SlideShare a Scribd company logo

Secure IOT Gateway

L
LF Events

LinuxCon Tokyo 2016 focused on developing secure IoT gateways. The presentation discussed gateway architecture choices like ARM and x86 processors. Connectivity options for sensors like Bluetooth and WiFi were also covered. Security is a major concern, and the talk evaluated both reactive measures like intrusion detection and proactive approaches like mandatory access control. Maintaining gateways over long product lifecycles requires techniques like live kernel patching and signed over-the-air updates to securely deploy upgrades. Embedded Linux provides a robust software platform for building reliable and secure IoT gateways.

Technology
1 of 23
Download to read offline
LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead, MontaVista Software
Setting the Stage • This presentation will focus on developing Secure Gateways (Edge Computing & Connectivity) in the IoT Architecutre • Primarily discussion will be on Architecture, Security, and Maintainence features Sensors Gateway Cloud/Database & Analytics Applications L i n u x
Agenda Architecture Connectivity Security Maintainability Summary and Q&A
Architecture: Modern vs Wild West
Architecture choices Embedded processor considerations: – Processor family • ARM • Intel x86 • PowerPC and MIPS possible but not as popular – Power consumption • ARM: low power, advanced PM features • Intel x86: limited PM options
Architecture choices (ctd) Embedded processor considerations: – Performance • ARM: Good core performance on lower Ghz • Intel x86: ”Add Ghz -> more perf” – Optimizations • Security offload • Virtualization – Deployment model • SOC model vs. ”generic compute” • Longevity?
Ecosystem  Intel vs. ARM really • PPC and MIPS thin and fading ecosystem • Ubuntu, Fedora, Debian, OpenSUSE, MontaVista, WindRiver, and Enea all have/will have x86 and ARM support for mainstream distros • LINARO (ARM lead)  Yocto project (Intel lead) • Consolidate embedded development on OE/bitbake
Connectivity
Sensors, Sensors everywhere!  Simple sensor data drives the IoT engine • Fitness trackers, heart monitors, oil and pressure temperature gauges, & packet latency in SDN Gateway L i n u x  What connects them • Wireless: Bluetooth, Wi-fi, Cellular Modem, (3G/4G/5G), Zigbee, & 6loPAN • The bus lineup: Canbus, Profibus, & Modbus • Serial, SPI, I2C • Near Field Communication (NFC) • Prioprietary  Implications • Selected architecture must support (directly or USB/PCI) ALL • Drivers as well...possible port from different architecture • Enough performance • Maintain versions • Brace for the new
To the Cloud  Data from sensors is the lifeblood of IoT • Connects to cloud or database • Gateways can filter/preprocess data • Push must be secure (encrypted and authenticated) • Connectivity is bi-redirectional so IoT Gateway must be secure from the cloud  IoTivity  Community framework to connect end devices  Alljoyn Open Source Framework  Connect and communicate across transports/OSes
Security
Recent Real-World Examples • DHS confirms Public Sector Control system hacked – Attacking inadequate perimeter security, an attacker could compromise the SCADA system with capability to inject commands and read data at will – The controlled device was brought down for maintenance so no damage done • Boeing and Airbus – Hacker used in-flight Wi-Fi connection to hack into flight control systems – Allegedly controlled thrust for engines, oxygen mask deployment, etc. • Drones – Johns Hopkins University research demonstrated 3 different ways to send unwanted commands – Could force drones to land or just crash • Personal vehicles – Jeep hacked through navigation and Corvette hacked by SMS – Activate wipers, apply brakes, disable engine & brakes
Design Considerations • Building security primarily in the Gateway? – Edge devices are constrained on hardened channel – Requires encryption for the channel and two-way authentication for setup • Trusted edge vs. Edge Computing - two polars? – Moving computing to the edge can help build end-to- end efficiency, but requires edge and gateway devices to handle the security – Can also be seen as a way to fence out security threats for some layers of the processing so they cannot be exploited from the Cloud • Lifecycle: secure firmware updates and CVEs – The Edge is relying on the IT-supported backend to handle the updates, requires careful consideration for the technology and process • Provide monitoring for end-to-end data on the Gateway – Using DPI for heuristics- based detection of exploits • Combining types of security: physical, networking, system integrity and isolation of domains Architectural Functional
IoT Platform Virtualization & Security vTPM Guest VM Container Openflow DPDK LXC/Docker KVM EMBEDDED LINUX SELinux / sVirt Application Application Hardware Platform LXC/Docker Application 3rd Party Container Monitoring / Auditing Bootloader TPM (x86) Root of Trust CVEFixes and-Maintenance Network Security - IPSec HW offload - Policy Configuration Live Patching Policy Configuration based on System Requirements TrustZone (ARM) DPDK FIPS
Types of Security Measures • Reactive Measures – Common Vulnerabilities and Exposures (CVEs) • https://cve.mitre.org/ • The standard list for holes in common systems • Very important to cover the affected parts in your product; MontaVista will do this for you – Intrusion-detection systems • Take action based on perceived attack • Several systems exist for Linux (LIDS, auditd, inotify, tripwire..) – Auditing and logging • Knowing you’ve been attacked prevents further damage • Collect evidence for litigation against the attacker • Example tools: Auditd, syslog, inotify, SELinux.. • Proactive Measures – Mandatory Access Control (MAC) • Minimizes the damage that unknown exploits can do to your system • Increases the chances to block 0-day exploits (unknown vulnerabilities) – System Certification • Provide Common Criteria or similar certification for your product or platform • MontaVista’s Linux is certifiable and we can help with the process – Root of Trust
• Full featured and lightweight virtualization solutions Embedded Linux Container Core Isolation Application LXC/Docker Container Application KVM Application OS Guest VM  KVM Full virtualization  Docker Application containers  LXC Full-system Containers  Core Isolation Dataplane and RT applications Virtualization Technology for Isolation
• Make Security a Priority • Implement Mixture – Reactive – Proactive • Stay Current
Maintenance
IoT Maintainability Requirements • Product life cycle support • Ability to upgrade application, kernel, drivers, userland, or whole system • Upgrades done with little to no “human” interaction and downtime – Wireless delivery • Secure updates – Authentication – Encryption
Addressing IoT Maintenance with Linux • Long Term Support (LTS) Kernel – Can be extended beyond 10+ years in commercial Linux distributions • SMART package manager – Allows for source or binary distribution – Flexible to update userland, application, etc. • Live kernel patching • Crypto API support • Trusted Platform Module (TPM) and TrustZone for secure OTA updates
IoT: Signed OTA Updates • IoT devices and Gateways have embedded requirements for small footprint but still a very high demand for security • The process relies on the Kernel Live Patches, RPMs, or Container images being hashed and signed by a certificate that can be validated by the TPM or TEE on the target system if necessary – Can also support two-way signatures by using standard RPM signing using GPG keys, potentially enforced by the server-side TPM. • Such processes are adopted by OSVs like Symantec, Redbend and practically all product manufacturers that are concerned about running trusted/secure SW on the devices. • Without secure updates, the integrity of the platform cannot be maintained. ServerDevice Decrypt and verify signature Update Data Generate, Sign and Encrypt Host OS Update Data Pubkey- TPM SecKey- Host PubKey- Host SecKey- TPM Deliver update • RPM / deb / IPK • Docker, VM image • Kernel (Live) Patch TPM TPM/TEE SDK Linux Linux
Summary • Embedded Linux offers solid software platform to IoT Gateway developers – Architecture – Connectivity • Security is IMPORTANT to implement • High uptime maintainability
Thank You Questions/Discussion jgallagher@mvista.com

Recommended

IoT architecture
IoT architectureIoT architecture
IoT architectureSumit Sharma
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Sources of IoT (JNTUK - UNIT 1)
Sources of IoT (JNTUK - UNIT 1)Sources of IoT (JNTUK - UNIT 1)
Sources of IoT (JNTUK - UNIT 1)FabMinds
 
Internet of things using Raspberry Pi
Internet of things using Raspberry PiInternet of things using Raspberry Pi
Internet of things using Raspberry PiYash Gajera
 
Iot architecture
Iot architectureIot architecture
Iot architectureAnam Iqbal
 
Fog Computing
Fog ComputingFog Computing
Fog ComputingPachipulusu Giridhar
 
Introduction to IoT Architectures and Protocols
Introduction to IoT Architectures and ProtocolsIntroduction to IoT Architectures and Protocols
Introduction to IoT Architectures and ProtocolsAbdullah Alfadhly
 
M2M systems layers and designs standardizations
M2M systems layers and designs standardizationsM2M systems layers and designs standardizations
M2M systems layers and designs standardizationsFabMinds
 

Recommended

IoT architecture
IoT architectureIoT architecture
IoT architectureSumit Sharma
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Sources of IoT (JNTUK - UNIT 1)
Sources of IoT (JNTUK - UNIT 1)Sources of IoT (JNTUK - UNIT 1)
Sources of IoT (JNTUK - UNIT 1)FabMinds
 
Internet of things using Raspberry Pi
Internet of things using Raspberry PiInternet of things using Raspberry Pi
Internet of things using Raspberry PiYash Gajera
 
Iot architecture
Iot architectureIot architecture
Iot architectureAnam Iqbal
 
Fog Computing
Fog ComputingFog Computing
Fog ComputingPachipulusu Giridhar
 
Introduction to IoT Architectures and Protocols
Introduction to IoT Architectures and ProtocolsIntroduction to IoT Architectures and Protocols
Introduction to IoT Architectures and ProtocolsAbdullah Alfadhly
 
M2M systems layers and designs standardizations
M2M systems layers and designs standardizationsM2M systems layers and designs standardizations
M2M systems layers and designs standardizationsFabMinds
 
VANET in Mobile Computing
VANET in Mobile ComputingVANET in Mobile Computing
VANET in Mobile ComputingKABILESH RAMAR
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of thingssreelekha appakondappagari
 
Adaptation of tcp window
Adaptation of tcp windowAdaptation of tcp window
Adaptation of tcp windowpriya Nithya
 
Iot
IotIot
IotAnkit Anand
 
IoT and m2m
IoT and m2mIoT and m2m
IoT and m2mpavan penugonda
 
UNIT-5 IoT Reference Architecture.pdf
UNIT-5 IoT Reference Architecture.pdfUNIT-5 IoT Reference Architecture.pdf
UNIT-5 IoT Reference Architecture.pdfMansiMehta96928
 
An introduction to MQTT
An introduction to MQTTAn introduction to MQTT
An introduction to MQTTAlexandre Moreno
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Iot and cloud computing
Iot and cloud computingIot and cloud computing
Iot and cloud computingeteshagarwal1
 
IoT Connectivity
IoT Connectivity IoT Connectivity
IoT Connectivity Hitesh Mohapatra
 
The constrained application protocol (CoAP)
The constrained application protocol (CoAP)The constrained application protocol (CoAP)
The constrained application protocol (CoAP)Hamdamboy (함담보이)
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to VirtualizationRahul Hada
 
Vanet ppt
Vanet pptVanet ppt
Vanet pptAkash Raghunath
 
Iot architecture
Iot architectureIot architecture
Iot architectureNiranjan Kumar
 
M2M - Machine to Machine Technology
M2M - Machine to Machine TechnologyM2M - Machine to Machine Technology
M2M - Machine to Machine TechnologySamip jain
 
Introduction to MQ Telemetry Transport (MQTT)
Introduction to MQ Telemetry Transport (MQTT)Introduction to MQ Telemetry Transport (MQTT)
Introduction to MQ Telemetry Transport (MQTT)Amarjeetsingh Thakur
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
Iot how it works
Iot how it worksIot how it works
Iot how it worksS SIVARAMAKRISHNAN
 
Watson IOT Platform
Watson IOT PlatformWatson IOT Platform
Watson IOT PlatformBrenda Barrioz, CPDS
 
Security issues in manet
Security issues in manetSecurity issues in manet
Security issues in manetflowerjaan
 
Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoTIan Skerrett
 
Iot gateways march 2015
Iot gateways march 2015Iot gateways march 2015
Iot gateways march 2015sgadgil2002
 

More Related Content

What's hot

VANET in Mobile Computing
VANET in Mobile ComputingVANET in Mobile Computing
VANET in Mobile ComputingKABILESH RAMAR
 
Adaptation of tcp window
Adaptation of tcp windowAdaptation of tcp window
Adaptation of tcp windowpriya Nithya
 
UNIT-5 IoT Reference Architecture.pdf
UNIT-5 IoT Reference Architecture.pdfUNIT-5 IoT Reference Architecture.pdf
UNIT-5 IoT Reference Architecture.pdfMansiMehta96928
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Iot and cloud computing
Iot and cloud computingIot and cloud computing
Iot and cloud computingeteshagarwal1
 
The constrained application protocol (CoAP)
The constrained application protocol (CoAP)The constrained application protocol (CoAP)
The constrained application protocol (CoAP)Hamdamboy (함담보이)
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to VirtualizationRahul Hada
 
M2M - Machine to Machine Technology
M2M - Machine to Machine TechnologyM2M - Machine to Machine Technology
M2M - Machine to Machine TechnologySamip jain
 
Introduction to MQ Telemetry Transport (MQTT)
Introduction to MQ Telemetry Transport (MQTT)Introduction to MQ Telemetry Transport (MQTT)
Introduction to MQ Telemetry Transport (MQTT)Amarjeetsingh Thakur
 
Security issues in manet
Security issues in manetSecurity issues in manet
Security issues in manetflowerjaan
 

What's hot (20)

VANET in Mobile Computing
VANET in Mobile ComputingVANET in Mobile Computing
VANET in Mobile Computing
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
 
Adaptation of tcp window
Adaptation of tcp windowAdaptation of tcp window
Adaptation of tcp window
 
Iot
IotIot
Iot
 
IoT and m2m
IoT and m2mIoT and m2m
IoT and m2m
 
UNIT-5 IoT Reference Architecture.pdf
UNIT-5 IoT Reference Architecture.pdfUNIT-5 IoT Reference Architecture.pdf
UNIT-5 IoT Reference Architecture.pdf
 
An introduction to MQTT
An introduction to MQTTAn introduction to MQTT
An introduction to MQTT
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message Queueing
 
Iot and cloud computing
Iot and cloud computingIot and cloud computing
Iot and cloud computing
 
IoT Connectivity
IoT Connectivity IoT Connectivity
IoT Connectivity
 
The constrained application protocol (CoAP)
The constrained application protocol (CoAP)The constrained application protocol (CoAP)
The constrained application protocol (CoAP)
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to Virtualization
 
Vanet ppt
Vanet pptVanet ppt
Vanet ppt
 
Iot architecture
Iot architectureIot architecture
Iot architecture
 
M2M - Machine to Machine Technology
M2M - Machine to Machine TechnologyM2M - Machine to Machine Technology
M2M - Machine to Machine Technology
 
Introduction to MQ Telemetry Transport (MQTT)
Introduction to MQ Telemetry Transport (MQTT)Introduction to MQ Telemetry Transport (MQTT)
Introduction to MQ Telemetry Transport (MQTT)
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Iot how it works
Iot how it worksIot how it works
Iot how it works
 
Watson IOT Platform
Watson IOT PlatformWatson IOT Platform
Watson IOT Platform
 
Security issues in manet
Security issues in manetSecurity issues in manet
Security issues in manet
 

Viewers also liked

Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoTIan Skerrett
 
Iot gateways march 2015
Iot gateways march 2015Iot gateways march 2015
Iot gateways march 2015sgadgil2002
 
Open source IoT gateway
Open source IoT gatewayOpen source IoT gateway
Open source IoT gatewayHenryk Konsek
 
Simplify Internet of Things with an Intelligent Gateway
Simplify Internet of Things with an Intelligent GatewaySimplify Internet of Things with an Intelligent Gateway
Simplify Internet of Things with an Intelligent GatewayEurotech
 
Kura M2M IoT Gateway
Kura M2M IoT GatewayKura M2M IoT Gateway
Kura M2M IoT GatewayEurotech
 

Viewers also liked (6)

Using open source for IoT
Using open source for IoTUsing open source for IoT
Using open source for IoT
 
Iot gateways march 2015
Iot gateways march 2015Iot gateways march 2015
Iot gateways march 2015
 
Open source IoT gateway
Open source IoT gatewayOpen source IoT gateway
Open source IoT gateway
 
Simplify Internet of Things with an Intelligent Gateway
Simplify Internet of Things with an Intelligent GatewaySimplify Internet of Things with an Intelligent Gateway
Simplify Internet of Things with an Intelligent Gateway
 
Internet of Things - Advantech IoT Gateway Starter Kit
Internet of Things - Advantech IoT Gateway Starter KitInternet of Things - Advantech IoT Gateway Starter Kit
Internet of Things - Advantech IoT Gateway Starter Kit
 
Kura M2M IoT Gateway
Kura M2M IoT GatewayKura M2M IoT Gateway
Kura M2M IoT Gateway
 

Similar to Secure IOT Gateway

Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
[Webinar] Software: The Lifeblood of any Medical Device
[Webinar] Software: The Lifeblood of any Medical Device[Webinar] Software: The Lifeblood of any Medical Device
[Webinar] Software: The Lifeblood of any Medical DeviceICS
 
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdfTM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdfssuser8b324e
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks
 
Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Srinivasa Addepalli
 
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...Rick G. Garibay
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueEurotech
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VRISC-V International
 
Stop Wasting Energy on M2M
Stop Wasting Energy on M2MStop Wasting Energy on M2M
Stop Wasting Energy on M2MEurotech
 
Is your MQTT broker IoT ready?
Is your MQTT broker IoT ready?Is your MQTT broker IoT ready?
Is your MQTT broker IoT ready?Eurotech
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...sequi_inc
 
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring StationsJava in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring StationsEurotech
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 
Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013Dorian Hernandez
 
Industrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine LearningIndustrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine LearningVEDLIoT Project
 
Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Aymeric Weinbach
 
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case StudyCisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case Studynicholas njoroge
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11Waqas Ahmed Nawaz
 

Similar to Secure IOT Gateway (20)

Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
[Webinar] Software: The Lifeblood of any Medical Device
[Webinar] Software: The Lifeblood of any Medical Device[Webinar] Software: The Lifeblood of any Medical Device
[Webinar] Software: The Lifeblood of any Medical Device
 
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdfTM4C-IoT-Gateway-with-Security-Protection_0.pdf
TM4C-IoT-Gateway-with-Security-Protection_0.pdf
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2
 
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
From the Internet of Things to Intelligent Systems A Developer's Primer - Gar...
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden Threat
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
 
Stop Wasting Energy on M2M
Stop Wasting Energy on M2MStop Wasting Energy on M2M
Stop Wasting Energy on M2M
 
Is your MQTT broker IoT ready?
Is your MQTT broker IoT ready?Is your MQTT broker IoT ready?
Is your MQTT broker IoT ready?
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
 
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring StationsJava in the Air: A Case Study for Java-based Environment Monitoring Stations
Java in the Air: A Case Study for Java-based Environment Monitoring Stations
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
 
Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013
 
Industrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine LearningIndustrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine Learning
 
Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot
 
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case StudyCisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
 

More from LF Events

Feature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with EncryptionFeature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with EncryptionLF Events
 
KASan in a Bare-Metal Hypervisor
KASan in a Bare-Metal Hypervisor KASan in a Bare-Metal Hypervisor
KASan in a Bare-Metal Hypervisor LF Events
 
Efficient kernel backporting
Efficient kernel backportingEfficient kernel backporting
Efficient kernel backportingLF Events
 
Raspberry pi Update - Encourage your IOT
Raspberry pi Update - Encourage your IOTRaspberry pi Update - Encourage your IOT
Raspberry pi Update - Encourage your IOTLF Events
 
Introduction to Open-O
Introduction to Open-OIntroduction to Open-O
Introduction to Open-OLF Events
 
CNCF and Fujitsu
CNCF and FujitsuCNCF and Fujitsu
CNCF and FujitsuLF Events
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementLF Events
 
NVMe Over Fabrics Support in Linux
NVMe Over Fabrics Support in LinuxNVMe Over Fabrics Support in Linux
NVMe Over Fabrics Support in LinuxLF Events
 
Linxu conj2016 96boards
Linxu conj2016 96boardsLinxu conj2016 96boards
Linxu conj2016 96boardsLF Events
 
Taking over to the Next Generation
Taking over to the Next GenerationTaking over to the Next Generation
Taking over to the Next GenerationLF Events
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...LF Events
 
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...LF Events
 
Trading Derivatives on Hyperledger
Trading Derivatives on HyperledgerTrading Derivatives on Hyperledger
Trading Derivatives on HyperledgerLF Events
 
Introducing Oracle Linux and Securing It With ksplice
Introducing Oracle Linux and Securing It With kspliceIntroducing Oracle Linux and Securing It With ksplice
Introducing Oracle Linux and Securing It With kspliceLF Events
 
Boost UDP Transaction Performance
Boost UDP Transaction PerformanceBoost UDP Transaction Performance
Boost UDP Transaction PerformanceLF Events
 
Containers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices InsteadContainers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices InsteadLF Events
 

More from LF Events (16)

Feature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with EncryptionFeature rich BTRFS is Getting Richer with Encryption
Feature rich BTRFS is Getting Richer with Encryption
 
KASan in a Bare-Metal Hypervisor
KASan in a Bare-Metal Hypervisor KASan in a Bare-Metal Hypervisor
KASan in a Bare-Metal Hypervisor
 
Efficient kernel backporting
Efficient kernel backportingEfficient kernel backporting
Efficient kernel backporting
 
Raspberry pi Update - Encourage your IOT
Raspberry pi Update - Encourage your IOTRaspberry pi Update - Encourage your IOT
Raspberry pi Update - Encourage your IOT
 
Introduction to Open-O
Introduction to Open-OIntroduction to Open-O
Introduction to Open-O
 
CNCF and Fujitsu
CNCF and FujitsuCNCF and Fujitsu
CNCF and Fujitsu
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and Improvement
 
NVMe Over Fabrics Support in Linux
NVMe Over Fabrics Support in LinuxNVMe Over Fabrics Support in Linux
NVMe Over Fabrics Support in Linux
 
Linxu conj2016 96boards
Linxu conj2016 96boardsLinxu conj2016 96boards
Linxu conj2016 96boards
 
Taking over to the Next Generation
Taking over to the Next GenerationTaking over to the Next Generation
Taking over to the Next Generation
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
 
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
 
Trading Derivatives on Hyperledger
Trading Derivatives on HyperledgerTrading Derivatives on Hyperledger
Trading Derivatives on Hyperledger
 
Introducing Oracle Linux and Securing It With ksplice
Introducing Oracle Linux and Securing It With kspliceIntroducing Oracle Linux and Securing It With ksplice
Introducing Oracle Linux and Securing It With ksplice
 
Boost UDP Transaction Performance
Boost UDP Transaction PerformanceBoost UDP Transaction Performance
Boost UDP Transaction Performance
 
Containers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices InsteadContainers: Don't Skeu Them Up, Use Microservices Instead
Containers: Don't Skeu Them Up, Use Microservices Instead
 

Recently uploaded

Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Secure IOT Gateway

  • 1. LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead, MontaVista Software
  • 2. Setting the Stage • This presentation will focus on developing Secure Gateways (Edge Computing & Connectivity) in the IoT Architecutre • Primarily discussion will be on Architecture, Security, and Maintainence features Sensors Gateway Cloud/Database & Analytics Applications L i n u x
  • 5. Architecture choices Embedded processor considerations: – Processor family • ARM • Intel x86 • PowerPC and MIPS possible but not as popular – Power consumption • ARM: low power, advanced PM features • Intel x86: limited PM options
  • 6. Architecture choices (ctd) Embedded processor considerations: – Performance • ARM: Good core performance on lower Ghz • Intel x86: ”Add Ghz -> more perf” – Optimizations • Security offload • Virtualization – Deployment model • SOC model vs. ”generic compute” • Longevity?
  • 7. Ecosystem  Intel vs. ARM really • PPC and MIPS thin and fading ecosystem • Ubuntu, Fedora, Debian, OpenSUSE, MontaVista, WindRiver, and Enea all have/will have x86 and ARM support for mainstream distros • LINARO (ARM lead)  Yocto project (Intel lead) • Consolidate embedded development on OE/bitbake
  • 9. Sensors, Sensors everywhere!  Simple sensor data drives the IoT engine • Fitness trackers, heart monitors, oil and pressure temperature gauges, & packet latency in SDN Gateway L i n u x  What connects them • Wireless: Bluetooth, Wi-fi, Cellular Modem, (3G/4G/5G), Zigbee, & 6loPAN • The bus lineup: Canbus, Profibus, & Modbus • Serial, SPI, I2C • Near Field Communication (NFC) • Prioprietary  Implications • Selected architecture must support (directly or USB/PCI) ALL • Drivers as well...possible port from different architecture • Enough performance • Maintain versions • Brace for the new
  • 10. To the Cloud  Data from sensors is the lifeblood of IoT • Connects to cloud or database • Gateways can filter/preprocess data • Push must be secure (encrypted and authenticated) • Connectivity is bi-redirectional so IoT Gateway must be secure from the cloud  IoTivity  Community framework to connect end devices  Alljoyn Open Source Framework  Connect and communicate across transports/OSes
  • 12. Recent Real-World Examples • DHS confirms Public Sector Control system hacked – Attacking inadequate perimeter security, an attacker could compromise the SCADA system with capability to inject commands and read data at will – The controlled device was brought down for maintenance so no damage done • Boeing and Airbus – Hacker used in-flight Wi-Fi connection to hack into flight control systems – Allegedly controlled thrust for engines, oxygen mask deployment, etc. • Drones – Johns Hopkins University research demonstrated 3 different ways to send unwanted commands – Could force drones to land or just crash • Personal vehicles – Jeep hacked through navigation and Corvette hacked by SMS – Activate wipers, apply brakes, disable engine & brakes
  • 13. Design Considerations • Building security primarily in the Gateway? – Edge devices are constrained on hardened channel – Requires encryption for the channel and two-way authentication for setup • Trusted edge vs. Edge Computing - two polars? – Moving computing to the edge can help build end-to- end efficiency, but requires edge and gateway devices to handle the security – Can also be seen as a way to fence out security threats for some layers of the processing so they cannot be exploited from the Cloud • Lifecycle: secure firmware updates and CVEs – The Edge is relying on the IT-supported backend to handle the updates, requires careful consideration for the technology and process • Provide monitoring for end-to-end data on the Gateway – Using DPI for heuristics- based detection of exploits • Combining types of security: physical, networking, system integrity and isolation of domains Architectural Functional
  • 14. IoT Platform Virtualization & Security vTPM Guest VM Container Openflow DPDK LXC/Docker KVM EMBEDDED LINUX SELinux / sVirt Application Application Hardware Platform LXC/Docker Application 3rd Party Container Monitoring / Auditing Bootloader TPM (x86) Root of Trust CVEFixes and-Maintenance Network Security - IPSec HW offload - Policy Configuration Live Patching Policy Configuration based on System Requirements TrustZone (ARM) DPDK FIPS
  • 15. Types of Security Measures • Reactive Measures – Common Vulnerabilities and Exposures (CVEs) • https://cve.mitre.org/ • The standard list for holes in common systems • Very important to cover the affected parts in your product; MontaVista will do this for you – Intrusion-detection systems • Take action based on perceived attack • Several systems exist for Linux (LIDS, auditd, inotify, tripwire..) – Auditing and logging • Knowing you’ve been attacked prevents further damage • Collect evidence for litigation against the attacker • Example tools: Auditd, syslog, inotify, SELinux.. • Proactive Measures – Mandatory Access Control (MAC) • Minimizes the damage that unknown exploits can do to your system • Increases the chances to block 0-day exploits (unknown vulnerabilities) – System Certification • Provide Common Criteria or similar certification for your product or platform • MontaVista’s Linux is certifiable and we can help with the process – Root of Trust
  • 16. • Full featured and lightweight virtualization solutions Embedded Linux Container Core Isolation Application LXC/Docker Container Application KVM Application OS Guest VM  KVM Full virtualization  Docker Application containers  LXC Full-system Containers  Core Isolation Dataplane and RT applications Virtualization Technology for Isolation
  • 17. • Make Security a Priority • Implement Mixture – Reactive – Proactive • Stay Current
  • 19. IoT Maintainability Requirements • Product life cycle support • Ability to upgrade application, kernel, drivers, userland, or whole system • Upgrades done with little to no “human” interaction and downtime – Wireless delivery • Secure updates – Authentication – Encryption
  • 20. Addressing IoT Maintenance with Linux • Long Term Support (LTS) Kernel – Can be extended beyond 10+ years in commercial Linux distributions • SMART package manager – Allows for source or binary distribution – Flexible to update userland, application, etc. • Live kernel patching • Crypto API support • Trusted Platform Module (TPM) and TrustZone for secure OTA updates
  • 21. IoT: Signed OTA Updates • IoT devices and Gateways have embedded requirements for small footprint but still a very high demand for security • The process relies on the Kernel Live Patches, RPMs, or Container images being hashed and signed by a certificate that can be validated by the TPM or TEE on the target system if necessary – Can also support two-way signatures by using standard RPM signing using GPG keys, potentially enforced by the server-side TPM. • Such processes are adopted by OSVs like Symantec, Redbend and practically all product manufacturers that are concerned about running trusted/secure SW on the devices. • Without secure updates, the integrity of the platform cannot be maintained. ServerDevice Decrypt and verify signature Update Data Generate, Sign and Encrypt Host OS Update Data Pubkey- TPM SecKey- Host PubKey- Host SecKey- TPM Deliver update • RPM / deb / IPK • Docker, VM image • Kernel (Live) Patch TPM TPM/TEE SDK Linux Linux
  • 22. Summary • Embedded Linux offers solid software platform to IoT Gateway developers – Architecture – Connectivity • Security is IMPORTANT to implement • High uptime maintainability