Practical Internet of Things Security Second Edition Design a security framework for an Internet connected ecosystem Brian Russell Drew Van Duren BIRMINGHAM - MUMBAI Practical Internet of Things Security Second Edition Copyright © 2018 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Commissioning Editor: Gebin George Acquisition Editor: Prachi Bisht Content Development Editor: Deepti Thore, Dattatraya More Technical Editor: Varsha Shivhare Copy Editor: Safis Editing Project Coordinator: Jagdish Prabhu Proofreader: Safis Editing Indexer: Mariammal Chettiyar Graphics: Jisha Chirayil Production Coordinator: Jyoti Chauhan First published: June 2016 Second edition: November 2018 Production reference: 1291118 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78862-582-1 www.packtpub.com To my wife, Charmae; daughter, Trinity; and son, Ethan. Thanks for all the memories. – Brian Russell To my wife, Robin; son, Jakob; and daughter, Lindsey. I love you so much. You provide me the greatest support, security, and enjoyment in life imaginable. – Drew Van Duren mapt.io Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website. Why subscribe? Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals Improve your learning with Skill Plans built especially for you Get a free eBook or video every month Mapt is fully searchable Copy and paste, print, and bookmark content Packt.com Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. Contributors About the authors Brian Russell is the founder of TrustThink, LLC, where he leads multiple efforts towards the development of trusted IoT solutions. He has over 20 years of information security experience and has led complex system security engineering programs in the areas of cryptographic modernization, cryptographic key management, unmanned aerial systems, and connected vehicle security. He is the co-chair of the Cloud Security Alliance (CSA) IoT Working Group and was the recipient of the 2015 and 2016 CSA Ron Knode Service Award. Brian is an adjunct professor at the University of San Diego (USD) in the Cyber Security Operations and Leadership program. I would like to express my gratitude for all the people that have helped with this book. To my co-author, Drew Van Duren—it's been a pleasure working with you. To the editors at Packt, thanks for your patience as we closed in on completion, and to my family—thank you for all of the support. I'd also like to acknowledge the active members over the years in the CSA IoT Working Group, as I have learned a lot from each of you about IoT security. Drew Van Duren has provided 20 years of support to commercial and government customers in their efforts to secure safety-of-life and national security systems. He has provided extensive applied cryptographic design, key management expertise, and system security architecture design through rigorous integration of system security design with the core engineering disciplines. Drew has managed as Technical Director the two largest FIPS 140-2 test laboratories, security-consulted for the New York City Connected Vehicle Pilot Deployment, and participated in multiple standards groups such as the RTCA, SAE, and IEEE 1609 working group. Today, he supports the IEEE P1920 committee heading security architecture for unmanned aircraft aerial networks. I would like to thank the outstanding mentors I have worked with throughout my career. Thank you to my grandfather, Glenn Foster, for planting seeds of scientific and engineering curiosity. Brian Russell, it has been extremely rewarding collaborating with you over the years. Lastly, much gratitude to my parents, Toney and GloryLynn Van Duren, for such fierce dedication and support through my formative years. About the reviewer Aaron Guzman is a security consultant serving as the Head of Automotive and IoT Testing with Aon's Cyber Solutions Group. Aaron has extensive public speaking experience, delivering conference presentations, training, and workshops globally. Aaron is a chapter leader for the Open Web Application Security Project (OWASP) Los Angeles, Cloud Security Alliance SoCal (CSA SoCal), a technical editor, and the co-author of IoT Penetration Testing Cookbook with Packt Publishing. Over the years, he has contributed to many IoT security guidance publications and leads the OWASP Embedded Application Security project. Follow Aaron's latest research on Twitter at @scriptingxss. Packt is searching for authors like you If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea. Table of Contents Preface 1 Chapter 1: A Brave New World 5 Defining the IoT 7 Defining cyber-physical systems 8 Cybersecurity versus IoT security 9 The IoT of today 10 An IoT-enabled energy grid 12 Modernizing the transportation ecosystem 13 Smart manufacturing 13 Smart cities spread across the globe 14 The importance of cross-industry collaboration 15 The IoT ecosystem 17 Physical devices and controllers 17 The hardware 18 Real-time operating systems 18 Gateways 20 IoT integration platforms and solutions 21 Connectivity 21 Transport protocols 22 Network protocols 22 Data link and physical protocols 22 IEEE 802.15.4 23 ZWave 23 Bluetooth low energy 23 Cellular communications 24 Messaging protocols 25 MQTT 26 CoAP 27 XMPP 28 DDS 28 AMQP 29 Data accumulation 29 Data abstraction 31 Applications 32 Collaboration and processing 35 The IoT of tomorrow 35 Autonomous systems 35 Cognitive systems 36 Summary 37 Chapter 2: Vulnerabilities, Attacks, and Countermeasures 38 Table of Contents Primer on threats, vulnerability, and risks 39 The classic pillars of information assurance 39 Threats 41 Vulnerability 41 Risks 43 Primer on attacks and countermeasures 44 Common IoT attack types 44 Attack trees 46 Building an attack tree 47 Fault (failure) trees and CPS 51 Fault tree and attack tree differences 52 Merging fault and attack tree analysis 53 Example anatomy of a deadly cyber-physical attack 54 Today's IoT attacks 57 Attacks 59 Authentication attacks 60 Distributed Denial of Service (DDoS) 60 Application security attacks 60 Wireless reconnaissance and mapping 61 Security protocol attacks 61 Physical security attacks 62 Lessons learned and systematic approaches 62 Threat modeling an IoT system 63 Step 1 – identify the assets 65 Step 2 – create a system/architecture overview 66 Step 3 – decompose the IoT system 69 Step 4 – identify threats 72 Step 5 – document the threats 75 Step 6 – rate the threats 75 Summary 77 Chapter 3: Approaches to Secure Development 78 The Secure Development Life Cycle (SDLC) 79 Waterfall 79 Requirements 81 Design 82 Implementation 82 Verification 83 Spiral 84 Agile 86 Security engineering in Agile 86 DevOps 89 Handling non-functional requirements 93 Security 94 Threat modeling 94 Other sources for security requirements 99 Safety 99 [ ii ] Table of Contents Hazard analysis 99 Hazard and operability studies (HAZOPs) 100 Fault-tree analysis 100 Failure modes and effects analysis (FMEA) 100 Resilience 101 The need for software transparency 101 Automated security analysis 102 Engaging with the research community 104 Summary 104 Chapter 4: Secure Design of IoT Devices 105 The challenge of secure IoT development 105 Speed to market matters 106 Internet-connected devices face a deluge of attacks 107 The IoT introduces new threats to user privacy 107 IoT products and systems can be physically compromised 108 Skilled security engineers are hard to find (and retain) 109 Secure design goals 110 Design IoT systems that mitigate automated attack risks 110 Design IoT systems with secure points of integration 111 Designing IoT systems to protect confidentiality and integrity 113 Applying cryptography to secure data at rest and in motion 113 Enabling visibility into the data life cycle and protecting data from manipulation 115 Implementing secure OTA 115 Design IoT systems that are safe 116 Design IoT systems using hardware protection measures 117 Introduce secure hardware components within your IoT system 117 Incorporate anti-tamper mechanisms that report and/or react to attempted physical compromise 119 Design IoT systems that remain available 120 Cloud availability 120 Guarding against unplanned equipment failure 121 Load balancing 121 Design IoT systems that are resilient 122 Protecting against jamming attacks 122 Device redundancy 124 Gateway caching 124 Digital configurations 124 Gateway clustering 125 Rate limiting 125 Congestion control 125 Provide flexible policy and security management features to administrators 126 Provide logging mechanisms and feed integrity-protected logs to the cloud for safe storage 127 Design IoT systems that are compliant 127 The US IoT Cybersecurity Improvement Act (draft) 128 ENISA's baseline security recommendations 128 DHS guiding principles for secure IoT 129 [ iii ]