1

Internet2IoTSystemsRiskManagementTaskForce2016-2017Outcomes

2

Internet2IoTSystemsRiskManagementTaskForce2016-2017Outcomes

• ExplorenotionofalifecycleofIoTSystemsrisk&operationalmanagementinHigherEdinstitutions

• Develop2tools/practicesasstartingplace:• HEpracticeofusingShodanandCensystoolstodevelopIoTSystemsriskexposureforanHEinstitution

• IoTSystemsVendorManagementdocument/checklisttoguidemultipledepartments/orgswithinanHEinstitutiononselection,procurement,managementofIoTSystems

• Identifypotentialforfuturework

• Identify&shareotherresources

3

IoTSystemsVendorManagementGuidance Document-- questionstoguidepurchaser/futureownerofIoTSystems

Institutionalleadership,policy,oversight,resourcingforknownsystemspre-IoTSystemsImplementation --

RiskMitigation

post-IoTSystems Implementation --OperationalRiskManagement

DevelopinganIoTSystemsRiskMitigationLifeCycle

Shodan/Censys/Othertools?• Systemsidentification(therecanbe

surprises)• Riskmitigation

post-IoTSystemsImplementation --CybersecRiskManagement/Mitigation

4

JanCheethamResearchCyberinfrastructureLiaisonOfficeoftheCIOUniversityofWisconsin-Madison

WiNESTTemplateforamodelwirelesscity

IoTresearchinitiatives

5

IoTVulnerabilities:DDoSattacks

krebsonsecurity.com

9/20/16620Gbps

9/18/161.1Tbps

10/21/161.2Tbps

Un-namedUSUniversityLate2016

DVRs,CCTVcameras,homerouters

Mirai,BASHLITE,andevolvingmalware

Campusvendingmachines,lightsensors,refrigerators

6

IoTVulnerabilities:Industrialcontrolsystems

2008Turkishoilpipeline

2014Germanblastfurnace

BBCNews

IndustrialControl&CriticalInfrastructureinHigherEd

Wealsocareaboutthese:ResearchSystems Building,InternalSpace,

AnimalFacility,BSL3Access

Building/Roomenvironmentcontrol(HVAC)

Utilitydistribution

Andothers…

7

Taskforcebenchmarkingactivity

WARNING: ConsultyourCISOofficebeforeusing!Priornoticeandauthorizationmayberequired.

• Proprietary• DevelopedbyformerUCSDstudent• Usedbyprivatesectorandacademia

• Opensource• DevelopedatUnivofMichigan/Illinois• Daily ZMap and ZGrab scansofIPv4addressspaceacrossimportantportsandprotocols

Bothdofulltextsearchingonprotocolbannersandothermetadataonwebsites,servers,devices

8

9

10

Whatwefound

ICS/SCADAdeviceservers

Searchterms

PotentialRisk

”camera”

Weak,hard-codedpasswords

BuildingAutomation

”scada,”“ICS,”“HVAC,”“TridiumFox,”“BACnet,”“Modbus”

ComponentsofbuildingcontrolsystemsexposedonInternet,protocolslackingauthentication,encryption

”AMQP”“RabbitMQ”“MQTT”

SensorsCameras

Complex,layeredsystemswithphysicalsecurityissues,protocolslackingauthentication

11

Maybeothers

Othertypesofdeviceswedidn’tsearchfor• Vendingmachines• Refrigerators• Healthcaremonitors

Imagesources:MegaLab,AlerSense,UAIVending

12

Briefbackground

ChuckBenson

FacilitiesServicesIT,UWDronepolicyworkinggroup,UWChairInternet2IoTSystemsRiskManagementTaskForceFormerChairUW-ITServiceManagementBoard,UWFormerChairProtectionofIndustrialControls(PICS)TaskForce

ArticlesJune&July2016–

“InternetofThings,IoTSystems,andHigherEducation”&“RaisingExpectationsforIoTSystemsVendors”

King’sCollegeLondonBookChapteronSmartCities– partofSystemsScience/SystemsThinkingSeries

“IoTSystems– SystemsSeams&SystemsSocialization–ConsiderationsforManagingIoTSystemsRiskinSmartCitiesandInstitutions”

(andtheobligatorytwitterfeed-- @cabenson361)

ChairInternet2IoTSystemsRiskManagementTaskForce

13

IoTSystemsVendorManagementDocument

• Shodan,Censys,andnon-publishedtoolsrevealcracks/attackpointsinourinstitutions• Creatingpotentiallysubstantialadditionalrisk

• Wecanlowerthatrisk• Byraisingthebar&settingexpectationsoftheIoTSystemsvendor• RFI,RFP,contractnegotiation,&relationshipmanagementphaseswiththevendor

14

Canwemanagewhatweown?

15

AndtheIoTSystemisdeployedinasystemofhuman&technicalsystems…

meter1

meter2

meter3

metern

Meterdataaggregatoranalytics&reporting

dashboards

rawdata

processing

processeddata1

processeddata2

processing

Exampledatapathforenergymgmt.system

ExistingIT/InfoMgmtInfrastructure(e.g.,physicalnetwork&physicalimplementationpoints)Technicalinfrastructure

Organizationalstructure CentralIT Distributed

ITFacilitiesMgmt

InstitutionLeadership

Acad/AdminDept1

Acad/AdminDeptn

People– withroles,expectations,patterns,routines,opinions

Vendor1 Vendorn

16

Increasingvendor/systemcountincreasessystemscomplexity&managementoverhead

Vendormanagementcomplexitygrowsrapidlywith#IoTsystems@cabenson361#risk#i2summit17

17

IoTSystemsVendorManagementDocument• Acknowledgethat:

• IoTSystemsincreasinglyenteringinstitutioninnon-traditionalways• e.g.,notcentralIT– butend-users/PI’s,facilities,capitalplanning,planning/budgeting

• IoTSystemsaredeployedinnon-traditionalways• Thesearenottraditionalenterprisesystems• OftennotwithcentralIT• Oftenwithvendor-heavyinfluence

• Generally,limitedvettingforIoTSystems• Many,most?ofthesesystemswillnotbemanagedbycentralIT

• IoTSystemsVendorManagementDoc• Designedtoassist:

• selection• RFI• RFP• contractionnegotiation• systemsmanagement

• Docneedsbroadutility&consumability -- Needstobereadableor‘parseable’byorganizationsfulfillingmultipledifferentroles– notjustIT

18

-- exampleitems--

qDoesvendorneed1(ormore)datafeeds/datasharingfromyourorganization?

qArethedatafeedswell-defined?qDotheyexistalready?

q Ifnot,whowillcreate&supportthem

qHowmanyendpointdeviceswillbeinstalled?qIsthereapatchplan?Whomanagesthis?

qDoesthisvendor’ssystemhavedependenciesonothersystems?

qWhopaysforvendorsystemsrequirements(eghardware,supportingsoftware,networking,etc?)

qDoeslocalsupport(FTE)exist?Isitavailable?Willitremainavailable?

q Ifhostedinadatacenter,whopaysforthosecosts?q Ifcloud-hosted,egAWS,whopaysforthosecosts?qAbovequestionsansweredforbothimplementation

&longtermsupport?

operationalrisks(egresourcing&planning) cybersec(badguy)risks both

qWhatistotaloperationalcostafterinstallation?q LicensingqSupportcontractsqHostingrequirementsqBusinessresiliencerequirements(egredundancy,

recovery,etcforOS,db,other)

q IstheIoTvendorsystemimplementationdocumented?

qArchitecturediagram?qw/IPaddresses&physical

locationofdevices?qw/requiredportsdocumented

q Isthereacommissioningplan?Orhaveinstallationexpectationsotherwisebeenstated?

qDefaultlogins&passwordschanged&recorded?qNon-requireddefaultportsclosed?qDevicesportscanned(orsimilar)afterinstallation

qForremotesupport,howdoesvendorsafeguardlogin/accountinformation?

q Isitincontract?

qWho,inyourorganization,willmanagetheIoTsystemvendorcontract?

qCentralIT?qFacilities?qTenant/customerdept ?qOther?PD/security?CISO?CSO?

qCanIoTsystemvendormaintenancecontractoffsetlocalITsupportshortages?

q for10’s,100’s,1000’sofnewendpoints?

q Isarisksharingagreementinplaceforsharedinstitutionalinformation?

qHowmanyIoTsystemsareyoualreadymanaging?qAreyouanticipatingmoreinnext18

months?

IoTSystemsVendorManagementDocument

19

Manyotherresources(somelongertoreadthanothers)• NISTCybersecurityforIoTProgram

• https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

• FTC&IoTPrivacy• https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-

things-privacy/150127iotrpt.pdf

• IndustrialInternetofThingsSecurityFramework• http://www.iiconsortium.org/IISF.htm

• GSMAIoTSecurityGuidelines• http://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/

• OWASPIoTSecurityGuidance• https://www.owasp.org/index.php/IoT_Security_Guidance

• DHSStrategicPrinciplesforSecuringtheInternetofThings• https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

• Others…

20

Possiblefutureworkinarea• IoTSystemsCosting

• Few,ifany,institutionshaveahandleonthis

• Networksegmentportfoliostrategies• Segmentationisalltherage,buthowarethosesegmentationportfoliosmanaged

• InternalICS&IoTexposure• Shodan/Censys dopublicaddresses

• InternalVLAN’s,VRF’s,etc notcovered

• Benchmark/standardforexposureinHE

21

Questions/Comments?