what’s the right security for iot? - nist...likely future developments in iot security –expanded...

What’s The Right Security for IoT? Infineon Technologies September 2015

Agenda

Introduction to IoT

Risk Analysis

Countermeasures

Into the Future

1

2

3

4

2 September 2015 Copyright © Infineon Technologies AG 2015. All rights reserved.

Introduction to IoT

Risk Analysis

Countermeasures

Into the Future

1

2

3

4


IoT Definition

What is Internet of Things (IoT) all about?

“A world where physical objects are seamlessly integrated into the information network.”

› Industrial

› Automotive

› Consumer

› Medical

› Networking

› Computing


Internet of Things (IoT) Drives Increased Profits

Smart Home Automotive Industrial ICT

Greater efficiency 2

Increased flexibility and customization 3

New capabilities and services 1


IoT Trend Affects All Markets

Consumer Mobility Energy Industry & Logistics

ICT Healthcare Others

Major Home Appliances

Small Home Appliances

Consumer Electronics (incl. Wearables)

Lighting

Smartcards

Smartphones & Tablets

Desktops & Notebooks

Cars

Trucks & Buses

Construction Agricultural Vehicles

Traction

Light Electric Vehicles

Solar PV

Wind Power

Other Power Generation

Energy Storage Systems

Transmission & Distribution

Smart Meters

Charging Stations

Industrial Motor Controls & Drives

Automation Equipment

Building Automation

Logistics

Data Centers

Cellular Networks

Other WAN

Wireless LAN & PAN

Medical Equipment

Assisted Living

Lifestyle

Advertising

Retail

Gambling

Defense

Aerospace

Smart Home


http://www.google.de/imgres?start=100&biw=1600&bih=793&tbm=isch&tbnid=EsEd0b652PNoWM:&imgrefurl=http://www.defiancegames.com/forum/british-commonwealth-core-force/1709-fan-art-concepts-and-inspirations&docid=L8E8pgYCG0APJM&imgurl=http://img.photobucket.com/albums/v228/glitterboy2098/ReachConcept_SoldierVariant.png&w=737&h=799&ei=77yuUqWwEYeqhQfTqIHICg&zoom=1

IoT Architecture

IoT Has Many Layers

Gather data Analyze

Send commands

Reliably convey data and

commands

Send and receive data and

commands


Agenda

Introduction to IoT

Risk Analysis

Countermeasures

Into the Future

1

2

3

4


IoT Attacks Growing


Security threats for IoT

Each Layer can be Attacked

An Eavesdropper

listening in on data or

commands can reveal

confidential information

about the operation of

the infrastructure. A Fake Device injecting

fake measurements can

disrupt the control

processes and cause

them to react

inappropriately or

dangerously, or can be

used to mask physical

attacks.

A Fake Server sending

incorrect commands can

be used to trigger

unplanned events, to

send some physical

resource (water, oil,

electricity, etc.) to an

unplanned destination,

and so forth.


Protecting Our Values with IoT Security

› Provide safety and privacy › Maximize uptime › Protect revenue stream

› Enable and create business models › Differentiate from competition

Security

Privacy

Safety Reliability

› Reduce costs › Increase quality and reliability


Introduction to IoT

Risk Analysis

Countermeasures

Into the Future

1

2

3

4


Common Defenses

IoT Defenses


Bad-Better-Best: Options for IoT Security

SOFTWARE ONLY

Secures against casual intrusion and basic software attacks

NO SECURITY Everything open for all to see

HARDWARE SECURITY

Secures against hardware attacks and hardens against software attacks

Reading Software code easily readable by hackers

Hardware chip protects itself against code reading

Copying Software code easily copied and shared by hackers

Secure hardware cannot be easily copied. Must be extensively reverse engineered and remanufactured.

Analyzing Software code easily analyzed and understood using standard tools

Secure hardware use proprietary designs and non-standard code that is not easily understood

Root of Trust Software has no "Root of Trust", recovery of broken system practically impossible

Secure hardware provides "Root of Trust" anchor for system, providing detection, recoverability, secured updates


Miller & Valasek: A Case Study in IoT Hacking

Source: Remote Exploitation of an Unaltered Passenger Vehicle, Miller & Valasek, 2015. http://illmatics.com/Remote%20Car%20Hacking.pdf

1. Evaluate Attack Surface

2. Investigate Potential Targets

3. Reverse Engineer Targets

4. Find Vulnerabilities

5. Develop Exploits

6. Use Exploits to Get New Targets

Miller & Valasek Attack Process

1. Adopt Secure Development Lifecycle

2. Develop Thorough Attack Tree

3. Prevent Reverse Engineering

4. Reduce Vulnerabilities

5. Detect and Respond to Attacks

6. Employ Layered Defenses

Countermeasures

CAN-C

RADIO

BCM LIN

CAN-IHS


Scalable Trust Anchors for IoT

OPTIGA™ Trust

Design-in complexity

Feature set

Security Level

Personalization (loading of keys and certificates)

OPTIGA™ TPM

+ CC EAL 4+

low medium

Authentication TPM standard

OPTIGA™ Trust P

CC EAL 5+

medium

Programmable

OPTIGA™ Trust E

+++

low

PKI-supported

Authentication

Security and Complexity


Introduction to IoT

Risk Analysis

Countermeasures

Into the Future

1

2

3

4


Likely Future Developments in IoT Security

– Expanded security features

– Expanded cryptographic algorithms

– Hardware Root of Trust standard in all IoT systems

– As today for IT and payment

– Regulations, insurance, etc.

› Continuing exploitation and damage

› Additional functionality

› Tighter integration with IoT systems

› Growing external requirements for stronger security


Summary

To protect our values, strong IoT security is needed.

Scalable Hardware Trust Anchors provide the Right Security for IoT.

IoT shows tremendous promise.


what’s the right security for iot? - nist...likely future developments in iot security –expanded...

Documents