IoT Security and the Guidelines in Japan 3. IoT Security Guidelines - - PowerPoint PPT Presentation

SLIDE 1

IoT Security and the Guidelines in Japan

April 11th, 2017

• Mr. Takashi Michikata

Deputy Director, ICT Security Office Ministry of Internal Affairs and Communications, JAPAN

‹#›

Content 1. What is IoT 2. Cyber Threats to IoT 3. IoT Security Guidelines in Japan 4. Conclusion

‹#›

Content 1. What is IoT 2. Cyber Threats to IoT 3. IoT Security Guidelines in Japan 4. Conclusion

‹#› 3

IoT stands for “Internet of Things” ITU-T Recommendation (Y.2060) defines IoT as “A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”

What is IoT

SLIDE 2

‹#› 4

Is the concept of IoT old? British entrepreneur Kevin Ashton in MIT coined the term in 1999.

• Wikipedia

Is IoT available everywhere? ➢ The total number of IoT devices in the world will grow from 15.8 billion in 2013 to about 53 billion in 2020.

• IHS Technology

Has the technology development finally caught up the concept?

(Photo by Larry D. Moore CC BY-SA 4.0)

Is IoT a Buzz Word?

‹#›

5

Source: Gartner, “Forecast Analysis: Internet of Things, Endpoints and Associated Services, Worldwide, 2014 Update”, December, 2014

5

[million units] [year]

Automotive Consumer Applications

Generic Business Vertical Business More than HALF of IoT Devices will be used in

Consumer Applications

Number of IoT Devices and Areas of the Use

‹#›

Content 1. What is IoT 2. Cyber Threats to IoT 3. IoT Security Guidelines in Japan 4. Conclusion

‹#› Hacking an automobile by remote control

Footage captured by CCTV are published on the Internet

Security Protections on IoT are necessary as IoT devices such as automobiles and cameras are starting to be connected to the Internet through WiFi or cellular phone networks.

Hacking from a remote location through a cellular phone network. Taking over the entire control of an automobile including a steering and braking control through a car navigation system. It was proved that accidents affecting human lives could

• ccur, and a car company recalled about 1.4 million

vehicles. A large number of footage captured by CCTVs located in Japan are disclosed overseas through the Internet because of the insufficient security protection. Some users do not even notice that their cameras are connected to the Internet.

Attacker Attacker

(Source) WIRED

New Types of Cyber Threats to IoT

SLIDE 3

‹#›

Network Incident analysis Center for Tactical Emergency Response (NICTER)

■ TCP SYN ■ TCP SYN/ACK ■ TCP ACK ■ TCP FIN ■ TCP RESET ■ TCP PUSH ■ TCP Other ■ UDP ■ ICMP

・NICTER shows geographical positions of a packet’s src and dst from the IP addresses in real- time ■ National Institute of Information and Communication Technology (NICT) has Network Incident

analysis Center for Tactical Emergency Response (NICTER) that monitors malicious incoming cyber traffic to a dark net (a chunk of about 300,000 unused IP addresses.)

# of packets observed by NICTER

[Billion]

55 128 26 13

What is the percentage of observed cyber attacks to IoT? Cyber Attacks observed by NICTER in 2016

2 3

• f observed

9

cyber attacks to IoT

1 4

in 2015

DDoS Cyber Attack Case by IoT

➢ Dyn’s managed DNS infrastructure were under two large DDoS attacks in October, 2016 and the major customers including Amazon and Twitter were affected. ➢ The attacks were caused by Mirai IoT botnet. Similar cases were reported in UK and Germany.

• About 100,000 IoT devices created massive

traffic to the Dyn’s system

• The total traffic volume reached 1.2 Tbps

■2323/TCP # of

• bserved

packets ■2323/TCP # of hosts Many scan packets generated in IoT devices worldwide had been observed by NICTER since the beginning of September

source: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/

‹#›

Examples of Infected IoT Devices

Source: Yoshioka’s Research Laboratory, Yokohama National University, Japan

SLIDE 4

‹#›

Case on Hacked IoT Device (1)

12

Malicious Email Header sent from a certain IP address Exactly same time

‹#› 13

The device with the IP address seem to locate nowhere in the woods. But why?

Case on Hacked IoT Device (2)

‹#› 14

Then, a solar power controller was found

Case on Hacked IoT Device (3)

‹#›

Case on Hacked IoT Device (4)

• The Email contains a brief message saying “Wait for your response.”
• It has a zipped attached file which wraps an executable file(.jpeg.exe.).

15

SLIDE 5

‹#›

Hard to manage the devices Always online Long product lifecycle Almost no protections available such as anti-virus software

Why is IoT vulnerable to Cyber Attacks?

‹#›

Content 1. What is IoT 2. Cyber Threats to IoT 3. IoT Security Guidelines in Japan 4. Conclusion

‹#›

18 Source: Cloud Security Alliance , “Security Guidance for Early Adopters of the Internet of Things (IoT)”, April 2015

➢ Cloud Security Alliance, USA, published “Security Guidance for Early Adopters

• f the Internet of Things” and it recommends security protection strategies on

each one of IoT service layers as edge devices, gateways/applications, and enterprise computing/cloud storage/data analytics.

18

CSA’s “Security Guidance for Early Adopters of the Internet of Things”

‹#›

19

➢ The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats. ➢ The recommendations covers Q&As such as “What are some IoT devices?”, “What are the IoT Risks?”, and “What an IoT Risk Might Look Like to You?”

Source: FBI, “Internet of Things Poses Opportunities for Cyber Crime”

■ Consumer Protection and Defense Recommendations

• Isolate IoT devices on their own protected networks;
• Disable UPnP on routers;
• Consider whether IoT devices are ideal for their intended purpose;
• Purchase IoT devices from manufacturers with a track record of providing secure devices;
• When available, update IoT devices with security patches;
• Consumers should be aware of the capabilities of the devices and appliances installed in their homes

and businesses.;

• Use current best practices when connecting IoT devices to wireless networks, and when connecting

remotely to an IoT device;

• Ensure all default passwords are changed to strong passwords. Do not use the default password

determined by the device manufacturer. etc.” 19

FBI’s “Internet of Things Poses Opportunities for Cyber Crime”

SLIDE 6

‹#›

• The objective of the Guidelines is to show required basic security protections for

IoT based on “Security by Design Principle” and to lead IoT stakeholders to take proactive actions in industries with consideration of specific natures of IoT. It also aims to create an environment where users can utilize IoT devices, systems, and services securely.

• The objective of the Guidelines is not to clarify all the legal responsibility of the

stakeholders when they are involved in a cyber security incident but to promote their awareness of necessity of IoT security protections and to lead them to share necessary information among the stakeholders.

• The objective of the Guidelines is to expect the stakeholders to consider

appropriate security protections based on what they must protect and risks they face, rather than to require the stakeholders to take a single standardized security protection.

IoT Acceleration Consortium, Ministry of Internal Affairs and Communications, and Ministry of Economy, Trade and Industry published the IoT Security Guidelines on 5th July in 2016. The guidelines has the following objective.

IoT Security Guidelines in Japan and the Objective

‹#›

Phases Guidelines Main points

Policies Establish basic policies based on the nature of IoT

• Commit to IoT security by management teams
• Prepare for internal fraud or human error

Analysis Recognize security risks

• f IoT
• Identify what should be protected
• Assume risks resulting from connections

Design Consider a design to protect what should be protected

• Consider a design that does not cause any trouble to connected

counterparts

• Evaluate and verify a design to ensure safety and security

Implement ation and connection Consider Protections on Network Side

• Connect IoT devices to the network properly based on the function and

purpose

• Keep initial settings in mind

Operation and maintenan ce Maintain a safe and secure state and transmit and share information

• Maintain a safe and secure state after shipping and releasing
• Grasp all IoT risks after shipping and releasing, and advise all

stakeholders of what to be observed

• Recognize each stakeholder's roles in IoT systems and services
• Evaluate vulnerable devices and give appropriate cautions

Recommendations for General Public

• Refrain from purchasing and using devices or services for which those

call centers or support services are not available

• Pay attention to initial settings
• Turn off the power of devices if they are no longer in use
• Delete all data when disposing of devices
• This guidelines specifies rules for providers of IoT devices, systems and services on each

step of their required operations (policies, analysis, design, implementation, connection,

• peration and maintenance)

Overview of IoT Security Guidelines

‹#›

• Make initial settings with consideration of security at the time of constructing or using IoT systems or

services so that the systems or services will not become vulnerable and easy targets of external

• attacks. Alert users to initial settings.
• Design IoT systems and services with consideration of the network configurations and security

functions based on the functions, the applications and the computing performance. Consider security protections on the higher level such as network connections through IoT secure gateways when security protections are not achievable on individual IoT devices due to the limited computing performance.

• Keep initial settings in mind

Example of Secure Network Connection for IoT Devices

Secure device

IoT Secure gateway

User

Virtualizati

• n of IoT

devices

Manufacturers and venders

The Internet

Devices that protect their own security Devices that cannot maintain sufficient security

Firmware Update

• Connect IoT devices to the network properly based on the function and purpose

[Implementation & Connection] Guideline 4: Consider Protections on Network Side

‹#›

• Turn off the power if devices are no longer in use. Otherwise, these devices could be unlawfully used if they remain

connected to the Internet.

• Turn off the power if devices are no longer in use
• Dispose devices carefully to avoid information leakage to others. Delete all information before disposing of or selling

the devises.

• Delete all data when disposing of devices
• When using a device for the first time, make ID and password settings properly for the device. Do not leave the factory

default setting password as it is, do not share a password with other people, and do not reuse the same password for any other device.

• Follow the procedure in the instruction manual and try updating.
• Pay attention to the initial settings
• Refrain from purchasing and using devices or services for which no inquiry or support service is available
• It will be difficult to respond properly to problems of devices connected to the Internet if there are no service

inquiry or support desks for the devices. Refrain from purchasing and using devices or services for which have no inquiry or support service available.

Attention! Maintenance service will be expired within 3 years.

Recommendations for the General Public

SLIDE 7

‹#›

Content 1. What is IoT 2. Cyber Threats to IoT 3. IoT Security Guidelines in Japan 4. Conclusion

‹#›

Cyber security issue on IoT has already become a real threat. Current cyber security protection on IoT is not well enough compared with PCs. You must act now and the Guideline would be helpful for you to start. Conclusion

URL for the IoT Security Guidelines: http://www.iotac.jp/wp-content/uploads/2016/01/IoT-Security-Guidelines_ver.1.0.pdf