Orchestrating and Automating Security for the Internet of Things: Delivering Advanced Security Capabilities from Edge to Cloud for IoT, 1st edition

Published by Cisco Press (May 29, 2018) © 2018

  • Anthony Sabella
  • Rik Irons-Mclean
  • Marcelo Yannuzzi

eTextbook: $76.99

Print (hardcover or paperback): $63.99

Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards.


The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You’ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples.

This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them.


Students will learn to:
  • Leverage SDN, NFV, fog, and cloud compute concepts and architectures to deliver unprecedented security in IoT environments
  • Master best-practice IoT security methodologies through real-world use cases
  • Overlay advanced IoT security concepts and technologies onto current IoT deployments, and establish a strong architectural foundation for new deployments
  • Preview the future direction of IoT technologies and security

Foreword xxvii

Introduction xxix

Part I Introduction to the Internet of Things (IoT) and IoT Security

Chapter 1 Evolution of the Internet of Things (IoT) 1

Defining the Internet of Things 2

Making Technology and Architectural Decisions 5

Is the Internet of Things Really So Vulnerable? 8

Summary 9

References 10

Chapter 2 Planning for IoT Security 11

The Attack Continuum 11

The IoT System and Security Development Lifecycle 13

    Phase 1: Initiation 15

    Phase 2: Acquisition and Development 15

    Phase 3: Implementation 16

    Phase 4: Operations and Maintenance 17

    Phase 5: Disposition 17

The End-to-End Considerations 17

Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21

    Segmentation 21

    New Approach 25

Summary 30

References 30

Chapter 3 IoT Security Fundamentals 31

The Building Blocks of IoT 31

The IoT Hierarchy 35

Primary Attack Targets 37

Layered Security Tiers 43

Summary 46

References 47

Chapter 4 IoT and Security Standards and Best Practices 49

Today’s Standard Is No Standard 49

Defining Standards 53

The Challenge with Standardization 56

IoT “Standards” and “Guidance” Landscape 58

    Architectural or Reference Standards 59

    Industrial/Market Focused 61

Standards for NFV, SDN, and Data Modeling for Services 63

    Data Modeling and Services 67

Communication Protocols for IoT 70

    Physical and MAC Layers 73

    Network Layer 73

    Transport Layer 74

    Application Layer 74

Specific Security Standards and Guidelines 75

Summary 79

References 80

Chapter 5 Current IoT Architecture Design and Challenges 83

What, Why, and Where? A Summary 85

Approaches to IoT Architecture Design 88

    An X-Centric Approach 91

    The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98

    The Information-Centric IoT Approach 100

    The Data-Centric IoT Approach 104

    System Viewpoint: A Cloudy Perspective 106

    Middleware 118

    Lambda Architecture 119

    Full IoT Stack/Universal 120

General Approaches 120

    Internet of Things Architecture Reference Architecture (IoT-A RA) 120

    ITU-T Y.2060 125

    IoT World Forum (IoTWF) Reference Model 126

    oneM2M Reference Architecture 129

    IEEE P2413 IoT Architecture 132

    The OpenFog Consortium Reference Architecture 133

    Alliance for the Internet of Things Innovation (AIOTI) 138

    Cloud Customer Architecture for IoT 140

    Open Connectivity Foundation and IoTivity 142

Industrial/Market Focused 144

    The Industrial Internet Consortium (IIC) 144

    Industry 4.0 148

    OPC Unified Architecture (OPC UA) 150

    Cisco and Rockwell Automation Converged Plantwide Ethernet 153

    Cisco Smart Grid Reference Model: GridBlocks 153

NFV- and SDN-Based Architectures for IoT 154

Approaches to IoT Security Architecture 156

    Purdue Model of Control Hierarchy Reference Model 157

    Industrial Internet Security Framework (IISF) IIC Reference Architecture 160

    Cloud Security Alliance Security Guidance for IoT 165

    Open Web Application Security Project (OWASP) 168

    Cisco IoT Security Framework 168

The IoT Platform Design of Today 172

    Security for IoT Platforms and Solutions 178

    Challenges with Today’s Designs: The Future for IoT Platforms 179

Summary 183

References 183

Part II Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT

Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185

A Bit of History on SDX and NFV and Their Interplay 185

Software-Defined Networking 188

    OpenFlow 192

    Open Virtual Switch 195

    Vector Packet Processing 198

    Programming Protocol-Independent Packet Processors (P4) 201

    OpenDaylight 203

    Extending the Concept of Software-Defined Networks 212

Network Functions Virtualization 217

    Virtual Network Functions and Forwarding Graphs 221

    ETSI NFV Management and Orchestration (MANO) 225

The Impact of SDX and NFV in IoT and Fog Computing 235

Summary 248

References 249

Chapter 7 Securing SDN and NFV Environments 251

Security Considerations for the SDN Landscape 251

    1: Securing the Controller 252

    2: Securing Controller Southbound Communications 256

    3: Securing the Infrastructure Planes 260

    4: Securing Controller Northbound Communications 263

    5: Securing Management and Orchestration 268

    6: Securing Applications and Services 270

Security Considerations for the NFV Landscape 272

    NFV Threat Landscape 273

    Secure Boot 274

    Secure Crash 275

    Private Keys Within Cloned Images 276

    Performance Isolation 278

    Tenant/User Authentication, Authorization, and Accounting (AAA) 279

    Authenticated Time Service 281

    Back Doors with Test and Monitor Functions 281

    Multi-administrator Isolation 282

    Single Root I/O Virtualization (SRIOV) 283

    SRIOV Security Concerns 285

Summary 285

References 285

Chapter 8 The Advanced IoT Platform and MANO 287

Next-Generation IoT Platforms: What the Research Says 287

Next-Generation IoT Platform Overview 291

    Platform Architecture 294

    Platform Building Blocks 295

    Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303

Example Use Case Walkthrough 308

    Event-Based Video and Security Use Case 309

Summary 321

References 321

Part III Security Services: For the Platform, by the Platform

Chapter 9 Identity, Authentication, Authorization, and Accounting 323

Introduction to Identity and Access Management for the IoT 324

    Device Provisioning and Access Control Building Blocks 326

    Naming Conventions to Establish “Uniqueness” 327

    Secure Bootstrap 328

    Immutable Identity 328

    Bootstrapping Remote Secure Key Infrastructures 329

    Device Registration and Profile Provisioning 330

    Provisioning Example Using AWS IoT 331

    Provisioning Example Using Cisco Systems Identity Services Engine 334

Access Control 336

    Identifying Devices 336

    Endpoint Profiling 337

    Profiling Using ISE 337

    Device Sensor 340

    Methods to Gain Identity from Constrained Devices 345

    Energy Limitations 346

    Strategy for Using Power for Communication 347

    Leveraging Standard IoT Protocols to Identify Constrained Devices 348

Authentication Methods 351

    Certificates 351

    Trust Stores 355

    Revocation Support 356

    SSL Pinning 357

    Passwords 357

    Limitations for Constrained Devices 358

    Biometrics 359

    AAA and RADIUS 361

    A/V Pairs 362

    802.1X 363

    MAC Address Bypass 365

    Flexible Authentication 366

Dynamic Authorization Privileges 367

    Cisco Identity Services Engine and TrustSec 368

    RADIUS Change of Authorization 368

    Access Control Lists 374

    TrustSec and Security Group Tags 376

    TrustSec Enablement 379

    SGACL 384

Manufacturer Usage Description 390

    Finding a Policy 390

    Policy Types 390

    The MUD Model 392

AWS Policy-based Authorization with IAM 394

    Amazon Cognito 395

    AWS Use of IAM 395

    Policy-based Authorization 395

Accounting 397

    How Does Accounting Relate to Security? 398

    Using a Guideline to Create an Accounting Framework 398

    Meeting User Accounting Requirements 400

Scaling IoT Identity and Access Management with Federation Approaches 402

    IoT IAM Requirements 403

    OAuth 2.0 and OpenID Connect 1.0 404

    OAuth 2.0 404

    OpenID Connect 1.0 405

    OAuth2.0 and OpenID Connect Example for IoT 405

    Cloud to Cloud 406

    Native Applications to the Cloud 408

    Device to Device 409

Evolving Concepts: Need for Identity Relationship Management 411

Summary 414

References 415

Chapter 10 Threat Defense 417

Centralized and Distributed Deployment Options for Security Services 418

    Centralized 418

    Distributed 420

    Hybrid 422

Fundamental Network Firewall Technologies 422

    ASAv 423

    NGFWv 423

    Network Address Translation 424

    Overlapping 425

    Overloading or Port Address Translation 425

    Packet Filtering 426

Industrial Protocols and the Need for Deeper Packet Inspection 428

    Common Industrial Protocol 428

    Lack of Security 429

    Potential Solutions: Not Good Enough 430

Alternative Solution: Deep Packet Inspection 430

    Sanity Check 431

    User Definable 432

    Applying the Filter 432

Application Visibility and Control 433

    Industrial Communication Protocol Example 435

    MODBUS Application Filter Example 436

Intrusion Detection System and Intrusion Prevention System 437

    IPS 438

    Pattern Matching 438

    Protocol Analysis 439

    IDS/IPS Weakness 439

Advanced Persistent Threats and Behavioral Analysis 440

    Behavior Analysis Solutions 441

    Protocols Used to Gain Additional Visibility 442

    Network as a Sensor 444

    Pairing with Contextual Information and Adaptive Network Control 446

    Encrypted Traffic Analytics 450

Malware Protection and Global Threat Intelligence 455

    Cisco Advanced Malware Protection and TALOS 456

DNS-Based Security 462

    Umbrella (DNS Security + Intelligent Proxy) 463

Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466

    ETSI MANO Components in the Use Case 468

    VMs (Services) Being Instantiated in the Use Case 469

    Use Case Explanation 469

Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486

    Solution Components 487

    NFVIS 488

    Orchestration 490

    vBranch Function Pack 490

Summary 495

References 495

Chapter 11 Data Protection in IoT 499

Data Lifecycle in IoT 507

Data at Rest 518

    Data Warehouses 521

    Data Lakes 522

Data in Use 524

Data on the Move 527

Protecting Data in IoT 531

    Data Plane Protection in IoT 531

    Protecting Management Plane Data in IoT 565

    Protecting Control Plane Data 566

    Considerations When Planning for Data Protection 567

Summary 573

References 574

Chapter 12 Remote Access and Virtual Private Networks (VPN) 575

Virtual Private Network Primer 575

    Focus for This Chapter 576

Site-to-Site IPsec VPN 576

    IPsec Overview 577

    IKEv1 Phase 1 579

    IKEv1 Phase 2 582

    Internet Key Exchange Protocol Version 2 584

    Benefits of IKEv2 over IKEv1 586

Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588

    IPsec Databases 589

    Use Case: IKE/IPsec Within the NSF 589

    Interface Requirements 590

Applying SDN-Based IPsec to IoT 592

    Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592

Software-Based Extranet Using Orchestration and NFV 594

    Traditional Approach 594

    Automating Extranet Using Orchestration Techniques and NFV 595

    Software-Based Extranet Use Case 597

Remote Access VPN 598

    SSL-Based Remote Access VPN 598

    Reverse Proxy 599

    Clientless and Thin Client VPN 599

    Client Based: Cisco AnyConnect Secure Mobility Client 611

    Modules 612

    Using AnyConnect in Manufacturing: Use Case Example 617

Summary 622

References 622

Chapter 13 Securing the Platform Itself 625

(A) Visualization Dashboards and Multitenancy 627

(B) Back-End Platform 631

    Scenario 1: A New Endpoint Needs to Be Connected to the Network 639

    Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639

    Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641

    Docker Security 653

    Kubernetes Security and Best Practices 656

(C) Communications and Networking 658

(D) Fog Nodes 660

(E) End Devices or “Things” 666

Summary 667

References 667

Part IV Use Cases and Emerging Standards and Technologies

Chapter 14 Smart Cities 669

Use Cases Introduction 669

The Evolving Technology Landscape for IoT 670

The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672

Smart Cities 676

Smart Cities Overview 678

The IoT and Secure Orchestration Opportunity in Cities 688

Security in Smart Cities 693

Smart Cities Example Use Cases 696

    Use Case Automation Overview and High-Level Architecture 701

    Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702

    Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705

    Event-Based Video: Secure Data Pipeline and Information Exchange 709

    Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714

    Emergency Fleet Integration 718

    Automated Deployment of the Use Cases 721

Summary 725

References 727

Chapter 15 Industrial Environments: Oil and Gas 729

Industry Overview 733

The IoT and Secure Automation Opportunity in Oil and Gas 735

The Upstream Environment 738

    Overview, Technologies, and Architectures 739

    Digitization and New Business Needs 742

    Challenges 743

The Midstream Environment 744

    Overview, Technologies, and Architectures 744

    Digitization and New Business Needs 747

    Challenges 748

The Downstream and Processing Environments 749

    Overview, Technologies, and Architectures 749

    Digitization and New Business Needs 752

    Challenges 753

Security in Oil and Gas 754

Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763

    Use Case Overview 763

    Use Case Description 765

    Deploying the Use Case 767

    Preconfiguration Checklist 773

    Automated Deployment of the Use Cases 777

    Securing the Use Case 778

    Power of SGT as a CoA 781

    Auto-Quarantine Versus Manual Quarantine 782

    Leveraging Orchestrated Service Assurance to Monitor KPIs 783

Evolving Architectures to Meet New Use Case Requirements 788

Summary 792

References 794

Chapter 16 The Connected Car 797

Connected Car Overview 800

The IoT and Secure Automation Opportunity for Connected Cars 809

    The Evolving Car Architecture 824

Security for Connected Cars 830

    Connected Car Vulnerabilities and Security Considerations 838

Connected Car Security and Automation Use Case 849

    Use Case Overview 852

    Use Case Automation Overview 854

    Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855

    Secure Network: Segmentation, Zones, and Interzone Communication 857

    Secure Content: Intrusion Detection and Prevention 858

    Secure Intelligence: Secure Internet Access from the Vehicle 861

    The Future: Personalized Experience Based on Identity 862

    Federal Sigma VAMA: Emergency Fleet Solution 863

    Automated Deployment of the Use Case 867

Summary 871

References 871

Chapter 17 Evolving Concepts That Will Shape the Security Service Future 873

A Smarter, Coordinated Approach to IoT Security 876

Blockchain Overview 880

Blockchain for IoT Security 888

Machine Learning and Artificial Intelligence Overview 890

Machine Learning 893

Deep Learning 894

Natural Language Processing and Understanding 895

Neural Networks 896

Computer Vision 898

Affective Computing 898

Cognitive Computing 898

Contextual Awareness 899

Machine Learning and Artificial Intelligence for IoT Security 899

Summary 900

References 901

ISBN 9781587145032 (table of contents dated 4/25/2018)

Anthony Sabella, CCIE No. 5374, is the lead cybersecurity architect for the Enterprise Chief Technology Office at Cisco and has worked at Cisco for eight years. Anthony leads innovative work streams on methods to break free from manual tasks by applying the latest virtualization and orchestration techniques to cybersecurity. He combines this with machine learning concepts and the ingestion of intelligence feeds to design effective solutions that can self-manage and self-heal. Anthony applies these concepts across a variety of use cases, including financial institutions, healthcare, energy, and manufacturing (examples are included in this book).

Before joining Cisco, Anthony worked as principal engineer for a global service provider for 13 years, where he created cybersecurity solutions for enterprise customers. Anthony was also the cofounder and CTO for a technology consulting firm responsible for designing cybersecurity solutions for both commercial and enterprise customers. Anthony’s expertise has resulted in speaking engagements at major conferences around the world for both Cisco and its major partners. Anthony holds a master’s degree in computer science and an active CCIE, and he is a contributing member in the IEEE Cyber Security community.


Rik Irons-Mclean is the Industry Principal for Oil & Gas at Cisco. Rik has worked at Cisco for 11 years and has had lead roles in IoT/IIoT, communications and security for power utilities and process control industries, and energy management and optimization. He has led technical global teams in taking new products to market in all theaters, specializing in driving new technology adoption in both established and emerging markets. Before joining Cisco, he worked for a Cisco service provider partner for eight years, where he focused on converged solutions.

Rik has represented Cisco in a number of industry and standards bodies, including Open Process Automation, IEC 61850 for industrial communications, and IEC 62351 for industrial security. Additionally, he was elected the U.K. lead for Cigre SC D2 for communications and security in the power industry. Rik has written for a number of industry publications and authored whitepapers on such topics as industrial cybersecurity, IoT security, distributed industrial control systems, next-generation operational field telecoms, fog computing, and digital IoT fabric architectures.


Rik holds a bachelor of science degree and a master of business administration degree, focused on international leadership. He is currently studying for a doctorate in cybersecurity.

Marcelo Yannuzzi is a principal engineer at the Chief Strategy Office in Cisco. Marcelo leads strategic innovation in the areas of IoT, security, and novel architectures fusing cloud and fog computing. He has led flagship innovations across different industry verticals, some of which are outlined in this book. Marcelo also provides strategic advisory on new business opportunities and technologies for Cisco and start-ups.


Before joining Cisco, Marcelo was the head of the Advanced Network Architectures Lab at the Department of Computer Architecture in a Barcelona university. He was the cofounder and CTO of a start-up for which Cisco was the first customer. Marcelo is the author of more than 100 peer-reviewed publications, including papers in top journals and conferences in the areas of IoT, fog computing, security, NFV, software-defined systems (SDX), multilayer network management and control, sensor networks, and mobility. Marcelo has led several European research projects and industry contracts, and his research has been funded multiple times by Cisco. He is a frequent speaker and invited panelist at major conferences and forums. He previously held positions as an assistant professor in the physics department of a university's school of engineering.

Marcelo holds a bachelor’s degree in electrical engineering and both a master of science degree and a Ph.D. in computer science.
