What? Connecting IOT Devices to my IT Network? No Way!
Keynote Presentation to the Society Information Management (SIM)
Sandhiprakash Bhide, Visionary Leader, Strategist & Future Technologist. Previously Director of Innovation, IOT Group, Intel Corporation
Sept. 14, 2016
Agenda
1. IT network today
2. New IOT devices that will be online
3. What about those IOT devices
4. Key network strategies to evolve to
5. Key considerations for IT
6. What would the future architectures look like?
7. Closing thoughts
Internet of Things Group
IT Perspective
IT is all about Cost/Benefit and ROI. IT is all about tangible results. IT is all about Risk Management.
IT is UX, Safety, Security, Asset Protection, …
Any new devices added cannot violate these basic principles.
Some key revelations from SecurityWeek
1. IOT devices are becoming an increasingly important part of enterprise environments, yet companies continue to fail at securing them properly, a recent report sponsored by ForeScout reveals.
2. Many devices feature vulnerable software or re-use cryptographic secrets that make them vulnerable, yet there are also those which are sold with malware embedded in them right from the start.
3. IOT devices on the network: 66% of respondents feel that 25% or fewer of the devices in their network are IoT. 85% of respondents said they aren’t confident they know all devices in the network, but nearly two-thirds of them admitted to having 6-15 unique device types on their networks.
Source: http://www.securityweek.com/iot-devices-not-properly-secured-enterprise-networks-survey, June 14, 2016
Some key revelations from SecurityWeek (continued)
4. Security Policy: 44% said they have a policy, 26% admitted they didn’t know, and 30% said no such policy was in use. 33% were aware of their company’s security policy covering home networks too, while 45% said that accessing the corporate network from home wasn’t covered by the existing policy.
5. Device Discovery: 89% felt it’s important to discover an IoT device on the network. 87% said it is important to classify IoT devices. 86% found discovering/classifying without the use of an agent to be important.
6. Securing IoT devices on the network: 30% of respondents relied on “industry/manufacturer methods, such as Wi-Fi, WPA2, BT protocols.” 17% said they have a password on the network, 13% didn’t know and 14% weren’t aware of such protection.
Source: http://www.securityweek.com/iot-devices-not-properly-secured-enterprise-networks-survey, June 14, 2016
Man! That is scary!!
Typical IT Network today (network diagram): Internet, WAN, 3/4/5G, Switch, Firewall, Router, Proxy, Email, FTP, Web, LAN, DB.
Enterprise Devices on the IT Network: Desktop, Laptops, Tablets, Phones (~1.6B). Then, Consumer Devices.
Threats shown on the diagram: Malware, Physical, Viruses, Denial of Service, Spoofing, Worm, Trojan Horse.
A recent example is the failure to secure thousands of Internet-connected printers around the world, which allowed a researcher to access them via port 9100 (the raw printing port) and to set all of them to print an anti-Semitic flier.
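The survey items on device discovery and classification, and the port-9100 printer incident, both come down to the same agentless inventory question: which devices on the network are IoT, and which of them expose services they should not. The following Python script is added here as an illustration; it is not code from the presentation or from ForeScout. It classifies devices from a constructed ARP/port-sweep inventory. The inventory lines, the OUI prefix table and the category names are assumptions made for the example; a real deployment would load the IEEE OUI registry and its own scan output.

```python
"""Agentless IoT discovery and classification from an ARP/port inventory.

Added example (not code from the original deck). The inventory lines, the
OUI-to-class table and the class names are constructed for illustration;
a real deployment would load the IEEE OUI registry and its own scan output.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed inventory: "<ip> <mac> <comma-separated open TCP ports>", the
# kind of data a DHCP/ARP export plus an agentless port sweep would give.
SAMPLE_INVENTORY = """\
10.0.10.12  aa:11:22:01:02:03  22,80,443
10.0.10.13  aa:11:22:04:05:06  135,139,445,3389
10.0.20.40  bb:33:44:0a:0b:0c  80,554
10.0.20.41  bb:33:44:0d:0e:0f  80,554,23
10.0.30.7   cc:55:66:00:00:01  47808
10.0.30.8   cc:55:66:00:00:02  47808,23
10.0.40.5   dd:77:88:aa:bb:cc  9100,80,23
10.0.40.9   ee:99:00:12:34:56  8080
"""

# Hypothetical OUI prefixes (first three octets) -> device class. Assumption
# for the example only; these are not real vendor assignments.
OUI_CLASS = {
    "aa:11:22": "workstation",
    "bb:33:44": "ip-camera",
    "cc:55:66": "bms-controller",
    "dd:77:88": "printer",
}

# Service ports that strongly indicate a device class. Checked before the OUI
# because a MAC prefix is trivially spoofed, while a listening service is not.
PORT_CLASS = {
    47808: "bms-controller",  # BACnet/IP, used by building automation
    9100: "printer",          # raw (JetDirect) printing, the port abused in the flier incident
    554: "ip-camera",         # RTSP video streaming
    3389: "workstation",      # RDP
}

IOT_CLASSES = {"ip-camera", "bms-controller", "printer"}

# Services an IoT device should not expose to the IT network.
RISKY_PORTS = {23: "telnet", 21: "ftp", 9100: "raw-print"}


@dataclass
class Device:
    ip: str
    mac: str
    ports: set[int]
    klass: str = "unknown"
    flags: list[str] = field(default_factory=list)


def parse_inventory(text: str) -> list[Device]:
    """Parse constructed inventory lines into Device records."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, ports = line.split()
        devices.append(Device(ip, mac.lower(), {int(p) for p in ports.split(",") if p}))
    return devices


def classify(dev: Device) -> Device:
    """Assign a class from open ports first, then from the OUI prefix."""
    for port, klass in PORT_CLASS.items():
        if port in dev.ports:
            dev.klass = klass
            break
    else:
        dev.klass = OUI_CLASS.get(dev.mac[:8], "unknown")
    # Flag IoT (or unidentified) devices exposing plaintext management or raw print.
    if dev.klass in IOT_CLASSES or dev.klass == "unknown":
        dev.flags = [f"{name}-exposed" for port, name in RISKY_PORTS.items() if port in dev.ports]
    return dev


def inventory_report(text: str) -> dict:
    """Classify every device and summarise what IT should look at first."""
    devices = [classify(d) for d in parse_inventory(text)]
    return {
        "counts": dict(Counter(d.klass for d in devices)),
        "iot_share": sum(d.klass in IOT_CLASSES for d in devices) / len(devices),
        "unknown": [d.ip for d in devices if d.klass == "unknown"],
        "flagged": {d.ip: d.flags for d in devices if d.flags},
    }


if __name__ == "__main__":
    for key, value in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Ports are matched before the MAC prefix because a MAC address is trivially spoofed while a listening BACnet, RTSP or raw-print service is observed behaviour. The "unknown" list is the survey's "not confident we know all devices" problem made concrete, and the "flagged" map is the queue for the validation step the closing thoughts call for.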
Other office-specific devices in the offices: Energy, Sensors, HVAC, Lighting, Security Cameras, Entertainment Devices, Wearables.
Today Security, Lighting, HVAC, etc. are connected through a Building Management System (BMS), but there are many issues...
Building Management Systems (diagram). Image by: http://www.wbdg.org/resources/cybersecurity.php. Legend: HVAC – Heating, Ventilating, and Air-conditioning Control; BAC – Building Automation and Control; VAV – Variable Air Volume.
Issues: Lighting, HVAC, Security, …
1. Different Systems for different Apps – Problem for Integration
2. Sensing and Actuation both may not be possible
3. Lack of Finer Grain Control
4. Lack of Individual Device Level Control
5. Little Device Security
6. Complexity of Multiple Systems
7. Lack of Local Intelligence
8. Lack of Extensibility and Upgradeability
Interesting Note: IT and WSPs have already solved these problems for laptops, tablets, smart phones, printers, …
Examples
1. Lighting Systems
2. HVAC Controls
3. Surveillance/Security Camera
4. Presence in conference rooms
Life with 1T sensors + 50B devices?
• Most of the 50B devices will be unprotected & open to hacking! IT should be worried!!
• Loss of economic value & innocence (opt-in without knowing consequences)
• How many 20 pages of legal stuff will you read?
• Safety, security at risk
Manageability, Upgradeability, Security, Large Data sizes, Power, Communication, Processing, Analytics, and redundancy problems are going to explode!!
Hackers are already attacking the industrial world
• Hackers break into networks of 3 big medical device makers (SF Chronicle, Feb 10, 2014)
• Thousands of IoT control systems vulnerable: DHS Study (Info Week, Jan 11, 2013)
• Shamoon [virus] was an external attack on Saudi Oil Production (Info Security magazine, Dec. 10, 2012)
• World First Cyber hijack: Was missing Malaysia flight hacked by mobile phone? (Express, March 16, 2014)
• Underground copper wire heist causes San Jose freeway flood (SJ Mercury News, Feb 28, 2014)
• Target hackers broke in via HVAC company (CNBC, Feb 5, 2014)
• How Hackers can take control of your Car (EE Times, Jul 8, 2013)
• Attack on California substation fuels Grid Security debate (IEEE Spectrum, Feb 2014)
What should be the strategy to include these new IOT devices in the architecture?
Strategy 1: Build a Wall (IT and IOT on separate networks)
Advantages
1. Keeps away the contamination
2. Security, device management does not turn into a nightmare
3. Simpler IP addressing
4. QoS and Latency not critical
5. Easy management of rogue devices
Disadvantages
1. High cost of creating a parallel new network
2. Separate IT and Facilities Management personnel
3. Employee has no access/control
4. Operational inefficiencies
Strategy 2: Create one Ubiquitous Network (IT and IOT on the same network)
Advantages
1. Reduced cost of deployment
2. Easier IT/Facilities management
3. IPV6 addressing
4. Employees can also have direct control over certain devices
5. Uniform policy management
6. Easier OS, analytics, profile update
7. Sensing as well as actuation
Disadvantages
1. Security vulnerabilities
2. QoS/Latency issues
3. Rogue devices creep
4. Device Volume/Management
Strategy 3: Build a hybrid Network (IOT devices behind a Gateway to IT)
Advantages
1. Phased transition of devices
2. Staggered deployment cost
3. Easier IT/Facilities management
4. Device security behind a gateway
5. Employees can also have direct control over certain devices
6. Uniform policy management
7. Easier OS, analytics, profile update
8. Sensing as well as actuation
Disadvantages
1. QoS/Latency issues
2. Device Volume/Management
There is no ideal solution. Each case is different. Implementation is defined by organizational priorities.
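The three strategies differ mostly in which flows are allowed to cross between the IT and IOT populations. The Python model below is an added illustration, not code from the presentation: it expresses each strategy as a first-match, default-deny flow policy and runs the same constructed set of flows through all three, so the "employee has no access" disadvantage of the wall and the "rogue devices creep" disadvantage of the flat network show up as concrete allow/deny decisions. The zone address ranges, the gateway ports (MQTT over TLS on 8883, HTTPS on 443) and the sample flows are assumptions made for the example.

```python
"""Flow-policy model of the three IT/IOT network strategies.

Added example, not code from the original presentation. The zone address
ranges, the gateway's ports and the sample flows are assumptions made for
the illustration.
"""
from __future__ import annotations

import ipaddress

# Assumed addressing: IT users/servers, IOT devices and the IOT gateway
# (strategy 3) each get their own range so a flow can be mapped to zones.
ZONES = {
    "it": ipaddress.ip_network("10.0.10.0/24"),
    "iot": ipaddress.ip_network("10.0.20.0/24"),
    "gateway": ipaddress.ip_network("10.0.30.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Each rule: (src_zone, dst_zone, allowed_ports or ANY). "*" matches any zone.
# Evaluation is first match wins, default deny.
ANY = None
POLICIES = {
    # Strategy 1: two parallel networks, nothing crosses between them.
    "wall": [
        ("it", "it", ANY),
        ("iot", "iot", ANY),
    ],
    # Strategy 2: one flat network, everything reaches everything.
    "ubiquitous": [
        ("*", "*", ANY),
    ],
    # Strategy 3: devices only talk to the gateway (MQTT over TLS); the
    # gateway alone talks to IT (HTTPS to analytics); employees control
    # devices through the gateway's API, never directly.
    "hybrid": [
        ("it", "it", ANY),
        ("iot", "gateway", {8883}),
        ("gateway", "it", {443}),
        ("it", "gateway", {443}),
    ],
}


def decide(strategy: str, src: str, dst: str, dport: int) -> bool:
    """Return True if the strategy's policy permits src -> dst:dport."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, ports in POLICIES[strategy]:
        if rule_src in (s, "*") and rule_dst in (d, "*") and (ports is ANY or dport in ports):
            return True
    return False


# Constructed flows: a camera publishing telemetry, an employee adjusting a
# device, and a compromised camera trying to reach the IT file server.
SAMPLE_FLOWS = {
    "camera->gateway mqtt": ("10.0.20.40", "10.0.30.1", 8883),
    "gateway->analytics https": ("10.0.30.1", "10.0.10.50", 443),
    "employee->gateway api": ("10.0.10.12", "10.0.30.1", 443),
    "employee->camera direct": ("10.0.10.12", "10.0.20.40", 80),
    "rogue camera->file server": ("10.0.20.41", "10.0.10.50", 445),
    "camera->camera lateral": ("10.0.20.41", "10.0.20.40", 23),
}


def compare(flows=SAMPLE_FLOWS) -> dict[str, dict[str, bool]]:
    """Return, per strategy, which sample flows would be permitted."""
    return {
        strategy: {name: decide(strategy, *flow) for name, flow in flows.items()}
        for strategy in POLICIES
    }


if __name__ == "__main__":
    for strategy, results in compare().items():
        print(strategy)
        for name, allowed in results.items():
            print(f"  {'ALLOW' if allowed else 'DENY':5} {name}")
```

Under the hybrid policy the gateway is the only path in either direction, so a compromised camera can neither reach the file server nor probe its neighbours, and an employee's control request still works because it goes through the gateway API. The same rule table is what you would hand to the firewall or VLAN ACLs that actually enforce it.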
Issues faced when adding IOT to the IT network
1. Security: Many IOT devices do not come with security
2. Volume: 30X more devices will be added to the network
3. QoS: When there is a critical event, e.g. fire, or a water leak, how to ensure the event gets the highest priority?
4. Power: How do we power these devices? 110V, batteries, or energy harvesting?
5. Device Upgrade/Replacement: How do you upgrade (OS, analytics, profile, and Firmware) in real time? Detect when a device dies?
6. Redundancy/Failover: How do you ensure reliable operation?
7. Manageability/Support: How to recognize/fulfill support needs?
8. Processing/Analytics: How do you define where the analytics processing occurs (end node, edge, or cloud), on-premise or off-premise?
9. Storage: Where is the data stored, what is the retention period, and should the data even be stored, or only exceptions?
10. Communication: Which wireless protocols make sense? Should the devices be connected over BT, Wi-Fi, or WAN? Bandwidth? Real time?
11. Data Sizes: The amount of data created is going to be humongous! What type of data is it?
12. Human Safety: What are the implications on human life?
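Items 3, 5, 9 and 11 above (critical-event priority, detecting a dead device, storing only exceptions, data volume) are usually answered together at the edge with exception reporting: a device or gateway forwards a reading only when it moved by more than a deadband, when it crosses an alarm threshold, or as a periodic heartbeat. The Python below is an added example, not code from the presentation; the sensor readings, thresholds and heartbeat interval are constructed for the illustration.

```python
"""Edge-side exception reporting: forward only what IT needs to see.

Added example, not from the original deck. The sensor readings, thresholds
and heartbeat interval are constructed assumptions for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def constructed_readings() -> list[tuple[int, str, float]]:
    """Constructed telemetry: a room temperature sensor and a leak sensor,
    sampled once a minute. Temperature jitters by a few hundredths of a
    degree, spikes (fire-like) at minutes 40-42, and the leak trips at 55."""
    rows = []
    for minute in range(60):
        temp = 21.0 + 0.04 * ((minute * 7) % 5 - 2)  # deterministic jitter
        if 40 <= minute < 43:
            temp = 48.0
        rows.append((minute, "temp", temp))
        rows.append((minute, "leak", 1.0 if minute >= 55 else 0.0))
    return rows


# Per-signal policy: deadband (report only when the value moved this much),
# alarm predicate (always report, tagged critical), heartbeat in samples.
POLICY = {
    "temp": {"deadband": 0.5, "alarm": lambda v: v >= 45.0, "heartbeat": 15},
    "leak": {"deadband": 0.5, "alarm": lambda v: v >= 1.0, "heartbeat": 15},
}


@dataclass
class Report:
    minute: int
    signal: str
    value: float
    priority: str  # "critical" for alarms, "normal" otherwise


def exception_filter(readings, policy=POLICY) -> list[Report]:
    """Return the subset of readings worth forwarding over the network."""
    last_sent: dict[str, float] = {}
    since_sent: dict[str, int] = {}
    out: list[Report] = []
    for minute, signal, value in readings:
        rules = policy[signal]
        since_sent[signal] = since_sent.get(signal, 0) + 1
        if rules["alarm"](value):
            priority = "critical"          # fire / leak: jumps the queue
        elif signal not in last_sent or abs(value - last_sent[signal]) >= rules["deadband"]:
            priority = "normal"            # first sample or a real change
        elif since_sent[signal] >= rules["heartbeat"]:
            priority = "normal"            # proof of life so a dead device is noticed
        else:
            continue                       # nothing new: do not send, do not store
        out.append(Report(minute, signal, value, priority))
        last_sent[signal] = value
        since_sent[signal] = 0
    return out


def reduction(readings, reports) -> float:
    """Fraction of samples that never left the edge."""
    return 1 - len(reports) / len(readings)


if __name__ == "__main__":
    rd = constructed_readings()
    rep = exception_filter(rd)
    print(f"{len(rd)} samples -> {len(rep)} reports ({reduction(rd, rep):.0%} reduction)")
    for r in rep:
        print(r)
```

The "critical" reports are the ones the QoS question is about: they are the only traffic that needs priority marking on the wire, and the heartbeat is what lets the back end distinguish a quiet sensor from a dead one without streaming every sample.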
We live in Exponential Sensor Times
IOT takes it several orders of magnitude forward
From Tsensors Summit – Janusz Bryzek – Roadmap for Trillion Sensor universe
Data Load on Analytics Framework (pyramid diagram): Sensors Data → Information → Knowledge → Wisdom. The unique thing about IOT data is that it can be reduced.
Step by Step Transition (architecture diagram): HVAC, Video, Digital Signage, Lighting, Elevator, PACS and Advanced Metering systems brought behind a Gateway that connects to the IT WAN (diagram elements: PLC, PACS, Advanced Metering, Gateway, WAN, IT).
BAS legend: Fire and Life and Safety (FLS); Physical Security and Access Control (PACS); Energy Management Systems (EMS), which includes Lighting Control; Heating, Ventilation and Air Conditioning (HVAC).
IT/IOT Architectural Ubiquity (architecture diagram): the same HVAC, Video, Digital Signage, Lighting, Elevator, PACS and Advanced Metering systems on a shared IT/IOT LAN/WAN.
Closing Thoughts
1. Security/Human Safety Priority #1
2. Validate IOT Devices before adding them to the IT Network
3. Use phased approach to adding devices and systems
4. Define economic value/metrics/replacement cost and then monitor
5. Key Considerations: Security, Volume, QoS, Power, Device Upgrade and Replacement, Redundancy/Failover, Manageability/Support, Processing, Analytics, Storage, Communication, Data Sizes and type of Data
Thank you
Backup
New Security Threats to Personal IOT Devices
• Fridge: Fridge sending out spam after web attack compromised gadgets. One of more than 100K devices used in spam campaign. (BBC News, Jan 2014)
• Baby Monitor: Hacker takes over baby monitor and shouts obscenities at sleeping child. (ABC News, 13 Aug 2013)
• Wearables: “Wearable Computing Equals New Security Risks” (InformationWeek, 13 Jan 2013)
• Medical Devices: “We’re starting to attach medical devices to electronic health records, and they’re not secure.” (Healthcare IT News, May 2013)
• Credit Card Information System: “Target Confirms Point-of-Sale Malware Was Used in Attack” (Security Week, 13 Jan 2014)
Glossary of Terms
1. Hacker Attacks: Attacks that are not automated by programs such as viruses, worms, or Trojan horse programs. There are various forms that exploit weaknesses in security. Many of these may cause loss of service or system crashes.
2. IP spoofing: An attacker may fake their IP address so the receiver thinks the packet was sent from a location it did not actually come from. There are various forms and results of this attack. The attack may be directed to a specific computer addressed as though it is from that same computer; this may make the computer think that it is talking to itself, which can cause some operating systems such as Windows to crash or lock up. Another form is gaining access through source routing: hackers may be able to break through other friendly but less secure networks and get access to your network using this method.
3. Session Hijacking: An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.
4. Server spoofing: A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (in the clear) authentication from the client. The attacker runs this utility while acting like the server as the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read the username and password from the network packets sent.
5. DNS poisoning: An attack where DNS information is falsified. It can succeed under the right conditions, but may not be very practical as an attack form. The attacker sends incorrect DNS information which can cause traffic to be diverted. The DNS information can be falsified because name servers do not verify the source of a DNS reply: when a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct web server, such as a bank’s, and capture information from customers when they attempt to log on.
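The session-hijacking entry above says the attack is prevented when the two legitimate systems share a secret that is checked during the session. The Python below is an added example of that countermeasure, not code from the presentation: every message carries an HMAC over the session id, a sequence number and the payload, so an attacker who spoofs the client's IP address but lacks the secret cannot forge a message, and a captured message cannot be replayed. The secret, session id, payloads and message format are constructed for the illustration.

```python
"""Session messages authenticated with a shared secret.

Added example, not from the deck; the secret, payloads and message format
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json


def tag_for(secret: bytes, session_id: str, seq: int, payload: str) -> str:
    """HMAC-SHA256 over the session id, sequence number and payload."""
    msg = json.dumps([session_id, seq, payload], separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, secret: bytes, session_id: str):
        self.secret, self.session_id, self.seq = secret, session_id, 0

    def send(self, payload: str) -> dict:
        self.seq += 1
        return {"session": self.session_id, "seq": self.seq, "payload": payload,
                "tag": tag_for(self.secret, self.session_id, self.seq, payload)}


class Receiver:
    def __init__(self, secret: bytes, session_id: str):
        self.secret, self.session_id, self.last_seq = secret, session_id, 0
        self.accepted: list[str] = []

    def receive(self, msg: dict) -> str:
        """Return 'ok', 'bad-session', 'bad-tag' or 'replay'; only 'ok' is acted on."""
        if msg.get("session") != self.session_id:
            return "bad-session"
        expected = tag_for(self.secret, self.session_id, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "bad-tag"     # spoofed source address is not enough without the secret
        if msg["seq"] <= self.last_seq:
            return "replay"      # captured message re-sent after the fact
        self.last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        return "ok"


def demo() -> dict[str, str]:
    """Legitimate message, forged message, replayed message, next legitimate one."""
    secret = b"constructed-shared-secret"   # assumption: established out of band
    client, server = Sender(secret, "sess-42"), Receiver(secret, "sess-42")
    results = {}
    legit = client.send("set_thermostat 21")
    results["legit"] = server.receive(legit)
    # Attacker has the client's IP (spoofable) and a captured message, not the secret:
    # reusing the captured tag on a new payload/sequence number fails verification.
    forged = dict(legit, seq=legit["seq"] + 1, payload="unlock_door")
    results["forged"] = server.receive(forged)
    results["replay"] = server.receive(legit)
    results["next_legit"] = server.receive(client.send("set_thermostat 22"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The sequence number is what turns "a shared secret checked periodically" into protection against replay as well as forgery; in practice this is what TLS or an authenticated MQTT session provides, and the example only makes the mechanism visible.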
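The DNS poisoning entry above turns on two resolver weaknesses: accepting a reply without checking that it matches an outstanding query, and caching "additional" records the replying server had no authority over. The Python below is an added example, not code from the presentation, modelled on the checks production resolvers apply: a random transaction id and source port that a reply must match, a question-section match, and a bailiwick filter that discards records outside the zone the query was sent to. The query and reply objects are simplified dicts constructed here, not real DNS wire format, and the names and addresses are examples.

```python
"""Resolver-side checks against the cache-poisoning pattern described above.

Added example, not from the deck. Query/reply objects are simplified dicts
constructed here, not real DNS wire format; names and addresses are examples.
"""
from __future__ import annotations

import secrets


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone itself or a name under it."""
    r, z = record_name.lower().rstrip("."), zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)


class Resolver:
    def __init__(self):
        self.pending: dict[tuple[int, int], dict] = {}   # (txid, src_port) -> query
        self.cache: dict[tuple[str, str], str] = {}       # (name, type) -> rdata
        self.rejected: list[str] = []

    def ask(self, qname: str, qtype: str, zone: str) -> dict:
        """Send a query; the random txid and source port are what a reply must match."""
        txid, port = secrets.randbelow(1 << 16), 1024 + secrets.randbelow(60000)
        q = {"txid": txid, "port": port, "qname": qname, "qtype": qtype, "zone": zone}
        self.pending[(txid, port)] = q
        return q

    def on_reply(self, reply: dict) -> bool:
        """Accept a reply only if it matches a pending query; cache in-bailiwick records."""
        key = (reply["txid"], reply["port"])
        q = self.pending.get(key)
        if q is None:
            self.rejected.append("unsolicited or wrong txid/port")
            return False
        if (reply["qname"], reply["qtype"]) != (q["qname"], q["qtype"]):
            self.rejected.append("question mismatch")
            return False
        del self.pending[key]   # one reply per query; later copies are unsolicited
        for name, rtype, rdata in reply.get("answers", []) + reply.get("additional", []):
            # Only cache records the replying server is authoritative for.
            if in_bailiwick(name, q["zone"]):
                self.cache[(name, rtype)] = rdata
            else:
                self.rejected.append(f"out-of-bailiwick {name}")
        return True


def demo() -> dict:
    """Poisoned reply with an out-of-bailiwick extra record, then a blind spoof."""
    r = Resolver()
    # Legitimate lookup of a name served by attacker.example's own nameserver.
    q = r.ask("www.attacker.example", "A", zone="attacker.example")
    poisoned = {"txid": q["txid"], "port": q["port"], "qname": q["qname"], "qtype": "A",
                "answers": [("www.attacker.example", "A", "198.51.100.7")],
                "additional": [("www.bank.example", "A", "198.51.100.7")]}
    accepted = r.on_reply(poisoned)
    # Blind spoof: attacker guesses the txid but sends to the fixed port 53.
    guess = {"txid": q["txid"], "port": 53, "qname": "www.bank.example", "qtype": "A",
             "answers": [("www.bank.example", "A", "198.51.100.7")]}
    blind = r.on_reply(guess)
    return {"reply_accepted": accepted, "blind_accepted": blind,
            "bank_cached": ("www.bank.example", "A") in r.cache,
            "attacker_cached": r.cache.get(("www.attacker.example", "A")),
            "rejected": r.rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reply is accepted for the name that was actually asked about, but the bank record it smuggled in the additional section never reaches the cache; the blind spoof fails because a 16-bit transaction id alone is not the whole match.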
Glossary of Terms (continued)
6. Password cracking: Used to get the password of a user or administrator on a network and gain unauthorized access.
7. Viruses: This type of malicious code requires you to actually do something before it infects your computer, such as opening an email attachment or going to a particular web page. It reproduces itself by attaching to other executable files.
8. Worms: Worms propagate without your doing anything. They typically start by exploiting a software vulnerability (a flaw that allows the software's intended security policy to be violated). Once the victim computer has been infected, the worm attempts to find and infect other computers. Similar to viruses, worms can propagate via email, web sites, or network-based software; the automated self-propagation of worms distinguishes them from viruses. A worm is a self-reproducing program that creates copies of itself. Worms that spread using e-mail address books are often called viruses.
9. Trojan horses: A Trojan horse program is software that claims to do one thing while, in fact, doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending your confidential information to an intruder.
10. Spyware: This sneaky software rides its way onto computers when you download screensavers, games, music, and other applications. Spyware sends information about what you're doing on the Internet to a third party, usually to target you with pop-up ads. Browsers enable you to block pop-ups. You can also install anti-spyware to stop this threat to your privacy.
11. DoS: Denial of Service.
12. Logic Bomb: Dormant until an event triggers it (date, user action, random trigger, etc.).