#EEwebinar
Security Fundamentals for IoT Devices; Creating the Internet of Secure Things
Before We Start
• This webinar will be available afterwards at www.designworldonline.com & email
• Q&A at the end of the presentation
• Hashtag for this webinar: #EEwebinar
Meet your Presenter
Aimee Kalnoskas, Moderator, Design World EE Network
Alan Grau, President & Co-founder, Icon Labs
IoT security
• Why do we care about the IoT
• What do we mean by IoT/IIoT
• Why worry about security
• Security standards for Industrial Automation
• Nuts and bolts of security for IIoT devices
  o Security challenges for the IoT
  o Framework/requirements for security
  o Implementing security for IIoT devices
• Summary/Questions
The IoT is driving businesses
• $15 Trillion economic value created by IoT over next 20 years (GE)
• 250 million connected vehicles by 2020 (Gartner)
• 75% growth in wireless devices between now and 2020, reaching 40 billion devices (ABI Research)
• $3 Billion IoT investment (IBM)
• Managed Services to jump from $14.75 billion in 2013 to $265.05 billion in 2018 (Solarwinds)
IoT
• IoT – Using Internet connectivity to capture data from a cornucopia of “things”; then analyze the data to create new efficiencies and business opportunities
Why focus on security?
• So your devices and systems are secure
  o Hopefully by now this is self-evident
• Competitive advantage
• Enable managed services – create revenue opportunities
• Required to meet regulatory compliance and to protect against lawsuits and bad PR
Growing threat of cyber-attacks
How are we doing?
• 70% of new IoT devices have significant security weaknesses – HP Labs
• Average new IoT device has 25 security vulnerabilities – HP Labs
• “We have been able to penetrate every system we’ve targeted” – Kevin Mitnick
Security Standards
• Industrial automation
  o ISA/IEC 62443: EDSA
  • www.isa.org/isa99/
• Federal Mandate/NIST Cybersecurity Framework
  o US Federal Executive Order (EO) 13636
  • www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
• Power Grid/Smart Grid
  o NERC/CIP
  • www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
Regulatory Compliance: Major Driver
• Regulatory compliance is frequently a driving force for implementing security
  o Quantifiable
  o Understandable
• Executives who struggle to understand nuanced security tradeoffs CAN understand compliance
Security Standards
• Many standards, but common themes
  o Identity management
  o Mutual authentication/authorization
  o Audit
  o Protection
  o Secure communication
  o Attack detection and mitigation
  o Security management and visibility
IoT Security Challenges
Scalability
• 8/16 bit MCU based
• 32 bit RTOS based
• 32 bit Linux/Android
Fragmented market
• HW vendors
• SW vendors
• Vertical markets
• End Users
Diverse communication
• Wi-Fi, Ethernet, TCP/IP
• ZigBee, Bluetooth, BLE
Broad attack surfaces
• Multiple communication interfaces
• Devices accessible to hackers
Classes of IoT Devices
Class 1 device
• Very small devices (light bulbs, sensors)
• 8/16 bit MCU
• ZigBee, MESH networking
• Limited CPU cycles, memory
• Bare metal, scheduler or kernel such as FreeRTOS or uC/OS-III
Class 2 device
• Small, low-cost but moderately powerful devices (medical devices, telematics)
• 32 bit MCU
• Cellular, BLE, Bluetooth, Ethernet, or WiFi
• RTOS only – not Linux
Class 3 device
• More expensive, more powerful devices such as larger medical devices
• 32 bit MPU
• Ethernet or WiFi
• RTOS or embedded Linux
Class 4 device
• Gateway or high-end endpoints
• 32/64 bit MPU
• Embedded Linux or Android
• Multiple protocols including Ethernet, WiFi and ZigBee, BLE or Bluetooth
Perimeter security
• One solution: More Perimeters
  o Expensive!
  o Doesn’t address fundamental issues
• Security perimeters are only a partial solution
  o IoT devices may not be inside of a security perimeter
  o Perimeters can be compromised
  o Insider threats account for more than 50% of cyber-incidents
Secure the devices
• Don’t rely only on the perimeter
• Build the required security into the device
  o Order of magnitude lower cost
  o Addresses basic security needs such as secure boot and security management
Challenge of IoT Device Security
• IoT devices are embedded devices
  o Embedded Linux, Android or RTOS-based
  o Limited resources for security software
  o Traditional IT security solutions won’t work
• Not just about data – protecting critical operations
• Need new solutions designed for embedded devices
  o Build it yourself
  o Find a commercial solution
OT devices, IT security
• All devices must be
  o Protected
  o Trusted
  o Authenticated
  o Secured
  o Managed
  o Visible
Security Requirements
• Harden the device
  o Hypervisor, secure boot, intrusion detection
  o Leverage hardware security features
• Data protection
  o Data at rest, data in motion
  o Key and password obfuscation
• Secure communication
  o Security protocols, mutual authentication, firewall
• Visibility and management
  o Management system integration (policy updates, events)
Security Framework
o Designed for embedded use
o Portable
o Small footprint
o Minimal performance overhead
Hardening the device
• Leverage hardware security features
  o TPM/TEE
  o Secure device ID
  o Crypto acceleration
• Hypervisor
• Secure boot
• Intrusion detection
Leverage HW Security Features
• Trusted Platform Module (TPM)
  o International standard for a secure cryptographic processor
  o Dedicated microprocessor designed to enable secure devices
  o Secure key storage
  o Key generation
  o Encryption/decryption
• Provides foundation for security
Hypervisor
• Enables partitioning to increase security
  o Security processing & management isolated from user processing
• Security breach in one partition cannot impact other partitions
Secure Boot
Before loading software, verify
• it came from the OEM
• it has not been tampered with
Hardware TPM/TEE can provide
• Protected key storage
• Protected signature storage
• Signature generation
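The two checks on this slide (origin and integrity, plus the anti-rollback check a bootloader normally adds) as a runnable example. This is added illustration, not code from the webinar or from Icon Labs. The image layout (magic, version, payload length, payload, tag) is a hypothetical format, and HMAC-SHA256 with a device-provisioned key stands in for the OEM signature so the example runs with only the standard library; a production bootloader verifies an RSA or ECDSA signature against a public key held in ROM or in the TPM/TEE, which is what lets it prove OEM origin without a secret on the device.

```python
"""Secure-boot style image verification (added example, hypothetical format)."""
import hashlib
import hmac
import struct
from typing import Tuple

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")   # magic, version, payload length
TAG_LEN = 32

# Constructed sample key: on a real device this sits in protected key storage.
DEVICE_KEY = bytes(range(32))


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """OEM side: header + payload, then a tag computed over both."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, min_version: int,
                 key: bytes = DEVICE_KEY) -> Tuple[bool, str]:
    """Bootloader side: (ok, reason). Only ok == True images may be loaded."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "image too short"
    magic, version, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        return False, "length mismatch"
    expected = hmac.new(key, image[:body_end], hashlib.sha256).digest()
    # constant-time comparison: a plain == would leak tag bytes via timing
    if not hmac.compare_digest(expected, image[body_end:]):
        return False, "authentication failed"
    # anti-rollback: an authentic but older image is still refused
    if version < min_version:
        return False, f"rollback to version {version} refused"
    return True, "ok"


def boot(image: bytes, min_version: int) -> str:
    """Gate the load decision on verify_image; never load on failure."""
    ok, reason = verify_image(image, min_version)
    return "LOADED" if ok else f"REFUSED: {reason}"


if __name__ == "__main__":
    good = build_image(5, b"firmware bytes ...")
    print(boot(good, 5))
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01          # flip one payload bit
    print(boot(bytes(tampered), 5))
    print(boot(build_image(3, b"older firmware"), 5))
```

The tag covers the header as well as the payload, so the version field used for the rollback check is itself authenticated; verifying only the payload would let an attacker re-label an old image.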
IDS/IPS for Embedded Devices
• Communication based IDS/IPS
  o Report firewall rules violations
  o Protocol specific DPI
  o Detect scans, probing
• Configuration based IDS/IPS
  o Detect unauthorized changes to firmware, libraries and data files
• Report events to a security management system
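The configuration-based half of this slide as a runnable example: a hash baseline of firmware, libraries and data files taken at provisioning, and a check that turns any unauthorized change into an event for the management system. This is added illustration, not code from the webinar or from Icon Labs; an in-memory dict stands in for the device's flash, the paths and contents are constructed samples, and the event dicts are a hypothetical format a reporter would forward.

```python
"""Configuration-based IDS: file integrity against a baseline (added example)."""
import hashlib
from typing import Dict, List


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Taken at provisioning or right after an authorized firmware update."""
    return {path: fingerprint(data) for path, data in files.items()}


def check_integrity(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[dict]:
    """Return one event per deviation: modified, removed, or unexpected file."""
    events = []
    for path, digest in baseline.items():
        if path not in files:
            events.append({"event": "file_removed", "path": path})
        elif fingerprint(files[path]) != digest:
            events.append({"event": "file_modified", "path": path,
                           "expected": digest, "actual": fingerprint(files[path])})
    for path in files:
        if path not in baseline:
            # new executables or libraries that were never provisioned
            events.append({"event": "unexpected_file", "path": path})
    return events


# Constructed sample flash contents (not from a real device)
FLASH_AT_PROVISIONING = {
    "/boot/firmware.bin": b"\x7fELF...firmware v5",
    "/lib/libtls.so": b"tls library",
    "/etc/device.conf": b"mode=secure\n",
}


def demo() -> List[dict]:
    """Simulate a later scan after three unauthorized changes."""
    baseline = build_baseline(FLASH_AT_PROVISIONING)
    now = dict(FLASH_AT_PROVISIONING)
    now["/etc/device.conf"] = b"mode=debug\n"   # config changed out of band
    now["/opt/unknown.bin"] = b"unprovisioned"  # file that should not exist
    del now["/lib/libtls.so"]                   # library removed
    return check_integrity(baseline, now)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The baseline itself must be protected (signed, or stored in TPM/TEE-backed storage) or an attacker who can change a file can update the baseline too; on a device with secure boot, the baseline can be shipped inside the verified image.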
Securing Device Data
• Data at rest: device is off, how is the data protected?
  o Encrypted files, full disk encryption
• Data in use: while generated or being processed – is it secured?
  o Obfuscation, MMU based protection methods, user privileges
  o Protect against memory scraping attacks
• Data in transit: leaving the device, is it being hijacked?
  o Security protocols
Secure Communication
• Security protocols
  o IPsec/IKE (VPN)
  o SSH / SSL/TLS/DTLS
• Authentication
  o X.509 / Kerberos
  o RADIUS
  o TACACS+
  o 802.1X
Embedded Firewall
• Endpoint firewall for embedded/RTOS systems
• Rules based filtering (IP addresses, ports, protocols)
• Stateful packet inspection
• Threshold filtering
• Protocol specific deep packet inspection
• IDS alerts
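Rules-based filtering, threshold filtering and IDS alerting from this slide (and the "detect scans, probing" item of the IDS slide) as one runnable example. This is added illustration, not code from the webinar or from Icon Labs. Packets are constructed (src_ip, dst_port, proto) tuples, the rule set is first-match with default deny, and the threshold is a simple count of denied packets per source; port 502 is used as the Modbus/TCP port of a control LAN in the sample rules.

```python
"""Endpoint packet filter with threshold filtering and IDS alerts (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = Tuple[str, int, str]   # (src_ip, dst_port, proto)


class Rule:
    """A rule matches when every field that is set agrees with the packet."""

    def __init__(self, action: str, src: Optional[str] = None,
                 port: Optional[int] = None, proto: Optional[str] = None):
        self.action = action            # "allow" or "deny"
        self.src = ip_network(src) if src else None
        self.port = port
        self.proto = proto

    def matches(self, pkt: Packet) -> bool:
        src, port, proto = pkt
        if self.src is not None and ip_address(src) not in self.src:
            return False
        if self.port is not None and port != self.port:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        return True


class EmbeddedFirewall:
    def __init__(self, rules: List[Rule], deny_threshold: int = 5):
        self.rules = rules
        self.deny_threshold = deny_threshold
        self.denied_by_src = defaultdict(int)
        self.alerts: List[dict] = []    # would be reported to the management system

    def filter(self, pkt: Packet) -> str:
        action = "deny"                 # default deny when no rule matches
        for rule in self.rules:
            if rule.matches(pkt):
                action = rule.action
                break
        if action == "deny":
            src = pkt[0]
            self.denied_by_src[src] += 1
            # threshold filtering: repeated denials from one source look like a probe
            if self.denied_by_src[src] == self.deny_threshold:
                self.alerts.append({"alert": "probe", "src": src,
                                    "denied": self.deny_threshold})
        return action


def demo() -> Tuple[List[str], List[dict]]:
    rules = [
        Rule("allow", src="10.0.0.0/24", port=502, proto="tcp"),  # Modbus from control LAN only
        Rule("allow", port=443, proto="tcp"),                     # management TLS from anywhere
        Rule("deny"),                                             # explicit catch-all
    ]
    fw = EmbeddedFirewall(rules, deny_threshold=5)
    # constructed traffic: one legitimate Modbus request, then a host outside
    # the control LAN trying port 502 and a run of low ports
    packets: List[Packet] = [("10.0.0.7", 502, "tcp"), ("192.168.1.9", 502, "tcp")]
    packets += [("192.168.1.9", p, "tcp") for p in range(20, 26)]
    decisions = [fw.filter(p) for p in packets]
    return decisions, fw.alerts


if __name__ == "__main__":
    decisions, alerts = demo()
    print(decisions)
    print(alerts)
```

The alert fires once, when the count reaches the threshold, so a noisy source does not flood the management system; a real implementation would also age the counters so a source can recover after it stops.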
Management and visibility
• Policy management
• Event reporting
• Situational awareness
• Status monitoring
• Secure firmware updates
Summary
• Common requirements
  o Industry standards help define security requirements
  o Many standards, but common requirements
• Utilize a security framework that provides building blocks to enable and support the various standards
• Integrate security into the device itself – don’t just rely on a secure perimeter
Questions?
Security Fundamentals for IoT Devices; Creating the Internet of Secure Things
Aimee Kalnoskas, Moderator, Design World EE Network, [email protected], @DW_Aimee
Alan Grau, President & Co-founder, Icon Labs, [email protected]
Thank You
• This webinar will be available at designworldonline.com & email
• Tweet with hashtag #EEwebinar
• Connect with Design World
• Discuss this on EngineeringExchange.com