IoT For All
The #AskIoT team sits down with Andrew Howard to discuss what security actually means, the risks associated with IoT solutions and devices and misconceptions the public has when it comes to security in IoT.
On this episode, we dive into the basics of security in IoT including what it is, areas that need to be addressed and who is at risk. Andrew addresses how companies should approach cybersecurity and what needs to be done by manufacturers, software providers, the government and the public to ensure our devices are as secure as possible.
The episode concludes with our #AskIoT segment and a final word from Andrew. He leaves us with a reminder that there's a lot of momentum in the industry to improve and the most difficult factor in IoT security is that very few devices are the same, limiting them and making it difficult to build one size fits all solutions.
If you’re interested in connecting with Andrew, you can find him on LinkedIn!
About Kudelski Security: Kudelski Security is a premier cybersecurity solutions provider, working with the most security-conscious organizations in Europe and across the United States. Our long-term approach to client partnerships enables us to continuously evaluate their security posture to design and deliver solutions to reduce business risk, maintain compliance and increase overall security effectiveness.
Have any IoT related questions you want us to ask on a future episode? If so, tweet us @iotforall or use the hashtag #AskIoT and we will be sure to see it!
- [Ken] You are listening to the IoT For All Media Network.
- [Ryan] Hello, everyone. And welcome to another episode of the IoT For All Podcast on the IoT For All Media Network. I'm your host, Ryan Chacon, one of the co-creators of IoT For All. Now, before we jump into this episode, please don't forget to subscribe on your favorite podcast platform or join our newsletter at iotforall.com/newsletter. You can catch all the newest episodes as soon as they come out. So, without further ado, please enjoy this episode of the IoT For All Podcast. Welcome, Andrew, to the IoT For All Podcast. Thanks for being on with us. We're happy to have you. And I'd love for you to kind of start off this episode just kind of giving a brief introduction to who you are, to kind of fill in our audience.
- [Andrew] Sure, thanks for having me. My name's Andrew Howard. I'm the Chief Technology Officer for a security provider known as Kudelski Security. I'm based in Atlanta, but have been in the IoT game for the last couple of decades, well before it was called IoT. So, excited to talk about IoT and the security ramifications.
- [Ryan] Great, yeah, I know we kind of talked about this in our pre-interview conversation, but for us, at least for Calum and I, this is gonna be a good area for us to learn a lot from you, so expect a lot of, maybe basic questions, but I think our audience will appreciate getting kind of a real view on what IoT security is about and kind of correcting any misalignments and stuff like that.
- [Calum] Yeah, this is the real reason behind the IoT For All Podcast. For me and Ryan
- Yeah.
- [Calum] To pick the brains of experts.
- [Ryan] Yeah, I think the best way to kind of move on now that you made an introduction is talk a little bit more about your company, what are you guys doing in the IoT space, I know it's obviously security focused. But if you could just kind of shed some light on what the company does as it applies to IoT, that'd be wonderful.
- [Andrew] Sure, so we are a Swiss-based security provider. So, headquarters is in Geneva, Switzerland, but we've expanded into the US, publicly traded on the Swiss Exchange, several thousand employees. Our company and the portfolio of companies that we're associated with are all in the security space. So the heritage of the business is providing security for satellite streams. So whenever you watch that cable program in your home on whatever cable provider you have, if you still have one, that content is likely provided and protected by us.
- [Ryan] Okay.
- [Andrew] So we work with content makers and protect that content. We have other businesses that protect physical spaces. So we run the largest public access protection business in the world, through a company known as SKIDATA. If you go see an Atlanta Falcons game and you scan your ticket into that game, they provide that capability. And then, finally, we run a cyber security business that's focused on helping enterprises protect their infrastructure, and their data, and their crown jewels, help their businesses operate efficiently and securely. And so, IoT falls into, really, all those categories. It's really horizontal across everything we do. But from a security perspective, IoT is part of every single company's future that we work with. I mean, there's not an enterprise out there that isn't trying to move their product base into IoT, leverage someone else's product in IoT to make their business more efficient, or frankly, just has IoT devices deployed throughout their enterprise. And so our customer is typically the CIO or the chief information security officer, and IoT is of very big interest for them. And so our company provides solutions and advice across the IoT spectrum, from helping clients make decisions about what IoT devices to buy and how to integrate them and how to securely operate them, to helping product manufacturers secure their devices, make sure their devices operate smoothly and securely at scale, all the way to telecommunications providers that are providing the backbone infrastructure across the world to allow IoT devices to communicate over the cellular infrastructure efficiently and securely. So our technology is embedded in many of the products you use every day, as well as the advice we give helps enterprises do the right thing there.
- [Calum] So to ask a very basic question, what does security mean? Because there are, I would imagine, many pieces to it. There's the physical security and there's likely many others but for those who are thinking, "Okay, that's great." I hear a lot about security, I think that's a good thing. What does that actually mean in practice?
- [Andrew] So, if I gave an academic answer, I would say something like, security is there to protect the confidentiality, or the privacy, the integrity, and the availability of data or a solution. That's a very academic answer. In the IoT space, what security means is, make sure that the device operates as expected, make sure that whenever it communicates with other devices or back to the cloud or some main system, that it does that in a secure way, make sure that no rogue devices connect into the IoT infrastructure, and prevent third parties, or potentially the user of a device, from doing anything, accidentally or maliciously, that the designers of that device and the owners of the data didn't intend to happen. So security means make everything work as expected and keep the bad guys, and potentially the users who could be the bad guys unintentionally, from doing anything stupid.
- [Calum] So what would be some of the examples of security breaches? Whether that's from users doing something stupid, or from mal or bad actors?
- [Andrew] So the most public information out there that is regularly discussed in the media is particularly around IoT cameras. I mean, that's where you'll see the most public facing breaches that occur, where you've got cameras that are accessed by third parties, malicious actors, and they access those cameras, bypass the security that may or may not exist on those. And we can talk more about what that looks like or doesn't look like. And access video streams that they were not supposed to see. So this is, in the most simple case, this is someone looking at your nanny cam and shouldn't be looking at it. In the most extreme cases, this is people looking at video streams in very sensitive areas, such as government buildings or laboratories. And then in alternative cases, this is third parties accessing cameras, not caring about the video streams and simply taking advantage of the computing power inside the camera to go launch an attack on somebody else. And if you think about the millions of cameras that are out there, or billions of cameras that are out there, if you can gain access to a lot of them, that's a lot of computing power you can use to go do bad things. And that simple example around cameras really applies to IoT devices everywhere. People are trying to gain access to them to either gain access to data that they're not supposed to have access to, or take advantage of the device to do something more nefarious.
- [Calum] Yeah, I think that's a really important point to highlight. I think when many people think of security, they think of how it impacts them directly. So, "Oh, someone's taken over my security camera. Well, that's not so bad, it's not pointing at anything that I wouldn't want them to see." But there's also the consideration of not just on the individual level, but on the aggregate level. If you now have thousands or millions of these devices with compute power, as you say, then these nefarious actors or parties can use those to launch attacks against infrastructure. And I believe, and I'm somewhat ignorant here, but this was the basis of the Mirai botnet attack a few years ago, correct?
- [Andrew] Yes, so in the Mirai botnet, the developers of that attack came up with a way to gain access to a large number of cameras. Thousands of them, millions of them. Cameras that were on the internet, publicly accessible by the internet, and were able to have all those cameras go make requests to different infrastructure websites that they wanted to take down, and basically conducted an out of service attack. So, with so many requests to a specific website from those millions of cameras, the website goes down. So, that botnet generated gigabits of traffic. So a very effective approach. And this is the kind of scarier end of IoT security. If you're an IoT device manufacturer, you do not want your IoT device being a part of these botnets. It's not good for your brand, it opens you up to liability.
- [Ryan] Within IoT, what is worth being concerned about from a security perspective, and from your perspective, and what isn't? Because from what I've seen, there's a lot of things that might be genuine concerns, but then other things that there might be a lot of chatter around, but don't really merit the level of concern that is leveled at them? So, from your perspective, looking back on the past few years and the current state, what are some of the areas that you think need to be addressed, and then what things, if any, are people talking about, that aren't really concerns to you?
- [Andrew] Sure, so I'll try and answer this question from the viewpoint of a product manufacturer. And the only reason I say that is, because depending on your viewpoint, that answer can be very different. For example, if I try and answer it from the perspective of an individual worried about privacy. But for someone out there trying to build a product or use a product as a company, so like an enterprise perspective, I think there's a spectrum, and I'll say that the spectrum gets amplified based on the scale of the attack. So, on the kind of far right, scariest end of the spectrum, is any kind of security breach on an IoT device that leads to physical harm. So this is your connected manufacturing floors, connected nuclear plants, connected cars. I mean, the attacks that can happen on these physical devices, where someone manipulates the device or sends a bad signal to the device or takes the device out of service and that leads to physical harm, those are things you should be concerned about. And I'll say for our client base, that tends to be where there's a lot of focus, because that part of the industry, connected vehicles, connected transportation, connected industrial items, there's a lot of focus on how to connect those, how to do better connectivity and smarter connectivity, because it leads to more efficiency and cost savings. But there are super, mega physical security risks. So that is definitely worth putting some focus on. I would say kind of one step inside of that is this class of security attacks that I'll refer to as integrity attacks. And these are attacks where someone is not trying to destroy an IoT device or pull data off an IoT device, or even make the IoT device do anything it's not supposed to do. All they're trying to do is modify the data on the IoT device such that whenever that data gets pulled back to the cloud or the mainframe that's consolidating all that data, it messes with the results that impact something else, okay?
And so the example there is sensors in the field. So if someone could theoretically, not just theoretically, but could deploy an attack that modifies enough sensors in the field, that impacts the decision making that's made behind the scenes. And so, this is particularly concerning in kind of military-style environments where they're dependent on sensors in the field to make tactical decisions in the fight. And so those are very concerning. Those same concerns apply in places where financial decisions are being made based on data being collected from IoT sensors in the field. And outside of consumer goods, a lot of IoT is based on sensors. So the integrity of the data on those sensors is incredibly important. And then you kind of step in one more level, and I think what would be concerning there is someone pulling very sensitive data that has huge financial impact off of a system. So this would be intellectual property or design information that could really impact a company. And then what I think is even kind of farther left than that is individual privacy information, so PII or PHI, personally identifiable information, personal health information, et cetera, credit card data, that impacts a user. And I'll say, to talk a little bit about scale, on the right side of that where there's people getting hurt, it only takes one incident for it to be really bad. And so you've gotta build your security to keep that one incident from happening. On the left side of the scale, where we're talking about individual privacy data, if only one incident happens, that's bad for the consumer, but the product manufacturer probably doesn't care. But you scale that up to 100 million users and now the product manufacturer cares. So it's all about scale and perspective, but that's what I'm worried about.
- [Ryan] So from the product manufacturer perspective, who's at risk? Because the immediate thought that comes to mind for me is you're saying, "Okay, someone might be trying to steal personal information, credit card information, to get financial data to maybe even steal money." But if there's a company out there, or a product manufacturer that's thinking, "Well, I don't store that data, so therefore, I'm not at risk," is that true? Or is everyone at risk? Or are there particular entities or kinds of organizations that are more likely to be targeted?
- [Andrew] Everyone's at risk. So where this conversation typically happens is, if there's a breach on an IoT device, kind of who's at fault? Is it the IoT device manufacturer? Is it the company that's using that IoT device for some purpose? Is it a third party? And the answer is it's complicated and it could be everyone. I mean, in my opinion, the IoT device manufacturer has an obligation to do the right thing and provide common sense security precautions against reasonable attacks on their device, and then the enterprise that uses that device has an obligation to make sure that the controls that the manufacturer deployed work and make sense, and then the consumer of that device has some obligation to make sure they're okay with their personally identifiable information being on that device. I mean, there's a need for everyone to know what's going on. And unfortunately, in typical cases, all three of those parties turn a blind eye to the problem. At best case, one of them might care.
- [Ryan] Yeah, one of the things I was actually, it kind of ties into your comments there, I was looking around your guys' website and kind of learning about your approach. And I'd kind of love to hear you talk a little bit more about your guys' approach to IoT security. And you talk about, at least there's four points on your website that you mention, I think are interesting. Device security, data security, access management, and active security. Especially that active security side of things. Can you just explain to the audience what those four areas kind of entail in an IoT sense? And then kind of expand on how you guys help maintain security going forward, so to ensure that IoT devices are protected, as they scale, as they grow, as new attacks kind of come to light?
- [Andrew] Sure, so we work with device manufacturers who are making everything from consumer goods and consumer devices to devices that end up being on power plant floors, to manufacturing floors, to connected cars. We talk about these four areas. We first talk about device security. So this is security of the device to make sure that it can withstand physical attacks to the device. So, what we're trying to help the manufacturer prevent is someone buying one of these devices, taking it home, opening it up, and being able to extract sensitive information, such as cryptography keys, from the device and then using those cryptography keys or other sensitive information, such as intellectual property, to go launch some larger attack on the IoT ecosystem of that device. So this is particularly concerning, this is particularly important whenever that device is part of an access control system or is a decision-making device. It's the device that allows something else to happen. You don't want someone to be able to open that device and make changes on the fly. So we wanna go protect the device and make sure that it can identify itself to the network, that it's authentic, and that all the software that runs on that device is protected, so that someone can't load their own software onto the device. A lot of the attacks that we see, at scale, are about people pushing bad software updates or malicious software updates, to a large number of devices. So we wanna go protect the physical device, then we wanna make sure that device can authenticate itself to the network, or to the ecosystem. Identify itself and protect the software that it executes. Then we talk about data. We wanna protect that data wherever it lives. When it lives on the device and is stored on the device, when it's in transport back to wherever it's going, and then once it hits the cloud or whatever other system or ecosystem that's behind that cloud.
And in many of these IoT environments, there's a lot of focus on the security in transport, because that's typically the easiest place to secure the data. You just encrypt the channel. TLS, SSL, other methods. But often people forget about the data that lives on the device. You wanna protect the confidentiality and the integrity of these devices, of the data on these devices, for the reasons I talked about earlier. But there's also a concern once that data leaves the device, because in many of these environments, that ecosystem in the cloud is incredibly complex with a lot of different players and a lot of different regulations in place that create a lot of challenges for IoT device manufacturers. And this is what leads us into access management. So once that data is where it needs to be, whether it's on the device or in the cloud, who has access to it, where can they access it, when can they access it, under what circumstances can they access it? We also help product manufacturers control access to their features, because many device manufacturers will build an IoT device that has a lot of capability, but they'll only expose half of that capability to the people who pay one price and expose the other half of the capability to the people that pay the higher price. You can think about this just like a cell phone that has capability that's not yet turned on. We help them make sure that people don't go turn on capability that they actually haven't already paid for. This helps protect those revenue streams. And then active security is what you do once there's an attack. So if these devices are under attack, what options do you have? And unfortunately, for most IoT systems today, there just aren't a lot of options. Your options are basically cut it off from the network. And frankly, most partners that we work with, historically, have been lucky to even be able to do that.
So active security says, if an attack is detected, either on the device or in the cloud or through some other means, what are you gonna do about it? And what our viewpoint is, is that the device itself needs some capability to deploy countermeasures to try to stop the attack. We also need the cloud that manages that device to be able to deploy countermeasures in a smart way. That may include turning the device off, it may include just cutting it from the network, it may include bricking the device, so making it basically lock up like you lock up a lost cell phone. Or it could include some other countermeasure that's a little more creative. So you smash all those kind of four things together. Device security, data security, access management, and active security, and you've got a fairly robust IoT architecture that can withstand attack and can adapt.
- [Ryan] That's great, and talk to us a little bit about when the companies that you're working with, kind of take me through their journey, as far as, what phase are they kind of coming to you and reaching out? Like what does that buyer's experience or journey look like? Are they coming to you pretty early on and saying, "Here's our devices, here's what we're looking to build, and we need help securing them"? Or are they coming to you later, after maybe an attack has happened, they realize they didn't put the emphasis on security when they should have? Kind of when are they coming to you and how active are you guys in kind of building the solution to help them secure their individual devices?
- [Andrew] We run into device manufacturers kind of in two major categories of development. So the first one is, "I have a legacy device that I've been running forever and now it's time to connect it to the internet," okay? And so, simple examples like washing machine manufacturers who now want, dish washing manufacturers who want consumers to be able to manage the status of their dish washing load through their phone, okay? And make settings and do maintenance. And so they're taking a legacy device and then basically just smashing IoT capability into it. That scenario is what, for most companies we run into, particularly the companies that have been around for a while, so not startups. And frankly, more often than not, it's, from a security perspective, pretty scary. Because you're talking about connecting a device that was never intended to be connected to the internet. The people who built that original device had no concept that it would ever be connected to any kind of network. And then the other type of manufacturer we run into is someone who's doing it from scratch. And that's a little bit of an easier situation for us, as long as we can get kind of early into the design phase, because once the device is built, or pretty close to being built, if security wasn't taken into consideration, you basically are in the same state as the first category. You just have a legacy device that wasn't built properly. So to do this security thing right, you really gotta be thinking about security from a very early stage in the design process.
- [Ryan] Makes a ton of sense. I guess when people are coming to you to help build these solutions, are there any really big misconceptions that they're coming to you with? Or maybe fears that are not as realistic or as realized as maybe they think they are? I know we talked a little bit about this earlier in Calum's question, but more specifically to any individual applications or clients that you've been working with?
- [Andrew] Yeah, I mean, the most common thing we hear is, "Why would anybody attack my device, it's just a," for example,
- Right.
- [Andrew] "A connected toothbrush," right? I mean, that's pretty common. And so it takes some education to get them past that. And then the second thing we hear is that, the device manufacturer's not concerned about physical attacks. "Hey, if somebody opens up my specialized device, I don't really care, because it's just one device," you know? Whereas they're very concerned about network-based attacks.
- [Ryan] Mm-hmm.
- [Andrew] That could, theoretically, attack the entire infrastructure. And those are, in most, not all, but most cases, big misconceptions.
- [Calum] I find it really interesting bringing in the physical aspect, because something that strikes me about IoT is the fact that, if you're going to be dealing with thousands, or even millions of devices, old paradigms might not work. And my thinking is that, in the past, it may have been possible, if you had physical devices, to put them in a secure location where the likelihood of someone getting access to them would be very low. And so then maybe it's not as important to have that physical security. And maybe that's where some of these misconceptions are coming from. But when you're dealing with thousands and millions of devices deployed who knows where, then the odds of someone being able to get access to even one of those, yes, maybe the one device isn't a concern, but it then becomes very important that they aren't able to enter through that device into the larger network, or to spoof information through it, which could have ramifications, is that kind of a correct read on IoT and security?
- [Andrew] I think that's a proper read. If you are building an IoT device, the last thing you wanna have happen is have your device be the reason that your customer got hacked.
- [Calum] Mm-hmm.
- [Andrew] Okay, or breached. And even if it's not, even if they didn't attack your device, even if they didn't extract any data off your device and your device operated as expected, if they used your device as a mechanism to get into the client network, that's almost worse. And I think you're right, I mean, there's definitely a mentality, especially on the industrial side of the equation, that disconnecting things from the internet makes them secure. And I could have a whole podcast on why that's not the case. But all IoT is doing is connecting a bunch of devices that were never intended to be connected and really forcing some new thought about what it's gonna take to secure them.
- [Calum] Yeah, and to make it real for our audience who are thinking, "Okay, how seriously should it be taken?" I was reading an article the other day on the TRITON malware. Are you familiar with that? Yeah, so from my very limited understanding, it was from 2017, and it was malware that was identified in a petrochemical plant in Saudi Arabia. And so, being a petrochemical plant, that could have resulted in people actually dying. And so, as more and more of our infrastructure becomes connected, that has many benefits, but it also opens up these possibilities where people could literally be killed or seriously harmed with attacks on infrastructure.
- [Andrew] I think you're right. And in my industry, the kind of wake-up moment for a lot of people around this has been Stuxnet, which is the SCADA system attack in Iran, first uncovered in about 2010, where malware was put onto a nuclear centrifuge to make it spin out of control. And what's interesting about that attack is a couple of things. First, you've got someone attacking kind of a physical system in a very public way. The second thing is, is that device was not internet connected, okay? So they were able to hop the internet disconnection to make this attack happen. And so, if attackers could do it when the device is not connected to the internet, just imagine what they can do once they're internet connected if the proper precautions aren't taken.
- [Calum] Right. And I think there was another one recently with Russia attacking Ukraine's electric infrastructure, I believe?
- [Andrew] Correct, and there are examples of this in the US where people have taken over emergency broadcast systems in different states. I mean, there are countless examples of these industrial attacks,