Paul Malone of TSSG spoke at the IERC debate entitled “The Internet of Energy Things will deliver...


IERC Conference 2015

Paul Malone 13th May 2015

12/05/2015   www.tssg.org  

The internet of energy things will deliver a secure, cheap and sustainable energy future


The internet of energy things will deliver a secure?, cheap and sustainable energy future


•  Increased attack surface

•  Difficulty of patching devices

•  Lack of data governance frameworks


Increased attack surface


Source:  Cisco  

2014 Verizon Data Breach Investigations Report


Source:  Verizon  

The OWASP Internet of Things Top 10

1.  Insecure Web Interface

2.  Insufficient Authentication/Authorization

3.  Insecure Network Services

4.  Lack of Transport Encryption

5.  Privacy Concerns

6.  Insecure Cloud Interface

7.  Insecure Mobile Interface

8.  Insufficient Security Configurability

9.  Insecure Software/Firmware

10. Poor Physical Security

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project


Difficulty of patching devices


HP Report 2014

“70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions.”

“IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries”

“The challenge is, you see all of these devices coming online at a rapid clip, without robust security. … Trying to apply a patch to a thermostat in the home is going to be much more challenging.”

- Gary Davis, Intel Security


Foscam  Baby  Monitor  

•  Multiple vulnerabilities

•  100,000 cameras in the wild (easy to find)

•  20% default user “admin” no password

•  Vendor generated a patch (for some of the vulnerabilities)

•  99% of cameras still ran the older firmware


Lack of agreed Data Governance Frameworks


•  Huge amounts of data

•  Regulatory and compliance complexities

•  Assurances with regard to PII

–  Where is my data?

–  Who has access?

•  What assurances does the consumer have?

–  How is my data being used?

•  What is the value to me?

•  What is the value to 3rd parties?


What about Surveillance?

“If privacy and confidentiality isn’t designed in up front, on top of the security capabilities provided by the enabling M2M infrastructure (including authentication, access control, data protection), the benefits of the IoT cannot be fully realized.”

- Tim Carey, Alcatel Lucent


The internet of energy things will deliver a secure, cheap and sustainable energy future


The internet of energy things can deliver a secure, cheap and sustainable energy future


But only if security is addressed first!

“You cannot escape the responsibility of tomorrow by evading it today.”

- Abraham Lincoln
