Instructors

Brian Russell

Brian Russell is a chief engineer for cyber security solutions at Leidos where he leads multiple engineering and R&D efforts. He specializes in security for the Internet of Things (IoT) and has led engineering programs supporting the security of Unmanned Aerial Systems (drones) and connected vehicles. Brian has led the design and development of security monitoring systems, high assurance encryption solutions and cryptographic key management systems. He is co-author of the book “Practical Internet of Things Security”, serves as Chair of the Cloud Security Alliance (CSA) IoT Working Group and is an adjunct professor at the University of San Diego (USD). He has served on the editorial panel for the Center for Internet Security (CIS) 20 Critical Security Controls and on the Federal Communications Commission (FCC) IoT and 5G Security Working Groups.

Drew Van Duren

Drew Van Duren has provided extensive cryptographic and cyber-physical system security expertise to commercial enterprise and government agencies. He has consulted the Federal Aviation Administration on unmanned aircraft security, the US Department of Transportation Federal Highway Administration on connected vehicle risks and security, and many commercial cryptographic vendors in their security device implementations. Drew is also co-founder of Responsible Robotics LLC, a company dedicated to the safe and secure integration of robotic aerial systems in the national airspace.

Securing Enterprise Internet of Things Implementations

Instructors: Brian Russell, Drew Van Duren

Life Cycle Cyber Security Management for Connected Systems and Devices

This course provides the steps needed to design and implement an IoT Security Program.

Authors of "Practical Internet of Things Security" - Instructor Brian Russell is the chief engineer for cyber security solutions at Leidos and also serves as Chair of the Cloud Security Alliance (CSA) IoT Working Group. Instructor Drew Van Duren has fifteen years of experience providing cryptographic and cyber-physical system security expertise to commercial enterprise and government agencies.

Course Description

The Internet of Things (IoT) promises to revolutionize business processes through connectivity, analysis and automation. As new IoT systems are developed and integrated into corporate communication networks, new attack surfaces are also introduced. These attack surfaces provide adversaries with new ways to steal services, compromise information or trigger worst-case physical impacts against connected infrastructures. Security practitioners and information technology staff must be able to methodically analyze threats to IoT devices, information, and the infrastructure that supports them in order to choose the right security solutions and processes for locking down an IoT-enabled business.

The IoT is broad in scope and encompasses all industries in various forms. IoT devices can range from connected vehicles and unmanned aerial systems (e.g., drones) at the larger end of the scale, to single-purpose sensors comprised of a microcontroller, sensor, battery and not much more. Organizations will soon be filled with many different types of IoT devices, some of which require additional safety and security measures due to their ability to cause effects in the physical world. These Cyber Physical Systems (CPS) will be prime attack targets and proper concern should be afforded to them in an Enterprise IoT Security Program.

This course should be of interest to information technology professionals and security engineers responsible for architecting and implementing new IoT-based capabilities within an enterprise. This course will provide the steps required to design and implement an IoT Security Program. It will begin by providing an understanding of the unique threats associated with the IoT and the differences when compared with traditional Information Technology (IT) systems.

It will provide a guide for employing an IoT security lifecycle within your organization that includes robust security engineering processes, the ability to integrate IoT devices into existing security infrastructure (e.g., identity and access management, security monitoring systems), and detailed information regarding how to perform an IoT Privacy Impact Assessment (PIA) and Safety Impact Assessment. The course will also discuss how to create a secure IoT device and how to securely integrate IoT devices to the Cloud.

What am I going to get from this course?
  • Advise business leaders on the risks related to introducing IoT systems
  • Design a life-cycle security plan to mitigate the risk introduced by IoT systems
  • Extend your current security program to support the integration of new IoT systems
  • Identify and mitigate safety and privacy concerns introduced by new IoT systems
  • Plan to leverage the cloud to securely support your IoT systems
  • Gain familiarity with fundamental cryptographic controls needed to safeguard IoT systems
  • Test the security of your IoT system implementations

Prerequisites and Target Audience

What will students need to know or do before starting this course?
This course is designed as an introduction to IoT security for the Enterprise. Prior to taking this course students should have:
1) A basic understanding of IoT concepts and technologies
2) A basic understanding of networking concepts
Who should take this course? Who should not?
  • IT Staff charged with implementing new IoT systems
  • Cyber security analysts and engineers charged with securing new IoT systems
  • Security managers that need to understand where to start with defending enhanced business connectivity
  • Product developers that need to understand what their business customers face when securing the Internet of Things

Curriculum

Module 1: Course Overview and Objectives
Lecture 1 Introduction, Intended Audience and Course Objectives

This lecture introduces the course and explains our objectives and intended audiences for the course.

Lecture 2 Exploring the IoT

The IoT means different things to different people. At its core, the IoT is about connecting physical assets. What actual instances of the IoT look like, however, depends heavily on the industry you are discussing. For Smart Cities, the IoT may consist of smart parking meters, connected trash cans, environmental sensors and connected traffic infrastructure. In the transportation sector, the IoT consists of Road Side Units (RSUs) and Connected Cars. In the consumer sector, the IoT is seen in the many devices available for your smart home. This lecture dives into an exploration of the IoT.

Lecture 3 IoT in the Enterprise

Businesses and other organizations employ IoT solutions to enhance customer experiences, increase revenues, decrease costs or achieve some other business or mission goal. This lecture examines the implementation of IoT solutions in an enterprise context. View 2 external resources for an in-depth discussion on the role of IoT in the enterprise: 1) Porter, Heppelmann 2014. How Smart Connected Products are Transforming Competition. Harvard Business Review. 2) Porter, Heppelmann 2015. How Smart Connected Products are Transforming Companies. Harvard Business Review.

Module 2: IoT Vulnerabilities, Attacks, and Countermeasures
Lecture 4 Intro and Primer on Threats, Vulnerabilities, and Risks

This lecture begins an introduction to information assurance (IA). We discuss the pillars of IA and then dive into a primer on threats, vulnerabilities and risks. This lecture positions you to better understand the need to perform security engineering and threat modeling for your IoT systems and solutions. View the external resource "RSA Panel Discussion: The Future of Ransomware on the Internet of Things (IoT)" for a discussion focused on the coming intersection of the IoT and ransomware.

Lecture 5 Primer on Attacks and Countermeasures

This lecture begins to explore the types of attacks to which IoT components are susceptible.

Lecture 6 Building an Attack Tree

This lecture dives into the process for creating an attack tree. We provide an example that you can follow to create attack trees for your organization.

Lecture 7 Fault Trees

We talk about the intersection of safety and security engineering in this course. Fault trees are within the domain of safety engineering. Here we discuss their applicability to creating a safe and secure IoT system.

Lecture 8 Anatomy of an Attack

This lecture explores a theoretical attack against a cyber-physical system.

Lecture 9 Examining Today's IoT Attacks

Here we examine some recent IoT-related attacks in the news.

Lecture 10 Threat Modeling a Smart Parking System

Given this module's focus on the attacks that can be levied on IoT systems, we close with a detailed look at threat modeling an example IoT system. Threat models are a useful tool for security engineers to identify where to focus their efforts given their unique system characteristics. Here we walk through a threat model example.

Module 3: IoT Security Engineering
Lecture 11 The Challenge of Developing Secure IoT Products

There are many reasons why we hear news stories regarding the insecurity of the IoT. Many of those reasons stem from the challenges associated with developing secure IoT products. This lecture reviews some of those security challenges that developers are facing as they try to field the next big smart, connected device to their customers. Download the attached Cloud Security Alliance Report titled "Future Proofing the Connected World" for in-depth guidance on designing and developing secure IoT products.

Lecture 12 Security Design from the Start

This lecture explores the concept of designing security into IoT products and systems. We review methods for integrating security engineering into your development lifecycles. We also talk a bit more about the need for threat modeling, privacy impact assessments and safety impact assessments.

Lecture 13 Integrating Secure Components into Your System Design

This lecture touches on the need to consider the security of components that you incorporate into your IoT systems and solutions, as well as security controls that you should consider integrating with your IoT implementations.

Module 4: The IoT Security Lifecycle
Lecture 14 Secure Implementation and Integration

In our previous module we discussed integration of security into the development lifecycle. We now explore the need to include security in the operational lifecycle of your IoT systems. We kick this off by talking through the steps you need to take to begin the secure implementation and integration process of an IoT solution for your enterprise.

Lecture 15 Secure Operations and Maintenance

This lecture moves into a talk on ways to secure IoT systems during their operations. We look at monitoring, authentication/authorization, key and certificate management and other security lifecycle considerations.

Lecture 16 Secure Disposal

The need to securely dispose of Information Technology (IT) assets is sometimes not considered a top priority within organizations; however, there are remnants of information that live on when those assets are no longer needed. This lecture discusses the need to wipe devices of any sensitive information including cryptographic keys.

Module 5: Employing Cryptography for IoT Security
Lecture 17 Cryptography Fundamentals

The field of cryptography can seem intimidating; however, security engineers should understand cryptographic fundamentals associated with applying confidentiality and integrity protections to their systems. This lecture gives students a solid understanding of those fundamentals.

Lecture 18 Cryptographic Modules

Cryptographic modules provide secure processing for cryptographic algorithms (e.g., AES) and protocols (e.g., TLS). Standards such as Federal Information Processing Standard (FIPS) 140-2 provide safeguards to buyers that a module has undergone certain testing; however, that alone is not sufficient to ensure the security of an implementation. This lecture discusses additional considerations for those relying upon cryptographic modules to safeguard their sensitive keys and cryptographic primitives.

Lecture 19 Cryptographic Key Management Fundamentals

The management of keys is one of the most important considerations related to the security of a product or system. Key management focuses on the secure request, generation, distribution and disposal of keys and certificates for devices. This lecture provides a discussion of these topics. Review the external resource: "VPKI hits the highway" for an introduction to the Public Key Infrastructure (PKI) systems that will provision certificates to Connected Automobiles in the United States. Reference: Weil, Tim. "VPKI Hits the Highway." SecuringIT (2017): n. pag. Web.

Lecture 20 Cryptographic Controls in the IoT Protocols

This lecture looks at how cryptography is incorporated into various IoT communication and messaging protocols. Review the external resource discussing Simon and Speck, Block Ciphers for the Internet of Things to gain an understanding of new ciphers being developed to support the IoT. Beaulieu, Ray, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. "Simon and Speck: Block Ciphers for the Internet of Things." National Security Agency (2015): n. pag. Web.

Quiz 1 Understanding Cryptography and Key Management for the IoT

This quiz reviews some fundamental concepts related to cryptography and key management for the IoT.

Module 6: IoT Privacy
Lecture 21 Examining IoT Privacy Challenges

This lecture talks through some of the privacy challenges that have been introduced by the IoT. Privacy is a complex issue as the IoT consists of sensors, cameras and other equipment that can capture, record and store imagery and voice data.

Lecture 22 Privacy Impact Assessment (PIA) Guide

How do you identify the privacy concerns associated with your specific IoT implementation and stakeholder community? Performing a privacy impact assessment (PIA) allows you to take a methodical look at these issues so you can take the steps necessary to mitigate them. This lecture instructs on how to perform a PIA.

Lecture 23 Privacy-by-Design (PbD) Concepts

Although it is important to perform a PIA for your IoT systems, that is not the end of the matter. Privacy-by-Design (PbD) concepts show how to build privacy safeguards in from the beginning.

Module 7: Secure Cloud Integration
Lecture 24 Cloud IoT, Fog and Service Providers

The Cloud provides a connectivity layer for IoT products and solutions, and hosts the services that allow enterprises to realize value from their IoT implementations. Cloud services for the IoT include, among other things, data analytics, messaging, machine learning, voice control, product management and information sharing. This lecture discusses the relationship between the cloud and the IoT and begins to look at considerations for procuring cloud service providers and security-as-a-service providers to protect your IoT assets.

Lecture 25 More on Cloud Service Providers (CSPs) and Security-as-a-Service Providers

This lecture continues the discussion on security controls associated with cloud service providers and security-as-a-service providers.

Lecture 26 Incorporating PKI and Monitoring with the Cloud

Certificates are often used to secure endpoint communications in IoT systems. Certificates can support mutual authentication between an IoT device and cloud service. Management of these certificates is most often accomplished through PKI. This section discusses the intersection of PKI and IoT/cloud technologies.
