securing the internet of everything - wordpress.com · securing the internet of everything ... road...
TRANSCRIPT
Securing the Internet of EverythingKevin von Keyserling, CEO
Certified Security Solutions, Inc.
October 22, 2016
Loyola Marymount University
Agenda
© 2016 Certified Security Solutions, Inc. 2
• Technology Drivers and the IoT Landscape
• Security Challenges
• Security Technology Considerations
• Conclusion
Rapidly Evolving Technology
Five core technologies that are changing everything
© 2016 Certified Security Solutions, Inc. 3
Robotics
Self driving cars
to Nanobots
Artificial Intelligence
Cloud compute power
Machine learning
Quantum computing
Healthcare
Wearables to
Gene editing, CRISPR
3D Printing
Ability to print an
automotive engine
or a human organ
Energy
Storage (Battery)
Renewable Energy Grid
Fusion
These five technologies are now feeding off of each other at an exponential growth rate.
Getting security right is of paramount importance.
The Internet of Things – Industries
© 2016 Certified Security Solutions, Inc. 4
“The turnover of the Internet of Things,
especially that generated by suppliers of
products and services, will rise to $300
billion in 2020, amounting to 1.9 trillion
dollars in total sales. Sectors that will see a
major use of these kind of things, according
to Gartner, are medical, industrial
automation systems, sensors and
applications in robotics, sensors for
increasing agricultural productivity,
sensors for monitoring the production
sector car and in several other areas, such as
road and rail, water distribution and
transmission power. Among the vertical
markets that mainly contribute to the
development of the IoT are manufacturing,
healthcare and insurance. − Gartner
Especially in the corporate sector Gartner sees
future applications for the IoT. E.g. monitoring
sensors, for example in medicine or in the
manufacturing industry, can monitor the
condition of machinery. Other areas include
the monitoring of roads, public transport
routes, water and power lines. The safety
technology and insurance industry will also
benefit from the IoT. Here completely new
business models will emerge such as custom
insurance premiums for car owners based on
real-time driving analysis. In addition, many
devices in the health and fitness will be newly
created, combined with medical sensor
technology. Data security and privacy are also
likely to grow in significance as more
consumers engage with IoT-based products.
Healthcare
Financial
Services
Manufacturing
Energy
Transportation
Telecom
Retail
Insurance
The Internet of Things Landscape
© 2016 Certified Security Solutions, Inc. 5
Home
AutomationSmart
Routers
Energy
Management
Media
Devices
Smart
Appliances Transportation
LED
Lighting
Wearables
Indoor / Around the House
Geo Fencing / Location Tracking
Outdoor Activities
Location / Navigation
Consumer
Energy &
Metering Infrastructure Industrial/
Building
Smart
WatchesSmart
Trackers
Smart
Glasses
Wearable
Cameras
Body
Sensors
billion units by 202026Commercial / Gov’t Body / Health
© 2016 Certified Security Solutions, Inc. 6
Smart Building
Management
Wireless Vehicle
Charging
Road Sensors
Smart Parking
Meters and
Garages
Building an IoT Platform
Vehicle to Infrastructure
CommunicationSmart Lighting
Control System
Smart Traffic Lights
Connecting Smart Cities, Infrastructure & the Connected Car
The Evolution from Enterprise to IoT
© 2016 Certified Security Solutions, Inc. 7
Characteristics
• Well understood O/S
• High computational availability
• Established network standards
• Client | Server hardware
Characteristics
• Well understood O/S
• High computational availability
• Closed system
• Client | Server network
Challenges
• O/S ad hoc
• Low computational availability
• Lack of codified standards
• Lack of Bandwidth
Challenges
• Retrofitting
• Open system architecture
• Firmware updates
Embedded
Devices
Challenges
• Discovery
• Reporting
• Compliance
• Heterogeneous environment
Traditional
Enterprise
Emerging IoT
Characteristics
• Massive Scale
• Lots of data collection
• Connectivity (RFID, BlueTooth, Cellular, WiFi)
Evolving Transportation
© 2016 Certified Security Solutions, Inc. 8
Autonomous Cars
The transportation sector is quickly evolving with the introduction of the autonomous, self-driving cars. Internet search behemoth Google
has already demonstrating its autonomous vehicle on test courses. However, the threat of malicious actors taking control of glaring flaws in
smart cars is on the rise. This threat is therefore considered to be one of the major technical security challenges confronting the automotive
industry today.
IoT Security Challenges − Hacking Vulnerability
© 2016 Certified Security Solutions, Inc. 9
Car Hacking
Smart Appliance Hacking
Refrigerator Caught Sending Spam Emails in Botnet Attack
In the first documented attack of its kind, the Internet of Things has
been used as part of an attack that sent out over 750,000 spam emails.
For the First Time Hackers Have Used a Refrigerator to Attack Businesses
Posted by: John McAfee, January 17, 2014
Security researchers at Proof point have uncovered the very first wide-scale hack
that involved television sets and at least one refrigerator. Yes, a fridge. This is
being hailed as the first home appliance “botnet” and the first cyber attack from
the Internet of Things.
Car Computer Systems Hacked Remotely – Be Afraid, Very Afraid
Car-hacking gets realBy: Chris Neiger, 24 June 2013
Many new cars can be turned on and off with a tap of a smartphone. Others can apply
the brakes while a driver is distracted, park themselves and maintain safe distances from
surrounding vehicles. But with their increasing reliance on electronic controls, cars open
themselves up to malicious manipulation.
CarTech | Safety | TechnologyCan Your Car Be Hacked?
Updated on July 7, 2016
© janderson99-HubPages
Your car is highly vulnerable to Malware via cellphones, Wi-Fi, infected MP3 and other
means. Be very afraid! - Hackers can hijack the car's computer systems to disable the
brakes, change the cruise control, turn the engine on and off, and control most of the
electrical systems such as the lights, climate control, odometer, locks and your radio.
IoT and Big Data
Source
* Estimates by EMC and IDC
** HP Internet of Things Research Study 2014
10© 2016 Certified Security Solutions, Inc.
Of devices “collected at least one piece of personal
information” through the mobile app, the cloud, or
the device itself**
90%Digital Universe
The digital universe is estimated to be 44 ZettaBytes …
That’s 44 trillion Gigabytes by 2020*
Internet of Things
IoT will drive much of the data growth
Bandwidth
Bandwidth will need to grow
IoT Security
70% of devices
employed unencrypted
network service
11© 2016 Certified Security Solutions, Inc.
Source: HP Internet of Things Research Study 2014
70%
80% of devices and associated apps
and cloud services
“failed to require passwords of a
sufficient complexity and length”
80%
Authentication Authenticity
Encryption
IoT Security
IoT Identity Challenges
Flight AU2323
Tail Number N414RS
Altitude 34,300 ft
Heading 210º
Airspeed 513 kn
Flight SW1234
Tail Number N789PQ
Altitude 31,300 ft
Heading 28º
Airspeed 490 kn
Altitude 34,300 ft
Heading 28º
Let’s look at airplanes
© 2016 Certified Security Solutions, Inc.
12
Connectivity
Securing device-to-device connectivity is hard
due to the following challenges …
Data Collection
Multiple data collection
sources from different vendors
Lack of Standards
Connected devices can’t talk to each other, and
each device comes with its own app, rather than
being managed from a single point of control
Authentication and Authorization
Many devices don’t have enough information to
authenticate or authorize connections
IoT Security Challenges − Questions
© 2016 Certified Security Solutions, Inc. 13
Data Security
• How do I protect the data that my system is producing and consuming?
• How can I be sure that this data is not being manipulated?
• How can I share this data – or my analysis of it – securely with others?
Physical Security
• How can I protect my devices from being tampered with?
Device Identity
• How can I be sure that the participants in this system are genuine?
• How can I be sure that the device that’s communicating with my systems actually is that device, and not an imposter?
?
?
?
IoT Identity Observations
© 2016 Certified Security Solutions, Inc. 14
Hub and Spoke Architectures
• “Hub and Spoke” architectures may prevail in many cases − especially in the near term
• IoT devices are going to expect wireless access
Data Collectors vs. Data Owners
• Data collectors are incented to be data owners – emphasis may be on product release over data security
Shared Hacking
• Shared keys and passwords don’t work well – hack one, you’ve hacked them all
• IoT devices can not be scanned and therefore may introduce malware
• Non-patchable endpoints leave security holes
Crypto Keys
• By themselves, crypto keys don’t establish identity
IoT Security Technologies
© 2016 Certified Security Solutions, Inc. 15
Block Chain
Crypto Currencies (BitCoin), Financial Services, an Internet Ledger
Biometrics
Great in certain environments, may be limited in many IoT applications, thumbprints are static
Heuristics
Detects deviations in expected data sets, time of day, range, frequency. Defense in Depth
Public/Private Key Infrastructure (PKI)
Cryptographically binds an identity to data
In Conclusion
© 2016 Certified Security Solutions, Inc. 17
This is our chance to get IoT Security right …
• Security should be in a design
• Device identity is important
• Devices have long lifespans. Plan ahead!
• Private / secret key security is critical
Certified Security Solutions, Inc.
© 2016 Certified Security Solutions, Inc. 18
Securely connecting people, applications, and devices.
People Applications Devices
Follow us on
As the market leader in enterprise and IoT digital identity security for data, devices and applications, CSS is a cyber
security company that builds and supports platforms to enable secure commerce for global businesses connected to
the Internet. Headquartered in Cleveland, Ohio, with operations throughout North America, CSS is at the forefront of
delivering innovative software products and SaaS solutions that are secure, scalable, economical and easy to
integrate into any business.
© 2016 Certified Security Solutions, Inc. All Rights Reserved.
Thank you
At CSS, we believe that every electronic device sending
data across the Internet should be protected and secured.
For more information on certificate management software,
PKI managed services, or PKI professional services at CSS,
please visit us at: www.css-security.com.
Kevin von Keyserling, CEO
Certified Security Solutions, Inc.
Email: [email protected]
Direct: (216) 785-2985