The fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advancements and becoming a part of everyday lives and business.
These emerging technologies all create a lot of data, data that needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attacks. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states out there that are not above stealing this kind of IP, which raises the stakes as many of the world’s electronic components come from those states, adding extra pressure to manufacturers to keep devices secure.
This creates two situations in which data that is highly valuable to criminals calls for extra care: securing the data itself and the devices that produce and transmit it, and protecting the intellectual property that makes those devices work. In both situations, data in transit and data at rest require heightened security through stronger encryption and IoT security, as well as high-assurance data protection environments to secure the data when it is not in use.
IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.
It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.
To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considered not just those that affect IoT devices but also those that affect the IoT environment as a whole, and developed products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose, not with security at the forefront. They often have limited memory and computing power, which means they can’t be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, the device may have strong embedded encryption, or it may have a USB port. The administrative password might be “password,” providing an open invitation for misuse and abuse.
Finally, it should be noted that it is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb and a sound approach for enterprises is to always adopt an evolving security posture.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
“IoT security” has long been a hot topic, with many articles and conferences insisting that the biggest single obstacle to growth in this industry is the lack of a comprehensive solution to secure IoT devices and ecosystems. But in many ways, the challenge of IoT security is not a new one, and there are clear parallels between IoT security and other industries that have needed to secure their critical assets and business models. Understanding the technical and commercial structure of these approaches provides excellent guidance for IoT device manufacturers on how to address their security needs as well.
The focus of this article is on the global pay television market. Like many industries leveraging the Internet of Things, pay-TV involves high-value business models (more than US$200 billion in annual revenues), vulnerable edge devices subject to attack (set-top boxes), and a quickly evolving threat landscape that requires an active and dynamic approach to security.
A Short History of Pay-TV Security
From the very beginning of digital pay TV’s launch in the 1990s, service providers turned to a small group of specialized Conditional Access System (CAS) companies whose expertise was in securing the pay-TV business model against piracy using smart card-based solutions that they either developed themselves in-house or customized based on available industry chips. Smart cards were the technology of choice for pay TV because they provided a hardware-based root of trust, securely storing the keys necessary to decrypt access to pay-TV services. Smart cards also allowed service providers to implement and manage a single security solution across a variety of different set-top box vendors and devices, as well as offering the advantage of being replaceable, enabling service providers to “swap” cards in case of security issues.
By defining this “intermediary” role for CAS vendors in between the device manufacturers and the pay-TV operators who used those devices, it not only allowed each party to focus on their core strengths and business activities, but it also created a clear definition of who was responsible for the security lifecycle management of pay-TV services. And considering the average life of a set-top is almost 10 years and that CAS systems are under constant attack, that role is a critical one in order to create a sustainable pay-TV business model.
This is very important to consider when we think about IoT device security. The question of “who is responsible for what” is one that needs to be unequivocal. In the world of pay TV, this was a byproduct of the fact that the companies providing CAS technologies were effectively different companies than those providing the devices themselves. Therefore, security responsibilities were clearly defined, and when breaches occurred (as they inevitably did), pay-TV operators knew exactly to whom they could turn for support. As a result, this successful model still remains dominant today in broadcast pay television, and the technology provided by CAS vendors has continued to evolve over time to fend off wave after wave of pirate attacks.
Becoming a Trusted, Strategic Security Partner
As CAS vendors became the trusted security experts in pay TV, operators also began to ask for their help with the end-to-end definition of their security architectures and choice of other technologies, like chipsets and set-top boxes. In fact, CAS vendors ultimately took responsibility for certifying the end-to-end implementation of pay-TV security, with the other parties in the chain required to submit their technologies for evaluation and approval. As the industry evolved further and new video distribution methods (namely the internet) and devices (like PCs, tablets and smartphones) became popular, CAS vendors were called on to adapt their security technologies to this environment as well. This role in helping design security into new devices, adapting it to new networks and evolving it over time is critical to IoT as well.
In addition, as pirates started to leverage the internet to distribute content illegally in new ways, CAS vendors were called on to provide managed anti-piracy services. This included both monitoring the internet and dark web for piracy as well as the response measures required to actively manage it. Today, CAS market leaders like Kudelski Group’s NAGRA are able to cover the entire end-to-end security needs of their customers, helping them to design, integrate, certify, run and sustain high levels of security over time, protecting their critical assets and business models. This same breadth of products and services is also important to consider when selecting an IoT security vendor.
Other Industries Embrace Similar Models
Pay TV is not the only industry to embrace the model of an independent security partner. Others as varied as banking, telecommunications and IT, all of which involve billions of dollars in revenue at risk of fraud, have also turned to trusted third-party security providers, frequently using smart cards as well. This technology has protected a wide range of different types of businesses:
- Banking applications, where smart cards have been used as payment and credit cards
- Telecommunications, where smart cards (in the form of SIM cards) have been used to secure the secrets required for phones to access mobile networks
- Corporate IT, where smart cards give secure access to company networks and resources
Smart card-based systems for all these industries are designed to resist attacks from even the most determined hackers and pirates, and as a consequence, these industries have resisted sustained efforts from organized criminals to undermine their businesses. As a result, the technology has evolved and flourished. Smart cards have been so successful because they provide a secure device for storing data and executing security functions that need to remain “secret”, preventing counterfeit and pirate solutions from becoming widespread.
Whom Do You Trust?
Fast forward to IoT and many device manufacturers seem to be repeating mistakes that were already made and solved in these other industries many years ago. The worst mistake is that many IoT devices seem to be designed without any security at all, or with security only as an afterthought. Many IoT silicon vendors – whose real expertise lies in delivering functionality and connectivity – see this as an opportunity to position “security” as a selling point for their chips in the hope they can differentiate their products in what is often a low-margin business. But designing security into IoT chipsets is not enough to deliver the end-to-end security lifecycle management provided by specialized security vendors like the ones mentioned above. The key question is whether or not the security provider is committed to the long-term protection of the end customer’s business model and has the infrastructure and operational experience to be the long-term guarantor of end-to-end IoT security.
What Does Good IoT Security Require?
Let’s assume for the moment that device manufacturers and service providers embrace the concept of identifying a partner to be responsible for security. What should they look for?
- Deep relationships with key chipset vendors and the ability to influence their designs
- The flexibility to deliver a root of trust using a variety of different protection methods (integrated secure element, SIM card, TEE, etc.) in order to achieve maximum device reach
- The ability to provision devices with secrets, either in the production process or over the air (OTA), based on close collaboration with these chipset vendors
- The ability to quickly update code on deployed products in case of hacking
- The ability to constantly monitor (via in-field diagnostics) any deployed products to anticipate potential security compromises (by using techniques such as artificial intelligence-based behavioral monitoring, for example)
- The presence of proprietary security mechanisms embedded into the silicon in order to activate countermeasures (as has historically been done with smart cards) in the event of a security breach
- Cryptographic algorithms and other security elements that can be changed in the field on deployed products to counteract piracy on deployed devices
Most of these things require a strong collaboration on design between IC vendors and security vendors in order to align with the required features. Is such collaboration likely to happen? In industries like pay-TV, it has become the norm. Whether it becomes the norm with IoT will depend greatly on the decisions made by device manufacturers when they choose their security partners and IC vendors. Sometimes at the outset, it may appear efficient to select a “one-stop shop” solution, but a judicious reflection needs to consider the long term, and a key question is “who do I call when bandits knock at my door?”
Final Key Questions
In summary, IoT device makers and service providers are invited to consider two very important questions that are critical to IoT success.
- Does your security provider have the technical ability and operational experience to help you withstand both basic and advanced attacks?
- Is their commercial business model aligned with your needs for long-term security lifecycle management, keeping your IoT products secure over the long term?
Selecting a trusted, strategic security partner who has the ability and relationships to execute on the required technical features and services to enable sustainable business models is crucial. Once these types of questions become seriously considered in the IoT market, we will be able to make progress on removing “security” from the list of barriers holding back the full potential of the Internet of Things.
Whether you were ready for it or not, your network is likely supporting hundreds if not thousands of connected endpoints at this very moment. When we talk about IoT, especially in the enterprise, we’re not just talking about connected refrigerators anymore. IoT is powering manufacturing lines, medical devices, and entire cities.
The possibilities for IoT have never been greater, and neither have the stakes. Just look at what happened in 2016 when Mirai, the infamous IoT botnet, took down major websites like Netflix, Twitter, and Amazon via a massive distributed denial-of-service attack using hundreds of thousands of compromised IoT devices.
Nonetheless, 2018 will be the tipping point for IoT in the enterprise with nearly half expected to deploy IoT solutions by the end of the year. What has made the explosion of IoT adoption possible is also its Achilles heel. The diversity and volume of device manufacturers, platforms, and use cases have made it nearly impossible to standardize any type of security controls. Many device manufacturers don’t even prioritize security, often because their customers don’t. The onus, therefore, is and will likely continue to be on the consumer – whether that’s an individual or an enterprise.
A lack of standard security controls isn’t the only thing standing in the way of securing IoT environments. IoT environments look different than traditional enterprise networks. They’re inherently more complicated and fragmented, requiring a different approach to security architecture. This also makes it much more difficult to have visibility and control over every connected device. Industry standards and regulations are just as fragmented and obscure. Many organizations have published their own set of best practices, but there is not a universally agreed upon standard as of yet.
To that end, Kudelski Security has spent the last year researching the current state of IoT in the enterprise and the best practices for securing it. The findings are presented in our IoT Security Reference Architecture, which is designed to help enterprise security teams build a strategy for secure IoT deployments using a combination of people, process, and technology.
Inside the architecture, the team provides an overview of the differences between IoT and traditional network environments; the IoT security threats, challenges, and business impacts enterprises face; IoT security best practices at the people, process, and policy level; and the security controls and technical measures IoT enterprises should have in place.
The reference architecture takes into account numerous security guidelines and standards, with the two primary sources of inspiration being ENISA’s Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures and the Industrial Internet Consortium’s Industrial Internet of Things Volume G4: Security Framework. (A full list of IoT guidelines is available in the report.)
This guide is best-suited to organizations who already have IoT devices deployed in their environment. We recommend comparing the best practices presented in the architecture with existing security controls to identify security gaps or complementary technology solutions to improve IoT security efforts.
IoT and a Growing Attack Surface
There is no doubt that the IoT brings with it tremendous opportunities to deliver more and richer data to drive operational efficiency and smart decision making. But as IoT devices proliferate, they also increase the overall attack surface and expose organizations to additional threats. It has always been clear that it is far more cost-effective to implement good data security during the design phase of any product or system, and exponentially more expensive to fix it after there’s been a breach. Even though IoT security has been commonly recognized for years as one of the key barriers to successful IoT implementation, many management boards have yet to make the necessary investment in it. So how does a product manager or security officer justify the business case for implementing the right level of IoT data security from the start?
Thanks to new research released from the Ponemon Institute and IBM this month, those costs can now be quantified based on the real-life experience of 477 different companies who have gone through data breaches themselves, and the scope and cost of the problem can be better understood. In summary, the bad news is that the implementation of IoT devices has indeed increased the attack surface and the overall cost of recovery from data breaches, but the good news is that organizations implementing robust data encryption and incident response services have significantly lowered the cost of those breaches. Let’s look at some of the highlights in more detail.
IoT Data Breach Trends 2017-2018
More than 2000 IT and compliance professionals whose companies had suffered data breaches over the past 12 months were interviewed for the study.
- They reported that the total cost of an average customer data breach was a staggering US$3.86 million.
- That’s a year-over-year cost increase of 6.4%.
- The average cost per stolen consumer record was $148.
- For healthcare, that figure skyrockets to a whopping $408 per lost or stolen patient record.
- Companies making extensive use of IoT devices saw the average cost per stolen customer record increase incrementally by $5, suggesting indeed that deploying IoT devices can tangibly increase the risk of data loss.
That said, organizations who had taken proactive measures to encrypt most of their data (whether coming from their IT or IoT infrastructure) saw the average cost per stolen record adjusted down by $13, while those who had strong incident response (IR) capabilities – either in-house or with trusted third-party cybersecurity experts – were able to generate another $14 savings per stolen record. That suggests that an organization employing both capabilities might save more than 18% on the cost of a data breach. That means a savings of $700,000 on an average breach. And the survey further shows that companies who have had a single material breach have a 27.9% chance of suffering from an additional breach within the following two years, driving the breach costs (but also the potential savings of good security) even higher.
But we have now also entered the era of the “mega-breach”, according to the report. Ponemon measured for the first time the impact of breaches of between 1 and 50 million records and showed that they had a cost of $40 million and $350 million respectively. When companies invest in IR and encryption technologies for these volumes, the savings generated run far into the millions of dollars. How many records do you have and what would be the total costs to you of such a breach if your company were to suffer one? That’s important to know and contributes directly to your IoT and cybersecurity business case.
Justifications Beyond Data: the Kudelski Group Analysis
But even with this excellent justification for IoT security investment, data breaches are only one potential factor that should be considered as part of the overall business case. Our experience at the Kudelski Group is that devices can also be compromised if not properly protected and could be hijacked by botnets designed to launch distributed attacks on popular websites or services. They could also be hacked to provide false data to their owners, which in the case of industries like power, health care and energy could cause serious productivity, availability, fraud, damage or – even worse – safety issues. The same is true in reverse, where unauthorized commands mistakenly accepted by insufficiently protected devices could cause them to behave in ways that are dangerous – think automotive, aviation and smart buildings. These device security scenarios must also be considered when creating the business case for IoT security but were not the subject of this study.
All the elements discussed so far fall under the category of “risk mitigation”, and while they are very compelling and must be considered, IoT also brings great promises of new features, new business models and operational efficiencies that positively and directly impact the bottom line. Organizations should rightly include (realistic) forecasts for value that IoT will add to the business over the long term. When all these factors are combined, we believe that the justification for a management board to invest in the proper design and implementation of robust, sustainable IoT device and data security as well as managed security and incident response services is overwhelming. And that’s why some of the world’s most recognized and security-conscious brands are already working with us to secure their connected futures.
As Black Hat continues to draw closer we wanted to take a moment to highlight some talks that we are excited about. There is a lot of great content, so picking just a few was difficult, but these are the presentations that I and some of my colleagues are looking forward to attending.
AI & ML in Cyber Security – Why Algorithms are Dangerous
By Raffael Marty
The topic of AI disciplines is one I spend quite a bit of time talking about myself. It seems you can’t turn anywhere these days without encountering some product claiming to use a subset of AI in some “advanced” way. A healthy dose of real-world challenges helps cut through the marketing hype and get to core issues. This talk is a much-welcomed reality check.
Blockchain Autopsies – Analyzing Ethereum Smart Contract Deaths
By Jay Little
Blockchain technologies aren’t just for cryptocurrencies. This technology is gaining more and more acceptance in the business world and being used or evaluated to solve a range of business challenges. Blockchain technologies aligned with business challenges, like Ethereum Smart Contracts, have a higher chance of success and longevity. Understanding how these contracts work as well as the various risks they present, is critical.
Applied Self-Driving Car Security
By Charlie Miller, Chris Valasek
Come on, who doesn’t love the thought of hacking self-driving cars? What’s even better is getting this information from the experts on the subject. In the not too distant future, we will share the road with people taking a nap, eating lunch, and texting. Okay, we do that now, but in the future people may not have control of their cars the way they do today. Highlighting these risks now helps us avoid running into them tomorrow. This presentation promises to be informative and entertaining.
Understanding and Exploiting Implanted Medical Devices
By Billy Rios, Jonathan Butts
Self-driving cars are one thing, but IoT gets scarier when it’s inside your body. Increased attack surface from a device inside your body is the stuff of nightmares and Hollywood movies. This presentation promises to shed light on these risks.
WebAssembly: A New World of Native Exploits on the Browser
By Justin Engler, Tyler Lukasiewicz
WebAssembly is a technology supported by all of the major browsers that allows for the compilation of languages like C, C++, and Rust for the web. WebAssembly makes a promise of better performance and increased security, but is it a lot of hot air? This talk highlights this technology and the security risks it introduces.
Squeezing a Key Through a Carry Bit
By Filippo Valsorda
Although this presentation isn’t some destruction-of-the-Internet-style vulnerability, it demonstrates a great example of why no small bug should be ignored. In an amazing feat of crypto engineering, by exploiting a single bit bug, the presenter shows how a cryptographer’s worst nightmare comes true. Secret keys can be recovered in about 500 submissions on average. Don’t miss this highly technical talk on the cryptography track that shows a small bug can yield a big result.
Kudelski Security Events
We also have a few events happening while we are out in Vegas.
Join us for our Kudelski Security Bash party Tuesday night from 6-9pm in the Foundation Room at Mandalay Bay.
We are also doing a couple of breakout debriefs from 4:30-6pm on Wednesday, August 8th, and Thursday, August 9th. Wednesday’s session is on IoT and Operational Technology security. Thursday’s session is on Blockchain. Use the following link to RSVP for these sessions.
If you are hanging out for Defcon as well, check out our presentation:
Reaping and Breaking Keys at Scale: When Crypto Meets Big Data
Presented by Yolan Romailler and Nils Amiet.
In this talk, we show how we collected over 300 million public keys leveraging our scanning infrastructure and our open source fingerprinting tool, Scannerl, and tested them for vulnerabilities such as the recent ROCA vulnerability or factorization using batch-GCD. We performed this analysis on a 280 vCPU cluster and are able to test new keys against our dataset in just a few minutes thanks to a novel in-house distributed implementation of the algorithm. As a result of our research, we could have impersonated hundreds of people, mimicked thousands of servers and performed MitM attacks on over 200k websites. Fun stuff.
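The batch-GCD check named in the abstract, applied defensively to an organization's own fleet of RSA moduli, as an added example (not Kudelski Security's distributed implementation or Scannerl code). It uses product and remainder trees; the function names, device labels and small moduli are constructed assumptions.

```python
from math import gcd


def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all values."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([
            level[i] * level[i + 1] if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)
        ])
    return tree


def batch_gcd(moduli):
    """For each modulus N_i return gcd(N_i, product of all other moduli).

    Walks the product tree back down, reducing the total product P modulo the
    square of each node, so every leaf ends with P mod N_i^2. Dividing that by
    N_i gives (P / N_i) mod N_i, whose gcd with N_i exposes any shared factor.
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    rems = tree.pop()  # [P]
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]


def audit_fleet(keys):
    """keys maps a device label to its RSA modulus; returns findings for weak keys only."""
    labels = list(keys)
    moduli = [keys[label] for label in labels]
    findings = {}
    for label, n, g in zip(labels, moduli, batch_gcd(moduli)):
        if g == n:
            # Same modulus deployed twice, or both primes appear in other keys.
            findings[label] = "duplicate-or-fully-shared"
        elif g > 1:
            # One prime is reused by another key, typically from poor entropy at keygen.
            findings[label] = "shared-prime"
    return findings


# Constructed sample fleet with toy-sized moduli (real keys are 2048 bits or more).
SAMPLE_FLEET = {
    "cam-01": 1009 * 1013,
    "cam-02": 1009 * 1019,   # shares the prime 1009 with cam-01
    "lock-01": 1021 * 1031,
    "lock-02": 1021 * 1031,  # cloned key pair
    "hub-01": 1033 * 1039,   # unique primes
}

if __name__ == "__main__":
    for label, finding in audit_fleet(SAMPLE_FLEET).items():
        print(f"{label}: {finding} -> rotate key and review key generation")
```

Any device flagged here needs a freshly generated key pair, and a shared prime usually points at weak randomness during first boot or factory provisioning.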
If you see any of us around the week after next, say hello. See you at Black Hat and Defcon!
As CIOs and CISOs who walk the halls of healthcare institutions know all too well, the number of devices being enabled in the Internet of Things and Internet of Medical Things around us is exploding exponentially. With this explosion, complexities arise in security, data collection, storage, and especially lifecycle management. Devices have varying degrees of security and lifespans that range from two years up to 15 years, adding complications to management strategies.
Medical devices are the next perfect storm as a security threat vector and lifecycle management is now becoming predicated on risk and security vulnerabilities within the legacy device ecosystem. Hackers increasingly turn to medical technology used by providers as the next mechanism to commandeer and attack networks and hold organizations for ransom. Medical IoT devices are connected to a vast array of sensors, monitors and numerous applications making them an ideal entry point into the larger hospital networks and an easy way to propagate attacks to other systems.
The FDA started to make cybersecurity a priority in 2013 as a requirement for connected medical devices; however, due to the long development cycle of these devices and long time to get certified for use in the market, the rollout is slow. This will result in a significant lag in the introduction of connected devices that have embedded cyber threat resilience components that can thwart modern threats. This creates an incredibly complex lifecycle management challenge for healthcare technology.
Cybersecurity challenges are now becoming the primary driver for lifecycle management of medical technology. Older compromised systems present a sizeable risk to cybersecurity and leave every member of the C-Suite asking how to tackle this challenge. Often these systems have little to no update capabilities, are outside of vendor support or have been replaced with newer, better supported product lines. Vendor support for cybersecurity vulnerabilities typically takes time to create, test and patch before they can be deployed across the entire device population. As an example, an EEG monitor has a typical lifespan of 10 years. During that period security vulnerabilities will change and morph making it difficult for manufacturers to keep pace with the cybersecurity threat landscape. Even worse, securing these devices ultimately rests on the provider.
One must keep in mind that vulnerability testing is complex because of the various systems, subsystems and chipsets that are embedded in these devices. Most organizations simply do not have a $10 million budget to create a lab or staff who has the functional expertise to effectively perform hardware and software vulnerability testing with the rigor required to pass a security audit. Organizations must hire vendors who have the needed technical expertise, specialized staff and equipment in ferreting out vulnerabilities in purpose-built devices. It is not enough to perform a software scan on a device and assume it is secure.
So what approach should an organization take to lowering their risk on medical devices with varying usable lifespans and cybersecurity protections?
Evaluate Your Environment For Risk
- Identify devices that are end of life. These devices will have no updates released, which exposes them to risk. Furthermore, discovered vulnerabilities may not be announced by the company. We recommend you replace these devices with supported systems.
- Identify systems that are no longer covered by service contracts or lack current operating systems capable of being secured. This issue is similar to devices that are end of life, and should also be replaced or covered by a new service contract.
- Audit prospective vendors’ security, patch management and cybersecurity countermeasures to ensure satisfactory risk mitigation.
- Contract for penetration testing of on-premises devices. It’s important to cover both the hardware and software of the device in this assessment.
- Consider Wi-Fi, Bluetooth, SD card and proprietary RF interfaces as potential areas of compromise on devices. Ensure there are controls in place to monitor and protect devices over all communication protocols. Disable protocols that are not in use if possible.
- Create a risk profile and a risk score for each device used in your environment, then prioritize based on that risk, creating a lifecycle management posture rooted in security.
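One way to turn the checklist above into a per-device risk profile and a prioritized work list, as an added example rather than anything from the original article. The weights, criticality multipliers, field names and sample inventory are constructed assumptions to be replaced with an organization's own risk model.

```python
from dataclasses import dataclass, field

# Assumed weights, not taken from the article.
WEIGHTS = {
    "end_of_life": 40,
    "no_service_contract": 20,
    "unsupported_os": 25,
    "not_pentested": 10,
    "unused_interface": 5,  # per interface that is enabled but not in use
}
CRITICALITY = {"low": 1.0, "medium": 1.5, "high": 2.0}


@dataclass
class Device:
    name: str
    criticality: str
    end_of_life: bool
    service_contract: bool
    os_supported: bool
    pentested: bool
    enabled_interfaces: set = field(default_factory=set)
    used_interfaces: set = field(default_factory=set)


def assess(device):
    """Build a risk profile: weighted score plus the checklist actions that apply."""
    score, actions = 0, []
    if device.end_of_life:
        score += WEIGHTS["end_of_life"]
        actions.append("replace: end of life, no further updates")
    if not device.service_contract:
        score += WEIGHTS["no_service_contract"]
        actions.append("replace or cover with a new service contract")
    if not device.os_supported:
        score += WEIGHTS["unsupported_os"]
        actions.append("replace: operating system cannot be secured")
    if not device.pentested:
        score += WEIGHTS["not_pentested"]
        actions.append("contract hardware and software penetration test")
    for iface in sorted(device.enabled_interfaces - device.used_interfaces):
        score += WEIGHTS["unused_interface"]
        actions.append(f"disable unused interface: {iface}")
    return {
        "device": device.name,
        "score": score * CRITICALITY[device.criticality],
        "actions": actions,
    }


def prioritize(devices):
    """Highest risk first, so replacement and remediation budget follows the score."""
    return sorted((assess(d) for d in devices), key=lambda r: r["score"], reverse=True)


# Constructed sample inventory.
INVENTORY = [
    Device("infusion-pump-07", "high", False, True, True, False,
           {"wifi", "rf"}, {"wifi", "rf"}),
    Device("eeg-monitor-02", "high", True, False, False, False,
           {"wifi", "bluetooth", "sd"}, {"wifi"}),
    Device("lab-printer-11", "low", False, False, True, True,
           {"wifi", "bluetooth"}, {"wifi"}),
]

if __name__ == "__main__":
    for profile in prioritize(INVENTORY):
        print(f"{profile['score']:6.1f}  {profile['device']}")
        for action in profile["actions"]:
            print(f"        - {action}")
```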
Global Risk And Compliance
- Have an action plan: Create standard operating procedures for what to do when medical devices are compromised
- Create a risk framework for each device to determine what to do if a device is infected with malware or has been compromised by a hacker
- Include medical devices in your governance plan to ensure that compromises are dealt with at an appropriate level and escalation paths are included
- Ensure you have logs for each device with current firmware versions, patches, etc. and ensure you have a process and policy to perform medical device updates.
- Create incident response plans specific to breaches involving medical devices and have a team assembled. Include retainers for breach mitigation and post-mortem cyber forensics.
By implementing and monitoring the product lifecycle, leaders, CSOs and CISOs can better plan when to introduce new operational technology in the environment. Ensuring that each of these devices will not negatively impact your operations is critical for continuity of care and allowing for the transformative delivery of healthcare services and improved patient outcomes. Implementing a lifecycle management approach to medical device refreshes rooted in a security framework will allow providers to keep pace with the rapidly evolving threat landscape that is currently plaguing the industry, while ensuring compliance and minimizing security threats and vulnerabilities in the process.