Security for the Internet of Things Moderated by: Robin Duke-Woolley Founder & CEO Beecham Research Sponsored by: Syed Zaeem Hosain Chief Technology Officer Aeris 16 December 2016
Security for the Internet of Things: Introduction Robin Duke-Woolley Beecham Research Ltd. December 16th, 2015
The Ubiquity of M2M Source: Beecham Research
Research Approach M2M: Focusing on specific business process DATA
IoT: From Applications to Spaces. Umbrella concepts such as smart city, smart hospitals, smart factory, smart farming, smart vehicles. [Figure: IoT Solutions, with labels Data, Interaction, Understanding, Control, Insight]
Beecham Research IoT Threat Map
IoT Solutions bring security complexity
IoT Solutions bring interface proliferation Future IoT applications must break silos (Multi Sector solutions) Increases in Internal interfaces and associated vulnerabilities VARYING SECURITY vs THREAT LEVELS VARYING SECURITY vs ECONOMICS Variations between Service Sectors OR sooner, SUB SECTORS
Securing the Internet of Things December 16, 2015. Syed Zaeem Hosain ( Z ), CTO, Aeris. Syed.Hosain@aeris.net, Twitter: @AerisCTO
Agenda (What we will cover): Who is Aeris; Overview of Security; M2M and IoT Requirements; Future Thoughts; Q & A
About Aeris Overview Company M2M / IoT services HQ in Silicon Valley, CA Services since mid-1990s Our Customers Enterprises deploying M2M Connectivity to / from Devices Analytics business actions Solutions The Numbers Optimized M2M / IoT platform Connectivity to Application enablement Neo Rapid M2M deployment Global M2M / IoT services, CDMA, GSM, and LTE 99.995% infrastructure reliability 500 Million+ messages per day
Aeris Markets & Services Global solution for M2M and IOT markets Multi-technology Services for M2M / IoT Markets Healthcare Telematics Consumer Auto Monitoring & Control Point of Sale Utilities Platform Application enablement Connectivity enablement Provisioning / Activation Real-time information Alerts & alarms Billing & reporting Account-level NOC support Device / IP session control Data & voice connectivity Cellular Global services 500+ carriers 2G / 3G CDMA and GSM 4G LTE
IoT Optimized Platform Full solution stack for M2M and IoT Applications
Security is a Complex Issue: There isn't a single solution for all needs
Security Risks Can Be... (Must set expectations correctly)
Recognized and understood: The implementation can plan correctly from the start.
Detected and resolved: Quickly and efficiently.
Managed and controlled: Reliably, with confidence in the security methods.
But never completely eliminated! We must not expect perfectly secure IoT applications.
Balance Security for Objectives: What is secure enough?
Authenticated sender & receiver: Is correct device transmitting? Is correct server receiving?
Sender and receiver accessible: Always accessible when needed. Reliability of connection is essential.
Trust in the data content: Device transmitted data correctly? Device received control messages?
Confidentiality of information: Only intended recipients get data. No access by anybody else.
Increased Security: Complex Solutions, Reduced Risk, Longer time to market, Higher up-front Costs.
Reduced Security: Easy Deployment, More Vulnerable, Simple to Manage, Lower Initial Costs.
IoT Risk Management Points: Bi-directional data chain, messaging and control
Source: Sensors, Smart Devices, Hybrid Tech, Gateways.
Transport: Short-Range (ZigBee, WiFi, etc.), Medium-range, Cellular, Low-power RF, Long-range, Satellite, Non-wireless.
Network Infrastructure: Identity Mgmt, Provisioning, Authentication, Authorization, Access Control, Information, Control Messages, Data Transport.
Data Connections: Internet, VPN, Point-to-Point, Other.
Host Systems: Servers, Corporate network, Access Control.
Recipient: Humans, Processes, Automation.
Assess Impact: Every element in the data chain is subject to risk. Is only the element affected, or more? Understand access points and design for threats.
Impact and Affected: Make the security trade-offs with up-front knowledge and planning
[Matrix: Few Affected to All Affected, against Little to No Impact to Maximum Impact]
No Impact: All Affected, No Impact; Many Affected, No Impact; Some Affected, No Impact; No Security Problems.
Nominal Impact: All Affected, Nominal Impact; Many Affected, Nominal Impact; Some Affected, Nominal Impact; Few Affected, Nominal Impact.
Serious Impact: All Affected, Serious Impact; Many Affected, Serious Impact; Some Affected, Serious Impact; Few Affected, Serious Impact.
Major Impact: Wide-Spread Damage; Many Affected, Major Impact; Some Affected, Major Impact; Few Affected, Major Impact.
Applications: Make security implementation trade-offs with knowledge. [Chart: applications placed on the axes Few Affected to All Affected and Little to No Impact to Maximum Impact: Simple Data; Financial Institutions & Commerce; Telematics; Medical Devices; Food & Water Supply]
Vulnerability Short-range threat could be privacy issue or more Source: Rutgers University Source: Bloomberg.com
Unique M2M & IoT Security Issues: Yes, similar to other fields, but also different
Scaling: Millions of devices means total impact of compromised devices could be high.
Longevity: M2M devices stay deployed for a long time, with impact for years.
Automation: Simplistic responses to compromised data could cascade into problems.
Regulations: M2M and IoT regulations not in place or playing catch-up.
Standards: Architectures, incorporating security from the start, are being developed.
Devices: Scaling. Large numbers of deployed devices
Scaling Identity Management: Provisioning & management of billions of devices. Multiple technologies, applications and capability. Authentication for presence on network(s). Authorization for services accessed.
Compromised Devices: Difficult to replace, [often limited] human access. Smart devices with more impact on rest of chain. Content security has privacy & regulatory impacts. Common operating systems: known weaknesses.
Devices: Longevity. Plan for the future
IoT Devices Active for Long Life-cycles: Often operating continuously 24/7 for years. Compromised devices could transmit in future. Access to fix device issues not always easy. Application servers must be backward compatible.
Planning for the Future is Essential: Remote device update capability is critical. Developers must design for end of life. Hardware and software reliability is vital. Faster technology change is the norm.
Some Final Thoughts: Present and future
Security issues could be barrier to IoT adoption: Trust in the applications and the data is important. Prevention, detection, response and resolution are essential.
M2M & IoT security still an afterthought today: Better to architect and design for best outcomes, particularly for highly impactful applications.
Who owns the information? Data from IoT applications may be private or public. Unclear ownership of information in data mashups.
Is Privacy dying? Generational differences: social media driven. Desensitization: widely-reported security breaches.
Thank you! Beecham Research: www.beechamresearch.com Aeris Communications: www.aeris.com IoT M2M Council: www.iotm2mcouncil.org Syed.Hosain@aeris.net +1 (408) 557-1905, twitter: @AerisCTO
Security for the Internet of Things: Thank you for Joining Us! Although the live event is over, you may access the webinar recording and PDF download of the slide deck anytime until June 16, 2016. The webinar recording and downloadable slide deck will be available approximately 48 hours after the live event at www.iotm2mcouncil.org. Join us for the next IMC Webinar: Managing the Grid: IoT Makes Energy Smarter, Cheaper, Safer, 28 January, 2016. This webinar will cover the deployment of IoT/M2M technology in the plethora of applications commonly referred to as the Smart Grid, including: the home as gateway integrating smart devices, including EVs with DC fast-charging; demand response encompassing distributed energy resources, cost recovery, energy storage, and renewables; getting vulnerable, low-income consumers onto the grid; and updates on grid stability/security and the regulatory framework. More information is available at www.iotm2mcouncil.com.