The Internet of Things (IoT) promises to revolutionize business processes through connectivity, analysis and automation. As new IoT systems are developed and integrated into corporate communication networks, new attack surfaces are also introduced. These attack surfaces provide adversaries with new ways to steal services, compromise information or trigger worst-case physical impacts against connected infrastructures. Security practitioners and information technology staff must be able to methodically analyze threats to IoT devices, information, and the infrastructure that supports them in order to choose the right security solutions and processes for locking down an IoT-enabled business.
The IoT is broad in scope and encompasses all industries in various forms. IoT devices can range from connected vehicles and unmanned aerial systems (e.g., drones) at the larger end of the scale, to single-purpose sensors comprised of a microcontroller, sensor, battery and not much more. Organizations will soon be filled with many different types of IoT devices, some of which require additional safety and security measures due to their ability to cause effects in the physical world. These Cyber Physical Systems (CPS) will be prime attack targets and proper concern should be afforded to them in an Enterprise IoT Security Program.
This course should be of interest to information technology professionals and security engineers responsible for architecting and implementing new IoT-based capabilities within an enterprise. This course will provide the
steps required to design and implement an IoT Security Program. It will begin by providing an understanding of
the unique threats associated with the IoT and the differences when compared with traditional Information Technology (IT) systems. It will provide a guide for employing an IoT security lifecycle within your organization
that includes robust security engineering processes, the ability to integrate IoT devices into existing security infrastructure (e.g., identity and access management, security monitoring systems), and detailed information regarding how to perform an IoT Privacy Impact Assessment (PIA) and Safety Impact Assessment. The course will also discuss how to create a secure IoT device and how to securely integrate IoT devices to the Cloud.
What am I going to get from this course?
- Advise business leaders on the risks related to introducing IoT systems
- Design a life-cycle security plan to mitigate the risk introduced by IoT systems
- Extend your current security program to support the integration of new IoT systems
- Identify and mitigate safety and privacy concerns introduced by new IoT systems
- Plan to leverage the cloud to securely support your IoT systems
- Gain familiarity with fundamental cryptographic controls needed to safeguard IoT systems
- Test the security of your IoT system implementations
Prerequisites and Target Audience
What will students need to know or do before starting this course?
This course is designed as a introduction to IoT security for the Enterprise. Prior to taking this course students should have:
1) A basic understanding of IoT concepts and technologies
2) A basic understanding of networking concepts
Who should take this course? Who should not?
- IT Staff charged with implemented new IoT systems
- Cyber security analysts and engineers charged with securing new IoT systems
- Security managers that need to understand where to start with defending enhanced business connectivity
- Product developers that need to understand what their business customers face when securing the Internet of Things
Module 1: Course Overview and Objectives
Introduction, Intended Audience and Course Objectives
This lecture introduces the course and explains our objectives and intended audiences for the course.
Exploring the IoT
The IoT means different things to different people. At its core, the IoT is about connecting physical assets. What actual instances of the IoT look like however depends heavily on the industry you are discussing. For Smart Cities, the IoT may consist of smart parking meters, connected trash cans, environmental sensors and connected traffic infrastructure. In the transportation sector, the IoT consists of Road Side Units (RSUs) and Connected Cars. In the consumer sector, the IoT is seen in the many devices available for your smart home. This lecture dives into an exploration of the IoT.
IoT in the Enterprise
Businesses and other organizations employ IoT solutions to enhance customer experiences, increase revenues, decrease costs or achieve some other business or mission goal. This lecture examines the implementation of IoT solutions in an enterprise context.
View 2 external resources for an in-depth discussion on the role of IoT in the enterprise:
1) Porter, Heppelmann 2014. How Smart Connected Products are Transforming Competition. Harvard Business Review.
2) Porter, Heppelmann 2015. How Smart Connected Products are Transforming Companies. Harvard Business Review.
Module 2: IoT Vulnerabilities, Attacks, and Countermeasures
Intro and Primer on Threats, Vulnerabilities, and Risks
This lecture begins an introduction to information assurance (IA). We discuss the pillars of IA and then dive into a primer on threats, vulnerabilities and risks. This lecture positions you to better understand the need to perform security engineering and threat modeling for your IoT systems and solutions.
View the external resources "RSA Panel Discussion: The Future of Ransomware on the Internet of Things (IoT)" for a discussion focused on the coming intersection of the IoT and ransomware.
Primer on Attacks and Countermeasures
This lecture begins to explore the types of attacks in which IoT components are susceptible.
Building an Attack Tree
This lecture dives into the process for creating an attack tree. We provide an example that you can follow to create attack trees for your organization.
We talk about the intersection of safety and security engineering in this course. Fault trees are within the domain of safety engineering. Here we discuss their applicability to creating a safe and secure IoT system.
Anatomy of an Attack
This lecture explores a theoretical attack against a cyber-physical system.
Examining Today's IoT Attacks
Here we examine some recent IoT-related attacks in the news.
Threat Modeling a Smart Parking System
Given this module's focus on the attacks that can be levied on IoT systems, we close with a detailed look at threat modeling an example IoT system. Threat models are a useful tool for security engineers to identify where to focus their efforts given their unique system characteristics. Here we walk through a threat model example.
Module 3: IoT Security Engineering
The Challenge of Developing Secure IoT Products
There are many reasons why we hear news stories regarding the insecurity of the IoT. Many of those reasons stem from the challenges associated with developing secure IoT products. This lecture reviews some of those security challenges that developers are facing as they try to field the next big smart, connected device to their customers.
Download the attached Cloud Security Alliance Report titled "Future Proofing the Connected World" for in-depth guidance on designing and developing secure IoT products.
Security Design from the Start
This lecture explores the concept of designing security into IoT products and systems. We review methods for integrating security engineering into your development lifecycles. We also talk a bit more about the need for threat modeling, privacy impact assessments and safety impact assessments.
Integrating Secure Components into Your System Design
This lecture touches on the need to consider the security of components that you incorporate into your IoT systems and solutions, as well as security controls that you should consider integrating with your IoT implementations.
Module 4: The IoT Security Lifecycle
Secure Implementation and Integration
In our previous module we discussed integration of security into the development lifecycle. We now explore the need to include security in the operational lifecycle of your IoT systems. We kick this off by talking through the steps you need to take to begin the secure implementation and integration process of an IoT solution for your enterprise.
Secure Operations and Maintenance
This lecture moves into a talk on ways to secure IoT systems during their operations. We look at monitoring, authentication/authorization, key and certificate management and other security lifecycle considerations.
The need to securely dispose of Information Technology (IT) assets is sometimes not considered a top priority within organizations, however there are remnants of information that live on when those assets are no longer needed. This lecture discusses the need to wipe devices of any sensitive information including cryptographic keys.
Module 5: Employing Cryptography for IoT Security
The field of cryptography can seem intimidating, however security engineers should understand cryptographic fundamentals associated with applying confidentiality and integrity protections to their systems. This lecture gives students a solid understanding of those fundamentals.
Cryptographic modules provide secure processing for cryptographic algorithms (e.g., AES) and protocols (e.g., TLS). Standards such as Federal Information Processing Standard (FIPS) 140-2 provide safeguards to buyers that a module has undergone certain testing, however that alone is not sufficient to ensure the security of an implementation. This lecture discusses additional considerations for those relying upon cryptographic modules to safeguard their sensitive keys and cryptographic primitives.
Cryptographic Key Management Fundamentals
The management of keys is one of the most important considerations related to the security of a product or system. Key management focuses on the secure request, generation, distribution and disposal of keys and certificates for devices. This lecture provides a discussion of these topics.
Review the external resource: "VPKI hits the highway" for an introduction to the Public Key Infrastructure (PKI) systems that will provision certificates to Connected Automobiles in the United States.
Reference: Weil, Tim. "VPKI Hits the Highway." SecuringIT (2017): n. pag. Web.
Cryptographic Controls in the IoT Protocols
This lecture looks at how cryptography is incorporated into various IoT communication and messaging protocols.
Review the external resource discussing Simon and Speck, Block Ciphers for the Internet of Things to gain an understanding of new ciphers being developed to support the IoT.
Beaulieu, Ray, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. "Simon and Speck: Block Ciphers for the Internet of Things." National Security Agency (2015): n. pag. Web.
Understanding Cryptography and Key Management for the IoT
This quiz reviews some fundamental concepts related to cryptography and key management for the IoT.
Module 6: IoT Privacy
Examining IoT Privacy Challenges
This lecture talks through some of the privacy challenges that have been introduced by the IoT. Privacy is a complex issue as the IoT consists of sensors, cameras and other equipment that can capture, record and store imagery and voice data.
Privacy Impact Assessment (PIA) Guide
How do you identify the privacy concerns associated with your specific IoT implementation and stakeholder community. Performing a privacy impact assessment (PIA) allows you to take a methodical look at these issues so you can take the steps necessary to mitigate them. This lecture instructs on how to perform a PIA.
Privacy-by-Design (PbD) Concepts
Although it is important to perform a PIA for your IoT systems, that is not the end of the matter. Privacy-by-Design (PbD) concepts show how to build privacy safeguards in from the beginning.
Module 7: Secure Cloud Integration
Cloud IoT, Fog and Service Providers
The Cloud provides a connectivity layer for IoT products and solutions, and hosts the services that allow enterprises to realize value from their IoT implementations. Cloud services for the IoT include among other things data analytics, messaging, machine learning, voice control, product management and information sharing. This Lesson discusses the relationship between the cloud and the IoT and begins to look at considerations for procuring cloud service providers and security as a service providers to protect your IoT assets.
More on Cloud Service Providers (CSPs) and Security-as-a-Service Providers
This lecture continues the discussion on security controls associated with cloud service providers and security as a service providers.
Incorporating PKI and Monitoring with the Cloud
Certificates are often used to secure endpoint communications in IoT systems. Certificates can support mutual authentication between an IoT device and cloud service. Management of these certificates is most often accomplished through PKI. This section discusses the intersection of PKI and IoT/cloud technologies.