Join Shawn Henry as he discusses his vision of IoT Security. What will be the impact of insecure IoT devices for consumers in the home, smart cities and other industrial and critical infrastructures? Looking forward five years, what is the landscape to consider?
Shawn Henry
President, CrowdStrike Services & CSO
https://www.cablelabs.com/informed/
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
THE STATE OF IoT SECURITY
SHAWN HENRY, President of Services & CSO
1 Threats and Vulnerabilities
2 Impact of unsecure devices: industrial and critical infrastructures,
3 …in smart cities,
4 …in the home
5 The Future of IoT Security
6 Questions
THE INTERNET OF THINGS: BY THE NUMBERS
Gartner & IDC estimate the amount and cost of IoT devices at:
YEAR 2016: 6.4 billion devices totaling over $235 billion
YEAR 2020: 20 billion devices totaling over $1.7 trillion
HOW MUCH WILL BE SPENT ON IoT SECURITY?
Worldwide IoT Security Spending Forecast (Millions of Dollars)
2014: $231.86
2015: $281.54
2016: $348.32
2017: $433.95
2018: $547.20
Reference: Forecast: IoT Security, Worldwide, Gartner, April 2016
THE INTERNET OF VULNERABILITIES
IoT Village at DEF CON 2016:
47 new vulnerabilities affecting 23 devices from 21 manufacturers
THE INTERNET OF VULNERABILITIES
• Late 2016 brought the rise of Mirai, the botnet “that broke the Internet”
• Exploits vulnerabilities on unsecure IoT devices
• CCTV cameras, routers, DVRs, smart TVs, etc.
• Continuously scans for connected IoT devices configured with factory default settings
9. 2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
INTERNET OF THINGS
ADVERSARY PRIORITIES
Vehicle Systems
ICS/SCADA
Network Devices
EFI Firmware
Embedded Applications
Linux/Unix
BSD
VxWorks
QNX
10. INDUSTRIAL IoT AND SMART CITIES
Reference: The Internet Of Things Heat Map, 2016 --Forrester
THE GROWTH OF IoT AT A GLANCE
INDUSTRIAL IoT
Bain: by 2020 annual revenues could exceed $470B for IoT vendors
General Electric: investment in the Industrial Internet of Things (IIoT) to exceed $60 trillion during the next 15 years
Reference: Forecast: IoT Security, Worldwide, Gartner, April 2016
INDUSTRIAL IoT
“Lufthansa is using an IoT-based strategy to create an entirely new business mining data from their maintenance, repair and overhaul operations and providing it to their customers.” – Forbes
FIRST, THE GOOD NEWS…
“Enterprises lead small and medium size businesses in IoT adoption and interest by more than 10 points”
“23% percent of global enterprise respondents use IoT, but only about 14% of small and medium-size business respondents do.”
- Forbes
INFRASTRUCTURE ATTACK:
ENERGY GRID
Dec 2015: Ukrainian power stations hacked
Commands disable UPS systems – 225,000 customers go dark
“From an attack perspective, it was just so awesome. I mean really well done by them.”
INFRASTRUCTURE ATTACK:
DAM CONTROL SYSTEM
2013: Iranian hackers infiltrated the control system of a dam via Google hacking
Officials identified the dam breach while investigating the same hackers conducting attacks on the US financial infrastructure
Fortunately, the dam was out of commission for repairs during the attack so the flood gate was unaffected
SMART CITIES
Google’s Sydney office hacked via its building management system
Michigan researchers hacked into wireless traffic lights
ATMs robbed via Smartphones in Taiwan
VEHICLE TELEMATICS
Researcher hacks publicly available Telematics Gateway Units.
Cellular modem with public IP address
Mandated for commercial trucking in 2017
Trucks, ambulances, buses, industrial vehicles
GPS location, speed, fuel efficiency, potential for vehicle controls (ignition, brakes, etc.)
TIMELINE OF VEHICLE HACKS
• 2015: Researchers hack a Jeep’s digital system over the Internet
Chrysler recalls 1.4M vehicles
• 2016: USG issues PSA about the “real rise” of car hacking
• 2017: Legislation calls for car cybersecurity standards
VEHICLE INFOTAINMENT
Vehicles pre-equipped with:
• WiFi
• Bluetooth
• Microphones
• Cloud-based content sharing
WIRED HOMES
LG announced all home appliances will feature:
Advanced Wi-Fi connectivity
DeepThinkQ technology
Each item to learn from its owner’s patterns
Example: smart refrigerator featuring a camera and voice-activated system powered by Amazon’s Alexa
Reference: BU News Service
WEARABLES
Worldwide shipments of wearable devices believed to have reached 110 million in 2016 with 38.2% growth year over year
32. THE FUTURE OF IoT
THE NEXT MIRAI
IoT devices continue to remain unsecure:
Outdated code
Poorly maintained operating systems
“Install and Forget” model
No patching
Long lifespan of devices
Default credentials
Lack of security solutions
“Minimal Viable Products”
THE NEXT MIRAI
• Mirai converted IoT devices into a botnet for DDoS
• Estimates range up to 400,000 devices controlled
• ~250,000,000 CCTV cameras are deployed around the world
• Source code is openly available
• What happens when botnets are converted from DDoS to access platforms?
35. WE’VE SEEN THE PROBLEMS….
NOW HOW DO WE SECURE OURSELVES IN THE AGE OF IoT?
STEPS IN SECURING IoT
1) Major expansion of supply chain, network edge devices, and cloud operations
2) Defense in depth and limiting the attack surface
3) Red teaming and penetration testing
4) Device reverse engineering and due diligence
5) Vendor pressure to provide adequate and standardized logging
6) Security devices that can interact with a multitude of network protocols
7) Managed security services
8) Government Regulations and Liabilities for Consumer Devices