
IoT Security in Action - Boston Sept 2015

The Success Story of Everyware Device Cloud by Eurotech secured with DNSSEC and DANE. Joint presentation by Eurotech and Verisign


  1. IoT Security in Action – The Success Story of Everyware Device Cloud by Eurotech, secured with DNSSEC and DANE. Andrea Ceiner, Eurotech; Andrew Cathrow, Verisign. IoT Security – Boston, September 2015
  2. Disclaimer. This presentation has been prepared by Eurotech S.p.A. (or “Eurotech”). The information contained in this presentation does not purport to be comprehensive. Neither Eurotech nor any of its officers, employees, advisers or agents accepts any responsibility for, or makes any representation or warranty, express or implied, as to the truth, fullness, accuracy or completeness of the information in this presentation (or whether any information has been omitted from the presentation) or any other information relating to Eurotech, its subsidiaries or associated companies, whether written, oral or in a visual or electronic form, transmitted or made available. The distribution of this document in other jurisdictions may be restricted by law, and persons into whose possession this document comes should inform themselves about, and observe, any such restrictions. No reliance may be placed for any purposes whatsoever on the information contained in this document or any other material discussed during this presentation, or on its completeness, accuracy or fairness. The information in this document and any other material discussed at this presentation is subject to verification, completion and change. The information and opinions contained in this document are provided as at the date of the presentation and are subject to change without notice. Some of the information is still in draft form and will only be finalized. By attending the presentation you agree to be bound by the foregoing terms. Trademarks or Registered Trademarks are the property of their respective owners.
  3. Gartner’s Seven Potential IoT Challenges: 1. Security; 2. Enterprise; 3. Consumer Privacy; 4. Data; 5. Storage Management; 6. Server Technologies; 7. Data Center Network.
  4. Enemies Everywhere, Many Reasons …
     • Attacker profiles: Hackers; Crackers/Criminals; Script Kiddies; Competitors; Organizations/Governments
     • Reasons: Financial; Business; Political; Intangible
     • Targets: Quality, Performance, Availability; Reputation; Know-How, Intellectual Property; Resources
  5. Anatomy of an IoT Solution – Transforming bits of data at the edge of the network into actionable information in the business users’ hands. Diagram chain: Things → Gateways / Smart Devices → IoT / OT Platform → Application.
  6. Requirements for IoT SECURITY at SCALE: Efficiently Managed; Low Cost; Increased Trust; Globally Interoperable.
  7. M2M / IoT Security – Security Focus Points, extension with Verisign (diagram over Things → Gateways / Smart Devices → IoT / OT Platform → Application):
     • IoT Device Cloud Security: Authentication; PKI Management; Trusted execution environment; Network security / Firewall; Access Control
     • IoT Device Security: Certified Identity; Service discovery; Trusted execution environment; Network security / Firewall; Secure Boot
     • Communication Security: Authentication; Encryption; Man-in-the-middle Protection; Message Integrity
  8. M2M / IoT Security – Strong Authentication / Trust Anchors / Verification. Diagram: Things → Gateways / Smart Devices → IoT / OT Platform → Application, anchored in the Global DNS.
  9. IoT Security: ineffective implementations, and why to use PKI for Device Identification & Authentication instead: API keys as credential; MAC address as identifier; Device ID hardcoded on the device or in a configuration file.
  10. Trusted Authentication – Why PKI-based Authentication using DNS? Public Key Infrastructure (PKI) is a trusted and well-established technology, but the scale of IoT introduces new problems and amplifies old issues: manageability at scale; cost of certificates ($$$); security; revocation and reissuance; the “too many CAs” problem.
  11. Trusted Authentication – Why PKI-based Authentication using DNS? DNS-based Authentication of Named Entities (DANE) is a public standard (IETF RFC 6698); key/certificate management and revocation become effective and easier; it is compatible with IoT scale and costs; it is based on Open Standards and Open Source; no lock-in.
  12. Authentication & Authorization – Everyware Device Cloud integrated with DNSSEC/DANE:
     • 1. Cloud Setup: registering Broker Services (Provisioning and Messaging) into the Authoritative DNS
     • 2. Gateway (ESF) Setup: first gateway/device initialization by the Manufacturer
     • 3. Shipment: ship the devices towards their final destination
     • 4. Power ON the Device: over-the-air DISCOVERY → PROVISION → A&A
     • 5. Device & Data Management: real-time metrics, events and remote management within a secure always-on session
  13. 4. Power ON the Device – over-the-air DISCOVERY → PROVISION → A&A:
     • Broker Discovery: “WHO IS MY BROKER?”
     • Device Provision: “GIVE ME MY CONFIGURATION PLEASE!”
     • A&A (Birth): “Here I am, this is my ID … Authenticate me and Authorize me please!”
  14. STEP 1 – Cloud Services Setup: registering Broker Services onto the Authoritative DNS. The Provisioning and Messaging Broker Services are registered with an HTTPS POST to the Secure DNS provisioning API (diagram step 1) and served by the Authoritative DNS and the Validating Recursive DNS (diagram step 2). Broker Services: PROVISIONING; MESSAGING.
  15. STEP 2 – M2M Gateway (ESF) Setup: first gateway/device initialization by the Manufacturer, over an HTTPS + 2FA login (diagram steps 1–2).
     • Gateway (ESF) setup: Network configuration; Domain Name; Broker Services (Provisioning; Messaging); Validating Recursive DNS Server; Internal temporary Credentials
     • Create a Provision Request (Pending)
  16. STEP 3 – Shipment: ship Devices from the Device Manufacturer to the Customer.
  17. STEP 4 – Power ON the device, 4.1 Broker Services DISCOVERY (Tiaki). Switch ON the Device; (1) HTTPS: DISCOVERY – lookup of the PTR and associated SRV and TXT Resource Records within a DNS zone, as a Secure DNS Query via the Validating Recursive DNS and Authoritative DNS; (2) PTR & SRV for the Provisioning & Messaging Broker Services are returned. Broker Services: PROVISIONING; MESSAGING.
  18. STEP 4 – Power ON the device, 4.2 Device Provision (diagram steps 1–6): MQTTS: CONNECT with INTERNAL credentials; Internal Authentication & Processing only if there is a Pending Provision Request for that Device (Provision Request Pending); MQTTS: DEV ID (CN); HTTPS: GET DEV ID (CN); generate the Certificate (with DEV ID CN) & publish it to the Cloud; HTTPS: propagate the Self-signed Certificate through the Secure DNS provisioning API to the Authoritative DNS and Validating Recursive DNS.
  19. STEP 4 – Power ON the device, 4.3 Device Authentication & Authorization (BIRTH event): (1) MQTTS: publish over TLS with the Self-Signed Certificate; (2) HTTPS get authentication, backed by Secure DNS Queries to the Authoritative DNS and Validating Recursive DNS; (3) Authorize the Device.
  20. STEP 5 – Device & Data Management: MQTT+SSL bidirectional messages over a TLS Session (always-on session). Device side – MQTTS: publish device events and data metrics. Cloud side – MQTTS: publish SW Updates, Device Commands, Device Configuration, …
  21. STEP 4 – Power ON the device, 4.4 Device Revoke: (1) NOT Authenticated, determined by Secure DNS Queries to the Authoritative DNS and Validating Recursive DNS; (2) mailto/twitter/sms: NOTIFY Unauthenticated Device; (3) HTTPS: DISABLE Device; (4) Block messages from the device; (5) HTTPS: Remove Certificate & Propagate through the Secure DNS provisioning API.
  22. M2M / IoT Security – a Holistic Approach is required… The confidentiality, integrity, and availability of our customers’ data and IoT infrastructure is of the utmost importance to Eurotech, as is maintaining our customers’ trust and confidence. That’s why we make M2M/IoT communications SECURE and RELIABLE over INSECURE and UNRELIABLE NETWORKS & MALICIOUS environments. Diagram layers: Sensors & Device Hardware; Device Firmware / Application; M2M Communication Infrastructure; Business Application; Business Application Integration.
  23. Thank You
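An added illustration of the two DNS-backed checks the deck describes, not code from Eurotech, Verisign or the Everyware Device Cloud: the device-side broker discovery of step 4.1 (PTR, then SRV) and the cloud-side acceptance of a self-signed BIRTH certificate of step 4.3 only when a DANE TLSA record (RFC 6698) vouches for it. The zone contents, host names, the TLSA owner name used for a device and the certificate bytes are all constructed assumptions.

```python
import hashlib

# Constructed stand-in for the DNSSEC-signed zone the deck describes; a real
# device or broker would issue validated DNS queries instead.  Keys are owner
# names, values are (type, rdata) tuples.  All names here are assumptions.
DEVICE_CERT = b"constructed DER of the device's self-signed certificate"
ZONE = {
    "_mqtt._tcp.example.net.": [("PTR", "messaging._mqtt._tcp.example.net.")],
    "messaging._mqtt._tcp.example.net.": [
        ("SRV", (0, 0, 8883, "broker1.example.net.")),  # prio, weight, port, target
        ("TXT", "role=messaging"),
    ],
    # Outcome of step 4.2: the device certificate digest propagated as TLSA
    "_8883._tcp.dev-0001.devices.example.net.": [
        ("TLSA", (3, 0, 1, hashlib.sha256(DEVICE_CERT).hexdigest())),
    ],
}

def lookup(name, rtype):
    return [rdata for t, rdata in ZONE.get(name, []) if t == rtype]

def discover_broker(service):
    """Step 4.1: PTR names the service instance; its SRV gives host and port."""
    instances = lookup(service, "PTR")
    if not instances:
        raise LookupError(f"no PTR record for {service}")
    _prio, _weight, port, target = lookup(instances[0], "SRV")[0]
    return target, port

def tlsa_match(cert_der, spki_der, usage, selector, mtype, data_hex):
    """RFC 6698 2.1: pick cert or SPKI, apply the matching type, compare."""
    if usage not in (2, 3):   # only the non-PKIX usages fit a self-signed cert
        return False
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        return False          # unknown matching type: never trust by default
    return digest == data_hex.lower()

def authenticate_device(device_name, port, cert_der, spki_der):
    """Step 4.3: accept the BIRTH certificate only if some TLSA record matches."""
    records = lookup(f"_{port}._tcp.{device_name}", "TLSA")
    return any(tlsa_match(cert_der, spki_der, *rr) for rr in records)
```

Revocation (step 4.4) falls out of the same check: once the TLSA record is removed from the signed zone, `authenticate_device` returns False for the same certificate.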
