lpwan london meetup: securing your iot products

Securing your IoT products. LPWAN London, Feb 2017. Richard Marshall, IoTSF Plenary Chair and CEO, Xitex Ltd. (06/03/2017, Public)

Author: digital-catapult

Post on 22-Mar-2017


TRANSCRIPT

  • 06/03/2017 Public 1

    Securing your IoT products

    LPWAN London Feb 2017

    Richard MarshallIoTSF Plenary Chair and CEO Xitex Ltd

  • We can't carry on like this

  • Being connected

    Products are often not considered a target: why would someone attack my product?

    IoT products are potentially installed by the billion; the number of devices could outnumber mobile phones

    Being connected allows remote attacks, which makes presence and physical barriers redundant

    IoT devices become potential weapons in large-scale attacks

  • IoT product challenges

    Lean Startup Minimal Viable Product [MVP] development approach

    Supply chain integrity and complexity

    Traditional "ship, then develop the next product" strategy

    Lack of security awareness and standards

    Usability versus security

  • MVP development strategy

    Relies on an incremental approach to product development to gain customer feedback

    Security is seen as a feature that can be added later

    This conflicts with the need to put the security foundations into a product from the beginning

  • MVP & hardware security

    Hardware vulnerabilities are impossible to fix in deployed products

    Product lifecycles are longer than those of consumer electronics or cell phones (2 to 5 years)

    Lifecycles of 15 to 25 years are not unusual for infrastructure devices

    Product security relies on the strength of its weakest link

  • Component supply chain

    Components often come with vendor software, typically:

    Boot loaders

    Protocol stacks

    Device drivers

    Careful selection of the underlying platform is critical: has their security been considered?

  • Production

    Outsourced production: how is security maintained in a third party's facility?

    How are the following ensured by design:

    Cryptographic keys are not revealed (symmetric key insertion into devices is a particular issue)

    Unauthorised product is not being manufactured

    Unauthorised software and data are not loaded into the product

  • Ongoing support

    What is the support policy?

    Are the devices patchable?

    EOL policy: revocation, kill switch?

    Is a vulnerability policy in place?

    Is a security notification process in place?

  • Help is available for you

    See https://iotsecurityfoundation.org/best-practice-guidelines/

    RELEASE 1.0

  • Executive Steering Board

    Prof. John Haine, Chair, University of Bristol

    Prof. David Rogers, CEO, Copper Horse Solutions

    Prof. Ben Azvine, Global Head of Security Research and Innovation, BT

    Prof. Kenny Paterson, RHUL

    Ken Munro, Partner, PenTest Partners

    Dr. Steve Babbage, Chief Cryptographer, Distinguished Engineer, Vodafone Group

    Haydn Povey, CEO, Secure Thingz

    John Moor, MD, IoT Security Foundation

    Majid Bemanian, Director Segment Marketing, Imagination Technologies

    Richard Marshall, Managing Consultant, Xitex Ltd.

  • www.iotsecurityfoundation.org

    SECURITY FIRST: designed in at the start

    FIT FOR PURPOSE: right-sized for application

    RESILIENCE: through operating life

    Thank You!