The Convergence of IT, Operational Technology and the Internet of Things: How to find a Balance of Risk and Value Jackson Shaw – [email protected] Sr. Director, IAM Product Management

The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Page 1: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

The Convergence of IT, Operational Technology and the Internet of Things:

How to find a Balance of Risk and Value

Jackson Shaw – [email protected], Sr. Director, IAM Product Management

Page 2: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

This has been exciting research

• I’m an identity guy – not a hardware guy (thank you, Dr. McCoy)

• IoT is the buzzword of the year – everything is IoT and IoT is everywhere

• Very, very difficult to find good (any?) examples of enterprise IoT other than HVAC

• Finding a definition of IoT is like finding a definition of IAM/IAG/IdM ten years ago

• So, what has the good doctor found out?

Page 3: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

The Internet of Things

“A network of everyday objects that have sensors, controls, and network connectivity, allowing them to send and receive data. These devices could include consumer devices (personal biomedical, smartphones); durable goods (televisions, refrigerators, personal cars); commercial buildings (HVAC and lighting) and vehicles; government buildings, vehicles, and infrastructure (streets, bridges); and utility networks (electrical, water, internet).”

Any “thing” that does not require a person to regularly interoperate with it that is generating data and uses your network.

It’s basically an autonomous, internet-connected device.

Page 4: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

The IoT is very anti-social

• IoT devices don’t easily talk to each other

• Download a mobile app

• Create an account on the manufacturer’s server

• Connect your IoT device to your account

• How you connect your device could be Bluetooth, Wi-Fi, Zigbee, SCADA, Z-Wave or even non-IP based

• Every device manufacturer is solving these problems differently ≠ interoperability

“Using OAuth for Access Control on the Internet of Things”, Phillip Windley, PhD; Brigham Young University. To be published in IEEE Consumer Electronics Magazine

Page 5: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

I saw the “future” at CES…

Autonomous conference robots

Safety & Security Environmental

Page 6: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Lots of IoT & IoT data sources…

Demystifying the Internet of Things: Implementing IoT Solutions. An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for Dell Software, April 2015

http://en.community.dell.com/techcenter/information-management/b/weblog/archive/2015/04/10/demystifying-the-internet-of-things

Page 7: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Lots of potential

• Real-time data = Real-time decisions

• Temperature, humidity, light, air quality, electrical

• Proximity, geo-location & motion

• Health

• Data analytics, especially cloud-based analytics, will be at the forefront of dealing with the huge amounts of IoT data

Page 8: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

How pervasive is IoT?

http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world

Page 9: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

They’re here and it’s the Wild West

Page 10: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Do you know this man?

Page 11: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Fridge caught sending 750,000 spam emails in botnet attack!

http://www.cnet.com/news/fridge-caught-sending-spam-emails-in-botnet-attack/

Page 12: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Does this worry you? It worries me!

I don’t think firewalls are smart enough for today’s and tomorrow’s IoT threat environments.

In/Outbound IP Traffic Analysis

Page 13: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Two recent IoT “incidents”…

Google Nest

• Wireless passwords stored on device are unencrypted

• The Mini USB port gave the necessary root access to the NEST operating system

• “Once the entry point with the NEST device was in place, we were then able to compromise just about everything within that network.”

Wink Hub

• Complete outage when a 1-yr SSL certificate expired

• Technical workaround but most customers will return their h/w for replacement

• Incalculable financial and reputation cost despite good security practice

http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-InternetOfThings.pdf

Page 14: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

What can you do? JUST SAY NO!!

• Really? Are you going to say “No!” to an employee’s diabetes monitor?

http://www.popsci.com/temporary-tattoos-could-monitor-diabetes-less-invasively

Page 15: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

What can you do? Call Ghostbusters!

• Detect and eradicate?

Page 16: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

“Standards like OAuth 2.0 & OpenID Connect 1.0 will enable identity interoperability for the IoT.”

https://www.linkedin.com/pulse/your-identity-concerns-internet-things-ces-2015-paul-madsen

…extras like a TCP/IP layer got removed from industrial protocols like BACnet and GOOSE.

And features like robust authentication were left out of nearly all the industrial protocols.

After all, who would ever want to hack a control system?

Offspark’s PolarSSL technology has been deployed in a variety of devices including sensor modules, communication modules and smartphones. The acquisition will help companies build IoT products with heightened security. PolarSSL IP will form the core of ARM’s embed communication security and software cryptography strategy...

BACnet currently requires a 56-bit Data Encryption Standard (DES) key encryption for session keys. It has been demonstrated that these keys can be broken in times on the order of 1 day.

Page 17: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

At least there are standards now – and coming – to help…

Page 18: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

A practical use: Controlling privileged accounts

Location as a factor in authentication

• Too far away, no PAM access

• Challenges found…

• Not tamper-proof

• Movable

• Openable

• Lacks non-repudiation

• OTP?

• Certificates?

• Result? Ruled out as a sol’n.

http://wwwhome.ewi.utwente.nl/~rijswijkrm/pub/ble-otp.pdf

Page 19: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Parting thoughts…

• Security is not priority #1 for most IoT vendors (Is it for most software vendors?)

• “Over the next two years the IoT devices and services markets will be chaotic”

• “New IoT-ready platforms will enable vendors to integrate the first wave of IoT devices and sensors and enable them to communicate with vendors’ customers’ infrastructures.” This is *YOU*

• Recommendations:

• Question: How is security handled in the IoT device? Who has reviewed it? Has it been pen-tested?

• Detect: You cannot remediate unless you detect – before and after

• Contain: Segment your corporate IT devices from everything IoT related

• Anticipate: Everything IoT is in flux – you must stay on top of it

Page 20: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Please visit our booth for yours!

http://www.ibtimes.co.uk/stockholm-microchipped-office-workers-feel-very-modern-using-hand-implanted-chips-open-doors-1489739

http://www.popsci.com/swedish-company-puts-rfid-chips-employees

Page 21: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Questions? Copy of the slides? Have feedback? Please e-mail: [email protected]

Thank you for your time today!

Page 22: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Appendix: IoT Datapoints & Other Information

Page 23: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Internet of things units installed base by category

Category             2013      2014      2015      2020
Automotive           96.0      189.6     372.3     3,511.1
Consumer             1,842.1   2,244.5   2,874.9   13,172.5
Generic Business     395.2     479.4     623.9     5,158.6
Vertical Business    698.7     836.5     1,009.4   3,164.4
Grand Total          3,032.0   3,750.0   4,880.6   25,006.6

The IoT will bring into the digital security architecture dozens of new platform options, hundreds of variations on hybrid IT/IoT integration, new standards per industry, and a new view of an application. IT leaders will have to accommodate the differences in technologies across those areas and develop a multifaceted technology approach to IoT risk and security.

http://www.gartner.com/newsroom/id/2905717

Internet of Things Units Installed Base by Category – In millions of units. Source: Gartner (November 2014)

Page 24: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Dell/EMA IoT survey results

http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world

Page 25: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Dell/EMA IoT survey results

http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world

Page 26: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Dell/EMA IoT survey results

http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world

Page 27: The Convergence of IT, Operational Technology and the Internet of Things (IoT)

Robust and flexible data management capabilities & effective security are needed…

Demystifying the Internet of Things: Implementing IoT Solutions. An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for Dell Software, April 2015

http://en.community.dell.com/techcenter/information-management/b/weblog/archive/2015/04/10/demystifying-the-internet-of-things