Hardware, Software & the Internet of Things
June 23–25, 2015 • San Francisco, CA

IoT security cornerstones

Brian Witten (Symantec)
5:25pm–6:05pm Thursday, 06/25/2015
Location: Generals Residence
Slides:   1-PPTX 

Prerequisite Knowledge

We assume no prior knowledge. We'll explain the basics of cryptography and key management in terms that lay people can understand and the typical engineer can apply. We'll do the same when contrasting computing architectures, micro-controller speeds, and flash sizes. It will help to have at least "heard" of OpenSSL, but even that isn't required.


As the ever-growing billions of internet-connected devices shape our lives, through things like smart homes, connected cars, and the Industrial Internet, these devices and services need security. However, the security they must have is radically different from the security needed in traditional information technology. In contrast to traditional IT, IoT devices can’t have security “bolted on” after the device reaches a customer. Instead, IoT devices must have security built in from the start. Unfortunately, this is harder than it sounds, and not much guidance exists on how to do it right.

We’ll present four simple cornerstones of security for IoT. We’ll describe how each of these must be adapted to work, both practically AND effectively, in the often (very) challenging environments of IoT and the Industrial Internet. We’ll describe how these cornerstones mitigate an extremely wide range of threats. We’ll present performance data on how newer implementations of newer algorithms now make legitimate security possible even in seriously constrained environments, such as 8-bit, 8 MHz micro-controllers with only 30kb flash, and battery-constrained devices that depend on energy harvesting.

These cornerstones include:

  • Authentication and encryption for severely constrained devices in IoT
  • Secure boot and code-signing for limited-resource devices in IoT
  • Runtime security for severely constrained and intermittently connected devices in IoT
  • Building in safe and secure management, including update mechanisms, in severely constrained environments, and a monitoring framework for analyzing advanced threats and emergent risks.

Brian Witten


Brian Witten is senior director of engineering at Symantec. Brian leads strategy for high-growth areas. Over the past few years, Brian has led engineering on Android, Symantec Endpoint Protection (SEP.cloud), and reputation-based security for enterprise, as well as encryption and identity technologies. Prior to that, Brian created Symantec Government Research Labs and Symantec Research Labs Europe, as well as several new technologies now used in Symantec’s enterprise and Norton consumer offerings. An experienced information security expert, Brian has worked closely with leading universities, government organizations, and industry partners in information security for 19 years. Prior to joining Symantec, Witten worked at the Defense Advanced Research Projects Agency (DARPA), the U.S. military’s central research and development organization charged with sponsoring revolutionary, high-payoff research, where he managed an R&D investment portfolio of more than $150 million in U.S. and international efforts.