The Internet of Things – Good, Bad or Just Plain Ugly?

Patrick Grillo, Senior Director, Security Strategy

© Copyright Fortinet Inc. All rights reserved.

Upload: yasmin-abdel-aziz

Post on 21-Feb-2017


IoT – What is it?

The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.*

*Internet of Things Global Standards Initiative

IoT – Is it Real?

Would You Believe?

Just Because They Can

Trash bin posts to Facebook

Connected egg tray

ICPooch - Dog treat dispenser with video chat

Dog fitness tracker

Connected “doggie” door

WiFi connected beer home brewing kit

Spectator worn sports jersey that vibrates

Connected “piggy” bank with mobile app

Did You Know?

Top 10 Scariest IoT Data Breaches

Nuclear Facilities (US) » More than 150 successful cyber attacks between 2010 & 2014

Steel Mills (Germany) » Uncontrollable blast furnace

Energy Grid (US) » More than 150 successful cyber attacks between 2010 & 2014

Water Supply

Hospital » Remotely hack drug pumps

Building Infrastructure » Temperature and fire control systems

Oil Rigs » Hacker induced instability

Firearms » Smart weapons with WiFi

Airplanes » Access flight control via entertainment system

Kitchen » Toaster refusing to toast white bread

Trend: Device Growth Continues

33 Billion endpoints projected to be connected by 2020 – Gartner

New device types entering the network

» ‘headless’ IoT, wireless sensor nodes, beacons, wearables

More devices and newer device types are entering the network

Best Two out of Three?

IoT Challenge: Secure, Cheap, Fast

IoT Security is a BIG STORY!

“CEO’s Guide to IoT Security” – AT&T, March 2016

IoT deployments are on the rise

85% of global organizations are considering, exploring, or implementing an IoT strategy

10% of organizations are fully confident that their connected devices are secure

[Chart: How many connected devices do you have in your organization? Answer categories: None; Fewer than 100; 100-999; 1,000-4,999; 5,000+; Don't know. Percentages shown: 1%, 8%, 20%, 35%, 32%, 5%.]

Source: AT&T, March 2016

“CEO’s Guide to IoT Security” – AT&T, March 2016

[Chart: IoT share of IT Security Budget. Ranges: 0 - 25%; 26-50%; 51-75%; 76%; Not sure. Percentages shown: 44%, 32%, 14%, 4%, 6%.]

Source: AT&T, March 2016

Threat Agents in the IoT

Criminals, Hacktivists, Industrial Spies, Nation States, Terrorists, Insiders, Chaotic Actors & Vigilantes, Regulators

IoT Use-case Examples: Consumer and Enterprise

Automated prescription ordering

Micro-payments for ad hoc home heating

P2P lending – through the TV

Re-fill the fridge

Stored value and loyalty

Energy Spot-market settlement

Pay as you go feed stock by inventory managers

Fuel currencies (block chains)

Big Threat #1 – Device to Device Attacks

Infected device enters the home and attacks adjacent devices – which in turn launch attacks

Infected/compromised devices attack internally and externally

Big Threat #2 – IoT as the Weakest Link

Personally Identifiable Info

Sabotage or privacy invasions

Attack on information-rich devices

IoT Cloud services

Man-in-the-Middle or compromise Cloud

Messages pushed to device manager

“Upgrade now for your own safety”

Fetch “patches” = malware

Malware Drop

Compromise of one device leads to all adjacent systems

Social engineering in the IoT

Big Threat #3 – Interdependency and Complexity

IoT ecosystem has many stakeholders and service providers at each point in the architecture

Cascading impacts almost impossible to project or monitor

Assumptions will fail

End point: Device user(s), Device owner, Device manager, Device maker, Supply chain

Gateway: Service function owner, Gateway owner, Gateway manager, Gateway maker, Supply chain

Network: Network provider, Network owner, Network manager, Equipment maker, Supply chain

Cloud / DC: Service tenant, Software owner, Software manager, Software vendor, Platform owner, Platform manager, Platform vendor, Infrastructure owner, Infrastructure manager, Infrastructure vendors, Supply chain

WHERE DO THE IOT SECURITY ANSWERS LIE?

PARTIALLY WITH THE IOT DEVICES THEMSELVES.

BUT MOSTLY WITH THE NETWORK.

End-to-End: IoT Security Reference Model

End Points (Wireless/Fixed), (Smart) Gateways, Network, Data Center & Cloud

Control & Visibility

Security Services & Framework

An Equal Opportunity Problem


Thumbs Up or Thumbs Down?

IoT is here to stay

Understand its advantages and liabilities

Put security in the forefront when considering IoT