06/03/2017 Public
Securing your IoT products
LPWAN London, Feb 2017
Richard Marshall, IoTSF Plenary Chair and CEO, Xitex Ltd
Being connected…
– Products are often not considered a target: “Why would someone attack my product…?”
– IoT products are potentially installed by the billion; the number of devices could outnumber mobile phones
– Being connected allows remote attacks, which makes physical presence and physical barriers irrelevant as defences
– IoT devices become potential ‘weapons’ in large-scale attacks
IoT product challenges
Lean Startup ‘Minimum Viable Product’ [MVP] development approach
Supply chain integrity and complexity
Traditional ‘ship it, then develop the next product’ strategy
Lack of security awareness and standards
Usability versus security
MVP development strategy
Relies on an incremental approach to product development to gain customer feedback.
Security is seen as a ‘feature’ that can be added later…
This conflicts with the need to build the security foundations into a product from the beginning…
MVP & hardware security
Hardware vulnerabilities are impossible to fix in deployed products
Product lifecycles are longer than the 2 to 5 years typical of consumer electronics or mobile phones
Lifecycles of 15 to 25 years are not unusual for infrastructure devices
Product security relies on the strength of its weakest link
Component Supply Chain
Components often come with vendor software, typically:
– Boot loaders
– Protocol stacks
– Device drivers
Careful selection of the underlying platform is critical: has the security of that vendor software been considered?
Production
Outsourced production: how is security maintained in a third party’s facility?
How are the following ensured by design:
– Cryptographic keys are not revealed (symmetric key insertion into devices is an issue: the line, and whoever compromises it, holds every device’s secret)
– Unauthorised product is not being manufactured
– Unauthorised software and data are not loaded into the product
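The three production questions above can be answered largely by design rather than by trusting the factory. The following is an added example, not code from the slides or from the IoT Security Foundation, showing one such design in Go: the device generates its own Ed25519 key pair so the production line only ever sees the public key (no symmetric key to leak), the factory signs an identity record so an off-the-books unit cannot enrol with the backend, and the bootloader accepts only firmware signed by a release key that never visits the factory floor, refusing rollback to an older version. The device IDs, nonces, record tags and firmware payloads are constructed sample values; a real product would hold the private key in a secure element and the release public key in immutable boot ROM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device is the state inside the product. The private key is generated on the
// device and never exported, so the production line only sees the public key.
type Device struct {
	ID    [8]byte
	priv  ed25519.PrivateKey // stays on-device (secure element in practice)
	Pub   ed25519.PublicKey
	Cert  []byte // factory signature over the identity record
	fwVer uint32 // highest firmware version ever booted (anti-rollback)
}

// NewDevice generates the key pair on the device itself.
func NewDevice(id [8]byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv, Pub: pub}, nil
}

// Factory is the manufacturer's signing authority. It holds no per-device
// secret: a leak of its records exposes public keys only, unlike a table of
// injected symmetric keys.
type Factory struct {
	idPriv ed25519.PrivateKey // signs device identities on the line
	fwPriv ed25519.PrivateKey // signs firmware releases; never on the line
	IDPub  ed25519.PublicKey  // provisioned into the backend verifier
	FWPub  ed25519.PublicKey  // provisioned into the device bootloader
}

func NewFactory() (*Factory, error) {
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	fwPub, fwPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Factory{idPriv: idPriv, fwPriv: fwPriv, IDPub: idPub, FWPub: fwPub}, nil
}

// identityRecord is what the factory certifies: a fixed tag (so an identity
// signature can never be mistaken for a firmware signature), then ID || pubkey.
func identityRecord(id [8]byte, pub ed25519.PublicKey) []byte {
	rec := append([]byte("DEVICE-ID-v1\x00"), id[:]...) // constructed tag
	return append(rec, pub...)
}

// Enrol runs on the production line: only ID and public key cross the line.
func (f *Factory) Enrol(id [8]byte, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(f.idPriv, identityRecord(id, pub))
}

// ProveIdentity answers a backend challenge with the on-device private key.
func (d *Device) ProveIdentity(nonce []byte) []byte {
	return ed25519.Sign(d.priv, nonce)
}

// VerifyDevice is the backend check: the factory vouched for ID||pub, and the
// peer can sign a fresh nonce with the matching private key. An unenrolled
// (unauthorised) unit fails the first check; a cloned ID fails the second.
func VerifyDevice(idPub ed25519.PublicKey, id [8]byte, pub ed25519.PublicKey, cert, nonce, proof []byte) bool {
	if !ed25519.Verify(idPub, identityRecord(id, pub), cert) {
		return false
	}
	return ed25519.Verify(pub, nonce, proof)
}

// Image is a firmware release: version counter, payload and release signature.
type Image struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

func imageRecord(version uint32, payload []byte) []byte {
	rec := []byte("FIRMWARE-v1\x00") // constructed tag, distinct from identity tag
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	return append(append(rec, v[:]...), payload...)
}

// SignImage is the release step, done off the production line.
func (f *Factory) SignImage(version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload, Sig: ed25519.Sign(f.fwPriv, imageRecord(version, payload))}
}

// Boot is the bootloader check: refuse images not signed by the release key,
// and refuse a validly signed but older image (rollback to a vulnerable version).
func (d *Device) Boot(fwPub ed25519.PublicKey, img Image) error {
	if !ed25519.Verify(fwPub, imageRecord(img.Version, img.Payload), img.Sig) {
		return errors.New("firmware signature invalid: refusing to boot")
	}
	if img.Version < d.fwVer {
		return errors.New("firmware older than installed version: rollback refused")
	}
	d.fwVer = img.Version
	return nil
}

func main() {
	f, _ := NewFactory()
	dev, _ := NewDevice([8]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}) // constructed ID
	dev.Cert = f.Enrol(dev.ID, dev.Pub)
	nonce := []byte("backend-challenge-0001") // constructed nonce
	fmt.Println("identity ok:", VerifyDevice(f.IDPub, dev.ID, dev.Pub, dev.Cert, nonce, dev.ProveIdentity(nonce)))
	fmt.Println("boot v2:", dev.Boot(f.FWPub, f.SignImage(2, []byte("firmware v2"))))
	fmt.Println("boot v1:", dev.Boot(f.FWPub, f.SignImage(1, []byte("firmware v1"))))
}
```

The split between `idPriv` and `fwPriv` is deliberate: the identity key has to be present (ideally inside an HSM) on the production line, whereas the firmware release key never does, so a compromised contract manufacturer can at worst enrol extra units, which the backend can later revoke by ID, but cannot sign firmware. The monotonic `fwVer` check is the same mechanism a field-update path relies on, which is why patchability and rollback protection should be decided together at design time.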
Ongoing Support
What is the support policy?
Are the devices patchable?
EOL policy – revocation, kill switch?
Is a vulnerability policy in place?
Is a security notification process in place?
Help is available for you
See the IoT Security Foundation Best Practice Guidelines, Release 1.0: https://iotsecurityfoundation.org/best-practice-guidelines/
Executive Steering Board
Prof. John Haine, Chair, University of Bristol
Prof. David Rogers, CEO, Copper Horse Solutions
Prof. Ben Azvine, Global Head of Security Research and Innovation, BT
Prof. Kenny Paterson, RHUL
Ken Munro, Partner, PenTest Partners
Dr. Steve Babbage, Chief Cryptographer, Distinguished Engineer, Vodafone Group
Haydn Povey, CEO, Secure Thingz
John Moor, MD, IoT Security Foundation
Majid Bemanian, Director Segment Marketing, Imagination Technologies
Richard Marshall, Managing Consultant, Xitex Ltd.