In this webinar we will discuss the state of security for IoT devices, the threats that exist for IoT devices, and the challenges of building secure IoT devices. We will also discuss the technologies available to ensure your IoT device is secure.
2. #EEwebinar
Before We Start
• This webinar will be available afterwards at www.designworldonline.com & email
• Q&A at the end of the presentation
• Hashtag for this webinar: #EEwebinar
3. #EEwebinar
Meet your Presenter
Security Fundamentals for IoT Devices; Creating the Internet of Secure Things
Aimee Kalnoskas, Design World EE Network, Moderator
Alan Grau, President & Co-founder, Icon Labs
4. #EEwebinar
IoT security
• Why do we care about the IoT
• What do we mean by IoT/IIoT
• Why worry about security
• Security standards for Industrial Automation
• Nuts and bolts of security for IIoT devices
o Security challenges for the IoT
o Framework/requirements for security
o Implementing security for IIoT devices
• Summary/Questions
5. #EEwebinar
The IoT is driving businesses
$15 Trillion economic value created by IoT over next 20 years (GE)
250 million connected vehicles by 2020 (Gartner)
75% growth in wireless devices between now and 2020, reaching 40 billion devices (ABI Research)
$3 Billion IoT investment (IBM)
Managed Services to jump from $14.75 billion in 2013 to $265.05 billion in 2018 (Solarwinds)
6. #EEwebinar
IoT
• IoT – Using Internet connectivity to capture data from a cornucopia of “things”; then analyze the data to create new efficiencies and business opportunities
7. #EEwebinar
Why focus on security?
• So your devices and systems are secure
o Hopefully by now this is self-evident
• Competitive advantage
• Enable managed services – create revenue opportunities
• Required to meet regulatory compliance and to protect against lawsuits and bad PR
9. #EEwebinar
How are we doing?
• 70% of new IoT devices have significant security weaknesses – HP Labs
• Average new IoT device has 25 security vulnerabilities – HP Labs
• “We have been able to penetrate every system we’ve targeted” – Kevin Mitnick
10. #EEwebinar
Security Standards
• Industrial automation
o ISA/IEC 62443:EDSA
• www.isa.org/isa99/
• Federal Mandate/NIST Cybersecurity Framework
o US Federal Executive Order (EO) 13636
• www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
• Power Grid/Smart Grid
o NERC/CIP
• www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
11. #EEwebinar
Regulatory Compliance: Major Driver
• Regulatory compliance is frequently a driving force for implementing security
o Quantifiable
o Understandable
• Executives who struggle to understand nuanced security tradeoffs CAN understand compliance
12. #EEwebinar
Security Standards
• Many standards, but common themes
o Identity management
o Mutual authentication/authorization
o Audit
o Protection
o Secure communication
o Attack detection and mitigation
o Security management and visibility
13. #EEwebinar
IoT Security Challenges
Scalability
• 8/16 bit MCU based
• 32 bit RTOS based
• 32 bit Linux/Android
Fragmented market
• HW vendors
• SW vendors
• Vertical markets
• End Users
Diverse communication
• Wi-Fi, Ethernet, TCP/IP
• ZigBee, Bluetooth, BLE
Broad attack surfaces
• Multiple communication interfaces
• Devices accessible to hackers
15. #EEwebinar
Classes of IoT Devices
Class 1 device
• Very small devices (light bulbs, sensors)
• 8/16 bit MCU
• ZigBee, MESH networking
• Limited CPU cycles, memory
• Bare metal, scheduler or kernel such as FreeRTOS or uC/OS-III
Class 2 device
• Small, low cost but moderately powerful devices (medical devices, telematics)
• 32 bit MCU
• Cellular, BLE, Bluetooth, Ethernet, or WiFi
• RTOS only – not Linux
Class 3 device
• More expensive, more powerful devices such as larger medical devices
• 32 bit MPU
• Ethernet or WiFi
• RTOS or embedded Linux
Class 4 device
• Gateway or high-end endpoints
• 32/64 bit MPU
• Embedded Linux or Android
• Multiple protocols including Ethernet, WiFi and ZigBee, BLE or Bluetooth
16. #EEwebinar
Perimeter security
• One solution: More Perimeters
o Expensive!
o Doesn’t address fundamental issues
• Security perimeters are only a partial solution
o IoT devices may not be inside of a security perimeter
o Perimeters can be compromised
o Insider threats account for more than 50% of cyber-incidents
17. #EEwebinar
Secure the devices
• Don’t rely only on the perimeter
• Build the required security into the device
o Order of magnitude lower cost
o Addresses basic security needs such as secure boot and security management
18. #EEwebinar
Challenge of IoT Device Security
• IoT devices are embedded devices
o Embedded Linux, Android or RTOS-based
o Limited resources for security software
o Traditional IT security solutions won’t work
• Not just about data – protecting critical operations
• Need new solutions designed for embedded devices
o Build it yourself
o Find a commercial solution
19. #EEwebinar
OT devices, IT security
• All devices must be
o Protected
o Trusted
o Authenticated
o Secured
o Managed
o Visible
20. #EEwebinar
Security Requirements
• Harden the device
o Hypervisor, secure boot, intrusion detection
o Leverage hardware security features
• Data protection
o Data at rest, data in motion
o Key and password obfuscation
• Secure communication
o Security protocols, mutual authentication, firewall
• Visibility and management
o Management system integration (policy updates, events)
22. #EEwebinar
Hardening the device
• Leverage hardware security features
o TPM/TEE
o Secure device ID
o Crypto acceleration
• Hypervisor
• Secure boot
• Intrusion detection
23. #EEwebinar
Leverage HW Security Features
• Trusted Platform Module (TPM)
o International standard for a secure cryptographic processor
o Dedicated microprocessor designed to enable secure devices
o Secure key storage
o Key generation
o Encryption/decryption
• Provides foundation for security
24. #EEwebinar
Hypervisor
• Enables partitioning to increase security
o Security processing & management isolated from user processing
• Security breach in one partition cannot impact other partitions
25. #EEwebinar
Secure Boot
Before loading software, verify
• it came from the OEM
• it has not been tampered with
Hardware TPM/TEE can provide
• Protected key storage
• Protected signature storage
• Signature generation
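The two checks listed above (came from the OEM, not tampered with) are what a bootloader's verify step actually computes. The following Go program is an added example, not code from the webinar or from Icon Labs; the image layout (magic "IMG1", version, length, SHA-256 digest, Ed25519 signature over the header, then the payload), the function names and the anti-rollback counter are all assumptions made for illustration. It goes slightly beyond the slide by also enforcing a minimum version, so that an old, validly signed image with known bugs cannot be re-flashed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (hypothetical, not any vendor's format):
//   header    : magic "IMG1" | version (u32 BE) | payload length (u32 BE) | SHA-256(payload)
//   signature : Ed25519 over the header, made with the OEM signing key
//   payload   : the firmware itself
const (
	magic     = "IMG1"
	headerLen = 4 + 4 + 4 + sha256.Size
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("secure boot: malformed image")
	ErrSignature = errors.New("secure boot: signature does not verify against the OEM key")
	ErrDigest    = errors.New("secure boot: payload digest mismatch (image tampered)")
	ErrRollback  = errors.New("secure boot: version below the anti-rollback counter")
)

// NewOEMKey stands in for the OEM's offline signing key pair. Only the public
// half is ever placed on the device (ROM, OTP fuses or TPM-protected storage).
func NewOEMKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage plays the role of the OEM signing tool: hash the payload, sign the header.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(hdr[12:], sum[:])
	img := append(hdr, ed25519.Sign(priv, hdr)...)
	return append(img, payload...)
}

// VerifyImage is the bootloader's check before control is handed to the payload:
//  1. the header signature must verify with the OEM public key (nothing in the
//     header is trusted before this),
//  2. the signed version must not be older than the device's anti-rollback counter,
//  3. the payload hash must equal the signed digest.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, image []byte) (uint32, []byte, error) {
	if len(image) < headerLen+sigLen || string(image[:4]) != magic {
		return 0, nil, ErrFormat
	}
	hdr := image[:headerLen]
	sig := image[headerLen : headerLen+sigLen]
	payload := image[headerLen+sigLen:]
	if !ed25519.Verify(pub, hdr, sig) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(hdr[4:8])
	if binary.BigEndian.Uint32(hdr[8:12]) != uint32(len(payload)) {
		return 0, nil, ErrFormat
	}
	if version < minVersion {
		return 0, nil, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], hdr[12:]) {
		return 0, nil, ErrDigest
	}
	return version, payload, nil
}

func main() {
	pub, priv := NewOEMKey()
	img := BuildImage(priv, 7, []byte("constructed firmware blob, version 7"))
	v, _, err := VerifyImage(pub, 5, img)
	fmt.Println("genuine image: version", v, "err", err)
	tampered := append([]byte(nil), img...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 5, tampered)
	fmt.Println("tampered payload:", err)
	_, _, err = VerifyImage(pub, 8, img)
	fmt.Println("downgrade attempt:", err)
}
```

The order of the checks matters: the signature is verified before any header field is used, so a forged length or version field cannot steer the parser, and the payload hash is compared only after the header it is compared against is known to be the OEM's. On a device with a TPM/TEE the public key and the anti-rollback counter would live in the protected storage the slide mentions rather than in the bootloader's own flash.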
26. #EEwebinar
IDS/IPS for Embedded Devices
• Communication based IDS/IPS
o Report firewall rules violations
o Protocol specific DPI
o Detect scans, probing
• Configuration based IDS/IPS
o Detect unauthorized changes to firmware, libraries and data files
• Report events to a security management system
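Both halves of the slide can be shown in a few dozen lines. The Go program below is an added example, not code from the webinar or from Icon Labs; the Event/Conn/Policy types, the function names, the baseline file set and the firewall log are constructed for illustration. The configuration-based part keeps a SHA-256 baseline of protected files and reports anything modified, missing or unexpected; the communication-based part walks a firewall log, reports rule violations, and flags a source that touches more distinct ports than the policy allows inside a time window. Each finding is an Event of the kind a device would forward to a security management system.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Event is what the device forwards to the security management system.
type Event struct {
	Kind   string // "integrity", "firewall" or "scan"
	Detail string
}

// ---- Configuration-based IDS: unauthorized changes to firmware, libraries, data ----

// Baseline maps a path to the SHA-256 of its trusted contents. On a real device it
// is computed at provisioning time and kept where an intruder cannot rewrite it.
type Baseline map[string]string

func digest(data []byte) string {
	s := sha256.Sum256(data)
	return hex.EncodeToString(s[:])
}

func NewBaseline(files map[string][]byte) Baseline {
	b := Baseline{}
	for p, data := range files {
		b[p] = digest(data)
	}
	return b
}

// CheckIntegrity compares the current file set against the baseline.
func CheckIntegrity(b Baseline, current map[string][]byte) []Event {
	var ev []Event
	var paths []string
	for p := range b {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic report order
	for _, p := range paths {
		data, ok := current[p]
		switch {
		case !ok:
			ev = append(ev, Event{"integrity", "missing: " + p})
		case digest(data) != b[p]:
			ev = append(ev, Event{"integrity", "modified: " + p})
		}
	}
	var extra []string
	for p := range current {
		if _, ok := b[p]; !ok {
			extra = append(extra, p)
		}
	}
	sort.Strings(extra)
	for _, p := range extra {
		ev = append(ev, Event{"integrity", "unexpected: " + p})
	}
	return ev
}

// ---- Communication-based IDS: firewall rule violations and scan detection ----

// Conn is one inbound connection attempt as the embedded firewall logs it.
type Conn struct {
	Src  string
	Port int
	T    int // seconds since boot
}

// Policy: only AllowedPorts may be reached; a source touching ScanThreshold or
// more distinct ports within ScanWindow seconds is reported as a scan.
type Policy struct {
	AllowedPorts  map[int]bool
	ScanThreshold int
	ScanWindow    int
}

func CheckTraffic(p Policy, log []Conn) []Event {
	var ev []Event
	history := map[string][]Conn{} // per-source connection history
	flagged := map[string]bool{}   // sources already reported as scanning
	for _, c := range log {
		if !p.AllowedPorts[c.Port] {
			ev = append(ev, Event{"firewall", fmt.Sprintf("rule violation: %s -> :%d blocked", c.Src, c.Port)})
		}
		history[c.Src] = append(history[c.Src], c)
		ports := map[int]bool{} // distinct ports this source touched inside the window
		for _, h := range history[c.Src] {
			if c.T-h.T <= p.ScanWindow {
				ports[h.Port] = true
			}
		}
		if len(ports) >= p.ScanThreshold && !flagged[c.Src] {
			flagged[c.Src] = true
			ev = append(ev, Event{"scan", fmt.Sprintf("%s touched %d ports within %ds", c.Src, len(ports), p.ScanWindow)})
		}
	}
	return ev
}

// Constructed sample data: a device that only serves TLS (443) and MQTT/TLS (8883),
// one legitimate client, and one host walking through several ports in quick succession.
var SamplePolicy = Policy{AllowedPorts: map[int]bool{443: true, 8883: true}, ScanThreshold: 4, ScanWindow: 10}

var SampleLog = []Conn{
	{"10.0.0.5", 443, 1},
	{"10.0.0.9", 22, 2},
	{"10.0.0.9", 23, 3},
	{"10.0.0.9", 80, 4},
	{"10.0.0.9", 443, 5},
	{"10.0.0.9", 8883, 6},
	{"10.0.0.5", 8883, 30},
}

func main() {
	base := NewBaseline(map[string][]byte{"/boot/app.bin": []byte("firmware v7")})
	for _, e := range CheckIntegrity(base, map[string][]byte{"/boot/app.bin": []byte("firmware v7 (modified)")}) {
		fmt.Println(e.Kind, e.Detail)
	}
	for _, e := range CheckTraffic(SamplePolicy, SampleLog) {
		fmt.Println(e.Kind, e.Detail)
	}
}
```

Run against the sample log this yields three firewall events for the blocked ports and one scan event at the fifth connection, when 10.0.0.9 reaches its fourth distinct port; the later connection from 10.0.0.5 at T=30 is outside the window of its first one and is not counted. On a constrained RTOS device the same logic would be driven from the firewall's packet filter rather than from an in-memory log.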
27. #EEwebinar
Securing Device Data
• Data at rest: device is off, how is the data protected?
o Encrypted files, full disk encryption
• Data in use: while generated or being processed - is it secured?
o Obfuscation, MMU based protection methods, user privileges
o Protect against memory scraping attacks
• Data in transit: leaving the device, is it being hijacked?
o Security protocols
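For the data-at-rest bullet, the following Go program is an added example, not code from the webinar or from Icon Labs; the Seal/Open function names, the device-key helper and the sample file path are assumptions made for illustration. It encrypts a file's contents with AES-256-GCM, prepends a fresh nonce so one key can protect many files, and binds the file path as associated data so that a blob copied from one path to another is rejected as well as one that was edited on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrTampered = errors.New("data at rest: authentication failed (blob modified, moved, or wrong key)")

// NewDeviceKey stands in for the per-device AES-256 key. On a real device it would
// be generated and held by the TPM/TEE or secure element, never stored in the clear.
func NewDeviceKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// Seal encrypts a file's contents with AES-256-GCM. A random nonce is prepended to
// the output, and the file path is bound as associated data so the ciphertext only
// opens at the path it was written for.
func Seal(key, plaintext []byte, path string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal. Any change to the stored blob, the path or the key makes the
// GCM tag check fail, so a modified file is never handed back as valid data.
func Open(key, blob []byte, path string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrTampered
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(path))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	key := NewDeviceKey()
	blob, _ := Seal(key, []byte("constructed sensor record"), "/data/telemetry.db")
	pt, err := Open(key, blob, "/data/telemetry.db")
	fmt.Printf("intact: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 0x80 // simulate an edit to the stored file
	_, err = Open(key, blob, "/data/telemetry.db")
	fmt.Println("modified on disk:", err)
}
```

Using an authenticated mode is the point: plain AES-CBC would decrypt a modified file to garbage without complaint, whereas GCM refuses it, which turns "data at rest" protection into something an integrity monitor can act on. With a TPM the key would be sealed to the device's measured boot state, so the data also stays unreadable if the firmware verified at boot has been replaced.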
31. #EEwebinar
Summary
• Common requirements
o Industry standards help define security requirements
o Many standards, but common requirements
• Utilize a security framework that provides building blocks to enable and support the various standards
• Integrate security into the device itself – don’t just rely on a secure perimeter
32. #EEwebinar
Questions?
Security Fundamentals for IoT Devices; Creating the Internet of Secure Things
Aimee Kalnoskas, Moderator, Design World EE Network
akalnoskas@wtwhmedia.com
@DW_Aimee
Alan Grau, President & Co-founder, Icon Labs
Alan.grau@iconlabs.com
33. #EEwebinar
Thank You
• This webinar will be available at designworldonline.com & email
• Tweet with hashtag #EEwebinar
• Connect with Design World
• Discuss this on EngineeringExchange.com