SESSION ID:

#RSAC

Brian Witten

Tactical Survival Tips Internet of Things (IoT) Systems

SBX1-R05

Senior Director, IoTSymantec Corporation@WittenBrian

^

#RSAC

2

How to Protect Connected Things

#RSAC

IoT betters our lives countless ways…

Already 20 Billion Microcontrollers (MCU) annually5 Billion Connected Today, 20 Billion by 2020

Smart Cities Consumer Electronics

Medical Devices Connected Cars Digital Factories

#RSAC

Quick History of Recent Events

Pipeline, Steel Mill, Critical Infrastructure, Power Grid, Cars, Hospotials

Quick History of Actual Events

Multi-KilotonPipeline Explosion

Steel Mill BlastFurnace Damaged

Cars: Digitally Stolen,Remotely Crashed

Hospitals Breachedvia Medical Devices

National ScalePower Grid Crashed

Hundreds of Critical Infrastructure Sites

#RSAC

What changed?

PC / Datacenter EraSecurity - most easily

delivered by diskor by download

IoT / Cloud EraSecurity - must be

integrated by designto be effective

#RSAC

6

Information Technology(IT)

Internet of Things(IoT)

All verticals have sameHardware/OS supply chain Fragmentation Each vertical has different

Hardware/OS supply chain

“3”(Mostly UDP, TCP, IP)

Protocols Thousands of Protocols(Hundreds in each vertical)

“5”(Mostly Windows, Linux,

OSX, iOS, Android)

OperatingSystems

(OS)

Dozens(Heavily fragmented by vertical)

“2”X86 and x64 by Intel and AMD

ChipsetArchitectures

Many8/16/32/64 bit, AVR, ARM, MIPS,

Over 12 vendors

#RSAC

7

Internet of Things (IoT) Cornerstones of Security

Protect the CommunicationsProtect the Device

Understand Your SystemManage DevicesCloud/Data

Center

Gateway

Devices& Sensors

#RSAC

Protect The Communications

8

Certificates: Over a Billion IoT devices chain to a world class Certificate Authority (CA)

Roots of Trust: IoT “Roots of Trust” can helpidentify foreign devices

Devices& Sensors

Hardware

Operating Systems

Embedded Software

Protect the CommunicationsRequired: Authentication

Helpful: EncryptionNote: Signing “objects” can

avoid decrypt/re-encrypt burden

Crypto Libraries: Several good open-source and commercial options

What’s needed?

#RSAC

$0.25

Can extremely constrained devicesdo meaningful security?

9

Early 80’s grade chip 8 bit8 Mhz2 k SRAM

25 seconds AA Battery: 20+ years

Leading 10 year old chips16 bit, 16 Mhz30 k SRAM

3 seconds AA Battery: 20+ years

Current 32 bit chips32 bit, 84 Mhz30+ k SRAM

150 ms AA: 20 years

Benchmark: ECC/ECDSA256

$0.50

#RSAC

Protecting Devices (Boot Time)

10

Never run unsigned code.

Never trust unsigned configuration data.

Never trust unsigned data. (Period.)

Provide run-time protection for each device.F. N

etw

ork

Mon

itor

G. S

ettin

gs

E. C

rypt

o Li

brar

ies

D. P

rimar

y Ap

p

A. Device Drivers

B. Network Stack

C. Operating System

Pre-boot Environment Protect the Code that Drives IoT

#RSAC

Protecting Devices (Run Time)

11

Whitelisting Behaviors: SandboxingTraditional Approach: Malware Blocking

Ineffective on zero-day Effective on zero day

Ensures self-protection Protects OS critical resources

Customization or separate product Protects applications from each other

Large footprint Small footprint

Signature based Behavior / policy based

Internet access required No internet access required

Reactive Proactive

#RSAC

12

Internet of Things (IoT) Cornerstones of Security

Cloud/DataCenter

Gateway

Devices& Sensors

Protect the CommunicationsProtect the Device

Understand Your SystemManage Devices

Authentication

Run Time

Boot Time

#RSAC

Safely & Effectively Managing IoT Devices

13

Why update devices?Industrial Systems

19 years on average

Granular UpdatesSave Battery & Bandwidth

200 x =

2,000 x =

“Build it Right Once”(Use it for Both General & Security Management)

General & Security TelemetryFunctionality & Security UpdatesConfiguration ChangesDiagnostics & RemediationNetwork Access Control (NAC) Credentials/Permissions, Policies

3 daysVulnerability Discovery Rate (Linux)

… Build in Over The Air (OTA) updates from the start

#RSACUnderstand Your System

14

No matter how well you do everything else, some threats will still get past even the best defenses.

Detecting such threats requires strong understandingof what your network “should” be doing.

Machine learning (ML) distills models of “normal”that can run in compact Single Board Computers (SBC).

Some ML can “learn” in resource constrained gateways andsmall SBC to detect anomalies specific to specific networks.

Such IoT Security Analytics are crucial in finding advanced threats.

To Detect Strategic Threats

#RSAC

15

Internet of Things (IoT) Cornerstones of Security

Cloud/DataCenter

Gateway

Devices& Sensors

Protect the CommunicationsProtect the Device

Understand Your SystemManage Devices

Authentication

Run Time

Boot Time

Embedded AnalyticsUpdates

Policies

#RSAC

Agenda

16

Define a Simpler Framework for Building Security Into IoT Things

Practical Example (2 slides)

Tips & Tricks for Companies Leveraging (not Building) IoT Things

#RSAC

Copyright © 2014 Symantec Corporation 17

Automotive ThreatsA Quick Refresher

RTOS

GSM

TCU

RTOS

I V I

Copyright © 2015 Symantec Corporation

GWCBCMECU

xxMxxMBCM

OBD2 UBI GSMCAN1

CAN2

Cellular (IP & GSM)

Cellular (IP & GSM)Physical Tampering

Other Wireless ( BT & Wifi )

Other Wireless

Vulnerabilities Announced This Summer

Supply Chain

Unauthenticated CommandsUnauthenticated Connections

No IP Port/Protocol Restrictions

InadequateCode Signing

Potential MemoryCorruption Vulnerabilities

VulnerableBrowsers/Apps

VulnerableModems

UnauthenticatedBus

TCU: Telecommunications Unit IVI: In Vehicle InfotainmentRTOS: Real Time OSECU: Engine Control UnitBCM: Body Control ModulexxM: Other ModulesCAN: Controller Area NetworkCAN1/2: Hi, Med, Lo Speed CANGWC: “gateway chip”OBD2: On Board Diagnostics portUBI: Usage Based InsuranceGSM: Global System for Mobile Comm’s, aka "a modem”

(Architecture Simplified for Presentation)

#RSAC

18

Cornerstones of SecurityAutomotive Vehicles

Authenticate Comm’s Manage Devices

Protect Each ModuleSecurity Analytics

OMA DM, SCOMO

Embedded (in-vehicle), GlobalCode-Signing (Boot Time)

Host-Based (Run Time)Compiler Based (No-OS)

Business Constraints:-- Consumers won’t pay for security they “assume”-- OEM & Tier 1 Suppliers: extremely thin margins -- Security $ must be < “few %” of any car/module

TCU: Telecommunications Unit IVI: In Vehicle InfotainmentRTOS: Real Time OSECU: Engine Control UnitBCM: Body Control ModulexxM: Other ModulesCAN: Controller Area NetworkCAN1/2: Hi, Med, Lo Speed CANGWC: “gateway chip”OBD2: On Board Diagnostics portUBI: Usage Based InsuranceGSM: Global System for Mobile Comm’s, aka "a modem”

CAMP: Crash Avoidance Metrics ProgramVSC3: Vehicle Safety Comm’sHIS: Hersteller Initiative SoftwareSHE: Secure Hardware ExtensionsEVITA: E-safety Vehicle Intrusion Protected ApplicationsHSM: Hardware Security Module

OMA DM: Open Mobile Alliance (OMA) Device Management (DM)SCOMO: Software Component Management Object

CAMP VSC3, HIS SHE, EVITA HSM

Copyright © 2015 Symantec Corporation

RTOS

GSM

TCU

RTOS

I V I

GWCBCMECU

xxMxxMBCM

OBD2 UBI GSMCAN1

CAN2

#RSAC

Tips & Tricks LEVERAGING IoT Devices

19

Requirements

Medical Devices

Industrial Equipment

Products

Automotive Modules

Suppliers

Medical Equipment

Automotive

Buyers

Manufacturing Equipment

Plant Owners & Operators

Hospitals

Automakers

#RSAC

20

Internet of Things (IoT) Cornerstones of Security

Cloud/DataCenter

Gateway

Devices& Sensors

Protect the CommunicationsProtect the Device

Understand Your SystemManage Devices

Authentication

Run Time

Boot Time

Embedded AnalyticsUpdates

Policies

#RSAC

IoT Security “Recipe”

Protect your devices: [ (high assurance boot) + (runtime protection) ]

Protect communications: design in strong authentication mechanisms

Manage your devices: build in update mechanisms for granular updates

Understand your system: leverage analytics to catch strategic threats

Strong Foundations Cover All Four IoT Security Cornerstones!

#RSAC

22

Owners/Buyers of IoT Things:

Next week: meet with your Procurement team to begin adding Security Requirements to all RFP for equipment and/or component suppliers

Next quarter: start educating other stakeholders on what it means to “build security into these things.”

Next year: refuse to buy equipment without adequate security

Makers / Builders / Venders of IoT Things:Ensure you adequately cover all four “cornerstones” of security for your Things!

Apply What You Have Learned Today

#RSAC

23

Thank You!bwitten@symantec.com

Internet of Things (IoT)Security Reference Architecture:

www.symantec.com/iot

#RSAC

24