securing industrial iot
play

Securing Industrial IoT Device Attestation, Software Updates, and - PowerPoint PPT Presentation

May 31, 2023 •535 likes •794 views

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti , University of Padua Slides prepared with the support of Daniele Lain and Moreno Ambrosin SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017,

  1. Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti , University of Padua Slides prepared with the support of Daniele Lain and Moreno Ambrosin SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017, Singapore Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 1/#

  2. Intro and Expertise ● ● ● ● ● ● ● ● Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 2/#

  3. Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 3/#

  4. Insecure Things… Mirai Mirai: IP Cameras hack in October/November Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 4/#

  5. Insecure Things… Wannacry Targeting the most devices: Now: PCs - Soon? IoT! - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 5/#

  6. Outline Securing Industrial IoT: Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 6/#

  7. Outline Securing Industrial IoT: Attestation - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 7/#

  8. Outline Securing Industrial IoT: Attestation - Software Update - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 8/#

  9. Outline Securing Industrial IoT: Attestation - Software Update - Data Protection - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 9/#

  10. Outline Securing Industrial IoT: Attestation - Software Update - Data Protection - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 10/#

  11. System Security Remote Attestation Remote Attestation (RA) is an interactive protocol ● A useful tool to detect software attacks ○ e.g., malwares injected on a device, firmware replacement ○ Allows a prover to compute a cryptographic proof of the status ● of its configuration (e.g., SW+data) Called a measure, typically a hash of what you want to measure ○ Security is ensured by HW support on the prover ○ A verifier collects this proof remotely and checks whether the ● collected measure is “valid” or not, i.e., is an expected one Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 11/#

  12. System Security Remote Attestation In a 1 verifier and 1 prover setting RA is a well-established research area Problem: How to verify the integrity of a network of devices ? More efficiently than individually! ○ Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 12/#

  13. System Security Remote Attestation We proposed SANA, a protocol for network attestation that: Improves scalability via in-network aggregation of proofs ● Is end-to-end secure ● Security relies mainly on OAS unforgeability ○ Improved resiliency to hardware attacks ○ Detects attempts to modify attestation proofs from devices ○ Has manageable overhead on the (low) end devices ● Is publicly verifiable ● Verification is linear in the number of “bad provers” ● Depends on the “strength” of the attacker ○ If the network is OK has constant verification overhead ● Most frequent case in practice ○ Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 13/#

  14. System Security Remote Attestation We evaluated SANA [1] Implementing it on a research platform ● Via simulation (for large scale tests) ● [1] M Ambrosin, M Conti, A Ibrahim, G Neven, AR Sadeghi, M Schunter. SANA: Secure and Scalable Aggregate Network Attestation. In ACM CCS 2016 Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 14/#

  15. Outline Securing: Attestation - Software Update - Data Protection - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 15/#

  16. Update distribution architecture Management entity Software updates ○ Device monitoring ○ Commands delivery ○ May be deployment’s owner Proprietary or third-party distribution network CDN, NDN, Fog Layer, ... ○ Data Caching & Aggregation Deployment Heterogeneous ◽ Potentially large scale ◽ Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 16/#

  17. Update adv. model Trusted entity Can be controlled by an adversary Cannot be trusted for Integrity ○ Authenticity ○ Confidentiality ○ Guarantees availability Device integrity may be compromised Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 17/#

  18. Update design requirements Minimize windows of exposure [Bilge and Dumitras, ACM CCS ‘12] 1. Window of exposure Patch is Vulnerability is Patch is Vulnerability is Exploit is Vulnerability is delivered and discovered by released introduced created by publicly installed the vendor the attacker disclosed End-to-end security and scalability 2. #9 of OWASP IoT top 10 Vulnerabilities (*) Access control on the software 3. Software may be proprietary ○ (*) https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 18/#

  19. Updaticator Protocol for end-to-end updates confidentiality and integrity Uses Ciphertext-Policy Attribute-Based Encryption (CP-ABE) To enforce access control based on device attributes ○ Allows linear complexity in the number of attributes ○ Leverages untrusted caches to speed up distribution Evaluated on top of ICN/NDN Novel networking paradigm providing cache at the network layer ○ Results showed improved scalability w.r.t. Direct fetching ○ [1] M Ambrosin, C Busold, M Conti, AR Sadeghi, M Schunter. Updaticator: Updating billions of devices by an efficient, scalable and secure software update distribution over untrusted cache-enabled networks. In ESORICS 2014 Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 19/#

  20. Outline Securing: Attestation - Software Update - Data Protection - Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 20/#

  21. IoT permission models Existing IoT frameworks only have permission based access control • Permissions control what data an app can access • Permissions do not control how apps use data, once they have access Did not work on mobile (see Android permissions) ...will not work on IoT! Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 21/#

  22. Potential Abuses APP Sink Consumer App Publisher of Sensitive Data Source Sink • Unlock door if face is • App needs to compute on recognized sensitive data to provide useful service • Home-owner can check • But has the potential to leak activity from Internet data Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 22/#

  23. FlowFence Label-based flow control Language-based flow control • Component-level information tracking • Restructure apps to obey flow rules • Flow enforcement through label policies • Developer declares flows FlowFence • Support of diverse publishers and consumers of data, with publisher and consumer flow policies • Allows use of existing languages, tools, and OSes [1] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, A. Prakash. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In USENIX Security 2016 Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 23/#

  24. Thanks! Thanks! Mauro Conti conti@math.unipd.it Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 24/#

  25. Backup slides... ...Backup slides beyond this point... Do we need a holistic approach for the design of secure IoT systems? Mauro Conti 25/#

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection Mike Powell, Project Cybersecurity Engineer, NIST /NCCoE Jim McCarthy, Energy Sector Federal Lead NIST / NCCoE

616 views • 15 slides
Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken Wai-Kin Au School of Computing Science University of Glasgow Zhaohui Tang School of Infocomm Republic Polytechnic, Singapore 1 Introduction

576 views • 21 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses in Arizona Arizona L. William Staudenmaier One Arizona Center 400 East Van Buren Street, Suite 1900 Phoenix, Arizona 85004 2202 602.382.6000 |

574 views • 32 slides
Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS

Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS

Securing a future for our horses. Securing a future for our sport. TABLE OF CONTENTS Industry-United Initiative ............................................ 2 The TAA Difference .................................................... 3 Life After

466 views • 19 slides
Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton

Jobtalk Securing Internet Routing Securing Internet Routing $ Local ISP Sharon Goldberg g Princeton University Based on work with: Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran

1.12k views • 42 slides
Applying SE to Securing the Energy Future Level 4 - Public 2017 Our Energy Future is at Risk

Applying SE to Securing the Energy Future Level 4 - Public 2017 Our Energy Future is at Risk

2017 Applying SE to Securing the Energy Future Level 4 - Public 2017 Our Energy Future is at Risk Our Critical Infrastructure is at high risk from High-Impact threats EMP Space Weather Cyber (Industrial Controls) Wanted:

212 views • 18 slides
Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with

Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with

Securing home Wi-Fi with WPA3 personal Raoul Dijksman and Erik Lamers Securing home Wi-Fi with WPA3 personal Making Wi-Fi great again With security this time, right? Securing home Wi-Fi with WPA3 personal - July 3 rd 2020 2 Why is WPA3

853 views • 28 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 |

SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 |

NON-PROFIT PRESENTATION TIPS FOR NON-PROFIT PRESENTATION TIPS FOR SECURING DONATIONS SECURING DONATIONS nonprofit.212mediastudios.com | 574.269.0720 | info@212mediastudios.com Having an efgective communication strategy is the fjrst step for your

116 views • 9 slides
Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The

Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The

Getting Acquainted W ith Zoom Outline Securing Your Computer Your Invitation The Waiting Room Working with Audio Working with Video Using the Tool Tray Chat In the Meeting When Things Go Wrong 2 Securing Your

325 views • 14 slides
Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K.

Securing Home Networks Securing Home Networks protocols protocols A SWN04 A SWN04 K. MASMOUDI, K. MASMOUDI, H. AFIFI H. AFIFI Boston, 08/2004 6 th PCRD Integrated Project Goal : provide secure communication

450 views • 22 slides
LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile

LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile

LOCATION PRIVACY Marc Langheinrich University of Lugano (USI), Switzerland Securing a Mobile Phone Securing a Mobile Phone Securing a Mobile Phone Securing a Mobile Phone Can We Have it Both Ways? Safe Secure Privacy-friendly

892 views • 62 slides
INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy

INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy

INDUSTRIAL STRATEGY November 2012 Why do we need industrial strategy Industrial strategy activity The Heseltine Review 2 Structural changes in the international economy will impact the UK Globalisation and rise of BRICS are changing

748 views • 12 slides
and Applications in MicroTCA Sven Stubbe with support from Jan Marjanovic and Aaron Gornott

and Applications in MicroTCA Sven Stubbe with support from Jan Marjanovic and Aaron Gornott

Implementation of GigE Vision Standard and Applications in MicroTCA Sven Stubbe with support from Jan Marjanovic and Aaron Gornott Hamburg, 06.12.2018 Implementation of GigE Vision Standard and Applications in MicroTCA Sven Stubbe, 06.12.2018

308 views • 11 slides
Highlights of TI2-LHC Synchronization Test with Beam M. Lamont and S. Redaelli on behalf of the

Highlights of TI2-LHC Synchronization Test with Beam M. Lamont and S. Redaelli on behalf of the

CMS Commissioning Meeting August 15 th , 2008 CERN - Geneva (CH) Highlights of TI2-LHC Synchronization Test with Beam M. Lamont and S. Redaelli on behalf of the OP team Outline Introduction: goals / layouts Beam and magnet availability

766 views • 24 slides
BONE ANATOMY Daniel D Bikle, MD, PhD Professor of Medicine, UCSF 1 7/11/2019 Origin of Bone

BONE ANATOMY Daniel D Bikle, MD, PhD Professor of Medicine, UCSF 1 7/11/2019 Origin of Bone

7/11/2019 Basics of Bone Biology BONE ANATOMY Daniel D Bikle, MD, PhD Professor of Medicine, UCSF 1 7/11/2019 Origin of Bone Cells Bone Remodeling Proliferation M-CSF & Differentiation C-Fms Resting Phase Activation Osteoclast

116 views • 8 slides
SMB3 Multichannel with Samba/CTDB and Gluster Gnther Deschner <gd@samba.org> Sachin

SMB3 Multichannel with Samba/CTDB and Gluster Gnther Deschner <gd@samba.org> Sachin

SMB3 Multichannel with Samba/CTDB and Gluster Gnther Deschner <gd@samba.org> Sachin Prabhu <sprabhu@redhat.com> A g e n d a S a mb a / C T D B C l u s t e r i n g w i t h G l u s t e r F S

322 views • 31 slides
FROM HARDWARE TO 0-DAY Or how to buy a security camera and never use it for its intended purpose

FROM HARDWARE TO 0-DAY Or how to buy a security camera and never use it for its intended purpose

FROM HARDWARE TO 0-DAY Or how to buy a security camera and never use it for its intended purpose PIETRO OLIVA WHOAMI Name: Pietro Oliva Twitter: @0xsysenter Current role: Security researcher (R3) Previous roles: Security

795 views • 30 slides
On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

Intro Why FPGA (and what the FPGA is all about) Software approach simulation first Going to the hardware Whats next Contact info On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why FPGA (and

770 views • 12 slides
SoC Design SoC Design g L Lecture Lecture 6: IP Cores 6 IP C : IP Cores IP C Shaahin

SoC Design SoC Design g L Lecture Lecture 6: IP Cores 6 IP C : IP Cores IP C Shaahin

SoC Design SoC Design g L Lecture Lecture 6: IP Cores 6 IP C : IP Cores IP C Shaahin Hessabi Shaahin Hessabi Department of Computer Engineering Department of Computer Engineering Sharif University of Technology Sharif University of

328 views • 28 slides
Machine Learning on a Heterogeneous Cluster NaifTarafdar , Giuseppe Di Guglielmo, Philip C

Machine Learning on a Heterogeneous Cluster NaifTarafdar , Giuseppe Di Guglielmo, Philip C

AIgean: An Open Framework for Machine Learning on a Heterogeneous Cluster NaifTarafdar , Giuseppe Di Guglielmo, Philip C Harris, Jeffrey D Krupa, Vladimir Loncar , Dylan S Rankin, Nhan Tran , Zhenbin Wu , Qianfeng Shen and

712 views • 47 slides

More recommend