iot security-arrow-roadshow #iotconfua
TRANSCRIPT
Intel® IoT
Speaker
Розумей Роман, Security Consulting Engineer
ERC
What is the Internet of Things?...
Sources:
1. IDC
2. IDC/EMC: The Digital Universe of Opportunities
3. Goldman Sachs
4. IMS Research
The Internet of Things is …
Home
Mobile Network
Industrial Gateway
DC/Cloud
Cost of sensors: 2x (past 10 years)
Cost of bandwidth: 40x (past 10 years)
Cost of processing: 60x (past 10 years)
50B devices¹
212B sensors
What are the consequences?...
Main cyber threats
• Denial of service - DDoS
• Malware
• Data leaks
• Unintentional leaks
• Weakening of the security perimeter
Internet of Things
The number of attacks on the Internet of Things will grow with the explosive growth in the number of connected devices and the increasingly critical information stored on them.
Source: McAfee, based on research by BI Intelligence, IDC, and Intel. Source: HP
Today:
70% contain vulnerabilities.
80% require no password or use a password of insecure length and complexity.
90% store personal data.
70% have no protection against brute-force attacks.
How to fight it?...
IoT: key security aspects
• Device integrity
• Device identification
• Protection of data channels to the DC/Cloud
• Protection of data channels to the device
• DC/Cloud security
• Security of supporting nodes
What to fight it with?...
Intel® IoT Platform: Logical Definition
MCU connectivity:
• WiFi + LP WiFi
• Bluetooth® Technology + BTLE
• 3G/4G/LTE (GPRS)
• ZigBee*, Zwave*
• 6LoWPAN*
• WiHART*
• Ethernet
• RFID
Diagram blocks (Things → Gateway → Data Center/Cloud):
MCU, I/O, Sensors, Actuators, PMA (Protocol Mapper & Adapter, formerly UPAL)
Gateway: I/O, Device Attestation, Data Ingestion & Processing, Data Transport, Persistence & Concurrency
Broker, Query, Storage, Compute, Device Attestation, Analytics
Asset Info, Policies & Metadata; Security, Configuration & Management
Data Center Management & Security (Monitoring, Auto-scaling, Logging, Eventing)
Business Logic & Rules; Services Orchestration; Vertical IoT Apps; APIs, API Libraries, SDK
Business Portal; IT/Business Systems; Network Infrastructure; 3rd Party Systems
Data Flow: MQTT, HTTPS, WebSockets, XMPP, CoAP, REST, AMQP, DDS, et al.
Security & Mgmt Flow: MQTT, EPID, OMA-DM, TR-069, REST, et al.
Security on all Devices, Data, & Comms from Things to Cloud (Identity Protection, Integrity, Confidentiality, Trusted Execution, Attestation)
*Other names and brands may be claimed as the property of others.
Tiers: Sensor Gateways; Networks; On-Premise or Off-Premise Data Center or Cloud
Capabilities: Identity; Integrity; Data Protection; Intrusion Prevention; Intrusion Detection; Managed Networks; Database Security; Services Management; Security Information and Event Monitoring System; Threat Intelligence; Public Cloud Security; Private Cloud Security; Intel Management Platform
Intel® Security - IoT Portfolio
Provides comprehensive protection of critical infrastructure from physical and cyberattacks
Intel® Security Critical Infrastructure Protection
PRIVATE / PUBLIC CLOUD SECURITY
EVENT MANAGEMENT AND THREAT INTELLIGENCE
DEVICE LEVEL SECURITY
NETWORK SECURITY
McAfee Security Information and Event Monitoring System (SIEM)
Central security intelligence system for IoT's heterogeneous architecture
McAfee Threat Intelligence Exchange (TIE) & Data Exchange Layer (DXL)
Tailors comprehensive threat intelligence from multiple intelligence data sources
McAfee ePolicy Orchestrator (McAfee ePO)
Security agent that connects with the McAfee security infrastructure for monitoring and managing security of the IoT
McAfee Network Security Platform
Helps detect and block attacks by enforcing security policies at the application, port and protocol levels
Provides Intrusion Detection / Prevention Capabilities
McAfee Embedded/Integrity Control (Whitelisting Technology)
Helps block unauthorized applications and changes in IoT devices
Intel Silicon Hardened Foundation
Security capabilities that include Secure Boot, HW Root of Trust and EPID
Intel Security Whitelisting Technology
Device integrity and verified updates
• Standalone solution, or centrally managed with McAfee ePolicy Orchestrator.
• Part of Intel IoT Gateway
• Integration with McAfee Threat Intelligence Exchange (TIE) and Security Information and Event Monitoring Solution (SIEM)
Diagram: Whitelist / SYS / STOP: Unknown Binary is Unauthorized
Intel® IoT Gateway
Performance at the edge
Advanced Security
Scalability
Manageability
Fast, Flexible deployment
Intel® IoT Gateway
Linux* Operating System
Microsoft Windows® OS
Sensor/Device Integrity & Security
Intel® Quark™/ Intel® Atom™/ Intel® Core™ SoCs
Secure Boot (UEFI)
McAfee Embedded
Control
Management Agents
Signed Updates
IoT Security and Device Management
McAfee ePolicy Orchestrator* (ePO) and/or
Wind River* Helix Device Cloud
Good
1. UEFI Secure Boot
2. OS built-in capabilities
Better
1. UEFI Secure Boot measured through TPM (Measured Boot)
2. McAfee Embedded Control
3. Remotely manageable via Intel AMT
Best
1. UEFI Secure Boot and Device Attestation through TPM (Measured Boot, Attested)
2. McAfee Embedded Control
3. Management Agents to manage the device and its security posture
4. Centrally managed and monitored
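The difference between the "Better" tier (measured boot: each stage hashes the next into a TPM PCR) and the "Best" tier (attested: the PCR is quoted to a remote verifier that replays the event log against known-good values) is easier to see in code. The following is an added illustration, not code from the deck, Intel or McAfee: the PCR-extend rule matches what a TPM does, while the quote uses an HMAC with a constructed key in place of a real TPM attestation-key signature so the example runs offline; all firmware images, digests and keys are constructed sample values.

```python
import hashlib
import hmac

# Constructed example: TPM-style measured boot plus remote attestation check.
PCR_BYTES = 32  # SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(measurement)).
    Order matters and the register can only be extended, never reset."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(components):
    """Each boot stage measures the next one before transferring control.
    Returns the final PCR value and the event log of (stage, hex digest)."""
    pcr = bytes(PCR_BYTES)  # PCRs start at all-zero on reset
    log = []
    for name, image in components:
        log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, log


def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Simulated TPM quote: keyed MAC over (nonce || PCR). A real TPM signs
    this with a TPM-resident attestation key; HMAC stands in here (assumption)."""
    return hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(reported_pcr, reported_log, quote_sig, nonce,
                       attestation_key, golden_digests):
    """Verifier side of attestation. Returns (ok, reason)."""
    # 1. The quote must be authentic and bound to our fresh nonce (no replay).
    expected = quote(reported_pcr, nonce, attestation_key)
    if not hmac.compare_digest(expected, quote_sig):
        return False, "quote signature invalid or nonce mismatch"
    # 2. Replaying the log must reproduce the signed PCR, else the log was edited.
    pcr = bytes(PCR_BYTES)
    for _, hexdigest in reported_log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(hexdigest)).digest()
    if pcr != reported_pcr:
        return False, "event log does not reproduce signed PCR"
    # 3. Every logged stage must match the golden digest for that stage.
    for name, hexdigest in reported_log:
        if golden_digests.get(name) != hexdigest:
            return False, f"unexpected measurement for {name}"
    return True, "device attested"


# Constructed trusted images and the golden values a verifier would hold.
TRUSTED_IMAGES = [
    ("firmware", b"constructed UEFI firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
]
GOLDEN = {name: hashlib.sha256(img).hexdigest() for name, img in TRUSTED_IMAGES}
ATTESTATION_KEY = b"constructed-attestation-key"  # stands in for a TPM-held key


def attest_device(components, nonce, rewrite_log=False):
    """Device boots `components`, quotes its PCR, and the verifier checks it.
    rewrite_log=True models a compromised OS editing the log to golden values."""
    pcr, log = measure_boot_chain(components)
    if rewrite_log:
        log = [(name, GOLDEN[name]) for name, _ in log]
    sig = quote(pcr, nonce, ATTESTATION_KEY)
    return verify_attestation(pcr, log, sig, nonce, ATTESTATION_KEY, GOLDEN)


if __name__ == "__main__":
    print(attest_device(TRUSTED_IMAGES, b"nonce-1"))
    implanted = TRUSTED_IMAGES[:2] + [("kernel", b"constructed kernel with implant")]
    print(attest_device(implanted, b"nonce-1"))
    print(attest_device(implanted, b"nonce-1", rewrite_log=True))
```

The three checks in `verify_attestation` are the point: the nonce defeats replay of an old good quote, the log replay catches a log edited after the fact (the signed PCR no longer matches), and the golden-value comparison catches a modified stage. Measured boot alone records the PCR locally; only the attested tier lets a central system act on it.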
Intel® IoT Gateway
Linux* Operating System
Microsoft Windows® OS
Data Protection & Security
Intel® Quark™/ Intel® Atom™/ Intel® Core™ SoCs
Intel® Advanced Encryption Standard - New Instructions (Intel® AES-NI)
Secure Boot (UEFI)
McAfee Drive
Encryption
Management Agents
McAfee MNE
IoT Security and Device Management
McAfee ePolicy Orchestrator* (ePO) and/or
Wind River* Helix Device Cloud
Good
1. OS built-in capabilities like dm-crypt or BitLocker
2. SSL Connections to Services and other devices
Better
1. McAfee Drive Encryption or McAfee Native Management Agents
2. Utilization of Intel AES-NI for Encryption
3. Use of certified and/or hardened SSL libraries to establish secure connections
Best
1. McAfee Drive Encryption or McAfee Native Management Agents
2. Utilization of Intel AES-NI for Encryption
3. Use of certified and/or hardened SSL libraries to establish secure connections
4. Centralized Management of Data Protection Software and Key Management
Secure Connections
Summary
• IoT is not only about devices
• IoT security starts at the design stage
• IoT security must be implemented at every level, from the microcontroller to the data center.
• In the IoT world, infrastructure and services need protection.
Q&A