Zurich Insurance Risk Nexus Report, April 2014 – cyber threats will soon outpace our ability to deal with them
, and 20% targeted manufacturing
50% of US broadband homes will have an Internet-connected device by 2020 – Parks Associates
It's not just machine data – it's remote control. What would happen if a DoS attack were launched against a city's traffic controls or energy supply?
In fact, according to US DHS, in the last 3 months 59% of reported cyber attacks against critical infrastructure targeted energy
Let me give you a simpler example to show the hidden risk even in plain data – the energy example: consumption data reveals when nobody's home
Privacy – medical records are worth more on the black market than credit card data, and by its nature the IoT has the potential to collect (and expose) even more personal information about individuals than we've ever seen before
Biggest problem – IoT greatly expands the attack surface that must be secured
We often have a hard enough time simply preventing attacks on traditional infrastructure; throw in potentially thousands of remote points of attack, many of which cannot feasibly be physically protected, and you have a much more complex security equation
Susceptible to physical tampering
Limited processing power of devices
Distributed, remote, physically accessible
Huge number of devices, vendors, protocols
Potential for remote actuation
Design systems that assume everything can be compromised
Zero trust at all points of the system
A firewall approach that simply controls the ports of entry is insufficient
We need to recognize breaches when they occur and stop them before they can do more damage
DoS against both the devices and the server
Devices can often be the weakest link – even a simple sensor can be an attack point.
Device key management – managing keys for all those devices can be daunting; use call-home bootstrapping
Use unique hardware signatures for key generation
Use Internet technologies – there's no reason you can't use OpenID for devices
www.kurzweilai.net UCSD hardware tool for testing security
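The call-home bootstrap and hardware-bound key generation sketched above, as an added illustration that is not part of the original talk: the device derives its long-term key from a unique hardware ID, proves possession of it when it first calls home, and the back-end recomputes the key from a factory master secret rather than storing one key per device. The hardware ID, the master secret, the message fields and the approved-firmware check are all hypothetical stand-ins.

```python
"""Hardware-bound device key derivation and a call-home bootstrap exchange.

Added illustration, not from the original talk. Hypothetical assumptions:
  - each device carries a unique, non-secret hardware ID (serial, eFuse value)
    readable at boot;
  - the manufacturer keeps FACTORY_MASTER in an HSM and provisions the back-end
    with the list of hardware IDs it shipped plus approved firmware hashes;
  - the per-device key is HKDF-SHA256(master, hardware ID), so the back-end can
    recompute it on demand and never holds a table of device keys.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand on the standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed sample secret; in production this value never leaves the HSM.
FACTORY_MASTER = bytes.fromhex("8f3a" * 16)


def device_key(hw_id: bytes) -> bytes:
    """Unique per-device key: the hardware ID is the HKDF 'info' input."""
    return hkdf_sha256(FACTORY_MASTER, salt=b"iot-device-key-v1", info=hw_id)


def device_id(hw_id: bytes) -> str:
    """Public identifier sent on the wire; reveals neither the key nor the raw ID."""
    return hashlib.sha256(b"device-id|" + hw_id).hexdigest()[:16]


def build_hello(hw_id: bytes, firmware_sha256: str, nonce: Optional[bytes] = None) -> dict:
    """Device side of call-home: prove possession of the derived key."""
    nonce = nonce or os.urandom(16)
    did = device_id(hw_id)
    signed = f"{did}|{nonce.hex()}|{firmware_sha256}".encode()
    tag = hmac.new(device_key(hw_id), signed, hashlib.sha256).hexdigest()
    return {"device_id": did, "nonce": nonce.hex(), "firmware": firmware_sha256, "tag": tag}


class Registry:
    """Back-end side: knows shipped hardware IDs and approved firmware hashes."""

    def __init__(self, shipped_hw_ids: List[bytes], approved_firmware: Set[str]):
        self.hw_by_id: Dict[str, bytes] = {device_id(h): h for h in shipped_hw_ids}
        self.approved_firmware = approved_firmware
        self.seen_nonces: Set[str] = set()
        self.sessions: Dict[str, bytes] = {}

    def enroll(self, hello: dict) -> Optional[bytes]:
        """Return a session key on success, None on any failure (fail closed)."""
        hw_id = self.hw_by_id.get(hello.get("device_id", ""))
        if hw_id is None:
            return None                                   # not a device we shipped
        if hello["firmware"] not in self.approved_firmware:
            return None                                   # unknown or revoked image
        if hello["nonce"] in self.seen_nonces:
            return None                                   # replay of an earlier hello
        signed = f"{hello['device_id']}|{hello['nonce']}|{hello['firmware']}".encode()
        expected = hmac.new(device_key(hw_id), signed, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hello["tag"]):
            return None                                   # wrong key or tampered hello
        self.seen_nonces.add(hello["nonce"])
        # Fresh session key bound to this nonce; the long-term key stays off the wire.
        session = hkdf_sha256(device_key(hw_id), salt=bytes.fromhex(hello["nonce"]), info=b"session")
        self.sessions[hello["device_id"]] = session
        return session


if __name__ == "__main__":
    hw = b"SN-000123-ABCD"                                # constructed hardware ID
    fw = hashlib.sha256(b"firmware-1.2.3").hexdigest()
    reg = Registry([hw], {fw})
    print("enrolled:", reg.enroll(build_hello(hw, fw)) is not None)
```

The registry rejects unknown hardware, unapproved firmware, replayed hellos and bad tags before doing anything else, and hands out a nonce-bound session key so the derived long-term key is never transmitted.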
Data has both security and privacy concerns, so it deserves special focus
Data governance policy – not all data has the same sensitivity; know what your data is and protect it accordingly
TLS – table stakes, but not enough
Encrypt from ingress to target (data is increasingly cached on the local device)
Application layer – validate structure and content to ensure the message is what is expected
After all, with the IoT we are exposing data and control interfaces over the network – typically the open Internet
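The application-layer check described above, as an added illustration that is not part of the original talk: TLS proves the bytes arrived unaltered, so the validator below does the part TLS cannot, rejecting oversized messages, unknown fields, wrong types and readings or actuation commands outside their safe envelope. The message shapes, field names, limits and sample payloads are hypothetical and constructed for the example.

```python
"""Application-layer validation of IoT messages that arrived intact over TLS.

Added illustration, not from the original talk. The schemas, limits and
sample messages are hypothetical stand-ins for a real device contract.
"""
import json
import re
from typing import Dict, List, Tuple

MAX_MESSAGE_BYTES = 512
DEVICE_ID_RE = re.compile(r"^[0-9a-f]{16}$")

# field -> (expected type, content check). Unknown fields are rejected, not ignored.
TELEMETRY_SCHEMA: Dict[str, Tuple[type, object]] = {
    "device_id": (str, lambda v: bool(DEVICE_ID_RE.match(v))),
    "ts":        (int, lambda v: 1_600_000_000 <= v <= 4_000_000_000),
    "temp_c":    (float, lambda v: -50.0 <= v <= 150.0),
    "battery":   (int, lambda v: 0 <= v <= 100),
}
# Actuation commands get the tightest bounds: a remote-control message can be
# well-formed and still drive the device outside its safe operating range.
COMMAND_SCHEMA: Dict[str, Tuple[type, object]] = {
    "device_id":  (str, lambda v: bool(DEVICE_ID_RE.match(v))),
    "setpoint_c": (float, lambda v: 10.0 <= v <= 30.0),
    "valve_pct":  (int, lambda v: 0 <= v <= 100),
}


def validate(raw: bytes, schema: Dict[str, Tuple[type, object]]) -> List[str]:
    """Return every violation found; an empty list means the message is acceptable."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return [f"message too large ({len(raw)} > {MAX_MESSAGE_BYTES} bytes)"]
    try:
        msg = json.loads(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(msg, dict):
        return ["top level must be a JSON object"]
    errors: List[str] = []
    for unknown in sorted(set(msg) - set(schema)):
        errors.append(f"unexpected field {unknown!r}")
    for field, (typ, check) in schema.items():
        if field not in msg:
            errors.append(f"missing field {field!r}")
            continue
        value = msg[field]
        # bool is a subclass of int in Python, so reject it before the type test.
        if isinstance(value, bool):
            errors.append(f"{field!r} has wrong type bool")
            continue
        type_ok = isinstance(value, (int, float)) if typ is float else isinstance(value, typ)
        if not type_ok:
            errors.append(f"{field!r} has wrong type {type(value).__name__}")
            continue
        if not check(value):
            errors.append(f"{field!r} out of range: {value!r}")
    return errors


# Constructed sample payloads.
GOOD_TELEMETRY = b'{"device_id":"0123456789abcdef","ts":1700000000,"temp_c":21.5,"battery":87}'
# Delivered intact over TLS and still wrong: an absurd reading plus an injected field.
BAD_TELEMETRY = b'{"device_id":"0123456789abcdef","ts":1700000000,"temp_c":9e12,"battery":87,"exec":"rm -rf /"}'
GOOD_COMMAND = b'{"device_id":"0123456789abcdef","setpoint_c":22.0,"valve_pct":40}'
# Structure is fine; the content would overdrive the actuator.
BAD_COMMAND = b'{"device_id":"0123456789abcdef","setpoint_c":95.0,"valve_pct":140}'

if __name__ == "__main__":
    for name, raw, schema in [("telemetry", BAD_TELEMETRY, TELEMETRY_SCHEMA),
                              ("command", BAD_COMMAND, COMMAND_SCHEMA)]:
        print(name, validate(raw, schema))
```

Bounding actuation values at the application layer is what stands between a compromised controller account and physical damage; the schema is the place to encode the device's safe envelope, not the firmware alone.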
Breaches cannot be eliminated entirely, and this is where most implementations fail – they have no plan for what happens after one
Analytics – you must be able to recognize what threats and breaches look like, and they are constantly evolving
Isolation – compromised client devices are cut off (and preferably wiped), and affected servers are taken offline
IBM design goal: 30 seconds
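The detect-then-isolate loop described above, as an added illustration that is not part of the original talk: constructed device log lines are run through a small monitor that knows what a healthy device looks like (known endpoints, modest rate) and cuts off any device that departs from that, recording when isolation took effect so the elapsed time can be measured against a design goal such as 30 seconds. The log format, endpoints, thresholds and device names are hypothetical.

```python
"""Recognise a compromised device from its telemetry trail and cut it off.

Added illustration, not from the original talk; the log format, endpoints,
thresholds, isolation actions and device names are hypothetical. A device that
talks to an unknown host or floods the back-end has its credentials revoked,
sessions dropped and a remote wipe queued; every later event from it is dropped.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE = re.compile(r"^(\S+) dev=([\w-]+) dst=([\w.:-]+) bytes=(\d+)$")
ALLOWED_DST = {"ingest.example.net:8883", "ota.example.net:443"}
MAX_MSGS_PER_MIN = 30
MAX_BYTES_PER_MIN = 20_000
ISOLATION_ACTIONS = ["revoke credentials", "drop sessions", "queue remote wipe", "alert on-call"]

# Constructed sample log: dev-a is healthy, dev-b starts talking to an unknown
# host, dev-c floods the ingest endpoint.
LOG_LINES = [
    "2024-05-01T10:00:01Z dev=dev-a dst=ingest.example.net:8883 bytes=212",
    "2024-05-01T10:00:02Z dev=dev-b dst=ingest.example.net:8883 bytes=201",
    "2024-05-01T10:00:03Z dev=dev-a dst=ota.example.net:443 bytes=1450",
    "2024-05-01T10:00:05Z dev=dev-b dst=c2.example.org:4444 bytes=88",
    "2024-05-01T10:00:06Z dev=dev-b dst=c2.example.org:4444 bytes=88",
] + [
    f"2024-05-01T10:00:{10 + i // 5:02d}Z dev=dev-c dst=ingest.example.net:8883 bytes=200"
    for i in range(40)
]


def parse(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), int(m.group(4))


class Quarantine:
    def __init__(self) -> None:
        self.isolated: Dict[str, Dict] = {}
        self.window: Dict[str, List[Tuple[datetime, int]]] = {}   # per-device last minute
        self.dropped = 0                                          # events from cut-off devices

    def observe(self, line: str) -> Optional[str]:
        """Return the isolation reason if this event caused a cut-off, else None."""
        parsed = parse(line)
        if parsed is None:
            return None
        ts, dev, dst, nbytes = parsed
        if dev in self.isolated:
            self.dropped += 1          # the cut-off holds: nothing further is processed
            return None
        recent = [(t, b) for t, b in self.window.get(dev, []) if ts - t < timedelta(minutes=1)]
        recent.append((ts, nbytes))
        self.window[dev] = recent
        total_bytes = sum(b for _, b in recent)
        reason = None
        if dst not in ALLOWED_DST:
            reason = f"unexpected destination {dst}"
        elif len(recent) > MAX_MSGS_PER_MIN:
            reason = f"{len(recent)} messages/min exceeds {MAX_MSGS_PER_MIN}"
        elif total_bytes > MAX_BYTES_PER_MIN:
            reason = f"{total_bytes} bytes/min exceeds {MAX_BYTES_PER_MIN}"
        if reason is not None:
            # 'since' is the isolation timestamp; compare it with the first bad event
            # to measure time-to-isolate against the design goal.
            self.isolated[dev] = {"since": ts, "reason": reason, "actions": list(ISOLATION_ACTIONS)}
        return reason


def process(lines: List[str]) -> Quarantine:
    q = Quarantine()
    for line in lines:
        q.observe(line)
    return q


if __name__ == "__main__":
    q = process(LOG_LINES)
    for dev, info in q.isolated.items():
        print(dev, info["since"].isoformat(), info["reason"], info["actions"])
    print("events dropped after isolation:", q.dropped)
```

The thresholds here are static for readability; the point of the talk's "analytics" bullet is that the baseline itself has to be learned and kept current, since what a breach looks like keeps changing.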
Opt in – most consumers have no idea what information is being collected and shared about them – look at Facebook
Data anonymization
Reduce context on the device – add context in the Cloud
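The anonymization and reduce-context-on-the-device idea, as an added illustration that is not part of the original talk, using the earlier energy example: the meter transmits only a keyed pseudonym that rotates daily and hourly usage totals rounded to a coarse step, never its serial or owner, and only the cloud can re-attach that context. The key handling, rotation period, rounding step and sample readings are hypothetical and constructed for the example.

```python
"""Reduce context on the device, add it back in the cloud.

Added illustration, not from the original talk; the key handling, field names
and thresholds are hypothetical. The device transmits a keyed pseudonym that
rotates daily plus hourly, rounded usage totals; it never sends its serial,
owner or address. Only the cloud holds MASTER_KEY and the serial -> customer
table, so only the cloud can re-attach that context. A captured stream shows
an unlinkable identifier and data too coarse to read occupancy from.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

MASTER_KEY = b"constructed-cloud-side-master-secret"   # cloud only, never on a device
PERIOD_SECONDS = 24 * 3600                              # pseudonym rotation interval
BUCKET_SECONDS = 3600                                   # one reading per hour leaves the device
KWH_STEP = 0.5                                          # usage rounded to half a kWh


def pseudonym_key(serial: str) -> bytes:
    """Per-device key, provisioned onto the device at manufacture.
    The device holds only this value; compromise links one device, not the fleet."""
    return hmac.new(MASTER_KEY, serial.encode(), hashlib.sha256).digest()


def pseudonym(pkey: bytes, ts: int) -> str:
    """Identifier for the period containing ts; changes every PERIOD_SECONDS."""
    period = ts // PERIOD_SECONDS
    return hmac.new(pkey, str(period).encode(), hashlib.sha256).hexdigest()[:20]


def coarsen(samples: List[Tuple[int, float]]) -> List[Dict]:
    """Device-side minimisation: hourly totals, rounded to KWH_STEP."""
    buckets: Dict[int, float] = {}
    for ts, kwh in samples:
        start = ts - ts % BUCKET_SECONDS
        buckets[start] = buckets.get(start, 0.0) + kwh
    return [{"ts": start, "kwh": round(total / KWH_STEP) * KWH_STEP}
            for start, total in sorted(buckets.items())]


def device_report(pkey: bytes, samples: List[Tuple[int, float]]) -> List[Dict]:
    """What actually leaves the device: pseudonym plus coarse readings."""
    return [dict(row, pid=pseudonym(pkey, row["ts"])) for row in coarsen(samples)]


class Cloud:
    """Holds the context the device dropped and re-attaches it on ingest."""

    def __init__(self, customers: Dict[str, str]):         # serial -> customer record
        self.customers = customers

    def resolve(self, pid: str, ts: int) -> Optional[str]:
        # Linear scan for clarity; a real ingest would precompute one table per period.
        for serial, customer in self.customers.items():
            if hmac.compare_digest(pseudonym(pseudonym_key(serial), ts), pid):
                return customer
        return None

    def enrich(self, report: List[Dict]) -> List[Dict]:
        return [dict(row, customer=self.resolve(row["pid"], row["ts"])) for row in report]


if __name__ == "__main__":
    # Constructed: one reading per minute for two hours, 10 Wh each.
    samples = [(1700000000 + i * 60, 0.01) for i in range(120)]
    report = device_report(pseudonym_key("METER-0042"), samples)
    print(report)                                            # no serial, no customer, coarse kWh
    print(Cloud({"METER-0042": "cust-42"}).enrich(report))
```

The per-minute readings that would reveal an empty house never leave the meter; the cloud sees hourly, rounded totals under an identifier it alone can map back to a customer, and the mapping changes every day so a leaked stream cannot be joined to a household over time.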
Zero trust – expect breaches, simulate breaches (the Chaos Monkey approach), and test, test, test
Edges – secure them all the way up to the application layer