great - now we have to secure an "internet of things"

Great – Now We Have to Secure an “Internet of Things”

John Pescatore, Director, Emerging Security Trends

[email protected] @John_Pescatore

Upload: fedscoop

Post on 15-Jan-2015

Category: Technology

Page 1: Great - Now We Have to Secure an "Internet of Things"

Great – Now We Have to Secure an “Internet of Things”

John Pescatore

Director, Emerging Security Trends

[email protected] @John_Pescatore

Page 2: Great - Now We Have to Secure an "Internet of Things"

What the Heck is That??

Page 3: Great - Now We Have to Secure an "Internet of Things"

Different Views of the Internet of Things

Page 4: Great - Now We Have to Secure an "Internet of Things"

Venture Capital Definition

Page 5: Great - Now We Have to Secure an "Internet of Things"

Rapid Penetration

Page 6: Great - Now We Have to Secure an "Internet of Things"

Simple View of the Internet of Things

Information Technology

Personal Technology

Operational Technology

PCs, Servers, Virtualization, Routers, Switches

Tablets, Smartphones, MiFi

Home energy, Medical wearables, Medical implants, Home entertainment, Home control

ICS/SCADA, Medical Machines, Kiosks, Manufacturing, Cloud Service Infra., Env. monitoring

Page 7: Great - Now We Have to Secure an "Internet of Things"

Mobility, Smart Buildings/ICS, Medical Devices Are Main IoT Issues

[Bar chart, axis 0% to 80%. Categories:]

• Consumer devices (set tops,...
• Smart building/HVAC autom...
• Electrical, water, gas producti...
• Medical devices
• Other transportation smart...
• Automotive smart systems
• Manufacturing systems (not e...
• Food production systems/ref...

What types of IoT applications is your organization involved in or planning to be involved in?

Producing

Operating/Managing

Source: SANS 2013

Page 8: Great - Now We Have to Secure an "Internet of Things"

Partly Cloudy or Partly Sunny?

17.2%

48.8%

21.4%

12.6%

Which statement best captures your feelings about the IoT and security?

The IoT will be a security disaster.

The IoT will have the same level of security problems we have today with other applications and systems.

The IoT will provide an opportunity to increase security over today.

Other

Source: SANS 2013

Page 9: Great - Now We Have to Secure an "Internet of Things"

Major Differences

Old Things

• General purpose OS
• Fixed, wired
• TCP/IP, 802.11, HTML5
• Layered apps
• Homogeneous
• Enterprise-driven
• 2-3 year life cycle
• Impact data

New Things

• Embedded OS
• Mobile, wireless
• Zigbee, IoT6, WebHooks
• Embedded apps
• Heterogeneous
• Consumer-driven
• .2 to 20 year life cycle
• Impact health/safety

Page 10: Great - Now We Have to Secure an "Internet of Things"

Enhancement and Augmentation of Existing Security Controls

[Bar chart, axis 0% to 80%. Categories:]

• Authentication/authorization
• System monitoring
• Encryption of communications
• Security evaluation and test o...
• Segmentation
• New IT security controls
• New physical security controls
• Secure APIs
• TPMs for hardware encryption...
• Geo-location services
• Other

What controls are you using currently to protect against the risks imposed by new “Things” on your network? What controls do you plan on deploying in the next 2 years to address these issues?

Current

Next 2 years

Page 11: Great - Now We Have to Secure an "Internet of Things"

The Critical Security Controls

1) Inventory of Authorized and Unauthorized Devices

2) Inventory of Authorized and Unauthorized Software

3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4) Continuous Vulnerability Assessment and Remediation

5) Malware Defense

6) Application Software Security

7) Wireless Device Control

8) Data Recovery Capability

9) Security Skills Assessment and Appropriate Training to Fill Gaps

10) Secure Configuration of Devices such as Firewalls, Routers, and Switches

11) Limitation and Control of Network Ports, Protocols and Services

12) Controlled Use of Administrative Privileges

13) Boundary Defense

14) Maintenance, Monitoring and Analysis of Audit Logs

15) Controlled Access Based on Need to Know

16) Account Monitoring and Control

17) Data Loss Prevention

18) Incident Response Capability

19) Secure Network Engineering

20) Penetration Tests and Red Team Exercises

Page 12: Great - Now We Have to Secure an "Internet of Things"

Evolving Critical Security Controls to the Internet of Things

• What will be the connectivity and governance model? (CSC 6, 7, 9, 19)

• What is mine, what’s running on it, where is it? (CSC 1-4)

• How do I protect from attack? (CSC 5, 10-13, 15, 16)

• How do I detect and recover from compromise? (CSC 8, 14, 17, 18, 20)

Page 13: Great - Now We Have to Secure an "Internet of Things"

Requiring Secure Products from IoT Manufacturers

[Bar chart, axis 0% to 90%. Categories:]

• Our IT security group
• The Thing manufac...
• Our IT operations ...
• Department mana...
• Our physical securi...
• Other

In your opinion, who should take responsibility for managing the risk imposed by new “Things” connecting to the Internet and your network?

Page 14: Great - Now We Have to Secure an "Internet of Things"

Learn From Mistakes of the Past

1. More defendable endpoints
   1. Hardware security
   2. White list
   3. Sandbox
   4. Auto update

2. Smarter Internet
   1. Endpoint Validation/Network Access Control
   2. Filter Known Bad
   3. Assume hostility (IPSEC, DNSSEC, better CA, etc)

Page 15: Great - Now We Have to Secure an "Internet of Things"

Government Efforts

• Stuxnet?
• NSTAC – “Industrial Internet”
• FTC – “Internet of Things - Privacy and Security in a Connected World”
• DoE – Smart Grid Task Force
• DoT/NHTSA – Autonomous Vehicles
• FAA – Drones
• FCC – Baby monitors, M2M, …

Page 16: Great - Now We Have to Secure an "Internet of Things"

Summary

• The IoT is an opportunity to not repeat the mistakes of the past
  – IPSEC, DNSSEC, etc
  – New device capabilities
  – Building security in, extending the perimeter
• Basic hygiene is Job 1
• Drive suppliers to higher quality/security
• How can the security community raise the bar?