internet of things security patterns
IoT Security Patterns
Mark Benson, CTO, @markbenson
IoT Stream Con, 23 April 2015
The IoT opportunity
Recent Economist survey:
95% expect their company to be using IoT within 3 years
“IoT is our single biggest threat AND biggest opportunity over the next 10 years” – Brand-name Fortune 500 board of directors
[Figure: Internet-connected devices in billions (Cisco Estimate) and market size in billions of dollars, by segment: Big Data Analytics (53% CAGR), Connected Device Platforms (33% CAGR), Application Enablement Platforms (32% CAGR), Value Added Services (26% CAGR), System Integration Services (24% CAGR), Hardware (23% CAGR), Connectivity (12% CAGR). *Source: ABI Research, Cisco, Craig Hallum Estimates]
The Internet of Things? More like the Internet of Attack Vectors
• Attack surfaces are expanding rapidly
• Physical access to systems is becoming easier
• Consumer privacy concerns are rising
• Consequences of a breach are becoming more severe (critical infrastructure, brand deterioration, data privacy issues, etc.)
• Product companies are being forced outside of their comfort zones
• Three dimensions that make IoT security challenging…
1. Resource constraints
[Figure: protocol stacks at each tier of an IoT system, connected by networks, with data labelled Rest, Use and Motion. Stacks shown: MAC/PHY, IP, TLS/TCP, HTTP, App Data; MAC/PHY, IP, DTLS/UDP, CoAP, Binary Data; and Sensor, MAC/PHY, Binary Data.]
• Enterprise Web Services: has virtually no resource constraints
• IoT Data Platform: deals with resource constraints
• Gateway or Aggregator: has moderate resource constraints
• Sensing Node: has severe resource constraints
2. Deployment topologies
[Figure: five deployment topologies drawn across the components Sensors, Short RF, Gateways, On-prem SW, Long-haul, Cloud Platform, Analytics platform, with a Local Display.]
A. No cloud
B. Standard
C. Multi-site
D. Closed network
E. Comprehensive
3. Usage modes
1. Initialization
• Secure flash
• OTP parts
• Secure boot
• Secure provisioning
2. Operation
• Device cloud registration
• Secure authentication
• Secure API transports
• Secure storage
3. Modification
• Secure firmware updates
• Disable test/debug interfaces
• Factory defaults fallback
• Disable test interfaces
4. Retirement
• Secure change of ownership
• Device de-registration process
• Optionally reenable retired devices
• Secure encryption key deletion
Things to note about IoT usage modes that affect security:
1. Some modes are normal and standard solutions exist
2. Some modes are new and standards are still emerging
3. Some modes are becoming more vulnerable due to resource constraints
[Figure: three axes. Usage Modes (Standard to Novel), Deployment Topologies (Simple to Complex), Resource Constraints (Low to High).]
The IoT security problem area
A. High resource constraints
B. Complex deployment topologies
C. Novel usage modes
Mo’ IoT, mo’ problems
The 4th dimension: time
Now we have a Tesseract
The difficulty with IoT security is that the landscape is constantly changing, even after products are deployed
Security should be designed for from the beginning and embraced as a journey throughout
It starts with a process…
[Figure: the four dimensions: Modes, Topologies, Constraints, Time.]
The web you should be weaving
Secure processes => secure products => secure brand integrity
Lifecycle phases: Planning, Design, Implementation, Verification, Validation, Deployment, Operations
Security activities across the lifecycle:
• Security Requirements
• Risk Analysis
• Threat Modeling
• Secure Design Practices
• Security-Focused Design Reviews
• Secure Coding Practices
• Third Party Security Audit
• Security-Focused Testing
• User Testing to Expose Weak Points
• Penetration Testing
• Secure Deployment Practices
• Operational Risk Assessment
• Incident Response Preparedness
• Vulnerability Management
Underlying all phases:
• Training and awareness
• Information Security Management System (ISMS) policies, procedures, and compliance audits
• Corporate strategy, governance, metrics, and optimization
Conclusion
Takeaways:
1. Security processes. Have a security architecture from the beginning and evolve throughout (layers, topologies, modes)
2. Technology selection. Start it from the beginning and evolve throughout
3. Operations planning. How do you respond if/when a security incident occurs in the field. Use checklists
– http://owasp.org/
– http://builditsecure.ly/
Embrace the journey
Thank you
Mark Benson, @markbenson