unexpected and complex implications of the internet of everything ( ioe )
DESCRIPTION
Unexpected and Complex Implications of the Internet of Everything ( IoE ). Jeff Stollman Secure Identity Consulting. Agenda. Defining Terms Promise and Implications Issues Prompted by IoT Legal Perspective Q&A. Defining terms. What is it?. SCADA. Netbooks. Servers. Smart Phones. - PowerPoint PPT PresentationTRANSCRIPT
IIW | 06 May 2014
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014
Jeff StollmanSecure Identity Consulting
Unexpected and Complex Implications of the
Internet of Everything (IoE)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Agenda Defining Terms Promise and Implications Issues Prompted by IoT Legal Perspective Q&A
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
DEFINING TERMS
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
What is it?
Internet of Things
Internet of EverythingSe
nsor
Net
wor
ksSmart Appliances
ServersNetbooks
Smart P
hone
s
Industrial Controllers
SCADA
Databa
ses
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Definition
The Internet of Everything is:
ANY device that is connected to a network.
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Constituent Devices
1. SENSOR 2. PROCESSOR 3. ACTUATOR
4. Combinations of the above
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
IoE is a superset
Traditional IT SCADA devices New Smart devices
IoE
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
PROMISE AND IMPLICATIONSUse Cases
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
The Promise
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Home Appliances – Security and Privacy
Who is ordering your perishables?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Irrigation & Flood Control - Security
Who is ensuring data integrity?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Farming – Information Ownership
Who owns the data you collect?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Automotive Management – Privacy and Liability
Who is controlling your vehicle?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Electric Vehicle Recharging Systems – Security and Liability
Who is paying for power from your outlet?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Smart Packaging – Privacy and Liability
Who can learn what drugs you are taking?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Physical Security – Privacy
Does privacy exist anymore?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Electrical Grid – Security and LIability
Who is managing your power?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
ISSUES PROMPTED BY IOT
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
IoT prompts several areas of concern Security
- Security issues of IoT are not new, but new solutions will be required. Privacy
Privacy issues of IoT are not new, but new solutions will be required. Ownership
- Device ownership enters a new gray area.- Data ownership represents a brave new world of possibility.
Liability- Liability, as well, opens up a Pandora’s box of complex issues.
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Security Questions1. As traditional enterprise perimeters disintegrate into a web of devices, how do we
secure devices1. From an adversary manipulating sensor input data ?
1. E.g., holding a lighter below an outdoor temperature sensor that triggers an emergency response)
2. While this could happen today, I submit that the additional layer of abstraction provided by the IoT may prompt less scrutiny of physical security and increase the vulnerability of such systems.
2. From an adversary manipulating output from a sensor or input to a processor?1. E.g., dividing the output from sensors on a harvester in half to create the
impression of a bad crop, causing commodity prices to rise2. compromising the video feed from a surveillance camera during a burglary 3. or the altimeter in an airplane to cause it to crash
3. From an adversary compromising the instruction code in the processor1. E.g., changing the rule that prompts an alarm to take no action instead
4. From an adversary compromising the instruction feed from the processor or the input feed to the actuator
1. E.g., dividing the changing ON to OFF or a LOW setting to HIGH
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Security Questions cont’d.
2. Who is responsible for controlling access to the data?2. At rest -- on the device3. In transit -- between devices
3. Who is responsible for allowing a “man-in-the-middle” attack when there is no perimeter?
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Practical Questions1. Will all devices need enough intelligence to manage their own access control?
1. Will all devices need to be servers to do so?
2. If devices have enough intelligence (i.e., processing power and storage) to manage access control, will they also have enough processing power and storage to be victims of malware and/or hacking?
3. Once enough devices are deployed to be of interest to adversaries (e.g., malware and hack publishers), will the burden of managing access to devices outweigh the benefits to be gained from them?