Adrian Wright
VP Research & Board - ISSA-UK
CEO - Secoda Risk Management
The Internet of Things
What should we start thinking about & planning now?
Enterprise & The Internet of Things
1. Hitchhiker's Guide to the Thingiverse
2. New World? Or just Hype?
3. Technology Drivers, Enablers, Challenges
4. Security & Privacy Issues
5. Summary & Questions
Start with a good quote:
And some cynical humour for good measure:
Talk is everywhere - even if IoT isn’t yet
"The Internet of Things is not a concept; it is a network. The true technology-enabled Network of all networks". Edewede Oriwoh
(bio: http://www.researchgate.net/profile/Edewede_Oriwoh/ )
More devices than people
Implications
• IoT = Future where everyday physical objects will be connected to the
Internet and will be able to identify themselves to other devices
• IoT = Integration of the physical and virtual world
• IoT = Significant, as when a physical object is represented in the virtual
world it can be connected to other virtually represented objects & data
• IoT = Object can be monitored & managed based on preset
parameters
• IoT = Huge revenue opportunity for mobile operators: $1.2 trillion by
2020*. Most profit will come from app development rather than from
delivering connectivity
* GSMA report Oct 2011 with AT&T, Deutsche Bank, KT, Telenor Connexion, Vodafone & Machina Research. Link to Report here:
http://machinaresearch.com/report-m2m-communications-service-provider-benchmarking-report-2013/
Projected growth
On the road to somewhere
When will it all happen?
Link to original paper: http://www.booz.com/media/file/Rise_Of_Generation_C.pdf
Gartner Hype Cycle
Link to image source: http://joemurphylibraryfuture.com/gartner-2012-hype-cycle-for-emerging-technologies/
M2M Your Life
It's already here…in places
However:
• Existing M2M solutions highly fragmented & typically
dedicated to a single application (e.g. fleet management,
meter reading, vending machines).
• Multitude of technical solutions & dispersed
standardisation activities result in slow development of
global M2M market.
• Standardisation is key enabler to remove technical barriers
& ensure interoperable M2M services & networks
• M2M / IoT has huge potential but currently comprises a
heterogeneous collection of established & emerging (often
competing) technologies & standards (although moves are
afoot here). This is because the concept applies to & has
grown from, a wide range of market sectors.
Market example – smart parking
What is it?
• Once upon a time the Internet was about connecting people via their
computers
• Then mobile allowed people to connect while on the move
• As simpler devices come equipped with IP connections, people have
largely left the room leaving all sorts of devices talking directly to each
other and to higher systems via the web, without human intervention or
supervision
• By 2020 30-50 billion ‘things’ will be connected to the internet, from
simple widgets like temperature sensors & domestic water meters to
more critical devices like medical monitors, power plant telemetry &
ATMs
• This is called M2M (Machine to Machine) communication, as distinct
from H2H (Human to Human) & dubbed “The Internet of Things”* (IoT)
• Today 12 bn devices connected to the internet, incl 8 bn mobile devices
* Term initially used by Kevin Ashton in 1999 (About Kevin Ashton: http://kevinjashton.com/ )
Will it actually happen in Enterprises?
No:
• No interoperability Standard(s):
• We create an “Internet of Silos”
• Privacy & Security Fears
• Slow transition to IPv6
• Big data analytics not evolved
• Battery technology doesn’t outstrip Moore's Law
• No clear business benefits
• We can’t manage it
Yes:
• Interoperability & connectivity sorted
• Standard(s) adopted
• Security & Privacy issues contained
• Large IP address ranges available
• Data analytics scale to meet challenges
• Battery & solar technologies keep pace
• Clear business benefits identified
• Management supervisory systems & standards emerge
Partially
Fragmented
Slower uptake
IoT Plans
Why bother now?
• Forrester say there’s low ‘connected world’
adoption among enterprise customers.
• 2013 networks & telecoms survey says
“50% of companies have no interest and/or
no plans to implement M2M or IoT
capabilities, while just 8% tell us they have
implemented”
• Lack of interest causes:
– security concerns (37%);
– costs (32%);
– technology immaturity (25%);
– integration challenges;
– migration and/or installation risks;
– regulatory issues.
• More pressing priorities
• Your strategy might simply be to say, “let’s
wait and see.”
• Historically, when we try to play catch
up – we never actually do
• Retrofitting costly & ineffective
• Like early PCs, dot com, mobile
adopters – early pioneers were winners
• If it takes off: You snooze – you lose!
CIO Viewpoint
[Diagram labels: Enterprise; Business/Customer Opportunity; Employees IoT (BYOD); Internal IoT]
Implications for CIOs
• IoT in workplace will be another BYOD – IoT enabled personal devices
• Bring-your-own-Cloud: already here but IoT brings tighter integration
• Low-end infrastructure devices will start to appear IoT enabled
• Privacy issues: blurring the line between private & business data
• Liability questions: employee personal banking etc.
• ISACA recommends five steps enterprises can take to be agile in the
Internet of Things era:
– 1. Act quickly; enterprises cannot afford to be reactive
– 2. Govern the initiative to ensure that data remain secure and risks are
managed
– 3. Identify expected benefits and how to measure them
– 4. Leverage internal technology steering committee to communicate
benefits to the board.
– 5. Embrace creativity and encourage innovation.
CIO Challenges / Opportunities
• Technical debt (aka code quality) exposing creaking architecture to big data,
customers, salespeople
– Might want to start technical debt reversal sooner rather than later
• User driven and they’ll expect to just do things when the time comes
– Connectivity is key
• In many cases IoT systems use firmware that’s hard or impossible to patch
• Building automation is absolutely ripe for exploitation.
• The trick is to resolutely deploy the hype shield & look out for information
content that will deliver real value to the organisation.
“Much of the value from the Internet of
Things will come from the data, making Big
Data analysis a cornerstone of the success
of the Internet of Things and a clear reason
for CIOs to be involved.”
Concepts & Jargon
• Things: Physical entities whose identity, state (or surroundings) are capable of
being relayed to an internet-connected IT infrastructure.
– Anything to which you can attach a sensor — a cow in a field, a container on a cargo
vessel, the air-conditioning unit in your office, a lamppost in the street — can
become a node in the Internet of Things.
• Sensors: Components of 'things' that gather and/or disseminate data
– e.g. location, altitude, velocity, temperature, illumination, motion, power, humidity,
blood sugar, air quality, soil moisture - you name it.
– Not ‘computers’ as such but have CPU, memory, storage, I/O, OS, app s/w
– Key point is increasingly cheap, plentiful, can communicate via internet & other
internet-connected devices
• Comms: (local-area) All IoT sensors require some means of relaying data to
the outside world.
– Plethora of short-range or local area, wireless technologies available incl RFID,
NFC, Wi-Fi, Bluetooth, Wireless M-Bus + wired Ethernet
Concepts & Jargon (cont.)
[Image: Libelium's customisable Waspmote sensor/comms board (left) and the Waspmote Plug & Sense enclosure (right), with connections for sensors, antennas, a solar panel and USB PC connectivity]
• Comms: (wide-area) links use existing mobile networks (GSM, GPRS, 3G, LTE or WiMAX) &
satellite connections.
– New wireless networks, ultra-narrowband SIGFOX & TV white-space NeulNET, are
emerging specifically for M2M connectivity.
– Fixed 'things' in convenient locations could use wired Ethernet or phone lines for
wide-area connections
• Server: (on premise)
– Some M2M installations use local server to
collect & analyse data - both real time and
episodically - from assets on the local area
network.
– On-premise servers or simpler gateways
usually also connect to cloud-based storage &
services.
Concepts & Jargon (cont.)
• Local scanning device: 'Things' with short-range
sensors located in a restricted area but not
permanently connected to a local area network
– (RFID-tagged livestock on a farm, or credit-card-toting
shoppers in a mall, for example). In this case, local
scanning devices extract data and transmit it onwards
for processing
• Storage & analytics: IoT will require massive,
scalable, storage & processing capacity
– Will almost invariably reside in the cloud, except for
specific localised or security-sensitive cases.
– Service providers will need access here to curate the
data & tweak analytics, but also for LoB processes
such as customer relations, billing, technical support
• User-facing services:
– Subsets of data & analyses from the IoT available to
users or subscribers, presented (hopefully) via easily
accessible navigable interfaces on full spectrum of
secure client devices
Network-level shift & challenges
• IoT data transfer patterns differ fundamentally from classic 'human-to-human'.
• M2M communications involve orders of magnitude more nodes than H2H
– mostly low-bandwidth, upload-biased traffic.
• Many M2M applications need to deliver & process information in real
time, or near-real-time.
– Many nodes will have to be extremely low-power or self-powered (eg. solar
powered) devices.
• Requires billions of new IP addresses we currently don’t have.
– IPv4 restricted to c. 4.3 billion addresses.
– IPv6 required but it will have to be lightweight (likely with trimmed-down
security attributes)
– APNIC has already run out of addresses. Reclamation of unused IPv4
address space. Markets in IP addresses - to buy back space.
– Urgency on transition mechanisms IPv4 to 6
“The world as we have created it is a process of our thinking.
It cannot be changed without changing our thinking.”
Albert Einstein
Privacy anyone?
What’s changed security-wise?
• Underlying principle of M2M communications isn't particularly new.
– Similar technology has been used for decades at power stations, water utilities,
building control and management systems, usually in the more recognisable form of
supervisory control and data acquisition (SCADA) systems.
• However these systems are typically custom implementations
– Often running proprietary operating systems, and without any particular standard to
follow. Assumption is usually that they’re behind a firewall
• CT scanners, MRI scanners, dialysis machines - they're on an internet.
– They talk IP, and they have massively vulnerable operating systems. They're running
embedded versions of Windows
• Smart meters, ATMs, SCADA systems, rollout of patches and updates
– Tends to be slower than you would normally have compared with your home PC,
where you get a normal update every week or so or every month
– There's a lightweight version of IPv6 you can use on M2M type of communications, but
it's not full IPv6
• Sheer scale and numbers of things to secure…
Control Maturity
• Unconsciously Uncontrolled
– Unaware of what IoT is
– No strategy / policy
– No definition
– No deployment visibility or control
• Consciously Uncontrolled
– Some strategy & policy
– Some definition & insight
– Maybe some standards
– No education & awareness
– No process for identifying, controlling & managing deployments
• Unconsciously Controlled
– No strategy & policy
– No definition & insight
– But no deployments due to other reasons:
– Culture / fixed mindset / rigid command & control
– Technical, economic or other inhibitors
• Consciously Controlled
– It's known & understood
– Well communicated strategy, policy, stds
– Governs appropriate use
– Good awareness
– Visibility & control of all deployment programmes
Security FUD corner
• The security implications are obvious, where hackers might be able to do anything
from running up people’s electricity bills to shutting down an oil pipeline.
– We’ve already had a preview of this with the Stuxnet SCADA story and M2M / The
Internet of Things will take us infinitely deeper into that territory…
• Denial of service (DoS) could have new consequences.
– Many field-based devices will be powered from batteries. Hit them with long bursts
of spurious requests and you’ll kill their power.
• Encrypting information tends to be a processor-intensive task
– Meaning devices need to be selective as to what to encrypt, as opposed to the
web's trend toward full end-to-end encryption.
– Unless nanotechnology and battery manufacturing increases as per Moore's Law,
it's going to be a huge issue.
• You don't want to have devices with any kind of identification left lying around
– Need effective disposal or self-disposal processes built into protocols. Once
decommissioned they'll need to ‘mission impossible’ – like, self destruct remotely
• Slow transition from IPv4 networks to IPv6 could harm M2M uptake.
– With IPv4 addresses nearing exhaustion, networks simply won't have enough
addresses to assign to the explosion of devices unless they transition to IPv6
No security standard…anytime soon
• "It's either going to take a standard for the industry to agree on, or a
very powerful vendor to make things work, so that everyone kind of
says, 'Well, that works, so I'm just going to use that for the pure ease of
use.' It might be completely proprietary, but all we really care about is
that stuff works and stuff's secure, in that order, unfortunately."
• “It's entirely possible that despite the work by research groups,
standards and possibly security could be circumvented entirely if a
powerful enough company stepped up”
• "We can be sure of one thing: The lion’s share of IoT growth over the
next 3-5 years is going to occur in market segments where the value is
tangible – and these are almost wholly seen in the business-centric
marketplace". Alex Brisbourne
Security forecast
• Information Security is often an afterthought for nascent technology &
nearly always in catch-up mode, retrofitting, patching, firefighting.
• IoT presents a unique opportunity to build in security from the off
• If IoT takes off as predicted, there won’t be opportunities to retrofit
security after the fact, due to sheer scale & technical issues
• Whoever achieves market dominance over IoT could ultimately hold
the keys to securing civilisation – and might not do a good job of it!
• Market fragmentation and the resulting lack of standards are a major problem
• Low-cost, mass-market devices from China or ?? What’s in them?
• Western civilisation will be hugely more vulnerable than those who
might attack us. Critical infrastructure, privacy et al
• In this future gold rush, will security be sacrificed for other gains?
• PRISM, NSA, Orwell, 1984 & Big Brother. When everything and
everyone can be tracked & monitored – who will police the police?
CIO Priorities - Gartner
Gartner analysts advise CIOs to do 3 things now:
• Start taking a lead in figuring out the information needs the organisation has
from its own Internet of Things.
– Information analysis drives the business case, re efficiency, reduced costs &
increased revenue.
• Create a team to become the experts on Internet of Things.
– Build knowledge, skills & partnerships.
• Ensure big data efforts are aligned with your IoT strategies
– Data analysis is the driving force behind IoT, and should include the
information you intend to get from your network of “things”
Things to ponder
1. Is this a new problem, or just a new take on an existing one?
2. Are there enough IP addresses available for these billions of 'things'? Or will
we be forced into IPv6, carrier-grade NAT, or end up putting large numbers of
devices behind each public IP address, and what are the security implications
of those choices?
3. The dumber the connected device, the more basic the security attributes of
the device are likely to be. So how will the billions of such devices be
security-monitored and updated to maintain security in the face of emerging threats?
4. What are the implications for protecting critical infrastructure and
cyber-warfare/espionage? Could hackers shut off all our water, drain our bank
accounts, melt our ice cream and turn all the traffic lights to red?
5. Flooding market with low-cost, mass-market devices usually means buying
from economies like China or Vietnam. With the Huawei debate escalating,
how can we be certain of no hidden trapdoors inside these widgets?
6. Big Data: do we have the technologies to analyse massive amounts of data?
7. With the PRISM scandal, will Privacy become an obsolete concept?
Help!
Link to original work: http://farm2.staticflickr.com/1419/5159177886_1276e96f54_b.jpg
Get Involved!
We need to look ahead this time!
adrian.wright@issa-uk.org
adrian.wright@secoda.com
t. 44 (0)8456 4 27001
m.44 (0)780 363 9704

Similar to ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 

Dernier (20)

Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural  in villages of indiaGram Darshan PPT cyber rural  in villages of india
Gram Darshan PPT cyber rural in villages of india
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 

ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014

  • 1. Adrian Wright VP Research & Board - ISSA-UK CEO - Secoda Risk Management The Internet of Things What should we start thinking about & planning now?
  • 2. Enterprise & The Internet of Things
      1. Hitchhikers Guide to the Thingiverse
      2. New World? Or just Hype?
      3. Technology Drivers, Enablers, Challenges
      4. Security & Privacy Issues
      5. Summary & Questions
  • 3. Start with a good quote: And some cynical humour for good measure:
  • 4. Talk is everywhere - even if IoT isn’t yet
  • 5. "The Internet of Things is not a concept; it is a network. The true technology-enabled Network of all networks". Edewede Oriwoh (bio: http://www.researchgate.net/profile/Edewede_Oriwoh/ )
  • 7. Implications
      • IoT = Future where everyday physical objects will be connected to the Internet and will be able to identify themselves to other devices
      • IoT = Integration of the physical and virtual world
      • IoT = Significant, as when a physical object is represented in the virtual world it can be connected to other virtually represented objects & data
      • IoT = Object can be monitored & managed based on preset parameters
      • IoT = Huge revenue opportunity to mobile operators. $1.2 trillion by 2020*. Most profit coming from app development rather than delivering connectivity
      * GSMA report Oct 2011 with AT&T, Deutsche Bank, KT, Telenor Connexion, Vodafone & Machina Research. Link to report: http://machinaresearch.com/report-m2m-communications-service-provider-benchmarking-report-2013/
  • 9. On the road to somewhere
  • 10. When will it all happen? Link to original paper: http://www.booz.com/media/file/Rise_Of_Generation_C.pdf
  • 11. Gartner Hype Cycle Link to image source: http://joemurphylibraryfuture.com/gartner-2012-hype-cycle-for-emerging-technologies/
  • 13. It's already here…in places. However:
      • Existing M2M solutions are highly fragmented & typically dedicated to a single application (e.g. fleet management, meter reading, vending machines).
      • A multitude of technical solutions & dispersed standardisation activities result in slow development of the global M2M market.
      • Standardisation is the key enabler to remove technical barriers & ensure interoperable M2M services & networks
      • M2M / IoT has huge potential but currently comprises a heterogeneous collection of established & emerging (often competing) technologies & standards (although moves are afoot here). This is because the concept applies to, & has grown from, a wide range of market sectors.
  • 14. Market example – smart parking
  • 15. What is it?
      • Once upon a time the Internet was about connecting people via their computers
      • Then mobile allowed people to connect while on the move
      • As simpler devices come equipped with IP connections, people have largely left the room, leaving all sorts of devices talking directly to each other and to higher systems via the web, without human intervention or supervision
      • By 2020 30-50 billion ‘things’ will be connected to the internet, from simple widgets like temperature sensors & domestic water meters to more critical devices like medical monitors, power plant telemetry & ATMs
      • This is called M2M (Machine to Machine) communication, as distinct from H2H (Human to Human) & dubbed “The Internet of Things”* (IoT)
      • Today 12 bn devices connected to the internet, incl 8 bn mobile devices
      * Term initially used by Kevin Ashton in 1999 (About Kevin Ashton: http://kevinjashton.com/ )
  • 16. Will it actually happen in Enterprises?
      No:
          • No interoperability Standard(s):
          • We create an “Internet of Silos”
          • Privacy & Security Fears
          • Slow transition to IPv6
          • Big data analytics not evolved
          • Battery technology doesn’t outstrip Moore's Law
          • No clear business benefits
          • We can’t manage it
      Yes:
          • Interoperability & connectivity sorted
          • Standard(s) adopted
          • Security & Privacy issues contained
          • Large IP address ranges available
          • Data analytics scale to meet challenges
          • Battery & solar technologies keep pace
          • Clear business benefits identified
          • Management supervisory systems & standards emerge
      Partially / Fragmented / Slower uptake
  • 18. Why bother now?
      • Forrester say there’s low ‘connected world’ adoption among enterprise customers.
      • 2013 networks & telecoms survey says “50% of companies have no interest and/or no plans to implement M2M or IoT capabilities, while just 8% tell us they have implemented”
      • Lack of interest causes:
          – security concerns (37%);
          – costs (32%);
          – technology immaturity (25%);
          – integration challenges;
          – migration and/or installation risks;
          – regulatory issues.
      • More pressing priorities
      • Your strategy might simply be to say, “let’s wait and see.”
      • Historically, when we try to play catch up – we never actually do
      • Retrofitting costly & ineffective
      • Like early PCs, dot com, mobile adopters – early pioneers were winners
      • If it takes off: You snooze – you lose!
  • 20. Implications for CIOs
      • IoT in workplace will be another BYOD – IoT enabled personal devices
      • Bring-your-own-Cloud: already here but IoT brings tighter integration
      • Low-end infrastructure devices will start to appear IoT enabled
      • Privacy issues: blurring the line between private & business data
      • Liability questions: employee personal banking etc.
      • ISACA recommends five steps enterprises can take to be agile in the Internet of Things era:
          1. Act quickly; enterprises cannot afford to be reactive
          2. Govern the initiative to ensure that data remain secure and risks are managed
          3. Identify expected benefits and how to measure them
          4. Leverage internal technology steering committee to communicate benefits to the board.
          5. Embrace creativity and encourage innovation.
  • 21. CIO Challenges / Opportunities
      • Technical debt (aka code quality) exposing creaking architecture to big data, customers, salespeople
          – Might want to start technical debt reversal sooner than later
      • User driven and they’ll expect to just do things when the time comes
          – Connectivity is key
      • In many cases IoT systems use firmware that’s hard or impossible to patch
      • Building automation is absolutely ripe for exploitation.
      • The trick is to resolutely deploy the hype shield & look out for information content that will deliver real value to the organisation.
      “Much of the value from the Internet of Things will come from the data, making Big Data analysis a cornerstone of the success of the Internet of Things and a clear reason for CIOs to be involved.”
  • 22. Concepts & Jargon
      • Things: Physical entities whose identity, state (or surroundings) are capable of being relayed to an internet-connected IT infrastructure.
          – Anything to which you can attach a sensor — a cow in a field, a container on a cargo vessel, the air-conditioning unit in your office, a lamppost in the street — can become a node in the Internet of Things.
      • Sensors: Components of 'things' that gather and/or disseminate data
          – e.g. location, altitude, velocity, temperature, illumination, motion, power, humidity, blood sugar, air quality, soil moisture - you name it.
          – Not ‘computers’ as such but have CPU, memory, storage, I/O, OS, app s/w
          – Key point is that they are increasingly cheap and plentiful, and can communicate via the internet & other internet-connected devices
      • Comms: (local-area) All IoT sensors require some means of relaying data to the outside world.
          – Plethora of short-range or local area wireless technologies available, incl RFID, NFC, Wi-Fi, Bluetooth, Wireless M-Bus + wired Ethernet
  • 23. Concepts & Jargon (cont.)
      [Image: Libelium's customisable Waspmote sensor/comms board (left) and the Waspmote Plug & Sense enclosure (right), with connections for sensors, antennas, a solar panel and USB PC connectivity]
      • Comms: (wide-area) links, existing mobile networks GSM, GPRS, 3G, LTE or WiMAX & satellite connections.
          – New wireless networks ultra-narrowband SIGFOX & TV white-space NeulNET emerging specifically for M2M connectivity.
          – Fixed 'things' in convenient locations could use wired Ethernet or phone lines for wide-area connections
      • Server: (on premise)
          – Some M2M installations use local server to collect & analyse data - both real time and episodically - from assets on the local area network.
          – On-premise servers or simpler gateways usually also connect cloud-based storage & services.
  • 24. Concepts & Jargon (cont.)
      • Local scanning device: 'Things' with short-range sensors located in a restricted area but not permanently connected to a local area network
          – (RFID-tagged livestock on a farm, or credit-card-toting shoppers in a mall, for example). In this case, local scanning devices extract data and transmit it onwards for processing
      • Storage & analytics: IoT will require massive, scalable, storage & processing capacity
          – Will almost invariably reside in the cloud, except for specific localised or security-sensitive cases.
          – Service providers will need access here to curate the data & tweak analytics, but also for LoB processes such as customer relations, billing, technical support
      • User-facing services:
          – Subsets of data & analyses from the IoT available to users or subscribers, presented (hopefully) via easily accessible navigable interfaces on full spectrum of secure client devices
  • 25. Network-level shift & challenges
      • IoT data transfer patterns differ fundamentally from classic 'human-to-human'.
      • M2M communications involve orders of magnitude more nodes than H2H – mostly low-bandwidth, upload-biased traffic.
      • Many M2M applications need to deliver & process information in real time, or near-real-time.
          – Many nodes will have to be extremely low-power or self-powered (e.g. solar powered) devices.
      • Requires billions of new IP addresses we currently don’t have.
          – IPv4 restricted to c. 4.3 billion addresses.
          – IPv6 required but it will have to be lightweight (likely with trimmed-down security attributes)
          – APNIC has already run out of addresses. Reclamation of unused IPv4 address space. Markets in IP addresses - to buy back space.
          – Urgency on transition mechanisms from IPv4 to IPv6
  • 26. “The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking.” Albert Einstein
  • 28. What’s changed security-wise?
      • Underlying principle of M2M communications isn't particularly new.
          – Similar technology has been used for decades at power stations, water utilities, building control and management systems, usually in the more recognisable form of supervisory control and data acquisition (SCADA) systems.
      • However these systems are typically custom implementations
          – Often running proprietary operating systems, and without any particular standard to follow. Assumption is usually that they’re behind a firewall
      • CT scanners, MRI scanners, dialysis machines - they're on an internet.
          – They talk IP, and they have massively vulnerable operating systems. They're running embedded versions of Windows
      • Smart meters, ATMs, SCADA systems, rollout of patches and updates
          – Tends to be slower than you would normally have compared with your home PC, where you get a normal update every week or so or every month
          – There's a lightweight version of IPv6 you can use on M2M type of communications, but it's not full IPv6
      • Sheer scale and numbers of things to secure…
  • 29. Control Maturity
      • Unconsciously Uncontrolled
          – Unaware of what IoT is
          – No strategy / policy
          – No definition
          – No deployment visibility or control
      • Consciously Uncontrolled
          – Some strategy & policy
          – Some definition & insight
          – Maybe some standards
          – No education & awareness
          – No process for identifying, controlling & managing deployments
      • Unconsciously Controlled
          – No strategy & policy
          – No definition & insight
          – But no deployments due to other reasons:
              – Culture / fixed mindset / rigid command & control
              – Technical, economic or other inhibitors
      • Consciously Controlled
          – It's known & understood
          – Well communicated strategy, policy, stds
          – Governs appropriate use
          – Good awareness
          – Visibility & control of all deployment programmes
  • 30. Security FUD corner
      • The security implications are obvious, where hackers might be able to do anything from running up people’s electricity bills to shutting down an oil pipeline.
          – We’ve already had a preview of this with the Stuxnet SCADA story and M2M / The Internet of Things will take us infinitely deeper into that territory…
      • Denial of service (DoS) could have new consequences.
          – Many field-based devices will be powered from batteries. Hit them with long bursts of spurious requests and you’ll kill their power.
      • Encrypting information tends to be a processor-intensive task
          – Meaning devices need to be selective as to what to encrypt, as opposed to the web's trend toward full end-to-end encryption.
          – Unless nanotechnology and battery manufacturing increase as per Moore's Law, it's going to be a huge issue.
      • You don't want to have devices with any kind of identification left lying around
          – Need effective disposal or self-disposal processes built into protocols. Once decommissioned they'll need to, ‘Mission Impossible’-like, self-destruct remotely
      • Slow transition from IPv4 networks to IPv6 could harm M2M uptake.
          – With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6
  • 31. No security standard…anytime soon
      • "It's either going to take a standard for the industry to agree on, or a very powerful vendor to make things work, so that everyone kind of says, 'Well, that works, so I'm just going to use that for the pure ease of use.' It might be completely proprietary, but all we really care about is that stuff works and stuff's secure, in that order, unfortunately."
      • “It's entirely possible that despite the work by research groups, standards and possibly security could be circumvented entirely if a powerful enough company stepped up”
      • "We can be sure of one thing: The lion’s share of IoT growth over the next 3-5 years is going to occur in market segments where the value is tangible – and these are almost wholly seen in the business-centric marketplace". Alex Brisbourne
  • 32. Security forecast
      • Information Security is often an afterthought for nascent technology & nearly always in catch-up mode: retrofitting, patching, firefighting.
      • IoT presents a unique opportunity to build in security from the off
      • If IoT takes off as predicted, there won’t be opportunities to retrofit security after the fact, due to sheer scale & technical issues
      • Whoever achieves market dominance over IoT could ultimately hold the keys to securing civilisation – and might not do a good job of it!
      • Market fragmentation and the resulting lack of standards is a major problem
      • Low-cost, mass-market devices from China or ?? What’s in them?
      • Western civilisation will be hugely more vulnerable than those who might attack us. Critical infrastructure, privacy et al
      • In this future gold rush, will security be sacrificed for other gains?
      • PRISM, NSA, Orwell, 1984 & Big Brother. When everything and everyone can be tracked & monitored – who will police the police?
  • 33. CIO Priorities - Gartner
      Gartner analysts advise CIOs to do 3 things now:
      • Start taking a lead in figuring out the information needs the organisation has from its own Internet of Things.
          – Information analysis drives the business case, re efficiency, reduced costs & increased revenue.
      • Create a team to become the experts on Internet of Things.
          – Build knowledge, skills & partnerships.
      • Ensure big data efforts are aligned with your IoT strategies
          – Data analysis is the driving force behind IoT, and should include the information you intend to get from your network of “things”
  • 34. Things to ponder
      1. Is this a new problem, or just a new take on an existing one?
      2. Are there enough IP addresses available for these billions of 'things'? Or will we be forced into IPv6, carrier-grade NAT, or end up putting large numbers of devices behind each public IP address, and what are the security implications of those choices?
      3. The dumber the connected device, the more basic the security attributes of the device are likely to be. So how will the billions of such devices be security-monitored and updated to maintain security in the face of emerging threats?
      4. What are the implications for protecting critical infrastructure and cyber-warfare/espionage? Could hackers shut off all our water, drain our bank accounts, melt our ice cream and turn all the traffic lights to red?
      5. Flooding market with low-cost, mass-market devices usually means buying from economies like China or Vietnam. With the Huawei debate escalating, how can we be certain of no hidden trapdoors inside these widgets?
      6. Big Data: do we have the technologies to analyse massive amounts of data?
      7. With the PRISM scandal, will Privacy become an obsolete concept?
  • 35. Help! Link to original work: http://farm2.staticflickr.com/1419/5159177886_1276e96f54_b.jpg
  • 37. We need to look ahead this time!