20/03/2017 Public 1
Addressing the Wicked Challenges of IoT Security
John Moor
21/03/2017 2
Caveat Emptor
The IoT Security Journey: observation, insight and action
$: The economic impact of the Internet of Things will be measured in $trillions.
∑: The number of connected devices will be measured in billions.
∞: The resultant benefits of a connected society are significant, transformational and disruptive.
IoT: What more can be said?
Bletchley Summit: we can’t carry on like this
The Reality of the Digital Trend
What’s The Big Idea?
IoT security is a “Highly Distributed Moral Responsibility”
– We must all accept accountability
– In the global interest
SUPPLY CHAIN OF TRUST DUTY OF CARE
– Producers
– Integrators
– Procurers
– Retailers / Users
– Governments and Citizens
What’s new with the IoT security challenge?
It’s all the same…
– apart from the players (supply chains) and the markets and the scale, and the scope (operating / regulatory environments), potential for physical harm, headless, constrained, coordinated patching, and, and, and…
IoT concept at odds with security
– Complexity/provenance ~ Long and porous borders
The ugly truth about being cyber-secure
– You cannot win – you can only ‘not lose’
What’s new with the IoT security challenge II?
Dynamic context: Convergence IT/OT/Emb
– Differences in knowledge, reporting structures, cultures, demographics, skills, technologies etc.
Reasonable Expectations
– Should we expect all developers to be security experts?
– Should we expect users to be infallible?
Assertion: Best practice security needs to be consumable for developers and convenient for users
– Cost and Complexity are our enemies
Machina Research, IoTSF 2016 Annual Conference
Beyond the horror stories: the IoT Security Foundation was launched on Sept 23rd 2015 in response to wide-ranging security concerns from IoT stakeholder groups
Introducing the Internet of Things Security Foundation
Simplified mission statement:
“Drive the quality and pervasiveness… of IoT security”
“Make it safer to connect in the era of IoT”
How we are (currently) organized
Members
Plenary Group
Executive Steering Board
Working Groups
Working Group 1: Self-Certification
Working Group 2: Connected Consumer / Home
Working Group 3: Patching Constrained devices
Working Group 4: Vulnerability Disclosure
Working Group 5: IoT Security Landscape
Priority Working Groups Chaired by:
Working Group Formed: Trustmark / Regulatory
Executive Steering Board
Majid Bemanian, Imagination Technologies
Prof. John Haine, University of Bristol
Prof. David Rogers, Copper Horse Solutions
Prof. Ben Azvine, BT plc.
Prof. Kenny Paterson, Royal Holloway, University of London
Ken Munro, PenTest Partners
Dr. Steve Babbage, Vodafone Group
Haydn Povey, Secure Thingz
John Moor, IoT Security Foundation
Richard Marshall, Xitex Ltd.
Prof. Paul Dorey, CSO Confidential
Dr. Stephen Pattison, ARM
Members
See https://iotsecurityfoundation.org/our-members
88 members, large and small, and growing…
Doubled in 2016
Low Cost Membership / High Value Activity
Best Practice Guides
See https://iotsecurityfoundation.org/best-practice-guidelines/
Free to download and use
More to come…
IoT Security Compliance Framework
RELEASE 1.0
What’s ahead for IoTSF?
Expansion
Home
Situation Now and for 2017…
Moveable feast
Know your enemy
– Attribution blurring
– Crime-as-a-service
2017 attacks
– Weaponisation
• More DDoS
– Ransomware
• Consumers and Citizens
Legacy systems challenge
– IIoT / Vulnerability shields
Footnotes – a few words on…
S/W integrity / agility
Patching constrained X
PKI too heavy for IoT?
Authentication methods
– Passwords, MFA
– Immutable ID
ML
Blockchain, Quantum
Regulation / Certification
GDPR? DSO + $$
The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.
(industry average 15-50 bugs for every 1000 lines)
PKI: System to manage digital certificates and public key encryption
Final word
https://iotsecurityfoundation.org
@IoT_SF
In this hyper-connected, increasingly software defined, digital world, security is a right, not a nice to have
…make it safe to connect