IoT Security – A Joint Responsibility

Download Slides

The speaker asked not to publish the video of their contribution.

Internet of Things (IoT) will be one of the most important parts of the next generation of Internet and will thereby also become an attractive target for hackers.

IoT within this context are not only things like small Bluetooth beacons that push advertisements to your mobile device while shopping in the city or devices that automatically water your plants at home, IoT devices are also present in hospitals, manufacturing lines as well as used for complex home automation and building automation.

This vast number of different devices and use cases also need different protection levels – but in the end – it is always a joint responsibility to secure the next generation of Internet.

Siemens is doing comprehensive work during development of IoT devices to assure a high level of security right from the beginning of the product lifecycle. Within product development departments Siemens applies an holistic security approach which focuses not only on IT-Security to keep hackers out of important parts of the development and manufacturing cycle (like network separation and next generation threat detection), but also to have the right processes in place to assure proper data handling and access protection (full range from basic code card readers to complex single access entry control systems). Besides this holistic approach, Siemens products need to undergo threat and risk analysis to identify potential risk and to define countermeasures in very early steps of the lifecycle.

Siemens also applies different security validation techniques - such as static and dynamic code analysis or security testing - to its IoT products. Before the product launch Siemens’ internal team of pentesters is trying to identify uncaught security issues.

For secure operation of its IoT devices, Siemens provides secure operational guidelines and dedicated security sections in handbooks. This should help an operator to understand the security impact and how to set up the device within the customers environment in a secure and safe manner.

And guess what – not all devices are made for putting them directly on the Internet without any additional protection or perimeter in front of it. Within the operational phase of the product lifecycle Siemens provides fixes for known vulnerabilities and secure maintenance support. This is also the phase where the responsibility of the operator comes into the game, because secure operation of critical infrastructures and safety of our communities is a joint responsibility.

The responsibility of the operator is to specify the security requirements for the solution in such a way, that the solution fits to the risks and intended use as well as the operational environment. This means that the operator is responsible for ensuring that the security is kept at the highest possible level within the life-time of the solution. These activities are supported by security related patches, guidelines and manuals of the manufacturer.

Another very important player in this joint approach is every single security researcher within the community. Although Siemens – as well as other manufacturers – are trying to doevery possible step to assure that their products are secure, over the years those devices operate in the field and the chances rise that there will be new and formerly unknown security issues. This is where researchers often help to uncover security issues by reporting them to the manufacturers in a responsible way and thereby help to fix them in a timely manner keeping the operational environment secure.

But manufacturers, operators and researchers are not the whole cake. National CERTs as well as governments also play an important role. They monitor threats and risks for the community as well as weaknesses in those technologies, give guidance and support the operating entities. This is a very important task as they act independent from manufacturers and often have a broader view of the community they are responsible for. National CERTs can leverage governmental resources (e.g., law enforcement or requests to ISPs) to identify assets at risk and to inform the operators about risks and protection mechanisms which is very often impossible for manufacturers. Governments can create laws that regulate a common minimum protection level for critical operation environments and push operators to implement the corresponding processes and techniques.

This talk will demonstrate why IoT security and thereby security of the next generation of the Internet only can be assured if all parties are walking in the same direction: Manufacturers, Security Researchers, Operators and National CERTs.

About the Speakers

Dr. Michael Spreitzenbarth

Dr.-Ing. Michael Spreitzenbarth has studied Business-Informatics with a major focus on IT-Security and digital forensics at the University of Mannheim. Between the years 2010 and 2013 he worked as an PhD candidate and researcher at the University of Erlangen-Nuremberg. His research topics were forensic analysis of smartphones (mainly Android-based devices) and detection as well as automated analysis of mobile malware and other potential unwanted applications. During this time he worked as an freelancing consultant within numerous IT-Security related projects for various customers. Since April 2013 Michael Spreitzenbarth is working for Siemens AG with a major focus on securing mobile devices, incident response and analysis of business critical as well as potentially malicious applications. In his free time he is still doing research as well as consultancy in the area of mobile security (mainly mobile malware analysis and digital forensics) and is giving lectures and talks in the afore mentioned topics at the University of Erlangen-Nuremberg and at the Landshut University of Applied Sciences.