Risk

When a burglar invading your home, you don’t find who the burglar was; first you find the place he or she entered the house. Similarly, you don’t wait for it to happen; you secure your house to minimize the risk in the first place. This is the same way we need to secure our IT infrastructure in the first place. In this example, the burglar is not the threat; instead, the actions he or she can perform is the threat. In the context of IoT, the threats are that someone can get to the sensors, hold the data hostage, and reduce reliability of service.

The possibility of a problem and expectation of loss due to that problem is called risk. In Figure 14-1, which displays a risk flowchart in software, we identify risk and use qualitative (i.e., probability and impact matrix) or quantitative methods (i.e., Expected Monetary Value (EMV), Monte Carlo, and decision tree) for evaluating risk. If it goes above a threshold value, then there are five main methods to manage that risk: accept, avoid, transfer, mitigate, or exploit.

Accepting the risk sounds bad because you log it and take no action. The transfer method is unacceptable, as you transfer the impact and management of the risk to someone else, and I am not covering any risk that can be exploitable here. This leaves you with only two choices: Avoid risk by changing your plans completely or mitigate risk by limiting the impact of a risk, so that if it does occur, the problem it creates is smaller and easier to fix.

We need to systematically evaluate the security and potential attacks. As part of the security development life cycle, Microsoft developed a Threat Modeling tool that can be downloaded from https://aka.ms/threatmodelingtool. It allows software architects to identify and mitigate potential security issues early when they are relatively easy and cost-effective to resolve. Threat modeling helps identify the vulnerable entry points in all the assets within a system.

Referring back to the Azure IoT architecture I described in Chapter 3, the threat model of that architecture will look like Figure 14-2.

Threat modeling provides us with a methodical approach to performing a security evaluation of a system or system design. To illustrate the threat modeling process, we will evaluate threats to a smart refrigerator, which orders milk from your favorite grocery store based on a real-time analysis of the refrigerator’s contents and your purchasing and consumption history.

You now have the choice to avoid risk by changing your plans or mitigate risk as recommended by the Threat Modeling tool.

Privacy

The confidentiality of data has always been and remains a primary concern. For any organization, small or large, there are legal, regulatory, and commercial obligations to protect intellectual property and customer data, especially intellectual property, financial, and health care data. This emphasis is applicable to data collected manually or by IT systems. Among all the issues, intellectual property confidentiality and human privacy are critical.

Privacy is the most important subject we discuss today. Organizations are even more responsible to protect the privacy of users. Unfortunately, the definition of privacy is vague, changes from person to person, and has different ranking levels. is the definition is so vague that something we share on social media, we assume cannot be shared by an organization. In fact, many countries have privacy legislation, and therefore it is a fundamental human right. I am not debating the true definition of privacy here, but would like to mention the GDPR legislation passed in 2016.

Individual certification as a Certified Information Privacy Professional (CIPP) from the International Association of Privacy Professionals (IAPP) focuses on data privacy.

Safety

Safety and security are closely related linguistically, so here I use them interchangeably. The safety focus is frequently driven by the security impacts that an organization has historically experienced, known as reactive actions. Most of the time, managers understand security only after critical data are exposed to the public, corrupted, or deleted. At that point they start making security a priority and start approving budgets for security-related projects. By that time, though, damage has already been done.

Networks, computer systems, and sensors are typical IoT or industrial system assets, and security begins with these assets. In most cases there exists a tight coupling between network design and operational processes; therefore, to avoid any business process impacts, securing the network and all communication channels is even more important.

Securing a network sounds simple when talking about a small, confined environment like a few buildings situated within a known boundary (e.g., a manufacturing unit). Disconnecting an internal network from a public network is as simple as said it seems. In geographically distributed environments, it is not possible to disconnect from the public network entirely. For those networks, we need sophisticated network devices and explicit partnering with Internet service providers. Modern networking equipment offers a rich set of access control and secured communications capabilities.

Whether you’re just getting started with an IoT project or you’ve already implemented it, it’s important to regularly perform a cybersecurity audit to determine whether you need to take additional steps to protect your devices.

IoT Standards and Regulations

The National Institute of Standards and Technology (NIST) defines national standards on security, encryption, and networking. The organization also provides guides for the security of connected devices. They also maintain national and internationally recognized standards regarding security. Supporting materials can be found at http://csrc.nist.gov.

The U.S. Department of Homeland Security mandates guidance for Congress, other agencies, and the private sector regarding cybersecurity standards under the National Security Telecommunications Advisory Committee. Supporting materials can be found at https://www.dhs.gov/topic/cybersecurity.

A part of the U.S. Department of Commerce called the National Telecommunications and Information Administration controls U.S. radio spectrum allocation, domain naming, and security. More information can be found at https://www.ntia.doc.gov.

In Europe, the European Union Agency for Cybersecurity issues standards and publications on various information security practices. In Australia, the IoT Alliance Australia maintains a set of guidelines and practices.

IEEE IoT is a multidisciplinary organization comprised of academic institutions, government bodies, and industry and engineering professionals to drive IoT development. More information is available at iot.ieee.org.

The Computer Emergency Response Team identifies and responds to national high-impact computer security emergencies (https://www.us-cert.gov/ncas/current-activity).

The Children’s Online Privacy Protection Act (COPPA) requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age.

HIPAA covers regulations and guidance on anything related to health care. It is applicable to wearables to. The HIPAA Security Rule identifies 18 criteria that define Protected Health Information (PHI).

GDPR, mentioned earlier, outlines a set of data subject rights. These include breach notifications, right to access, right to be forgotten, data portability, and privacy by design.

Bonus Read: Azure Sphere

I know you need help protecting your data, privacy, physical safety, and infrastructure, and you are looking for an end-to-end solution. Azure IoT Edge allows you to offload most of the cloud processing near the device. Therefore, we need even more security on an Edge device and Azure Sphere aims to provide security solutions for such IoT devices. This bonus read is about Azure Sphere, a comprehensive IoT security solution including hardware, OS, and cloud components developed by Microsoft.

The Azure Sphere platform, shown in Figure 14-3, consists of the integration of three key technical components working as one: a brand new secured silicon chip, the Azure Sphere OS, and the Azure Sphere Security Service.

The Azure Secured Sphere OS is based on Microsoft’s custom Linux-based microcontroller OS that is built for security and agility to create a trustworthy platform for new IoT experiences. It runs a custom Linux kernel developed by Microsoft fit in just 4 MB of RAM and based on mainline Linux 4.9. Every device has a certificate on it and is known by Microsoft before that Azure Sphere is sold. Therefore, Microsoft maintains the OS and updates it using over-the-air (OTA) updates. It connects to the other components and the Azure Sphere Security Service (AS3).

AS3, the Cloud Security service layer on Azure Sphere communication between Azure and the device, uses HTTPS and the same trusted certificates for authentication. It is integrated with Azure IoT Hub for device provisioning and machine-to-machine (M2M) communication. Although Azure is the preferred cloud for Sphere, it can be connected to any cloud-based device management layer.

Secured and Certified Azure Sphere’s chip (MCU) is built by Microsoft’s silicon partners, so they possess the hardware root of trust needed. Currently the certified chip is MT3620AN, where Microsoft will support OS and security service updates through July 2031. The custom Linux-based OS mentioned earlier runs on this certified chip.

I believe security should start with hardware and extends to your solution end to end to deliver a holistic, secure system that protects you from almost all threats. Most of the time we put effort into building a perfect architecture and developing a solution, but we ignore the hardware piece. With many IoT devices suffering from security vulnerabilities and trojans, this MCU is a solution. These three components create and provide a complete, secure software environment for IoT application development.

So far in this book we have used Raspberry Pi. Is Raspberry Pi different from Azure Sphere? Yes, these are two different platforms. However, they both offer a few similar features for building IoT solutions. For example, they both have processing units, RAM, connectivity like Wi-Fi, GPIO ports to extend the capability, and so on. The biggest difference is the security features of the Azure Sphere platform that do not exist for Raspberry Pi. There are many cases where either a Raspberry Pi or Azure Sphere device could be used to build an IoT solution. If security is important to your IoT project, however, Azure Sphere might be the best platform.

Even if the price is your primary decision factor, Azure Sphere is not too costly. At the time of writing, there were two approved Azure Sphere development kits recommended by Microsoft (see https://azure.microsoft.com/en-us/services/azure-sphere/get-started/) and available for less than $100, and a mini board is available for less than $35, which is sufficient for any regular project. There are no ongoing subscription fees or consumption fees associated with your Azure Sphere purchase or the Azure Sphere Security Service from Microsoft. Pricing and support for Azure Sphere certified MCU MT3620AN is less than $8.65. This is already included in the purchase price of the development kit.

Getting Your Device Ready

As I mentioned, there are broadly two development kits available. You’ve probably got one from Avnet and Seeed from their available device options. This lab can be run on any of these. As shown in Figure 14-4, I am using Avnet because the Avnet Azure Sphere starter kit contains a MediaTek MT3620 MCU and includes a three-axis accelerometer, three-axis gyro, temperature sensor, and ambient light sensor.

You can use Visual Studio or the Visual Studio Core CLI command to develop Sphere security-enabled applications on a certified board. Developing solutions for Azure Sphere requires Visual Studio Enterprise, Professional, or Community 2019 version 16.4 or higher.

Download the Azure Sphere SDK from https://aka.ms/AzureSphereSDKDownload. You will see the Azure Sphere Developer command prompt shortcut on your Start menu.

Download the Azure Sphere SDK extension for Visual Studio from https://marketplace.visualstudio.com/items?itemName=AzureSphereTeam.AzureSphereSDKforVisualStudio2019.

Claiming a Device

An Azure Sphere can be claimed only once; that is, once activated, the device cannot be sold or transferred to another person or organization. If you are purchasing a preowned device, make sure it is not yet claimed. The process of claiming is not straightforward and not well documented online.

If you try to register and claim the device using a .hotmail.com, .live.com, or .outlook.com account using the command azsphere login --newuser <your account>@hotmail.com, you will see this error:

AADSTS50020: User account '<your account>@hotmail.com' from identity provider 'live.com' does not exist in tenant 'Azure Sphere' and cannot access the application '0b1cxxxx-xxxx-xxxx-xxxx-7d7dxxxxc87f'(Azure Sphere Utility) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

First, log in to your Azure Portal (https://portal.azure.com) using your live.com account. If you are using a work account, you need administrative privileges on Azure Active Directory. Most of the organization would not provide this level or role on Azure Active Directory; therefore, for this lab I am using a personal Azure account.

1. 1.

   Search for and select Azure Active Directory.

    
2. 2.

   In the left pane, under Manage, select Users.

    
3. 3.

   Click +New User

    
4. 4.

   Select the Create User option. Notice in Figure 14-5 that the domain is already present with the name <your account>hotmail.onmicrosoft.com.

    

1. 5.

   On the User page, enter the user information as shown in Figure 14-6.

    

1. 6.

   Click Create to add the new user to your Azure Active Directory organization, as shown in Figure 14-7.

    

1. 7.

   Open the Azure Sphere Developer command prompt.

    
2. 8.
   Execute the following command to log in to Azure Sphere using a new user account.

   D:>azsphere login --newuser sphere@<your account>hotmail.onmicrosoft.com

   Registration successful. Press any key to log in with your new account.

   >

   Login successful as 'sphere@<your account>hotmail.onmicrosoft.com'.

   warn: You don't have access to any Azure Sphere tenants.

   warn: Type 'azsphere tenant create --name <name>' or, if you have used Azure Sphere before, type 'azsphere tenant migrate'.
    
3. 9.

   Use your browser to complete the sign-in process and change the user password when prompted, as shown in Figure 14-8.

    

1. 10.
   Next, create a new tenant:

   D:>azsphere tenant create --name iotazurespheretenant

   warn: You have logged in with the following account:

   warn: [email protected] (21b1xxxx-xxxx-xxxx-xxxx-5225xxxx4c1e)

   warn: Do you want to use this account to create a new Azure Sphere tenant using the attached device?

   warn: You cannot change the tenant name 'iotazurespheretenant' once it has been created.

   Enter 'yes' to continue. Enter anything else to exit.

   > yes

   Created a new Azure Sphere tenant:

    --> Tenant Name: iotazurespheretenant

    --> Tenant ID:   '65axxxxx-xxxx-xxxx-xxxx-f49xxxxfb851

   Selected Azure Sphere tenant 'iotazurespheretenant' as the default.

   You may now wish to claim the attached device into this tenant using 'azsphere device claim'.

   When you create a new tenant, your user identity is automatically made an administrator of the tenant. Make sure your tenant is created.

   D:>azsphere tenant list

   ID                                   Name                 Roles

   --                                   ----                 -----

   '65axxxxx-xxxx-xxxx-xxxx-f49xxxxfb851 iotazurespheretenant Administrator
    
2. 11.
   Claim your device

   D:>azsphere device claim

   Claiming device.

   Successfully claimed device ID '5E1Exxxxxxxxxxxxxxxxx8B' into tenant 'iotazurespheretenant' with ID '65axxxxx-xxxx-xxxx-xxxx-f49xxxxfb851'.
    

Between the time when the device is manufactured and it is sold to you, Microsoft might have issued multiple updates that were missed for your device. We need to check and update the OS to avoid any errors like this:

error: The device did not accept the device capability configuration. Please check the Azure Sphere OS on your device is up-to-date using 'azsphere device show-deployment-status'.

Execute the following command to find out which version of the Azure Sphere OS your device is currently running.

D: >azsphere device show-deployment-status

Your device is running Azure Sphere OS version 19.05.

The Azure Sphere Security Service is targeting this device with Azure Sphere OS version 20.05.

warn: Your device is running an older Azure Sphere OS version (19.05). It has not yet started receiving the available update to version 20.05.

warn: Your device is not connected to Wi-Fi. Your device may be connected via Ethernet. If not, please check the Wi-Fi configuration on your device and try again.

Go to https://aka.ms/AzureSphereUpgradeGuidance for further advice and support.

Add your Wi-Fi network to the device. Replace <yourSSID> with the name of your network. Note the network SSIDs are case-sensitive. Replace <WifiPassword> with your WPA/WPA2 key. Azure Sphere devices do not support wired equivalent privacy (WEP).

D: >azsphere device wifi add --ssid "<yourSSID>" --psk "<WifiPassword>"

Add network succeeded:
SSID	<yourSSID>
Configuration state	enabled
Connection state	unknown
Security state	psk
Targeted scan	False

Confirm if Wi-Fi is working on your Azure Sphere device.

D: >azsphere device wifi show-status

SSID	<yourSSID>
Configuration state	enabled
Connection state	connected
Security state	psk
Frequency	5765
Mode	Station
Key management	WPA2-PSK
WPA State	COMPLETED
IP Address	192.168.0.31
MAC Address	xx:xx:xx:xx:xx:xx

It is time to relax. The Azure Sphere device is now checking for any available updates for Azure Sphere OS. Download and installation could take as much as 15 to 20 minutes and might cause the device to restart. Actually, the device checks in three different ways:

1. 1.

   Each time the device boots.

    
2. 2.

   When it connects to the Internet for the first time.

    
3. 3.

   Once every 24-hour interval thereafter.

    

Execute show-deployment-status again to make sure the latest OS deployment update has completed.

D: >azsphere device show-deployment-status

Your device is running Azure Sphere OS version 20.05.

The Azure Sphere Security Service is targeting this device with Azure Sphere OS version 20.05.

Your device has the expected version of the Azure Sphere OS: 20.05.

Finally, enable app development on the device. This will assign the device to the default Development device group and adds the device capability to accept applications for debugging.

D: >azsphere device enable-development

Device ID: '5E1Exxxxxxxxxxxxxxxxx8B '

Downloading device capability configuration.

Application updates have already been disabled for this device.

Enabling application development capability on attached device.

Applying device capability configuration to device.

The device is rebooting.

Installing debugging server to device.

Deploying 'C:Program Files (x86)Microsoft Azure Sphere SDKDebugToolsgdbserver.imagepackage' to the attached device.

Image package 'C:Program Files (x86)Microsoft Azure Sphere SDKDebugToolsgdbserver.imagepackage' has been deployed to the attached device.

Application development capability enabled.

Successfully set up device for application development, and disabled application updates.

(Device ID: '5E1Exxxxxxxxxxxxxxxxx8B ')

If you see any error in executing this command, that means the OS is still updating and requires a manual reset.

Congratulations! Your Azure Sphere device is now enabled and ready for debugging and closed to cloud application updates until you explicitly change that setting using the azsphere device enable-cloud-test command.

Currently custom applications can only be developed in C. You can now proceed to explore device capability by creating sample applications using the new Project type Azure Sphere MT3620 Blank template in Visual Studio 2019, as shown in Figure 14-9.

C-based solutions are usually lengthy and require significant knowledge of the language. Building applications using C is outside the scope of this book. There are quite a few samples provided by Avnet (https://github.com/Avnet) and third-party developers to clone, and they can be executed on your device as is.

Summary

This chapter detailed the risks of IoT security. IoT projects are more vulnerable because of their surface area, from hardware to software and everything in between. Therefore, an architect must be cognizant of security at each level.

Protecting privacy is challenging for the IoT, and you need to budget time and money for this important task. In this chapter, we’ve covered identifying risk, threats, and how to mitigate them. You can use the Threat Modeling tool to flag all the threats and learn how to mitigate them. I provided a list of government and private organizations that provide standardization and technical roadmaps of this technology.

As a bonus, I added a brief introduction to Azure Sphere, the security offering from Microsoft.

This book has attempted to provide practical advice for designing and deploying many types of complex IoT systems. I have thoroughly enjoyed presenting unique use cases and solving them practically with different technology in each chapter. I hope you enjoyed learning them, too.