The Challenges of Securing the Internet of Things (IoT) at Scale

Transcription

1 The Challenges of Securing the Internet of Things (IoT) at Scale Ulf Lindqvist, Ph.D. Program Director, SRI International Chair, IEEE Computer Society s Technical Committee on Security and Privacy Vice Chair, IEEE Cybersecurity Initiative March 16, 2016

2 The Evolution of Connected Things

3 An Unprecedented Scale of Connected Devices By 2018, 10 billion connected devices with no keyboard, no mouse, small or no Screen

4 Today s Future Tech is Tomorrow s Legacy Smartphones Hardware lifetime: 2 years Very frequent interaction with human user Vulnerabilities are managed with frequent software updates IoT devices Hardware lifetime Implanted medical devices: 3-7 years Home appliances: 5-10 years Cars: 10 years Smart meters: >15 years Building sensors: >20 years Limited or no interaction with human user Lack of consistent updates leave devices vulnerable

5 Technology Management Challenges For Industrial Control Systems, we identified a cultural and organizational gap between OT and IT management For the Internet of Things, it can be unclear who is responsible for managing a deployed device The manufacturer The vendor The person/organization who deployed it The cloud/comms provider The user?

6 Security is About Separation Separate the good (authorized) from the bad (unauthorized) Types of separation Physical Logical Cryptographic BUT: Separation is counteracted by the trend to connect everything to everything else Image credit

7 What We Are Doing for IT Will Not Work for IoT Security for today s IT systems depends on Frequent patching Secure configuration Add-on security products Monitoring threat and vulnerability scanning Filtering firewalls, application whitelisting Authentication and access control How much of that can we do effectively and reliably for the distributed autonomous limited-resource devices that make up The Internet of Things?

8 The Time Is Now! IoT security and privacy is critical IoT directly impacts everyone all of the time from public infrastructure to personal wearables IoT security and privacy is especially challenging Developers and integrators lack the knowledge, experience, and standards to provide security and privacy Operating systems, software stacks, and development tools are less mature than web, enterprise, or mobile IoT devices have long life-cycles There is a small and rapidly closing window to grasp the opportunities of IoT in a way that maximizes security and minimizes risk NSTAC Report to the President on the Internet of Things, 2014

9 Safety Requires Security and Privacy Improved health and safety are the main drivers for connectivity and functionality in applications such as vehicles and medical devices BUT that trend also creates vulnerabilities When our health and safety depend on the correct function of an IoT system, security is essential Without security guarantees, there can be no safety guarantees because a compromise of security could manipulate or disable any function including safety-critical controls Privacy violations that let criminals learn the location, habits, or medical information about victims also constitute threats to safety

10 Focus: Help The Developers Make IoT Secure SRI s vision for its strategic initiative: Sustainably Trustworthy IoT Provide IoT developers and integrators with usable and effective tools and methods for building secure and maintainable IoT systems IEEE Cybersecurity Initiative cybersecurity.ieee.org Document: Avoiding the Top Ten Software Security Design Flaws Starting new conference on security for developers Early November 2016, in Boston, MA area See initiative website for updates

11 Immediate R&D Opportunities The U.S. Department of Homeland Security is providing funding for startup companies via Other Transaction Solicitation HSHQDC-16-R-00035, Securing the Internet of Things Detecting IoT Components and Connections Authenticating IoT Components Updating IoT Components SRI is looking for visiting students and researchers Menlo Park, California Arlington, Virginia (Washington DC) New York City

12 Thank You Headquarters 333 Ravenswood Avenue Menlo Park, CA Princeton, NJ 201 Washington Road Princeton, NJ Additional U.S. and international locations 12