Securing the Internet of Things · 2019. 1. 9.
SECURING THE INTERNET OF THINGS Authentication in IoT Workshop
Matt Tett
Chair – Enabler Workstream 3 (eWS3), Cyber Security & Network Resilience
Who cares about security?
Why authentication is critical to security in an IoT world
The US is introducing legislation to force IoT manufacturers to include changeable authentication as one of three key “pillars” of their product security, along with patching and encryption. Europe is still focused on committees discussing the development of IoT security standards, and Australia is actively developing IoT industry security programs. Today I will explain why identity and authentication are critical and outline where Australia is leading on its IoT Security Strategy - collaboratively and without creating impost or roadblocks.
Trust
Ref: https://securityintelligence.com/no-authentication-without-trust/
Authentication
Ref: https://www.blockchainsemantics.com/blog/blockchain-passwordless-authentication/
Supply Chain & Third Party Risks
Internet of Things – a complex eco-system that demands collaboration
IoT technology enables digital transformation of industry
An end-to-end system comprising:
• sensors/actuators
• communications
• data/analytics
• applications and services
• visualisation and user interfaces
wrapped in security
Using analytics to gain insights, find patterns, predict performance, optimise systems
Collecting, transforming and sharing data
Translating the physical world to digital
Security of Things - Confusion
FUD is counterproductive
Trust is required
Clarity is required
What exactly are we talking about?
Privacy, Safety, Security
These are all very different and are not interchangeable
It’s like the difference between a breach and a compromise
Increased attack vectors
Ref: https://reefbuilders.com/2017/08/07/aquarium-controller-used-to-hack-casino/
https://www.researchgate.net/journal/1942-4795_Wiley_Interdisciplinary_Reviews_Data_Mining_and_Knowledge_Discovery
https://www.forbes.com/sites/anthonykosner/2014/01/17/actually-two-attacks-in-one-target-breach-affected-70-to-110-million-customers/#49f911525482
Default Authentication Credentials!
Ref: https://www.blockchainsemantics.com/blog/blockchain-passwordless-authentication/
Manufacturers often have their heads buried in the sand when it comes to security, bolting it on as an afterthought, or attempting to patch when a vulnerability is identified, hopefully before it is exploited.
Security of Things – Biggest threat is: “It won’t happen to us”
https://securityintelligence.com/news/hacking-risk-for-computer-vision-systems-in-autonomous-cars/
https://securityintelligence.com/how-israel-became-the-land-of-connected-car-research-and-development/
Human Factors
Ref: https://www.alienvault.com/blogs/security-essentials/i-am-dave
Security by Design
https://www.ibm.com/services/us/gbs/thoughtleadership/acceleratesecurity/
Strengthening data privacy to safeguard data exchange
http://www.iot.org.au/wp/wp-content/uploads/2016/12/Good-Data-Practice-A-Guide-for-B2C-IoT-Services-for-Australia-Nov-2017.pdf
The IoTAA publishes this Good Data Practice Guide to promote industry and consumer awareness as to good practice in dealing with data associated with provision of business to consumer (B2C) IoT services. Examples of B2C IoT services include applications for connected car, smart homes, wearable technology, quantified self, connected health, and ‘smart appliances’ that use Wi-Fi for remote monitoring or control such as washer/dryers, robotic vacuums, air purifiers, ovens, or refrigerators.
The IoTAA promotes consumer and industry awareness about good business practice in provision of IoT services and IoT devices to consumers. By building that awareness, we aim to assist both businesses and consumers to anticipate and address possible concerns before they occur. This Guide focusses upon measures that IoT providers can take to build trust and understanding amongst consumers about collection and uses of data in the course of provision of operation of IoT devices and provision of IoT services, protection of privacy and secure installation and operation of IoT devices.
Baseline Minimum IoT Security Requirements
1. No default authentication - administration passwords must be set before the device becomes functional.
2. Encryption – for data in motion and data at rest.
3. Automatic Patching – Security patches must be able to automatically be applied.
4. Fail Safe – if the device fails in the field then it fails secure rather than fail open.
5. Lifecycle – Product security is supported by the vendor for the expected lifecycle of the product.
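An added illustration of requirements 1 and 4 above (not part of the original slides): a hypothetical `Device` model that refuses every function until an admin password has been set and locks itself when its stored credential is unreadable. The class, the state names, the password list and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of factory-style passwords the device must refuse.
KNOWN_DEFAULTS = {"admin", "password", "administrator", "password1234"}

class Device:
    """Hypothetical device model: no function until an admin password is set."""

    def __init__(self, stored=None):
        # stored: None on first boot, else the (salt, digest) record from flash.
        self.state = "UNPROVISIONED"
        self.cred = None
        if stored is not None:
            self._load(stored)

    def _load(self, stored):
        try:
            salt, digest = stored
            if len(salt) != 16 or len(digest) != 32:
                raise ValueError("credential record damaged")
            self.cred, self.state = (salt, digest), "OPERATIONAL"
        except (TypeError, ValueError):
            # Fail secure: a damaged record locks the device; it never
            # falls back to "no password" or to a built-in default.
            self.state = "LOCKED"

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_admin_password(self, password):
        if self.state != "UNPROVISIONED":
            return False
        if len(password) < 12 or password.lower() in KNOWN_DEFAULTS:
            return False
        salt = os.urandom(16)
        self.cred, self.state = (salt, self._hash(password, salt)), "OPERATIONAL"
        return True

    def handle(self, action, password=""):
        if self.state != "OPERATIONAL":
            return "refused"  # nothing runs before provisioning or after a failure
        salt, digest = self.cred
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return "denied"
        return "ok:" + action
```

Recovery from the `LOCKED` state (for example a physical factory reset back to `UNPROVISIONED`) is deliberately left out of the model.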
Security of Things - Strategy
http://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Strategic-Plan-to-Strengthen-IoT-Security-in-Australia-v4.pdf
Key points
• Reference Framework
• Trust Mark Certification Scheme
• Supply and Demand Side Awareness
• Government & Industry Relationships
Action not committees and documents
Defending against cyber-threats in a connected world
Security of Things – Reference Framework – Holistic Approach
• Covers safety, privacy and reliability, ensures security of smart infrastructure and control networks
• References other Security Frameworks, i.e. NIST Security Framework, IoT Compliance Framework (IoTSF), Trustworthiness Framework (IIC)
• Structured around an IoT Reference Framework that includes IoT security
  • Within every layer of the framework, as well as the inter-domain dependencies/complementary
  • In both business operation and technical implementation
  • end-to-end – for every layer identified in the IoT Reference Framework
• Is Data Driven –
  • from data sources (sensors/machines) through to data processing platforms (cloud), and through to data consumption endpoints (applications/human)
  • Data integrity and privacy based
• Extends beyond traditional cybersecurity aspects (CIA), into the physical aspects such as safety and reliability
• Lifecycle – security extends to the life of the product
• Operational – resiliency, reliability and recovery
Reference Framework Security Overlays
©2018 nam@infyra.net www.infyra.net
1.3 Objectives
1.3.1 The objectives of the Trust Mark Scheme are to:
(a) encourage IoT device manufacturers to develop secure IoT devices;
(b) enable users of IoT devices to have confidence in the security and privacy features claimed in an IoT device; and
(c) provide IoT testers with a framework for predictable, standardised and repeatable testing of devices.
1.3.2 The Trust Mark Scheme brings together sources of information relating to the security, privacy, and resilience of IoT to assist the IoT industry in delivering quality products and services. It does not endorse any specific technology or approach for use.
Security of Things - Trust Mark Certification Scheme
Security of Things – Security Awareness Guidelines
Ref: https://www.staysmartonline.gov.au/get-involved/guides
Q & A ?