Selected Topics

in CS
Chapter 9 Introduction
to Internet of Things
The Internet of Things (IoT)

The
Internet
Smart
Earth:
An
Internet Internet of
Clouds Things
IBM
Dream
Smart Earth
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

What is IoT?
 The Internet of Things (IoT) is the
network of physical objects—devices,
vehicles, buildings and other items
embedded with electronics, software,
sensors, and network connectivity—that
enables these objects to collect and
exchange data.
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

Various Names, One Concept

 M2M (Machine to Machine)
 “Internet of Everything” (Cisco Systems)
 “World Size Web” (Bruce Schneier)
 “Skynet” (Terminator movie)
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

Where is IoT?

It’s everywhere!
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

Smart
Appliances

Wearabl
e Tech

Healthcar
e
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

The IoT Market

 As of 2013, 9.1 billion IoT units

 Expected to grow to 28.1 billion IoT
devices by 2020
 Revenue growth from $1.9 trillion in 2013
to $7.1 trillion in 2020
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

Why be concerned about IoT?

 It’s just another computer, right?

 All of the same issues we have with access control,

vulnerability management, patching, monitoring,
etc.

 Imagine your network with 1,000,000 more devices

 Any compromised device is a foothold on the

network
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

Does IoT add additional risk?

 Are highly portable devices captured during
vulnerability scans?

 Where is your network perimeter?

 Are consumer devices being used in areas – like

health care – where reliability is critical?

 Do users install device management software on

other computers? Is that another attack vector?
 Information Security
Office of Budget and Finance

Why it is easy to attack IoT Education – Partnership –

Solutions

 Default, weak, and hardcoded credentials

 Difficult to update firmware and OS
 Lack of vendor support for repairing
vulnerabilities
 Vulnerable web interfaces (SQL injection, XSS)
 Coding errors (buffer overflow)
 Clear text protocols and unnecessary open ports
 DoS / DDoS
 Physical theft and tampering
 Information Security
Case Study: Trane
Office of Budget and Finance
Education – Partnership –
Solutions

 Connected thermostat vulnerabilities

detected by Cisco’s Talos group allowed
foothold into network
 12months to publish fixes for 2
vulnerabilities
 21months to publish fix for 1
vulnerability
 Device owners may not be aware of
fixes, or have the skill to install updates
Trane
 Trane,an industry leader in
heating, ventilation, and air
conditioning services and
solutions, discovered a
fundamental need for helping
their customers operate more
effectively and efficiently.
 Trane’s goal is to offer
predictive service in real-time to
satisfy customers the first time,
every time.
Solution:
 Trane relies on Service Lifecycle
Management solutions from PTC and the
power of smart, connected products in their
service-centric approach to taking care of
customers.
 They can anticipate and prevent break-fix
problems by receiving predictive data and
turn it into actionable information before
failures occur.
 This not only improves product uptime and
performance but also increases the value
that intelligent services can provide to their
customers’ business performance.
Results

 PTChas helped Trane leverage

smart, connected products in their
mission to help their customers
make their buildings better for life.
 Traneproduct design teams use
product performance insights gained
through service data for continuous
product and service improvement.
 Information Security
Office of Budget and Finance

Case Study: Lessons Learned Education – Partnership –

Solutions

 All software can contain vulnerabilities

 Public not informed for months
 Vendors may delay or ignore issues
 Product lifecycles and end-of-support
 Patching IoT devices may not scale in
large environments
 Information Security
Office of Budget and Finance
Education – Partnership –

Recommendations
Solutions

Accommodate IoT with existing practices:

 Policies, Procedures, & Standards

 Awareness Training

 Risk Management

 Vulnerability Management

 Forensics
 Information Security
Office of Budget and Finance

Recommendations Education – Partnership –

Solutions

 Plan for IoT growth:

 Additional types of logging, log storage: Can you

find the needle in the haystack?

 Increased network traffic: will your firewall / IDS /

IPS be compatible and keep up?

 Increased demand for IP addresses both IPv4 and

IPv6

 Increased network complexity – should these

devices be isolated or segmented?
 Information Security
Office of Budget and Finance
Education – Partnership –
Solutions

Threat vs. Opportunity

 Ifmisunderstood and misconfigured, IoT

poses risk to our data, privacy, and safety

 Ifunderstood and secured, IoT will

enhance communications, lifestyle, and
delivery of services
Opportunities of IoT in 3 Dimensions

(courtesy of Wikipedia, 2010)