cyber security | worldwide | 2015i.crn.com/custom/security_for_the_internet_of_things... ·...

Cyber Security | Worldwide | 2015

Security for the Internet of Things - Market InSight -Worldwide

SITSI I Market Analysis I Market InSight

6

7

4

9

9

10

8

1414

18

19

19

18

33

12

16

22

Table of Contents

List of figures

Document information

Management summary

PAC's Opinion

PAC Recommendation

Why security the IoT?

Why will securing IoT be difficult?

Priorities

Key principles in securing the IoT

Privacy and other implications

IoT standards

Candidate standards initiatives

Opportunities for security and services providers from the IoT

Supply side analysis

Mapping the provider landscape

Key developments in the provider landscape

Leading SITS Players in IoT

About Pierre Audoin Consultants

SITSI I Market Analysis I Market InSight I Security for the Internet of Things I Worldwide I 2015 2

List of figures

Document information

Authors: Duncan Brown ([email protected])

Quality check: Mathieu Poujol ([email protected])

Publication date: 12.06.2015

Modification date: 12.06.2015

Scope ID: Cyber Security | Worldwide | 2015

Portfolio ID: SITSI I Market Analysis I Market InSight


The Internet of things (IoT) is at the very peak of its hype curve. But while the expectations are currentlyoutstripping reality, one thing is clear: security in the IoT will be paramount to its success.

It is the very nature of the IoT to be pervasive through all aspects of society. This means that, along withthe relatively trivial (inter-connected fridges and toasters), there are the most safety critical and personallysensitive applications imaginable. Get security wrong in this latter category and we could have a majordisaster on our hands.

The first thing, then, to say about security in the IoT is that the type and amount of security will dependentirely on the application in question. This may seem obvious, but it is important to maintain awarenessthat an even and equal degree of security throughout the IoT is neither achievable nor desirable. This hasimplications for the definition of standards, currently a fragmented and tortuous ongoing process ofdiscussion and debate (without much agreement).

The ecosystem of the IoT is vast, incorporating the traditional SITS players plus those from otherindustries, such as automotive, consumer electronics and industrial systems. Although the IoT is oftenexpressed as a horizontal technology – the Internet plus things (devices) – it is most likely to beimplemented in highly verticalised use cases. So connected car, connected home, and smart cities are alluse cases of the IoT. Each of these has a different supply chain ecosystem, different technical andsecurity standards, and will require different sets of partners. In fact it would not be wrong to say that thereis no such thing as a single Internet of things, but instead internets of related things.

It is important to understand that, at this stage in the IoT's development, there is much uncertainty as tothe rate of adoption in any particular market segment. However, such is the scale of the IoT that even inthese early days there are considerable opportunities for SITS providers, both in software and in theservices space, and security features in many of these.

What is the IoT?

Defining the IoT is tough. PAC has drafted an entire report on the variables of the IoT, and its likely impacton the SITS market, which is essential reading (see The Impact of the Internet of Things on SITSMarkets).

Importantly, the IoT embodies not just the Internet and “things” (devices, sensors, etc) but also services. Services will represent the core value that manufacturers will offer their clients in the future. A

Management summary


differentiating market positioning will no longer be achieved by features and functions, design or price onlybut also by additional services that are provided by manufacturers or third-party service providers after theinitial acquisition and at extra costs.

Security, data protection and privacy can be seen as essential services that make the IoT functional,reliable and trusted.


MAJOR GROWTH DRIVERS MAJOR OBSTACLES

The massive opportunity from IoT to improve quality of the

living, better health and social care, better control of

energy and food supplies, and so on

Data protection: most IoT involves the collection of

sensitive personal data, protectable under law. Thus

security underpins much of the IoT opportunity.

APIs: they are the cornerstone of IoT integration, but are

an real vulnerability for the IoT ecosystem. Secure by

design and APIs security are strategic focus

Partnerships: early in IoT development players have

recognized the necessity of partnering, and these

collaborations are driving market development.

Government initiatives: many governments are investing

in smart cities, healthcare provision and autonomous

vehicles, acting as incubators for IoT proof points.

Government-backed schemes are likely to have greater

security and/or privacy implications.

Privacy and data protection: the IoT requires data

protection and individual privacy, but this is hard to assure

given the scale of attack surface and amount of data

gathered to be distributed and stored securely.

Lack of standardization: IoT components need to work

together, requiring standards of data formats, transmission

protocols, operating systems, etc. Too many standards

initiatives exist, and standardization efforts are diluted and

duplicative.

Industry fragmentation: the supply chains and

collaboration ecosystems that IoT requires are still

forming, with multiple vested interests and weak alliances.

PAC's Opinion


FOR IT SUPPLIERS FOR IT USERS

Take a vertical market approach to building partnerships,

use cases and go-to-market collateral

Partner, partner, partner. You cannot do IoT by yourself.

The leading industry collaborations (and thus sources of

partnerships) are the IIC and the OIC, but also consider

other standards initiatives.

Avoid vested interest in standards. Collaborate on

standards, compete on performance and services.

The biggest opportunity in IoT will be in integration. It isn't

sexy or newsworthy, but it makes IoT work. Integration

across the IoT stack – from chip to data centre – is

fundamental to its success.

Start small. There is little benefit to planning a large-scale

IoT project from the outset. The technology is changing so

quickly that pilots, while proving concepts, will rapidly

become obsolete.

Don't neglect software application and APIs security.

Much focus will be on security of data, for privacy. But

most vulnerabilities will exist in the app layer, so apply

Security By Design principles from the outset.

Apply, don’t invent. We see many too user organisations

try to conceive new technologies and processes for IoT.

Leave that to the providers, who have the funds and

know-how to innovate. Your creativity is to be found in

new use cases for proven technology.

PAC Recommendation


Consider an IoT world without security...

The following are real examples of security failures in IoT.

Hacked cars: Researchers from a German motorist association demonstrated how they could interceptcommunications with BMW's ConnectedDrive and unlock the doors, using a fake mobile phonenetwork. Researchers also hacked a Toyota Prius’s steering and braking systems, and published areport on how hackable many modern cars are.Hacked heart monitors, as highlighted in an episode of Homeland, and which led to vice president DickCheney having the wireless connection to his pacemaker disabled.Hacked insulin pumps: security expert and diabetic Jay Radcliffe revealed flaws by hacking into his owninsulin pump.Hacked train systems: a Polish teenager hacked the Lodz tram system, causing a tram to derail.Hacked nuclear centrifuge: in 2010 the Stuxnet worm targeted Siemens supervisory control and dataacquisition (SCADA) systems, causing Iranian nuclear centrifuges to malfunction. Stuxnet’s design andarchitecture are not domain-specific and it could be tailored as a platform for attacking modern SCADAsystems. Stuxnet has already affected systems in the UK, France, Germany, Italy, Finland and Spain,according to Symantec.Hacked banking systems: there are multiple cases of ATM hacking over the past 20 years. There’seven an online manual with instructions. ATMs are vulnerable both to online and physical attacks (suchas via the keypad).Hacked retail systems: the now-infamous Target breach in 2013 manifested itself (ultimately) incompromised in-store cash registers. But the same “Backoff” malware has also affected numerousother retailers including UPS and Supervalu, a grocer.Hacked utility control systems: in 2014 the US Department for Homeland security confirmed that anunnamed public utility was recently breached by a sophisticated threat actor who gained unauthorizedaccess to its control system network.Hacked satellite networks: 10,000 satellite dish-based computer systems were compromised in 2013,exposing vulnerabilities to broadband Internet access to remote locations, and transmission of point-of-sale credit card transactions, SCADA and other narrowband data. Sky TV decoder boxes have alsobeen hacked and sold online.

It should be fairly obvious from the examples above why security underpins the operation of many aspectsof IoT. There is no category of IoT device that has not been successfully compromised in a cyber attack:everything from nuclear power plants to WiFi light bulbs have been hacked.

In addition, supply chain security issues are multiplied as the number of potential weaknesses tracks the

Why security the IoT?


number of connected devices. Any security system is only as secure as the weakest link in the supplychain: the longer and more complex the supply chain is, the more opportunity for failure.

But it is clear that securing the Internet of things is not a straightforward task.

The challenges in securing the Internet of things are many. The main barriers to success include:

IoT is complex, multifarious and heterogeneous;IoT operates at a massive scale, in the millions or billions of connected devices;IoT impacts the resilience of critical national infrastructure, by massively increasing the attack surface.IoT is highly connected, enabling the widespread transmission of security failings;IoT grows organically as new devices and device types are added to the network;IoT gathers and processes sensitive data, such as personal health information or critical systemsoperational data, and this has very high security requirements (and is also an attractive target).IoT systems are lightweight, with limited CPU, storage and broadband capacities that limit the way IoTcan be secured

Perhaps the biggest challenge to the security industry is in applying strong security principles to the IoTwithout slowing the pace of innovation and adoption.

Prioritisation of certain use cases within the IoT is essential, in order to focus attention on those systemsthat depend on security for continued and trusted functioning. Fridges and washing machines are of lessinterest than SCADA systems and heart monitors.

There will be no one-size-fits-all security solution. Instead we predict a multilayer approach – you needmore security on a nuclear power station then you do on a light bulb. The focus then should be on how toput strong security in (or around) important or protected devices.

A reasonable taxonomy of security priorities would appear to be:

High: People/animals will die if the system fails, or social order breaks down. Examples: utilities(Including water supply) , power generation and supply, certain transport systems, some logisticssystems, medical devices, moving vehicles.Medium: People and/or businesses will be inconvenienced or disrupted if these fail, and may escalateto high priority if not remediated quickly. Examples: Smart meters, personal health, predictivemaintenance, manufacturing production, navigation, rhinoceros ankle bracelet trackers, hotel roomdoors, building environment management systems.Low: Some minor annoyances and inconvenience. Examples: Retail shelf stock levels, individually-tracked SKUs (such as beer kegs), infotainment systems, personalised soda flavour dispensingmachines, cup cake dispensers.

Some prioritisation of Internet of things applications depends on personal value systems, preferences andprejudices. In addition, priority may quickly escalate if remediation of faults and failures does not happen

Why will securing IoT be difficult?

Priorities


quickly. Failure at scale also causes escalation: one train journey or failed ATM is annoying, an entirerailway signaling system or ATM network could cause social unrest and political backlash.

One of the main concerns with securing the IoT is just knowing where to start. Such is the breadth andscale of the IoT that the concept of there being a single security approach seems fruitless.

We think it is useful to pick apart the IoT and consider not a single Internet of things but multiple internetsof similar things, such as cars, transport infrastructure, aircraft engines, and so on. These internets mayalso be connected together, but more often will be separated logically and/or physically in order to reducethe technical and standardization challenges to a manageable level.

It’s important to remember that security of IoT is in principle the same as for any computer system. It hasthree core principles: confidentiality, integrity and availability (often referred to as the CIA triad). In IoTterms this means:

The data held on or transmitted by devices is only accessed by those systems, devices or people withthe authorisation to do so;The devices and other system elements are trusted and have not been tampered with;Devices are collecting, transmitting or delivering data as designed, and are resilient to failures (poweroutages, cyber attacks, etc.). This includes consideration of safety protocols when non-availabilityoccurs: do brakes default to On, and do doors default to Open or Closed, when a sensor fails.

Some devices cannot be fully secured themselves, due to resource constraints in memory and/orprocessing capacity. Therefore these need network-based security or some built-in encryption capability.Thus there may be dissociations between what one is securing and where that security is performed.

There is no relationship between the capacity of a device or sensor and its importance. Some devices willhave very limited capacity but be part of critical symptoms, such as a heat sensor on a nuclear powerplant cooling system. We expect to see many cases of embedding security in, or wrapping it around, lowcapacity but critical sensors.

Several frameworks propose a three or four tier architecture, such as Intel's Atlantic Ridge framework,thus:

Devices, including mesh networks that enable m2m communicationsIoT gateways that connect devices to the InternetNetworks that form the InternetBack-end systems, including analytics

Key principles in securing the IoT


We must not only protect IoT infrastructure but also protect the data gathered by IoT. The primaryrequirements for securing IoT are:

Some means of assuring the identity and integrity of legitimate devices, as well as validating the actionsof a device, or information processed or gathered - security at and of the deviceSome means of authenticating information as it is transported between other points on the network –security in and of the networkA means of protecting the data garnered from IoT devices that is held and managed centrally - securityof the data.Protection of the application level issues such as the APIs

An outstanding issue relates to the responsibility for securing the IoT. There is an obligation on the state toco-ordinate the protect of critical national infrastructure, but also on providers of critical nationalinfrastructure (financial services, transport, telecommunications, and so on) to actually implement securitymeasures.


One of the primary inhibitors of the IoT is the protection of personal data. The regulators are very activeacross Europe: the independent data protection advisory body, the Article 29 Working Party, haspublished an opinion on IoT, and most national data protection authorities have also opined on thesubject.

Essentially this is an issue of citizen acceptance. For example, municipal authorities may be legitimatelyinterested in understanding the waste disposal habits of citizens, for recycling purposes, but what wastegoes in what bins could also be used to monitor compliance with recycling rules, consumption patterns,household occupancy rates, and other personal information.

Another example is the tracking of energy and utility consumption by smart meters. Periodicity of waterusage at night, for instance, may indicate certain medical symptoms: insurance firms and pharmaceuticalcompanies may be interested in obtaining such information.

At the heart of this concern is a "could we?" versus "should we?" debate: citizens worry at a lack ofapplication of discretion.

The issue is, what is reasonable? It may be reasonable, for example, to track car journeys to managecongestion or to determine driving styles that affect insurance premiums. But it may be regarded asunreasonable to impose speeding finds on drivers as a consequence of the time taken to complete ajourney. Most countries in Europe have begun to consider such issues, but they are all several years awayfrom resolving these fundamental concerns. Cultural differences will undoubtedly play a part in localflavors of regulations.

The proposed General Data Protection Regulation (GDPR) has important implications for IoT with regardto data collection. Personal information gathered by IoT may include:

FinancialLocationalAn IP addressHealthMarital status and sexual orientationEducationDemographicsand so on.

While many proponents of the IoT state that such data will be held only in aggregated forms and

Privacy and other implications


appropriately anonymised it is possible to re-identify individuals by cross-referring datasets. This could bedone by accident or on purpose. Either way, data gatherers must ensure that data anonymised staysanonymised. Technologies such as format-preserving encryption and tokenization will be important here.

A key concern with IoT data is its ownership and how data controllers and processors intend to use it.Some citizens will be comfortable at the thought of government agencies holding data, but extremelyuncomfortable at the same data being held by private companies. In other cases, the oppositepreferences may apply. It is therefore important to have a broad and public debate, preferably before IoTtakes off at scale.


There are no agreed standards for IoT. There are, however, numerous candidate standards that arejostling for position. Inevitably, a variety of vested interests are present, as the scope and scale of IoTspans traditional IT ecosystems, specific vertical industry interests, operational technology supply chains,and country-based critical infrastructure concerns. The only thing that everyone agrees on is theassumption that IoT cannot fulfill its potential without a common set of agreed standards.

Standards formally focus on interoperability. But they must also "protect against cyber crime and nationalsecurity threats, and help to ensure that the system is trustworthy and trusted." All of the candidatestandards feature security prominently.

(Source: The Internet of Things: Making the most of the Second Digital Revolution, a report by the UKGovernment Chief Scientific Advisor.)

Industrial Internet Consortium (IIC) - focused on industrial systems, the IIC aims to influence and/ordevelop IoT standards for enterprise-orientated Internet-based systems. It is led by founding membersAT&T, Cisco, GE, Intel and IBM.Open Interconnect Consortium (OIC) - led by Cisco, GE Software, Intel, MediaTek and Samsung, theOIC now has over 50 members. Its focus is building a single set of open source standards covering IoTinteroperability across multiple vertical markets and use cases.ISO/IEC: The joint technical committee special working group (JTC1/SWG5) develops and facilitatesthe development of IoT standards for ISO/IEC. The SWG also collaborates with IEEE and the ITU.IEEE: The P2413 Draft Standard for an Architectural Framework for IoT is essentially a blueprint for IoTarchitectures. It does not provide technical details itself but rather a map for other standards to follow(although IEEE has plenty of its own technical standards).ITU: The ITU's global standards initiative on Internet of things (IoT–GSI) aims to be an umbrellaorganisation for IoT standards development worldwide. Its X.1255 ITU standard for devices and objectscould be a basis for IoT security. It involves the concept of Federated registries of identity. A draftrecommendation already exists. Study group 17 is responsible for security considerations at the ITU.OneM2M: A standards initiative designed to be applied cross-sector, members include Adobe, Airbus,AT&T, BT, Blackberry, Cisco, Fujitsu, Gemalto, IBM, LG, Oracle, Orange, Samsung and Verizon: itsmembership numbers around 200 leading worldwide vendors, as well as a number of industryassociations and universities. The set of standards under preparation include consideration of security

IoT standards

Candidate standards initiatives


and privacy aspects such as authentication, encryption and integrity verification.AllSeen Alliance: a consortium of over 70 members, it is led by Microsoft, Electrolux, Qualcomm andseveral Asian manufacturers such as Panasonic, Sony and Sharp. The Alliance is an offshoot of theLinux Foundation, and has delivered a framework and opens source software components that enablefundamental IoT activities such as discovery of adjacent devices, pairing, message routing andsecurity.Thread: A consortium led from Silicon Valley, it is led by Nest, acquired by Google. It would be wrong todismiss Thread as a start-up only initiative as it includes ARM and Samsung amongst its sponsors, butits membership is dominated by tiny firms from California. Thread’s focus is a mesh network based onIPv6 and aims to connect devices in the home.W3C: a recently announced (February 2015) collaboration with automotive manufacturers has resultedin an automotive working group within the W3C. Collaboration partners include GM, Jaguar LandRover, Mitsubishi, Porsche and Volkswagen, as well as GENIVI, an in-vehicle infotainment consortium,and OpenCar, an HTML5 application platform and toolkit developer.

There are also several transmission protocols emerging, such as CoAP (Constrained Application Protocol), ETSI SmartM2M, MQTT Message Queuing Telemetry Transport, and Lightweight M2M from the OpenMobile Alliance.

It is notable that several organisations are involved in multiple initiatives, in order to spread their influenceand hedge bets. This is sensible: no-one wants to back the losing standard exclusively.

It is also important to observe that standards will not be defined by governments. Governmentorganisations and agencies are investing in IoT research, typically in smart cities projects and to ensureinternational competitiveness, but they will follow standards established by the global industry players.


Multiple opportunities exist for IT services providers in IoT, many of which are still emerging. PAC thinksthat short-to-medium term opportunities exist in the following areas:

Services

Consulting: IoT is an emerging technology and concept that is a key component of DigitalTransformation. As such, consulting needs from business to technology are soaring and will beimportant.Integration: pulling all of the various and disparate infrastructure together into a cohesive andmanageable system. This is likely to be the largest, but least well-defined, opportunity for SPs.Risk assessment consulting, especially of those legacy systems that are newly being connected to theInternet. SCADA systems and ICS are likely candidates.Application security testing, either by using dedicated tools from the likes of Veracode, Checkmarx andHP (Fortify), or provided as a testing service service such as that from HP or Capgemini.Retrofitting security onto devices already in operation. Although the number of devices within the IoT isgrowing, many such devices are already deployed in the field, but not yet connected to the internet. Asthese systems become connected, and once a risk assessment has been done, we expect a significanteffort will be required to retrofit security onto, or surrounding, these devices.Device testing and certification. Currently many categories of network device require type approval andcertification: smart meters and card payment terminals are examples. As the number and type ofdevices increases we see opportunity to expand this business significantly.

Software

Behaviour-based anomaly threat detection. There are two broad types of anomaly detection systems:those that focus on user behaviour (such as RSA SilverTail and IBM Trusteer) and those that examinenetwork traffic (like Dark Trace and Lancope). Both will be applicable to IoT, though m2m trafficpatterns will be an important theme of interest for network anomaly detection systems.Solutions such as Unisys's Stealth or Akamai Site Shield, which effectively render Internet-baseddomains invisible to outside attackers.Real-time monitoring and eDiscovery of IT ecosystems and connected devices, such as Cavirin,vArmour and Guidance Software, which come with a selection of features such as dynamic assessmentof risk, policy violations, addition of new devices, and so on.Machine-readable big data, such as Splunk or AWS, which takes machine data from a wide variety ofsources such as GPS, RFID, sensors, security appliances, and so on. Correlation of events and alertsacross all of these types may then indicate anomalies within the system (or feed into behavioralanomaly detection systems).

Opportunities for security and services providers from the IoT


Real time SIEMS such as Prelude,Specialized IoT governance systems such as Sentryo or Alert Systems, that are non intrusive and thathave a deep integration with various IoT and M2M protocols.Providers across the ‘threat protection’ landscape (e.g. vulnerability assessment, threat detection,incident response, etc.) are targeting IoT as an opportunity to add greater value to their clients. Thismakes sense given that IoT will drive an expansion of the environment across which their propositionscan operate. BT, Symantec, FireEye, Qualys and many others already play in this broad area.Automated remediation of malware and other attacks (such as that from Guidance Software and HexisCyber Solutions) will be sought after in order to quickly limit damage and cross-infection across thenetwork.Manufacturing devices, sensors and applications that are trusted, using in-built security features.Examples are Arxan which verifies software as untampered and Intel's Enhanced Privacy ID (EPID) forimmutable hardware-based identity.


Player categories (and examples)

Supply side analysis

Mapping the provider landscape


We can’t overstate the importance of security in IoT. Security underpins IoT at its most basicfundamentals. Confidence in IoT will erode rapidly if devices fail, or betray trust.

What is clear, then, is that multi-party relationships and partnerships will be required, between those thathave device and network expertise, and those that have security expertise. Although some organisationsalready have capability across the IoT stack no-one has (or will have) a complete view and portfolio.

It is becoming apparent that new collaborations are emerging, beyond those typically pursued by SITSfirms. For example, SITS players will forge partnerships with chip/sensor manufacturers, industrial controlsystems providers, automotive manufacturers, and so on. It’s important for SITS firms to recognize theirplace in the value chain: they may hold the integration or security capability, but other players may ownthe customer relationship and will relinquish it only reluctantly.

SITS firms should also be aware that supply chains for vertical markets are very specific: the connectedcar supply chain is quite different to that for telehealth and telemedicine, or building management systems.Vertical market expertise is essential for IoT, no more so than in operational technology (OT). Thetechnical security needs are broadly similar across vertical markets; however the technical specifications(communications protocols, operating systems, chipset architectures, etc.) within vertical markets are veryspecific, and often proprietary.

SITS firms should also be prepared to engage a different buyer community for IoT. In many cases it won'tbe the CIO that buys IoT solutions, but the COO, the process manager or the production officer. Whileanalytics and data centre-based elements of a system will fall into the purview of the CIO, the IoT edge willbe firmly in the control of Operations and will often involve mission- or safety-critical systems.

IBM

IBM has been researching IoT for at least two decades in what it used to call its ‘Pervasive Computing’division, and has been waiting for the market demand to catch up with its vision. It already has some large“near” IoT deployment like Airbus A 380 shopfloor automation. The moment has arrived now, but with abundle of competitors all vying for position. Interestingly, in a departure from its early trials, IBM is not somuch interested in the end devices as the backend infrastructure and analytics these days. It has alreadydelivered IoT Foundation, a managed cloud-based service based on the Bluemix devops platform thatfacilitates application development and integration. In an app store-like interface developers can buildapps with a number of devices pre-integrated, including Raspberry Pi and chips/sensors from Intel, TexasInstruments, ARM and Arduino.

IBM has a broad security portfolio covering SIEM, GRC, endpoint protection, identity management, and soon. It also has a strong services capability in both project-based work and MSS.

SAP

SAP HANA Cloud Platform for the IoT builds on SAP’s existing data and application services, which include

Key developments in the provider landscape

Leading SITS Players in IoT


predictive analytics, telematics and geolocation. SAP’s IoT services include device management, IoTmessaging and IoT application enablement including data modeling, aiming to support cost-efficient andfast development, deployment and operation of solutions for IoT.

SAP offers a portfolio of IoT applications such as the Connected Assets solution, including the cloudedition of the Predictive Maintenance and Service solution, and Connected Logistics software, amongothers that leverage HANA Cloud Platform for the IoT. SAP is partnering with the API specialist Apigee tosolve security problems at this level.

SAP and Intel are collaborating to simplify, secure and scale the IoT for the enterprise. Intel provides ablueprint for industry-leading, interoperable IoT solutions. SAP is taking the complementary SAP HANAplatform in conjunction with the Intel blueprint to simplify IoT end-to-end deployments for enterprises. Thefirst step in the collaboration is a joint proof of concept (POC) to integrate the Intel IoT Gateway with theSAP cloud.

Symantec

Symantec, a security specialist firm, has a well-defined and active IoT vision. It is focused on five key usecases: connected car, industrial control systems, healthcare, point-of-sale devices & ATMs, and smartgrid/city. Symantec already secures critical systems such as ICS, and so is well-placed to extend reachinto IoT in this area: for example it provides the certificates for the UK’s national smart meter programme.It is also actively engaged with the ITU’s standards and discussion activities regarding the IoT.

Symantec has two go-to-market approaches: it goes direct to OEMs for embedding security into chips anddevices, in a Security By Design method; and it works through partners to retrofit security onto existingimplementations. Partnerships in the first category cover manufacturers of ATMs, cable modems andpoint-of-sale terminals. Channel and SI partners include Accenture and Wipro, but are expanding rapidly.It also works with SAP.

In January 2015 Symantec acquired the staff of Narus and licensing to its technology from Boeing. Narusfocuses on big data analytics in cyber security, just the type of capability required to analyse large volumesof machine-generated traffic for security compromises.

Intel/McAfee

Intel has a particularly interesting position in the IoT ecosystem. It is the primary supplier of microchipsthat range from tiny devices with small size and low power to large-scale data centres: from Quark toXeon, as it says. But it also has a global security capability with its McAfee acquisition, now rolled into itsIntel Security division.

On the chip side, Intel's EPID technology delivers guaranteed chip-based identity, coupled with privacyassurance. Intel is working with other chip manufacturers to implement EPID across non-Intel devices. InDecember 2014, Intel announced its Atlantic Ridge architecture, a multi-layer framework for IoT. Intel hasalso extended McAfee’s ePolicy orchestrator (ePO) to encompass both IT and operations technology(OT). Intel has also announced relationships with Accenture, Booz Allen Hamilton, Capgemini, Dell, HCL,NTT DATA, SAP, TCS and Wipro to develop and deploy solutions on its IoT platform. It also partners withGE and Siemens on ICS security implications, and is very active in the IIC and OIC.

Cisco

Cisco has been investing in what it calls the “Internet of Everything” for at least a decade. It sees its role asthe connecting glue between all of the world’s connectable devices. Although Cisco’s core productpositioning remains firmly based with network equipment, it also has a strong security play, enhanced inrecent years through several acquisitions (Sourcefire, ThreatGRID, etc.). Its positioning of the network as


the backbone of security is interesting: the network can act as an enforcer of security policy, as a sensor(of malware and/or breaches), and a "mitigation accelerator" in breach containment and remediationactivities.

Cisco’s product portfolio is expanding to support IoT: as well as a plethora of routers and switches it alsooffers application enablement (through its concept of Fog computing), and architecture managementthrough analytics, as well as its security portfolio.

Cisco is well-integrated into the IoT ecosystem: partnerships include Rockwell, Schneider Electric andHoneywell.

Apple

HomeKit is Apple’s home automation platform, which provides a standardised framework formanufacturers to enable home automation products to be controlled through Apple devices. As with itsapp store and iTunes ecosystems, Apple has invested substantially in creating an ecosystem of HomeKit-compatible manufacturers. Apple’s initial focus is on home security and home energy applications, But itcould easily be extended to other IoT use cases such as transportation (iPhone-controlled keyless entry)and healthcare (automated emergency services alerts created by an Apple Watch).

Apple has also launched HealthKit, This application allows users to track their steps, oxygen, sleep levels,and other health-related data sourced from Apple or 3rd party devices.

ARM

ARM has announced mbed, an operating system built around open standards to "bring internet protocols,security and standards-based manageability into one integrated tool" and make IoT deployment faster andeasier and thus speed up the creation of IoT-powered devices. The software also comes with its owncommunity, Mbed.org, which claims more than 70,000 developers using the platform. ARM also partnerswith IBM to channel data from internet-connected devices directly into IBM's Bluemix cloud platform.

Google

Google has unveiled an Android-based IoT operating system for developers called Project Brillo, in a bidto dominate the growing connected devices market. It is based on an Android kernel, which has minimalsystem requirements. Brillo is being pitched as a cross-platform IoT standard.

Google has also announced a common communications standard – Weave – and set of IoT protocolsalongside Brillo. Weave allows Nest and 3rd party devices to communicate together.

Google also has large stakes in IoT through its $3.2bn acquisition of Nest and its self-driving carprogramme.


From strategy to execution, PAC delivers focused and objective responses to the growth challenges of Information and

Communication Technology (ICT) players.

Founded in 1976, PAC is a privately held research & consulting firm for the software and ICT services market.

PAC helps ICT vendors to optimize their strategies by providing quantitative and qualitative market analysis as well as

operational and strategic consulting. We advise CIOs and financial investors in evaluating ICT vendors and solutions and

support their investment decisions. Public institutions and organizations also rely on our key analyses to develop and shape

their ICT policies.

For more information, please visit www.pac-online.com (http://www.pac-online.com).

All information provided by Pierre Audoin Consultants (PAC), in any form, is proprietary to Pierre Audoin Consultants (PAC)

and is protected in each country by local and national laws governing intellectual property. All information published by

Pierre Audoin Consultants (PAC) or presented by its employees is copyright protected, including hard-copy or electronic

material, as well as material on our website. The omission of any copyright notice does not invalidate copyright protection

and does not indicate that Pierre Audoin Consultants (PAC) authorizes the production of such proprietary material.

Violation of Pierre Audoin Consultants (PAC)'s copyright may permit Pierre Audoin Consultants (PAC) to recover actual

damages, statutory damages, punitive damages, and attorneys' fees through actions in local, national, or international

courts. Pierre Audoin Consultants (PAC) will prosecute violators of its copyrights.

Additionally, Pierre Audoin Consultants (PAC) may be entitled to terminate the license contract in consequence of any

violation of Pierre Audoin Consultants (PAC)'s copyright.

No part of this publication may be reproduced or transmitted for external use for any commercial or non-commercial purpose

in any form or by any means, electronic or mechanical, including photocopy, recording, or storage in any information storage

or retrieval system, without the express written consent of Pierre Audoin Consultants (PAC).

Nothing contained herein shall create an implication that there has been no change in the information since its original

publication. While every effort has been made to ensure accuracy, Pierre Audoin Consultants (PAC) cannot be held

responsible for any errors or omissions. Additionally, Pierre Audoin Consultants (PAC) cannot be held liable for misuse by

any third party. In addition, Pierre Audoin Consultants (PAC) may only be held liable for losses resulting from malice

aforethought or gross negligence of Pierre Audoin Consultants (PAC). For any other losses, Pierre Audoin Consultants

(PAC) can be held liable only to foreseeable damages. Pierre Audoin Consultants (PAC) cannot be held liable for losses

related to decisions made based on the contents of our research or any other materials or opinions. Readers should

independently verify any information before taking any action that could result in financial loss.

Copyright Pierre Audoin Consultants (PAC), 2015. All rights reserved.

About Pierre Audoin Consultants


http://www.pac-online.com

cyber security | worldwide | 2015i.crn.com/custom/security_for_the_internet_of_things... ·...

Documents