2016 ELPP – IoT Security Word V2 · 2016-12-19
2016 ELPP – IoT Security
This work was created in an open classroom environment as part of a program within the Sutardja Center for Entrepreneurship & Technology and led by Prof. Ikhlaq Sidhu at UC Berkeley. There should be no proprietary information contained in this paper. No information contained in this paper is intended to affect or influence public relations with any firm affiliated with any of the authors. The views represented are those of the authors alone and do not reflect those of the University of California Berkeley.
• Vijay Kumar Eranti
• Serge Maskalik
• Jeffrey Pierce
• Dina McKinney
• Hima Devisetti
• Venkata Nandanavanam
• Geoffrey Perez
Introduction
IoT has the potential to be one of the great new frontiers for innovation and technological growth. As the infrastructure and technology grow to support the possibilities of a connected world, we will soon see examples of IoT integrated throughout our daily lives. Where once electricity was new and still being understood, and is now taken for granted as ubiquitous and commonplace, IoT will become accepted as an integral part of how we work and live. The IoT space is still in its infancy and the projected growth and impact of this technology for businesses, consumers, and society is set to shake up the foundation of traditional institutions and industries. Estimates for the impact of IoT on the global economy range from four to eleven trillion dollars in the next decade.
Our bottom-up analysis for the applications we size estimates that the IoT has a total potential economic impact of $3.9 trillion to $11.1 trillion a year by 2025. At the top end, that level of value—including the consumer surplus—would be equivalent to about 11 percent of the world economy. (James Manyika, 2015)
One of the fastest growing segments of the IoT space is security. With the enormous increase in available data and the possibility of misuse, security and privacy concerns are increasingly coming to the forefront of the IoT discussion. Providing solutions to address security problems will be a significant area of investment for businesses looking to reap the rewards of a connected world.
“The global IoT security products market was valued at US$ 7.8 Bn in 2014 and is expected to increase at a CAGR of 16.5% during the forecast period (2015-2020). Enhancement in end-user experience and data security are the basic factors propelling growth of this market currently. … Meanwhile, the software segment in the global IoT security products market was valued at US$ 3.9 Bn in 2014 and is anticipated to register a CAGR of 17.2% during the forecast period.” (futuremarketinsights.com, 2015)
“The Internet of Things (IoT) security market is driven due to rising security concerns in the critical infrastructures and strict government regulations and is expected to grow from USD 7.90 Billion in 2016 to USD 36.95 Billion by 2021 at a Compound Annual Growth Rate (CAGR) of 36.1%. The year 2015 has been considered as the base year for the study, while the market size forecast is from 2016 to 2021.” (marketsandmarkets.com, 2016)
Many of the same security issues exist with current Internet technologies. Businesses are keenly aware that security is an important component to the growth of this burgeoning space. There are opportunities to capitalize on the mounting concerns about security in the IoT space. The Internet of Things is poised to add trillions of dollars to the annual GDP in the next few years. However, realizing that potential impact requires addressing security, which is one of the primary barriers to adoption.
Figure 1: Estimated size of the IoT Security market (Source: Business Insider Intelligence Estimates 2015)
Figure 2: Business perception of IoT barriers
Looking at security as just a challenge to be overcome, however, is only part of the story: IoT security is a large potential business in its own right. If companies stand to gain trillions from IoT offerings, they are likely willing to pay billions to address security concerns. Last year Business Insider estimated that the IoT cybersecurity market could grow to $120 billion per year by 2020.

IoT Security Threat Types
IoT faces a variety of security threats with widely different capabilities. At one end of the spectrum, security threats include nation-states (who might attack a country’s electrical grid to cripple it in a war or electronic voting machines to influence an election…) who possess considerable resources, both personnel and material. On the other hand are “script kiddies” or other unskilled individuals who can re-use existing attacks but are unable to create their own exploits. Despite the variety of actors, most attacks have one of three basic goals: to take control of affected devices (for example, to unlock doors), to steal information (such as corporate secrets), or to disrupt services (such as your autonomous vehicle).
Figure 3: IoT Threat Actors - Security Guidance for Early Adopters of the Internet of Things – April 2015

IoT Security Threat Vectors
To build a secure IoT offering, a company needs to start with the security of individual devices. And even a simple device has multiple levels that need to be secured.
Figure 4: Types of IoT attacks
Figure 5: IoT components, issues, and relevant companies

Silicon
At the lowest level, securing a device requires securing its hardware components: its “silicon”. A device cannot be secure if software on the device can manipulate the execution of arbitrary code on the device or access arbitrary data. But achieving that security is non-trivial, as can be observed by attacks such as the recent “Rowhammer” attack, which allows arbitrary software to manipulate the contents of memory to achieve root access. While securing hardware is difficult, most of the core chip manufacturers (such as Intel, ARM, and Samsung) are now competing to distinguish themselves through secure hardware offerings.

Firmware
One level up from a device’s hardware is its firmware, its lowest-level control software. Securing a device’s firmware is critical, because unlike a device’s operating system it is often impossible to update a device’s firmware. Low cost providers that baked passwords into firmware were at the root of the recent DDoS attack against Dyn.
Figure 6: PC World Oct 24
Figure 7: IBT Oct 25
Companies like Mocana and Escrypt are trying to provide secure firmware as a component to IoT device makers.

Operating System
While operating systems tend to be easier to update than firmware, they’re also a lot more complex. Many devices use Linux as a low-cost and powerful operating system, yet despite years of experience and its fundamental openness people are still identifying new security exploits for it. Dirty COW (Dirty copy-on-write) is a sample security vulnerability that affects all Linux-based operating systems, including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism. The bug has been lurking in the Linux kernel since 2007 and has been actively exploited at least since October 2016. A number of companies, such as Gemalto, Intel’s Wind River, and Lynx, provide secure operating systems to device makers. Others, such as Symantec, provide services that help monitor and secure operating systems provided by other entities.

Network
In addition to computation, communication is the other core component of an IoT device. And the networking stack is a common source of security flaws, such as weaknesses in SSH implementations. SSHowDowN exploits a vulnerability in OpenSSH that is 12 years old, and yet IoT devices still ship with the flaw unpatched. Companies like Centri, SecureRF, and Rubicon offer secure network stack implementations, while other companies such as DigiCert offer digital certificate solutions that address endpoint authentication.

Application
Even if a device’s own hardware and software are secure, the particular application or applications that run on that device may introduce their own security flaws. Common flaws arise from applications storing data insecurely on a device or failing to properly secure and authenticate network connections. Securing applications is difficult because each application is different, but companies like Praetorian and Inside Secure provide consulting, design, and analysis services to help makers build secure applications.
Figure 8: Ars Technica Oct 20
Figure 9: Wired Oct 13
Figure 10: ZDNet Oct 25

Cloud + Multiple, Heterogeneous Devices
Of course, in the Internet of Things, securing a single device is insufficient. Devices communicate with each other and with the cloud, meaning that IoT providers also need to worry about the security of network protocols and devices, their cloud infrastructure, and their cloud APIs. In addition to established companies like IBM and Microsoft, start-ups like Icon Labs and Tempered Networks provide offerings that help companies secure their cloud components and manage their device collections.
Further research: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Security Approaches
Securing devices and their communication with other devices and services focuses on preventing security issues, but it’s only one part of how companies need to approach securing the Internet of Things. Prevention largely focuses on companies creating IoT devices and services. However, prevention can be challenging: the devices involved are often resource constrained so that they can’t handle complex security solutions, they often need to last an order of magnitude longer than traditional computing devices (for example, 20 years instead of 2 years), and updating them with new software is difficult, if not impossible.
Figure 11: Approaches to IoT security include Prevention, Detection, and Responding
To address these limitations, companies also focus on detecting attacks or compromised devices and responding appropriately. Numerous IT and IoT companies, both bigger players like GE, Wurldtech, and Cisco and smaller start-ups like Indegy and CyberFlow Analytics, offer solutions to IoT operators (those that purchase, assemble, and operate an IoT installation) that allow them to monitor the operation of their IoT installations and detect potential issues. Other companies, like Resilient Systems, CyberX, and NextNine, offer solutions that help operators respond to detected issues and handle compromised devices.

Defense in Depth
There are a number of analogies to be drawn from what has happened in the data center / IT space in the context of addressing the attack vectors that are prominent in the IOT space now – technologies at various levels already exist to address the majority of the issues. Vendors can significantly improve the security posture of the solutions by hardening their applications and operating systems, removing and shutting down the unnecessary services, applying security scanning and penetration testing in their quality assurance cycles, and leveraging 3rd party security assessment vendors to close gaps prior to shipment of new devices. Industrial and consumer customers of IOT can benefit from detection capabilities available in the IT space today if applied against the IOT area. Examples would be discovery-based inventory solutions with scanning to determine security patching levels and vulnerability state of the devices. Inline network-based anomaly-detection and intrusion prevention techniques can be applied to wired/wireless networks aggregating IOT, and centralized alerting/monitoring and configuration audit trail mechanisms can be applied to increase visibility of the IOT implementations, to further increase awareness of potential issues and decrease the remediation times for security events. From a response and remediation perspective, having central management delivered as SaaS for industrial IOT solutions is a possibility, but not likely in the heterogeneous consumer environments. In the enterprise space, mass-patching solutions exist to provide comprehensive distribution and installation of security fixes – this can be applied to IOT at scale to ensure the latest fixes are deployed to devices rapidly and in a timely manner. It would also be interesting to do a further study across vendors and devices to see if a positive security model can be applied where only the needed communication flows are allowed in the IOT wired/wireless networks and the rest of the unneeded communication paths are micro-segmented and turned off by default. In homogeneous stacks, this would be a possibility.

Defense-in-Depth: IOT Security Strategy
Prevent: Harden hardware and software to eliminate weaknesses (IOT Vendor-driven)
• Reduce attack surface
• Disable unneeded services
• Strip Operating Systems and Packages to bare minimum
• Apply Hardening techniques
Detect: Identify attacks, compromised applications/devices (IOT Operator Driven)
• Leverage active device discovery
• Apply vulnerability scanning techniques frequently
• Leverage Network Intrusion Detection inline
• Apply Anomaly Detection
• Good alerting / scoring
• Visibility & Forensics capabilities
• Improve audit trail and configuration history / drift
Respond: Deal with compromised applications/devices, mitigate impact (IOT Operator Driven)
• Patch/Remediate @ scale
• Micro-segment to allow only needed flows
• Manage @ scale & disable vulnerable services
• Have ability to selectively quarantine and isolate devices or endpoints
Regulate: Identify attacks, compromised applications/devices (IOT Industry Driven)
• Emulate existing regulations like PCI or HIPAA
• Have vendor compliance validation programs (like UL, FIPS, Common Criteria, NEBS)
• Require mandatory vendor participation if present in critical infrastructure positions

Further research: https://inform.tmforum.org/sponsored-feature/2014/09/defense-depth-breadth-securing-internet-things/
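
The positive security model discussed above (only needed flows allowed, everything else off by default, with the ability to quarantine offending devices) can be checked against observed traffic. The following Python is an added example, not part of the original paper; the device classes, addresses, ports and the quarantine threshold are constructed assumptions.

```python
"""Default-deny ("positive security model") flow check for an IoT segment.

Added illustration: device classes, addresses, ports and the quarantine
threshold are constructed assumptions, not values from the paper.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    device_class: str  # device type the rule applies to
    dst_net: str       # permitted destination network (CIDR)
    proto: str         # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


# Constructed inventory, as an active-discovery tool might produce it.
INVENTORY = {
    "10.20.0.11": "thermostat",
    "10.20.0.12": "thermostat",
    "10.20.0.30": "camera",
}

# The only flows each device class needs; anything absent is denied.
ALLOWLIST = [
    Rule("thermostat", "10.20.1.5/32", "tcp", 8883),  # MQTT over TLS to broker
    Rule("camera", "10.20.1.0/28", "tcp", 443),       # upload to gateway range
    Rule("camera", "10.20.1.2/32", "udp", 123),       # NTP
]

# Constructed flow records, e.g. exported from a switch or inline sensor.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.20.1.5", "tcp", 8883),    # allowed
    Flow("10.20.0.12", "10.20.1.5", "tcp", 8883),    # allowed
    Flow("10.20.0.30", "10.20.1.3", "tcp", 443),     # allowed (inside /28)
    Flow("10.20.0.30", "10.20.1.2", "udp", 123),     # allowed
    Flow("10.20.0.30", "198.51.100.7", "tcp", 23),   # camera reaching outside
    Flow("10.20.0.30", "10.20.0.11", "tcp", 23),     # device-to-device traffic
    Flow("10.20.0.12", "10.20.1.5", "tcp", 1883),    # cleartext MQTT port
    Flow("10.20.0.99", "10.20.1.5", "tcp", 8883),    # source not in inventory
]


def is_allowed(flow, inventory=INVENTORY, rules=ALLOWLIST):
    """Return True only if an explicit rule permits the flow."""
    device_class = inventory.get(flow.src)
    if device_class is None:
        return False  # undiscovered devices get no implicit access
    dst = ip_address(flow.dst)
    return any(
        rule.device_class == device_class
        and rule.proto == flow.proto
        and rule.dst_port == flow.dst_port
        and dst in ip_network(rule.dst_net)
        for rule in rules
    )


def evaluate(flows, inventory=INVENTORY, rules=ALLOWLIST, quarantine_threshold=2):
    """Split out denied flows, unknown sources and quarantine candidates."""
    violations = [f for f in flows if not is_allowed(f, inventory, rules)]
    counts = Counter(f.src for f in violations)
    return {
        "violations": violations,
        "unknown_devices": sorted(
            {f.src for f in violations if f.src not in inventory}
        ),
        "quarantine": sorted(
            src for src, n in counts.items()
            if src in inventory and n >= quarantine_threshold
        ),
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_FLOWS)
    for f in report["violations"]:
        print(f"DENY {f.src} -> {f.dst} {f.proto}/{f.dst_port}")
    print("unknown devices:", report["unknown_devices"])
    print("quarantine candidates:", report["quarantine"])
```

In a homogeneous stack the allowlist stays short enough to audit by hand, which is the case the paragraph above singles out as feasible.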

Business Landscape
The Internet of Things is comprised of a wildly diverse range of device types - from small to large, from simple to complex – from consumer gadgets to sophisticated systems found in DoD, utility and industrial/manufacturing systems. Now part of the expanding web connected network – Internet of Things, embedded devices are very different from standard PCs or other consumer devices. These industrial operational assets are commonly fixed function devices designed specifically to perform a specialized task. Many of them use a specialized operating system such as VxWorks, MQX or INTEGRITY, or a stripped down version of Linux. Installing new software on the system in the field either requires a specialized upgrade process or is simply not supported. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms. As a result, standard PC security solutions won’t solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.
There are many companies that are working on providing security in the IoT landscape. Some of the companies include:
• Azeti Networks AG
• Intel
• Sypris
• ZingBox
• Shodan
• Certified Security Solutions: Enterprise digital identity
Certified Security Solutions (CSS) (https://www.css-security.com/) is a cyber security company that builds and supports platforms to enable secure commerce for global businesses connected to the Internet. CMS enterprise certificate lifecycle management and VerdeTTo™ IoT identity security platforms simplify the design, deployment, monitoring and management of trusted digital identities, making authentication scalable, flexible and affordable.
• Symantec:
Symantec (https://www.symantec.com/) expands security portfolio with new Embedded Critical System Protection, designed to defend IoT devices against zero-day attacks, and signs ATM manufacturer Wincor Nixdorf as one of the early adopters. To further fuel innovation in IoT security, Symantec recently announced a partnership with Frost Data Capital to incubate early-stage startups with funding, resources and expertise. Frost Data Capital underpins the incubator with seasoned entrepreneurs, proven innovation methodology and process, and deep expertise in big data analytics, IoT, industrials and healthcare. These startup companies will have the opportunity to collaborate with Symantec to solve the most complex challenges shaping tomorrow's threat landscape.
• SecuriThings:
SecuriThings (http://securithings.com/) is a User and Entity Behavioral Analytics (UEBA) solution for IoT. It monitors users and the IoT devices themselves. It uses machine learning security algorithms adapted for IoT to identify and mitigate threats. And it’s simple to add to any IoT application, because it’s pre-integrated with leading IoT platforms.
• Device Authority: Security Automation for Internet of Things
Device Authority (http://www.deviceauthority.com/) provides simple, innovative solutions to address the challenges of securing the Internet of Things (IoT). IoT brings new security challenges introduced by the scale and pace of adoption, as well as the physical consequences of compromised security. These challenges cannot be effectively addressed by traditional Information Technology (IT) security solutions. The Device Authority IoT security platform is purpose-built to address these challenges through automated device provisioning, credential management, secure updates and policy-driven data encryption. The IoT promises countless efficiencies, increased competitiveness, improved customer service and even brand new market opportunities. However, deploying strong security is hard and always has been. Deploying strong IoT security is even harder. According to Gartner, by 2020, around 25% of all identified security breaches will involve IoT. To address this, Device Authority introduces a new paradigm of IoT Security Automation that accelerates and simplifies the deployment of strong IoT security. Advanced, policy driven security automation is critical for industrial, healthcare, transportation and other large scale security sensitive IoT environments. Their patented dynamic key technology provides the essential device-based trust anchor for IoT devices, enabling policy-driven provisioning, access control and data protection for mission-critical IoT applications and services.
• Bastille: Security for the Internet of Radios
Bastille (https://www.bastille.net/) is the first company to enable enterprise security teams to assess and mitigate the risk associated with the growing Internet of Radios. Bastille’s software and security sensors bring visibility to devices emitting radio signals (Wi-Fi, cellular, wireless dongles and other IoT communications) in the installed organization’s airspace. Bastille’s technology scans the entire radio spectrum, identifying devices on frequencies from 60 MHz to 6 GHz. This data is then gathered and stored, and mapped so that companies can understand what devices are transmitting data, and from where in their corporate airspace. This provides improved situational awareness of potential cyber threats and post-event forensic analysis.

Following are some of the companies that are working on providing security in the IoT landscape at each of the following layers (shown in the picture below):
Startups

Challenge: Heterogeneity
The types of security threats and the approaches to providing security are similar across IT and IoT, but securing IoT is significantly more complex. One reason is that IoT has to deal with significantly more heterogeneity. Not only do makers and operators need to address multiple levels of threats, they have to do it across a much wider variety of devices. And because security is only as strong as its weakest link, mixing multiple components and devices that may not have been explicitly designed to work with each other makes providing secure offerings much harder.
Figure 13: IoT heterogeneity is the combination of both device and component heterogeneity

Trends in IoT Security: Acquisitions
From an examination of current offerings in the IoT security space and the ongoing challenges faced by IoT makers and operators, several trends are apparent. First, particularly in the industrial IoT, operators are looking for single-provider solutions that reduce the heterogeneity of installations and thus hopefully increase their security. In response, many of the large players (particularly established IT security players) are acquiring smaller companies in order to increase their ability to provide “one stop shopping” IoT security solutions. Cisco’s acquisition of Jasper, Intel’s purchase of Yogitech, and Qualcomm’s purchase of NXP are all in part intended to allow those companies to improve their IoT security offerings.
This consolidation is likely to increase, as other companies will feel the pressure to provide comparable offerings and will thus need to make acquisitions of their own. Larger players are also well positioned to make these acquisitions because of their larger cash balances, which allow them to consider both large and small companies as potential purchases.
Undisclosed acquisition price · $47 billion acquisition · $1.4 billion acquisition
Figure 15: Cash balance of top consolidators (Source - Momentum Partners 2016)

Challenge: Cost
In addition, cost is much more of a consideration for IoT. Spending tens of dollars to secure a device that costs thousands of dollars may be acceptable, but spending that same amount of money to secure a light bulb, a light switch, or a door lock is clearly not. As a result, consumer IoT security tends to be either ignored or provided as cheaply as possible. Complicating the matter is that consumers typically consider just the short-term cost of IoT devices: their purchase cost. But the real cost of those devices may be their long-term cost when they fail: a $50 smart lock that can be easily hacked, allowing thieves to steal your valuables, will end up a lot more expensive than $50. And while manufacturers may focus on the short-term costs of manufacturing a device, IoT devices are more likely to fall under product liability laws than IT devices, leaving their creators subject to substantial lawsuits in the long term. And both of those cases ignore the costs to 3rd parties, as in recent cases where hacked IoT devices have participated in DDoS attacks.
Figure 14: Relative impact of IoT costs and who bears that cost

Trends in IoT Security: Regulations
Regulation is one way to shift long-term cost considerations to the short-term, and there is already evidence of government movement in that direction. The Obama administration, as part of its Cybersecurity National Action Plan, has actively been working with industry to explore new certification standards. As an analogy, consider how some government regulations require Underwriters Laboratory certification for some electrical products in certain cases. There is a strong likelihood that the government will soon issue regulations that make similar requirements for IoT devices. The Underwriters Laboratory has been actively working with the government to create a Cybersecurity Assurance certification program for IoT providers. If regulations do get instituted, they would have a significant impact on demand for different types of offerings. Companies that already provide secure components would likely see increased demand, while more companies will likely enter the space to provide consulting services to help IoT device makers design and implement secure devices. Praetorian is one company that already provides such consulting services and is well positioned to take advantage of increased demand. Existing certification companies such as UL, GE Wurldtech, and ICSA Labs are also ideally positioned to benefit from new security regulations.
Figure 16: Sample IoT companies likely impacted by potential regulation

White Space in IoT Security
Finally, we note that in the consumer space there is significant white space for security offerings that emphasize detecting and responding to security issues. This white space is driven both by the cost consciousness of the consumer space and the relative immaturity of consumer IoT offerings (at least as compared to industrial offerings). However, consumer IoT companies will eventually need to address these approaches, and companies that start to tackle this space early will likely have an advantage.
Figure 17: Detection and Response are white space for the Consumer IoT

Summary
The Internet of Things has the potential to have a multi-trillion dollar annual impact in the near future, but only if companies can effectively address security. And while security is a large and complex issue, there are observable trends that indicate how the industry will evolve in the near-term.

Related reading:
1. The IOT: Mapping the value beyond the hype: McKinsey Global Institute Analysis
2. Vulnerable IoT devices are changing the cybersecurity landscape: Business Insider Intelligence
3. Security Is a Top Barrier to Internet of Things Growth: Emarketer.com Feb 2016
IOT Security Threat Types
1. Security Guidance for Early Adopters of the Internet of Things: Cloud Security Alliance
2. Future proofing the connected world: Cloud Security Alliance
3. Security Challenges in the IoT Era – “Internet” & “Things” Coming Together: Equinox blog
Security Approaches
1. Volume-1-Practical-Handbook-and-Reference-Guide-for-the-Working-Cyber-Security-Professional.pdf: Cyberflow analytics and Cisco
IOT Startups/Mergers
1. IoT security M&A, Part 1: Startups tackle early IoT security challenges in key markets
2. 451 Research: IoT security M&A, Part 2
3. Cybersecurity_Market_Review_Q2_2016

IoT Security
• Acquisition by larger players
• Regulation may increase and shape demand
• White space around detection and response
IoT’s potential impact is in the $ trillions, but realizing that value requires addressing security.