This document discusses security considerations for M2M and IoT systems. It notes that security must be implemented holistically across the entire architecture, including at the device, communication, and application layers. PKI is recommended for authentication. The document outlines various threats and motivations for attackers. It then describes Eurotech's Everyware IoT security elements, which include X.509 certificate management, encrypted and authenticated messaging using MQTT, tenant segregation, secure access to interfaces and consoles, a secure execution environment on devices and platforms, and remote management using VPN. Auditing and penetration testing are also performed.
Eurotech IoT Security Elements
1. M2M / IoT Security
Eurotech's
Everyware IoT Security Elements
Overview
23 September 2015
Robert Andres
2. M2M / IoT Security
The confidentiality, integrity, and availability
of our customers’ data and IoT infrastructure
is of the utmost importance to Eurotech,
as is maintaining our customers’ trust and
confidence.
Security therefore is an important aspect of
everything we do…
Eurotech Security & Privacy Statement
3. M2M / IoT Security
Holistic Approach is required…
[Diagram: layers to be secured: M2M communication infrastructure; device firmware / application; business application; sensors & device hardware; business application integration]
• Every company / organization can be a target
• Security has to be a fundamental part of the overall architecture
• Security technology best practice has to take into account the specific
aspects of distributed, unattended, mobile systems / devices
• Security has to be implemented end-to-end and in the individual
elements
5. M2M / IoT Security
Attackers / Hackers: Targets
Quality, Performance, Availability, Reputation
• Service interruption & malfunction
• Manipulation of equipment, actuators
• Damage to image and financial results
Know-How, Intellectual Property
• Data
• Code
• Process information
Resources
• Systems / distributed systems
• Bandwidth
Attackers / Hackers: Profiles
• Hackers (white hat)
• Cracker (black hat, criminal)
• Script Kiddies
• Competitors
• Criminal Organizations
• Governments
Harm, Steal, Play
6. Everyware Security Architecture
Foundation for IoT Security
• Device has a validated identity
• IoT platform has a validated identity
• Mutual authentication for communication
• Encrypted and signed messages
• Secure execution environment (devices & IoT platform)
• Secure software management / distribution
• State-of-the art network & system security (firewall, hardening)
• Role based access control
• Secure management access
7. Everyware Security Architecture
Underlying Principles
• Build solutions based on open and industry standards
• Leveraging proven IT/enterprise/Internet class security technologies
and partnerships
• Including security, scalability and resiliency in design from day one
• Security technology best practice has to take into account the
specific aspects of distributed, unattended, mobile systems /
devices
• Security has to be implemented end-to-end and in the individual
elements
• Encapsulate the complexity of an end-to-end security solution
• Continuous testing and auditing
9. M2M / IoT Security
Strong Authentication / Trust Anchors / Verification
[Diagram: trust anchors and verification across things, gateways / smart devices, the IoT / OT platform, the application, and DNSSEC / DANE infrastructure]
10. M2M / IoT Security
Authentication: Alternatives
Many identification / authentication alternatives exist; not all of them are
suitable for M2M/IoT in terms of functionality, security level and
scalability:
• ID (just identification, no proof of anything)
• Username and Password
• Biometric solutions
• One-time Password
• API Key
• TPM based solutions
• Public Key Infrastructure (PKI)
PKI is widely recognized as one of the strongest authentication
mechanisms
11. M2M / IoT Security
Authentication: Public Key Infrastructure
PKI is widely recognized as one of the strongest authentication
mechanisms
• Trusted and well established technology
• High level of standardization and interoperability
• Very scalable
• Allows for mutual authentication
• Can be used for many applications, including:
  – Signing messages
  – Signing documents
  – Logon & authentication
• Certificates / keys in files and tokens
• CA / root of trust options
  – CA-Signed
  – Self-Signed Certificates
12. M2M / IoT Security
Certificate Based Authentication in Everyware Cloud
Everyware Cloud Authentication Foundation
• Integrated X.509 certificate management / PKI
• Individual certificates per device / service
• Foundation for using cryptographic methods most
effectively
• Based on industry and open standards
13. The Eurotech IoT Approach : E2E
Security Aspects Overview
[Diagram: application infrastructure / application layer, communication infrastructure, field infrastructure, M2M integration platform, MQTT client, device HW, APIs, communication channels / sessions]
M2M/IoT Integration Platform
- Deployment options / infrastructure
- SW architecture and elements
Communication channels / sessions
- SSL/TLS
- Pairing
Infrastructure security aspects
- SIM card management
Multi-Service Gateway
- Hardware
- SW architecture and elements
Field technology, protocols, communication
All levels:
- Authentication / root of trust
- Integrity / hardening of solution
- Efficiency (unattended, distributed)
- Best practice processes
Security Assessment, Testing and Validation (3rd party)
14. EDC Security
Overview (Everyware Cloud, Public Cloud Offering)
• Secure Transmission of Data. All MQTT traffic is encrypted over an SSL connection.
All Console access is exclusively available over an encrypted HTTPS connection. All
REST API access is exclusively available over an encrypted HTTPS connection.
• Physical Access to Data. AWS’s data centers are state of the art, utilizing innovative
architectural and engineering approaches.
• Logical Access to Data Store. All databases are protected through strict firewall
rules from external access and they are only accessible from the mid-tier machines. In
the database, data is segregated by account through a unique tenant Id. At the MQTT
broker, broker data and traffic is segregated between accounts using virtual machine
segregation.
15. EDC Security
Overview (Everyware Cloud, Public Cloud Offering)
• Identity and Access Management. Confidentiality and integrity are ensured through
a role based access control model and access control lists which follow the Principle of
Least Privilege and are enforced through all the layers of the architecture. Each
account manages a list of users and controls the users’ credentials. Everyware Cloud
has a configurable lockout policy per account, which may block a user’s credentials
after a certain number of failed login attempts. Logins to Everyware Console can be
further protected through the use of Two Factor Authentication (2FA). Everyware
Cloud supports individual device certificate based authentication, which also
accommodates customer managed PKI solutions.
• Vulnerability Management. An independent certified security firm performs remote
vulnerability assessments, including network/host and applications. Eurotech
ensures internal and external vulnerability scanning is conducted quarterly and after
any major changes to the environment, remediates any critical security issues
found within a reasonable time frame, and reports the results of the remediation.
16. The Eurotech IoT Approach : E2E
Overview
[Diagram: end-to-end overview. Field infrastructure: sensors, HMIs, actuators; device, gateway, OS, security, device application framework, certifications; optimum M2M / IoT protocols.
Communication infrastructure: SIM card & communication infrastructure management.
Application infrastructure: aggregators & on-premise platforms; M2M integration / application enablement / device and application management platform (public cloud, private cloud, aPaaS, SaaS); enterprise applications and enterprise IT (big data, databases, analytics, mining, CEP, ERP, CRM, ...)]
17. The M2M Integration Platform
Remote Access / VPN
[Diagram: M2M integration platform with an always-on MQTT channel and an on-demand VPN through a VPN server, giving control center applications alerts and remote access to devices]
18. An Introduction to EDC Security –
Upcoming Versions of EC & ESF
Everyware Device Cloud - Security
19. EDC Security Elements
Integrated Certificate Management / PKI
• Certificate Management
– Dedicated administrative web panel
– Standard X.509 certificate format
– Certificate chain support
– Certificate validation and export functionality
– Trusted message server signed digest over MQTT
– EDC jobs to provision, renew and revoke certificates
Ensures:
• Integrity
• Authenticity
• Non-repudiation of origin
20. EDC Security Elements
Secure Messaging / MQTT
• All MQTT traffic is encrypted over an SSL connection.
• Data messages go through a defined serialization step: the payload must be
serialized before transmission with the same protocol (format) that the
receiver (subscriber) uses to de-serialize it.
• Device Management Messages published by EC are signed to
guarantee authenticity and message integrity.
21. EDC Security Elements
Tenant Segregation
• Secure multi-tenant implementation
• At the MQTT broker, broker data and traffic is segregated between
accounts using virtual machine segregation
• All data (telemetry, device events, …) are archived in a Big Data (NoSQL)
database and kept isolated using a Virtual Private DB
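Slide 15 describes role based access control and access control lists enforced under least privilege, and this slide describes keeping broker traffic segregated between accounts. As an added example, not code from the page or from Eurotech, here is a broker-side authorization check that refuses cross-tenant topic access and applies a per-role permission set; the `<account>/<client_id>/...` topic layout and the role names are assumptions made for the illustration.

```python
# Added example (not Eurotech code): broker-side tenant segregation and
# least-privilege authorization for MQTT publish/subscribe requests.
# The "<account>/<client_id>/..." topic layout and the role model are assumed.
from dataclasses import dataclass
from typing import Dict, Set

# Operations each role may perform (assumed role model).
ROLE_PERMS: Dict[str, Set[str]] = {
    "device": {"publish", "subscribe"},   # gateway sending telemetry / receiving commands
    "app":    {"subscribe"},              # application that only consumes data
    "admin":  {"publish", "subscribe"},   # account administrator
}


@dataclass(frozen=True)
class Principal:
    account: str     # tenant id established when the client authenticated (e.g. X.509)
    client_id: str
    role: str


def topic_account(topic: str) -> str:
    """Return the tenant segment of a topic, or '' if the topic is malformed."""
    parts = topic.split("/")
    return parts[0] if len(parts) >= 2 and all(parts) else ""


def authorize(p: Principal, op: str, topic: str) -> bool:
    """True only if the role permits the operation AND the topic lies inside
    the principal's own account namespace; everything else is refused."""
    if op not in ROLE_PERMS.get(p.role, set()):
        return False                                   # unknown role or op not granted
    first = topic.split("/")[0]
    if "#" in first or "+" in first:
        return False                                   # wildcard in tenant segment: deny
    if topic_account(topic) != p.account:
        return False                                   # cross-tenant access: deny
    if p.role == "device" and op == "publish":
        # A device may only publish under its own client_id subtree.
        return topic.split("/")[1] == p.client_id
    return True
```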
22. EDC Security Elements
Access to Console over encrypted HTTPS only
• Enforced strong passwords (complex passwords at least 12 characters long)
• Passwords stored only in one-way (hashed) form
• Configurable lock-out policy per account
• Option: Two factor authentication based on a one-time password
via QR code on a mobile phone + username & password
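As an added illustration, not code from the page or from Eurotech, the first three console controls above in one small account store: a 12-character complexity rule, salted one-way hashing, and a per-account lockout threshold. The PBKDF2 iteration count, the character classes required, and the default threshold are assumptions.

```python
# Added example (not Eurotech code): account store illustrating the three console
# controls above: 12-char complexity rule, one-way salted hashing, per-account lockout.
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000   # iteration count is an assumed value for this demo

def password_meets_policy(pw: str) -> bool:
    """At least 12 chars with lower, upper, digit and symbol (classes assumed)."""
    return (len(pw) >= 12
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way transform: only the salt and digest are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

class Account:
    """One tenant account with its own users and its own lockout policy."""
    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures             # configurable per account
        self._users: Dict[str, List] = {}            # name -> [salt, digest, failures, locked]

    def add_user(self, name: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet the 12-character complexity policy")
        salt, digest = hash_password(pw)
        self._users[name] = [salt, digest, 0, False]

    def login(self, name: str, pw: str) -> bool:
        """True only for a correct password on an existing, unlocked user."""
        rec = self._users.get(name)
        if rec is None or rec[3]:
            return False                             # unknown user or locked out
        _, candidate = hash_password(pw, rec[0])
        if hmac.compare_digest(candidate, rec[1]):   # constant-time comparison
            rec[2] = 0                               # reset the failure counter
            return True
        rec[2] += 1
        if rec[2] >= self.max_failures:
            rec[3] = True                            # locked until an admin unlocks
        return False
```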
23. EDC Security Elements
Secure Programmable Interfaces
• Programmable interfaces (REST API, WEBSOCKETS)
available exclusively over an encrypted HTTPS connection
24. EDC Security Elements
Firewall Protection and reduced “attack footprint”
• The MQTT connection is always initiated by the gateway and remains always
open. The opening session is an outbound MQTT connection from the local
area network, possibly behind the firewall, towards Everyware Cloud.
• At all points, only a minimal number of open ports (MQTT, HTTPS, SSL, VPN)
• All databases in Everyware Cloud are protected through strict firewall rules
from external access and they are only accessible from the mid-tier machines.
• Devices are firewall protected
27. EDC Security Elements
Remote Management / VPN
• Secure administrator initiated transparent IP connection
between remote systems and devices in the field
• Gateways behind firewalls can be reached
• IP addressing conflicts do not prevent or complicate the
establishment of connections
• Uses the established MQTT channel to initiate the VPN
connection from the remote device (OpenVPN, soon IPsec)
28. EDC Security Elements
Auditing / Penetration Testing
• Eurotech regularly performs vulnerability assessments (covering, for
example, code injection, cross-site request forgery and credential theft),
including network/host and applications.
• Eurotech ensures internal and external vulnerability scanning is
conducted periodically and after any major changes to the environment
29. EDC Security
Overview (Subset, Examples) EC 4.0
Device to Cloud to Application Security Architecture
• X.509 Certificate based authentication
• Integrated PKI / Certificate management
Security “in the Cloud” (IoT / OT Platform)
• Allowed traffic is secure and authenticated
• Application / Interface servers: no ports open other than 443 (HTTPS)
• Secure cloud infrastructure
• Signed Code / secure execution environment
Securing Device to Cloud (Communication Security)
• Allowed traffic is secure and authenticated
• Broker / infrastructure / perimeter defense
– Firewalling
– All in-bound ports other than Broker ports are closed
• Everyware VPN service
Securing the Device
• Firewall
• OSGi / Signed Code / secure execution environment
• Secure Boot
[Diagram: device execution stack layers: hardware, Linux, Java VM, code]