The #AskIoT team sits down with Andrew Howard to discuss what security actually means, the risks associated with IoT solutions and devices and misconceptions the public has when it comes to security in IoT.

On this episode, we dive into the basics of security in IoT including what it is, areas that need to be addressed and who is at risk. Andrew addresses how companies should approach cybersecurity and what needs to be done by manufacturers, software providers, the government and the public to ensure our devices are as secure as possible.

The episode concludes with our #AskIoT segment and a final word from Andrew. He leaves us with a reminder that there’s a lot of momentum in the industry to improve and the most difficult factor in IoT security is that very few devices are the same, limiting them and making it difficult to build one size fits all solutions.

#AskIoT Questions:

  1. Which industry is most at risk to security threats in IoT?
  2. How do you handle building security into legacy systems?
  3. How should non-technical companies approach IoT adoption?

If you’re interested in connecting with Andrew, you can find him on LinkedIn!

About Kudelski Security: Kudelski Security is a premier cybersecurity solutions provider, working with the most security-conscious organizations in Europe and across the United States. Our long-term approach to client partnerships enables us to continuously evaluate their security posture to design and deliver solutions to reduce business risk, maintain compliance and increase overall security effectiveness.

Have any IoT related questions you want us to ask on a future episode? If so, tweet us @iotforall or use the hashtag #AskIoT and we will be sure to see it!

Transcript:

– [Ken] You are listening to the IoT For All Media Network.

– [Ryan] Hello, everyone. And welcome to another episode of the IoT For All Podcast on the IoT For All Media Network. I’m your host, Ryan Chacon, one of the co-creators of IoT For All. Now, before we jump into this episode, please don’t forget to subscribe on your favorite podcast platform or join our newsletter at iotforall.com/newsletter. You can catch all the newest episodes as soon as they come out. So, without further ado, please enjoy this episode of the IoT For All Podcast. Welcome, Andrew, to the IoT For All Podcast. Thanks for being on with us. We’re happy to have you. And I’d love for you to kind of start of this episode just kind of giving a brief introduction to who you are, to kind of fill in our audience.

– [Andrew] Sure, thanks for having me. My name’s Andrew Howard. I’m the Chief Technology Officer for a security provider known as Kudelski Security. I’m based in Atlanta, but have been in the IoT game for the last couple of decades, well before it was called IoT. So, excited to talk about IoT and the security ramifications.

– [Ryan] Great, yeah, I know kind of talked about this in our pre-interview conversation, but for us, at least for Calum and I, this is gonna be a good area for us to learn a lot from you, so expect a lot of, maybe basic questions, but I think our audience will appreciate getting kind of a real view on what IoT security is about and kind of correcting any misalignments and stuff like that.

– [Calum] Yeah, this is the real reason behind the IoT For All Podcast. For me and Ryan

– Yeah.

– [Calum] To pick the brains of experts.

– [Ryan] Yeah, I think the best way to kind of move on now that you made an introduction is talk a little bit more about your company, what are you guys doing in the IoT space, I know it’s obviously security focused. But if you could just kind of shed some light on what the company does as it applies to IoT, that’d be wonderful.

– [Andrew] Sure, so we are a Swiss-based security provider. So, headquarters is in Geneva, Switzerland, but we’ve expanded into the US, publicly traded on the Swiss Exchange, several thousand employees. Our company and the portfolio of companies that we’re associated with are all in the security space. So the heritage of the business is providing security for satellite streams. So whenever you watch that cable program in your home on whatever cable provider you have, if you still have one, that content is likely provided and protected by us.

– [Ryan] Okay.

– So we work with content makers and protect that content. We have other businesses that protect physical spaces. So we run the largest public access protection business in the world, through a company known as SKIDATA. If you go see an Atlanta Falcons game and you scan your ticket into that game, they provide that capability. And then, finally, we run a cyber security business that’s focused on helping enterprises protect their infrastructure, and their data, and their crown jewels, help their businesses operate efficiently and securely. And so, IoT falls into, really, all those categories. It’s really horizontal across everything we do. But from a security perspective, IoT is part of every single company’s future that we work with. I mean, there’s not an enterprise out there that isn’t trying to move their product base into IoT, leverage someone else’s product in IoT to make their business more efficient, or frankly, just has IoT device deployed throughout their enterprise. And so our customer is typically the CIO or the chief information security officer, and IoT is of very big interest for them. And so our company provides solutions and advice across the IoT spectrum, from helping clients make decisions about what IoT devices to buy and how to integrate them and how to securely operate them, to helping product manufactures secure their devices, make sure their devices operate smoothly and securely at scale, all the way to telecommunications providers that are providing the backbone infrastructure across the world to allow IoT devices to communication over the cellular infrastructure efficiently and securely. So our technology is embedded in many of the products you use every day, as well as the advice we give helps enterprises do the right there.

– [Calum] So to ask a very basic question, what does security mean? Because there are, I would imagine, many pieces to it. There’s the physical security and there’s likely many others but for those who are thinking, “Okay, that’s great.” I hear a lot about security, I think that’s a good thing. What does that actually mean in practice?

– [Andrew] So, if I gave an academic answer, I would say something like, security is there to protect the confidentiality, or the privacy, the integrity, and the availability of data or a solution. That’s a very academic answer. In the IoT space, what security means is, make sure that the device operates as expected, make sure that whenever it communicates with other devices or back to the cloud or some main system, that it does that in a secure way, make sure that no rogue devices connect into the IoT infrastructure, and prevent third parties, or potentially the user of a device, from doing anything, accidentally or maliciously, that the designers of that device and the owners of the data didn’t intend to happen. So security means make everything work as expected and keep the bad guys, and potentially the users who could be the bad guys unintentionally, from doing anything stupid.

– [Calum] So what would be some of the examples of security breaches? Whether that’s from users doing something stupid, or from mal or bad actors?

– [Andrew] So the most public information out there that is regularly discussed in the media is particularly around IoT cameras. I mean, that’s where you’ll see the most public facing breaches that occur, where you’ve got cameras that are accessed by third parties, malicious actors, and they access those cameras, bypass the security that may or may not exist on those. And we can talk more about what that looks like or doesn’t look like. And access video streams that they were not supposed to see. So this is, in the most simple case, this is someone looking at your nanny cam and shouldn’t be looking at it. In the most extreme cases, this is people looking at video streams in very sensitive areas, such as government buildings or laboratories. And then in alternative cases, this is third parties accessing cameras, not caring about the video streams and simply taking advantage of the computing power inside the camera to go launch an attack on somebody else. And if you think about the millions of cameras that are out there, or billions of cameras that are out there, if you can gain access to a lot of them, that’s a lot of computing power you can use to go do bad things. And that simple example around cameras really applies to IoT devices everywhere. People are trying to gain access to them to either gain access to data that their not supposed to have access to, or take advantage of the device to do something more nefarious.

– [Calum] Yeah, I think that’s a really important point to highlight. I think when many people think of security, they think of how it impacts them directly. So, “Oh, someone’s taken over my security camera. “Well, that’s not so bad, it’s not pointing at anything “that I wouldn’t want them to see.” But there’s also the consideration of not just on the individual level, but on the aggregate level. If you now have thousands or millions of this devices with compute power, as you say, then these nefarious actors or parties can use those to launch attacks against infrastructure. And I believe, and I’m somewhat ignorant here, but this was the basis of the Mirai botnet attack a few years ago, correct?

– [Andrew] Yes, so in the Mirai botnet, the developers of that attack came up with a way to gain access to a large number of cameras. Thousands of them, millions of them. Cameras that were on the internet, publicly accessible by the internet, and were able to have all those cameras go make requests to different infrastructure websites that they wanted to take down, and basically conducted an out of service attack. So, since so many requests to a specific website from those millions of cameras, the website goes down. So, that botnet generated gigabits of traffic. So a very effective approach. And this is the kind of more scarier end of IoT security. If you’re a IoT device manufacture, you do not want your IoT device being a part of these botnets. It’s not good for your brand, it opens you up to liability.

– [Ryan] Within IoT, what is worth being concerned about from a security perspective, and from your perspective, and what isn’t? Because from what I’ve seen, there’s a lot of things that might be genuine concerns, but then other things that there might be a lot of chatter around, but don’t really merit the level of concern that is leveled at them? So, from your perspective, looking back on the past few years and the current state, what are some of the areas that you think need to be addressed, and then what things, if any, are people talking about, that aren’t really concerns to you?

– [Andrew] Sure, so I’ll try and answer this question from the viewpoint of a product manufacturer. And the only reason I say that is, because depending on your viewpoint, that answer can be very different. For example, if I try and answer it from the perspective of an individual worried about privacy. But for someone out there trying to build a product or use a product as a company, so like an enterprise perspective, I think there’s a spectrum, and I’ll say that the spectrum gets amplified based on the scale of the attack. So, on the kind of far right, most scariest end of the spectrum, is any kind of security breach on an IoT device that leads to physical harm. So this is your connected manufacturing floors, connected nuclear plants, connected cars. I mean, the attacks that can happen on these physical devices that if someone manipulates the devices or sends a bad signal to the device or out of services the device and leads to physical harm, those are things you should be concerned about. And I’ll say for our client base, that tends to be where there’s a lot of focus, because that part of the industry, connected vehicles, connected transportation, connected industrial items, there’s a lot of focus on how to connect those, how to do better connectivity and smarter connectivity, because it leads to more efficiency and cost savings. But there are super, mega physical security risks. So that is definitely being worth putting some focus on. I would say kind of one step inside of that is this class of security attacks that I’ll refer to as integrity attacks. And these are attacks where someone is not trying to destroy an IoT device or pull data off an IoT device, or even make the IoT device do anything it’s not supposed to do. All they’re trying to do is modify the data on the IoT device such so that whenever that data gets pulled back to the cloud or the mainframe that’s consolidating all that data, it messes with the results that impact something else, okay? And so the example there is sensors in the field. So if someone could theoretically, not just theoretically, but could deploy an attack that modifies enough sensors in the field that impacts the decision making that’s made behind the scenes. And so, this is particularly concerning in kind of military-style environment where they’re dependent on sensors in the field to make tactical decisions in the fight. And so those are very concerning. Those same concerns apply in places where financial decisions are being made based on data being collected from IoT sensors in the field. And outside of consumer goods, a lot of IoT is based on sensors. So the integrity of the data on those sensors is incredibly important. And then you kind of step in one more level, and I think what would be concerning there is someone pulling very sensitive data that has huge financial impact off of a system. So this would be intellectual property or design information that could really impact a company. And then what I think is even kind of farther left than that is individual privacy information, so PII or PHI, personally identifiable information, personal health information, et cetera, credit card data, that impacts a user. And I’ll say, to talk a little bit about scale, on the right side of that where there’s people getting hurt, it only takes one incident for it to be really bad. And so you’ve gotta build your security to keep that one incident from happening. On the left side of the scale, where we’re talking about individual privacy data, if only one incident happens, that’s bad for the consumer, but the product manufacturer probably doesn’t care. But you scale that up to 100 million users and now the product manufacturer cares. So it’s all about scale and perspective, but that’s what I’m worried about.

– [Ryan] So from the product manufacturer perspective, who’s at risk? Because immediate thought that comes to mind for me is you’re saying, “Okay, someone might be trying to steal “personal information, credit card information, to get financial data to maybe even steal money.” But if there’s a company out there, or a product manufacturer that’s thinking, “Well, I don’t store that data, so therefore, “I’m not at risk,” is that true? Or is everyone at risk? Or are there particularly entities or kinds of organizations that are more likely to be targeted?

– [Andrew] Everyone’s at risk. So where this conversation typically happens is, if there’s a breach on an IoT device, kind of who’s at fault? Is it the IoT device manufacturer? Is it the company that’s using that IoT device for some purpose? Is it a third party? And the answer is it’s complicated and it could be everyone. I mean, in my opinion, the IoT device manufacturer has an obligation to do the right thing and provide common sense security precautions against reasonable attacks on their device, and then the enterprise that uses that device has an obligation to make sure that the controls that the manufacturer deployed work and make sense, and then the consumer of that device has some obligation to make sure they’re okay with their personally identifiable information being on that device. I mean, there’s a need to everyone to know what’s going on. And unfortunately, in typical cases, all three of those parties turned a blind eye to the problem. At best case, one of them might care.

– [Ryan] Yeah, one of the things I was actually, it kind of ties into your comments there, I was looking around your guy’s website and kind of learning about your approach. And I’d kind of love to hear you talk a little bit more about your guy’s approach to IoT security. And you talk about, at least there’s four points on your website that you mention, I think are interesting. Device security, data security, access management, and active security. Especially that active security side of things. Can you just explain to the audience what those four areas kind of entail in an IoT sense? And then kind of expand on how you guys help maintain security going forward, so to ensure that IoT devices are protected, as they scale, as they grow, as new attacks kind of come to light?

– [Andrew] Sure, so we work with device manufacturers who are making everything from consumer goods and consumer devices to devices that end up being on power plant floors, to manufacturing floors, to connected cars. We talk about these four areas. We first talk about device security. So this is security of the device to make sure that it can withstand physical attacks to the device. So, what we’re trying to help the manufacturer prevent is someone buying one of these devices, taking it home, opening it up, and being able to extract sensitive information, such as cryptography keys, from the device and then using those cryptography keys or other sensitive information, such as intellectual property, to go launch some larger attack on the IoT ecosystem of that device. So this is particularly concerning, this is particularly important whenever that device is part of an access control system or is a decision-making device. It’s the device that allows something else to happen. You don’t want someone to be able to open that device and make changes on the fly. So we wanna go protect the device and make sure that it can identify itself to the network, that it’s authentic, and that all the software that runs on that device is protected, so that someone can’t load their own software onto the device. A lot of the attacks that we see, at scale, are about people pushing bad software updates or malicious software updates, to a large number of devices. So we wanna go protect the physical device, then we wanna make sure that device can authenticate itself to the network, or to the ecosystem. Identify itself and protect the software that it executes. Then we talk about data. We wanna protect that data wherever it lives. When it lives on the device and is stored on the device, when its in transport back to wherever it’s going, and then once it hits the cloud or whatever other system or ecosystem that’s behind that cloud. And in many of these IoT environments, there’s a lot of focus on the security in transport, because that’s typically the easiest place to secure the data. You just encrypt the channel. TLS, SSL, other methods. But often people forget about the data that lives on the device. You wanna protect the confidentiality and the integrity of these devices, of the data on these devices, for the reasons I talked about earlier. But there’s also a concern once that data leaves the device, because in many of these environments, that ecosystem in the cloud is incredibly complex with a lot of different players and a lot of different regulations in place that create a lot of challenges for IoT device manufacturers. And this is what leads us into access management. So once that data is where it needs to be, whether it’s on the device or in the cloud, who has access to it, where can they access it, when can the access it, under what circumstances can they access it? We also help product manufacturers control access to their features, because many device manufacturers will build an IoT device that has a lot of capability, but they’ll only expose half of that capability to the people who pay one price and expose the other half of the capability to the people that pay the higher price. You can think about this just like a cell phone that has capability that’s not yet turned on. We help them make sure that people don’t go turn on capability that they actually haven’t already paid for. This helps protect those revenue streams. And then the act of security is what you do once there’s an attack. So if these devices are under attack, what options do you have? And unfortunately, for most IoT systems today, there just aren’t a lot of options. Your options are basically cut it off from the network. And frankly, most partners that we work with, historically, have been lucky to even be able to do that. So active security says, if an attack is detected, either on the device or in the cloud or through some other means, what are you gonna do about it? And what our viewpoint is, is that the device itself needs some capability to deploy countermeasures to try to stop the attack. We also need the cloud that manages that device to be able to deploy countermeasures in a smart way. That may include turning the device off, it may include just cutting it from the network, it may include bricking the device, so making it basically lock up like you lock up a lost cell phone. Or it could include some other countermeasure that’s a little more creative. So you smash all those kind of four things together. Device security, data security, access management, and active security, and you’ve got a fairly robust IoT architecture that can withstand attack and can adapt.

– [Ryan] That’s great, and talk you us a little bit about when the companies that you’re working with, kind of take me through their journey, as far as, what phase are they kind of coming to you and reaching out? Like what does that buyer’s experience or journey look like? Are they coming to you pretty early on and saying, “Here’s our devices, here’s what we’re looking to build, “and we need help securing them”? Or are they coming to you later, after maybe an attack has happened, they realize they didn’t put the emphasis on security when they should have? Kind of when are they coming to you and how active are you guys in kind of building the solution to help them secure their individual devices?

– [Andrew] We run into device manufacturers kind of in two major categories of development. So the first one is, “I have a legacy device “that I’ve been running forever and now it’s time “to connect it to the internet,” okay? And so, simple examples like washing machine manufacturers who now want, dish washing manufacturers who want consumers to be able to manage the status of their dish washing load through their phone, okay? And make settings and do maintenance. And so they’re taking a legacy device and then basically just smashing IoT capability into it. That scenario is what, for most companies we run into, particularly the companies that have been around for a while, so not startups. And frankly, and more often than not, it’s, from a security perspective, pretty scary. Because you’re talking about connecting a device that was never intended to be connected to the internet. The people who built that original device had no concept that it would be ever connected to any kind of network. And then the other type of manufacturer we run into is someone who’s doing it from scratch. And that’s a little bit of an easier situation for us, as long as we can get kind of early into the design phase, because once the device is built, or pretty close to being built, if security wasn’t taken into consideration, you basically are in the same state as the first category. You just have a legacy device that wasn’t built properly. So to do this security thing right, you really gotta be thinking about security from a very early stage in the design process.

– [Ryan] Makes a ton of sense. I guess when people are coming to you to help build these solutions, are there any really big misconceptions that they’re coming to you with? Or maybe fears that are not as realistic or as realized as maybe they think there are? I know we talked a little bit about this earlier in Calum’s question, but more specifically to any individual Applications or client’s that you’ve been working with?

– [Andrew] Yeah, I mean, the most common thing we hear is, “Why would anybody attack my device, it’s just a,” for example,

– Right.

– [Andrew] “A connected toothbrush,” right? I mean, that’s pretty common. And so it takes some education to get them past that. And then the second thing we hear is that, the device manufacturer’s not concerned about physical attacks. “Hey, if somebody opens up my specialized device, “I don’t really care, because it’s just one device,” you know? Whereas they’re very concerned about network-based attacks.

– [Ryan] Mm-hmm.

– [Andrew] That could, theoretically, attack the entire infrastructure. And those are, in most, not all, but most cases, big misconceptions.

– [Calum] I find it really interesting bringing in the physical aspect, because something that strikes me about IoT is the fact that, if you’re going to be dealing with thousands, or even millions of devices, old paradigms might not work. And my thinking is that, in the past, it may have been possible, if you had physical devices, to put them in a secure location where the likelihood of someone getting access to them would be very low. And so then maybe it’s not as important to have that physical security. And maybe that’s where some of these misconceptions are coming from. But when you’re dealing with thousands and millions of devices deployed who knows where, then the odds of someone being able to get access to even one of those, yes, maybe the one device isn’t a concern, but it then becomes very important that they aren’t able to enter through that device into the larger network, or to spoof information through it, which could have ramifications, is that kind of a correct read on IoT and security?

– [Andrew] I think that’s a proper read. If you are building an IoT device, the last thing you wanna have happen is have your device be the reason that your customer got hacked.

– [Calum] Mm-hmm.

– [Andrew] Okay, or breached. And even if it’s not, even if they didn’t attack your device, even if they didn’t extract any data off your device and your device operated as expected, if they used your device as a mechanism to get into the client network, that’s almost worst. And I think you’re right, I mean, there’s definitely a mentality, especially on the industrial side of the equation, that disconnecting things from the internet makes them secure. And I could have a whole podcast on why that’s not the case. But all IoT is doing is connecting a bunch of devices that were never intended to be connected and really forcing some new thought about what it’s gonna take to secure them.

– [Calum] Yeah, and to make it real for our audience who are thinking, “Okay, how seriously should it be taken?” I was reading an article the other day on the TRITON malware. Are you familiar with that? Yeah, so from my very limited understanding, it was from 2017, and it was malware that was identified in a petrochemical plant in Saudi Arabia. And so, being a petrochemical plant, that could have resulted in people actually dying. And so, as more and more of our infrastructure becomes connected, that has many benefits, but it also opens up these possibilities where people could literally be killed or seriously harmed with attacks on infrastructure.

– [Andrew] I think you’re right. And in my industry, the kind of wake-up moment for a lot of people around this has been Stuxnet, which is the SCADA system attack in Iran, first uncovered in about 2010, where malware was put onto a nuclear centrifuge to make it spin out of control. And what’s interesting about that attack is a couple of things. First, you’ve got someone attacking kind of a physical system in a very public way. The second thing is, is that device was not internet connected, okay? So they were able to hop the internet disconnection to make this attack happen. And so, if attackers could do it when the device is not connected to the internet, just imagine what that can do once their internet connected if the proper precautions aren’t taken.

– [Calum] Right. And I think there was another one recently with Russia attacking Ukraine’s electric infrastructure, I believe?

– [Andrew] Correct, and there are examples of this in the US where people have taken over emergency broadcast systems in different states. I mean, there are countless examples of these industrial attacks, which I think are quite unnerving.

– [Calum] Yes, and for our audience, take this seriously .

– [Andrew] Take it seriously.

– [Ryan] Yeah, how, if any, is the government kind of playing a role into IoT security? Are they implementing any type of regulations? Are they trying to formulate some level of standards for certain devices? I mean, or is it something they haven’t really gone into, because IoT, to some degree, is still early?

– [Andrew] Oh no, I mean, this is something that the government is very focused on.

– [Ryan] Okay.

– [Andrew] And it comes across through a variety of different agencies. But Homeland Security, DHS, has a huge focus on this. The big demand out there in the market is for an IoT security standard. And just like there is a security standard for how to build Windows server, somebody, the thought process is, there should be a standard for how to build an IoT device securely.

– [Ryan] Mm-hmm.

– [Andrew] And there are certain attempts to do this through DHS and through NIST and through ISO and through a variety of other standards bodies. The challenge is that every IoT device is a little bit different, and often the environments that these IoT devices have to operate in, offers some significant constraints that make security difficult. And I can dig into that more if you want me to, but these devices don’t tend to be homogeneous, I mean, they tend to all be a little different, which makes standardization very difficult.

– [Ryan] Yeah, that makes complete sense. We had a guest on a couple weeks ago and we were talking about just general IoT products in the consumer space and talking about the advice that he had for buying IoT devices for their home, and as if you’re going outside of the main popular brands and just kind of going on Amazon and typing in “voice assistant” or “smart home hub” or whatever and there’s so many generic ones. A lot of them are from foreign countries, and this is kind of running into a very big security risk, like you kind of mentioned earlier with the cameras. And then ones coming from China were actually taking that video data and actually sending it back to China and you didn’t know that was happening. So I just kind of would like to get your thoughts on kind of the advice you have for consumers when it comes to buying IoT devices outside the enterprise space, and if there’s kind of, do you stay away from generic? I mean, that’s kind of the advice we were given on multiple podcasts, which makes totally sense, or if there’s anything that you think people should be kind of thinking about when they’re actually trying to deal with IoT devices outside of an enterprise setting?

– [Andrew] Oh, I think that’s a good question. I think the first thing that the consumer should just recognize is that, that IoT device that they’re buying, whether they’re buying it from a known provider or an unknown provider, in some point in its lifecycle in your home, is likely going to be vulnerable to attack and compromise, whether that’s now or in the future. So you can go buy that device now and the vendor will stand behind it, but it’s likely that some patch in the future will put that device at risk. So I mean, my advice to consumers is, you just, you need to be smart, so somewhat assume that that device is acting like it shouldn’t. Buying well-known, US-based brands, tends to be to your advantage.

– Mm-hmm.

– [Andrew] Because it is to company’s interest, like AWS, or Amazon and Google to build secure products, where devices from other countries that may not be the case. But that’s no guarantee. And then the second thing is, is that you need to have some good hygiene about these devices. So, first, if they require passwords, make sure they have passwords that are secure. If your device can require multifactor authentication, where you have to use your phone

– Right.

– Or some other device to authenticate to it, that’s a good thing. Put them on a separate virtual land on your home router, if it supports that.

– Okay.

– [Andrew] Just be smart. And if you do the smart things and understand the risks that you’re taking, even with those smart things, you’re probably okay. If you put sensitive data on a device, you are taking your risk that that sensitive data will be taken.

– [Ryan] Absolutely. I know we’re kind of jumping around here to different topics, consumer, enterprise, government, all that kind of stuff. But I wanted to kind of circle back to talk a little bit more about the work you guys do at your company and kind of attaching it to individual-Applications and maybe talking about the whole experience you’ve had with individual clients in a certain vertical. Obviously, I’m not looking for any names here, but I know on your website you guys talked about connected vehicles and fleet management. Could you kind of take that example and talk a little bit more in-depth about how that works? What kind of problems are people coming to you with in that space? Looking for security solutions and how you guys are assessing the possible risks, and then kind of building the security to protect them?

– [Andrew] Sure, so if you’re talking about fleet management or vehicle management, you’re talking about dongles. So a dongle called OBD2, which is a diagnostic dongle, just that plugs into that little port underneath the steering wheel.

– Right.

– [Andrew] So if you’ve seen the Progressive commercial apps and they talk about that little plug that they plug into your car, that’s plugging into that OBD2 dongle, that OBD2 port. So these fleet management companies go out there and they build these OBD2 dongles that plug into that port, they talk ever cellular, predominantly. So it’s got a 3G, 4G, or 5G connection on something like Verizon. And it’s got a GPS antenna inside there, GPS modem, and it’s got some other sensors in it that track information about where the vehicle is, where it’s been, and then it has the ability to interact with the vehicle and draw some diagnostic information. So that’s how they work, and so the idea being, if you plug one of these things into your 10,000 cars in your fleet, you now know where they are all at one time, which, I know in the fleet industry, just doing inventory of all the vehicles within the fleet is a huge hours, huge amount of hours to go do, huge money waste. So, theoretically, now I just open my app and I can see where all my cars are, run all the reports, great. Here’s the problem is that, that OBD2 port that that dongle is plugging into, was never designed to be plugged into a connective device. Runs typically on something called the CAN bus, which is the kind of automobile network inside the car, has virtually zero security built-in. So if your car is driving 100 miles per hour down the highway and something or someone sends a message down that OBD2 port, through that CAN bus that the car should turn the wheel 270-degrees as fast as possible, even though that command makes zero sense whatsoever, the car will respect it. And so, this is a classic case of connecting something that shouldn’t have been connected. And where we would work in that case is a couple of things. One, help them connect that OBD2 dongle to the network securely, so that someone can’t come in and take it over while I’m driving. And then secondarily, put some security in place to make sure that even if a bad command is sent to the dongle, it doesn’t pass that command onto the car. And we provide a lot of other features, for example, to make sure that bad firmware isn’t put on the device and that if someone opens the device they can’t do anything with it. And that the data that’s sent back up to the cloud is authentic. You wouldn’t want someone to steal a car and say that car is in Kansas when they’ve actually taken it to California, as an example. So we try and protect the business model of the fleet manager, make sure it’s a safe experience for the driver, and then finally, provide a lot of nice, rich data that’s authentic and has high integrity for the fleet management.

– [Ryan] Okay, great. Calum has some experience in this world. I’d love to kind of get his thoughts on what he’s experienced and come across.

– [Calum] Yeah, I’ve had some personal experience working on Applications that involved the OBD or tracking devices. And I think it’s interesting the point you raise, because this is a repeat theme, regarding putting IoT into or onto things that were not designed for that. And this OBD tracker example is a perfect example of that, where it’s great, because it has power and it has certain codes you can pull from the car, like, battery voltage or things like that, which is great. And so being able to get that information can be very useful, but fundamentally, these OBD ports, and for those who are curious, it stands for ‘on-board diagnostics’, that those are not meant for these trackers in them. And so we actually, in our previous podcast episode, were talking about exactly this, is that as nice as it would be to start from greenfield or many of these IoT solutions, unfortunately, there’s a world that already exists. And so, building on top of that is necessary, but it also has a lot of challenges, because things weren’t necessarily designed from the beginning to take security into mind, or for the potential of one day becoming connected.

– [Andrew] Right, and I think that is OBD2 dongle example was a pretty nice example of the problem. And you could just imagine how bad it can get. I mean, I can go wreck a bunch of cars, which is bad, but the same example applies to nuclear facilities, right ? Centrifuges, right? And so it doesn’t take many of those to blow up to a big problem. So these situations where IoT is connected to a physical device, or a physical unit that transports or provides safety, is where I think there’s a lot of necessary concern.

– [Ryan] Yeah, I appreciate that. I think this would be a good point for us to transition into our “Ask IoT Questions”. I know Shannon could jump in here in a second. Just to give the audience a little context to this, the “Ask IoT” section of the show, which we’ve been doing in all of our episodes, is an opportunity for us to kind of collect questions from the audience, from conversations that we’ve seen on social media, pull them into the context of this conversation and allow the three of us to kind of discuss them. Though usually more general, sometimes a little specific, but most the time they’re more general, they kind of appeal to a large audience. So, Shannon, if you wanna jump in real quick and kind of ask us the first questions and then we can kind of chat and then go ahead, I think you have, right, three of them today?

– [Shannon] Sure, which industry is most at risk to security threats in IoT?

– [Ryan] Andrew, you wanna take that one?

– [Andrew] Sure, I think the easy answer is what we just talked about,

– Okay.

– [Andrew] The industrial space. I think another answer might be the medical space. I mean, that’s where I see a lot of future risk, as we’re plugging in dialysis machines, and heart pumps, and insulin pumps, and pacemakers, and all kinds of things that, at scale, or even in small numbers, have a lot of human risk.

– Okay.

– [Calum] It would seem to me that there are, actually two things I would be thinking about. There’s not only risk. Two elements would be, like, the ease of a security breach, but also the ramifications if it happened. And so, sectors in which lives are on the line, whether it’s like, medical or military context, or large power plants that could cause a lot of damage, even if they are more hardened, there might still be more risk there, because the consequences of that, versus some IoT toy, which maybe is easier and therefore, higher risk to be hacked, but less of a target to people, because there’s less value there or just less potential harm. So, I don’t know, those are my thoughts on thinking about it, is not only the, perhaps, ease of risk of security breach, but then also, what are the effects that could happen from that.

– [Ryan] Andrew, I’m curious to get your thoughts if we kind of transition this same question to the consumer space, because a lot of people who listen do buy IoT devices for their home, for their personal interests. What kind of devices do you think are most at risk, or should people be most weary of purchasing for their own consumer or individual benefit?

– [Andrew] Oh, I’d be concerned about them all. But that’s-

– [Calum] Your job.

– [Andrew] You gotta live your life at the same time , but I think on the, you should be more paranoid about devices that are a little more unique and get less scrutiny, okay? So what I mean by that is there’s good reasons to be concerned about an Amazon Echo, okay?

– Mm-hmm.

– [Andrew] I’ve got concerns about that, that we could talk about. The reality is, is that there are a lot of those out there, there’s a lot of people looking at it, so if there are concerns, those are likely to see daylight, whereas, if this is some one-off device that you bought on the road, out of country, or got through the mail from a suspicious website , the likelihood of there potentially being a problem there, if it’s not in widespread usage, is much higher. So it’s not a great answer, other than to say, the more popular the device, the more likely it is that if there are problems, they’ll see daylight.

– [Ryan] Have you come across any devices, that you can specifically mention, that have really scared you?

– [Andrew] Yeah, I mean, so we pretty regularly see back doors in devices.

– Okay.

– [Andrew] So these are like maintenance accounts on devices, that should have been removed. And I’ve seen those back doors on all types of devices. But I’ve also seen them in, kind of, some fairly high-profile systems that are in a lot of different enterprises, that really make me nervous. So, and without specifically mentioning devices, I’ll say that a lot companies that build these devices leave back doors for good reasons, and I understand why they do it, but they shouldn’t do it, and they should announce that they do it. It’s scary that they’re there.

– [Ryan] Great, Shannon, you wanna, and I know Calum wants to jump off in a second, but you wanna go with at least the third question?

– Sure.

– I think this’ll be a good one to kind of aim at Calum, to kind of start with.

– [Shannon] Sure, how should non-technical companies approach IoT adoption.

– [Calum] Wow, that is a broad question. Well, first, listen to this podcast, which you’re already doing, so good job. Hmm, yeah, I guess this is a good question for me, coming from a non-technical background myself. So, I was a philosophy major and now in the IT industry, which, for some people, is surprising. I think, though I joked about podcast, really getting yourself educated is the most important step, because in the early stages, you don’t know what you don’t know. And so, being able to ask the right questions, you need enough understanding to even know what questions to ask. And so, I don’t think there is a single right way, but probably the fastest path forward is to talk with people who are in the industry, whether that’s peers at other companies who are pursuing IT initiatives or IoT companies in the space who you see putting out really valuable content, reach out to them. Say, “Hey, I have some questions,” and that’ll give you a good starting spot to begin figuring out what you don’t know, and then following up, to dive deeper into the things that matter to you and your organization.

– [Ryan] Yeah, I think that’s great. Andrew, any thoughts there?

– [Andrew] Two thoughts. One is, don’t try and do this yourself.

– [Calum] Yup.

– [Andrew] I mean, outside counsel is a good idea. And I don’t just mean online content. I mean go hire a consultant. If this is new, if this is a greenfield topic to you, hire a consultant, get some help, the money will be worth it. And then the second say is, build as little as you can from scratch. So don’t go build your own identity system, don’t go build your own encryption system, don’t go build your own message passing framework. Go use solutions, open-source, close-source, that are out there, that are well vetted. And if you do that, you’ll save yourself a lot of heartache down the line.

– [Ryan] Great, I just wanna read you the third question. I know Calum has to jump out. But Shannon, you wanna ask that third question? Because I think it’s really good to get Andrew’s thoughts on it.

– [Shannon] Andrew, how do you handle building security into legacy systems?

– [Andrew] Oh, you’re in trouble. Legacy systems are tough. So I mean, you’ve got a couple options. So, one option is, if they system can come offline, and can be pulled off the production line for awhile, then you’ve got options. The reason systems are legacy, is typically because they cannot be shutdown. They have high availability requirements, they’re important to whatever process they’re executing. You particularly see this in the critical infrastructure space. Energy, water, et cetera. So your next options are try and bolt security on top. So, the device is gonna be insecure and you’re just gonna have to live with that, but you can wrap it in security. So, what you see there is a lot of different companies building gateways, and dongles, and carves that can be inserted in devices that kind of wrap the device in security. As an example, the device only knows how to do unencrypted communication, it encrypts it for them. It’s not great, but it’s better than nothing. And then the third thing is just monitor them very closely.

– [Ryan] Mm-hmm.

– [Andrew] If you can’t secure it, you might as well know what’s happening.

– [Ryan] That’s great. From your experience, does it seem like there’s more of a monetary investment to those kind of processes? Like installing or building security into legacy systems, than building them from scratch?

– [Andrew] I think everyone wants to get rid of their legacy systems.

– Okay.

– [Andrew] So no, I think the focus is on new systems.

– [Ryan] I agree with you. Most of our conversations we’ve had with individuals from around the industry is they understand the legacy systems exist, but they almost cause more of a headache than anything else. And if you can build them from scratch in that greenfield environment, you’re gonna be better off setting yourself up for success into the future. So I think we’re all in alignment there. And security, I don’t think, is any different.

– [Andrew] Yeah, the only place I see that inverse is in environments where devices have 10-plus year lifespans.

– Gotcha, okay. that makes sense. Well, this has been great. I wanna wrap up the show just seeing if there’s anything you wanted to leave our audience with. And if the audience has questions or any follow up thoughts after this, if there’s a way to connect with you, whether it’s LinkedIn, Twitter, et cetera, I’d love to kind of have you kind of finish the show off by giving us that information or tell us something that’s interesting.

– [Andrew] I think I’d wrap up by saying I don’t think the sky is falling. So we talked about a lot of scary things.

– [Ryan] Mm-hmm.

– [Andrew] But I see a lot of momentum in the industry to try and improve. Five years ago, if I was sitting in boardrooms, this type of security topic never came up. Now it’s on the top of the risk register for many different companies out there. What makes this IoT security problem particularly difficult is that very few IoT devices are the same. The underlying platforms are different, the memory, power, and storage requirements are different, and often very limiting. And that creates scenarios where it’s hard to build one-size-fits all solutions.

– [Ryan] Mm-hmm.

– [Andrew] So, get some outside help and I think this will improve over time, especially as more common platforms become available.

– [Ryan] Okay, great. And then if our audience has any questions or ways to kind of want to chat with your further, is there a way that’s best to kind of engage with you? If not, if there’s nothing, that’s fine .

– [Andrew] I’d point people to our website.

– Okay.

– That’s probably the best

– Perfect.

– [Andrew] Place to start. It’s Kudelski Security. K-U-D-E-L-S-K-I security.com

– [Ryan] Perfect, we’ll make sure we link that up in the notes. But yeah, thank you so much for being on today. I think the information was great. You taught Calum and I a ton, and we’re able to answer a lot of common misconceptions that I think are our there. When it comes to security, it always seems to be the one thing people bring up as like a hesitation to get into IoT. And hopefully we were able to put some of those to rest, or at least give them better information around them so that, because there’s a ton of benefit and value in IoT and what IoT industry’s trying to allow business to do. And security is something that needs to be taken very seriously, but at the same time, achieving what they’re trying to achieve is definitely something that’s possible. But there are security solutions, like yours, out there that can help and make sure that the devices are secure and that they don’t have to worry about those elements.

– [Andrew] Absolutely, well I really appreciate the time.

– Absolutely.

– Thanks so much.

– [Ryan] All right, everyone. Thanks again, for joining us this week on the IoT For All Podcast. I hope you enjoyed this episode, and if you did, please leave us a rating or review and be sure to subscribe to our podcast on whichever platform you’re listening to us on. Also, if you have a guest you’d like to see on the show, please drop us a note at ryanatiotforall.com and we’ll do everything we can to get them as a featured guest. Other than that, thank you again for listening and we’ll see you next time.

Special Guest
Andrew Howard
Andrew Howard
As CEO, Andrew focuses on expanding the international footprint for Kudelski Security’s unique blend of cybersecurity capabilities. This includes working with clients, partners, and new strategic alliances to optimize approaches to minimizing cybe...
As CEO, Andrew focuses on expanding the international footprint for Kudelski Security’s unique blend of cybersecurity capabilities. This includes working with clients, partners, and new strategic alliances to optimize approaches to minimizing cybe...
Hosted By
IoT For All
IoT For All
IoT For All is creating resources to enable companies of all sizes to leverage IoT. From technical deep-dives, to IoT ecosystem overviews, to evergreen resources, IoT For All is the best place to keep up with what's going on in IoT.
IoT For All is creating resources to enable companies of all sizes to leverage IoT. From technical deep-dives, to IoT ecosystem overviews, to evergreen resources, IoT For All is the best place to keep up with what's going on in IoT.