IoT Security Workshop For Product Management · Lean Startup ‘Minimal Viable Product’ [MVP]...
IoT Security Workshop For Product Management
IoTSF 2017 Annual Conference
5th December 2017
Richard Marshall IoTSF Plenary Chair
Public - IoT Security Workshop For Product Management 05/12/2017
IoT Security & Product Management
“Isn’t product security a technical problem, like safety requirements?”
Being connected…
– Products are often not considered a target: “Why would someone attack my product…?”
– IoT products are potentially installed by the billion; the number of devices could outnumber mobile phones
– Being connected allows remote attacks, which makes presence and physical barriers redundant
– IoT devices become potential ‘weapons’ in large-scale attacks
IoT product challenges
– Lean Startup ‘Minimal Viable Product’ [MVP] development approach
– Supply chain integrity and complexity
– Traditional ship-and-develop-next-product strategy
– Lack of security awareness and standards
– Usability versus security
MVP development Strategy
Relies on an incremental approach to product development to gain customer feedback.
Security is seen as a ‘feature’ that can be added later…
This contradicts the need to put the security foundations into a product from the beginning…
What happens if these considerations are not considered…?
Becoming a Headline…
Creating Secure Foundations
Two key fundamentals:
– Secure integrity
– Secure identity
Product Security Implications
Areas of business impacted:
– Supply Chain
– Production
– Cloud Operations and Product Support
– Corporate Communications
– Product Development
Software Supply Chain
Components often come with vendor software, typically:
– Boot loaders
– Protocol stacks
– Device drivers
Careful selection of the underlying platform is critical – has their security been considered?
Hardware Supply Chain
Critical components may need secure programming or creation:
– Cryptographic Keys
– Vendor Certificates
Are the vendor’s security processes sufficient?
What impacts do these have on:
– Component lead times
– Minimum Order Quantities
Production
Outsourced production: how is security maintained in a third party’s facility?
How are the following ensured by design:
– Cryptographic keys are not revealed; symmetric key insertion into devices is an issue
– Unauthorised product is not being manufactured
– Unauthorised software and data are not loaded into the product
Cloud Operations
Where is customer data stored by the Cloud Service Provider?
How are the product’s keys securely deployed?
Customer Data
Where is customer data stored by the Cloud Service Provider?
– In what territory is the Customer/Subscriber data guaranteed to be stored?
– EU GDPR implications
– Is customer data suitably anonymised?
Product Keys Deployment
“Where are my keys?”
Self-managed keys
– Requires full key lifecycle management
– Can the Managed Service Provider securely access keys?
Third-party managed keys
– Supplier lock-in: key escrow
– The supplier is managing your identity credentials…
Ongoing Support
What is the support policy?
Are the devices patchable?
What is the product service life?
EOL policy – revocation, kill switch
Product Recalls…
The business case for security:
The cost of a device recall is often a significant proportion of the selling price of the product
Small BOM cost increments have the potential to significantly reduce the risk of recall
Competitive advantage: it works for Apple!
Corporate Communications
Is a vulnerability policy in place?
– It’s too late when a security researcher makes contact
Is a security notification process in place?
– Customers gain confidence from clear and unambiguous notifications on vulnerabilities
Post Product Launch
Is a Vulnerability Disclosure policy and process in place?
Can you respond before your Company makes the headlines…
How Not To Manage It…
“"We are aware of the report on Twitter…" an Owlet spokeswoman told us.”
Making The Best Of It…
“…triggered Philips to release a firmware patch for owners of its "Hue" connected bulbs.”
Product Development
Needs requirements:
There is no such thing as software-based security…
Hardware Security
– Hardware vulnerabilities are impossible to fix in deployed products
– Product lifecycles are longer than the 2 to 5 years of consumer or cell phone products
– Lifecycles of 15 to 25 years are not unusual for infrastructure devices
Product security relies on the strength of its weakest link
Architectural Choices
Hardware cost pressures:
8 bit and 32 bit microcontrollers
Dedicated key storage devices
Free Requirements…
RELEASE 1.1
Thank You!
https://iotsecurityfoundation.org/