A small crowd braved the government shutdown, a BART strike and San Francisco's trademark fog to attend SANS' first Securing the Internet of Things Summit in San Francisco, CA. A short recap:
I started out by making fun of some of the hype out there - the bottom line is the IoT is just everything with an IP address - which is why some at the summit call it the "Internet of Everyting". I offered a simple history of IoT "waves" and the security implications:
- Wave 1 Information Technology: PCs, servers, routers, switches, firewalls - IT things produced by IT companies and bought and managed by IT people.
- Wave 2 Operational Technology: machines/appliances with embedded IT built by non-IT companies, and bought and (somewhat) managed by non-IT people (at first)
- Wave 3 Personal Technology: devices with embedded software made largely by consumer-facing companies bought by consumers and largely unmanaged
- Wave 4 Sensor Technology: limited function point measuremeant and control interfaces made by both IT and non-IT companies, bought by both IT and non-IT people at businesses, and by consumers, as part of larger systems. largely unmanaged by anyone - at first.
We have already experienced the security problems of the first 3 waves - Wave 4 is where most of the sexy new hype is coming from.
Asheem Chandna of Greylock partners then gave a talk from the financial side of the IoT, showing their projections that IoT is likely to have faster global penetration rate than the previous record holder - smart phones.
We then had a panel that was more of an interactive audience discussion, with Adam Bosnian, of Cyber-Ark; Rick Doten, DMI: Wolfgang Kandek, Qualys; and Billy Rios, Cylance around risks and solutions for IoT security issues
Stacey Cannady of Cisco presented on Trusted Computing concepts and the use of TPM to provide cryptography support and strong attestation for IoT devices and their software loads.
Earl Perkins of Gartner talked about the integration of IT and OT and physical security as it relates to IoT.
Greg Brown of Intel/McAfee talked about real world challenges in distributed sensor systems and showed some of the latest Intel technology.
Jon Clay of Trend Micro showed some of their threat research on vulnerabilities in marine navigation IoT systems and other areas.
Nitesh Dhanjani closed out the day demonstrated his own hacks into Internet addressable lightbulbs, baby monitors and home electronics control devices. A quick summary: turn them all off, or your WiFi off, if you ever make the mistake of letting anyone into your house.
To sum it all up: lots of opportunity to avoid the mistakes we made in Waves 1 and 2, and take advantages of some of the advances made by the best in breed of Wave 3. the Internet of Things doesn't have to be a security nightmare - but will it be?