Security Architecture for IOT

Alex | | CiscoLive Barcelona

What have do be done from a security perspective to make IoT safe again?

These are the notes of a talk about IoT security. It tells about the history of IoT and why it is that unsafe. These articles are just notes and may be missing some specific context or could be already outdated.

Intro

First we have to know about the types of technology:

  • IT
  • Operation Technology
  • Consumer Technology

Main Target: Industrial control systems

  • Challenges and Contraints
  • Specific threats and protection mechanisms

Challenges and Constraints

There are different challenges and constrains in each of the technology types. If you know them, it's easier to understand the history of each technology type. The normal IT/ICT part is not mentioned here.

Consumer objects

There are some attributes on consumer technology objects:

  • Physical size
  • inexpenise
  • CPU Power
  • Memory
  • Bandwith
  • Autonomous operation in the field

Who is responsible if something is hacked?

  • ISP
  • Manufacturer
  • Owner
  • CSP
  • User

and not the consumer. He can't protect his IoT gadget himself... in general.

Industriual Control Systems

In the Operation Technology they never thought of security!
Security by obscurity was their way to go.

Convergence of IT and OT ends up in: Industrial IoT. The OT devices and systems get now an IP based connection to other systems and are now vulnerable to attacks over IP.

In Operation Technology the safety and latency are very important. That's why they mostly don't have any authentication mechanisms in place. Mostly the use bus types for connections.

SchneiderElectric: Modbus. Most widely used protocol.

Challenges for OT Security

  • Visbility
  • Control
  • Compliance

Attacks happenend from IoT

What to do against threats in OT / IoT

Zoning the OT systems with the Purdue Reference Model (OSI for Manufactoring). More about it here: Purdue Enterprise Reference Architecture on Wikipedia