IoT Security Platform - Kaspersky Lab (slide transcript)
IoT Security Platform
Andrey Doukhvalov
Head of Future Tech
Industrial Cybersecurity: Safeguarding Progress
Saint Petersburg, Russia
September, 2017
IoT Malware in Action
• 900,000 customers of German ISP Deutsche Telekom
• 2,400 home routers across the UK
• In 2016 one million devices were infected with BASHLITE:
  • 96% are IoT devices (cameras and DVRs)
  • 4% are home routers
  • 1% are compromised Linux servers
• Linux.Darlloz is a worm that infects Linux embedded systems. It targets the Internet of Things and infects routers, security cameras and set-top boxes by exploiting a PHP vulnerability.
• Remaiten is malware that infects Linux on embedded systems by brute forcing frequently used default username and password combinations from a list.
IoT Security Landscape
Layers: Edge Gateways / Smart Devices, Network, Data Center / Cloud
Infrastructure: DNSSEC / DANE
Foundation: Root-of-Trust, Strong Authentication, Verification

IoT Device Security
• Authentication (verified)
• Service discovery / provisioning / pairing
• Trusted execution environment
• Network security / firewall
• Secure Boot

Communication Security
• Authentication (verified)
• Encryption
• Message integrity
• MitM protection
• DNS spoofing protection

Cloud Security
• Authentication (verified)
• PKI / certificate management
• Trusted execution environment
• Network security / firewall
• Access control (role based)
IoT Developer Survey 2017
The Eclipse IoT Working Group, IEEE IoT, AGILE IoT and IoT Council co-sponsored an online survey to better understand how developers are building IoT solutions. The survey was open from February 7 until March 17, 2017. A total of 713 individuals participated in the survey. Each partner promoted the survey to their communities through social media and web sites.
Trend by segment:
• IoT platform: flat (=)
• Home automation: flat (=)
• Industrial automation: growing (⬈)
• Energy management: growing (⬈)
• Connected cities: growing (⬈)
Key Industries / Trends 2016-2017
[Bar chart comparing 2016 and 2017 participation by industry: Transportation, Automotive, Healthcare, Agriculture, Building automation, Energy management, Connected / smart cities, Industrial automation, Home automation, IoT platform / middleware; values range from 20.1% to 41.6%.]
Participation of other industries is growing…
Hardware Components in IoT Solutions
What hardware components are included in your IoT solution?
Sensors: 86.8%
Actuators: 50.8%
Gateway / hub device: 50.2%
Edge node device: 36.2%
Camera / video capture: 35.1%
LCD display: 33.5%
Touchscreen: 25.4%
Audio playback / speaker: 17.4%
None: 4.5%
Other: 4.1%
Security is the No. 1 IoT developers’ concern
Security: 46.7%
Interoperability: 24.4%
Connectivity: 21.4%
Integration with hardware: 19.3%
Standards: 15.0%
Return on investment (ROI): 14.8%
Cost: 14.7%
Scalability: 14.1%
Privacy: 13.7%
Performance: 12.3%
Data analytics: 12.3%
Complexity: 9.0%
Maintenance: 8.2%
Certification / conformance: 4.4%
Other: 3.8%
I don't know: 2.4%
Top three concerns: Security, Connectivity, Interoperability
IoT Security Technologies
Communication security: 48.3%
Data encryption: 43.2%
JSON web token or similar token formats: 34.4%
Public key infrastructure: 27.2%
OAuth & OpenID: 24.3%
Over the air update: 18.5%
No security technology is used: 16.4%
Secure boot: 11.4%
Use of Hardware Security Module (HSM): 10.6%
Use of Trusted Platform Modules (TPM): 10.0%
Don't know: 9.3%
Other: 2.5%
Grouped: Root of Trust (55%), Identity & PKI (51.5%), TLS/SSL (48.3%), Encryption (43.2%), LifeCycle (29.5%)
What can we learn from mobile & apply to IoT?
[Diagram: Device Security, Communications Security and Lifecycle Security rest on Crypto and a Root of Trust; the non-trusted side is separated from the trusted side, where trusted software and trusted hardware form a secure system with secure storage.]
IoT Security should be integrated
Situation
• Most IoT developers are not security experts
• Little to no knowledge of hardware
• Prior experience in mobile app development
• Time to market & functionality beat security
• Ease of use requirements on tools & IoT platform providers
Strategy
• Hide complexity of hardware based security
• Provide built-in security functions
• Use standard methods and building blocks
How much security do you need?
Attack cost axis:
• SW & HW Attacks: Physical access to device (JTAG, Bus, IO Pins); Time, money & equipment
• Software Attacks & lightweight hardware attacks: Buffer overflows, Interrupts, Malware
• Communication Attacks: Man In The Middle, Weak RNG, Code vulnerabilities
Security cost axis:
• Traditional TLS/SSL
• Security Subsystem
• Hardware isolated TEE/SPM*
• Secure Element
*Trusted Execution Environment / Secure Partitioning Manager
GlobalPlatform Trusted Execution Environment
In 2010, the Trusted Execution Environment (TEE) project was launched under the auspices of GlobalPlatform. The initiative was a response to changes in the mobile market: security requirements rose substantially as consumers began using mobile devices for financial and payment transactions. In addition, as content consumption (video, music) grew across different types of devices, the older content-protection methods proved insufficient. To protect premium content, its owners had traditionally used Digital Rights Management (DRM), Conditional Access (CA) and similar schemes, which often relied on hardware-hardened content protection, whereas they now faced an environment in which many different agents interact. Furthermore, the changing content delivery paths (3G, 4G, Wi-Fi, WiMAX, Bluetooth, NFC) place higher demands on the communication channels.
Global Platform Trusted Execution Environment
• TEE became the global standard for embedded security
TEE Platform in action
Global Platform TEE Management Framework
The goals of the security model for administration are:
• to provide means to manage the Trusted Execution Environment (TEE), Security Domains (SD), and Trusted Applications (TA),
• to ensure the security and the integrity of these entities,
• to enable the confidentiality of the data,
• to provide a scalable model allowing deployments involving a unique Actor or multiple Actors,
• and to enforce the security policy of each Actor while preserving its assets.
To ensure the security and integrity of these entities, the TMF code implementation on the device is a Trusted OS Component (see [TEE Arch]), or composed from a group of such components. As such it inherits the same security requirements as other Trusted OS Components.
• The newly emerging TEE MF standard lays the groundwork for remotely managed embedded security
Kaspersky IoT Security Platform - proposal
[Architecture diagram of the proposed platform.]
Tiers: Security Operation Center, Gateway, Edge.
Device options as listed: Non-TEE; 3rd-party TEE; KOS TEE; KOS TEE on trusted SoC; KOS TEE + SE on trusted SoC.
Device building blocks: Trusted Boot, Trusted Channel, OTA, Trusted Storage, Crypto; Hypervisor, TEE Services, KOS; Applications, System, TEE MF; Integrated Security.
Security domains: Device Security (Service Discovery, Provisioning, Pairing), Comm Security, Lifecycle Security.
Gateway and Security Operation Center services: Cloud security services, Systems Management, Policy Management; General Security: FW, AV, KSN, DPI, TMS/TFS, KICS, VPN, Logging, Inspection, Security Services Mngmnt, KATA; Security Center.
Security subjects and security objects are shown mapped onto the TEE.
Platform Roadmap
[Roadmap diagram: rows are Security Operation Center, Gateway/Networking and Device Level; columns are KL Core Assets and Ecosystem Services.]
Listed assets and services: KSS (Lib -> Agent), KOS, KSH, Trusted Channel, Firmware Update, KSN/CV/AV/TMS/KICS, KSC for IoT (TEE MF), MLAD/KATA, KSN/CF/AV, KSS Linux, SoC (Elvis), Trusted IoT Platform, TEE functions, Devices (Router, STB), Device Pairing.
Security Services: Malware Protection, Anomaly Detection, Trusted Monitoring, Communication Security, Lifecycle Security, Trusted Hypervisor, Integrated Security, System Security, Device Security.
Add-Ons: IoT Platform Connectors, Industrial Modules, Industrial Protocols.
Let's discuss it