Orchestrating and Automating Security for the Internet of Things: Delivering Advanced Security Capabilities from Edge to Cloud for IoT, 1st edition
Published by Cisco Press (May 29, 2018) © 2018
- Anthony Sabella
- Rik Irons-Mclean
- Marcelo Yannuzzi
Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards.
The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You’ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples.
This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them.
- Leverage SDN, NFV, fog and cloud compute concepts and architectures to deliver unprecedented security in IoT environments
- Master best-practice IoT security methodologies through real-world use cases
- Overlay advanced IoT security concepts and technologies onto current IoT deployments, and establish a strong architectural foundation for new deployments
- Preview the future direction of IoT technologies and security
Foreword xxvii
Introduction xxix
Part I Introduction to the Internet of Things (IoT) and IoT Security
Chapter 1 Evolution of the Internet of Things (IoT) 1
Defining the Internet of Things 2
Making Technology and Architectural Decisions 5
Is the Internet of Things Really So Vulnerable? 8
Summary 9
References 10
Chapter 2 Planning for IoT Security 11
The Attack Continuum 11
The IoT System and Security Development Lifecycle 13
Phase 1: Initiation 15
Phase 2: Acquisition and Development 15
Phase 3: Implementation 16
Phase 4: Operations and Maintenance 17
Phase 5: Disposition 17
The End-to-End Considerations 17
Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21
Segmentation 21
New Approach 25
Summary 30
References 30
Chapter 3 IoT Security Fundamentals 31
The Building Blocks of IoT 31
The IoT Hierarchy 35
Primary Attack Targets 37
Layered Security Tiers 43
Summary 46
References 47
Chapter 4 IoT and Security Standards and Best Practices 49
Today’s Standard Is No Standard 49
Defining Standards 53
The Challenge with Standardization 56
IoT “Standards” and “Guidance” Landscape 58
Architectural or Reference Standards 59
Industrial/Market Focused 61
Standards for NFV, SDN, and Data Modeling for Services 63
Data Modeling and Services 67
Communication Protocols for IoT 70
Physical and MAC Layers 73
Network Layer 73
Transport Layer 74
Application Layer 74
Specific Security Standards and Guidelines 75
Summary 79
References 80
Chapter 5 Current IoT Architecture Design and Challenges 83
What, Why, and Where? A Summary 85
Approaches to IoT Architecture Design 88
An X-Centric Approach 91
The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98
The Information-Centric IoT Approach 100
The Data-Centric IoT Approach 104
System Viewpoint: A Cloudy Perspective 106
Middleware 118
Lambda Architecture 119
Full IoT Stack/Universal 120
General Approaches 120
Internet of Things Architecture Reference Architecture (IoT-A RA) 120
ITU-T Y.2060 125
IoT World Forum (IoTWF) Reference Model 126
oneM2M Reference Architecture 129
IEEE P2413 IoT Architecture 132
The OpenFog Consortium Reference Architecture 133
Alliance for the Internet of Things Innovation (AIOTI) 138
Cloud Customer Architecture for IoT 140
Open Connectivity Foundation and IoTivity 142
Industrial/Market Focused 144
The Industrial Internet Consortium (IIC) 144
Industry 4.0 148
OPC Unified Architecture (OPC UA) 150
Cisco and Rockwell Automation Converged Plantwide Ethernet 153
Cisco Smart Grid Reference Model: GridBlocks 153
NFV- and SDN-Based Architectures for IoT 154
Approaches to IoT Security Architecture 156
Purdue Model of Control Hierarchy Reference Model 157
Industrial Internet Security Framework (IISF) IIC Reference Architecture 160
Cloud Security Alliance Security Guidance for IoT 165
Open Web Application Security Project (OWASP) 168
Cisco IoT Security Framework 168
The IoT Platform Design of Today 172
Security for IoT Platforms and Solutions 178
Challenges with Today’s Designs: The Future for IoT Platforms 179
Summary 183
References 183
Part II Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT
Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185
A Bit of History on SDX and NFV and Their Interplay 185
Software-Defined Networking 188
OpenFlow 192
Open Virtual Switch 195
Vector Packet Processing 198
Programming Protocol-Independent Packet Processors (P4) 201
OpenDaylight 203
Extending the Concept of Software-Defined Networks 212
Network Functions Virtualization 217
Virtual Network Functions and Forwarding Graphs 221
ETSI NFV Management and Orchestration (MANO) 225
The Impact of SDX and NFV in IoT and Fog Computing 235
Summary 248
References 249
Chapter 7 Securing SDN and NFV Environments 251
Security Considerations for the SDN Landscape 251
1: Securing the Controller 252
2: Securing Controller Southbound Communications 256
3: Securing the Infrastructure Planes 260
4: Securing Controller Northbound Communications 263
5: Securing Management and Orchestration 268
6: Securing Applications and Services 270
Security Considerations for the NFV Landscape 272
NFV Threat Landscape 273
Secure Boot 274
Secure Crash 275
Private Keys Within Cloned Images 276
Performance Isolation 278
Tenant/User Authentication, Authorization, and Accounting (AAA) 279
Authenticated Time Service 281
Back Doors with Test and Monitor Functions 281
Multi-administrator Isolation 282
Single Root I/O Virtualization (SRIOV) 283
SRIOV Security Concerns 285
Summary 285
References 285
Chapter 8 The Advanced IoT Platform and MANO 287
Next-Generation IoT Platforms: What the Research Says 287
Next-Generation IoT Platform Overview 291
Platform Architecture 294
Platform Building Blocks 295
Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303
Example Use Case Walkthrough 308
Event-Based Video and Security Use Case 309
Summary 321
References 321
Part III Security Services: For the Platform, by the Platform
Chapter 9 Identity, Authentication, Authorization, and Accounting 323
Introduction to Identity and Access Management for the IoT 324
Device Provisioning and Access Control Building Blocks 326
Naming Conventions to Establish “Uniqueness” 327
Secure Bootstrap 328
Immutable Identity 328
Bootstrapping Remote Secure Key Infrastructures 329
Device Registration and Profile Provisioning 330
Provisioning Example Using AWS IoT 331
Provisioning Example Using Cisco Systems Identity Services Engine 334
Access Control 336
Identifying Devices 336
Endpoint Profiling 337
Profiling Using ISE 337
Device Sensor 340
Methods to Gain Identity from Constrained Devices 345
Energy Limitations 346
Strategy for Using Power for Communication 347
Leveraging Standard IoT Protocols to Identify Constrained Devices 348
Authentication Methods 351
Certificates 351
Trust Stores 355
Revocation Support 356
SSL Pinning 357
Passwords 357
Limitations for Constrained Devices 358
Biometrics 359
AAA and RADIUS 361
A/V Pairs 362
802.1X 363
MAC Address Bypass 365
Flexible Authentication 366
Dynamic Authorization Privileges 367
Cisco Identity Services Engine and TrustSec 368
RADIUS Change of Authorization 368
Access Control Lists 374
TrustSec and Security Group Tags 376
TrustSec Enablement 379
SGACL 384
Manufacturer Usage Description 390
Finding a Policy 390
Policy Types 390
The MUD Model 392
AWS Policy-based Authorization with IAM 394
Amazon Cognito 395
AWS Use of IAM 395
Policy-based Authorization 395
Accounting 397
How Does Accounting Relate to Security? 398
Using a Guideline to Create an Accounting Framework 398
Meeting User Accounting Requirements 400
Scaling IoT Identity and Access Management with Federation Approaches 402
IoT IAM Requirements 403
OAuth 2.0 and OpenID Connect 1.0 404
OAuth 2.0 404
OpenID Connect 1.0 405
OAuth2.0 and OpenID Connect Example for IoT 405
Cloud to Cloud 406
Native Applications to the Cloud 408
Device to Device 409
Evolving Concepts: Need for Identity Relationship Management 411
Summary 414
References 415
Chapter 10 Threat Defense 417
Centralized and Distributed Deployment Options for Security Services 418
Centralized 418
Distributed 420
Hybrid 422
Fundamental Network Firewall Technologies 422
ASAv 423
NGFWv 423
Network Address Translation 424
Overlapping 425
Overloading or Port Address Translation 425
Packet Filtering 426
Industrial Protocols and the Need for Deeper Packet Inspection 428
Common Industrial Protocol 428
Lack of Security 429
Potential Solutions: Not Good Enough 430
Alternative Solution: Deep Packet Inspection 430
Sanity Check 431
User Definable 432
Applying the Filter 432
Application Visibility and Control 433
Industrial Communication Protocol Example 435
MODBUS Application Filter Example 436
Intrusion Detection System and Intrusion Prevention System 437
IPS 438
Pattern Matching 438
Protocol Analysis 439
IDS/IPS Weakness 439
Advanced Persistent Threats and Behavioral Analysis 440
Behavior Analysis Solutions 441
Protocols Used to Gain Additional Visibility 442
Network as a Sensor 444
Pairing with Contextual Information and Adaptive Network Control 446
Encrypted Traffic Analytics 450
Malware Protection and Global Threat Intelligence 455
Cisco Advanced Malware Protection and TALOS 456
DNS-Based Security 462
Umbrella (DNS Security + Intelligent Proxy) 463
Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466
ETSI MANO Components in the Use Case 468
VMs (Services) Being Instantiated in the Use Case 469
Use Case Explanation 469
Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486
Solution Components 487
NFVIS 488
Orchestration 490
vBranch Function Pack 490
Summary 495
References 495
Chapter 11 Data Protection in IoT 499
Data Lifecycle in IoT 507
Data at Rest 518
Data Warehouses 521
Data Lakes 522
Data in Use 524
Data on the Move 527
Protecting Data in IoT 531
Data Plane Protection in IoT 531
Protecting Management Plane Data in IoT 565
Protecting Control Plane Data 566
Considerations When Planning for Data Protection 567
Summary 573
References 574
Chapter 12 Remote Access and Virtual Private Networks (VPN) 575
Virtual Private Network Primer 575
Focus for This Chapter 576
Site-to-Site IPsec VPN 576
IPsec Overview 577
IKEv1 Phase 1 579
IKEv1 Phase 2 582
Internet Key Exchange Protocol Version 2 584
Benefits of IKEv2 over IKEv1 586
Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588
IPsec Databases 589
Use Case: IKE/IPsec Within the NSF 589
Interface Requirements 590
Applying SDN-Based IPsec to IoT 592
Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592
Software-Based Extranet Using Orchestration and NFV 594
Traditional Approach 594
Automating Extranet Using Orchestration Techniques and NFV 595
Software-Based Extranet Use Case 597
Remote Access VPN 598
SSL-Based Remote Access VPN 598
Reverse Proxy 599
Clientless and Thin Client VPN 599
Client Based: Cisco AnyConnect Secure Mobility Client 611
Modules 612
Using AnyConnect in Manufacturing: Use Case Example 617
Summary 622
References 622
Chapter 13 Securing the Platform Itself 625
(A) Visualization Dashboards and Multitenancy 627
(B) Back-End Platform 631
Scenario 1: A New Endpoint Needs to Be Connected to the Network 639
Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639
Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641
Docker Security 653
Kubernetes Security and Best Practices 656
(C) Communications and Networking 658
(D) Fog Nodes 660
(E) End Devices or “Things” 666
Summary 667
References 667
Part IV Use Cases and Emerging Standards and Technologies
Chapter 14 Smart Cities 669
Use Cases Introduction 669
The Evolving Technology Landscape for IoT 670
The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672
Smart Cities 676
Smart Cities Overview 678
The IoT and Secure Orchestration Opportunity in Cities 688
Security in Smart Cities 693
Smart Cities Example Use Cases 696
Use Case Automation Overview and High-Level Architecture 701
Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702
Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705
Event-Based Video: Secure Data Pipeline and Information Exchange 709
Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714
Emergency Fleet Integration 718
Automated Deployment of the Use Cases 721
Summary 725
References 727
Chapter 15 Industrial Environments: Oil and Gas 729
Industry Overview 733
The IoT and Secure Automation Opportunity in Oil and Gas 735
The Upstream Environment 738
Overview, Technologies, and Architectures 739
Digitization and New Business Needs 742
Challenges 743
The Midstream Environment 744
Overview, Technologies, and Architectures 744
Digitization and New Business Needs 747
Challenges 748
The Downstream and Processing Environments 749
Overview, Technologies, and Architectures 749
Digitization and New Business Needs 752
Challenges 753
Security in Oil and Gas 754
Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763
Use Case Overview 763
Use Case Description 765
Deploying the Use Case 767
Preconfiguration Checklist 773
Automated Deployment of the Use Cases 777
Securing the Use Case 778
Power of SGT as a CoA 781
Auto-Quarantine Versus Manual Quarantine 782
Leveraging Orchestrated Service Assurance to Monitor KPIs 783
Evolving Architectures to Meet New Use Case Requirements 788
Summary 792
References 794
Chapter 16 The Connected Car 797
Connected Car Overview 800
The IoT and Secure Automation Opportunity for Connected Cars 809
The Evolving Car Architecture 824
Security for Connected Cars 830
Connected Car Vulnerabilities and Security Considerations 838
Connected Car Security and Automation Use Case 849
Use Case Overview 852
Use Case Automation Overview 854
Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855
Secure Network: Segmentation, Zones, and Interzone Communication 857
Secure Content: Intrusion Detection and Prevention 858
Secure Intelligence: Secure Internet Access from the Vehicle 861
The Future: Personalized Experience Based on Identity 862
Federal Sigma VAMA: Emergency Fleet Solution 863
Automated Deployment of the Use Case 867
Summary 871
References 871
Chapter 17 Evolving Concepts That Will Shape the Security Service Future 873
A Smarter, Coordinated Approach to IoT Security 876
Blockchain Overview 880
Blockchain for IoT Security 888
Machine Learning and Artificial Intelligence Overview 890
Machine Learning 893
Deep Learning 894
Natural Language Processing and Understanding 895
Neural Networks 896
Computer Vision 898
Affective Computing 898
Cognitive Computing 898
Contextual Awareness 899
Machine Learning and Artificial Intelligence for IoT Security 899
Summary 900
References 901
ISBN 9781587145032 (table of contents dated 4/25/2018)
Anthony Sabella, CCIE No. 5374, is the lead cybersecurity architect for the Enterprise Chief Technology Office at Cisco and has worked at Cisco for eight years. Anthony leads innovative work streams on methods to break free from manual tasks by applying the latest virtualization and orchestration techniques to cybersecurity. He combines this with machine learning concepts and the ingestion of intelligence feeds to design effective solutions that can self-manage and self-heal. Anthony applies these concepts across a variety of use cases, including financial institutions, healthcare, energy, and manufacturing (examples are included in this book).
Before joining Cisco, Anthony worked as principal engineer for a global service provider for 13 years, where he created cybersecurity solutions for enterprise customers. Anthony was also the cofounder and CTO for a technology consulting firm responsible for designing cybersecurity solutions for both commercial and enterprise customers. Anthony’s expertise has resulted in speaking engagements at major conferences around the world for both Cisco and its major partners. Anthony holds a master’s degree in computer science and an active CCIE, and he is a contributing member in the IEEE Cyber Security community.
Rik Irons-Mclean is the Industry Principal for Oil & Gas at Cisco. Rik has worked at Cisco for 11 years and has had lead roles in IoT/IIoT, communications and security for power utilities and process control industries, and energy management and optimization. He has led technical global teams in taking new products to market in all theaters, specializing in driving new technology adoption in both established and emerging markets. Before joining Cisco, he worked for a Cisco service provider partner for eight years, where he focused on converged solutions.
Rik has represented Cisco in a number of industry and standards bodies, including Open Process Automation, IEC 61850 for industrial communications, and IEC 62351 for industrial security. Additionally, he was elected the U.K. lead for Cigre SC D2 for communications and security in the power industry. Rik has written for a number of industry publications and authored whitepapers on such topics as industrial cybersecurity, IoT security, distributed industrial control systems, next-generation operational field telecoms, fog computing, and digital IoT fabric architectures.
Rik holds a bachelor of science degree and a master of business administration degree, focused on international leadership. He is currently studying for a doctorate in cybersecurity.
Marcelo Yannuzzi is a principal engineer at the Chief Strategy Office in Cisco. Marcelo leads strategic innovation in the areas of IoT, security, and novel architectures fusing cloud and fog computing. He has led flagship innovations across different industry verticals, some of which are outlined in this book. Marcelo also provides strategic advisory on new business opportunities and technologies for Cisco and start-ups.
Before joining Cisco, Marcelo was the head of the Advanced Network Architectures Lab at the Department of Computer Architecture in a Barcelona university. He was the cofounder and CTO of a start-up for which Cisco was its first customer. Marcelo is the author of more than 100 peer-reviewed publications, including top journals and conferences in the areas of IoT, fog computing, security, NFV, software-defined systems (SDX), multilayer network management and control, sensor networks, and mobility. Marcelo has led several European research projects and contracts in the industry, and his research was funded multiple times by Cisco. He is a frequent speaker and invited panelist at major conferences and forums. He held previous positions as an assistant professor at the physics department in a university’s school of engineering.
Marcelo holds a bachelor’s degree in electrical engineering and both a master of science degree and a Ph.D. in computer science.