12.05.15 IoT Security Update

Last week NMI hosted the IoT Security Summit at the home of the code breakers – Bletchley Park.

As we explained previously [in this post], we believe there is plenty that can be done collaboratively to help liberate the IoT: share learning, reduce market barriers whilst raising fit-for-purpose defence barriers (…in multiple environments with expanding attack surfaces – phew, that’s a mouthful).

Of course, it isn’t possible to cover every facet in one sitting; however, we did cover much of the landscape: national interests and opportunities, applicable cryptography, case study examples of hacks and attacks (consumer, automotive and beyond), and views from the chip, software and mobile operator perspectives. All this before finishing up with a panel discussion which included Europe’s first cyber-security accelerator, CyLon.

During the proceedings, we heard example after example of how organisations had been caught exposed while often simple remedies could have been used to reduce business risk and increase customer protection. We also heard that it’s not “the” Internet of Things but rather “an” (i.e. instance of) Internet of Things that needs to be considered for proper security. Definitively – it’s not a case of if things go wrong but rather when. It’s not all done when the product leaves the factory – along with the measures that can be applied before releasing products, companies also need to have a plan ready for when vulnerabilities are exposed in the field. Just like the good boy scout, you need to be prepared and you must have a mechanism for patching security flaws in operation – and most likely at scale (humans in the loop are decidedly inefficient for many applications).

Reducing the attack surface was part of the mantra of the day – which is where I have taken inspiration for the title of this blog post: not only does security need to be layered (enter the onion), it also needs to be segmented (enter the orange) and then sliced (enter the bread – anybody have better food themed suggestions?). In this way, conceptually at least, vulnerabilities can be reduced.

At the very start of the event planning process we thought it would be a good idea to somehow map the vulnerability landscape – create a threat map – to show in a very simple way where the most vulnerable attack points are likely to be. Beecham Research (our analyst friends and partner for the event) took the suggestion to completion and unveiled their first version of the IoT Threat Map during the panel session. You can download a free copy of that map here [Beecham IoT Threat Map].

With trust as a central theme, a good number of recommendations and ideas came forth during the proceedings – especially how we (industry, customers and all other stakeholders) all might work together to progress the robustness and quality of IoT systems. Whilst ideas are a good starting point, action is desired hence we asked the question:

Should NMI assemble a group of interested parties to identify and take next steps to address the priority issues raised today?

The votes are now in and counted – I am pleased to say that 97% of respondents voted yes (and in the interest of disclosure I will add a caveat that 2 of those voting suggested it would only be a yes if something tangible came from the group).

So there you have it – watch this space – we will be working with this new community to determine what is right and proper for NMI to help in liberating the IoT.

[Copies of the talks and presentation materials will also be available to attendees and members on this website shortly.]

Article by John Moor, VP New Segment Development, NMI
