-069, REST, et al.

Security on all Devices, Data, & Comms from Things to Cloud (Identity Protection, Integrity, Confidentiality, Trusted Execution, Attestation)

*Other names and brands may be claimed as the property of others.

Layers: Sensors, Gateways, Networks, On-Premise or Off-Premise Data Center or Cloud

Security capabilities across the layers: Identity, Integrity, Data Protection, Intrusion Prevention, Intrusion Detection, Managed Networks, Database Security, Services Management, Security Information and Event Monitoring System, Threat Intelligence, Public Cloud Security, Private Cloud Security, Intel Management Platform

Page 15

Page 16

Intel® Security - IoT Portfolio

Intel® Security Critical Infrastructure Protection: provides comprehensive protection of critical infrastructure from physical and cyberattacks

Areas: Private / Public Cloud Security; Event Management and Threat Intelligence; Device Level Security; Network Security

• McAfee Security Information and Event Monitoring System (SIEM): central security intelligence system for the IoT's heterogeneous architecture

• McAfee Threat Intelligence Exchange (TIE) & Data Exchange Layer (DXL): tailors comprehensive threat intelligence from multiple intelligence data sources

• McAfee ePolicy Orchestrator (McAfee ePO): central management console whose agent connects devices with the McAfee security infrastructure for monitoring and managing security of the IoT

• McAfee Network Security Platform: helps detect and block attacks by enforcing security policies at the application, port and protocol levels; provides intrusion detection / prevention capabilities

• McAfee Embedded / Integrity Control (whitelisting technology): helps block unauthorized applications and changes in IoT devices

• Intel Silicon Hardened Foundation: security capabilities that include Secure Boot, HW Root of Trust and EPID

Page 17

Page 18

Intel Security Whitelisting Technology: device integrity and verified updates

• Standalone, or centrally managed with McAfee ePolicy Orchestrator.

• Part of Intel IoT Gateway.

• Integrates with McAfee Threat Intelligence Exchange (TIE) and the Security Information and Event Monitoring Solution (SIEM).

[Diagram: a binary tries to execute on the system; it is not on the whitelist, so it is stopped: "Unknown Binary is Unauthorized".]
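Editor's added example of the rule the diagram shows, not McAfee Embedded Control code: a minimal hash-based application allowlist. Every binary is identified by its SHA-256; anything not enrolled, including a previously trusted binary that has been modified, is refused. The file names, contents and the `Allowlist` class are constructed for the example.

```python
import hashlib
import os
import subprocess
import tempfile
from typing import Dict, Optional, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self) -> None:
        self._allowed: Dict[str, str] = {}   # sha256 hex -> label

    def add(self, path: str, label: Optional[str] = None) -> str:
        """Enrols the binary at its current content; returns the digest."""
        digest = sha256_file(path)
        self._allowed[digest] = label or os.path.basename(path)
        return digest

    def check(self, path: str) -> Tuple[bool, str]:
        if not os.path.isfile(path):
            return False, "no such file"
        digest = sha256_file(path)
        label = self._allowed.get(digest)
        if label is None:
            return False, "unknown binary (sha256 %s...) is unauthorized" % digest[:16]
        return True, "authorized as %s" % label

    def run(self, path: str, *args: str) -> Optional[subprocess.CompletedProcess]:
        # Verify-then-execute gate. There is a TOCTOU window between check
        # and exec here; a production enforcer hooks execution in the kernel.
        ok, _ = self.check(path)
        if not ok:
            return None
        return subprocess.run([path, *args], capture_output=True, check=False)


def demo() -> Dict[str, bool]:
    """Builds constructed binaries in a temp dir and exercises the allowlist."""
    d = tempfile.mkdtemp(prefix="allowlist-")
    agent = os.path.join(d, "sensor-agent.sh")
    with open(agent, "w") as f:
        f.write("#!/bin/sh\necho sensor agent running\n")
    os.chmod(agent, 0o755)

    wl = Allowlist()
    wl.add(agent, "sensor-agent 1.0")
    results = {"known": wl.check(agent)[0]}

    # A post-enrolment modification changes the hash, so the agent is blocked.
    with open(agent, "a") as f:
        f.write("echo extra payload\n")
    results["tampered"] = wl.check(agent)[0]

    # A binary that was never enrolled.
    dropper = os.path.join(d, "dropper")
    with open(dropper, "wb") as f:
        f.write(b"\x7fELF constructed placeholder")
    results["rogue"] = wl.check(dropper)[0]
    results["rogue_run_blocked"] = wl.run(dropper) is None
    return results
```

The "verified updates" half of the slide title is the enrolment step: an update is accepted by adding its new hash to the list (in practice from a signed manifest), so a modified agent is not silently re-trusted.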

Page 19

Intel® IoT Gateway

Performance at the edge | Advanced Security | Scalability | Manageability | Fast, Flexible deployment

Page 20

Intel® IoT Gateway: Sensor/Device Integrity & Security

[Stack diagram: Intel® Quark™ / Intel® Atom™ / Intel® Core™ SoCs; Secure Boot (UEFI); Linux* Operating System or Microsoft Windows® OS; McAfee Embedded Control, Management Agents, Signed Updates; IoT Security and Device Management: McAfee ePolicy Orchestrator* (ePO) and/or Wind River* Helix Device Cloud]

Good

1. UEFI Secure Boot

2. OS built-in capabilities

Better

1. UEFI Secure Boot measured through TPM (Measured Boot)

2. McAfee Embedded Control

3. Remotely manageable via Intel AMT

Best

1. UEFI Secure Boot and Device Attestation through TPM (Measured Boot, Attested)

2. McAfee Embedded Control

3. Management Agents to manage the device and its security posture

4. Centrally managed and monitored
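Editor's added example for the "device integrity" and "device identity" aspects of Page 12 and the Measured Boot / Attested tiers above. It is not Intel's or any TPM vendor's code: it simulates the PCR-extend chain (TPM2_PCR_Extend semantics, new PCR = SHA-256(old PCR || SHA-256(component))) and a verifier that checks a nonced quote against a golden value recorded at provisioning. The quote "signature" is an HMAC under a per-device key, a stand-in for the TPM's asymmetric attestation-key signature; the boot-component strings and key are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PCR_INITIAL = b"\x00" * 32   # SHA-256 PCR banks start at all zeros


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Extend operation: the PCR can only be moved forward, never reset."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    pcr = PCR_INITIAL
    for c in components:
        pcr = pcr_extend(pcr, c)   # order matters: a swapped stage changes the PCR
    return pcr


def make_quote(pcr: bytes, nonce: bytes, device_key: bytes) -> Dict[str, str]:
    # Stand-in for TPM2_Quote: binds the PCR value to the verifier's nonce.
    sig = hmac.new(device_key, pcr + nonce, "sha256").hexdigest()
    return {"pcr": pcr.hex(), "nonce": nonce.hex(), "sig": sig}


def verify_quote(quote: Dict[str, str], nonce: bytes, device_key: bytes,
                 golden_pcr: bytes) -> Tuple[bool, str]:
    if bytes.fromhex(quote["nonce"]) != nonce:
        return False, "nonce mismatch: stale or replayed quote"
    pcr = bytes.fromhex(quote["pcr"])
    expected = hmac.new(device_key, pcr + nonce, "sha256").hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "signature invalid: unknown device or forged quote"
    if pcr != golden_pcr:
        return False, "PCR mismatch: boot chain differs from golden image"
    return True, "boot chain attested"


def demo() -> Dict[str, bool]:
    device_key = b"constructed-per-device-attestation-key"
    boot_chain = [b"UEFI firmware 1.4", b"signed bootloader",
                  b"kernel 4.4 + initrd", b"McAfee Embedded Control policy"]
    golden = measure_boot_chain(boot_chain)   # recorded at provisioning

    nonce = os.urandom(16)                    # fresh per attestation request
    honest = make_quote(measure_boot_chain(boot_chain), nonce, device_key)

    modified = list(boot_chain)
    modified[2] = b"kernel 4.4 + initrd (patched)"   # one changed stage
    tampered = make_quote(measure_boot_chain(modified), nonce, device_key)

    return {
        "honest": verify_quote(honest, nonce, device_key, golden)[0],
        "tampered": verify_quote(tampered, nonce, device_key, golden)[0],
        "replayed": verify_quote(honest, os.urandom(16), device_key, golden)[0],
        "wrong_device": verify_quote(honest, nonce, b"other-device-key", golden)[0],
    }
```

This is the difference between the tiers: UEFI Secure Boot alone stops an unsigned stage from running, Measured Boot records what actually ran, and attestation lets the management platform check that record against a golden value before trusting the gateway.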

Page 21

Intel® IoT Gateway: Data Protection & Security, Secure Connections

[Stack diagram: Intel® Quark™ / Intel® Atom™ / Intel® Core™ SoCs with Intel® Advanced Encryption Standard - New Instructions (Intel® AES-NI); Secure Boot (UEFI); Linux* Operating System or Microsoft Windows® OS; McAfee Drive Encryption, Management Agents, McAfee MNE; IoT Security and Device Management: McAfee ePolicy Orchestrator* (ePO) and/or Wind River* Helix Device Cloud]

Good

1. OS built-in capabilities like dm-crypt or BitLocker

2. SSL/TLS connections to services and other devices

Better

1. McAfee Drive Encryption or McAfee native-encryption management agents (MNE)

2. Utilization of Intel AES-NI for encryption

3. Use of certified and/or hardened SSL/TLS libraries to establish secure connections

Best

1. McAfee Drive Encryption or McAfee native-encryption management agents (MNE)

2. Utilization of Intel AES-NI for encryption

3. Use of certified and/or hardened SSL/TLS libraries to establish secure connections

4. Centralized management of data protection software and key management
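Editor's added example for the secure-connections items above, not from the slides: the "Good" tier done badly (an encrypted but unauthenticated connection) next to a hardened TLS client configuration, using Python's ssl module as the stand-in for a hardened TLS library, plus an audit function that reports the weak settings and a check for the AES-NI flag the "Better" tier relies on. The CA-bundle and client-credential paths are illustrative parameters, and the /proc/cpuinfo excerpts are constructed.

```python
import ssl
from typing import List, Optional


def weak_context() -> ssl.SSLContext:
    """What 'SSL connection' too often means on a device: encryption only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, so any MITM, is accepted
    return ctx


def hardened_context(ca_bundle: Optional[str] = None,
                     client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """Chain + hostname verification, TLS 1.2+, AEAD suites, optional mTLS."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE for forward secrecy; AES-GCM is the mode AES-NI accelerates.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)   # device identity for mTLS
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Returns the weaknesses found in a client context (empty list = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings


def has_aesni(cpuinfo_text: str) -> bool:
    """Parses /proc/cpuinfo text for the 'aes' flag that advertises AES-NI."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "aes" in line.split(":", 1)[1].split()
    return False


# Constructed /proc/cpuinfo excerpts, one with and one without the flag.
CPUINFO_WITH_AESNI = (
    "model name\t: Intel(R) Atom(TM) CPU (constructed)\n"
    "flags\t\t: fpu sse2 ssse3 aes pclmulqdq\n"
)
CPUINFO_WITHOUT_AESNI = (
    "model name\t: Intel(R) Quark(TM) SoC (constructed)\n"
    "flags\t\t: fpu vme de pse tsc msr pae\n"
)
```

On a gateway without the `aes` flag the same cipher list still works, it is just not hardware-accelerated; the audit findings, not the cipher choice, are what separate the "Good" and "Better" tiers.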

Page 22

Summary

• IoT is not only the devices.

• IoT security starts at the design stage.

• IoT security must be implemented at every level, from the microcontroller to the data center.

• In the IoT world, the infrastructure and services need protection too.

Page 23

Q&A

Page 24