
[Applause] good man yeah quick nose dive just to take the start there BSides Cayman thank you so much for having me back again three years in a row and uh still back so that's good I love it um I'm going to talk about IoT today from a broad perspective down a little bit to kind of you know how you can get our arms around and how we need to deal with this thing I'll talk a little bit about scope um I'll talk very specifically about the perspective from retail side and from Healthcare um if everyone's good with that uh I will delve into more Automotive just briefly in terms of what I see and what I've dealt with um
because that is a very key area that it's going to be very interesting and one of the examples I have for when things go bad is the 2015 Jeep Cherokee debacle so I will touch on that just briefly as well um again appreciate you having me here um I love this little you know Meme there you know classic meme picture but you know just rendered for today's sort of world that's you know the thing of like okay so everything talks to everything these days um you know to the point of literally had a conversation outside with with Andy from uh from E eshore and you know we're talking about IoT the prevalence of devices how many things we have in our
lives today that record data that are functionally significant to us in terms of inputs and how we can share this information out to you know our part our third parties you know that we deal with Etc um the example he shared was for example his cat feeder so while he's away you know he's based in Jamaica he can look in Kingston and see what the status is on the cat treats right now and if he needs to he can hit the button a few times and pop a few treats out and the cat's happy you know amazing Simplicity in in technology uh but the question mark of course from the security guard's perspective is like
what else is that device doing that we don't know about and what else is it talking to internally or externally that we don't know about and that's you know once we start into those sorts of questions things get really interesting of course so let's dive in a little bit um the broad perception is that you know IoT is rife with issues um there's all sorts of simple things that are that are wrong with these devices um the examples of course default passwords we can insecure web interfaces we can insecure Cloud infrastructures that we communicate through these things through um insecure mobile interfaces on these things all of these of course proven these Legion examples for for these things being the
case authentication failures and issues and lack of encrypted Communications uh I would extend that on you know beyond that into um back doors intentional or otherwise we're seeing more and more these days in terms of foreign States adversarially attacking OT devices right the current referencing that's been in the media for the last two weeks is that the Chinese alone of 600,000 Personnel that's a 50 to 1 ratio versus what the US currently has in defense is 600,000 odd Personnel that will that are on the attack side for that um if you look at the two most significant threats in OT in terms of what we've seen from Russia what we've seen from China in terms of
the the campaigns and the persistency and what what happens those two vectors those two sort of adversaries are coming hard to get control of OT and IoT devices um interestingly we do also see some you know sort of somewhat friendly Nations every now and again pop up one of those all references the Swiss with what they did with the camera systems a couple of years ago so part of the issue we deal with here is prevalence right 50 billion devices and growing um that's the part I'm saying about getting your hands around the space right so it's enough if you think about like I'll give you my own personal example right I'm not wearing it now because it's busy
charging but I have an Oura which gives me all my personal health stats right so that's as a as a device that's already just you know it's a wearable that's giving me all my data it's communicating through an app on my phone um so there's there's cloud storage there's you know on Device Storage there's a communication path between the ring my device is the transit device and the ultimate you know application resident in the cloud for the processing and the the return of data to me and I assume that all of this is great and wonderful and it's you know it's not going to cause me a problem but that's just one device I have two lots of
camera systems at my home one is a ring doorbell the other one is or a series of cameras throughout the house with key spots that I wanted to monitor you know I look at the Smart TVs I look at the fridge I look at you know stuff that we have in the kitchen that has some sort of you know sentience if you want to look at it that way and what we're dealing with is is a myriad of devices which are performing function for me which give me some remote capability some ability to communicate with other parties should I allow them to and that's the key message I want to put in there is please if you're going to use
anything that's OT enabled IoT stuff please understand what the communication paths are if you have the capability please look at your network at home see what's outbound see where it's coming from understand the relationship between that smart TV and its update server or the providers of streaming technology that you draw as a function because you not everything is is what what it would seem in there you need to be very careful with these things classic example IPTV is incredibly popular in Canada now it's nothing to do with the overcharging that that the uh that the uh the regular providers have it's it's just because people are from other countries other regions that don't have the facility to get their you
know Regional TV capabilities other than IPTV so you have these little Linux distro boxes that are out there that are performing this function they connect to all kinds of different stuff other than just the streaming component so if we look at it from a business perspective though office technology monitoring of office technology in office you know in space that's obviously you know a very big thing a lot of stuff around production today um the Advent of RFID as a measuring function and and a reporting function obviously within you know within within storefront and and um Supply capability took off dramatically about 20 years ago and that's really changed the whole landscape to the point that you look at
these new the new Amazon warehouses where you know people are essentially absent and the devices perform all the functions and of drawing stuff and packaging stuff together um and so where that leads so that's supply chain piece has been a huge component of the IoT conversation retail and Hospitality again you know the old days of having my bar you know my bartender come into to work you know Mount the mount the bottle with the little tot measure on there and give me a you know give me a shot from there that sort of stuff's gone because maintaining the you know what you had then what you needed to order from that stuff was just time consuming when you
have measurement Technologies today that would give us the ability to measure that tot it's you know it's exactly a tot that goes out there so you know if it's it's it's a single or double shot it gets measured out exactly and that references instantly down to the database that tells us where we're at in terms of stocks so we're not running out of rum and brandy and gin and what have you when BSides is in town and you know you look at sort of the school landscape hospitals hospitals a massive one I will touch on that very specifically because I've got one that I'm dealing with at the moment that's really really interesting um and then
state and local government of course you know everything that's that's within there including the protected infrastructures that you would have for ICS and SCADA and how they relate to the the overall practice as well if you'll bear with me one second let me talk about the hospital one because that's interesting IoT encompasses a lot of different spaces and what's happened is as technologists have looked at the space and try to figure out how they can address the security aspects of what you know you'd have Within These different areas we've seen specialization so companies have come out whose specialization is in these specific areas right and so medical as an example the medical IoT thing is essentially
considered a sub practice of IoT these days there's enough companies there that are servicing just that piece which is interesting um I'll give an example so SickKids hospital in Toronto as is my example they're busy rebuilding their entire campus right so they're about a 40-year-old infrastructure currently across six different buildings they're going to collapse that down um and rebuild a number of them and so the new towers essentially will come online from 2028 forward and just one of the examples that was shared with me by their CISO they're looking at a 20-story building there where the intention is to have every layer of is functionally every floor of that that building run almost like a like a home device like as
a home network right the the hand approach um within that though they're looking at uh the total for the building will be 52,000 sensor devices that will operate within that infrastructure so you think about that in just one building in a campus the new campus will be four buildings there one building of four and the amount of information that goes through those infrastructures like at every level and then shared across the stack and fed up to the cloud and to their data center as a backup infrastructure getting your arms around that maintaining the security of everything that's going to happen within there is going to be an enormous task right that's one of the reasons we're
having like this conversation started last year so we take a five-year view in terms of like where are we today with IoT and medical IoT and what do we need to get to what will we build out that'll be significant then and need to understand for right how do we handle that that volume of information how do we how do we essentially Cascade it down to those individual levels right and then extrapolate the data up so that those that need to see it can have can see the entire picture it's not a trivial architecture it's really quite exciting quite interesting I'll just reference the retail one just briefly as well I'm going to I'll show you an example later
from the retail space from an industry organization in Canada that's building out um retail space in a very big way and their intent is to have everything smart and enabled their biggest building is out in Burnaby BC um but overall they got 40 million square feet under management and what they're intending to do is have all the core functions that you would imagine within that device from security from IT all the operation stuff all the critical operation stuff that goes within those devices to The Lighting systems public addressing you know everything um needs to be needs to be IoT needs to be OT enabled and the security of all this stuff is is giving them a lot of headache so again the
architecture that you need to build in around that has been incredibly interesting and I'll show you the model that uh that Andy there has developed which is kind of a maturity model for the entire industry in Canada to embrace so that they can get into OT and start you know the embracing the IoT journey and having a good measure of how things can be done so couple of really good examples um I did take this slide just straight from Zen armo to be fair to them that's where I kept the the badging on it um this is a great reference right just shows you a couple of things over time so if you look at the examples here 2010
Stuxnet I'm sure most people have read Kim's book they know what what went on there um for its time foundational stuff really interesting you know the ability to essentially remotely get those uh get those devices to spin faster than they were intended to so that we can ruin their access and and Destroy them you know pretty interesting stuff um the first botnets that came out right where the majority of the botnet was IoT related um and all the different devices that were Incorporated in there were essentially beaconing out and connecting to other devices and spreading things so the first time we saw this really going far the third example that Jeep Cherokee example right we're changing the radio
essentially impacted device function the accelerator function goes away right so by touching the radio the thing was infected enough that it would take away the accelerator right very very dangerous not like this is not you know it's as a proof of concept it's it's quite a worrying thing that you would see I actually just read something last night that uh so the UK was the first country in May of this year May 24 second of may they put out their first draft of legal protection that is required by technology companies that want to supply IoT so any connected devices any IoT related stuff in the UK at least has to account for how how things are secured and how the users
will be protected from those devices and from misuse of those devices you look at this example here and you see what's happening in the vehicle space this is a very very critical thing so the article I read last night didn't give unfortunately didn't give any referencing and sourcing on you know who they were quoting what they was going on but the principle they were discussing was in bitter and contentious breakups of relationships these days how more and more people are are leveraging connected Vehicles as a way to get revenge on their their exes which is like that's really leaning into it a lot you know so yeah just beware Mirai in 2016 obviously another
great example that was very public very well understood um went across again a whole series of different devices and and took advantage of those things the cuded medical device stuff in in 2017 again proof of concept that that leaked out into the wild um and the ability within those to start fiddling with pacemakers and things along those lines that have a material impact on people's lives again just sounding the alarms for you know for what should happen so my call out there is you look at that so that's 2017 and then seven years later the UK as the Standalone country in the world so far has put together just even the draft of legislation of what you know
what you should be dealing with um and we talk about 50 billion devices so you'll see that the problem we're dealing with is the technology leads the protection comes after as always and then the legislation is always way behind right so as a practice area for those that are here from government um it's probably a good idea to have a lot of conversations and get into some depth with with people that are involved in the space and start figuring out what you we need to do and how we can help anybody that uh that needs to in there um looking further on 2017 in Reaper 2021 um the second ver iteration sorry 2020 the second iteration of Mirai
um and then 20 2021 the Verkada example with the Swiss got in their back door their their camera system and were able to cause a lot of Havoc within that so just a couple of nice examples just some things to sort of put things top of mind so that's the bad side of it that's the issue that's the problem side let's lean a little bit to the other side and start looking at the solution side what we can do how we should think about these things and this slide for those that will read it goes top left to the right and down and across again um key things about IoT discoveries number one but we
have to know the devices that are out there what we don't know we can't protect right so we have to know what the devices are what their state is you know in terms of like currency Etc so have all that stuff classified and and and codified and recorded in some way that's meaningful to us we have to understand the device Communications how they're supposed to work and versus how they actually do work right that sounds a bit silly but if you know for those that are practitioners you'll understand what I'm saying there right it things things are supposed to go across specific ports updates are supposed to work a certain way etc etc and then you
know they things get deployed and then you suddenly have weird things going on and you start realizing yeah things there's a problem here um once you have the discovery once you understand the communication paths then only can you start looking at it and this is zero trust conversation from last year's conversation here um then only can you start embracing the zero trust approach and start locking things down right doing your segmentation validating um least privilege uh this is what that should say I apologize um validating that you're applying least privilege access to everything that you you have going through there from there continuous monitoring right so we've defined what the device is communication path is set we set segmentation in place
now we validate that we're actually doing it and nothing changes because it's in the changes that things start happening to us right who in this room hasn't had an issue with a change that someone else did and did or did not publish successfully that causes you pain oh yeah there's my people right there you know what we're talking about right it's the router update that happened last night that suddenly causes the problem with the mail server that nobody could see coming but you know nobody knew about etc etc I'm in the firewall space a lot and it's always the firewall and it never is the firewall it's always the other stuff but hey um yeah Simplicity of operations um and and
looking at once you have so once you have a handle on this once you start looking at your policies you start figuring out your monitoring you get a handle on what's coming through you start feeling quite comfortable about this and then start leading into Automation and automation is what starts making it real that's when you get the 50 billion devices and put it down into a into a structure that you can actually get a handle on and actually start running so from an operationalist perspective you can start breathing you can start realizing yes we've got we got we're well classified we're well structured we've got Protections in place they are effective we start grouping logs and alerts into functional
bits that we don't have to look at everything and start bringing our window down in terms of what we're going to react to and that that's when the team can start getting hand on things so getting to the automation workflow is a critical piece and I'll detail that in a bit more uh as we go along for those that were here three years ago when I was doing the conversation about how the you know the the SOC is dying and how automation's going to take over a lot of that function that's what we were talking about then that's still what we're talking about today this is this is common this is a practice that is
well established to get to the next level let's get into the operation stuff very specifically what we're going to look at here is again Define the assets set the you know look at the look at the communications protocols look at the the access control that's applied around there and for Simplicity you'll see a lot of product names around there those are just generically recognized as kind of the leaders in their space right a number of those are competitors of ours and that's great we just this is an OT conversation from a general perspective this is not about um you know any relation to uh to product at all but what you'll see there is you start looking at through the
space here right so asset management at the top network access control start looking down detection and response capabilities you look down at your endpoints Network management piece IP address management um vulnerability management the one thing that's not on there that I would like to them include in this this vision is identity right because it's identity for the person as well as for the function and for those that need to understand the difference function is an identity because it is something that that performs you know a capability for us that we need to be aware of so it could be a device the code within the device that performs that function for us I consider as as a
functional identity right the person that calls the device that runs the applications that do the things identity as well but these two things need to come together but that gives us the ability to look at the space look at the different technologies that may or may not apply some of those you may be familiar with some we may not and that's fine um and start looking in you know what are the capabilities that you have on this in the scale now across the space that could start addressing these things for us and so look at the Integrations that are available between those Technologies so the very top example up there is great right I have
an endpoint device it registers that there's something wrong with what's going on in that that you know within that registry maybe and it needs to communicate out and it'll it'll tell its host management function but if it tells ServiceNow as well and ServiceNow can automatically create a ticket for me that will get Associated to the correct team that go back and fix that for me and we can automate that piece so that we don't have six people doing these things now we have a person that can reference oh I've got a ServiceNow ticket I can check the you know the path of what's come through where it came from I can look at the management system
go to that endpoint it is a problem let's fix it amazing automation's going to win it for us we just have to get there and this is like an example of the path um once you have that you can get into automating the workflows and that's where I'm talking about the collaboration between the different technologies that are applying there so if my endpoint technology can tell me that when something's going wrong and it can talk to the switch the router or the firewall to involve the NAC and the NAC can as a function of policy put things into quarantine block them until we can remediate and then again communicate with ServiceNow and the
other pieces and again this is where the identity should come in including the identity source and again remediate and lock out that identity while we figure this out that again gets us to a state so the IoT devices that are unmanaged where this is important is we need to be able to validate what's going on in those those IoT devices right Healthcare example infusion pump you know it's monitorable to a certain degree it's not going to get updated too frequently because while that thing works everyone says leave it alone because the last time we did the update the whole floor went down we couldn't do operations for that day everything got backed up everyone has a nightmare we're never
going to touch these things again of course we have to but it means our our change control and the process that we apply to those things has to be that much more structured and the stricture that we'll apply to why we're doing that is going to be at a level that we've never seen before so workflow Automation and IoT where where that applies ties those things together for us to give us the sense that we have some continuity of action across those different uh spaces and then labels new new use cases to come up because if we're if we're doing that well and a new device comes into scope that'll get flagged immediately because of course our policies typically
wouldn't allow that right so even if we allow we we we know we need those Pathways we're going to create the policies that'll allow these things through structure our workflow so that these can now be accommodated if that thing is wrong for some reason or is not operating as we'd expect we'll see it and we'll know really key importance equally again for medical IoT where where device updating is not that frequent or that that that encouraged um the ability to look at into that and see when things change right so again my infusion pump that was running version 402 performs a certain way and it updates a certain way well now they just upgraded the the encryption keys on that
device so what used to work from a window size now no longer works not these things aren't updating anymore they're not talking to anything why well because the router that's up ahead of it isn't set up to to handle packets of that size right and we only know that when the stuff starts flagging right so there's a lot that can go into these devices and a lot go into these flows where we can start paying attention to things once the automation is feeding that through for us and then again ecosystem you can have an extensive ecosystem you can have 40 million square feet under management you can have 52,000 sensors in a single building once
you build out the ability to take in a lot of information process it effectively use the communications and automations that are available and and then authenticate sorry then enhance those through things like SOAR technology Etc and so that's where that leans to in the next sort of uh next sort of thing I just put this one in because when you have these conversations one of the things that comes up everyone hates them everyone's scared of them uh they are a pathway they are there are a capability right APIs are absolutely valid there's millions of reasons why this would be a good thing for you but from an IoT perspective to rely on APIs to to tell
me what the device is and for me to do do anything with the device in terms of updates Etc we should be very careful about that one of the things again with the 600,000 Chinese that are attacking things they love this pathway because this is not this and XML are not incredibly well understood and so you know little bit of little bit of fun there obviously with that again a classic meme um but API integration is the way to to understand what's going on in there not using the automations the workflows and everything that's available definitely a no no so if we look at what we have let's look at an integration of workflow um with an endpoint detection response
right extended detection response and how that can accelerate your workflows um Maria I think this might be familiar um what we need there is complete asset visibility um single pane of glass potentially that's the ideal few people get to that in practice but it is an ideal that everyone works towards and if you look at the bottom left there we look at the device that we manage as well as the other stuff like shadow IT and the shadow IoT and the other things that are completely unmanaged we need to embrace the two views in our approach right we can't have and there are Technologies out there that will only say like hey I do medical IoT I
recognize these are my device list I'll have these 400 devices are recognized and beyond that it's not good luck we don't touch that stuff right that a point that that Point's not is not a solution for you that's just a point product that does certain things for you you have to be able to have a capability across this that handles breadth because there'll always be new there'll always be adjustment there'll always be change so locked in hardcoded I only do these you know specific counter things is not the approach that you want to be having here so you have to have an approach to incorporate both of those things and again referencing to endpoint as a
function within there is key right devices that don't look at the endpoint capability and I'm not saying you have to have an agent on every single iot device but where possible if you have some sort of an agent that can Beacon to you or have a have a sensor nearby that can reference the communication and Beacon that to you that is tremendously useful so how we accelerate the sock workflows we need visibility into all connected devices Right iot medical iot iot and just it Ops functionally within there as well so we have to we have to embrace the entire landscape again 40 million sare feet of retail space everything's in in scope right we con
exclude anything in that we have to have a holistic asset visibility again we got to recognize everything across there even if it goes back to Old School DHCP beaconing that gets us you know referencing for what that Mach address is what the devices that's out there we look at you know we look at the logs for what's going through that sensor we can see and pin down to you know what it potentially is that's operating there and can build a supposition that someone will actually go and validate that's okay right if it's got to be manual to get you started totally fine um single pan of glass to accelerate your sock workflows that again is the ideal right
if we can have the feed up of information such that it's efficient that it feeds up to there phenomenal for us and then where that leads to sim and sore integration and again referencing back to three years ago's talk right where I spoke about sore intent here is to have diverse work diverse workflows diverse security inputs right all sorts of different log capability feed to a device structure that will give us intelligence allow us to have uh reporting and monitoring and response capability around that right so when you see these series of triggers that we think is this how do we want to handle that right what does the workflow Say what Does the SIM do does the Sim
communicate to me does it create a ticket does it flag does it create a war room so that everyone can jump in and we can then work you know the scenario um in the sore case does it automatically remediate that for me and why wouldn't you if you're handling billions of alerts a day why wouldn't you remediate automatically so I security right so we want out of boox integration and capability so we want broad integration we broad capability we want a group and series of technologies that understand these things that can feed us that Telemetry from the Telemetry we want then the intelligence to pull these things together so our decision trees can can present to us what the responses would
be and the stock automation can be can be done within there through the S technology be with me there we go what that may look like this is just an example and this is medical it's a medical system specifically that I'm looking at here um where we get device context we can simplify resolution and this example is again from the sore perspective this is saying here is the context that I'm looking for these are the devices that I'm looking for so these are the DMS devices that are beaconing out you know communication as they're being used so the users are using them we're seeing information flow this is good what we see in there is a visual
representation of the devices where they communic communicate to what this communication paths go on to if there's a feed on from there and what the volumes of data are what any issues or threats or risks that we would want to call out can be done so in that sort of view um and then a breakout within that'll suggest things like device currency device state um you know where the devices in terms of device identification if we have that tag for those and what that allows is that we can then recommend actions to lower risk based on what we see we can drill into those individual risk points and and delve into it do a single click
integration or sorry a single click connect through to navigate down to um what the end device is if we need to the visualization obviously speaks for itself is it's a nice clean flow that allows us to see where things are going and so this is kind of the end state of where we want to get to in our process of embracing all this and getting it done a quick talk if I may just diverge slightly so I spoke about medical iot I spoke about retail a little bit um where things got interesting I'm going to talk about this um recc it's a working group within Canadian retail uh essentially theyve they've figured out they need to
operate as an industry together to get their arms around the the iot risk and and containing it and so they put this recc group together there's the link there for anyone that may be interested Andy Rodriguez is the guy that's driving this model within the group so he's one of the leaders within the group um he is on LinkedIn very good guy to reach out to he's very open to talk and you discuss with anyone that needs it um they're property Tech specifically so they're looking at and I'll give you another example one of the newest buildings they put up in Toronto took 5 years to build was completed about a year ago it's 7.6
acres and they've got something in the order of 170,000 iot sensors in that Dev in that in that infrastructure again everything from the lights to you know the security systems understanding the architecture that was required for there required three there was three different Consulting groups that that consulted on that um all of whom came to a consensus on how they would expect to build that out and even then three years into that had to go back to the drawing board and redraw draw everything right we had issues around power we had issues around monitoring we had issues around who would own the information you know like you know there's common areas for those those projects which go so like the
building owner owns some of it some of it is subbed out to the security organization some of it subbed out to other you know like the lighting system who knew isn't owned by the building it's owned by the people that are actually supplying the lighting on a contract basis so every two years they contracted to come back in and update and refresh things Etc so they own that infrastructure completely there's literally a demarc on the electronic panel that's theirs and then they go forward from there right stuff that nobody considered and so that's where you get into these interesting things around you know what are we going to do for them how do we feed their
information through the infrastructure that we're building to take care of all of this such that they can perform their function which we've contracted them to deliver for us it's not it's not that we can say like go away we're not going to do it it has to be done and so you figure these things out as you go which is kind of interesting um that part about the stakeholders for industry is really is really quite something because not everybody's equally understanding of how powerful iot is their part within it so we talked to the guys that Supply the security Technologies right so the alarms locks smart locks you know the cameras Etc they're completely all over it they know
exactly what's going on they can tell you ports protocols updates you know frequencies everything like mean time of failure everything's well established again we talked to the lighting guys that's kind of not their thing they don't really want to be bothered with it you got to hound them a little bit to kind of get the information and chase them to get it done interesting but you know this maturity model that we're trying to develop through that working group is uh is is helping set the perception of how things will be as we go forward which is cool on the automotive side I'm going to start with the end one first BlackBerry right everyone remembers those I'm sure
everyone you know above 30 at least had one at some stage right everyone everyone remember those devices right once they changed from the wheel to the ball it was rubbish but hey okay um I still missed the wheel it was amazing you could drive and type you know not supposed to but of course you do um BlackBerry today the biggest piece of that their business is in Car Technology right they were a Communications company they bought an endpoint technology company to secure the endpoint and they put together essentially their their worldview now is they want to be in car technology for every car they can possibly be contract to to deliver on phenomenal phenomenal business change
like then there will never be the communications juggernaut they were not to say they wouldn't ever be as big as they previously were they're on their way back in terms of you know capability but in terms of what they deliver and how they do it today absolutely fascinating to see what that company's pulling off and what they can build in there the middle one there vehicular is someone that's going to come at them very hard and compete so this is a fleet management infrastructure that a guy by the name of RJ Khan in Canada's developed and their intent is to take the old school Fleet Management and incorporate iot within there so understand you know what is
what's happening within those those fleet vehicles so where government for example you know what's happening within the buses the trams Etc that are that are on our streets where are they how are they running you know what are the state of those devices like with everything with within those so you know the display if the display screen's broken we don't want to wait until that things comes back and that you know the report gets logged that someone will read in a week to go and fix the display know about it now in the command center for Toronto Transit why not have that Splash up and tell them displays out right or engine's running too hot oil's
too low whatever the case might be that's where aj is kind of pulling this the stuff together to look at a fleet perspective and look at how you maintain the fleet as efficiently as possible by understanding as I go forward minute to minute what's happening with your Fleet and wherever it is so very cool stuff and he's a very he's very security-minded so he's coming at it from the right perspective there and then Geotab is another interesting one has everyone anyone ever heard of Geotab kind of an interesting little uh project that 20 odd years ago two South African brothers that came to Canada pulled their done time in SA understood GPS to a degree that like only the the
biggest nerds and Geeks could possibly understand but bless their hearts they put together a technology around Vehicle Management that references GPS technology and the advances in GPS today as an iot function to allow to secure where is my device or where's my vehicle how is it operating what speed is it traveling what routes does it go right so if the UPS truck goes back and forth on the street a few times looking for the house that's a problem for UPS they don't want that and that software will tell them what's going on right well the truck got stolen and it's somewhere else on the island who would know that will tell us exactly where it is what state
it's in ETC and so that has turned into a massive massive business the growth in that company is absolutely phenomenal because there's just more and more application for vehicle security vehicle monitoring and you know everything that goes with that in terms of efficiencies that that that software can drive for you so pretty pretty smart stuff well worth looking up and reading what they're up to um and again from from an iot perspective cloud-based infrastructure is very smart lean lean lean company they bit you know like they have hardly anyone that works there but what they get done is absolutely brilliant so well worth a look so this is Andy's model or the team's model it starts at the top um
with a very weird looking you know sort of what is that is it a quaver I don't know I'm not a musical guy but that weird looking musical note looking thing um with the kickoff phase the one thing I'll call out in this model immediately it goes through the circle the circle is essentially it's like an ouroboros it's never actually expected to end you just keep you know processing through as you add and as you adjust and as things change you adjust within them but again you look at the principles are the same as what we say from the industry broadly Define right so look at the device define you know what what's going on in
there what's required perform the discovery so validate what's out there validate what we need from those validate um any exceptions at this phase right so if there's things that are not going to be done those have to be called out in here you then Implement so actually put these in play start working with them get your first bits of telemetry back make sure you're getting what you expected and take care of what you're not go to monitor at this point you're running the infrastructure it's a monitoring phase at this point it's it's you you sort of you're at the stage now where you're you're running you kind of expected everything's running as it's supposed to be and what now happens if
we have anything that's off the rails here that gets interesting right uh enforce so any problems that occur we have to obviously enforce you know how we're going to operate around those apply any strictures that are needed at this point right recover so once an incident occurred once that device or that device series is is problematic has been isolated is now able to come back on how do we recover it what is the process to validate that it's clean and it's going to come back in and perform as expected again Etc refine right so take the learnings that we've had from this process to to that fa up to this phase document the refinement spread it
out through the rest of the industry so that everyone knows so if you know if the if Cadillac Fairview's tower in downtown Toronto experiences an issue from an iot perspective with one device type that causes them some issue let the rest of the industry know through that process as well really clean very clever very good and then back to the start right so that that wheel just keeps turning what are your thoughts as a model something you guys would think would be interesting really
good of course yeah oh very much yeah my question is kind mold in the house kind of grows under the radar from a compliance point of
yeah yeah so back to the point about the 50 billion devices the biggest problem with iot is people consume and then think about I wonder if I should be doing something around the security of this or this is good for me in my household I wonder if my kids will be affected by this I wonder if this is going to be an attack Vector for someone we literally started I'll give you a great example a company called CDW in Toronto did a great um example of how simple this is to do they had someone pick literally a square Grid in a neighborhood they sent then a guy to go and wardrive the neighborhood and with
a camera crew from CTV actually just showed they literally recorded the guy driving down the road picking up a scent you know like basically got a got a got an electronic footprint off a house hacked the Wi-Fi hacked the door hacked the cameras and it was like 13 minutes um that's that's the that's the problem that's the example so I would I would posit like I'm the I'm the positive example because I'm a security person it's my mindset before before the ring camera got it installed I knew what the operating parameters were what the update cycle like what's required what Communications it needs then it goes in most of the world goes the other way of like cool a ring camera
you know so when I'm not there the Amazon guy I can see him deliver the package or if someone rings the bell and I'm in Jamaica right now great I can see who it is and let them in or not that's you know use first think later is the problem with iot completely yeah and so that's when any model that accounts for this is useful but yes to the N point I actually had this conversation with uh with Adam outside uh on the attack side there's not enough understanding and stricture and call out of from an industry perspective of how we get arms around this and and structure it for individual functional pieces yeah cool um we are on questions now so good
timing um anybody needs to converse further we can do it right now as questions and answers otherwise you know hit me up on LinkedIn I uh I'll answer questions all all year I literally answered a question a couple of weeks ago from some of I said last year so appreciate the input and uh let's have some questions please I'll thank you thanks br oh there we go uh thank you for a wonderful presentation I am not an IT geek so I'm not sure if my question is well iot great so I see these instances when you're trying to create an account and they ask you to link say to your Gmail and me being lazy and not wanting
to have too many passwords is that iot is it safe is a good thing to do or not not iot but it is a general security principle um where password complexity is something that you should maintain right because that's that's one of the things that's in your hand to protect what you own and have so when it comes to you know creating a password for use of an application or a function like email Etc the more complex your password will be the theory is the greater your you know the greater the time that would be required to hack it and break it um there are some password managers that people recommend I've found personally you know and 1Password is a Canadian
company that's had a history of issues now of failings um there are password management functions you could look at that can do some of that for you and keep those passwords and you can then call them as needed there is also the ability if you if you think about the way that you could create a mnemonic that's personal to you um I'll just give you an example which is completely fake so please you know don't go after my Gmail account after this with it but if I say like hey I'm interested in diving um I like the Cayman and yesterday I dived Royal Palms Ledges or yeah Royal Palms ledge I could make a password out of
that using capital letters numbers and symbols such that would mean to me that on that date I dive this thing and I can use that as many characters essentially as I would like it would be very hard for someone to figure out and guess right so I I run a system like that where I just I have a series of passwords um all of which are unique and individual but all of them have some meaning to me and then it's it's a question of just keeping the grey matter functional to keep it together does that answer your question close enough we can talk some more after yeah please uh okay I have an Alexa at home
yes good which makes me very nervous when I'm chatting and I'm seeing the little light go off there and it makes me then even more apparent paranoid when I'm in the office you're in a place that's meant to be confidential but I've got a phone but my Siri is listening I've got a watch that's my Siri's listening how paranoid do we need to be so the answer is very paranoid absolutely like I would caution that you have to expect with Technologies like these that you're describing you have to expect that your information is exposed and I think that's a sound principle to start from right I mean I think everyone in the room has probably had the example with
their iPhone where they think oh that looks like a budgie and then tomorrow I'm you know fire up Instagram and suddenly there's budgie feed and I'm like what the hell I just mentioned that word once you know in passing and now I'm suddenly getting this information there's Legion examples of of how these things affect our lives not necessarily in a nefarious or a bad way but they potentially could be you know H how do you secure your office environment when everyone has one of these you have to have so again you have to have infrastructure in the office that understands every device every communication path and what is sanctioned and not you then take the
unsanctioned and you essentially just send them out the front door right everything within the infrastructure needs to be locked down so that those unsanctioned devices can't communicate internally right that's step one and as far as devices go if you want to have an experience with a device that's not going to listen to you and you know give you the budgie feed update tomorrow you'd have to look at either you know locking that down to the basically make it unfunctional or looking at something like the unplugged devices that are coming online now where they're they're specifically built so that there is no tracking cap no possibility of tracking in those devices but you limit your capability your function like your watch
is gone forget about that you know you have to then give up and understand what you're going to be sacrificing thank you that was good please okay so I I am a my entire home is smart every almost everything in my home is is smart except the dog um so so and and to your point where we go and we see stuff on Amazon that is cool and it has a function so I I bought I bought this little switch Smart Switch yeah to be able to reboot my Hubitat you know yeah in the event that it hangs and stuff and and so I set this thing up and and then I went to look at the features of it and
then then noticed that this thing is advertised in my public IP and I ripped it out um yeah I'm guilty of that yeah it's supposed to be IT security I should know better but um that being said the one thing that struck me is that over to the corporate side now we should be purchasing or our procurement policies should be driven and the standards well our standards for for iot devices should be driving our procurement policies for for getting them abut which means that which means that we shouldn't be bringing stuff into our corporate environment that we don't absolutely understand of course how they work yeah it seems obvious saying it here and after your presentation it's incredibly
difficult for people to get right because at the end of the day time and security are always in contention right and if it's going to take me time to secure the things properly inevitably someone from up top coming down saying hey just move it along get this thing get this thing going I'll give you an example there's a I can't name the company but there's a chip manufacturer that everybody in this room probably would remember from history but doesn't know currently that operates in the US I was lucky enough to have a conversation with their Architects last year and they described how they operate so in their environment not one single thing that anybody could
walk into that building can communicate out so everyone has a locker outside they come in they leave the there and every communication within that building is completely understood and locked down so not like if you if you took a device in there even if you could get a device in and you try to get it connected or you try to connect to anything else it is going to go nowhere but they've got 30 years of building that practice and that experience and having that hard you know theory of how they want to operate and and living it that's the exception most organizations are rife with problems that's why guys like RJ and James come in do analyses of you know different
infrastructures and there's problems all over the place because these are common issues for everybody please there's one at the back there and one in the middle yep we going to go the back first just one sec y am I the back yeah uh maybe you could speak from your experience um in regards to power utility companies yes the Cayman Islands is about to seriously ramp up its um layout of solar both for households and utility scale good now a lot of these uh houses that have had solar on them for maybe 20 years have been using um what I'll just call bespoke Management systems for the solar yeah um it's important that the regulator here and
the local power CU communicate with each other to to understand um if there's standards for these Management systems on houses and the the risk there is in regards to frequency control from the main utility because if you've got a street or if you've got a development with 100 houses on or 50 50 condos on and you're all using the same solar power systems with the same uh control modules say from China or something right and it gets attacked or it goes offline you can have a major pump or a major drop in the frequency levels or power requirements from C and they're going to have a real problem with that that that scenario is the one
that keeps a lot of people not only in critical infrastructure but in in federal government like in top level government awake at night because those the legions of the attackers that are referenced a lot of what their task is is to map out all those things get some sort of current you know some sort of footprint in there that they can maintain and have it ready for when they need it so is anybody further ahead are there any defined approaches yes looking at this I see entities that are ahead because they're hard structured on on how they secure their Technologies yeah but those again it's convenience it's operational you know demands from from the board and how
they want to how they want to operate it's time it goes into those but you could look at like the Canadian as an example not that I've had you know current referencing on them but I know for example the Canadian nuclear power infrastructures are amongst the foremost in the world in terms of their their infrastructure for security and how they're operating yeah so it it can be done uh it's hard and it's it needs ongoing to the point ongoing monitoring and and refinement but yeah thanks last one in the middle here it was just a question about um have you seen have you got a customer previously who was that much uh concern about privacy as uh the question that we
just got before about price did you say uh privacy oh privacy yes absolutely yeah so one of actually that's one of the reasons why we sometimes see a hard push on exceptions in in securing iot is where people's privacy comes into account right so example Canadian context um you know if if we have a if we have an if there's a medical iot device that'll record something on my behalf right so I walk around I have a heart problem I walk around for two weeks with a little monitor on me I take that in it records the data they dump the data down I don't have the ability to ask them that they clear the the machine
before the next person gets it but from the Canadian legal context what I do have is an expectation of the Privacy for the life of me the patient for that dump of data that they just recorded privacy is an absolutely great lever but it can go both ways right so it can be an exception or it can be an inclusion depending on how things are seen yeah thank you I'm over time thank you all so much welcome to have a conversation outside if you need