In this webinar we will discuss the state of security for IoT devices, the threats that exists for IoT devices and the challenges for building secure IoT devices. We will also discuss the technologies available to ensure your IoT device is secure.

1. #EEwebinar
Security Fundamentals for
IoT Devices; Creating the
Internet of Secure Things

2. #EEwebinar
q This webinar will be available afterwards at
www.designworldonline.com & email
q Q&A at the end of the presentation
q Hashtag for this webinar: #EEwebinar
Before We Start

3. #EEwebinar
Aimee Kalnoskas
Design World EE Network
Moderator
Alan Grau
President & Co-founder
Icon Labs
Security Fundamentals for IoT Devices; Creating the Internet of Secure Things
Meet your Presenter

4. #EEwebinar
IoT security
• Why do we care about the IoT
• What do we mean by IoT/IIoT
• Why worry about security
• Security standards for Industrial Automation
• Nuts and bolts of security for IIoT devices
o Security challenges for the IoT
o Framework/requirements for security
o Implementing security for IIoT devices
• Summary/Questions

5. #EEwebinar
The IoT is driving businesses
$15 Trillion economic value created by IoT over next
20 years
GE
250 million connected vehicles by 2020
Gartner
75% growth in wireless devices between now and
2020, reaching 40 billion devices
ABI Research
$3 Billion IoT investment
IBM
Managed Services to jump from $14.75 billion in
2013 to $265.05 billion in 2018
Solarwinds

6. #EEwebinar
IoT
• IoT – Using Internet connectivity to capture data from a
cornucopia of “things”; then analyze the data to create new
efficiencies and business opportunities
6

7. #EEwebinar
Why focus on security?
• So your devices and systems are secure
o Hopefully by now this is self evident
• Competitive advantage
• Enable managed services – create revenue opportunities
• Required to meet regulator compliance and to protect
against lawsuits and bad PR

8. #EEwebinar
Growing threat of cyber-attacks

9. #EEwebinar
How are we doing?
• 70% of new IoT devices have significant security
weaknesses – HP Labs
• Average new IoT device has 25 security vulnerabilities –
HP Labs
• “We have been able to penetrate every system we’ve
targeted” – Kevin Mitnick

10. #EEwebinar
Security Standards
• Industrial automation
o ISA/IEC 62443:EDSA
• www.isa.org/isa99/
• Federal Mandate/NIST Cybersecurity Framework
o US Federal Executive Order (EO) 13636
• www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-
cybersecurity
• Power Grid/Smart Grid
o NERC/CIP
• www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
10

11. #EEwebinar
Regulatory Compliance: Major Driver
• Regulatory compliance is frequently a driving force for
implementing security
o Quantifiable
o Understandable
• Executives who struggle to understand nuanced security
tradeoffs CAN understand compliance
11

12. #EEwebinar
Security Standards
• Many standards, but common themes
o Identity management
o Mutual authentication/authorization
o Audit
o Protection
o Secure communication
o Attack detection and mitigation
o Security management and visibility
12

13. #EEwebinar
IoT Security Challenges
Scalability
• 8/16 bit MCU based
• 32 bit RTOS based
• 32 bit Linux/Android
Fragmented market
• HW vendors
• SW vendors
• Vertical markets
• End Users
Diverse
communication
• Wi-­‐‑Fi, Ethernet, TCP/IP
• ZigBee, Bluetooth, BLE
Broad a^ack surfaces
• Multiple communication
interfaces
• Devices accessible to
hackers

14. #EEwebinar
Classes of IoT Devices

15. #EEwebinar
Classes of IoT Devices
Class 1 device
• Very small
devices (light
bulbs, sensors)
• 8/16 bit MCU
• ZigBee, MESH
networking
• Limited CPU
cycles, memory
• Bare metal,
scheduler or
kernel such as
FreeRTOS or uC/
OS-­‐‑III
Class 2 device
• Small, low cost
devices but
moderately
powerful devices
(medical devices,
telematics)
• 32 bit MCU
• Cellular, BLE,
Bluetooth,
Ethernet, or WiFi
• RTOS only – not
Linux
Class 3 device
• More expensive,
more powerful
devices such as
larger medical
devices,
• 32 bit MPU
• Ethernet or WiFi
• RTOS or
embedded Linux
Class 4 device
• Gateway or
high-­‐‑end
endpoints
• 32/64 bit MPU
• Embedded Linux
or Android
• Multiple
protocols
including
Ethernet, WiFi
and ZigBee, BLE
or Bluetooth

16. #EEwebinar
Perimeter security
• One solution: More Perimeters
o Expensive!
o Doesn’t address fundamental issues
• Security perimeters are only a partial solution
o IoT devices may not be inside of a security perimeter
o Perimeters can be compromised
o Insider threats account for more than 50% of cyber-incidents
16

17. #EEwebinar
Secure the devices
• Don’t rely only on the perimeter
• Build the required security into the device
o Order of magnitude lower cost
o Addresses basic security needs such as secure boot and security
management
17

18. #EEwebinar
Challenge of IoT Device Security
• IoT devices are embedded devices
o Embedded Linux, Android or RTOS-based
o Limited resources for security software
o Traditional IT security solutions won’t work
• Not just about data – protecting critical operations
• Need new solutions designed for embedded devices
o Build it yourself
o Find a commercial solution
18

19. #EEwebinar
OT devices, IT security
• All devices must be
o Protected
o Trusted
o Authenticated
o Secured
o Managed
o Visible
19

20. #EEwebinar
Security Requirements
• Harden the device
o Hypervisor, secure boot, intrusion detection
o Leverage hardware security features
• Data protection
o Data at rest, data in motion
o key and password obfuscation
• Secure communication
o Security protocols, mutual authentication, firewall
• Visibility and management
o Management system integration (policy updates, events)
20

21. #EEwebinar
Security Framework
21
o Designed for
embedded use
o Portable
o Small footprint
o Minimal
performance
overhead

22. #EEwebinar
Hardening the device
• Leverage hardware security features
o TPM/TEE
o Secure device ID
o Crypto acceleration
• Hypervisor
• Secure boot
• Intrusion detection
22

23. #EEwebinar
Leverage HW Security
Features
• Trusted Platform Module (TPM)
o International standard for a secure
cryptographic processor
o Dedicated microprocessor designed
to enable secure devices
o Secure key storage
o Key generation
o Encryption/decryption
• Provides foundation for security

24. #EEwebinar
Hypervisor
• Enables partitioning to increase security
o Security processing & management isolated from user processing
• Security breach in one partition cannot impact other
partitions
24

25. #EEwebinar
Secure Boot
Before loading software, verify
• it came from the OEM
• it has not been tampered with
Hardware TPM/TEE can provide
• Protected key storage
• Protected signature storage
• Signature generation

26. #EEwebinar
IDS/IPS for Embedded Devices
• Communication based IDS/IPS
o Report firewall rules violations
o Protocol specific DPI
o Detect scans, probing
• Configuration based IDS/IPS
o Detect unauthorized changes to
firmware, libraries and data files
• Report events to a security management
system

27. #EEwebinar
• Data at rest: device is off, how is the data protected?
o Encrypted files, full disk encryption
• Data in use: while generated or being processed - is it secured?
o Obfuscation, MMU based protection methods, user privileges
o Protect against memory scraping attacks
• Data in transit: leaving the device, is it being hijacked?
o Security protocols
Securing Device Data

28. #EEwebinar
Secure Communication
• Security protocols
o IPsec/IKE (VPN)
o SSH / SSL/TLS/DTLS
• Authentication
o X.509 / Kerberos
o RADIUS
o TACACS+
o 802.1X

29. #EEwebinar
Embedded Firewall
• Endpoint firewall for
embedded/RTOS systems
• Rules based filtering (IP
addresses, ports, protocols)
• Stateful packet inspection
• Threshold filtering
• Protocol specific deep packet
inspection
• IDS alerts

30. #EEwebinar
Management and visibility
• Policy management
• Event reporting
• Situational awareness
• Status monitoring
• Secure firmware updates
30

31. #EEwebinar
Summary
• Common requirements
o Industry standards help define security requirements
o Many standards, but common requirements
• Utilize a security framework that provides building blocks
to enable and support the various standards
• Integrate security into the device itself – don’t just rely on a
secure perimeter

32. #EEwebinar
Aimee Kalnoskas
Moderator
Design World EE Network
akalnoskas@wtwhmedia.com
@DW_Aimee
Alan Grau
President & Co-founder
Icon Labs
Alan.grau@iconlabs.com
Questions?
Security Fundamentals for IoT Devices; Creating the Internet of Secure Things

33. #EEwebinar
Thank You
q This webinar will be available at
designworldonline.com & email
q Tweet with hashtag #EEwebinar
q Connect with Design World
q Discuss this on EngineeringExchange.com