Slide 2
IoT Security
Over 13 standards bodies have an advisory:
http://www.cisoplatform.com/profiles/blogs/survey-of-iot-security-standards
FTC, NIST
IoT Security Foundation, Broadband Internet Technical Advisory Group (BITAG)
OWASP
IETF (DICE, MUD, OtrF, ACE)
IIC (Industrial Internet Consortium)
Cybersecurity: the risk is money and reputation
IoT: the risk is accidents and human lives
Slide 3
Task Force on IoT Security
IoT Forum and CISO Platform join hands to create an IoT Security Task Force
Readying up the Nation for #IoTSecurity
The task force is chartered to develop threat models and controls, and to assist players in new techno-legal-commercial arrangements to improve IoT security.
Fresh thinking around security for IoT
Slide 4
Fresh Thinking: Is the Emperor Naked?
You don't change all the locks of each house in a city merely because criminals can break 7-lever locks in less time.
Slide 5
IoT Security
Program COMPLEXITY = Algorithm + Data Structure
Cybersecurity DIFFICULTY = Legal + Technical
The Internet was designed to withstand a disruptive nuclear attack.
IP and MAC spoofing make it fundamentally insecure.
Legal basis
Product quality and liability regime – USA
DDoS by house owners is like rioters: is it the house owner's responsibility?
Petty WannaCry-type ransomware is like carjacking in Joburg. Armoured car?
Criminal law
Territorial
Individual, layers of government: precinct, city, state, nation
Right of self defence
Do IoT networks need to be anyone, anywhere, anytime?
We need attribution which can hold in a court of law and can be easily and routinely derived, not requiring weeks of research.
Slide 6
Plan
Initial discussions at IoTNext 2016 (4Q 2016)
Public airing 9 Sep 2017
CISO Platform 14 Sep
IET socialization 15 Sep
1W Oct: TSDSI, DOT, TRAI, CDAC; BSNL, Airtel, Jio, Vodafone, Ericsson, telco stack; SoC and chip manufacturers; lawyers, Free Internet; others (IEEE, iSPIRT)
2W: Revisions based on feedback
Final draft Nov 9/10
Slide 7
Urban City: Does every house need to be a Fort Knox?
▪ The Wild West
▪ The Frontier Town
▪ The City
Private, Semi Private, Semi Public, Public
Visitor ID and verification; inspection of car; high security area; checks on types of transport and speed etc.
IEEE P1931.1 WG Roof Computing
Context based
Slide 8
Fresh Thinking: Enterprise security at scale
A level between end devices, users/enterprise and Cloud
Shared skills and services; more economical and scalable
Range of service levels provided by Managed Security Network Providers (MSNP): SAFE, HARDENED, BALLISTIC
Collaboration necessary
WireX botnet: Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ and Team Cymru collaborated in near real time to pinpoint the Android apps
Tanium
Slide 9
Segmenting the Internet:
Regulatory SANDBOX for pioneering an effective technical solution
An IPv4 network address has:
▪ A net part: 126 networks for Class A, 2 million+ for Class C
▪ A host part: 254 hosts for Class C, 16 million for Class A
Specials:
▪ 127.0.0.1 local loopback within a host
▪ 192.168.1.1 default gateway
▪ 255.255.255.255 mask for multicast
IoT SECURENET: Class E network
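Worked illustration of the classful arithmetic quoted on this slide (an added example, not part of the deck): it classifies an IPv4 address, splits it into network and host parts, and counts assignable networks and hosts per class. It labels 255.255.255.255 as the limited broadcast address and 224/4 as the multicast range, as the RFCs define them; the sample addresses are constructed.

```python
import ipaddress

# Classful IPv4 layout: (class, first-octet range, prefix bits, class-id bits).
# Classes D (multicast) and E (reserved) have no network/host split.
CLASSES = (
    ("A", range(0, 128), 8, 1),
    ("B", range(128, 192), 16, 2),
    ("C", range(192, 224), 24, 3),
    ("D", range(224, 240), None, 4),
    ("E", range(240, 256), None, 4),
)
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr: str) -> dict:
    """Classify a dotted-quad IPv4 address and split it into network and host parts."""
    ip = ipaddress.IPv4Address(addr)
    first = int(ip) >> 24
    cls, prefix, id_bits = next((c, p, b) for c, r, p, b in CLASSES if first in r)
    info = {"address": addr, "class": cls, "special": None}
    if ip.is_loopback:
        info["special"] = "loopback (127/8, never leaves the host)"
    elif int(ip) == 0xFFFFFFFF:
        info["special"] = "limited broadcast"
    elif ip.is_multicast:
        info["special"] = "multicast (class D, 224/4)"
    elif ip.is_reserved:
        info["special"] = "reserved/experimental (class E, 240/4)"
    elif any(ip in n for n in RFC1918):
        info["special"] = "RFC 1918 private (e.g. a home default gateway)"
    if prefix is None:                      # classes D and E: no network/host split
        return info
    host_bits = 32 - prefix
    info["network"] = str(ipaddress.IPv4Network("%s/%d" % (addr, prefix), strict=False))
    info["host_part"] = int(ip) & ((1 << host_bits) - 1)
    networks = 2 ** (prefix - id_bits)
    if cls == "A":
        networks -= 2                       # 0/8 and 127/8 are not assignable
    info["networks"] = networks
    info["hosts"] = 2 ** host_bits - 2      # all-zeros and all-ones host ids excluded
    return info

if __name__ == "__main__":
    for a in ("10.1.2.3", "192.168.1.1", "127.0.0.1", "255.255.255.255", "240.0.0.1"):
        print(classify(a))
```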
Slide 10
SECURENET for IoT
1. Users subscribe to a protocol that allows the managed safe network provider (MSNP) to inform them of suspicious activity by any end point at their end, and they take action within minutes. The MSNP has authority to throttle or block such devices until a discussion with the user and a resolution is put in place. This messaging is "out of band" and not to the device initiating communication.
2. For safe networks, anonymous, anywhere access is explicitly not a feature. Much like the two-factor tokens used by many banks or SMS-based OTP, safe networks have technical steps in place to assure devices are identified and authenticated.
3. Users agree to the MSNP blocking all traffic from ISPs that do not subscribe to some minimum protocols, such as source address verification for SAFE networks, and the higher guarantees on the identity of end users/devices that SAFE, HARDENED and BALLISTIC networks require.
4. HARDENED networks may route packets through specific routers/ISPs and border gateways which are "trusted", even if this causes delay or increases costs. They may use deception-based protection like honeypots and tarpits as a standard.
Slide 11
IoT SECURENET
5. The MSNP may block some protocols permanently (video) and some unless pre-registered (telnet, rlogin and SSH). If users have devices where a service provider needs access through telnet or SSH, this needs to be registered and pre-agreed. The MSNP may require a high level of security from the source of service provider access.
6. Limited encryption. The MSNP needs to be able to determine the ultimate source and destination and other metadata to cross-correlate with others and make assessments of safety and compromised devices. Deep packet inspection may be allowed if required for HARDENED networks and agreed by subscribers. In this scenario senders of packets are denied anonymous passage.
7. Cyber CCTV and patrolling. The MSNP will be logging almost all traffic, sharing suspicious activity in near real time and making threat assessments with other participating ISPs and CERT-In. To make this evidence sufficient for a court of law, ISPs may mandate physical verification and logging as well as hardware-root-of-trust based secure boot at all routers, gateways and bridges in the network; technical steps to defeat IP and MAC spoofing should be in place and audited regularly.
8. The Cyber CCTV logs should follow an agreed protocol for sharing with a central clearing house and for post-event analysis.
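An added example, not from the deck, that encodes rules 1, 2, 3, 5 and 7 of the two SECURENET slides as a small policy check an MSNP could run on flow metadata. The flows, ISP names, device ids and the SSH/telnet/rlogin port numbers are constructed assumptions; rule 1's quarantine and out-of-band notice are modelled as a separate call because the notice goes to the owner, never to the device itself, and demo() runs constructed sample flows and returns the verdicts.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
ADMIN_PORTS = {22: "ssh", 23: "telnet", 513: "rlogin"}  # rule 5: pre-registration required

@dataclass
class Flow:                      # metadata the MSNP can see (rule 6)
    device_id: Optional[str]     # None = device not identified/authenticated (rule 2)
    src_isp: str
    dst_port: int
    app: str = "other"           # "video" is permanently blocked (rule 5)

@dataclass
class Msnp:
    sav_isps: Set[str]           # upstream ISPs enforcing source address verification (rule 3)
    registered: Set[tuple]       # (device_id, port) pairs pre-agreed for admin access (rule 5)
    quarantined: Set[str] = field(default_factory=set)
    log: List[tuple] = field(default_factory=list)   # "cyber CCTV" record (rule 7)
    outbox: List[dict] = field(default_factory=list)  # out-of-band owner notices (rule 1)

    def decide(self, f: Flow) -> str:
        if f.device_id is None:
            verdict = "block: unauthenticated device"
        elif f.src_isp not in self.sav_isps:
            verdict = "block: upstream ISP lacks source address verification"
        elif f.device_id in self.quarantined:
            verdict = "throttle: device quarantined pending user resolution"
        elif f.app == "video":
            verdict = "block: protocol permanently disallowed"
        elif f.dst_port in ADMIN_PORTS and (f.device_id, f.dst_port) not in self.registered:
            verdict = "block: %s not pre-registered" % ADMIN_PORTS[f.dst_port]
        else:
            verdict = "allow"
        self.log.append((f.device_id, f.src_isp, f.dst_port, verdict))  # every flow is logged
        return verdict

    def report_suspicious(self, device_id: str, reason: str) -> None:
        self.quarantined.add(device_id)  # rule 1: quarantine; notify the owner out of band, never the device
        self.outbox.append({"to": "owner-of:" + device_id, "channel": "out-of-band", "reason": reason})

def demo() -> List[str]:
    m = Msnp(sav_isps={"isp-a"}, registered={("cam-1", 22)})
    flows = [Flow("cam-1", "isp-a", 22),            # registered SSH
             Flow("cam-1", "isp-a", 23),            # telnet, not registered
             Flow("bulb-7", "isp-b", 443),          # upstream ISP without SAV
             Flow(None, "isp-a", 443),              # anonymous device
             Flow("tv-3", "isp-a", 443, app="video")]
    verdicts = [m.decide(f) for f in flows]
    m.report_suspicious("cam-1", "outbound scan burst")   # rule 1 trigger
    verdicts.append(m.decide(Flow("cam-1", "isp-a", 22)))  # same device, now throttled
    return verdicts
```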
Slide 12
CROSS BORDER
PROTOCOL for countries allowed to connect on SECURENET
FAST, MINIMUM ACTION on suspect SITES automatically
MARITIME LAW is the basis
In the days of fighting sail, a letter of marque and reprisal was a government license authorizing a person (known as a privateer) to attack and capture enemy vessels and bring them before admiralty courts for condemnation and sale.
A "letter of marque and reprisal" would include permission to cross an international border to effect a reprisal (take some action against an attack or injury) authorized by an issuing jurisdiction to conduct reprisal operations outside its borders.
(Wikipedia)
The United States Constitution grants to the Congress the power, among others, to issue "Letters of Marque and Reprisal."
Slide 13
Critique, Alternatives, Improvements
Volunteers please… HARD PROBLEM
Technical tools and approaches:
▪ Enterprise security at scale
▪ Phishing and super user hijack in IoT
▪ Trigger words for Alexa, Google Home, Siri
▪ MUD, DICE etc.
Legal tools and approaches:
▪ Semi private and semi public in cyberspace
▪ Right to self defence
▪ Delegated policing powers