Embracing IoT in the Enterprise and Blocking the Top 10 Risks Gabriella Davis Technical Director - IBM Lifetime Champion The Turtle Partnership IWT-2469 IBM InterConnect 2017 Conference

Upload: gabriella-davis

Post on 11-Apr-2017


Page 1: Embracing iot in the enterprise

Embracing IoT in the Enterprise and Blocking the Top 10 Risks

Gabriella Davis

Technical Director - IBM Lifetime Champion

The Turtle Partnership

IWT-2469

IBM InterConnect 2017 Conference

Page 2: Embracing iot in the enterprise

Who Am I?

• Admin of all things and especially quite complicated things where the fun is

• Working with security, health checks, single sign on, design and deployment of IBM technologies and things that they talk to

• Stubborn and relentless problem solver

• Lives in London about half of the time

• [email protected]

• twitter: gabturtle

• Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions

Page 3: Embracing iot in the enterprise

Roadmap For This Session

• The World of IoT

• Opportunities In The Enterprise

• Challenges of IoT

• Risks of the Unexpected

• Your Checklist For IoT In The Enterprise

Page 4: Embracing iot in the enterprise

Internet Of Things

• A physical device with embedded internet connectivity and “always on” status

• The beauty of IoT devices is that they are integrated into your life

• There’s no authentication

• They know everything they need to know simply because of their placement or setup

• Their true value is in learning about things like your preferences, behaviour, patterns

Page 5: Embracing iot in the enterprise

Pre IoT Machine Learning

• Using algorithms to learn and improve functionality without direct programming

• Guided learning - this is where we want to get to

• Unguided learning - using only the data

• Reinforced learning - based on interactions

• IoT connects devices, whereas machine learning accumulates and acts on data

Page 6: Embracing iot in the enterprise

Evolution of IoT

• Consumer products

• Envisaging potential for Enterprises

• Initial investments

• In most industries we are still at a very early conceptualising stage

Page 7: Embracing iot in the enterprise

Opportunities In The Enterprise

Page 8: Embracing iot in the enterprise

How IoT Can Change Enterprises

• Generating new revenue models

• Becoming a digital enterprise

• Introducing efficiencies

• Changing and aiding customer service and customer reach

Page 9: Embracing iot in the enterprise

Manufacturing (Industry 4.0)

• Improve the production process and the supply chain

• More suppliers over longer distances all attempting to work together

• Much of the supply chain is outside direct control and IoT devices can supply the data needed to regain that

Page 10: Embracing iot in the enterprise

Retail

• Store layout

• High traffic areas, tracking customer paths

• Using beacon technology to reach out to consumers in store with promotions

• Connecting digital and physical worlds

• Disney’s Magic Bands

Page 11: Embracing iot in the enterprise

Utilities

• Customer Service

• Manage communication

• Improving response for outages

• Increasing reliability

• Competition for utilities providers from IoT providers

• Developing countries with monitoring for sanitation

• Recycling companies with sensors on bins and collection trucks

Page 12: Embracing iot in the enterprise

Insurance

• Triggering alerts on damage including quantifiable data

• Recording environment status

• Customer service - automatically generating insurance claims

Page 13: Embracing iot in the enterprise

Healthcare

• Devices to record and send data

• Sensors to track and monitor vital signs

• Smartbeds

• Home medicine dispensers

• Increasing interactions between Dr and patient

Page 14: Embracing iot in the enterprise

Challenges of IoT

Page 15: Embracing iot in the enterprise

Changing existing models

• The principles behind deploying IoT anywhere require re-thinking of existing processes and models

• IoT cannot just be bolted on to an existing method

• Enormous amounts of data will be generated; where and how to insert them into the business, as well as how to leverage them, needs to be considered

Page 16: Embracing iot in the enterprise

Challenging Embedded Thinking

• Changes to the way people and processes work requires us to approach each area of the business holistically

• Do we need to do this this way?

• If we could get any information either from our own systems or from our customers what would we want and what would we do with it?

• Assuming anything is achievable

Page 17: Embracing iot in the enterprise

Building From New

• It’s far more likely that a system integrating IoT into your business will require building from new

• Certainly deploying the correct hardware / sensors and modifying processes both mechanical and human to leverage those is a big undertaking

• There will be a significant investment required in hardware and an ongoing investment in maintenance, data analysis, training, marketing and change

Page 18: Embracing iot in the enterprise

Handling large amounts of data

• IoT is about generating masses of data and then acting on it

• Virgin Airlines’ new 787 planes are expected to generate over half a TB of data per flight on every aspect of the plane’s mechanics

• There needs to be a plan for what data will be generated, how it will be handled, how to act on it quickly, how to secure it and how to destroy it

Page 19: Embracing iot in the enterprise

Analysing Data, Identifying Patterns

• The value from IoT is dependent on the ability to generate, analyse and act on data

• Data visualisation, design algorithms, customer service all depend on management of data

• Farmers are able to use sensors to monitor soil content in real time and adjust their treatment

Page 20: Embracing iot in the enterprise

Risks of the Unexpected

Page 21: Embracing iot in the enterprise

Why This Is A Concern With IoT

• Physical devices may now come with built in connectivity as an added feature

• Companies who didn’t deploy them for that feature may also not have security policies in place to disable or limit it

• Risk assessment happens too late

Page 22: Embracing iot in the enterprise

Risk: Data Bleed

• Malware

• Sniffing Traffic

• Compromised credentials

• Traversing across into secure internal networks

Page 23: Embracing iot in the enterprise

Risk: DNS Attacks

A vulnerability in a particular sensor’s hardware that could allow a DNS attack and potentially disable other similar devices or break a process / production line

Page 24: Embracing iot in the enterprise

Risk: BYOIoTD

• People bringing IoT devices in from home and attaching them to corporate networks

• Enterprise wifi transmitting insecure private information

• Supporting application software with too high permissions

• Data protection for personal information

Page 25: Embracing iot in the enterprise

Risk: HTTP Traffic

• Many devices are designed to use HTTP to send data to the cloud or between themselves

• Some devices receive firmware updates without authentication over HTTP

• For consumer devices this is often not detailed in documentation

• Most enterprises restrict inbound traffic but not always for HTTP

Page 26: Embracing iot in the enterprise

Designing Security Best Practices

• Physical access / location

• Firmware updates

• Local administrative accounts and access

• Network access

• Encryption tunnels for data

• Recovery / remediation plan

Page 27: Embracing iot in the enterprise

Blockchain and IoT

• Blockchain is a transactional auditing method originated for Bitcoins but rapidly expanding out to enterprise technologies

• Using Blockchain, every transaction is logged and verified via cryptographic strings across multiple nodes

• Once enough nodes have verified a transaction as valid, it is written to the audit record

• Blockchain deployed for IoT devices would present a way to identify missing expected transactions and unexpected transactions, both of which result from hijacking

Page 28: Embracing iot in the enterprise

Your Checklist For IoT In The Enterprise

Page 29: Embracing iot in the enterprise

Planning

1. Risk assessment of enterprise hardware

2. Policy for use of consumer devices by line of business

3. Budget planning for IoT assessment, maintenance and security

Page 30: Embracing iot in the enterprise

Security

4. Finding all the devices - most will not advertise themselves or be visible on the network as they use specific protocols that aren’t easy to monitor

5. Identify the device type and usefulness

6. Identify the attack surface of a device

7. Create security policies for the use and maintenance of IoT devices

Page 31: Embracing iot in the enterprise

Securing the Enterprise Network

8. Create an isolated IoT network

Deny user credentials onto that network

9. Traffic monitoring

10. Resetting firmware and all administrative authentication protocols on any IoT devices
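An added example, not part of the original slides: one way to run the traffic monitoring step against an isolated IoT network, flagging the data bleed and HTTP risks listed earlier. The address ranges, the per-device allowlist and the flow-record format are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one isolated IoT segment, plus the
# internal ranges it must never exchange traffic with.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "192.168.10.0/24")]
# Per-device allowlist of (destination, port), built from the device inventory.
ALLOWED = {
    "10.50.0.11": {("203.0.113.20", 443)},
    "10.50.0.12": {("203.0.113.30", 80)},
}

# Constructed flow records, one per line: "src dst dport bytes"
SAMPLE_FLOWS = """\
10.50.0.11 203.0.113.20 443 5120
10.50.0.12 203.0.113.30 80 880
10.50.0.12 10.0.4.25 445 300
10.50.0.77 198.51.100.9 80 64000
10.0.4.31 10.50.0.11 22 1200
"""

def review_flows(text):
    """Return (src, dst, port, reasons) for every flow that needs attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, _size = line.split()
        port = int(port)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        reasons = []
        if src_ip in IOT_NET:
            if src not in ALLOWED:
                reasons.append("device not in inventory")
            elif (dst, port) not in ALLOWED[src]:
                reasons.append("destination not allowlisted")
            if any(dst_ip in n for n in INTERNAL_NETS):
                reasons.append("IoT segment reaching internal network")
            if port == 80:
                reasons.append("plaintext HTTP")
        elif dst_ip in IOT_NET and any(src_ip in n for n in INTERNAL_NETS):
            reasons.append("internal host reaching into IoT segment")
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings

if __name__ == "__main__":
    for src, dst, port, reasons in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}: {', '.join(reasons)}")
```

Note that the second sample flow is allowlisted yet still reported, because an approved destination reached over plaintext HTTP remains exposed to sniffing.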

Page 32: Embracing iot in the enterprise

Maintenance & Firmware Updates

11. Most IoT devices use unexpected protocols and can’t be interrogated by standard network monitoring tools

12. IoT devices use specific operating systems; at best you could hope for a version of Linux. It’s unlikely you can install management software on them

13. Keeping the enterprise secure will require devices to be updated / patched with the latest firmware, almost certainly a manual process for each device

14. The expected lifespan of most IoT devices is much longer than for other hardware

Page 33: Embracing iot in the enterprise

Remediation

1. Map all critical inbound and outbound routes and have a plan to shut down non critical and, if necessary, critical ones

2. Disable sensors on unnecessary IoT devices. If a piece of hardware has an IoT sensor you don’t need, disable it before installing it

3. Have plans to replace or regenerate data

4. Be able to isolate network activity by separating networks

5. Don’t expect the worst but plan for an analog fallback in the event systems are disabled or networks are unavailable

Page 34: Embracing iot in the enterprise

Summary

1. We are at the beginning of an evolutionary and exciting phase in every industry. Now is the time to think about how this will change yours.

2. IoT is not something that can be bolted on to existing systems, thinking and processes; the planning involved will always be a large commitment

3. Technology and security for IoT devices is changing but not rapidly enough and older devices will not have the hardware on board to support new security processes

4. IoT brings huge opportunities to every industry sector offering a chance to innovate and drastically alter existing business models

Page 35: Embracing iot in the enterprise

[email protected]

• twitter: gabturtle

Page 36: Embracing iot in the enterprise

Notices and disclaimers

Copyright © 2017 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Page 37: Embracing iot in the enterprise

Notices and disclaimers continued

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.