book

Practical Internet of Things Security

by Brian Russell, Drew Van Duren

June 2016

Intermediate to advanced

336 pages

9h 15m

English

Packt Publishing

Read now

Unlock full access

eBooks, discount offers, and moreWhy subscribe?
What this book covers

ErrataPiracyQuestions
Defining the IoTCybersecurity versus IoT security and cyber-physical systems
Energy industry and smart gridConnected vehicles and transportationManufacturingWearablesImplantables and medical devices
The things in the IoTThe IoT device lifecycleIoT device implementationIoT service implementationIoT device and service deploymentThe hardwareOperating systemsIoT communicationsMessaging protocolsMQTTCoAPXMPPDDSAMQPGatewaysTransport protocolsNetwork protocolsData link and physical protocolsIEEE 802.15.4ZWavePower Line CommunicationsCellular communicationsIoT data collection, storage, and analyticsIoT integration platforms and solutions
The future – cognitive systems and the IoT
Primer on threats, vulnerability, and risks (TVR)The classic pillars of information assuranceThreatsVulnerabilityRisks
Common IoT attack typesAttack treesBuilding an attack treeFault (failure) trees and CPSFault tree and attack tree differencesMerging fault and attack tree analysisExample anatomy of a deadly cyber-physical attack
AttacksWireless reconnaissance and mappingSecurity protocol attacksPhysical security attacksApplication security attacks
Threat modeling an IoT systemStep 1 – identify the assetsStep 2 – create a system/architecture overviewStep 3 – decompose the IoT systemStep 4 – identify threatsStep 5 – document the threatsStep 6 – rate the threats
Building security in to design and developmentSecurity in agile developmentsFocusing on the IoT device in operation
Safety and security designThreat modelingPrivacy impact assessmentSafety impact assessmentComplianceMonitoring for complianceSecurity system integrationAccounts and credentialsPatching and updatesAudit and monitoringProcesses and agreementsSecure acquisition processSecure update processEstablish SLAsEstablish privacy agreementsConsider new liabilities and guard against risk exposureEstablish an IoT physical security planTechnology selection – security products and servicesIoT device hardwareSelecting an MCUSelecting a real-time operating system (RTOS)IoT relationship platformsXivelyThingWorxCryptographic security APIsAuthentication/authorizationEdgeSecurity monitoring
The secure IoT system implementation lifecycleImplementation and integrationIoT security CONOPS documentNetwork and security integrationExamining network and security integration for WSNsExamining network and security integration for connected carsPlanning for updates to existing network and security infrastructuresPlanning for provisioning mechanismsIntegrating with security systemsIoT and data busesSystem security verification and validation (V&V)Security trainingSecurity awareness training for usersSecurity administration training for the IoTSecure configurationsIoT device configurationsSecure gateway and network configurationsOperations and maintenanceManaging identities, roles, and attributesIdentity relationship management and contextAttribute-based access controlRole-based access controlConsider third-party data requirementsManage keys and certificatesSecurity monitoringPenetration testingRed and blue teamsEvaluating hardware securityThe airwavesIoT penetration test toolsCompliance monitoringAsset and configuration managementIncident managementForensicsDisposeSecure device disposal and zeroizationData purgingInventory controlData archiving and records management
Cryptography and its role in securing the IoTTypes and uses of cryptographic primitives in the IoTEncryption and decryptionSymmetric encryptionBlock chaining modesCounter modesAsymmetric encryptionHashesDigital signaturesSymmetric (MACs)Random number generationCiphersuites
Key generationKey establishmentKey derivationKey storageKey escrowKey lifetimeKey zeroizationAccounting and managementSummary of key management recommendations
Cryptographic controls built into IoT communication protocolsZigBeeBluetooth-LENear field communication (NFC)Cryptographic controls built into IoT messaging protocolsMQTTCoAPDDSREST
An introduction to identity and access management for the IoT
Establish naming conventions and uniqueness requirementsNaming a deviceSecure bootstrapCredential and attribute provisioningLocal accessAccount monitoring and controlAccount updatesAccount suspensionAccount/credential deactivation/deletion
PasswordsSymmetric keysCertificatesX.509IEEE 1609.2BiometricsNew work in authorization for the IoT
802.1xPKI for the IoTPKI primerTrust storesPKI architecture for privacyRevocation supportOCSPOCSP staplingSSL pinning
OAuth 2.0Authorization and access controls within publish/subscribe protocolsAccess controls within communication protocols
Privacy challenges introduced by the IoTA complex sharing environmentWearablesSmart homesMetadata can leak private information alsoNew privacy approaches for credentialsPrivacy impacts on IoT security systemsNew methods of surveillance
OverviewAuthoritiesCharacterizing collected informationUses of collected informationSecurityNoticeData retentionInformation sharingRedressAuditing and accountability
Privacy embedded into designPositive-sum, not zero-sumEnd-to-end securityVisibility and transparencyRespect for user privacy
Privacy throughout the organizationPrivacy engineering professionalsPrivacy engineering activities
IoT complianceImplementing IoT systems in a compliant mannerAn IoT compliance programExecutive oversightPolicies, procedures, and documentationTraining and educationSkills assessmentsCyber security toolsData securityDefense-in-depthPrivacyThe IoT, network, and cloudThreats/attacksCertificationsTestingInternal compliance monitoringInstall/update sensorsAutomated search for flawsCollect resultsTriageBug fixesReportingSystem design updatesPeriodic risk assessmentsBlack boxWhite box assessmentsFuzz testing
Challenges associated with IoT complianceExamining existing compliance standards support for the IoTUnderwriters Laboratory IoT certificationNIST CPS effortsNERC CIPHIPAA/HITECHPCI DSSNIST Risk Management Framework (RMF)
Cloud services and the IoTAsset/inventory managementService provisioning, billing, and entitlement managementReal-time monitoringSensor coordinationCustomer intelligence and marketingInformation sharingMessage transport/broadcastExamining IoT threats from a cloud perspective
AWS IoTMicrosoft Azure IoT suiteCisco Fog ComputingIBM Watson IoT platformMQTT and REST interfaces
Authentication (and authorization)Amazon AWS IAMAzure authenticationSoftware/firmware updatesEnd-to-end security recommendationsMaintain data integritySecure bootstrap and enrollment of IoT devicesSecurity monitoring
IoT-enablers of the cloudSoftware defined networking (SDN)Data servicesContainer support for secure development environmentsContainers for deployment supportMicroservicesThe move to 5G connectivityCloud-enabled directionsOn-demand computing and the IoT (dynamic compute resources)New distributed trust models for the cloudCognitive IoT
Threats both to safety and security
Incident response planningIoT system categorizationIoT incident response proceduresThe cloud provider's roleIoT incident response team compositionCommunication planningExercises and operationalizing an IRP in your organizationDetection and analysisAnalyzing the compromised systemAnalyzing the IoT devices involvedEscalate and monitorContainment, eradication, and recoveryPost-incident activities

Content preview from Practical Internet of Things Security

Authentication credentials

IoT messaging protocols often support the ability to use different types of credentials for authentication with external services and other IoT devices. This section examines the typical options available for these functions.

Passwords

Some protocols, such as MQTT, only provide the ability to use a username/password combination for native-protocol authentication purposes. Within MQTT, the CONNECT message includes the fields for passing this information to an MQTT Broker. In the MQTT Version 3.1.1 specification defined by OASIS, you can see these fields within the CONNECT message (reference: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html):

Note

Note that there are no protections applied to support the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Practical Internet of Things Security - Second Edition

Publisher Resources