Chapter 13 - 02 - Discuss the Security in IoT-enabled Environments - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 IoT and OT Security

[Slide: "Stack-wise IoT Security Principles". The figure shows a stack of four layers, with Device(s), Gateway, Connection and Cloud across the top and Applications (CRM, ERP, SCM, PLM), Processes, Practices, and Policies above them; the layers are labelled Secure Device Layer, Secure Communication Layer, Secure Cloud Layer and Secure Process Layer.]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Stack-wise IoT Security Principles

Several IoT devices are connected to the network and eventually to the cloud, which exposes them to many threat vectors. To develop end-to-end (E2E) IoT solutions, the device, communication, cloud, and process layers should all be secured. For this purpose, the following stack-wise IoT security principles should be implemented.

Figure 13.9: Stack-wise IoT security principles (Device(s), Gateway, Connection, Cloud; Secure Device Layer, Secure Communication Layer, Secure Cloud Layer, Secure Process Layer)

IoT Security Principles on the Device Layer

- Need for device intelligence to handle complex security tasks: Most IoT devices communicate with services, the cloud, servers, etc., through the Internet or Wi-Fi. As these devices are powered by microprocessors, they are unable to handle the complexity of Internet connectivity and should not be used for front-line duty in IoT applications. Smart devices are secure and robust: they have embedded security features and can handle security, encryption, authentication, etc. Hence, smart devices should be used for front-line duty in IoT applications.
- Security advantage of processing at the edge: Smart IoT devices have an edge processing feature that processes data locally before sending it to the cloud, thus eliminating the need to forward a large quantity of data to the cloud. Edge processing enhances security by processing the data, packing it into separate packets, and sending it securely to the desired location. It allows users to keep sensitive information with them.

Module 13 Page 1582 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

IoT Security Principles on the Communication Layer

- Initiate a connection to the cloud but not from the cloud: Instead of connecting IoT devices directly to the Internet, they should be connected to the cloud. Incoming connections should be disallowed. The connection to the cloud establishes a bi-directional channel through which the user can control the IoT device remotely.

- Inherent security of a message: All communications with IoT devices should be handled carefully. The user must enforce lightweight message-based protocols for IoT devices that offer options for double encryption, filtering, queuing, etc. With proper labeling, the messages will be handled securely. For example, double encryption secures client data when the data pass through the message switch.

IoT Security Principle on the Cloud Layer

- Identification, authentication, and encryption for machines, rather than humans: Users access cloud services with a password. Occasionally, cloud services use two-factor authentication consisting of a password and a one-time password generator. For humans, passwords are the accepted method of authentication, but machines use digital certificates when accessing cloud services.
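The two principles above, a device that only dials out to the cloud and a machine identity carried by a digital certificate rather than a password, as an added Go example that is not code from the course. It builds a throwaway private CA, a cloud endpoint certificate and a device certificate in memory, starts the cloud endpoint on a loopback port, and shows that a device presenting a valid certificate is identified by the cloud while a device presenting none is dropped. The names (example-ca, cloud.example, device-0001) and the one-hour certificate lifetime are constructed for the example; a real fleet would keep the device key in a secure element and issue certificates from an actual PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert returns a certificate for name: a self-signed CA when isCA is true,
// otherwise a leaf signed by parent/parentKey. All names here are constructed.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // distinct enough for a demo
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return must(x509.ParseCertificate(der)), key
}

// NewLab builds a private CA, a cloud certificate and a device certificate, starts
// the cloud endpoint on a loopback port and returns the device-side connect function.
func NewLab() func(present bool) (string, error) {
	ca, caKey := issueCert("example-ca", true, nil, nil)
	cloud, cloudKey := issueCert("cloud.example", false, ca, caKey)
	device, deviceKey := issueCert("device-0001", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// The cloud side accepts no password: it requires a client certificate
	// that chains to the private CA and verifies it during the handshake.
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cloud.Raw}, PrivateKey: cloudKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    roots,
		MinVersion:   tls.VersionTLS12,
	}))
	go func() { // one session at a time keeps the example short
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails unless a valid device certificate was presented
				// The identity reported comes from the verified certificate, not from the payload.
				fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	// Device side: the device always dials out to the cloud (it runs no inbound
	// listener) and, when present is true, proves its identity with its certificate.
	return func(present bool) (string, error) {
		cfg := &tls.Config{RootCAs: roots, ServerName: "cloud.example", MinVersion: tls.VersionTLS12}
		if present {
			cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{device.Raw}, PrivateKey: deviceKey}}
		}
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil {
			return "", err
		}
		defer conn.Close()
		var id string
		_, err = fmt.Fscan(conn, &id) // errors when the cloud dropped the session
		return id, err
	}
}

func main() {
	connect := NewLab()
	fmt.Println(connect(true))  // device-0001 <nil>
	fmt.Println(connect(false)) // "" and a TLS error
}
```

Run it with go run. The cloud side never prompts for a password and the device never listens, so the only inbound path to the device is the channel it opened itself; the certificate gives the cloud a cryptographic identity for the machine, which is what a user ID and password cannot provide.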
Digital certificates are used not only to authenticate transactions but also to encrypt the channel from the device to the cloud before the transaction takes place. The cryptographic identification provided by a digital certificate cannot be achieved with a user ID and password.

IoT Security Principle on the Process Layer

- Security of remote control and updates: Remote control of an IoT device allows the user to perform remote diagnostics, set new configurations, retrieve files, etc. The key to secure updates and remote control is to ensure that incoming connections to the device are disallowed; instead, the device should establish a secure bi-directional connection with the cloud and use a message switch as the communication channel.

IoT Framework Security Considerations

[Slide: "IoT Framework Security Considerations", four columns.]
Edge: communications encryption; storage encryption; update components; no default passwords.
Gateway: multi-directional encrypted communications; strong authentication of all the components; automatic updates.
Cloud Platform: encrypted communications; secure web interface; authentication; encrypted storage; automatic updates.
Mobile: local storage security; encrypted communications channels; multi-factor authentication; account lockout mechanism.

To design secure and protected IoT devices, security issues should be properly considered. One of the most important considerations is the development of a secure IoT framework for building the device. Ideally, a framework should be designed in a way that provides security by default, so that the developers do not have to consider it later. Security evaluation criteria for the IoT framework are broken down into four parts.
Each part has its own security-related concerns, which are discussed in the evaluation criteria for that part. The security evaluation criteria for IoT devices are discussed below:

- Edge: The edge is the main physical device in the IoT ecosystem that interacts with its surroundings. It contains various components such as sensors, actuators, operating systems, hardware and network, and communication capabilities. It is heterogeneous and can be deployed anywhere and in any condition. Therefore, an ideal framework for an edge provides cross-platform components so that it can be deployed and work in any physical condition possible. Other framework considerations for an edge are proper communications and storage encryption, no default credentials, strong passwords, use of the latest up-to-date components, etc.

- Gateway: The gateway is the first step for an edge into the world of the Internet, as it connects smart devices to cloud components. It is referred to as a communication aggregator that allows communication with a secure and trusted local network as well as a secure connection to an untrusted public network. It also provides a layer of security to all the devices connected to it. Because the gateway serves as the aggregation point for the edge, it has a crucial security role in the ecosystem. An ideal framework for the gateway should incorporate strong encryption techniques for secure communications between endpoints. In addition, the authentication mechanism for the edge components should be as strong as that of any other component in the framework. Wherever possible, the gateway should be designed so that it authenticates multi-directionally to carry out trusted communication between the edge and the cloud.
Automatic updates should also be provided to the device to counter vulnerabilities.

- Cloud Platform: In an IoT ecosystem, the cloud component is the central aggregation and data management point. Access to the cloud must be restricted. The cloud component is usually at higher risk, as it is the central point of aggregation for most of the data in the ecosystem. It also includes a command and control (C2) component, a centralized computer that issues the commands for distributing extensions and updates. A secure framework for the cloud component should include encrypted communications, strong authentication credentials, a secure web interface, encrypted storage, automatic updates, etc.

- Mobile: In an IoT ecosystem, the mobile interface plays an important part, particularly where data needs to be collected and managed. Using mobile interfaces, users can access and interact with the edge in their home or workplace from miles away. Some mobile applications give users only limited data from specific edge devices, while others allow complete manipulation of the edge components. Proper attention should be given to the mobile interface, as it is prone to various cyber-attacks. An ideal framework for the mobile interface should include a proper authentication mechanism for the user, an account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels, and security of the data transmitted over the channel.
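The edge considerations ("no default credentials, strong passwords") and the mobile considerations ("a proper authentication mechanism for the user, an account lockout mechanism after a certain number of failed attempts") above, as one added Go example that is not part of the course material. It refuses factory default passwords at enrolment, stores only a salted hash, and locks an account for a window after consecutive failures, answering Locked even when the right password is then supplied. The default-password list, the 12-character minimum, the three-failure threshold and the 15-minute window are this example's own choices, and the salted SHA-256 stands in for the memory-hard password hash a real deployment would use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

type Outcome int

const (
	Allowed Outcome = iota
	Denied          // unknown user or wrong password; the attempt is counted
	Locked          // lockout in force; the password is not even checked
)

// defaultPasswords is a constructed list of factory credentials that an edge device or its app must refuse to keep.
var defaultPasswords = map[string]bool{"admin": true, "password": true, "12345678": true, "default": true}

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

// Authenticator enforces the password policy at enrolment and locks an account after
// maxFailures consecutive failures. The clock is injectable so the window can be tested.
type Authenticator struct {
	maxFailures int
	lockout     time.Duration
	now         func() time.Time
	accounts    map[string]*account
}

func NewAuthenticator(maxFailures int, lockout time.Duration) *Authenticator {
	return &Authenticator{maxFailures: maxFailures, lockout: lockout, now: time.Now, accounts: map[string]*account{}}
}

// CheckPolicy rejects factory defaults, short passwords and passwords equal to the user name.
func CheckPolicy(user, password string) error {
	switch {
	case defaultPasswords[strings.ToLower(password)]:
		return errors.New("default credential not allowed")
	case len(password) < 12:
		return errors.New("password shorter than 12 characters")
	case strings.EqualFold(user, password):
		return errors.New("password must differ from the user name")
	}
	return nil
}

// hashPassword is a salted SHA-256 stand-in; a deployment would use a
// memory-hard KDF such as argon2id (golang.org/x/crypto/argon2) instead.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// Enroll applies the policy and stores only a salted hash, never the password.
func (a *Authenticator) Enroll(user, password string) error {
	if err := CheckPolicy(user, password); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.accounts[user] = &account{salt: salt, hash: hashPassword(salt, password)}
	return nil
}

// Login checks the lockout first, then compares the hash in constant time.
func (a *Authenticator) Login(user, password string) Outcome {
	acct, ok := a.accounts[user]
	if !ok {
		return Denied // unknown user gets the same answer as a wrong password
	}
	now := a.now()
	if now.Before(acct.lockedUntil) {
		return Locked
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, password), acct.hash) == 1 {
		acct.failures = 0
		return Allowed
	}
	acct.failures++
	if acct.failures >= a.maxFailures {
		acct.failures = 0
		acct.lockedUntil = now.Add(a.lockout)
	}
	return Denied
}

func main() {
	a := NewAuthenticator(3, 15*time.Minute)
	fmt.Println(a.Enroll("admin", "admin"))                      // default credential not allowed
	fmt.Println(a.Enroll("field-tech", "correct-horse-battery")) // <nil>
	fmt.Println(a.Login("field-tech", "wrong"), a.Login("field-tech", "wrong"), a.Login("field-tech", "wrong")) // 1 1 1
	fmt.Println(a.Login("field-tech", "correct-horse-battery")) // 2: locked even with the right password
}
```

Outcomes print as their integer values (0 Allowed, 1 Denied, 2 Locked). The lockout is checked before the password so a locked account leaks nothing about whether a guess was right, and the unknown-user path returns Denied rather than a distinct error so user names cannot be enumerated from the response.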
