The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

377 Comments

  1. Tomi Engdahl says:

    ICS / IIoT Market Segmentation Needed So We Can Communicate Effectively
    https://pentestmag.com/ics-iiot-market-segmentation-needed-so-we-can-communicate-effectively/

    There have been many events and data points that show even people knowledgeable in ICS and security are having difficulty communicating together because we have different views and experiences on what an ICS is. The latest example is Kaspersky’s Threat Landscape for Industrial Automation Systems H1 2018 report. The report stated that “42% of all machines had regular or full-time internet connections”, and base on the other statistics a large percentage of that 42% were sending and receiving email. In case you think Kaspersky isn’t looking at ICS, they characterized the 320 computers in the survey as SCADA servers, historians, OPC gateways, engineering workstations (EWS) and operator stations/HMI.

    My initial reaction was, that’s crazy. We see almost no direct Internet access from ICS computers and certainly these computers are not receiving email.

    This demonstrates the challenge we have in communicating effectively about ICS when we use these broad terms without some sort of taxonomy. There are even more important areas where this large ICS category inhibits effective communication and action including appropriate architecture, security controls, regulation, and risk. And the confusion is getting worse.

    The answer: a taxonomy of ICS/IIoT is needed.

    The taxonomy doesn’t need to be perfect or overly detailed; it’s purpose is to assist in effective communication. Here are some possible categories:

    Value – what would be the consequence if integrity or availability of the ICS/IIoT is compromised?
    Architecture – classic Purdue model, IoT, classic + cloud, ???2
    Maturity of ICSsec program – huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
    Sector / System Type – This is the most obvious category. There are some sectors and systems that are homogenous while others, such as the chemical manufacturing, that have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, Sector 2 systems should deploy these security controls or have these threats.
    Your category here … this is far from a complete list of possibilities.

    The bundling of more and more sectors and systems into ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS. We need an ICS/IIoT taxonomy.

    Reply
  2. Tomi Engdahl says:

    https://www.uusiteknologia.fi/2019/05/28/cpx2019-nanoagentit-tuovat-tietoturvaa-iot-laitteisiin/

    Tietoturvan merkitys esineiden internetissä oli hyvin esillä tänään Helsingissä järjestetyssä tietoturvatalo Check Pointin CPX Finland-tapahtumassa. Paikalla oli noin 250 alan ammattilaista ja uusimpana aiheena IoT-laitteiden tietoturvan parantaminen nanoagenteilla.

    Check Pointin tutkimuksen ja tuotekehityksen Oded Gonda totesi tapahtumassa, että modernin tietoturvan pitää toimia millisekunneissa ja olla käytettävissä paikasta riippumatta silloinkin, kun laitteet puhuvat suoraan toisilleen.

    Check Pointilla on jo Infinity -arkkitehtuuri, joka tuottaa tietoturvan niin pilveen, mobiililaitteille, IoT-laitteille kuin yritysverkkoihin ja päätelaitteisiinkin. Kehitystyö kuitenkin jatkuu. Yritys aikoo julkistaa pian neljän megatavun kokoisen nanoagentin, joka voidaan upottaa periaatteessa mihin tahansa IoT-laitteeseen.

    Nanoagentti kontrolloi Gondan mukaan kaikkea laitteeseen tulevaa ja siltä lähtevää liikennettä. Se pitää yhteyttä tekoälypohjaiseen, globaaliin tietoturvajärjestelmään, joka ohjaa tietoturvaa ja tekee ratkaisut reaaliajassa. Nanoagentin ohjelmisto perustuu avoimeen lähdekoodiin.

    ”Kun meillä tällä hetkellä on keskimäärin viisi verkkoon kytkettyä laitetta kullakin, muutaman vuoden kuluttua, 5G-ympäristössä, hallitsemme ehkä 50 laitetta. Kun valaisimiakin ohjataan sovelluksella verkon kautta, palvelu on järkevää siirtää pilveen”, Check Pointin Sandkuijl totesi.

    Reply
  3. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/9529-nanoagentti-suojaa-iot-laitteet

    Nyt on pinnalla erityisesti pilven tietoturva. Aivan uutta on verkkoon kytkettyjen IoT-laitteiden tietoturvan parantaminen nanoagenteilla.

    - Tietojemme mukaan viime vuonna lähes joka viidennessä yrityksessä koettiin jokin pilvipalveluihin liittyvä tietoturvan loukkaus. Yleisimpiä olivat tietovuodot, käyttäjätilien kaappaukset ja haittaohjelmatartunnat. Kun SaaS-sovellusten ja esimerkiksi pilvipohjaisen sähköpostin käyttö yleistyy, käyttäjätilien hakkerointi ja kalasteluyritykset yleistyvät entisestään, Lindqvist sanoi.

    Check Pointilla on jo valmiina ratkaisu, Check Point Infinity -arkkitehtuuri, joka tuottaa tietoturvan niin pilveen, mobiililaitteille, IoT-laitteille kuin yritysverkkoihin ja päätelaitteisiinkin.

    Reply
  4. Tomi Engdahl says:

    How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in
    https://www.washingtonpost.com/technology/2019/04/23/how-nest-designed-keep-intruders-out-peoples-homes-effectively-allowed-hackers-get/

    As hacks such as the one the Thomases suffered become public, tech companies are deciding between user convenience and potential damage to their brands. Nest could make it more difficult for hackers to break into Nest cameras, for instance, by making the log-in process more cumbersome. But doing so would introduce what Silicon Valley calls “friction” — anything that can slow down or stand in the way of someone using a product.

    At the same time, tech companies pay a reputational price for each high-profile incident.

    Reply
  5. Tomi Engdahl says:

    It has in a recent article been described how intruders accessed Google Nest users’ cameras, which was possible due to weak or earlier compromised passwords

    Google argues that the vulnerable, simple password model is chosen as a tradeoff between convenience and security.

    Nabto believes otherwise: We eliminate the password and instead use o a paired public key approach (similar to SSH’s authorized_keys access control). For end-users, this means no hassle in configuring and managing passwords. For hackers, this means you have to somehow obtain the user’s private key to access the device, a vastly more complicated task than downloading a list of stolen passwords or brute-forcing a poor login mechanism.

    So all in all, it indeed IS possible with high security and a great user experience if you think a bit outside the password-entry box. Read more here:

    PLATFORMS, SECURITY
    Pairing and Access Control: Part 1 – Intro and Device
    https://www.nabto.com/pairing-and-access-control-part-1-intro-and-device/

    paired public key authentication (PPKA)

    PPKA is the recommended approach to access control as outlined in section 8.2 of TEN036 Security in Nabto Solutions.

    To recap, PPKA gives several benefits:

    simple solution with no dependency on a central user management solution or CA service
    strong security
    intuitive user experience with no need to sign up for a central service or issue certificates from a CA

    Reply
  6. Tomi Engdahl says:

    The Nabto PPKA pairing flow is as follows:

    user creates an RSA keypair on a client device and associates it with a name, e.g. “Joe’s iPhone 8”
    in a trusted setting (similar to WPS for wifi configuration), the target IoT device is put into “open for local pairing” mode, e.g. at the first boot
    the user connects to the device on the local network while the device is in pairing mode
    the user’s public key is registered as the owner on the device through the device’s access control list
    The user is now paired with the device. He can open for pairing again later on to add other users as guests. Or “manually” add other users’ public keys to the device’s access control list.

    After pairing, the user can access the device from remote. When connecting from remote, the Nabto servers (denoted the basestation services) first perform a normal challenge response handshake with the client (as regular TLS) and hence validates that the client possesses the private key that matches the public key (the authentication step). The fingerprint of this public key is then passed on to the device which finally looks it up in its access control list (the authorization step): Does this client have access and what are the permissions?

    Source: https://www.nabto.com/pairing-and-access-control-part-1-intro-and-device/

    Reply
  7. Tomi Engdahl says:

    etn.fi/index.php/embedded-conference-finland/72-ecf/9518-ecf19-iot-tietoturva-tulee-vihdoin-pakolliseksi

    Reply
  8. Tomi Engdahl says:

    Industry is Not Prepared for the IIoT Attacks that Have Already Begun
    https://www.securityweek.com/industry-not-prepared-iiot-attacks-have-already-begun

    Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more 20 billion by 2025 — and does not include phones, tablets or laptops. It is a journey just beginning, and nobody yet knows the destination or route.

    Cybersecurity complications are expected, but the most common perception is that so far this has been limited to the rise of massive DDoS botnets able to deliver huge attacks — like Mirai — from thousands of compromised IoT devices. A new survey now shows that direct cyber-attacks against IIoT have already started, and that DDoS is not a primary concern to security teams.

    While attacks against IIoT have already started, organizations have little confidence in the immediate future. Globally, 83% of organizations are concerned about their IoT systems suffering a future cyber-attack (with 32% being ‘very’ concerned). Concern is highest in the UK (91%), with the U.S. at 87%. Japan and China show the least concern at 76% and 77% respectively.

    Reply
  9. Tomi Engdahl says:

    IoT Security- it’s complicated
    https://pentestmag.com/iot-security-its-complicated/

    IoT security is an extremely hot topic right now.

    It seemed this market became crowded very fast with many startups, each working hard to find the best way to differentiate itself. And many customers just confused.

    Internet of Things (IoT) security is the latest addition to the cybersecurity world. As more and more devices are being connected to the internet, and especially after large-scale attacks have occurred, it is clear that security should consider and integrated with IoT deployments. Gartner Says Worldwide IoT Security Spending Will Reach $1.9 Billion in 2019, and will raise to $ 3.1 billion in 2021, making it one of the fastest growing segments in cybersecurity industry.

    Reply
  10. Tomi Engdahl says:

    OWASP TOP10 Internet of Things 2018 – Miten teet IoT-järjestelmästä kyberturvallisen – Voita ainakin nämä 10 tyypillistä haavoittuvuutta
    https://cyberinsights.elfgroup.fi/iot-jarjestelmien-kyberturvallisuus-opas

    Reply
  11. Tomi Engdahl says:

    An 14-year-old’s Internet-of-Things worm is bricking shitty devices by the thousands
    https://boingboing.net/2019/06/25/teenaged-kicks.html

    A hacker calling themself Light Leafon who claims to be a 14-year-old is responsible for a new IoT worm called Silex that targets any Unix-like system by attempting a login with default credentials; upon gaining access, the malware enumerates all mounted disks and writes to them from /dev/random until they are filled, then it deletes the devices’ firewall rules and removes its network config and triggers a restart — this effectively bricks the device, rendering it useless until someone performs the complex dance needed to download and reinstall the device’s firmware.

    Reply
  12. Tomi Engdahl says:

    University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices
    https://www.csoonline.com/article/3168763/university-attacked-by-its-own-vending-machines-smart-light-bulbs-and-5-000-iot-devices.html

    A university, attacked by its own malware-laced soda machines and other botnet-controlled IoT devices, was

    Reply
  13. Tomi Engdahl says:

    Amazon confirms Alexa customer voice recordings are kept forever
    That is unless you know how to delete them manually.
    https://www.zdnet.com/article/amazon-confirms-alexa-customer-voice-recordings-are-kept-forever/

    Reply
  14. Tomi Engdahl says:

    Japan to Hack 200 Million IoT Devices
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1334266

    The government’s plan to hack IoT devices already installed in Japan is likely to expose the uncomfortable truth known to many experts but unknown to most consumers: Many IoT devices in use are vulnerable to cyberattacks.

    Insecurity in IoT is triggered by many factors — including consumer indifference and inaction. Too often, consumers don’t bother to change the initial settings in an IoT device after purchase and installation. Second, peer-to-peer communication among IoT devices, by nature, remain unchecked and unsupervised. Third, service providers aren’t doing automated updates of firmware frequently enough.

    While security experts hail the Japanese government plan as a necessary step, many Japanese media reports have balked, criticizing the heavy hand of the government.

    Reply
  15. Tomi Engdahl says:

    Securing IoT device data against physical access
    A technical overview of how Ubuntu Core with full disk encryption and secure boot can be implemented to harden IoT devices
    https://ubuntu.com/engage/iot-disk-encryption?utm_source=Facebook_ad&utm_medium=social&utm_campaign=CY19_IOT_UbuntuCore_Whitepaper_SecureBoot_FDE

    Reply
  16. Tomi Engdahl says:

    Security flaws in a popular smart home hub let hackers unlock front doors
    https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/

    Zipato smart hubs. In new research published Tuesday and shared with TechCrunch, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock.

    Reply
  17. Tomi Engdahl says:

    New Silex malware is bricking IoT devices, has scary plans
    Over 2,000 devices have been bricked in the span of a few hours. Attacks still ongoing.
    https://www.zdnet.com/article/new-silex-malware-is-bricking-iot-devices-has-scary-plans/

    Reply
  18. Tomi Engdahl says:

    Home> Systems-design Design Center > How To Article
    Designing hardware for data privacy
    https://www.edn.com/design/systems-design/4462039/Designing-hardware-for-data-privacy

    As Internet-connected devices become more prevalent, they are fueling an increasing risk to privacy. Fortunately, there are now many off-the-shelf chips and services available to help designs resist intrusion and prevent unauthorized access to private data. The key lies in identifying the specific threats that need mitigation.

    Broadly stated, privacy entails keeping designated information inaccessible without authorization from the information’s owner. Privacy involves security; information cannot be kept private without also keeping it secure. But they are not the same thing.

    Reply
  19. Tomi Engdahl says:

    ‘World’s first Bluetooth hair straighteners’ can be easily hacked
    https://techcrunch.com/2019/07/11/bluetooth-hair-straighteners-hacked/

    Here’s a thing that should have never been a thing: Bluetooth-connected hair straighteners.

    Glamoriser, a U.K. firm that bills itself as the maker of the “world’s first Bluetooth hair straighteners“, allows users to link the device to an app, which lets the owner set certain heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range.

    Big problem, though. These straighteners can be hacked.

    Reply
  20. Tomi Engdahl says:

    Leivänpaahtimet osallistuvat kyberhyökkäyksiin Suomessakin – Mitä kuluttajan pitää tietää älylaitteensa tietoturvasta?
    Tällä hetkellä kuluttajan on käytännössä vaikea tietää laitteensa tietoturvan tasoa. Selkeää kriteeristöä ei ole.
    https://yle.fi/uutiset/3-10880289

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*