Opening presentation from a Blockchain/IoT event in London on 1st June 2016

1. 1
the need for
security in IoT
Simon Harrison RWE

2. 2
bout
About Me
I a m t h e e n e m y p a r t o f t h e p r o b l e m
s e r i a l c o r p o r a t e i n n o v a t o r
t e c h n i c a l l y l i t e r a t e , b u t n o t a n e n g i n e e r
I oT e v a n g e l i s t ( i n r e c o v e r y )
B l o c k c h a i n n o v i t i a t e
i d e a s g u y - r i s k i s s o m e o n e e l s e ’ s p r o b l e m

3. 3
A b o u t
RWE
2 3 m i l l i o n e n e r g y c u s t o m e r s
6 0 , 0 0 0 e m p l o y e e s
Headquarters in Germany, significant presence in UK
and the Netherlands, and across Europe
Our expertise is in energy generation, distribution and
retail - but we know that the energy markets are being
fundamentally changed by technology, and a group of us
are working to find opportunities for the future of RWE
B l o c k c h a i n E n t h u s i a s t s
You may have met Carsten, if you haven't then you will
soon. We are moving as fast as we can to explore
options around Blockchain and Ethereum

4. 4
1 9 9 9 : I o T N a m e d
2 0 0 0 : F i r s t S m a r t
F r i d g e
1 9 9 0 C o n n e c t e d
T o a s t e r D e m o
For whatever reason - fridges are a popular use case for
IoT - they must be a useful universal reference point
RFID was the first proposed application for things that
could connect - in a variety of domains
I oT a s a n e p i d e m i c
timeline
ZerotoBillions
Who or what was patient zero? Do we go back to 1832 and the invention of the
electromagnetic telegraph? Morse code? Turing?
Probably the root cause for the Internet of Things was the creation of the Internet,
usually attributed to Tim Berners-Lee in 1989
Within a year of the internet being created, and before
the first web page, there was a connected toaster. Lots
of ‘crazy’ experiments followed - Coke machines, water
fountains etc. all involving some kind of connection

5. 5
2 0 0 0 - 2 0 1 0 : T h e
S t a n d a r d s W a r s
2 0 0 0 - 2 0 1 0 : T h e
M a r k e t s E x p a n d
2 0 0 9 : I o T i s B o r n
Rather than wait to be told that the standards were
ready - the domains just went ahead and built
connected stuff. No one knew they were building out
the Internet of Things
As you might expect, coming from dozens of different
domains, there have been millions of hours logged in
committee trying to agree on standards across the OSI
layers - this work continues
Cisco identifies that more things than people were
connected to the internet - by 2010 there were 1.84
connected devices per person 2 0 1 1 - I P v 6
Very important to allow many many things to be
connected to the internet

6. 6
2 0 1 0 + : R e a l i s a t i o n
N o w : G r o w t h
2 0 2 0 ? : U b i q u i t y
Public awareness grows - through smart phones, or
smart thermostats or smart TVs, people seem to like the
services the IoT enables - Netflix, Home Automation,
Weatables - and trust that it is all OK
Once enterprise began to grasp the concept of
connected things, they realised that their ATMs,
Streetlights, Smart Meters , Trains etc. were part of the
Internet of Things
Predictions vary, but there will be many billions of
connected devices doing many different things for
individuals, businesses and each other

7. 7
R e t r o f i t t i n g s e c u r i t y t o a d e s i g n f o r 5 0 m e n d p o i n t s
A personal story
A n u n s o l v a b l e p r o b l e m
in 2006, I created the first specifications for
the UK gas and electricity smart meters. It
took three years to get to an agreed industry
design and the start of a Government
programme. And then we met the security
experts…..
CriticalInfrastructure

8. 8
C r e a t i n g a P e r f e c t S t o r m
let’s connect
everything
It seems that the rush to interoperability and
interconnection of all systems for the greater
human good is accelerating by the week.
For every nonsensical IoT device, there will be
dozens of practical, efficient and profitable use
cases that connect sensors and actuators.
And in the rush to make things simple and
beautiful and useful, how loud is the voice of
the data security engineer?
Customers are concerned, but not enough to
use 2 factor authentication or passwords that
aren’t “123456” - and…
CUSTOMERS ARE NEVER WRONG

9. 9
what is at risk?
NESCORModel
Unauthorised access to information - about you, about your home or car,
about your habits. When are you home, what do you listen to, what do
you watch, what do you weigh, when do you sleep - feel violated yet?
C O N F I D E N T I A L I T Y
Modification (or Theft) of information - someone pretending to be you, or
someone else - intercepting information and potentially changing it for
any variety of reasons. Nanny Cam hackers are pretty low on the
spectrum of human integrity, but this is what they exploit
I N T E G R I T Y
Typically denial of service. Frustrating if it is Netflix or your thermostat,
pretty devastating if it is part of a self driving autonomous vehicle. Also
includes things like viruses and other malware - an IoT gateway could be
the achilles heel for data security
A V A I L A B I L I T Y
Mainly for accountability - a way of removing evidence that something
did or did not happen. No need to break in to wipe the security camera
tapes anymore if you can just switch them off
N O N - R E P U D I A T I O N

10. 10
who are the actors?TheBadGuys
The IoT is a global playground - and criminals are incredible innovators.
They will find a weak point in every design and exploit it ruthlessly for
financial gain or power. Ransomware for smart locks?
C R I M I N A L S
People with the means but possibly not much of a motive apart from
causing havoc for their own amusement or the applause of their peer
group.
M I S C H I E F
The ultimate scare story - is this foreign government activity, or worse?
Might not be interested in your Sonos, but could be interested in a
network of substations or geolocation tags on critical infrastructure
vehicles
T E R R O R I S T S
Ex-employees, spurned lovers, the generally unhappy. Looking for revenge
or to cause pain or embarrassment - might not need to be a hacker if
their passwords still work for the alarm or cameras.
D I S C O N T E N T E D

11. 11
IoT domain ubiquity
THREATVECTORS
C o n n e c t e d H o m e
C o n n e c t e d H e a l t h
S m a r t C i t i e s
F i n a n c e
T r a n s p o r t S y s t e m s
I n f r a s t r u c t u r e
What would be the problem if those risks were exploited by those actors?
CONFIDENTIALITY, AVAILABILITY, INTEGRITY, NON-REPUDIATION
CRIMINALS, MISCHIEF, TERRORISTS, DISCONTENTED

12. 12
not just data securityTheinternetofTHINGS
More criminals, many exceptionally talented can create fake goods that
are indistinguishable from the real thing, but fake nonetheless. That’s bad
but not scary if it’s a Mulberry bag - very much more worrying if it is Olive
Oil, Manuka Honey or Baby Formula
C O U N T E R F E I T I N G
Despite the growth in Solar taking place during the realisation of the
internet of things, very few of them are connected devices - utilities don’t
think like that, and yet they are out there
R E N E W A B L E S
At the moment, a lot of the IoT is concerned with sensing an activity or an
environment - breaches here are worrying enough, but once we start to
add controls to those sensors things can get very worrying
S E N S O R S v s S W I T C H E S
A $10 sensor that monitors critical temperature tolerances for
transporting vaccines? Connects to any phone with bluetooth? Brilliant
solution to a real problem, but also a very tempting target for anyone
looking to steal/disrupt/destabilise
L O G I S T I C S
.

13. 13
asswo
how are
we feeling?
F o r g o t P a s s w o r d ?

14. 14
M Y P E R S O N A L A U D I T
12Person
80+At Home
??City
!Globally

15. 15
we’re not
the crazy
ones
DAILYMAILCLICKBAIT
There is a growing list of very
disturbing scare stories about IoT
security
And we need to make it clear this
isn’t just hackers messing around
with the stuff owned by geeks and
early adopters

16. 16
Project
Nest
Backdoor
Theskyis
falling
Printer of
Doom

17. 17
C o m i n g …
ready or
not?
Have I said this often enough? We are in the process of connecting everything to
everything else.. These are still discrete networks of devices, with just an internet
backbone crossing domains - but
From an estimate of 1 million
computers in 1992, to over 50
billion connected things in 2020
We are halfway up the ramp,
which started in 2009
M E D I U M F O R E C A S T
C U R R E N T L Y A R O U N D 2 0 b n
Individual sectors could explode in the next 4 years -
some estimates run much higher
Entrepreneurial activities differ substantially depending
on the type of Entrepreneurial activities differ
Entrepreneurial activities differ substantially depending
on the type of Entrepreneurial activities differ
5 0 b n b y 2 0 2 0
1992 2020

18. 18
T h e f u t u r e i s n o t w r i t t e n
Truly the Internet of Things
D i s c o n n e c t t h e U s e r s
What is moving faster than IoT? What could
resolve most of the human risk around IoT?
Where is a lot of smart money going?
What could possibly go wrong in letting IoT
devices think for themselves, talk to and learn
about each other and use flawless logic to
make decisions?
Afinalconsideration

19. 19
hanky
thanks
s i m o n . h a r r i s o n @ r w e . c o m
@ r a y g u n s i m o n
w w w . r w e i n n o v a t i o n h u b . c o m