Hi everyone, Ed Amarosa here, and I want to talk to you a little bit about,
provide an introduction to, the topic of Internet of Things, IoT, security.
Now IoT devices are things that for
the most part are connected to networks but are not your computer,
not your smartphone, it's just kind of everything else.
That might include like a big aircraft engine,
might be connected in some sense to the public Internet, or
wind turbines out in a field somewhere might be connected to the Internet,
providing telemetry back to a research center or
accepting commands, say, from some control center.
Or connected cars eventually becoming autonomous,
these are all connected up to networks.
And all of them to some degree are vulnerable to malicious hacking.
Now, today, we count something like six billion of these things connected
across the Internet, or they speak to you.
But by say 2020, the projection is up.
This will grow dramatically,
potentially to like 20 billion of these things connected up.
Just an aircraft engine alone might have 1,000 different
parts that are beaconing out information about temperature and
position and sensing and velocity and on and on and on.
So these are very interesting problems from the perspective of a cybersecurity
engineer.
So first, let's kind of go through these things.
I'll take the first thing, it's just the IoT devices themselves.
They can be categorized into a couple of different classes.
First, we would say, call them industrial control devices.
Things that have consequence if hacked to some critical infrastructure component,
tend to use the term industrial control for that.
But it's not just about industrial control, it's more critical infrastructure
like a heat pump at a power plant, or we mentioned an aircraft engine,
or say some really important safety device in a transportation system.
You don't want these things to be hacked, you don't want the integrity of them to be
affected or modified because people could lose their lives.
The second class is kind of everything else like we joke about connected
refrigerators and entertainment systems and
video recorders and children's toys and appliances in our home.
These are certainly connected to the Internet.
They are clearly IoT devices, your wearables, and
other things would be in that category.
And yeah, you don't want them to be hacked but for
the most part would probably not produce some significant consequence.
And then you can say that there's kind of a category that lives in
the middle of those two.
Right, there's clearly critical-infrastructure-affecting,
there's clearly not.
And then things in the middle would be like for example, medical devices.
Now you'd say, gosh, an insulin pump shouldn't be hacked and
kill somebody, but it doesn't cascade, right?
For the most part, if I attack an insulin pump and cause someone to become ill,
it's an isolated, it's a nefarious disgusting sort of attack.
But it's not the same thing as a power plant that could be attacked and
kill all sorts of things.
So, a lot of engineers tend to categorize things in those sort of buckets.
It's really two buckets and then a combination.
Industrial control, IoT sort of consumer, and then things that are in the middle.
Now what are the problems here?
The first is that none of these devices that exist today,
legacy versions of these, were designed with security in mind.
They probably have an operating system, but there's probably no good way to patch them.
No good way to do vulnerability management on them,
no good way to update systems with security that needs to be done.
They just weren't designed like that.
A heat pump in a factory that connects up to the Internet was not designed for
cybersecurity, it just wasn't, that wasn't a consideration.
It was a mechanical engineer who saw a heat pump could be controlled with
a computer.
Hey, let's put it on a network.
Hey, let's build a monitoring system.
Wow, I can control all the heat pumps from this one room.
Not thinking about cyber, but thinking about utility.
So the first problem we have in IoT security is this issue of legacy.
The second is a problem of protocol.
So yes, some of them do run IP but a lot of them are running proprietary protocols.
There's one very popular one called Modbus.
There are others that are running analog signaling like voltages, 28 volts or
20 volts, 0, or things in between, turning things on and turning things off.