The (in)security of the Internet of Things · 2020-03-25
The (in)security of the Internet of Things
Rajesh Nair
Understanding the Internet of Things
MARKET POTENTIAL
• 50 bn connected devices by 2020
• Cloud industry digitalization: >100 bn € market potential in 2017
• Cyber Security: >300 bn € in 2020
• 250 million connected cars in 2020
TRENDS
• Industry 4.0, cross-industry integration and new business models
• Internet of everything: integration of prosumers, businesses, partners
• Cloud and data explosion based on reliable infrastructure and top security
CHALLENGES
• Cross-industry value chain integration
• Data-driven business models
• Multi-faceted ecosystems
• Process optimization beyond corporate boundaries
• Incorporation of prosumers, social media, every time, everywhere
EVERYTHING THAT CAN BE DIGITISED, WILL BE DIGITISED…
…AND EVERYTHING THAT CAN BE CONNECTED, WILL BE CONNECTED!
TIMOTHEUS HÖTTGES, CEO DEUTSCHE TELEKOM
NICHOLAS NEGROPONTE, PROFESSOR AT MIT
While integrating cyber-physical systems into manufacturing all objects receive a digital footprint …
History of development Industrie 4.0
Previously passive objects obtain:
• Identifier
• Sensor / Actuator
• Microcontroller
• (Real time) ability to communicate
Cyber-physical systems*:
• Intelligent integration of machines, people, products and objects
• Horizontal and vertical interoperability
• Digital footprints for real objects
* According to Fraunhofer IAO and BITKOM
Cyber-physical: collaborative interaction
[Figure: the four industrial revolutions over time; axis: complexity]
• End of 18th century: 1st industrial revolution (Industrie 1.0), water and steam power
• Beginning of 20th century: 2nd industrial revolution (Industrie 2.0), mass production with electronic energy
• Beginning in the 70s of the 20th century: 3rd industrial revolution (Industrie 3.0), electronics and IT automation
• Today: 4th industrial revolution (Industrie 4.0), cyber-physical systems
Source: illustration: Fraunhofer IAO Studie Produktionsarbeit der Zukunft – Industrie 4.0, 2013
Internet of Things
Progress on all IoT layers drives digitization
Affordable proliferation of…
• UBIQUITOUS SECURE CONNECTIVITY
• REAL TIME / LOW LATENCY
• SECURE CLOUD
• ADVANCED DATA ANALYTICS
• INTELLIGENT DEVICES
• BUSINESS PROCESS VIRTUALIZATION
Digitalization trends
• New business models, e.g. in consumables replenishment for consumer goods & white goods
• Big data analytics generate business insights from increasing amount of unstructured data
• 100+ use cases productized by many suppliers
• Significant processing cost reduction: decline by nearly 60X over past 10 years
• Wide-spread availability of broadband (fixed & mobile) at low cost
• High quality, reliable networks (w/ quality classes, latency) and end to end security
• New concepts e.g. ‘SDN/NFV’ enable real time configuration
• Significant reduction in sensor costs, e.g. avg. cost/sensor today: $0.60 vs. $1.30 10 years ago
• Wide distribution of connected devices
Layers
Customer
Applications/Use Case
Vertical Solutions
Horizontal
Connectivity
Devices
Horizontal
Services
End to End Security
How do I start to protect such a complex setup?
First of all we need to understand what needs to be protected from a business perspective
• Data: data about customers, business etc.
• Knowhow: specific knowhow
• Operations: national and international operations
• Reputation: reputation
Security
Vendor-driven reference architectures are focused on different elements than industry-driven reference architectures
Differences and Similarities in Reference Architectures for IoT
Vendor’s Reference Architectures
Established by software producers to show the scope of their solutions. Generally very well-structured and superficial.
• simple and easy to understand
• sales oriented
• technical perspective predominates
Industry Reference Architectures
Established by different consortia to define best-practice approaches for a specific industry. Usually contains a collection of architecture artefacts, describes views and principles that are important for industry solutions.
• complex and comprehensive
• industry specific
• functional perspective predominates
Common ground in reference models are architectural layers in the technical perspective
Most IoT reference models use similar architectural layers on technology level.
Three Technology Layers
• Device Connectivity: This layer contains all components from the physical level to the backend of the IoT platform (e.g. Devices, Sensors, Gateways, Client Software, UMTS Modems).
• Data Processing, Analytics & Management: This layer contains all components that represent the IoT middleware between the physical components and the applications that use the data (e.g. API Backend, Device Management, Analytics Modules, Databases, Event Stream Processing).
• Presentation & Business Connectivity: This layer contains all components that are used to utilize the IoT data and events (e.g. Business Applications, User Devices, User Interfaces).
Further examples of layered technology architectures in the IoT context
The traditional architecture of utilities and industries has now been changed with:
• a lot of commodity devices
• connectivity is not in the control of the operators
• free access to the devices
• uncontrolled supply chain
• PII data in a public cloud
• data integration in the cloud
Protecting the new normal requires a deeper understanding of the architecture
Microsoft Azure reference architecture
Architecture
Security now can also be overlaid on the architecture from an operator perspective in a very simple manner.
This level of protection needs to be done by an ecosystem. The operator has to make a set of assessments of the service providers and vendors and then set up their cyber security operations.
Protecting the data
Protecting business-critical data
• Planning
• Actual measurements
Protecting PII data
• Information about consumers
• Usage patterns
• Current usage
• Models
Protecting the devices
• Physical tampering
• Bots, malware attacks etc.
Protecting communication
• Protecting the communication from the meter to the cloud
• Protecting the communication from the cloud to the data center of the operator
• Protecting the control signals
Identifying the target level of security is important as it has a P&L impact
Business plan is required in order to define the target
Adding strategic capabilities to meet the cyber security challenge
The traditional cyber security aspects were grossly insufficient and have to be extended with some key new skills
Current level
1
Integrating business in cyber thinking
2
Integrating data skills
3
Integrating the network
4
• ISMS based approach extended with managing aspects of security outside the perimeter like IoT
• Redesigning channels and business processes with cyber security in mind
• Using data analytics as a cyber defense capability
• Using the partner network to combine knowledge and provide focus
“Ecosystem based security” is here to stay. It is a part of the digitalization path. It also explains who needs to do what.
Cyber Security
Company
• Focus on its part of the value chain
• Risk partnering and threat management
Regulation
• Standards definition
• Regulatory support
Partners
• Innovation
• Intelligence sharing
• Skill sharing
• Outtasking
A cyber security view of the capabilities required (illustrative and incomplete)
[Figure: capability map. Legend: Covered / Partly covered / Often not existing. Labels recovered from the figure:]
• Application Security
• Compliance Framework
• Content Security
• Network Security
• Simulation
• Security Governance
• Compliance / Risk Mgmt
• Architecture & Processes
• Cyber Attack Knowledge Base
• Incident & Breach Mgmt
• Pentests
• End-Point Sec.
• Identity Access Management / Authentication
• Data Loss Prevention
• NG SOC / SIEM
• Managed SIEM
• Security Operation Center
• Sec. Incident Detection & Response (Big Data)
• Forensic
• CERT
• External Data Sources (Social media, Dark web etc.)
• SOC/SIEM for SME
• Advanced Persistent Threat (APT) / Malware Protection
• Mobile Security
• Desktop Security
• IoT platforms
• Device Encryption Security
• Data security
• Data analytics
• Composite services (e.g. Clean Pipe)
• Perimeter Security (Firewall, DMZ …)
• DDoS Defense & Mitigation
• Encryption/SSL Vulnerability /IPS
• Network Behavior Analysis (NBA)
• Mail, web Security
• Dynamic Web Application Protection (DWAP)
• Application Vulnerability Scanning
• Security Development Lifecycle
• Database Firewall/Security
• Business Framework
• Strategy
• Operational processes
• BCM
• Data management
• Partner Management
• Vendor Management
• Channel Management
Rajesh Nair
Detecon (Schweiz) AG
Löwenstrasse 1
8001 Zurich (Switzerland)
Mobile: +41 43 888 7456
Email: [email protected]
Contact