LPWAN London Meetup: Securing your IoT products

Date post: 22-Mar-2017
Upload: digital-catapult

06/03/2017 Public 1

Securing your IoT products

LPWAN London Feb 2017

Richard Marshall, IoTSF Plenary Chair and CEO Xitex Ltd

We can’t carry on like this

– Products are often not considered a target, “Why would someone attack my product…?”

– IoT products, potentially installed by the billion – the number of devices could outnumber mobile phones

– Being connected allows remote attacks, which makes presence and physical barriers redundant

– IoT devices become potential ‘weapons’ in large scale attacks

Being connected…

Lean Startup ‘Minimal Viable Product’ [MVP] development approach

Supply Chain integrity and complexity

Traditional ship and develop next product strategy

Lack of security awareness and standards

Usability versus security

IoT product challenges

Relies on an incremental approach to product development to gain customer feedback.

Security is seen as a ‘feature’ that can be added later…

This contradicts the need to put the security foundations into a product from the beginning…

MVP development Strategy

Hardware vulnerabilities impossible to fix in deployed products

Product lifecycles are longer than the 2 to 5 years of consumer products or cell phones

Lifecycles of 15 to 25 years are not unusual for infrastructure devices

MVP & Hardware Security

Product security relies on the strength of its weakest link

Component Supply Chain

Components often come with vendor software, typically:

– Boot loaders

– Protocol stacks

– Device drivers

Careful selection of the underlying platform is critical – has their security been considered?

Production

Outsourced production: how is security maintained in a third party’s facility?

How are the following ensured by design:

– Cryptographic keys are not revealed - symmetric key insertion into devices is an issue

– Unauthorised product is not being manufactured

– Unauthorised software and data are not loaded into the product

Ongoing Support

What is the support policy?

Are the devices patchable?

EOL policy – revocation, kill switch?

Is a vulnerability policy in place?

Is a security notification process in place?

Help is available for you

See https://iotsecurityfoundation.org/best-practice-guidelines/

RELEASE 1.0

Executive Steering Board

Prof. John Haine, Chair, University of Bristol

Prof. David Rogers, CEO, Copper Horse Solutions

Prof. Ben Azvine, Global Head of Security Research and Innovation, BT

Prof. Kenny Paterson, RHUL

Ken Munro, Partner, PenTest Partners

Dr. Steve Babbage, Chief Cryptographer, Distinguished Engineer, Vodafone Group

Haydn Povey, CEO, Secure Thingz

John Moor, MD, IoT Security Foundation

Majid Bemanian, Director Segment Marketing, Imagination Technologies

Richard Marshall, Managing Consultant, Xitex Ltd.

www.iotsecurityfoundation.org

SECURITY FIRST: Designed in at the start

FIT FOR PURPOSE: Right-sized for application

RESILIENCE: Through operating life

Thank You!
