Course Code: iots
Duration: 21 hours
Prerequisites:
  • Basic knowledge of devices, electronic systems and data systems
  • Basic understanding of software and systems
  • Basic understanding of statistics (at Excel level)
  • Understanding of Telecommunication Verticals

Summary

  • An advanced training program covering the current state of the art in Internet of Things security
  • Covers all aspects of the security of firmware, middleware and IoT communication protocols
  • The course provides a 360-degree view of all kinds of security initiatives in the IoT domain for those who are not deeply familiar with IoT standards, evolution and future
  • A deeper probe into security vulnerabilities in firmware, wireless communication protocols and device-to-cloud communication
  • Cuts across multiple technology domains to develop awareness of security in IoT systems and their components
  • Live demo of some of the security aspects of gateways, sensors and IoT application clouds
  • The course also explains 30 principal risk considerations of current and proposed NIST standards for IoT security
  • OWASP model for IoT security
  • Provides detailed guidelines for drafting IoT security standards for an organization

Target Audience 

Engineers/managers/security experts who are assigned to develop IoT projects or audit/review security risks.

Overview:

Over the last three years, engineering in IoT has seen massive changes, primarily driven by Microsoft, Google and Amazon. These behemoths have invested billions of dollars to develop IoT platforms that are easier to manage and that secure some perimeters of data. IoT edge has also gained a lot of momentum in both research and deployment as the only means for practical IoT implementation. 5G is also promising to transform the business of IoT. This has led to an unprecedentedly large swath of new areas of research funding in IoT.

However, large-scale adoption of IoT is slow due to security concerns at various levels. The security of firmware and gateways is far from ideal. One of the major issues is disagreement among the large IoT vendors on the matter of security. Microsoft Azure and Amazon AWS have pushed forward with their own security standards, whereas NIST is putting forward a more comprehensive one. The OWASP model of 10 layers of IoT security had some impact but overall failed to gain much ground due to non-adoption by major IoT platforms like Azure or Google.

The second large area of concern is the security of firmware. Most firmware is still vulnerable to any patching, be it via OTA (over the air) or locally via a hardware port.

Course Objective

  1.  Give an introduction to all the technology stacks, data models and vulnerabilities of IoT
  2.  Draw the layers of vulnerability at each stack and between the stacks
  3.  Vulnerabilities from vendors and third-party devices
  4.  Learn about the NIST standard for IoT security

Course Outline:

Session 1 & 2: Basic and advanced concepts of IoT architecture from a security perspective

  • A brief history of evolution of IoT technologies
  • Data models in IoT systems – definition and architecture of sensors, actuators, devices, gateways and communication protocols
  • Third-party devices and risks associated with the vendor supply chain
  • Technology ecosystem – device providers, gateway providers, analytics providers, platform providers, system integrators – risks associated with all the providers
  • Edge-driven distributed IoT vs cloud-driven central IoT: advantage vs risk assessment
  • Management layers in IoT systems – fleet management, asset management, onboarding/deboarding of sensors, digital twins. Risk of authorizations in management layers
  • Demo of IoT management systems – AWS, Microsoft Azure and other fleet managers
  • Introduction to popular IoT communication protocols – Zigbee/NB-IoT/5G/LORA/Witespec – review of vulnerabilities in communication protocol layers
  • Understanding the entire Technology stack of IoT with a review of Risk management

Session 3: A check-list of all risks and security issues in IoT

  • Firmware patching – the soft belly of IoT
  • Detailed review of the security of IoT communication protocols – transport layers (NB-IoT, 4G, 5G, LORA, Zigbee etc.) and application layers (MQTT, WebSocket etc.)
  • Vulnerability of API endpoints – list of all possible APIs in IoT architecture
  • Vulnerability of gateway devices and services
  • Vulnerability of connected sensor to gateway communication
  • Vulnerability of gateway to server communication
  • Vulnerability of cloud database services in IoT
  • Vulnerability of application layers
  • Vulnerability of gateway management services – local and cloud-based
  • Risk of log management in edge and non-edge architecture

Session 4: OWASP Model of IoT security, Top 10 security risks

  • I1 Insecure Web Interface
  • I2 Insufficient Authentication/Authorization
  • I3 Insecure Network Services
  • I4 Lack of Transport Encryption
  • I5 Privacy Concerns
  • I6 Insecure Cloud Interface
  • I7 Insecure Mobile Interface
  • I8 Insufficient Security Configurability
  • I9 Insecure Software/Firmware
  • I10 Poor Physical Security

Session 5: Review and Demo of AWS-IoT and Azure IoT security principles

  • Microsoft Threat Model – STRIDE
  • Details of STRIDE Model
  • Securing device, gateway and server communication – asymmetric encryption
  • X.509 certification for Public key distribution
  • SAS Keys
  • Bulk OTA risks and techniques
  • API security for application portals
  • Deactivation and delinking of rogue device from the system
  • Vulnerability of AWS/Azure Security principles

Session 6: Review of evolving NIST standards/recommendation for IoT

  • Review of NISTIR 8228 standard for IoT security – 30-point risk consideration model
  • Third-party device integration and identification
  • Service identification & tracking
  • Hardware identification & tracking
  • Communication session identification
  • Management transaction identification and logging
  • Log management and tracking

Session 7: Securing Firmware/Device

  • Securing debugging mode in firmware
  • Physical security of hardware
  • Hardware cryptography – PUF (Physically Unclonable Function) – securing EPROM
  • Public PUF, PPUF
  • Nano PUF
  • Known classification of malware in firmware (18 families according to YARA rule)
  • Study of some of the popular firmware malware – MIRAI, BrickerBot, GoScanSSH, Hydra etc.

Session 8: Case Studies of IoT Attacks

  • On Oct. 21, 2016, a huge DDoS attack was deployed against Dyn DNS servers and shut down many web services including Twitter. Hackers exploited default passwords and user names of webcams and other IoT devices, and installed the Mirai botnet on compromised IoT devices. This attack will be studied in detail
  • IP cameras can be hacked through buffer overflow attacks
  • Philips Hue lightbulbs were hacked through their ZigBee link protocol
  • SQL injection attacks were effective against Belkin IoT devices
  • Cross-site scripting (XSS) attacks exploited the Belkin WeMo app to access data and resources that the app can access

Session 9: Securing Distributed IoT via Distributed Ledger – BlockChain and DAG (IOTA) [3 hours]

  • Distributed ledger technology – DAG Ledger, Hyperledger, BlockChain
  • PoW, PoS, Tangle – a comparison of the methods of consensus
  • Difference between Blockchain, DAG and Hyperledger – a comparison of their working vs performance vs decentralization
  • Real-time and offline performance of the different DLT systems
  • P2P network, private and public keys – basic concepts
  • How a ledger system is implemented in practice – review of some research architectures
  • IOTA and Tangle- DLT for IoT
  • Some practical application examples from smart city, smart machines, smart cars

Session 10: The best practice architecture for IoT security

  • Tracking and identifying all the services in Gateways
  • Never use MAC address – use package ID instead
  • Use an identification hierarchy for devices – board ID, device ID and package ID
  • Structure the firmware patching to perimeter and conforming to service ID
  • PUF for EPROM
  • Secure the risks of IoT management portals/applications with two layers of authentication
  • Secure all APIs – define API testing and API management
  • Identification and integration of the same security principles in the logistics supply chain
  • Minimize Patch vulnerability of IoT communication Protocols

Session 11: Drafting IoT security Policy for your organization

  • Define the lexicon of IoT security / Tensions
  • Suggest the best practice for authentication, identification, authorization
  • Identification and ranking of Critical Assets
  • Identification of perimeters and isolation for application
  • Policy for securing critical assets, critical information and privacy data  