
Chapter 13 - 02 - Discuss the Security in IoT-enabled Environments - 02_ocred.pdf




Certified Cybersecurity Technician IoT and OT Security Exam 212-82

Stack-wise IoT Security Principles

[Figure 13.9: Stack-wise IoT security principles. User device(s) and gateway: Secure Device Layer; connection: Secure Communication Layer; cloud: Secure Cloud Layer; applications (CRM, ERP, SCM, PLM) together with processes, practices, and policies: Secure Process Layer.]

Several IoT devices are connected to the network and eventually to the cloud, which exposes them to many threat vectors. To develop end-to-end (E2E) IoT solutions, the device, communication, cloud, and process layers should all be secured. For this purpose, the following stack-wise IoT security principles should be implemented.

IoT Security Principles on the Device Layer

* Need for device intelligence to handle complex security tasks: Most IoT devices communicate with services, the cloud, servers, etc., through the Internet or Wi-Fi. Devices with only a small embedded processor cannot handle the complexity of Internet connectivity and should not be used for front-line duty in IoT applications. Smart devices are more robust: they have embedded security features and can handle security, encryption, authentication, etc., on their own. Hence, smart devices should be used for front-line duty in IoT applications.

* Security advantage of processing at the edge: Smart IoT devices have an edge processing feature that processes data locally before sending the data to the cloud, thus

Module 13 Page 1582 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
eliminating the need to forward a large quantity of raw data to the cloud. Edge processing enhances security because the device processes the data locally, packs only the results into separate packets, and sends them securely to the desired location. It allows users to keep sensitive information on the device instead of exporting it.

IoT Security Principles on the Communication Layer

* Initiate a connection to the cloud, but not from the cloud: IoT devices should not be exposed directly on the Internet; instead, each device should itself open its connection to the cloud, and incoming connections to the device should be disallowed. The device-initiated connection to the cloud establishes a bi-directional channel through which the user can still control the IoT device remotely.

* Inherent security of a message: All communications with IoT devices should be carefully handled. Lightweight message-based protocols should be enforced for IoT devices, with options for double encryption, filtering, queuing, etc. With proper labeling, the messages are handled securely. For example, double encryption (encrypting the message payload in addition to the transport channel) secures client data while the data pass through the message switch.

IoT Security Principle on the Cloud Layer

* Identification, authentication, and encryption for machines, rather than humans: Users access cloud services with a password, and occasionally cloud services use two-factor authentication consisting of a password and a one-time password generator. For humans, passwords are the accepted method of authentication, but machines should use digital certificates when accessing cloud services. Digital certificates are used not only to authenticate transactions but also to encrypt the channel from the device to the cloud before the transaction takes place. The cryptographic identification provided by a digital certificate cannot be achieved with a user ID and password.
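The device-layer principle above says to process locally and forward only packed results. As an added illustration (not code from the module), the following shows what that looks like on a device: a window of raw sensor readings is folded into a compact report, an alert is decided on the edge, and a pre-send check refuses any upload that still carries raw per-reading fields. The sensor fields, window size, alert threshold and the sample readings are constructed for the example.

```python
"""Edge processing before upload: aggregate locally and ship only derived
values.  Added example; the field names, window size, alert threshold and the
sample readings are constructed for the illustration, not taken from the module."""
import json
import statistics
from typing import Dict, List

WINDOW = 6            # assumed: raw readings folded into one upload packet
ALERT_TEMP_C = 25.0   # assumed: local alarm threshold evaluated on the device

# Constructed sample: six readings from a room sensor.  The per-reading
# occupancy trace is the sensitive part (it shows when someone was present).
RAW_READINGS = [
    {"ts": 1700000000 + i * 10, "temp_c": t, "occupied": o}
    for i, (t, o) in enumerate([(21.0, 1), (21.2, 1), (21.1, 0),
                                (21.3, 0), (27.9, 0), (21.2, 1)])
]

def summarize_window(readings: List[dict]) -> Dict[str, object]:
    """Fold one window of raw readings into a compact report.

    Only derived values are returned: temperature statistics, an occupancy
    ratio and the timestamps of locally detected alerts.  The raw per-reading
    series never appears in the result."""
    temps = [r["temp_c"] for r in readings]
    return {
        "window_start": readings[0]["ts"],
        "window_end": readings[-1]["ts"],
        "n": len(readings),
        "temp_mean": round(statistics.fmean(temps), 2),
        "temp_max": max(temps),
        "occupancy_ratio": round(sum(r["occupied"] for r in readings) / len(readings), 2),
        # Alerting is decided here, on the edge, so the cloud receives a
        # decision rather than the data needed to make it.
        "alert_ts": [r["ts"] for r in readings if r["temp_c"] > ALERT_TEMP_C],
    }

def build_upload(device_id: str, readings: List[dict]) -> bytes:
    """Serialize one packet per window; this is the only thing that leaves the device."""
    packets = [summarize_window(readings[i:i + WINDOW])
               for i in range(0, len(readings), WINDOW)]
    return json.dumps({"device": device_id, "packets": packets}).encode()

def contains_raw_fields(upload: bytes) -> bool:
    """Pre-send check: refuse an upload that still carries raw per-reading keys."""
    return b'"occupied"' in upload or b'"temp_c"' in upload

if __name__ == "__main__":
    up = build_upload("edge-node-01", RAW_READINGS)
    assert not contains_raw_fields(up)
    print(up.decode())
```

The pre-send check is deliberately on the device side: if a firmware change ever starts serializing raw samples, the upload fails locally instead of quietly widening what the cloud holds.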
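The communication-layer principles above (the device dials out, incoming connections are refused, and each message carries its own protection through the message switch) and the process-layer principle that follows (remote control and updates travel over that same device-initiated channel) are demonstrated together in this added example. It is not the module's protocol: the frame format, the per-device key, the command names and the sequence-number rule are assumptions for the illustration, and both ends run in one process over a loopback port. A real deployment would additionally wrap the socket in TLS; the example shows the connection direction and the per-message tag and replay check that hold even where the transport is terminated at a switch.

```python
"""Device-initiated channel with message-level authentication.
Added example, not the module's protocol: the frame format, the per-device key,
the command names and the sequence-number rule are assumptions for the
illustration.  A deployment would also wrap the socket in TLS; the point here is
the connection direction and that every message carries its own protection."""
import hashlib
import hmac
import json
import socket
import threading
from typing import Dict, List, Optional

DEVICE_KEY = b"per-device-secret-provisioned-at-manufacture"   # assumed key
SUPPORTED = ("get-diagnostics", "set-config", "apply-update")  # assumed command set

def seal(msg: Dict[str, object], key: bytes) -> bytes:
    """Canonical JSON + HMAC-SHA256 tag, newline-terminated.  The tag covers
    'seq', so a captured frame cannot be re-used with a different counter."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag + b"\n"

def open_envelope(line: bytes, key: bytes, last_seq: int) -> Optional[Dict[str, object]]:
    """Return the message only if the tag verifies and seq moves forward."""
    try:
        body, tag = line.rstrip(b"\n").rsplit(b"|", 1)
    except ValueError:
        return None
    expect = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expect):
        return None                      # tampered or wrong key
    msg = json.loads(body)
    if not isinstance(msg.get("seq"), int) or msg["seq"] <= last_seq:
        return None                      # replayed or reordered frame
    return msg

def message_switch(server: socket.socket, commands: List[str], out: dict) -> None:
    """Cloud side.  It never dials the device: it waits for the device's
    outbound connection and pushes commands down that same socket."""
    conn, _ = server.accept()
    dev_last, frames = 0, []
    with conn, conn.makefile("rb") as rd:
        hello = open_envelope(rd.readline(), DEVICE_KEY, dev_last)
        if hello is None:
            return
        dev_last = hello["seq"]
        out["device_id"], out["acks"] = hello.get("device"), []
        for seq, cmd in enumerate(commands, start=1):
            frames.append(seal({"seq": seq, "cmd": cmd}, DEVICE_KEY))
            conn.sendall(frames[-1])
            ack = open_envelope(rd.readline(), DEVICE_KEY, dev_last)
            if ack is None:
                break
            dev_last = ack["seq"]
            out["acks"].append(ack["result"])
        # Adversary simulation: replay the first command frame verbatim.
        conn.sendall(frames[0])
        ack = open_envelope(rd.readline(), DEVICE_KEY, dev_last)
        out["replay_result"] = ack["result"] if ack else None

def run_device(port: int, device_id: str) -> List[str]:
    """Device side.  No listening socket exists here; the device dials out,
    announces itself, then acts only on authenticated, in-order commands."""
    executed, cloud_last, my_seq = [], 0, 1
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rb") as rd:
        s.sendall(seal({"seq": my_seq, "device": device_id}, DEVICE_KEY))
        for line in rd:
            msg = open_envelope(line, DEVICE_KEY, cloud_last)
            if msg is None:
                result = "rejected"
            elif msg.get("cmd") not in SUPPORTED:
                cloud_last, result = msg["seq"], "unsupported"
            else:
                cloud_last, result = msg["seq"], "ok"
                executed.append(msg["cmd"])  # a real device would act here
            my_seq += 1
            s.sendall(seal({"seq": my_seq, "result": result}, DEVICE_KEY))
    return executed

def demo(commands: List[str]) -> dict:
    """Run both ends in-process on a loopback port chosen by the OS."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    out: dict = {}
    t = threading.Thread(target=message_switch, args=(server, commands, out))
    t.start()
    out["executed"] = run_device(server.getsockname()[1], "sensor-0042")
    t.join()
    server.close()
    return out

if __name__ == "__main__":
    print(demo(["get-diagnostics", "apply-update", "format-disk"]))
```

Two things to notice when running it: the device never calls listen(), so there is nothing for an Internet scanner to connect to, and a replayed "apply-update" frame is refused by the device's own sequence check even though its tag still verifies.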
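The cloud-layer principle above is that machines identify themselves with certificates, and that the same certificate both authenticates the device and protects the channel. The following added example (not the module's code) shows the two halves in Python's standard ssl module: the cloud-side context that refuses connections without a client certificate chained to the device CA, the device-side context that presents its own certificate, and the step that binds an accepted connection to a device identity taken from the verified certificate. The file paths, the issuer name "Acme IoT Device CA" and the enrolled-device set are assumptions, and the certificate dictionary is constructed in the shape ssl.SSLSocket.getpeercert() returns so that the binding logic runs without real certificate files.

```python
"""Machine identity at the cloud boundary: certificates instead of passwords.
Added example.  The file paths, the issuer name and the enrolled-device set are
assumptions; SAMPLE_PEERCERT is constructed in the format returned by
ssl.SSLSocket.getpeercert() and is not a real certificate."""
import ssl
from typing import Dict, Optional, Set

EXPECTED_ISSUER_CN = "Acme IoT Device CA"  # assumed: the CA that issues device certs

def cloud_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Cloud side: present the cloud certificate and REQUIRE a client
    certificate chained to the device CA.  Without CERT_REQUIRED, anyone with
    network reach could connect and the service would be back to passwords."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def device_client_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Device side: verify the cloud against the CA and present the device's
    own certificate.  The private key stays on the device; only the
    certificate travels."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    return ctx

def _rdn_value(name: tuple, key: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def device_identity(peercert: Dict[str, object]) -> Optional[str]:
    """Bind a connection to the device ID carried in its verified certificate.

    getpeercert() returns an empty dict unless the context validated the
    chain, so an empty dict correctly yields None.  The issuer check stops a
    certificate from some other CA that happens to be trusted for other
    purposes from being accepted as a device identity."""
    if _rdn_value(peercert.get("issuer", ()), "commonName") != EXPECTED_ISSUER_CN:
        return None
    return _rdn_value(peercert.get("subject", ()), "commonName")

def authorize(peercert: Dict[str, object], enrolled: Set[str]) -> Optional[str]:
    """Authentication gives an identity; authorization checks it is enrolled."""
    dev = device_identity(peercert)
    return dev if dev in enrolled else None

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "sensor-0042"),),),
    "issuer": ((("organizationName", "Acme"),), (("commonName", "Acme IoT Device CA"),)),
    "serialNumber": "0A1B",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

In use, the cloud accepts a connection with cloud_server_context(...).wrap_socket(...), calls getpeercert() on the result and passes it to authorize() before reading a single command; the password-style fallback the text warns about simply has no code path here.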
IoT Security Principle on the Process Layer

* Security of remote control and updates: Remote control of an IoT device allows the user to perform remote diagnostics of the device, set new configurations, retrieve files, etc. The key to secure updates and remote control is to ensure that incoming connections to the device are disallowed; instead, the device should establish a secure bi-directional connection with the cloud and utilize a message switch as the communication channel for these operations.

IoT Framework Security Considerations

[Figure: IoT framework security considerations. Edge: communications encryption, storage encryption, update components, no default passwords. Gateway: multi-directional encrypted communications, strong authentication of all the components, automatic updates. Cloud platform: encrypted communications, secure web interface, encrypted storage, automatic updates, strong authentication. Mobile: authentication, multi-factor authentication, account lockout mechanism, local storage security, encrypted communications channels.]

To design secure and protected IoT devices, security issues should be properly considered. One of the most important considerations is the development of a secure IoT framework for building the device. Ideally, a framework should be designed so that it provides security by default, so that developers do not have to add it later. Security evaluation criteria for the IoT framework are broken down into four parts, each with its own security-related concerns, which are discussed under the criteria for that part.
The security evaluation criteria for the four parts are discussed below:

* Edge

The edge is the physical device in the IoT ecosystem that interacts with its surroundings. It contains various components such as sensors, actuators, an operating system, hardware and network, and communication capabilities. It is heterogeneous and can be deployed anywhere and in any condition. Therefore, an ideal framework for the edge provides cross-platform components so that it can be deployed and work in any physical condition possible. Other framework considerations for the edge are proper communications and storage encryption, no default credentials, strong passwords, use of the latest up-to-date components, etc.

* Gateway

The gateway is the edge's first step into the world of the Internet, as it connects smart devices to cloud components. It is referred to as a communication aggregator that allows communication with a secure and trusted local network as well as a secure connection to an untrusted public network. It also provides a layer of security to all the devices connected to it. Because the gateway serves as the aggregation point for the edge, it has a crucial security role in the ecosystem. An ideal framework for the gateway should incorporate strong encryption for secure communications between endpoints. In addition, the authentication mechanism for the edge components should be as strong as for any other component in the framework. Wherever possible, the gateway should be designed so that it authenticates multi-directionally, to carry out trusted communication between the edge and the cloud. Automatic updates should also be provided to the device to counter vulnerabilities.
* Cloud Platform

In an IoT ecosystem, the cloud component is referred to as the central aggregation and data management point. Access to the cloud must be restricted. The cloud component is usually at higher risk, as it is the central point of aggregation for most of the data in the ecosystem. It also includes a command and control (C2) component, a centralized system that issues commands for the distribution of extensions and updates. A secure framework for the cloud component should include encrypted communications, strong authentication credentials, a secure web interface, encrypted storage, automatic updates, etc.

* Mobile

In an IoT ecosystem, the mobile interface plays an important part, particularly where data need to be collected and managed. Using mobile interfaces, users can access and interact with the edge in their home or workplace from miles away. Some mobile applications provide users with only limited data from specific edge devices, while others allow complete manipulation of the edge components. Proper attention should be given to the mobile interface, as it is prone to various cyber-attacks. An ideal framework for the mobile interface should include a proper authentication mechanism for the user, an account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels, and security of the data transmitted over the channel.
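The mobile criteria above name an account lockout mechanism after a certain number of failed attempts, alongside proper user authentication. The following added example (not the module's code, and not tied to any particular mobile framework) shows one way to implement that login path on the service the mobile app talks to: salted PBKDF2 password verification, a failure counter that resets after a quiet period, a timed lock once the counter reaches the limit, and the same amount of hashing work for unknown users so they cannot be told apart by response time. The thresholds and the in-memory account store are assumptions for the illustration.

```python
"""Account lockout for the interface a mobile app authenticates against.
Added example; MAX_FAILURES, LOCKOUT_SECONDS, WINDOW_SECONDS, the PBKDF2
iteration count and the in-memory account store are assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILURES = 5          # assumed: failures tolerated inside one window
LOCKOUT_SECONDS = 900     # assumed: 15-minute lock after the limit is hit
WINDOW_SECONDS = 600      # assumed: counter resets after 10 quiet minutes
PBKDF2_ROUNDS = 100_000   # assumed

def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0

class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, pw: str) -> None:
        salt, digest = hash_password(pw)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, pw: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'.  'now' is injectable for tests."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            # Spend the same work for unknown users so enumeration by timing fails.
            hash_password(pw, b"\0" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"          # even a correct password is refused while locked
        if now - acct.last_failure > WINDOW_SECONDS:
            acct.failures = 0        # old failures no longer count
        _, digest = hash_password(pw, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        acct.last_failure = now
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"

if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse")
    print([auth.login("alice", "wrong") for _ in range(MAX_FAILURES)])
    print(auth.login("alice", "correct horse"))
```

A per-account lock like this also hands an attacker a way to lock legitimate users out by guessing deliberately, so in practice it is paired with the multi-factor authentication the slide lists and with per-source rate limiting; the example keeps to the lockout mechanism itself.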
