SESSION ID: #RSAC SBX1-R05 Mitigating Security & Privacy Risks In an Interconnected World Brian Witten, Symantec

Mitigating Security & Privacy Risks In an Interconnected World · 2018-01-09 · #RSAC Quick History of Recent Events Pipeline, Steel Mill, Critical Infrastructure, Power Grid, Cars,


Page 2:

Protection Embedded In Over a Billion Connected Things

Page 3:

IoT betters our lives countless ways.

Already 20 Billion Microcontrollers (MCU) annually
5 Billion Connected Today, 20 Billion by 2020

Smart Cities
Consumer Electronics
Medical Devices
Connected Cars
Digital Factories

Page 4:

Quick History of Recent Events

Pipeline, Steel Mill, Critical Infrastructure, Power Grid, Cars, Hospitals

Quick History of Actual Events

Multi-Kiloton Pipeline Explosion
Steel Mill Blast Furnace Damaged
Cars: Digitally Stolen, Remotely Crashed
Hospitals Breached via Medical Devices
Large Scale Power Grids Crashed
Hundreds of Critical Infrastructure Sites

Page 5:

Internet of Things (IoT) Cornerstones of Security

Protect the Communications
Protect the Device
Understand Your System
Manage Devices

Cloud/Data Center
Gateway
Devices & Sensors

Page 6:

Can extremely constrained devices do serious security?

Benchmark: ECC/ECDSA256

$0.25

Early 80’s grade chip: 8 bit, 8 MHz, 2 k SRAM
25 seconds, AA Battery: 20+ years

Leading 10 year old chips: 16 bit, 16 MHz, 30 k SRAM
3 seconds, AA Battery: 20+ years

Current 32 bit chips: 32 bit, 84 MHz, 30+ k SRAM
150 ms, AA: 20 years

$0.50

Page 7:

Protect The Communications

What’s needed?

Required: Authentication
Helpful: Encryption
Note: Signing “objects” can avoid decrypt/re-encrypt burden

Certificates: Over a Billion IoT devices chain to a world class Certificate Authority (CA)
Roots of Trust: IoT “Roots of Trust” can help identify foreign devices
Crypto Libraries: Several good open-source and commercial options

Devices & Sensors
Hardware
Operating Systems
Embedded Software

Page 8:

Internet of Things (IoT) Cornerstones of Security

Protect the Communications
Protect the Device
Security Analytics
Manage Devices

Cloud/Data Center
Gateway
Devices & Sensors

Page 9:

SESSION ID: SBX1-R05

Internet of Everything or Internet of Evil Things?

Brian Witten, Symantec


Page 13:

Do Consumers care?

Accenture study as reported by Venture Beat: http://venturebeat.com/2016/01/04/mobile-device-sales-slow-customers-grow-wary-of-security-holes-in-connected-devices-survey-says/

(69 percent) said they know the products could potentially be hacked.

(24 percent) chose to postpone buying one as a result of security concerns.

(18 percent) said they have stopped using their IoT devices because of these concerns

Page 14:

What changed?

PC / Datacenter Era: Security - most easily delivered by disk or by download

IoT / Cloud Era: Security - must be integrated by design to be effective


Page 18:

Protecting Devices (Boot Time)

Never run unsigned code.

Never trust unsigned configuration data.

Never trust unsigned data. (Period.)

Provide run-time protection for each device.

Protect the Code that Drives IoT

Pre-boot Environment
A. Device Drivers
B. Network Stack
C. Operating System
D. Primary App
E. Crypto Libraries
F. Network Monitor
G. Settings

Page 19:

Protecting Devices (Run Time)

Traditional Approach: Malware Blocking | Whitelisting Behaviors: Sandboxing
Ineffective on zero-day | Effective on zero day
Ensures self-protection | Protects OS critical resources
Customization or separate product | Protects applications from each other
Large footprint | Small footprint
Signature based | Behavior / policy based
Internet access required | No internet access required
Reactive | Proactive

Page 20:

Internet of Things (IoT) Cornerstones of Security

Cloud/Data Center
Gateway
Devices & Sensors

Protect the Communications
Protect the Device
Security Analytics
Manage Devices

Authentication
Run Time
Boot Time

Page 21:

Safely & Effectively Managing IoT Devices

Why update devices?

Industrial Systems: 19 years on average

Vulnerability Discovery Rate (Linux): 3 days

… Build in Over The Air (OTA) updates from the start

Granular Updates Save Battery & Bandwidth

200 x =

2,000 x =

“Build it Right Once” (Use it for Both General & Security Management)

General & Security Telemetry
Functionality & Security Updates
Configuration Changes
Diagnostics & Remediation
Network Access Control (NAC)
Credentials/Permissions, Policies


Page 23:

Network Operator Role & Opportunity

Requirements
Medical Devices
Industrial Equipment
Products
Automotive Modules
Suppliers
Devices
Components
Buyers
Equipment Owners & Operators
Hospitals
Automakers

Page 24:

Thank [email protected]

Internet of Things (IoT) Security Reference Architecture:

www.symantec.com/iot


Page 26:

Automotive Threats: A Quick Refresher

(Architecture Simplified for Presentation)

Diagram labels: RTOS, GSM, TCU, RTOS, IVI, GWC, BCM, ECU, xxM, xxM, BCM, OBD2, UBI, GSM, CAN1, CAN2

Cellular (IP & GSM)
Physical Tampering
Other Wireless (BT & Wifi)

Vulnerabilities Announced This Summer

Supply Chain
Unauthenticated Commands
Unauthenticated Connections
No IP Port/Protocol Restrictions
Inadequate Code Signing
Potential Memory Corruption Vulnerabilities
Vulnerable Browsers/Apps
Vulnerable Modems
Unauthenticated Bus

TCU: Telecommunications Unit
IVI: In Vehicle Infotainment
RTOS: Real Time OS
ECU: Engine Control Unit
BCM: Body Control Module
xxM: Other Modules
CAN: Controller Area Network
CAN1/2: Hi, Med, Lo Speed CAN
GWC: “gateway chip”
OBD2: On Board Diagnostics port
UBI: Usage Based Insurance
GSM: Global System for Mobile Comm’s, aka “a modem”

Copyright © 2014 Symantec Corporation
Copyright © 2015 Symantec Corporation

Page 27:

Cornerstones of Security: Automotive Vehicles

Authenticate Comm’s
Manage Devices
Protect Each Module
Security Analytics

OMA DM, SCOMO

Embedded (in-vehicle), Global Code-Signing (Boot Time)
Host-Based (Run Time)
Compiler Based (No-OS)

Business Constraints:
-- Consumers won’t pay for security they “assume”
-- OEM & Tier 1 Suppliers: extremely thin margins
-- Security $ must be < “few %” of any car/module


CAMP: Crash Avoidance Metrics Program
VSC3: Vehicle Safety Comm’s
HIS: Hersteller Initiative Software
SHE: Secure Hardware Extensions
EVITA: E-safety Vehicle Intrusion Protected Applications
HSM: Hardware Security Module
OMA DM: Open Mobile Alliance (OMA) Device Management (DM)
SCOMO: Software Component Management Object

CAMP VSC3, HIS SHE, EVITA HSM
