Practical Internet of Things Security - Second Edition

Book Description

A practical, indispensable security guide that will navigate you through the complex realm of securely building and deploying systems in our IoT-connected world

Key Features

  • Learn best practices to secure your data from the device to the cloud
  • Use systems security engineering and privacy-by-design principles to design a secure IoT ecosystem
  • A practical guide that will help you design and implement cyber security strategies for your organization

Book Description

With the advent of the Internet of Things (IoT), businesses have to defend against new types of threats. The business ecosystem now includes cloud computing infrastructure and mobile and fixed endpoints, all of which open up new attack surfaces. It is therefore critical to keep cybersecurity threats to a minimum when implementing new IoT services and solutions.

This book shows you how to implement cybersecurity solutions, IoT design best practices, and risk mitigation methodologies to address device and infrastructure threats to IoT solutions.

In this second edition, you will go through some typical and unique vulnerabilities seen within various layers of the IoT technology stack and also learn new ways in which IT and physical threats interact. You will then explore the different engineering approaches a developer/manufacturer might take to securely design and deploy IoT devices. Furthermore, you will securely develop your own custom additions for an enterprise IoT implementation. You will also be given actionable guidance on setting up a cryptographic infrastructure for your IoT implementations. You will then be guided through the selection and configuration of Identity and Access Management solutions for an IoT implementation. Finally, you will explore cloud security architectures and security best practices for operating and managing cross-organizational, multi-domain IoT deployments.

What you will learn

  • Discuss the need for separate security requirements and apply security engineering principles on IoT devices
  • Master the operational aspects of planning, deploying, managing, monitoring, and detecting the remediation and disposal of IoT systems
  • Use Blockchain solutions for IoT authenticity and integrity
  • Explore additional privacy features emerging in the IoT industry, such as anonymity, tracking issues, and countermeasures
  • Design a fog computing architecture to support IoT edge analytics
  • Detect and respond to IoT security incidents and compromises

Who this book is for

This book targets IT Security Professionals and Security Engineers (including pentesters, security architects and ethical hackers) who would like to ensure the security of their organization's data when connected through the IoT. Business analysts and managers will also find this book useful.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Practical Internet of Things Security Second Edition
  3. Dedication
  4. About Packt
    1. Why subscribe?
    2. Packt.com
  5. Contributors
    1. About the authors
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. A Brave New World
    1. Defining the IoT
      1. Defining cyber-physical systems
    2. Cybersecurity versus IoT security
    3. The IoT of today
      1. An IoT-enabled energy grid
      2. Modernizing the transportation ecosystem
      3. Smart manufacturing
      4. Smart cities spread across the globe
      5. The importance of cross-industry collaboration
    4. The IoT ecosystem
      1. Physical devices and controllers
        1. The hardware
        2. Real-time operating systems
        3. Gateways
        4. IoT integration platforms and solutions
      2. Connectivity
        1. Transport protocols
        2. Network protocols
        3. Data link and physical protocols
          1. IEEE 802.15.4
        4. ZWave
        5. Bluetooth low energy
        6. Cellular communications
      3. Messaging protocols
        1. MQTT
        2. CoAP
        3. XMPP
        4. DDS
        5. AMQP
      4. Data accumulation
      5. Data abstraction
      6. Applications
      7. Collaboration and processing
    5. The IoT of tomorrow
      1. Autonomous systems
      2. Cognitive systems
    6. Summary
  8. Vulnerabilities, Attacks, and Countermeasures
    1. Primer on threats, vulnerability, and risks 
      1. The classic pillars of information assurance
      2. Threats
      3. Vulnerability
      4. Risks
    2. Primer on attacks and countermeasures
      1. Common IoT attack types
      2. Attack trees
        1. Building an attack tree
      3. Fault (failure) trees and CPS
        1. Fault tree and attack tree differences
        2. Merging fault and attack tree analysis
      4. Example anatomy of a deadly cyber-physical attack
    3. Today's IoT attacks
      1. Attacks
        1. Authentication attacks
        2. Distributed Denial of Service (DDoS)
        3. Application security attacks
        4. Wireless reconnaissance and mapping
        5. Security protocol attacks
        6. Physical security attacks
    4. Lessons learned and systematic approaches
      1. Threat modeling an IoT system
        1. Step 1 – identify the assets
        2. Step 2 – create a system/architecture overview
        3. Step 3 – decompose the IoT system
        4. Step 4 – identify threats
        5. Step 5 – document the threats
        6. Step 6 – rate the threats
    5. Summary
  9. Approaches to Secure Development
    1. The Secure Development Life Cycle (SDLC)
      1. Waterfall
        1. Requirements
        2. Design
        3. Implementation
        4. Verification
      2. Spiral
      3. Agile
        1. Security engineering in Agile
      4. DevOps
    2. Handling non-functional requirements 
      1. Security
        1. Threat modeling
        2. Other sources for security requirements
      2. Safety
        1. Hazard analysis
          1. Hazard and operability studies (HAZOPs)
          2. Fault-tree analysis
          3. Failure modes and effects analysis (FMEA)
      3. Resilience
    3. The need for software transparency
      1. Automated security analysis
      2. Engaging with the research community
    4. Summary
  10. Secure Design of IoT Devices
    1. The challenge of secure IoT development
      1. Speed to market matters
      2. Internet-connected devices face a deluge of attacks
      3. The IoT introduces new threats to user privacy
      4. IoT products and systems can be physically compromised
      5. Skilled security engineers are hard to find (and retain)
    2. Secure design goals
      1. Design IoT systems that mitigate automated attack risks
      2. Design IoT systems with secure points of integration
      3. Designing IoT systems to protect confidentiality and integrity
        1. Applying cryptography to secure data at rest and in motion
        2. Enabling visibility into the data life cycle and protecting data from manipulation 
        3. Implementing secure OTA
      4. Design IoT systems that are safe
      5. Design IoT systems using hardware protection measures
        1. Introduce secure hardware components within your IoT system
        2. Incorporate anti-tamper mechanisms that report and/or react to attempted physical compromise
      6. Design IoT systems that remain available
        1. Cloud availability
        2. Guarding against unplanned equipment failure 
        3. Load balancing 
      7. Design IoT systems that are resilient
        1. Protecting against jamming attacks
        2. Device redundancy 
        3. Gateway caching
        4. Digital configurations
        5. Gateway clustering
        6. Rate limiting
        7. Congestion control
        8. Provide flexible policy and security management features to administrators 
        9. Provide logging mechanisms and feed integrity-protected logs to the cloud for safe storage
      8. Design IoT systems that are compliant 
        1. The US IoT Cybersecurity Improvement Act (draft)
        2. ENISA's baseline security recommendations
        3. DHS guiding principles for secure IoT
        4. FDA guidance on IoT medical devices
    3. Summary
  11. Operational Security Life Cycle
    1. Defining your security policies
    2. Defining system roles 
    3. Configuring gateway and network security
      1. Securing WSN 
        1. Establishing good key management practices for WSNs
        2. Establishing physical protections 
      2. Ports, protocols, and services
      3. Gateways 
      4. Network services
      5. Network segmentation and network access controls
    4. Bootstrapping and securely configuring devices
      1. Configuring device security 
    5. Setting up threat intelligence and vulnerability tracking
      1. Vulnerability tracking
      2. Threat intelligence
      3. Honeypots
    6. Managing assets 
    7. Managing keys and certificates
      1. Handling misbehavior
    8. Managing accounts, passwords, and authorizations
    9. Managing firmware and patching updates
    10. Monitoring your system
      1. RF monitoring
    11. Training system stakeholders
      1. Security awareness training for employees
      2. Security administration training for the IoT
    12. Performing penetration testing
      1. Red and blue teams
        1. Evaluating hardware security
        2. The airwaves
        3. IoT penetration test tools
    13. Managing compliance
      1. HIPAA
      2. GDPR
      3. Monitoring for compliance
    14. Managing incidents
      1. Performing forensics
    15. Performing end-of-life maintenance
      1. Secure device disposal and zeroization
      2. Data purging
      3. Inventory control
        1. Data archiving and managing records
    16. Summary
  12. Cryptographic Fundamentals for IoT Security Engineering
    1. Cryptography and its role in securing the IoT
      1. Types and uses of cryptographic primitives in the IoT
      2. Encryption and decryption
        1. Symmetric encryption
          1. Block chaining modes
          2. Counter modes
        2. Asymmetric encryption
      3. Hashes
      4. Digital signatures
        1. Symmetric (MACs)
      5. Random number generation
      6. Ciphersuites
    2. Cryptographic module principles
    3. Cryptographic key management fundamentals
      1. Key generation
      2. Key establishment
      3. Key derivation
      4. Key storage
      5. Key escrow
      6. Key lifetime
      7. Key zeroization
      8. Accounting and management
      9. Summary of key management recommendations
    4. Examining cryptographic controls for IoT protocols
      1. Cryptographic controls built into IoT communication protocols
        1. ZigBee
        2. Bluetooth-LE
        3. Near Field Communication (NFC)
      2. Cryptographic controls built into IoT messaging protocols
        1. MQTT
        2. CoAP
        3. DDS
        4. REST
    5. Future-proofing IoT cryptography
      1. Crypto agility
      2. Post quantum cryptography
    6. Summary
  13. Identity and Access Management Solutions for the IoT
    1. An introduction to IAM for the IoT
    2. The identity life cycle
      1. Establish naming conventions and uniqueness requirements
        1. Naming a device
      2. Secure bootstrap
      3. Credential and attribute provisioning
        1. Local access
      4. Account monitoring and control
      5. Account updates
      6. Account suspension
      7. Account/credential deactivation/deletion
    3. Authentication credentials
      1. Passwords
      2. Symmetric keys
      3. Certificates
        1. X.509
        2. IEEE 1609.2
      4. Biometrics
      5. Authorization for the IoT
    4. IoT IAM infrastructure
      1. 802.1x
      2. PKI for the IoT
        1. PKI primer
        2. Trust stores
        3. PKI architecture for privacy
        4. Revocation support
          1. OCSP
          2. OCSP stapling
          3. SSL pinning
    5. Authorization and access control
      1. OAuth 2.0
      2. Authorization and access controls within publish/subscribe protocols
      3. Access controls within communication protocols
      4. Decentralized trust via blockchain ledgers
    6. Summary
  14. Mitigating IoT Privacy Concerns
    1. Privacy challenges introduced by the IoT
      1. A complex sharing environment
        1. Wearables
        2. Smart homes
      2. Metadata can leak private information
      3. New privacy approaches for credentials
      4. Privacy impacting on IoT security systems
      5. New methods of surveillance
    2. Guide to performing an IoT PIA
      1. Overview
      2. Authorities
      3. Characterizing collected information
      4. Uses of collected information
      5. Security
      6. Notice
      7. Data retention
      8. Information sharing
      9. Redress
      10. Auditing and accountability
    3. Privacy by design
    4. Privacy engineering recommendations
      1. Privacy throughout the organization
      2. Privacy-engineering professionals
      3. Privacy-engineering activities
      4. Understanding the privacy landscape
    5. Summary
  15. Setting Up an IoT Compliance Monitoring Program
    1. IoT compliance
      1. Implementing IoT systems in a compliant manner
      2. An IoT compliance program
        1. Executive oversight
        2. Policies, procedures, and documentation
        3. Training and education
          1. Skills assessments
          2. Cybersecurity tools
          3. Data security
          4. Defense in depth
          5. Privacy
          6. The IoT, networks, and the cloud
          7. Threats/attacks
          8. Certifications
        4. Testing
        5. Internal compliance monitoring
          1. Install/update sensors
          2. Automated search for flaws
          3. Collect results
          4. Triage
          5. Bug fixes
          6. Reporting
          7. System design updates
        6. Periodic risk assessments
          1. Black box testing
          2. White box assessments
          3. Fuzz testing
    2. A complex compliance environment
      1. Challenges associated with IoT compliance
      2. Examining existing compliance standards, support for the IoT
        1. Underwriters Laboratory IoT certification
        2. NERC CIP
        3. HIPAA/HITECH
        4. PCI DSS
        5. The NIST Risk Management Framework (RMF)
    3. Summary
  16. Cloud Security for the IoT
    1. The role of the cloud in IoT systems 
      1. A notional cloud security approach 
      2. Moving back toward the edge
    2. The concept of the fog
    3. Threats to cloud IoT services
    4. Cloud-based security services for the IoT
      1. Device onboarding
        1. Hardware-to-cloud security
        2. Identity registries
          1. Naming your devices
        3. Onboarding a device into AWS IoT
      2. Key and certificate management
        1. Third-party solutions
      3. Policy management 
        1. Group management
        2. Permissions
      4. Persistent configuration management
      5. Gateway security 
        1. Authentication to the gateway
      6. Device management
      7. Compliance monitoring
      8. Security monitoring
    5. Summary
  17. IoT Incident Response and Forensic Analysis
    1. Threats to both safety and security
    2. Defining, planning, and executing an IoT incident response
      1. Incident response planning
        1. IoT system categorization
        2. IoT incident response procedures
      2. The cloud provider's role
      3. IoT incident response team composition
      4. Communication planning
      5. Operationalizing an IRP in your organization
    3. Detection and analysis
      1. Analyzing the compromised system
      2. Analyzing the IoT devices involved
      3. Escalation and monitoring
      4. Containment, eradication, and recovery
      5. Post-incident activities (recovery)
    4. IoT forensics
      1. Post-incident device forensics
      2. New data sources for crime solving
        1. Smart electrical meters and water meters
        2. Wearables
        3. Home security cameras
        4. Home assistants
    5. Summary
  18. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think