Scaling Security for IoT
A presentation given by Bill Harpley to the Brighton IoT Forum on March 23rd, 2016
23/03/2016 Bill Harpley 2
Linux | Cloud | Wireless | IoT
www.astius.co.uk
Overview
• IoT is all about scalability
• In this presentation we will look at two contrasting views of IoT security:
– Macro level: security of complex physical systems
– Micro level: how to start with a product idea and scale it up in a secure fashion
SECURING BASIC SOCIAL AND ECONOMIC INFRASTRUCTURE
Security of large-scale infrastructure
• The diagram shows how traditional vertical market sectors are embracing IoT connectivity solutions.
• Cyber-Physical systems – large scale connected infrastructure which spans multiple vertical sectors. So how do you make these secure?
• Significant security challenges in terms of:
– Different industry standards
– Regulatory regimes
– Legacy infrastructure
– Timing of signals
– Communications protocols
– Proprietary technologies
– System complexity
– Understanding of risks
– Security monitoring
– Co-ordinating multiple agencies
• Many legacy systems were never intended to be connected to the Internet and so lack essential security mechanisms (e.g. SCADA).
SCADA (Supervisory Control & Data Acquisition) systems are used to monitor and control industrial processes and buildings. They were first deployed in the 1960s and some have an expected working life of up to 20 years.
Protecting critical infrastructure
• As more ‘things’ become connected to the Internet, the threat of large-scale cyber attacks increases.
• Attackers may try to:
– Gain unauthorised access to information.
– Disrupt communication networks and IT services.
– Cause breakdown of physical infrastructure (e.g. energy distribution grids, major transport hubs).
• Let’s have a look at a topical example!
Example: connected cars (1 of 3)
• Cars are evolving from Assisted Driving mode (ADAS) to fully Autonomous mode (driverless).
• Car makers are cramming their new vehicles with electronics and software.
– Turning them into mobile data centers.
– Many potential security vulnerabilities.
• Recent report in Information Age that 75% of cars stolen in France during 2014 were electronically hacked.
• ‘Jeep Hack’ of July 2015, in which a vehicle was forced off the road by hackers (Chrysler recalled 1.4 million cars).
– Rising concern about vulnerability of cars to cyber-attacks.
Example: connected cars (2 of 3)
Source: Cisco
Example: connected cars (3 of 3)
• Kerbside infrastructure is vulnerable to cyber-attacks.
• Need to protect a complex “system of systems”.
• Requires strategy to be developed at both local and national level.
Artist’s visualisation of connected vehicles control point.
Source: US Department of Transport
UK Cybersecurity strategy
• Cyber-security features very prominently in Government thinking.
• Many policy initiatives announced over the last 5 years
– First UK Cyber Security Strategy created in 2009.
– Office of Cyber Security & Information Assurance (OCSIA) founded in 2010 (located in Cabinet Office)
– National Cyber Security Programme (NCSP) launched in 2010
– CERT-UK began operations in March 2014 (formal incident reporting).
– 2015 National Cyber Security Plan launched with great fanfare (budget of £1.9 billion in spending between 2016-2020)
– Creation of National Centre for Cybersecurity (NCSC) announced & will open in October 2016.
• Main take-away is that cyber-security is a very complex business which needs leadership at the highest level.
NIST notional framework
“Cyber-Physical Systems or ‘smart’ systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas. Cyber-physical systems will bring advances in personalized health care, emergency response, traffic flow management, and electric power generation and delivery, as well as in many other areas now just being envisioned.” – NIST (http://www.nist.gov/cps/)
SECURITY SCALING FOR YOUR GREAT PRODUCT IDEA
It’s a great idea (but is it secure?)
• Let’s suppose you have a great idea for a new portable music ‘widget’
• Your aim is to provide people with a great ‘connected’ user experience
• You build a prototype and show it to potential customers who are very enthusiastic
• So you then launch a Kickstarter campaign with a view to making 100 units
• What security management problems might you run into?
Scaling from 1 to 100
• Let’s say you have manufactured and shipped 100 units to your Kickstarter customers
• Your music widget gets rave reviews … but then 3 customers claim to have found a security flaw
– It could be a flaw in your own design or a fault in a 3rd party module
– You do the right thing and notify all 100 customers but they don’t seem too inconvenienced by it
– The three customers that complained return their widget to you, the problem is “fixed” and the unit is shipped back to them
– Everyone is happy!
Scaling from 100 to 1000
• Congratulations! You have attracted some outside investors and plan a further production run of 1000 units.
• But now things start to go wrong:
– You never had a plan to manage ‘unique’ items such as MAC addresses and security keys.
– You did not design the product for high-volume manufacture.
– If customers complain about security faults, manual returns and upgrades are not an option at this scale.
– You need to design a process of remotely upgrading firmware on each unit.
• Make sure you fix these problems before committing to the manufacturing run:
– It will take more effort and extend your ‘time to market’
– But should save money in the long run
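One way to plan for the ‘unique’ items mentioned on this slide, shown as an added example that is not part of the original presentation: a provisioning registry that issues MAC addresses from one block, derives a separate key per unit, and rejects a second production run that would reuse identities from the first. The MAC prefix, batch secret, label string and function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values: a locally administered MAC prefix and a dummy secret.
# A real batch secret would be randomly generated and kept in an HSM.
OUI = bytes.fromhex("02a1b2")
BATCH_SECRET = bytes(range(32))

def allocate_macs(oui, first_serial, count):
    """Hand out sequential MACs; fail rather than wrap past the 24-bit suffix."""
    if first_serial < 0 or first_serial + count > 1 << 24:
        raise ValueError("MAC block exhausted")
    return [oui + (first_serial + i).to_bytes(3, "big") for i in range(count)]

def device_key(batch_secret, mac):
    """Diversified key: extracting one unit's key reveals no other unit's key."""
    return hmac.new(batch_secret, b"widget-key-v1|" + mac, hashlib.sha256).digest()

def provision_run(registry, first_serial, count):
    """Add a production run to the registry, refusing any reused MAC or key."""
    run = {m.hex(":"): device_key(BATCH_SECRET, m)
           for m in allocate_macs(OUI, first_serial, count)}
    clash = run.keys() & registry.keys()
    if clash:
        raise ValueError(f"{len(clash)} MAC(s) already issued, e.g. {min(clash)}")
    if len(set(run.values()) | set(registry.values())) != len(run) + len(registry):
        raise ValueError("duplicate device key")
    registry.update(run)  # only reached when the whole run is clean
    return run

def demo():
    """Replay the slide's scenario: 100 units, then a run of 1000."""
    registry, error = {}, ""
    provision_run(registry, 0, 100)        # Kickstarter batch
    try:
        provision_run(registry, 0, 1000)   # second run restarts at serial 0
    except ValueError as err:
        error = str(err)
    provision_run(registry, 100, 1000)     # corrected: continue after batch 1
    return len(registry), error

if __name__ == "__main__":
    print(demo())
```

The rejected run leaves the registry untouched, so the corrected run can be issued immediately afterwards.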
Scaling from 1000 to 10000
• Your music widget is now very popular! You have built and shipped 10,000 units:
– But the product has attracted the attention of malicious hackers
– You need to routinely issue security patches
– Get this one wrong and it will affect profits and brand image
• At this scale, you will begin to see customers raise many more “marginal” support issues (including obscure security bugs)
– Fixing these can consume a large proportion of your development and support budget
– Unsold items in stock will also need to be patched with new firmware to fix security and other problems
– If you have not planned for these issues you will end up losing money on each new item sold
• Now try scaling up to 100,000 units …
Scale your product
• At each stage of production scaling, you should also plan for the next stage
• Implement the principle of ‘security by design’, starting with your first production batch
• Design your product for high volume manufacturing runs in order to lower production costs
• Design for the complete security lifecycle of the product
– If a product stores a lot of personal data at end-of-life (or when re-sold), can this be easily erased?
– Use your management of security & privacy processes as a way to differentiate yourself from the competition
• Embrace security ‘best practice’ and certification for products and processes (e.g. ISO 27000)
• Be aware of regulatory requirements in overseas markets
• Can you afford to design, build and support a secure product at your intended price point?
Conclusions
• We have seen that protecting critical social and economic infrastructure from cyber-attacks is a major priority for the UK
• We have examined how developing secure IoT products can present startup businesses with many challenges
• What do these two ends of the scale have in common?
– You need to plan ahead and ask ‘What if …?’
– You need to try and understand the risks
– You need to invest adequate resources to meet your goals
– You need to monitor how well your security strategy is performing
– Put effective processes in place to manage and contain any security problems
• Whether working at the micro-scale or the macro-scale, it’s crucial to develop a security mindset
Any questions?
bill.harpley@astius.co.uk