Reading Room

Internet of Things

Featuring 13 Papers as of October 16, 2018

  • Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged - Discover and Defend Your Assets Analyst Paper (requires membership in SANS.org community)
    by Doug Wylie and Dean Parsons - September 26, 2018 

    The benefits derived from information technology (IT) and operational technology (OT) convergence are enabling more effective management of contemporary control systems. However, the unique challenges of IT/OT convergence make managing and securing an industrial control system (ICS) more difficult. This paper explores how industrial and information system administrators can build stronger cybersecurity programs to protect IT/OT systems.


  • PiOT – a small form factor defense for indefensible devices by James Leyte-Vidal - August 2, 2018 

    For several years, observed trends have shown the ever-increasing growth of network-connected ‘things’ – items like appliances, lighting, controllers and others that have not typically been network connected in the past. This has resulted in a significant increase in attack surface in networks that connect these devices, as many of these ‘things’ have not been designed or implemented with security in mind. While the industry continues to work with these manufacturers to offer better, more secure alternatives, there are many devices out there today that present a risk. To combat this issue, and to help mitigate this risk, we present PiOT. PiOT is a Raspberry Pi-based device intended to be placed in front of vulnerable IoT devices. In conjunction with traffic monitoring and logging tools, PiOT is intended to be a robust, expandable platform for monitoring and responding to attempted access to vulnerable IoT devices. In this paper, we will outline the PiOT build process and show the capability to observe access to an IoT device. The total cost for this build is less than $100.


  • The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns Analyst Paper (requires membership in SANS.org community)
    by Barbara Filkins - July 18, 2018 

    IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices to control operations and processes. Read on to learn more.


  • Building the New Network Security Architecture for the Future Analyst Paper (requires membership in SANS.org community)
    by Sonny Sarai - January 22, 2018 

    With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.


  • Privacy and the Internet of Things by Peter Milley - October 25, 2017 

    The Internet of Things has gotten a lot of attention over the past year or so, and for good reason. From a security perspective, Internet-connected devices are easy targets, especially when they are not designed with security in mind. But, in addition to the concerns of botnets and DoS attacks, some newer devices also raise information privacy concerns.


  • Can the "Gorilla" Deliver? Assessing the Security of Google's New "Thread" Internet of Things (IoT) Protocol STI Graduate Student Research
    by Kenneth Strayer - October 6, 2017 

    Security incidents associated with Internet of Things (IoT) devices have recently gained high visibility, such as the Mirai botnet that exploited vulnerabilities in remote cameras and home routers. Currently, no industry standard exists to provide the right combination of security and ease-of-use in a low-power, low-bandwidth environment. In 2014, the Thread Group, Inc. released the new Thread networking protocol. Google's Nest Labs recently open-sourced their implementation of Thread in an attempt to become a market standard for the home automation environment. The Thread Group claims that Thread provides improved security for IoT devices. But in what way is this claim true, and how does Thread help address the most significant security risks associated with IoT devices? This paper assesses the new IEEE 802.15.4 "Thread" protocol for IoT devices to determine its potential contributions in mitigating the OWASP Top 10 IoT Security Concerns. It provides developers and security professionals a better understanding of what risks Thread addresses and what challenges remain.


  • Securing the Home IoT Network STI Graduate Student Research
    by Manuel Leos Rivas - April 5, 2017 

    The Internet of Things (IoT) has proven its ability to cause massive service disruption because of the lack of security in many devices. The vulnerabilities that allow those denial of service attacks are often caused by poor or no security practices when developing or installing the products. The common home network is not designed to protect against the design errors in IoT devices that expose the privacy of the users. The affordable price of single board computers (SBCs) and their small power requirements and customization capabilities can help improve the protection of the home IoT network. SBCs can also add powerful features such as auditing, inspection, authentication, and authorization to improve controls pertaining to who and what can have access. Implementing a properly configured home-control gateway reduces some common risks associated with IoT such as vendor-embedded backdoors and default credentials. Having an open source trusted device with a configuration shared and audited by many experts can reduce many of the bugs and misconfigurations introduced by vendor security program deficiencies.


  • Detecting Attacks Against The 'Internet of Things' by Adam Kliarsky - March 30, 2017 

    The need to detect attacks against our networks has exploded with the rapid adoption of connected devices affectionately dubbed the "Internet of Things" (or IoT). Manufacturers are rapidly producing devices to meet consumer and market demand, which creates a shortened time-to-market in manufacturing. The level of security in the product development lifecycle becomes questionable, as do production standards. Vulnerabilities have been showing up targeting the physical interfaces of IoT devices, wireless protocols, and user interfaces. It is imperative that intrusion analysts understand how to assess the attack surface, analyze threats, and develop the capability to detect attacks in IoT environments. This paper will review threats, vulnerabilities, attacks, and intrusion detection as they apply to the IoT.


  • A security assessment of Z-Wave devices and replay attack vulnerability by Mark Devito - August 31, 2016 

    Within many modern homes, there exists a compelling array of vulnerable wireless devices. These devices present the potential for unauthorized access to networks, personal data and even the physical home itself. The threat originates from the Internet-connected devices, a ubiquitous collection of devices the consumer market dubbed the Internet of Things (IoT). IoT devices utilize a variety of communication protocols; a replay attack against the Z-Wave protocol was accomplished and demonstrated at ShmooCon 2016. The attack was carried out using two HackRF radios. This paper attempts to conduct a similar attack but employing a $35 US SDR, a $130 US sub-1 GHz dongle, and readily available open source applications, instead of the more expensive HackRF hardware.


  • Developments in Car Hacking STI Graduate Student Research
    by Roderick Currie - January 7, 2016 

    In the developed world, there is arguably no appliance more prevalent in people’s lives than the automobile.


  • Accessing the inaccessible: Incident investigation in a world of embedded devices STI Graduate Student Research
    by Eric Jodoin - June 24, 2015 

    There are currently an estimated 4.9 billion embedded systems distributed worldwide. By 2020, that number is expected to have grown to 25 billion. Embedded systems can be found virtually everywhere, ranging from consumer products such as Smart TVs, Blu-ray players, fridges, thermostats, smart phones, and many more household devices. They are also ubiquitous in businesses, where they are found in alarm systems, climate control systems, and most networking equipment such as routers, managed switches, IP cameras, multi-function printers, etc. Unfortunately, recent events have taught us these devices can also be vulnerable to malware and hackers. Therefore, it is highly likely that one of these devices may become a key source of evidence in an incident investigation. This paper introduces the reader to embedded systems technology. Using a Blu-ray player embedded system as an example, it demonstrates the process to connect to and then access data through the serial console to collect evidence from an embedded system's non-volatile memory.


  • The Perfect ICS Storm by Glenn Aydell - June 8, 2015 

    As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation, to a layered architecture using more standard IT components, to the latest “trend” of the Industrial Internet of Things (IIoT), so too have the challenges associated with securing these environments.


  • Securing the “Internet of Things” Survey Analyst Paper (requires membership in SANS.org community)
    by John Pescatore - January 15, 2014 

    Survey reveals the risks introduced by an increasing array of "smart" things with wireless or Internet connections.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.