CSG Business Meeting: End-to-End Trust & Security Open Architecture for IoT
Scot Ransbottom, Virginia Tech
Florence Hudson, Internet2
April 28, 2016
Agenda
- How we began a discussion on end-to-end trust and security for IoT
- What is the Internet of Things (IoT)
- E2ET&S Open Architecture for IoT
- IoT Examples on Campus
- Making IoT More Secure on Campus
Internet2 Collaborative Innovation Community Working Groups identified the need for a focus on end-to-end trust and security for IoT
- Internet of Things: Smart Campus / Smart Cities; Smart Grid Testbed; IoT Sandbox
- E2E Trust & Security: End to End Trust and Security for the Internet of Things; TIPPSS – Trust, Identity, Privacy, Protection, Safety, Security; SDP (Software Defined Perimeter), Network Segmentation
- Distributed Big Data & Analytics: Smart Campus / Smart Cities; Digital Humanities; Genomics
Internet of Things will connect billions of devices, generate large volumes of data, create transformational value, and need a secure network.
- IoT applies across many industries and use cases
- As the physical world becomes connected to the digital world, more “things” will be at play
- 2014: 13B+ Internet of Things devices
- By 2020: 25B to 200B “things” will be connected
- IoT is projected to deliver 2x IT economic value, representing 10% of global GDP
- Amount of IoT data will be ENORMOUS: Zettabytes (10^21) by 2020, then Yottabytes (10^24), then Brontobytes (10^27)
- In 2025, the Internet of Things could contribute $11T in global economic value.
Source: McKinsey “Unlocking the Potential of the Internet of Things.” June
IoT risk and security awareness is increasing … and highlighting the need for security research and development.
- Vehicle Hacking
- Global Positioning System Spoofing
- Industrial Hacking
- Smart Home Hacking
- National Transportation Safety Board Connected-Car Mandate
- Healthcare Device & Information Hacking
Sources: npr.org; thehackernews.com; spectrum.ieee.org; cnn.com; technologyreview.com; politico.com.
IoT devices are showing up on campus. How are you protecting your campus and its devices?
N = 6
- It is clear that CSG respondents do not know how many IoT devices are currently on a campus: 2K, 10K, 15K, 20K, 30K, somewhere between 10K and 50K
- IoT devices are generally connected to a network and are part of infrastructure or safety & security
- 2/3 of respondents say at least 90% of IoT devices are connected to a network
- Significant growth in the number of IoT devices on campus is expected over the next 3 years, with 83% of respondents expecting growth of at least 50%
IoT security concerns are generating some initial thoughts on best practices and lessons learned.
N = 6
While most respondents see risk awareness for IoT device security on campus as important, it is currently a relatively low priority. Respondents are already identifying ways in which to address security concerns. Some responses were:
- Developing inter-organizational coordination will be critical for effective IoT systems implementations.
- Identifying common risk language to discuss IoT systems issues is important.
- Review public exposure through tools such as Shodan.io or similar.
- Begin conversation of what a ‘common’ IoT backend might look like (device data aggregation, data analytics, dashboard/reports publishing) [currently every IoT systems vendor wants a different back end].
- Facilities Management, working with Information Technology Services, has developed fairly robust security controls including network segmentation and firewalls to protect HVAC control and other facilities management systems. The same strategy has been employed for similar systems such as door control and security cameras under the Police Department.
- Still learning... it is rare for any IoT device to be introduced on campus that has well defined security. IoT devices are inherently insecure in general.
- Not necessarily operational, but students in our IT security lab learned how quickly exposed IoT devices can be discovered and abused by malicious actors.
- Separate, secured SCADA Network, separate secured door access network.
- Many standard security practices (security segmentation, clear responsibilities, minimum security standards) go a long way to address IoT risk issues.
IoT is becoming a campus reality: Smart Buildings, Research, and Healthcare.
Are you participating in any operational IoT uses on or off your campus?
N = 6
On Campus / Off Campus
- Smart buildings (e.g., Building Management Systems, connected lights, sensors, etc.): 60
- Research projects (e.g., IoT Lab, connected cows): 53
- Connected healthcare (e.g., Bluetooth connected insulin pumps, embedded heart devices, etc.): 33
- Smart stadiums (e.g., sensor for crowd control, parking, etc.): 31
- Connected vehicles (e.g., in research or practical use including connected skateboards, cars, bikes, etc.): 22
- Smart museums (e.g., asset protection): 10
IoT is becoming a campus reality: Use cases are gaining in importance.
For your campus, please rank the importance of the following IoT use cases:
N = 6
And other use cases are expected over the next few years:
- Continued growth in lab automation.
- Particular growth in environmental control systems for research/lab areas, especially animal care facilities.
- Continued growth in physical access control.
- Continued growth in video surveillance.
- Continued growth in ‘walk-on’ IoT such as FitBit & similar devices.
- Continued growth in experimental IoT such as Raspberry Pi & networked Arduino (academic-based & non-academic-based)
- Greenhouse sensors & management, landscape irrigation control & management, security, iBeacon, personal devices
- Wireless IoT devices - across virtually all categories
- Medical school expansion will likely result in increases in connected medical devices
- Mostly medical equipment, door access and building control systems
IoT is a reality on campus today.
How secure are all these devices?
Cybersecurity is required for IoT to be successful.
Cybersecurity is grabbing headlines and will become increasingly important with more connected IoT devices.
- Distributed Denial of Service (DDoS) attacks are increasingly potent, and are one of the most frequent types of incidents
- Key areas for innovation include: detection, response, defense, prediction, prevention
- Critical applications of the Internet of Things require TIPPSS: Trust, Identity, Privacy, Protection, Safety, Security
- Within two years, 90% of all IT networks will have an IoT-based security breach, although many will be considered “inconveniences.” Chief Information Security Officers (CISOs) will be forced to adopt new IoT policies.
- 79% of organizations have experienced a Cybersecurity event in the past 12 months.
“There are two kinds of big companies in the US. There are those who’ve been hacked, and those who don’t know they’ve been hacked.” – FBI Director, James Comey
“Every bit of U.S. infrastructure – from power grids to dams to air and ground traffic control to water treatment plants and our financial institutions – are all accessible online. And while these systems are defended, some are still more vulnerable than others.” – CyberWarNews, October 2015
Sources: CIODive, “DHS Struggles to Hire Much-Needed Cybersecurity Experts.” 7 April 2016; IDG, “2015 US State of Cybercrime Infographic.” 15 July 2015; IDC, “FutureScape: Worldwide Internet of Things 2015 Predictions.” December 2014; IDC, “Thwarting Cyberthreats and Attacks Against Healthcare Organizations.” November 2014; Internet2 CINO.
How can we make IoT devices more secure on campus?
“We need to make sure we don’t fall prey to calling this end-to-end security, when really we want to talk about end-to-end security and safety,” Mr. Bob Martin (IIC) said. “It’s really not a network issue. Don’t take a network-security approach to this, because it’s really each element, each node, the software on those nodes … If we only come to this as the integrity of the network, we will fail gloriously. For the IoT, safety needs to be considered along with privacy, the performance issues, reliability, resilience, and, of course, the security of these systems.”
February 2016 IEEE Experts in Technology & Policy meeting identified a number of areas where we can start:
- Education & Ethics
- Data localization
- Identity management
- Technology policy development process
- Autonomy
- Accountability
- Tradeoff adjudication
- Solutions roadmap creation
- End-to-end security/privacy by design
Identifying a framework for segmenting IoT devices & the hack outcomes is a first step towards creating a TIPPSS environment.
Hacking an IoT device can have implications across multiple fronts:
- Financial
- Physical
- Data
- Reputation
Trust, Identity, Privacy, Protection, Safety & Security
Next steps
- Scan for categorization of discovered devices on campus
- Develop a view of procedures and processes to discover new devices on campus (researchers, students, etc.) and determine risk mitigation
- Determine if we want to focus on one TIPPSS element first, or a category of device or use case
- For student innovation on campus, add TIPPSS assessment
- Identify best practices
- Develop new recommendations
- Join IoT Systems risk management task force – send a note to
Questions?
Scot Ransbottom:
Florence Hudson:
Survey: