1

IoT Security Workshop For Product Management

IoTSF 2017 Annual Conference

5th December 2017

Richard Marshall IoTSF Plenary Chair

Public - IoT Security Workshop For Product Management 05/12/2017

“Isn’t product security a technical problem, like safety requirements?”

IoT Security & Product Management

2 Public - IoT Security Workshop For Product Management 05/12/2017

– Products are often not considered a target, “Why would someone attack my product…?”

– IoT products, potentially installed by the billion – the number of devices could out number mobile phones

– Being connected allows remote attacks which makes presence and physical barriers redundant

– IoT devices become potential ‘weapons’ in large scale attacks

Being connected…

3 Public - IoT Security Workshop For Product Management 05/12/2017

Lean Startup ‘Minimal Viable Product’ [MVP] development approach

Supply Chain integrity and complexity

Traditional ship and develop next product strategy

Lack of security awareness and standards

Usability versus security

IoT product challenges

4 Public - IoT Security Workshop For Product Management 05/12/2017

Relies on an incremental approach to product development to gain customer feedback.

Security is seen as a ‘feature’ that can be added later…

This contradicts with the need to put the security foundations into a product from the beginning…

MVP development Strategy

5 Public - IoT Security Workshop For Product Management 05/12/2017

With happens if these considerations are not

considered…?

6 Public - IoT Security Workshop For Product Management 05/12/2017

Becoming a Headline…

7

Two key fundamentals:

– Secure integrity

– Secure identity

Creating Secure Foundations

8 Public - IoT Security Workshop For Product Management 05/12/2017

Areas of business impacted:

– Supply Chain

– Production

– Cloud Operations and Product Support

– Corporate Communications

– Product Development

Product Security Implications

9 Public - IoT Security Workshop For Product Management 05/12/2017

Software Supply Chain

Components often come with vendor software, typically:

– Boot loaders

– Protocol stacks

– Device drivers

Careful selection of the underlying platform is critical – has their security been considered?

10 Public - IoT Security Workshop For Product Management 05/12/2017

Hardware Supply Chain

Critical components may need secure programming or creation:

– Cryptographic Keys

– Vendor Certificates

Are the vendor’s security processes sufficient?

What impacts do these have on:

– Component lead times

– Minimum Order Quantities

11 Public - IoT Security Workshop For Product Management 05/12/2017

Production

Outsourced production, how is security maintained in a third party’s facility?

How are the following ensured by design:

– Cryptographic keys are not revealed - symmetric key insertion into devices is an issue

– Unauthorised product is not being manufactured

– Unauthorised software and data is not loaded into the product

12 Public - IoT Security Workshop For Product Management 05/12/2017

Cloud Operations

Where is customer data stored by the Cloud Service Provider?

How are the products keys securely deployed?

13 Public - IoT Security Workshop For Product Management 05/12/2017

Customer Data

Where is customer data stored by the Cloud Service Provider?

– In what territory is the Customer/Subscriber data guaranteed to be stored?

– EU GDPR implications

– Is customer data suitably anonymised

14 Public - IoT Security Workshop For Product Management 05/12/2017

Product Keys Deployment

“Where are my keys?”

Self managed keys

– Requires full key lifecycle management

– Can Managed Service Provider securely access keys

Third Party managed keys

– Supplier lock in – key escrow

– The Supplier is managing your identity credentials…

15 Public - IoT Security Workshop For Product Management 05/12/2017

Ongoing Support

What is the support policy?

Are the devices patchable?

What is the product service life?

EOL policy – revocation, kill switch

16 Public - IoT Security Workshop For Product Management 05/12/2017

Product Recalls…

The business case for security:

The cost of devices recall is often a significant proportion of the selling price of the product

Small BOM cost increments have the potential to significantly reduce the risk of recall

Competitive advantage – it works for Apple!

17 Public - IoT Security Workshop For Product Management 05/12/2017

Corporate Communications

Is a vulnerability policy in place?

– Its too late when a security researcher makes contact

Is a security notification process in place?

– Customers gain confidence from clear and unambiguous notifications on vulnerabilities

18 Public - IoT Security Workshop For Product Management 05/12/2017

Post Product Launch

Is a Vulnerability Disclosure policy and process in place?

Can you respond before your Company makes the headlines…

05/12/2017 19 Public - IoT Security Workshop For Product Management

How Not To Manage It…

05/12/2017 20

“ "We are aware of the report on Twitter…" an Owlet spokeswoman told us. ”

Public - IoT Security Workshop For Product Management

Making The Best Of It…

05/12/2017 21

“…triggered Philips to release a firmware patch for owners of its "Hue" connected bulbs. ”

Public - IoT Security Workshop For Product Management

Product Development

Needs requirements:

There is no such thing a software based security…

22 Public - IoT Security Workshop For Product Management 05/12/2017

Hardware vulnerabilities impossible to fix in deployed products

Product lifecycles longer than consumer or cell phone’s 2 to 5 years

Lifecycles not unusual to be 15 to 25 year life for infrastructure devices

Hardware Security

Product security relies on the strength of it’s weakest link

23 Public - IoT Security Workshop For Product Management 05/12/2017

Architectural Choices

Hardware cost pressures:

8 bit and 32 bit microcontrollers

Dedicated key storage devices

24 Public - IoT Security Workshop For Product Management 05/12/2017

Free Requirements…

25

RELEASE 1.1

Public - IoT Security Workshop For Product Management 05/12/2017

Thank You!

26 Public - IoT Security Workshop For Product Management 05/12/2017

https://iotsecurityfoundation.org/