Ethical issues in internet of things
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Semelhante a IoT and the industrial Internet of Things - june 20 2019 (20)
Mais de John D. Johnson (13)
Mais recentes (20)
IoT and the industrial Internet of Things - june 20 2019
- 1. IoT and the Industrial Internet of Things Security, Privacy & Safety in a World of Connected Devices John D. Johnson, CISSP, CRISC, SMIEEE June 20, 2019 • Chicago, IL Source: shutterstock.com
- 2. Disclaimer: • This presentation represents my own views and not that of past, present or future employers • Thank you for getting up early! • I hope to be more interactive with the audience, because I don’t want you bored • Sometimes I am the only one in the room who thinks my jokes are funny • Please feel free to ask questions anytime
- 3. Introduction to the Internet of Things (IoT)
- 4. The first “selfie” taken in 1920 Pre-Internet Things
- 5. What we think of when we hear IoT “This past summer my wife and I…decided it was time to update our kitchen…and laundry appliances.…A quick online search showed us internet-connected…smart models were available.…Now our refrigerator shows us our family calendar…and sends us our grocery list.…Our dryer begins its work and tells us when it's done…and how much energy it's used on the load.…All of these appliances, including our thermostat,…garage doors, home lighting, television,…and door locks send information about our home to us…no matter where we are.…”
- 6. History of IoT Summary • The Internet of Things definition: “Sensors and actuators embedded in physical objects are linked through wired and wireless networks” • There are a number of similar concepts but Internet of Things is by far the most popular term to describe this phenomenon • M2M or the Industrial Internet are not opposing concepts to the Internet of Things. Rather, they are sub-segments.
- 7. Let’s Define “IoT” • Internet of Things • Consumer IoT (IoT) • All of our consumer “things” – smart devices and sensors connected and communicating over the Internet. • Industrial IoT (IIoT) • The Industrial Internet of Things, or IIoT, connects machines and devices in industries such as transportation, power generation, and healthcare. • Embedded Systems • An embedded system is a programmed controlling and operating system with a dedicated function within a larger mechanical or electrical system, often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts. • Industrial Control Systems (ICS) • Industrial Control System. Industrial control system (ICS) is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. • Supervisory Control and Data Acquisition (SCADA) • Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to: Control industrial processes locally or at remote locations. Monitor, gather, and process real-time data.
- 8. 80 Billion
- 9. IoT Architecture
- 10. THE EDGE THE CONNECTION THE ANALYTICS Fog Computing Cloud Computing
- 11. IoT Applications
- 12. Smart & Autonomous Vehicles
- 13. Military Applications
- 14. Industrial IoT
- 15. Industrial IoT (IIoT) The Industrial IoT Consortium lists these 15 possible uses of IIoT: 1. Smart factory warehousing applications 2. Predictive and remote maintenance. 3. Freight, goods and transportation monitoring. 4. Connected logistics. 5. Smart metering and smart grid. 6. Smart city applications. 7. Smart farming and livestock monitoring. 8. Industrial security systems 9. Energy consumption optimization 10.Industrial heating, ventilation and air conditioning 11.Manufacturing equipment monitoring. 12.Asset tracking and smart logistics. 13.Ozone, gas and temperature monitoring in industrial environments. 14.Safety and health (conditions) monitoring of workers. 15.Asset performance management It is about adding value: Harley Davidson reduced its built-to-order cycle by a factor of 36 and grew overall profitability by 3-4% by shifting to full IoT enabled plant
- 16. Internet of Things vs. Industrial IoT
- 17. Size and market impact of the Industrial Internet of Things – source: Morgan Stanley, IndustryARC, Accenture and Research and Markets.
- 18. Emerging Technologies Converge and Enable IoT
- 19. 5G Enables IoT • 100x faster than 4G • 1/50 the latency of 4G • Much more scalable: 100x more devices than there are people • Good for time sensitive applications (e.g. factory robotics, robotic surgery) • How do you get billions of devices to talk to each other? • Security & Privacy are key • Connected assets can be used to extract productivity
- 20. Big Data and IoT Sensors on GE jet engines can produce 10 terabytes of operational information for every 30 minutes they turn. A four engine jumbo jet can create 640 terabytes of data on just one Atlantic crossing. Now multiply that by the many flights flown each day…
- 21. Fog (Edge) Computing Enables IoT
- 22. AI and Machine Learning Enable IoT
- 23. ‘A Cambrian Explosion that will disrupt virtually all sectors.’ Speech to text translation rates are now > 95% accurate.
- 24. Blockchain (Distributed Ledger) Adds Integrity to IoT and Security to M2M Communications
- 25. • Amazon, Google, Microsoft and other industry leaders will enable standardized platforms that allow EVERYTHING to be connected to the Internet • The Alexa Connection Kit will allow many devices to be connected to the Internet by writing a few lines of code • The future IoT will be ubiquitous and pervasive, low-power and small as a grain of sand
- 26. iPhone Sensors • Proximity Sensor • Light Sensor • Camera • Gyroscope • Accelerometer • Moisture Sensor • GPS • Compass • Barometer • Touch ID • Face ID Source: Apple
- 27. The Increasing Attack Surface
- 28. “The difference between a good and bad Internet of Things depends on society’s ability to construct effective IoT governance models… the formation of principles as a means to unify the multiple bodies and organizations involved in the IoT governance ecosystem.” - Vint Cerf F. Berman and V.G. Cerf, “Social and Ethical Behavior in the Internet of Things,” Comm. ACM, vol. 60 no. 2, 2017, pp. 6-7
- 29. The first “selfie” taken in 1920 Source: joyoftech.com
- 30. The Future Human Impact of Smart & Autonomous Vehicles The Rodney Brooks Rules for Predicting a Technology’s Commercial Success. (2018, October 25). Retrieved from https://spectrum.ieee.org/at-work/innovation/the-rodney-brooks-rules- for-predicting-a-technologys-commercial-success All Illustrations by Chris Philpot
- 31. Framing risk & challenges for consumers • Security, privacy & safety are top concerns • Poor or non-existent security built into devices • Consumers don’t segment or create hardened home network • Devices travel with family and connect to insecure access points • Devices are not often updated – too complex if at all • Default credentials are often hard coded • Monitoring your children sounds like a great use case, until you realize that data is out there and being collected and vulnerable to attack • When we monitor and manage everything around us, we are set up for failure when our critical infrastructure is attacked or made unavailable
- 32. Click Here to Kill Everybody The bottom line is the more that all of our things are connected together, and the more we rely on them, the more vulnerable we are to having disastrous disruptions to our business processes, personal lives, and to society as a whole.
- 33. Securing Industrial IoT
- 34. Global ICS Risks • At least 84% of sites have at least one remotely accessible device • 40% of industrial sites have at least one direct connection to the Internet • 53% of industrial sites have outdated Windows like systems like XP • 69% have plain text passwords traversing the network (FTP, SNMP…) • 57% of sites are still not running anti-virus protection with automatic updates Source: www.cyberx-labs.com
- 35. Many OT Protocols
- 36. A bad day at an Iranian power plant.
- 37. Adversaries & Attacks • The ability for criminals to weaponize IoT was highlighted in 2016 when Mirai botnet used hundreds of thousands of cameras, routers and digital video recorders to overwhelm a key Internet server • This DDoS attack shut down websites of large companies for several hours • Today 40% of home appliances globally are being used for botnet attacks (Gartner) • Engineers often think about functionality and not how to use technology for unintended purposes (what would the bad guys do?) • A home thermostat may help you conserve energy • A home thermostat may tell criminals when you are home and when you are away
- 38. Threat Modeling Target •Data (DAR, DIM, DIU) •Code/Software •Services •Databases •Operating Systems •Networks/Infrastructure •Platforms/Hardware/Firmware Threat Vector •Copy, Exfiltrate •Modify, Corrupt •Destroy, Denial of Service Threat Source •Insider •Hacktivists •Motivated Hobbyist •Corporate Espionage •Cybercriminals •Nation State Requirements • Level of knowledge required • Ability, Expertise • Proximity required • Access required • Resources required • Time required Motivations • Money • Ideology • Coercion • Ego Risk can be mitigated; the threat landscape remains unchanged. Threat Intel • Industry Peer Groups; ISACs • Threat Intel Feeds • Private/Public Partnerships
- 39. Source: SANS ICS Program
- 40. Source: SANS ICS Program
- 41. Source: SANS ICS Program
- 42. Latest CIS Implementation Guide for ICS: http://bit.ly/2IrJd6t
- 43. Latest CIS Implementation Guide for ICS: http://bit.ly/2IrJd6t
- 44. Mapping ICS Cyber Coverage to Standards NIST CSF Categories
- 45. Industrial IoT Cybersecurity Program Threat Detection/Intelligence • Threat intelligence • Detect known threats • Anomaly detection • IDS/IPS Endpoint and Vulnerability Management • Endpoint secure baseline configuration • Anti-virus • Security management • Vulnerability and Patch Management • Secure remote access • Password management • Secure policies and procedures • Secure removable media • NAC Network Segmentation • Network policies and VPN • IP segmentation • Microsegmentation/SDA • Firewall / OT gateway Incident Management • SIEM / Incident Response / Orchestration • Forensics • Security Operations Center • Analytics & reporting • Playbooks Visibility • Discover assets • Inventory assets • Inventory software • Profile assets • Passive network monitoring • Active network monitoring Business, IT, OT Governance • Executive buy-In & Business/Stakeholder alignment • Prioritized strategy tied to standards • Program management • Governance / metrics • Training • Risk assessment • Threat modeling Data Integrity • Ensure secure communications • Access point discovery • Certificate management • Validate transport paths • Logging Identity Management • Identity Access Management (IAM) • Privileged Access Management (PAM) • Multi-Factor Authentication (MFA) MSSP? Continuous Improvement IT / OT Convergence Architecture Detect Faster Respond Better Get Started in Parallel • Integration • Scaling • Single pane of glass
- 46. OT Security Vendors Consider finding a partner on your journey!
- 47. john@johndjohnson.com @johndjohnson
- 48. Videos 1. Future Son | Progressive Insurance – https://www.youtube.com/watch?v=NLTKvGgTb10 2. “The Smart Cities Of Tomorrow Are Already Here | Mach | NBC News”, https://www.youtube.com/watch?v=THiQtn9hVB8 3. “Agriculture: How Internet of Things (IoT) is changing the game”, https://www.youtube.com/watch?v=Rxulo78gyGc 4. “The Vision of IoT – Intel”, 2016, https://www.youtube.com/watch?v=rnDey89wp_M 5. “The Future of Industrial IoT”, 2018, https://www.youtube.com/watch?v=NYRSw0UeqHY 6. “Private LTE Networks for the Industrial IoT — Use Cases“, https://www.youtube.com/watch?v=U82tIdvrlEA 7. (extra) “How It Works: Internet of Things”, https://www.youtube.com/watch?v=QSIPNhOiMoE
- 49. Regulations: Good, Bad & Ugly • California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. • Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess. • The bill has been praised as a good first step by some and criticized by others for its vagueness. Cybersecurity expert Robert Graham has been one of its harshest critics. He’s argued that it gets security issues backwards by focusing on adding “good” features instead of removing bad ones that open devices up to attacks. He praised the password requirement, but said it doesn’t cover the whole range of authentication systems that “may or may not be called passwords,” which could still let manufacturers leave the kind of security holes that allowed the devastating Mirai botnet to spread in 2016. • But others, including Harvard University fellow Bruce Schneier, have said that it’s a good start. “It probably doesn’t go far enough — but that’s no reason not to pass it,” he told The Washington Post. While the rule is only state-wide, any device-makers who sell products in California would pass the benefits on to customers elsewhere.
