Orchestrating and Automating Security for the Internet of Things
International Edition


About the Book

Master powerful techniques and approaches for securing IoT systems of all kinds, current and emerging. Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards. The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You’ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples. This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them.

  • Understand the challenges involved in securing current IoT networks and architectures
  • Master IoT security fundamentals, standards, and modern best practices
  • Systematically plan for IoT security
  • Leverage Software-Defined Networking (SDN) and Network Function Virtualization (NFV) to harden IoT networks
  • Deploy the advanced IoT platform, and use MANO to manage and orchestrate virtualized network functions
  • Implement platform security services including identity, authentication, authorization, and accounting
  • Detect threats and protect data in IoT environments
  • Secure IoT in the context of remote access and VPNs
  • Safeguard the IoT platform itself
  • Explore use cases ranging from smart cities and advanced energy systems to the connected car
  • Preview evolving concepts that will shape the future of IoT security

Table of Contents:

Foreword xxvii
Introduction xxix

Part I: Introduction to the Internet of Things (IoT) and IoT Security

Chapter 1: Evolution of the Internet of Things (IoT) 1
  • Defining the Internet of Things 2
  • Making Technology and Architectural Decisions 5
  • Is the Internet of Things Really So Vulnerable? 8
  • Summary 9
  • References 10

Chapter 2: Planning for IoT Security 11
  • The Attack Continuum 11
  • The IoT System and Security Development Lifecycle 13
  • Phase 1: Initiation 15
  • Phase 2: Acquisition and Development 15
  • Phase 3: Implementation 16
  • Phase 4: Operations and Maintenance 17
  • Phase 5: Disposition 17
  • The End-to-End Considerations 17
  • Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21
  • Segmentation 21
  • New Approach 25
  • Summary 30
  • References 30

Chapter 3: IoT Security Fundamentals 31
  • The Building Blocks of IoT 31
  • The IoT Hierarchy 35
  • Primary Attack Targets 37
  • Layered Security Tiers 43
  • Summary 46
  • References 47

Chapter 4: IoT and Security Standards and Best Practices 49
  • Today’s Standard Is No Standard 49
  • Defining Standards 53
  • The Challenge with Standardization 56
  • IoT “Standards” and “Guidance” Landscape 58
  • Architectural or Reference Standards 59
  • Industrial/Market Focused 61
  • Standards for NFV, SDN, and Data Modeling for Services 63
  • Data Modeling and Services 67
  • Communication Protocols for IoT 70
  • Physical and MAC Layers 73
  • Network Layer 73
  • Transport Layer 74
  • Application Layer 74
  • Specific Security Standards and Guidelines 75
  • Summary 79
  • References 80

Chapter 5: Current IoT Architecture Design and Challenges 83
  • What, Why, and Where? A Summary 85
  • Approaches to IoT Architecture Design 88
  • An X-Centric Approach 91
  • The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98
  • The Information-Centric IoT Approach 100
  • The Data-Centric IoT Approach 104
  • System Viewpoint: A Cloudy Perspective 106
  • Middleware 118
  • Lambda Architecture 119
  • Full IoT Stack/Universal 120
  • General Approaches 120
  • Internet of Things Architecture Reference Architecture (IoT-A RA) 120
  • ITU-T Y.2060 125
  • IoT World Forum (IoTWF) Reference Model 126
  • oneM2M Reference Architecture 129
  • IEEE P2413 IoT Architecture 132
  • The OpenFog Consortium Reference Architecture 133
  • Alliance for the Internet of Things Innovation (AIOTI) 138
  • Cloud Customer Architecture for IoT 140
  • Open Connectivity Foundation and IoTivity 142
  • Industrial/Market Focused 144
  • The Industrial Internet Consortium (IIC) 144
  • Industry 4.0 148
  • OPC Unified Architecture (OPC UA) 150
  • Cisco and Rockwell Automation Converged Plantwide Ethernet 153
  • Cisco Smart Grid Reference Model: GridBlocks 153
  • NFV- and SDN-Based Architectures for IoT 154
  • Approaches to IoT Security Architecture 156
  • Purdue Model of Control Hierarchy Reference Model 157
  • Industrial Internet Security Framework (IISF) IIC Reference Architecture 160
  • Cloud Security Alliance Security Guidance for IoT 165
  • Open Web Application Security Project (OWASP) 168
  • Cisco IoT Security Framework 168
  • The IoT Platform Design of Today 172
  • Security for IoT Platforms and Solutions 178
  • Challenges with Today’s Designs: The Future for IoT Platforms 179
  • Summary 183
  • References 183

Part II: Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT

Chapter 6: Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185
  • A Bit of History on SDX and NFV and Their Interplay 185
  • Software-Defined Networking 188
  • OpenFlow 192
  • Open Virtual Switch 195
  • Vector Packet Processing 198
  • Programming Protocol-Independent Packet Processors (P4) 201
  • OpenDaylight 203
  • Extending the Concept of Software-Defined Networks 212
  • Network Functions Virtualization 217
  • Virtual Network Functions and Forwarding Graphs 221
  • ETSI NFV Management and Orchestration (MANO) 225
  • The Impact of SDX and NFV in IoT and Fog Computing 235
  • Summary 248
  • References 249

Chapter 7: Securing SDN and NFV Environments 251
  • Security Considerations for the SDN Landscape 251
  • 1: Securing the Controller 252
  • 2: Securing Controller Southbound Communications 256
  • 3: Securing the Infrastructure Planes 260
  • 4: Securing Controller Northbound Communications 263
  • 5: Securing Management and Orchestration 268
  • 6: Securing Applications and Services 270
  • Security Considerations for the NFV Landscape 272
  • NFV Threat Landscape 273
  • Secure Boot 274
  • Secure Crash 275
  • Private Keys Within Cloned Images 276
  • Performance Isolation 278
  • Tenant/User Authentication, Authorization, and Accounting (AAA) 279
  • Authenticated Time Service 281
  • Back Doors with Test and Monitor Functions 281
  • Multi-administrator Isolation 282
  • Single Root I/O Virtualization (SRIOV) 283
  • SRIOV Security Concerns 285
  • Summary 285
  • References 285

Chapter 8: The Advanced IoT Platform and MANO 287
  • Next-Generation IoT Platforms: What the Research Says 287
  • Next-Generation IoT Platform Overview 291
  • Platform Architecture 294
  • Platform Building Blocks 295
  • Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303
  • Example Use Case Walkthrough 308
  • Event-Based Video and Security Use Case 309
  • Summary 321
  • References 321

Part III: Security Services: For the Platform, by the Platform

Chapter 9: Identity, Authentication, Authorization, and Accounting 323
  • Introduction to Identity and Access Management for the IoT 324
  • Device Provisioning and Access Control Building Blocks 326
  • Naming Conventions to Establish “Uniqueness” 327
  • Secure Bootstrap 328
  • Immutable Identity 328
  • Bootstrapping Remote Secure Key Infrastructures 329
  • Device Registration and Profile Provisioning 330
  • Provisioning Example Using AWS IoT 331
  • Provisioning Example Using Cisco Systems Identity Services Engine 334
  • Access Control 336
  • Identifying Devices 336
  • Endpoint Profiling 337
  • Profiling Using ISE 337
  • Device Sensor 340
  • Methods to Gain Identity from Constrained Devices 345
  • Energy Limitations 346
  • Strategy for Using Power for Communication 347
  • Leveraging Standard IoT Protocols to Identify Constrained Devices 348
  • Authentication Methods 351
  • Certificates 351
  • Trust Stores 355
  • Revocation Support 356
  • SSL Pinning 357
  • Passwords 357
  • Limitations for Constrained Devices 358
  • Biometrics 359
  • AAA and RADIUS 361
  • A/V Pairs 362
  • 802.1X 363
  • MAC Address Bypass 365
  • Flexible Authentication 366
  • Dynamic Authorization Privileges 367
  • Cisco Identity Services Engine and TrustSec 368
  • RADIUS Change of Authorization 368
  • Access Control Lists 374
  • TrustSec and Security Group Tags 376
  • TrustSec Enablement 379
  • SGACL 384
  • Manufacturer Usage Description 390
  • Finding a Policy 390
  • Policy Types 390
  • The MUD Model 392
  • AWS Policy-based Authorization with IAM 394
  • Amazon Cognito 395
  • AWS Use of IAM 395
  • Policy-based Authorization 395
  • Accounting 397
  • How Does Accounting Relate to Security? 398
  • Using a Guideline to Create an Accounting Framework 398
  • Meeting User Accounting Requirements 400
  • Scaling IoT Identity and Access Management with Federation Approaches 402
  • IoT IAM Requirements 403
  • OAuth 2.0 and OpenID Connect 1.0 404
  • OAuth 2.0 404
  • OpenID Connect 1.0 405
  • OAuth2.0 and OpenID Connect Example for IoT 405
  • Cloud to Cloud 406
  • Native Applications to the Cloud 408
  • Device to Device 409
  • Evolving Concepts: Need for Identity Relationship Management 411
  • Summary 414
  • References 415

Chapter 10: Threat Defense 417
  • Centralized and Distributed Deployment Options for Security Services 418
  • Centralized 418
  • Distributed 420
  • Hybrid 422
  • Fundamental Network Firewall Technologies 422
  • ASAv 423
  • NGFWv 423
  • Network Address Translation 424
  • Overlapping 425
  • Overloading or Port Address Translation 425
  • Packet Filtering 426
  • Industrial Protocols and the Need for Deeper Packet Inspection 428
  • Common Industrial Protocol 428
  • Lack of Security 429
  • Potential Solutions: Not Good Enough 430
  • Alternative Solution: Deep Packet Inspection 430
  • Sanity Check 431
  • User Definable 432
  • Applying the Filter 432
  • Application Visibility and Control 433
  • Industrial Communication Protocol Example 435
  • MODBUS Application Filter Example 436
  • Intrusion Detection System and Intrusion Prevention System 437
  • IPS 438
  • Pattern Matching 438
  • Protocol Analysis 439
  • IDS/IPS Weakness 439
  • Advanced Persistent Threats and Behavioral Analysis 440
  • Behavior Analysis Solutions 441
  • Protocols Used to Gain Additional Visibility 442
  • Network as a Sensor 444
  • Pairing with Contextual Information and Adaptive Network Control 446
  • Encrypted Traffic Analytics 450
  • Malware Protection and Global Threat Intelligence 455
  • Cisco Advanced Malware Protection and TALOS 456
  • DNS-Based Security 462
  • Umbrella (DNS Security + Intelligent Proxy) 463
  • Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466
  • ETSI MANO Components in the Use Case 468
  • VMs (Services) Being Instantiated in the Use Case 469
  • Use Case Explanation 469
  • Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486
  • Solution Components 487
  • NFVIS 488
  • Orchestration 490
  • vBranch Function Pack 490
  • Summary 495
  • References 495

Chapter 11: Data Protection in IoT 499
  • Data Lifecycle in IoT 507
  • Data at Rest 518
  • Data Warehouses 521
  • Data Lakes 522
  • Data in Use 524
  • Data on the Move 527
  • Protecting Data in IoT 531
  • Data Plane Protection in IoT 531
  • Protecting Management Plane Data in IoT 565
  • Protecting Control Plane Data 566
  • Considerations When Planning for Data Protection 567
  • Summary 573
  • References 574

Chapter 12: Remote Access and Virtual Private Networks (VPN) 575
  • Virtual Private Network Primer 575
  • Focus for This Chapter 576
  • Site-to-Site IPsec VPN 576
  • IPsec Overview 577
  • IKEv1 Phase 1 579
  • IKEv1 Phase 2 582
  • Internet Key Exchange Protocol Version 2 584
  • Benefits of IKEv2 over IKEv1 586
  • Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588
  • IPsec Databases 589
  • Use Case: IKE/IPsec Within the NSF 589
  • Interface Requirements 590
  • Applying SDN-Based IPsec to IoT 592
  • Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592
  • Software-Based Extranet Using Orchestration and NFV 594
  • Traditional Approach 594
  • Automating Extranet Using Orchestration Techniques and NFV 595
  • Software-Based Extranet Use Case 597
  • Remote Access VPN 598
  • SSL-Based Remote Access VPN 598
  • Reverse Proxy 599
  • Clientless and Thin Client VPN 599
  • Client Based: Cisco AnyConnect Secure Mobility Client 611
  • Modules 612
  • Using AnyConnect in Manufacturing: Use Case Example 617
  • Summary 622
  • References 622

Chapter 13: Securing the Platform Itself 625
  • (A) Visualization Dashboards and Multitenancy 627
  • (B) Back-End Platform 631
  • Scenario 1: A New Endpoint Needs to Be Connected to the Network 639
  • Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639
  • Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641
  • Docker Security 653
  • Kubernetes Security and Best Practices 656
  • (C) Communications and Networking 658
  • (D) Fog Nodes 660
  • (E) End Devices or “Things” 666
  • Summary 667
  • References 667

Part IV: Use Cases and Emerging Standards and Technologies

Chapter 14: Smart Cities 669
  • Use Cases Introduction 669
  • The Evolving Technology Landscape for IoT 670
  • The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672
  • Smart Cities 676
  • Smart Cities Overview 678
  • The IoT and Secure Orchestration Opportunity in Cities 688
  • Security in Smart Cities 693
  • Smart Cities Example Use Cases 696
  • Use Case Automation Overview and High-Level Architecture 701
  • Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702
  • Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705
  • Event-Based Video: Secure Data Pipeline and Information Exchange 709
  • Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714
  • Emergency Fleet Integration 718
  • Automated Deployment of the Use Cases 721
  • Summary 725
  • References 727

Chapter 15: Industrial Environments: Oil and Gas 729
  • Industry Overview 733
  • The IoT and Secure Automation Opportunity in Oil and Gas 735
  • The Upstream Environment 738
  • Overview, Technologies, and Architectures 739
  • Digitization and New Business Needs 742
  • Challenges 743
  • The Midstream Environment 744
  • Overview, Technologies, and Architectures 744
  • Digitization and New Business Needs 747
  • Challenges 748
  • The Downstream and Processing Environments 749
  • Overview, Technologies, and Architectures 749
  • Digitization and New Business Needs 752
  • Challenges 753
  • Security in Oil and Gas 754
  • Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763
  • Use Case Overview 763
  • Use Case Description 765
  • Deploying the Use Case 767
  • Preconfiguration Checklist 773
  • Automated Deployment of the Use Cases 777
  • Securing the Use Case 778
  • Power of SGT as a CoA 781
  • Auto-Quarantine Versus Manual Quarantine 782
  • Leveraging Orchestrated Service Assurance to Monitor KPIs 783
  • Evolving Architectures to Meet New Use Case Requirements 788
  • Summary 792
  • References 794

Chapter 16: The Connected Car 797
  • Connected Car Overview 800
  • The IoT and Secure Automation Opportunity for Connected Cars 809
  • The Evolving Car Architecture 824
  • Security for Connected Cars 830
  • Connected Car Vulnerabilities and Security Considerations 838
  • Connected Car Security and Automation Use Case 849
  • Use Case Overview 852
  • Use Case Automation Overview 854
  • Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855
  • Secure Network: Segmentation, Zones, and Interzone Communication 857
  • Secure Content: Intrusion Detection and Prevention 858
  • Secure Intelligence: Secure Internet Access from the Vehicle 861
  • The Future: Personalized Experience Based on Identity 862
  • Federal Sigma VAMA: Emergency Fleet Solution 863
  • Automated Deployment of the Use Case 867
  • Summary 871
  • References 871

Chapter 17: Evolving Concepts That Will Shape the Security Service Future 873
  • A Smarter, Coordinated Approach to IoT Security 876
  • Blockchain Overview 880
  • Blockchain for IoT Security 888
  • Machine Learning and Artificial Intelligence Overview 890
  • Machine Learning 893
  • Deep Learning 894
  • Natural Language Processing and Understanding 895
  • Neural Networks 896
  • Computer Vision 898
  • Affective Computing 898
  • Cognitive Computing 898
  • Contextual Awareness 899
  • Machine Learning and Artificial Intelligence for IoT Security 899
  • Summary 900
  • References 901


Product Details
  • ISBN-13: 9781587145032
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Height: 235 mm
  • No of Pages: 1008
  • Spine Width: 52 mm
  • Weight: 1726 gr
  • ISBN-10: 1587145030
  • Publisher Date: 30 Jul 2018
  • Binding: Paperback
  • Language: English
  • Returnable: Y
  • Sub Title: Delivering Advanced Security Capabilities from Edge to Cloud for IoT
  • Width: 190 mm

