This course covers the current state of the art in security of the Internet of Things, including all aspects of security of firmware, middleware and IoT communication protocols. It also provides a 360-degree view of all kinds of security initiatives in the IoT domain for those who are not deeply familiar with IoT standards, evolution and future. The course also explains the 30 principal risk considerations of current and proposed NIST standards for IoT security and the OWASP model for IoT security.
It provides detailed guidelines for drafting IoT security standards for an organization.
- Give an introduction to all the technology stacks, data models and vulnerabilities of IoT
- Drawing the layers of vulnerability at each stack and between the stacks
- Vulnerability from vendors and third party devices
- Learning about the NIST standard of IoT security.
This course is intended for:
- Engineers/managers/security experts who are assigned to develop IoT projects or audit/review security risks.
We recommend that attendees of this course have one of the following prerequisites:
- Basic knowledge of devices, electronics systems and data systems
- Basic understanding of software and systems
- Basic understanding of Statistics (at Excel level)
- Understanding of Telecommunication Verticals
1. Basic and advanced concepts of IoT architecture from security perspective
- A brief history of evolution of IoT technologies
- Data models in IoT system – definition and architecture of sensors, actuators, device, gateway, communication protocols
- Third party devices and risk associated with vendors supply chain
- Technology ecosystem – device providers, gateway providers, analytics providers, platform providers, system integrators – risk associated with all the providers
- Edge-driven distributed IoT vs Cloud-driven central IoT: Advantage vs risk assessment
- Management layers in IoT system – Fleet management, asset management, Onboarding/Deboarding of sensors, Digital Twins. Risk of Authorizations in management layers
- Demo of IoT management systems- AWS, Microsoft Azure and Other Fleet managers
- Introduction to popular IoT communication protocols – Zigbee/NB-IoT/5G/LORA/Witespec – review of vulnerability in communication protocol layers
- Understanding the entire Technology stack of IoT with a review of Risk management
2. A check-list of all risks and security issues in IoT
- Firmware Patching – the soft belly of IoT
- Detailed review of security of IoT communication protocols – Transport layers (NB-IoT, 4G, 5G, LORA, Zigbee etc.) and Application Layers – MQTT, Web Socket etc.
- Vulnerability of API end points – list of all possible API in IoT architecture
- Vulnerability of Gateway devices and Services
- Vulnerability of connected sensors – Gateway communication
- Vulnerability of Gateway – Server communication
- Vulnerability of Cloud Database services in IoT
- Vulnerability of Application Layers
- Vulnerability of Gateway management service – Local and Cloud based
- Risk of log management in edge and non-edge architecture
3. OWASP model of IoT security, top 10 security risks
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
- Microsoft Threat Model – STRIDE
- Details of STRIDE Model
- Security device and gateway and server communication – Asymmetric encryption
- X.509 certification for Public key distribution
- SAS Keys
- Bulk OTA risks and techniques
- API security for application portals
- Deactivation and delinking of rogue device from the system
- Vulnerability of AWS/Azure Security principles
- Review of NISTIR 8228 standard for IoT security – 30 point risk consideration Model
- Third party device integration and identification
- Service identification & tracking
- Hardware identification & tracking
- Communication session identification
- Management transaction identification and logging
- Log management and tracking
- Securing debugging mode in a Firmware
- Physical Security of hardware
- Hardware cryptography – PUF (Physically Unclonable Function) – securing EPROM
- Public PUF, PPUF
- Nano PUF
- Known classification of Malware in Firmware (18 families according to YARA rule)
- Study of some of the popular Firmware Malware – MIRAI, BrickerBot, GoScanSSH, Hydra etc.
- On Oct. 21, 2016, a huge DDoS attack was deployed against Dyn DNS servers and shut down many web services including Twitter. Hackers exploited default passwords and user names of webcams and other IoT devices, and installed the Mirai botnet on compromised IoT devices. This attack will be studied in detail.
- IP cameras can be hacked through buffer overflow attacks
- Philips Hue lightbulbs were hacked through their ZigBee link protocol
- SQL injection attacks were effective against Belkin IoT devices
- Cross-site scripting (XSS) attacks exploited the Belkin WeMo app to access data and resources that the app can access
- Tracking and identifying all the services in Gateways
- Never use MAC address – use package ID instead
- Use identification hierarchy for devices – board ID, Device ID and package ID
- Structure the Firmware Patching to perimeter and conforming to service ID
- PUF for EPROM
- Secure the risks of IoT management portals/applications by two layers of authentication
- Secure all API- Define API testing and API management
- Identification and integration of same security principle in Logistic Supply Chain
- Minimize Patch vulnerability of IoT communication Protocols
- Define the lexicon of IoT security / Tensions
- Suggest the best practice for authentication, identification, authorization
- Identification and ranking of Critical Assets
- Identification of perimeters and isolation for application
- Policy for securing critical assets, critical information and privacy data