This course introduces a series of advanced and current topics in cyber security, many of which are especially relevant in modern enterprise and infrastructure settings. The basics of enterprise compliance frameworks are provided with introduction to NIST and PCI. Hybrid cloud architectures are shown to provide an opportunity to fix many of the security weaknesses in modern perimeter local area networks. Emerging security issues in blockchain, blinding algorithms, Internet of Things (IoT), and critical infrastructure protection are also described for learners in the context of cyber risk. Mobile security and cloud security hyper-resilience approaches are also introduced. The course completes with some practical advice for learners on how to plan careers in cyber security.
IoT Security
Loading...
來自 New York University Tandon School of Engineering 的課程
Enterprise and Infrastructure Security
90 個評分
New York University Tandon School of Engineering
90 個評分
課程 4(共 4 門,Specialization Introduction to Cyber Security)
從本節課中
Mobility Security and Deception
This module introduces several advanced topics in cyber security including mobility security and deception – and includes suggestions on career planning for future cyber professionals.
與講師見面
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
Computer Science
Hi everyone, Ed Amarosa here, and I want to talk to you a little bit about
provide an introduction to the topic of Internet of Things, IoT Security.
Now IoT devices are things that for
the most part are connected the networks but are not your computer,
not your smartphone, it's just kind of everything else.
That might include like a big aircraft engine,
might be connected in some sense to the public Internet, or
wind turbines out in a fields somewhere might be connected to the Internet.
Providing telemetry back to a research center or
accepting command say, from some control center.
Or connected cars eventually becoming autonomous,
these are all connected up to networks.
And all of them to some degree are vulnerable to malicious hacking.
Now, today, we count something like six billion of these things connected
across the Internet, or they speak to you.
But by say 2020, the projection is up.
This will grow dramatically,
potentially to like 20 billion of these things connected up.
Just a aircraft engine alone might have 1,000 in different
parts that are beaconing out information about temperature and
position and sensing and velocity and on and on and on.
So these are very interesting problems from a perspective of a cybersecurity
engineer.
So the first, let's kind of go through in these things.
I'll take the first things, it's just the the IoT device its themselves.
They can be categorized into a couple of different classes.
First, we would say they're call them industrial control devices.
Things that have consequence if hacked to some critical infrastructure component,
tend to use the term industrial control for that.
But it's not just about industrial control, it's more critical infrastructure
like a heat pump at a power plant, or we mentioned an aircraft engine,
or say some really important safety device in a transportation system.
You don't want these things to be hacked, you don't want the integrity of them to be
affected or modified because people could lose their lives.
The second class is kind of everything else like we joke about connected
refrigerators and entertainment systems and
video records and children's toys and appliances in our home.
These are certainly connected to the Internet.
They are clearly IoT devices, your wearables, and
other things would be in that category.
And yeah, you don't want them to be hacked but for
the most part would probably not produce some significant consequence.
And then you can say that there's kind of a category that lives in
the middle of those two.
Right, there's clearly critical infrastructure affecting,
they're clearly not.
And then things in the middle would be like for example, medical devices.
Now you'd say, gosh, an insulin pump shouldn't be hacked and
kill somebody, but it doesn't cascade, right?
For the most part, if I attack an insulin pump and cause someone to become ill,
it's an isolated, it's a nefarious disgusting sort of attack.
But it's not the same thing as a power plant that could be attacked and
kill all sorts of things.
So, a lot of engineers tend to categorize things in those sort of buckets.
It's really two buckets and then a combination.
Industrial control, IoT sort of consumer, and then things that are in the middle.
Now what are the problems here?
The first is that none of these devices that exist today,
legacy versions of these where design what security in mind.
That probably of an operating system, but that's probably no good way to patch them.
No good way to do vulnerability management on them,
no good way to update systems with security that needs to be done.
They just want a design like that.
A heat pump in a factory that connects up to the Internet was not designed for
cybersecurity, it just wasn't, that wasn't a consideration.
It was a mechanical engineer who saw a heat pump could be controlled with
a computer.
Hey, let's put it on a network.
Hey, let's build a monitoring system.
Wow, I can control all the heat pumps from this one room.
Not thinking about cyber, but thinking about utility.
So the first problem we have in IoT security is this issue of legacy.
The second is a problem of protocol.
So yes, some of them do run IP but a lot of them are running proprietary protocols.
There's one very popular one called Modbus.
There's others that are running analog signaling like voltages, 28 voltage or
20 volts 0, or things in between, turning things on and turning things off.
So it's all over the map in terms of the way the control system and
a control device would operate.
The vagaries of the mechanical engineer who designed it will determine
the specifics of how the interaction works.
So putting like a firewall in between them it's just simple,
it's just not an easy sort of thing to do.
So you put these things together, this issue of a dramatic growth
of number devices that themselves are not well protected,
systems are not designed for that.
And then you put protocols in place, whether connecting to control systems.
Where the protocols are all over the map,
it becomes extremely difficult to retrofit security onto this.
So what I think is happening is that we do the best we can with retrofit.
We build appliances and
things in certain cases that do the best they can with existing legacy.
But a next generation IoT is going to have to be in place over the next 20 years,
where we design security into them from the beginning.
We build the devices that are hardened, we make it easy to update and
patch them, we build native encryption into these things.
We have them natively able to produce or
support encrypted protocols that have authentication, digital signing.
All the things you learn about in cybersecurity in the IoT infrastructure,
they're not there now.
They have to be there, so you either overlay them or
you design them in natively.
And if you've got a bunch of old heat pumps in a factory,
good luck doing something overlaid.
You're going to have to rethink that, and
that's going to be a suicidal cost that we we'll have to just deal with.
Because if we don't, then we're going to see some pretty massive attacks on IoT.
In the subsequent video, I'll give you an example one.
But for now, I hope this has been a good introduction to sort of the landscape
of security in the context of IoT and industrial control, thanks.
