RISC Keynote v1 - Real-world IoT Security Conference (RISC) · 2017-06-23 · • Business and...

DESIGN.BUILD.SECURE

IoT Security: Preventing a Global Disaster

MY JOURNEY

1. A Security Practitioner who is an Engineer
2. My journey was accidental and eye opening
3. Security and Privacy are a way of life
4. We can secure IoT but we must change our way of thinking


How did we get here?

BY THE NUMBERS

                     Source Code
Space Shuttle            400,000       16,000
Firefox                8,000,000      320,000
Boeing 747            14,000,000      560,000
F35 Jet Fighter       25,000,000    1,000,000
MS Office 2013        44,000,000    1,760,000
Car Software         100,000,000    4,000,000
Google             3,300,000,000  120,000,000

WE STARTED CONNECTING

• SCADA systems started adding IP connections
• Components became cheaper due to mass manufacturing
• WiFi and cellular connectivity became broadly available
• Mobile and cloud became a “big thing”

WE ARE ACCEPTING OF SUBSTANDARD SOFTWARE

• Business and consumer software is not required to undergo any formal assessment or validation prior to use
• Vendors hide behind licensing agreements
• Vendors are not liable for vulnerabilities... but this is changing
• Many developers lack the skill set to develop securely
• Vendors: no formal SDLC that includes security testing

EARLY WARNING INDICATORS

[Google Trends charts (source: trends.google.com) for the search terms "ransomware", "WannaCry", "Mirai" and "IoT security"]

Chart annotations:
• routers, security cameras, printers and digital video recorders (DVRs)
• Un-patched Windows desktops
• default passwords & configs

EARLY WARNING INDICATORS 2

• 15,000,000 Elevators Globally
• 665Gbps is only the “baseline” from weaponized things

THE PERFECT STORM

• Lack of global expertise in IoT Cyber Security ~500K
• Lack of security testing and validation of products/deployments
• Zero-days waiting to be discovered {and traded}
• Weaponizing current generation IoT devices
• Many organizations lack breach plans
• State sponsored actors


The IoT Attack Surface

ANATOMY OF AN ATTACK

Recon: Get to know your target
Plan Attack: Write a toolkit or script
Execute Attack: Launch attack and validate success
Owned: Use your new device for fun and adventure

THE ATTACK SURFACE

[Diagram; elements: “Thing”, Gateway, OT Network, Internet, Platform API, Cloud Database; threat actors: Hackers, State Sponsored Threats, and other cyber criminals; regions labelled “Threat Visibility” and “No Threat Visibility”]

IOT ATTACK TURNING POINTS

• Stuxnet
• Mirai
• Vehicles
• Home Monitoring
• Medical Records

HOW THESE COULD HAVE BEEN PREVENTED

• Stuxnet: Policy
• Mirai: Design, Threat Modeling and Testing
• Automotive: Design, Threat Modeling and Testing
• Consumer Devices: Design, Threat Modeling and Testing
• Medical Records: Policy, Design, Threat Modeling and Testing


Security Controls 101

THE GOAL OF SECURITY

• Prove that your organization was not negligent
• Reduce product costs
• Reduce legal fees and possible legal action
• A higher level of assurance for the end user
• Competitive advantage

SECURING YOUR IOT SOLUTION

• Implement an Information Security Management System (ISMS)
• Create an SDLC that implements a Secure Coding Methodology
• Threat Modelling (What is the attack surface?)
• Secure by Design (Runtime, Updating, Tamper resistance, monitoring, etc.)
• Source Code Evaluation
• Understand your component supply chain
• Test (TRA, Pen Test, VA at a minimum) for every major release
• Formal Evaluation for IIoT (IEC 62443)
• PIA

SECURING YOUR DATA

• With your ISMS you will know your data at risk!
• Ensure your quality of data: Integrity
• Validation of Data
• Realize that decisions must be decentralized vs. asynchronous
• You may want to consider a meta data approach

SAFETY IN IOT

• Primarily in IIoT but implications in consumer market with healthcare and wearables
• You must ensure you do not endanger human life with your product, based on the Threat Model
• Need to consider: Runtime, fault, resilience, and detection
• Testing and Validation by 3rd party is key


Privacy in an IoT World

PRIVACY

• Personally Identifying Information (PII)
• Any collection of data that identifies a person, including:
  • Name, address, DOB, Health number, SIN, passport, credit card
• Need to know the legal and regulatory requirements for your jurisdiction
• You are responsible for data collected, processed and stored
• What is the usable “life” of the data?

IMPLEMENTING PII

• Make sure you meet regulatory requirements
• Use a “Privacy by Design” approach
• Conduct a Privacy Impact Assessment (PIA)
• Determine useful life of data collected
• Securely delete old data


Standards

STANDARDS

• Don’t try to boil the ocean
• Why ISO?
• Determine what you need for your sector
• At a minimum consider:
  • IEC 62443 for IIoT
  • ISO/IEC 27000 Series for ISMS
  • ISO/IEC 27034 for Application Security
  • ISO/IEC 29134 for Privacy Impact Assessment


Conclusions

HOW TO BE SUCCESSFUL AT IOT SECURITY

• Change your company culture to be secure 1st
• Implement an ISMS
• Implement an SDLC
• Threat Model when designing
• Evaluate all 3rd party software and HW components for signs of tampering
• Respect the PII of your users
• Test, test, and test

YOUR HOMEWORK

• Read IEC White Paper IoT 2020: Smart and secure IoT platform
• Read RIoT Control: Understanding and Managing Risks and the Internet of Things — Tyson Macaulay
• Actively track security mailing lists and CVE for new vulns
• Track the changing landscape of attack targets
• Get to know your data at risk
• Get to know your risk posture at any given time


[email protected] @encrypto99

+1 613 447 3393

www.twelvedot.com

THANK-YOU FOR YOUR TIME