The document discusses several topics related to security issues in IoT systems and supply chains:
1. It describes how trust in an IoT system depends on trust in all of its elements and how they are integrated and interact. Effective risk management and threat modeling are required.
2. Specific security issues discussed include the Stuxnet virus, ransomware targeting IoT devices, hacks of vehicles and medical devices, and the 2016 DDoS attack using Mirai malware.
3. Key factors in managing risk and building trust are specifying security requirements, evaluating threats and risks, and addressing vulnerabilities throughout the system lifecycle. Attack surfaces and vectors must be identified and mitigated.
2. Connect2 Systems 2017
In January 2010, inspectors with the International
Atomic Energy Agency visiting the Natanz uranium
enrichment plant in Iran noticed that centrifuges
used to enrich uranium gas were failing at an
unprecedented rate.
The cause was a complete mystery—apparently as
much to the Iranian technicians replacing the
centrifuges as to the inspectors observing them.
Five months later a seemingly unrelated event
occurred. A computer security firm in Belarus was
called in to troubleshoot a series of computers in
Iran that were crashing and rebooting repeatedly.
Again, the cause of the problem was a mystery.
That is, until the researchers found a handful of
malicious files on one of the systems and
discovered the world’s first digital weapon.
Stuxnet, as it came to be known, was unlike any
other virus or worm that came before. Rather than
simply hijacking targeted computers or stealing
information from them, it escaped the digital realm
to wreak physical destruction on equipment the
computers controlled.
4. Connect2 Systems 2017
Ukraine - technical components used by the attackers
§ Spear phishing to gain access to the business
networks of the oblenergos (regional energy
distributors)
§ Identification of BlackEnergy 3 at each of the
impacted oblenergos
§ Theft of credentials from the business networks
§ The use of virtual private networks (VPNs) to
enter the Industrial Control Systems (ICS)
network
§ The use of existing remote access tools within
the environment or issuing commands directly
from a remote station similar to an operator HMI
§ Serial-to-Ethernet communications devices
impacted at a firmware level
§ The use of a modified KillDisk to erase the
master boot record of impacted organization
systems as well as the targeted deletion of some
logs
§ Utilizing UPS systems to impact connected load
with a scheduled service outage
§ Telephone denial-of-service attack on the call
centre
From: “Analysis of the Cyber Attack on the Ukrainian Power Grid”, TLP: White, E-ISAC and SANS | March 18, 2016
5. Connect2 Systems 2017
It's official: Hearts can be hacked
The FDA confirmed that St. Jude Medical's implantable cardiac devices
have vulnerabilities that could allow a hacker to access a device
Once in, they could deplete the battery or administer incorrect pacing or
shocks
6. Connect2 Systems 2017
The attack began creating problems for Internet users reaching an array of sites,
including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
The attack involved Mirai
At the end of September 2016, the
hacker responsible for creating the
Mirai malware released the source
code for it
9. Connect2 Systems 2017
Ransomware has carved itself a niche as one of the main cybersecurity threats of 2016
While traditional ransomware affects your computer and locks your files
IoT ransomware has the opportunity to control systems in the real world
This potential to cause far more damage means that hackers can potentially charge
much more, ultimately making it an appealing market for them to explore
11. Connect2 Systems 2017
Trust in the IoT System
Depends on:
§ Trust in all the elements
§ How they are integrated
§ How they interact with each other
12. Connect2 Systems 2017
Trust Relationship between Actors
Each Element has actors that execute various roles in the creation,
integration and operation of the system
§ Trust flows down from the operator to all parts of the system
§ But trust must be built from the bottom up
Figure taken from the Industrial Internet Consortium; Industrial Internet of Things Volume G4: Security Framework; www.iiconsortium.org/
13. Connect2 Systems 2017
Trust must be maintained through the System Lifecycle
Requirements
Design
Development
Commissioning
Operation
End of Life
Decommissioning
Integrity of each element of the system and supply chain must be
monitored to ensure that the initial trustworthiness is preserved through
life of the system
Threats and therefore risk will not be static over the lifetime of the solution
§ You need a governance structure that manages cybersecurity supply chain risks
§ To actively share information and maintain strong relationships with your
suppliers and partners
14. Connect2 Systems 2017
Permeation of Trust
§ The trust lifecycle starts with the specification of requirements that result in the
delivery of capabilities
§ The assurance that these capabilities meet the stated requirements becomes the
basis of trust in the system
Figure taken from the Industrial Internet Consortium; Industrial Internet of Things Volume G4: Security Framework; www.iiconsortium.org/
15. Connect2 Systems 2017
Specifying Security Requirements
Unfortunately many operators or users do not include
security in their specification of requirements
Many believe the risk of their systems being
hacked/attacked is low
It is very expensive and damaging to your reputation to
incorporate security after the event - just ask Equifax!
You need to evaluate the risk and incorporate security at
the Requirement and Design Phase
16. Connect2 Systems 2017
Managing Risk
§ It is not feasible to eliminate all risk from a system
§ Security investments are balanced against the effect of undesirable outcomes
§ Balancing must be grounded in a realistic assessment of the threats, the risks
they pose and how they might prevent the system from fulfilling its intended
functions
§ Costs must be evaluated and a rational selection of implementation choices
made to deliver an acceptable return on investment
17. Connect2 Systems 2017
Generic Risk Model With Key Risk Factors
Source: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Risk is a function of the likelihood of a threat event’s occurrence and
potential adverse impact should the event occur
18. Connect2 Systems 2017
Basic Steps in the Risk Assessment Process
Source: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
19. Connect2 Systems 2017
Attack Surface and Vectors
The elements of the IoT system exposed to possible attacks are called
its attack surface
Each of these elements may be vulnerable via an attack vector
§ mechanism by which an attack can take place
Attack vectors include:
§ physical attacks
§ network attacks
§ attacks against software
§ attacks on operators
§ attacks on the supply chains of the elements that comprise the
system
20. Connect2 Systems 2017
OWASP IoT Attack Surface Areas Project
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas
21. Connect2 Systems 2017
Threat Modelling
1. What are you building?
2. What can go wrong?
3. What should you do about those
things that can go wrong?
4. Did you do a decent job of analysis?
[Figure: Model System → Find Threats → Address Threats → Validate]
22. Connect2 Systems 2017
STRIDE, developed by Microsoft
Models risks and evaluates threats for the IT/IoT environment
Spoofing identity
Ø Where a person or device is using another person’s credentials such as login and password
Ø A device can use a spoofed device ID
Tampering with data
Ø Altering the data related to a device, packets on the wire (or wireless), bits on disk or in memory
Repudiation
Ø Denial that a person or device was involved in a particular transaction or event
Ø Refers to the ability (or lack) to trace which person or device was responsible for an event
Information disclosure
Ø Exposure of information to individuals who are not supposed to have access to it
Ø E.g. sensor data for a city in the hands of persons with intentions to launch an attack on the city
Denial of service
Ø Making a service unavailable, often through resource consumption or unreliable execution
Elevation of privilege
Ø An unprivileged user gains sufficient access to compromise or destroy an entire system
Ø An attacker has penetrated all system defences and become part of the trusted system
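The STRIDE categories above can be applied systematically to a data-flow model of the system. The following is an added example, not part of the original slides: it uses the STRIDE-per-element convention from Microsoft's threat-modelling practice (which the slides do not cover) and goes slightly beyond the slide by ranking flows that cross a trust boundary first. The element names, trust zones and the `Element` class are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each kind of DFD element.
# (Convention from Microsoft's threat-modelling practice; not on the slides.)
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "flow": "TID",
    "store": "TID",  # plus R when the store holds logs/audit records
}
NAMES = {"S": "Spoofing identity", "T": "Tampering with data",
         "R": "Repudiation", "I": "Information disclosure",
         "D": "Denial of service", "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # external | process | flow | store
    zone: str = ""         # trust zone; for flows "src_zone->dst_zone"
    holds_logs: bool = False

def crosses_boundary(e):
    """A flow crosses a trust boundary when its two zones differ."""
    if e.kind != "flow":
        return False
    src, dst = e.zone.split("->")
    return src != dst

def enumerate_threats(model):
    """Return (element, category, crosses_boundary) for each applicable pair."""
    out = []
    for e in model:
        cats = APPLICABLE[e.kind]
        if e.kind == "store" and e.holds_logs:
            cats += "R"
        out.extend((e.name, NAMES[c], crosses_boundary(e)) for c in cats)
    # Boundary-crossing flows first: that is where review effort should start.
    return sorted(out, key=lambda t: not t[2])

# Constructed sample model of a small IoT deployment (hypothetical names).
MODEL = [
    Element("field sensor", "external", "field"),
    Element("gateway firmware", "process", "field"),
    Element("sensor->gateway link", "flow", "field->field"),
    Element("gateway->cloud uplink", "flow", "field->cloud"),
    Element("cloud audit log", "store", "cloud", holds_logs=True),
]

if __name__ == "__main__":
    for name, cat, boundary in enumerate_threats(MODEL):
        print(f"{'[boundary] ' if boundary else '           '}{name}: {cat}")
```

Each resulting line is a candidate threat to be addressed or explicitly ruled out, not a confirmed vulnerability.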
23. Connect2 Systems 2017
Addressing Threats
§ Mitigating Threats
Ø doing things to make it harder to take advantage of a threat
Ø e.g. adding password controls that enforce complexity or expiration
§ Eliminating Threats
Ø Almost always achieved by eliminating features
§ Transferring Threats
Ø letting someone or something else handle the risk
Ø e.g. pass trust boundary enforcement to a firewall product
Ø transfer risk to customers
§ Accepting the Risk
Ø the final approach to addressing threats
Ø e.g. because the cost is prohibitive
25. Connect2 Systems 2017
So who is developing IoT Security
Best Practice Principles & Guidelines?
§ National Institute of Standards and Technology (NIST)
§ IoT Security Foundation (IoT SF)
§ GSM Association (GSMA)
§ Industrial Internet Consortium (IIC)
§ Open Web Application Security Project (OWASP)
§ U.S. Department of Homeland Security
§ Broadband Internet Technical Advisory Group (BITAG)
§ Online Trust Alliance (OTA) - IoT Trustworthy Working Group
§ U.S. Department of Health and Human Services, Food and Drug
Administration
§ Cloud Security Alliance
26. Connect2 Systems 2017
NIST Cybersecurity Framework
Provides a policy framework of computer security guidance for how private
sector organisations can assess and improve their ability to prevent, detect,
and respond to cyber attacks
Designed to foster risk and cybersecurity management communications among
both internal and external organisational stakeholders
Framework is a risk-based approach https://www.nist.gov/cyberframework
30. Connect2 Systems 2017
Secure IoT Event - 17th October 2017
Internet of Things Security Event
Green Park Conference Centre
100 Longwater Avenue, Green Park, Reading RG2 6GP
http://tinyurl.com/secureiot
Learn about:
§ potential threats and risks to your organisation
§ real world examples of IoT attacks and the damage caused
§ IoT security best practice and frameworks
Meet leading experts and companies offering security products, solutions and
services
31. Connect2 Systems 2017
Secure IoT Speakers
IoT Security at the KTN | Robin Kennedy | KTN
Weaponising the IoT | Ken Munro | Pen Test Partners
Industrial IoT - How Secure is it? | Ray Evans | IBM
IoT Security Framework | Richard Marshall | IoT Security Foundation
Security starts with a threat model | Phil Winstanley | Microsoft
IoT Passwords (Past, Present and Future) | Edward Williams | Trustwave
Hardware-Level Intrusion Detection | Professor Mark Zwolinski | University of Southampton
Right-sizing secure HW for a range of threats and assets | Erik Jacobson | Arm
Device Management & 'Over-The-Air' Firmware Upgrade for Constrained Devices | Duncan Purves | Connect2 Systems
Internet of Things security architecture | John Donnelly | Microsoft
IoT security testing - helping to improve customer confidence and win new clients | Bryon Lowen | TVS
Delivering trust through independent security testing and certification | Laurens van Oijen | UL
The Art of Automation | Rob Dobson, Campbell Elder, Mark Tootell | Device Authority, MultiTech & InVMA