
IoT and the industrial Internet of Things - june 20 2019



  1. IoT and the Industrial Internet of Things: Security, Privacy & Safety in a World of Connected Devices. John D. Johnson, CISSP, CRISC, SMIEEE. June 20, 2019 • Chicago, IL. Source: shutterstock.com
  2. Disclaimer: • This presentation represents my own views and not those of past, present or future employers • Thank you for getting up early! • I hope to be more interactive with the audience, because I don’t want you bored • Sometimes I am the only one in the room who thinks my jokes are funny • Please feel free to ask questions anytime
  3. Introduction to the Internet of Things (IoT)
  4. The first “selfie”, taken in 1920. Pre-Internet Things
  5. What we think of when we hear IoT: “This past summer my wife and I…decided it was time to update our kitchen…and laundry appliances.…A quick online search showed us internet-connected…smart models were available.…Now our refrigerator shows us our family calendar…and sends us our grocery list.…Our dryer begins its work and tells us when it's done…and how much energy it's used on the load.…All of these appliances, including our thermostat,…garage doors, home lighting, television,…and door locks send information about our home to us…no matter where we are.…”
  6. History of IoT Summary • The Internet of Things definition: “Sensors and actuators embedded in physical objects are linked through wired and wireless networks” • There are a number of similar concepts, but Internet of Things is by far the most popular term to describe this phenomenon • M2M and the Industrial Internet are not opposing concepts to the Internet of Things; rather, they are sub-segments of it.
  7. Let’s Define “IoT”
     • Consumer IoT (IoT): all of our consumer “things” – smart devices and sensors connected and communicating over the Internet.
     • Industrial IoT (IIoT): the Industrial Internet of Things connects machines and devices in industries such as transportation, power generation, and healthcare.
     • Embedded Systems: an embedded system is a programmed controlling and operating system with a dedicated function within a larger mechanical or electrical system, often with real-time computing constraints. It is embedded as part of a complete device, often including hardware and mechanical parts.
     • Industrial Control Systems (ICS): a collective term for the different types of control systems and associated instrumentation, including the devices, systems, networks, and controls used to operate and/or automate industrial processes.
     • Supervisory Control and Data Acquisition (SCADA): a system of software and hardware elements that allows industrial organizations to control industrial processes locally or at remote locations, and to monitor, gather, and process real-time data.
  8. 80 Billion connected devices
  9. IoT Architecture
  10. The Edge – The Connection – The Analytics (Fog Computing, Cloud Computing)
  11. IoT Applications
  12. Smart & Autonomous Vehicles
  13. Military Applications
  14. Industrial IoT
  15. Industrial IoT (IIoT). The Industrial IoT Consortium lists these 15 possible uses of IIoT:
      1. Smart factory warehousing applications
      2. Predictive and remote maintenance
      3. Freight, goods and transportation monitoring
      4. Connected logistics
      5. Smart metering and smart grid
      6. Smart city applications
      7. Smart farming and livestock monitoring
      8. Industrial security systems
      9. Energy consumption optimization
      10. Industrial heating, ventilation and air conditioning
      11. Manufacturing equipment monitoring
      12. Asset tracking and smart logistics
      13. Ozone, gas and temperature monitoring in industrial environments
      14. Safety and health (conditions) monitoring of workers
      15. Asset performance management
      It is about adding value: Harley-Davidson reduced its build-to-order cycle by a factor of 36 and grew overall profitability by 3-4% by shifting to a fully IoT-enabled plant.
  16. Internet of Things vs. Industrial IoT
  17. Size and market impact of the Industrial Internet of Things. Source: Morgan Stanley, IndustryARC, Accenture and Research and Markets.
  18. Emerging Technologies Converge and Enable IoT
  19. 5G Enables IoT • 100x faster than 4G • 1/50 the latency of 4G • Much more scalable: 100x more devices than there are people • Good for time-sensitive applications (e.g. factory robotics, robotic surgery) • How do you get billions of devices to talk to each other? • Security & privacy are key • Connected assets can be used to extract productivity
  20. Big Data and IoT. Sensors on GE jet engines can produce 10 terabytes of operational information for every 30 minutes they turn. A four-engine jumbo jet can create 640 terabytes of data on just one Atlantic crossing. Now multiply that by the many flights flown each day…
  21. Fog (Edge) Computing Enables IoT
  22. AI and Machine Learning Enable IoT
  23. ‘A Cambrian Explosion that will disrupt virtually all sectors.’ Speech-to-text recognition is now more than 95% accurate.
  24. Blockchain (Distributed Ledger) Adds Integrity to IoT and Security to M2M Communications
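The integrity property behind slide 24 can be shown without a full distributed ledger. At its core a blockchain is an append-only log in which every record commits to the previous one and is authenticated by its author; the following is an added example (not code from the slides or from any ledger product) that implements exactly that core for sensor readings: a SHA-256 hash chain plus a per-device HMAC, with no consensus layer. The device IDs, keys and readings are constructed for the demo, and the gateway is assumed to hold each device's key.

```python
"""Hash-chained, device-authenticated telemetry log (added example).

Shows the integrity property a ledger gives IoT data: a stored reading that
is edited after the fact fails verification even if every hash is carefully
recomputed, and a reading cannot be forged without the device's key.
Device IDs, keys and readings below are constructed for the demo.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed per-device keys. In a real fleet each device holds its own key
# in a secure element; a single fleet-wide key would let one compromised
# device forge records for all of them.
DEVICE_KEYS: Dict[str, bytes] = {
    "pump-17": bytes(range(32)),
    "valve-03": bytes(range(32, 64)),
}
GENESIS_HASH = "0" * 64
BODY_FIELDS = ("device", "seq", "value", "prev")


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON so hashes and MACs are reproducible across parties."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(rec: dict) -> str:
    """SHA-256 over the record with its own 'hash' field left out."""
    return hashlib.sha256(_canonical({k: v for k, v in rec.items() if k != "hash"})).hexdigest()


def _mac(key: bytes, rec: dict) -> str:
    """Device MAC over the body; 'prev' is covered so a record cannot be moved or replayed."""
    return hmac.new(key, _canonical({k: rec.get(k) for k in BODY_FIELDS}), hashlib.sha256).hexdigest()


def append_reading(chain: List[dict], device_id: str, seq: int, value: float) -> dict:
    """Device side: commit to the current chain head, authenticate, append."""
    rec = {"device": device_id, "seq": seq, "value": value,
           "prev": chain[-1]["hash"] if chain else GENESIS_HASH}
    rec["mac"] = _mac(DEVICE_KEYS[device_id], rec)
    rec["hash"] = _record_hash(rec)
    chain.append(rec)
    return rec


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Gateway side: (True, None) if intact, else (False, index of the first bad record)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        key = DEVICE_KEYS.get(rec.get("device"))
        if key is None or rec.get("prev") != prev_hash:
            return False, i                          # unknown device or broken link
        if not hmac.compare_digest(_mac(key, rec), rec.get("mac", "")):
            return False, i                          # body edited, moved or forged
        if rec.get("hash") != _record_hash(rec):
            return False, i                          # stored hash does not match record
        prev_hash = rec["hash"]
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Three scenarios: intact chain, edited-and-relinked chain, forged append."""
    chain: List[dict] = []
    append_reading(chain, "pump-17", 0, 3.4)
    append_reading(chain, "valve-03", 0, 1.0)
    append_reading(chain, "pump-17", 1, 3.6)
    results = {"intact": verify_chain(chain)}

    # Attacker with write access to the store edits a historical reading and
    # recomputes every hash and link; without the device key the MAC still fails.
    edited = [dict(r) for r in chain]
    edited[1]["value"] = 99.0
    prev = GENESIS_HASH
    for rec in edited:
        rec["prev"] = prev
        rec["hash"] = _record_hash(rec)
        prev = rec["hash"]
    results["edited"] = verify_chain(edited)

    # Attacker appends a plausible-looking record with a made-up MAC.
    forged = [dict(r) for r in chain]
    bogus = {"device": "pump-17", "seq": 2, "value": 0.0,
             "prev": forged[-1]["hash"], "mac": "00" * 32}
    bogus["hash"] = _record_hash(bogus)
    forged.append(bogus)
    results["forged"] = verify_chain(forged)
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name:7} intact={ok} first_bad_record={bad_index}")
```

What the chain alone does not catch is truncation of the tail: the gateway must remember the last head hash it acknowledged and compare on the next batch. Replacing the HMAC with a per-device signature (e.g. ECDSA) lets third parties verify without holding device secrets, which is the step a multi-party ledger adds.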
  25. • Amazon, Google, Microsoft and other industry leaders will enable standardized platforms that allow EVERYTHING to be connected to the Internet • The Alexa Connect Kit will allow many devices to be connected to the Internet by writing a few lines of code • The future IoT will be ubiquitous and pervasive, low-power and as small as a grain of sand
  26. iPhone Sensors • Proximity sensor • Light sensor • Camera • Gyroscope • Accelerometer • Moisture sensor • GPS • Compass • Barometer • Touch ID • Face ID. Source: Apple
  27. The Increasing Attack Surface
  28. “The difference between a good and bad Internet of Things depends on society’s ability to construct effective IoT governance models… the formation of principles as a means to unify the multiple bodies and organizations involved in the IoT governance ecosystem.” - Vint Cerf. F. Berman and V.G. Cerf, “Social and Ethical Behavior in the Internet of Things,” Comm. ACM, vol. 60 no. 2, 2017, pp. 6-7
  29. The first “selfie”, taken in 1920. Source: joyoftech.com
  30. The Future Human Impact of Smart & Autonomous Vehicles. The Rodney Brooks Rules for Predicting a Technology’s Commercial Success. (2018, October 25). Retrieved from https://spectrum.ieee.org/at-work/innovation/the-rodney-brooks-rules-for-predicting-a-technologys-commercial-success. All illustrations by Chris Philpot.
  31. Framing risk & challenges for consumers • Security, privacy & safety are top concerns • Poor or non-existent security built into devices • Consumers do not segment or harden their home networks • Devices travel with the family and connect to insecure access points • Devices are not often updated – too complex, if updated at all • Default credentials are often hard-coded • Monitoring your children sounds like a great use case, until you realize that data is out there, being collected, and vulnerable to attack • When we monitor and manage everything around us, we are set up for failure when our critical infrastructure is attacked or made unavailable
  32. Click Here to Kill Everybody. The bottom line is that the more all of our things are connected together, and the more we rely on them, the more vulnerable we are to disastrous disruptions to our business processes, personal lives, and society as a whole.
  33. Securing Industrial IoT
  34. Global ICS Risks • At least 84% of sites have at least one remotely accessible device • 40% of industrial sites have at least one direct connection to the Internet • 53% of industrial sites run outdated Windows systems such as XP • 69% have plaintext passwords traversing the network (FTP, SNMP…) • 57% of sites are still not running anti-virus protection with automatic updates. Source: www.cyberx-labs.com
  35. Many OT Protocols
  36. A bad day at an Iranian power plant.
  37. Adversaries & Attacks • The ability of criminals to weaponize IoT was highlighted in 2016 when the Mirai botnet used hundreds of thousands of cameras, routers and digital video recorders to overwhelm a key piece of Internet infrastructure, the DNS provider Dyn • This DDoS attack made the websites of many large companies unreachable for several hours • Today 40% of home appliances globally are being used for botnet attacks (Gartner) • Engineers often think about functionality and not about how the technology could be used for unintended purposes (what would the bad guys do?) • A home thermostat may help you conserve energy • A home thermostat may also tell criminals when you are home and when you are away
  38. Threat Modeling
      • Target: data (DAR, DIM, DIU); code/software; services; databases; operating systems; networks/infrastructure; platforms/hardware/firmware
      • Threat vector: copy, exfiltrate; modify, corrupt; destroy, denial of service
      • Threat source: insider; hacktivists; motivated hobbyist; corporate espionage; cybercriminals; nation state
      • Requirements: level of knowledge required; ability, expertise; proximity required; access required; resources required; time required
      • Motivations: money; ideology; coercion; ego
      • Threat intel: industry peer groups, ISACs; threat intel feeds; private/public partnerships
      Risk can be mitigated; the threat landscape remains unchanged.
  39. Source: SANS ICS Program
  40. Source: SANS ICS Program
  41. Source: SANS ICS Program
  42. Latest CIS Implementation Guide for ICS: http://bit.ly/2IrJd6t
  43. Latest CIS Implementation Guide for ICS: http://bit.ly/2IrJd6t
  44. Mapping ICS Cyber Coverage to Standards: NIST CSF Categories
  45. Industrial IoT Cybersecurity Program
      • Business, IT, OT governance: executive buy-in and business/stakeholder alignment; prioritized strategy tied to standards; program management; governance/metrics; training; risk assessment; threat modeling
      • Visibility: discover assets; inventory assets; inventory software; profile assets; passive network monitoring; active network monitoring
      • Network segmentation: network policies and VPN; IP segmentation; microsegmentation/SDA; firewall/OT gateway
      • Identity management: Identity Access Management (IAM); Privileged Access Management (PAM); Multi-Factor Authentication (MFA)
      • Endpoint and vulnerability management: endpoint secure baseline configuration; anti-virus; security management; vulnerability and patch management; secure remote access; password management; secure policies and procedures; secure removable media; NAC
      • Data integrity: ensure secure communications; access point discovery; certificate management; validate transport paths; logging
      • Threat detection/intelligence: threat intelligence; detect known threats; anomaly detection; IDS/IPS
      • Incident management: SIEM/incident response/orchestration; forensics; security operations center; analytics and reporting; playbooks
      • Cross-cutting: IT/OT convergence architecture; continuous improvement; detect faster, respond better; get started in parallel; integration, scaling, single pane of glass; consider an MSSP
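The "Visibility" and "Network segmentation" items above are what turn the CyberX figures on slide 34 (direct Internet connections, remotely reachable devices, plaintext passwords on the wire) into findings a site can act on. The following is an added example, not code from the slides or from any vendor's product: given flow summaries of the kind a passive network tap or NetFlow exporter produces, it builds an asset inventory from the server-side ports observed, then applies a simple zone policy and a cleartext-credential check. The address plan, the jump host, the zone names and every flow record are constructed for the demo; a real deployment would take them from the site's own network design.

```python
"""Passive OT visibility and segmentation checks over constructed flow records (added example).

Input: (src, dst, dst_port, first client payload bytes) per flow, as a passive
sensor would summarise them. Output: an inventory of observed endpoints with
the protocols each was seen serving, plus findings for OT hosts reaching the
Internet, OT hosts reached from other zones other than via the jump host, and
cleartext credential protocols (with FTP credentials pulled off the wire).
"""
import ipaddress
from collections import defaultdict

# Default ports of common OT and IT protocols (standard assignments).
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3",
            44818: "EtherNet/IP", 47808: "BACnet/IP"}
CLEARTEXT_CRED_PORTS = {21: "FTP", 23: "Telnet", 161: "SNMPv1/v2c"}
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed site address plan, most specific first. Anything outside the plan
# is treated as external, which is the safe default for an OT site.
ZONES = [
    ("ot", ipaddress.ip_network("10.20.0.0/16")),
    ("it", ipaddress.ip_network("10.10.0.0/16")),
    ("corp", ipaddress.ip_network("10.0.0.0/8")),
]
# Constructed: the only IT-side host allowed to open sessions into the OT zone.
JUMP_HOST = ipaddress.ip_address("10.10.5.5")

# Constructed flows. 203.0.113.9 is from the RFC 5737 documentation range and
# stands in for a public Internet address.
FLOWS = [
    ("10.10.3.7", "10.20.1.10", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # IT workstation polling a PLC directly
    ("10.10.5.5", "10.20.1.10", 502, b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # same poll, via the jump host
    ("10.20.1.10", "203.0.113.9", 443, b"\x16\x03\x01"),                                    # PLC opening a TLS session to the Internet
    ("10.20.1.20", "10.20.1.30", 21, b"USER admin\r\nPASS admin\r\n"),                   # HMI logging in to an FTP server in clear
    ("10.10.4.2", "10.20.1.20", 3389, b"\x03\x00\x00\x13"),                                 # RDP into the HMI from the IT zone
    ("10.20.1.30", "10.20.1.10", 102, b"\x03\x00\x00\x16"),                                  # S7 traffic inside the OT zone, expected
]


def zone_of(ip: str) -> str:
    """Map an address to a zone of the constructed plan, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "external"


def ftp_credentials(payload: bytes):
    """Return (user, password) seen in an FTP control stream, or None."""
    user = password = None
    for line in payload.decode("ascii", "replace").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS":
            password = arg.strip()
    return (user, password) if user or password else None


def build_inventory(flows):
    """Passive inventory: every endpoint seen, with the protocols it was seen serving."""
    inventory = defaultdict(set)
    for src, dst, port, _ in flows:
        inventory[src]  # record the client side even if it serves nothing
        proto = OT_PORTS.get(port) or CLEARTEXT_CRED_PORTS.get(port) or REMOTE_ACCESS_PORTS.get(port)
        inventory[dst].update([proto] if proto else [])
    return {ip: sorted(protos) for ip, protos in inventory.items()}


def find_findings(flows):
    """Apply the zone policy and the cleartext check; one finding dict per hit."""
    findings = []
    for src, dst, port, payload in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == "ot" and dst_zone == "external":
            findings.append({"kind": "direct-internet", "src": src, "dst": dst, "port": port})
        if dst_zone == "ot" and src_zone != "ot" and ipaddress.ip_address(src) != JUMP_HOST:
            kind = "remote-access" if port in REMOTE_ACCESS_PORTS else "zone-violation"
            findings.append({"kind": kind, "src": src, "dst": dst, "port": port})
        if port in CLEARTEXT_CRED_PORTS:
            findings.append({"kind": "cleartext-credentials", "src": src, "dst": dst, "port": port,
                             "protocol": CLEARTEXT_CRED_PORTS[port],
                             "credentials": ftp_credentials(payload) if port == 21 else None})
    return findings


if __name__ == "__main__":
    for ip, protos in sorted(build_inventory(FLOWS).items()):
        print(f"{ip:15} serves {', '.join(protos) or '-'}")
    for finding in find_findings(FLOWS):
        print(finding)
```

Port-based protocol identification is deliberately crude; a production sensor dissects the protocol (Modbus function codes, S7 job types) so that an unexpected write from a host that only ever reads also becomes a finding. The point of the passive approach is that none of this touches the controllers, which matters on a plant network where an active scan can knock a PLC over.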
  46. OT Security Vendors. Consider finding a partner on your journey!
  47. john@johndjohnson.com @johndjohnson
  48. Videos
      1. Future Son | Progressive Insurance – https://www.youtube.com/watch?v=NLTKvGgTb10
      2. “The Smart Cities Of Tomorrow Are Already Here | Mach | NBC News”, https://www.youtube.com/watch?v=THiQtn9hVB8
      3. “Agriculture: How Internet of Things (IoT) is changing the game”, https://www.youtube.com/watch?v=Rxulo78gyGc
      4. “The Vision of IoT – Intel”, 2016, https://www.youtube.com/watch?v=rnDey89wp_M
      5. “The Future of Industrial IoT”, 2018, https://www.youtube.com/watch?v=NYRSw0UeqHY
      6. “Private LTE Networks for the Industrial IoT — Use Cases“, https://www.youtube.com/watch?v=U82tIdvrlEA
      7. (extra) “How It Works: Internet of Things”, https://www.youtube.com/watch?v=QSIPNhOiMoE
  49. Regulations: Good, Bad & Ugly • California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. • Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess. • The bill has been praised as a good first step by some and criticized by others for its vagueness. Cybersecurity expert Robert Graham has been one of its harshest critics. He’s argued that it gets security issues backwards by focusing on adding “good” features instead of removing bad ones that open devices up to attacks. He praised the password requirement, but said it doesn’t cover the whole range of authentication systems that “may or may not be called passwords,” which could still let manufacturers leave the kind of security holes that allowed the devastating Mirai botnet to spread in 2016. • But others, including Harvard University fellow Bruce Schneier, have said that it’s a good start. “It probably doesn’t go far enough — but that’s no reason not to pass it,” he told The Washington Post. While the rule is only state-wide, any device-makers who sell products in California would pass the benefits on to customers elsewhere.

Editor's Notes

  • The Internet of things is amongst us
    Billions of devices connected and seamlessly communicating all around us to produce a smarter, more efficient society

    Sensors, controllers and smart devices permeate the world around us, and as technology advances
    As computing power, speed and communications enable devices to become smaller and smarter and communicate faster
    Everything will be connected to the Internet

    Image Source: Multiple Online Sources
  • 30 seconds – Future Son | Progressive Insurance – https://www.youtube.com/watch?v=NLTKvGgTb10
  • Image Source: A Brief History of the Internet of Things. (n.d.). Retrieved from http://www.baselinemag.com/networking/slideshows/a-brief-history-of-the-internet-of-things.html
  • It is predicted that in the next 5 years there could be 80 B devices connected to the Internet.

    Image Source: IoT and Its’ Impact on Testing | Zephyr. (n.d.). Retrieved from https://www.getzephyr.com/resources/whitepapers/iot-and-its-impact-testing
  • Three major parts make up the Internet of Things: The Edge, The Connection & The Analytics
    The Edge is the interface to the physical world. Think of this as the sensors that collect the data.

    The Connection is the wireless communication methods used to transmit this data. For applications like self-driving cars, manufacturing and robotic surgery, real-time analytics require extremely high data transmission rates and low latency. 5G looks to accommodate this by providing gigabit data transmission rates at very high frequencies, such as the 28 GHz millimeter-wave band. This will allow millions of low-power, low data rate devices to be connected, while also being able to handle occasional spikes for high bandwidth pulses of data. This will allow IoT to have a virtually unlimited number of things with embedded connectivity.

    Big Data Analytics takes the data and turns it into something useful, valuable and actionable. As the number of devices and the amount of data being processed grows exponentially, cloud computing platforms will give way to Fog Computing, which is sometimes called Edge Computing.

    Image Source: Fuller, J. (2016, May 26). How to design an IoT-ready infrastructure: The 4-stage architecture. Retrieved from https://techbeacon.com/4-stages-iot-architecture
  • Smart phones have commoditized the mobile device computing stack and made it faster and cheaper, so we can now take that computing stack and apply it to even smaller sensors and devices.

    New technology, new manufacturing techniques and a paradigm shift in how we think about using sensors for consumers, cities, the power grid, vehicles, manufacturing and other uses, is required.

    The demand for IoT will rapidly grow as our society finds new and beneficial uses for this revolutionary advance in technology. IoT is the next frontier of innovation.

    Image Source: IoT Analytics platform for Real-Time and Streaming Analytics - XenonStack Blog. (2018, May 30). Retrieved from https://www.xenonstack.com/blog/big-data-engineering/iot-analytics-platform-solutions/
  • This architecture goes way beyond what we may think of for the consumer IoT we are familiar with

    It gives us a SMART GRID and enables us to deliver the right amount of energy in the right form to various energy consumers.

    It can allow consumers to sell back their energy surplus and make power distribution more efficient.

    Image source: AM57x processors for smart grid applications - The Process - Blogs - TI E2E Community. (2015, October 21). Retrieved from https://e2e.ti.com/blogs_/b/process/archive/2015/10/21/am57x-processors-for-smart-grid-applications
  • In the healthcare sector, IoT offers many benefits ranging from patient monitoring to providing better insights and patient care, and even remote medicine and surgery.

    The global medical device market is expected to reach an estimated $409.5 billion by 2023, growing at 4.5% per year between 2018 and 2023.

    Image Source: The Change of Healthcare Industry and Modern IT Trends: Where Do We Stand Now? (n.d.). Retrieved from https://dashbouquet.com/blog/artificial-intelligence/the-change-of-healthcare-industry-and-modern-it-trends-where-do-we-stand-now
  • Image Sources: The Connected Haven. (n.d.). Retrieved from http://visions.newmobility.global/0817/faye-francy-auto-isac
  • IoT leads to…


    Image Source: Shutterstock.com & “US mayors aim to advance smart cities. (n.d.). Retrieved from https://www.smartcitiesworld.net/governance/governance/us-mayors-aim-to-advance-smart-cities”

    Image Source: Cubeacon Mesosfer Smart Digital Life Architecture. (n.d.). Retrieved from https://blog.cubeacon.com/cubeacon-mesosfer-smart-digital-life-architecture.html

    Precision farming, agronomics, and higher yields to more effectively feed a larger future population that is expected to reach 9.6 billion by 2050 without having more land for farming.

    Sensors will provide data on soil conditions, insects, disease, weather and more.

    GPS will precisely guide tractors and field equipment.

    All of this data helps to improve yields and make farms more competitive to feed the planet.

    Image Source: Precision Agriculture: Almost 20% increase in income possible from smart farming. (n.d.). Retrieved from https://www.nesta.org.uk/blog/precision-agriculture-almost-20-increase-in-income-possible-from-smart-farming/
  • Source: “Internet-of-Things-Innovation-Report-2018-Deloitte”, https://www2.deloitte.com/content/dam/Deloitte/de/Documents/Innovation/Internet-of-Things-Innovation-Report-2018-Deloitte.pdf
  • Source: “Internet-of-Things-Innovation-Report-2018-Deloitte”, https://www2.deloitte.com/content/dam/Deloitte/de/Documents/Innovation/Internet-of-Things-Innovation-Report-2018-Deloitte.pdf
  • Source:

    [1] Toesland, F. (2017, March 9) Top 5 applications for the industrial internet of things - Raconteur. Retrieved from https://www.raconteur.net/technology/top-5-applications-for-the-industrial-internet-of-things

    [2] Hoffman, T. (2003, March 24). Smart Dust. Retrieved from https://www.computerworld.com/article/2581821/mobile-wireless/smart-dust.html
  • Source: WEF

    Source: Powerpoint; “The Convergence of 5G, AI and IoT “, Ericsson (2018)

    Image Source: Internet of Things in manufacturing – the Microsoft view – source SlideShare presentation – License: CC Attribution-ShareAlike License
  • Source: Morgan Stanley, IndustryARC, Accenture and Research and Markets.
  • Let’s take a look at some enablers of this IoT explosion we are experiencing.

    Starting with 5G as we mentioned before. It will take time to fully deploy 5G, but along with other communications protocols for specialized purposes, we will ramp up to something 100 times faster than 4G today.
  • Source: General Electric
  • Source: Powerpoint; “The Convergence of 5G, AI and IoT “, Ericsson (2018)
  • IoT can generate an unfathomable amount of data, as we have seen, and uploading all of this data to the cloud is time consuming.

    Along with 5G speeds, Fog Computing steps in to push the border of the cloud closer to the edge devices. Often, computing will take place in a hybrid environment with a mix of public cloud and private fog networks. Self-driving vehicles and healthcare are two examples of applications that will benefit from more real-time fog computing. Fog computing can also reduce exposure compared with shipping everything to a public cloud, because sensitive data can be processed and kept locally; the fog nodes themselves then need the same hardening, patching and monitoring discipline as any other OT asset.

    Image Source: Fog Computing and the Internet of Things: A Review. (2018, April 8). Retrieved from https://www.mdpi.com/2504-2289/2/2/10/htm
  • Image Source: Recent Machine Learning Applications to Internet of Things (IoT). (n.d.). Retrieved from https://www.cse.wustl.edu/~jain/cse570-15/ftp/iot_ml/index.html
  • ALSO: speech-to-text error rates are now < 5% (i.e., more than 95% accurate).

    The combination of IoT, 5G and AI has been called a ‘Cambrian Explosion’ that will disrupt virtually all sectors.

    Source: Powerpoint; “The Convergence of 5G, AI and IoT “, Ericsson (2018)
  • Image Source: IBM
  • In the future, we won’t just have Google Home and iPhones connected to the Internet…

    Every type of device can be connected to the Internet. Like we saw in the opening video, your son may ask the trash can to turn on the TV.

    As opposed to traditional computers with a security model, we are opening the door for a fabric of IoT to cover our lives, and most of these devices will be connected without fully thinking of how to secure them and maintain privacy.

    Image Source:
    [1] https://developer.amazon.com/alexa/connected-devices
    [2] https://www.inverse.com/article/14356-how-to-make-amazon-s-alexa-open-and-close-your-blinds
  • Source: joyoftech.com
  • Various Google Sources
  • The bottom line is that the more we and all of our things are connected together, the more vulnerable we are to disastrous disruptions to our business processes, personal lives, and society as a whole.

    Source: Amazon
  • As we start to connect automobiles and toasters and power grids and factory systems, we cross the physical world boundary and create what we refer to as CYBER PHYSICAL SYSTEMS. These systems can have real safety concerns.

    Source: getcybersafe.ca
  • A bad day at an Iranian power plant.

    Source: Undisclosed
  • We want to identify the risk, and one way to do that is with threat modeling.

    When you are modeling threats, you want to determine who wants what and how they are likely to go about getting it. I think there are some really smart people and service providers in this space who can help you understand the risk your industry, and your company specifically, may be facing.
  • Regulations may be necessary because this industry is evolving and growing so rapidly – if we don’t take the time to consider security and privacy, we may deploy millions of devices that are later shown to be insecure and take decades to replace (think of old ICS)
  • Recently a bill was drafted for the Senate of the State of Michigan which would punish automobile hacking with a sentence of life in prison. One of the authors contacted one of the senators proposing the legislation and that senator agreed to modify the bill to allow hacking for beneficial research purposes. Researchers who discover serious vulnerabilities and report them responsibly provide a service to the industry similar to people who discover safety flaws in automobiles and other safety-critical machinery. Legitimate security research may be hindered by excessive legislation. One way to differentiate between research and unethical hacking is to mandate responsible disclosure of discovered vulnerabilities. Responsible disclosure requires the researcher to first notify the manufacturer or governing authorities and allow reasonable time for the vulnerability to be independently verified and fixed before going public with a system hack. Another, less desirable, approach might be to require researchers to first register with a government office or the manufacturer before attempting to break into a device.