the (in)security of the internet of things · 2020-03-25 · 3 market potential 50 bn connected...

The (in)security of the Internet of Things Rajesh Nair


Post on 12-Jul-2020


TRANSCRIPT

Page 1: The (in)security of the Internet of Things · 2020-03-25 · 3 MARKET POTENTIAL 50 bn connected devices by 2020 Cloud industry digitalization >100 bn € market potential in 2017

The (in)security of the

Internet of Things

Rajesh Nair


Understanding the

Internet of Things


MARKET POTENTIAL

50 bn connected devices by 2020

Cloud industry digitalization >100 bn €

market potential in 2017

Cyber Security > 300 bn € in 2020

250 mio connected cars in 2020

TRENDS

Industry 4.0, cross-industry

integration and new business models

Internet of everything: integration of

prosumers, businesses, partners

Cloud and data explosion based on

reliable infrastructure and top security

CHALLENGES

X-industry value chain integration

Data-driven business models

Multi-faceted eco-systems

Process optimization beyond

corporate boundaries

Incorporation of prosumers, social

media, every time, every where

EVERYTHING THAT CAN BE DIGITISED, WILL BE DIGITISED…

…AND EVERYTHING THAT CAN BE CONNECTED,

WILL BE CONNECTED!

TIMOTHEUS HÖTTGES, CEO DEUTSCHE TELEKOM

NICHOLAS NEGROPONTE, PROFESSOR AT MIT


While integrating cyber-physical systems into manufacturing all objects receive a digital footprint …

History of development Industrie 4.0

Previously passive objects obtain:

Identifier

Sensor / Actuator

Microcontroller

(Real time) ability to communicate

Intelligent integration of machines, people,

products and objects

Horizontal and vertical interoperability

Digital footprints for real objects.

Cyber-physical systems*

* According to Fraunhofer IAO and BITKOM

CyberPhysical

Collaborative interaction

Timeline (vertical axis: complexity):

Industrie 1.0, end of 18th century: 1st industrial revolution, water and steam power

Industrie 2.0, beginning of 20th century: 2nd industrial revolution, mass production with electronic energy

Industrie 3.0, beginning in the 70s, 20th century: 3rd industrial revolution, electronics and IT automation

Industrie 4.0, today: 4th industrial revolution, cyber-physical systems

Source: illustration: Fraunhofer IAO Studie Produktionsarbeit der Zukunft – Industrie 4.0, 2013

Internet of Things


Progress on all IoT layers drives digitization

Internet of Things

Affordable proliferation of… Digitalization trends

UBIQUITOUS SECURE

CONNECTIVITY

REAL TIME /

LOW LATENCY

SECURE CLOUD

ADVANCED DATA

ANALYTICS

INTELLIGENT

DEVICES

BUSINESS PROCESS

VIRTUALIZATION

New business models, e.g. in consumables

replenishment for consumer goods & white goods

Big data analytics generate business insights from

increasing amount of unstructured data

100+ use cases productized by many suppliers

Significant processing cost reduction: decline by

nearly 60X over past 10 years

Wide-spread availability of BB (fixed & mobile) at

low cost

High quality, reliable networks (w/ quality classes,

latency) and end to end security

New concepts e.g. ‘SDN/NFV’ enable real time

configuration

Significant reduction in Sensor costs e.g. avg.

cost/sensor today: $0.60 vs. $1.30 10 years ago

Wide distribution of connected devices

Layers

Customer

Applications/Use

Case

Vertical Solutions

Horizontal

Connectivity

Devices

Horizontal

Services

End to End Security


How do I start to protect

such a complex setup?


First of all we need to understand what needs to be protected from a business perspective

Data

• data about customers, business etc. ?

• specific knowhow

• national and international

operations

• reputation

Knowhow Operations Reputation

Security


Vendor-driven reference architectures are focused on different elements than industry-driven reference architectures

Differences and Similarities in Reference Architectures for IoT

Vendor’s Reference Architectures Industry Reference Architectures

Established by software producers to show the scope of their

solutions. Generally very well-structured and superficial.

simple and easy to understand

sales oriented

technical perspective predominates

Established by different consortia to define best-practice

approaches for a specific industry. Usually contains a collection of

architecture artefacts, describes views and principles that are

important for industry solutions.

complex and comprehensive

industry specific

functional perspective predominates

Common ground in reference models are architectural layers in the technical perspective


Device Connectivity

This layer contains all components from the physical level to the backend of the IoT

platform (e.g. Devices, Sensors, Gateways, Client Software, UMTS Modems).

Differences and Similarities in Reference Architectures for IoT

Most IoT reference models use similar architectural layers on technology level.

Device Connectivity

Data Processing, Analytics & Management

Presentation & Business Connectivity

Three Technology Layers

Data Processing, Analytics & Management

This layer contains all components that are representing the IoT middleware between

the physical components and the applications that use the data (e.g. API Backend,

Device Management, Analytics Modules, Databases, Event Stream Processing).

Presentation & Business Connectivity

This layer contains all components that are used to utilize the IoT data and events

(e.g. Business Applications, User Devices, User Interfaces).


Further examples of layered technology architectures in the IoT context

Differences and Similarities in Reference Architectures for IoT


The traditional architecture of utilities and industries has now been changed with

a lot of commodity devices

connectivity is not in the control of the operators

free Access to the devices

uncontrolled supply chain

PII data in a public cloud

data integration in the cloud

Security

Protecting the new normal requires a deeper understanding of the architecture

Microsoft Azure reference architecture

Architecture


Security now can also be overlaid on the architecture from an operator perspective in a very simple manner.

Security

This level of protection needs to be done by an ecosystem. The operator has to make a set of assessments of the service providers and vendors and then set up their cyber security operations.

Protecting the data

Protecting Business critical data

Planning

Actual measurements

Dscds

Protecting PII data

Information about consumers

Usage patterns

Current usage

Models

Protecting the devices

Physical tampering

BOTs, malware attacks etc

Protecting communication

Protecting the communication from the

meter to the cloud

Protecting the communication from the

cloud to the data center of the operator

Protecting the control signals


Identifying the target level of security is important as it has a P&L impact

Business plan is required in order to

define the target

Security


Adding strategic capabilities to meet the Cyber

security challenge

The traditional cyber security aspects were grossly insufficient and have to be extended with some key new skills

Current level

1

Integrating business in cyber thinking

2

Integrating data skills

3

Integrating the

network

4

ISMS based approach

extended with managing

aspects of security outside

the perimeter like IoT

Redesigning channels and

business processes with cyber

security in mind

Using data analytics as

a cyber defense

capability

Using the partner network

to combine knowledge and

provide focus

Security


“Ecosystem based security” is here to stay. It is a part of the digitalization path. It also explains who needs to do what.

Cyber

Security

• Focus on its part of the value chain

Company

• Risk partnering and threat management

• Standards definition

• Regulatory support

Regulation

• Innovation

• Intelligence sharing

• Skill sharing

• Outtasking

Partners

Security


A cyber security view of the capabilities required (illustrative and incomplete)

Application Security

Compliance

Framework

Legend: Covered Often not existing

Content Security

Network Security

Simulation

Security

Governance

Compliance / Risk Mgmt

Architecture & Processes

Cyber Attack Knowledge Base

Incident & Breach Mgmt

Pentests

End-Point Sec.

Identity Access Management / Authentication

Data Loss Prevention

NG SOC / SIEM

Managed SIEM

Security Operation Center

Sec. Incident Detection & Response (Big Data)

Forensic

CERT

External Data Sources (Social media, Dark web etc)

SOC/SIEM for SME

Advanced Persistent Threat (APT) / Malware Protection

Mobile Security

Desktop Security

IOT platforms

Device Encryption Security

Data

security

Data analytics

Composite services (e.g. Clean Pipe)

Perimeter Security (Firewall, DMZ …)

DDoS Defense & Mitigation

Encryption/SSL Vulnerability /IPS

Network Behavior Analysis (NBA)

Mail, web Security

Dynamic Web Application Protection

(DWAP)

Application Vulnerability Scanning

Security Development Lifecycle

Database Firewall/Security

Partly covered

Business Framework

Strategy

Operational processes

BCM

Data management

Partner Management

Vendor Management

Channel Management

Security


Rajesh Nair

Detecon (Schweiz) AG

Löwenstrasse 1

8001 Zurich (Switzerland)

Mobile: +41 43 888 7456

Email: [email protected]

Contact