Keynote presentation for ISSA/ISACA annual meeting, June 20, 2019, Chicago, IL.

1. IoT and the Industrial
Internet of Things
Security, Privacy & Safety
in a World of Connected Devices
John D. Johnson, CISSP, CRISC, SMIEEE
June 20, 2019 • Chicago, IL
Source: shutterstock.com

2. Disclaimer:
• This presentation represents my own views
and not that of past, present or future
employers
• Thank you for getting up early!
• I hope to be more interactive with the
audience, because I don’t want you bored
• Sometimes I am the only one in the room
who thinks my jokes are funny
• Please feel free to ask questions anytime

3. Introduction to the
Internet of Things (IoT)

4. The first “selfie” taken in 1920
Pre-Internet Things

5. What we think of when we hear IoT
“This past summer my wife and I…decided it was time to update
our kitchen…and laundry appliances.…A quick online search
showed us internet-connected…smart models were
available.…Now our refrigerator shows us our family calendar…and
sends us our grocery list.…Our dryer begins its work and tells us
when it's done…and how much energy it's used on the load.…All
of these appliances, including our thermostat,…garage doors,
home lighting, television,…and door locks send information about
our home to us…no matter where we are.…”

8. History of IoT
Summary
• The Internet of Things definition: “Sensors
and actuators embedded in physical
objects are linked through wired and
wireless networks”
• There are a number of similar concepts
but Internet of Things is by far the most
popular term to describe this
phenomenon
• M2M or the Industrial Internet are not
opposing concepts to the Internet of
Things. Rather, they are sub-segments.

9. Let’s Define “IoT”
• Internet of Things
• Consumer IoT (IoT)
• All of our consumer “things” – smart devices and sensors connected and communicating over
the Internet.
• Industrial IoT (IIoT)
• The Industrial Internet of Things, or IIoT, connects machines and devices in industries such as
transportation, power generation, and healthcare.
• Embedded Systems
• An embedded system is a programmed controlling and operating system with a dedicated
function within a larger mechanical or electrical system, often with real-time computing
constraints. It is embedded as part of a complete device often including hardware and
mechanical parts.
• Industrial Control Systems (ICS)
• Industrial Control System. Industrial control system (ICS) is a collective term used to describe
different types of control systems and associated instrumentation, which include the devices,
systems, networks, and controls used to operate and/or automate industrial processes.
• Supervisory Control and Data Acquisition (SCADA)
• Supervisory control and data acquisition (SCADA) is a system of software and hardware
elements that allows industrial organizations to: Control industrial processes locally or at
remote locations. Monitor, gather, and process real-time data.

11. 80 Billion

12. IoT Architecture

13. THE EDGE THE CONNECTION THE ANALYTICS
Fog Computing Cloud Computing

16. IoT Applications

19. Smart & Autonomous Vehicles

26. Military Applications

28. Industrial IoT

29. Industrial IoT (IIoT)
The Industrial IoT Consortium lists these 15 possible uses of IIoT:
1. Smart factory warehousing applications
2. Predictive and remote maintenance.
3. Freight, goods and transportation monitoring.
4. Connected logistics.
5. Smart metering and smart grid.
6. Smart city applications.
7. Smart farming and livestock monitoring.
8. Industrial security systems
9. Energy consumption optimization
10.Industrial heating, ventilation and air conditioning
11.Manufacturing equipment monitoring.
12.Asset tracking and smart logistics.
13.Ozone, gas and temperature monitoring in industrial environments.
14.Safety and health (conditions) monitoring of workers.
15.Asset performance management
It is about adding value:
Harley Davidson reduced
its built-to-order cycle
by a factor of 36 and
grew overall profitability
by 3-4% by shifting to
full IoT enabled plant

30. Internet of Things vs. Industrial IoT

33. Size and market impact of the Industrial Internet of Things – source: Morgan Stanley, IndustryARC, Accenture and Research and Markets.

35. Emerging Technologies Converge
and Enable IoT

36. 5G Enables IoT
• 100x faster than 4G
• 1/50 the latency of 4G
• Much more scalable: 100x more devices than there are people
• Good for time sensitive applications (e.g. factory robotics, robotic
surgery)
• How do you get billions of devices to talk to each other?
• Security & Privacy are key
• Connected assets can be used to extract productivity

37. Big Data and IoT
Sensors on GE jet engines can produce 10 terabytes
of operational information for every 30 minutes they turn.
A four engine jumbo jet can create 640 terabytes of data
on just one Atlantic crossing. Now multiply that by the
many flights flown each day…

39. Fog (Edge) Computing Enables IoT

40. AI and Machine Learning Enable IoT

41. ‘A Cambrian Explosion
that will disrupt
virtually all sectors.’
Speech to text
translation rates
are now > 95%
accurate.

46. Blockchain (Distributed Ledger) Adds Integrity to IoT
and Security to M2M Communications

47. • Amazon, Google, Microsoft and other industry leaders will enable standardized platforms that allow
EVERYTHING to be connected to the Internet
• The Alexa Connection Kit will allow many devices to be connected to the Internet by writing a few lines of
code
• The future IoT will be ubiquitous and pervasive, low-power and small as a grain of sand

48. iPhone Sensors
• Proximity Sensor
• Light Sensor
• Camera
• Gyroscope
• Accelerometer
• Moisture Sensor
• GPS
• Compass
• Barometer
• Touch ID
• Face ID
Source: Apple

49. The Increasing Attack Surface

50. “The difference between a good and bad
Internet of Things depends on society’s ability to
construct effective IoT governance models… the
formation of principles as a means to unify the
multiple bodies and organizations involved in
the IoT governance ecosystem.”
- Vint Cerf
F. Berman and V.G. Cerf, “Social and Ethical Behavior in the Internet of Things,” Comm. ACM, vol. 60 no. 2, 2017, pp. 6-7

51. The first “selfie” taken in 1920 Source: joyoftech.com

54. The Future Human Impact
of Smart &
Autonomous Vehicles
The Rodney Brooks Rules for Predicting a Technology’s Commercial Success. (2018, October 25). Retrieved from https://spectrum.ieee.org/at-work/innovation/the-rodney-brooks-rules-
for-predicting-a-technologys-commercial-success
All Illustrations by Chris Philpot

55. Framing risk & challenges for consumers
• Security, privacy & safety are top concerns
• Poor or non-existent security built into devices
• Consumers don’t segment or create hardened home network
• Devices travel with family and connect to insecure access points
• Devices are not often updated – too complex if at all
• Default credentials are often hard coded
• Monitoring your children sounds like a great use case, until you realize that
data is out there and being collected and vulnerable to attack
• When we monitor and manage everything around us, we are set up for
failure when our critical infrastructure is attacked or made unavailable

56. Click Here to Kill Everybody
The bottom line is the
more that all of our things
are connected together,
and the more we rely on
them, the more vulnerable
we are to having
disastrous disruptions to
our business processes,
personal lives, and to
society as a whole.

57. Securing Industrial IoT

59. Global ICS Risks
• At least 84% of sites have at least one remotely accessible device
• 40% of industrial sites have at least one direct connection to the Internet
• 53% of industrial sites have outdated Windows like systems like XP
• 69% have plain text passwords traversing the network (FTP, SNMP…)
• 57% of sites are still not running anti-virus protection with automatic updates
Source: www.cyberx-labs.com

60. Many OT Protocols

62. A bad day at an Iranian power plant.

63. Adversaries & Attacks
• The ability for criminals to weaponize IoT was highlighted in 2016 when
Mirai botnet used hundreds of thousands of cameras, routers and digital
video recorders to overwhelm a key Internet server
• This DDoS attack shut down websites of large companies for several hours
• Today 40% of home appliances globally are being used for botnet attacks
(Gartner)
• Engineers often think about functionality and not how to use technology
for unintended purposes (what would the bad guys do?)
• A home thermostat may help you conserve energy
• A home thermostat may tell criminals when you are home and when you are away

64. Threat Modeling
Target
•Data (DAR, DIM, DIU)
•Code/Software
•Services
•Databases
•Operating Systems
•Networks/Infrastructure
•Platforms/Hardware/Firmware
Threat
Vector
•Copy, Exfiltrate
•Modify, Corrupt
•Destroy, Denial of Service
Threat
Source
•Insider
•Hacktivists
•Motivated Hobbyist
•Corporate Espionage
•Cybercriminals
•Nation State
Requirements
• Level of knowledge
required
• Ability, Expertise
• Proximity required
• Access required
• Resources required
• Time required
Motivations
• Money
• Ideology
• Coercion
• Ego
Risk can be mitigated; the threat landscape remains unchanged.
Threat Intel
• Industry Peer
Groups; ISACs
• Threat Intel
Feeds
• Private/Public
Partnerships

65. Source: SANS ICS Program

66. Source: SANS ICS Program

67. Source: SANS ICS Program

69. Latest CIS Implementation Guide for ICS: http://bit.ly/2IrJd6t

70. Latest CIS Implementation Guide for ICS: http://bit.ly/2IrJd6t

71. Mapping ICS Cyber Coverage to Standards
NIST CSF Categories

72. Industrial IoT Cybersecurity Program
Threat Detection/Intelligence
• Threat intelligence
• Detect known threats
• Anomaly detection
• IDS/IPS
Endpoint and Vulnerability Management
• Endpoint secure baseline configuration
• Anti-virus
• Security management
• Vulnerability and Patch Management
• Secure remote access
• Password management
• Secure policies and procedures
• Secure removable media
• NAC
Network Segmentation
• Network policies and VPN
• IP segmentation
• Microsegmentation/SDA
• Firewall / OT gateway
Incident Management
• SIEM / Incident Response / Orchestration
• Forensics
• Security Operations Center
• Analytics & reporting
• Playbooks
Visibility
• Discover assets
• Inventory assets
• Inventory software
• Profile assets
• Passive network monitoring
• Active network monitoring
Business, IT, OT Governance
• Executive buy-In & Business/Stakeholder alignment
• Prioritized strategy tied to standards
• Program management
• Governance / metrics
• Training
• Risk assessment
• Threat modeling
Data Integrity
• Ensure secure communications
• Access point discovery
• Certificate management
• Validate transport paths
• Logging
Identity Management
• Identity Access Management (IAM)
• Privileged Access Management (PAM)
• Multi-Factor Authentication (MFA)
MSSP?
Continuous
Improvement
IT / OT Convergence
Architecture
Detect Faster
Respond Better
Get Started in Parallel
• Integration
• Scaling
• Single pane of glass

73. OT Security Vendors Consider finding a partner on your journey!

74. john@johndjohnson.com
@johndjohnson

75. Videos
1. Future Son | Progressive Insurance –
https://www.youtube.com/watch?v=NLTKvGgTb10
2. “The Smart Cities Of Tomorrow Are Already Here | Mach | NBC News”,
https://www.youtube.com/watch?v=THiQtn9hVB8
3. “Agriculture: How Internet of Things (IoT) is changing the game”,
https://www.youtube.com/watch?v=Rxulo78gyGc
4. “The Vision of IoT – Intel”, 2016,
https://www.youtube.com/watch?v=rnDey89wp_M
5. “The Future of Industrial IoT”, 2018,
https://www.youtube.com/watch?v=NYRSw0UeqHY
6. “Private LTE Networks for the Industrial IoT — Use Cases“,
https://www.youtube.com/watch?v=U82tIdvrlEA
7. (extra) “How It Works: Internet of Things”,
https://www.youtube.com/watch?v=QSIPNhOiMoE

76. Regulations: Good, Bad & Ugly
• California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making
California the first state with such a law. The bill, SB-327, was introduced last year and passed the
state senate in late August.
• Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly”
to the internet must equip it with “reasonable” security features, designed to prevent
unauthorized access, modification, or information disclosure. If it can be accessed outside a local
area network with a password, it needs to either come with a unique password for each device,
or force users to set their own password the first time they connect. That means no more generic
default credentials for a hacker to guess.
• The bill has been praised as a good first step by some and criticized by others for its
vagueness. Cybersecurity expert Robert Graham has been one of its harshest critics. He’s argued
that it gets security issues backwards by focusing on adding “good” features instead of removing
bad ones that open devices up to attacks. He praised the password requirement, but said it
doesn’t cover the whole range of authentication systems that “may or may not be called
passwords,” which could still let manufacturers leave the kind of security holes that allowed the
devastating Mirai botnet to spread in 2016.
• But others, including Harvard University fellow Bruce Schneier, have said that it’s a good start. “It
probably doesn’t go far enough — but that’s no reason not to pass it,” he told The Washington
Post. While the rule is only state-wide, any device-makers who sell products in California would
pass the benefits on to customers elsewhere.