The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.

1. © Copyright Fortinet Inc. All rights reserved.
The Internet of Things – Good, Bad or Just Plain Ugly?
Patrick Grillo, Senior Director, Security Strategy

2. 2
IoT – What is it?
The Internet of Things (IoT) is the
network of physical objects—devices,
vehicles, buildings and other items—
embedded with electronics, software,
sensors, and network connectivity that
enables these objects to collect and
exchange data.*
*Internet of Things Global Standards Initiative

3. 3
IoT – Is it Real?

4. 4
 Trash bin posts to Facebook
 Connected egg tray
 ICPooch - Dog treat dispenser
with video chat
 Dog fitness tracker
 Connected “doggie” door
 WiFi connected beer home
brewing kit
 Spectator worn sports jersey
that vibrates
 Connected “piggy” bank with
mobile app
Would You Believe?
Just Because They Can

5. 5
 Nuclear Facilities (US)
» More than 150 successful cyber
attacks between 2010 & 2014
 Steel Mills (Germany)
» Uncontrollable blast furnace
 Energy Grid (US)
» More than 150 successful cyber
attacks between 2010 & 2014
 Water Supply
 Hospital
» Remotely hack drug pumps
 Building Infrastructure
» Temperature and fire control systems
 Oil Rigs
» Hacker induced instability
 Firearms
» Smart weapons with WiFi
 Airplanes
» Access flight control via entertainment
system
 Kitchen
» Toaster refusing to toast white break
Did You Know?
Top 10 Scariest IoT Data Breaches

6. 6
Trend: Device Growth Continues
 33 Billion endpoints projected to
be connected by 2020 – Gartner
 New device types entering the
network
» ‘headless’ IoT, wireless sensor
nodes, beacons, wearables
More devices and newer device types are entering the network

7. 7
Best Two out of Three?
IoT Challenge
SecureCheap
Fast

8. 8
IoT Security is a BIG STORY!

9. 9
“CEO’s Guide to IoT Security” – AT&T, March 2016
of global organizations are
considering, exploring, or
implementing an IoT
strategy
85%
IoT deployments are on the rise
How many connected devices do you
have in your organization?
of organizations are fully
confident that their
connected devices are
secure
10%
1%
8%
20%
35% 32%
5%
None Fewer than 100
100-999 1,000-4,999
5,000+ Don't know
Source:AT&T, March 2016

10. 10
“CEO’s Guide to IoT Security” – AT&T, March 2016
Source:AT&T, March 2016
44%
32%
14%
4%
6%
IoT share of IT Security Budget
0 - 25% 26-50% 51-75% 76% Not sure

11. 11
Threat Agents in the IoT
Criminals Hackivists Industrial Spies Nation States
Terrorists Insiders Chaotic Actors &
Vigilantes
Regulators

12. 12
IoT Use-case Examples: Consumer and Enterprise
Automated
prescription
ordering
Micro-payments
for ad hoc
home heating
P2P lending
– through
the TV
Re-fill the
fridge

13. 13
IoT Use-case Examples: Consumer and Enterprise
Automated
prescription
ordering
Micro-payments
for ad hoc
home heating
P2P lending
– through
the TV
Re-fill the
fridge
Stored value
and loyalty
Energy
Spot-market
settlement
Pay as you go feed
stock by inventory
managers
Fuel currencies
(block chains)

14. 14
Big Threat #1 – Device to Device Attacks
 Infected device enters the home and attacks
adjacent devices – which in turn launch attacks
 Infected/ compromised devices attack
internally and externally

15. 15
Big Threat #1 – Device to Device Attacks
 Infected device enters the home and attacks
adjacent devices – which in turn launch attacks
 Infected/ compromised devices attack
internally and externally

16. 16
Big Threat #2 – IoT as the Weakest Link
Personally
Identifiable
Info
Sabotage or
privacy invasions
Attack on
information-rich
devices
IoT Cloud services
 Compromise of one device leads to
all adjacent systems
 Social engineering in the IoT

17. 17
Big Threat #2 – IoT as the Weakest Link
Personally
Identifiable
Info
Sabotage or
privacy invasions
Attack on
information-rich
devices
IoT Cloud services
Man-in-the-Middle or
compromise Cloud
Messages pushed to device manager
“Upgrade now for your own safety”
Fetch “patches” = malware
Malware
Drop
 Compromise of one device leads to
all adjacent systems
 Social engineering in the IoT

18. 18
Big Threat #3 – Interdependency and Complexity
 IoT ecosystem has many stakeholders and
service providers at each point in the
architecture
 Cascading impacts almost
impossible to project or monitor
 Assumptions will fail
End point
Device user(s)
Device owner
Device manager
Device maker
Supply chain

19. 19
Big Threat #3 – Interdependency and Complexity
 IoT ecosystem has many stakeholders and
service providers at each point in the
architecture
 Cascading impacts almost
impossible to project or monitor
 Assumptions will fail
1
Gateway
Service function owner
Gateway owner
Gateway manager
Gateway maker
Supply chain
End point
Device user(s)
Device owner
Device manager
Device maker
Supply chain

20. 20
Big Threat #3 – Interdependency and Complexity
 IoT ecosystem has many stakeholders and
service providers at each point in the
architecture
 Cascading impacts almost
impossible to project or monitor
 Assumptions will fail
1 2
Gateway
Service function owner
Gateway owner
Gateway manager
Gateway maker
Supply chain
Network
Network provider Equipment maker
Network owner Supply chain
Network manager
End point
Device user(s)
Device owner
Device manager
Device maker
Supply chain

21. 21
3
Big Threat #3 – Interdependency and Complexity
 IoT ecosystem has many stakeholders and
service providers at each point in the
architecture
 Cascading impacts almost
impossible to project or monitor
 Assumptions will fail
1 2
Gateway
Service function owner
Gateway owner
Gateway manager
Gateway maker
Supply chain
Cloud / DC
Service tenant Platform vendor
Software owner
Infrastructure
owner
Software manager
Infrastructure
manage
Software vendor
Infrastructure
vendors
Platform owner Supply chain
Platform manager
Network
Network provider Equipment maker
Network owner Supply chain
Network manager
End point
Device user(s)
Device owner
Device manager
Device maker
Supply chain

22. 22
3
Big Threat #3 – Interdependency and Complexity
 IoT ecosystem has many stakeholders and
service providers at each point in the
architecture
 Cascading impacts almost
impossible to project or monitor
 Assumptions will fail
1 2
Gateway
Service function owner
Gateway owner
Gateway manager
Gateway maker
Supply chain
Cloud / DC
Service tenant Platform vendor
Software owner
Infrastructure
owner
Software manager
Infrastructure
manage
Software vendor
Infrastructure
vendors
Platform owner Supply chain
Platform manager
Network
Network provider Equipment maker
Network owner Supply chain
Network manager
End point
Device user(s)
Device owner
Device manager
Device maker
Supply chain
4

23. 23
WHERE DO THE
IOT SECURITY
ANSWERS LIE?

24. 24
WHERE DO THE
IOT SECURITY
ANSWERS LIE?
PARTIALLY WITH
THE IOT DEVICES
THEMSELVES.

25. 25
WHERE DO THE
IOT SECURITY
ANSWERS LIE?
PARTIALLY WITH
THE IOT DEVICES
THEMSELVES.
BUT MOSTLY
WITH THE
NETWORK.

26. 26
End-to-End: IoT Security Reference Model
End point Gateways Network Data Center and Cloud
Control & Visibility
Security Services & Framework
END POINTS
(Wireless/Fixed)
NETWORK
DATA CENTER
& CLOUD
(Smart)
GATEWAYS

27. 27
An Equal Opportunity Problem

28. 28
An Equal Opportunity Problem

29. 29
An Equal Opportunity Problem

30. 30
Thumbs Up or Thumps Down?
 IoT is here to stay
 Understand its advantages and liabilities
 Put security in the forefront when considering IoT