how to benefit from iot - and not breaking the...
TRANSCRIPT
![Page 1: How to benefit from IoT - and not breaking the lawfiles.messe.de/abstracts/74969_HODO11_20_NexusSoeland.pdf · 1021Exhibitors works with IOT security . Exhibitors works with IOT](https://reader034.vdocument.in/reader034/viewer/2022042319/5f0941307e708231d425f47a/html5/thumbnails/1.jpg)
How to benefit from IoT
- and not breaking the law
Before we start - a personal observation
All data may be sensitive
These sensors just popped up in my home automation system!
Is my favourite neighbour at home?
The IoT landrush #1
1021 exhibitors work with IoT
4 exhibitors work with IoT security
IoT Landrush #2 – hacking
16th October 2016
EU’s General data protection regulation
ORGANIZATIONS
PERSONAL DATA
WHEN? May 25, 2018
RISKS: 2% / 4% global revenue
Fines up to 4% ↓
measurable consequence ↓
creates management attention ↓
security
6 pillars of the GDPR
• The right to be forgotten
• Privacy by design
• Breach notifications
• Risk and impact assessments
• Consent
• Data portability
2/3 of all connected things are personal
GDPR applies to everything!
PEOPLE
SOFTWARE/COMPUTERS
THINGS
GDPR includes physical security
DIGITAL SECURITY + PHYSICAL SECURITY = SECURITY
IoT may become a nightmare ↓
Internet of Listeners? ↓
The Army of Things?
Hacking a blood infusion pump
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm (May 2015)
• Telnet and FTP services accessible without authentication
• Immediate administrator-level access
• Easy to tamper with the pump’s operation
• Hospital’s wireless keys stored in clear text
• No firmware update security
FDA issued a warning only
“Go Ahead, Hackers. Break My Heart”
Marie Moe, Security Researcher, SINTEF, and pacemaker user
https://www.wired.com/
• FDA:
  • Bad security – too bad!
• GDPR:
  • Leaking personal data – BAD!
• The good news:
  • Privacy cannot exist without security
IoT is more than the things
Constrained devices, often battery powered
Powered computers and gateways
IoT architecture example
[Figure: architecture diagram divided into three zones: customer’s local infrastructure, Internet, and cloud. Components shown: switch, WiFi access point, low-power WiFi, wired actuators and sensors, actuators and sensors over WiFi, local server/GW, mobile apps, admin portal, REST API, WebSocket API, cloud server, customer portal (browser), 3rd party service.]
IoT architecture example
[Figure: the same architecture diagram (customer’s local infrastructure, Internet, cloud), here with wired luminaires and sensors and luminaires and sensors over WiFi, annotated with the security functions: Authentication, Authorisation; Authentication, Authorisation, Identity Management; Certificates.]
Things need secure identities
• Things may last <20 years!
• Renewal of keys and algorithms
• Secure software update
• Protect data at rest and in transport
• Secure onboarding/exchange
• Problem: low power sensor networks
Certificate enrolment for billions of things
• Endorsers
• Partners
Critical todo #1:
– Identity and access management from physical device to the cloud
Critical todo #2:
– Strong authentication and digital signing
- secure access to data
- verify owner of data
- verify age
- manage consent
Critical todo #3:
– Use technology to enforce digital and physical access policies across your organization
EASY TO USE AUTHENTICATION & AUTHORISATION
IMPROVE PHYSICAL ACCESS ROUTINES
ENFORCE POLICIES AND LOG EVERYTHING
STRONG IDENTITIES TO EVERYTHING
Conclusions:
IDENTITY OF THINGS IS MANDATORY
PRIVACY IS GOOD FOR SECURITY
RESULTING IN LESS OPERATIONAL RISK