Session 1: Basic and Advanced concepts of IoT architecture from security perspective |
A brief history of evolution of IoT technologies
Data models in IoT system – definition and architecture of sensors, actuators, device, gateway, communication protocols
Third party devices and risk associated with vendors supply chain
Technology ecosystem – device providers, gateway providers, analytics providers, platform providers, system integrator - risk associated with all the providers
Edge driven distributed IoT vs Cloud driven central IoT: Advantage vs risk assessment
Management layers in IoT system – Fleet management, asset management, Onboarding/Deboarding of sensors, Digital Twins. Risk of Authorizations in management layers
Demo of IoT management systems - AWS, Microsoft Azure and Other Fleet managers
Introduction to popular IoT communication protocols – Zigbee/NB-IoT/5G/LoRa/Witespec – review of vulnerability in communication protocol layers
Understanding the entire Technology stack of IoT with a review of Risk management
|
Session 2: A check-list of all risks and security issues in IoT |
Firmware Patching - the soft belly of IoT
Detailed review of security of IoT communication protocols - Transport layers (NB-IoT, 4G, 5G, LoRa, Zigbee etc.) and Application Layers – MQTT, Web Socket etc.
Vulnerability of API end points - list of all possible API in IoT architecture
Vulnerability of Gateway devices and Services
Vulnerability of connected sensors - Gateway communication
Vulnerability of Gateway - Server communication
Vulnerability of Cloud Database services in IoT
Vulnerability of Application Layers
Vulnerability of Gateway management service - Local and Cloud based
Risk of log management in edge and non-edge architecture
|
Session 3: OWASP Model of IoT security, Top 10 security risk |
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
|
Session 4: Review and Demo of AWS-IoT and Azure IoT security principle |
Microsoft Threat Model – STRIDE
Details of STRIDE Model
Security device and gateway and server communication – Asymmetric encryption
X.509 certification for Public key distribution
SAS Keys
Bulk OTA risks and techniques
API security for application portals
Deactivation and delinking of rogue device from the system
Vulnerability of AWS/Azure Security principles
|
Session 5: Review of evolving NIST standards/recommendation for IoT |
Review of NISTIR 8228 standard for IoT security - 30 point risk consideration Model
Third party device integration and identification
Service identification & tracking
Hardware identification & tracking
Communication session identification
Management transaction identification and logging
Log management and tracking
|
Session 6: Securing Firmware/Device |
Securing debugging mode in a Firmware
Physical Security of hardware
Hardware cryptography – PUF (Physically Unclonable Function) - securing EPROM
Public PUF, PPUF
Nano PUF
Known classification of malware in Firmware (18 families according to YARA rule)
Study of some of the popular Firmware Malware - Mirai, BrickerBot, GoScanSSH, Hydra etc.
|
Session 7: Case Studies of IoT Attacks |
On Oct. 21, 2016, a huge DDoS attack was deployed against Dyn DNS servers and shut down many web services, including Twitter. Hackers exploited default passwords and user names of webcams and other IoT devices, and installed the Mirai botnet on compromised IoT devices. This attack will be studied in detail.
IP cameras can be hacked through buffer overflow attacks
Philips Hue lightbulbs were hacked through their ZigBee link protocol
SQL injection attacks were effective against Belkin IoT devices
Cross-site scripting (XSS) attacks exploited the Belkin WeMo app to access data and resources that the app can access
|
Session 8: Securing Distributed IoT via Distributed Ledger – BlockChain and DAG (IOTA) [3 hours] |
Distributed ledger technology – DAG Ledger, Hyper Ledger, BlockChain
PoW, PoS, Tangle – a comparison of the methods of consensus
Difference between Blockchain, DAG and Hyperledger – a comparison of their working vs performance vs decentralization
Real Time, offline performance of the different DLT system
P2P network, Private and Public Key - basic concepts
How ledger system is implemented practically - review of some research architecture
IOTA and Tangle - DLT for IoT
Some practical application examples from smart city, smart machines, smart cars
|
Session 9: The best practice architecture for IoT security |
Tracking and identifying all the services in Gateways
Never use MAC address - use package id instead
Use identification hierarchy for devices - board ID, Device ID and package ID
Structure the Firmware Patching to perimeter and conforming to service ID
PUF for EPROM
Secure the risks of IoT management portals/applications by two layers of authentication
Secure all API - Define API testing and API management
Identification and integration of same security principle in Logistic Supply Chain
Minimize Patch vulnerability of IoT communication Protocols
|
Session 10: Drafting IoT security Policy for your organization |
Define the lexicon of IoT security / Tensions
Suggest the best practice for authentication, identification, authorization
Identification and ranking of Critical Assets
Identification of perimeters and isolation for application
Policy for securing critical assets, critical information and privacy data
|