IoT Security Platform - Kaspersky Lab


Page 1

IoT Security Platform

Andrey Doukhvalov

Head of Future Tech

Industrial Cybersecurity: Safeguarding Progress

Saint Petersburg, Russia

September, 2017

Page 2

IoT Malware in Action

• 900,000 customers of German ISP Deutsche Telekom

• 2,400 home routers across the UK

• In 2016 one million devices have been infected with BASHLITE:

• 96% are IoT devices (cameras and DVRs)

• 4% are home routers

• 1% are compromised Linux servers

• Linux.Darlloz is a worm which infects Linux embedded systems. It targets the Internet of Things and infects routers, security cameras and set-top boxes by exploiting a PHP vulnerability.

• Remaiten is malware which infects Linux on embedded systems by brute forcing, using frequently used default username and password combinations from a list in order to infect a system.

Page 3

IoT Security Landscape

Diagram layers: Smart Devices / Edge Gateways / Network / Data Center / Cloud

Infrastructure: DNSSEC / DANE; Root-of-Trust, Strong Authentication, Verification

IoT Device Security

• Authentication (verified)

• Service discovery / provisioning / pairing

• Trusted execution environment

• Network security / firewall

• Secure Boot

Communication Security

• Authentication (verified)

• Encryption

• Message integrity

• MitM protection

• DNS spoofing protection

Cloud Security

• Authentication (verified)

• PKI / certificate management

• Trusted execution environment

• Network security / firewall

• Access control (role based)

Page 4

IoT Developer Survey 2017

The Eclipse IoT Working Group, IEEE IoT, AGILE IoT and IoT Council co-sponsored an online survey to better understand how developers are building IoT solutions. The survey was open from February 7 until March 17, 2017. A total of 713 individuals participated in the survey. Each partner promoted the survey to their communities through social media and web sites.

Chart of application areas: IoT platform, Home automation, Industrial automation, Energy management, Connected cities

Page 5

Key Industries / Trends 2016-2017

Chart: share of survey participants by industry (series: 2016, 2017)

• Transportation 20,1%

• Automotive 21,4%

• Healthcare 22,7%

• Agriculture 25,5%

• Building automation 26,1%

• Energy management 33,3%

• Connected / smart cities 33,4%

• Industrial automation 36,4%

• Home automation 41,1%

• IoT platform / middleware 41,6%

Participation of other industries is growing…

Page 6

Hardware Components in IoT Solutions

What hardware components are included in your IoT solution?

• Sensors 86,8%

• Actuators 50,8%

• Gateway / hub device 50,2%

• Edge node device 36,2%

• Camera / video capture 35,1%

• LCD display 33,5%

• Touchscreen 25,4%

• Audio playback / speaker 17,4%

• None 4,5%

• Other 4,1%

Page 7

Security is the #1 IoT developers' concern

• Security 46,7%

• Interoperability 24,4%

• Connectivity 21,4%

• Integration with hardware 19,3%

• Standards 15,0%

• Return on investment (ROI) 14,8%

• Cost 14,7%

• Scalability 14,1%

• Privacy 13,7%

• Performance 12,3%

• Data analytics 12,3%

• Complexity 9,0%

• Maintenance 8,2%

• Certification / conformance 4,4%

• Other 3,8%

• I don't know 2,4%

Top three concerns: SECURITY, CONNECTIVITY, INTEROPERABILITY

Page 8

IoT Security Technologies

• Communication security 48,3%

• Data encryption 43,2%

• JSON web token or similar token formats 34,4%

• Public key infrastructure 27,2%

• OAuth & OpenID 24,3%

• Over the air update 18,5%

• No security technology is used 16,4%

• Secure boot 11,4%

• Use of Hardware Security Module (HSM) 10,6%

• Use of Trusted Platform Modules (TPM) 10,0%

• Don't know 9,3%

• Other 2,5%

Groupings shown on the slide: Root of Trust (55%), LifeCycle (29,5%), Identity & PKI (51,5%), Encryption (43,2%), TLS/SSL (48,3%)

Page 9

What can we learn from mobile & apply to IoT?

Diagram: Device Security, Communications Security, Lifecycle Security; Crypto; Root of Trust; non-trusted vs trusted; trusted software, trusted hardware, secure system, secure storage

Page 10

IoT Security should be integrated

Situation

• Most IoT developers are not security experts

• Little to no knowledge of hardware

• Prior experience in mobile app development

• Time to market & functionality beat security

• Ease of use requirements on tools & IoT platform providers

Strategy

• Hide complexity of hardware based security

• Provide built-in security functions

• Use standard methods and building blocks

Page 11

How much security do you need?

Chart: Attack Cost vs Security Cost

Attack classes (increasing attack cost):

Communication Attacks

• Man In The Middle

• Weak RNG

• Code vulnerabilities

Software Attacks & lightweight hardware attacks

• Buffer overflows

• Interrupts

• Malware

SW & HW Attacks

• Physical access to device: JTAG, Bus, IO Pins

• Time, money & equipment

Security measures (increasing security cost):

• Traditional TLS/SSL

• Security Subsystem

• Hardware isolated TEE/SPM*

• Secure Element

*Trusted Execution Environment / Secure Partitioning Manager

Page 12

GlobalPlatform Trusted Execution Environment

In 2010, the Trusted Execution Environment (TEE) project was launched under the auspices of GlobalPlatform. The initiative was a response to changes in the mobile market: security requirements grew substantially as consumers began using mobile devices for financial and payment transactions. In addition, as consumption of content (video, music) on different types of devices grew, the old content-protection methods proved insufficient. To protect premium content, its owners had traditionally used Digital Rights Management (DRM), Conditional Access (CA) and similar schemes, which often relied on hardware-enforced content protection, whereas now they faced an environment in which many different agents interact. Moreover, the change in content delivery paths (3G, 4G, Wi-Fi, WiMAX, Bluetooth, NFC) places higher demands on communication channels.

Page 13

Global Platform Trusted Execution Environment

• TEE became the global standard for embedded security

Page 14

TEE Platform in action

Page 15

Global Platform TEE Management Framework

The goals of the security model for administration are:

• to provide means to manage the Trusted Execution Environment (TEE), Security Domains (SD), and Trusted Applications (TA),

• to ensure the security and the integrity of these entities,

• to enable the confidentiality of the data,

• to provide a scalable model allowing deployments involving a unique Actor or multiple Actors,

• and to enforce the security policy of each Actor while preserving its assets.

To ensure the security and integrity of these entities, the TMF code implementation on the device is a Trusted OS Component (see [TEE Arch]), or composed from a group of such components. As such it inherits the same security requirements as other Trusted OS Components.

• The newly emerging TEE MF standard lays the groundwork for remotely controlled embedded security

Page 16

Kaspersky IoT Security Platform - proposal

Architecture diagram: columns Security Operation Center / Gateway / Edge; layers Applications / System / TEE MF; domains Device Security, Comm Security, Lifecycle Security; Security Subjects and Security Objects; TEE; Security Center.

Labels recovered from the diagram:

• Integrated Security HV SoC

• Trusted Boot, Trusted Channel, OTA, Trusted Storage, Crypto

• Device tiers: Non-TEE, 3rd-party TEE, KOS TEE, KOS TEE on trusted SoC, KOS TEE + SE on trusted SoC

• Service Discovery, Provisioning, Pairing

• Hypervisor, TEE Services, KOS

• Cloud security services, Systems Management, Policy Management

• General Security: FW, AV, KSN, DPI, TMS/TFS, KICS, VPN, Logging, Inspection

• Security Services Management, KATA

Page 17

Platform Roadmap

Roadmap matrix: rows Security Operation Center / Gateway/Networking / Device Level; columns KL Core Assets / Ecosystem / Services.

Items recovered from the roadmap:

• KSS (Lib -> Agent), KOS, KSH, KSS Linux, SoC (Elvis)

• Trusted Channel, Firmware Update, Device Pairing, Device Security, TEE functions, Trusted IoT Platform, Trusted Hypervisor, Integrated Security, System Security

• KSN/CV/AV/TMS/KICS, KSN/CF/AV, KSC for IoT (TEE MF), MLAD/KATA

• Devices (Router, STB)

• Security Services: Malware Protection, Anomaly Detection, Trusted Monitoring, Communication Security, Lifecycle Security

• Add-Ons: IoT Platform Connectors, Industrial Modules, Industrial Protocols

Page 18

IoT Security Platform

Andrey Doukhvalov

Head of Future Tech

Industrial Cybersecurity: Safeguarding Progress

Saint Petersburg, Russia

September, 2017

Let's discuss it