Connect2 Systems 2017
Trust in the Supply Chain
Duncan Purves
duncan@connect2.io
In January 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them.

Five months later a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until the researchers found a handful of malicious files on one of the systems and discovered the world’s first digital weapon.

Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.
Ukraine - technical components used by the attackers
• Spear phishing to gain access to the business networks of the oblenergos (regional energy distributors)
• Identification of BlackEnergy 3 at each of the impacted oblenergos
• Theft of credentials from the business networks
• The use of virtual private networks (VPNs) to enter the Industrial Control Systems (ICS) network
• The use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator HMI
• Serial-to-Ethernet communications devices impacted at a firmware level
• The use of a modified KillDisk to erase the master boot record of impacted organization systems as well as the targeted deletion of some logs
• Utilizing UPS systems to impact connected load with a scheduled service outage
• Telephone denial-of-service attack on the call centre
From: “Analysis of the Cyber Attack on the Ukrainian Power Grid”, TLP: White, E-ISAC and SANS | March 18, 2016
It's official: Hearts can be hacked
The FDA confirmed that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks.
The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
The attack involved Mirai. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it.
Hackers Remotely Kill a Jeep on the Highway
Ransomware has carved itself a niche as one of the main cybersecurity threats of 2016.
While traditional ransomware affects your computer and locks your files, IoT ransomware has the opportunity to control systems in the real world.
This potential to cause far more damage means that hackers can charge much more, ultimately making it an appealing market for them to explore.
IoT System – Complex Assembly of System Elements
(Figure: layered view of the system elements; the labels recovered from it are listed below)
BUSINESS APPLICATIONS: OPERATIONS & MAINTENANCE | ASSET MANAGEMENT & MONITORING | WORK ORDER MANAGEMENT | SECURITY | FACILITY MANAGEMENT | INDUSTRIAL CONTROL | ENERGY MANAGEMENT | ENVIRONMENTAL MONITORING
APPLICATION SERVICES: MESSAGING | DATA | ANALYTICS | INTEGRATION | EVENT PROCESSING | DASHBOARD | REPORTING
DEVICE MANAGEMENT SERVICES: SERVER | APIS | BOOTSTRAP | REGISTRATION
DEVICE MANAGEMENT APPLICATION: CONFIGURATION | FIRMWARE UPDATE
DEVICE & NETWORK HEALTH MONITORING
WIDE AREA COMMUNICATION NETWORK SERVICES: MOBILE | SATELLITE | FIXED | WIRELESS | INTERNET | LPWAN; IP | VPN | DATA | SIM MANAGEMENT | BILLING
WIDE AREA INTELLIGENT GATEWAYS & ROUTERS: EDGE OF NETWORK ANALYTICS | COMPLEX EVENT PROCESSING | APPLICATIONS | SWARM COMPUTING
LOCAL AREA, PERSONAL AREA, & SENSOR NETWORKS
EDGE DEVICES: HARDWARE | EMBEDDED SOFTWARE | SENSOR & ACTUATOR INTEGRATION | PROTOCOL CONVERSION
SENSORS & ACTUATORS
Cross-cutting: DATA & PROTOCOL INTEGRATION & SECURITY SERVICES | SYSTEM INTEGRATION | END CUSTOMER SERVICES
Trust in the IoT System
Depends on:
• Trust in all the elements
• How they are integrated
• How they interact with each other
Trust Relationship between Actors
Each element has actors that execute various roles in the creation, integration and operation of the system.
• Trust flows down from the operator to all parts of the system
• But trust must be built from the bottom up
Figure taken from the Industrial Internet Consortium; Industrial Internet of Things Volume G4: Security Framework; www.iiconsortium.org/
Trust must be maintained through the System Lifecycle
Lifecycle phases: Requirements, Design, Development, Commissioning, Operation, End of Life, Decommissioning
Integrity of each element of the system and supply chain must be monitored to ensure that the initial trustworthiness is preserved through the life of the system.
Threats, and therefore risk, will not be static over the lifetime of the solution.
• You need a governance structure that manages cybersecurity supply chain risks
• To actively share information and maintain strong relationships with your suppliers and partners
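As an added example (not code from the slides or from Connect2 Systems), the following Python checks a delivered set of components against a supplier-signed manifest, which is one concrete way to monitor the integrity of a supply-chain element during commissioning and again during operation. The component names, contents, manifest layout and verification key are constructed for the example; HMAC-SHA256 with a shared key stands in for the supplier's asymmetric signature so that the block runs with only the standard library.

```python
import hashlib
import hmac
import json

# Constructed example: a supplier ships a manifest naming every component of a
# delivered gateway image with its SHA-256 digest, plus a signature over the
# canonical manifest. HMAC-SHA256 with a shared verification key stands in for
# the supplier's asymmetric signature (an assumption made to stay stdlib-only).
SUPPLIER_KEY = b"constructed-supplier-verification-key"

# Constructed component contents, as they would be read from the delivered image.
SHIPPED = {
    "bootloader.bin": b"bootloader v1.2 (constructed)",
    "firmware.bin": b"gateway firmware v3.0.1 (constructed)",
    "config.json": b'{"mqtt_tls": true}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    # Canonical encoding so signer and verifier hash byte-identical input.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_manifest(components: dict) -> dict:
    return {"version": 1, "components": {n: sha256_hex(d) for n, d in components.items()}}


def verify_delivery(manifest: dict, signature: str, components: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the delivery matches the manifest."""
    findings = []
    # 1. The manifest itself must be authentic before any digest in it means anything.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        findings.append("manifest signature invalid")
        return findings  # never trust digests taken from an unauthenticated manifest
    expected = manifest["components"]
    # 2. Every listed component must be present and byte-identical.
    for name, digest in expected.items():
        if name not in components:
            findings.append(f"missing component: {name}")
        elif not hmac.compare_digest(sha256_hex(components[name]), digest):
            findings.append(f"digest mismatch: {name}")
    # 3. Anything not listed is an unexpected addition to the supply chain.
    for name in components:
        if name not in expected:
            findings.append(f"unlisted component: {name}")
    return findings


def demo() -> dict:
    manifest = build_manifest(SHIPPED)
    signature = sign_manifest(manifest, SUPPLIER_KEY)
    clean = verify_delivery(manifest, signature, SHIPPED, SUPPLIER_KEY)
    # Tampered delivery: modified firmware, an extra binary, and the config removed.
    tampered = dict(SHIPPED)
    tampered["firmware.bin"] = b"gateway firmware v3.0.1 (modified, constructed)"
    tampered["debug_agent.bin"] = b"unexpected binary (constructed)"
    del tampered["config.json"]
    tampered_findings = verify_delivery(manifest, signature, tampered, SUPPLIER_KEY)
    # Rewritten manifest: digests now match the tampered files, but the original
    # signature no longer covers them, so the check stops at step 1.
    forged = build_manifest(tampered)
    forged_findings = verify_delivery(forged, signature, tampered, SUPPLIER_KEY)
    return {"clean": clean, "tampered": tampered_findings, "forged": forged_findings}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "OK")
```

In a real deployment the supplier signs with a private key and the operator verifies with the matching public key, so the verification key held on site cannot be used to produce a new valid manifest. The ordering of the checks is the point: signature first, then listed digests, then unlisted additions, because a digest copied from an unauthenticated manifest proves nothing.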
Permeation of Trust
• The trust lifecycle starts with the specification of requirements that result in the delivery of capabilities
• The assurance that these capabilities meet the stated requirements becomes the basis of trust in the system
Figure taken from the Industrial Internet Consortium; Industrial Internet of Things Volume G4: Security Framework; www.iiconsortium.org/
Specifying Security Requirements
Unfortunately many operators or users do not include security in their specification of requirements.
Many believe the risk of their systems being hacked or attacked is low.
It is very expensive and damaging to your reputation to incorporate security after the event; just ask Equifax!
You need to evaluate the risk and incorporate security at the Requirement and Design phase.
Managing Risk
• It is not feasible to eliminate all risk from a system
• Security investments are balanced against the effect of undesirable outcomes
• Balancing must be grounded in a realistic assessment of the threats, the risks they pose and how they might prevent the system from fulfilling its intended functions
• Costs must be evaluated and a rational selection of implementation choices made to deliver an acceptable return on investment
Generic Risk Model With Key Risk Factors
Source: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Risk is a function of the likelihood of a threat event’s occurrence and the potential adverse impact should the event occur.
Basic Steps in the Risk Assessment Process
Source: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Attack Surface and Vectors
The elements of the IoT system exposed to possible attacks are called its attack surface.
Each of these elements may be vulnerable via an attack vector:
• the mechanism by which an attack can take place
Attack vectors include:
• physical attacks
• network attacks
• attacks against software
• attacks on operators
• attacks on the supply chains of the elements that comprise the system
OWASP IoT Attack Surface Areas Project
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas
Threat Modelling
1. What are you building?
2. What can go wrong?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
(Figure: the four-step cycle Model System → Find Threats → Address Threats → Validate)
STRIDE, developed by Microsoft
Models risks and evaluates threats for the IT/IoT environment
Spoofing identity
  ◦ Where a person or device is using another person’s credentials such as login and password
  ◦ A device can use a spoofed device ID
Tampering with data
  ◦ Altering the data related to a device, packets on the wire (or wireless), bits on disk or in memory
Repudiation
  ◦ Denial that a person or device was involved in a particular transaction or event
  ◦ Refers to the ability (or lack of it) to trace which person or device was responsible for an event
Information disclosure
  ◦ Exposure of information to individuals who are not supposed to have access to it
  ◦ E.g. sensor data for a city in the hands of persons with intentions to launch an attack on the city
Denial of service
  ◦ Making a service unavailable, often through resource consumption or unreliable execution
Elevation of privilege
  ◦ An unprivileged user gains sufficient access to compromise or destroy an entire system
  ◦ An attacker has penetrated all system defences and become part of the trusted system
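Added example, not part of the slides: STRIDE is normally applied per element of a data-flow diagram, using the Microsoft SDL convention that external entities attract Spoofing and Repudiation, processes all six categories, data stores Tampering, Repudiation, Information disclosure and Denial of service, and data flows Tampering, Information disclosure and Denial of service. The Python below encodes that table and enumerates the candidate threats for a constructed IoT model (field sensor, site gateway, cloud API, telemetry store, operator browser), skipping flows that stay inside one trust zone. The element names and zones are the example's own assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# STRIDE-per-element applicability (Microsoft SDL threat-modelling convention):
# which STRIDE letters are worth asking about for each kind of DFD element.
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Node:
    name: str
    kind: str   # external_entity | process | data_store
    zone: str   # trust zone the node lives in


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    dest: str


def enumerate_threats(nodes, flows):
    """Return (element, letter, category) triples for every applicable STRIDE
    category. Flows whose endpoints share a trust zone are skipped: flow threats
    are what you examine where data crosses a trust boundary."""
    zone = {n.name: n.zone for n in nodes}
    threats = []
    for n in nodes:
        for letter in STRIDE_BY_ELEMENT[n.kind]:
            threats.append((n.name, letter, STRIDE_NAMES[letter]))
    for f in flows:
        if zone[f.source] == zone[f.dest]:
            continue
        for letter in STRIDE_BY_ELEMENT["data_flow"]:
            threats.append((f.name, letter, STRIDE_NAMES[letter]))
    return threats


def threats_for(threats, element_name):
    return [letter for name, letter, _ in threats if name == element_name]


def summarize(threats):
    """Count candidate threats per STRIDE letter, to see where the model is heaviest."""
    return Counter(letter for _, letter, _ in threats)


# Constructed model of a small IoT deployment (names and zones are assumptions).
NODES = [
    Node("field_sensor", "external_entity", "field"),
    Node("site_gateway", "process", "site"),
    Node("cloud_api", "process", "cloud"),
    Node("telemetry_db", "data_store", "cloud"),
    Node("operator_browser", "external_entity", "internet"),
]
FLOWS = [
    Flow("sensor->gateway", "field_sensor", "site_gateway"),
    Flow("gateway->cloud", "site_gateway", "cloud_api"),
    Flow("api->db", "cloud_api", "telemetry_db"),          # same zone: skipped
    Flow("operator->api", "operator_browser", "cloud_api"),
]


def model_threats():
    return enumerate_threats(NODES, FLOWS)


if __name__ == "__main__":
    for element, letter, category in model_threats():
        print(f"{element:18} {letter}  {category}")
    print(dict(summarize(model_threats())))
```

Each triple is a question to answer, not a finding: "spoofing of field_sensor" becomes a threat in the register only once the team decides the sensor link really lets a device present a forged ID, which is exactly the slide's first Spoofing bullet. Keeping the intra-zone flow out of the list keeps the review focused on trust boundaries, which is where the supply-chain hand-offs between actors sit.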
Addressing Threats
• Mitigating threats
  ◦ doing things to make it harder to take advantage of a threat
  ◦ e.g. adding password controls that enforce complexity or expiration
• Eliminating threats
  ◦ almost always achieved by eliminating features
• Transferring threats
  ◦ letting someone or something else handle the risk
  ◦ e.g. pass trust boundary enforcement to a firewall product
  ◦ transfer risk to customers
• Accepting the risk
  ◦ the final approach to addressing threats
  ◦ e.g. because the cost is prohibitive
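Added example serving both the risk model slide (risk as a function of likelihood and impact) and the four treatment options just listed; it is not code from the slides or from Connect2 Systems. It scores a constructed threat register with a qualitative likelihood-by-impact lookup in the style of NIST SP 800-30 Appendix I (the cell values here are the example's own assumption and should be checked against the publication), then flags treatment decisions that break a simple policy: nothing rated above low risk may be accepted outright, and any transfer or acceptance needs a recorded rationale. Element names, threats and ratings are constructed.

```python
from dataclasses import dataclass

LEVELS = ["very_low", "low", "moderate", "high", "very_high"]

# Qualitative likelihood-by-impact lookup in the style of SP 800-30 r1 Appendix I.
# Rows: likelihood of the threat event; columns: impact, in LEVELS order.
# The cell values are this example's assumption; verify them against the publication.
RISK_MATRIX = {
    "very_high": ["very_low", "low", "moderate", "high", "very_high"],
    "high":      ["very_low", "low", "moderate", "high", "very_high"],
    "moderate":  ["very_low", "low", "moderate", "moderate", "high"],
    "low":       ["very_low", "low", "low", "low", "moderate"],
    "very_low":  ["very_low", "very_low", "very_low", "low", "low"],
}

# The four ways of addressing a threat named on the slide.
TREATMENTS = {"mitigate", "eliminate", "transfer", "accept"}


@dataclass
class Threat:
    element: str
    description: str
    likelihood: str
    impact: str
    treatment: str
    rationale: str = ""


def risk_level(likelihood: str, impact: str) -> str:
    """Risk as a function of likelihood and impact, via the qualitative matrix."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def review_register(register, accept_ceiling="low"):
    """Score each threat and flag treatment decisions that break the policy:
    a threat rated above accept_ceiling cannot simply be accepted, and every
    transfer or acceptance needs a recorded rationale. Returns (scored, findings)
    with scored sorted highest risk first."""
    scored, findings = [], []
    for t in register:
        level = risk_level(t.likelihood, t.impact)
        scored.append((t.element, t.description, level, t.treatment))
        if t.treatment not in TREATMENTS:
            findings.append(f"{t.element}: unknown treatment '{t.treatment}'")
            continue
        if t.treatment == "accept" and LEVELS.index(level) > LEVELS.index(accept_ceiling):
            findings.append(f"{t.element}: {level} risk accepted without mitigation")
        if t.treatment in {"accept", "transfer"} and not t.rationale:
            findings.append(f"{t.element}: {t.treatment} recorded without rationale")
    scored.sort(key=lambda s: LEVELS.index(s[2]), reverse=True)  # stable: ties keep order
    return scored, findings


# Constructed register for a small IoT deployment (all entries are assumptions).
REGISTER = [
    Threat("site_gateway", "Firmware replaced with a tampered image over the air",
           "moderate", "very_high", "mitigate", "bootloader verifies signed images"),
    Threat("cloud_api", "Operator credentials reused from a breached service",
           "high", "high", "mitigate", "MFA on the operator portal"),
    Threat("telemetry_db", "Telemetry disclosed to unauthorised staff",
           "low", "moderate", "transfer", "covered by the cloud provider contract"),
    Threat("field_sensor", "Sensor readings forged over an unauthenticated link",
           "high", "very_high", "accept"),          # policy breach: no rationale either
    Threat("operator_browser", "Unused diagnostic endpoint exhausts API capacity",
           "moderate", "low", "eliminate", "endpoint removed from the build"),
]


def review_demo():
    return review_register(REGISTER)


if __name__ == "__main__":
    scored, findings = review_demo()
    for element, description, level, treatment in scored:
        print(f"{level:9} {treatment:9} {element}: {description}")
    print("policy findings:", findings or "none")
```

The register is deliberately small, but the two checks are the ones worth automating in a governance process: they turn "accepting the risk" from a silent default into a recorded decision with an owner's reasoning, and they make a very high rating that someone has quietly accepted stand out at every review as threats change over the system's lifetime.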
So where do you go to for advice and best practice?
So who is developing IoT Security Best Practice Principles & Guidelines?
• National Institute of Standards and Technology (NIST)
• IoT Security Foundation (IoT SF)
• GSM Association (GSMA)
• Industrial Internet Consortium (IIC)
• Open Web Application Security Project (OWASP)
• U.S. Department of Homeland Security
• Broadband Internet Technical Advisory Group (BITAG)
• Online Trust Alliance (OTA) - IoT Trustworthy Working Group
• U.S. Department of Health and Human Services, Food and Drug Administration
• Cloud Security Alliance
NIST Cybersecurity Framework
Provides a policy framework of computer security guidance for how private sector organisations can assess and improve their ability to prevent, detect, and respond to cyber attacks.
Designed to foster risk and cybersecurity management communications among both internal and external organisational stakeholders.
The Framework is a risk-based approach. https://www.nist.gov/cyberframework
NIST Framework Core - Functions & Categories
IoT Security Foundation Principles & Best Practice Guides
IoT Security Foundation
Secure IoT Event - 17th October 2017
Internet of Things Security Event
Green Park Conference Centre
100 Longwater Avenue, Green Park, Reading RG2 6GP
http://tinyurl.com/secureiot
Learn about:
• potential threats and risks to your organisation
• real world examples of IoT attacks and the damage caused
• IoT security best practice and frameworks
Meet leading experts and companies offering security products, solutions and services
Secure IoT Speakers
Talk | Speaker | Organisation
IoT Security at the KTN | Robin Kennedy | KTN
Weaponising the IoT | Ken Munro | Pen Test Partners
Industrial IoT - How Secure is it? | Ray Evans | IBM
IoT Security Framework | Richard Marshall | IoT Security Foundation
Security starts with a threat model | Phil Winstanley | Microsoft
IoT Passwords (Past, Present and Future) | Edward Williams | Trustwave
Hardware-Level Intrusion Detection | Professor Mark Zwolinski | University of Southampton
Right-sizing secure HW for a range of threats and assets | Erik Jacobson | Arm
Device Management & 'Over-The-Air' Firmware Upgrade for Constrained Devices | Duncan Purves | Connect2 Systems
Internet of Things security architecture | John Donnelly | Microsoft
IoT security testing - helping to improve customer confidence and win new clients | Bryon Lowen | TVS
Delivering trust through independent security testing and certification | Laurens van Oijen | UL
The Art of Automation | Rob Dobson, Campbell Elder, Mark Tootell | Device Authority, MultiTech & InVMA
Thank you & Questions
Duncan Purves
Connect2 Systems
duncan@connect2.io
 
Bridging the gap between hardware and the cloud
Bridging the gap between hardware and the cloudBridging the gap between hardware and the cloud
Bridging the gap between hardware and the cloud
 
Cyber Academic Startup Accelerator Programme
Cyber Academic Startup Accelerator ProgrammeCyber Academic Startup Accelerator Programme
Cyber Academic Startup Accelerator Programme
 
Digital buildings
Digital buildingsDigital buildings
Digital buildings
 
The University of Sheffield AMRC
The University of Sheffield AMRCThe University of Sheffield AMRC
The University of Sheffield AMRC
 
Supervised Manufacturing
Supervised ManufacturingSupervised Manufacturing
Supervised Manufacturing
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Internet of Things Security - Trust in the supply chain

• 1. Connect2 Systems 2017
Trust in the Supply Chain
Duncan Purves
duncan@connect2.io

• 2.
In January 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them.

Five months later a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until the researchers found a handful of malicious files on one of the systems and discovered the world's first digital weapon.

Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.

• 4. Ukraine - technical components used by the attackers
§ Spear phishing to gain access to the business networks of the oblenergos (regional energy distributors)
§ Identification of BlackEnergy 3 at each of the impacted oblenergos
§ Theft of credentials from the business networks
§ The use of virtual private networks (VPNs) to enter the Industrial Control Systems (ICS) network
§ The use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator HMI
§ Serial-to-Ethernet communications devices impacted at a firmware level
§ The use of a modified KillDisk to erase the master boot record of impacted organization systems as well as the targeted deletion of some logs
§ Utilizing UPS systems to impact connected load with a scheduled service outage
§ Telephone denial-of-service attack on the call centre
From: "Analysis of the Cyber Attack on the Ukrainian Power Grid", TLP: White, E-ISAC and SANS | March 18, 2016
• 5. It's official: Hearts can be hacked
The FDA confirmed that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device.
Once in, they could deplete the battery or administer incorrect pacing or shocks.

• 6.
The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
The attack involved Mirai.
At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it.

• 7. Hackers Remotely Kill a Jeep on the Highway

• 9.
Ransomware has carved itself a niche as one of the main cybersecurity threats of 2016.
While traditional ransomware affects your computer and locks your files, IoT ransomware has the opportunity to control systems in the real world.
This potential to cause far more damage means that hackers can charge much more, ultimately making it an appealing market for them to explore.
• 10. IoT System – Complex Assembly of System Elements
(Layered diagram, reconstructed from the slide labels, cloud at the top down to the field devices)
§ Business applications: operations & maintenance | asset management & monitoring | work order management | security | facility management | industrial control | energy management | environmental monitoring
§ Application services: messaging | data | analytics | integration | event processing | dashboard | reporting
§ Device management services: server | APIs | bootstrap | registration; device management application: configuration | firmware update; device & network health monitoring
§ Wide area communication network services: mobile | satellite | fixed | wireless | internet | LPWAN; IP | VPN | data | SIM management | billing
§ Wide area intelligent gateways & routers (edge of network): analytics | complex event processing | applications | swarm computing
§ Local area, personal area & sensor networks
§ Edge devices: hardware | embedded software | sensor & actuator integration | protocol conversion
§ Sensors & actuators
Also shown alongside the layers: system integration; end customer services; data & protocol integration & security services
• 11. Trust in the IoT System
Depends on:
§ Trust in all the elements
§ How they are integrated
§ How they interact with each other

• 12. Trust Relationship between Actors
Each element has actors that execute various roles in the creation, integration and operation of the system.
§ Trust flows down from the operator to all parts of the system
§ But trust must be built from the bottom up
Figure taken from the Industrial Internet Consortium; Industrial Internet of Things Volume G4: Security Framework; www.iiconsortium.org/

• 13. Trust must be maintained through the System Lifecycle
Requirements → Design → Development → Commissioning → Operation → End of Life / Decommissioning
Integrity of each element of the system and supply chain must be monitored to ensure that the initial trustworthiness is preserved through the life of the system.
Threats, and therefore risk, will not be static over the lifetime of the solution.
§ You need a governance structure that manages cybersecurity supply chain risks
§ To actively share information and maintain strong relationships with your suppliers and partners
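As an added illustration of the lifecycle point above (this is not from the deck or from Connect2 Systems), the Python below shows one way an operator can check that each delivered element still matches what the supplier shipped: a supplier publishes a manifest of SHA-256 digests, the operator authenticates the manifest and verifies every element against it at commissioning, then re-runs the same check during operation to catch drift. The element names, their contents and the manifest key are constructed for the example; authenticating the manifest with a shared HMAC key is an assumed simplification standing in for a supplier's public-key signature.

```python
"""Component-integrity check across the system lifecycle (added example).

A supplier records an expected SHA-256 digest for every delivered element
(firmware, gateway image, configuration) and authenticates that record. The
operator verifies the record, then each element, at commissioning and again
periodically in operation.

Assumed simplification: the manifest is authenticated with an HMAC-SHA256 key
shared between supplier and operator. In practice a public-key signature would
be used so the operator never holds signing capability.
"""
import hashlib
import hmac
import json

# Constructed sample artefacts standing in for the delivered system elements.
SUPPLIED_ELEMENTS = {
    "edge-firmware-v1.2.bin": b"FW\x01\x02 edge device firmware image (constructed sample)",
    "gateway-image.tar": b"gateway container image (constructed sample)",
    "site-config.json": b'{"mqtt_tls": true, "remote_shell": false}',
}

# Constructed key shared between supplier and operator (assumption, see docstring).
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(elements: dict, key: bytes) -> dict:
    """Supplier side: one digest per element, then a tag over the whole record."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(elements.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_system(elements: dict, manifest: dict, key: bytes) -> dict:
    """Operator side: authenticate the manifest first, then check every element.

    Returns {"manifest_ok": bool, "failed": [...], "missing": [...], "unexpected": [...]}.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check itself leaks nothing useful.
    manifest_ok = hmac.compare_digest(expected_tag, manifest["tag"])
    report = {"manifest_ok": manifest_ok, "failed": [], "missing": [], "unexpected": []}
    if not manifest_ok:
        # An unauthenticated manifest cannot vouch for anything; stop here.
        return report
    for name, digest in manifest["digests"].items():
        if name not in elements:
            report["missing"].append(name)       # element expected but not present
        elif sha256_hex(elements[name]) != digest:
            report["failed"].append(name)        # element present but altered
    # Anything deployed that the supplier never listed is also a finding.
    report["unexpected"] = sorted(set(elements) - set(manifest["digests"]))
    return report


def system_is_trustworthy(report: dict) -> bool:
    return report["manifest_ok"] and not (
        report["failed"] or report["missing"] or report["unexpected"]
    )


if __name__ == "__main__":
    manifest = build_manifest(SUPPLIED_ELEMENTS, MANIFEST_KEY)
    # Commissioning: everything matches what was shipped.
    print(verify_system(SUPPLIED_ELEMENTS, manifest, MANIFEST_KEY))
    # Later in operation: the configuration has drifted (remote shell re-enabled).
    drifted = dict(SUPPLIED_ELEMENTS)
    drifted["site-config.json"] = b'{"mqtt_tls": true, "remote_shell": true}'
    print(verify_system(drifted, manifest, MANIFEST_KEY))
```

The report separates three findings a governance process would route differently: an altered element (re-image or escalate to the supplier), a missing element (incomplete deployment), and an unlisted element (something added outside the supply chain). A manifest that fails its own check is reported on its own and no element result is trusted from it.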
• 14. Permeation of Trust
§ The trust lifecycle starts with the specification of requirements that result in the delivery of capabilities
§ The assurance that these capabilities meet the stated requirements becomes the basis of trust in the system
Figure taken from the Industrial Internet Consortium; Industrial Internet of Things Volume G4: Security Framework; www.iiconsortium.org/

• 15. Specifying Security Requirements
Unfortunately many operators or users do not include security in their specification of requirements.
Many believe the risk of their systems being hacked or attacked is low.
It is very expensive and damaging to your reputation to incorporate security after the event, just ask Equifax!
You need to evaluate the risk and incorporate security at the Requirement and Design phase.

• 16. Managing Risk
§ It is not feasible to eliminate all risk from a system
§ Security investments are balanced against the effect of undesirable outcomes
§ Balancing must be grounded in a realistic assessment of the threats, the risks they pose and how they might prevent the system from fulfilling its intended functions
§ Costs must be evaluated and a rational selection of implementation choices made to deliver an acceptable return on investment
• 17. Generic Risk Model With Key Risk Factors
Risk is a function of the likelihood of a threat event's occurrence and the potential adverse impact should the event occur.
Source: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

• 18. Basic Steps in the Risk Assessment Process
Source: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
• 19. Attack Surface and Vectors
The elements of the IoT system exposed to possible attacks are called its attack surface.
Each of these elements may be vulnerable via an attack vector
§ the mechanism by which an attack can take place
Attack vectors include:
§ physical attacks
§ network attacks
§ attacks against software
§ attacks on operators
§ attacks on the supply chains of the elements that comprise the system

• 20. OWASP IoT Attack Surface Areas Project
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas

• 21. Threat Modelling
1. What are you building?
2. What can go wrong?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
Model System → Find Threats → Address Threats → Validate
• 22. STRIDE, developed by Microsoft
Models risks and evaluates threats for the IT/IoT environment
Spoofing identity
Ø Where a person or device is using another person's credentials such as login and password
Ø A device can use a spoofed device ID
Tampering with data
Ø Altering the data related to a device, packets on the wire (or wireless), bits on disk or in memory
Repudiation
Ø Denial that a person or device was involved in a particular transaction or event
Ø Refers to the ability (or lack) to trace which person or device was responsible for an event
Information disclosure
Ø Exposure of information to individuals who are not supposed to have access to it
Ø E.g. sensor data for a city in the hands of persons with intentions to launch an attack on the city
Denial of service
Ø Making a service unavailable, often through resource consumption or unreliable execution
Elevation of privilege
Ø An unprivileged user gains sufficient access to compromise or destroy an entire system
Ø An attacker has penetrated all system defences and become part of the trusted system
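One standard mitigation for the Spoofing and Tampering rows above, and a basis for the traceability that Repudiation asks for, is per-device message authentication. The Python below is an added example (not from the deck or from Connect2 Systems): each device holds its own key and tags every message with it, and the gateway rejects messages from unknown identities, messages whose tag does not verify (a borrowed device ID or an altered payload) and replayed counters. The device IDs, keys and readings are constructed; using symmetric HMAC keys per device is an assumed simplification of certificate-based device identity.

```python
"""Per-device message authentication against STRIDE spoofing and tampering (added example).

Each device is provisioned with its own secret key and authenticates every
message it sends, binding device ID, a monotonically increasing counter and the
payload together. The gateway verifies the tag with the key registered for the
claimed device ID, so a message that claims another device's identity, or whose
payload was altered on the wire, fails verification.

Assumed simplification: symmetric HMAC-SHA256 keys per device. Real deployments
often use per-device certificates and TLS; the gateway-side check has the same shape.
"""
import hashlib
import hmac
import json

# Constructed per-device keys, as provisioned at manufacture (assumption).
DEVICE_KEYS = {
    "sensor-0001": b"constructed-key-for-sensor-0001",
    "sensor-0002": b"constructed-key-for-sensor-0002",
}


def _canonical(device_id: str, seq: int, payload: dict) -> bytes:
    # Deterministic encoding so device and gateway MAC exactly the same bytes.
    return json.dumps(
        {"device_id": device_id, "seq": seq, "payload": payload}, sort_keys=True
    ).encode()


def device_send(device_id: str, key: bytes, seq: int, payload: dict) -> dict:
    """Device side: attach an HMAC tag binding id, counter and payload."""
    tag = hmac.new(key, _canonical(device_id, seq, payload), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "seq": seq, "payload": payload, "tag": tag}


class Gateway:
    """Gateway side: verify tags and enforce a strictly increasing counter per device."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # device_id -> highest accepted counter

    def accept(self, msg: dict) -> str:
        """Return 'ok' or a rejection reason mapped to the STRIDE category it defends."""
        key = self.keys.get(msg["device_id"])
        if key is None:
            return "reject:unknown-device"  # Spoofing: ID was never provisioned
        expected = hmac.new(
            key, _canonical(msg["device_id"], msg["seq"], msg["payload"]), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject:bad-tag"  # Spoofing (wrong key for this ID) or Tampering
        if msg["seq"] <= self.last_seq.get(msg["device_id"], -1):
            return "reject:replay"  # Tampering: an old, valid message re-sent
        self.last_seq[msg["device_id"]] = msg["seq"]
        return "ok"


def demo() -> list:
    """Run the gateway over constructed traffic and return the decision per message."""
    gw = Gateway(DEVICE_KEYS)
    results = []
    genuine = device_send("sensor-0001", DEVICE_KEYS["sensor-0001"], 1, {"temp_c": 21.5})
    results.append(gw.accept(genuine))                 # ok
    results.append(gw.accept(genuine))                 # reject:replay (same counter again)
    altered = dict(genuine, seq=2, payload={"temp_c": 99.0})
    results.append(gw.accept(altered))                 # reject:bad-tag (payload changed)
    # Message carrying sensor-0001's ID but authenticated with sensor-0002's key.
    borrowed = device_send("sensor-0001", DEVICE_KEYS["sensor-0002"], 3, {"temp_c": 30.0})
    results.append(gw.accept(borrowed))                # reject:bad-tag (wrong key for ID)
    results.append(gw.accept(device_send("sensor-9999", b"any", 1, {})))  # reject:unknown-device
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the tag covers the device ID and counter as well as the payload, an accepted message can later be attributed to exactly one provisioned key, which is the evidence trail the Repudiation row asks for; the counter check is what stops a captured genuine message from being replayed as fresh telemetry.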
• 23. Addressing Threats
§ Mitigating threats
Ø doing things to make it harder to take advantage of a threat
Ø e.g. adding password controls that enforce complexity or expiration
§ Eliminating threats
Ø almost always achieved by eliminating features
§ Transferring threats
Ø letting someone or something else handle the risk
Ø e.g. pass trust boundary enforcement to a firewall product
Ø transfer risk to customers
§ Accepting the risk
Ø the final approach to addressing threats
Ø e.g. because the cost is prohibitive

• 24. So where do you go to for advice and best practice?

• 25. So who is developing IoT Security Best Practice Principles & Guidelines?
§ National Institute of Standards and Technology (NIST)
§ IoT Security Foundation (IoT SF)
§ GSM Association (GSMA)
§ Industrial Internet Consortium (IIC)
§ Open Web Application Security Project (OWASP)
§ U.S. Department of Homeland Security
§ Broadband Internet Technical Advisory Group (BITAG)
§ Online Trust Alliance (OTA) - IoT Trustworthy Working Group
§ U.S. Department of Health and Human Services, Food and Drug Administration
§ Cloud Security Alliance

• 26. NIST Cybersecurity Framework
Provides a policy framework of computer security guidance for how private sector organisations can assess and improve their ability to prevent, detect, and respond to cyber attacks.
Designed to foster risk and cybersecurity management communications among both internal and external organisational stakeholders.
The Framework is a risk-based approach.
https://www.nist.gov/cyberframework
• 27. NIST Framework Core - Functions & Categories

• 28. IoT Security Foundation Principles & Best Practice Guides

• 29. IoT Security Foundation
• 30. Secure IoT Event - 17th October 2017
Internet of Things Security Event
Green Park Conference Centre, 100 Longwater Avenue, Green Park, Reading RG2 6GP
http://tinyurl.com/secureiot
Learn about:
§ potential threats and risks to your organisation
§ real world examples of IoT attacks and the damage caused
§ IoT security best practice and frameworks
Meet leading experts and companies offering security products, solutions and services
• 31. Secure IoT Speakers
Talk | Speaker | Organisation
IoT Security at the KTN | Robin Kennedy | KTN
Weaponising the IoT | Ken Munro | Pen Test Partners
Industrial IoT - How Secure is it? | Ray Evans | IBM
IoT Security Framework | Richard Marshall | IoT Security Foundation
Security starts with a threat model | Phil Winstanley | Microsoft
IoT Passwords (Past, Present and Future) | Edward Williams | Trustwave
Hardware-Level Intrusion Detection | Professor Mark Zwolinski | University of Southampton
Right-sizing secure HW for a range of threats and assets | Erik Jacobson | Arm
Device Management & 'Over-The-Air' Firmware Upgrade for Constrained Devices | Duncan Purves | Connect2 Systems
Internet of Things security architecture | John Donnelly | Microsoft
IoT security testing - helping to improve customer confidence and win new clients | Bryon Lowen | TVS
Delivering trust through independent security testing and certification | Laurens van Oijen | UL
The Art of Automation | Rob Dobson, Campbell Elder, Mark Tootell | Device Authority, MultiTech & InVMA
• 32. Thank you & Questions
Duncan Purves
Connect2 Systems
duncan@connect2.io