iot security elements

M2M / IoT Security

Eurotech's

Everyware IoT Security Elements

Overview

23 September 2015

Robert Andres

M2M / IoT Security

The confidentiality, integrity, and availability of our customers’ data and IoT infrastructure is of the utmost importance to Eurotech, as is maintaining our customers’ trust and confidence. Security therefore is an important aspect of everything we do…

Eurotech Security & Privacy Statement

M2M / IoT Security Holistic Approach is required…

[Diagram: M2M Communication Infrastructure; Device Firmware / Application; Business Application; Sensors & Device Hardware; Business Application Integration]

• Every company / organization can be a target
• Security has to be a fundamental part of the overall architecture
• Security technology best practice has to take into account the specific aspects of distributed, unattended, mobile systems / devices
• Security has to be implemented end-to-end and in the individual elements

M2M / IoT Security Enemies Everywhere, Many Reasons …

Attackers / Hackers – Profiles:
• Hackers (white hat)
• Cracker (black hat, criminal)
• Script Kiddies
• Competitors
• Criminal Organizations
• Governments

Financial, Business, Political Motives
• Espionage, industrial espionage
• Sabotage, disruption of business
• Theft, fraud (also resources)
• Manipulation
• Cyberwar

Intangible Motives
• Curiosity
• Revenge, infamy
• Self-worth

Harm, Steal, Play

M2M / IoT Security Attackers / Hackers Targets

Quality, Performance, Availability, Reputation
• Service interruption & malfunction
• Manipulation of equipment, actuators
• Damage to image and financial results

Know-How, Intellectual Property
• Data
• Code
• Process information

Resources
• Systems / distributed systems
• Bandwidth

Everyware Security Architecture Foundation for IoT Security

• Device has a validated identity

• IoT platform has a validated identity

• Mutual authentication for communication

• Encrypted and signed messages

• Secure execution environment (devices & IoT platform)

• Secure software management / distribution

• State-of-the art network & system security (firewall, hardening)

• Role based access control

• Secure management access

Everyware Security Architecture Underlying Principles

• Build solutions based on open and industry standards
• Leverage proven IT / enterprise / Internet-class security technologies and partnerships
• Include security, scalability and resiliency in the design from day one
• Security technology best practice has to take into account the specific aspects of distributed, unattended, mobile systems / devices
• Security has to be implemented end-to-end and in the individual elements
• Encapsulate the complexity of an end-to-end security solution
• Continuous testing and auditing

M2M / IoT Security Security Focus Points

[Diagram: Things; Gateways / Smart Devices; IoT / OT Platform; Application]

IoT Device Cloud Security
• Authentication (verified)
• PKI / certificate management
• Trusted execution environment
• Network security / firewall
• Access control (role based)
• …

IoT Device Security
• Authentication (verified)
• Service discovery / provisioning / pairing
• Trusted execution environment
• Network security / firewall
• Secure Boot

Communication Security
• Authentication (verified)
• Encryption
• Message integrity
• MitM protection
• DNS spoofing protection

M2M / IoT Security Strong Authentication / Trust Anchors / Verification

[Diagram: Things; Gateways / Smart Devices; IoT / OT Platform; Application; DNSSEC / DANE (Infrastructure)]

M2M / IoT Security Authentication: Alternatives

Many alternatives for identification / authentication can be found; not all of them are suitable for M2M/IoT in terms of functionality, security level and scalability:

• ID (just identification, no proof of anything)
• Username and password
• Biometric solutions
• One-time password
• API key
• TPM based solutions
• Public Key Infrastructure (PKI)

PKI is widely recognized as one of the strongest authentication mechanisms

M2M / IoT Security Authentication: Public Key Infrastructure

PKI is widely recognized as one of the strongest authentication mechanisms

• Trusted and well established technology
• High level of standardization and interoperability
• Very scalable
• Allows for mutual authentication
• Can be used for many applications, including:
  – Signing messages
  – Signing documents
  – Logon & authentication
• Certificates / keys in files and tokens
• CA / root of trust options
  – CA-signed certificates
  – Self-signed certificates (a self-signed certificate only acts as a trust anchor if its fingerprint is distributed and pinned out of band)

M2M / IoT Security Certificate Based Authentication in Everyware Cloud

Everyware Cloud Authentication Foundation
• Integrated X.509 certificate management / PKI
• Individual certificates per device / service
• Foundation for using cryptographic methods most effectively
• Based on industry and open standards
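The checks behind "device has a validated identity", "platform has a validated identity" and "mutual authentication", as an added example that is not Eurotech's code. Both halves of a mutual TLS handshake reduce to the same X.509 chain validation, so the program below runs that validation directly: the broker validates a device certificate against the platform CA, requires the client-authentication usage, consults a revocation list (chain validation alone never does), and only then takes the device identity from the verified certificate; the device validates the broker's certificate against the same CA and the hostname it meant to reach. The CA name, "broker.example" and the device IDs are made up for the example, the clock is fixed so results are repeatable, and the revocation list is an in-memory set standing in for the "provision, renew and revoke" jobs the slides mention.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var issued = time.Date(2015, 9, 23, 0, 0, 0, 0, time.UTC) // fixed clock so the demo is deterministic

// issue generates a P-256 key and a certificate from tmpl valid for one year
// from `issued`. parent == nil yields a self-signed root of trust. Key
// generation cannot fail on a sane host, so failures panic.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore, tmpl.NotAfter = issued, issued.AddDate(1, 0, 0)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above; cannot fail
	return cert, key
}

// Broker models the platform side: the CA it trusts for device certificates
// and the serials it has revoked (chain validation alone never checks that).
type Broker struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

var ErrRevoked = errors.New("certificate revoked")

// Authenticate is what the broker does with the certificate a device presents
// in the TLS handshake: chain to the platform CA, require the client-auth EKU,
// consult revocation, and only then take the device identity from the leaf.
func (b *Broker) Authenticate(presented *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: b.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	if b.revoked[presented.SerialNumber.String()] {
		return "", ErrRevoked
	}
	return presented.Subject.CommonName, nil
}

// DeviceVerify is the other half of mutual authentication: the device checks
// that the broker's certificate chains to the platform CA and is valid for the
// host it meant to reach, so a spoofed broker is refused.
func DeviceVerify(roots *x509.CertPool, presented *x509.Certificate, host string, now time.Time) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Outcome collects the demo's verdicts so they can be checked in one place.
type Outcome struct {
	DeviceID                                  string
	Rogue, Revoked, Expired, WrongHost, Broker error
}

func demo() Outcome {
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Everyware demo CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	broker := &Broker{roots: roots, revoked: map[string]bool{}}

	brokerCert, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "broker.example"},
		DNSNames: []string{"broker.example"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	devTmpl := func(id string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: id}, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	device, _ := issue(devTmpl("device-0001"), ca, caKey)
	rogue, _ := issue(devTmpl("device-0001"), nil, nil) // same name, self-signed: no chain to the CA
	lost, _ := issue(devTmpl("device-0002"), ca, caKey) // valid chain, but reported stolen
	broker.revoked[lost.SerialNumber.String()] = true

	now := issued.Add(30 * 24 * time.Hour)
	var o Outcome
	o.DeviceID, _ = broker.Authenticate(device, now)
	_, o.Rogue = broker.Authenticate(rogue, now)
	_, o.Revoked = broker.Authenticate(lost, now)
	_, o.Expired = broker.Authenticate(device, issued.AddDate(2, 0, 0)) // renewal job never ran
	o.Broker = DeviceVerify(roots, brokerCert, "broker.example", now)
	o.WrongHost = DeviceVerify(roots, brokerCert, "evil.example", now)
	return o
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

In a real TLS setup these two functions are what `tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}` on the broker and `tls.Config{RootCAs: roots, ServerName: "broker.example"}` on the device perform inside the handshake; the revocation lookup is the part you still have to add yourself (CRL, OCSP or a platform-side list consulted after the handshake).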

The Eurotech IoT Approach : E2E Security Aspects Overview

[Diagram: Application Infrastructure / Application Layer; Communication Infrastructure; Field Infrastructure; M2M Integration Platform, MQTT, Client, Device HW, Communication Infrastructure APIs, Communication channels / sessions]

M2M/IoT Integration Platform
- Deployment options / infrastructure
- SW architecture and elements

Communication channels / sessions
- SSL/TLS
- Pairing

Infrastructure security aspects
- SIM card management

Multi-Service Gateway
- Hardware
- SW architecture and elements

Field technology, protocols, communication

All levels:
- Authentication / root of trust
- Integrity / hardening of solution
- Efficiency (unattended, distributed)
- Best practice processes

Security Assessment, Testing and Validation (3rd party)

EDC Security Overview (Everyware Cloud, Public Cloud Offering)

• Secure Transmission of Data. All MQTT traffic is encrypted over an SSL/TLS connection. All Console access is exclusively available over an encrypted HTTPS connection. All REST API access is exclusively available over an encrypted HTTPS connection.

• Physical Access to Data. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches.

• Logical Access to Data Store. All databases are protected through strict firewall rules from external access and are only accessible from the mid-tier machines. In the database, data is segregated by account through a unique tenant ID. At the MQTT broker, broker data and traffic are segregated between accounts using virtual machine segregation.

EDC Security Overview (Everyware Cloud, Public Cloud Offering)

• Identity and Access Management. Confidentiality and integrity are ensured through a role based access control model and access control lists which follow the Principle of Least Privilege and are enforced through all the layers of the architecture. Each account manages a list of users and controls the users’ credentials. Everyware Cloud has a configurable lockout policy per account, which can block a user’s credentials after a certain number of failed login attempts. Logins to the Everyware Console can be further protected through the use of Two Factor Authentication (2FA). Everyware Cloud supports individual device certificate based authentication, which also supports customer managed PKI solutions.

• Vulnerability Management. An independent certified security firm performs remote vulnerability assessments, including network/host and applications. Eurotech ensures that internal and external vulnerability scanning is conducted quarterly and after any major changes to the environment, remediates any critical security issues found within a reasonable time frame and reports the results of the remediation.

The Eurotech IoT Approach : E2E Overview

[Diagram, bottom to top: Field Infrastructure (sensors, HMIs, actuators, etc.; device, gateway, OS, security; Device Application Framework; certifications, etc.); Communication Infrastructure (optimum M2M / IoT protocols, MQTT; SIM card & communication infrastructure management); System Infrastructure / M2M Integration Platform (M2M integration / application enablement / device and application management platform; aggregators & on-premise platforms; public cloud, private cloud; aPaaS, SaaS); Application Layer (enterprise applications, enterprise IT, big data, databases, analytics, mining, CEP, ERP, CRM, …)]

The M2M Integration Platform Remote Access / VPN

[Diagram: Devices; MQTT (Always-On) to the M2M Integration Platform (Alerts, Control Center); VPN On-Demand through a VPN Server to Applications / Remote Access]

An Introduction to EDC Security – Upcoming Versions of EC & ESF

Everyware Device Cloud - Security

EDC Security Elements

Integrated Certificate Management / PKI

• Certificate Management
  – Dedicated administrative web panel
  – Standard X.509 certificate format
  – Certificate chain support
  – Certificate validation and export functionalities
  – Trusted message server signed digest over MQTT
  – EDC jobs to provision, renew and revoke certificates

Ensures:
• Integrity
• Authenticity
• Non-repudiation of origin

EDC Security Elements

Secure Messaging / MQTT

• All MQTT traffic is encrypted over an SSL/TLS connection.
• Data messages are serialized before transmission, and the receiver (subscriber) must use the same serialization protocol to de-serialize them.
• Device management messages published by EC are signed to guarantee authenticity and message integrity.
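The "signed digest over MQTT" that the certificate-management slide and the last bullet above refer to, as an added example; it is not Everyware Cloud's wire format. The platform signs a SHA-256 digest of topic, timestamp and body with an ECDSA key whose public half is pinned on the device; the device rejects a message whose body was altered in transit and a genuine message replayed outside the acceptance window. The `Command` layout, the topic string and the JSON payloads are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Command is a device-management message as the platform publishes it on a
// device's control topic. The field layout is an assumption of this example,
// not Everyware Cloud's wire format.
type Command struct {
	Topic     string // control topic the command was published on
	IssuedAt  int64  // Unix seconds; lets the device bound replay
	Body      []byte // serialized command payload
	Signature []byte // ASN.1 DER ECDSA signature over digest()
}

var (
	ErrBadSignature = errors.New("signature does not verify: altered in transit or not from the platform")
	ErrStale        = errors.New("command outside the acceptance window: possible replay")
)

// digest hashes topic, timestamp and body with length prefixes, so a signature
// over one command cannot be re-used with a different topic or body.
func digest(topic string, issuedAt int64, body []byte) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(topic)))
	h.Write(n[:])
	h.Write([]byte(topic))
	binary.BigEndian.PutUint64(n[:], uint64(issuedAt))
	h.Write(n[:])
	binary.BigEndian.PutUint64(n[:], uint64(len(body)))
	h.Write(n[:])
	h.Write(body)
	return h.Sum(nil)
}

// sign is the platform side: only the platform holds the private key.
func sign(priv *ecdsa.PrivateKey, topic string, body []byte, now time.Time) (Command, error) {
	c := Command{Topic: topic, IssuedAt: now.Unix(), Body: body}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(c.Topic, c.IssuedAt, c.Body))
	if err != nil {
		return Command{}, err
	}
	c.Signature = sig
	return c, nil
}

// verify is the device side: the platform's public key is pinned on the device
// (ESF would take it from its trust store). The signature is checked before the
// timestamp so an unsigned message cannot influence the freshness decision.
func verify(pub *ecdsa.PublicKey, c Command, now time.Time, maxAge time.Duration) error {
	if !ecdsa.VerifyASN1(pub, digest(c.Topic, c.IssuedAt, c.Body), c.Signature) {
		return ErrBadSignature
	}
	if age := now.Sub(time.Unix(c.IssuedAt, 0)); age > maxAge || age < -maxAge {
		return ErrStale
	}
	return nil
}

// demo returns the device's verdict on a genuine command, on the same command
// with its body altered in transit, and on the genuine command replayed an hour later.
func demo() (genuine, tampered, replayed error) {
	platformKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	t0 := time.Date(2015, 9, 23, 10, 0, 0, 0, time.UTC)
	const topic = "$EDC/acme/device-0001/DEPLOY-V2/EXEC/install" // illustrative topic name
	cmd, err := sign(platformKey, topic, []byte(`{"dp":"sensor-app-1.2.0.dp"}`), t0)
	if err != nil {
		return err, err, err
	}
	pub, window := &platformKey.PublicKey, 5*time.Minute

	genuine = verify(pub, cmd, t0.Add(5*time.Second), window)

	evil := cmd // a MitM that swaps the package reference but keeps the signature
	evil.Body = []byte(`{"dp":"http://attacker.example/backdoor.dp"}`)
	tampered = verify(pub, evil, t0.Add(5*time.Second), window)

	replayed = verify(pub, cmd, t0.Add(time.Hour), window)
	return genuine, tampered, replayed
}

func main() {
	g, t, r := demo()
	fmt.Printf("genuine: %v\ntampered: %v\nreplayed: %v\n", g, t, r)
}
```

The timestamp window only bounds replay; a device that must refuse the same command twice within the window also needs to rem
ember the last accepted timestamp per topic, the same way the signed-bundle checks refuse to reinstall an already processed package.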

EDC Security Elements

Tenant Segregation

• Secure multi-tenant implementation
• At the MQTT broker, broker data and traffic are segregated between accounts using virtual machine segregation
• All data (telemetry, device events, …) are archived in a Big Data (NoSQL) database and kept isolated by Virtual Private DB

EDC Security Elements

Access to Console over encrypted HTTPS only

• Enforced password policy (complex passwords, 12 characters long)
• Passwords stored only as one-way hashes
• Configurable lock-out policy per account
• Option: two-factor authentication, a one-time password (enrolled via QR code on a mobile phone) in addition to username & password
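An added example, not the Everyware Console's implementation, of the two controls on this slide that can be shown in code: the time-based one-time password of RFC 6238 (the kind an authenticator app derives from a QR code; the example also builds the otpauth URI that goes into that code) checked with a one-step clock-skew window and single-use enforcement, plus a per-account lockout after a configurable number of failed attempts. The password check that precedes the one-time password is assumed to be done elsewhere with a proper password hash. The account name is made up; the secret is the RFC 6238 test seed, so the codes can be checked against the RFC's table.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// hotp implements RFC 4226 (HMAC-SHA-1 plus dynamic truncation).
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP over the number of 30-second steps since the epoch.
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix()/30), digits)
}

// provisioningURI is what the console encodes into the enrolment QR code; the
// authenticator app on the phone derives the same codes from it.
func provisioningURI(issuer, user string, secret []byte) string {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30",
		issuer, user, enc, issuer)
}

var (
	ErrLocked  = errors.New("account locked after too many failed attempts")
	ErrBadCode = errors.New("one-time password rejected")
)

// Account holds the per-account lockout policy and the OTP state. The password
// check that precedes the OTP check is assumed to happen elsewhere.
type Account struct {
	User        string
	TOTPSecret  []byte
	MaxFailures int           // lockout policy: failures allowed before locking
	LockFor     time.Duration // how long the lock lasts
	failures    int
	lockedUntil time.Time
	lastStep    uint64 // step of the last accepted code; codes are single-use
}

// VerifyOTP accepts the current 30-second step and one step either side for
// clock skew, refuses a code that was already used, counts failures and locks
// the account once MaxFailures is reached.
func (a *Account) VerifyOTP(code string, now time.Time) error {
	if now.Before(a.lockedUntil) {
		return ErrLocked
	}
	step := uint64(now.Unix() / 30)
	for _, s := range []uint64{step - 1, step, step + 1} {
		if s > a.lastStep && hmac.Equal([]byte(hotp(a.TOTPSecret, s, 6)), []byte(code)) {
			a.lastStep, a.failures = s, 0
			return nil
		}
	}
	a.failures++
	if a.failures >= a.MaxFailures {
		a.lockedUntil, a.failures = now.Add(a.LockFor), 0
		return ErrLocked
	}
	return ErrBadCode
}

// demo walks one account through a correct login, the same code replayed, a
// wrong code (the replay and the wrong code together reach MaxFailures and lock
// the account), a correct code refused while locked, and a login after the lock expires.
func demo() []error {
	acct := &Account{User: "alice", TOTPSecret: []byte("12345678901234567890"), // RFC 6238 test seed
		MaxFailures: 3, LockFor: 15 * time.Minute}
	t := time.Unix(59, 0) // RFC 6238 test time: the valid 6-digit code is 287082
	later := t.Add(16 * time.Minute)
	return []error{
		acct.VerifyOTP("287082", t),                    // correct code
		acct.VerifyOTP("287082", t.Add(2*time.Second)), // same code again: replay, counts as a failure
		acct.VerifyOTP("000000", t),                    // wrong code
		acct.VerifyOTP("000000", t),                    // third failure: account locked
		acct.VerifyOTP(totp(acct.TOTPSecret, t, 6), t), // correct, but locked
		acct.VerifyOTP(totp(acct.TOTPSecret, later, 6), later), // lock expired
	}
}

func main() {
	for i, err := range demo() {
		fmt.Printf("attempt %d: %v\n", i+1, err)
	}
}
```

The lockout counter is reset on success and on lock, so a legitimate user who mistypes once is not carried towards a lock indefinitely; an attacker who guesses against a six-digit code gets at most MaxFailures tries per LockFor, which is what makes a short one-time password acceptable as a second factor.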

EDC Security Elements

Secure Programmable Interfaces / Firewall Protection and reduced “attack footprint”

• Programmable interfaces (REST API, WebSockets) available exclusively over an encrypted HTTPS connection
• The MQTT connection is always initiated by the gateway and remains always open. The opening session is an outbound MQTT connection from the local area network, possibly behind the firewall, towards Everyware Cloud.
• At all points only a minimal number of open ports (MQTT, HTTPS, SSL, VPN)
• All databases in Everyware Cloud are protected through strict firewall rules from external access and they are only accessible from the mid-tier machines.
• Devices are firewall protected

EDC Security Elements

Secure Execution Environment (Device, ESF)

• OSGi Security
  – Signed bundle checks
    • Integrity
    • Authenticity
• ESF Security Manager
  – Environment integrity checks
  – Environment hardening
  – Allowed JAR signatures
  – Allowed bundle access
  – Device unique master password
    • Code obfuscation
    • String encryption
  – Encrypted configuration storage
  – SSL mutual authentication
  – Device management checks
    • Integrity
    • Authenticity
  – Remote certificate management

ESF Security Manager Overview

[Diagram: ESF on Java SE Embedded / OSGi; ESF Security comprises the ESF Security Manager, ESF Certificate Manager and ESF SSL Manager, with the ESF bundles and application above; key stores: ESF JKS, SSL JKS and encrypted configuration snapshots]

EDC Security Elements

Remote Management / VPN

• Secure, administrator-initiated transparent IP connection between remote systems and devices in the field
• Gateways behind firewalls can be reached
• IP addressing conflicts do not prevent or complicate the establishment of connections
• The established MQTT channel is used to initiate the VPN connection from the remote device (OpenVPN, soon IPsec)

EDC Security Elements

Auditing / Penetration Testing

• Eurotech regularly performs vulnerability assessments (e.g. code injection, cross-site request forgery, credential theft), including network/host and applications.
• Eurotech ensures internal and external vulnerability scanning is conducted periodically and after any major changes to the environment

EDC Security Overview (Subset, Examples) EC 4.0

Device to Cloud to Application Security Architecture
• X.509 certificate based authentication
• Integrated PKI / certificate management

Security “in the Cloud” (IoT / OT Platform)
• Allowed traffic is secure and authenticated
• Application / interface servers: no ports open other than 443 (HTTPS)
• Secure cloud infrastructure
• Signed code / secure execution environment

Securing Device to Cloud (Communication Security)
• Allowed traffic is secure and authenticated
• Broker / infrastructure / perimeter defense
  – Firewalling
  – All in-bound ports other than broker ports are closed
• Everyware VPN service

Securing the Device
• Firewall
• OSGi / signed code / secure execution environment
• Secure boot

[Diagram: device stack, bottom to top: Hardware, Linux, Java VM, Code]

www.eurotech.com

Thank You!