Eurotech, profile picture
Uploaded byEurotech
6,434 views

IoT Security Elements

This document discusses security considerations for M2M and IoT systems. It notes that security must be implemented holistically across the entire architecture, including at the device, communication, and application layers. PKI is recommended for authentication. The document outlines various threats and motivations for attackers. It then describes Eurotech's Everyware IoT security elements, which include X.509 certificate management, encrypted and authenticated messaging using MQTT, tenant segregation, secure access to interfaces and consoles, a secure execution environment on devices and platforms, and remote management using VPN. Auditing and penetration testing are also performed.

Business
Related topics:
IoT Security Focus

Embed presentation

Downloaded 522 times
M2M / IoT Security Eurotech's Everyware IoT Security Elements Overview 23 September 2015 Robert Andres
M2M / IoT Security The confidentiality, integrity, and availability of our customers’ data and IoT infrastructure is of the utmost importance to Eurotech, as is maintaining our customers’ trust and confidence. Security therefore is an important aspect of everything we do… Eurotech Security & Privacy Statement
M2M / IoT Security Holistic Approach is required… M2M Communication Infrastructure Device Firmware / Application Business Application Sensors & Device Hardware Business Application Integration • Every company / organization can be a target • Security has to be fundamental part of the overall architecture • Security technology best practice has to take into account the specific aspects of distributed, unattended, mobile systems / devices • Security has to be implemented end-to-end and in the individual elements
M2M / IoT Security Enemies Everywhere, Many Reasons … Attackers / Hackers Profiles: • Hackers (white hat) • Cracker (black hat, criminal) • Script Kiddies • Competitors • Criminal Organizations • Governments Financial, Business, Political Motives • Espionage, industrial espionage • Sabotage, disruption of business • Theft, fraud (also resources) • Manipulation • Cyberwar Intangible Motives • Curiosity • Revenge, infamy • Self-worth Harm, Steal, Play
M2M / IoT Security Attackers / Hackers Targets Quality, Performance, Availability, Reputation • Service interruption & malfunction • Manipulation of equipment, actuators • Damage to image and financial results Know-How, Intellectual Property • Data • Code • Process information Resources • Systems / distributed systems • Bandwidth Attackers / Hackers Profiles: • Hackers (white hat) • Cracker (black hat, criminal) • Script Kiddies • Competitors • Criminal Organizations • Governments Harm, Steal, Play
Everyware Security Architecture Foundation for IoT Security • Device has a validated identity • IoT platform has a validated identity • Mutual authentication for communication • Encrypted and signed messages • Secure execution environment (devices & IoT platform) • Secure software management / distribution • State-of-the art network & system security (firewall, hardening) • Role based access control • Secure management access
Everyware Security Architecture Underling Principles • Build solutions based on open and industry standards • Leveraging proven IT/enterprise/Internet class security technologies and partnerships • Including security, scalability and resiliency in design from day one • Security technology best practice has to take into account the specific aspects of distributed, unattended, mobile systems / devices • Security has to be implemented end-to-end and in the individual elements • Encapsulate the complexity of an end-to-end security solution • Continuous testing and auditing
M2M / IoT Security Security Focus Points Things Gateways / Smart Devices IoT / OT Platform Application IoT Device Cloud Security •Authentication (verified) •PKI / certificate management •Trusted execution environment •Network security / firewall •Access control (role based) •… IoT Device Security • Authentication (verified) • Service discovery / provisioning / pairing • Trusted execution environment • Network security / firewall • Secure Boot Communication Security • Authentication (verified) • Encryption • Message integrity • MitM protection • DNS spoofing protection
M2M / IoT Security Strong Authentication / Trust Anchors / Verification @ Things Gateways / Smart Devices IoT / OT Platform Application DNSSEC / DANE Infrastructure
M2M / IoT Security Authentication: Alternatives Many alternatives of identification / authentication can be found, not all of them are suitable for M2M/IoT in terms of functionality, security level and scalability: • ID (just identification, no proof of anything) • Username and Password • Biometric solutions • One-time Password • API Key • TPM based solutions • Public Key Infrastructure (PKI) PKI is widely recognized as the one of the strongest authentication mechanism
M2M / IoT Security Authentication: Public Key Infrastructure PKI is widely recognized as one of the the strongest authentication mechanism • Trusted and well established technology • High level of standardization and interoperability • Very scalable • Allows for mutual authentication • Can be used for many applications, including: • Signing messages • Signing documents • Logon & authentication • Certificates / keys in files and tokens • CA / root of trust options • CA-Signed • Self-Signed Certificates
M2M / IoT Security Certificate Based Authentication in Everyware Cloud Everyware Cloud Authentication Foundation • Integrated X.509 certificate management / PKI • Individual certificates per device / service • Foundation for using cryptographic methods most effectively • Based on industry and open standards
The Eurotech IoT Approach : E2E Security Aspects Overview Application Infrastructure Application Layer Communication Infrastructure Field Infrastructure MQTT M2M Integration Platform Client Device HW Communication Infrastructure API´s Communication channels / sessions M2M/IoT Integration Platform - Deployment options / infrastructure - SW architecture and elements Communication channels / sessions - SSL/TLS - Pairing Infrastructure security aspects - SIM card management Multi-Service Gateway - Hardware - SW architecture and elements Field technology, protocols, communication All levels: - Authentication / root of trust - Integrity / hardening of solution - Efficiency (unattended, distributed) - Best practice processes Security Assessment, Testing and Validation (3rd party)
EDC Security Overview (Everyware Cloud, Public Cloud Offering) • Secure Transmission of Data. All MQTT traffic is encrypted over an SSL connection. All Console access is exclusively available over an encrypted HTTPS connection. All REST API access is exclusively available over an encrypted HTTPS connection. • Physical Access to Data. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. • Logical Access to Data Store. All databases are protected through strict firewall rules from external access and they are only accessible from the mid-tier machines. In the database, data is segregated by account through a unique tenant Id. At the MQTT broker, broker data and traffic is segregated between accounts using virtual machine segregation.
EDC Security Overview (Everyware Cloud, Public Cloud Offering) • Identity and Access Management. Confidentiality and integrity are ensured through a role based access control model and access control lists which follow the Principle of Least Privilege and are enforced through all the layers of the architecture. Each account manages a list of users and controls the user’s credentials. Everyware Cloud has a configurable lockout policy per account, which may blocks user’s credentials after a certain number of failed login attempts. Logins to Everyware Console can be further protected through the use of a Two Factor Authentication (2FA). Everyware Cloud does support individual device certificate based authentication to support also customer managed PKI solutions • Vulnerability Management. Independent certified security firm performs remote vulnerability assessments, including network/host and applications. Eurotech will ensure Internal and External vulnerability scanning is conducted quarterly and after any major changes to the environment, and remediates any critical security issues found within a reasonable time frame and report the results of the remediation. 15
The Eurotech IoT Approach : E2E Overview System Infrastructure Application Infrastructure Layer Application Layer Communication Infrastructure Field Infrastructure MQTT M2M Integration Platform Client Device HW Device, Gateway, OS, Security Device Application Framework Certifications, etc Aggregators & On- Premise Platforms M2M Integration / Application Enablement / Device and Application Management Platform SIM Card & Communication Infrastructure Management Optimum M2M / IoT Protocols Public Cloud Private Cloud Sensors, HMIs, Actuators, etc. aPaaS SaaS Enterprise Applications Big Data Databases Analytics Enterprise IT Mining CEP ERP CRM …. Communication Infrastructure
The M2M Integration Platform Remote Access / VPN M2M Integration Platform @ Alerts Control Center MQTT (Always-On) VPN On-Demand VPN Server Applications Remote Access Devices
An Introduction to EDC Security – Upcoming Versions of EC & ESF Everyware Device Cloud - Security
EDC Security Elements @ Integrated Certificate Management / PKI • Certificate Management – Dedicated administrative web panel – Standard X509 certificate format – Certificate chain support – Certificate validations and export functionalities – Trusted message server signed digest over MQTT – EDC jobs to provision, renew and revoke certificates • Integrity • Authenticity • Non-repudiation of origin Ensures:
EDC Security Elements @ Secure Messaging / MQTT • All MQTT traffic is encrypted over an SSL connection. • Data messages are subject to an algorithm of data transformation: data must be serialized before being transmitted with the same protocol that is used by the receiver (subscriber) to be de-serialized. • Device Management Messages published by EC are signed to guarantee authenticity and message integrity.
EDC Security Elements @ Tenant Segregation • Secure multi-tenant implementation • At the MQTT broker, broker data and traffic is segregated between accounts using virtual machine segregation • All data (telemetrics, device events,…) are archived in a Big Data (no SQL) database and kept isolated by Virtual Private DB
EDC Security Elements @ Access to Console over encrypted HTTPS only • Secure enforced passwords (12 chars long complex password) • Password stored one-way-encrypted only • Configurable lock-out policy per account • Option: Two factor authentication based on one-time-password via QR code on mobile phone + username & password
EDC Security Elements @ Secure Programmable Interfaces • Programmable interfaces (REST API, WEBSOCKETS) available exclusively over an encrypted HTTPS connection
• The MQTT connection is always initiated by the gateway and remains always open. The opening session is an outbound MQTT connection from the local area network, possibly behind the firewall, towards Everyware Cloud. • At all points only minimal number of open ports (MQTT, HTTPS, SSL, VPN) • All databases in Everyware Cloud are protected through strict firewall rules from external access and they are only accessible from the mid-tier machines. • Devices are firewall protected EDC Security Elements Firewall Protection and reduced “attack footprint” @
• OSGi Security: Signed Bundles Checks (Integrity, Authenticity) • ESF Security Manager • Environment Integrity Checks • Environment Hardening • Allowed Jar Signatures • Allowed Bundle Access • Device Unique Master Password (Code Obfuscation, String Encryption) • Encrypted Configuration Storage • SSL Mutual Authentication • Device Management Checks (Integrity, Authenticity) • Remote Certificate Management EDC Security Elements @ Secure Execution Environment (Device, ESF)
EDC Security Elements • OSGi Security – Signed Bundles Checks • Integrity • Authenticity • ESF Security Manager – Environment Integrity Checks – Environment Hardening – Allowed Jar Signatures – Allowed Bundle Access – Device Unique Master Password • Code Obfuscation • String Encryption – Encrypted Configuration Storage – SSL Mutual Authentication – Device Management Checks • Integrity • Authenticity – Remote Certificate Management ESF Java SE Embedded OSGi ESF Security ESF Security Manager ESF Certificate Manager ESF SSL Manager ESF Bundles Application JKS ESF JKS SSL Encrypted Configuration Snapshots ESF Security Manager Overview
EDC Security Elements @ Remote Management / VPN • Secure administrator initiated transparent IP connection between remote systems and devices in the field • Gateways behind firewalls can be reached • No IP addressing conflicts prevent or complicate the establishment of connections • Using the established MQTT channel for initiating the VPN connection from the remote device (openVPN, soon IPSEC)
EDC Security Elements @ Auditing / Penetration Testing • Eurotech performs regularly vulnerability assessments, like Code Injection, Cross Site Request Forgery, credentials stealing, etc…, including network/host and applications. • Eurotech ensures internal and external vulnerability scanning is conducted periodically and after any major changes to the environment
EDC Security Overview (Subset, Examples) EC 4.0 Device to Cloud to Application Security Architecture •X.509 Certificate based authentication •Integrated PKI / Certificate management Security “in the Cloud” (IoT / OT Platform) •Allowed traffic is secure and authenticated •Application / Interface servers: no ports open other than 443 (HTTPS) •Secure cloud infrastructure •Signed Code / secure execution environment Securing Device to Cloud (Communication Security) •Allowed traffic is secure and authenticated •Broker / infrastructure / perimeter defense – Firewalling – All in-bound ports other than Broker ports are closed • Everyware VPN service Securing the Device •Firewall •OSGi / Signed Code / secure execution environment •Secure Boot on Hardware Java VM Code Linux
www.eurotech.com Thank You!

More Related Content

PPTX
Edge Computing.pptx
byPriyaMaurya52
 
PDF
Lecture 1 - Introduction to IoT
byAlexandru Radovici
 
PDF
Internet of Things(IOT)_Seminar_Dr.G.Rajeshkumar
byRAJESHKUMARG12
 
PPT
Fog computing
byValarmathi Srinivasan
 
PPTX
IOT Presentation Seminar PPT
byHimanshu Jaswal
 
PDF
Data in Motion vs Data at Rest
byInternap
 
PPTX
Edge computing
byAbhayDhupar
 
PDF
IOT Security
bySylvain Martinez
 
Edge Computing.pptx
byPriyaMaurya52
 
Lecture 1 - Introduction to IoT
byAlexandru Radovici
 
Internet of Things(IOT)_Seminar_Dr.G.Rajeshkumar
byRAJESHKUMARG12
 
Fog computing
byValarmathi Srinivasan
 
IOT Presentation Seminar PPT
byHimanshu Jaswal
 
Data in Motion vs Data at Rest
byInternap
 
Edge computing
byAbhayDhupar
 
IOT Security
bySylvain Martinez
 

What's hot

PPTX
Internet of things (IoT)
byAnkur Pipara
 
PPTX
IoT Security, Threats and Challenges By V.P.Prabhakaran
byKoenig Solutions Ltd.
 
PPTX
Public cloud
byDr.Neeraj Kumar Pandey
 
PPTX
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
byMohan Kumar G
 
PPTX
Cloud Computing- components, working, pros and cons
byAmritpal Singh Bedi
 
ODP
Ambient intelligence
byNikhil Patteri
 
PPTX
CLOUD COMPUTING UNIT-1
byDr K V Subba Reddy
 
PPTX
Firewall ppt
byOECLIB Odisha Electronics Control Library
 
PDF
Cisco Internet of Things
byPanduit
 
PPT
Cloud Computing Security Challenges
byYateesh Yadav
 
PPTX
Internet of things - challenges scopes and solutions
byShivam Kumar
 
PDF
Internet of Things (IOT) - Technology and Applications
byDr. Mazlan Abbas
 
PDF
IoT and m2m
bypavan penugonda
 
PDF
CS8791 Cloud Computing - Question Bank
bypkaviya
 
PPTX
Iot architecture
byNiranjan Kumar
 
PPTX
Introduction to IOT
byZubayer Al Billal Khan
 
PDF
Building Blocks for IoT Devices
byAnil Gorthy
 
PPT
Peer to Peer services and File systems
byMNM Jain Engineering College
 
PPTX
Iot ppt
byKrishna Saini
 
PDF
Smartie - Project overview
byDunavNET
 
Internet of things (IoT)
byAnkur Pipara
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
byKoenig Solutions Ltd.
 
Public cloud
byDr.Neeraj Kumar Pandey
 
Internet-of-things- (IOT) - a-seminar - ppt - by- mohan-kumar-g
byMohan Kumar G
 
Cloud Computing- components, working, pros and cons
byAmritpal Singh Bedi
 
Ambient intelligence
byNikhil Patteri
 
CLOUD COMPUTING UNIT-1
byDr K V Subba Reddy
 
Firewall ppt
byOECLIB Odisha Electronics Control Library
 
Cisco Internet of Things
byPanduit
 
Cloud Computing Security Challenges
byYateesh Yadav
 
Internet of things - challenges scopes and solutions
byShivam Kumar
 
Internet of Things (IOT) - Technology and Applications
byDr. Mazlan Abbas
 
IoT and m2m
bypavan penugonda
 
CS8791 Cloud Computing - Question Bank
bypkaviya
 
Iot architecture
byNiranjan Kumar
 
Introduction to IOT
byZubayer Al Billal Khan
 
Building Blocks for IoT Devices
byAnil Gorthy
 
Peer to Peer services and File systems
byMNM Jain Engineering College
 
Iot ppt
byKrishna Saini
 
Smartie - Project overview
byDunavNET
 

Viewers also liked

PDF
The 5 elements of IoT security
byJulien Vermillard
 
PPT
IoT security (Internet of Things)
bySanjay Kumar (Seeking options outside India)
 
PDF
Overview of IoT and Security issues
byAnastasios Economides
 
PDF
Internet of Things - Privacy and Security issues
byPierluigi Paganini
 
PDF
Security in the Internet of Things
byForgeRock
 
PDF
The Internet of Things: Privacy and Security Issues
byEuropean Union Agency for Network and Information Security (ENISA)
 
PDF
IoT Security: Problems, Challenges and Solutions
byLiwei Ren任力偉
 
PPT
Internet of Things and its applications
byPasquale Puzio
 
PPTX
IoT Security Risks and Challenges
byOWASP Delhi
 
PDF
Internet of Things: Challenges and Issues
byrjain51
 
PDF
Internet of Things
byVala Afshar
 
PPTX
IoT - IT 423 ppt
byMhae Lyn
 
PDF
What exactly is the "Internet of Things"?
byDr. Mazlan Abbas
 
PDF
What is the Internet of Things?
byFelix Grovit
 
PPTX
Security in IoT
bygr9293
 
PDF
IoT architecture
bySumit Sharma
 
PPTX
Internet of things security "Hardware Security"
byAhmed Mohamed Mahmoud
 
PPT
THE INTERNET OF THINGS
byRamana Reddy
 
PDF
Internet of Things and Security challenges
byAnastasios Economides
 
The 5 elements of IoT security
byJulien Vermillard
 
IoT security (Internet of Things)
bySanjay Kumar (Seeking options outside India)
 
Overview of IoT and Security issues
byAnastasios Economides
 
Internet of Things - Privacy and Security issues
byPierluigi Paganini
 
Security in the Internet of Things
byForgeRock
 
The Internet of Things: Privacy and Security Issues
byEuropean Union Agency for Network and Information Security (ENISA)
 
IoT Security: Problems, Challenges and Solutions
byLiwei Ren任力偉
 
Internet of Things and its applications
byPasquale Puzio
 
IoT Security Risks and Challenges
byOWASP Delhi
 
Internet of Things: Challenges and Issues
byrjain51
 
Internet of Things
byVala Afshar
 
IoT - IT 423 ppt
byMhae Lyn
 
What exactly is the "Internet of Things"?
byDr. Mazlan Abbas
 
What is the Internet of Things?
byFelix Grovit
 
Security in IoT
bygr9293
 
IoT architecture
bySumit Sharma
 
Internet of things security "Hardware Security"
byAhmed Mohamed Mahmoud
 
THE INTERNET OF THINGS
byRamana Reddy
 
Internet of Things and Security challenges
byAnastasios Economides
 

Similar to IoT Security Elements

PDF
IoT Security in Action - Boston Sept 2015
byEurotech
 
PDF
Medical & Healthcare IoT M2M Solutions
byEurotech
 
PPTX
Cloud Identity Management
byDamian T. Gordon
 
PDF
Internet of Things (IoT) Security Measures Insights from Patents
byAlex G. Lee, Ph.D. Esq. CLP
 
PDF
Encapsulating Complexity in IoT Solutions
byEurotech
 
PDF
Internet of Things, Cloud and Big Data
byEurotech
 
PDF
IoT/M2M Security
byYu-Hsin Hung
 
PDF
Developing Interoperable Components for an Open IoT Foundation
byEurotech
 
PDF
how to implement an IoT architecture
byRoberto Siagri
 
PDF
Stop Wasting Energy on M2M
byEurotech
 
PPTX
Con8823 access management for the internet of things-final
byOracleIDM
 
PPTX
Unit_3.pptx
byRAMESHMRA21130030110
 
PDF
M2M Application Enablement with the Everyware Cloud Platform
byEurotech
 
PDF
Emerging IoT in the Energy Sector
byEast Midlands Cyber Security Forum
 
PPTX
Removing Security Roadblocks to IoT Deployment Success
byMicrosoft Tech Community
 
PDF
Ericsson Technology Review: End-to-end Security Management for the IoT
byEricsson
 
PDF
IRJET- Data and Technical Security Issues in Cloud Computing Databases
byIRJET Journal
 
PDF
oneM2M - Facing the challenges of M2M security and privacy
byoneM2M
 
PDF
IoT Solutions Made Simple with Everyware IoT
byEurotech
 
PPTX
Security aspect of IOT.pptx
byPrinceGupta789219
 
IoT Security in Action - Boston Sept 2015
byEurotech
 
Medical & Healthcare IoT M2M Solutions
byEurotech
 
Cloud Identity Management
byDamian T. Gordon
 
Internet of Things (IoT) Security Measures Insights from Patents
byAlex G. Lee, Ph.D. Esq. CLP
 
Encapsulating Complexity in IoT Solutions
byEurotech
 
Internet of Things, Cloud and Big Data
byEurotech
 
IoT/M2M Security
byYu-Hsin Hung
 
Developing Interoperable Components for an Open IoT Foundation
byEurotech
 
how to implement an IoT architecture
byRoberto Siagri
 
Stop Wasting Energy on M2M
byEurotech
 
Con8823 access management for the internet of things-final
byOracleIDM
 
Unit_3.pptx
byRAMESHMRA21130030110
 
M2M Application Enablement with the Everyware Cloud Platform
byEurotech
 
Emerging IoT in the Energy Sector
byEast Midlands Cyber Security Forum
 
Removing Security Roadblocks to IoT Deployment Success
byMicrosoft Tech Community
 
Ericsson Technology Review: End-to-end Security Management for the IoT
byEricsson
 
IRJET- Data and Technical Security Issues in Cloud Computing Databases
byIRJET Journal
 
oneM2M - Facing the challenges of M2M security and privacy
byoneM2M
 
IoT Solutions Made Simple with Everyware IoT
byEurotech
 
Security aspect of IOT.pptx
byPrinceGupta789219
 

More from Eurotech

PDF
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
byEurotech
 
PDF
Integrating electrical systems easily – accelerating the path towards sustain...
byEurotech
 
PDF
Enabling supply chain flexibility and IoT scale with zero touch provisioning
byEurotech
 
PDF
Automatic People and Passenger Counters
byEurotech
 
PDF
Intelligent IoT gateway: pushing analytics at the edge
byEurotech
 
PDF
Eclipse kura in industry 4.0 david woodard
byEurotech
 
PDF
Building IoT Mashups for Industry 4.0 with Eclipse Kura and Kura Wires
byEurotech
 
PDF
OSGi and Java in Industrial IoT
byEurotech
 
PDF
IoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
byEurotech
 
PDF
Vivere del Cambiamento: tracciare la rotta verso l'industria 4.0
byEurotech
 
PDF
Real World IoT Architectures and Projects with Eclipse IoT
byEurotech
 
PDF
L’IoT industriale e i vantaggi competitivi della trasformazione digitale
byEurotech
 
PDF
Reshaping Business Through IoT: Key Technology Factors to Consider
byEurotech
 
PDF
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
byEurotech
 
PDF
Eurotech and Red Hat collaboration simplifies Internet of Things integration ...
byEurotech
 
PDF
Real World IoT Architecture Use Cases
byEurotech
 
PDF
Simplify Internet of Things with an Intelligent Gateway
byEurotech
 
PDF
Internet of Things: a reality check
byEurotech
 
PDF
IoT the driver of Business Innovation: better products, new services and...
byEurotech
 
PDF
HPC the new normal
byEurotech
 
From Tracks to Highways: Boosting Infrastructure Safety with Mobile Edge AIoT
byEurotech
 
Integrating electrical systems easily – accelerating the path towards sustain...
byEurotech
 
Enabling supply chain flexibility and IoT scale with zero touch provisioning
byEurotech
 
Automatic People and Passenger Counters
byEurotech
 
Intelligent IoT gateway: pushing analytics at the edge
byEurotech
 
Eclipse kura in industry 4.0 david woodard
byEurotech
 
Building IoT Mashups for Industry 4.0 with Eclipse Kura and Kura Wires
byEurotech
 
OSGi and Java in Industrial IoT
byEurotech
 
IoT Solutions for Smart Energy Smart Grid and Smart Utility Applications
byEurotech
 
Vivere del Cambiamento: tracciare la rotta verso l'industria 4.0
byEurotech
 
Real World IoT Architectures and Projects with Eclipse IoT
byEurotech
 
L’IoT industriale e i vantaggi competitivi della trasformazione digitale
byEurotech
 
Reshaping Business Through IoT: Key Technology Factors to Consider
byEurotech
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
byEurotech
 
Eurotech and Red Hat collaboration simplifies Internet of Things integration ...
byEurotech
 
Real World IoT Architecture Use Cases
byEurotech
 
Simplify Internet of Things with an Intelligent Gateway
byEurotech
 
Internet of Things: a reality check
byEurotech
 
IoT the driver of Business Innovation: better products, new services and...
byEurotech
 
HPC the new normal
byEurotech
 

Recently uploaded

PDF
What Is Setup for Decoration | Machine Reality Explained
byInkdnylon
 
PDF
How to Buy Verified Bybit Accounts in 2026.pdf
bymarketing
 
PPTX
Myntra Seller Commission & Fees Guide | Ecommerce Account Management by Miloy...
byMiloy And Company
 
PDF
Your presence tells your story in real time
byPatrice Bisiot
 
PDF
Serhii Herasymov: Expert sales in outsource companies: your technical special...
byLviv Startup Club
 
PDF
ICv2 White Paper - Navigating the New World of Comics
byDennisViau
 
PDF
J Hamilton M&G - 4 Feb 2026 FINAL (1).pdf
byHenry Tapper
 
PPTX
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
PPTX
QUALITY-AUDIT: ISO 9001:2015 Internal Audit Summary Report -.pptx
byAlyumaeRoseTajaleflo
 
PDF
On Demand Service Provider App Development
byV3CUBE TECHNOLABS
 
PDF
Kirill Klip GEM Royalty TNR Gold Presentation
byKirill Klip
 
DOCX
DLL MAPEH 6 Q4 WEEK 6.docxdwefwefweffwe
byandreajanelleabando2
 
PPTX
Why NJ State's Apostille Rejections Happen More Often Than You Think
byNew Jersey Mobile Notary & Apostille Services
 
PDF
A Brief Introduction About Xin Yi Hoo
byXin Yi Hoo
 
DOCX
DLL MAPEH 6 Q4 WEEK 5.docxfwffewwefweff
byandreajanelleabando2
 
PPTX
PUC_Centre_Machines_Presentation.pptxknjn
bysaksham9021187243
 
PDF
Company Valuation webinar - Feb 2026.pdf
byFelixPerez547899
 
PDF
Impact of Earnings Surprises on Short Term Asset Prices.pdf
bybharadwajduggarajupr
 
DOCX
7 Best Legitimate Ways to Buy Verified Cash App Accounts in 2026.docx
byLos Angeles
 
DOCX
How to Buy Verified Bybit Accounts in 2026 not risk .docx
bymarketing
 
What Is Setup for Decoration | Machine Reality Explained
byInkdnylon
 
How to Buy Verified Bybit Accounts in 2026.pdf
bymarketing
 
Myntra Seller Commission & Fees Guide | Ecommerce Account Management by Miloy...
byMiloy And Company
 
Your presence tells your story in real time
byPatrice Bisiot
 
Serhii Herasymov: Expert sales in outsource companies: your technical special...
byLviv Startup Club
 
ICv2 White Paper - Navigating the New World of Comics
byDennisViau
 
J Hamilton M&G - 4 Feb 2026 FINAL (1).pdf
byHenry Tapper
 
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
QUALITY-AUDIT: ISO 9001:2015 Internal Audit Summary Report -.pptx
byAlyumaeRoseTajaleflo
 
On Demand Service Provider App Development
byV3CUBE TECHNOLABS
 
Kirill Klip GEM Royalty TNR Gold Presentation
byKirill Klip
 
DLL MAPEH 6 Q4 WEEK 6.docxdwefwefweffwe
byandreajanelleabando2
 
Why NJ State's Apostille Rejections Happen More Often Than You Think
byNew Jersey Mobile Notary & Apostille Services
 
A Brief Introduction About Xin Yi Hoo
byXin Yi Hoo
 
DLL MAPEH 6 Q4 WEEK 5.docxfwffewwefweff
byandreajanelleabando2
 
PUC_Centre_Machines_Presentation.pptxknjn
bysaksham9021187243
 
Company Valuation webinar - Feb 2026.pdf
byFelixPerez547899
 
Impact of Earnings Surprises on Short Term Asset Prices.pdf
bybharadwajduggarajupr
 
7 Best Legitimate Ways to Buy Verified Cash App Accounts in 2026.docx
byLos Angeles
 
How to Buy Verified Bybit Accounts in 2026 not risk .docx
bymarketing
 

IoT Security Elements

  • 1.
    M2M / IoTSecurity Eurotech's Everyware IoT Security Elements Overview 23 September 2015 Robert Andres
  • 2.
    M2M / IoTSecurity The confidentiality, integrity, and availability of our customers’ data and IoT infrastructure is of the utmost importance to Eurotech, as is maintaining our customers’ trust and confidence. Security therefore is an important aspect of everything we do… Eurotech Security & Privacy Statement
  • 3.
    M2M / IoTSecurity Holistic Approach is required… M2M Communication Infrastructure Device Firmware / Application Business Application Sensors & Device Hardware Business Application Integration • Every company / organization can be a target • Security has to be fundamental part of the overall architecture • Security technology best practice has to take into account the specific aspects of distributed, unattended, mobile systems / devices • Security has to be implemented end-to-end and in the individual elements
  • 4.
    M2M / IoTSecurity Enemies Everywhere, Many Reasons … Attackers / Hackers Profiles: • Hackers (white hat) • Cracker (black hat, criminal) • Script Kiddies • Competitors • Criminal Organizations • Governments Financial, Business, Political Motives • Espionage, industrial espionage • Sabotage, disruption of business • Theft, fraud (also resources) • Manipulation • Cyberwar Intangible Motives • Curiosity • Revenge, infamy • Self-worth Harm, Steal, Play
  • 5.
    M2M / IoTSecurity Attackers / Hackers Targets Quality, Performance, Availability, Reputation • Service interruption & malfunction • Manipulation of equipment, actuators • Damage to image and financial results Know-How, Intellectual Property • Data • Code • Process information Resources • Systems / distributed systems • Bandwidth Attackers / Hackers Profiles: • Hackers (white hat) • Cracker (black hat, criminal) • Script Kiddies • Competitors • Criminal Organizations • Governments Harm, Steal, Play
  • 6.
    Everyware Security Architecture Foundationfor IoT Security • Device has a validated identity • IoT platform has a validated identity • Mutual authentication for communication • Encrypted and signed messages • Secure execution environment (devices & IoT platform) • Secure software management / distribution • State-of-the art network & system security (firewall, hardening) • Role based access control • Secure management access
  • 7.
    Everyware Security Architecture UnderlingPrinciples • Build solutions based on open and industry standards • Leveraging proven IT/enterprise/Internet class security technologies and partnerships • Including security, scalability and resiliency in design from day one • Security technology best practice has to take into account the specific aspects of distributed, unattended, mobile systems / devices • Security has to be implemented end-to-end and in the individual elements • Encapsulate the complexity of an end-to-end security solution • Continuous testing and auditing
  • 8.
    M2M / IoTSecurity Security Focus Points Things Gateways / Smart Devices IoT / OT Platform Application IoT Device Cloud Security •Authentication (verified) •PKI / certificate management •Trusted execution environment •Network security / firewall •Access control (role based) •… IoT Device Security • Authentication (verified) • Service discovery / provisioning / pairing • Trusted execution environment • Network security / firewall • Secure Boot Communication Security • Authentication (verified) • Encryption • Message integrity • MitM protection • DNS spoofing protection
  • 9.
    M2M / IoTSecurity Strong Authentication / Trust Anchors / Verification @ Things Gateways / Smart Devices IoT / OT Platform Application DNSSEC / DANE Infrastructure
  • 10.
    M2M / IoTSecurity Authentication: Alternatives Many alternatives of identification / authentication can be found, not all of them are suitable for M2M/IoT in terms of functionality, security level and scalability: • ID (just identification, no proof of anything) • Username and Password • Biometric solutions • One-time Password • API Key • TPM based solutions • Public Key Infrastructure (PKI) PKI is widely recognized as the one of the strongest authentication mechanism
  • 11.
    M2M / IoTSecurity Authentication: Public Key Infrastructure PKI is widely recognized as one of the the strongest authentication mechanism • Trusted and well established technology • High level of standardization and interoperability • Very scalable • Allows for mutual authentication • Can be used for many applications, including: • Signing messages • Signing documents • Logon & authentication • Certificates / keys in files and tokens • CA / root of trust options • CA-Signed • Self-Signed Certificates
  • 12.
    M2M / IoTSecurity Certificate Based Authentication in Everyware Cloud Everyware Cloud Authentication Foundation • Integrated X.509 certificate management / PKI • Individual certificates per device / service • Foundation for using cryptographic methods most effectively • Based on industry and open standards
  • 13.
    The Eurotech IoTApproach : E2E Security Aspects Overview Application Infrastructure Application Layer Communication Infrastructure Field Infrastructure MQTT M2M Integration Platform Client Device HW Communication Infrastructure API´s Communication channels / sessions M2M/IoT Integration Platform - Deployment options / infrastructure - SW architecture and elements Communication channels / sessions - SSL/TLS - Pairing Infrastructure security aspects - SIM card management Multi-Service Gateway - Hardware - SW architecture and elements Field technology, protocols, communication All levels: - Authentication / root of trust - Integrity / hardening of solution - Efficiency (unattended, distributed) - Best practice processes Security Assessment, Testing and Validation (3rd party)
  • 14.
    EDC Security Overview (EverywareCloud, Public Cloud Offering) • Secure Transmission of Data. All MQTT traffic is encrypted over an SSL connection. All Console access is exclusively available over an encrypted HTTPS connection. All REST API access is exclusively available over an encrypted HTTPS connection. • Physical Access to Data. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. • Logical Access to Data Store. All databases are protected through strict firewall rules from external access and they are only accessible from the mid-tier machines. In the database, data is segregated by account through a unique tenant Id. At the MQTT broker, broker data and traffic is segregated between accounts using virtual machine segregation.
  • 15.
    EDC Security Overview (EverywareCloud, Public Cloud Offering) • Identity and Access Management. Confidentiality and integrity are ensured through a role based access control model and access control lists which follow the Principle of Least Privilege and are enforced through all the layers of the architecture. Each account manages a list of users and controls the user’s credentials. Everyware Cloud has a configurable lockout policy per account, which may blocks user’s credentials after a certain number of failed login attempts. Logins to Everyware Console can be further protected through the use of a Two Factor Authentication (2FA). Everyware Cloud does support individual device certificate based authentication to support also customer managed PKI solutions • Vulnerability Management. Independent certified security firm performs remote vulnerability assessments, including network/host and applications. Eurotech will ensure Internal and External vulnerability scanning is conducted quarterly and after any major changes to the environment, and remediates any critical security issues found within a reasonable time frame and report the results of the remediation. 15
  • 16.
    The Eurotech IoTApproach : E2E Overview System Infrastructure Application Infrastructure Layer Application Layer Communication Infrastructure Field Infrastructure MQTT M2M Integration Platform Client Device HW Device, Gateway, OS, Security Device Application Framework Certifications, etc Aggregators & On- Premise Platforms M2M Integration / Application Enablement / Device and Application Management Platform SIM Card & Communication Infrastructure Management Optimum M2M / IoT Protocols Public Cloud Private Cloud Sensors, HMIs, Actuators, etc. aPaaS SaaS Enterprise Applications Big Data Databases Analytics Enterprise IT Mining CEP ERP CRM …. Communication Infrastructure
  • 17.
    The M2M IntegrationPlatform Remote Access / VPN M2M Integration Platform @ Alerts Control Center MQTT (Always-On) VPN On-Demand VPN Server Applications Remote Access Devices
  • 18.
    An Introduction toEDC Security – Upcoming Versions of EC & ESF Everyware Device Cloud - Security
  • 19.
    EDC Security Elements @ IntegratedCertificate Management / PKI • Certificate Management – Dedicated administrative web panel – Standard X509 certificate format – Certificate chain support – Certificate validations and export functionalities – Trusted message server signed digest over MQTT – EDC jobs to provision, renew and revoke certificates • Integrity • Authenticity • Non-repudiation of origin Ensures:
  • 20.
    EDC Security Elements @ SecureMessaging / MQTT • All MQTT traffic is encrypted over an SSL connection. • Data messages are subject to an algorithm of data transformation: data must be serialized before being transmitted with the same protocol that is used by the receiver (subscriber) to be de-serialized. • Device Management Messages published by EC are signed to guarantee authenticity and message integrity.
  • 21.
    EDC Security Elements @ TenantSegregation • Secure multi-tenant implementation • At the MQTT broker, broker data and traffic is segregated between accounts using virtual machine segregation • All data (telemetrics, device events,…) are archived in a Big Data (no SQL) database and kept isolated by Virtual Private DB
  • 22.
    EDC Security Elements @ Accessto Console over encrypted HTTPS only • Secure enforced passwords (12 chars long complex password) • Password stored one-way-encrypted only • Configurable lock-out policy per account • Option: Two factor authentication based on one-time-password via QR code on mobile phone + username & password
  • 23.
    EDC Security Elements @ SecureProgrammable Interfaces • Programmable interfaces (REST API, WEBSOCKETS) available exclusively over an encrypted HTTPS connection
  • 24.
    • The MQTTconnection is always initiated by the gateway and remains always open. The opening session is an outbound MQTT connection from the local area network, possibly behind the firewall, towards Everyware Cloud. • At all points only minimal number of open ports (MQTT, HTTPS, SSL, VPN) • All databases in Everyware Cloud are protected through strict firewall rules from external access and they are only accessible from the mid-tier machines. • Devices are firewall protected EDC Security Elements Firewall Protection and reduced “attack footprint” @
  • 25.
    • OSGi Security:Signed Bundles Checks (Integrity, Authenticity) • ESF Security Manager • Environment Integrity Checks • Environment Hardening • Allowed Jar Signatures • Allowed Bundle Access • Device Unique Master Password (Code Obfuscation, String Encryption) • Encrypted Configuration Storage • SSL Mutual Authentication • Device Management Checks (Integrity, Authenticity) • Remote Certificate Management EDC Security Elements @ Secure Execution Environment (Device, ESF)
  • 26.
    EDC Security Elements •OSGi Security – Signed Bundles Checks • Integrity • Authenticity • ESF Security Manager – Environment Integrity Checks – Environment Hardening – Allowed Jar Signatures – Allowed Bundle Access – Device Unique Master Password • Code Obfuscation • String Encryption – Encrypted Configuration Storage – SSL Mutual Authentication – Device Management Checks • Integrity • Authenticity – Remote Certificate Management ESF Java SE Embedded OSGi ESF Security ESF Security Manager ESF Certificate Manager ESF SSL Manager ESF Bundles Application JKS ESF JKS SSL Encrypted Configuration Snapshots ESF Security Manager Overview
  • 27.
    EDC Security Elements @ RemoteManagement / VPN • Secure administrator initiated transparent IP connection between remote systems and devices in the field • Gateways behind firewalls can be reached • No IP addressing conflicts prevent or complicate the establishment of connections • Using the established MQTT channel for initiating the VPN connection from the remote device (openVPN, soon IPSEC)
  • 28.
    EDC Security Elements @ Auditing/ Penetration Testing • Eurotech performs regularly vulnerability assessments, like Code Injection, Cross Site Request Forgery, credentials stealing, etc…, including network/host and applications. • Eurotech ensures internal and external vulnerability scanning is conducted periodically and after any major changes to the environment
  • 29.
    EDC Security Overview (Subset,Examples) EC 4.0 Device to Cloud to Application Security Architecture •X.509 Certificate based authentication •Integrated PKI / Certificate management Security “in the Cloud” (IoT / OT Platform) •Allowed traffic is secure and authenticated •Application / Interface servers: no ports open other than 443 (HTTPS) •Secure cloud infrastructure •Signed Code / secure execution environment Securing Device to Cloud (Communication Security) •Allowed traffic is secure and authenticated •Broker / infrastructure / perimeter defense – Firewalling – All in-bound ports other than Broker ports are closed • Everyware VPN service Securing the Device •Firewall •OSGi / Signed Code / secure execution environment •Secure Boot on Hardware Java VM Code Linux
  • 30.