ISSA-UK Chapter Meeting London 13th June 2013 Adrian Wright VP Research - ISSA-UK CEO - Secoda Risk Management Securing The Internet of Things

ISSA-UK Securing the Internet-of-Things by Adrian Wright


Securing The 'Internet of Things' Once upon a time the Internet was all about connecting people via their computers. Then along came mobile which allowed people to connect while on the move. But as more and simpler devices are coming equipped with an IP connection, the people have largely left the room leaving all sorts of devices talking directly to each other and to higher systems via the web, without human intervention or supervision. Predictions say that by 2020 some 30 to 50 billion ‘things’ will be connected to the internet, from simple widgets like temperature sensors and domestic water meters, to more critical devices such as power plant telemetry and ATMs. The security implications are obvious but cannot be assumed to have been addressed, which raises some key questions we need to discuss.


Page 1: ISSA-UK Securing the Internet-of-Things by Adrian Wright

ISSA-UK Chapter Meeting, London

13th June 2013

Adrian Wright, VP Research - ISSA-UK

CEO - Secoda Risk Management

Securing The Internet of Things

Page 2

Securing The Internet of Things

1. Hitchhiker's Guide to the Thingiverse

2. New World? Or a New Term?

3. Technology Drivers & Enablers

4. Security Challenges

5. Summary & Debate

Page 3

Start with a great quote:

And a critical observation for good measure:

Page 4

Privacy anyone?

Page 5

1. Anatomy of M2M

"The Internet of Things is not a concept; it is a network. The true technology-enabled Network of all networks". Edewede Oriwoh (bio: http://www.researchgate.net/profile/Edewede_Oriwoh/ )

Page 6

What is it?

• Once upon a time the Internet was about connecting people via their computers

• Then mobile allowed people to connect while on the move

• As simpler devices come equipped with IP connections, people have largely left the room leaving all sorts of devices talking directly to each other and to higher systems via the web, without human intervention or supervision

• By 2020 30-50 billion ‘things’ will be connected to the internet, from simple widgets like temperature sensors & domestic water meters to more critical devices like medical monitors, power plant telemetry & ATMs

• This is called M2M (Machine to Machine) communication, as distinct from H2H (Human to Human) & dubbed “The Internet of Things”* (IoT)

• Today 9 bn devices connected to the internet, incl 6 bn mobile devices

* Term initially used by Kevin Ashton in 1999 (About Kevin Ashton: http://kevinjashton.com/ )

Page 7

Implications

• IoT = Future where everyday physical objects will be connected to the Internet and will be able to identify themselves to other devices

• IoT = Integration of the physical and virtual world

• IoT = Significant, as when a physical object is represented in the virtual world it can be connected to other virtually represented objects & data

• IoT = Object can be monitored & managed based on preset parameters

• IoT = Huge revenue opportunity to mobile operators: $1.2 trillion by 2020*. Most profit coming from app development rather than delivering connectivity

• Image: http://cdn-static.zdnet.com/i/r/story/70/00/008219/machina-chart-620x450.jpg?hash=Z2Z5AmAwBJ&upscale=1

* GSMA report Oct 2011 with AT&T, Deutsche Bank, KT, Telenor Connexion, Vodafone & Machina Research. Link to Report here: http://machinaresearch.com/report-m2m-communications-service-provider-benchmarking-report-2013/

Page 8

It's already here

However:

• Existing M2M solutions highly fragmented & typically dedicated to a single application (e.g. fleet management, meter reading, vending machines).

• Multitude of technical solutions & dispersed standardisation activities result in slow development of global M2M market.

• Standardisation is key enabler to remove technical barriers & ensure interoperable M2M services & networks

• M2M / IoT has huge potential but currently comprises a heterogeneous collection of established & emerging (often competing) technologies & standards (although moves are afoot here). This is because the concept applies to & has grown from, a wide range of market sectors.

Page 9

Market example – smart parking

Page 10

Things everywhere

Link to article: http://www.beechamresearch.com/article.aspx?id=4

Page 11

Concepts & Jargon

• Things: Physical entities whose identity, state (or surroundings) are capable of being relayed to an internet-connected IT infrastructure. Almost anything to which you can attach a sensor — a cow in a field, a container on a cargo vessel, the air-conditioning unit in your office, a lamppost in the street — can become a node in the Internet of Things.

• Sensors: Components of 'things' that gather and/or disseminate data, e.g. location, altitude, velocity, temperature, illumination, motion, power, humidity, blood sugar, air quality, soil moisture - you name it.
– Not ‘computers’ as such, but have processor, memory, storage, inputs and outputs, OS, app s/w
– Key point is they are increasingly cheap and plentiful, and can communicate either directly with the internet or with other internet-connected devices

• Comms: (local-area) All IoT sensors require some means of relaying data to the outside world. Plethora of short-range or local-area wireless technologies available, incl RFID, NFC, Wi-Fi, Bluetooth, Wireless M-Bus + wired Ethernet

Page 12

Concepts & Jargon (cont.)

Libelium's customisable Waspmote sensor/comms board (left) and the Waspmote Plug & Sense enclosure (right), with connections for sensors, antennas, a solar panel and USB PC connectivity

• Comms: (wide-area) links, existing mobile networks GSM, GPRS, 3G, LTE or WiMAX & satellite connections.
– New wireless networks, ultra-narrowband SIGFOX & TV white-space NeulNET, emerging specifically for M2M connectivity.
– Fixed 'things' in convenient locations could use wired Ethernet or phone lines for wide-area connections

• Server: (on premise) Some M2M installations (smart home or office) use a local server to collect & analyse data - both real time and episodically - from assets on the local area network.
– These on-premise servers or simpler gateways usually also connect to cloud-based storage & services.

Page 13

Concepts & Jargon (cont.)

• Local scanning device: 'Things' with short-range sensors will often be located in a restricted area but not permanently connected to a local area network
– (RFID-tagged livestock on a farm, or credit-card-toting shoppers in a mall, for example). In this case, local scanning devices extract data and transmit it onwards for processing

• Storage & analytics: IoT will require massive, scalable storage & processing capacity
– Will almost invariably reside in the cloud, except for specific localised or security-sensitive cases.
– Service providers will need access here to curate the data & tweak analytics, but also for LoB processes such as customer relations, billing, technical support

• User-facing services:
– Subsets of data & analyses from the IoT available to users or subscribers, presented (hopefully) via easily accessible, navigable interfaces on the full spectrum of secure client devices

Page 14

Network-level paradigm shift

• IoT data transfer patterns differ fundamentally from those in the classic 'human-to-human'.

• M2M communications will feature orders of magnitude more nodes than H2H, most of which will create low-bandwidth, upload-biased traffic.

• Many M2M applications will need to deliver and process information in real time, or near-real-time, and many nodes will have to be extremely low-power or self-powered (eg. solar powered) devices.

• Will require billions of new IP addresses we simply don’t have. IPv6 required but it will have to be lightweight (likely with trimmed-down security attributes)

Page 15

M2M Your Life

Page 16

When will it all happen?

Link to original paper: http://www.booz.com/media/file/Rise_Of_Generation_C.pdf

Page 17

Gartner Hype Cycle

Link to image source: http://joemurphylibraryfuture.com/gartner-2012-hype-cycle-for-emerging-technologies/

Page 18

2. Big Security Questions

“We can learn every trick in our adversaries' play book - except the one they're using right now”

Page 19

What’s changed security-wise?

• Underlying principle of M2M communications isn't particularly new.
– Similar technology has been used for decades at power stations, water utilities, building control and management systems, usually in the more recognisable form of supervisory control and data acquisition (SCADA) systems.

• However, these systems are typically custom implementations
– Often running proprietary operating systems, and without any particular standard to follow. Assumption is usually that they’re behind a firewall

• CT scanners, MRI scanners, dialysis machines - they're on an internet.
– They talk IP, and they have massively vulnerable operating systems. They're running embedded versions of Windows

• Smart meters, ATMs, SCADA systems: rollout of patches and updates
– Tends to be slower than you would normally have compared with your home PC, where you get a normal update every week or so or every month
– There's a lightweight version of IPv6 you can use on M2M types of communications, but it's not full IPv6

• Sheer scale and numbers of things to secure…

Page 20

Control Maturity

Unconsciously Uncontrolled
• Unaware of what IoT is
• No strategy / policy
• No definition
• No deployment visibility or control

Consciously Uncontrolled
• Some strategy & policy
• Some definition & insight
• No education & awareness
• No process for identifying, controlling & managing deployments

Unconsciously Controlled
• No strategy & policy
• No definition & insight
• But no deployments due to other reasons: culture / fixed mindset / rigid command & control

Consciously Controlled
• Well communicated strategy & policy
• Governs appropriate use
• Good awareness
• Visibility & control of all cloud-based programmes

Page 21

PRISM R’ Us

Link to original work: http://baldric.net/wp-content/uploads/2012/03/dr-fun-rfid1.jpg

Page 22

FUD corner

• The security implications are obvious, where hackers might be able to do anything from running up people’s electricity bills to shutting down an oil pipeline.
– We’ve already had a preview of this with the Stuxnet SCADA story, and M2M / The Internet of Things will take us infinitely deeper into that territory…

• Denial of service (DoS) could have new consequences.
– Many field-based devices will be powered from batteries. Hit them with long bursts of spurious requests and you’ll kill their power.

• Encrypting information tends to be a processor-intensive task
– Meaning devices need to be selective as to what to encrypt, as opposed to the web's trend toward full end-to-end encryption.
– Unless nanotechnology and battery manufacturing improve as per Moore's Law, it's going to be a huge issue.

• You don't want to have devices with any kind of identification left lying around
– Need effective disposal or self-disposal processes built into protocols. Once decommissioned they'll need to, ‘Mission Impossible’-like, self-destruct remotely

• Slow transition from IPv4 networks to IPv6 could harm M2M uptake.
– With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6

Page 23

No security standard…anytime soon

• "It's either going to take a standard for the industry to agree on, or a very powerful vendor to make things work, so that everyone kind of says, 'Well, that works, so I'm just going to use that for the pure ease of use.' It might be completely proprietary, but all we really care about is that stuff works and stuff's secure, in that order, unfortunately."

• “It's entirely possible that despite the work by research groups, standards and possibly security could be circumvented entirely if a powerful enough company stepped up”

• "We can be sure of one thing: The lion’s share of IoT growth over the next 3-5 years is going to occur in market segments where the value is tangible – and these are almost wholly seen in the business-centric marketplace". Alex Brisbourne

Page 24

Things to ponder & worry about:

1. Is this a new problem, or just a new take on an existing one?

2. Are there enough IP addresses available for these billions of 'things'? Or will we be forced into IPv6, carrier-grade NAT, or end up putting large numbers of devices behind each public IP address, and what are the security implications of those choices?

3. The dumber the connected device, the more basic the security attributes of the device are likely to be. So how will the billions of such devices be security-monitored and updated to maintain security in the face of emerging threats?

4. What are the implications for protecting critical infrastructure and cyber-warfare/espionage? Could hackers shut off all our water, drain our bank accounts, melt our ice cream and turn all the traffic lights to red?

5. Flooding the market with low-cost, mass-market devices usually means buying them from economies like China or Vietnam. With the Huawei debate escalating, how can we be certain of no hidden trapdoors inside these widgets?

6. With the PRISM scandal, will Privacy become an obsolete concept?

Page 25

Help!

Link to original work: http://farm2.staticflickr.com/1419/5159177886_1276e96f54_b.jpg

Page 26

[email protected]@secoda.com 44 (0)8456 4 27001