The 1.5 Billion Dollar Market: IoT Security
The two biggest challenges in 2018 will continue to be protecting against unauthorized access and patching/updating device software. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.


  1. Tomi Engdahl says:

    4 best practices to combat new IoT security threats at the firmware level

    Firmware may be the next frontier for IoT hacks. See below how the healthcare industry addresses these threats.

    How do you combat new IoT security threats at the firmware level, which traditional IT security is not designed for? Here are four best practices:

    1. Secure physical premises
    2. Engage in continuous security dialogs with vendors
    3. During the RFP process, evaluate prospective IoT vendors for best practices
    4. Perform beneficial hacking on your own

    By regularly testing your machine with “friendly hacks,” you can probe for security holes and fix what you find.

  2. Tomi Engdahl says:

    Open-source hardware could defend against the next generation of hacking

    Lessons from open-source software
    Software users and developers already embrace computer software whose source code is publicly accessible. All supercomputers, 90 percent of cloud servers, 82 percent of smartphones and 62 percent of embedded systems – like those inside consumer electronics – run on open-source operating systems. More than 70 percent of “internet of things” devices also use open-source software.

    Open-source software isn’t inherently or automatically more secure. But it creates more possibilities, and market pressure, for improving security. Just as when choosing a safe to store a secret document in, customers must decide – should they pick a system whose security is vouched for by the company that makes it, or a system that can be explored, examined and tested?

    Open-source software users choose not to trust a program unless they can verify it independently.

  3. Tomi Engdahl says:

    How open source hardware increases security

    Want to boost cybersecurity at your organization? Switch to open source hardware.

  4. Tomi Engdahl says:

    Germany proposes router security guidelines

    The German government would like to regulate what kind of routers are sold and installed across the country.

  5. Tomi Engdahl says:

    Going Above and Beyond Basic Cybersecurity Authentication Chips

    Cryptographic ICs come with different features, protections, and algorithms, so it’s challenging for design engineers to get a good handle on choosing the right one.

    Given today’s ongoing system counterfeiting assaults, design engineers from all sectors of industry, military/aerospace, business, and technology are searching out the best cryptographic authentication ICs to safeguard their advanced system designs against counterfeiting.

    Unfortunately, while there are many choices to select from, most of them provide only minimal security coverage. In some cases, design engineers are unwittingly prone to select ones that severely limit the anti-counterfeiting (ACF) umbrella that they’re expecting.

    There are two types of authentication ICs: fixed-function “state machine designs” and software-programmable devices that include a wealth of different security protocols.

    The challenge/response protocol is at the heart of anti-counterfeiting. This is best explained using a Challenge-Handshake Authentication Protocol (CHAP) example. In a CHAP system, the authenticating server issues a challenge to the user in the form of a large series of random bits. The user’s password — a secret value — is used to encrypt the challenge, and the encrypted result is returned to the server. Once the server receives the user response, it can verify that the response matches what it was expecting, meaning that the user must have entered the correct password. When that match is confirmed, the user is authenticated; hence, the “challenge/response protocol” moniker.
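The challenge/response exchange described above, as an added example written for this page (not code from the article or from any authentication IC vendor). It models the "password" as a shared secret and the keyed function as HMAC-SHA256 rather than encryption; the class names, the secret and the challenge size are constructed assumptions. Besides the genuine and counterfeit cases it shows why the host must track issued challenges: a recorded response is worthless once its challenge has been consumed.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Host side of a CHAP-style exchange.

    It knows the shared secret, issues fresh random challenges and checks each
    response exactly once, so a captured response cannot be replayed.
    """

    def __init__(self, shared_secret: bytes, challenge_len: int = 32):
        self._secret = shared_secret
        self._challenge_len = challenge_len
        self._outstanding = set()   # challenges issued and not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(self._challenge_len)  # unpredictable, never reused
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Only a challenge this host issued, and only once: an old challenge (replay)
        # or a challenge chosen by the other side is rejected before any crypto runs.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison, so a counterfeit cannot learn the expected
        # response byte by byte from timing differences.
        return hmac.compare_digest(expected, response)


class Accessory:
    """The part being authenticated; in a real design the secret lives inside the authentication IC."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def authenticate(host: Verifier, device: Accessory) -> bool:
    """One complete exchange: challenge out, response back, verdict."""
    challenge = host.issue_challenge()
    return host.verify(challenge, device.respond(challenge))


def replay_is_rejected(shared_secret: bytes) -> bool:
    """A recorded (challenge, response) pair from a genuine part is accepted once and never again."""
    host, genuine = Verifier(shared_secret), Accessory(shared_secret)
    challenge = host.issue_challenge()
    recorded = genuine.respond(challenge)        # the pair an eavesdropper could capture
    first = host.verify(challenge, recorded)     # genuine part answers: accepted
    replay = host.verify(challenge, recorded)    # same pair presented again: rejected
    return first and not replay


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"   # constructed for this example only
    print("genuine:", authenticate(Verifier(SECRET), Accessory(SECRET)))        # True
    print("counterfeit:", authenticate(Verifier(SECRET), Accessory(b"guess")))  # False
    print("replay rejected:", replay_is_rejected(SECRET))                       # True
```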

  6. Tomi Engdahl says:

    Cybersecurity Storms: Visibility is Key to Cyber Protections

    Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks

    The most destructive disaster is the one you do not see coming. Before modern meteorology, settlers along the Atlantic coast had no warning when a hurricane was upon them. There was no way to escape from the titanic forces of wind and rain. Now, scientific instruments such as radar, barometers and satellites can see trouble brewing halfway across the ocean, giving residents time to evacuate and save lives.

    While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when they will find the hack. The realities of the cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.

  7. Tomi Engdahl says:

    M2M Protocols Expose Industrial Systems to Attacks

    Some machine-to-machine (M2M) protocols can be abused by malicious actors in attacks aimed at Internet of Things (IoT) and industrial Internet of Things (IIoT) systems, according to research conducted by Trend Micro and the Polytechnic University of Milan.

    The security firm has analyzed two popular M2M protocols: Message Queuing Telemetry Transport (MQTT), which facilitates communications between a broker and multiple clients, and the Constrained Application Protocol (CoAP), a UDP-based server-client protocol that allows HTTP-like communications between nodes.

    In the case of MQTT, Trend Micro researchers discovered vulnerabilities in both the protocol itself and its implementations. The flaws can allow malicious actors to execute arbitrary code or cause a denial-of-service (DoS) condition, which, as experts have often warned, can pose a serious risk to industrial systems. The flaws have been reported to the developers of the affected software and patches have been released.

  8. Tomi Engdahl says:

    Machine-to-Machine (M2M) Technology Design Issues and Implementation Vulnerabilities

    MQTT Payload Remaining Length (CVE-2018-17614)

    The vulnerability is an unbounded write-in caused by a missing check on the “remaining length” field in a popular MQTT library. This allows an attacker to execute arbitrary code on vulnerable devices that implement an MQTT client. An attacker here must either control a rogue MQTT broker, or the broker must be missing proper checks for the remaining length field and just relay MQTT packets “as they are” from publishers to subscribers. The vulnerability can be triggered during the parsing routine for an MQTT PUBLISH packet, and precisely when reading the “remaining length” and “topic length” fields.

    There was a fix for this vulnerability. However, the developers could not agree on the best way to implement it.

    CoAP: IP address spoofing on UDP and the risk of amplification (PoC)
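As an added example (written for this page, not code from the affected library or from the Trend Micro report), the MQTT PUBLISH parsing path the comment above describes: decoding the variable-length "remaining length" field, then the 2-byte topic length, with the bounds checks that turn a hostile length field into a rejected packet instead of an out-of-bounds write. The buffer sizes, the `MalformedPacket` exception and the sample packets are constructed assumptions.

```python
PUBLISH = 3
MAX_REMAINING_LENGTH = 268_435_455   # largest value the 4-byte variable encoding can carry


class MalformedPacket(ValueError):
    """Raised instead of trusting a length field that the received bytes do not back up."""


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-byte integer: 7 data bits per byte, high bit set while more bytes follow."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int):
    """Decode the variable-byte integer at buf[pos]; return (value, position after it)."""
    value, multiplier = 0, 1
    for i in range(4):                      # the spec allows at most four bytes
        if pos + i >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise MalformedPacket("remaining length uses more than four bytes")


def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 0) -> bytes:
    """Well-formed PUBLISH packet, used here only to construct sample traffic."""
    body = len(topic.encode()).to_bytes(2, "big") + topic.encode()
    if qos:
        body += packet_id.to_bytes(2, "big")
    body += payload
    return bytes([(PUBLISH << 4) | (qos << 1)]) + encode_remaining_length(len(body)) + body


def parse_publish(packet: bytes, max_packet_len: int = 1024, max_topic_len: int = 64) -> dict:
    """Parse one complete PUBLISH packet, refusing any length the data does not support.

    max_packet_len and max_topic_len stand in for the fixed-size buffers a constrained
    client allocates; copying on the declared length alone is the missing check.
    """
    if len(packet) < 2:
        raise MalformedPacket("shorter than the fixed header")
    if packet[0] >> 4 != PUBLISH:
        raise MalformedPacket("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    if qos == 3:
        raise MalformedPacket("QoS 3 is reserved")
    remaining, pos = decode_remaining_length(packet, 1)
    # Check 1: the declared remaining length must fit the receive buffer and match
    # the bytes actually present.
    if remaining > max_packet_len:
        raise MalformedPacket(f"remaining length {remaining} exceeds buffer of {max_packet_len}")
    if remaining != len(packet) - pos:
        raise MalformedPacket(f"remaining length {remaining} but {len(packet) - pos} bytes present")
    end = pos + remaining
    if remaining < 2 + (2 if qos else 0):
        raise MalformedPacket("no room for topic length and packet identifier")
    topic_len = int.from_bytes(packet[pos:pos + 2], "big")
    pos += 2
    # Check 2: topic (plus packet id for QoS > 0) must lie inside the remaining length.
    if topic_len + (2 if qos else 0) > end - pos:
        raise MalformedPacket(f"topic length {topic_len} runs past the end of the packet")
    # Check 3: the topic must also fit the client's fixed topic buffer.
    if topic_len > max_topic_len:
        raise MalformedPacket(f"topic length {topic_len} exceeds buffer of {max_topic_len}")
    topic = packet[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos:
        packet_id = int.from_bytes(packet[pos:pos + 2], "big")
        pos += 2
    return {"topic": topic, "qos": qos, "packet_id": packet_id, "payload": packet[pos:end]}


def tamper_topic_length(packet: bytes, declared: int) -> bytes:
    """Constructed hostile packet: identical bytes, but the topic length field claims `declared`."""
    _, pos = decode_remaining_length(packet, 1)
    return packet[:pos] + declared.to_bytes(2, "big") + packet[pos + 2:]


def rejects(packet: bytes) -> bool:
    """True if the hardened parser refuses the packet instead of trusting its length fields."""
    try:
        parse_publish(packet)
    except MalformedPacket:
        return True
    return False
```

A broker that relays packets unchanged is exactly the case where these client-side checks matter, so the same validation belongs on the broker's receive path as well.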

  9. Tomi Engdahl says:

    MQTT and CoAP: Security and Privacy Issues in IoT and IIoT Communication Protocols

    We looked into MQTT brokers and CoAP servers around the world to assess IoT protocol security. Learn how to prevent risks and secure machine-to-machine (M2M) communications over MQTT and CoAP in our research.

  10. Tomi Engdahl says:

    7 Non-Computer Hacks That Should Never Happen
    From paper to IoT, security researchers offer tips for protecting common attack surfaces that you’re probably overlooking.

  11. Tomi Engdahl says:

    The CoAP protocol is the next big thing for DDoS attacks
    CoAP DDoS attacks have already been detected in the wild, some clocking at 320Gbps.

    RFC 7252, also known as the Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attacks, security researchers have told ZDNet.

    CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce.

    In a very simplistic explanation, CoAP is very similar to HTTP, but instead of working on top of TCP packets, it works on top of UDP, a lighter data transfer format created as a TCP alternative.

    Just like HTTP is used to transport data and commands (GET, POST, CONNECT, etc.) between a client and a server,

    But just like any other UDP-based protocol, CoAP is inherently susceptible to IP address spoofing and packet amplification, the two major factors that enable the amplification of a DDoS attack.

    An attacker can send a small UDP packet to a CoAP client (an IoT device), and the client would respond with a much larger packet.

    The people who designed CoAP added security features to prevent these types of issues, but as Cloudflare pointed out in a blog post last year, if device makers implement these CoAP security features, the CoAP protocol isn’t so light anymore, negating all the benefits of a lightweight protocol.

    That’s why most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.

    TLS 1.3 is going to save us all, and other reasons why IoT is still insecure
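An added example (written for this page, not code from ZDNet, Cloudflare or any CoAP implementation) of the message format behind the amplification problem described above: a minimal RFC 7252 encoder/decoder with the format checks a server applies before doing any work, and a measurement of how many bytes a 21-byte resource-discovery request draws back from a NoSec server. The sample resource listing and message IDs are constructed.

```python
# CoAP (RFC 7252) constants used in this example
CON, NON, ACK, RST = 0, 1, 2, 3
GET = 0x01                 # request code 0.01
CONTENT = 0x45             # response code 2.05
URI_PATH = 11
CONTENT_FORMAT = 12
LINK_FORMAT = 40           # application/link-format
PAYLOAD_MARKER = 0xFF


class CoapError(ValueError):
    """Message format error: the datagram is dropped rather than answered."""

def _enc_field(v: int):
    """Encode an option delta or length as (4-bit nibble, extension bytes)."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    if v < 65805:
        return 14, (v - 269).to_bytes(2, "big")
    raise CoapError("option delta/length too large")

def _dec_field(nibble: int, data: bytes, pos: int):
    """Decode one delta/length nibble plus its extension bytes; return (value, new pos)."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(data):
            raise CoapError("truncated option extension")
        return data[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(data):
            raise CoapError("truncated option extension")
        return int.from_bytes(data[pos:pos + 2], "big") + 269, pos + 2
    raise CoapError("nibble 15 is reserved outside the payload marker")

def encode(msg_type, code, msg_id, token=b"", options=(), payload=b"") -> bytes:
    """Build a datagram. options: (number, value) pairs; deltas are relative to the previous number."""
    if len(token) > 8:
        raise CoapError("token longer than 8 bytes")
    out = bytearray([0x40 | (msg_type << 4) | len(token), code]) + msg_id.to_bytes(2, "big") + token
    prev = 0
    for number, value in sorted(options, key=lambda o: o[0]):   # stable: repeated Uri-Path keeps order
        d, d_ext = _enc_field(number - prev)
        l, l_ext = _enc_field(len(value))
        out += bytes([(d << 4) | l]) + d_ext + l_ext + value
        prev = number
    if payload:
        out += bytes([PAYLOAD_MARKER]) + payload
    return bytes(out)

def decode(data: bytes) -> dict:
    """Parse a datagram with the bounds checks a server must apply before acting on it."""
    if len(data) < 4:
        raise CoapError("shorter than the 4-byte header")
    if data[0] >> 6 != 1:
        raise CoapError("unsupported version")
    msg_type, tkl = (data[0] >> 4) & 0x3, data[0] & 0x0F
    if tkl > 8:
        raise CoapError("token length 9..15 is reserved")
    if 4 + tkl > len(data):
        raise CoapError("truncated token")
    token, pos = data[4:4 + tkl], 4 + tkl
    options, number = [], 0
    while pos < len(data) and data[pos] != PAYLOAD_MARKER:
        head, pos = data[pos], pos + 1
        delta, pos = _dec_field(head >> 4, data, pos)
        length, pos = _dec_field(head & 0x0F, data, pos)
        if pos + length > len(data):
            raise CoapError("option value runs past the end of the datagram")
        number += delta
        options.append((number, data[pos:pos + length]))
        pos += length
    payload = data[pos + 1:] if pos < len(data) else b""
    if pos < len(data) and not payload:
        raise CoapError("payload marker followed by no payload")
    return {"type": msg_type, "code": data[1], "id": int.from_bytes(data[2:4], "big"),
            "token": token, "options": options, "payload": payload}

# Constructed sample: the resource listing a NoSec server returns for GET /.well-known/core
SAMPLE_LINKS = ",".join(f'</dev/{i}/temp>;rt="temperature-c";if="sensor"' for i in range(20)).encode()

def amplification_demo() -> dict:
    """Bytes on the wire for one discovery request and the reply it draws, and their ratio."""
    request = encode(CON, GET, 0x1234, options=[(URI_PATH, b".well-known"), (URI_PATH, b"core")])
    response = encode(ACK, CONTENT, 0x1234,
                      options=[(CONTENT_FORMAT, bytes([LINK_FORMAT]))], payload=SAMPLE_LINKS)
    return {"request_bytes": len(request), "response_bytes": len(response),
            "factor": round(len(response) / len(request), 1)}

def is_rejected(data: bytes) -> bool:
    try:
        decode(data)
    except CoapError:
        return True
    return False
```

Because the request is UDP with no handshake, nothing in these 21 bytes proves the source address is genuine; the response-to-request byte ratio this computes is the quantity a monitoring rule for UDP/5683 traffic leaving a device fleet would track.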

  12. Tomi Engdahl says:

    Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS

    Recently, I saw a report about several bugs that were found in FreeRTOS. Curiosity got the best of me, and I started to take a look to see what can be done from the IPS side to protect our customers, because of the importance of IoT devices and the popularity of this operating system. (Since the initial report more details have been made available here, CVE-2018-16525.)

  13. Tomi Engdahl says:

    DARPA to brief industry on initiatives in trusted computing, secure chip use, semiconductor manufacturing

    U.S. military researchers will brief industry later this month on a new initiative to help develop secure integrated circuit technology for trusted computing applications, ranging from manufacturing to systems integration.

  14. Tomi Engdahl says:

    Dodging The Next Generation Of Car Thieves
    How a hardware Root of Trust can thwart attacks on ever more complex vehicles.

  15. Tomi Engdahl says:

    Five steps to successful threat modeling
    How to build a security plan and put it into action.

    The Internet of Things (IoT) is changing the way we interact with the world around us. Over the next few years, billions more connected devices will enable us to drive efficiency, boost productivity, and enhance comfort and convenience in our personal and professional lives. And we’re not the only ones to see the potential of this market.

    Simplifying security
    To meet the challenges of operating in this ever-changing and connected world, security can no longer be considered a separate component. It must be embedded in every element and process, starting with the product development phase. Arm’s Platform Security Architecture (PSA) framework simplifies this activity and makes it quicker and easier to build a secure device.

    Identifying the right level of security for your device
    To design-in security, Arm PSA recommends developers and manufacturers start by analyzing the operating environment and understanding and documenting the ways each device could be attacked. It is a process known as Threat Models and Security Analyses (TMSA), or an English Language Protection Profile, and it has been used in the mobile industry for some time but is rarely carried out in the IoT space.

    The TMSA will highlight critical issues you need to address and challenge you to consider important questions, such as:

    – What are your most valuable assets?
    – What are the potential threats to your device?
    – What type of attack do you need to protect against?
    – How severe are the threats?
    – What counter-measures could you implement?
    – What are your security requirements?
    – How does your device meet your security requirements?

    Who will benefit from Threat Models and Security Analyses (TMSA)?
    You can apply the methodology to any device, from simple, low-cost or even disposable applications, through to the most advanced edge and gateway devices.

    The TMSA documentation is intended to make threat modeling more accessible to all, so you can secure your device even if you do not have access to dedicated security knowledge or expertise.

    Step 1 checklist
    2. Identify potential adversaries, the attack surface and threats
    3. Identify high-level security objectives to address threats
    4. Define security requirements for each security objective
    5. Consolidate all information into a threats summary table

    Continuing the security journey
    The Threat Model and Security Analysis (TMSA) is just the first of three stages in Arm’s Platform Security Architecture (PSA).

    After you have completed your TMSA documentation and established your security requirements, the next step is to put them into action.

    Stage 2: Architect
    This stage of the PSA includes architecture specifications for firmware and hardware.

    Stage 3: Implement
    This gives you access to high quality reference code and documents.

  16. Tomi Engdahl says:

    Building Security into the Smart Home Devices with a Hardware Root of Trust
    Best practices for protecting personal assets from cyber criminals.

    Building security into the device
    One approach to IoT security is to build protection directly into the device. This provides a critical security layer, and the devices are no longer dependent on the Internet gateway or a home router as their primary protection. A security solution for smart home devices must ensure the device firmware has not been tampered with, be able to secure the data stored by the device, secure in and outbound communications, and it must detect and report attempted cyber-attacks. This only can be achieved by including security in the early stages of design.

    Trust in embedded security refers to an expectation of integrity that a smart home device is operating as designed. Software trusts that hardware is operating as it should be. Applications trust that the operating system is not corrupting files. Remote systems trust in the device’s identity to which it’s connected. This process of establishing trust is called authentication. A device’s root-of-trust is the point where authentication starts and then extends through each layer. For critical smart home applications, a hardware root of trust is an important building block to secure endpoints and services.

    Design for security from the ground up using Hardware-Enforced Root of Trust

  17. Tomi Engdahl says:

    Open-Source RISC-V Hardware And Security

    Experts at the Table, Part 1: The advantages and limitations of a new instruction set architecture.

    SE: Is open-source hardware more secure, or does it just open up vulnerabilities to a much wider audience of cyber criminals?

    Newell: We deal a lot with governments and defense customers. They have a tendency to believe everything should be secret. I take more of a middle ground view, which recognizes that complex systems are going to have bugs. In that case, secrecy can improve your security. But security systems can be protected by open source and improved. Any real security has to include simpler elements that protect the more complex systems.

    Handschuh: With open source, you have the opportunity to review it and come up with comments, feed it back to the community, and as a group you can advance maybe not faster but better. You have more hands. Everybody is available to give you constructive comments, and then you can work together to make it better. That means you start from something that is open and published, and then you evolve it together by adding things and creating white papers.

    Kiniry: Our government trends toward not having artifacts being public, but they definitely want to see everything. Openness helps with them as a client.

    SE: If you are updating open source that is public, that may be great. But when hackers find vulnerabilities, they don’t necessarily publish those. So now a lot more is exposed for everyone to see. Is that worse than proprietary instruction set architectures?

    Handschuh: By publishing the interfaces you get more people to look at it. Hiding things behind the scenes is worse because then you don’t know what’s going on.

    Newell: There are different ways to analyze this. Formal analysis is certainly a good way. A lot of eyes on it is another good way. We are going down a formal route. We have a formal committee that is providing a description of the ISA interface. And then you need to look at the microkernel. But as soon as you get to a rich OS like Linux, you’re never going to be able to solve the bugs. If you look at set-top boxes, a lot of those hacks happened because the software was reverse-engineered. There is a place for secrecy, at least as a road bump to slow down these guys.

    Kiniry: The struggle I see is at the intersection of policy and technology. With our current leadership, there is a tendency to hold vulnerabilities close to the vest. If the government finds problems, especially with hardware, we’re not guaranteed we will learn about them—even in the case of open systems. That’s problematic.

  18. Tomi Engdahl says:

    Synopsys’ Taylor Armerding warns that air gaps, a valuable barrier against cyberattacks, are disappearing from industrial control systems and considers what that means for the global shipping industry.

    Air gaps in ICS going, going … and so is security

    As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. What’s next?

  19. Tomi Engdahl says:

    “Ask the seller” – A new label tells you about security

    The situation may be eased by an information security label, created by Viestintävirasto’s Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre) and coming into use next year, which makes it easy for consumers to identify a device that is sufficiently secure.

    The label indicating information security will initially be available to selected pilot partners. “It is worth contacting Viestintävirasto right away if you are interested in participating in the IoT network or in adopting the label,” Viestintävirasto development manager Joonas Orkola says in a press release.

  20. Tomi Engdahl says:


  21. Tomi Engdahl says:

    New Year’s Resolution: Help Rescue Privacy from the Jaws of Big Tech

    Let us make the resolution today, as tech-minded and talented individuals, to work together to turn the tide against Big Tech

    If you’re like me, you’re both shocked and appalled at the rapid erosion of privacy. The recent revelation that Facebook gave corporate partners access to its users’ private messages is just another example of our privacy being violated. Although many of us have come to expect this from online platforms such as Facebook, we are still holding onto an expectation of privacy in our homes, cars, and perhaps even our offices and/or workplaces. However, it’s rather obvious that these spaces are also inside Big Tech’s crosshairs in their ongoing quest to take control and data-mine anything connected to the internet.

    Each new device that we buy with the intent to improve our lives comes equipped with sensors designed to collect and send data back to the cloud, where artificial intelligence (AI) is applied for the purpose of classifying and modeling. Although Big Tech assures us that our data is being gathered and employed only to improve services and target ads, deep down, many of us have a sneaking feeling that this data is being used for more nefarious purposes.

    Open-source to the rescue
    Repeat after me: “We resolve this year to participate and make our mark on at least one privacy-related open-source project. We will pursue projects that seek to disrupt, not strengthen, Big Tech’s grip on us. We will join the army of open-source developers that is ever-growing thanks to the worldwide, omnipresent training ground consisting of maker boards, web browsers, and powerful open-source software tools.”

    I don’t know about you, but I feel invigorated and empowered. There are many great open-source projects to consider and others that need to be started. You might also contemplate participating in standardization efforts, such as the Internet Engineering Task Force (IETF), to champion new protocols and methods (RFCs) for data visibility for the device owner. For example, all connected device owners should be entitled to view the data being sent to the cloud before it is encrypted. Even if TLS 1.3 was perfect, which it isn’t, encryption doesn’t protect data that you never intended to share from being analyzed on a cloud-based server to where it was delivered. There needs to be a standardized method to deploy an open, centralized proxy to view any data that applications and IoT devices are transmitting to the cloud.

  22. Tomi Engdahl says:

    Digital transformation needs a solid cybersecurity plan

    Companies looking to perform digital transformation need to tackle cybersecurity and they need everyone–not just IT–to take responsibility to make it work.

    Along those lines, Gorskie said he has met with plenty of his customers and they feel their security posture is better than average. But the reality is that may be more of a pipe dream than anything else.

    That is why he feels manufacturers should start off with a basic assessment of their site.

    There are seven key categories/vectors a user should look at:

    Network security
    Workstation hardening
    User account management
    Patch and security management
    Physical and perimeter security
    Security monitoring
    Data management

    Once that assessment comes out there should be a report looking at what issues should be addressed first and that is the beginning of the journey toward a more secure environment.

    “Most users will be ready to start immediately after doing an assessment,” Gorskie said.

    “Patching is the most important thing to do, and we don’t do it,” he said.

    Once the user is ready to start their cybersecurity journey, they need to move to create policies and procedures, Gorskie said.

    “It is not rocket science, it is something we do every day,” he said.

    Gorskie related creating security procedures to safety procedures.

    “If you don’t follow safety procedures, you will eventually be let go,” he said. “Security should be the same way. It is about doing the right thing and making sure you follow it.”

    While he said OT security is different than IT security, there needs to be a change in mindset on the plant floor. The reality is there are plenty of tasks IT people do on a daily basis, Gorskie said, but there are some things OT does.

  23. Tomi Engdahl says:

    What is device security about?

    1) Consumer devices are becoming more common – is security keeping up?

    2) The Internet of Things multiplies the attack surface

    3) All kinds of things can be embedded into devices

    4) Is the device what it claims to be?

  24. Tomi Engdahl says:

    Multicloud + IoT: Securing IoT Applications in Diverse, Distributed Environments

    IoT and Network Threats are Not One-dimensional

    It’s not just the consumer market driving the rapid proliferation of connected gadgets. The latest connected toys and appliances might be the most visible during the holiday season, but enterprises are also integrating Internet of Things (IoT) applications and devices into office spaces and day-to-day operations across industries. From drones to smart switches and HVAC systems, it’s clear IoT technology can offer businesses a competitive edge through increased convenience, connectivity and the massive amount of data generated by connected devices.

    Multicloud, meet IoT

    Following a trend across various areas of IT, organizations are now running IoT application workloads in diverse locations that create complex ecosystems for IT and security personnel to oversee. To be more specific:

    • Over half (51 percent) of survey respondents reported IoT application workloads run in private data or control centers, 36 percent maintain deployments at the network edge and the remainder (13 percent) run their workloads in a public cloud.

    • Twenty-six percent of respondents run their IoT application workloads on one cloud and 29 percent have workloads in two or more clouds, indicating that many IoT workloads are in a multicloud environment. Only 45 percent of respondents are not currently running IoT applications on any cloud.

    Part of the challenge of securing IoT applications and workloads is the inherent distributed complexity of these technologies. As enterprises prepare to scale IoT deployments, they need to be concurrently planning to address these complexity issues, especially with regards to security. While running these applications in public, private and on-premises environments is a natural next step that provides more flexibility, increased connectivity also exposes organizations to additional security vulnerabilities.

    Truly securing IoT workloads demands more than just securing a device or endpoint. Leverage IoT deployments as opportunities to provide a much-needed chance to review features and configurations with an eye to the future.

    Diverse risks

    From IoT malware proliferation across the organization to protecting privacy, the survey also found that the majority of enterprises are extremely concerned or very concerned about a wide range of IoT security challenges – and they should be. No enterprise wants to be hit with malware or an advanced cyberattack, but poorly implemented security creates vulnerabilities that hackers are only too happy to exploit.

    Understandably, 51 percent of survey respondents overwhelmingly reported their top IoT security challenge is hard-to-detect sophisticated IoT threats such as zero-day attacks. But it’s doubtful this comes as a surprise to anyone in the cybersecurity industry.

  25. Tomi Engdahl says:

    BlackBerry Offers Its Security Technology to IoT Device Makers

    BlackBerry on Monday announced that manufacturers of Internet of Things (IoT) devices can now use the company’s technology to improve the safety and security of their products.

    The Secure feature packs provide manufacturers a framework that should help them build safer and more secure products without the need to internally develop cybersecurity technology and expertise. Each device will be reviewed by the company’s cybersecurity experts to ensure that it complies with the requirements needed for it to become “BlackBerry Secure.”

    Available immediately, there are three types of BlackBerry Secure packages: Enablement Feature Pack, Foundations Feature Pack, and Enterprise Feature Pack.

    Consumers don’t trust connected devices

    The tech giant says the licensing of its BlackBerry Secure technology should address the lack of trust consumers have in connected devices. A survey conducted last month on behalf of BlackBerry – over 4,000 people from the US, UK and Canada participated – showed that roughly 80 percent of respondents did not trust their current devices in terms of data security and privacy.

    More than half of the consumers who took part in the survey said they would pay more for Internet-connected devices that offer better security.

  26. Tomi Engdahl says:

    ICS/IIoT taxonomy needed for cybersecurity

    There are many opinions and beliefs on what an industrial control system (ICS) is and what the Industrial Internet of Things (IIoT) comprises, which makes a common understanding crucial.

    ICS/IIoT taxonomy

    The taxonomy doesn’t need to be perfect or overly detailed; its purpose is to assist in effective communication.

    Here are some possible categories:

    Value–What would be the consequence if integrity or availability of the ICS/IIoT is compromised
    Architecture–Classic Purdue model, IoT, classic + cloud?
    Maturity of ICSsec program–Huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
    Sector/system type–This is the most obvious category. There are some sectors and systems that are homogenous while others, such as chemical manufacturing, have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, Sector 2 systems should deploy these security controls or have these threats.

    This is far from a complete list of possibilities.

    The bundling of more and more sectors and systems into ICS/IIoT term is helpful only in that it is increasing awareness and hopefully corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS.

  27. Tomi Engdahl says:

    IoT Merging Into Data-Driven Design

    Emphasis on processing at the edge adds confusion to the IoT model as the amount of data explodes.

    Back in 2013, when the IoT concept really began taking off, connectivity to the Internet was considered the ultimate goal because the biggest compute resources were still in the data center. Today, compute resources are becoming more distributed and processing is becoming more nuanced. In fact, almost all of the early major proponents of the IoT, such as Cisco, Arm, Samsung and Philips, have shifted their IoT focus to data management, processing, and security.

  28. Tomi Engdahl says:

    IoT Device Security Makes Slow Progress

    Experts at the Table: While attention is being paid to security in IoT devices, still more must be done.

  29. Tomi Engdahl says:

    Identifying IIoT risks and rewards
    Integrators provide a safe passage to smart factory technology

    Information technology implications

    What are the potential risks for small- to medium-sized companies? How do we minimize these risks? Before making the decision to jump in, it is important to consider your specific internet-based cloud storage needs and your technological infrastructure.

    Will cloud storage increase efficiency and effectiveness for my company?
    What process will minimize my risk of security threats?
    Do I have the resources to adapt and adopt the IIoT process?

    Is it worth the security risk?

    As with any online data storage, the potential for security breaches can be minimized and mitigated, but never fully nullified. This reality is among the first that any business must consider before making the decision to use an IIoT platform.

    A challenge of this network is that, traditionally, industrial automation systems have almost always been physically separated from business network systems, thereby making them secure from remote threats.

  31. Tomi Engdahl says:

    The Biggest Security Threats Facing Embedded Designers

    Software security alone is not enough to protect today’s networked devices and fielded systems. What is needed is a combination of software and hardware security.

    Embedded system designers face a number of threats to the applications that they develop for the IoT. One of the biggest threats comes from IoT subsystems that hackers can access, such as commercial networked HVAC systems, wireless base stations (e.g., small cells), implanted medical devices and their controllers, smart automobiles and the emerging networked transportation infrastructure, home and industrial-infrastructure network gateway systems, and remote industrial sensors.

    Factors that make IoT endpoints especially vulnerable to security threats include:

    • Networked: IoT endpoints may be remotely accessible from nearly anywhere in the world via the internet or other (e.g., phone) networks. Wireless connections, used in many IoT devices, are especially vulnerable.

    • Fielded: IoT devices are often physically accessible, as well as interconnected. This exposes them to additional hardware attacks that do not usually need to be considered for systems that may be networked but are physically protected by “guns, guards, and gates.”

    • Available: Samples are often easily available through purchase or theft that can be analyzed at the adversary’s leisure.

    Combining Hardware and Software to Secure the IoT

    Software security, alone, has proven relatively unsatisfactory in protecting networked devices against known and freshly discovered threats (so-called “zero day” vulnerabilities), and is totally inadequate for the additional threats posed to fielded systems. What is needed is a combination of software and hardware security. For example, today’s SoC FPGAs can be used to implement a hardware security scheme that complements the software and strengthens the system. Ideally, the hardware and software solution should combat three types of security: design security, hardware security, and data security.

    • Design security: This includes IP protection and ensuring that configuration bit streams and firmware are encrypted and protected. Designs need to incorporate a method to ensure that overbuilding or cloning of the design is not possible. Field updates to processor firmware or FPGA configurations need to be authenticated and the payload kept confidential.

    • Hardware security: Designers also need to certify that user-accessible devices are resistant to physical attacks. For example, differential power analysis (DPA) attacks can extract keys and other vital device information. System boot-up needs to be kept secure, not just from remote network-based attacks, but also where the adversary has physical access.

    • Data security: This element ensures that communications into and out of the system are authentic and secure, and sensitive data stored in the system cannot easily be extracted.

    Embedded-system program managers and development teams must design these types of protections into their products.

    Key methods for achieving this goal include:

    • Risk assessment
    • Protection planning
    • Attack scenario testing
    • Side-channel analysis and mitigation
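
The "design security" bullet above asks that field updates to firmware be authenticated and that cloned or rolled-back images be rejected. The following Go program is an added example written for this page, not code from the article or from any chip vendor; the `Update` envelope (version, image, Ed25519 signature over version||image) and the `Device` anti-rollback counter are constructed for illustration, and the sample images are made-up byte strings. It shows the two checks a fielded device should make before accepting an update: the signature must verify against the vendor key provisioned at manufacture, and the version must be strictly newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware-update envelope, constructed for this example:
// a monotonically increasing version, the image itself, and an Ed25519 signature
// over version||image made with the vendor's offline signing key.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// signedBytes is the exact byte string the vendor signs and the device checks.
// Binding the version into the signed data is what makes the rollback check
// trustworthy: an attacker cannot re-label an old image as a newer one.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4+len(image))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], image)
	return buf
}

// SignUpdate runs on the vendor side (release infrastructure, never on the device).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedBytes(version, image))}
}

// Device models the fielded endpoint: the vendor public key is provisioned at
// manufacture (in practice in OTP or secure storage), and CurrentVersion is the
// anti-rollback counter that must only ever move forward.
type Device struct {
	VendorPub      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware signature invalid: update rejected")
	ErrRollback     = errors.New("firmware version not newer than installed: update rejected")
)

// Apply accepts an update only if the signature verifies AND the version is
// strictly newer than what is installed; only then is the counter advanced.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, signedBytes(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= d.CurrentVersion {
		return ErrRollback
	}
	// A real bootloader would write the image to the inactive slot here and
	// commit the counter only after the new image has booted successfully.
	d.CurrentVersion = u.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, CurrentVersion: 1}

	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2: ", dev.Apply(good))

	tampered := good // same signature, modified image
	tampered.Image = []byte("constructed firmware image v2 + backdoor")
	fmt.Println("tampered v2:", dev.Apply(tampered))

	fmt.Println("replayed v2:", dev.Apply(SignUpdate(priv, 2, []byte("constructed firmware image v2"))))
}
```

Confidentiality of the payload (the other half of that bullet) is a separate layer: the image would be encrypted under a device-class or per-device key before signing, and the order of operations (verify the signature first, decrypt second) matters so that the device never spends cycles decrypting unauthenticated data.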

  32. Tomi Engdahl says:

    Q&A: S2’s Impact on Z-Wave and IoT Security

    Z-Wave Alliance Executive Director Mitchell Klein discusses the S2 framework and what it means for the future of Z-Wave devices and beyond.

    On November 17, the Z-Wave Alliance, an open consortium of leading global companies deploying the Z-Wave (see “What’s The Difference Between ZigBee And Z-Wave?”) smart-home standard, announced a new security mandate for devices receiving Z-Wave Certification after April 2, 2017. The security measures in the new framework, known as S2, provide the most advanced security for smart-home devices and controllers, gateways, and hubs in the market today.

    Wong: Will S2 be backwards-compatible in other devices or updatable OTA?

    Klein: Security will no longer be optional for Z-Wave manufacturers to deploy; therefore, through an easy update, all gateways with 500 series chips and all devices that allow over-the-air (OTA) upgrades are able to add S2 to existing devices. Z-Wave devices also include signal jam detection and the tunneling of all Z-Wave over IP (Z/IP) traffic to eliminate any cloud vulnerability.

  33. Tomi Engdahl says:

    Security Essentials for the Internet of Things

    As Ethernet’s role grows in the Internet of Things, recent technology advances in IEEE 802.1AE MACsec and IEEE 802.1x KeySec will help provide a much-needed layer of network security

    It’s clear we live in a world where connections are flourishing between people, “things,” and the Internet. This megatrend continues despite the almost daily news headlines about cyberattacks and ways to boost our online defenses.

    Any of the 75 billion devices that Morgan Stanley forecasts will connect to the Internet of Things (IoT) by 2020 will also theoretically be hackable, as is true for anything with an IP address.

    Ethernet especially suitable in various Industrial IoT (IIoT) settings

    IoT communications, like any other network, will require strong protection against malicious intrusions, including pervasive monitoring, wiretapping, MAC address spoofing, man-in-the-middle attacks, and denial-of-service (DOS) attacks. Of the tens of billions of IoT-connected devices already in use today, few find themselves in physically secure locations. For better or worse, this is a natural consequence of mobility. Yet these same devices are often used to transmit confidential data.

    Fortunately, Ethernet security standards already exist. Let’s take a closer look at what’s available.

    As the IIoT standardizes on Ethernet for networked communications, L2 encryption becomes an ideal solution. The reason is simple—there’s a direct relationship between the OSI layer at which security is implemented and the security solution’s strength. Securing at a lower layer means more robust protection.

    Still, encryption is just one aspect of security, only covering data confidentiality. It does not, for example, prevent unauthorized access on a trusted network by a hacker spoofing a “trusted” device. To prevent such intrusions, it’s imperative to authenticate, authorize, and account (AAA) for devices and networks, as well as applications. This is arguably even more essential than application-layer security.

    While AAA is commonplace for the applications layer, these principles are less uniformly enforced for the network and device/link layer. The latter may be especially vulnerable, since rogue devices could be swapped with network elements outside of physically secured areas and gain access to an entire network. Without securing the network and device/link layer, application-level security is largely in vain.

    The other critical piece to Ethernet security is the IEEE 802.1x KeySec protocol. When used with a Remote Authentication Dial-In User Service (RADIUS) authentication server, KeySec can deliver the AAA capabilities needed to secure Ethernet communications.

    Through a combination of IEEE 802.1AE and IEEE 802.1X, Ethernet can readily handle numerous security requirements, such as:

    • AAA: This establishes the origin of any secure data transmitted in the network (using IEEE 802.1x and a RADIUS authentication server).

    • Data integrity: The MACsec Integrity Check Value Field (ICV) safeguards against data replacement, modification, or delay beyond specific bounds. The ICV reflects changes when an Ethernet payload is tampered with—if it fails to match what was sent, the traffic is dropped.

    • Data confidentiality: Using IEEE 802.1AE MACsec AES encryption (128- or 256-bit) ensures that only intended parties can read secured data.
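
The "data integrity" and "data confidentiality" bullets above describe what a MACsec receiver does with the ICV: if it does not match, the frame is dropped. The Go program below is an added example written for this page, not code from the article or from any IEEE 802.1AE implementation. It builds a simplified MACsec frame (destination and source MAC, a SecTAG with EtherType 0x88E5, TCI/AN, SL, packet number and SCI, then the encrypted payload and a 16-byte ICV) using GCM-AES-128 from the Go standard library: the MACs and SecTAG are authenticated as associated data, the payload is encrypted, and the GCM tag serves as the ICV. The key, SCI and MAC addresses are constructed values; the replay window is simplified to "packet number must be strictly increasing", and SL is left at zero rather than computed for short payloads.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout used here (a constructed, simplified MACsec frame with SCI present):
//   dst MAC(6) | src MAC(6) | SecTAG: EtherType 0x88E5(2), TCI/AN(1), SL(1), PN(4), SCI(8) | secure data | ICV(16)
const (
	etherTypeMACsec = 0x88E5
	hdrLen          = 12 + 2 + 1 + 1 + 4 + 8 // MACs plus SecTAG, all authenticated as AAD
	icvLen          = 16                     // GCM tag
)

var (
	ErrMalformed = errors.New("not a well-formed MACsec frame: dropped")
	ErrICV       = errors.New("ICV check failed: dropped")
	ErrReplay    = errors.New("packet number already seen: dropped")
)

// SecureChannel is one GCM-AES-128 secure association; nextPN is used when
// sending, lastPN when receiving (replay window of 0, a simplification).
type SecureChannel struct {
	aead   cipher.AEAD
	sci    [8]byte
	nextPN uint32
	lastPN uint32
}

func NewSecureChannel(key []byte, sci [8]byte) (*SecureChannel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureChannel{aead: aead, sci: sci, nextPN: 1}, nil
}

// nonce is the MACsec GCM IV: SCI || PN. The PN never repeats under one key, so neither does the IV.
func (sc *SecureChannel) nonce(pn []byte) []byte {
	return append(append([]byte{}, sc.sci[:]...), pn...)
}

// Protect authenticates MACs + SecTAG as associated data, encrypts the payload,
// and appends the GCM tag as the ICV.
func (sc *SecureChannel) Protect(dst, src [6]byte, payload []byte) ([]byte, error) {
	if sc.nextPN == 0 {
		return nil, errors.New("packet number exhausted: rekey required")
	}
	hdr := make([]byte, hdrLen)
	copy(hdr[0:6], dst[:])
	copy(hdr[6:12], src[:])
	binary.BigEndian.PutUint16(hdr[12:14], etherTypeMACsec)
	hdr[14] = 0x2C // TCI: SC=1 (SCI present), E=1 and C=1 (encrypted), AN=0
	// hdr[15] (SL) stays 0 here; a real stack sets it for payloads under 48 octets.
	binary.BigEndian.PutUint32(hdr[16:20], sc.nextPN)
	copy(hdr[20:28], sc.sci[:])
	sc.nextPN++
	return sc.aead.Seal(append([]byte{}, hdr...), sc.nonce(hdr[16:20]), payload, hdr), nil
}

// Unprotect drops anything malformed, replayed, or failing the ICV. The replay
// window only advances after a successful ICV check, so forged frames cannot move it.
func (sc *SecureChannel) Unprotect(frame []byte) (dst, src [6]byte, payload []byte, err error) {
	if len(frame) < hdrLen+icvLen || binary.BigEndian.Uint16(frame[12:14]) != etherTypeMACsec {
		return dst, src, nil, ErrMalformed
	}
	hdr := frame[:hdrLen]
	pn := binary.BigEndian.Uint32(hdr[16:20])
	if pn <= sc.lastPN {
		return dst, src, nil, ErrReplay
	}
	if payload, err = sc.aead.Open(nil, sc.nonce(hdr[16:20]), frame[hdrLen:], hdr); err != nil {
		return dst, src, nil, ErrICV
	}
	sc.lastPN = pn
	copy(dst[:], hdr[0:6])
	copy(src[:], hdr[6:12])
	return dst, src, payload, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit SAK; real SAKs come from MKA (802.1X)
	tx, _ := NewSecureChannel(key, [8]byte{2, 0, 0, 0, 0, 1, 0, 1})
	rx, _ := NewSecureChannel(key, [8]byte{2, 0, 0, 0, 0, 1, 0, 1})
	frame, _ := tx.Protect([6]byte{2, 0, 0, 0, 0, 2}, [6]byte{2, 0, 0, 0, 0, 1}, []byte("sensor 7: 21.5C"))
	frame[hdrLen] ^= 0x01 // flip one bit of the secure data in transit
	_, _, _, err := rx.Unprotect(frame)
	fmt.Println("tampered frame:", err)
}
```

The ordering inside `Unprotect` is the point worth noting: the packet-number check rejects replays before any cryptography runs, and the ICV failure path never touches receiver state, so an attacker cannot advance the window with junk frames. Key agreement (the SAK distribution that IEEE 802.1X MKA performs after RADIUS authentication) is out of scope for this block.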

  34. Tomi Engdahl says:

    Newsmaker Interview: Bruce Schneier on Physical Cyber Threats

    Bruce Schneier discusses the clash between critical infrastructure and cyber threats.

    Attacks on physical devices and infrastructure offer a new target for cyber crime, a new opportunity for espionage and even a new front in cyber war.

    Rather than exploit computers and their applications, the Internet of Things allows malicious actors to go after a whole new category of devices, from children’s toys to nuclear power equipment.

    This is the context for the latest book by cryptographer and cyber security expert Bruce Schneier. In “Click Here to Kill Everybody,” Schneier paints a bleak picture of a world unprepared for the risks attached to the “Internet+” (a term coined to describe the application of the internet to conventional industries) and the clash between physical and cyber threats.

    Threatpost caught up with Schneier, and asked him about his vision to limit the damage.

    Threatpost: What prompted you to write “Click Here to Kill Everybody?”

    Schneier: That title, alarmist as it might sound, invokes the notion of computers that can affect the physical world. That is something relatively new, but increasingly important. [The book] is about what citizens and society can do about the increased risks from physically capable, and dangerous, computing devices.

    TP: How big a departure is the Internet+ or Internet of Things, from the risks we’ve faced through conventional computing and the internet?

    Schneier: There’s no difference and there is a lot of difference.

    We can talk about vulnerabilities in software, about worms and viruses. The difference really is what the computers are doing. We are moving to a world where computers are in things, in cars, in medical devices, in appliances, in toys, in power plants.

    It’s what the computers are attached to, and what they can do.

    TP: It’s still relatively early days for the IoT and connected devices. Where are we on the threat curve – how many attacks have we seen?

    Schneier: We see attacks all the time. Just recently, we had a major attack on Marriott Hotels. These things happen every week, every day. Attacks against cars have been largely in the lab and in demonstrations…but we’ve seen ransomware against thermostats, refrigerators sending spam.

    Have we seen a death by this? Not that’s documented. Possibly if you dig down through some of the effects of the hospital DDoS and ransomware attacks you might find some. But we have not seen murder through disabling the brakes in a car. We haven’t seen massive property damage through disabling thermostats in the middle of winter. Those are still to come.

  35. Tomi Engdahl says:

    Cybersecurity Is the Key to Unlocking Demand in the Internet of Things

    Enterprise customers would buy more IoT devices if vendors could ensure better security.

    At a Glance

    Enterprise customers are limiting their investment in IoT devices because they have concerns about security risks.
    Executives say they would buy more devices and pay more for them if manufacturers could provide better security.
    Investing to improve security could grow the IoT cybersecurity market by $9 billion to $11 billion.

  36. Tomi Engdahl says:

    Researchers Create PoC Malware for Hacking Smart Buildings

    Researchers at IoT security company ForeScout have created a piece of malware to demonstrate how malicious actors could remotely hack into smart buildings.

    Smart buildings have become increasingly common. They rely on building automation systems – including sensors, controllers and actuators – to control heating, ventilation, air conditioning, lighting, surveillance, elevators, and access.

    The automation systems that power smart buildings are similar to industrial control systems (ICS), but ForeScout warns that their security should be handled differently given that building automation systems are much more open and interconnected compared to ICS. Furthermore, when it comes to the threats targeting these systems, the final payload is much easier to deliver in the case of building systems as the physical processes involved are less complicated.

  37. Tomi Engdahl says:

    As IoT Grows, Confidence in Security Remains Low

    Despite the growth in use and the need for security in the use of embedded devices (IoT), almost half of all businesses are unable to detect a breach in any of their devices. The situation is worse in the UK (it rises from 48% overall to almost 60%), even though the UK government introduced a code of practice for manufacturers and developers last year.

    The figures come from a Gemalto survey of 950 IT and business decision makers globally. Spending on securing IoT is growing (from 11% of IoT budget in 2017 to 13% now); and security awareness is high (90% believe it is a major consideration). Belief that IoT security is an ethical responsibility has grown from 4% a year ago to 14% now. But confidence in breach detection remains low.

    Consumers are not impressed. Sixty-two percent believe that security must improve. Fifty-four percent fear a loss of privacy through connected devices, 51% are worried about hackers taking control over the devices, and 50% are worried about a lack of control over their personal data.

  38. Tomi Engdahl says:

    Why it’s So Hard to Implement IoT Security

    Harmonizing Security Across IoT Infrastructures that are Connected to Both Brownfield and Greenfield Systems is Easier Said Than Done

    The Internet of Things (IoT) is integrating the physical world and computer-based systems more and more through a vast network of electronics, software, sensors, actuators and connectivity. According to Statista, the IoT juggernaut is growing nearly 20-percent annually and on track to hit $8.9 trillion by 2020. All the while, a quarter of all IoT remains devoted to industrial settings — the Industrial Internet of Things (IIoT).

    Unfortunately, as the new opportunities for innovation, efficiency and convenience multiply, so do the IoT-related vulnerabilities and attack surfaces for malicious actors to exploit. And because cyber attacks take advantage of the weakest link in a chain, organizations can’t just pick and choose which IoT vulnerabilities to address — they have to deal with them all, in real-time.

    The reality is: IoT security is a tough challenge — involving everything from hard to implement standards; hard to reach industrial components; and hard choices on how to integrate security seamlessly around both older “brownfield” and newer “greenfield” IoT systems and equipment.

    Lots of Guidance, but Not Enough of it is Practical

    IoT and IIoT security challenges range from insecure web and mobile interfaces and network services, to poor encryption, authentication and physical security. Especially in industrial settings, organizations are realizing they must address the entire IoT ecosystem, including: operational technology (OT) running on factory floors; new devices connected to IIoT cloud platforms; IT systems that link to business systems; new devices and sensors, and everything in between.

    Groups like the National Institute of Standards and Technology (NIST) and International Society of Automation (ISA) have tried to help by issuing IoT and IIoT cybersecurity standards — but such guidelines are complex, difficult to understand and hard to implement because they often lack clear implementation recommendations. Equipment manufacturers and integrators are left to determine how to achieve the appropriate safety, reliability, resilience and privacy for the requisite security levels for their devices. Oftentimes, this means that standards are not put into real-world practice because the perception is that they are too complex.

    The Trusted Computing Group’s TPM 2.0 standards, for instance, give guidance for embedding a unique secret key into microchips and firmware to help prove the identity of IoT devices, but the technical documentation runs more than 3,000 pages.

    The Industrial IoT is Especially Mission Critical — and Even Harder to Secure

    Keep in mind that, for refineries and some other complex industrial operations, emergency shutdowns can take a year or more to recover from. This means lost revenue, damaged reputations and even the possibility of bankruptcy.

    Unfortunately, IIoT security is especially hard to implement. Many industrial components were built long ago and designed to run continuously. This makes it tough to retrofit systems for security; some industrial control systems have been in place for decades, with maintenance windows as fleeting as four hours every year.

    The Right Approach to IoT Security

    Enterprises are increasingly realizing that, to protect the organization and maintain operations, they must implement security across the entire IoT ecosystem — and especially in industrial settings.

    A top challenge is to overlay security onto “brownfield” problem spaces involving older equipment and legacy systems. At the same time, it’s critical for manufacturers to bake in security from the beginning for new “greenfield” devices that are being developed.

    Harmonizing security across IoT infrastructures that are connected to both brownfield and greenfield systems is easier said than done. On the brownfield side, some systems simply can’t be upgraded — meaning your only choice is to replace the system or find a way to place a secure gateway in front of it. Other brownfield elements may be incrementally upgraded with stronger authentication, more encryption or better web, mobile or physical security. On the greenfield side, security should be incorporated into the design of all the devices and components as early as possible in their development and production cycles.

    Finally, developers should understand that even if a brand new system is stamped secure from the factory, its operational capacity could still be compromised if it’s going into an environment that doesn’t have security across the board.

    Implementing Better IoT Security in Your Own Organization

    By now, it should be clear that there’s no one-size-fits-all solution that someone can simply buy and turn on with the flip of a switch. Instead, IoT security is something that must be implemented with the right strategies and industry partnerships tailored to your organization and its vulnerabilities.

  39. Tomi Engdahl says:

    MQTT’s role as an IoT message transport

    Messaging queuing telemetry transport’s (MQTT) role as an Internet of Things (IoT) message transport derives from its simple design, when it began as an industrial communicator for a pipeline supervisory control and data acquisition (SCADA) system.

    Messaging queuing telemetry transport (MQTT) has emerged as one of the dominant IoT message transports across multiple industries in the last five years. Considering that most cloud services provide native MQTT capabilities, more device manufacturers, software, and services are implementing MQTT-based products.

    Adoption of MQTT by Facebook, cloud service providers, and many others in the information technology (IT) space might lead one to think that MQTT was invented targeting IT solutions, but the genesis of MQTT was driven by an industrial communication problem.

    According to a survey by the Eclipse Foundation, messaging queuing telemetry transport (MQTT) is the most-used messaging protocol for an IoT solution.

    The original design goals of MQTT were that it would be simple, efficient, stateful, and open.

    Simple. When MQTT first was being developed, the hardware platforms available on the market for remote edge computing were minimal; 8-bit microprocessors with 64 KB of memory were the norm. MQTT had to be simple to implement with minimal computing resources. Even in 2018, Arduino microcontrollers can provide complete MQTT communication stacks.

    Efficient. Early VSAT system providers charged for every byte of information sent and received. The MQTT transport had to provide minimal overhead on the network. Once an MQTT session is established, there is only a 2-byte overhead in messages being published.

    Stateful. If a user is providing infrastructure for mission critical, real-time infrastructure then the “state” of the MQTT TCP/IP connection is critical. MQTT provides a mechanism called “continuous session awareness” that informs all clients that care about the real-time state information of the MQTT connections.

    Open. In the late 1990s SCADA/DCS/Telemetry products were based mainly on proprietary legacy Poll/Response protocols. For MQTT to be useful to the industry as a whole it was understood that when it was released, it needed to be an open specification that anyone could implement for free.

    Even with those criteria, it would be easy to assume a few important aspects are left out, including:

    Security. A lot of people note the MQTT specification does not define any security. This is because the MQTT specification is based on top of TCP/IP. It always was envisaged that the latest TCP/IP security practices would be applicable to an MQTT infrastructure. This ranges from private networks where security isn’t even required, to full transport layer security (TLS) certificates being used for connections. Since MQTT is a remote-originated connection, edge devices and clients don’t even have to have any TCP/IP ports open, which is a huge reduction in the overall cybersecurity footprint.

    Payload data format. MQTT is data agnostic when it comes to the information contained in an MQTT payload. It can be a binary message from a programmable logic controller (PLC), a JPEG image, an extensible markup language (XML) document or a JavaScript object notation (JSON) string. MQTT leaves the encoding and interpretation of the payload to the software provider.

    The Sparkplug specification was developed to help define how best to get started using MQTT in a mission-critical, real-time application. The Sparkplug specification defines:

    A well-known MQTT topic namespace so publishers and subscribers of information can know the topic namespace in advance for interoperability.
    A binary payload optimized for industrial process variables. The Sparkplug specification acknowledges that industrial infrastructures don’t have unlimited bandwidth and must work well over VSAT, radio, and cellular infrastructures.
    How the “state” management in MQTT works and how to effectively use it in SCADA, distributed control system (DCS), and industrial control system (ICS) solutions to know the state of all MQTT clients in real time.
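
The "Simple" and "Efficient" design goals above come down to the MQTT fixed header: a control byte plus a variable-length "remaining length" field, which is the 2-byte overhead the post mentions for small PUBLISH messages. The Go program below is an added example written for this page, not code from the article, from the MQTT specification's authors, or from any broker or client library. It encodes and decodes an MQTT 3.1.1 QoS 0 PUBLISH packet from scratch and, on the decode side, checks every length field against the bytes actually present, which is the part that matters when an 8-bit edge device parses packets from a network it does not control. The topic and payload are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Publish is the decoded form of an MQTT 3.1.1 QoS 0 PUBLISH packet (QoS 1/2 add a
// 2-byte packet identifier after the topic, which this example does not handle).
type Publish struct {
	Topic   string
	Payload []byte
}

var (
	ErrShort      = errors.New("packet truncated")
	ErrNotPublish = errors.New("not a QoS 0 PUBLISH packet")
	ErrRemLen     = errors.New("malformed remaining length")
	ErrTopic      = errors.New("invalid PUBLISH topic")
)

// encodeRemainingLength: 7 data bits per byte, high bit set on all but the last byte.
func encodeRemainingLength(n int) (out []byte) {
	for {
		b := byte(n % 128)
		if n /= 128; n > 0 {
			b |= 0x80
		}
		if out = append(out, b); n == 0 {
			return out
		}
	}
}

// decodeRemainingLength is bounded at the 4 bytes the spec allows, so a peer
// sending endless continuation bytes gets an error instead of a runaway loop.
func decodeRemainingLength(buf []byte) (value, used int, err error) {
	for i, mult := 0, 1; i < 4; i, mult = i+1, mult*128 {
		if i >= len(buf) {
			return 0, 0, ErrShort
		}
		value += int(buf[i]&0x7F) * mult
		if buf[i]&0x80 == 0 {
			return value, i + 1, nil
		}
	}
	return 0, 0, ErrRemLen
}

// validTopic rejects empty/oversized topics, NUL, and the subscription-only wildcards + and #.
func validTopic(t string) bool {
	return t != "" && len(t) <= 65535 && !strings.ContainsAny(t, "+#\x00")
}

// Encode serialises a PUBLISH; for packets under 128 bytes the fixed header is exactly 2 bytes.
func Encode(p Publish) ([]byte, error) {
	if !validTopic(p.Topic) {
		return nil, ErrTopic
	}
	body := append([]byte{byte(len(p.Topic) >> 8), byte(len(p.Topic))}, p.Topic...)
	body = append(body, p.Payload...)
	out := append([]byte{0x30}, encodeRemainingLength(len(body))...)
	return append(out, body...), nil
}

// Decode parses exactly one PUBLISH, checking every length field against the bytes
// actually present before indexing, so hostile input yields an error, never a panic.
func Decode(buf []byte) (Publish, error) {
	var p Publish
	if len(buf) < 2 || buf[0]&0xF6 != 0x30 { // mask keeps type and QoS bits, ignores DUP/RETAIN
		return p, ErrNotPublish
	}
	rem, used, err := decodeRemainingLength(buf[1:])
	if err != nil {
		return p, err
	}
	body := buf[1+used:]
	if len(body) != rem || rem < 2 {
		return p, ErrShort
	}
	tl := int(body[0])<<8 | int(body[1])
	if len(body) < 2+tl {
		return p, ErrShort
	}
	if p.Topic = string(body[2 : 2+tl]); !validTopic(p.Topic) {
		return p, ErrTopic
	}
	p.Payload = append([]byte{}, body[2+tl:]...)
	return p, nil
}

func main() {
	raw, _ := Encode(Publish{Topic: "plant/line1/temp", Payload: []byte("21.5")})
	fmt.Printf("%d bytes on the wire, 2 of them fixed header: % x\n", len(raw), raw)
	_, err := Decode([]byte{0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF})
	fmt.Println("five continuation bytes:", err)
}
```

Note that the 2-byte figure is the fixed header only; the topic string and its 2-byte length prefix travel with every PUBLISH as well, which is why Sparkplug's fixed, short topic namespace matters on metered VSAT or cellular links. The topic validation also reflects a broker-side rule: `+` and `#` are legal in subscriptions but a PUBLISH carrying them is malformed and should close the connection.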

  40. Tomi Engdahl says:

    ‘We Want IoT Security Regulation,’ Say 95% of IT Decision-Makers

    New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.

    IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn’t actually want it.

    Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)

  41. Tomi Engdahl says:

    Data Protection Laws Will Change How Electronics Systems are Designed

    The advent of 5G cellular service is upon us (see “The 5G Future Begins Now!”). This is great news for the chip and electronic system industries and — possibly — outstanding news for the digital security industry.

    I pointed out that weaknesses in data security exist in the technologies that are purchased by media and retail companies. Even if those companies do everything in their power to protect customer data, a hacker can access that data through the equipment anyway. I asked how long he thought it would be before the EU went after the equipment providers for data breaches or if their customers would seek financial relief from them if they were fined. His face went white for a few seconds and then red. “I think this interview is over,” he said, and then he walked away.

    Here’s the revelation that he had: In the EU, the fine for violating the GDPR is €20 million, or 4% of a company’s annual global revenue, whichever is greater. Read that again just to let it sink in. Let’s say that Apple had a breach in their devices that was exploited by a group of hackers working for the Chinese government, giving access to the data of a couple of thousand customers in Europe. The fine for that is more than €2 billion.

    Could that happen? Well, before the GDPR went into effect, researchers discovered the Meltdown/Spectre hole in every commercial processor on the market, including all Apple products. As I wrote several times last year (see my “The Illusion of Security” columns), the hole was quickly patched at a significant cost to device performance.

    Apple and the rest of the device world is safe from the GDPR at the moment. This is because no one is thinking about applying it to devices and also because the EU regulation is an “opt-in” service. Users have to choose to have the protection, and the patch protects the device world from liability. The patches, however, can be turned off voluntarily, which constitutes a decision to opt out of the protection. This will protect them with the CCPA in 2020 because that law is opt-out, and turning off the patches could constitute a decision to opt out.

    The problem comes in when tech support doesn’t tell users that bypassing the patch to regain performance will eliminate their protection. Guess what? They don’t. That will have to change because when the CCPA goes into effect, the financial penalties could kill a company.

    The handwriting is on the wall about what data breaches will cost in the next decade, and it’s time for the hardware industry to get very serious about dealing with this issue.

  43. Tomi Engdahl says:

    Six Steps to Segmentation in a Perimeterless World

    Setting Objectives and Having a Clear Roadmap is the Best Path to a Successful Network Segmentation Journey

    1. Define Objectives.
    2. Identify, Classify and Prioritize Assets.
    3. Gain Visibility to Support and Augment the Strategy.

    You’ve now done the critical work to develop a segmentation strategy that matches your needs.

  44. Tomi Engdahl says:

    Security in an IoT World: Your Big Data Problem is Getting Bigger

    It’s that time of year for prediction articles and the number has become almost overwhelming. This year, one of the trending topics I’ve noticed is the growth in Internet of Things (IoT) and connected devices and an expected surge in cyber risks. Technology vendors, industry analysts and government experts are all pointing to the need for IoT security. But is this really a prediction, or simply a case of history repeating itself? The attack surface is growing yet again – granted at a drastically higher volume with many more devices – and new threats are emerging to take advantage of these additional vectors. Sounds like a pretty familiar scenario to me.

    Gartner projects that to address these risks, we’ll spend $1.93 billion on IoT security in 2019. Ruggero Contu, research director at Gartner commented that “coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider’s alliances with partners or the core system that the devices are enhancing or replacing.” The report goes on to say that the absence of “security by design” along with a lack of prioritization and implementation of security best practices and tools is hampering IoT security uptake.

    Once again, history is repeating itself: Until protection catches up, threat actors will remain ahead of defenders which puts organizations in detection and response mode. To take the right actions quickly to mitigate damage, security operators need a deep understanding of what is happening in their environment and where to focus attention. But as I discussed in my previous article, we have significant room for improvement when it comes to our containment efforts.

