The document discusses privacy and security considerations regarding data collection from internet of things devices. It notes that devices can collect extensive personal data about individuals without their knowledge, including energy usage patterns that can reveal when someone is home, what floors of a home they are on, and daily routines. The document also discusses how televisions may have listening capabilities. It raises questions about what data is being collected and discusses that both privacy laws and security are important considerations as the internet of things continues to expand.
8. Three Things Will Occur
• Data will become open to all
• Real-time analysis will occur at source
• Blockchain technology will become a critical component for security
15. Internal And External Opportunities
• Appirio gives all employees Fitbit trackers
• Google Hangouts offer employees live video sessions with a trainer
• Data mined from Chatter groups and Fitbit devices lead to 5% reduction in annual insurance premiums at approx. $300k
36. IoT Technology Platform – Accelerating Adoption
Platform layers (text recovered from the diagram, top to bottom):
• Applications
• App Enablement
– Workflow / Rules Engine
– Event Management
– Video Sensing
– Data Normalization and Modeling
– Protocol Mediation
– Enterprise App Integration
• Cloud and Fog Analytics
• Security and Identity Management
• Open and Programmability (APIs)
• Ease of use and Management
• Infrastructure
– Software Defined Networking
– Network, Compute, Storage
• Things
44. IoTWF Working Groups
Horizontal Working Groups:
• Security, Privacy, Compliance
• Standards & Interoperability
• Architecture, Management, Analytics
• Innovations, Start-Ups
• Sensors & Embedded OS
• GTM: New Business Models
• Marketing
Vertical Working Groups:
• Education, Health, Manufacturing, Energy, Retail, Transportation, Smart City
71. ABERDEEN • EDINBURGH • GLASGOW • BRUSSELS www.brodies.com
Internet of Things
Retaining privacy and security in an ever connected world
Martin Sloan, Partner, Brodies LLP
Blog: http://techblog.brodies.com
Twitter: @Brodies TechBlog
30 September 2015
73. “We, Siemens, have the technology to record [energy consumption] every minute, second, microsecond, more or less live... From that we can infer how many people are in the house, what they do, whether they're upstairs, downstairs, do you have a dog, when do you habitually get up, when did you get up this morning, when do you have a shower: masses of private data.”
Martin Pollack, Director of M&A, Siemens Energy
Smart Grids and Cleanpower Conference 2010
(as reported by Reuters)
74. Or….
BBC News: Not in front of the telly: Warning over 'listening' TV
http://www.bbc.co.uk/news/technology-31296188
78. What does the law say?
• EU-wide laws on data protection
• Other rules apply elsewhere – understand your markets
• Data Protection Act 1998
– imposes obligations on data controllers
– in connection with processing
– of personal data
– about living individuals, known as data subjects, who have certain corresponding rights under the DPA
• If you are not processing personal data then DPA will not apply
80. Data protection principles
• Principle 1 – processed fairly and lawfully
• Principle 2 – processed only for specified and lawful purposes
• Principle 3 – adequate, relevant and not excessive
• Principle 4 – accurate and (where necessary) up to date
• Principle 5 – kept only for so long as is necessary
• Principle 6 – processed in accordance with rights of the data subject
• Principle 7 – kept secure
• Principle 8 – not transferred outside EEA, unless the country ensures “adequate” protection
81. Fair and lawful processing
• Must satisfy a Schedule 1 condition – includes:
– consent
– necessary for pursuit of legitimate interests
• Sensitive personal data – more limited conditions (Schedule 2)
• Fair processing code
– must ensure “so far as practicable” that data subject is informed of the processing
• Processing must otherwise be fair and lawful in all the circumstances
82. Secure processing
• Obligation to put in place “appropriate” technical and organisational measures to prevent unauthorised/unlawful processing and accidental loss, damage or destruction
• “Appropriate” depends on nature of data and consequences of a security breach
• ISO 27001 and other relevant standards?
• Technical and organisational measures:
– not just IT
– Needs holistic approach
– Use of third party processors
83. Where is the law going?
• New Data Protection Regulation
• European Commission
– Digital Single Market Initiative
– Alliance for Internet of Things Innovation
• ICO guidance
– ANPR, body worn cameras, drones
• Article 29 Working Party
– Opinions to date on geolocation, smart metering
84. It’s not just about privacy
• CMA investigation into consumer data
• Liability – what if
– your fridge orders too much milk?
– your health monitoring device fails to report an issue?
– your connected car crashes?
• Cyber attacks
– Not just about personal data – also reputational
• IP
– Who owns the IP? What can you do with it?
86. BBC News: Smart devices to get security tune-up
http://www.bbc.co.uk/news/technology-34324247
87. Key issues to consider
• Consumer understanding
• Privacy by Design
• How do you enable ongoing security improvements?
• Will you collect data about/from children?
• Will you collect sensitive personal data?
• Will you share data with third parties?
• Privacy impact assessments
• Privacy policy/fair processing notice
– What does it say?
– How do you future proof?
– How do you communicate that to individuals?
88. Developing a privacy aware product
• Conduct a privacy impact assessment
• Anonymisation – do you need to process personal data at all? Can it be anonymised?
• Repurposing – is the processing consistent with the original purpose? Do you need consent?
• Data minimisation – how do you achieve this?
• Transparency – how do you convey what you are doing?
• Subject access requests – design your system to enable you to comply with rules on subject access rights
• Data management policy
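The anonymisation and data minimisation questions above can be answered in code for the energy-consumption case raised earlier in the deck. The following is an added illustration written for this page, not Brodies' or any vendor's product code; the meter readings are constructed samples, the pseudonymisation key is a hypothetical placeholder, and the 30-minute bucket size is an assumption. It shows the two techniques together: per-minute readings are aggregated to coarser buckets (so a shower at 07:00 is no longer visible while billing totals stay exact), and the meter identifier is replaced by a keyed hash so the data store alone cannot link a record back to a household.

```python
"""Data minimisation and pseudonymisation for smart-meter readings.
Added example for the 'privacy aware product' checklist; not from the
original slides. All input data is constructed."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-minute readings: (meter_id, ISO timestamp, kWh used in that minute)
RAW_READINGS = [
    ("MTR-0001", "2015-09-30T06:58:00", 0.004),
    ("MTR-0001", "2015-09-30T06:59:00", 0.004),
    ("MTR-0001", "2015-09-30T07:00:00", 0.120),  # electric shower: a revealing spike
    ("MTR-0001", "2015-09-30T07:01:00", 0.118),
    ("MTR-0001", "2015-09-30T07:02:00", 0.005),
    ("MTR-0002", "2015-09-30T07:00:00", 0.010),
    ("MTR-0002", "2015-09-30T07:01:00", 0.011),
]

# Hypothetical secret held only by the data controller (assumption: in practice
# it would live in a key store and be rotated, never sit in source code).
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonymise(meter_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the meter id. A plain SHA-256 over a small id space could be
    reversed by enumerating ids, so the secret key is what makes this a pseudonym."""
    return hmac.new(key, meter_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(readings=RAW_READINGS, bucket_minutes: int = 30) -> list:
    """Aggregate per-minute kWh into fixed buckets and pseudonymise the meter id.

    Returns a sorted list of (pseudonym, bucket_start_iso, total_kwh). The bucket
    total is exact for billing, but minute-level behaviour is no longer present."""
    totals = defaultdict(float)
    for meter_id, ts, kwh in readings:
        t = datetime.fromisoformat(ts)
        # floor the timestamp to the start of its bucket
        floored = t - timedelta(minutes=t.minute % bucket_minutes,
                                seconds=t.second, microseconds=t.microsecond)
        totals[(pseudonymise(meter_id), floored.isoformat())] += kwh
    return [(pid, start, round(total, 6))
            for (pid, start), total in sorted(totals.items())]


if __name__ == "__main__":
    for pseudonym, bucket_start, total in minimise():
        print(f"{pseudonym} {bucket_start} {total:.3f} kWh")
```

The raw per-minute table should then be discarded (or never retained) once the bucketed totals are produced; keeping both defeats the purpose. If finer-grained data is genuinely needed for a service the customer has asked for, that is the "repurposing" question above and needs its own lawful basis.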
89. Online Trust Alliance
• Alliance of technology businesses
• Industry initiative to address privacy concerns
• Draft framework on best practices
• Covers:
– Transparency
– Limitations on use of data and data retention
– Rights of the individual
– Security
• Consultation closed 14 September 2015
142. What would 20,000 Things design?
Diagram text: Data, Things, Patterns, Usages, Ideas, Prototypes, Publications, Patents, New Things
Tactics and horizontals
146. ThingTank
“By 2017, a significant disruptive digital business will be launched that was conceived by a computer algorithm.”
Gartner Report 2014, www.networkedworld.com, October 2014
More than human horizontals: ThingTank.org
164. Vision
To be THE Leading Global enabler for Managing, Monitoring and Monetizing IoT across all Connectivity Technologies
Cellular, Satellite, Wi-Fi, LPWA
Simplifying the Complex
166. Data Routing & Transit: Device to Enterprise
Diagram text: Devices → Enterprise (Applications, Data Stores, IT Services)
167. Stream’s Customers
Stream’s Customers Comprise Leading Companies from the following sectors:
MNOs, Solution & Service Providers, Enterprise, Government
184. IoT-Xtend adds simplicity to LPWA networks
• Provides subscription and network management, data routing, and billing
• Multiple Backhaul options to LPWA base stations/gateway from the same platform
• Future Proofing: enables LPWA networks to be agnostic to gateway or end device.
• Any LPWA wireless protocol can be used as the ‘over the air’ communication
• ‘Real Time’ transformation of data from all end points – conversion of any wireless protocol including legacy or prototyping variants.
• The Complex value chain and IoT ecosystem is made simple
• LPWA networks can be deployed end to end with pre-integrated technology partners
• Removes risk as multiple technologies can be deployed individually or simultaneously
190. Xpand Core Values
• Un-steered roaming SIM card that works across 2G/3G Network roaming partners
• Coverage is paramount and designed so that data can be transferred securely over any network to your infrastructure and applications.
• Stream provides a high level of resilience with Multi-site infrastructure and N+1 service redundancy
• Can be used with GSM, CDMA, Satellite and Low Powered Radio for a mixture of technologies into their solutions.
• Stream also provides location based services (LBS) which track and geo fence remote devices and report location to customers’ applications throughout the UK, Europe and globally.
• Real-Time management and reporting of SIMs. View connectivity, data usage levels, set monitoring alerts and manage invoices.
• Troubleshoot and diagnose problems or get help with any SIMs.
• Provides real-time GSM, WIFI or Satellite network based lookup or triangulation.
• Stream’s network monitoring and diagnostics along with technical & operational support expertise ensure optimal network management and connectivity of devices.
Manageable, Resilient, Scalable, Secure
194. Xlerate Productized Solutions
• Complete Turnkey solutions made easy to sell for operators
• Over 500+ existing service providers
• Best of breed partners for hardware, software & applications
• Covering 16 Verticals
• Cellular, Satellite, Dual Mode, and Low Power Radio
199. The Big Money Internet of Things
A case study from 4 years in the US shale Oil & Gas business
Tim Everitt
www.tfe.expert
working for
207. Key points from the Thing sprint:
Scale – millions of Things
Value – $billions
Mobility – 20% fixed, 80% in slow/medium/fast motion
Sensors – low-risk, public Internet ok
Actuators – high-risk, regulation, private Internets only
Rip & Replace – not possible
Roadmaps – must support legacy and convert to Things
217. Key points from the Internet sprint:
Laws – Physics implemented as technology and products
Laws – Government, FCC, classification societies
Laws – Money realism
Public Internet – ok for sensors
Private Internets – needed for actuators
Industrial Grade – 5x9, high-capacity, all IP, secure, managed
Customer Demarcation – at tier 1 communications hub
Rip & Replace – not possible
Roadmaps – accept legacy networks and transition to IoT
218. Killer apps – for high-end IoT:
Sensors – Tag data historians, e.g. PI, Proficy, Wonderware, etc.
Actuators – SCADA/DCS, e.g. ABB, Siemens, Honeywell, etc.
but that’s enough about …
220. Thank you… and an offer
Any questions
Tim Everitt
www.tfe.expert
working for
221. CENSIS & IoT
Derek Liddle – Technical Director
Kevin Power – Software Architect
225. About CENSIS
• Industry-led with Sensor and Imaging Systems (SIS) focus to generate GVA
• Bringing researchers and industry together for knowledge-driven innovation
• In-house team of engineers and project managers
• Straightforward commercial framework
• Shaping long-term R&D in key sectors
226. Hub and Spoke Model
Hub: CENSIS office. Spokes: Virtual communities of interest.
• Articulate industry need
• Understand research landscape
• Identify and shape potential interventions
Spoke communities shown in the diagram:
• Advanced Data Analysis & Visualisation
• Advanced Devices & Fabrication
• Imaging & Optics
• Remote & Distributed Systems
• Signal Processing, Networking & Comms
• Systems Engineering, Management, Integration
227. The Sensor Systems Stack
From raw data to informed business decisions
Product evolution demands connected sensing. The value of sensor and imaging systems is in transforming raw data into meaningful information. This enables businesses to:
• assess the value of data
• be targeted in data gathering
• gain insights
• act on the results
Stack layers, from Information at the top to Raw Data at the bottom (Applications/Software above, Devices/Hardware below):
• Visualisation & Presentation – presenting information to inform decisions
• Analysis & Post Processing – converting the measured data to meaningful information
• Data Repository – storing, managing and organising data and its content
• Communications & Networking – transporting the data to a storage location
• Transductance & Pre-processing – converting changes to signals & prioritising valuable data
• Sensor Element – detecting and measuring a change, e.g. vibration, impacts, heart, light, energy, colour, temperature etc.
Cross-cutting concerns: POWER, CONTROL, MANAGE
228. Value Proposition
Incremental and step changes in industrial competitiveness driven by the proliferation of innovative SIS solutions targeting real industry and challenges throughout the supply chain
We aim to:
• Inform and optimise R&D choices
• Enable new products and markets
• Anchor high value elements of Scottish supply chain
• Address societal and industrial challenges
• Demonstrate HEI research impact
• Reduce costs, risks, time to market
229. Markets we support
From the built environment, manufacturing, gaming, agriculture and defence to aerospace, water management, consumer, ocean science, food and drink, life sciences and pharma, offshore, healthcare, renewables and energy generation
230. Importance of IoT for CENSIS
Offshore & Subsea
• Hydrocarbon Detection & Exploration
• Gas monitoring CO2 – Carbon Capture and Storage
• Asset monitoring and condition monitoring
• Multiphase flow, and particle detection
• Subsea position detection and communications
• Super High Pressure and High Temperature
Energy
• Asset monitoring and condition monitoring
• Smart grid
• CO2 Emissions
• Ageing infrastructure / Partial Discharge
• Molecular Spectroscopy
Medical & Health
• Consumer health and fitness
• Implantable / ingestible diagnostics
• Medical Imaging and diagnostics
• Telehealth – remote medical diagnostics
Environmental
• Remote mapping of large areas e.g. coastal aquaflora
• Low cost – ubiquitous air quality measurement
• Intelligent Transport – dynamic optimisation of transport systems
• Smart Cities – open systems / value add services / decision making
• Infrastructure condition monitoring roads/railways/bridges
Defence
• Target recognition in low visibility environments
• Stand-off threat detection
• Low power / low weight systems
• Infantry super sensing
Food & Agriculture
• Food quality non-invasive measurement
• Traceability and provenance (brand protection)
• Open systems for environmental management
• Smart Farming – targeted crop and animal fertilisation
• Animal welfare and remote monitoring
Manufacturing
• Process real time measurements – e.g. pills / composites
• Industry 4.0 - smart manufacturing
• Widget monitoring and in life service
• Aero – Wireless systems / high temp./high pressure
231. Connected Device Dev. Centre
Connected Device Development Centre (CDDC)
• Open to SME’s & HEI’s to develop proof of concept
• Industrial investment required
• Access to full range of hardware, comms and software building blocks to prove concepts
• Full stack development for prototype creation and benchmarking purposes
• Full time engineering support from dedicated CDDC engineers
• Access to product and service training material from various vendors supporting the centre
Diagram text: HEI, CENSIS, INDUSTRY, CDDC
236. Experience
• A true rapid prototyping experience
• Significantly reduced time to demonstration
• End to end IoT application that we know can scale
• Improves operating and energy efficiency in the office
https://ibm.biz/BdXNj5
241. www.silentherdsman
About Alan Faichney
• 37 years in software & technology
• Founder & CTO of Concept Systems 1983 - 2007
• Start-up & turnaround management
• DEM Solutions, Rapid Quality Software, Edinburgh Instruments, Rock Solid Images, Adrok, Ion Geophysical
• NXD, then interim CEO of Silent Herdsman, now CTO
• Currently also Chairman of Arrayjet & Pufferfish, co-owner of The Pantry
243. About dairy Cows
• 1 billion cows
• 380 billion l/year
• Dairy is a very high tech industry
It uses robotics, genetics, genomics… and software to get cows pregnant!
244. cows…
• … only produce milk when breeding, & for less than a year after calving
• … are only fertile (in œstrus) once a month
• failing to get a cow pregnant will lose 1 month’s production
• a UK cow produces ~8000 l of milk per lactation (per year) @ 25p / L
• 1 year’s production = £2,000, 1 month’s lost production = £167 / cow
• Noticing œstrus is easy… for very small herds
• Herd sizes > 1000 can be managed by 2 or 3 people…
• … But you need a system to manage pregnancy for < £100 / cow…
247. Activity monitoring
• 3-axis head mounted accelerometer, built-in processor, ZigBee comms
• 1 Hz enough to identify “Bulling”
• 10 Hz allows discrimination of many more activities, like eating, limping
• Long term SRUC research to characterise activity signals
249. PC Housing
• PC with Touch sensitive screen
• IP67 Dirt resistant & hoseable
• or on regular PC (in farmhouse)
• & on any browser…
253. From Science to Commerce
• Company spun out of Strathclyde University in 2007
• Founded on £5m of SRUC / ITI research
• Significant expertise in
– wireless communications, signal processing, electronics, cows!
• However, the new company had no expertise in
– Sales. Distributors. Pricing. International. Marketing. Manufacturing. Design for manufacture. Quality systems. Customer
255. 2007 - 2010 The Early Years
Sales✓. Distributors✓. Pricing. International. Marketing. Manufacturing✓. Design for manufacture. Quality systems. Customer support. Product development✓. Product Roadmaps. PR. HR. IP✓. HSE. Competition. Investors.
256. First sales. First customers. First problems.
Sales✓. Distributors✓. Pricing. International. Marketing. Manufacturing✓. Design for manufacture. Quality systems. Customer support. Product development✓. Product Roadmaps. PR. HR. IP✓. HSE. Competition. Investors.
“If it wasn’t for staff, suppliers & customers, running a company would be easy”
- Anonymous CEO.
“Never buy version 1.0”
- Anonymous pundit.
257. First sales. First customers. First problems.
Sales✓. Distributors✓. Pricing. International. Marketing. Manufacturing✓. Design for manufacture✗. Quality systems✗. Customer Support✗. Product development✓. Product Roadmaps. PR. HR. IP✓. HSE. Competition. Investors.
“If it wasn’t for staff, suppliers & customers, running a company would be easy”
- Anonymous CEO.
“Never buy version 1.0”
- Anonymous pundit.
“Why doesn’t this work?”
- Anonymous customer.
258. First sales. First customers. First problems.
• Version 1 had worked very well on trial farms, when every collar had been lovingly hand built. But making thousands was a different matter.
• The design of the electronics was sound. The design of the quality system was not, and neither was the robustness of the mechanicals.
• 50% of V1 collars either never worked, or broke in the field. All had to be replaced
Now, that figure is 0.05%
259. 2010 - 2013 The Grind
• We learned the hard way on quality
– …but it hit our margins
• We secured a major distributor in Germany
– …but we met price competition from inferior systems
• We had a team
– …jammed into a one room incubator in Duke Street
• We had a dream
– …but we needed funding to build the Cloud
260. Valuation
• Hardware manufacturer – 1x to 2x revenues
• Perpetual licence software – 2x to 3x revenues (5x in financial or security)
• SAAS consumer – 3x to 4x revenues
• SAAS Enterprise – 5x to 10x revenues
[Bar chart: revenue multiples for Hardware, Software and SAAS; y-axis 0 to 12.5]
261. October 2013
• For three years, still struggling with sales and quality, we built our vision…
– “Data providing actionable events to improve farm profitability, animal health, milk yield, fertility & reduce labour costs, using Big Data, IoT and the Cloud to drive digital marketing & differentiated services”
• … and pitched it countless times. Eventually, we raised £3m
– Scottish Equity Partners, Albion Ventures, Scottish Investment Bank
• As well as money, investors bring much else…
– Professional management. Advisors. NXDS.
262. New challenges - I - HR
• The company trebled in headcount
• Three new senior executives
• Three new functions
• Three small teams become large teams
• Structure becomes an issue
• The founders have to
263. New challenges - II - Competition
• Whilst we built our cloud system, our competitors were busy, too
– upgraded their systems. Added new features.
– Dropped prices. Poached our German distributor. Consolidated the USA
• By the time our Cloud system was ready in mid 2014, we were “behind”
• Competitors had redefined the minimum offering to include animal Health
264. Conclusion - where we are now
• 50,000 collars, on 300 farms, ranging from 50 to 1,700 head, in UK, EU, USA
• Successful 2nd round funding (total £4m)
• Built first rate engineering team, & re-established technical lead
• Built Product pipeline / roadmap
• TWO patents granted, another in process
• World-class branding
• Really nice premises
• Recruited World-class CEO & Chairman
• Successful transition from hardware company to SAAS company
267. Potted history
• 2006 ITI Scotland, Strathclyde Uni & SRUC invest £5m in developing technology
• 2007 Company incorporated, Spun out from Strathclyde
• 2009 Exclusive licence to ITI technology. Outsource manufacturing.
• 2010 UK Distribution agreement with National Milk Records, 1st sales
• 2011 EU Distribution agreement with Semex Germany
• 2012 Raising funding…. a virtual team working for nothing!
• 2013 £3m funding from SEP, SIB & Albion Ventures. Premises & professional Board
• 2014 Rebranding, Hiring, cloud development & launch, 1st US farm (1,700 cows),
• 2015 Health ALERT SaaS product launch, new CEO, push into USA
268. Lead Investor - Scottish Equity Partners
• probably now the largest UK indigenous Growth Investor.
• 150 investments over 20 years. 35 current companies.
• 6 partners & 35 staff in Glasgow, Edinburgh & London.
• Multiple “Unicorn” outcomes ($1bn) from start-up. CSR Plc, Biovex, Skyscanner…
• Core focus is growth companies £5m to £20m equity with min £5m of revenues.
• selective <£2m Venture Deals, if capital efficient & high upside.
• raised over $1b of capital from investors
• “We love to do deals in Scotland!” Skyscanner, Orbital Software, Voxar, Indigo Vision, Wolfson, Craneware, Atlantech Technologies etc…
269. Innovate, Expand, Deliver
Manny Rivelo
EVP, Strategic Solutions
IoT is easy. Security, privacy and scale of IoT are the real challenges
Michael Brown – F5 Networks
Systems Engineering Manager, UK Channel and Territory
321. Seric Logo Slide
Securing the Internet of Things (IoT)
Stuart Macdonald - MANAGING DIRECTOR
SEPTEMBER 30TH 2015 - DYNAMIC EARTH, EDINBURGH
#SERICCANHELP
#IOTSCOTLAND
323. Team Accolades
Seric teams and individuals have won a number of awards from vendors and external organisations
TECHNICAL
• IBM (Global Technical Excellence)
• Microsoft (HPC Club Winners)
• BCS (Consultant of the Year Silver Medal)
• IBM (BP of the Year)
• NetApp (Outstanding Achievement for UK&I)
MANAGEMENT
• IoD Director of the Year (West of Scotland)
• IoD Young Director of the Year (UK – Highly Commended Runner Up)
• Prince’s Trust (Growth Mentor of the Year)
• E&Y Entrepreneur of the Year (Scottish Finalist)
ETHICAL/CSR
• Youth Business International (Global Ambassador of the Year)
• Prince’s Trust Scotland (Volunteer of the Year)
• IBM (Global Award for Citizenship - Volunteering)
• Inspiring Cities Awards (Commended for Best CSR, Winner for Youth Development)
324. Ethical Stance
• FIVE % of our Profits
• FIVE days of our Time
• #DigitalParticipation
• #SericCanHelp
• #HowSericHelp
• #SmartSTEMs
328. Seric Overview
Seric’s main focus is to deliver Security and Anti-Fraud Solutions underpinned by robust resilient Infrastructure, sound Governance and Data Management
Seric deliver Product and Project Services and for much of their portfolio provide fully managed Service & Support Offerings
Seric are working across the UK & Europe to assist organisations in Public Sector, Oil & Gas, Manufacturing, Retail and the Financial Services Sector
329. Areas of Expertise
• Data Loss Prevention
• Anti-Fraud Technology
• Data Management
• Encryption-as-a-Service
• Integrated Systems
• Secure Storage
• Fraud Case Management
• Insider Threat Detection
• Intrusion Prevention/Detection Systems
• Governance Risk & Compliance
• Web Application Security
• Mobile Application Security
• Enterprise Single Sign On
• Information Governance
331. Cyber Essentials - Basics
Cyber Essentials
• 34 Questions/Controls
• Work with a qualified consultant to get ready and apply
• Certifying body will check application and award certification
Cyber Essentials Plus
• As above but also includes yearly external audit
338. IoT – some little thunkettes
• Opportunity
• Risk
• Background/Landscape
• Practical Steps
339. Opportunity
Use new fangled IoT thing to…
• Increase Sales
• Cut Costs
• Improve Efficiency
• Raise Profile / Get Famous
• Differentiate ourselves
• Save the World / Do Everything
341. A simple man will now attempt to have a video play in full screen.
Try to be patient.
342. A man will now attempt to have a video play in full screen.
Try to be patient.
343. Risks
Use new fangled IoT thing to
• Lose YOUR data
• Learn about Unintended Consequences
• Lose your CUSTOMERS’ data
• Get Amazing Press Coverage (about your mistake)
• Lose a fortune
• Get Fired
• Panic about IoT / Blame Ashley Madison
344. Those who do not learn from history are condemned to repeat it
Personal Computers → Mobile Devices
345. Those who have not yet learned from history are condemned to repeat it
IoT ICS (Industrial
346. Evolving Risk Landscape – TCP/IP Enabled
Devices Migrating to TCP/IP networks
– Move from Wired to Wireless
– Many rely typically upon “wrapped” protocols
– Analog control and reporting protocols embedded in digital protocols
– Encryption and command integrity limitations
– Poor selection of TCP/IP protocols
Problems with patching embedded operating systems
– Controllers typically running outdated OS’s
– Controllers unable to support security CPU loading
– Security patches and updates not applied
– Difficulty patching the controllers
– Unacceptable downtime
347. Evolving Risk Landscape – Bridged Networks
Softest targets appear to be the control centers
– Greatest use of “PC” systems
– Frequent external connectivity
– Entry-point to critical plant systems
– Vulnerable to insecure remote access ports (dial-up)
Bridging control centers and the plant operational framework
– Network connectivity for ease of operational control
– Vulnerable to malware - proxy remote attacks
348. Evolving Risk Landscape – Networked Device Proliferation
Replacement SKU parts include new “free features”
– Additional features may be “on” by default
– OR, may be turned on by engineers
Switch from analog to digital controls
Incorporation of network standards
– TCP/IP communications
– Wireless communications
Diagram text: from analog to digital (+ networked); wireless integration
349. Evolving Risk Landscape – Wireless RF/ WiFi Attacks
A 14.6 dBi Yagi antenna that can make a WiFi connection from miles away
Increased use of wireless technologies
Large security research focus
– Common topic/stream at hacking conferences
Packet Radio Software
– New tools and software to attack & eavesdrop on any RF transmission
– Community-based sharing of findings
Tools and guides on long-range interception of wireless technologies
350. Evolving Risk Landscape
1. Systems designed 20 years ago when isolation was assumed
2. IoT often not built for Enterprise
=> Changes in corporate infrastructure and device capability bolt-ons have enabled an entire array of new attack vectors
Diagram text – zones: Control/Office Infrastructure, Control Bridge, Plant Infrastructure. Attack vectors shown: Direct Internet Attacks, Wireless (WiFi) Attacks, Wireless RF Attacks, Vulnerable Networked Services, Malware Infected Hosts, VPN Attacks, Portable Media Attacks, Guessed / Stolen Credentials, Embedded Command Attacks, Device Contamination, Telephony / Modem Attacks, External Indirect Malware Infections
So here is a cynical and overarching view...
IoT v1.0 – Rebaked for IP Connectivity
IoT v2.0 – Ground up with little/no Enterprise awareness
IoT v3.0 – ??
So what does all that mean?
351. A Fresh Approach …
...requires specialized knowledge and skill in IoT and in general adopts the following practices:
• Leverage security techniques from the IT domain where appropriate and effective
• Segregate networks to provide better logical isolation of devices unable to support host-based security solutions
• Increase the amount of network-based monitoring in strategic locations such that network sensors will be much better positioned to detect malicious or anomalous behavior
• Monitor protocols as well as traffic (i.e. MODBUS, ...)
• Reduce the number of POPs to only a tightly controlled few (e.g. Network, WiFi, and telephony / modem)
• Increase logging and correlate into corporate security information and event monitoring systems (attacks into the process control domain are typically preceded or accompanied by attacks into the corporate networks)
• Implement a governance structure that clearly assigns responsibilities
• Impose strict control over configuration, new system introduction and vendor access
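"Monitor protocols as well as traffic" and "increase logging and correlate into corporate SIEM" are the two practices above that a network sensor actually implements. The block below is an added example written for this page, not Seric's tooling or any product's code: it parses the MBAP header and function code of Modbus/TCP request frames, treats write function codes as higher-risk than reads, and emits a SIEM-style key/value event, flagging any write that does not originate from an approved engineering host. The frames, addresses and the approved-writer list are constructed assumptions; the Modbus framing and function codes follow the public Modbus specification.

```python
"""Protocol-aware Modbus/TCP monitoring for a network sensor.
Added example, not from the original slides. Frames and hosts are constructed."""
import struct
from dataclasses import dataclass

# Public Modbus function codes. Writes change plant state, so they warrant
# tighter source control than reads.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Hypothetical allow-list of hosts permitted to issue writes (assumption).
APPROVED_WRITERS = {"10.10.1.5"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    address: int


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the start of the PDU.

    Layout (big-endian): transaction id (2), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1), function (1), address (2)."""
    if len(payload) < 10:
        raise ValueError("frame too short for a Modbus/TCP request")
    _tid, proto, length, unit, func, addr = struct.unpack(">HHHBBH", payload[:10])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:
        # a length field that disagrees with the frame is itself worth logging
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, unit, func, addr)


def assess(req: ModbusRequest) -> dict:
    """Turn a parsed request into a SIEM-ready event with a severity label."""
    name = FUNCTION_NAMES.get(req.function, f"Unknown/0x{req.function:02x}")
    if req.function in WRITE_FUNCTIONS and req.src not in APPROVED_WRITERS:
        severity, reason = "high", "write from non-approved host"
    elif req.function not in FUNCTION_NAMES:
        severity, reason = "medium", "unrecognised function code"
    else:
        severity, reason = "info", "expected traffic"
    return {"src": req.src, "dst": req.dst, "unit": req.unit_id,
            "function": name, "address": req.address,
            "severity": severity, "reason": reason}


# Constructed sample frames (not real captures): MBAP header + PDU, big-endian.
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from address 0: benign
    ("10.10.1.20", "10.10.2.7", bytes.fromhex("000100000006" "01" "03" "0000" "000a")),
    # approved engineering station writes one register: info only
    ("10.10.1.5", "10.10.2.7", bytes.fromhex("000200000006" "01" "06" "0010" "00ff")),
    # office workstation writes a coil: should be flagged
    ("10.20.3.44", "10.10.2.7", bytes.fromhex("000300000006" "01" "05" "0001" "ff00")),
]


def monitor(frames=SAMPLE_FRAMES) -> list:
    """Run every frame through the parser and classifier; malformed frames
    become medium-severity events rather than being dropped silently."""
    events = []
    for src, dst, payload in frames:
        try:
            events.append(assess(parse_modbus_tcp(src, dst, payload)))
        except ValueError as exc:
            events.append({"src": src, "dst": dst, "severity": "medium",
                           "reason": f"malformed frame: {exc}"})
    return events


if __name__ == "__main__":
    for event in monitor():
        print(" ".join(f'{key}="{value}"' for key, value in event.items()))
```

The key/value line format is what a SIEM can parse without a custom connector, and carrying the source host on every event is what makes the correlation in the bullet above possible: a "high" write event from an office-segment address can be joined against corporate logs for that same host.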
352. Mind the Gap
Seric work with methodologies that are based on internationally accepted security frameworks designed to meet industry requirements, regulatory requirements and risk-based criteria.
Over the course of these engagements, we have learned no single industry framework or security standard addresses the full scope of the problem.
The ISO/IEC 27000 family and NIST SP 800-53 are:
– IT-centric and cover multiple domains for people, process and technology for Information Systems
– Do not support specific industry requirements and constraints dealing with limited computation power, storage, environmental variances, and networking capability
Industry standards such as IEC 62351, IEC 62443 and NERC-CIP:
– Provide specific technical recommendations and requirements for industry controls and protection/safety systems based on very specific operational constraints
– Do not support the people and process requirements of an information security management system (ISMS) as defined by ISO/IEC 27000 and NIST.
353. Top 20 Critical Security Controls - v5
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
354. IoT Security - Practical Steps
• Look at your Defined Opportunities
• Get Started on the Security front
• First Principles … & SANS!
• In-house and/or External Support
• Quantify your risk
• Understand your risk posture
• Remember it is a journey
• Oh and Seric Can Help!