Orchestrating and Automating Security for the Internet of Things Delivering Advanced Security Capabilities from Edge to Cloud for IoT

Master powerful techniques and approaches for securing IoT systems of all kinds?current and emerging

Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards.

The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You?ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples.

This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them.

· Understand the challenges involved in securing current IoT networks and architectures

· Master IoT security fundamentals, standards, and modern best practices

· Systematically plan for IoT security

· Leverage Software-Defined Networking (SDN) and Network Function Virtualization (NFV) to harden IoT networks

· Deploy the advanced IoT platform, and use MANO to manage and orchestrate virtualized network functions

· Implement platform security services including identity, authentication, authorization, and accounting

· Detect threats and protect data in IoT environments

· Secure IoT in the context of remote access and VPNs

· Safeguard the IoT platform itself

· Explore use cases ranging from smart cities and advanced energy systems to the connected car

· Preview evolving concepts that will shape the future of IoT security

Foreword xxvii

Introduction xxix

Part I Introduction to the Internet of Things (IoT) and IoT Security

Chapter 1 Evolution of the Internet of Things (IoT) 1

Defining the Internet of Things 2

Making Technology and Architectural Decisions 5

Is the Internet of Things Really So Vulnerable? 8

Summary 9

References 10

Chapter 2 Planning for IoT Security 11

The Attack Continuum 11

The IoT System and Security Development Lifecycle 13

Phase 1: Initiation 15

Phase 2: Acquisition and Development 15

Phase 3: Implementation 16

Phase 4: Operations and Maintenance 17

Phase 5: Disposition 17

The End-to-End Considerations 17

Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21

Segmentation 21

New Approach 25

Summary 30

References 30

Chapter 3 IoT Security Fundamentals 31

The Building Blocks of IoT 31

The IoT Hierarchy 35

Primary Attack Targets 37

Layered Security Tiers 43

Summary 46

References 47

Chapter 4 IoT and Security Standards and Best Practices 49

Today’s Standard Is No Standard 49

Defining Standards 53

The Challenge with Standardization 56

IoT “Standards” and “Guidance” Landscape 58

Architectural or Reference Standards 59

Industrial/Market Focused 61

Standards for NFV, SDN, and Data Modeling for Services 63

Data Modeling and Services 67

Communication Protocols for IoT 70

Physical and MAC Layers 73

Network Layer 73

Transport Layer 74

Application Layer 74

Specific Security Standards and Guidelines 75

Summary 79

References 80

Chapter 5 Current IoT Architecture Design and Challenges 83

What, Why, and Where? A Summary 85

Approaches to IoT Architecture Design 88

An X-Centric Approach 91

The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98

The Information-Centric IoT Approach 100

The Data-Centric IoT Approach 104

System Viewpoint: A Cloudy Perspective 106

Middleware 118

Lambda Architecture 119

Full IoT Stack/Universal 120

General Approaches 120

Internet of Things Architecture Reference Architecture (IoT-A RA) 120

ITU-T Y.2060 125

IoT World Forum (IoTWF) Reference Model 126

oneM2M Reference Architecture 129

IEEE P2413 IoT Architecture 132

The OpenFog Consortium Reference Architecture 133

Alliance for the Internet of Things Innovation (AIOTI) 138

Cloud Customer Architecture for IoT 140

Open Connectivity Foundation and IoTivity 142

Industrial/Market Focused 144

The Industrial Internet Consortium (IIC) 144

Industry 4.0 148

OPC Unified Architecture (OPC UA) 150

Cisco and Rockwell Automation Converged Plantwide Ethernet 153

Cisco Smart Grid Reference Model: GridBlocks 153

NFV- and SDN-Based Architectures for IoT 154

Approaches to IoT Security Architecture 156

Purdue Model of Control Hierarchy Reference Model 157

Industrial Internet Security Framework (IISF) IIC Reference Architecture 160

Cloud Security Alliance Security Guidance for IoT 165

Open Web Application Security Project (OWASP) 168

Cisco IoT Security Framework 168

The IoT Platform Design of Today 172

Security for IoT Platforms and Solutions 178

Challenges with Today’s Designs: The Future for IoT Platforms 179

Summary 183

References 183

Part II Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT

Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185

A Bit of History on SDX and NFV and Their Interplay 185

Software-Defined Networking 188

OpenFlow 192

Open Virtual Switch 195

Vector Packet Processing 198

Programming Protocol-Independent Packet Processors (P4) 201

OpenDaylight 203

Extending the Concept of Software-Defined Networks 212

Network Functions Virtualization 217

Virtual Network Functions and Forwarding Graphs 221

ETSI NFV Management and Orchestration (MANO) 225

The Impact of SDX and NFV in IoT and Fog Computing 235

Summary 248

References 249

Chapter 7 Securing SDN and NFV Environments 251

Security Considerations for the SDN Landscape 251

1: Securing the Controller 252

2: Securing Controller Southbound Communications 256

3: Securing the Infrastructure Planes 260

4: Securing Controller Northbound Communications 263

5: Securing Management and Orchestration 268

6: Securing Applications and Services 270

Security Considerations for the NFV Landscape 272

NFV Threat Landscape 273

Secure Boot 274

Secure Crash 275

Private Keys Within Cloned Images 276

Performance Isolation 278

Tenant/User Authentication, Authorization, and Accounting (AAA) 279

Authenticated Time Service 281

Back Doors with Test and Monitor Functions 281

Multi-administrator Isolation 282

Single Root I/O Virtualization (SRIOV) 283

SRIOV Security Concerns 285

Summary 285

References 285

Chapter 8 The Advanced IoT Platform and MANO 287

Next-Generation IoT Platforms: What the Research Says 287

Next-Generation IoT Platform Overview 291

Platform Architecture 294

Platform Building Blocks 295

Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303

Example Use Case Walkthrough 308

Event-Based Video and Security Use Case 309

Summary 321

References 321

Part III Security Services: For the Platform, by the Platform

Chapter 9 Identity, Authentication, Authorization, and Accounting 323

Introduction to Identity and Access Management for the IoT 324

Device Provisioning and Access Control Building Blocks 326

Naming Conventions to Establish “Uniqueness” 327

Secure Bootstrap 328

Immutable Identity 328

Bootstrapping Remote Secure Key Infrastructures 329

Device Registration and Profile Provisioning 330

Provisioning Example Using AWS IoT 331

Provisioning Example Using Cisco Systems Identity Services Engine 334

Access Control 336

Identifying Devices 336

Endpoint Profiling 337

Profiling Using ISE 337

Device Sensor 340

Methods to Gain Identity from Constrained Devices 345

Energy Limitations 346

Strategy for Using Power for Communication 347

Leveraging Standard IoT Protocols to Identify Constrained Devices 348

Authentication Methods 351

Certificates 351

Trust Stores 355

Revocation Support 356

SSL Pinning 357

Passwords 357

Limitations for Constrained Devices 358

Biometrics 359

AAA and RADIUS 361

A/V Pairs 362

802.1X 363

MAC Address Bypass 365

Flexible Authentication 366

Dynamic Authorization Privileges 367

Cisco Identity Services Engine and TrustSec 368

RADIUS Change of Authorization 368

Access Control Lists 374

TrustSec and Security Group Tags 376

TrustSec Enablement 379

SGACL 384

Manufacturer Usage Description 390

Finding a Policy 390

Policy Types 390

The MUD Model 392

AWS Policy-based Authorization with IAM 394

Amazon Cognito 395

AWS Use of IAM 395

Policy-based Authorization 395

Accounting 397

How Does Accounting Relate to Security? 398

Using a Guideline to Create an Accounting Framework 398

Meeting User Accounting Requirements 400

Scaling IoT Identity and Access Management with Federation Approaches 402

IoT IAM Requirements 403

OAuth 2.0 and OpenID Connect 1.0 404

OAuth 2.0 404

OpenID Connect 1.0 405

OAuth2.0 and OpenID Connect Example for IoT 405

Cloud to Cloud 406

Native Applications to the Cloud 408

Device to Device 409

Evolving Concepts: Need for Identity Relationship Management 411

Summary 414

References 415

Chapter 10 Threat Defense 417

Centralized and Distributed Deployment Options for Security Services 418

Centralized 418

Distributed 420

Hybrid 422

Fundamental Network Firewall Technologies 422

ASAv 423

NGFWv 423

Network Address Translation 424

Overlapping 425

Overloading or Port Address Translation 425

Packet Filtering 426

Industrial Protocols and the Need for Deeper Packet Inspection 428

Common Industrial Protocol 428

Lack of Security 429

Potential Solutions: Not Good Enough 430

Alternative Solution: Deep Packet Inspection 430

Sanity Check 431

User Definable 432

Applying the Filter 432

Application Visibility and Control 433

Industrial Communication Protocol Example 435

MODBUS Application Filter Example 436

Intrusion Detection System and Intrusion Prevention System 437

IPS 438

Pattern Matching 438

Protocol Analysis 439

IDS/IPS Weakness 439

Advanced Persistent Threats and Behavioral Analysis 440

Behavior Analysis Solutions 441

Protocols Used to Gain Additional Visibility 442

Network as a Sensor 444

Pairing with Contextual Information and Adaptive Network Control 446

Encrypted Traffic Analytics 450

Malware Protection and Global Threat Intelligence 455

Cisco Advanced Malware Protection and TALOS 456

DNS-Based Security 462

Umbrella (DNS Security + Intelligent Proxy) 463

Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466

ETSI MANO Components in the Use Case 468

VMs (Services) Being Instantiated in the Use Case 469

Use Case Explanation 469

Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486

Solution Components 487

NFVIS 488

Orchestration 490

vBranch Function Pack 490

Summary 495

References 495

Chapter 11 Data Protection in IoT 499

Data Lifecycle in IoT 507

Data at Rest 518

Data Warehouses 521

Data Lakes 522

Data in Use 524

Data on the Move 527

Protecting Data in IoT 531

Data Plane Protection in IoT 531

Protecting Management Plane Data in IoT 565

Protecting Control Plane Data 566

Considerations When Planning for Data Protection 567

Summary 573

References 574

Chapter 12 Remote Access and Virtual Private Networks (VPN) 575

Virtual Private Network Primer 575

Focus for This Chapter 576

Site-to-Site IPsec VPN 576

IPsec Overview 577

IKEv1 Phase 1 579

IKEv1 Phase 2 582

Internet Key Exchange Protocol Version 2 584

Benefits of IKEv2 over IKEv1 586

Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588

IPsec Databases 589

Use Case: IKE/IPsec Within the NSF 589

Interface Requirements 590

Applying SDN-Based IPsec to IoT 592

Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592

Software-Based Extranet Using Orchestration and NFV 594

Traditional Approach 594

Automating Extranet Using Orchestration Techniques and NFV 595

Software-Based Extranet Use Case 597

Remote Access VPN 598

SSL-Based Remote Access VPN 598

Reverse Proxy 599

Clientless and Thin Client VPN 599

Client Based: Cisco AnyConnect Secure Mobility Client 611

Modules 612

Using AnyConnect in Manufacturing: Use Case Example 617

Summary 622

References 622

Chapter 13 Securing the Platform Itself 625

(A) Visualization Dashboards and Multitenancy 627

(B) Back-End Platform 631

Scenario 1: A New Endpoint Needs to Be Connected to the Network 639

Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639

Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641

Docker Security 653

Kubernetes Security and Best Practices 656

(C) Communications and Networking 658

(D) Fog Nodes 660

(E) End Devices or “Things” 666

Summary 667

References 667

Part IV Use Cases and Emerging Standards and Technologies

Chapter 14 Smart Cities 669

Use Cases Introduction 669

The Evolving Technology Landscape for IoT 670

The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672

Smart Cities 676

Smart Cities Overview 678

The IoT and Secure Orchestration Opportunity in Cities 688

Security in Smart Cities 693

Smart Cities Example Use Cases 696

Use Case Automation Overview and High-Level Architecture 701

Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702

Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705

Event-Based Video: Secure Data Pipeline and Information Exchange 709

Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714

Emergency Fleet Integration 718

Automated Deployment of the Use Cases 721

Summary 725

References 727

Chapter 15 Industrial Environments: Oil and Gas 729

Industry Overview 733

The IoT and Secure Automation Opportunity in Oil and Gas 735

The Upstream Environment 738

Overview, Technologies, and Architectures 739

Digitization and New Business Needs 742

Challenges 743

The Midstream Environment 744

Overview, Technologies, and Architectures 744

Digitization and New Business Needs 747

Challenges 748

The Downstream and Processing Environments 749

Overview, Technologies, and Architectures 749

Digitization and New Business Needs 752

Challenges 753

Security in Oil and Gas 754

Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763

Use Case Overview 763

Use Case Description 765

Deploying the Use Case 767

Preconfiguration Checklist 773

Automated Deployment of the Use Cases 777

Securing the Use Case 778

Power of SGT as a CoA 781

Auto-Quarantine Versus Manual Quarantine 782

Leveraging Orchestrated Service Assurance to Monitor KPIs 783

Evolving Architectures to Meet New Use Case Requirements 788

Summary 792

References 794

Chapter 16 The Connected Car 797

Connected Car Overview 800

The IoT and Secure Automation Opportunity for Connected Cars 809

The Evolving Car Architecture 824

Security for Connected Cars 830

Connected Car Vulnerabilities and Security Considerations 838

Connected Car Security and Automation Use Case 849

Use Case Overview 852

Use Case Automation Overview 854

Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855

Secure Network: Segmentation, Zones, and Interzone Communication 857

Secure Content: Intrusion Detection and Prevention 858

Secure Intelligence: Secure Internet Access from the Vehicle 861

The Future: Personalized Experience Based on Identity 862

Federal Sigma VAMA: Emergency Fleet Solution 863

Automated Deployment of the Use Case 867

Summary 871

References 871

Chapter 17 Evolving Concepts That Will Shape the Security Service Future 873

A Smarter, Coordinated Approach to IoT Security 876

Blockchain Overview 880

Blockchain for IoT Security 888

Machine Learning and Artificial Intelligence Overview 890

Machine Learning 893

Deep Learning 894

Natural Language Processing and Understanding 895

Neural Networks 896

Computer Vision 898

Affective Computing 898

Cognitive Computing 898

Contextual Awareness 899

Machine Learning and Artificial Intelligence for IoT Security 899

Summary 900

References 901

9781587145032 TOC 4/25/2018

Anthony Sabella, CCIE No. 5374, is the lead cybersecurity architect for the Enterprise Chief Technology Office at Cisco and has worked at Cisco for eight years. Anthony leads innovative work streams on methods to break free from manual tasks by applying the latest virtualization and orchestration techniques to cybersecurity. He combines this with machine learning concepts and the ingestion of intelligence feeds, to design effective solutions that can self-manage and self-heal. Anthony applies these concepts across a variety of use cases, including financial institutions, healthcare, energy, and manufacturing (examples included in this book).

Before joining Cisco, Anthony worked as principal engineer for a global service provider for 13 years, where he created cybersecurity solutions for enterprise customers. Anthony was also the cofounder and CTO for a technology consulting firm responsible for designing cybersecurity solutions for both commercial and enterprise customers. Anthony’s expertise has resulted in speaking engagements at major conferences around the world for both Cisco and its major partners. Anthony holds a master’s degree in computer science and an active CCIE, and he is a contributing member in the IEEE Cyber Security community.

Rik Irons-Mclean is the Industry Principal for Oil & Gas at Cisco. Rik has worked at Cisco for 11 years and has had lead roles in IoT/IIoT, communications and security for power utilities and process control industries, and energy management and optimization. He has led technical global teams in taking new products to market in all theaters, specializing in driving new technology adoption in both established and emerging markets. Before joining Cisco, he worked for a Cisco service provider partner for eight years, where he focused on converged solutions.

Rik has represented Cisco in a number of industry and standards bodies, including Open Process Automation, IEC 6185