Did you know that today, there are over 30 billion connected IoT devices? And that in 2020, that number will double? Do you know how these devices connect to the internet? To each other? To their manufacturer? How many IoT devices are used within your company? If you’re a security professional you’ll need to be able to answer these questions and more. In this session, Jackson Shaw discusses the convergence (collision?) of IoT with IT and OT, what it means to him as a consumer and what it means to us as identity and IT security professionals.
Like, you know, well, this is lively enough.
Very good. I you've been talking about context in and the identity and authorization space for the years. I, I know you're giving lots of talks and that, and that, that in that space now, now I just learned that you're going to talk about convergence. How does these two concepts relate? Well,
That's a good question. You know, I almost have to flip to my first slide to tell you about how, how I got into this. I, I'm not even sure that there's a, that there's a, a convergence, there's a convergence in a, in a way which I'll talk about, but generally speaking, there's a lot of difficulty around convergence in this particular area. When a lot of thet devices don't even use T C P I P so I think that was one of my findings from this. So it's, it's an interesting, it's an interesting question to which I think the answer causes a lot of problems that people aren't thinking about. Right, right. Yet.
Which, but it relates what one Rav was saying. I, in the second presentation yes, yes. Saying actually we need to come into a vision or in a state where the vision that, or which implements the vision, that the data knows what's happening around it. Yes. And extending this to the thing is what, the thing, that thing knows actually what's happening. Yeah. And that relates it to context.
Yeah. And, and I, I hope I can shed a little bit of light on, on, on this problem. You're
You. Thank you. So good afternoon, everybody as introduced I'm Jackson Shaw with Dell, the whole commercial I will give for Dell is if you're using a Dell laptop, thank you very much. We really appreciate it. 31 years ago on Monday, Michael Dell founded Dell. So you helped with that. If you happen to be using a Mac or an iPhone, or you have an apple watch, thank you. Because I own a lot of apple stock. So th this, this is an important area, you know, for, for Dell, you can see here on the slides that we're part of this open interconnect foundation, we're part of the, you know, industrial internet consortium, which is more on the hardware side of the world. And then of course, the PHY Alliance, which is more on the software side of the world and my transition from, I guess, literally from the day I I've been in this business from a software company to a company that does hardware and software has been very interesting because I get a very different light on some of the problems. So let's, let's run through some of this.
So this has been really exciting for me. Literally last October, I got called by the folks Kuppinger and said, Hey, would you do a keynote? I said, of course, I'd love to do a keynote. Let me send you some, some, some thoughts. And they said, no, we want you to talk about IOT, to which I said, I don't know anything about IOT. And I literally did not at the time. I'm not sure if I do now, but I, I certainly knew zero then, but I'm an identity guy. I'm not a hardware guy. I never have been. So this has been very exciting for me. I have found out thatt is the buzzword of the year. It's kind of like, this is the year of PKI. Now it's, this is the year oft. And it will be for the next five years. I'm sure. The interesting thing is maybe there's some connection betweent and PKI, but we'll get to that.
So everything is IOT and it's everywhere. It's very, very difficult to find good examples of enterprise IOT devices. And trust me for the last six, seven months I have been doing that. I've been looking, I've been going to all kinds of conferences and, and doing a lot of research in this area, except for things like HVAC. And we'll talk more about that. Finding a definition of IOT is like 10 years ago, when we were all talking about what identity and access management was or what identity management was or what directory synchronization was in the old days, it was everything and everything and that's and anything. And, and that's kind of what it is today. So what is the good doctor found out? So the internet of things, there's a whole bunch of different definitions. This, this top one I think was from Wikipedia. Then I found another one that sort of condensed it. And I finally condensed it down to my definition at the very bottom, which is basically an autonomous interconnected device, autonomous meaning there isn't a keyboard. You're not interacting with it. There's no screen, you set it up. If there's even set up and off it goes,
I have found this out IOT is extremely antisocial. And, and what do I mean by that IOT devices don't really talk to each other. So you get an IOT device from one manufacturer and it doesn't talk to an IOT device of another manufacturer. And what does that lead to? It leads to this issue of you having to create multiple accounts on multiple different systems, doing multiple different setups across, you know, again, multiple different systems.
How do you connect your device could be through multiple different protocols. Again, I thought this was all T C P I P little. Did I know when I started researching this, that there were standards like, well, I mean, we know about Bluetooth and wifi, but I didn't know what zigb was. I certainly didn't know what SCADA was Z wave. And I found out that a lot of these things may run on an ethernet cable, but they're not IP based. So how do you, how do you do this inter operation? How do you handle security across all these different things is certainly a challenge from that perspective. If it was all TCP, I P we'd probably be in a little bit better shape.
So the, the, the other thing is that every device manufacturer we're solving these problems in, in different ways. And you know, the, the result of that is this particular thing where, you know, you have the Phillips hue lights, and you have the, the, I can't remember their name with the land OT guys and those lights don't interact. Okay. There's absolutely no interaction between them. And there are obvious reasons for that commercial reasons that people are doing that. But this is, this is one of the big problems with this, because what it's gonna force us to is how do we get these guys talking to each other at a security and identity perspective, which is, which is gonna be difficult.
So I, I, I went to CES. How many people have been to CES the consumer electronic show in Las Vegas, few people, my God, you haven't been to a conference since you've gone to that. 120,000 people descend on Las Vegas and the queues just to get on a train, to come into the conference center are 40 minutes long, was unbelievable. The whole conference, both sides of the conference center filled with stuff. And of course, quite a lot of it was IOT devices. And I spent, again, a lot of time looking at all these devices to see what, what would I think was applicable in, in the enterprise. This first thing on the left just was absolutely fascinating. This autonomous robot, you, you put this in your company, you it's got some kind of a GPS, Bluetooth gizmo on it. You sign into it when you're at home and you want to have a meeting with one of your colleagues.
You say, I wanna meet with Soandso and this thing goes off and drives down to so-and-so's office or to the conference room and the screen lights up. And you have your chat with, with me sitting at home. The only thing about it is because it's video. That means I have to not be in my robe when I'm, when I'm having that chat, but we, you know, we'll get to that safety and security. I mean, literally this whole aspect of, of perimeter security, both from a, a lock perspective and a video perspective is, is going the way of T and some interesting challenges there. And of course, environmental around things like, you know, temperature and, and knowing how many people are using which rooms and how much you can turn down temperature and how much electricity is being used and those kind of things. So that's kind of the future stuff that I saw.
There's a lot more that was applicable in the consumer world, but in the, in the, in the corporations that you guys work at, we'll see more of this over time. There's lots and lots of IOT and IOT data sources. We commissioned, you know, a, a white paper and a survey. And we, we got back some of this information. And for me, some of the most interesting things was how people want to use geolocation data, where people are from an IOT perspective. And I'm gonna give an example of that and something, some research that we did ourselves,
And there's lots of potential. There's a lot of discussion about realtime data, realtime decision making, okay. Things being put up into the cloud information about, you know, your particular environment, information about proximity, where you are in a building, or where you are from a location perspective, health information, being transmitted automatically. And the data analytics is another thing that you're seeing and hearing a lot about, you know, this cloud based, pushing everything up into the cloud to be analyzed up in the cloud in, in big data. A lot of the vendors you've heard come out and talk about that. Amazon, Microsoft, et cetera.
And why, why do I want to tell you there's lots of potential, because this is an interesting thing that I think you're gonna see happen, where you're not gonna have much of a choice about IOT. And I'll take the small example of these little plugs. These little plugs are smart monitors. They're of course, IOT networked. They will monitor the electricity being used in devices and will learn to know when to turn devices off. And the, the watch word behind it, or the, the marketing is, is, is saved 50% on your electricity cost. And this is important because CFOs and other people are gonna see this. And they're gonna say, I want to save 50% on operating cost, and you are gonna be the person that says, well, what about the identity issues? What about the security issues? And those are all gonna be pushed to the wayside because saving 50% on electricity is much more important. So I just see this as something that's gonna get pushed down to all of us over time and will be a problem we have to deal with.
So how pervasive is IOT? You know, I started October, November researching this. I thought, while there's not really much IOT out there again, this survey basically showed that 47% of the companies we surveyed were already using IOT devices to some way, shape or form. I think that's partially because if you look at the definition or you think about IOT, you can almost say it's everything. So I think it's already here. You know, as I use this little illustration from the old Poltergeist movie, if you're old enough to remember it, they're here. If you don't think they're in your, in your environment, they are, they, they are actually here now. So what is this? What have I found out about this? So we know that the devices are here and they're in your enterprise.
And basically this is, this is what I found out. It's it's, these devices are here and it's the wild west. So to take the, the connotation, it's, it's literally like the Cowboys and Indians all fighting amongst themselves around things like identity, security, privacy, how these things are configured, how these things are built. It's just, it's just an amazing situation. I've never seen this kind of, you know, discontinuity across an industry. And, you know, I would, if you wanna see it in real life, just go into Google news alerts and sign up Fort security and have your inbox flooded with all the things that are going on in the web around this, right now, all the notifications, all the discussions. It's, it's really incredible.
You guys know this guy, you're local salesman. You're gonna ask him for an IOT platform. And of course they, no problem. We sell those. You're gonna be able to buy these IOT. Actually, you can buy IOT platforms right now from a lot of different vendors. And they all come with their own, their own issues along with the IOT devices that connect to them. And I've got some examples here just to, just to give some color. I, I footnote all this stuff. So when you get the slides, you can go look at the articles. There was a, a fridge that was installed in a company. Somebody thought, oh, it's a great idea. We'll get maintenance updates about, about these fridges over the, over the network. They, they configured it. And somehow it got attacked and started sending spam. And a few months later, they found out that it was the source of three quarters of a million spam emails that were being sent outside the company from within the company.
So you can imagine that that was, that was a pretty interesting, fine for them. How about this one? Does this worry? You, it really worries me now. I wanna, I wanna state very categorically. This is not Dell. This is not a Dell IP traffic analysis. This is Jackson's home network. I literally got, I mean, we make firewalls, I got a firewall installed. It, turned it on configured it. And I, a little while ago, I turned on the G I P stuff. And this blew me away. United States, 88% as one would expect, or 87% as one would expect. I thought the next country might be Canada since that's where I'm from. And I always there and I thought, well, what is this? I'm ordering Chinese food over the internet all the time or something, right from China. No 6% of my traffic. In fact, since I've updated, I, since I've done this, I looked at the, the stats before I came here.
It's now 8%, 8% of my traffic is with China. And I have absolutely no idea why. And the, the learning piece for me was, I wish I would've done this before I installed all my IOT devices. Now I've got probably IOT devices that you guys have. I have a Samsung TV. I have a couple of apple devices. I have a Sonos audio player, and I have a NAS device, which one of these devices, or is it something else that is actually driving this traffic to, and from China? I don't know the answer to that, but that's one of the things I'm I'm working on. So I just wanted to point this out to you that this is an important aspect of IOT. One point, I don't think firewalls are smart enough for today and tomorrow's IOT threat environment. Okay. I'll talk a little bit more about that, but I honestly, it's not that I don't think they have the capability. I don't think they have the smarts today to make it really easy to manage this kind of a, a, a problem.
So two recent IOT incidents, I don't know if you're familiar with these, just have basically blown me away. This one have got a little bit more publicity. So maybe you heard about it. Google nest. I apologize for using Google. If there's anybody in the audience from Google wireless passwords stored on the device, unencrypted, there was a mini USB port, which gave root access to the device. And then the people who compromised it, basically, this is what they wrote. Once the entry point within the nest device was in place. We were then able to compromise just about everything within that network. Now you might say, well, Jackson, does that really matter? It's it's your nest thermostat at home? Well, it does matter because whether it's my nest thermostat at home and I'm VPN in to Dell, it could be an entry point. If they can jump, if they can jump over the wireless.
The second thing is there are lots of these devices now being installed in corporations around the world, not just nest, but intelligent IOT based thermostats. And that can become an entry point for an attacker. The fact that it has to be physically touched doesn't mean anything because a person has, you have guests, you have malicious employees. There are a lot of issues. The second thing this just happened, maybe within two weeks completely blew me away. I found out because home Depot was empty of the shelves of this product. And I had friends who used it had completely had recalls. You have to ship the appliances back. I'm like, well, that's crazy. Why are people shipping the appliances back? Well, they ship the appliance with a one year SSL certificate, which expired a year after they started shipping. So it expired. I think it was April 19th and credit to wink that they had a very secure channel setup between doing updates with the IOT devices and their corporate cloud-based update service secured by this SSL certificate.
Once it expired, no more updates. So guess what happened? All the devices stopped working exactly 1159 that particular day, the technical workout work around. Most customers couldn't do. So guess what? Everybody has to ship the appliance back. So a little bit of a cost. So what can you do? Well, you can just say no, but are you really gonna say no to employees, diabetes monitors or, or the watch that's sending my data back to my hospital. No, you're not gonna do that. Can you call Ghostbusters a number of years ago, one of my employers used to walk around with a wifi analyzer and they found a wifi port. They would basically take you, take your wifi equipment away from you. And you're not gonna be able to do that with, with IOT, either there's standards that are coming, which is, which is awesome, or other standards that are there.
But some of these things don't even use T C P I P like anything that's backnet related arm is doing something really interesting where they're putting polar SSL onto their, onto their, their chip sets and they're shipping those chip sets. Awesome. Awesome thing. Glad to see that they're doing that, but I look at op I, I don't know polar SSL, but I also remember very recently something called open SSL and they found a few problems with that. So I'm not sure how these guys are gonna figure out some of these problems. And then some of the encryption being used with these devices is very weak. Again, no security. You can't really say no IOT for you either. There are a lot of standards coming to help with this. The only point I wanna make about this is there aren't standards that fully solve the problem today. So again, back to this wild west story.
So let me give you a real quick example of our practical use. This is the device in question. I decided that I wanted to see if we could use this for privileged access management. We put a few of these in the office and said, if you're not within this area, bounded by these devices, you can't get a privileged account. I thought it was an awesome idea, but as we went along, we found out that these aren't tamper proof, you can just take it off a wall, fly to Munich, and suddenly you've got ability to get privileged, to count Munich they're you can open them up so you can fiddle with them and they lack non-repudiation there isn't a certificate. There's no OTP. There's no way for me to assure myself that I'm topic talking to the device that I actually installed. So we had to rule it out as a solution, but it was a good idea.
So last slide. What are some of my thoughts on this security is not priority one for most IOT vendors. I've, I've literally found that out. It's, you know, we have our own issues around software vendors, but I'm telling you, it's literally the wild west with IOT vendors over the next two years, the IOT devices and services market will be chaotic. There's no question about that. And you're gonna be forced into it. The new IOT ready platforms will enable vendors to integrate these first wave of IOT devices and sensors enable 'em to communicate with vendors, customers, infrastructure. This is you guys. And as I point out again here with the, with the chart, you really need to have to be thinking about what you're doing. You're gonna be forced into this because of operational issues around saving electricity and, and, and all of these things, your, your bosses are gonna come to you and say, we're doing this. We're gonna analyze things in the cloud. And then you'll be left with figuring this out. So my recommendations question, how is the security handled in your IOT devices? Who's reviewed it? Has it been externally reviewed? Has it been penetration tested? No, one's really even doing that, to be honest detect you can't remediate unless you detect before and after like my example of the traffic with China,
You have to contain, you have to segment your corporate ID, it devices from anything, IOT related, easy to say, a lot of firewalls do that, but not very easy to necessarily implement in a company. And that's something you you're gonna have to think hard about
Everything around is in flux. Like I said, I've never seen anything so wild west, and you really have to stay on top of it. It's easy to get notifications about Microsoft patches. It's easy to get vulnerability notifications from the government, but what about IOT devices? Where are all those collected? You know, it's again, it's the wild west. So please visit our booth. We have RFID tags. They're very easy. We just put them in your hand with this little instrument, and then you can go around. You can open doors. So with that, thank you very much. I hope this was useful to you. Forget
My problem. Thank you so much. Great presentation. I unfortunately have already had a very, very short question because of time, the 6% of China. Yes. Did, did you manage to find out, was it, was, was it a virus or malware?
Haven't I haven't figured it out. I have this strange feeling that it is actually one of my devices that seems to be
Going back and forth. Oh, it's I know it's not my watch gift.
It's not, it's not your watch. I
Took that before I got my watch. And by the way, if anyone wants to see my, my apple watch, it's only one Euro a look. So just come by.
Thank you. Thank you so much. Good
How can we help you