How to ensure security around IoT devices?
Source: its-wiki.no/images/b/be/201704_IoTSec_Tekna_Noll.pdf

Tekna seminar “Sårbarhet i kraftsektoren” (Vulnerability in the power sector), Gardermoen, Apr2017
Josef Noll [email protected], @josefnoll, m: +47 9083 8066
Professor at University of Oslo, Department of Technology Systems
Co-Founder and Secretary General at Basic Internet Foundation

Apr2017, Josef Noll, Securing the Internet of Things

Outline
• From electricity to intelligent power
  ➡ The Internet of Things (IoT) and the power grid
• Digitisation of the Society
  ➡ Sensor and Data driven
  ➡ Industry and Society
  ➡ Your role as power provider
• Privacy and Security
  ➡ Do we really understand the challenge?
  ➡ Measurable security
  ➡ Privacy labelling
• Conclusions
[Source: Monique Morrow, Cisco]

Who is going to manage the home?
[Figure labels: Admin Cloud; GSM/LTE; Smart Meter; Smart Meter; Smart home appliance; powerline communications; radio; Concentrator; Internet communications]

Considerations
• A variety of services
• Security and Privacy requirements
• Novel trends, flexibility
• My Home is everywhere
[Figure labels: Health Services; Car & energy management; Home infrastructure; Monitoring, Control, Configure; Appliances & services]
Digitalisation of the Society
Source: EU commission, https://www.youtube.com/watch?v=BK-UuUnQalM&feature=youtu.be

The Internet of Things (IoT)
• IoT =
  ➡ Internet +
  ➡ Semantics +
  ➡ Things
• The things that talk
  ➡ with a computer,
  ➡ which understands what it is about,
  ➡ and makes autonomous decisions
Source: L. Atzori et al., The Internet of Things: A survey, Comput. Netw. (2010), doi:10.1016/
* security * privacy * dependability * context-aware * personalised
How to handle security?

Traditional: Threat-based approach
[Figure: security ontology. Entities: Organisation; System of Systems; Security attribute; Vulnerability; Control/Configuration; Severity scale; Threat. Relations: owns; implemented; requires; affects; exploited by; has severity; mitigated by; vulnerability on; implements; threatens; defines]
[source: http://securityontology.sba-research.org/]
Scalability?
Future Threats?

IoT threats
• First massive attack from IoT devices
  ➡ 16Oct2016 IoT botnet attack on Dyn
  ➡ Camera (CCTV), video recorder, TV,…
  ➡ 1.2 Gbps Denial-of-Service attack
• How?
• All using Linux BusyBox for authentication
  ➡ admin - admin, root - root, admin - 1111…
  ➡ simple “test” was enough to convert IoTs into botnet
[Source: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ ]

Feb 2016, Josef Noll, IoTSec.no
IoTSec.no “Research on IoT security” with “The national Security Centre for Smart Grid”
http://IoTSec.no
[Figure labels: Smart Meter; Internet; Communication & IoT for society]

Example: Measurable Security
• From people defined security classes
• To automated security decisions
  ➡ through metrics assessment
• based on
  ➡ security, privacy and dependability functionalities
[Figure: Multi-Metrics (weighted subsystems). Labels: System; Components and functionalities; SPD Components, SPD functionalities; is made by; could be; can be composed; Comp. 1, Comp. 2, Comp. 3; Multi-Metrics (MM, M); sub-system 1 (s,p,d); sub-system 2 (s,p,d); system (s,p,d)]

Multi Metrics Assessment
• Metrics to SPD conversion
  » Parametrisation of system parameters, e.g. latency -> [ms]
  » SPD regression: «SPD value and importance for the system»
  » parameter into S,P,D value range, e.g. latency=50ms :=> (ideal, good, acceptable, critical, failure)
  » Scaling according to System Importance, e.g. latency :=> Smax=30, Pmax=10, Dmax=20
  » Assignment of SPD values, e.g. latency=50 ms
• Metrics combination to provide SPDSystem: (60, 30, 70)
  » Mathematical combination, e.g. $S_{System} = 100 - \sqrt{S_1^2 + S_2^2 + \dots + S_x^2}$
[Figure labels: M1; SPD regression; SPD combiner; SPDSystem; SPD criticality scale: ideal, good, accep., critical, failure]
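
The two steps on this slide (metric to SPD criticality, then combination), as an added Python example that is not from the original slides; it applies the slide's combination formula to S, P and D alike and compares the result with an SPD goal as on the SPDGoal slide. Only the latency maxima (30, 10, 20) come from the slide; the level fractions, latency bands, authentication mapping and maxima, and the goal are constructed assumptions.

```python
import math

# Criticality fraction per regression level (constructed; the slide names only the levels).
LEVELS = {"ideal": 0.0, "good": 0.25, "acceptable": 0.5, "critical": 0.75, "failure": 1.0}
# Constructed latency bands in ms as (upper bound, level); not from the slides.
LATENCY_BANDS = [(10, "ideal"), (30, "good"), (100, "acceptable"), (500, "critical")]
GOAL = (70, 50, 70)  # constructed application SPD goal

def latency_level(ms):
    """Regression step: map a measured latency onto one of the five levels."""
    for upper, level in LATENCY_BANDS:
        if ms <= upper:
            return level
    return "failure"

def criticality(level, maxima):
    """Scale the level by the metric's system importance (Smax, Pmax, Dmax)."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return tuple(LEVELS[level] * m for m in maxima)

def combine(criticalities):
    """Combiner: X_System = 100 - sqrt(sum X_i^2) for each of S, P, D, clamped at 0."""
    result = []
    for axis in zip(*criticalities):
        root = math.sqrt(sum(c * c for c in axis))
        result.append(max(0.0, 100.0 - root))
    return tuple(result)

def meets_goal(system, goal):
    """Compare the system SPD level with an SPD goal, axis by axis."""
    return tuple(s >= g for s, g in zip(system, goal))

def assess_amr(latency_ms, authenticated):
    """Assess a meter reader from two metrics: latency and authentication."""
    lat = criticality(latency_level(latency_ms), (30, 10, 20))  # maxima from the slide
    auth_level = "good" if authenticated else "failure"         # constructed mapping
    auth = criticality(auth_level, (80, 60, 20))                # constructed maxima
    return combine([lat, auth])

if __name__ == "__main__":
    for authenticated in (True, False):
        spd = assess_amr(50, authenticated)
        print(authenticated, [round(x, 1) for x in spd], meets_goal(spd, GOAL))
```

The clamp in `combine` matters because the unweighted root-sum-square can exceed 100 once several metrics are at a high criticality.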

From System to Security Assessment
• System described through
  ➡ Security functionality
  ➡ Security attributes
  ➡ Metrics converting security into [0…100]
• Automatic Meter Reader (AMR)
  ➡ (1) remote access metric - (yes/no)
    ‣ reading, or just controlling
  ➡ (2) authentication metric
    ‣ everyone, or authenticated user
[Figure labels: GSM/LTE; (1) remote access; (2) authentication]

SPDGoal versus System-SPDLevel
• Application-based security goals
• Automated assessment
• Visualisation of “operating envelopes”
  ➡ Security good enough?
  ➡ Too high Security
• Critical component/sub-system assessment
Change in Business Models due to IoT
http://www.scmagazine.com/iot-security-forcing-business-model-changes-panel-says/article/448668/

The “sharing economy” for energy companies?
Sharing Economy: “Telenor will create a digital ecosystem in Pakistan”
[Source: eSmartSystems.com]
[Figure labels: Energy stability; Security; Privacy]

Towards Measurable Privacy - Privacy Labelling
• “Measure, what you can measure - Make measurable, what you can’t measure” - Galileo
• Privacy today
  ➡ based on lawyer terminology
  ➡ 250.000 words on app terms and conditions
• Privacy tomorrow
  ➡ A++: sharing with no others
  ➡ A: …
  ➡ C: sharing with ….
• The Privacy label for apps and devices

Conclusions for 2025
• Things (IoT) are driving the digital societies
• Novel services at home
  – Internet + Semantics + Things = IoT
  – Digitisation of the Society
  – Measurable Security and Privacy
  – Autonomous Decisions
• IoT Security and privacy
  – automated privacy/security through Multi-Metrics
  – Privacy label (A++, A+…D)
[Figure labels: SPD criticality scale: ideal, good, accep., critical, failure]