security fundamental for iot devices; creating the internet of secure things

33
#EEwebinar Security Fundamentals for IoT Devices; Creating the Internet of Secure Things

Upload: design-world

Post on 15-Apr-2017

657 views

Category:

Engineering


2 download

TRANSCRIPT

Page 1: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Security Fundamentals for IoT Devices; Creating the Internet of Secure Things

Page 2: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

q  This webinar will be available afterwards at www.designworldonline.com & email

q  Q&A at the end of the presentation q  Hashtag for this webinar: #EEwebinar

Before We Start

Page 3: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Aimee Kalnoskas Design World EE Network

Moderator

Alan Grau President & Co-founder

Icon Labs

Security Fundamentals for IoT Devices; Creating the Internet of Secure Things

Meet your Presenter

Page 4: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

IoT security •  Why do we care about the IoT •  What do we mean by IoT/IIoT •  Why worry about security •  Security standards for Industrial Automation •  Nuts and bolts of security for IIoT devices

o  Security challenges for the IoT o  Framework/requirements for security o  Implementing security for IIoT devices

•  Summary/Questions

Page 5: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

The IoT is driving businesses

$15  Trillion  economic  value  created  by  IoT  over  next  20  years GE

250  million  connected  vehicles  by  2020 Gartner 75%  growth  in  wireless  devices  between  now  and  2020,  reaching  40  billion  devices ABI  Research

$3  Billion  IoT  investment IBM Managed  Services  to  jump  from  $14.75  billion  in  2013  to  $265.05  billion  in  2018 Solarwinds

Page 6: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

IoT •  IoT – Using Internet connectivity to capture data from a

cornucopia of “things”; then analyze the data to create new efficiencies and business opportunities

6  

Page 7: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Why focus on security? •  So your devices and systems are secure

o  Hopefully by now this is self evident

•  Competitive advantage •  Enable managed services – create revenue opportunities •  Required to meet regulator compliance and to protect

against lawsuits and bad PR

Page 8: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Growing threat of cyber-attacks

Page 9: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

How are we doing? •  70% of new IoT devices have significant security

weaknesses – HP Labs •  Average new IoT device has 25 security vulnerabilities –

HP Labs •  “We have been able to penetrate every system we’ve

targeted” – Kevin Mitnick

Page 10: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Security Standards

•  Industrial automation o  ISA/IEC 62443:EDSA

•  www.isa.org/isa99/

•  Federal Mandate/NIST Cybersecurity Framework o  US Federal Executive Order (EO) 13636

•  www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

•  Power Grid/Smart Grid o  NERC/CIP

•  www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

10  

Page 11: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Regulatory Compliance: Major Driver

•  Regulatory compliance is frequently a driving force for implementing security o  Quantifiable o  Understandable

•  Executives who struggle to understand nuanced security tradeoffs CAN understand compliance

11  

Page 12: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Security Standards •  Many standards, but common themes

o  Identity management o  Mutual authentication/authorization o  Audit o  Protection o  Secure communication o  Attack detection and mitigation o  Security management and visibility

12  

Page 13: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

IoT Security Challenges

Scalability • 8/16  bit  MCU  based • 32  bit  RTOS  based • 32  bit  Linux/Android

Fragmented  market • HW  vendors • SW  vendors • Vertical  markets • End  Users

Diverse  communication • Wi-­‐‑Fi,  Ethernet,  TCP/IP • ZigBee,  Bluetooth,  BLE

Broad  a^ack  surfaces • Multiple  communication  interfaces

• Devices  accessible  to  hackers

Page 14: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Classes of IoT Devices

Page 15: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Classes of IoT Devices Class  1  device

• Very  small  devices  (light  bulbs,  sensors)

• 8/16  bit  MCU • ZigBee,  MESH  networking  

• Limited  CPU  cycles,  memory

• Bare  metal,  scheduler  or  kernel  such  as  FreeRTOS  or  uC/OS-­‐‑III

Class  2  device

• Small,  low  cost  devices  but  moderately  powerful  devices  (medical  devices,  telematics)

• 32  bit  MCU • Cellular,  BLE,  Bluetooth,  Ethernet,  or  WiFi

• RTOS  only  –  not  Linux

Class  3  device

• More  expensive,  more  powerful  devices  such  as  larger  medical  devices,  

• 32  bit  MPU • Ethernet  or  WiFi • RTOS  or  embedded  Linux

Class  4  device

• Gateway  or  high-­‐‑end  endpoints

• 32/64  bit  MPU • Embedded  Linux  or  Android

• Multiple  protocols  including  Ethernet,  WiFi  and  ZigBee,  BLE  or  Bluetooth

Page 16: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Perimeter security •  One solution: More Perimeters

o  Expensive! o  Doesn’t address fundamental issues

•  Security perimeters are only a partial solution o  IoT devices may not be inside of a security perimeter o  Perimeters can be compromised o  Insider threats account for more than 50% of cyber-incidents

16  

Page 17: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Secure the devices •  Don’t rely only on the perimeter •  Build the required security into the device

o  Order of magnitude lower cost o  Addresses basic security needs such as secure boot and security

management

17  

Page 18: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Challenge of IoT Device Security

•  IoT devices are embedded devices o  Embedded Linux, Android or RTOS-based o  Limited resources for security software o  Traditional IT security solutions won’t work

•  Not just about data – protecting critical operations •  Need new solutions designed for embedded devices

o  Build it yourself o  Find a commercial solution

18  

Page 19: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

OT devices, IT security •  All devices must be

o  Protected o  Trusted o  Authenticated o  Secured o  Managed o  Visible

19  

Page 20: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Security Requirements •  Harden the device

o  Hypervisor, secure boot, intrusion detection o  Leverage hardware security features

•  Data protection o  Data at rest, data in motion o  key and password obfuscation

•  Secure communication o  Security protocols, mutual authentication, firewall

•  Visibility and management o  Management system integration (policy updates, events)

20  

Page 21: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Security Framework

21  

o  Designed for embedded use

o  Portable

o  Small footprint

o  Minimal performance overhead

Page 22: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Hardening the device

•  Leverage hardware security features o  TPM/TEE o  Secure device ID o  Crypto acceleration

•  Hypervisor •  Secure boot •  Intrusion detection

22  

Page 23: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Leverage HW Security Features

•  Trusted Platform Module (TPM) o  International standard for a secure

cryptographic processor o  Dedicated microprocessor designed

to enable secure devices o  Secure key storage o  Key generation o  Encryption/decryption

•  Provides foundation for security

Page 24: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Hypervisor •  Enables partitioning to increase security

o  Security processing & management isolated from user processing

•  Security breach in one partition cannot impact other partitions

24  

Page 25: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Secure Boot Before loading software, verify •  it came from the OEM •  it has not been tampered with

Hardware  TPM/TEE  can  provide •  Protected  key  storage •  Protected  signature  storage •  Signature  generation

Page 26: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

IDS/IPS for Embedded Devices •  Communication based IDS/IPS

o  Report firewall rules violations o  Protocol specific DPI o  Detect scans, probing

•  Configuration based IDS/IPS o  Detect unauthorized changes to

firmware, libraries and data files

•  Report events to a security management system

Page 27: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

•  Data at rest: device is off, how is the data protected? o  Encrypted files, full disk encryption

•  Data in use: while generated or being processed - is it secured? o  Obfuscation, MMU based protection methods, user privileges o  Protect against memory scraping attacks

•  Data in transit: leaving the device, is it being hijacked? o  Security protocols

Securing Device Data

Page 28: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Secure Communication •  Security protocols

o  IPsec/IKE (VPN) o  SSH / SSL/TLS/DTLS

•  Authentication o  X.509 / Kerberos o  RADIUS o  TACACS+ o  802.1X

Page 29: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Embedded Firewall •  Endpoint firewall for

embedded/RTOS systems •  Rules based filtering (IP

addresses, ports, protocols) •  Stateful packet inspection •  Threshold filtering •  Protocol specific deep packet

inspection •  IDS alerts

Page 30: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Management and visibility

•  Policy management •  Event reporting •  Situational awareness •  Status monitoring •  Secure firmware updates

30  

Page 31: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Summary •  Common requirements

o  Industry standards help define security requirements o  Many standards, but common requirements

•  Utilize a security framework that provides building blocks to enable and support the various standards

•  Integrate security into the device itself – don’t just rely on a secure perimeter

Page 32: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Aimee Kalnoskas Moderator Design World EE Network [email protected] @DW_Aimee

Alan Grau President & Co-founder Icon Labs [email protected]

Questions? Security Fundamentals for IoT Devices; Creating the Internet of Secure Things

Page 33: Security Fundamental for IoT Devices; Creating the Internet of Secure Things

#EEwebinar

Thank You q  This webinar will be available at

designworldonline.com & email

q  Tweet with hashtag #EEwebinar

q  Connect with Design World

q  Discuss this on EngineeringExchange.com