#RSAC
SESSION ID: SBX1-R05
Tactical Survival Tips: Internet of Things (IoT) Systems
Brian Witten
Senior Director, IoT, Symantec Corporation
@WittenBrian
How to Protect Connected Things
IoT betters our lives in countless ways…
Already 20 Billion Microcontrollers (MCU) annually; 5 Billion connected today, 20 Billion by 2020.
Verticals: Smart Cities, Consumer Electronics, Medical Devices, Connected Cars, Digital Factories.
Quick History of Actual Events
Pipeline, Steel Mill, Critical Infrastructure, Power Grid, Cars, Hospitals
Multi-Kiloton Pipeline Explosion
Steel Mill Blast Furnace Damaged
Cars: Digitally Stolen, Remotely Crashed
Hospitals Breached via Medical Devices
National Scale Power Grid Crashed
Hundreds of Critical Infrastructure Sites
What changed?
PC / Datacenter Era: security most easily delivered by disk or by download.
IoT / Cloud Era: security must be integrated by design to be effective.
Information Technology (IT) vs. Internet of Things (IoT)

Dimension                | IT                                             | IoT
Hardware/OS supply chain | All verticals have the same supply chain       | Fragmentation: each vertical has a different supply chain
Protocols                | "3" (mostly UDP, TCP, IP)                      | Thousands of protocols (hundreds in each vertical)
Operating Systems (OS)   | "5" (mostly Windows, Linux, OSX, iOS, Android) | Dozens (heavily fragmented by vertical)
Chipset Architectures    | "2" (x86 and x64 by Intel and AMD)             | Many (8/16/32/64 bit, AVR, ARM, MIPS, over 12 vendors)
Internet of Things (IoT) Cornerstones of Security
Protect the Communications / Protect the Device / Understand Your System / Manage Devices
Layers: Cloud/Data Center, Gateway, Devices & Sensors
Protect the Communications
What's needed?
Required: Authentication
Helpful: Encryption (Note: signing "objects" can avoid the decrypt/re-encrypt burden)
Certificates: Over a billion IoT devices chain to a world class Certificate Authority (CA)
Roots of Trust: IoT "Roots of Trust" can help identify foreign devices
Crypto Libraries: Several good open-source and commercial options
Device layers: Devices & Sensors: Hardware, Operating Systems, Embedded Software
Can extremely constrained devices do meaningful security?
Benchmark: ECC/ECDSA 256 (price points shown on the slide: $0.25 and $0.50)

Chip class                | Specs                      | ECDSA-256 time | Battery life
Early 80's grade chip     | 8 bit, 8 MHz, 2 k SRAM     | 25 seconds     | AA battery: 20+ years
Leading 10-year-old chips | 16 bit, 16 MHz, 30 k SRAM  | 3 seconds      | AA battery: 20+ years
Current 32 bit chips      | 32 bit, 84 MHz, 30+ k SRAM | 150 ms         | AA battery: 20 years
Protecting Devices (Boot Time)
Never run unsigned code.
Never trust unsigned configuration data.
Never trust unsigned data. (Period.)
Provide run-time protection for each device.
Protect the Code that Drives IoT, from the pre-boot environment up:
A. Device Drivers
B. Network Stack
C. Operating System
D. Primary App
E. Crypto Libraries
F. Network Monitor
G. Settings
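Added example (not code from the deck or from Symantec) showing the two ideas above together: the "sign the object, not the channel" note from the communications slide and the three boot-time rules. It uses Go's standard-library ECDSA on P-256, the curve the benchmark slide names; the SignedObject format, its field names and the sample payload are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedObject (hypothetical format) wraps anything a device consumes: firmware,
// config or data. Signing the object lets it cross gateways in the clear unchanged.
type SignedObject struct {
	Kind    string // "firmware", "config" or "data"
	Payload []byte
	Sig     []byte // ASN.1 ECDSA P-256 signature over digest(Kind, Payload)
}

func digest(kind string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(kind))
	h.Write([]byte{0}) // separator: a signed config must never verify as firmware
	h.Write(payload)
	return h.Sum(nil)
}

// Sign runs on the release side; the private key never reaches a device.
func Sign(priv *ecdsa.PrivateKey, kind string, payload []byte) (SignedObject, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(kind, payload))
	if err != nil {
		return SignedObject{}, err
	}
	return SignedObject{Kind: kind, Payload: payload, Sig: sig}, nil
}

// Verify is the loader-side check against the device's baked-in root key. An empty
// signature fails to parse, so unsigned objects are refused by the same path.
func Verify(pub *ecdsa.PublicKey, obj SignedObject) error {
	if !ecdsa.VerifyASN1(pub, digest(obj.Kind, obj.Payload), obj.Sig) {
		return errors.New("unsigned or invalid: altered payload, wrong kind or wrong signer")
	}
	return nil
}

func main() {
	root, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed root key
	obj, _ := Sign(root, "config", []byte("sample_rate=10"))
	fmt.Println("signed config verifies:", Verify(&root.PublicKey, obj) == nil)
}
```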
Protecting Devices (Run Time)

Traditional Approach: Malware Blocking | Whitelisting Behaviors: Sandboxing
Ineffective on zero-day                | Effective on zero-day
Ensures self-protection                | Protects OS critical resources
Customization or separate product      | Protects applications from each other
Large footprint                        | Small footprint
Signature based                        | Behavior / policy based
Internet access required               | No internet access required
Reactive                               | Proactive
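An added example, not the presenter's code, of the right-hand column next to the left: a behavior allowlist (default deny, no signatures, no Internet access) and a hash blocklist evaluated over the same constructed device events. The process names, hash placeholders, hosts and policy entries are invented for illustration.

```go
package main

import "fmt"

// Event is one observed action by a process on the device (constructed telemetry).
type Event struct {
	App    string // process name
	Hash   string // hash of the binary that performed the action (placeholder values)
	Action string // "exec", "connect" or "write"
	Target string // file path, or host:port for connect
}

// Policy is the allowlist: per app, the exact "action target" pairs it may perform.
// Anything not listed is denied, so never-seen behaviour is blocked without a
// signature and without Internet access.
type Policy map[string]map[string]bool
func (p Policy) Allows(e Event) bool {
	return p[e.App][e.Action+" "+e.Target]
}

// Blocklist is the traditional approach: hashes of known-bad binaries.
type Blocklist map[string]bool

// Classify reports whether each approach would block the event.
func Classify(p Policy, b Blocklist, e Event) (sigBlocked, policyBlocked bool) {
	return b[e.Hash], !p.Allows(e)
}

// GatewayPolicy is a constructed allowlist for a hypothetical sensor gateway.
var GatewayPolicy = Policy{
	"sensor-agent": {"connect collector.example:8883": true, "write /var/lib/sensor/state": true},
	"updater":      {"connect updates.example:443": true, "write /boot/staging": true},
}

var KnownBad = Blocklist{"h-known-malware": true} // placeholder hash

// Events is a constructed stream: normal traffic, a known sample, and two behaviours no signature exists for.
var Events = []Event{
	{"sensor-agent", "h-agent", "connect", "collector.example:8883"}, // sanctioned
	{"dropper", "h-known-malware", "exec", "/tmp/dropper"},            // known sample
	{"sensor-agent", "h-agent", "connect", "203.0.113.9:4444"},        // agent acting outside its policy
	{"unknown-bin", "h-never-seen", "write", "/boot/staging"},         // unknown binary writes to boot
}

func main() {
	for _, e := range Events {
		sig, pol := Classify(GatewayPolicy, KnownBad, e)
		fmt.Printf("%-12s %-7s %-24s signature-blocked=%-5v policy-blocked=%v\n", e.App, e.Action, e.Target, sig, pol)
	}
}
```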
Internet of Things (IoT) Cornerstones of Security
Protect the Communications: Authentication
Protect the Device: Boot Time, Run Time
Understand Your System / Manage Devices
Layers: Cloud/Data Center, Gateway, Devices & Sensors
Safely & Effectively Managing IoT Devices
Why update devices? Industrial Systems: 19 years on average. Vulnerability Discovery Rate (Linux): 3 days.
Granular Updates Save Battery & Bandwidth (figures on the slide: 200x and 2,000x).
"Build it Right Once" (Use it for Both General & Security Management): General & Security Telemetry; Functionality & Security Updates; Configuration Changes; Diagnostics & Remediation; Network Access Control (NAC); Credentials/Permissions, Policies.
… Build in Over The Air (OTA) updates from the start.
Understand Your System: To Detect Strategic Threats
No matter how well you do everything else, some threats will still get past even the best defenses.
Detecting such threats requires a strong understanding of what your network "should" be doing.
Machine learning (ML) distills models of "normal" that can run in compact Single Board Computers (SBC).
Some ML can "learn" in resource-constrained gateways and small SBCs to detect anomalies specific to particular networks.
Such IoT Security Analytics are crucial in finding advanced threats.
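Added example (not from the deck) of the kind of compact "model of normal" a gateway or SBC can learn from its own flow records and then score new flows against, flagging unknown devices, never-seen destinations and volume outliers. The device names, destinations and byte counts are constructed.

```go
package main

import "math"
// Flow is one connection summary as the gateway sees it (records are constructed).
type Flow struct {
	Device string
	Dst    string  // destination host:port
	Bytes  float64 // bytes carried by the flow
}
// Baseline is the compact model of "normal" for one device; small enough for an SBC.
type Baseline struct {
	Peers         map[string]bool // destinations seen during training
	N, Sum, SumSq float64         // running stats of bytes per flow
}
// Z is the z-score of x; stddev is floored at 1 so constant training cannot divide by 0.
func (b *Baseline) Z(x float64) float64 {
	mean := b.Sum / b.N
	std := math.Sqrt(math.Max(b.SumSq/b.N-mean*mean, 0))
	return math.Abs(x-mean) / math.Max(std, 1)
}

// Learn builds one baseline per device from a window of known-good flows.
func Learn(train []Flow) map[string]*Baseline {
	models := map[string]*Baseline{}
	for _, f := range train {
		m := models[f.Device]
		if m == nil {
			m = &Baseline{Peers: map[string]bool{}}
			models[f.Device] = m
		}
		m.Peers[f.Dst] = true
		m.N, m.Sum, m.SumSq = m.N+1, m.Sum+f.Bytes, m.SumSq+f.Bytes*f.Bytes
	}
	return models
}

// Score returns "" for a normal flow, otherwise the reason it is anomalous.
func Score(models map[string]*Baseline, f Flow) string {
	m := models[f.Device]
	if m == nil {
		return "unknown device"
	}
	if !m.Peers[f.Dst] {
		return "new destination " + f.Dst
	}
	if m.Z(f.Bytes) > 3 {
		return "volume anomaly"
	}
	return ""
}
```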
Internet of Things (IoT) Cornerstones of Security
Protect the Communications: Authentication
Protect the Device: Boot Time, Run Time
Understand Your System: Embedded Analytics
Manage Devices: Updates, Policies
Layers: Cloud/Data Center, Gateway, Devices & Sensors
Agenda
Define a Simpler Framework for Building Security Into IoT Things
Practical Example (2 slides)
Tips & Tricks for Companies Leveraging (not Building) IoT Things
Automotive Threats: A Quick Refresher
Copyright © 2014 Symantec Corporation
Copyright © 2015 Symantec Corporation
(Architecture simplified for presentation.) Diagram components: TCU (RTOS, GSM modem); IVI (RTOS); GWC gateway chip; BCM, ECU and other modules (xxM) on CAN1 and CAN2; OBD2 port, UBI device, GSM modem.
Threat vectors on the diagram: Cellular (IP & GSM); Physical Tampering; Other Wireless (BT & WiFi); Supply Chain.
Vulnerabilities Announced This Summer: Unauthenticated Commands; Unauthenticated Connections; No IP Port/Protocol Restrictions; Inadequate Code Signing; Potential Memory Corruption Vulnerabilities; Vulnerable Browsers/Apps; Vulnerable Modems; Unauthenticated Bus.
Glossary: TCU: Telecommunications Unit; IVI: In Vehicle Infotainment; RTOS: Real Time OS; ECU: Engine Control Unit; BCM: Body Control Module; xxM: Other Modules; CAN: Controller Area Network; CAN1/2: Hi, Med, Lo Speed CAN; GWC: "gateway chip"; OBD2: On Board Diagnostics port; UBI: Usage Based Insurance; GSM: Global System for Mobile Comm's, aka "a modem".
Cornerstones of Security: Automotive Vehicles
Authenticate Comm's: Embedded (in-vehicle), Global
Protect Each Module: Code-Signing (Boot Time); Host-Based (Run Time); Compiler Based (No-OS)
Manage Devices: OMA DM, SCOMO
Security Analytics
Related standards and programs: CAMP VSC3, HIS SHE, EVITA HSM
Business Constraints:
-- Consumers won't pay for security they "assume"
-- OEM & Tier 1 Suppliers: extremely thin margins
-- Security $ must be < "few %" of any car/module
Glossary: CAMP: Crash Avoidance Metrics Program; VSC3: Vehicle Safety Comm's; HIS: Hersteller Initiative Software; SHE: Secure Hardware Extensions; EVITA: E-safety Vehicle Intrusion Protected Applications; HSM: Hardware Security Module; OMA DM: Open Mobile Alliance (OMA) Device Management (DM); SCOMO: Software Component Management Object.
(Same vehicle architecture diagram and module glossary as the previous slide.)
Tips & Tricks: LEVERAGING IoT Devices
Requirements -> Products -> Suppliers -> Buyers

Products             | Suppliers               | Buyers
Medical Devices      | Medical Equipment       | Hospitals
Industrial Equipment | Manufacturing Equipment | Plant Owners & Operators
Automotive Modules   | Automotive              | Automakers
IoT Security “Recipe”
Protect your devices: [ (high assurance boot) + (runtime protection) ]
Protect communications: design in strong authentication mechanisms
Manage your devices: build in update mechanisms for granular updates
Understand your system: leverage analytics to catch strategic threats
Strong Foundations Cover All Four IoT Security Cornerstones!
Apply What You Have Learned Today
Owners/Buyers of IoT Things:
Next week: meet with your Procurement team to begin adding security requirements to all RFPs for equipment and/or component suppliers.
Next quarter: start educating other stakeholders on what it means to "build security into these things."
Next year: refuse to buy equipment without adequate security.
Makers / Builders / Vendors of IoT Things: Ensure you adequately cover all four "cornerstones" of security for your Things!
Thank You
[email protected]
Internet of Things (IoT) Security Reference Architecture: www.symantec.com/iot