9/27/2017

SECURING THE INTERNET OF THINGS

(IOT) WITH BLOCKCHAIN AND OTHER
MEASURES
Allison Clift-Jennings
CEO, Filament
Evan Glover
Chief Software and Services Counsel, NCR Corporation
Amanda M. Witt
Partner, Kilpatrick Townsend & Stockton LLP

1
 9/27/2017

ROADMAP
• The Risk Landscape
• Securing IoT Today
• What is Blockchain?
• Securing IoT with Blockchain
• Blockchain in Practice - Filament

INTERNET OF THINGS – WHO’S WATCHING?

• Industry experts predict that the number of

connected devices for the Internet of Things (Iot)
will reach over 20.4 billion by 2020.
• In March 2017, the maker of an internet-enabled
vibrator that can be controlled remotely by an
app agreed to pay $3.75 million to
settle a suit alleging it had secretly
collected intimate information from
users, such as when and on what
settings the device was used.

2
 9/27/2017

WHEN DDOS ATTACKS!

• Existing IoT single point of failure infrastructure
makes it vulnerable to attack.
• In Denial of Service (DoS/DDOS) attacks, servers
are targeted and brought down by being flooded
with traffic from compromised devices.
• In October 2016, the Dyn attack (a DDOS attack)
took down a number of major websites through
weakly protected IoT devices,
including webcams and DVRs.

THE ANATOMY OF THE DYN ATTACK

• Dyn is a DNS company that supports websites like Twitter,
Amazon, Netflix…
• A malware strain, Mirai, searches for IoT devices protected
by factory-default usernames and passwords.
• In the attack on Dyn, Mirai-based botnet enlisted IoT devices
in attacks that sent an excess amount of traffic at various
websites until they could no longer accommodate legitimate
visitors or users.
• The Dyn attack was built on the backs of hacked IoT devices
(primarily compromised digital video recorders (DVRs)
and IP cameras made by a Chinese company).

3
 9/27/2017

FTC’S TOP 6 TIPS FOR IOT SECURITY

1. Security by Design: Build security into devices at the outset, rather than as an
afterthought in the design process.
2. Training: Train employees about the importance of security, and ensure that
security is managed at an appropriate level in the organization.
3. Vendor Management: Ensure that outside service providers are capable of
maintaining reasonable security, and provide reasonable oversight of such
providers.
4. Defense-in-Depth: When a security risk is identified, consider a “defense-in-
depth” strategy whereby multiple layers of security may be used to defend
against a particular risk.
5. Access Control: consider measures to keep unauthorized users
from accessing a consumer’s device, data, or personal information stored on the
network.
6. Life Cycle Security: monitor connected devices throughout their expected
life cycle, and where feasible, provide security patches to cover known
risks.

FEDERAL IOT LEGISLATION ON THE WAY?

• As of August 2017, a bipartisan group of U.S. senators
planned to introduce a new bill that would require vendors
that provide Internet-connected devices to the U.S.
government to ensure that their products are patchable and
conform to industry security standards.
• The proposed law would also prohibit vendors from supplying
devices that have unchangeable passwords or possess known
security vulnerabilities.
• It would also expand legal protections for cyber researchers
working in "good faith" to hack devices.

4
 9/27/2017

SECURITY BY DESIGN
• Important to incorporate security into all
phases of IoT product design and
deployment.
• Require manufacturers to address all
known vulnerabilities.
• Over-the-air security updates are critical.

CAN BLOCKCHAIN SECURE THE IOT?

• Blockchain can be used to enable IoT ecosystems to break
from the traditional broker-based networking paradigm,
where devices rely on a central cloud server to identify and
authenticate individual devices.
• The current infrastructure will have significant challenges
with billions of connected devices – computational costs will
increase significantly.
• Blockchain will also enable data monetization, where owners
of IoT devices and sensors can share the generated IoT
data in exchange for real-time micropayments.

5
 9/27/2017

IS BLOCKCHAIN THE MISSING LINK?

• Relying on the immutable record of entries created by
blockchain, an environment of connected IoT devices can be
secured can use blockchain to reliably organize, share and
store streams of data.
• Logistics companies can use blockchain’s smart contracts to
identify changes in temperature, location, and other
shipment attributes.
• Blockchain’s encrypted and distributed ledger system creates
a safer environment for keeping data unharmed by malicious
third parties – as there is no single point of
failure.

WHAT IS BLOCKCHAIN?
• Blockchain is a decentralized ledger.
• There is a peer-to-peer Internet-connected common
network of nodes.
• The nodes operate under common rules (protocol).
• For a transaction to be included in the blockchain,
the network must reach consensus on the compliance
of such transaction with the applicable protocol.
• Nodes are responsible for validating transactions
and helping to maintain consensus.

6
 9/27/2017

BLOCKCHAIN IN PICTURES

WHAT THE HECK IS MINING?

• “Miners” are members of the network who are
responsible for creating new blocks that are added to
the blockchain.
• Mining transactions requires that the operator of the
mining node expend resources in terms of computing
power and electricity.
• In order to ensure a robust network of mining nodes, blockchain
protocols provide incentives to miners by issuing them newly issued
cryptocurrency (e.g., BTC) if they successfully mine a block (i.e., a
collection of transactions together with certain additional
information, such as the hash of the previous block).
• The most commonly used incentive/mining structure is
known as “proof-of-work.”

7
 9/27/2017

BLOCKCHAIN CHALLENGES
• In August 2017, a hacker pulled off the 2nd largest digital currency
heist ever and stole $31 million worth of Ether in minutes.
• The hack was made possible by exploiting a vulnerability in the
default smart contract code that the Parity client gives the user
for deploying multi-signature wallets.
• The attacker essentially reinitialized the contract by delegating
through the library method, overwriting the owners on the original
contract.
• Due to nature of blockchain, the hack cannot be
reversed.

BLOCKCHAIN & SMART CONTRACTS

• Using smart contracts, Modum is a logistics company
that can verify data before shipment occurs.
• Its system of smart contracts will automatically update
the distributed ledger when transfers are made in
accordance with predetermined requirements.
• Ethereum smart contracts serve as an automated
compliance auditor by providing trustless evaluation of
the data collected by sensors and determining if
regulatory requirements were satisfied.

8
 9/27/2017

Blockchain in Practice:
F I LAM E N T

CONNECTING THE UNCONNECTED

Filament is working to connect the 70% of

industrial infrastructure that’s still offline

9
 9/27/2017

FILAMENT SERVES A CRITICAL NEED IN

THE IoT ECOSYSTEM
PROBLEM

OPPORTUNITY

SOLUTION

USE CASES

TEAM

APPENDIX

PROBLEM
Filament’s team
OPPORTUNITY
was able to
SOLUTION
retrofit this drill
USE CASES in less than one
TEAM week.
APPENDIX

10
 9/27/2017

APPENDIX

PRODUCT
DETAILS
• As a digital representation of the
device for identity and discovery
PIPELINE DETAILS

BLOCKCHAIN
Filament • For immutable “proof-of-
USAGE leverages the payment” record (receipt)

SECURITY
Blockchain in a • When applicable, for the payment
DECENTRALIZED
ADVANTAGE few specific ways directly between devices or
directly between humans and
RADIO DETAIL devices

INDUSTRIAL
CHALLENGES

Filament’s platform provides

APPENDIX
hardened security on two levels
PRODUCT
DETAILS

PIPELINE DETAILS • At the Hardware level (Security for data at rest)

BLOCKCHAIN
• Secure private and public key storage on dedicated
USAGE
hardware secure element
SECURITY
• encrypted firmware updates, signed by Filament
DECENTRALIZED
ADVANTAGE • At the Network level (Security for data in transit)

RADIO DETAIL • Secure end-to-end encryption required, not optional

INDUSTRIAL • Perfect forward secrecy for protection against possible

CHALLENGES future key compromise

• No leaking of metadata

11
 9/27/2017

APPENDIX

PRODUCT
We believe • Central servers are a bottleneck
DETAILS there’s to free markets
PIPELINE DETAILS fundamentally
• In centralized systems, privacy
BLOCKCHAIN more value in a concerns slow down adoption
USAGE
decentralized
SECURITY
internet of things • Devices must be able to
operate independently of their
DECENTRALIZED
ADVANTAGE
than in a siloed manufacturers
one.*
RADIO DETAIL
• The cloud is not available in
INDUSTRIAL many circumstances
*Source: Declaration of Device
CHALLENGES
Independence

Filament networks don’t

require cloud connectivity;
Private Wireless they create ad-hoc networks
APPENDIX
Connectivity over long-range radio (LoRa).
PRODUCT 10 miles
DETAILS
RANGE (16 km)

PIPELINE DETAILS

BLOCKCHAIN
USAGE
BLE for short-range
device connections Bluetooth WiFi Filament
SECURITY
5,000
DECENTRALIZED devices
DENSITY
ADVANTAGE

RADIO DETAIL
Sub-GHz for long-range
connections and difficult
INDUSTRIAL environments
CHALLENGES
Bluetooth WiFi Filament

12
 9/27/2017

QUESTIONS?

CONTACT US
Allison Clift-Jennings, CEO, Filament
allison@filament.com
@amcjen
Evan Glover, Chief Software and Services Counsel, NCR
Corporation
Amanda Witt, Partner, Kilpatrick Townsend & Stockton LLP
awitt@kilpatricktownsend.com
@AMWitt

13
 9/27/2017

HOW DID THINGS GO?

(WE REALLY WANT TO KNOW)
Did you enjoy this session? Is there any way we could make it better?
Let us know by filling out a speaker evaluation.

• Start by opening the IAPP Events App

• Select this session and tap “Rate the Session”

• Once you’ve answered all three questions, tap “Done” and you’re
all set

• Thank you!

14