Cisco Networking Academy IoT Security 1.1 - Chapter 2: IoT Systems and Architectures
Data Abstraction
(Aggregation and access) Level 5 of the IoT Reference Model. Focused on rendering the data and its storage in ways that enable application development.
Connectivity
(Communication and processing units) Level 2 of the IoT Reference Model. Responsible for reliable and timely data transmission between devices and the network, across networks, and between the network and data processing in Level 3.
Edge (Fog) Computing
(Data element analysis and transformation) Level 3 of the IoT Reference Model. Converts the data into information that is suitable for storage and higher-level processing.
Collaboration & Processes
(Involving people and business processes) Level 7 of the IoT Reference Model. Transcends multiple applications to include the communication and collaboration required between people and business processes.
Physical Devices & Controllers
(The "Things" of IoT) Level 1 of the IoT Reference Model. Includes a wide range of endpoint devices that send and receive information.
Application
(reporting, analytics, control) Level 6 of the IoT Reference Model. Information interpretation based on the nature of the device data and business needs.
Data Accumulation
(storage) Level 4 of the IoT Reference Model. Data in motion is converted to data at rest. The data is also transformed so that it can be consumed by upper levels.
Benefits of Layered Models
- Assist in protocol design - Foster competition because products from different vendors can work together - Prevent technology or capability changes in one layer from affecting other layers above and below - Provide a common language to describe networking functions and capabilities.
IoT Reference Model
7-level model to guide and accelerate IoT deployments. Provides common terminology and helps clarify how information flows and is processed, for a unified IoT industry.
OSI Model
Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP Model
Application, Transport, Internet, and Network Access
Internet of Things - Architecture (IoT-A)
Commonly referred to as IoT-A, this model is more formally known as the Architectural Reference Model (ARM) for the Internet of Things. Maintained by the IoT Forum.
Network Access Layer (TCP/IP)
Controls the hardware devices and media that make up the network. Equivalent to the physical and data link layers of the OSI model.
ETSI Model
Created by the European Telecommunications Standards Institute. An architecture for machine-to-machine (M2M) communications that provides a common framework for understanding the placement of various standards and protocols in an IoT system. Contains 3 domains.
Industrial Internet Reference Architecture (IIRA)
Created by the Industrial Internet Consortium (IIC). A standards-based framework used by systems architects to design industrial systems.
Internet Layer
Determines the best path through the network.
System-Wide IoT Security Requirements
Ensure data privacy (at a minimum, personally identifiable information); minimize the attack surface; log critical events; provide at least minimal security operations support (at a minimum, monitor systems for security incidents, address new vulnerabilities, and investigate security breaches).
Availability
Ensures information can be accessed when it is required. Also means that devices cannot be damaged or tampered with.
RPL
Found in the simplified Communication Layer and the Internet Layer of the TCP/IP model. This is the Routing Protocol for Low-Power and Lossy Networks, which uses IPv6. Lossy networks are classified as those with devices that typically have high loss rates, low data rates, and instability.
6LoWPAN
Found in the simplified Communication Layer, crossing into the simplified Device Layer; in the TCP/IP model, found in the Internet Layer and crossing into the Network Access Layer. This is an Internet Engineering Task Force (IETF) standard for IPv6 over Low-power Wireless Personal Area Networks that provides a way for IPv6 to conform to the IEEE 802.15.4 standard.
IPv6
Found in the simplified Communication Layer and in the Internet Layer of the TCP/IP model. 128-bit address space, 340 undecillion addresses.
Transport Control Protocol (TCP)
Found in the simplified Communication Layer and the Transport Layer of the TCP/IP model. This is a reliable transport protocol that guarantees data delivery through a system of synchronization and acknowledgement messages.
UDP
Found in the simplified Communication Layer and the Transport Layer of the TCP/IP model. An unreliable protocol with no mechanism for guaranteed data delivery.
Thread
Found in the simplified Communication Layer, works across the Transport and Internet Layers of the TCP/IP model. This is a standard for home automation that uses Internet Protocol version 6 (IPv6) for routing on top of an IEEE 802.15.4 wireless network.
IEEE 802.15.4
Found in the simplified Device Layer and the Network Access Layer of the TCP/IP model. This is the Institute of Electrical and Electronics Engineers standard for low-rate wireless personal area networks (LR-WPANs) that is meant to be used by low-cost, low-speed devices.
CIA Triad
Guides the fundamental requirements of a cybersecurity operation. Confidentiality, Integrity, Availability
List 6 standards or protocols in the simplified device layer
IEEE 802.15.4, BLE, Wi-Fi, NFC, Cellular, (LoRaWAN/Sigfox/NB-IoT)
Purdue Model for Control Hierarchy
IoT model used in the manufacturing industry that segments devices and equipment into hierarchical functions. Enterprise Zone: Enterprise Network (Level 5), Site Business Planning and Logistics Network (Level 4); Demilitarized Zone; Manufacturing Zone: Site Manufacturing Operations and Control (Level 3), Area Supervisory Control (Level 2), Basic Control (Level 1), Process (Level 0); Safety Zone: Safety-Critical.
Message Queuing Telemetry Transport (MQTT)
Lightweight publish and subscribe messaging protocol in the APPLICATION LAYER designed for resource-constrained devices that use TCP.
LoRaWAN, Sigfox, NB-IoT
Low-power wide area network (LPWAN) protocols designed to carry small data payloads over long distances at low transfer rates.
Application IoT Security Requirements
No default or weak credentials; secure web interfaces (credentials secured).
Integrity
Prevents improper addition, modification, or disclosure of data and information. A hash of the data should be tamper-proof. Access controls are also in place to protect stored data.
Application Layer (TCP/IP)
Represents data to the user and controls dialogs.
DREAD
Risk assessment tool used to rate threats discovered in the STRIDE process: Damage + Reproducibility + Exploitability + Affected users + Discoverability.
HyperText Transfer Protocol (HTTP/HTTPS)
Robust APPLICATION PROTOCOL for getting and posting data.
Communication IoT Security Requirement
Secure communications (prevent interception and falsification, verify authentic sources).
Device IoT Security Requirements
Secure boot and system integrity (TPM for hardware components); hardened and secure system (remove unnecessary network services); secure firmware and operating system updates.
IoT Simplified Model
Similar to the ETSI M2M standardized architecture, with each domain mapped to the Application, Communication, and Device functional layers. The corresponding data management layers are Cloud, Fog, and Mist. IoT security permeates all layers.
Identify Security Objectives categories
Step 1 of the Threat Modelling Process for Vulnerability Assessment. Categories: Identity (evidence for who/what accesses what); Financial (risks); Reputation; Privacy and Regulation (irrigation sensor vs. fitness device); Availability Guarantees (tolerance for downtime); Safety (physical welfare).
Document the IoT System Architecture
Step 2 of the Threat Modelling Process for Vulnerability Assessment. Document the components in the Communication and Device layers, the flow of data, and the technologies, protocols, and standards used.
Decompose the IoT System
Step 3 of the Threat Modelling Process for Vulnerability Assessment. Use the information from step 2 to identify trust boundaries, entry points, sensitive data, and secure resources; examine input validation, authentication, authorization, and configuration.
Identify and Rate Threats
Step 4 of the Threat Modelling Process for Vulnerability Assessment. Uses STRIDE and DREAD.
Recommend Mitigation Techniques and Technologies
Step 5 of the Threat Modelling Process for Vulnerability Assessment.
Network Layer
The OSI layer that addresses data packets, routes the packets from a source to a destination through the network, and ensures the delivery of those packets. Provides a data path or route.
Network Domain
The domain of the ETSI model where data exists on the local network and is transported to the Application Domain using wired and wireless protocols, such as Multiprotocol Label Switching (MPLS), Long-Term Evolution (LTE), and Worldwide Interoperability for Microwave Access (WiMAX).
Application Domain
The domain of the ETSI model where management functions can occur such as data analytics, connectivity management, smart energy management, fleet management, or any application that consumes the data from IoT devices.
Session Layer
The fifth layer in the OSI model. This layer establishes and maintains communication between two nodes on the network. It can be considered the "traffic cop" for network communications.
Physical Layer
The lowest, or first, layer of the OSI model. Protocols in this layer generate and detect signals so as to transmit and receive data over a network medium. These protocols also set the data transmission rate and monitor data error rates, but do not provide error correction.
Data Link Layer
The second layer in the OSI model. This layer bridges the networking media with the Network layer. Its primary function is to divide the data it receives from the Network layer into frames that can then be transmitted by the Physical layer.
Presentation Layer
The sixth layer of the OSI model. Protocols in the Presentation layer translate between the application and the network. Here, data are formatted in a schema that the network can understand, with the format varying according to the type of network used. The Presentation layer also manages data encryption and decryption, such as the scrambling of system passwords.
Zigbee
This includes a suite of protocols and uses low-power digital radios based on the IEEE 802.15.4 wireless standard. It includes protocols at the Application and Communication layers, but mostly at the APPLICATION LAYER.
M2M Device Domain
This is where end devices, such as sensors, actuators, and controllers, connect to the network through M2M gateways using various protocols, such as IEEE 802.15.4 and Bluetooth.
Confidentiality
This requirement maintains control over information access and disclosure. Transmitted and stored data is encrypted for privacy.
List 6 standards or protocols in the simplified communication layer
Thread, TCP, UDP, RPL, IPv6, 6LoWPAN
STRIDE
Used in vulnerability assessment to identify threats: Spoofing Identity, Tampering with Data, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
List 4 Protocols and/or Standards at Application Layer of the simplified IoT Model
Zigbee, HTTP/HTTPS, MQTT, CoAP
Constrained Application Protocol (CoAP)
A specialized APPLICATION PROTOCOL designed for transmission of data by constrained devices on M2M networks.
Security in the IoT Reference Model
Permeates all levels in the IoT Reference Model.
Application Layer (OSI)
Provides a wide variety of applications with the ability to access the services of the lower layers. Provides a user interface for displaying received information to the user. Contains protocols used for process-to-process communications.
Transport Layer (TCP/IP)
Provides reliable communications for multiple simultaneous sessions.
Transport Layer (OSI)
Responsible for providing communication with the application by acknowledging and sequencing the packets to and from the application. Segments, transfers, and reassembles data.
Wi-Fi
Simplified model: Device layer. TCP/IP model: Network Access layer. This is a collection of IEEE 802.11 standards for wireless local area networks (WLANs) that operate in the 2.4 GHz and 5 GHz frequencies.
NFC
Simplified model: Device layer. TCP/IP model: Network Access layer. This is a collection of protocols for device-to-device communications when the devices are very close to one another (within 4 cm or 1.6 inches).
Bluetooth Low Energy (BLE)
Simplified model: Device layer. TCP/IP model: Network Access layer. This is a wireless personal area network (WPAN) protocol that uses the 2.4 GHz radio frequency. The LE version provides much-reduced power consumption without sacrificing range.
Cellular
Simplified model: Device layer, crossing into the Communication layer. TCP/IP model: Network Access layer, crossing into the Internet layer and bridging to the Transport layer. This includes all the cellular technologies covered by the 3rd Generation Partnership Project (3GPP), such as 4th generation (4G), LTE, and 5th generation (5G).
Threat Modeling Process for Vulnerability Assessment
Step 1: Identify Security Objectives; Step 2: Document the IoT System Architecture; Step 3: Decompose the IoT System; Step 4: Identify and Rate Threats; Step 5: Recommend Mitigation Techniques and Technologies.
OWASP Top security vulnerabilities
Weak passwords; insecure network services; insecure ecosystem interfaces (API, cloud).
