Simon Harrison RWE - Chain of Things 010616 final

Page 1: Simon Harrison RWE - Chain of Things 010616 final

the need for security in IoT

Simon Harrison RWE

Page 2: Simon Harrison RWE - Chain of Things 010616 final

About Me

I am the enemy part of the problem

serial corporate innovator

technically literate, but not an engineer

IoT evangelist (in recovery)

Blockchain novitiate

ideas guy - risk is someone else’s problem

Page 3: Simon Harrison RWE - Chain of Things 010616 final

About RWE

23 million energy customers

60,000 employees

Headquarters in Germany, significant presence in UK and the Netherlands, and across Europe

Our expertise is in energy generation, distribution and retail - but we know that the energy markets are being fundamentally changed by technology, and a group of us are working to find opportunities for the future of RWE

Blockchain Enthusiasts

You may have met Carsten, if you haven't then you will soon. We are moving as fast as we can to explore options around Blockchain and Ethereum

Page 4: Simon Harrison RWE - Chain of Things 010616 final

IoT as an epidemic

timeline

Zero to Billions

Who or what was patient zero? Do we go back to 1832 and the invention of the electromagnetic telegraph? Morse code? Turing?

Probably the root cause for the Internet of Things was the creation of the Internet, usually attributed to Tim Berners-Lee in 1989

1990: Connected Toaster Demo

Within a year of the internet being created, and before the first web page, there was a connected toaster. Lots of ‘crazy’ experiments followed - Coke machines, water fountains etc. all involving some kind of connection

1999: IoT Named

RFID was the first proposed application for things that could connect - in a variety of domains

2000: First Smart Fridge

For whatever reason - fridges are a popular use case for IoT - they must be a useful universal reference point

Page 5: Simon Harrison RWE - Chain of Things 010616 final

2000-2010: The Standards Wars

As you might expect, coming from dozens of different domains, there have been millions of hours logged in committee trying to agree on standards across the OSI layers - this work continues

2000-2010: The Markets Expand

Rather than wait to be told that the standards were ready - the domains just went ahead and built connected stuff. No one knew they were building out the Internet of Things

2009: IoT is Born

Cisco identifies that more things than people were connected to the internet - by 2010 there were 1.84 connected devices per person

2011 - IPv6

Very important to allow many many things to be connected to the internet

Page 6: Simon Harrison RWE - Chain of Things 010616 final

2010+: Realisation

Now: Growth

2020?: Ubiquity

Public awareness grows - through smart phones, or smart thermostats or smart TVs, people seem to like the services the IoT enables - Netflix, Home Automation, Wearables - and trust that it is all OK

Once enterprise began to grasp the concept of connected things, they realised that their ATMs, Streetlights, Smart Meters, Trains etc. were part of the Internet of Things

Predictions vary, but there will be many billions of connected devices doing many different things for individuals, businesses and each other

Page 7: Simon Harrison RWE - Chain of Things 010616 final

Retrofitting security to a design for 50m endpoints

A personal story

An unsolvable problem

In 2006, I created the first specifications for the UK gas and electricity smart meters. It took three years to get to an agreed industry design and the start of a Government programme. And then we met the security experts…

Critical Infrastructure

Page 8: Simon Harrison RWE - Chain of Things 010616 final

Creating a Perfect Storm

let’s connect everything

It seems that the rush to interoperability and interconnection of all systems for the greater human good is accelerating by the week.

For every nonsensical IoT device, there will be dozens of practical, efficient and profitable use cases that connect sensors and actuators.

And in the rush to make things simple and beautiful and useful, how loud is the voice of the data security engineer?

Customers are concerned, but not enough to use 2 factor authentication or passwords that aren’t “123456” - and…

CUSTOMERS ARE NEVER WRONG

Page 9: Simon Harrison RWE - Chain of Things 010616 final

what is at risk?

NESCOR Model

CONFIDENTIALITY

Unauthorised access to information - about you, about your home or car, about your habits. When are you home, what do you listen to, what do you watch, what do you weigh, when do you sleep - feel violated yet?

INTEGRITY

Modification (or Theft) of information - someone pretending to be you, or someone else - intercepting information and potentially changing it for any variety of reasons. Nanny Cam hackers are pretty low on the spectrum of human integrity, but this is what they exploit

AVAILABILITY

Typically denial of service. Frustrating if it is Netflix or your thermostat, pretty devastating if it is part of a self driving autonomous vehicle. Also includes things like viruses and other malware - an IoT gateway could be the Achilles heel for data security

NON-REPUDIATION

Mainly for accountability - a way of removing evidence that something did or did not happen. No need to break in to wipe the security camera tapes anymore if you can just switch them off

Page 10: Simon Harrison RWE - Chain of Things 010616 final

who are the actors?

The Bad Guys

CRIMINALS

The IoT is a global playground - and criminals are incredible innovators. They will find a weak point in every design and exploit it ruthlessly for financial gain or power. Ransomware for smart locks?

MISCHIEF

People with the means but possibly not much of a motive apart from causing havoc for their own amusement or the applause of their peer group.

TERRORISTS

The ultimate scare story - is this foreign government activity, or worse? Might not be interested in your Sonos, but could be interested in a network of substations or geolocation tags on critical infrastructure vehicles

DISCONTENTED

Ex-employees, spurned lovers, the generally unhappy. Looking for revenge or to cause pain or embarrassment - might not need to be a hacker if their passwords still work for the alarm or cameras.

Page 11: Simon Harrison RWE - Chain of Things 010616 final

IoT domain ubiquity

THREAT VECTORS

Connected Home

Connected Health

Smart Cities

Finance

Transport Systems

Infrastructure

What would be the problem if those risks were exploited by those actors?

CONFIDENTIALITY, AVAILABILITY, INTEGRITY, NON-REPUDIATION

CRIMINALS, MISCHIEF, TERRORISTS, DISCONTENTED

Page 12: Simon Harrison RWE - Chain of Things 010616 final

not just data security

The internet of THINGS

COUNTERFEITING

More criminals, many exceptionally talented, can create fake goods that are indistinguishable from the real thing, but fake nonetheless. That’s bad but not scary if it’s a Mulberry bag - very much more worrying if it is Olive Oil, Manuka Honey or Baby Formula

RENEWABLES

Despite the growth in Solar taking place during the realisation of the internet of things, very few of them are connected devices - utilities don’t think like that, and yet they are out there

SENSORS vs SWITCHES

At the moment, a lot of the IoT is concerned with sensing an activity or an environment - breaches here are worrying enough, but once we start to add controls to those sensors things can get very worrying

LOGISTICS

A $10 sensor that monitors critical temperature tolerances for transporting vaccines? Connects to any phone with bluetooth? Brilliant solution to a real problem, but also a very tempting target for anyone looking to steal/disrupt/destabilise

Page 13: Simon Harrison RWE - Chain of Things 010616 final

how are we feeling?

password

Forgot Password?

Page 14: Simon Harrison RWE - Chain of Things 010616 final

MY PERSONAL AUDIT

Person: 12

At Home: 80+

City: ??

Globally: !

Page 15: Simon Harrison RWE - Chain of Things 010616 final

we’re not the crazy ones

DAILY MAIL CLICKBAIT

There is a growing list of very disturbing scare stories about IoT security

And we need to make it clear this isn’t just hackers messing around with the stuff owned by geeks and early adopters

Page 16: Simon Harrison RWE - Chain of Things 010616 final

Project Nest

Backdoor

The sky is falling

Printer of Doom

Page 17: Simon Harrison RWE - Chain of Things 010616 final

Coming… ready or not?

Have I said this often enough? We are in the process of connecting everything to everything else. These are still discrete networks of devices, with just an internet backbone crossing domains - but

From an estimate of 1 million computers in 1992, to over 50 billion connected things in 2020

We are halfway up the ramp, which started in 2009

MEDIUM FORECAST

CURRENTLY AROUND 20bn

Individual sectors could explode in the next 4 years - some estimates run much higher

50bn by 2020

[Chart: connected things, 1992 to 2020]

Page 18: Simon Harrison RWE - Chain of Things 010616 final

The future is not written

Truly the Internet of Things

Disconnect the Users

What is moving faster than IoT? What could resolve most of the human risk around IoT? Where is a lot of smart money going?

What could possibly go wrong in letting IoT devices think for themselves, talk to and learn about each other and use flawless logic to make decisions?

A final consideration

Page 19: Simon Harrison RWE - Chain of Things 010616 final

thank you

thanks

simon.harrison@rwe.com

@raygunsimon

www.rweinnovationhub.com