06/03/2017 Public 1
Securing your IoT products
LPWAN London Feb 2017
Richard MarshallIoTSF Plenary Chair and CEO Xitex Ltd
We cant carry on like this
Products are often not considered a target, Why would someone attack my product?
IoT products, potentially installed by the billion the number of devices could out number mobiles phones
Being connected allows remote attacks which makes presence and physical barriers redundant
IoT devices become potential weapons in large scale attacks
Lean Startup Minimal Viable Product [MVP] development approach
Supply Chain integrity and complexity
Traditional ship and develop next product strategy
Lack of security awareness and standards
Usability versus security
IoT product challenges
Relies on an incremental approach to product development to gain customer feedback.
Security is seen as a feature that can be added later
This contradicts with the need to put the security foundations into a product from the beginning
MVP development Strategy
Hardware vulnerabilities impossible to fix in deployed products
Product lifecycles longer than consumer or cell phones 2 to 5 years
Lifecycles not unusual to be 15 to 25 year life for infrastructure devices
MVP & Hardware Security
Product security relies on the strength of its weakest link
Component Supply Chain
Components often come with vendor software, typically:
Careful selection of the underlying platform is critical has their security been considered?
Outsourced production, how is security maintained in a third partys facility?
How are the following ensured by design:
Cryptographic keys are not revealed - symmetric key insertion into devices is an issue
Unauthorised product is not being manufactured
Unauthorised software and data is not loaded into the product
What is the support policy?
Are the devices patchable?
EOL policy revocation, kill switch?
Is a vulnerability policy in place?
Is a security notification process in place?
Help is available for you
06/03/2017 See https://iotsecurityfoundation.org/best-practice-guidelines/ 10
Executive Steering Board
Prof. John Haine, Chair, University of Bristol
Prof. David Rogers, CEO, Copper Horse Solutions
Prof. Ben Azvine, Global Head of Security Research and Innovation, BT
Prof. Kenny Paterson, RHUL
Ken Munro, Partner, PenTest Partners
Dr. Steve Babbage, Chief Cryptographer, Distinguished Engineer, Vodafone Group
Haydn Povey, CEO, Secure Thingz
John Moor, MD, IoT Security Foundation
Majid Bemanian, Director Segment Marketing, Imagination Technologies
Richard Marshall, Managing Consultant, Xitex Ltd.
FIT FOR PURPOSE
Designed in at the start
Right-sized for application
Through operating life