Hi everyone, Ed Amarosa here, and I want to talk to you a little bit about provide an introduction to the topic of Internet of Things, IoT Security. Now IoT devices are things that for the most part are connected the networks but are not your computer, not your smartphone, it's just kind of everything else. That might include like a big aircraft engine, might be connected in some sense to the public Internet, or wind turbines out in a fields somewhere might be connected to the Internet. Providing telemetry back to a research center or accepting command say, from some control center. Or connected cars eventually becoming autonomous, these are all connected up to networks. And all of them to some degree are vulnerable to malicious hacking. Now, today, we count something like six billion of these things connected across the Internet, or they speak to you. But by say 2020, the projection is up. This will grow dramatically, potentially to like 20 billion of these things connected up. Just a aircraft engine alone might have 1,000 in different parts that are beaconing out information about temperature and position and sensing and velocity and on and on and on. So these are very interesting problems from a perspective of a cybersecurity engineer. So the first, let's kind of go through in these things. I'll take the first things, it's just the the IoT device its themselves. They can be categorized into a couple of different classes. First, we would say they're call them industrial control devices. Things that have consequence if hacked to some critical infrastructure component, tend to use the term industrial control for that. But it's not just about industrial control, it's more critical infrastructure like a heat pump at a power plant, or we mentioned an aircraft engine, or say some really important safety device in a transportation system. You don't want these things to be hacked, you don't want the integrity of them to be affected or modified because people could lose their lives. The second class is kind of everything else like we joke about connected refrigerators and entertainment systems and video records and children's toys and appliances in our home. These are certainly connected to the Internet. They are clearly IoT devices, your wearables, and other things would be in that category. And yeah, you don't want them to be hacked but for the most part would probably not produce some significant consequence. And then you can say that there's kind of a category that lives in the middle of those two. Right, there's clearly critical infrastructure affecting, they're clearly not. And then things in the middle would be like for example, medical devices. Now you'd say, gosh, an insulin pump shouldn't be hacked and kill somebody, but it doesn't cascade, right? For the most part, if I attack an insulin pump and cause someone to become ill, it's an isolated, it's a nefarious disgusting sort of attack. But it's not the same thing as a power plant that could be attacked and kill all sorts of things. So, a lot of engineers tend to categorize things in those sort of buckets. It's really two buckets and then a combination. Industrial control, IoT sort of consumer, and then things that are in the middle. Now what are the problems here? The first is that none of these devices that exist today, legacy versions of these where design what security in mind. That probably of an operating system, but that's probably no good way to patch them. No good way to do vulnerability management on them, no good way to update systems with security that needs to be done. They just want a design like that. A heat pump in a factory that connects up to the Internet was not designed for cybersecurity, it just wasn't, that wasn't a consideration. It was a mechanical engineer who saw a heat pump could be controlled with a computer. Hey, let's put it on a network. Hey, let's build a monitoring system. Wow, I can control all the heat pumps from this one room. Not thinking about cyber, but thinking about utility. So the first problem we have in IoT security is this issue of legacy. The second is a problem of protocol. So yes, some of them do run IP but a lot of them are running proprietary protocols. There's one very popular one called Modbus. There's others that are running analog signaling like voltages, 28 voltage or 20 volts 0, or things in between, turning things on and turning things off. So it's all over the map in terms of the way the control system and a control device would operate. The vagaries of the mechanical engineer who designed it will determine the specifics of how the interaction works. So putting like a firewall in between them it's just simple, it's just not an easy sort of thing to do. So you put these things together, this issue of a dramatic growth of number devices that themselves are not well protected, systems are not designed for that. And then you put protocols in place, whether connecting to control systems. Where the protocols are all over the map, it becomes extremely difficult to retrofit security onto this. So what I think is happening is that we do the best we can with retrofit. We build appliances and things in certain cases that do the best they can with existing legacy. But a next generation IoT is going to have to be in place over the next 20 years, where we design security into them from the beginning. We build the devices that are hardened, we make it easy to update and patch them, we build native encryption into these things. We have them natively able to produce or support encrypted protocols that have authentication, digital signing. All the things you learn about in cybersecurity in the IoT infrastructure, they're not there now. They have to be there, so you either overlay them or you design them in natively. And if you've got a bunch of old heat pumps in a factory, good luck doing something overlaid. You're going to have to rethink that, and that's going to be a suicidal cost that we we'll have to just deal with. Because if we don't, then we're going to see some pretty massive attacks on IoT. In the subsequent video, I'll give you an example one. But for now, I hope this has been a good introduction to sort of the landscape of security in the context of IoT and industrial control, thanks.
