Next-gen advanced threat detection system
The role of IPv6 in securing IoT System
#1. Security – a big challenge for IoT
From user perspective: Which one would you choose?
Safer: + 1$
[Cyber] safer: + 20$
From user perspective: Which one would you choose?
Protocols & Standards: easy setup, wearable, wireless
Safer: + 1$
IoT - Wireless - Security ?
Hacker and DDoS … by IoT devices
20 -> 50 billion IoT devices by 2020
IoT Security is difficult
Technical and Cost challenges for Vendors
User’s willingness to pay
IoT and Security
How to secure the IoT world ???
#2. IoT Security Risks
IoT and Security
Device Firmware
Device Memory
Mobile Apps
Device Interfaces
Local Data Storage
Network Traffic
Vendor Backend API
3rd party Backend API
Update mechanism
Cloud web interface
And many things.....
OTA
Read/write device by wireless
• Many standards
• Many connections
• No IP (BLE, Zigbee, Z-Wave, RF)
• No Security Standard
IoT Problems
IoT and Security
Gartner
#3. How IPv6 helps security for IoT
• Remote Gateway: BLE, Zigbee, Z-Wave
Simple with IPv6
• Remote Gateway: BLE, Zigbee, Z-Wave
• Other brand, protocol can interface: Think talk think
Simple with IPv6
IPv6
• Reconnaissance Attacks
• Denial of Service Attacks
• Man-in-the-middle Attacks
• ARP poisoning Attacks
• DDoS
• Malware Attacks
IPv4 Problems
• Mandatory use of IPsec
• AH (Authentication Header)
• ESP (Encapsulating Security Payload)
IPv6 Enhancement for Security
• Large Addressing Space
• Allocating 64 bits for addressing (as expected in an IPv6 subnet) means performing a net scan of 2^64 (18446744073709551616) hosts. It is practically impossible.
IPv6 Enhancement for Security
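The 2^64 scan argument above holds only when interface identifiers really use all 64 bits. The following is an added example, not part of the original slides: a defender-side audit that flags inventory addresses whose interface identifier is MAC-derived or manually numbered. The function names, the constructed inventory, the probe rate and the known-OUI assumption are all illustrative.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier

def classify_iid(addr: str) -> str:
    """Classify how the interface identifier (IID) of an address was formed."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if iid < (1 << 16):
        return "low-byte"   # manually numbered, e.g. ::1 or ::10
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"      # MAC-derived (ff:fe marker); heuristic, a random
                            # IID matches by chance with probability 2^-16
    return "opaque"         # no recognisable pattern (random or stable-opaque)

# Bits left to search per IID class (assumption for eui64: the vendor OUI
# is known, leaving only the 24 device-specific MAC bits).
SEARCH_BITS = {"low-byte": 16, "eui64": 24, "opaque": 64}

def scan_years(bits: int, probes_per_second: float) -> float:
    """Time to probe 2**bits addresses at a constant rate, in years."""
    return (2 ** bits) / probes_per_second / (365 * 24 * 3600)

def audit(inventory: dict[str, str], probes_per_second: float = 1e6) -> dict:
    """Return {device: (iid_class, search_bits, scan_years)} for an inventory."""
    report = {}
    for device, addr in inventory.items():
        kind = classify_iid(addr)
        bits = SEARCH_BITS[kind]
        report[device] = (kind, bits, scan_years(bits, probes_per_second))
    return report

# Constructed inventory using the 2001:db8::/32 documentation prefix.
INVENTORY = {
    "thermostat": "2001:db8:0:1:211:22ff:fe33:4455",   # SLAAC with EUI-64
    "gateway":    "2001:db8:0:1::10",                  # manually numbered
    "camera":     "2001:db8:0:1:5c3a:91d2:7be4:f68",   # randomized IID
}

if __name__ == "__main__":
    for device, (kind, bits, years) in audit(INVENTORY).items():
        flag = "OK" if bits == 64 else "REVIEW"
        print(f"{device:<11} {kind:<9} 2^{bits:<3} {years:12.3g} years  {flag}")
```

Devices flagged REVIEW are candidates for randomized or stable-opaque interface identifiers so that the full 64-bit space applies to them.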
• Neighbor Discovery
• Both ND and address auto-configuration contribute to make IPv6 more secure than its predecessor.
IPv6 Enhancement for Security
• Reconnaissance Attacks => Better
• Denial of Service Attacks => Better
• Man-in-the-middle Attacks => Better
• ARP poisoning Attacks => Better
• Malware Attacks => Better
IPv6 Enhancement for IoT Security
| Edge Technology Aspect | Vulnerability Areas | Remediation Options |
| --- | --- | --- |
| Network: Wired and Wireless | Large attack surface; Flat networks and unauthenticated network access; Missing security | Connectivity inventory; Secure protocols; Network zoning; Device authentication |
| Network: Internet and Other Public Connectivity | Missing security; Legacy protocol support; Unsecure inbound connections | Secure protocols; Inbound access control |
| Devices: Hardware/Software | Physical and logical tampering; Software reverse engineering | Secure software development; Software hardening; Hardware tamper-proofing |
| Devices: Capability Constraints | Limited cryptographic options; Limited active security options | Passive security; Low-power security techniques; Use of more-powerful edge devices, such as gateways |
| Devices: "Non-IT" Technology | Lack of applicable IT security capabilities, technologies and practices | Combined cybersecurity and engineering practices; Adapted security patterns and technologies |
| Devices: COTS Components | Vulnerable common components | Secure software development; Secure updates |
| Devices: Software Updates | Lack of secure software update functions; Lack of updatability | Verified update connectivity; Verified update packages |
| Devices: Actuator Hardware | Safety implications; Lack of manual user controls | Use of hardware-based safety controls; Use of manual (backup) controls |
IPv6 Enhancement for IoT Security
| Platform Technology Aspect | Vulnerability Areas | Remediation Options |
| --- | --- | --- |
| Network: Edge and Enterprise Communications | Lack of built-in protocol security; Legacy protocol support | Secure protocols and secure protocol configuration; Use of TLS or DTLS as a default option; Use of standardized protocols, such as HTTP and MQTT |
| Network: Internet and Other Public Networks | DoS attacks; API abuse | Network-based API security measures; Client authentication |
| Software: Privileged User Access and Data Security | Loss of security through risk aggregation | Scope limits for privileged users; Privileged user monitoring; Strong authentication; Secure platform component configuration |
| Software: Security Capabilities | Lack of security capabilities, such as security monitoring and security management | Using available platform capabilities; Extending platform software capabilities to powerful edge devices |
#4. Conclusion
• Security is a big challenge for IoT
• IPv4 has some problems in security
• IPv6 with enhanced features can help IoT
Q&A!