IoT Security Patterns

Mark Benson, CTO@markbenson

IoT Stream Con, 23 April 2015

The IoT opportunityRecent Economist survey:

Expect their company to be using IoT within 3 years

“IoT is our single biggest threat AND biggest

opportunity over the next 10 years” – Brand-name fortune

500 board of directors*Source:ABIResearch,Cisco,CraigHallum Estimates

0

2

4

6

8

10

12

14

16

18

20

$0

$50

$100

$150

$200

$250

Devices

Billion

s

MarketS

izeBillion

s BigDataAnalytics(53%CAGR)

ConnectedDevicePlatforms(33%CAGR)

Platforms(33%CAGR)

ApplicationEnablementPlatforms(32%CAGR)

ValueAddedServices(26%CAGR)

SystemIntegrationServices(24%CAGR)

Hardware(23%CAGR)

Connectivity(12%CAGR)

Internet-connecteddevices(CiscoEstimate)

95%

The Internet of Things?More like the Internet of Attack Vectors• Attack surfaces are expanding rapidly• Physical access to systems is becoming easier• Consumer privacy concerns are rising• Consequences of a breach are becoming more severe (critical

infrastructure, brand deterioration, data privacy issues, etc.)• Product companies are being forced outside of their comfort zones• Three dimensions that make IoT security challenging…

1. Resource constraints

MAC/PHY

IP

TLS/TCP

HTTP

App Data

MAC/PHY

IP

TLS/TCP

HTTP

App Data

MAC/PHY

IP

TLS/TCP

HTTP

App Data

MAC/PHYIP

DTLS/UDPCoAP

Binary Data

MAC/PHYIP

DTLS/UDPCoAP

Binary Data

SensorMAC/PHY

Binary DataRest

Use Motion

Motion

Motion

Use

Use

Use

Rest Rest

Enterprise Web Services IoT Data Platform Gateway or Aggregator Sensing Node

Has moderate resource constraints Has severe resource constraintsDeals with resource constraintsHas virtually no resource constraints

Network

MAC/PHY

Binary Data

Network

2. Deployment topologies

Gateway IoT Cloud

Gateway On-prem

Gateway IoT CloudOn-prem

Gateway IoT CloudOn-prem Analytics

Analytics

Sensors Short RF Gateways On-prem SW Long-haul Cloud Platform Analytics platform

A. No cloud

D. Closed network

C. Multi-site

E. Comprehensive

B. Standard

LocalDisplay

3. Usage modes

• Device cloud registration* Secure authentication* Secure API transports* Secure storage

Initialization Operation Modification Retirement1 2 3 4

• Secure flash* OTP parts* Secure boot* Secure provisioning

• Secure firmware updates* Disable test/debug interfaces* Factory defaults fallback* Disable test interfaces

• Secure change of ownership• Device de-registration process• Optionally reenable retired devices• Secure encryption key deletion

ThingstonoteaboutIoTusagemodesthataffectsecurity:1. Somemodesarenormalandstandardsolutionsexist2. Somemodesarenewandstandardsarestillemerging3. Somemodesarebecomingmorevulnerableduetoresourceconstraints

Usage Modes

Simple

NovelStandard

Deploym

ent T

opologies

Comp

lex

Resource Constraints

High

Low

TheIoTsecurityproblemareaA. HighresourceconstraintsB. ComplexdeploymenttopologiesC. Novelusagemodes

Mo’ IoT, mo’ problems

The 4th dimension: timeNow we have a Tesseract

ThedifficultywithIoTsecurityisthatthelandscapeisconstantlychanging,evenafterproductsaredeployed

Securityshouldbedesignedforfromthebeginning andembracedasajourneythroughout

Itstartswithaprocess…Modes

Topologies

Constraints

Time

The web you should be weavingSecure processes => secure products => secure brand integrity

Security Requirements

Planning Design Implementation Verification Validation Deployment Operations

Risk Analysis Threat Modeling

Secure Design Practices

Security-Focused Design Reviews

Secure Coding Practices

Third Party Security Audit

Security-Focused Testing

User Testing to Expose Weakpoints

Penetration Testing Secure Deployment Practices

Operational Risk Assessment

Incident Response Preparedness

Vulnerability Management

Training and awareness

Information Security Management System (ISMS) policies, procedures, and compliance audits

Corporate strategy, governance, metrics, and optimization

ConclusionTakeaways:1. Security processes. Have a security architecture from the beginning and evolve

throughout (layers, topologies, modes)2. Technology selection. Start it from the beginning and evolve thoughout3. Operations planning. How do you respond if/when a security incident occurs in

the field. Use checklists– http://owasp.org/– http://builditsecure.ly/

Embrace the journey

Thank you

Mark Benson@markbenson