The Convergence of IT, Operational
Technology and the Internet of Things:
How to find a Balance of Risk and Value
Jackson Shaw – Jackson_Shaw@Dell.com
Sr. Director, IAM Product Management
This has been exciting research
• I’m an identity guy – not a hardware guy (thank you, Dr. McCoy)
• IoT is the buzzword of the year – everything is IoT and IoT is everywhere
• Very, very difficult to find good (any?) examples of enterprise IoT other than HVAC
• Finding a definition of IoT is like finding a definition of IAM/IAG/IdM ten years ago
• So, what has the good doctor found out?
The Internet of Things
“A network of everyday objects that have sensors, controls, and network connectivity, allowing them to send and receive data. These devices could include consumer devices (personal biomedical, smartphones); durable goods (televisions, refrigerators, personal cars); commercial buildings (HVAC and lighting) and vehicles; government buildings, vehicles, and infrastructure (streets, bridges); and utility networks (electrical, water, internet).”
Any “thing” that does not require a person to regularly interoperate with it, that is generating data and uses your network.
It’s basically an autonomous, internet-connected device.
The IoT is very anti-social
• IoT devices don’t easily talk to each other
• Download a mobile app
• Create an account on the manufacturer’s server
• Connect your IoT device to your account
• How you connect your device could be Bluetooth, Wi-Fi, Zigbee, SCADA, Z-Wave or even non-IP based
• Every device manufacturer is solving these problems differently ≠ interoperability
“Using OAuth for Access Control on the Internet of Things”, Phillip Windley, PhD; Brigham Young University
To be published in IEEE Consumer Electronics Magazine
I saw the “future” at CES…
Autonomous conference robots
Safety & Security Environmental
Lots of IoT & IoT data sources…
Demystifying the Internet of Things Implementing IoT Solutions An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for Dell Software April 2015
http://en.community.dell.com/techcenter/information-management/b/weblog/archive/2015/04/10/demystifying-the-internet-of-things
Lots of potential
• Real-time data = Real-time decisions
• Temperature, humidity, light, air quality, electrical
• Proximity, geo-location & motion
• Health
• Data analytics, especially cloud-based analytics, will be at the forefront of dealing with the huge amounts of IoT data
How pervasive is IoT?
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world
They’re here and it’s the Wild West
Do you know this man?
Fridge caught sending 750,000 spam emails
in botnet attack!
http://www.cnet.com/news/fridge-caught-sending-spam-emails-in-botnet-attack/
Does this worry you? It worries me!
I don’t think firewalls are smart enough for today’s and tomorrow’s IoT threat environments.
In/Outbound IP Traffic Analysis
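The spam-sending fridge is the case for the traffic analysis this slide calls for: an IoT device has no business opening outbound mail connections, so flows from the IoT segment to mail ports are a high-signal indicator. The script below is an added illustration, not code from the presentation or from Dell; the address plan (IoT devices in 10.20.0.0/24, workstations in 10.10.0.0/24), the key=value flow-export format and the sample flow lines are all constructed for the example.

```python
"""Flag IoT-segment hosts that open outbound SMTP connections.

Added illustration (not from the presentation): a thermostat, camera or
refrigerator should never relay mail, so outbound traffic to mail ports
from the IoT VLAN is worth an alert on its own.
"""
import ipaddress
import re
from collections import Counter

# Constructed address plan: IoT devices live in 10.20.0.0/24, corporate
# workstations in 10.10.0.0/24. Replace with your own segmentation.
IOT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24")]

# Destination ports an IoT device should never initiate connections to.
MAIL_PORTS = {25, 465, 587}

# Constructed flow-export lines (timestamp, source, destination,
# destination port, protocol) in a simple key=value format.
SAMPLE_FLOWS = """\
2015-04-10T02:14:01Z src=10.20.0.7 dst=203.0.113.10 dport=25 proto=tcp
2015-04-10T02:14:03Z src=10.20.0.7 dst=203.0.113.11 dport=25 proto=tcp
2015-04-10T02:14:04Z src=10.20.0.9 dst=198.51.100.20 dport=443 proto=tcp
2015-04-10T02:14:06Z src=10.20.0.7 dst=203.0.113.12 dport=25 proto=tcp
2015-04-10T02:14:07Z src=10.10.0.5 dst=192.0.2.25 dport=587 proto=tcp
2015-04-10T02:14:09Z src=10.20.0.7 dst=203.0.113.13 dport=25 proto=tcp
2015-04-10T02:14:11Z src=10.20.0.7 dst=203.0.113.14 dport=25 proto=tcp
2015-04-10T02:14:12Z src=10.20.0.9 dst=198.51.100.20 dport=443 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def in_iot_segment(addr):
    """True if the address falls inside one of the IoT networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IOT_SEGMENTS)


def detect_iot_smtp(flow_text):
    """Return {source_ip: connection_count} for IoT-segment hosts that
    reached a mail port. Workstations reaching mail ports are ignored here;
    they need a different baseline."""
    hits = Counter()
    for rec in parse_flows(flow_text):
        if rec["dport"] in MAIL_PORTS and in_iot_segment(rec["src"]):
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in detect_iot_smtp(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} outbound mail connection(s) from the IoT segment")
```

On the sample data only the refrigerator at 10.20.0.7 is reported; the thermostat's HTTPS traffic and the workstation's submission to its mail relay pass. The same segment list is what the closing "Contain" recommendation relies on: the check is only as good as the segmentation it encodes.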
Two recent IoT “incidents”…
Google Nest
• Wireless passwords stored on the device are unencrypted
• The Mini USB port gave the necessary root access to the NEST operating system
• “Once the entry point with the NEST device was in place, we were then able to compromise just about everything within that network.”
Wink Hub
• Complete outage when a 1-yr SSL certificate expired
• Technical workaround exists, but most customers will return their h/w for replacement
• Incalculable financial and reputation cost despite good security practice
http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-InternetOfThings.pdf
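The Wink Hub outage is an availability failure, not a break-in: a one-year certificate that nobody tracked. The defender's counterpart is an inventory sweep that warns well before notAfter arrives. The script below is an added example, not code from the presentation or from Wink; the device inventory, its notAfter dates and the reference date are constructed. It uses the standard library's ssl.cert_time_to_seconds, which parses dates in the same format ssl.getpeercert() returns, so values pulled from a live handshake can be dropped in unchanged.

```python
"""Flag device certificates that are expired or about to expire.

Added illustration (not part of the presentation): an inventory sweep
that turns a silent certificate expiry into an early warning.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory. The notAfter strings use the format that
# ssl.getpeercert()["notAfter"] returns, so real values can be used as-is.
DEVICE_CERTS = {
    "hub-01": "May 15 00:00:00 2015 GMT",
    "hub-02": "Jun 30 00:00:00 2016 GMT",
    "hub-03": "Apr 20 00:00:00 2015 GMT",
}

# Constructed reference date so the sweep is reproducible; in production use
# datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2015, 5, 1, tzinfo=timezone.utc)

SECONDS_PER_DAY = 86400


def days_until_expiry(not_after, now):
    """Whole days from `now` (an aware datetime) to the certificate's notAfter.

    A negative result means the certificate has already expired.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # string is interpreted as GMT
    return int((expiry_ts - now.timestamp()) // SECONDS_PER_DAY)


def expiring_within(inventory, now, warn_days=30):
    """Return [(device, days_left)] for certificates already expired or
    expiring within warn_days, soonest first."""
    findings = []
    for device, not_after in inventory.items():
        days_left = days_until_expiry(not_after, now)
        if days_left <= warn_days:
            findings.append((device, days_left))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for device, days_left in expiring_within(DEVICE_CERTS, REFERENCE_NOW):
        state = "EXPIRED" if days_left < 0 else f"expires in {days_left} day(s)"
        print(f"{device}: {state}")
```

Run against the constructed inventory on 1 May 2015, hub-03 is reported as already expired and hub-01 as 14 days out; hub-02 is silent. A warning window of 30 days is a starting point; for hardware that customers cannot patch themselves the window should be long enough to ship a firmware update.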
What can you do?
JUST SAY NO!!
• Really? Are you going to say “No!” to an employee’s diabetes monitor?
http://www.popsci.com/temporary-tattoos-could-monitor-diabetes-less-invasively
What can you do?
Call Ghostbusters!
• Detect and eradicate?
“Standards like OAuth 2.0 & OpenID Connect 1.0 will enable identity interoperability for the IoT.”
https://www.linkedin.com/pulse/your-identity-concerns-internet-things-ces-2015-paul-madsen
…extras like a TCP/IP layer got removed from industrial protocols like BACnet and GOOSE. And features like robust authentication were left out of nearly all the industrial protocols. After all, who would ever want to hack a control system?
Offspark’s PolarSSL technology has been deployed in a variety of devices including sensor modules, communication modules and smartphones. The acquisition will help companies build IoT products with heightened security. PolarSSL IP will form the core of ARM’s mbed communication security and software cryptography strategy...
BACnet currently requires a 56-bit Data Encryption Standard (DES) key encryption for session keys. It has been demonstrated that these keys can be broken in times on the order of 1 day.
At least there are standards now – and coming – to help…
A practical use:
Controlling privileged accounts
Location as a factor in authentication
• Too far away, no PAM access
• Challenges found…
• Not tamper-proof
• Movable
• Openable
• Lacks non-repudiation
• OTP?
• Certificates?
• Result? Ruled out as a solution.
http://wwwhome.ewi.utwente.nl/~rijswijkrm/pub/ble-otp.pdf
Parting thoughts…
• Security is not priority #1 for most IoT vendors (Is it for most software vendors?)
• “Over the next two years the IoT devices and services markets will be chaotic”
• “New IoT-ready platforms will enable vendors to integrate the first wave of IoT devices and sensors and enable them to communicate with vendors’ customers’ infrastructures.” This is *YOU*
• Recommendations:
• Question: How is security handled in the IoT device? Who has reviewed it? Has it been pen-tested?
• Detect: You cannot remediate unless you detect – before and after
• Contain: Segment your corporate IT devices from everything IoT related
• Anticipate: Everything IoT is in flux – you must stay on top of it
Please visit our booth for yours!
http://www.ibtimes.co.uk/stockholm-microchipped-office-workers-feel-very-modern-using-hand-implanted-chips-open-doors-1489739
http://www.popsci.com/swedish-company-puts-rfid-chips-employees
Questions? Copy of the slides? Have feedback? Please e-mail:
Jackson.Shaw@software.dell.com
Thank you for your time today!
Appendix
IoT Datapoints & Other Information
Internet of Things units installed base by category
Category 2013 2014 2015 2020
Automotive 96.0 189.6 372.3 3,511.1
Consumer 1,842.1 2,244.5 2,874.9 13,172.5
Generic Business 395.2 479.4 623.9 5,158.6
Vertical Business 698.7 836.5 1,009.4 3,164.4
Grand Total 3,032.0 3,750.0 4,880.6 25,006.6
The IoT will bring into the digital security architecture dozens of new platform options, hundreds of variations on hybrid IT/IoT integration, new standards per industry, and a new view of an application. IT leaders will have to accommodate the differences in technologies across those areas and develop a multifaceted technology approach to IoT risk and security.
http://www.gartner.com/newsroom/id/2905717
Internet of Things Units Installed Base by Category – In millions of units
Source: Gartner (November 2014)
Dell/EMA IoT survey results
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world
Dell/EMA IoT survey results
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world
Dell/EMA IoT survey results
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/03/27/internet-of-things-unlocks-the-power-of-data-in-a-connected-world
Robust and flexible data management capabilities & effective security are needed…
Demystifying the Internet of Things Implementing IoT Solutions An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for Dell Software April 2015
http://en.community.dell.com/techcenter/information-management/b/weblog/archive/2015/04/10/demystifying-the-internet-of-things