TRANSCRIPT
How to benefit from IoT
- and not break the law
Before we start - a personal observation
All data may be sensitive
These sensors just popped up in my home automation system!
Is my favourite neighbour at home?
The IoT landrush #1
1021 exhibitors work with IoT
4 exhibitors work with IoT security
IoT Landrush #2 – hacking
16th October 2016
EU’s General Data Protection Regulation
Organizations: personal data
When? May 25, 2018
Risks: fines of 2% / 4% of global revenue
Fines up to 4%
↓
measurable consequence
↓
creates management attention
↓
security
6 pillars of the GDPR
• The right to be forgotten
• Privacy by design
• Breach notifications
• Risk and impact assessments
• Consent
• Data portability
2/3 of all connected things are personal
GDPR applies to everything!
People + software/computers + things
Digital security + physical security = security
GDPR includes physical security
IoT may become a nightmare↓
Internet of Listeners?↓
The Army of Things?
Hacking a blood infusion pump
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm (May 2015)
• Telnet and FTP services accessible without authentication
• Immediate administrator-level access
• Easy to tamper with the pump’s operation
• Hospital’s wireless keys stored in clear text
• No firmware update security
FDA issued a warning only
“Go Ahead, Hackers. Break My Heart”
Marie Moe, Security Researcher at SINTEF and pacemaker user
https://www.wired.com/
• FDA: Bad security – too bad!
• GDPR: Leaking personal data – BAD!
• The good news: Privacy cannot exist without security
IoT is more than the things
Constrained devices, often battery powered
Powered computers and gateways
IoT architecture example (diagram)
Customer’s local infrastructure: wired actuators and sensors; actuators and sensors over WiFi; low-power WiFi; switch; WiFi access point; local server/gateway; mobile apps
Internet
Cloud: cloud server with REST API and Web Socket API; admin portal; customer portal (browser); 3rd-party service
IoT architecture example (diagram, lighting variant)
Customer’s local infrastructure: wired luminaires and sensors; luminaires and sensors over WiFi; low-power WiFi; switch; WiFi access point; local server; mobile apps
Internet
Cloud: cloud server with REST API and Web Socket API; admin portal; customer portal (browser); 3rd-party service
Security annotations on the diagram: Authentication, Authorisation (local); Authentication, Authorisation, Identity Management (cloud); Certificates (devices)
Things need secure identities
• Things may last <20 years!
• Renewal of keys and algorithms
• Secure software update
• Protect data at rest and in transport
• Secure onboarding / exchange
• Problem: low-power sensor networks
Certificate enrolment for billions of things
• Endorsers
• Partners
Critical todo #1:
– Identity and access management from physical device to the cloud
Critical todo #2: Strong authentication and digital signing
– secure access to data
– verify owner of data
– verify age
– manage consent
Critical todo #3:
– Use technology to enforce digital and physical access policies across your organization
EASY TO USE AUTHENTICATION & AUTHORISATION
IMPROVE PHYSICAL ACCESS ROUTINES
ENFORCE POLICIES AND LOG EVERYTHING
STRONG IDENTITIES TO EVERYTHING
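As an added example (not part of the original slides or any product they describe), the checklist above can be turned into a small audit over a device inventory: it computes how many certificate renewals a thing that lives up to 20 years will need, flags a deprecated certificate algorithm that must be migrated at renewal, and reports unauthenticated management services and cleartext credentials of the kind found on the infusion pump. The inventory, the deprecated-algorithm policy and its dates are constructed for illustration.

```python
from datetime import date

# Constructed inventory (not from the original slides): one long-lived sensor and
# one gateway. "cert_algo" is the signature algorithm of the device certificate,
# "services" the management services the device exposes on the network.
DEVICES = [
    {"id": "sensor-01", "commissioned": date(2016, 10, 1), "lifetime_years": 20,
     "cert_valid_years": 3, "cert_algo": "sha1WithRSA",
     "services": [{"name": "coap", "auth": True}],
     "secrets_encrypted": True},
    {"id": "gateway-01", "commissioned": date(2016, 10, 1), "lifetime_years": 10,
     "cert_valid_years": 2, "cert_algo": "ecdsa-with-SHA256",
     "services": [{"name": "telnet", "auth": False}, {"name": "ftp", "auth": False}],
     "secrets_encrypted": False},
]

# Assumed policy (hypothetical date): algorithms no longer acceptable for
# device certificates and the date from which they must not be issued.
DEPRECATED_ALGOS = {"sha1WithRSA": date(2017, 1, 1)}

def add_years(d, years):
    # Commissioning dates in this example are not 29 February, so replace() is safe.
    return d.replace(year=d.year + years)

def renewal_schedule(device):
    """Dates on which the device certificate must be re-issued before end of life."""
    end_of_life = add_years(device["commissioned"], device["lifetime_years"])
    renewals = []
    nxt = add_years(device["commissioned"], device["cert_valid_years"])
    while nxt < end_of_life:
        renewals.append(nxt)
        nxt = add_years(nxt, device["cert_valid_years"])
    return renewals

def audit(device):
    """Findings against the checklist: key renewal, algorithm agility, authenticated
    management access and protected credentials at rest."""
    findings = []
    sched = renewal_schedule(device)
    if sched:
        findings.append(f"{len(sched)} certificate renewals needed, first on {sched[0]}")
    sunset = DEPRECATED_ALGOS.get(device["cert_algo"])
    if sunset:
        findings.append(f"{device['cert_algo']} deprecated from {sunset}; migrate at first renewal")
    for svc in device["services"]:
        if not svc["auth"]:
            findings.append(f"{svc['name']} reachable without authentication")
    if not device["secrets_encrypted"]:
        findings.append("credentials stored in clear text")
    return findings
```

Running `audit` over each entry in `DEVICES` gives the sensor two findings (six renewals over its 20-year life and an algorithm migration) and the gateway four.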
Conclusions:
IDENTITY OF THINGS IS MANDATORY
PRIVACY IS GOOD FOR SECURITY, RESULTING IN LESS OPERATIONAL RISK