SECURING THE INTERNET OF THINGS
Authentication in IoT Workshop
Matt Tett, Chair – Enabler Workstream 3 (eWS3), Cyber Security & Network Resilience
2019. 1. 9.

Who cares about security?

Why authentication is critical to security in an IoT world

The US is introducing legislation to force IoT manufacturers to include changeable authentication as one of three key “pillars” of their product security, along with patching and encryption. Europe is still focused on committees discussing the development of IoT security standards, and Australia is actively developing IoT industry security programs. Today I will explain why identity and authentication are critical and outline where Australia is leading with its IoT Security Strategy, collaboratively and without creating impost or roadblocks.

Trust

Ref: https://securityintelligence.com/no-authentication-without-trust/

Authentication

Ref: https://www.blockchainsemantics.com/blog/blockchain-passwordless-authentication/

Supply Chain & Third Party Risks

Internet of Things – a complex eco-system that demands collaboration

IoT technology enables digital transformation of industry

An end-to-end system comprising:

• sensors/actuators
• communications
• data/analytics
• applications and services
• visualisation and user interfaces
• wrapped in security

Using analytics to gain insights, find patterns, predict performance, optimise systems

Collecting, transforming and sharing data

Translating the physical world to digital

Security of Things - Confusion

FUD is counterproductive

Trust is required

Clarity is required

What exactly are we talking about?

• Privacy
• Safety
• Security

These are all very different and are not interchangeable

It’s like the difference between a breach and a compromise

Increased attack vectors

Ref:
https://reefbuilders.com/2017/08/07/aquarium-controller-used-to-hack-casino/
https://www.researchgate.net/journal/1942-4795_Wiley_Interdisciplinary_Reviews_Data_Mining_and_Knowledge_Discovery
https://www.forbes.com/sites/anthonykosner/2014/01/17/actually-two-attacks-in-one-target-breach-affected-70-to-110-million-customers/#49f911525482

Default Authentication Credentials!

Ref: https://www.blockchainsemantics.com/blog/blockchain-passwordless-authentication/

Manufacturers often have their heads buried in the sand when it comes to security, bolting it on as an afterthought, or attempting to patch when a vulnerability is identified, hopefully before it is exploited.

Security of Things – Biggest threat is: “It won’t happen to us”

https://securityintelligence.com/news/hacking-risk-for-computer-vision-systems-in-autonomous-cars/
https://securityintelligence.com/how-israel-became-the-land-of-connected-car-research-and-development/

Human Factors

Ref: https://www.alienvault.com/blogs/security-essentials/i-am-dave

Security by Design

https://www.ibm.com/services/us/gbs/thoughtleadership/acceleratesecurity/

Strengthening data privacy to safeguard data exchange

http://www.iot.org.au/wp/wp-content/uploads/2016/12/Good-Data-Practice-A-Guide-for-B2C-IoT-Services-for-Australia-Nov-2017.pdf

The IoTAA publishes this Good Data Practice Guide to promote industry and consumer awareness as to good practice in dealing with data associated with provision of business to consumer (B2C) IoT services. Examples of B2C IoT services include applications for connected car, smart homes, wearable technology, quantified self, connected health, and ‘smart appliances’ that use Wi-Fi for remote monitoring or control such as washer/dryers, robotic vacuums, air purifiers, ovens, or refrigerators.

The IoTAA promotes consumer and industry awareness about good business practice in provision of IoT services and IoT devices to consumers. By building that awareness, we aim to assist both businesses and consumers to anticipate and address possible concerns before they occur. This Guide focusses upon measures that IoT providers can take to build trust and understanding amongst consumers about collection and uses of data in the course of provision of operation of IoT devices and provision of IoT services, protection of privacy and secure installation and operation of IoT devices.

Baseline Minimum IoT Security Requirements

1. No default authentication - administration passwords must be set before the device becomes functional.

2. Encryption – for data in motion and data at rest.

3. Automatic Patching – Security patches must be able to be applied automatically.

4. Fail Safe – if the device fails in the field, it fails secure rather than failing open.

5. Lifecycle – Product security is supported by the vendor for the expected lifecycle of the product.
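
A sketch of how requirements 1 and 4 can be enforced in device software, added here as an illustration and not taken from the presentation or any IoTAA material. The class name `DeviceGate`, the state names, the default-password list and the minimum length are all assumptions made for the example.

```python
import hashlib, hmac, json, os

# Constructed sample of factory-default passwords the device refuses (assumption).
KNOWN_DEFAULTS = {"admin", "password", "12345678", "changeme"}
MIN_LENGTH = 8                      # assumed policy, not from the slides
STORE_ERRORS = (OSError, ValueError, KeyError, TypeError)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class DeviceGate:
    """Hypothetical first-boot gate: no admin credential, no service."""

    def __init__(self, store_path):
        self.store_path = store_path

    def _load(self):
        # Returns the credential record, or None if the device is unprovisioned.
        if not os.path.exists(self.store_path):
            return None
        with open(self.store_path) as fh:
            rec = json.load(fh)                      # raises on a corrupt store
        bytes.fromhex(rec["salt"]), bytes.fromhex(rec["hash"])  # validate fields
        return rec

    def state(self):
        # Requirement 4: an unreadable or damaged store means LOCKED, never open.
        try:
            return "READY" if self._load() else "SETUP_REQUIRED"
        except STORE_ERRORS:
            return "LOCKED"

    def set_admin_password(self, password):
        # Requirement 1: the device only leaves setup once a non-default
        # administration password has been chosen.
        if self.state() != "SETUP_REQUIRED":
            raise PermissionError("device is not in setup state")
        if len(password) < MIN_LENGTH or password.lower() in KNOWN_DEFAULTS:
            raise ValueError("password too short or a known default")
        salt = os.urandom(16)
        with open(self.store_path, "w") as fh:
            json.dump({"salt": salt.hex(), "hash": _kdf(password, salt).hex()}, fh)

    def authenticate(self, password):
        # Deny when unprovisioned or when the store cannot be trusted.
        try:
            rec = self._load()
        except STORE_ERRORS:
            return False
        if rec is None:
            return False
        expected = bytes.fromhex(rec["hash"])
        return hmac.compare_digest(_kdf(password, bytes.fromhex(rec["salt"])), expected)
```
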

Security of Things - Strategy

http://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Strategic-Plan-to-Strengthen-IoT-Security-in-Australia-v4.pdf

Key points

• Reference Framework
• Trust Mark Certification Scheme
• Supply and Demand Side Awareness
• Government & Industry Relationships

Action not committees and documents

Defending against cyber-threats in a connected world

Security of Things – Reference Framework – Holistic Approach

• Covers safety, privacy and reliability, ensures security of smart infrastructure and control networks

• References other Security Frameworks, i.e. NIST Security Framework, IoT Compliance Framework (IoTSF), Trustworthiness Framework (IIC)

• Structured around an IoT Reference Framework that includes IoT security
    • Within every layer of the framework, as well as the inter-domain dependencies/complementary
    • In both business operation and technical implementation
    • End-to-end – for every layer identified in the IoT Reference Framework

• Is Data Driven –
    • from data sources (sensors/machines) through to data processing platforms (cloud), and through to data consumption endpoints (applications/human)
    • Data integrity and privacy based

• Extends beyond traditional cybersecurity aspects (CIA), into the physical aspects such as safety and reliability

• Lifecycle – security extends to the life of the product

• Operational – resiliency, reliability and recovery

Reference Framework Security Overlays

©2018 nam@infyra.net www.infyra.net

Security of Things - Trust Mark Certification Scheme

1.3 Objectives

1.3.1 The objectives of the Trust Mark Scheme are to:

(a) encourage IoT device manufacturers to develop secure IoT devices;

(b) enable users of IoT devices to have confidence in the security and privacy features claimed in an IoT device; and

(c) provide IoT testers with a framework for predictable, standardised and repeatable testing of devices.

1.3.2 The Trust Mark Scheme brings together sources of information relating to the security, privacy, and resilience of IoT to assist the IoT industry in delivering quality products and services. It does not endorse any specific technology or approach for use.

Security of Things – Security Awareness Guidelines

Ref: https://www.staysmartonline.gov.au/get-involved/guides

Q & A ?

Matt Tett www.linkedin.com/in/mtett/

Thank you