[View the Webinar] - https://electrici.mp/2v1fQlI
Electric Imp CEO, Hugo Fiennes, and UL’s Director of Connected Technologies, Rachna Stegall discuss the unique demands of helping to secure the IoT — and why independent certification is even more critical in the fast-evolving world.
Join us to hear Fiennes & Stegall share candid insights into why establishing an IoT Security Benchmark, such as UL 2900-2-2 Cybersecurity Certification, is critical for due diligence of edge to enterprise technologies — and the future of commercial, industrial and consumer IoT overall.
[Webinar] Why Security Certification is Crucial for IoT Success
2. #impWebinars
HOUSEKEEPING ITEMS
• Unmute computer speakers
• Slides & recording distributed via email following the session
• Please submit your questions via the Q&A panel
• Live tweet using #impWebinars
3. #impWebinars
WHAT WILL WE DISCUSS TODAY
1. Brief Introductions
2. Current State of IoT Security
3. Why Security Certification is Important
4. What is UL 2900-2-2? How Does it Affect IoT Moving Forward?
5. IoT Best Practices
6. Secure IoT in the Real World
7. Q&A
4. #impWebinars
TODAY’S SPEAKERS
Rachna Stegall, Global Director of Connected Technologies, UL LLC
Rachna Stegall is the Global Director of Connected Technologies, one of UL’s newest divisions, designed to develop, support and deliver cybersecurity solutions including interoperability, software and functional safety, and new associated technologies.
Hugo Fiennes, CEO & Co-Founder, Electric Imp, Inc.
Prior to co-founding Electric Imp, Hugo led the Apple hardware team through the first four generations of the groundbreaking iPhone, and subsequently designed and architected the hardware for the Nest Thermostat. Early in his career, Hugo founded empeg, creator of the first in-car MP3 digital audio player.
6. #impWebinars
Award Winning Secure IoT. Managed Connectivity.
What We Do: Proven IoT Deployments at Scale
We help more than 100 manufacturers and enterprises in 105+ countries transform the world through the power of secure IoT connectivity and enterprise integrations.
Trusted by Industry Leaders
Full Lifecycle, Defense in Depth Security
1st IoT Platform UL® 2900-2-2 Certified.
Security & pen tested by major global manufacturers
First edge IoT platform aligned with IIC Security Framework
11. Hackers are just starting to get interested.
[Chart: Number of IoT related sessions at the last 7 DEFCON conferences (DEFCON 18 through DEFCON 25), broken down by category: iot/scada, car, consumer, embedded]
12. #impWebinars
COST OF SECURITY (VS COSTS OF NOT DOING SECURITY)
Cost of IoT breaches
• Represent 13.4% of total revenues for companies <$5 million annually
• $20 million cost for enterprises with $2 billion+ revenues
SOURCE: Altman Vilandrie Company Survey of IoT Security Breaches, June 2017
A reputation is a fragile thing.
13. #impWebinars
SOURCE: Altman Vilandrie Company Survey of IoT Security Breaches, June 2017
IN IOT, THERE IS ROI FOR SECURITY.
Business Value of IoT Security
Companies that did not experience a security incursion have invested 65% more on IoT security than those who have been breached.
15. #impWebinars
Guidance Documents
• ISO/IEC TR 15443
• ITU-T CYBEX 1500 series
• CVE / NVD
• CWE (CWRAF/CWSS, SANS CWE Top 25 / OWASP Top 10) and CAPEC
• ISO/IEC 27000 series
• ISO/IEC 15408
• ISO/IEC DIS 20243 / O-TTPS
• FISMA
• HIPAA
• IEC 62443
• IEC 80001
• PCI
• SANS 20 CSC
• Cyber Essentials (UK)
• Top 35 mitigation strategies (AU)
• NIST Cybersecurity Framework & SP 800-53r4 security controls
• DHS C3 VP & CRR
• SAE AS5553 & 6174
CURRENT CYBER RISKS
Data Breaches: 66%
International Data Corporation (IDC) research shows that 66% of networks will be breached by 2018
28% to 47% of organizations have experienced IoT-related breaches (Source: Forrester/Cisco)
70% of IoT devices are vulnerable to attack (Source: HP)
In 2016, the average consolidated total cost of a data breach was $4M USD (Source: 2016 Ponemon Study)
16. #impWebinars
WHY THIRD PARTY CERTIFICATION IS IMPORTANT
• Technical Testable Criteria
• Objective Evidence
• Transparent Security Posture
• Validate Security Claims
• Demonstrate Product Security
• Market Differentiation
• Brand Trust
• Manage Security Risk
17. WHAT IS UL 2900-2-2? HOW WILL IT AFFECT IOT MOVING FORWARD?
18. #impWebinars
UL CYBERSECURITY ASSURANCE PROGRAM
A standards-based program to evaluate the cybersecurity posture of SOFTWARE in network-connectable products, aiming to provide a reasonable level of confidence in the absence of vulnerabilities and software weaknesses and the presence of appropriate risk controls.
19. #impWebinars
UL CAP SOLUTIONS
YOUR NETWORK CONNECTABLE PRODUCT AND/OR SYSTEM
IoT network-connectable products & systems: automotive, lighting, smart home, HVAC, building automation, appliances, alarm systems, smart meters, medical devices, fire systems, industrial control systems
CYBERSECURITY SOLUTIONS
• Training services
• Advisory services
• Review services
• Testing services: submit product or system for discrete testing (one or more individual tests) or for certification testing (all tests)
  • Fuzz Testing
  • Known Vulnerabilities
  • Code & Binary Analysis
  • Access Control & Authentication
  • Cryptography
  • Remote Communication
  • Software Updates
  • Structured Penetration Testing
YOUR REPORT AND/OR CERTIFICATION: test report, certificate
KEY TAKEAWAYS: RISK MITIGATION, INNOVATION, COMPETITIVE ADVANTAGE
21. #impWebinars
UL 2900-2-2 EXAMPLE PRODUCTS
• Programmable Logic Controllers (PLC)
• Distributed Control Systems (DCS)
• Process control systems
• Historians, data loggers & data storage systems
• Control servers
• SCADA servers
• Remote Terminal Units (RTU)
• Human-Machine Interfaces (HMI)
• Input/Output (IO) servers
• Fieldbuses
• Networking equipment for ICS systems
• Smart sensors
• Controllers
• Embedded system/controllers
UL 2900-2-2 test areas: Fuzz Testing, Known Vulnerability, Code & Binary Analysis, Access Control & Authentication, Cryptography, Remote Communication, Software Updates, Risk Assessment, Structured Pen Testing
22. #impWebinars
UL 2900-2-2 PROGRAM SCOPE EXAMPLE
[Diagram: UL 2900-2-2 scope spanning the Internet, ERP systems, manufacturing and engineering systems, plant floor, branch offices, branch factories, customers, supply chain systems, machining assets, Programmable Logic Controllers (PLCs) and factory network infrastructure]
UL 2900-2-2 is written specifically to address product ecosystems in the industrial control system vertical.
23. UL 2900-2-2 SOFTWARE IMPLEMENTATION SOLUTION
Leverage Electric Imp’s Certification to Save Time and Resources:
• By incorporating an IoT platform that is already UL certified with your products, you can leverage the UL Certified Software Implementation Solution by streamlining your product’s UL certification with less cost and faster time to market.
• Find out which platforms are already UL certified by searching the UL Online Certifications Directory with the UL Category Code CYBR.
25. #impWebinars
BIG PICTURE: SECURITY IS CRUCIAL TO IOT
“Security is a special challenge for IoT. IoT systems operate across the public internet; are deployed outside of the physical control of the organization; may remain in place in critical systems for 10 to 20 years; and may control critical infrastructure, or be capable of coordinated attacks on other systems. Furthermore, IoT developers are focused on business problems and may not have a strong security perspective. The devices themselves may lack critical hardware capabilities for securing their operation against attack. Securing IoT requires a balance of protecting against long-term devastation and accelerating value generation…”
Source: Internet of Things Primer for 2017
26. #impWebinars
WHAT DOES A “STRONG SECURITY PERSPECTIVE” MEAN?
UNDERSTANDING…
… the need for Defense in Depth
… devices need to be able to be updated without end user involvement
… no application is safe. These are nodes. They are valuable to someone.
28. #impWebinars
SECURE IOT IS FOR A LIFETIME (of your connected product, that is)
• Devices in the field for years or even decades
• A compromise may be invisible but dangerous
Credit: Happiest Minds http://www.happiestminds.com/Insights/internet-of-things/
29. #impWebinars
IN IOT SECURITY, NO REASON TO REINVENT THE WHEEL
• Root of trust using FIPS 140-2 HSMs (OS signing)
• Every chip provisioned with unique secrets at time of manufacture
• Privilege separation: application has no access to keys
• Certificate secured communications
• OTA upgrades of both OS and application: consensual or forced
Credit: Spencer Lewis - http://www.spencerclewis.com/2016/04/reinventing-the-wheel/
30. #impWebinars
TIMING? YOU COULD WAIT FOR GOVERNMENT MANDATES ….
Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence
31. #impWebinars
… OR GET STARTED NOW WITH CONFIDENCE
• Certification delivers cybersecurity due diligence
• Ongoing testing is defense against evolving (and increasing) security threats
32. SECURE IOT IN THE REAL WORLD: WINNING AWARDS IN REGULATED MARKETS
34. #impWebinars
ELECTRIC IMP: UL 2900-2-2 CYBERSECURITY CERTIFIED
IoT Platform Stack: imp Authorized Hardware, impOS™, impCloud™, BlinkUp™, impFactory™, impSecure™
Layers: HARDWARE, DEVICE MGMT, CONNECTIVITY, APP ENABLEMENT, CLOUD, DATA, SECURITY
35. #impWebinars
HOW TO WORK WITH US
SECURE IOT EDGE TO ENTERPRISE: get started at electricimp.com/docs/gettingstarted/
FREE DEVELOPER ACCOUNT
IoT QUICKSTART FAMILY FOR PROTOTYPING
• impExplorer™ Kits
• impAccelerator™ Solution Kits
• Electric Imp Breakout Boards
CONNECT TO LEARN MORE: connect at ul.com/cybersecurity, reach out to us at ulcyber@ul.com, or visit www.ul.com/cybersecurity
Editor’s notes
SOURCE: Verizon Data Breach Survey http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
SOURCE: https://www.rambus.com/blogs/u-s-firms-confirm-iot-security-breaches/
SOURCE: Altman Vilandrie Company Survey of IoT Security Breaches http://www.businesswire.com/news/home/20170601006165/en/Survey-U.S.-Firms-Internet-Hit-Security-Breaches/?feedref=JjAwJuNHiystnCoBq_hl-Q-tiwWZwkcswR1UZtV7eGe24xL9TZOyQUMS3J72mJlQ7fxFuNFTHSunhvli30RlBNXya2izy9YOgHlBiZQk2LOzmn6JePCpHPCiYGaEx4DL1Rq8p
Data breaches can have catastrophic effects including unplanned downtime and loss of production, costly harm to assets, reputational damage, and damage to living and working environments. This growing concern about cybersecurity prompted many guidance and best practice documents to help product manufacturers and asset owners improve the security of their products and installations. After using these guidance documents, how do you validate that they actually improved cybersecurity?
UL was asked by our clients and government stakeholders to create a transparent, testable framework that can be used across industry verticals to repeatably and reproducibly measure the security posture of products and address their basic cyber-hygiene, as the first step in improving product security.
UL 2900-1 evaluates general product requirements that can be applied across industry verticals. UL 2900-2-2 targets specific industrial environments.
UL 2900-2-1 and -2-2 are written specifically to address product ecosystems in the medical device and industrial control system verticals. As we continue to expand UL CAP, additional Part 2s can be written easily using UL 2900-1 as a baseline and collaborating with industry stakeholders from various verticals. For example, we have seen interest from the lighting and automotive industries in creating requirements specific to those industries.
In addition, to evaluate the organization itself, UL 2900-3 has been planned for release in Q2 of this year.
The key differentiators of UL 2900 compared to other available testing programs are, first, that UL 2900 can be applied across industry verticals and, second, that it is based on a balance of prescriptive and risk-assessment-based requirements. Because product security largely relies on the installation environment of the product, requirements must be fit for the use of the product. For example, if a software exploit within the parameters is found, a product manufacturer may indicate risk mitigation methods during product installation that prevent the exploit from causing a security risk. UL will work with vendors through their risk assessment process to identify whether mitigating factors are adequate to address security risks.
Vector to attack behind firewalls
Possible DDoS participants
Closing Slide
Thank you everyone for joining today’s session; we hope you gained valuable insight and enjoyed Hugo & Rachna’s unique take on IoT security. We will take some time for Q&A, but first, if you’re interested in learning more about Electric Imp, we encourage you to sign up for a FREE developer account to explore our platform; just visit the link displayed on screen to get started: electricimp.com/docs/gettingstarted
If you’re interested in learning more about UL Cybersecurity, please reach out to them at ulcyber@ul.com or by visiting ul.com/cybersecurity.
Now let’s go ahead and answer some of the questions that came in during the session…
Seed Questions
1. Do customers have to send UL their source code? [Rachna]
2. What is UL’s experience in this space? How long has it been in cybersecurity? [Rachna]
3. What is the difference between IEC 62443 and UL 2900? [Rachna]