Practical Internet of Things Security A practical, indispensable security guide that will navigate you through the complex realm of securely building and deploying systems in our IoT-connected world Brian Russell Drew Van Duren BIRMINGHAM - MUMBAI Practical Internet of Things Security Copyright © 2016 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: June 2016 Production reference: 1230616 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78588-963-9 www.packtpub.com Credits Authors Project Coordinator Brian Russell Kinjal Bari Drew Van Duren Proofreader Safis Editing Reviewer Aaron Guzman Indexer Hemangini Bari Commissioning Editor Kartikey Pandey Graphics Kirk D'Penha Acquisition Editor Prachi Bisht Production Coordinator Shantanu N. Zagade Content Development Editor Arshiya Ayaz Umer Cover Work Shantanu N. Zagade Technical Editor Siddhi Rane Copy Editor Safis Editing About the Authors Brian Russell is a chief engineer focused on cyber security solutions for Leidos (https://www.leidos.com/). He oversees the design and development of security solutions and the implementation of privacy and trust controls for customers, with a focus on securing Internet of Things (IoT). Brian leads efforts that include security engineering for Unmanned Aircraft Systems (UAS) and connected vehicles and development security systems, including high assurance cryptographic key management systems. He has 16 years of information security experience. He serves as chair of the Cloud Security Alliance (CSA) Internet of Things (IoT) Working Group, and as a member of the Federal Communications Commission (FCC) Technological Advisory Council (TAC) Cybersecurity Working Group. Brian also volunteers in support of the Center for Internet Security (CIS) 20 Critical Security Controls Editorial Panel and the Securing Smart Cities (SSC) Initiative (http://securingsmartcities.org/). Join the Cloud Security Alliance (CSA) IoT WG @ https://cloudsecurityalliance.org/group/internet-of-things/#_join. You can contact Brian at https://www.linkedin.com/in/brian-russell- 65a4991. I would like to thank my wife, Charmae, and children, Trinity and Ethan. Their encouragement and love during my time collaboration on this project has been invaluable. I would also like to thank all the great volunteers and staff of the Cloud Security Alliance (CSA) Internet of Things (IoT) Working Group, who have worked with me over the past few years to better understand and recommend solutions for IoT security. Lastly, I would like to thank my parents, without whom I would not have the drive to complete this book. Drew Van Duren currently works at Leidos as a senior cryptographic and cybersecurity engineer, highlighting 15 years of support to commercial, US Department of Defense, and US Department of Transportation (USDOT) customers in their efforts to secure vital transportation and national security systems. Originally an aerospace engineer, his experience evolved into cyber-physical (transportation system) risk management, secure cryptographic communications engineering, and secure network protocol design for high assurance DoD systems. Drew has provided extensive security expertise to the Federal Aviation Administration's Unmanned Aircraft Systems (UAS) integration office and supported RTCA standards body in the development of cryptographic protections for unmanned aircraft flying in the US National Airspace System. He has additionally supported USDOT Federal Highway Administration (FHWA) and the automotive industry in threat modeling and security analysis of connected vehicle communications design, security systems, surface transportation systems, and cryptographic credentialing operations via the connected vehicle security credential management system (SCMS). Prior to his work in the transportation industry, Drew was a technical director, managing two of the largest (FIPS 140-2) cryptographic testing laboratories and frequently provided cryptographic key management and protocol expertise to various national security programs. He is a licensed pilot and flies drone systems commercially, and is also a co-founder of Responsible Robotics, LLC, which is dedicated to safe and responsible flight operations for unmanned aircraft. You can reach Drew at https://www.linkedin.com/in/drew-van-duren-33a7b54. I would first like to thank my wife, Robin, and children, Jakob and Lindsey, for their immense love, humor, and patience that shone brightly as I collaborated on this book. They were always keen to provide the diversions when I needed them the most. I would also like to thank my parents for their unceasing love, discipline, and encouragement to pursue diverse interests—model making, engineering, aviation, and music—in my formative years. More than anything, playing the cello has enriched and centered me amid life's demands. Lastly, my gratitude goes to my departed grandparents, especially my maternal grandfather, Arthur Glenn Foster, whose unquenchable scientific and engineering inquisitiveness provided just the footsteps I needed in my young life. About the Reviewer Aaron Guzman is a principal penetration tester from the Los Angeles area with expertise in application security, mobile pentesting, web pentesting, IoT hacking, and network penetration testing. He has previously worked with established tech companies such as Belkin, Symantec, and Dell, breaking code and architecting infrastructures. With Aaron's years of experience, he has given presentations at various conferences, ranging from Defcon and OWASP AppSecUSA to developer code camps across America. He has contributed to many IoT security guideline publications and open source community projects around application security. Furthermore, Aaron is a chapter leader for the Open Web Application Security Project (OWASP), Los Angeles, Cloud Security Alliance SoCal (CSA SoCal), and High Technology Crime Investigation Association of Southern California (HTCIA SoCal). You can follow Aaron's latest research and updates on Twitter at @scriptingxss. www.PacktPub.com eBooks, discount offers, and more Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub. com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks. TM https://www2.packtpub.com/books/subscription/packtlib Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books. Why subscribe? • Fully searchable across every book published by Packt • Copy and paste, print, and bookmark content • On demand and accessible via a web browser Table of Contents Preface ix Chapter 1: A Brave New World 1 Defining the IoT 3 Cybersecurity versus IoT security and cyber-physical systems 5 Why cross-industry collaboration is vital 7 IoT uses today 10 Energy industry and smart grid 11 Connected vehicles and transportation 11 Manufacturing 11 Wearables 12 Implantables and medical devices 12 The IoT in the enterprise 13 The things in the IoT 17 The IoT device lifecycle 17 The hardware 19 Operating systems 20 IoT communications 21 Messaging protocols 23 Transport protocols 27 Network protocols 28 Data link and physical protocols 28 IoT data collection, storage, and analytics 30 IoT integration platforms and solutions 30 The IoT of the future and the need to secure 31 The future – cognitive systems and the IoT 31 Summary 32 [ i ]