Fundamental Best Practices in Secure IoT Product Development: Notes and Recap

We started with a discussion of the Food and Drug Administration recall of 465,000 pacemakers, which attackers can gain unauthorized access to in order to issue commands, change settings and maliciously disrupt the devices.

One of the vulnerabilities allowed an attacker to significantly reduce the battery life of a pacemaker. “The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life”. Notice the parallel to the traditional cyber, traffic-based denial-of-service attack. In the cyber realm, the primary concern from the flood is the amount of traffic limiting access for legitimate visitors. In the IoT realm, the primary concern from the flood is the battery impact for the user.
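The missing control in that quote is a limit on how often a valid wake-up may cost the device energy. The sketch below is an added example, not code from the recalled devices or from the talk: a token bucket that serves a small burst of wake-ups and then at most one per refill period. The struct, the function names and the numbers (burst of 3, one wake-up per 10 minutes, the "clinic" traffic pattern) are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Token bucket that caps how often an RF wake-up may power the radio.
 * Names and numbers are constructed for illustration. */
struct wake_limiter {
    uint32_t capacity;      /* most wake-ups that can be banked (burst size) */
    uint32_t refill_s;      /* seconds to earn one wake-up back (nonzero) */
    uint32_t tokens;        /* wake-ups currently available */
    uint32_t last_refill_s; /* clock value when credit was last settled */
};

/* Returns 1 if this wake-up may be served, 0 if it must be ignored. */
int wake_limiter_allow(struct wake_limiter *l, uint32_t now_s)
{
    /* Unsigned subtraction stays correct when the seconds counter wraps. */
    uint32_t earned = (now_s - l->last_refill_s) / l->refill_s;
    uint32_t room = l->capacity - l->tokens;
    if (earned >= room) {   /* bucket full: bank no extra credit */
        l->tokens = l->capacity;
        l->last_refill_s = now_s;
    } else {
        l->tokens += earned;
        l->last_refill_s += earned * l->refill_s; /* keep partial progress */
    }
    if (l->tokens == 0)
        return 0;
    l->tokens--;
    return 1;
}

/* Wake-ups served when n valid commands arrive gap_s seconds apart. */
uint32_t served_wakeups(uint32_t cap, uint32_t refill_s, uint32_t n, uint32_t gap_s)
{
    struct wake_limiter l = { cap, refill_s, cap, 0 };
    uint32_t served = 0;
    for (uint32_t i = 0; i < n; i++)
        served += (uint32_t)wake_limiter_allow(&l, i * gap_s);
    return served;
}

int main(void)
{
    printf("flood, 1 cmd/s for 1 h: %u served\n", (unsigned)served_wakeups(3, 600, 3600, 1));
    printf("clinic, 1 cmd/15 min:   %u served\n", (unsigned)served_wakeups(3, 600, 10, 900));
    return 0;
}
```

With these constructed numbers, an hour-long flood of correctly formatted commands costs the battery a bounded handful of wake-ups, while widely spaced legitimate commands are all served.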

We also heard briefly about proposed legislation involving baseline security requirements for IoT products.

Next we heard from Mark Szewczul, CISSP, an IoT Security Architect at Zimperium and technical contributor to the Cloud Security Alliance’s Future-Proofing the Connected World. He took us on a whirlwind tour of best practices in secure IoT development. His ~forty slides are available here (PDF).

The core of the presentation focused on 13 areas of focus in secure IoT development. For example:
6. Protect Data – Security Considerations for Selecting IoT Communication Protocols:
• Wired & wireless scanning & mapping attacks
• Protocol attacks
• Eavesdropping attacks (loss of confidentiality)
• Cryptographic algorithm and key management attacks
• Spoofing and masquerading (authentication attacks)
• Denial of Service and jamming

A good starting point for IoT security principles, testing, and mitigation is at the OWASP Internet of Things (IoT) Project.

Miscellaneous
Light interview on security/resiliency in the power grid (MP3, starts at 20:39)
White paper on the “Blueborne” Bluetooth vulnerability (PDF, detailed, lengthy)