Page 1: SIM Portland IOT - Sandhi Bhide - (09-14-2016)

What? Connecting IOT Devices to my IT Network? No Way!

Keynote Presentation to the Society Information Management (SIM)

Sandhiprakash Bhide, Visionary Leader, Strategist & Future Technologist
Previously Director of Innovation, IOT Group, Intel Corporation

Sept. 14, 2016

Page 2:

Agenda

1. IT network today
2. New IOT devices that will be online
3. What about those IOT devices
4. Key network strategies to evolve to
5. Key considerations for IT
6. What would the future architectures look like?
7. Closing thoughts

Page 3:

IT Perspective

IT is all about Cost/Benefit and ROI
IT is all about tangible results
IT is all about Risk Management
IT is UX, Safety, Security, Asset Protection, …

Any new devices added cannot violate these basic principles.

Page 4:

Some key revelations from SecurityWeek

1. IOT devices are becoming an increasingly important part of enterprise environments, yet companies continue to fail at securing them properly, a recent report sponsored by ForeScout reveals.

2. Many devices feature vulnerable software or re-use cryptographic secrets that make them vulnerable, yet there are also those that are sold with malware embedded in them right from the start.

3. IOT devices on the network: 66% of respondents feel that 25% or fewer of the devices in the network are IoT. 85% of respondents said they aren’t confident they know all devices in the network, but nearly two-thirds of them admitted to having 6-15 unique device types on their networks.

Source: http://www.securityweek.com/iot-devices-not-properly-secured-enterprise-networks-survey, June 14, 2016

Page 5:

Some key revelations from SecurityWeek

4. Security Policy: 44% said they have a policy, 26% admitted they didn’t know, and 30% said no such policy was in use. 33% were aware of their company’s security policy covering home networks too, while 45% said that accessing the corporate network from home wasn’t covered by the existing policy.

5. Device Discovery: 89% felt it’s important to discover an IoT device on the network. 87% said it is important to classify IoT devices. 86% found discovering/classifying without the use of an agent to be important.

6. Securing IoT devices on the network: 30% of respondents relied on “industry/manufacturer methods, such as Wi-Fi, WPA2, BT protocols.” 17% said they have a password on the network, 13% didn’t know and 14% weren’t aware of such protection.

Source: http://www.securityweek.com/iot-devices-not-properly-secured-enterprise-networks-survey, June 14, 2016

Page 6:

Man! That is scary!!

Page 7:

Typical IT Network today

(Network diagram; labels: Internet, WAN, 3/4/5G, Switch, Firewall, Router, Proxy, Email, FTP, Web, LAN, DB)

Page 8:

Enterprise Devices on the IT Network

(Diagram; labels: Desktop, Laptops, Tablets, Phones (~1.6B); Internet; Then, Consumer Devices; threats: Malware, Physical, Viruses, Denial of Service, Spoofing, Worm, Trojan Horse)

A recent example is the failure to secure thousands of Internet-connected printers around the world, which allowed a researcher to access them via port 9100 and to set all of them to print an anti-Semitic flier.

Page 9:

Other office-specific devices in the offices

(Diagram; labels: Energy, Sensors, HVAC, Lighting, Security Cameras, Entertainment Devices, Wearables)

Page 10:

Today Security, Lighting, HVAC, etc. are connected through a Building Management System (BMS), but there are many issues...

Page 11:

Building Management Systems

(Image above by: http://www.wbdg.org/resources/cybersecurity.php)

Abbreviations: HVAC – Heating, Ventilating, and Air-conditioning Control; BAC – Building Automation and Control; VAV – Variable Air Volume

Page 12:

Issues: Lighting, HVAC, Security, …

1. Different Systems for different Apps – Problem for Integration
2. Sensing and Actuation both may not be possible
3. Lack of Finer Grain Control
4. Lack of Individual Device Level Control
5. Little Device Security
6. Complexity of Multiple Systems
7. Lack of Local Intelligence
8. Lack of Extensibility and Upgradeability

Interesting Note: IT and WSPs have already solved these problems for laptops, tablets, smart phones, printers, …

Page 13:

Examples

1. Lighting Systems
2. HVAC Controls
3. Surveillance/Security Camera
4. Presence in conference rooms

Page 14:

Life with 1T sensors + 50B devices?

Page 15:

Most of the 50B devices will be unprotected & open to hacking! IT should be worried!!

• Loss of economic value & innocence (opt-in without knowing consequences)
• How many 20-page legal documents will you read?
• Safety, security at risk

Page 16:

Manageability, Upgradeability, Security, Large Data sizes, Power, Communication, Processing, Analytics, and redundancy problems are going to explode!!

Page 17:

Hackers are already attacking the industrial world

Hackers break into networks of 3 big medical device makers (SF Chronicle, Feb 10, 2014)
Thousands of IoT control systems vulnerable: DHS Study (Info Week, Jan 11, 2013)
Shamoon [virus] was an external attack on Saudi Oil Production (Info Security magazine, Dec. 10, 2012)
World First Cyber hijack: Was missing Malaysia flight hacked by mobile phone? (Express, March 16, 2014)
Underground copper wire heist causes San Jose freeway flood (SJ Mercury News, Feb 28, 2014)
Target hackers broke in via HVAC company (CNBC, Feb 5, 2014)
How Hackers can take control of your Car (EE Times, Jul 8, 2013)
Attack on California substation fuels Grid Security debate (IEEE Spectrum, Feb 2014)

Page 18:

What should be the strategy to include these new IOT devices in the architecture?

Page 19:

Strategy 1: Build a Wall

(Diagram: IT and IOT as separate networks)

Advantages
1. Keeps away the contamination
2. Security, device management does not turn into a nightmare
3. Simpler IP addressing
4. QoS and Latency not critical
5. Easy management of rogue devices

Disadvantages
1. High cost of creating a parallel new network
2. Separate IT and Facilities Management personnel
3. Employee has no access/control
4. Operational inefficiencies

Page 20:

Strategy 2: Create one Ubiquitous Network

(Diagram: IT and IOT on a single network)

Advantages
1. Reduced cost of deployment
2. Easier IT/Facilities management
3. IPV6 addressing
4. Employees can also have direct control over certain devices
5. Uniform policy management
6. Easier OS, analytics, profile update
7. Sensing as well as actuation

Disadvantages
1. Security vulnerabilities
2. QoS/Latency issues
3. Rogue devices creep
4. Device Volume/Management

Page 21:

Strategy 3: Build a hybrid Network (Gateway)

(Diagram: IT and IOT networks joined through a gateway)

Advantages
1. Phased transition of devices
2. Staggered deployment cost
3. Easier IT/Facilities management
4. Device security behind a gateway
5. Employees can also have direct control over certain devices
6. Uniform policy management
7. Easier OS, analytics, profile update
8. Sensing as well as actuation

Disadvantages
1. QoS/Latency issues
2. Device Volume/Management

Page 22:

There is no ideal solution. Each case is different.

Implementation is defined by organizational priorities.

Page 23:

Issues with adding IOT to the IT network

1. Security: Many IOT devices do not come with security
2. Volume: 30X more devices will be added to the network
3. QoS: When there is a critical event, e.g. a fire or a water leak, how do we ensure the event gets the highest priority?
4. Power: How do we power these devices? 110V, batteries, or energy harvesting?
5. Device Upgrade/Replacement: How do you upgrade (OS, analytics, profile, and Firmware) in real time? Detect when a device dies?
6. Redundancy/Failover: How do you ensure reliable operation?

Page 24:

Issues with adding IOT to the IT network

7. Manageability/Support: How to recognize/fulfill support needs?
8. Processing/Analytics: How do you define where the analytics processing occurs (end node, edge, or cloud), on-premise or off-premise?
9. Storage: Where is the data stored, what is the retention period, and should the data even be stored, or only exceptions?
10. Communication: What are the wireless protocols that make sense? Should the devices be connected over BT, Wi-Fi, or WAN? Bandwidth? Real time?
11. Data Sizes: The amount of data created is going to be humongous! What type of data is it?
12. Human Safety: What are the implications on human life?

Page 25:

We live in Exponential Sensor Times

IOT takes it several orders of magnitude forward

(Chart from Tsensors Summit – Janusz Bryzek – Roadmap for Trillion Sensor universe)

Page 26:

Data Load on Analytics Framework

Page 27:

Unique thing: IOT Data (it can be reduced)

(Pyramid: Sensors Data → Information → Knowledge → Wisdom)

Page 28:

Step by Step Transition

(Diagram; labels: HVAC, Video, Digital Signage, Lighting, Elevator, PACS, Advanced Metering, PLC, Gateway, WAN, IT)

BAS: Fire and Life and Safety (FLS), Physical Security and Access Control (PACS), Energy Management Systems (EMS), which includes Lighting Control, Heating, Ventilation and Air Conditioning (HVAC)

Page 29:

IT/IOT Architectural Ubiquity

(Diagram; labels: HVAC, Video, Digital Signage, Lighting, Elevator, PACS, Advanced Metering, LAN/WAN, IT, IOT)

BAS: Fire and Life and Safety (FLS), Physical Security and Access Control (PACS), Energy Management Systems (EMS), which includes Lighting Control, Heating, Ventilation and Air Conditioning (HVAC)

Page 30:

Closing Thoughts

1. Security/Human Safety Priority #1
2. Validate IOT Devices before adding them to the IT Network
3. Use phased approach to adding devices and systems
4. Define economic value/metrics/replacement cost and then monitor
5. Key Considerations: Security, Volume, QoS, Power, Device Upgrade and Replacement, Redundancy/Failover, Manageability/Support, Processing, Analytics, Storage, Communication, Data Sizes and type of Data

Page 31:

Thank you

Page 32:

Backup

Page 33:

New Security Threats to Personal IOT Devices

Fridge sending out spam after web attack compromised gadgets. One of more than 100K devices used in spam campaign. (BBC News, Jan 2014)
Baby Monitor: Hacker takes over baby monitor and shouts obscenities at sleeping child. (ABC News, 13 Aug 2013)
“Wearable Computing Equals New Security Risks” (InformationWeek, 13 Jan 2013)
Medical Devices: “We’re starting to attach medical devices to electronic health records, and they’re not secure.” (Healthcare IT News, May 2013)
Credit Card Information System: “Target Confirms Point-of-Sale Malware Was Used in Attack” (Security Week, 13 Jan 2014)

Page 34:

Glossary of Terms

1. Hacker Attacks: Indicates attacks that are not automated by programs such as viruses, worms, or Trojan horse programs. There are various forms that exploit weaknesses in security. Many of these may cause loss of service or system crashes.

2. IP spoofing - An attacker may fake their IP address so the receiver thinks it is sent from a location that it is not actually from. There are various forms and results to this attack. The attack may be directed to a specific computer addressed as though it is from that same computer. This may make the computer think that it is talking to itself. This may cause some operating systems such as Windows to crash or lock up. Gaining access through source routing: hackers may be able to break through other friendly but less secure networks and get access to your network using this method.

3. Session Hijacking - An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.

4. Server spoofing - A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (in the clear) authentication from the client. The attacker will run this utility while acting like the server while the user attempts to login. If the client is tricked into sending LANMAN authentication, the attacker can read their username and password from the network packets sent.

5. DNS poisoning - This is an attack where DNS information is falsified. This attack can succeed under the right conditions, but may not be really practical as an attack form. The attacker will send incorrect DNS information which can cause traffic to be diverted. The DNS information can be falsified since name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct webserver such as a bank and capture information from customers when they attempt to logon.
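The periodic shared-secret check that the session hijacking entry above describes, as an added example in Python (constructed for this page, not code from the presentation): after authentication the server keeps a per-session secret, periodically sends a random nonce, and accepts the session only while the peer answers with a correct HMAC over the session id, a rising counter and that nonce. An endpoint that merely spoofs the client's address and knows the session id cannot produce the tag, and the session is closed at the first failed check. Names such as `Session` and `client_answer` are this example's own.

```python
import hashlib
import hmac
import secrets


def mac(secret: bytes, session_id: str, counter: int, nonce: bytes) -> bytes:
    """HMAC-SHA256 over (session id, round counter, server nonce)."""
    msg = session_id.encode() + counter.to_bytes(8, "big") + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Session:
    """Server-side state for one authenticated session (constructed example)."""

    def __init__(self, session_id: str, secret: bytes):
        self.session_id = session_id
        self.secret = secret        # shared only with the authenticated client
        self.counter = 0            # must strictly increase: blocks replayed answers
        self.active = True
        self.pending_nonce = None

    def issue_challenge(self) -> bytes:
        """Send a fresh random nonce; the client must answer it with the secret."""
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def verify(self, counter: int, tag: bytes) -> bool:
        """Accept only a valid tag for the outstanding nonce; any failure ends the session."""
        if not self.active or self.pending_nonce is None or counter <= self.counter:
            self.active = False
            return False
        expected = mac(self.secret, self.session_id, counter, self.pending_nonce)
        if not hmac.compare_digest(expected, tag):
            self.active = False     # peer could not prove possession of the secret
            return False
        self.counter = counter
        self.pending_nonce = None   # each nonce is usable exactly once
        return True


def client_answer(secret: bytes, session_id: str, counter: int, nonce: bytes) -> bytes:
    """Client side: prove possession of the shared secret for this round."""
    return mac(secret, session_id, counter, nonce)


def demo():
    """Legitimate client passes round 1; a peer without the secret fails round 2."""
    secret = secrets.token_bytes(32)       # established during authentication
    s = Session("sess-42", secret)
    nonce = s.issue_challenge()
    ok_legit = s.verify(1, client_answer(secret, "sess-42", 1, nonce))
    nonce = s.issue_challenge()            # this peer sees the nonce but not the secret
    ok_impostor = s.verify(2, client_answer(b"not-the-secret", "sess-42", 2, nonce))
    return ok_legit, ok_impostor, s.active
```

`demo()` returns `(True, False, False)`: the legitimate answer is accepted, the answer without the secret is rejected, and the session is no longer active.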


Page 35:

Glossary of Terms

1. Password cracking - Used to get the password of a user or administrator on a network and gain unauthorized access.

2. Viruses - This type of malicious code requires you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular web page. It reproduces itself by attaching to other executable files.

3. Worms - Worms propagate without your doing anything. They typically start by exploiting a software vulnerability (a flaw that allows the software's intended security policy to be violated). Then once the victim computer has been infected, the worm will attempt to find and infect other computers. Similar to viruses, worms can propagate via email, web sites, or network-based software. The automated self-propagation of worms distinguishes them from viruses. A worm is a self-reproducing program that creates copies of itself. Worms that spread using e-mail address books are often called viruses.

4. Trojan horses - A Trojan horse program is software that claims to do one thing while, in fact, doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending your confidential information to an intruder.

5. Spyware - This sneaky software rides its way onto computers when you download screensavers, games, music, and other applications. Spyware sends information about what you're doing on the Internet to a third party, usually to target you with pop-up ads. Browsers enable you to block pop-ups. You can also install anti-spyware to stop this threat to your privacy.

6. DoS - Denial of Service

7. Logic Bomb - Dormant until an event triggers it (date, user action, random trigger, etc.).