IoT Security Landscape: Survey & Analysis DFWCUG August 2nd, 2017 Mark Szewczul, MSEE CISSP IoT Security Architect [email protected] @vslick1

Source: dfw.cisco-users.org/zips/20170802_DFWCUG_IoT.pdf




(Image: aliveandbloggin)

Technology allows society to advance exponentially
• Embedded processors/RTOS everywhere: 8-bit, 32-bit, 64-bit
  • Classic 8051 core, ARM, x86
• Wireless connections are accelerating in number and speed
  • WiFi, Bluetooth (BT5), ZigBee, proprietary RF links (SigFox, LoRa, RPMA), 5G cellular (NB-IoT, LTE-M), GPS, NFC
• Countless sensors are being dropped into nodes
  • Camera, temperature, accelerometers, microphones, lasers, infrared

(Images: semtech.com, Ingenu)

IoT Reaching Critical Mass…but when?
• By the year 2020, many are predicting anywhere from 28 to 75 billion devices connected to the internet, against about 7 billion people
  • ~7 devices per person
• Data and revenue streams will be huge
• Life can only get easier & simpler…right?

John von Neumann Architecture – 1940s

John von Neumann – “Singularity” 1950s
From Wikipedia: The technological singularity (also, simply, the singularity) is the hypothesis that the invention of artificial superintelligence will abruptly trigger runaway technological growth, resulting in unfathomable changes to human civilization. According to this hypothesis, an upgradable intelligent agent (such as a computer running software-based artificial general intelligence) would enter a 'runaway reaction' of self-improvement cycles, with each new and more intelligent generation appearing more and more rapidly, causing an intelligence explosion and resulting in a powerful superintelligence that would, qualitatively, far surpass all human intelligence. John von Neumann first uses the term "singularity" (c. 1950s), in the context of technological progress causing accelerating change: "The accelerating progress of technology and changes in the mode of human life, give the appearance of approaching some essential singularity in the history of the race beyond which human affairs, as we know them, can not continue".

Metcalfe's Law – 1980

Do more nodes = more value?
• Metcalfe's Law states that the value of a network grows as the square of the number of its users
• The number of unique connections in a network can be expressed mathematically as the triangular number n(n − 1)/2, which is proportional to n² asymptotically

Ray Kurzweil – “Singularity is Near” 2000s
From Wikipedia: Kurzweil describes his law of accelerating returns, which predicts an exponential increase in technologies like computers, genetics, nanotechnology, robotics and artificial intelligence. Kurzweil explains that evolutionary progress is exponential because of positive feedback; the results of one stage are used to create the next stage. Kurzweil calls this exponential growth the law of accelerating returns, and he believes it applies to many human-created technologies such as computer memory, transistors, microprocessors, DNA sequencing, magnetic storage, the number of Internet hosts, Internet traffic, decrease in device size, and nanotech citations and patents. What technology will follow integrated circuits is unknown, but Kurzweil believes nanotubes are the most likely alternative among a number of possibilities: nanotubes and nanotube circuitry, molecular computing, self-assembly in nanotube circuits, biological systems emulating circuit assembly, computing with DNA, spintronics (computing with the spin of electrons), computing with light, and quantum computing.

(Image: readingrat.net)

IoT Promised Benefits
• Countless possibilities of value (or perceived value?)
• Increased productivity/efficiencies
  • e.g. reduced natural resources consumed
• New markets discovered
  • e.g. autonomous transportation
• Time and money saved on existing operations
  • e.g. further Just-In-Time optimization

Recent Buzzwords
• Artificial Intelligence (AI) – 1950s
  • Concept birthed; e.g. a computer can play a game of checkers.
• Machine Learning (ML) – HERE
  • A narrow implementation of AI; e.g. a system is trained with large inputs of data where robust algorithms (feedback loop) give it the ability to learn.
• Deep Learning (DL) – NEXT
  • e.g. image recognition even better than humans: recognizing indicators in MRI scans for tumors in tissue or cancer in the blood.
  • e.g. Google DeepMind “Go” game, matched against itself before defeating the world grandmaster.
  • e.g. Google TPU (Tensor Processing Unit) – ML processing farm on the GCP

Recent Buzzwords
• Augmented Reality (AR) – ON THE HORIZON
  • Magic Leap: > $4.5B from investors; light field overlay lenses; mixed reality objects can interact with YOUR surroundings.
  • Human-Assisted Machine Intelligence versus Machine-Assisted Human Intelligence, i.e. Augmented Intelligence (not Artificial Intelligence).
• Quantum Computing (as a Service from IBM)
  • Quantum entanglement: “spooky action at a distance” over 1200 km in China
• Watson
  • Cognitive computing is the simulation of human thought processes in a computerized model.
  • Cognitive computing involves self-learning systems that use data mining, pattern recognition and natural language processing to mimic the way the human brain works.

Top ML Trends ~MapR Blog
• Hyper-personalization (context-driven marketing)
• Real-time sentiment analysis & response (social customer care)
• Behavioral analytics (predictive & prescriptive)
• Conversational chatbots (using NLG: Natural Language Generation)
• Agile analytics (DataOps)
• Influencer marketing (amplification of your message to specific audiences)
• Journey Sciences (using graph & linked data modeling)
• Context-based customer engagement through IoT (knowing the knowable via ubiquitous sensors)

(Image: Gartner)

IoT Benefits?
• Make it all wireless… add more sensors to all nodes… add more compute/storage as well!
• More raw data obtained with sensors/storage/compute embedded everywhere
• More remote control for everything – feel more in control, more powerful
• With AI, ML, DL: IoT will be much more contextual, predictive, prescriptive
  • “AI is the brain, IoT is the body” ~Maciej Kranz, Cisco VP, Corp Strategy Innovation Group

IoT Tradeoffs
• Expensive to acquire
  • Many systems require a large investment in HW
• Hard to configure
  • Continual FW/SW updates require frequently recurring end-user setting changes

IoT Tradeoffs
• Security issues
  • Potentially large attack surface for bad actors to infiltrate the system
  • Ruined reputation, stolen intellectual property, lost revenue
• Privacy issues
  • PII can be stolen
  • Systems can leak PII unintentionally because of careless design
• Safety issues
  • The grid can be taken down…the very systems that we rely upon daily (GPS, electricity, autonomous transportation)
  • Social chaos could erupt

(Image: S. Hema Latha)

All this data – WAIT!
• All this data has to go somewhere:
  • It can go places you don't trust… Big Brother
    • Response: oh well, I don't expect privacy on the internet in this Digital Age!
  • It can get released to the open internet…
  • It can also go places you are oblivious to…
• IoT standards are quite lacking
  • Many proprietary protocols do not easily allow interoperability

(Image: rs-components.com)

IoT to Cloud – All 7 layers

Cisco Jasper – Control Center

IoT technology embraced by many small companies

IoT Alliances – OCF: Unification is focus
• “OCF”: Open Connectivity Foundation history
  • OIC (Open Interconnect Consortium) started by Intel and sponsored the IoTivity open source project
  • Qualcomm started AllJoyn but handed the source code and trademark to The Linux Foundation by creating the AllSeen Alliance
  • AllJoyn merged with IoTivity

IoT Alliances – OCF: Unification is focus (cont'd)
• Then OCF and AllSeen merged…keeping the OCF (Open Connectivity Foundation) name
• OCF now sponsors the IoTivity and AllJoyn open source projects at The Linux Foundation
• OCF members: GE Digital (GE IIoT), Cisco, ARRIS, LG, Electrolux, Intel, Microsoft, Qualcomm, Samsung and many others

IoT Alliances – IIC: Architecture/Security is focus
• “Industrial Internet Consortium” – IIC has released IIoT Volume G4: Security Framework
  • First revision to “initiate a process to create broad industry consensus on how to secure IIoT systems”
• IIoT Volume G1: Internet Reference Architecture
• IIoT Volume G5: Connectivity Framework

IoT Alliances – IoTC: adoption is focus
• “Internet of Things Consortium” – IoTC
  • Non-profit trade association
  • Jumpstart business development
  • Raise IoT education of consumers, sales channels and investors
  • IoTC members: Verizon, Whirlpool, Honeywell, Belkin

FTC – Division of Privacy and Identity Protection
• FTC: researching and advising on secure APIs, authentication, and product updates.
• Will companies release security updates long after the initial product release?

FTC – Division of Privacy and Identity Protection (cont'd)
• If routers and smartphones have issues today, is there hope for IoT, given the fragmentation and sheer numbers of devices and networks?
• How will end-users reliably become aware of and apply these patches?

FTC – Division of Privacy and Identity Protection (cont'd)
• FTC's main concerns:
  • Transparency/deceptive practices
  • Consumer data privacy
• Focus is on enforcing consumer privacy & safety

FCC – Focus on IoT security by design
• “Cybersecurity Risk Reduction” White Paper
  • Published January 18, 2017.
  • As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards and adherence to best practices”

FCC – Focus on self cyber-accountability (cont'd)
• FCC wants self cyber-accountability and expects to see a response from the market, or it may be forced to propose further regulations,
  • e.g. a Further Notice of Proposed Rulemaking (FNPRM)

FCC – Focus on IoT security protocols (cont'd)
• The FCC could go further and use its Open Internet rules to bar ISPs from blocking any traffic emanating from IoT devices, or at least those with easily circumvented security protocols.
• FCC is careful because it doesn't have statutory power to effectively police cybersecurity, e.g. the IoT space.

GAO – IoT Technology Assessment
• May 2017: IoT status and implications of an increasingly connected world
• Inherent risks and potential challenges:
  • Information security – in 2016 many IoT devices were hacked.
  • Privacy – PII gets stored, transferred, sold without consumer knowledge or consent.
  • Safety – in 2015 cars were hacked where brakes were cut and the transmission disabled.
  • Standards – technical intercommunication protocols are lacking.
  • Economic issues – disruptions are possible where people may lose jobs.

DHS
• Published “Strategic Principles for Securing the Internet of Things (IoT)”, Version 1.0, November 15, 2016.
• Suggests the following principles:
  • Incorporate Security at the Design Phase
  • Promote Security Updates and Vulnerability Management
  • Build on Recognized Security Practices
  • Prioritize Security Measures According to Potential Impact
  • Promote Transparency across IoT
  • Connect Carefully and Deliberately
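The second DHS principle, security updates and vulnerability management, only helps if a Thing can tell a genuine update from a tampered or stale one, which is also the "authentication safeguards" the FCC's definition of security by design calls for. The following is an added example written for this page, not code from the deck, DHS, or any vendor. It shows the checks a device should run before writing an image to flash: authenticate the manifest first, then match the device model, the image hash, and the version (anti-rollback). HMAC-SHA256 from the Python standard library stands in for the asymmetric signature a real device would verify against a vendor public key; the key, the model name and the image bytes are constructed for the example.

```python
"""Added example: checks a device runs on a firmware update before installing it.
HMAC-SHA256 (stdlib) stands in for the asymmetric signature a real device would
verify with a vendor public key; the key and all sample values are constructed."""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. A production device would hold only a public key and
# never share secret material with the signing server.
UPDATE_KEY = b"constructed-demo-key-not-for-production"


def _canonical(manifest: dict) -> bytes:
    """Deterministic encoding so vendor and device authenticate the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_update(key: bytes, image: bytes, version: int, model: str) -> dict:
    """Vendor side (signing server): describe the image, then authenticate that description."""
    manifest = {
        "model": model,
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "image": image}


def verify_update(update: dict, key: bytes, installed_version: int, model: str) -> Tuple[bool, str]:
    """Device side: every check must pass before the image touches flash.
    The tag is checked first so that no untrusted manifest field is acted on."""
    manifest, tag, image = update["manifest"], update["tag"], update["image"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest authentication failed"
    if manifest.get("model") != model:
        return False, "manifest is for a different device model"
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image does not match the hash in the manifest"
    if manifest.get("version", -1) <= installed_version:
        return False, "rollback to the same or an older version refused"
    return True, "ok"


if __name__ == "__main__":
    image_v3 = b"constructed firmware image v3"  # constructed sample image
    update = make_update(UPDATE_KEY, image_v3, version=3, model="demo-sensor")
    print(verify_update(update, UPDATE_KEY, installed_version=2, model="demo-sensor"))
    tampered = dict(update, image=image_v3 + b"\x00")
    print(verify_update(tampered, UPDATE_KEY, installed_version=2, model="demo-sensor"))
```

The order of the checks is the point: the authentication tag covers the version and the hash, so an attacker who can only replace the image or edit the manifest cannot pass the later checks, and a genuine but older signed image is still refused by the rollback check.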

NIST
• Framework for Cyber-Physical Systems: published June 2017
  • Application areas include energy infrastructures, advanced manufacturing, building control, transportation, health care.
• Towards a Foundation for a Collaborative Replicable Smart Cities IoT Architecture: published April 2017
  • For civic solutions, a certain level of standardization in platform and data architecture must be maintained.

NIST (cont'd)
• Report on Lightweight Cryptography (NISTIR 8114): published March 2017
  • Describes plans for approved cryptography for embedded systems, RFID and sensor networks
• NIST Special Publication 800-183 – Networks of ‘Things’: published July 2016
  • Theory and characterization of IoT and NoT (Network of ‘Things’)
  • IoT is a realization of NoT
  • IoT involves sensing, computing, communication, actuation

Isaac Asimov's three laws of robotics
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

Security Architect's Three Laws of the IoT
1. A Thing fails safe, protects its customers' security and privacy, and must never injure a person, or, through inaction, allow a person to come to harm.
2. A Thing must obey the orders given to it by its owner, except where such orders would conflict with the First Law.
3. A Thing may protect its own existence or follow the orders of Authorized Third Parties, except where such actions conflict with the First or Second Law.
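Read as a design rule, the three laws are a precedence order for command authorization: safety and customer privacy are checked first and override everyone, the owner's orders come next, authorized third parties are obeyed only where the owner has not said otherwise, and anything else is denied by default, with an unexpected failure landing the Thing in a safe state. The following is an added example in Python written for this page, not code from the deck or any product; it applies the laws in exactly that order. The command names, the hazard and data-exposure flags on each command, and the owner's standing deny-list for third parties are all constructed for the example (a real device would derive the hazard flags from its safety analysis).

```python
"""Added example: command authorization that encodes the precedence of the three laws.
All command names, flags and the owner's deny-list are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Principal(Enum):
    OWNER = "owner"
    AUTHORIZED_THIRD_PARTY = "authorized_third_party"
    UNKNOWN = "unknown"          # unauthenticated or unrecognized issuer


@dataclass(frozen=True)
class Command:
    name: str
    issuer: Principal
    # Constructed hazard flag: would executing this command risk injuring a person?
    may_harm_person: bool = False
    # Constructed privacy flag: would it expose customer data the customer did not consent to?
    leaks_customer_data: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    law: int        # which law decided: 1, 2 or 3; 0 = default deny
    reason: str


# Owner's standing instruction (constructed): commands third parties may never issue.
OWNER_DENY_LIST = frozenset({"unlock_door"})


def authorize(cmd: Command, owner_denied=OWNER_DENY_LIST) -> Decision:
    # First Law: safety and customer privacy override everything, the owner included.
    if cmd.may_harm_person:
        return Decision(False, 1, "refused: could injure a person")
    if cmd.leaks_customer_data:
        return Decision(False, 1, "refused: would expose customer data")
    # Second Law: the owner's orders are obeyed once the First Law is satisfied.
    if cmd.issuer is Principal.OWNER:
        return Decision(True, 2, "owner order")
    # Third Law: authorized third parties are obeyed only where that does not
    # conflict with the owner's standing orders (Second Law).
    if cmd.issuer is Principal.AUTHORIZED_THIRD_PARTY:
        if cmd.name in owner_denied:
            return Decision(False, 3, "refused: owner forbade this command to third parties")
        return Decision(True, 3, "authorized third-party order")
    # Default deny: an issuer the policy does not recognize gets nothing.
    return Decision(False, 0, "refused: unauthenticated issuer")


def execute(cmd: Command, action: Callable[[], str], safe_state: Callable[[], str]) -> str:
    """Fail-safe execution (First Law): a refused command does nothing, and an
    action that blows up leaves the Thing in its safe state, not an undefined one."""
    decision = authorize(cmd)
    if not decision.allowed:
        return decision.reason
    try:
        return action()
    except Exception:
        return safe_state()


if __name__ == "__main__":
    for cmd in (Command("unlock_door", Principal.OWNER),
                Command("unlock_door", Principal.AUTHORIZED_THIRD_PARTY),
                Command("set_thermostat", Principal.AUTHORIZED_THIRD_PARTY),
                Command("set_thermostat", Principal.UNKNOWN),
                Command("run_motor_unguarded", Principal.OWNER, may_harm_person=True)):
        print(cmd.name, cmd.issuer.value, "->", authorize(cmd))
```

The decision records which law settled the question, which is what an audit log on the device would want: a refusal under the First Law is a different event from a third party being blocked by the owner's standing order.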

Cisco and IoT – not much today
• Jasper Control Center 7.0: real-time control and visibility to launch, manage and monetize IoT deployments.
• Cisco Kinetic announced: Connection Management, Fog Computing, and Data Delivery
• Cisco IoT Threat Defense announced; no real IoT security solutions yet.
• Cisco: breast cancer detection in a bra, IoT's powerful life-saving potential (“iTBra”)

Security Companies and IoT
• Quantum-resistant cryptography for the IoT.
• Brainspace – Accelerate Human Potential: “Discovery 5”, the fastest and most powerful weapon for conducting digital investigations; harnesses ML and AI to search unstructured data for legal e-discovery.
• ZigBee war-drone driving
• Vicarious: “bring human-like intelligence to the world of robots”. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) – built a system that had never seen a CAPTCHA before, just clean letters. The system was able (it taught itself) to correctly read a broad array of fonts in the challenges!
• Nvidia invests in Deep Instinct, a DL cybersecurity startup – this is the future of threat detection

Security Companies and IoT
• Microsoft launches IoT aaS (as a Service) for enterprises.
  • You think you need actual IoT hardware for IoT development? Also launched: Azure Raspberry Pi emulator.
• EdgeX Foundry just launched by OpenLinux
• www.postscapes.com – great comprehensive reference IoT website
• CSA IoT Working Group
  • https://cloudsecurityalliance.org/group/internet-of-things/
• 67 open source tools and resources for IoT
  • https://techbeacon.com/67-open-source-tools-resources-iot

Security Companies and IoT
• Facebook AI Research (FAIR): AI chatbots had developed their own language and were talking to each other in this new language…without human input.
• CSA – “Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products”
• IOTA – Trusted Internet of Things Alliance with Blockchain
• Android Things – on RPi
  • Android OS, Things Play Store, APKs.
• Health Care Industry Cybersecurity (HCIC) Task Force.

Thank You!
Mark Szewczul, CISSP, is an IoT Security Architect at Zimperium with over 20 years of experience from the semiconductor, telecom/datacom, and computing sectors. He currently is Director of Marketing at the Dallas/Fort Worth Cisco Users Group, has led the IEEE Electromagnetic Compatibility Society and co-founded the IEEE Consumer Electronics Society, both in Dallas. Along the journey, he has mastered design, testing, integration and deployment of numerous systems. His passion entails implementing best practices of security and privacy principles at all 7 layers and beyond. He has his MS in Information Science and Systems from Texas A&M University and 3 patents.