Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
IoT Security Patterns Mark Benson, CTO @markbenson IoT Stream Con, 23 April 2015
The IoT opportunity Recent Economist survey: Expect their company to be using IoT within 3 years “IoT is our single bigges...
The Internet of Things? More like the Internet of Attack Vectors • Attack surfaces are expanding rapidly • Physical access...
1. Resource constraints MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP TLS/TCP HTTP App Data...
2. Deployment topologies Gateway IoT Cloud Gateway On-prem Gateway IoT CloudOn-prem Gateway IoT CloudOn-prem Analytics Ana...
3. Usage modes • Device cloud registration * Secure authentication * Secure API transports * Secure storage Initialization...
Usage Modes Sim ple NovelStandard D eploym entTopologies C om plex Resource Constraints High Low The IoT security problem ...
The 4th dimension: time Now we have a Tesseract The difficulty with IoT security is that the landscape is constantly chan...
The web you should be weaving Secure processes => secure products => secure brand integrity Security Requirements Planning...
Conclusion Takeaways: 1. Security processes. Have a security architecture from the beginning and evolve throughout (layers...
Thank you Mark Benson @markbenson
Upcoming SlideShare
Loading in …5
×

Internet of Things Security Patterns

394 views

Published on

Presented at Internet of Things Stream Conference 2015 in San Francisco by Mark Benson on April 2nd, 2015.

ABSTRACT: The growth of IoT is occurring at an incredible rate, justly raising alarms about security and privacy issues as we become increasingly reliant on these intelligent, interconnected devices in our lives and businesses. How are we to protect billions of devices from attacks and intrusions that could compromise our personal privacy, public safety, or business viability? Building an IoT solution involves securing sensors, devices, networks, cloud platforms, web applications, and mobile applications for diverse industries. This presentation examines the landscape of emerging security challenges posed by connected devices and offers a catalog of security deployment patterns that have been successfully used by some of the world’s most well known OEMs to deploy connected product fleets.

Published in: Technology
no profile picture user

  • Login to see the comments

Internet of Things Security Patterns

  1. 1. IoT Security Patterns Mark Benson, CTO @markbenson IoT Stream Con, 23 April 2015
  2. 2. The IoT opportunity Recent Economist survey: Expect their company to be using IoT within 3 years “IoT is our single biggest threat AND biggest opportunity over the next 10 years” – Brand-name fortune 500 board of directors *Source: ABI Research, Cisco, Craig Hallum Estimates 0 2 4 6 8 10 12 14 16 18 20 $0 $50 $100 $150 $200 $250 DevicesBillions Market SizeBillions Big Data Analytics (53% CAGR) Connected Device Platforms (33% CAGR) Platforms (33% CAGR) Application Enablement Platforms (32% CAGR) Value Added Services (26% CAGR) System Integration Services (24% CAGR) Hardware (23% CAGR) Connectivity (12% CAGR) Internet-connected devices (Cisco Estimate) 95%
  3. 3. The Internet of Things? More like the Internet of Attack Vectors • Attack surfaces are expanding rapidly • Physical access to systems is becoming easier • Consumer privacy concerns are rising • Consequences of a breach are becoming more severe (critical infrastructure, brand deterioration, data privacy issues, etc.) • Product companies are being forced outside of their comfort zones • Three dimensions that make IoT security challenging…
  4. 4. 1. Resource constraints MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP TLS/TCP HTTP App Data MAC/PHY IP DTLS/UDP CoAP Binary Data MAC/PHY IP DTLS/UDP CoAP Binary Data SensorMAC/PHY Binary DataRest Use Motion Motion Motion Use Use Use Rest Rest Enterprise Web Services IoT Data Platform Gateway or Aggregator Sensing Node Has moderate resource constraints Has severe resource constraintsDeals with resource constraintsHas virtually no resource constraints Network MAC/PHY Binary Data Network
  5. 5. 2. Deployment topologies Gateway IoT Cloud Gateway On-prem Gateway IoT CloudOn-prem Gateway IoT CloudOn-prem Analytics Analytics Sensors Short RF Gateways On-prem SW Long-haul Cloud Platform Analytics platform A. No cloud D. Closed network C. Multi-site E. Comprehensive B. Standard Local Display
  6. 6. 3. Usage modes • Device cloud registration * Secure authentication * Secure API transports * Secure storage Initialization Operation Modification Retirement1 2 3 4 • Secure flash * OTP parts * Secure boot * Secure provisioning • Secure firmware updates * Disable test/debug interfaces * Factory defaults fallback * Disable test interfaces • Secure change of ownership • Device de-registration process • Optionally reenable retired devices • Secure encryption key deletion Things to note about IoT usage modes that affect security: 1. Some modes are normal and standard solutions exist 2. Some modes are new and standards are still emerging 3. Some modes are becoming more vulnerable due to resource constraints
  7. 7. Usage Modes Sim ple NovelStandard D eploym entTopologies C om plex Resource Constraints High Low The IoT security problem area A. High resource constraints B. Complex deployment topologies C. Novel usage modes Mo’ IoT, mo’ problems
  8. 8. The 4th dimension: time Now we have a Tesseract The difficulty with IoT security is that the landscape is constantly changing, even after products are deployed Security should be designed for from the beginning and embraced as a journey throughout It starts with a process…Modes Topologies Constraints Time
  9. 9. The web you should be weaving Secure processes => secure products => secure brand integrity Security Requirements Planning Design Implementation Verification Validation Deployment Operations Risk Analysis Threat Modeling Secure Design Practices Security-Focused Design Reviews Secure Coding Practices Third Party Security Audit Security-Focused Testing User Testing to Expose Weakpoints Penetration Testing Secure Deployment Practices Operational Risk Assessment Incident Response Preparedness Vulnerability Management Training and awareness Information Security Management System (ISMS) policies, procedures, and compliance audits Corporate strategy, governance, metrics, and optimization
  10. 10. Conclusion Takeaways: 1. Security processes. Have a security architecture from the beginning and evolve throughout (layers, topologies, modes) 2. Technology selection. Start it from the beginning and evolve thoughout 3. Operations planning. How do you respond if/when a security incident occurs in the field. Use checklists – http://owasp.org/ – http://builditsecure.ly/ Embrace the journey
  11. 11. Thank you Mark Benson @markbenson

×