Securing the Internet of EverythingKevin von Keyserling, CEO

Certified Security Solutions, Inc.

October 22, 2016

Loyola Marymount University

Agenda

© 2016 Certified Security Solutions, Inc. 2

• Technology Drivers and the IoT Landscape

• Security Challenges

• Security Technology Considerations

• Conclusion

Rapidly Evolving Technology

Five core technologies that are changing everything

© 2016 Certified Security Solutions, Inc. 3

Robotics

Self driving cars

to Nanobots

Artificial Intelligence

Cloud compute power

Machine learning

Quantum computing

Healthcare

Wearables to

Gene editing, CRISPR

3D Printing

Ability to print an

automotive engine

or a human organ

Energy

Storage (Battery)

Renewable Energy Grid

Fusion

These five technologies are now feeding off of each other at an exponential growth rate.

Getting security right is of paramount importance.

The Internet of Things – Industries

© 2016 Certified Security Solutions, Inc. 4

“The turnover of the Internet of Things,

especially that generated by suppliers of

products and services, will rise to $300

billion in 2020, amounting to 1.9 trillion

dollars in total sales. Sectors that will see a

major use of these kind of things, according

to Gartner, are medical, industrial

automation systems, sensors and

applications in robotics, sensors for

increasing agricultural productivity,

sensors for monitoring the production

sector car and in several other areas, such as

road and rail, water distribution and

transmission power. Among the vertical

markets that mainly contribute to the

development of the IoT are manufacturing,

healthcare and insurance. − Gartner

Especially in the corporate sector Gartner sees

future applications for the IoT. E.g. monitoring

sensors, for example in medicine or in the

manufacturing industry, can monitor the

condition of machinery. Other areas include

the monitoring of roads, public transport

routes, water and power lines. The safety

technology and insurance industry will also

benefit from the IoT. Here completely new

business models will emerge such as custom

insurance premiums for car owners based on

real-time driving analysis. In addition, many

devices in the health and fitness will be newly

created, combined with medical sensor

technology. Data security and privacy are also

likely to grow in significance as more

consumers engage with IoT-based products.

Healthcare

Financial

Services

Manufacturing

Energy

Transportation

Telecom

Retail

Insurance

The Internet of Things Landscape

© 2016 Certified Security Solutions, Inc. 5

Home

AutomationSmart

Routers

Energy

Management

Media

Devices

Smart

Appliances Transportation

LED

Lighting

Wearables

Indoor / Around the House

Geo Fencing / Location Tracking

Outdoor Activities

Location / Navigation

Consumer

Energy &

Metering Infrastructure Industrial/

Building

Smart

WatchesSmart

Trackers

Smart

Glasses

Wearable

Cameras

Body

Sensors

billion units by 202026Commercial / Gov’t Body / Health

© 2016 Certified Security Solutions, Inc. 6

Smart Building

Management

Wireless Vehicle

Charging

Road Sensors

Smart Parking

Meters and

Garages

Building an IoT Platform

Vehicle to Infrastructure

CommunicationSmart Lighting

Control System

Smart Traffic Lights

Connecting Smart Cities, Infrastructure & the Connected Car

The Evolution from Enterprise to IoT

© 2016 Certified Security Solutions, Inc. 7

Characteristics

• Well understood O/S

• High computational availability

• Established network standards

• Client | Server hardware

Characteristics

• Well understood O/S

• High computational availability

• Closed system

• Client | Server network

Challenges

• O/S ad hoc

• Low computational availability

• Lack of codified standards

• Lack of Bandwidth

Challenges

• Retrofitting

• Open system architecture

• Firmware updates

Embedded

Devices

Challenges

• Discovery

• Reporting

• Compliance

• Heterogeneous environment

Traditional

Enterprise

Emerging IoT

Characteristics

• Massive Scale

• Lots of data collection

• Connectivity (RFID, BlueTooth, Cellular, WiFi)

Evolving Transportation

© 2016 Certified Security Solutions, Inc. 8

Autonomous Cars

The transportation sector is quickly evolving with the introduction of the autonomous, self-driving cars. Internet search behemoth Google

has already demonstrating its autonomous vehicle on test courses. However, the threat of malicious actors taking control of glaring flaws in

smart cars is on the rise. This threat is therefore considered to be one of the major technical security challenges confronting the automotive

industry today.

IoT Security Challenges − Hacking Vulnerability

© 2016 Certified Security Solutions, Inc. 9

Car Hacking

Smart Appliance Hacking

Refrigerator Caught Sending Spam Emails in Botnet Attack

In the first documented attack of its kind, the Internet of Things has

been used as part of an attack that sent out over 750,000 spam emails.

For the First Time Hackers Have Used a Refrigerator to Attack Businesses

Posted by: John McAfee, January 17, 2014

Security researchers at Proof point have uncovered the very first wide-scale hack

that involved television sets and at least one refrigerator. Yes, a fridge. This is

being hailed as the first home appliance “botnet” and the first cyber attack from

the Internet of Things.

Car Computer Systems Hacked Remotely – Be Afraid, Very Afraid

Car-hacking gets realBy: Chris Neiger, 24 June 2013

Many new cars can be turned on and off with a tap of a smartphone. Others can apply

the brakes while a driver is distracted, park themselves and maintain safe distances from

surrounding vehicles. But with their increasing reliance on electronic controls, cars open

themselves up to malicious manipulation.

CarTech | Safety | TechnologyCan Your Car Be Hacked?

Updated on July 7, 2016

© janderson99-HubPages

Your car is highly vulnerable to Malware via cellphones, Wi-Fi, infected MP3 and other

means. Be very afraid! - Hackers can hijack the car's computer systems to disable the

brakes, change the cruise control, turn the engine on and off, and control most of the

electrical systems such as the lights, climate control, odometer, locks and your radio.

IoT and Big Data

Source

* Estimates by EMC and IDC

** HP Internet of Things Research Study 2014

10© 2016 Certified Security Solutions, Inc.

Of devices “collected at least one piece of personal

information” through the mobile app, the cloud, or

the device itself**

90%Digital Universe

The digital universe is estimated to be 44 ZettaBytes …

That’s 44 trillion Gigabytes by 2020*

Internet of Things

IoT will drive much of the data growth

Bandwidth

Bandwidth will need to grow

IoT Security

70% of devices

employed unencrypted

network service

11© 2016 Certified Security Solutions, Inc.

Source: HP Internet of Things Research Study 2014

70%

80% of devices and associated apps

and cloud services

“failed to require passwords of a

sufficient complexity and length”

80%

Authentication Authenticity

Encryption

IoT Security

IoT Identity Challenges

Flight AU2323

Tail Number N414RS

Altitude 34,300 ft

Heading 210º

Airspeed 513 kn

Flight SW1234

Tail Number N789PQ

Altitude 31,300 ft

Heading 28º

Airspeed 490 kn

Altitude 34,300 ft

Heading 28º

Let’s look at airplanes

© 2016 Certified Security Solutions, Inc.

12

Connectivity

Securing device-to-device connectivity is hard

due to the following challenges …

Data Collection

Multiple data collection

sources from different vendors

Lack of Standards

Connected devices can’t talk to each other, and

each device comes with its own app, rather than

being managed from a single point of control

Authentication and Authorization

Many devices don’t have enough information to

authenticate or authorize connections

IoT Security Challenges − Questions

© 2016 Certified Security Solutions, Inc. 13

Data Security

• How do I protect the data that my system is producing and consuming?

• How can I be sure that this data is not being manipulated?

• How can I share this data – or my analysis of it – securely with others?

Physical Security

• How can I protect my devices from being tampered with?

Device Identity

• How can I be sure that the participants in this system are genuine?

• How can I be sure that the device that’s communicating with my systems actually is that device, and not an imposter?

?

?

?

IoT Identity Observations

© 2016 Certified Security Solutions, Inc. 14

Hub and Spoke Architectures

• “Hub and Spoke” architectures may prevail in many cases − especially in the near term

• IoT devices are going to expect wireless access

Data Collectors vs. Data Owners

• Data collectors are incented to be data owners – emphasis may be on product release over data security

Shared Hacking

• Shared keys and passwords don’t work well – hack one, you’ve hacked them all

• IoT devices can not be scanned and therefore may introduce malware

• Non-patchable endpoints leave security holes

Crypto Keys

• By themselves, crypto keys don’t establish identity

IoT Security Technologies

© 2016 Certified Security Solutions, Inc. 15

Block Chain

Crypto Currencies (BitCoin), Financial Services, an Internet Ledger

Biometrics

Great in certain environments, may be limited in many IoT applications, thumbprints are static

Heuristics

Detects deviations in expected data sets, time of day, range, frequency. Defense in Depth

Public/Private Key Infrastructure (PKI)

Cryptographically binds an identity to data

Digital Identity for IoT

© 2016 Certified Security Solutions, Inc. 16

The Foundation

In Conclusion

© 2016 Certified Security Solutions, Inc. 17

This is our chance to get IoT Security right …

• Security should be in a design

• Device identity is important

• Devices have long lifespans. Plan ahead!

• Private / secret key security is critical

Certified Security Solutions, Inc.

© 2016 Certified Security Solutions, Inc. 18

Securely connecting people, applications, and devices.

People Applications Devices

Follow us on

As the market leader in enterprise and IoT digital identity security for data, devices and applications, CSS is a cyber

security company that builds and supports platforms to enable secure commerce for global businesses connected to

the Internet. Headquartered in Cleveland, Ohio, with operations throughout North America, CSS is at the forefront of

delivering innovative software products and SaaS solutions that are secure, scalable, economical and easy to

integrate into any business.

© 2016 Certified Security Solutions, Inc. All Rights Reserved.

Thank you

At CSS, we believe that every electronic device sending

data across the Internet should be protected and secured.

For more information on certificate management software,

PKI managed services, or PKI professional services at CSS,

please visit us at: www.css-security.com.

Kevin von Keyserling, CEO

Certified Security Solutions, Inc.

Email: Kevin.vonKeyserling@css-security.com

Direct: (216) 785-2985