Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Next Generation Embedded Systems Security for IOT: Powered by Kaspersky

L. Duke Golden
L. Duke Golden

In an increasingly connected world full of new IOT technologies, the security risks are becoming the single biggest challenge as we advance toward a fully tech-enabled society. Kaspersky's security strategy is always - SECURE BY DESIGN.

Related slideshows

Cisco Connect 2018 Thailand - Cisco Meraki an innovation journey to a smarter...
Cisco Connect 2018 Thailand - Cisco Meraki an innovation journey to a smarter...Cisco Connect 2018 Thailand - Cisco Meraki an innovation journey to a smarter...
Cisco Connect 2018 Thailand - Cisco Meraki an innovation journey to a smarter...
 
Kaspersky endpoint security business presentation
Kaspersky endpoint security business presentationKaspersky endpoint security business presentation
Kaspersky endpoint security business presentation
 
Introducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light AgentIntroducing Kaspersky Security for Virtualization - Light Agent
Introducing Kaspersky Security for Virtualization - Light Agent
 
1 of 20
Download to read offline
NEXT-GENERATION EMBEDDED SYSTEMS SECURITY FOR IOT: Powered by KASPERSKY SECURE OS
2 EVERYTHING WILL BE CONNECTED – WHETHER WE LIKE IT OR NOT
THE INTERNET OF THINGS – BUT WHY NOW? AN EXPLOSION OF NETWORK POSSIBILITIES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System2 BILLIONSOFDEVICES 50 40 30 20 10 0 90 92 94 96 98 00 02 04 06 08 10 12 14 16 18 20 YEAR 1992 1,000,000 2003 0.5 BILLION 2009 IoT INCEPTION 2012 8.7 BILLION 2014 14.4 BILLION 2015 18.2 BILLION 2017 28.4 BILLION 2016 22.9 BILLION 2018 34.8 BILLION 2019 42.1 BILLION 2020 50.1 BILLION 2013 11.2 BILLION 1998 2001 2003 2005 2007 2009 2011 Initial WDM Deployments 8 x 2.5GB Increased # of λ 8-40 x 2.5G Introduction of 10GB λ Additional λ increases Introduction of 40GB λ Premiere of OTN Automatic Optical Switching ROADM – Bandwidth Flexibility 100GB λ FMC 400GBλ Network Evolution 1TBλ
RICH IoT DEVICES ARE THE MOST VULNERABLE “Things” Sensor & Actuator Processing Communication Local Network Gateway(s) Wired/wireless Power line BAN, PAN, LAN The Internet Back-End Services Remote Server User access and control Business Data Analysis Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System4
IoT ATTACKS MIRAI Mirai’s name comes from the discovered binaries having the name “mirai.()” and was initially discovered in August 2016. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running Busybox, a common tool for IoT embedded devices. BASHLITE Infects Linux systems in order to launch distributed denial-of- service attacks (DDoS). In 2014 BASHLITE exploited the Shellshock software bug to exploit devices running BusyBox. In 2016 it was reported that one million devices have been infected with BASHLITE. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System5
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System6 MAIN CONSIDERATIONS FROM A CYBER SECURITY PERSPECTIVE  Human mistakes  Usage of 3rd party software and libraries  Software Complexity (Number of Lines of Code increasing dramatically) INSECURE DESIGN VULNERABILITIES  Time to market pressure  Rapidly changing technology landscape INSECURITY OF CONVENTIONAL OPERATING SYSTEMS
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System7 WHY CONVENTIONAL OPERATING SYSTEMS ARE DANGEROUS…  Monolithic system where any module can call any other one  With help of exploitation of arbitrary code execution vulnerability it is possible to call any other module regardless of security settings  Uncontrolled usage of 3rd party libraries  Adversaries can get control over whole system with help of only one vulnerability  Poor security settings due to various reasons (lack of expertise, other priorities, lack of time…)  Wide attack surface Interactive user Device Driver Libraries Commands Application Programs OS System Call Interface … Device Driver Device Driver … DriverInterface Trap Table Monolithic Kernel Module Process Management Memory Management File Management Device Mgmt Infrastructure
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System8 THE ONLY REAL SOLUTION TO THE PROBLEM… Create an environment that simply won't allow the program to perform undeclared functions and prevent exploiting of vulnerabilities. MAIN PRINCIPLES OF SECUREOS Secure by design system MILS with reference monitor approach Microkernel based Meets specific requirements for embedded systems
SPECIFIC REQUIREMENTS FOR AN EMBEDDED OPERATING SYSTEM SMALL SIZE AND MINIMUM RESOURCE USAGE Most of the embedded systems use limited hardware resources (RAM, ROM, CPU) OUT OF THE BOX SECURITY – OR AS CLOSE AS POSSIBLE Most embedded systems have somewhat unique security requirements. Simplicity in security settings reduces time to market and effort required to roll out Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System9 STABLE FUNCTIONALITY EVEN WHEN UNDER ATTACK One has to think about possible threats and threat vectors in advance – and maintain stability throughout COMPLIANCE WITH INDUSTRY STANDARDS A system has to be designed and programmed in accordance With industrial safety and security standards
10 KASPERSKYOS // OVERVIEW  Designed for embedded connected systems with specific requirements for cyber security  Based on the separation kernel which guarantees the control of all internal system communications  Behavior of every module is pre described via security policies  Separate business applications from security (easier to develop and support, decrease time to market, increase security and safety)  MILS architecture Domain separation/isolation Flexible internal communications control via Kaspersky Security System (KSS) Kaspersky Secure OS
BENEFITS OF KASPERSKYOS INHERENT SECURITY KasperskyOS is an operating system that is secure by design and we intend to keep it that way by using the best practices of software development FLEXIBLE SECURITY CONFIGURATION Well-designed configuration tools make it easy to create declarative rule definitions and combinations of rules to control interactions in the system. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System11 VERSATILE MODULAR ARCHITECTURE Building the system based on loosely coupled modules helps to minimize the amount of trusted code and tailor each solution to the customer’s specific needs SEPARATION OF APPLICATION FEATURES FROM SECURITY FUNCTIONS The security architecture is designed to separate security functions from application business logic, making both configuring security policies and developing applications easier
12 BEYOND THE OS: EMBEDDED SECURITY FOR ALL… • Default Deny only installation mode • Low system requirements (256MB system memory) • Low traffic consumption (no regular AV updates) • No internet connection required • Executable files, DLLs, Drivers • Hash sum check, signatures check, destination check • Optional 2-layer check for whitelisted applications with Kaspersky Private Security Network …EVEN THOSE RUNNING LESS SECURE OPERATING SYSTEMS: • Windows XP Embedded • Windows 2009 Embedded • Windows XP Pro • Windows 7 Embedded POSReady • Windows 7 Embedded Standard • Windows Embedded 8.0 Standard • Windows 10 IoT Kaspersky Embedded Systems Security
USE CASES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System13 Telecoms and Network Equipment IoT and Industrial IoT Connected Cars Endpoints POS Terminals Linux Systems security enhancement
USE CASES – General Usage IoT Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System14 Isolation of every single module Minimization impact of vulnerabilities Protection of sensitive data (i.e. encryption keys, user’s data, secure storage) Secure boot  System Security by design - the only way to secure IoT devices! 1. Smart CCTV camera (does image processing on a device and send processed data to a server) 2. Smart hub (all sensors and end devices connected to it) EXAMPLE Connected to the Internet and Powerful enough (not MCU based) devices like: KASPERSKYOS
USE CASES – IOT FOR CONNECTED CARS Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System15 Isolation of infotainment from safety critical system (advanced driver assistance systems, AUTOSAR) Minimise impact of vulnerabilities in every domain Protection of sensitive data (i.e. encryption keys, logs, telematics data) from unauthorised access Secure boot and protection against unauthorised modification of firmware and software (i.e. malware infection, unauthorised modifications)  System Security by Design  Can be used in Central gateway, Head unit or specific ECU/TCU KASPERSKY SECURE HYPERVISOR
CONNECTED CAR MAIN INTERNAL VULNERABILITY POINTS Head UnitECUs Vehicle Buses
POTENTIAL THREAT VECTORS Private Data Key StoreHeadUnit Browser Keypad ECU Man-in-the-Middle Attack Attack from Mobile Device Attack on Key / Certificate Stores Sniffing of User Data Attack from Downloaded Apps Malware Delivery Thru Data Storage Device Malicious Firmware Update Remote Attack on Vehicle Bus Compromised Actuator Exploiting Software Vulnerabilities Operating System Attack on OBD2
CONNECTED CAR SECURITY LAYERS & KL SECURITY Car Gateway Threat vectors KL Technologies •Man in-The-Middle-Attack •Attack From Downloaded Apps Server Security, Solutions for Data Centers, DDoS Protection, Security Intelligence Services (SIS) •Sniffing of User Data •Attack From Downloaded Apps •Exploiting Software Vulnerabilities Security and Vulnerability Mgmt (SVM), IDS & IPS, Security Intelligence Services (SIS), Mobile SDK •Attack from Apps in Mobile Device •Exploiting SW Vulnerabilities •Malicious Firmware Update •Malware Delivery Thru Data Storage Devices IDS & IPS, Security and Vulnerability Mgmt, Anti-Malware, Security Intelligence Services (SIS), Kaspersky Secure Hypervisor, Kaspersky Security System (KSS), KasperskyOS •Compromised Engine Actuator •Attack on Vehicle Bus Security Intelligence Services, Kaspersky Embedded Systems Security •Attack on Key •Malicious Firmware Update •Attack on Vehicle Bus Flexible Security Policy Control Framework (KSS), Encryption, Security Hypervisor, Security Intelligence Services, KasperskyOS Car Network ECU Car Cloud Services Network Access
Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System19 END-TO-END IOT SECURITY – POWERED BY KASPERSKY IoT and Industrial IoT – Powered By Kaspersky Kaspersky Embedded Systems Security Kaspersky Secure Operating System Kaspersky Industrial CyberSecurity DDoS Protection Security Intelligence Services
20 Questions? L. Duke Golden Strategic Accounts Manager, DACH duke.golden@kaspersky.com +49 (0)151 544 39 309 www.kaspersky.com

More Related Content

Next Generation Embedded Systems Security for IOT: Powered by Kaspersky

  • 1. NEXT-GENERATION EMBEDDED SYSTEMS SECURITY FOR IOT: Powered by KASPERSKY SECURE OS
  • 2. 2 EVERYTHING WILL BE CONNECTED – WHETHER WE LIKE IT OR NOT
  • 3. THE INTERNET OF THINGS – BUT WHY NOW? AN EXPLOSION OF NETWORK POSSIBILITIES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System2 BILLIONSOFDEVICES 50 40 30 20 10 0 90 92 94 96 98 00 02 04 06 08 10 12 14 16 18 20 YEAR 1992 1,000,000 2003 0.5 BILLION 2009 IoT INCEPTION 2012 8.7 BILLION 2014 14.4 BILLION 2015 18.2 BILLION 2017 28.4 BILLION 2016 22.9 BILLION 2018 34.8 BILLION 2019 42.1 BILLION 2020 50.1 BILLION 2013 11.2 BILLION 1998 2001 2003 2005 2007 2009 2011 Initial WDM Deployments 8 x 2.5GB Increased # of λ 8-40 x 2.5G Introduction of 10GB λ Additional λ increases Introduction of 40GB λ Premiere of OTN Automatic Optical Switching ROADM – Bandwidth Flexibility 100GB λ FMC 400GBλ Network Evolution 1TBλ
  • 4. RICH IoT DEVICES ARE THE MOST VULNERABLE “Things” Sensor & Actuator Processing Communication Local Network Gateway(s) Wired/wireless Power line BAN, PAN, LAN The Internet Back-End Services Remote Server User access and control Business Data Analysis Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System4
  • 5. IoT ATTACKS MIRAI Mirai’s name comes from the discovered binaries having the name “mirai.()” and was initially discovered in August 2016. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running Busybox, a common tool for IoT embedded devices. BASHLITE Infects Linux systems in order to launch distributed denial-of- service attacks (DDoS). In 2014 BASHLITE exploited the Shellshock software bug to exploit devices running BusyBox. In 2016 it was reported that one million devices have been infected with BASHLITE. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System5
  • 6. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System6 MAIN CONSIDERATIONS FROM A CYBER SECURITY PERSPECTIVE  Human mistakes  Usage of 3rd party software and libraries  Software Complexity (Number of Lines of Code increasing dramatically) INSECURE DESIGN VULNERABILITIES  Time to market pressure  Rapidly changing technology landscape INSECURITY OF CONVENTIONAL OPERATING SYSTEMS
  • 7. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System7 WHY CONVENTIONAL OPERATING SYSTEMS ARE DANGEROUS…  Monolithic system where any module can call any other one  With help of exploitation of arbitrary code execution vulnerability it is possible to call any other module regardless of security settings  Uncontrolled usage of 3rd party libraries  Adversaries can get control over whole system with help of only one vulnerability  Poor security settings due to various reasons (lack of expertise, other priorities, lack of time…)  Wide attack surface Interactive user Device Driver Libraries Commands Application Programs OS System Call Interface … Device Driver Device Driver … DriverInterface Trap Table Monolithic Kernel Module Process Management Memory Management File Management Device Mgmt Infrastructure
  • 8. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System8 THE ONLY REAL SOLUTION TO THE PROBLEM… Create an environment that simply won't allow the program to perform undeclared functions and prevent exploiting of vulnerabilities. MAIN PRINCIPLES OF SECUREOS Secure by design system MILS with reference monitor approach Microkernel based Meets specific requirements for embedded systems
  • 9. SPECIFIC REQUIREMENTS FOR AN EMBEDDED OPERATING SYSTEM SMALL SIZE AND MINIMUM RESOURCE USAGE Most of the embedded systems use limited hardware resources (RAM, ROM, CPU) OUT OF THE BOX SECURITY – OR AS CLOSE AS POSSIBLE Most embedded systems have somewhat unique security requirements. Simplicity in security settings reduces time to market and effort required to roll out Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System9 STABLE FUNCTIONALITY EVEN WHEN UNDER ATTACK One has to think about possible threats and threat vectors in advance – and maintain stability throughout COMPLIANCE WITH INDUSTRY STANDARDS A system has to be designed and programmed in accordance With industrial safety and security standards
  • 10. 10 KASPERSKYOS // OVERVIEW  Designed for embedded connected systems with specific requirements for cyber security  Based on the separation kernel which guarantees the control of all internal system communications  Behavior of every module is pre described via security policies  Separate business applications from security (easier to develop and support, decrease time to market, increase security and safety)  MILS architecture Domain separation/isolation Flexible internal communications control via Kaspersky Security System (KSS) Kaspersky Secure OS
  • 11. BENEFITS OF KASPERSKYOS INHERENT SECURITY KasperskyOS is an operating system that is secure by design and we intend to keep it that way by using the best practices of software development FLEXIBLE SECURITY CONFIGURATION Well-designed configuration tools make it easy to create declarative rule definitions and combinations of rules to control interactions in the system. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System11 VERSATILE MODULAR ARCHITECTURE Building the system based on loosely coupled modules helps to minimize the amount of trusted code and tailor each solution to the customer’s specific needs SEPARATION OF APPLICATION FEATURES FROM SECURITY FUNCTIONS The security architecture is designed to separate security functions from application business logic, making both configuring security policies and developing applications easier
  • 12. 12 BEYOND THE OS: EMBEDDED SECURITY FOR ALL… • Default Deny only installation mode • Low system requirements (256MB system memory) • Low traffic consumption (no regular AV updates) • No internet connection required • Executable files, DLLs, Drivers • Hash sum check, signatures check, destination check • Optional 2-layer check for whitelisted applications with Kaspersky Private Security Network …EVEN THOSE RUNNING LESS SECURE OPERATING SYSTEMS: • Windows XP Embedded • Windows 2009 Embedded • Windows XP Pro • Windows 7 Embedded POSReady • Windows 7 Embedded Standard • Windows Embedded 8.0 Standard • Windows 10 IoT Kaspersky Embedded Systems Security
  • 13. USE CASES Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System13 Telecoms and Network Equipment IoT and Industrial IoT Connected Cars Endpoints POS Terminals Linux Systems security enhancement
  • 14. USE CASES – General Usage IoT Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System14 Isolation of every single module Minimization impact of vulnerabilities Protection of sensitive data (i.e. encryption keys, user’s data, secure storage) Secure boot  System Security by design - the only way to secure IoT devices! 1. Smart CCTV camera (does image processing on a device and send processed data to a server) 2. Smart hub (all sensors and end devices connected to it) EXAMPLE Connected to the Internet and Powerful enough (not MCU based) devices like: KASPERSKYOS
  • 15. USE CASES – IOT FOR CONNECTED CARS Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System15 Isolation of infotainment from safety critical system (advanced driver assistance systems, AUTOSAR) Minimise impact of vulnerabilities in every domain Protection of sensitive data (i.e. encryption keys, logs, telematics data) from unauthorised access Secure boot and protection against unauthorised modification of firmware and software (i.e. malware infection, unauthorised modifications)  System Security by Design  Can be used in Central gateway, Head unit or specific ECU/TCU KASPERSKY SECURE HYPERVISOR
  • 16. CONNECTED CAR MAIN INTERNAL VULNERABILITY POINTS Head UnitECUs Vehicle Buses
  • 17. POTENTIAL THREAT VECTORS Private Data Key StoreHeadUnit Browser Keypad ECU Man-in-the-Middle Attack Attack from Mobile Device Attack on Key / Certificate Stores Sniffing of User Data Attack from Downloaded Apps Malware Delivery Thru Data Storage Device Malicious Firmware Update Remote Attack on Vehicle Bus Compromised Actuator Exploiting Software Vulnerabilities Operating System Attack on OBD2
  • 18. CONNECTED CAR SECURITY LAYERS & KL SECURITY Car Gateway Threat vectors KL Technologies •Man in-The-Middle-Attack •Attack From Downloaded Apps Server Security, Solutions for Data Centers, DDoS Protection, Security Intelligence Services (SIS) •Sniffing of User Data •Attack From Downloaded Apps •Exploiting Software Vulnerabilities Security and Vulnerability Mgmt (SVM), IDS & IPS, Security Intelligence Services (SIS), Mobile SDK •Attack from Apps in Mobile Device •Exploiting SW Vulnerabilities •Malicious Firmware Update •Malware Delivery Thru Data Storage Devices IDS & IPS, Security and Vulnerability Mgmt, Anti-Malware, Security Intelligence Services (SIS), Kaspersky Secure Hypervisor, Kaspersky Security System (KSS), KasperskyOS •Compromised Engine Actuator •Attack on Vehicle Bus Security Intelligence Services, Kaspersky Embedded Systems Security •Attack on Key •Malicious Firmware Update •Attack on Vehicle Bus Flexible Security Policy Control Framework (KSS), Encryption, Security Hypervisor, Security Intelligence Services, KasperskyOS Car Network ECU Car Cloud Services Network Access
  • 19. Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System19 END-TO-END IOT SECURITY – POWERED BY KASPERSKY IoT and Industrial IoT – Powered By Kaspersky Kaspersky Embedded Systems Security Kaspersky Secure Operating System Kaspersky Industrial CyberSecurity DDoS Protection Security Intelligence Services
  • 20. 20 Questions? L. Duke Golden Strategic Accounts Manager, DACH duke.golden@kaspersky.com +49 (0)151 544 39 309 www.kaspersky.com