Page 1: Securely enabling the Internet of Things · Q3 2016 Intel IoT Solutions Alliance Member Cumulocity Partnership DigiCert Partnership Q4 2016 ... device registration, certificate provisioning,

12/1/2016

1

Confidential and Proprietary -- © 2016 Device Authority

Securely enabling the Internet of Things

By Robert Dobson | Pre-Sales Director EMEA


www.deviceauthority.com

Agenda

1. Introduction

2. Why does IoT Security need a rethink?

3. What does Device Authority provide to deliver Security Enablement and Automation?

4. Summary

5. Questions & Answers

Page 2:


Device Authority History (timeline slide, Q4 2015 to Q4 2016)

Milestones shown on the timeline:

• Company Merge

• Gartner Cool Vendor

• UK’s Most Innovative Small Cyber Security Company

• MachineShop Partnership

• ThingWorx Partnership

• Symantec Alliance

• InVMA Partnership

• Intel IoT Solutions Alliance Member

• Cumulocity Partnership

• DigiCert Partnership

Quarter markers on the timeline: Q4 2015, Q1 2016, Q2 2016, Q3 2016, Q4 2016


Why does IoT Security need a re-think?

Page 3:


A couple of recent real-world example attacks

• Malware introduced to cameras because of a weak security posture

• Default username/password used, with no way to update them, or the software!

• Cameras used as a small “army” to mount a DDoS attack (Twitter, Netflix etc. attacked)

• Wireless connected lightbulbs (Zigbee) remotely hacked from a car or drone

• Access gained by exploiting hard-coded symmetric keys, then malicious firmware introduced

• Attacker could turn tower-block lighting on and off; this could be extended to large installations


A shift in IoT Security ownership

Present (Manufacturer): the customer’s security posture is left to the manufacturer to define, a manufacturer-centric approach.

Future (End customer): customers are moving toward defining their own security posture, specified for the needs of their business, supply chain and product.

Page 4:


Challenges Facing Security and IoT

• Attack surface is expanding beyond traditional IT systems

• Multiple off-ramps into untrusted networks

• Enrolling a large number of devices securely and efficiently is difficult!

• Edge devices become compromised as they typically have a poor security posture

• Devices can be used maliciously to attack services and cause havoc

• IoT velocity and scale are challenging traditional networking and certificate management techniques

• Security is normally an afterthought!

• Lack of standards is driving complacency


What does Device Authority provide to deliver Security Enablement and Automation?

Page 5:


Security Enablement and Automation Solutions

Secure Device Provisioning

• Policy Based Enrolment

• Dynamic Trust Anchor

• Customer Security Domain

PKI Credential Management

• Secure Delivery of Keys & Certs

• Encrypted Credential Store

• Credential Rotation and Re-Provisioning

• Automated Certificate Binding and Authorization

Policy Driven Encryption

• End to End Data Encryption (AES 256)

• Dynamic Session Based Keys

• Selective Field Level Encryption

• Transport Independent

Secure OTA Updates

• Encrypted Update Package Delivery

• Data Integrity Update Validation

• Device Bound Authentication of Update Nodes

• Granular Policy Controls

(The four areas are grouped on the slide under the heading Security Posture.)


Dynamic Device Key Generation

1. Dynamic Device Authentication: device authentication keys are dynamically generated and unique to each device for each authentication session.

2. Device-derived Crypto: device-derived crypto keys and IVs are generated from the dynamic device authentication process.

Dynamic device keys are not stored on devices or servers and are never passed over the network.
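The two properties claimed above (a fresh key per device per session, derived on both ends so that the key itself never crosses the wire) can be illustrated with a small HKDF-based derivation. This is an added example, not Device Authority’s code, and it does not describe how KeyScaler actually derives keys; it assumes a device-bound secret that both the device and the server can reproduce, and all names are hypothetical.

```python
import hashlib
import hmac
import os


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_material(device_secret: bytes, device_id: str,
                            device_nonce: bytes, server_nonce: bytes):
    """Both ends derive the same AES-256 key and 16-byte IV from a device-bound
    secret (assumed here to be reproducible on both sides) and the two fresh
    nonces of this session. Only the nonces ever cross the wire."""
    salt = device_nonce + server_nonce
    info = b"demo-session-v1|" + device_id.encode()   # binds material to the device
    okm = hkdf(device_secret, salt, info, 48)
    return okm[:32], okm[32:48]


def run_session(device_secret: bytes, device_id: str):
    """Simulate one authentication session: exchange nonces, derive on both
    sides, and return (device_key, device_iv, server_key, server_iv, wire)."""
    device_nonce, server_nonce = os.urandom(16), os.urandom(16)
    wire = [("device->server", device_id.encode() + device_nonce),
            ("server->device", server_nonce)]
    dev = derive_session_material(device_secret, device_id, device_nonce, server_nonce)
    srv = derive_session_material(device_secret, device_id, device_nonce, server_nonce)
    return dev[0], dev[1], srv[0], srv[1], wire


def secret_material_on_wire(material: bytes, wire) -> bool:
    """True if the derived key or IV bytes appear in any transmitted message."""
    return any(material in payload for _, payload in wire)
```

Every session yields a different key because the nonces change, while a compromised transcript contains only the nonces; the device secret itself is the part that still needs hardware-grade protection.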

Page 6:


KeyScaler™ Platform Architecture Security (architecture diagram; components as listed on the slide)

Management Control Panel: Dashboard; Policy Management; Device Management; Asset Management; Reporting & Notifications; Key Rotation Controls; License Management; API Controls

Device Authority Engine (DAE): Device Authentication; Policy Enforcement; Derived Key Management; Asset Delivery; License Management; API Services; Device & Events Stats; Service Access Controller

Data stores: Asset Repository; System and Security Logs; Policy Repository; Device Registry; KMS Key Store

Integration: Service Connectors to IoT Platform and Service Partners

Devices: IoT Devices & Applications running the DA Agent/Library


KeyScaler™: Secure Certificate Delivery

Manufacturer-Independent Security Posture - Customer-specific certificates and credentials are provisioned and controlled independently from the device manufacturing process.

Automated Camera Security Management - KeyScaler enables rapid deployment and ongoing security management for surveillance cameras through automated device registration, certificate provisioning and renewal, and password management.

Scalability - KeyScaler provides large-scale security automation for system integrators and customers with hundreds or thousands of cameras across multiple facilities or geographic locations.

Integrity Validation - KeyScaler provides a mechanism for firmware and executable verification with automated policy enforcement and alert notification. It detects changes in the edge device, which allows the customer to quarantine the device and disable its network connectivity (DDoS prevention).
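The integrity validation step above amounts to comparing a device’s reported firmware and executable measurements with a registered baseline and mapping any mismatch to a policy action. The following is an added illustration of that logic, not KeyScaler’s implementation; the baseline, device ids, paths and report format are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Report:
    """Measurements an agent reports for one device (constructed format)."""
    device_id: str
    firmware_sha256: str
    executables: dict = field(default_factory=dict)   # path -> sha256 hex


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: measurements registered when the device was provisioned.
BASELINE = {
    "cam-0001": {
        "firmware_sha256": sha256_hex(b"constructed firmware image v1.4"),
        "executables": {"/usr/bin/streamer": sha256_hex(b"constructed streamer binary")},
    }
}


def evaluate(report: Report, baseline=BASELINE):
    """Return (decision, findings). Policy: unknown device or any mismatch,
    missing or unexpected measurement -> "quarantine"; otherwise "allow"."""
    expected = baseline.get(report.device_id)
    if expected is None:
        return "quarantine", ["device not present in registry"]
    findings = []
    if report.firmware_sha256 != expected["firmware_sha256"]:
        findings.append("firmware hash mismatch")
    for path, digest in expected["executables"].items():
        reported = report.executables.get(path)
        if reported is None:
            findings.append(f"no measurement reported for {path}")
        elif reported != digest:
            findings.append(f"executable changed: {path}")
    for path in sorted(report.executables.keys() - expected["executables"].keys()):
        findings.append(f"unexpected executable reported: {path}")
    return ("quarantine" if findings else "allow"), findings


def enforce(decision: str, device_id: str):
    """Map the decision to the enforcement steps the slide describes."""
    if decision == "allow":
        return []
    return [f"quarantine {device_id}",
            f"disable network connectivity for {device_id}",
            f"alert: {device_id} failed integrity validation"]
```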

Page 7:


KeyScaler: Secure Password Management and Provisioning (flow diagram)

Components shown: DA Agent on the device; KeyScaler™ with Certificate Management Module; Administrative Control Panel.

Steps labelled on the diagram (the step order is not recoverable from the extracted text): Device Registration; Credential Delivery (encrypted password); Password Update; Password Generation & Storage; Access via the Administrative Control Panel.

Automated default password change for initial camera provisioning with ongoing policy-driven password rotation

Automated Admin Password Management (Upcoming Release)

• Provisioning and management of device-specific passwords to remove vulnerabilities of manufacturer-default passwords

• Automated, policy-driven password rotation to support large-scale camera deployments

• Eliminates security vulnerabilities and large-scale manual password management required after administrator staffing changes


Summary

• IoT Security goes beyond the scope of a traditional IT Security System

• Security needs to be considered end to end through whatever architecture you deploy

• Attack surface should be minimized using dynamic session-based crypto keys where possible

• Automate on-boarding of devices at scale in a secure, frictionless way

• Tailor your security posture to your requirements using policy-driven, field-level encryption for data at rest and in transit

• Use tools that allow you to quarantine and blacklist devices which seem untrustworthy

• Automate delivery, rotation and revocation of certificates securely when using standard PKI certs

• Support an elevated security posture for device and firmware updates

Page 8:


Thank you!

Contact us:

[email protected] Pre Sales Director

www.deviceauthority.com

@IoT_Dobson

http://info.deviceauthority.com/blog-da