SECURE YOUR SPACE: THE INTERNET OF THINGS John P. Rudy 1/13/2016 Lexington Computer & Technology Group All snazzy material is from Michael Daly SECURE YOUR SPACE: THE INTERNET OF THINGS Term first coined in 1999 Explosion of articles in the last year Sensors, actuators and network 3.2 billion internet users in 2015 SECURE YOUR SPACE: THE INTERNET OF THINGS Copyright 2014 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company. Michael K. Daly Chief Technology Officer Cybersecurity and Special Missions Daly has more than 28 years in security and information systems, in both the federal government and private sector. As CTO of Raytheons CSM division, he provides cyber solutions to domestic and international government and commercial customers. Additionally, Daly supports the National Security Telecommunications Advisory Committee to the President of the United States. SECURE YOUR SPACE: THE INTERNET OF THINGS People Connecting with People. The Internet of yesterday The internet as we traditionally know it was about people interacting with data and with other people; it was about democratizing information, giving individuals and organizations the ability to produce, upload and download content as they needed it. But as revolutionary as this wasand is it was only the beginning. SECURE YOUR SPACE: THE INTERNET OF THINGS Machines, Machines and Sometimes People. The Internet of Things -- first theorized in the 90s but really becoming a reality in the past 2-3 years has shifted the traditional internet paradigm. Todays internet is equally about machines interacting with data with other machines and with people. Today, in addition to people creating and sharing content, automated platforms and technologies also produce, distribute and make use of content, as well. The difference changes everything. SECURE YOUR SPACE: THE INTERNET OF THINGS Thats a lot of stuff talking to other stuff. SECURE YOUR SPACE: THE INTERNET OF THINGS Address space IPv4 (1983) Internet Protocol version 4 (IPv4) 32-bit addresses (4 billion) notated like But exhausted in IPv6 (1998) uses a 128-bit address. SECURE YOUR SPACE: THE INTERNET OF THINGS And there is so much more coming. 6.8B today 12.5B today SECURE YOUR SPACE: THE INTERNET OF THINGS Example: OT might be reactors The Internet of Things comes from the convergence of Business IT and Personal IT, with Industrial OT and Critical Infrastructure OT. But these systems do not share all the same attributes. While IT systems users are most concerned with confidentiality and integrity, and are desirous of frequent updates, the OT systems users are concerned with safety and availability, and are not tolerant of change. SECURE YOUR SPACE: THE INTERNET OF THINGS Sensors. Effectors. Data. Lots of Data. SECURE YOUR SPACE: THE INTERNET OF THINGS Every Aspect of Human Life. Drones Could Help Tulsa Firefighters During Search, Rescuehttps://www.dot.gov/fastlane/v2v-cars-communicating-prevent-crashes-deaths-injuries SECURE YOUR SPACE: THE INTERNET OF THINGS And Plant and Animal Life. Scientists at Australias Commonwealth Scientific and Industrial Research Organization have fitted 5,000 tiny sensors, measuring just 2.5mm squared to the backs of honey bees in Hobart, Tasmania, before releasing them into the wild honeybees-fitted-backpacks-helping-scientists-understand- colonies-dying-out.html Each sensor will create ~200MB of data every year. SECURE YOUR SPACE: THE INTERNET OF THINGS And Near-Lifeless Factories and Warehouses.Vs_amarillos.jpgshowcases-state-art-technologyautomatated-manufacturing/amazons-warehouse.html SECURE YOUR SPACE: THE INTERNET OF THINGS vulnerable to everything and everyone else. SECURE YOUR SPACE: THE INTERNET OF THINGS It has been published that the attackers first broke into the retailers network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services. The thieves used the access to get malware onto the HVAC systems and then jumped from there onto the point-of- sale ( POS ) devices at the checkout lines to steal customer information. Every connection is a possible vector. SECURE YOUR SPACE: THE INTERNET OF THINGS Many devices are not cyber-maintained. SECURE YOUR SPACE: THE INTERNET OF THINGS IoT has its roots in Net-Centric Warfare. SECURE YOUR SPACE: THE INTERNET OF THINGS IoT has its roots in Net-Centric Warfare. SECURE YOUR SPACE: THE INTERNET OF THINGS Understand the impacts of IoT before we implement. Data proliferation impact What controls are in place to protect the data and the systems that transmit, process and store the data (e.g., encryption, authentication, monitoring)? Physical impact and harm introduced by effectors and actuators What controls are in place to limit the physical impact in the event of a compromise? Risk of diminished interoperability amongst government systems What would happen to adjacent and reliant systems if this IoT set should fail to provide trustworthy information or to operate properly? Opportunities for adversaries to implement new covert communications methods What mechanisms do we have to identify and control unwanted communications? Opportunities for an adversary to conduct large scale PsyOps, creating events or complicating emergency response What measures can be implemented to identify and constrain unwanted social engineering? Attack surface impact What controls are in place to limit the exposure of the attack surface and to contain a threat in the event of a compromise? SECURE YOUR SPACE: THE INTERNET OF THINGS Know The Device. General Keith Alexander, the National Security Agencys director, said The cyber domain is a dynamic domain that changes every time you power on a device. With each new device that enters this domain, new vulnerabilities and threats are introduced. In military parlance, we say that we have an increased attack surface. A good security organization must do solid research on new devices to understand what is embedded in the devices entering their business ecosystem: what data is generated and what data is being transmitted; where does the device transmit its data; what connections will it accept from other devices in your environment; does the device have on-board storage that an adversary could use to store software and data; does the device try to do automatic updates; and most importantly, if an adversary had access to the sensors and data generated by this device (including the personal devices your users are bringing into the building), what advantage would it give them? SECURE YOUR SPACE: THE INTERNET OF THINGS Know The Insider. The IoT brings its benefits through the analysis of changes, based on the collection of vast amounts of data that are often personal and sensitive. This information, particularly in the aggregate, is extremely valuable not only to the society but to our potential adversaries. Protecting sensitive data from external threats has been the focus of cybersecurity investments since the first computers were used. But thats only half the story. Its critical for companies to have insider-focused security and continuous monitoring that can detect anomalies, inappropriate privileged user activity, and determine when information has been accessed inappropriately. These strategies must include behavioral analytics, not just simple rules and policies. Episodes such as the Target, Wikileaks and the Snowden breaches have shown that the most significant risk of damage to customer trust and to our missions is posed by internal system access. This can come from the disgruntled employee, or the unaware supplier, or an advanced nation-state adversary using a sophisticated chain to operate from the inside. SECURE YOUR SPACE: THE INTERNET OF THINGS Maintaining Trust in Time & Space SECURE YOUR SPACE: THE INTERNET OF THINGS Today:Fitbit, TV, phones Soon: Car, thermostat, cameras, keys, children and pets, aging parents, monitor wine via cork sensors When:Medical devices, clothes, appliances Nano-technology will become the driver, with very small, very cheap devices Discussion questions: Can the internet handle the projected traffic? Do I want the pool to warm up when I am 30 minutes from home? Or check that I turned off the oven? Or start dinner. Do I want the windows to close when there is rain and 25+ mph wind? Farm Tractors image and locate each plant for analysis and need for fertilizer, pesticide or water How will all this affect privacy SECURE YOUR SPACE: THE INTERNET OF THINGS References in addition to those in presentation: https://en.wikipedia.org/wiki/Internet_of_Things Future Computing: The Internet of Things, Windows Secrets 12/3/2015 Internet of Things Global Standards Initiative (completed July 2015)T/gsi/iot/Pages/default.aspxhttp://www.itu.int/en/ITU- T/gsi/iot/Pages/default.aspx