Index

Symbols

5G, 800

6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks), 74

802.1X authentication, 363-365

802.1X Flexible Authentication, 366-367

802.11p, 800

A

AAA (authentication, authorization, accounting), 279, 337, 361-362

accounting, 397-398

framework guidelines, 399

requirements, 400-401

centralizing, 268

ODL, 206

standard configuration example, 342-343

tenant/user, 279-280

acceptance, 16

access-accept messages, 362

access-challenge messages, 362

access control

ACLs, 374-376

AWS, 394-397

back-end platform, 637-646

building blocks, 326

complex devices, 345

constrained devices, 345

classes, 345-346

identifying, 348-351

restrictions, 345

data protection, 504

device identification, 336-337

Device Sensor, 340, 343-345

AAA configuration example, 342-343

differentiated authorization privileges, 345

internal/external clients, 341

port security, 341

probe configuration, 344

success, 344

energy limitations, 346-347

equipment health monitoring example, 778-781

IDs, 637-639

Internet draft, 390

ISE profiling, 337-340

Keystone, 640

LDAP, 639

MUD, 390

module, 392

policy types, 390-391

process flow, 393-394

URLs, emitting, 390

multitenancy data sharing, 641, 644

new endpoints, connecting, 639

on demand, 714-718

IPS/IDS, 717-718

self-service portal, 715-717

physical access, 505

power for communication, 347-348

RabbitMQ, 546

role-based. See RBAC

service deployment, 639-641

SGACLs, 384-388

automation, 388

benefits, 384

consumer/provider matrix, 384-386

east–west, 387

microsegmentation, 387

north–south, 387

SGTs, 376-378

smart city sensors, 708-709

TrustSec, 376-379

classification, 380

enforcement, 384

inline tagging, 383

propagation, 381-383

access control lists. See ACLs

access-reject messages, 362

access-request messages, 362

accidental incidents, 755

accounting, 397-398

data protection, 505

framework guideline, 399

requirements, 400-401

accreditation, 16

acknowledgeable relationship, 414

ACLs (access control lists), 262

SDN data plane, securing, 262

SGACLs, 384-388

automation, 388

benefits, 384

consumer/provider matrix, 384-386

east–west, 387

microsegmentation, 387

north–south, 387

web-type, 606

acquisition and development phase (SDLC), 14-16

actionable IRM, 413

actions, monitoring, 477

activation sequence example, 472, 474

activation status (VNFs), 474

active networking, 185

Adaptive Network Control (ANC), 446-447

Adaptive Security Appliance virtualized (ASAv), 422-423, 470

ADAS (advanced driver assistance systems), 805

AD-SAL (API-driven service abstraction layers), 209-210

Advanced Malware Protection. See AMP

Advanced Message Queuing Protocol (AMQP), 74, 544

Advanced Persistent Threats (APTs), 440-441

AE (application entity), 131

affective computing, 898

aggregators, 101

aggressive mode (IKEv1 phase 1), 582

AGI (Artificial General Intelligence), 891

agility

NFV, 221

OpenFog reference architecture pillar, 135

SDN, 192

AHs (authentication headers), 578

AI (Artificial Intelligence), 98, 878-879

affective computing, 898

cognitive computing, 898-899

components, 891

contextual awareness, 899

cybersecurity systems, 878

DL alignment, 894

hybrid subsymbolic/symbolic, 892

ML collaboration, 899

natural language processing (NLP), 895-896

people-/user-centric approaches, 98

subsymbolic, 891-892

symbolic, 891-892

AIC (availability, integrity, confidentiality), 43

AIOTI (Alliance for the Internet of Things Innovation), 59, 138-140

algorithms

elliptic curve cryptographic algorithms, 353

encryption, 580

hashing, 580

security events, 445

state convergence, 475

Alliance for Telecommunications Industry Solutions (ATIS), 65

alliances, standardization efforts, 56

allocating IT staff, 6

always on strategy, 347

AM (authentication manager), 102

Amazon Web Services. See AWS

AMP (Advanced Malware Protection), 456, 616

AnyConnect client, 616

file policies, 461

FTD, 459-461

point-in-time detection, 456-457

retrospection, 457-458

sandboxing, 458

Umbrella service integration, 465

AMQP (Advanced Message Queuing Protocol), 74, 544

analysis

data, 526

functional requirements, 15

nonfunctional security requirements, 15

protocols, 439

security assurance requirements, 16

analytics, 5

ANC (Adaptive Network Control), 446-447

ANNs (artificial neural networks), 896-897

anomaly detection. See behavioral analysis

anomaly traffic detection, 780-781

ANPR (automatic number plate recognition), 820

anti-tamper and detection, 169

any endpoint, anywhere concept, 25

AnyConnect client, 611-612

configuration, 612

deployment, 611

manufacturing example, 617

authorization, 621

identity, authentication, posture, 618

remediation, 619-620

working components, 618-621

modules, 612-616

AMP, 616

endpoint compliance, 614

Network Access Manager, 614

NVM, 615-616

roaming protection, 614-615

VPN, 612-613

API (application programming interface), 19

back-end platform security, 634-635

deployment preparations, 316

northbound

fog nodes, 662

ODL, 206

northbound (NB APIs), 43

OVS, 197

REST, 634-635

SDN, 191

southbound

fog nodes, 667

ODL, 204

API-driven service abstraction layers (AD-SAL), 209-210

app entities, 139

Apple Face ID/TouchID, 359

application entity (AE), 131

application layers, 46

AIOTI architecture, 138-139

communication, 74

ITU-T Y.2060 reference model, 125

SDN, 191

application programming interfaces. See API

application-specific integrated circuit (ASIC), 374

application visibility and control. See AVC

applications

access, clientless SSL VPNs, 604-609

authenticity, 271

blockchain distributed ledger, 884

certification, 271

cloud-native functions, 242

cloud-ready functions, 242

detectors, 433

fog-ready functions, 242

future connected car, 815

hierarchy, 36

IoT-A RA, 123

isolating, 271

lifecycles, 704-705

penetration testing, 271

SDN, securing, 252-253, 270-271

secure development, 271

vertical, 679

APTs (Advanced Persistent Threats), 440-441

architectural reference model (ARM), 121, 177

architectures, 32-33

AIOTI, 138-140

ANNs, 897

blockchain, 886

bringing IT and OT technologies together, 157

cloud-centric, 32

cloud computing, 106-112

accessibility, 109

advantages, 109

availability, 109, 112

characteristics, 107

compliance, 110

costs, 109

deployment, 107-108

disadvantages, 110

environmental benefits, 109

extensibility, 109

interoperability, 110

IoT adoption, accelerating, 111

maintenance, 109

privacy, 110

QoS, 112

real-time processing, 112

reliability, 109

scalability, 109

security, 110

Cloud Customer Architecture for IoT, 140-142

data-centric, 104-105

digital roadway, 806

documentation, 27

edge computing, 112-113

enterprise-centric, 32

equipment health monitoring example, 772

Federal Sigma VAMA, 864

fog computing, 112

advantages, 116-118

communications, 114

complexity, 118

costs, 117-118

cross-vertical replicability, 117

data handling, 115

disadvantages, 117

edge computing, compared, 113

governance, 117

heterogeneity, 117

mobility, 116

proximity, 116-117

reliability, 117

requirements, 115

security, 117

speed, 116

full IoT stack, 120

AIOTI, 138-140

Cloud Customer Architecture, 140-142

IEEE P2413, 132-133

IoT-A RA, 120-125

IoTivity framework, 142-144

IoTWF, 126-129

ITU-T Y.2060, 125-126

oneM2M, 129-132

OpenFog Consortium, 133-138

gateway-centric, 32

hub-centric, 32

ICN, 100-104

IEEE P2413, 132-133

IoT-A RA, 120-125

IoTWF reference model, 126-129

ISE integrated, 337

ITU-T Y.2060 reference model, 125-126

Lambda, 119-120

layers, 85-86

middleware, 118

mobile-centric, 32

next-generation IoT platforms, 294-295

NFV ETSI, 229

NFV-based, 154-156

ODL reference, 204-207

OF, 193

oil and gas industry security, 756-757

oneM2M, 129-132

open process automation based on Purdue Model of Control, 159

OpenFog Consortium, 133-138

perspectives, 136

pillars, 133-135

security layers, 137

stakeholder views, 137

OVS, 196

people-centric approach, 98-100

references, 87

SDN, 64-65, 154-156, 189-192

segmented based on Purdue Model of Control, 157

server-side, 99

standards, 59-61

system viewpoint, 89, 106

cloud computing, 106-112

edge computing, 112

fog computing, 112-118

thing-centric, 32

universal, 89, 120

CPwE, 153

GridBlocks, 153-154

IIRA, 144-146

Industry 4.0, 148-149

NFV-based, 154-156

OPC-UA, 150-152

SDN-based, 154-156

user-centric approach, 98-100

X-centric approach, 89-97

cloud-centric, 95-96

enterprise-centric, 96-97

Gartner-defined X-centric views, 97

gateway-centric, 94-95

hub-centric, 94

mobile-centric, 93-94

thing-centric, 92-93

ARMs (architectural reference models), 121, 177

ARP attacks, 41

Artificial General Intelligence (AGI), 891

Artificial Intelligence. See AI

artificial neural networks (ANNs), 896-897

Artik, 176

ASAv (Adaptive Security Appliance virtualized), 422-423, 470

ASDM (Adaptive Security Device Manager), 612

ASI (Artificial Super Intelligence), 891

ASIC (application-specific integrated circuit), 374

assessments, risk, 15, 58

assets

classification, 27

identification, 27

improvements, 742

assurance

IISF, 162

information (IA), 37

sequences, 474-475, 479-481

services, 784-786

ASTM E2158-01, 827

ASTM PS 105-99, 827

ATIS (Alliance for Telecommunications Industry Solutions), 65

attacks

AMP, 456

file policies, 461

FTD, 459-461

point-in-time detection, 456-457

retrospection, 457-458

sandboxing, 458

ARP, 41

authentication, 41

continuum, 11-12

CSRF, 265

data breach costs, 418

Ethernet, 41

identifying risks, 25-28

classification, 27

identification, 25-26

risk scores, 28

jamming, 41

MAC flooding, 41

MITM, 40

oil and gas industry, 755

protocols, 42

TALOS, 456

targets, 39

communication, 41-42

gateways, 40-41

SDN, 42-43

things, 39-40

threat identification, 27

vectors, 38

wireless, 41

attestation, devices, 315

Attribute Value pairs (A/V pairs), 362

audible warning systems, 820

audio systems, police cars, 820

authentication, 38

AAA, 361-362

attacks, 41

A/V pairs, 362

AWS, 395-397

biometrics, 359-360

certificates, 352

Cisco IoT security framework, 170

constrained device limitations, 358

data protection, 504

digital certificates, 352

IEEE 1609.2, 353

PKI, 353-355

revocation, 356-357

SSL pinning, 357

X.509, 352-353

equipment health monitoring example access privileges, 778-780

flexible, 403

HMAC, 264

HTTP, 264

IEEE 802.1X, 363-365

IEEE 802.1X Flexible, 366-367

IPsec peers, 579

MAB (MAC Authentication Bypass), 365

MQTT, 533-535

passwords, 357-358

PKI, 351, 354

public key cryptography, 352

RabbitMQ, 547-548

RADIUS, 361-362

REST, 264-267

servers, 363

southbound SDN controller communication, 258

time service, 281

tokens, 265

trust stores, 355

authentication, authorization, and accounting. See AAA

authentication headers (AHs), 578

authentication manager (AM), 102

authenticators, 363

authenticity, 271

authorization

ACLs, 374-376

AWS, 394-397

Cisco IoT security framework, 170

data protection, 504

differentiated privileges, 345

dynamic forms, 368

dynamic privileges, 367

equipment health monitoring example access privileges, 778-780

ISE, 368

MQTT, 535-539

northbound SDN controller communications, securing, 267

policy-based, 403

RabbitMQ, 548-549

RADIUS CoA, 368

request commands, 370-371

Request/Response codes, 369

requests, 368-369

session identification, 369

VLAN assignments, 371-374

RBAC dynamic segmentation, 378

remote HMI access, 621

session identification, 369

SGACLs, 384-388

automation, 388

benefits, 384

consumer/provider matrix, 384-386

east–west, 387

microsegmentation, 387

north–south, 387

SGTs, 376-378

TrustSec, 376-379

classification, 380

enforcement, 384

inline tagging, 383

propagation, 381-383

automatic number plate recognition (ANPR), 820

automation, 5

connected cars deployment, 815, 867-870

contextual, 304, 307

driving system levels, 803-804

equipment health monitoring example, 777-778

extranets

orchestration and NFV, 596

software-based, 597

template-based orchestration and NFV, 595

gas and oil industry, 752

IPS/IDS, 717-718

next-generation IoT platforms, 299

oil and gas industry security, 742-763

asset improvements, 742

challenges, 743-744

equipment health monitoring example. See equipment health monitoring example

field operations, 789

human efficiency and productivity, 742

trends, 743

reusable templates, 469

secure oil and gas opportunities, 735

security, 876

SGACLs, 388

smart cities, 691-692, 721-725

autonomous vehicles

Ethernet approaches, 825

interoperability, 826, 829

layered approach, 850-851

operational lifecycle, 851

sensor data sharing systems and technologies, 824

standards, 826-829

systems and technologies, 823

autoquarantining versus manual quarantine, 782

autoscaling, KPI, 483

availability, 37, 86

cloud computing, 109, 112

data protection, 505

high, 269

IISF, 162

MQTT, 542-543

NFV, 220

OpenFog reference architecture pillar, 135

RabbitMQ, 550-551

availability, integrity, confidentiality (AIC), 43

AVC (application visibility and control), 423, 433, 437

application subcategories, 434

detection sources, 433

detectors, 434

industrial communication protocol example, 435

MODBUS application filter example, 436-437

A/V pairs (Attribute Value pairs), 362

AV-Test, 455

AWS (Amazon Web Services), 176

Amazon Cognito, 395

device registration process, 331-333

IAM, 395-397

policy-based authorization, 394-395

Ayla IoT Platform, 176

Azure, 176

B

B2B (business-to-business) services, 806

back-end architectural layer, 86

back-end platforms, 631-634

access control, 637-646

API security, 634-635

containerized services management, 649-653

dashboard, 635-637

NFVO, 646-647

NSO, 646

operationalization, 633-634

options, 631

overcloud/undercloud, 634

requirements, 631

REST APIs, 634-635

VNFM, 648

VIM, 648-649

backing up data, 570

bandwidth, fog computing, 115

battery management, police vehicles, 821

BBF (Broadband Forum), 65

behavioral analysis, 440-441

contextual information with adaptive network control, pairing, 446

encrypted traffic analytics, 450-454

ETA

cryptographic compliance, 454

threat detection, 451-452

WannaCry, 454

NaaS, 444-446

oil and gas pump station example, 447-450

solutions, 441

visibility protocols, 442-444

Flexible NetFlow protocol, 444

NBAR2, 444

NetFlow protocol, 442-443

NSEL (NetFlow Secure Event Logging), 444

Big Data, 522-526

Big Data Architectures and the Data Lake (Serra), 523

biometric authentication, 359-360

bitumen, 740

blockchains, 877-880

adoption of IoT, accelerating, 887

architectures, 886

challenges, 886

characteristics, 880

compliance, 887

components, 883

computational resources, 886

consensus algorithm, 883

distributed ledger applications, 884

EdgeChain, 889-890

human skills gap, 886

ledger, 883

private, 884

process flow, 882

public, 884

reactive data protection mechanisms, 572

scalability, 886

startups total funding, 880

storage, 886

transactions, 886

types, 884

Bluemix platform, 177

bookmarks, clientless SSL VPN application access, 604-605

boot integrity, 274-275

bootstrapping, secure, 328

BRSKI, 329-330

immutable identities, 328-329

Bosch IoT Suite, 176

bring your own certificates (BYOC), 333

bring your own device (BYOD), 21

Broadband Forum (BBF), 65

brokers, 350

BRSKI (Bootstrapping Remote Secure Key Infrastructure), 329-330

BSI (British Standards Institution), 686-687

BSquare DataV, 176

BSS (business support systems), 223

bug scrubs, 270

building blocks, 35

access control, 326

IISF, 163-164

next-generation IoT platforms, 295-303

fog levels, 302

heterogeneous, 297

infrastructure, 301

management, 297

MANO, 297-301

multitenancy, 296

operation, 297

UIs, 297

virtualization, 297

YANG model, 304-306

buildings, smart cities, 680

business-to-business (B2B), 806

business value, 5

businesses

benefits, 54

business-focused services, 805

needs challenges, 863

processes, 37, 86

support systems (BSS), 223

BYOC (bring your own certificates), 333

BYOD (bring your own device), 21

C

CA (certificate authority), 451

cabinets

fog nodes, 660

monitoring, 705-709

monitoring with event-based video, 709-712

data pipeline security, 713-714

deployment, 710-712

triggers, 710

on demand access control, 714-718

IPS/IDS, 717-718

self-service portal, 715-717

CAN (controller area network), 824

canned policies (ISE), 340

CAP (consistency, availability, partition tolerance) theorem, 568-569

CAPEX reduction, 219

carrier-neutral facility (CNF), 418

Carriots IoT Platform, 177

Casado, Martin, 186

catalogs, security, 656

CCTV (closed circuit television) video security use case, 309

architecture overview, 313

cabinet monitoring, 314

deployment, 316-319

description, 312

preparatory work, 315-316

sequence of events, 319-320

triggers, 312

center architectural layer, 86

center hierarchy, 36

Centre for the Protection of National Infrastructure (CPNI), 842

centralized deployment security example, 418-420

activation sequence, 472-474

dynamic mapping, 478

ESC, monitoring, 476-477

ETSI MANO components, 468

fulfillment and assurance sequences, 474-475, 479-480

KPI SESSION_COUNT metric, 482-483

KPI VNF monitoring methods, 479

NSD catalog, 471

NSR, 472

reusable templates, 469

rules, 483-486

VMs, 469, 481

VM_ALIVE script, 480-481

VNFs, monitoring, 475

VNFD catalog, 470

certificate authority (CA), 451

Certificate Revocation Lists (CRLs), 259, 356

certificates, 352

digital, 352

IEEE 1609.2, 353

PKI, 353-355

revocation, 356-357

SSL pinning, 357

X.509, 352-353

DTLS, 350

managing, 333

SUDI, 328-329

certifications

applications, 271

security, 16

cgroups, 654

chaining services, 494-495

choices provided by standards, 54

CIA (confidentiality, integrity, and availability), 43, 503

CIGRE (International Council on Large Electrical Systems), 66

CIP (Common Industrial Protocol), 428-429, 432

Cisco

Adaptive Security Appliance virtualized (ASAv), 422-423, 470

AnyConnect client. See AnyConnect client

CPwE, 153

ENCS, 489

GridBlocks, 153-154

Identity Services Engine (ISE), 336

IoT Cloud Connect, 176

IoT Ready, 329

IoT security framework, 168-171

Kinetic IoT Platform, 177

Next-Generation Firewall virtual (NGFWv), 422-423

NSO, 646

Overlay Transport Virtualization (OTV), 259

Secure Development Lifecycle, 644

SIO, 456

UCS E-Series servers, 489

citizen experiences, smart cities, 681

City Management Interface, 696

classes, constrained devices, 345-346

classical models versus machine learning, 893

classification

assets, 27

TrustSec, 380

client application detectors, 434

client-based SSL VPNs, 611-612

clientless comparison, 600

configuration, 612

deployment, 611

manufacturing example, 617

authorization, 621

identity, authentication, posture, 618

remediation, 619-620

working components, 618-621

modules, 612-616

AMP, 616

endpoint compliance, 614

Network Access Manager, 614

NVM, 615-616

roaming protection, 614-615

VPN, 612-613

clientless SSL VPNs, 599-611

application access, 604-609

bookmarks, 604-605

plug-ins, 609

port forwarding, 606

smart tunnels, 607

web-type ACLs, 606

client-based comparison, 600

components, 602

DAP, 609

group policies, 602

oil and gas example, 610-611

portal, 602-603

tunnel groups, 601

clients

802.1X, 363

AnyConnect, 611

configuration, 612

deployment, 611

modules, 612-616

Device Sensor, 341

MQTT, 350

vhost, adding, 642

closed circuit television. See CCTV video security use case

cloud-centric architecture, 32, 95-96

cloud computing, 106-112

accessibility, 109

advantages, 109

availability, 109, 112

characteristics, 107

compliance, 110

costs, 109

deployment, 107-108

disadvantages, 110

environmental benefits, 109

extensibility, 109

fog computing comparison, 241

fog fusion, 242

hybrid, 107

interoperability, 110

IoT adoption, accelerating, 111

maintenance, 109

privacy, 110

private, 107

public, 107

QoS, 112

real-time processing, 112

reliability, 109

scalability, 109

security challenges, 110

Cloud Customer Architecture for IoT, 140-142

cloud-native functions, 242

cloud-ready functions, 242

Cloud Security Alliance. See CSA document

cloud to cloud, 406-408

CNF (carrier-neutral facility), 418

CoA (Change of Authorization)

RADIUS, 368

request commands, 370-371

Request/Response codes, 369

requests, 368-369

session identification, 369

VLAN assignments, 371-374

SGT, 781

CoAP (Constrained Application Protocol), 349-350

cognitive computing, 898-899

Cognito (Amazon), 395

collaborative security, 899

collecting data, 507

command validation, 782-783

Common Industrial Protocol (CIP), 428-429, 432

common service functions (CSFs), 131

common services entity (CSE), 131

communication, 71

application layers, 74

attacks, 41-42

channel vulnerabilities, 839

connected cars, 807-808

data, 790

fog computing, 114

fog nodes, 662-664

IoT-centric model, 72

last-mile, 71

MAC layers, 73

network layers, 73-74

node hierarchy, 36

OSI, 70

physical layers, 73

police vehicles, 821

protocols, 70

SDN controller

east-west, securing, 254-256

northbound, securing, 263-268

southbound, securing, 256-260

security, 658-659

smart cities, 682

technologies, 740

transport layers, 74

complex devices, 345

complexity

connected car security, 835

fog computing, 118

minimizing, 309

compliance

blockchain, 887

cloud computing, 110

cryptographic, 454

security, 5

smart cities, 682

components

AI, 891

blockchain, 883

EFM, 561

ENFV, 486-487

full IoT stacks, 674

ICN architecture, 101

NaaS, 445

NFV framework, 64

OF, 193

oil and gas industry security, 757

smart cities, 679

SSL VPNs, 602

computational resources, 886

computer vision, 898

computing data, 508

concierge services, 805

ConfD, deployment preparations, 316

confidentiality, 37

Cisco IoT security framework, 169

data, 568

data protection, 505

MQTT, 539-540

RabbitMQ, 549

confidentiality, integrity, and availability (CIA), 43, 503

configuring

AAA, 342-343

AnyConnect client, 612

management and control, 17

RabbitMQ, 643

connected cars

automated deployment, 867-870

automated driving system levels, 803-804

autonomous, 823-824

benefits, 811-812

business-focused services, 805

categories, 801

communications, 807-808

customer-focused services, 805

data, 815-817

data enabling solutions, 814

data value, 813

development, 801-802

digital roadway architecture, 806

embedded era, 802

emergency fleet vehicles example, 852-854

architecture overview, 854

automation, 867-870

equipment deployment, 865-866

Federal Sigma VAMA, 863-864

intrusion detection and prevention, 858-860

onboard systems deployment, 864-865

OTA secure updates, 855-857

personalized experiences, 862-863

segmentation and zoning, 857-858

Wi-Fi hotspot security, 861-862

equipment deployment, 865-866

estimated car sales 2015–2021, 798

Ethernet approaches, 825

future applications and services, 815

high-tech entrants, 804

industry trends, 798

infotainment era, 802

interoperability, 826

interoperable infrastructure requirements, 829

intrusion detection and prevention, 858-860

IoT value, 810-812

leadership, 799

low prices of technology, 804

mobility concepts, 805

networks, 824-825

onboard systems deployment, 864-865

operational challenges, 863

operational lifecycle, 851

orchestration platform principles, 848

orchestration requirements, 818

OTA secure updates, 855-857

overview, 800

personalized experiences through identity management, 862-863

police vehicles, 819-821

ANPR, 820

audible and visual warning systems, 820

battery management, 821

integrated approach, 821

mobile data terminals, 820

onboard systems and technologies, 819

onboard telematics, 821

operational challenges, 821

orchestrated services, enabling with consolidated orchestrated hardware, 822

radios, 820

speed detection, 820

speed recognition devices, 820

vehicle tracking, 820

video camera and audio systems, 820

wearables, 821

Wi-Fi hotspots, 821

regulatory and policy constraints, 805

revenue and operational opportunities, 816

security, 830

attack surface, 831

challenges, 835

connectivity challenges, 840

considerations, 839

consolidation, 849

data-centric and application-centric fusion, 849

design implementations, 847

driver concerns, 837

encryption, 837

goals, 847-848

industry alliances, 847

layered approach, 850-851

reasons for, 830

safety-criticality, 836

threats, 831-834

U.K. supply chain guidelines, 842-845

upgrades/patches, 840

U.S. supply chain guidelines, 845-846

vulnerabilities, 836-840

segmentation, 857-858

smart city emergency fleet vehicles integration, 719-721

standards, 826-829

Europe, 827

Japan, 827

SAE International, 827, 829

U.K., 827

U.S., 826

technology transition, 802

trends driving changes, 804

urban customers, 805

V2X era, 802

vehicle maintenance data, 813

vendor ecosystem, 809

Wi-Fi hotspot security, 861-862

zoning, 857-858

connectivity

connected car security, 835

connected cars, 840

IoT, 4

new endpoints, 639

on demand access, 714-718

IPS/IDS, 717-718

self-service portal, 715-717

platforms, 173

connectors, 20, 316

consensus algorithm, 883

consistency, availability, and partition tolerance (CAP), 568-569

consistency, next-generation IoT platforms, 291

consolidation

connected car security, 849

smart cities, 698

consortia, standardization efforts, 56

constrainable relationship, 414

Constrained Application Protocol (CoAP), 349-350

constrained devices, 345

classes, 345-346

identifying, 348-351

CoAP, 349-350

MQTT, 350-351

limitations, 358

restrictions, 345

CBOR Object Signing and Encryption (COSE), 409

consumer/provider matrix, 384-386

consumers

ICN, 102

software extensions, 173

spaces, SDN-based IPsec IoT, 592

consumption, data, 526

containerized services, back-end platform management, 649-653

context processing, CN, 102

contextual automation, 304, 307

contextual awareness, 899

contextual relationships, 414

continuous monitoring, 17

control layer, SDN, 190

control planes

data protection, 566-567

SDN, 262

security, 659

controller area networks (CANs), 824

controllers

ODL, 206

power, 702-704

SDN

east-west communications, securing, 254-256

northbound communications, securing, 263-268

securing, 252-253

southbound communications, securing, 256-260

TrustSec, 368-378

controlling

Cisco IoT security framework, 170

configuration, 17

oil and gas industry security, 755

OpenFog Consortium architecture, 136

power, 702

security, 16

converged multifaceted platforms, 246-248

Converged Plantwide Ethernet (CPwE), 153

co-operative awareness basic service standards, 827

core networks hierarchy, 36

Core Root of Trust for Measurement (CRTM), 663

COSE (CBOR Object Signing and Encryption), 409

costs, 16

cloud computing, 109

fog computing, 117-118

CPNI (Centre for the Protection of National Infrastructure), 842

CPS PWG (Cyber Physical Systems Public Working Group), 77

CPU, reserving, 278

CPwE (Converged Plantwide Ethernet), 153

crashes, 275

Create, Read, Update, and Delete (CRUD), 628-630

criticality, connected car security, 836

CRLs (Certificate Revocation Lists), 259, 356

cross-certification, 355

cross-fog applications, 136

cross-site scripting (XSS), 635

cross-vertical compound IoT applications, 3

cross-vertical replicability, fog computing, 117

CRTM (Core Root of Trust for Measurement), 663

CRUD (Create, Read, Update, and Delete), 628-630

cryptography

compliance, 454

D-H (Diffie-Hellman), 580

public key, 352

CSA (Cloud Security Alliance) document, 110, 165-168

IoT-specific security controls, 167

recommended security controls, 165-166

security standards, 77

smart city recommendations, 695

CSDL (Cisco Secure Development Lifecycle), 644-646

CSE (common services entity), 131

CSFs (common service functions), 131

CSRF (cross-site request forgery), 265, 636

CTA (Cognitive Threat Analytics), 453

custom application detectors, 434

customer-focused services, 805

customer profiling, 805

Cyber Physical Systems Public Working Group (CPS PWG), 77

cyberattacks, 454

cybersecurity

connected car standards, 827

connected cars, 830

attack surface, 831

automated deployment, 867-870

challenges, 835

connectivity challenges, 840

considerations, 839

consolidation, 849

data-centric and application-centric fusion, 849

design implementations, 847

driver concerns, 837

emergency fleet vehicles example. See emergency fleet vehicles example

encryption, 837

equipment deployment, 865-866

goals, 847-848

industry alliances, 847

intrusion detection and prevention, 858-860

layered approach, 850-851

onboard system deployment, 864-865

operational challenges, 863

operational lifecycle, 851

orchestration platform principles, 848

OTA secure updates, 855-857

personalized experiences through identity management, 862-863

reasons for, 830

safety-criticality, 836

segmentation and zoning, 857-858

threats, 831-834

U.K. supply chain guidelines, 842-845

upgrades/patches, 840

U.S. supply chain guidelines, 845-846

vulnerabilities, 836-840

Wi-Fi hotspots, 861-862

NIST best practices, 659

smart cities, 682, 693-696

Cloud Security Alliance recommendations, 695

threats, 694

standard, 829

D

dACLs (downloadable access control lists), 374

daemons, Docker, 654

DAP (Dynamic Access Policies), 609

dashboard back-end platform, 635-637

dashboards, 627

data

analysis and exposure, 526

anomaly detection. See behavioral analysis

app centric, 697

at rest, 518, 521

Big Data, 526

breach costs, 418

categories, 509-511

centricity, 104

collecting, 507

computing, 508

confidentiality, 568

connected cars

analysis technologies, 817

enabling solutions, 814

future services and applications, 815

monetization, 815

consumption, 526

distribution, 527

driver development, 515-516

durability, 529

end-to-end considerations, 18

endpoint collected, 520

flows, oil and gas industry, 790

four Vs, 813

handling, 115, 821

identification, 25-26

information, compared, 524

ingestion, 524

IoT, 4

lakes, 522-524

leveraging, 509

lifecycles, 507-509

categories, 511

collection, 507

computing, 508

data categories, 509

leveraging, 509

moving, 508

management and analytics, 5

mobile terminals, 820

modeling

dynamic mapping, 478

languages, 68

standards, 67, 70

moving, 508, 527-531

normalization process, 513-517

OpenFog Consortium architecture, 136

permissions, 399

persistency, 529

pipeline

architectural layer, 86

deployment preparations, 316

IoT platforms, 288

security, 713-714, 786-788

planes

MQTT. See MQTT

protection, 531

RabbitMQ. See RabbitMQ

SDN, 262-263

security, 659

preparation, 526

protection, 169, 531

access control, 504

accounting, 505

authentication, 504

authorization, 504

availability, 505

backups, 570

CAP theorem, 568-569

CIA, 503

confidentiality, 505

control plane, 566-567

data virtualization, 564

digital twins, 569

EFM, 560-564

functions, 504

integrity, 505

management plane, 565-566

MQTT. See MQTT

nonrepudiation, 506

physical access, 505

proactive mechanisms, 567-571

RabbitMQ. See RabbitMQ

reactive mechanisms, 571-573

pub/sub systems, 527-530

sanitization, 17

segmentation of responsibilities, 500-502

semistructured, 510

sensor, 824

sharing

multitenancy, 641-644

security, 9

smart cities management, 682

stores, 658

structured, 509

topics, 641

transport, 104

unstructured, 511

value, 512, 813

variety, 512, 813

vehicle maintenance, 813

velocity, 813

veracity, 813

volume, 813

warehouses, 521-522

Data Center Interconnect (DCI), 259

data-centric architecture, 104-105

Data Distribution Service (DDS), 105

Data Plane Development Kit (DPDK), 200

databases, IPsec, 589

Datagram Transport Layer Security (DTLS), 74, 349, 612

DataV, 176

DCI (Data Center Interconnect) protocols, 259

DDS (Data Distribution Service), 105

dead-peer detection (DPD), 584

decentralized decisions, Industry 4.0, 148

decentralized environmental notification standards, 827

decision pipeline, end-to-end considerations, 18

decomposing IoT platform, 27

decryption, dynamic, 592-594

Dedicated Short-Range Communications (DSRC), 353, 800, 827

deep learning (DL), 894-895

deep packet inspection (DPI), 430-432

Def Stan 05-138, 829

delivering next-generation IoT platforms, 293

deployment

AnyConnect client, 611

centralized, 418-420

cloud computing, 107-108

connected cars

equipment, 865-866

onboard systems, 864-865

distributed, 420-421

equipment health monitoring example, 766-771, 777-778

event-based video and security use case, 316-319

event-based videos, 710-712

Federal Sigma VAMA architecture, 864

function packs, 317

hybrids, 422

next-generation IoT platforms, 292

OpenStack, 632

OTT, 89

preparations, 315-316

security enforcement, 90

services, 639-641

services-based, 33

smart cities, automating, 723-725

VFs, 317

design

connected car security, 847

IoT platforms, 87

detection, anomaly traffic, 780-781

detectors (application), 433-434

development

connected cars, 801-802

drivers, 515-516

end-to-end considerations, 19

IoT platforms, 178

secure applications, 271

security test and evaluation, 16

Device Level Ring (DLR), 429

Device Sensor, 340-345

AAA configuration example, 342-343

differentiated authorization privileges, 345

internal/external clients, 341

port security, 341

probe configuration, 344

success, 344

devices

attestation and trust, 315

building blocks for access control, 326

complex, 345

constrained, 345

classes, 345-346

identifying, 348-351

limitations, 358

restrictions, 345

discovery, 102

edge, 302

energy limitations, 346-347

ETA, 453

fog, 302

identifying, 26, 336-337

immutable identities, 328-329

IoT, 123

ITU-T Y.2060 reference model, 126

managed devices per IT person in financial and retail customers, 411-412

naming conventions, 327-328

onboarding, 102

power for communication, 347-348

predicted connection rate, 325

provisioning, 326, 330-331

AWS IoT Example, 331-333

Cisco Identity Services Engine example, 334-336

registering, 330-331

AWS IoT example, 331-333

Cisco Identity Services Engine example, 334-336

security, 9

sharing, 315

trust, establishing, 328

trust stores, 355

D-H (Diffie-Hellman) groups, 580

DHCP (Dynamic Host Configuration Protocol), 390

differentiating IoT platform, 174

digital certificates, 352

IEEE 1609.2, 353

PKI, 353-355

revocation, 356-357

SSL pinning, 357

X.509, 352-353

digital IoT twins, 295

digital marketing, 805

digital roadway architecture, 806

digital signatures

applications, 271

encrypting, compared, 540

digital technology, 735

digital twins, 569

digitization, oil and gas industry, 737-738

oil and gas industry downstream environment, 752

oil and gas industry midstream environment

benefits, 747-748

challenges, 748-749

pipeline management, 747

oil and gas industry upstream environment

automation, 742

challenges, 743-744

trends, 743

pipeline management applications, 744

direct exchanges, 544

disabling services, 270

disposal, hardware and software, 17

disposition phase, SDLC, 14, 17

distributed control systems, 750

distributed deployment, NFVIS example, 486

ENFV components, 486-487

hardware requirements, 488-490

NFVIS benefits, 488

orchestration, 490

service chaining, 494-495

vBranch Function Pack, 490-493

VMs supported, 490

distributed ledger technology. See blockchains

distributing data, 527

DLs (data lakes), 522-524

DL (deep learning), 894-895

DLR (Device Level Ring), 429

DLUX (OpenDaylight User Experience), 207

DNS (Domain Name System), 462

DNS-based security, 462

recursive, 462

Umbrella, 463

AMP Threat Grid, 465

healthcare industry protection, 465-466

intelligent proxy services, 464-465

response categories, 463

Docker daemon, 654

Docker security, 653-655

downloadable access control lists (dACLs), 374

downstream environment (oil and gas industry), 734, 749

challenges, 753-754

digitization, 752

distributed control systems, 750

IoT benefits, 752

new business needs, 752

overview, 749

refining and processing architecture, 750

technologies, 750-751

DPD (dead-peer detection), 584

DPDK (Data Plane Development Kit), 200

DPI (deep packet inspection), 430-432

DREAD model, 28

driver safety data, connected cars, 815

drivers

development, 515-516

NEDs, 300

DRTM (Dynamic Root of Trust for Measurement), 663

DSLinks, 563

DSRC (Dedicated Short-Range Communications), 353, 800, 827

DTLS (Datagram Transport Layer Security), 74, 349, 612

durability, data, 529

DW (data warehouses), 521-523

dynamic access policies (DAP), 609

dynamic authorization

ACLs, 374-376

forms, 368

ISE, 368

privileges, 367

RADIUS CoA, 368

request commands, 370-371

Request/Response codes, 369

requests, 368-369

session identification, 369

VLAN assignments, 371-374

SGTs, 376-377

dynamic decryption, 592-594

dynamic mapping, 478

dynamic NAT, 424

Dynamic Root of Trust for Measurement (DRTM), 663

dynamic segmentation, 378-380

E

EAPOL (Extensible Authentication Protocol over LAN), 363

east–west

SDN controller communications, securing, 254-256

SGACLs, 387

ECDH (Elliptic Curve Diffie-Hellman), 353

ECDSA (Elliptic Curve Digital Signature Algorithm), 329, 353

ecosystems

CSA document, 165-168

IoT-specific security controls, 167

recommended security controls, 165-166

groupings (smart cities), 683

Edge and Fog Processing Module (EFM), 560-564

edge computing, 112

embedded systems, 237

fog computing, compared, 113, 240

legacy systems, 237

MEC, 237-238

edge devices, 302

edge networks, 36

edge nodes, 35

edge tier

Cloud Customer Architecture for IoT, 141

IIRA, 146

EdgeChain, 889-890

EdgeX Foundry platform, 177

EFM (Edge and Fog Processing Module), 560-564

components, 561

computation, 562

data collection, 562

DSLinks, 563

permissions, 563

quarantine, 563

Electronic Security Perimeters (ESP), 23

elliptic curve cryptographic algorithms, 353

Elliptic Curve Diffie-Hellman (ECDH), 353

Elliptic Curve Digital Signature Algorithm (ECDSA), 329

embedded era (connected cars), 802

embedded probes, 338

embedded systems (ES), 101, 237

emergency fleet vehicles example, 852-854

architecture overview, 854

automation, 867-870

equipment deployment, 865-866

Federal Sigma VAMA, 863-864

intrusion detection and prevention, 858-860

onboard systems deployment, 864-865

OTA secure updates, 855-857

personalized experiences, 862-863

segmentation and zoning, 857-858

smart city integration, 719-721

Wi-Fi hotspot security, 861-862

emergency police vehicles, 821

ANPR, 820

audible and visual warning systems, 820

battery management, 821

integrated approach, 821

mobile data terminals, 820

onboard systems and technologies, 819-821

onboard telematics, 821

operational challenges, 821

orchestrated services, enabling with consolidated orchestrated hardware, 822

radios, 820

speed detection, 820

speed recognition devices, 820

vehicle tracking, 820

video camera and audio systems, 820

wearables, 821

Wi-Fi hotspots, 821

Encapsulating Security Payload (ESP), 578

Encrypted Traffic Analytics (ETA), 450-454

encryption

algorithms, 580

connected cars, 837

digitally signing, compared, 540

southbound SDN controller communication, 258

transport, 532

ENCS (Enterprise Network Compute System), 489

ENCS 5400, 494-495

end-to-end

development framework, 19

human interaction, 19

manageability and orchestration, 17-18

openness, 18

performance, 20

scalability, 20

security, 20, 163-164

endpoints

any endpoint, anywhere concept, 25

architectural layer, 85

compliance module, 614

data collection storage, 520

hierarchy, 35

IDs, 637

IoT, 3

new, connecting, 639

security, 9

transport encryption, 532

energy

efficiency, 220

limitations, 346-348

enforcement (security)

TrustSec, 384

types of deployments, 90

ENFV (Enterprise Network Functions Virtualization), 486-487

enterprise-centric architectures, 32, 96-97, 154-156

Enterprise Resource Planning (ERP), 37

enterprise risks, 12

enterprise software extensions, 173

enterprise tier, 141

entity-based reference model, 123

E&P (exploration and production), 733

equipment health monitoring example, 763-765

access control, 781

access privileges, 778-780

anomaly traffic detection, 780-781

architecture, 772

automated deployment, 777-778

command validation, 782-783

data pipeline security, 786-788

data pipelines, 771

deployment, 766-771, 865-866

limitations, 765

operational lifecycle, 772

preconfiguration checklist, 773-775

quarantines, 782

requirements, 767

service assurance, 784-786

ERP (Enterprise Resource Planning), 37

ES (embedded systems), 101, 237

ESC

KPI rules, 483-485

NSO activation sequence request, 472-474

NSO fulfillment and assurance sequences, 474-475

VNFs, monitoring, 475

actions, 477

dynamic mapping, 478

metrics, 476

prerequisites, 475

E-Series servers, 489

ESP (Electronic Security Perimeters), 23

ESP (Encapsulating Security Payload), 578

ETA (Encrypted Traffic Analytics), 451

cryptographic compliance, 454

threat detection, 451-452

WannaCry, 454

Ethernet

attacks, 41

connected cars, 825

inline tagging format, 383

EtherNet/IP, 429

ETL (Extract-Transform-Load) model, 521

ETSI (European Telecommunications Standards Institute), 18, 59, 187

architectural standards, 59

MANO, 18

centralized security example, 468

NFV centralized components, 419

NFV

architecture, 229

standards, 66

NFV MANO, 225

benefits, 232

challenges, 229

decoupling service intentions from instantiation process, 230-231

implementation, 231-232

LSO, 226-229

OpenFog convergence, 243-245

OSS/BSS interoperability, 232

security standards, 76

TS 102 637, 827

TS 102 637-1, 827

TS 102 637-2, 827

TS 102 637-3, 827

TS 102 637-4, 827

EUIs (Extended Unique Identifiers), 327

European connected car standards, 827

European Lighthouse Integrated Project, 120

European Telecommunications Standards Institute. See ETSI

event-based videos

security use case, 309

architecture overview, 313

cabinet monitoring, 314

deployment, 316-319

description, 312

preparatory work, 315-316

sequence of events, 319-320

triggers, 312

smart cities, 709-714

data pipeline security, 713-714

deployment, 710-712

triggers, 710

evolution of IoT, 236

evolving technology IoT landscape, 670-671

exchanges

IKEv2, 584-586

RabbitMQ, 544

explicit trust, 355

exploration and production (E&P), 733

exposure, data, 526

Extended Unique Identifiers (EUIs), 327

extensibility

cloud computing, 109

OPC UA, 151

Extensible Authentication Protocol over LAN (EAPOL), 363

Extensible Messaging and Presence Protocol (XMPP), 74, 258

external clients, 341

Extract-Transform-Load (ETL) model, 521

extranets, 594

automating with orchestration and NFV, 596

automating with template-based orchestration and NFV, 595

software-based automation, 597

traditional approach, 594

F

Face ID, 359

fanout exchanges, 544

FCAPS (fault management, configuration management, accounting management, performance management, and security management), 126

FD.io (Fast Data–input/output), 198

Federal Sigma VAMA, deployment

equipment, 865-866

onboard systems, 864-865

FFV

ETSI architectural framework, 229

MANO, 223-232

benefits, 232

challenges, 229

decoupling service intentions from instantiation process, 230-231

implementation, 231-232

LSO, 226-229

OSS/BSS interoperability, 232

FIB (forwarding information base), 199

field operations automation, oil and gas industry, 789

file policies, 461

Filet-o-Firewall vulnerabilities, 42

filtering

CIP, 432

filters, applying, 432

packets

firewalls, 426-427

sanity checking, 431

user definable, 432

financial services, connected cars, 806

fingerprint IDs, 359

Firefox percentage of web pages, 450

firepower-based application detectors, 434

Firepower Management Center (FMC), 459

Firepower Threat Defense (FTD), 459-461

Firepower Threat Defense virtualized (FTDv), 422

firewalls

APTs, 440-441

ASAv, 423

AVC, 433-437

behavioral analysis, 440-441

contextual information with adaptive network control, pairing, 446

Flexible NetFlow protocol, 444

NaaS, 444-446

NetFlow protocol, 442-443

oil and gas pump station example, 447-450

visibility protocols, 442-444

defined, 422

DPI, 430-432

encrypted traffic analytics, 450-454

ETA

cryptographic compliance, 454

threat detection, 451-452

WannaCry, 454

Filet-o-Firewall, 42

FTD, 459-461

IDS/IPS, 437

pattern matching, 438-439

protocol analysis, 439

weaknesses, 439-440

industrial protocols, 428

CIP, 428-429

lack of security, 429

potential solutions, 430

IPS, 438

NAT, 424

NGFWv, 423

overlapping, 425

packet filtering, 426-427

PAT, 425

Fitbit Aria IoT IAM example, 406

cloud to cloud, 406

device to device, 409

native applications to cloud, 408

self-registration, 408

fleet management, connected cars, 806

flexibility

authentication, 403

NFV, 220

Flexible NetFlow (FNF), 444, 447

FlexRay networks, 824

flows

data, oil and gas industry, 790

Fitbit Aria example, 408

MUD, 393-394

flows per second (FPS), 443

FMC (Firepower Management Center), 459

FNF (Flexible NetFlow) protocol, 444

fog computing, 112

advantages, 116-118

cloud computing comparison, 241

cloud fusion, 242

communications, 114

complexity, 118

containerized services, 650

costs, 117-118

cross-vertical replicability, 117

data handling, 115

disadvantages, 117

edge computing, compared, 113, 240

governance, 117

hierarchy, 36

heterogeneity, 117

levels, 302

mobility, 116

nodes, 240

data analysis, 526

data at rest, 521

operating systems, 664

RabbitMQ orchestrated security example, 552-558

security, 660-666

southbound APIs, 667

OpenFog convergence with NFV MANO, 243-245

proximity, 116-117

reliability, 117

requirements, 115

SDX/NFV role, 243

security, 117, 666

smart traffic example, 238-241

speed, 116

Forbes IoT platform key areas, 288

forwarding

graphs, NFV, 222-224

information base (FIB), 199

P4, 202

ports, 606

four Vs of data, 813

FPS (flows per second), 443

FQDN (fully qualified domain name), 602

fracking, 739

frameworks

accounting, 399

Cisco IoT, 168-171

IIAF, 144

IISF, 160-165

assurance, 162

building blocks, 163-164

implementation, 164

recommendations, 162-163

system characteristics, 162

trustworthiness, 161

IoTivity, 142-144

NFV, 63

components, 64

standards, 65-67

Nirvana Stack, 212

OWASP, 168

P4, 201

front-end UIs security, 630, 657

FTD (Firepower Threat Defense), 459-461

FTDv (Firepower Threat Defense virtualized), 422

fulfillment sequences, 474-475, 479-481

full IoT stack architectures, 120

addressing, 670

AIOTI, 138-140

Cloud Customer Architecture, 140-142

components, 674

IEEE P2413, 132-133

IoT-A RA, 120-125

IoTivity framework, 142-144

IoTWF, 126-129

ITU-T Y.2060, 125-126

next-generation IoT platforms, 293

oneM2M, 129-132

OpenFog Consortium, 133-138

fully qualified domain name (FQDN), 602

Function Packs

deploying, 316-317

next-generation platforms, 675

smart cities, 722

YANG model, 306

functional architectures

IoT-A RA, 124

oneM2M, 131

functional requirements, 15, 827

functions

cloud-native, 242

cloud-ready, 242

data protection, 504

fog-ready, 242

OF, 194

OVS, 197

VFs, 298

Future Internet, 3

G

Gartner-defined centric views, 97

Gartner Hype Cycle for Emerging Technologies 2017, 879

Gartner IoT platform recommendations, 289-290

gateways

architecture, 32, 94-95

attacks, 40-41

hierarchy, 35

IoT-A RA, 123

GDPR (General Data Protection Regulation), 499, 571

General Electric Predix, 177

Google Cloud Platform, 176

governance

fog computing, 117

security, 5

smart cities, 682

graph nodes, 199

GridBlocks, 153-154

group policies, SSL VPNs, 602

guidelines

accounting framework, 399

implementation, 53

oil and gas industry, 757

H

handling data

fog computing, 115

police vehicles, 821

hardware

connected cars, 827

disposal, 17

gateway, 40

specific platforms, 173

Hash-Based Message Authentication Code (HMAC), 264

hashing algorithms, 580

header exchanges, 546

healthcare

industry protection with Umbrella, 465-466

smart cities, 681

heterogeneity, 86

fog computing, 117

next-generation IoT platforms, 297

Hewlett-Packard Enterprise Universal of Things Platform, 176

hierarchical data flow model, 158

hierarchy

applications, 36

architecture layers, 85

business processes and services, 86

center/back-end, 86

data pipeline and processing, 86

infrastructure and transport, 85

integration, 86

security, 86

things and endpoints, 85

business processes, 37

center, 36

communication nodes, 36

core networks, 36

edge networks, 36

edge nodes, 35

endpoints, 35

fog networks, 36

gateways, 35

microservices, 36

services, 37

things, 35

high availability

NFV, 220

SDN orchestration, 269

high-level architecture, smart cities, 701

high-level groups, identification, 25

high reliability, next-generation IoT platforms, 293

HMAC (Hash-Based Message Authentication Code), 264

HMI (Human Machine Interface), remote access, 617

authorization, 621

identity, authentication, posture, 618

remediation, 619-620

working components, 618-621

horizontal approaches, smart cities, 685

HTTP (Hypertext Transfer Protocol), 74, 264

HTTPS (HTTP over TLS), 598

HTTPS (HTTP Secure), 74

hub-centric architecture, 32, 94

human efficiency and productivity, oil and gas industry automation, 742

human interaction, end-to-end considerations, 19

human layer, 44

Human Machine Interface. See HMI

hybrid clouds, 107

hybrid deployments, 422

hybrid mode, 190

hybrid subsymbolic/symbolic AI, 892

Hypertext Transfer Protocol (HTTP), 74, 264

I

I am the Cavalry, 77

IA (information assurance), 37

IaaS (infrastructure-as-a service), 108, 173

IACS (Industrial Automation and Control System), 21

IAM (identity and access management)

AWS, 394-397

existing, 325

IoT

Fitbit Aria example, 406-409

OAuth 2.0, 404-405

OpenID Connect 1.0, 405

requirements, 403-404

scaling, 402

self-registration, 408

IBM

Bluemix, 177

Watson, 176

ICN (information-centric network), 100-104

challenges, 103

components, 101

data transport, 104

existing technologies, 103

features, 101

middleware, 102

migration, 104

scalability, 103

security, 103

ICS (Industrial Control Systems), 38

Purdue Model of Control reference model, 160

hierarchical data flow model, 158

open process automation, 159

segmented architecture based on, 157

IDs (identities), 637-639

device registration, 330-331

AWS IoT example, 331-333

Cisco Identity Services Engine example, 334-336

immutable, 328-329

LDAP management, 639

naming conventions, 327-328

personalized connected car experiences, 862-863

trusted devices, establishing, 328

identifying

assets, 27

constrained devices, 348-351

CoAP, 349-350

MQTT, 350-351

data elements, 25-26

device types, 26

devices, 336-337

encrypted network traffic threats, 451-453

equipment health monitoring example access privileges, 778-780

high-level groups, 25

risk, 25

classification, 27

identification, 25-26

risk scores, 28

threat modeling, 27

sessions, 369

subgroups, 26

threats, 27, 878

identities. See IDs

identity and access management. See IAM

Identity Relationship Management (IRM), 326, 413-414

Identity Services Engine. See ISE

IDMZ (Industrial DMZ), 158, 759

IDS (intrusion detection system), 437

connected cars, 858-860

pattern matching, 438-439

protocol analysis, 439

smart city services on demand connectivity, 717-718

weaknesses, 439-440

IEC (International Electrotechnical Commission)

2020 Platform Whitepaper, 155

62351 standard, 78

62443 standard, 78, 500-502, 756

IoT platform definition, 88

IEEE (Institute of Electrical and Electronics Engineers), 59

802.1X authentication, 363-365

802.1X Flexible Authentication, 366-367

802.11-2012 Standard for Information Technology, 826

1455-1999, 826

1609.1-2006, 826

1609.2-2016, 826

1609.2 certificates, 353

1609.3-2016, 826

1609.4-2016, 827

1609.12-2016, 827

architectural standards, 59

P2413 architecture, 132-133

SDN standards, 66

security standards, 76

smart city recommendations, 683

smart city standards, 685

IETF (Internet Engineering Task Force), 60

architectural standards, 60

RFC 6241, 258

SDN/NFV standards, 66

IIAF (Industrial Internet Architecture Framework), 144

IIC (Industrial Internet Consortium), 61, 144

industrial/market standards, 61

security standards, 78

IIoT (Industrial Internet of Things), 3

IIRA (Industrial Internet reference architecture), 144-146

IISF (Industrial Internet Security Framework), 160-165

assurance, 162

building blocks, 163-164

implementation, 164

recommendations, 162-163

system characteristics, 162

trustworthiness, 161

IKE (Internet Key Exchange), 578, 589

IKE_AUTH exchange, 586

IKEv1

IKEv2 comparison, 586

phase 1, 579-582, 586-587

aggressive mode, 582

authentication method, 579

D-H (Diffie-Hellman) groups, 580

encryption algorithms, 580

hashing algorithms, 580

main mode, 580-581

phase 2, 582-584, 588

PFS, 584

quick mode, 582-583

IKEv2 (Internet Key Exchange Protocol Version 2), 584-586

exchange process, 584-586

IKEv1 comparison, 586

phase 1 attributes, 586-587

phase 2 attributes, 588

images

computer vision, 898

Docker, 654

immutable identities, 328-329

immutable relationships, 413

implementation

end to end security, 164

ETSI NFV MANO, 231-232

guidelines, 53

Industry 4.0, 148

ODL, 208

P4, 203

policies, 53

procedures, 54

reference, 87

regulations, 53

requirements, 86

SDLC, 14-16

standards, 53

inband SGT propagation, 381

inbound packet filtering, 426

incident handling standard, connected cars, 829

incident management standard, connected cars, 828

incompatibility, 49

independent network applications, 207

Industrial Automation and Control System (IACS), 21

industrial communication protocols AVC example, 435

Industrial Control Systems. See ICS

Industrial DMZ (IDMZ), 158

industrial environments

IIRA, 144-146

IISF, 160-165

assurance, 162

building blocks, 163-164

implementation, 164

recommendations, 162-163

system characteristics, 162

trustworthiness, 161

Industry 4.0, 148-149

NFV-based, 154-156

OPC-UA, 150-152

Purdue Model of Control Hierarchy framework, 5, 160

hierarchical data flow model, 158

open process automation, 159

segmented architecture based on, 157

SDN-based, 154-156, 592

industrial-focused standards, 61-63

Industrial Internet Architecture Framework (IIAF), 144

Industrial Internet Consortium. See IIC

Industrial Internet Reference Architecture (IIRA), 144-146

Industrial Internet Security Framework. See IISF

Industrial Internet of Things (IIoT), 3

industrial protocols

CIP, 428-429

lack of security, 429

potential solutions, 430

Industry 4.0, 148-149

industry compliance standards, 23

industry convergence and multifaceted platforms, 246-248

Industry Specification Group (ISG), 187

information

assurance (IA), 37

data, compared, 524

modeling, 151

preservation, 17

security, 828

technology security awareness and training standard, 829

technology standard, 826

transparency, 148

information-centric network. See ICN

infotainment era (connected cars), 802, 805

infrastructure

architectural layer, 85

connected car interoperable, 829

next-generation IoT platforms, 301

operational efficiency (smart cities), 681

SDN, 189

control plane, 262

data, 262-263

management, 261

operations, 261

security, 260-263

infrastructure-as-a service (IaaS), 108, 173

ingestion, data, 524

initiation phase (SDLC), 14-15

inline tagging, 383

innovation, NFV, 221

input nodes, 199

insecure devices, 9

inspection, 16

Institute of Electrical and Electronics Engineers. See IEEE

integration

architectural layer, 86

Cloud platform, 177

system, 16

integrity, 37

boot, 274-275

data protection, 505

MQTT, 540-542

RabbitMQ, 549

Intel IoT Platform, 177

intelligent proxy services, 464-465

Intelligent Transportation Systems (ITS), 826-827

intended outcomes, next-generation IoT platforms, 303-308

contextual automation, 307

model-driven, 304-306

service-centric, 304-306

service chaining, 306-307

interfaces. See also UIs

HMI remote access, 617

authorization, 621

identity, authentication, posture, 618

remediation, 619-620

working components, 618-621

OpenFlow, 257

SDN-based IPsec flow protection, 590-591

smart cities, 696

internal application detectors, 434

International Council on Large Electrical Systems (CIGRE), 66

International Telecommunication Union (ITU), 2

Internet Engineering Task Force. See IETF

Internet Key Exchange (IKE), 578, 589

Internet Key Exchange Protocol Version 2. See IKEv2

Internet of People (IoP), 98

Internet Protocol (IP), 73, 169

Internet Reliable Transaction Protocol (IRTP), 60

Internet Research Task Force. See IRTF

Internet Security Association and Key Management Protocol (ISAKMP), 578

Internet Security Research Group (ISRG), 451

Internet Society (ISOC), 66

Internet of Things. See IoT

Internet of Things Architecture Reference Architecture (IoT-A RA), 120-125

interoperability, 49, 86

cloud computing, 110

connected car requirements, 829

connected cars, 826

ETSI NFV MANO, 232

Industry 4.0, 148

IoT platforms, 178

next-generation IoT platforms, 299

next-generation platforms, 672

standards, 50, 54-55

Inter-Vertical Interface, 696

Intra-Application Connectivity Interface, 696

intrusion detection system. See IDS

intrusion prevention system. See IPS

I/O, single root virtualization, 283-285

IoP (Internet of People), 98

IoT (Internet of Things)

building blocks, 35

business value, 5

Cloud Connect, 176

communication, 72

connectivity, 4

cross-vertical compound applications, 3

custom, 7

data, 4

devices, 123

endpoints, 3

entities, 139

evolution, 236

Global Council, 78

IAM

Fitbit Aria example, 406-409

OAuth 2.0, 404-405

OpenID Connect 1.0, 405

performance, 403

policy-based authorization, 403

privacy, 403

requirements, 403-404

scalability, 403

scaling, 402

security best practices, 404

IAP, 77

implementation, 86

interest over time, 2

ITU definition, 2

next-generation. See next-generation IoT

open standard/open architecture systems, 7

people and processes, 3-4

platforms

architecting, 32-33

building out solutions, 175

data pipeline, 288

decomposing, 27

design, 87

development, 178

differentiating, 174

improvements, 179-182

interoperability, 178

key areas, 288

market, 172

maturity, 174

next-generation. See next-generation IoT

orchestration, 288

recommendations, 289-290

security, 178-179

top IoT platforms for 2018, 176-177

Ready, 329

SaaS, 7

scalability, 5

security, 8-9

Security Foundation, 76

servers, 102

staff allocation, 6

Suite platform, 176

things, 3

threats, 8

transformation into PaaS, 7

IoT-A RA (Internet of Things Architecture Reference Architecture), 120-125

entity-based reference model, 123

functional architecture, 124

reference model, 121

IoT layer, AIOTI architecture, 138

IoTivity, 60, 142-144

IoTWF (IoT World Forum) reference model, 126-129

IP (Internet Protocol), 73, 169

iPhone Face ID system, 360

IPS (intrusion prevention system), 438

connected cars, 858-860

pattern matching, 438-439

protocol analysis, 439

smart city services on demand connectivity, 717-718

weaknesses, 439-440

IPsec

AHs (authentication headers), 578

databases, 589

ESP, 578

IKE, 578

IPsec/IKE within NSF, 589

peer authentication, 579

SA negotiation, 582-584

SDN-based

dynamic decryption, 592-594

flow protection, 589-591

IoT application, 592-594

site-to-site VPNs, 576

IKEv1 phase 1, 579-582

IKEv1 phase 2, 582-584

IKEv1/v2 phase 1 attributes, 586-587

IKEv1/v2 phase 2 attributes, 588

IKEv2, 584-586

IKEv2 versus IKEv1, 586

Software-Defined Networking (SDN)-based IPsec Flow Protection Internet draft, 588

IPSO Alliance, 60

IPv6 Low Power Wireless Personal Area Network (6LoWPAN), 74

IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), 73

IRM (Identity Relationship Management), 326, 413-414

IRTF (Internet Research Task Force), 60

SDN standards, 66

security standards, 78

IRTP (Internet Reliable Transaction Protocol), 60

ISAKMP (Internet Security Association and Key Management Protocol), 578

ISE (Identity Services Engine), 336

authorization, 368

canned policies, 340

collector and analyzer, 338

consumer/provider matrix, 384-386

CSDL, 644-646

embedded probes, 338

integrated architecture, 337

on demand access control example, 715-717

profiling, 337-340

provisioning, 334-336

SGACLs, 387-388

TrustSec controller, 378

ISG (Industry Specification Group), 187

ISO 27035, 828

ISO 9797-1, 828

ISO 12207, 828

ISO 15408, 828

ISO 27001, 828

ISO 27002, 828

ISO 27010, 828

ISO 27018, 828

ISO 27034, 828

ISO 29101, 828

ISO 29119, 829

ISOC (Internet Society), 66

isolation

applications, 271

multi-administrator, 282-283

performance and latency, 278

ISRG (Internet Security Research Group), 451

IT

bringing together with OT technologies, 157

connected cars standard, 828

OT convergence, 156

staff allocation, 6

IT/OT

convergence, 159

integration, 788

technology separation, 758-759

ITS (Intelligent Transportation Systems), 826-827

ITU (International Telecommunication Union), 2

ITU-T (ITU Telecommunication Standardization Sector), 60, 66

ITU-T Y.2060 reference model, 125-126

J

jamming attacks, 41

Japan connected car standards, 827

JavaScript, 635

JOSE (JavaScript Object Signing and Encryption), 409

K

Kaa platform, 177

Kantara Initiative, 413-414

Key Performance Indicators. See KPIs

keys

BRSKI, 329-330

IKE, 578

PKI, 353-355

private, 276-278

PSKs, 41, 579

public, 352

QKD, 276

Keystone, 640

Kinetic IoT Platform, 177

KPIs (Key Performance Indicators), 20, 274

autoscaling, 483

rules, 483-485

SESSION_OUT metric, 482-483

VM_ALIVE script, 480-481

VM_SCALING metric, 481

VNF monitoring, 475, 479

Kubernetes security best practices, 656-658

L

L2MP (Layer 2 Multipath), 259

Lambda architectures, 119-120

languages

data modeling, 68

natural language processing (NLP), 895-896

last-mile communication, 71

latency

fog computing, 115

performance struggle, 278

Layer 2 Multipath (L2MP), 259

Layer 3 inline tagging format, 383

layered data bus, 146

layered security, 43

application, 46

device, 45

human, 44

network, 45-46

physical, 44

layers

AIOTI architecture, 138

application, 74, 125, 138-139

architectural, 85-86

Cloud Customer Architecture for IoT, 141

connected car security, 850-851

device, 126

IoT, 138

MAC, 73

MQTT, 532

network

AIOTI architecture, 138

communication, 73-74

ITU-T Y.2060 reference model, 125

ODL, 204-207

AAA, 206

controllers, 206

DLUX, 207

independent network applications, 207

MD-SAL, 205

NeXT UI, 207

northbound APIs, 206

plug-ins, 204

southbound APIs, 204

OPC UA, 150

physical, 73

SDN, 189-192

applications layer, 191

control layer, 190

infrastructure layer, 189

service support, 125

transport, 74

LDAP (Lightweight Directory Access Protocol)

data pipeline security, 713-714

data topics, 641

ID management, 639

Keystone comparison, 640

MUD URLs, emitting, 390

multitenancy data sharing, 641, 644

RabbitMQ queries, 548

vhost clients, adding, 642

least privilege, SDN orchestration, 269

ledger, blockchains, 883

legacy systems, 237

legislation standards, 54

Let’s Encrypt, 451

Level 1 vehicles, 804

Level 2 vehicles, 804

Level 3 vehicles, 804

Level 4 vehicles, 804

Level 5 vehicles, 804

levels of automated driving systems, 803-804

leveraging data, 509

lifecycle service orchestration (LSO), 226-229

lifecycles

data, 507-509

categories, 511

collection, 507

computing, 508

data categories, 509

leveraging, 509

moving, 508

secure remote management, 704-705

system (SDLC), 13

LINs (local interconnect networks), 824

lldpSystemDescription variable, 343

LLN (low-power and lossy networks), 73

local interconnect networks (LINs), 824

local service gateway (LSG), 101

local sys_admin accounts, creating, 399

logging SDN orchestration, 270

logical segmentation, 22

loops, attacks, 41

low-power and lossy networks (LLNs), 73

lower power strategy, 347

LSG (local service gateway), 101

LSO (lifecycle service orchestration), 226-229

LTE-V (LTE-Vehicle), 800

LTI Mosaic, 177

M

M2M (Machine-to-Machine), 3, 173

M4 Rack Server, 489

MAB (MAC address bypass), 365

MAC addresses

EUIs, 327

flooding, 41

layers, 73

machine learning. See ML

main mode (IKEv1 phase 1), 580-581

maintenance

cloud computing, 109

oil and gas industry, 752

malicious incidents, oil and gas industry security, 755

Malware Block policy, 387

malware protection

AMP, 456

file policies, 461

FTD, 459-461

point-in-time detection, 456-457

retrospection, 457-458

sandboxing, 458

TALOS, 456

man-in-the-middle attacks (MITM), 40

managed device count per IT person for financial and/or retail customers, 411-412

management

configuration, 17

containerized services, 649-653

data, 5

IoT-A RA, 124

next-generation IoT platforms, 297

police vehicle systems, 821

publish-subscribe, 102

management planes

data protection, 565-566

SDN, 261

security, 658

management UIs (user interfaces), 627-628

MANO (Management and Orchestration), 18

end-to-end considerations, 17-18

next-generation IoT platforms, 297-301

next-generation platforms, 671

NFV, 223-232, 243-245

NFV ETSI, 225

benefits, 232

challenges, 229

decoupling service intentions from instantiation process, 230-231

implementation, 231-232

LSO, 226-229

OSS/BSS interoperability, 232

OpenFog Consortium architecture, 136

manual versus automatic quarantining, 782

manufacturer usage description. See MUD

Manufacturers Alliance for Productivity and Innovation (MAPI), 62

manufacturing

AnyConnect client example, 617

authorization, 621

identity, authentication, posture, 618

remediation, 619-620

working components, 618-621

clientless portal example, 603

CPwE, 153

GridBlocks, 153-154

segmentation of data responsibilities, 500, 502

Manufacturing 4.0, 3

Manufacturing Execution Systems (MES), 37

manufacturing focused approaches

CPwE, 153

GridBlocks, 153-154

MAPI (Manufacturers Alliance for Productivity and Innovation), 62

market-focused standards, 61-63

market IoT platform, 172

Marz, Nathan, 120

maturity, IoT platform, 174

mbed platform, 177

McKeown, Nick, 186

MD5 (Message Digest Algorithm), 580

MD-SAL (model-driven service abstraction layer)

AD-SAL, comparison, 209-210

ODL, 205

MEC (Multi-access Edge Computing), 237-238

Media Oriented Systems Transport (MOST), 825

media sanitization, 17, 829

mediums, 41

MEF (Metro Ethernet Forum), 66

memory, reserving, 278

menu access permissions, 399

MES (Manufacturing Execution Systems), 37

message authentication codes, 828

Message Digest Algorithm (MD5), 580

Message Queuing Telemetry Transport. See MQTT

message sets for vehicle/roadside communications standard, 826

metrics

monitoring, 476

VMs, scaling, 481

Metro Ethernet Forum (MEF), 66

microsegmentation, 387

microservices, 36

Microsoft

Azure, 176

DREAD model, 28

middleware

architectures, 118

ICN, 102

midstream environment (oil and gas industry), 734, 744

challenges, 748-749

digitization, 747

new business needs, 747

pipeline, 744-748

migration, ICN challenges, 104

million packets per second (MPPS), 199

MindSphere, 176

minimizing complexity, 309

MITM (man-in-the-middle attacks), 40

ML (machine learning), 98, 878-879, 893

AI collaboration, 899

classical models approach, comparison, 893

connected cars, 815

deep learning (DL), 894-895

neural networks, 896-897

people-/user-centric approaches, 98

supervised, 894

mobile-centric architectures, 32, 93-94

mobile data terminals, police vehicles, 820

mobility, fog computing, 116

Mocana by Mocana platform, 177

MODBUS application filter example, 436-437

models

intended outcomes, 304-306

reference, 87

service abstraction layer (MD-SAL), 205

modules

AnyConnect client, 612-616

AMP, 616

endpoint compliance, 614

Network Access Manager, 614

NVM, 615-616

roaming protection, 614-615

VPN, 612-613

MUD, 392

pluggable authentication (PAM), 646

monitoring

actions, 477

continuous, 17

event-based videos, 709-712

data pipeline security, 713-714

deployment, 710-712

triggers, 710

metrics, 476

police vehicle systems, 821

power, 702

street cabinets, 705-709

VNFs, 475

dynamic mapping, 478

ESC, 476-477

fulfillment and assurance sequences, 479-480

KPI monitoring methods, 479

prerequisites, 475

VM alive script, 480-481

Mosaic, 177

MOST (Media Oriented Systems Transport), 825

moving data, 508, 527-531

MPPS (million packets per second), 199

MQTT (Message Queuing Telemetry Transport Protocol), 350-351, 532-533, 540

authentication, 533-535

authorization, 535-539

availability, 542-543

brokers, 350

clients, 350

confidentiality, 539-540

integrity, 540-542

layers, 532

repudiation, 543

transport protection, 532

MUD (Manufacturer Usage Description), 78, 390

driver development, 516

Internet draft, 390

module, 392

policy types, 390-391

process flow, 393-394

telemetry sensors, adding to street cabinets, 707

URLs, emitting, 390

Multi-access Edge Computing (MEC), 237-238

multi-administrator isolation, 282-283

multitenancy

data sharing, 641, 644

deployment preparations, 315

next-generation IoT platforms, 296

smart cities, 698

TEEs, 666

user profiles/roles, 628-630

N

NaaS (Network as a Service), 444-446

NAC (Network Access Control), 42

namespaces, 654

naming conventions, 327-328

naming services, 102

NAT (network address translation), 424-425

National Highway Traffic Safety Administration (NHTSA), 803, 845-846

National Institute of Standards and Technology. See NIST

NSF (network security function), 589

native applications, 408

NAT-T (NAT-Traversal), 583

natural intelligence (NI), 890

natural language processing (NLP), 895-896

navigation services, 805

NB APIs (northbound APIs), 43

NBAR2 (Network-Based Application Recognition), 444

NEDs (Network Element Drivers), 300, 316

NERC (North American Electric Reliability Corporation), 78

NETCONF (IETF RFC 6241), 258

NetFlow protocol, 442-443

Netrounds, 784

Network Access Control (NAC), 42

Network Access Manager, 614

network address translation (NAT), 424-425

Network as a Service (NaaS), 444-446

Network-Based Application Recognition (NBAR2), 444

Network Element Drivers (NEDs), 300, 316

network enforced policies, 170

network functions virtualization. See NFV

network functions virtualization infrastructure. See NFVI

network layer, 45-46

AIOTI architecture, 138

communication, 73-74

ITU-T Y.2060 reference model, 125

Network Security Event Logging (NSEL), 444

Network Services Descriptors (NSD) catalog, 471

network services entity (NSE), 131

Network Services Orchestrator. See NSO

Network Service Record (NSR), 472

Network Visibility Module (NVM), 615-616

networks

active networking, 185

AIOTI architecture, 139

connected cars, 824-825

IoT-A RA, 123

low-power and lossy, 73

proximity, 146

smart cities, 682

neural networks, 896-897

next-gen IPS (NGIPS), 423

Next Generation Firewall virtualized (NGFWv), 422-423

next-generation IoT, 291

architecture, 294-295

building blocks, 295-303

fog levels, 302

heterogeneous, 297

infrastructure, 301

management, 297

MANO, 297-301

multitenancy, 296

operation, 297

UIs, 297

virtualization, 297

complexity, minimizing, 309

consistency, 291

delivery, 293

deployment, 292

event-based video and security use case, 309-321

architecture overview, 313

cabinet monitoring, 314

description, 312

preparatory work, 315-316

triggers, 312

evolving technology landscape, 670

full IoT stacks, 293, 670

Function Packs, 675

high reliability, 293

intended outcomes, 303-308

contextual automation, 307

model-driven, 304-306

service-centric, 304-306

service chaining, 306-307

interoperability, 299, 672

MANO, 671

reference architecture, 293

requirements, 308

scaling, 293

services, 299

standards, 292

NeXT UI, 207

NFV (network function virtualization), 7, 63, 187

adoption acceleration, 218

agility, 221

architectures, 154-156

CAPEX reduction, 219

challenges, 233-235

components, 64

energy efficiency, 220

extranet automation, 596

flexibility, 220

fog computing, 243

forwarding graphs, 222-224

high availability, 220

history, 187

innovation, 221

IoT enabling capabilities, 235

MANO, 243-245

multi-administrator isolation, 282-283

NFVI, 222-223

ODL alignment (OPNFV), 67, 211

OPEX reduction, 219

SDN, compared, 187

security, 272

authenticated time service, 281

backdoors, 281-282

boot integrity, 274-275

multi-administrator isolation, 282-283

performance isolation, 278

private keys, 276-278

secure crash, 275

SRIOV, 283-285

tenant/user AAA, 279-280

threat landscape, 273

SRIOV, 283-285

standards, 65-67

telecom benefits, 219-221

template-based extranet automation, 595

VNFC, 221

NFVI (network functions virtualization infrastructure), 222-223, 486

ENFV components, 486-487

hardware requirements, 488-490

NFVIS benefits, 488

orchestration, 490

service chaining, 494-495

vBranch Function Pack, 490-493

VMs supported, 490

NFVO (NFV orchestrator), 226

back-end platform, 646-647

containerized services, 650

NSO, 646

NGFWv (Next Generation Firewall virtualized), 422-423

NGIPS (next-gen IPS), 423

NHTSA (National Highway Traffic Safety Administration), 803, 845-846

NI (natural intelligence), 890

Nirvana Stack, 212

NIST (National Institute of Standards and Technology), 77

CPS PWG, 77

cybersecurity best practices, 659

NISTIR 7628 guidelines, 77

security recommendations, 15

SP 800-30, 829

SP 800-50, 829

SP 800-61, 829

SP 800-88, 829

SP 800-160 Systems Security Engineering publication, 77

NISTIR 7628 guidelines, 77

NLP (natural language processing), 895-896

nodes

edge, 35

fog, 240

cabinets, 660

communications, 664

core software, 662-664

data analysis, 526

data at rest, 521

drives, 664

northbound communications, 662

operating system security, 664

RA, 662

RabbitMQ orchestrated security example, 552-558

runtime environments, 665

security, 660-662, 666

southbound APIs, 667

virtualization, 665

graph, 199

input, 199

nonfunctional security requirements analysis, 15

nonrepudiation, 38

data protection, 506

MQTT, 543

northbound SDN controller communications, securing, 267-268

RabbitMQ, 552

normal off power strategy, 347

normalization, data, 513-517

North American Electric Reliability Corporation (NERC), 78

northbound APIs (NB APIs), 43

fog nodes, 662

ODL, 206

OVS, 197

SDN, 191

northbound SDN controller communications, securing, 263-266

authorization, 267

checks and balances, 268

nonrepudiation, 267-268

REST authentication, 264-267

north–south SGACLs, 387

NSD (Network Services Descriptors) catalog, 471

NSE (network services entity), 131

NSEL (Network Security Event Logging), 444

NSF (network security function), 589

NSO (Network Services Orchestrator), 646

centralized security example, 469

activation sequence, 472-474

fulfillment and assurance sequences, 474-475

NSD catalog, 471

NSR, 472

VNFD catalog, 470

PAM, 646

scalability, 647

NSR (Network Service Record), 472

NVM (Network Visibility Module), 615-616

O

OAM (operation and management), 192

OASIS (Organization for the Advancement of Structured Information Standards), 61

OAuth 2.0

IoT IAM, 404-405

MQTT authorization, 537-539

Object Management Group, 60

OCF (Open Connectivity Foundation), 60, 142

OCSP (Online Certificate Status Protocol), 259, 357

ODCA (Open Data Centre Alliance), 67

ODD (operational design domain), 804

ODL (OpenDaylight), 203-212

AD-SAL versus MD-SAL, 209-210

implementation, 208

Nirvana Stack, 212

objectives, 204

OPNFV, 211

reference architecture, 204-207

AAA, 206

controllers, 206

DLUX, 207

independent network applications, 207

MD-SAL, 205

NeXT UI, 207

northbound APIs, 206

plug-ins, 204

southbound APIs, 204

SDN standards, 67

SDNi, 254

ODVA (Open DeviceNet Vendors Association), 61

OF (OpenFlow), 186, 192-195

components, 193

functions, 194

interface, 257

ONF, 193

strength, 192

OFC (OpenFog Consortium), 61

architecture, 133-138

NFV MANO convergence, 243-245

perspectives, 136

pillars, 133-135

security layers, 137

stakeholder views, 137

offloading traffic, 198

OIF (Optical Internetworking Forum), 67

oil and gas industry, 729

clientless SSL VPNs, 610-611

data flows, 790

demand and consumption, 730

digital technology investments, 735

downstream environment, 749

activities, 734

challenges, 753-754

digitization, 752

distributed control systems, 750

IoT benefits, 752

new business needs, 752

overview, 749

refining and processing architecture, 750

technologies, 750-751

E&P (exploration and production), 733

equipment health monitoring, 763-765

access control, 781

access privileges, 778-780

anomaly traffic detection, 780-781

architecture, 772

automated deployment, 777-778

command validation, 782-783

data pipelines, 771, 786-788

deployment, 766-771

limitations, 765

operational lifecycle, 772

preconfiguration checklist, 773-775

quarantines, 782

requirements, 767

service assurance, 784-786

fatality rate, 731

field operations automation, 789

future communication requirements, 790

IoT and digitization examples, 737-738

IoT goals, 731

IoT impact, 789

IT/OT integration, 788

maintenance, 752

midstream environment, 744

activities, 734

challenges, 748-749

digitization, 747

IoT benefits, 747-748

new business needs, 747

pipeline architecture, 744

pipeline management applications, 744-746

new requirements, 788

price per barrel of oil, 730

secure automation opportunities, 735

security, 754-763

accidental incidents, 755

architectures, 756-757

automation requirements, 762-763

budget constraints, 762

components, 757

control systems, 755

IDMZ, 759

IEC 62443 approach, 756

IT/OT technology separation, 758-759

malicious incidents, 755

requirements, 760-761

risk outcomes, 755

standards and guidelines, 757

vulnerabilities, 754

upstream environment

activities, 733

automation, 742-743

challenges, 743-744

communication and solution technologies, 740

fracking, 739

oil sands mining, 740

overview, 739

value, 731-734

oil sands mining, 740

OLE for Process Control (OPC), 62

on demand access control, 714-718

IPS/IDS, 717-718

self-service portal, 715-717

onboard systems, deployment, 864-865

onboard telematics, 821

onboarding

attack target, 40

devices, 102, 334-336

smart city sensors, 706-707

oneM2M architecture, 129-132

CSFs, 131

functional architecture, 131

industrial/market standards, 62

layered model, 130

ONF (Open Networking Foundation), 67, 186, 193, 257

Online Certificate Status Protocol (OCSP), 259, 357

Online Trust Alliance. See OTA

OPC (OLE for Process Control), 62

OPC Foundation, 152

OPC-UA (OPC Unified Architecture), 150-152

Open API Initiative, 61

Open Connectivity Foundation (OCF), 60, 142

Open Data Centre Alliance (ODCA), 67

Open DeviceNet Vendors Association (ODVA), 61

Open Group Open Process Automation, 61

open interoperable standards, 55

Open Networking Foundation (ONF), 67, 186, 193, 257

Open Platform for NFV (OPNFV), 67, 211

open platforms, smart cities, 677

open process automation architecture, Purdue Model of Control, 159

open standards, 55

Open Systems Interconnection (OSI), 70

Open vSwitch. See OVS

Open Web Application Security Project (OWASP), 76, 168

OpenDaylight. See ODL

OpenDaylight User Experience (DLUX), 207

OpenFlow. See OF

OpenFog Consortium. See OFC

OpenID Connect 1.0, 405

openness, 86

end-to-end considerations, 18

OpenFog reference architecture pillar, 135

SDN, 192

smart city platforms, 697

OpenStack platform, 632

operation and management (OAM), 192

operation support systems (OSS), 223

operational design domain (ODD), 804

operational lifecycle, 772

operational plane, 261

Operational Technology (OT), IT convergence, 156-157, 788

operationalization, back-end platforms, 633-634

operations

challenges, 821, 863

next-generation IoT platforms, 297

requirements, 86-87

operations and maintenance phase (SDLC), 14, 17

OPEX reduction, 219

OPNFV (Open Platform for NFV), 67, 211

Optical Internetworking Forum (OIF), 67

Oracle Integrated Cloud, 177

orchestration, 5

connected cars, 818, 848

extranet automation, 596

IoT capabilities, 288, 691

NFVIS distributed deployment, 490

police vehicles, 822

RabbitMQ fog node level security example, 552-558

SDN, 268-270

smart cities, 690, 697

system of systems platform for smart cities, 699-700

template-based extranet automation, 595

Organization for the Advancement of Structured Information Standards (OASIS), 61

OSI (Open Systems Interconnection) model, 70

OSS (operation support systems), 223

OT (Operational Technology), IT convergence, 156-157, 788

OTA (Online Trust Alliance), 76

security standards, 76

OTA (over-the-air), 821

lifecycle management, 821

secure updates, 855-857

OTT (over the top), 89, 673

OTV (Cisco Overlay Transport Virtualization), 259

out of band SGT propagation, 381

outbound packet filtering, 426

overcloud, 634

overlapping firewalls, 425

OVS (Open vSwitch), 195-198

architecture, 196

capabilities, 196

features, 198

functions, 197

traffic management, 197

traffic offloading, 198

Ovum Research IoT platform recommendations, 290

OWASP (Open Web Application Security Project), 76, 168

P

P4 (Programming Protocol-Independent Packet Processors), 201-203

forwarding model, 202

framework, 201

implementation, 203

PaaS (Platform as a Service), 7, 108

packets

DPI, 430-432

filtering

firewalls, 426-427

sanity checking, 431

user definable, 432

vector, 198-200

PAD (Peer Authorization Database), 589

PAM (pluggable authentication modules), 646

partial solutions, 88

passwords, authentication, 357-358

PAT (port address translation), 425

patches, 840

pattern matching, 438-439

PCI-SIG (PCI Special Interest Group), 284

peer systems, 124

penetration testing, 271

people (IoT), 4

people-centric architecture approach, 98-100

Perfect Forward Secrecy (PFS), 584

performance

end-to-end considerations, 20

IoT IAM, 403

isolation, 278

OpenFog Consortium architecture, 136

V2V standard requirements, 827

permissions

data, 399

EFM, 563

menu access, 399

RabbitMQ, 546

persistency, data, 529

personal health monitoring services, 805

personalized connected car experiences, 815, 862-863

perspective approach. See system viewpoint

PFS (Perfect Forward Secrecy), 584

phasor measurement unit (PMU) zones, 23

PHY (physical layers), 213

physical access, 505

physical entities, 123

physical layers (PHY), 73, 213

physical security, 9, 38, 44

physical segmentation, 21

pillars

IA, 37

OpenFog reference architecture, 133-135

pipelines (oil and gas)

architecture, 744

challenges, 748-749

data security, 786-788

digitization, 747

IoT benefits, 747-748

management applications, 744-746

new business needs, 747

PKI (Public Key Infrastructure), 351-355

placement, platforms, 89

planning security, 16

Platform as a Service (PaaS), 7

Platform Exchange Grid (pxGrid), 446

platforms

back-end, 631-634

access control, 637-646

API security, 634-635

containerized services management, 649-653

dashboard, 635-637

NFVO, 646-647

operationalization, 633-634

options, 631

overcloud/undercloud, 634

requirements, 631

REST APIs, 634-635

VFM, 648

VIM, 648-649

converged and multifaceted, 246-248

definition, 88

independence, 151

open, 677

OTT IoT, 673

placement, 89

public shared, 89

Smart City, 692-693

plug-ins

clientless SSL VPN application access, 609

ODL, 204

RabbitMQ, 548

pluggable authentication modules (PAM), 646

PMU (phasor measurement unit) zones, 23

point-in-time protection, 456-457

police vehicles, 821

ANPR, 820

audible and visual warning systems, 820

battery management, 821

integrated approach, 821

mobile data terminals, 820

onboard systems and technologies, 819-821

onboard telematics, 821

operational challenges, 821

orchestrated services, enabling with consolidated orchestrated hardware, 822

radios, 820

smart city integration, 719-721

speed detection, 820

speed recognition devices, 820

vehicle tracking, 820

video camera and audio systems, 820

wearables, 821

Wi-Fi hotspots, 821

policies

authorization, 403

implementation, 53

MUD, 390-391

network enforced, 170

port address translation (PAT), 425

portals

self-service, 714-717

SSL VPNs, 602-603

ports

application detectors, 434

forwarding, 606

security, 341

posture, 28, 618

power

communication, 347-348

monitoring and controlling in smart cities, 702

virtualization, 702-704

preconfiguration checklist, 773-775

Predix, 177

presentation, 5

preserving information, 17

preshared keys. See PSKs

preventing threats. See IPS

preventive automated maintenance, 742

privacy

cloud computing, 110

Cloud Customer Architecture for IoT, 142

connected cars standard, 828

IISF, 162

IoT-A RA, 124

IoT IAM, 403

people-/user-centric approaches, 100

private blockchain, 884

private clouds, 107

private keys, 276-278

privileges, dynamic authorization, 367

proactive data protection mechanisms, 567-571

proactive mode (SDN), 190

probes

Device Sensor, 344

embedded within ISE, 338

ISE profiling capability leveraging, 338

procedures, 17, 54

processes, 4, 393-394

processing

architectural layer, 86

context, 102

profile provisioning, 330-331

AWS IoT example, 331-333

attributes, associating, 331

certificate and associated key pair, 332

certificate management, 333

connection kit, downloading, 332

temperature sensor, adding to registry, 331

Cisco Identity Services Engine example, 334-336

profiles, users, 628-630

profiling ISE process, 337-340

Programming Protocol-Independent Packet Processors. See P4

propagation, TrustSec, 381-383

protecting data, 531

backups, 570

CAP theorem, 568-569

control plane, 566-567

data virtualization, 564

digital twins, 569

EFM, 560-564

components, 561

computation, 562

data collection, 562

DSLinks, 563

permissions, 563

quarantine, 563

management plane, 565-566

MQTT, 532-533

authentication, 533-535

authorization, 535-539

availability, 542-543

confidentiality, 539-540

integrity, 540-542

layers, 532

nonrepudiation, 543

transport encryption, 532

proactive mechanisms, 567-571

RabbitMQ, 544-547

access control, 546

authentication, 547-548

authorization, 548-549

availability, 550-551

confidentiality, 549

exchanges, 544

fog node orchestration example, 552-558

integrity, 549

nonrepudiation, 552

permissions, 546

plug-ins, 548

vhosts, 546-547

reactive mechanisms, 571-573

protocols, 41

6LoWPAN, 74

AMQP, 74

analysis, 439

CIP, 428

CoAP, 349-350

communication, 70

DCI, 259

DTLS, 74, 612

Flexible NetFlow, 444

HTTP, 74, 264

HTTPS, 74, 598

IKE, 578

IKEv1, 579, 586-587

aggressive mode, 582

authentication mode, 579

D-H groups, 580

encryption algorithms, 580

hashing algorithms, 580

IKEv2 comparison, 586

main mode, 580-581

IKEv2, 584-588

exchange process, 584-586

IKEv1 comparison, 586

industrial

CIP, 428-432

lack of security, 429

potential solutions, 430

IP, 73

IPsec. See IPsec

L2MP, 259

MQTT. See MQTT

NetFlow, 442-443

OCSP, 259, 357

OTV, 259

OVS supported, 196

RPL, 73

SNMP, 259

SXP, 381

TCP, 74

TLS, 74

UDP, 74

vulnerabilities, 42

VXLAN, 259

XMPP, 74, 258

prototype with OAuth2, 410

provisioning devices, 326, 330-331

AWS IoT example, 331-333

Cisco Identity Services Engine example, 334-336

proximity

fog computing, 116-117

IIRA, 146

PSKs (preshared keys), 349

cracking, 41

IPsec peer authentication, 579

public blockchains, 884

public clouds, 107

public keys, 352

public platforms, 89

public services, on demand access control, 714-718

IPS/IDS, 717-718

self-service portal, 715-717

public shared platforms, 89

publish-subscribe management, 102

pub/sub systems, 527-530

Purdue Model of Control, 157-160

hierarchy, 5, 158

open process automation, 159

segmentation of data responsibilities, 500-502

segmented architecture based on, 157

pxGrid (Platform Exchange Grid), 446

Q

QKD (quantum key distribution), 276

QoS (Quality of Service), cloud computing, 112

quadruple silo, 683

quarantines

EFM, 563

equipment health monitoring example, 782

R

RA (remote attestation), 662

RabbitMQ, 544-547

access control, 546

authentication, 547-548

authorization, 548-549

availability, 550-551

confidentiality, 549

configuring, 643

exchanges, 544

fog node level orchestration example, 552-558

fog node running TEEs deployment, 554

orchestrated transaction, 556-558

tenant administrator responsibilities, 555-556

integrity, 549

nonrepudiation, 552

permissions, 546

plug-ins, 548

vhosts, 546-547

Radio Frequency Identification (RFID), 327

radios, police vehicles, 820

RADIUS, 361-362

A/V pairs, 362

CoA, 368

request commands, 370-371

Request/Response codes, 369

requests, 368-369

session identification, 369

VLAN assignments, 371-374

message types, 362

RAMI 4.0, 148

ransomware programs, 454

rating threats, 28

RawPublicKey, 349

RBAC (role-based access control), 169

Cisco IoT security framework, 169

dynamic segmentation based on, 378

multitenancy data sharing, 644

reactive data protection mechanisms, 571-573

reactive mode (SDN), 189

real-time processing, cloud computing, 112

recommendations, IoT platforms, 289-290

recursive DNS, 462

reference architectures, 87

IIRA, 144-146

next-generation IoT platforms, 293

ODL, 204-207

AAA, 206

controllers, 206

DLUX, 207

independent network applications, 207

MD-SAL, 205

NeXT UI, 207

northbound APIs, 206

plug-ins, 204

southbound APIs, 204

OpenFog Consortium, 133-138

perspectives, 136

pillars, 133-135

security layers, 137

stakeholder views, 137

RAMI 4.0, 148

reference implementation, 87

reference models, 87

AIOTI architecture, 138

GridBlocks, 153-154

IoT-A RA, 121

IoT-A RA entity-based, 123

ITU-T Y.2060, 125-126

IoTWF, 126-129

Purdue Model of Control, 157-160

hierarchical data flow model, 158

open process automation, 159

segmented architecture based on, 157

reference standards, 59-61

registering devices, 330-331

AWS IoT example, 331-333

Cisco Identity Services Engine example, 334-336

regulations, 53

regulatory bodies, 56

RelayR IoT Middleware Platform, 177

reliability, 86

cloud computing, 109

fog computing, 115-117

high, 293

IISF, 162

OpenFog reference architecture pillar, 135

SDN, 190

standards, 54

remediation

remote HMI access, 619-620

threats, 878

remote access

connected cars, 806

Human-Machine Interface (HMI), 617

VPNs, 598

remote access SSL-based VPNs, 598

AnyConnect client, 611

configuration, 612

deployment, 611

manufacturing example, 617-621

modules, 612-616

client-based, 600, 612

clientless, 599-611

application access, 604-609

client-based comparison, 600

components, 602

DAP, 609

group policies, 602

oil and gas example, 610-611

portal, 602-603

tunnel groups, 601

HTTPS, 598

multiple solutions, 599

reverse proxy, 599

remote attestation (RA), 662

remote management, 704-705

repeatability, 597

reporting, 16

Representational State Transfer. See REST

Request/Response codes (CoA), 369-371

requirements

accounting, 400-401

back-end platform security, 631

connected car interoperability infrastructures, 829

connected car orchestration, 818

equipment health monitoring example, 767

fog computing, 115

IoT IAM, 403-404

IoT implementation and operation, 86

next-generation IoT platforms, 308

NFVIS hardware, 488-490

oil and gas industry, 760-761, 788-790

SDN-based IPsec flow protection interface, 590

security, 75

reserving CPU/memory, 278

resilience, IISF, 162

REST (Representational State Transfer), 349

APIs, 634-635

authentication, 264-267

CoAP, 349-350

data at, 518, 521

restrictions, constrained devices, 345

retrospection malware detection, 457-458

reusable templates, 469

reverse proxy, 599

revocation, 259, 267, 356-357

RFID (Radio Frequency Identification), 327

risks

assessing, 15, 58, 829

biometric authentication, 360

identifying, 25

classification, 27

identification, 25-26

risk scores, 28

threat modeling, 27

oil and gas industry security malicious/accidental attacks, 755

scores, 28

roaming protection, AnyConnect client, 614-615

Rockwell Automation, 153

role-based access control. See RBAC

roles

IDs, 637-639

users, 628-630

RPL (IPv6 Routing Protocol for Low-Power and Lossy Networks), 73

RSA-encrypted nonces, 579

RSA signatures, 579

rules, centralized security, 483-486

runtime environments, 665

S

SAs (security associations), 582-584

SaaS (Software as a Service)

cloud computing deployment, 108

IoT, 7

SAD (Security Association Database), 589

SAE (Society of Automotive Engineers)

automated driving system levels, 803-804

International connected car standards, 827-829

J2735, 827

J2945/1, 827

J3061, 827

J3101, 827

safety

IISF, 162

standards, 54

IKE_SA_INIT exchange (IKEv2), 585

Salesforce IoT Cloud, 176

Samsung Artik, 176

sandboxing, 458

sanity checking, 431

SANS paper, Security Evaluation of Z-Wave Wireless Protocol, 40

SAP Cloud Platform, 177

SASL (Simple Authentication and Security Layer), 547

scalability, 86, 191

blockchain, 886

cloud computing, 109

data-centric architectures, 105

end-to-end considerations, 20

ICN, 103

IoT, 5

IoT IAM, 402-403

IRM, 413

KPI, 483

next-generation IoT platforms, 293

NSO, 647

OpenFog reference architecture pillar, 135

standards, 54

VMs, 481

SDK (software development kits), 20

SDLC (System Development Lifecycle), 13

acquisition and development, 14-16

assessment, 14

disposition, 14, 17

implementation, 14-16

initiation, 14-15

operations and maintenance, 14, 17

SDN (software-defined networking), 7, 64-65, 185, 188

agility, 192

applications, 270-271

architectures, 154-156, 189-192

applications layer, 191

control layer, 190

infrastructure layer, 189

northbound API, 191

southbound API, 191

attacks, 42-43

controllers

east-west communication, securing, 254-256

northbound communication, securing, 263-268

securing, 252-253

southbound communication, securing, 256-260

history, 185

infrastructure

control plane, 262

data, 262-263

management, 261

operations, 261

securing, 260-263

IPsec

dynamic decryption, 592-594

flow protection, 588-591

IoT application, 592-594

NFV, compared, 187

OAM, 192

ODL, 203-212

AD-SAL versus MD-SAL, 209-210

implementation, 208

Nirvana Stack, 212

objectives, 204

OPNFV, 211

reference architecture, 204-207

OF, 192-195

components, 193

functions, 194

ONF, 193

strength, 192

openness, 192

orchestration, 268-270

OVS, 195-198

architecture, 196

capabilities, 196

features, 198

functions, 197

traffic management, 197

traffic offloading, 198

P4, 201-203

forwarding model, 202

framework, 201

implementation, 203

reliability, 190

scalability, 191

SDR, 212-214

SDX

challenges, 233-235

fog computing, 243

IoT enabling capabilities, 235

security

applications, 270-271

controller, 252-253

controller east-west communications, 254-256

controller northbound communications, 263-268

controller southbound communications, 256-260

infrastructure, 260-263

orchestration, 268-270

services, 270-271

underlying operating system, 253

services, 270-271

standards, 65-67

strengths, 186-191

underlying operating system, 253

VPP, 198-200

data plane programmability, 200

directed graph of nodes, 199

DPDK, 200

WANs, 214-217

SDNi (SDN Controller Inter-communication), 254-255

SDO (standards development organizations), 130

SD-PHY (software-defined PHY), 213

SDR (software-defined radio), 212-214

SD-WANs (software-defined wide-area networks), 186

SDWN (software-defined wireless networking), 186

SDX (software-defined X), 186

challenges, 233-235

fog computing, 243

history, 186

IoT enabling capabilities, 235

secure boot, 274-275

secure bootstrapping, 328

BRSKI, 329-330

immutable identities, 328-329

secure crash, 275

Secure Hash Algorithm (SHA), 580

Secure HTTP (HTTPS), 74

Secure Key Exchange Mechanism (SKEME), 578

Secure Sockets Layer. See SSL

Secure Technology Alliance, 76

Secure Unique Device Identification (SUDI), 328-329

security, 8-9

architectural layer, 86

assurance requirements analysis, 16

attack continuum, 11-12

automating, 876

catalogs, 656

cloud computing, 110

collaborative, 899

communications, 658-659

compliance and governance, 5

connected cars, 830

attack surface, 831

challenges, 835

connectivity challenges, 840

considerations, 839

consolidation, 849

data-centric and application-centric fusion, 849

design implementations, 847

driver concerns, 837

encryption, 837

goals, 847-848

industry alliances, 847

layered approach, 850-851

reasons for, 830

safety-criticality, 836

threats, 831-834

U.K. supply chain guidelines, 842-845

upgrades/patches, 840

U.S. supply chain guidelines, 845-846

vulnerabilities, 836-840

control, 16

control planes, 659

data pipelines, 713-714

data planes, 659

data sharing, 9

data stores, 658

DNS-based. See DNS-based security

Docker, 653-655

end-to-end considerations, 20

endpoints, 9

enforcing, 90

fog agents, 666

fog computing, 115-117

ICN, 103

insecure devices, 9

IoT-A RA, 124

IoT platforms, 178-179

Kubernetes best practices, 656-658

layers, 43

application, 46

device, 45

human, 44

network, 45-46

physical, 44

management planes, 658

NFV, 272

authenticated time service, 281

backdoors, 281-282

boot integrity, 274-275

multi-administrator isolation, 282-283

performance isolation, 278

private keys, 276-278

secure crash, 275

SRIOV, 283-285

tenant/user AAA, 279-280

threat landscape, 273

NIST recommendations, 15

oil and gas industry, 754-763

accidental incidents, 755

architectures, 756-757

automation requirements, 762-763

budget constraints, 762

components, 757

control systems, 755

IDMZ, 759

IEC 62443 approach, 756

IT/OT technology separation, 758-759

malicious incidents, 755

new requirements, 788

requirements, 760-761

risk outcomes, 755

standards and guidelines, 757

vulnerabilities, 754

OPC UA, 151

OpenFog Consortium architecture, 136

OpenFog reference architecture pillar, 134

physical, 9, 38, 44

planning, 16

police vehicles, 821

requirements, 75

risk assessments, 15

SDN

applications, 270-271

controller, 252-253

controller east-west communications, 254-256

controller northbound communications, 263-268

controller southbound communications, 256-260

infrastructure, 260-263

orchestration, 268-270

services, 270-271

underlying operating system, 253

smart cities, 681, 693-696

Cloud Security Alliance recommendations, 695

threats, 694

spanning the enterprise, 12

standards, 54, 75-78

technology lifecycles, 9

threats, 8

Security Association Database (SAD), 589

Security Evaluation of Z-Wave Wireless Protocol, 40

security events algorithms, 445

Security Group Firewall (SGFW), 384

Security Group Tag ACL (SGACL), 384

Security Group Tags. See SGTs

Security Intelligence Operations (SIO), 456

Security Policy Database (SPD), 589

segmentation, 21-25

architectures, 157

connected car security, 857

data responsibilities, 500-502

dynamic decryption, 592

dynamic RBAC-based, 378

industry compliance standards, 23

logical, 22

physical, 21

security policies, 22

self-registration workflow, 334-336

self-service portals, 714-717

semantics, people-/user-centric approaches, 99

semistructured data, 510

sensors

data, sharing, 824

smart cities

access control, 708-709

onboarding, 706-707

sequences

activation, 472-474

event-based video and security use case, 319-320

fulfillment and assurance, 474-481

Serra, James, 523

servers

architecture, 99

authentication, 363

IoT, 102

UCS E-Series, 489

services

architectural layer, 86

assurance, 784-786

catalogs, 656

chaining, 306-307

next-generation IoT platforms, 304

NFVIS distributed deployment, 494-495

cloud computing deployment, 108

connected cars, 805

containerized, managing, 649-653

deployment, 33, 639-641

disabling SDN orchestration, 270

discovery, 102

future connected car, 815

hierarchy, 37

ICN, 102

intelligent proxy, 464-465

intended outcomes, 304-306

IoT-A RA, 123

microservices, 36

naming, 102

network orchestrator. See NSO

next-generation IoT platforms, 299, 304

SDN, 270-271

smart cities, 691-692

support layer, 125

SESSION_OUT metric, 482-483

sessions

IDs, 369, 533

tickets, 533

SGACL (Security Group Tag ACL), 384

automation, 388

benefits, 384

consumer/provider matrix, 384-386

east–west, 387

microsegmentation, 387

north–south, 387

SGFW (Security Group Firewall), 384

SGIP (Smart Grid Interoperability Panel), 62

SGT (Security Group Tag), 376-377

dynamic assignment, 380

enforcement, 384

equipment health monitoring example, 781

inline tagging, 383

NetFlow records information, 447

propagation, 381-383

RBAC-based segmentation, 378

static assignment, 380

static/dynamic assignment, 380

SGT Exchange Protocol (SXP), 381

SHA (Secure Hash Algorithm), 580

sharing

data, 9, 641, 644

devices, 315

sensor data, 824

Shenker, Scott, 186

show authentication session command, 371

Siemens MindSphere, 176

signatures, 579

siloed systems, police vehicles, 821

silos, 683

Simple Authentication and Security Layer (SASL), 547

Simple Network Management Protocol (SNMP), 259

single root I/O virtualization (SRIOV), 283-285

SIO (Security Intelligence Operations), 456

SIoT (social IoT), 98

site-to-site IPsec VPNs, 576

IKEv1, 586-588

IKEv1 phase 1, 579-582

aggressive mode, 582

authentication method, 579

D-H (Diffie-Hellman) groups, 580

encryption algorithms, 580

hashing algorithms, 580

main mode, 580-581

IKEv1 phase 2, 582-584

NAT-T (NAT-Traversal), 583

PFS, 584

quick mode, 582

IKEv2, 584-586

exchange process, 584-586

phase 1 attributes, 586-587

phase 2 attributes, 588

versus IKEv1, 586

SKEME (Secure Key Exchange Mechanism), 578

smart cities

automation, 721-722

benefits, 693

buildings, 680

challenges, 684

citizen experience, 681

city-wide platforms, 692-693

common components, 679

common platform implementation, 696

compliance, 682

connected cars, 806

consolidation, 698

cybersecurity, 682

data-app centric, 697

data management, 682

defined, 676

deployment automation, 723-725

economic impact of IoT deployments, 688

ecosystem groupings, 683

emergency vehicle fleet management, 719-721

event-based video, 709-714

governance, 682

growth, 678

healthcare, 681

high-level architecture, 701

horizontal approaches, 685

infrastructure operational efficiency, 681

interface types, 696

investments, 676

IoT orchestration capabilities, 691

market segments, 676

multitenancy, 698

networking and communications, 682

open platforms, 677

orchestration, 690, 697

platform openness, 697

power monitoring and control, 702

public service connectivity on demand, 714-718

IPS/IDS, 717-718

self-service portal, 715-717

quadruple silo, 683

secure remote application lifecycle management, 704-705

security, 681, 693-696

sensors, 706-709

services benefiting from automation capabilities, 691-692

standards, 685-687

street cabinet monitoring, 705-709

system of systems, 690, 699-700

threats, 678

traditional city operating models, 685

transportation and urban mobility, 680

vendors, 689

vertical applications overview, 679

virtualization of power controllers, 702, 704

workforces, 681

Smart City Platform, 692-693

smart factories, 148

Smart Grid Interoperability Panel (SGIP), 62

smart traffic system fog example, 238-241

smart tunnels, 607

SMC (Stealthwatch Management Console), 445, 453

SNMP (Simple Network Management Protocol), 259

social IoT (SIoT), 98

Society of Automotive Engineers. See SAE

software

connected cars, 828-829

disposal, 17

extranet automation, 597

lifecycle processes, 828

Software as a Service. See SaaS

software-defined networking. See SDN

software-defined PHY (SD-PHY), 213

software-defined radio (SDR), 212-214

software-defined wide-area networks (SD-WANs), 186

software-defined X. See SDX

software development kits (SDK), 20

solution technologies, oil and gas upstream environment, 740

Sourcefire Vulnerability Research team (VRT), 456

southbound APIs

fog nodes, 667

ODL, 204

SDN, 191

southbound SDN controller communications, securing, 256-259

authentication, 258

checks and balances, 260

encryption, 258

revocation, 259

SNMP, 259

SP 800-1600 Systems Security Engineering publication, 77

SPD (Security Policy Database), 589

speed

detection services, 820

fog computing, 116

recognition devices, 820

SRIOV (single root I/O virtualization), 283-285

SSL (Secure Sockets Layer), 598

AnyConnect client, 611

configuration, 612

deployment, 611

manufacturing example, 617-621

modules, 612-616

client-based, 600, 612

clientless, 599-611

application access, 604-609

client-based comparison, 600

components, 602

DAP, 609

group policies, 602

oil and gas example, 610-611

portal, 602-603

tunnel groups, 601

HTTPS, 598

multiple solutions, 599

pinning, 357

reverse proxy, 599

stakeholder views, OpenFog Consortium, 137

standards

advantages, 57

alignment, 50

alliances, 56

architectural, 59-61

bodies, 56

business benefits, 54

choices, 54

choosing, 57

connected cars, 826-829

Europe, 827

Japan, 827

SAE International, 827-829

U.K., 827

U.S., 826

considerations, 50-52, 57

consortia, 56

data modeling, 67, 70

defining, 54-56

history, 50

implementation, 53

industrial-focused, 61-63

interoperability, 50-55

legislation, 54

main groups, 58

market-focused, 61-63

next-generation IoT platforms, 292

NFV, 65-67

oil and gas industry security, 757

open, 55

regulatory bodies, 56

reliability, 54

safety, 54

scalability, 54

SDN, 65-67

security, 54, 75-78

smart cities, 685-687

standards bodies, 56

standards development organizations (SDO), 130

state convergence algorithm, 475

static NAT, 424

static SGT assignment, 380

Stealthwatch Flow Collector, 445, 453

Stealthwatch Management Console (SMC), 445

storage

blockchain, 886

endpoint collected data, 520

ICN, 102

structured data, 509

subgroups, identifying, 26

subsymbolic AI, 891-892

SUDI (Secure Unique Device Identification), 328-329

supervised ML, 894

supply chain guidelines, 842-845

SXP (SGT Exchange Protocol), 381

symbolic AI, 891-892

system

application detectors, 433

hierarchy

applications, 36

business processes, 37

center, 36

communication nodes, 36

core networks, 36

edge networks, 36

edge nodes, 35

endpoints, 35

fog networks, 36

gateways, 35

microservices, 36

services, 37

things, 35

integration, 16

interaction, 5

System Development Lifecycle. See SDLC

system of systems, smart cities, 690, 699-700

system viewpoint, 89, 106

cloud computing, 106-112

advantages, 109

characteristics, 107

deployment, 107-108

disadvantages, 110

edge computing, 112-113

fog computing, 112

advantages, 116-118

communications, 114

data handling, 115

disadvantages, 117

edge computing, compared, 113

requirements, 115

OpenFog reference architecture, 136

T

TALOS (Advanced Malware Protection), 456

TAM (ternary content addressable memory), 374

targeted marketing, connected cars, 815

targets, attacks, 39

communication, 41-42

gateways, 40-41

SDN, 42-43

things, 39-40

TCP (Transmission Control Protocol), 74

technical assistance, Industry 4.0, 148

technologies

downstream environment (oil and gas), 750-752

Gartner Hype Cycle for Engineering Technologies 2017, 879

lifecycles, 9

oil and gas industry, 744

transition, 802

upstream environment (oil and gas), 739

TEEs (trusted execution environments), 302, 666, 711

telecom industry

NFV benefits, 219-221

revenue gap, 218

telemetry sensors, adding to street cabinets, 706-707

Telit Application Enablement Platform, 177

templates

extranet automation, 595

reusable, 469

tenants

AAA, 279-280

execution environments, 302, 666, 711

multitenancy, 296

ternary content addressable memory (TAM), 374

testing

developmental security test and evaluation, 16

penetration, 271

Tetra (Terrestrial Trunked Radio), 820

thing-centric architecture, 32, 92-93

Thing Shadow, 397

things

architectural layer, 85

attack target, 39

attacks, 40

hierarchy, 35

IoT, 3

ThingWorx IoT platform, 176

Thread Group, industrial/market standards, 62

Threat Grid, 458, 465

threats, 8

AI cybersecurity systems, 878

AMP, 456

file policies, 461

FTD, 459-461

point-in-time detection, 456-457

retrospection, 457-458

sandboxing, 458

AnyConnect protection, 616

APTs, 440-441

attack continuum, 11-12

connected cars, 831-834

data breach costs, 418

detecting. See IDS

documenting, 27

encrypted network traffic, 451-453

identifying, 27, 878

modeling, 27

NFV, 273

preventing. See IPS

public shared platforms, 89

rating, 28

remediation, 878

SDN orchestration, 269

smart cities, 678, 694

TALOS, 456

WannaCry, 454

tiers

Cloud Customer Architecture for IoT, 141

IIRA, 146

time service, 281

TLS (Transport Layer Security), 74, 539

TND (Trusted Network Detection), 613

tokens

authentication, 265

biometric, 360

top IoT platforms for 2018, 176-177

topic exchanges, 545

TouchID, 359

TPM (Trust Platform Module), 355

traditional city operating models, 685

traffic

APTs, 440-441

behavioral analysis, 440-441

contextual information with adaptive network control, pairing, 446

NaaS, 444-446

oil and gas pump station example, 447-450

solutions, 441

visibility protocols, 442-444

encrypted analytics, 450-454

equipment health monitoring example, 780-781

ETA

cryptographic compliance, 454

threat detection, 451-452

WannaCry, 454

offloading, 198

OVS management, 197

packet filtering, 426-427

transactions

blockchain, 886

people-/user-centric approaches, 99

transferable relationships, 414

Transmission Control Protocol (TCP), 74

transport architectural layer, 85

transport encryption, 532

Transport Layer Security (TLS), 74, 539

transport layers, communication, 74

transportation

smart cities, 680

smart traffic fog computing example, 238-241

triggers, smart city event-based video, 710

trust

CRTM, 663

devices, 315, 328

DRTM, 663

execution environments, 302, 666, 711

explicit, 355

IISF, 161

relationships, 171

stores, 355

Trust Platform Module (TPM), 355

Trusted Network Detection (TND), 613

TrustSec, 376-379

classification, 380

controllers, 368

enforcement, 384

fields (Flexible NetFlow), 447

inline tagging, 383

propagation, 381-383

tunnels

smart, 607

SSL VPNs, 601

Twistlock, 654

U

UCS C220 M4 Rack Server, 489

UCS E-Series servers, 489

UDP (User Datagram Protocol), 74

UIs (user interfaces), 297

front-end, 630, 657

management, 627-628

next-generation IoT platforms, 297

U.K. connected car standards, 827

Umbrella, 463

AMP Threat Grid, 465

healthcare industry protection, 465-466

intelligent proxy services, 464-465

response categories, 463

umbrella groups for IoT security, 61

undercloud, back-end platforms, 634

underlying operating systems, securing, 253

uniform resource indicators (URIs), 327

unique identifiers

EUIs, 327

SUDI, 328-329

universal architectures, 89, 120

CPwE, 153

GridBlocks, 153-154

IIRA, 144-146

Industry 4.0, 148-149

NFV-based, 154-156

OPC-UA, 150-152

SDN-based, 154-156

Universal IoT Platform, 176

Universal Plug and Play (UPnP), 42

unstructured data, 511

updates

OTA secure, 855-857

SDN orchestration, 270

upgrading connected car security, 840

UPnP (Universal Plug and Play), 42

upstream environment (oil and gas industry), 733

automation, 742-743

challenges, 743-744

communication and solution technologies, 740

fracking, 739

oil sands mining, 740

overview, 739

urban mobility, smart cities, 680

URIs (uniform resource indicators), 327

U.S.

connected car standards, 826

supply chain guidelines, 845-846

User Datagram Protocol (UDP), 74

users

application detectors, 433

architecture, 98-100

IDs, 637-639

interfaces. See UIs

interaction, 124

packet filtering, 432

roles/profiles, 628-630

V

V2C (vehicle-to-cloud), 807

V2D (vehicle-to-device), 808

V2G (vehicle-to-grid), 808

V2I (vehicle-to-infrastructure), 807

V2P (vehicle-to-pedestrian), 807

V2V (vehicle-to-vehicle), 807, 827

V2X (vehicle-to-everything), 802, 808

validation, commands, 782-783

value

automating security, 876

data, 512, 813

oil and gas, 731-734

variety, data, 512, 813

vBranch Function Pack, 490-493

Vector Packet Processing (VPP), 198-200

vectors, attack, 38

vehicle-to-cloud (V2C), 807

vehicle-to-device (V2D), 808

vehicle-to-everything (V2X), 802, 808

vehicle-to-grid (V2G), 808

vehicle-to-infrastructure (V2I), 807

vehicle-to-pedestrian (V2P), 807

vehicle-to-vehicle (V2V), 807, 827

vehicles

care services, 806

maintenance services, 813

tracking, 820

velocity, 813, 876

vendors

ecosystem, 809

smart cities, 689

veracity, data, 813

vertical applications, 679

VFs (virtual functions), 298, 317

VFM (Virtual Function Manager), 245, 300

back-end platform, 648

containerized services, 650

vhosts

clients, adding, 642

RabbitMQ, 546-547

video

cameras, police vehicles, 820

computer vision, 898

event-based, 709-714

data pipeline security, 713-714

deployment, 710-712

triggers, 710

security use case, 309-321

architecture overview, 313

cabinet monitoring, 314

deployment, 316-319

description, 312

preparatory work, 315-316

sequence of events, 319-320

triggers, 312

VIM (Virtual Infrastructure Manager), 228, 300

back-end platform, 648-649

containerized services, 650

Virtual Extensible LAN (VXLAN), 259

Virtual Function Manager. See VFM

virtual functions (VFs), 298, 317

Virtual Infrastructure Manager. See VIM

virtual LANs. See VLANs

Virtual Machines. See VMs

virtual network function component (VNFC), 221

Virtual Network Function Descriptor (VNFD) catalog, 470

virtual network functions. See VNFs

virtual routing and forwarding (VRF), 23

virtualization

centralized deployment. See centralized deployment security example

data, 564

distributed deployment, 486-495

fog nodes, 665

next-generation IoT platforms, 297

power controllers, 702-704

single root I/O, 283-285

VNFs, 278

visibility

Cisco IoT security framework, 170

NaaS, 444-446

protocols, 442-444

visual warning systems, police cars, 820

visualization, 627

VLANs (virtual LANs)

assignments via CoA, 371-374

logical segmentation, 22

VMs (Virtual Machines)

alive rule, 484

centralized security example, 469

NFVIS supported, 490

overloaded/underloaded rules, 484

scaling, 481

SRIOV, 283-285

VM_ALIVE KPI script, 480-481

VM_ALIVE rule, 484

VM_OVERLOADED rule, 484

VM_UNDERLOADED_EMPTY rule, 484

VMware IoT platform key areas, 288

VNFs (virtual network functions), 154, 187

activation status, 474

centralized deployment, 419

crashes, 275

fulfillment and assurance sequences, 474-475

monitoring, 475

dynamic mapping, 478

ESC, 476-477

fulfillment and assurance sequences, 479-480

KPI monitoring methods, 479

prerequisites, 475

VM alive script, 480-481

OFL alignment, 67, 211

performance isolation, 278

private keys, 276-278

time service authentication, 281

virtualization, 278

VNFC (virtual network function component), 221

VNFD (Virtual Network Function Descriptor) catalog, 470

VNFM (VNF manager), 227, 274

volume, data, 813

VPNs

AnyConnect client, 612-613

extranets. See extranets

remote access SSL-based. See remote-access SSL-based VPNs

site-to-site IPsec, 576

IKEv1 phase 1, 579-582, 586-587

IKEv1 phase 2, 582-584, 588

IKEv2 phase 1, 586-587

IKEv2 phase 2, 584-588

IKEv2 versus IKEv1, 586

VPP (Vector Packet Processing), 198-200

VRF (virtual routing and forwarding), 23

VRT (Vulnerability Research team), 456

vulnerabilities

connected cars, 836-840

JavaScript, 635

oil and gas industry security, 754

VXLAN (Virtual Extensible LAN), 259

W

WANs (wide-area networks), 214-217

WannaCry, 454

Watson, 176

WAVE (Wireless Access in Vehicular Environments) standards, 826

weaknesses, IDS/IPS, 439-440

wearables, police vehicles, 821

web application detectors, 434

websites

AIOTI, 59

ATIS, 65

BBF, 65

BRSKI Internet Draft, 330

CIGRE, 66

Cisco Kinetic IoT Platform, 177

CPwE, 153

CSA, 77

DDS, 105

EdgeX Foundry, 177

ETSI, 59, 66, 76

FD.io, 198

GridBlocks, 153

I am the Cavalry, 77

IBM Bluemix, 177

IEC 62351 standard, 78

IEC 62443 standard, 78

IEEE, 59, 66, 76

IETF, 60, 66

IIC, 61, 78

Intel IoT Platform, 177

IoT

IAP, 77

Global Council, 78

IoTivity, 60

Security Foundation, 76

IPSO Alliance, 60

IRTF, 60, 66, 78

ISOC, 66

ITS, 826

ITU-T, 60, 66

MAPI, 62

MEF, 66

NERC, 78

NIST, 77

NIST SP 800-1600 Systems Security Engineering publication, 77

OASIS, 61

Object Management Group, 60

OCF, 60

ODCA, 67

ODVA, 61

OFC, 61

OIF, 67

oneM2M, 62

ONF, 67

OPC, 62

Open API Initiative, 61

Open Group Open Process Automation, 61

OpenDaylight Foundation, 67

OPNFV, 67

OTA, 76

OWASP, 76, 168

PCS PWG, 77

RelayR IoT Middleware, 177

SAP Cloud Platform, 177

Secure Technology Alliance, 76

SGIP, 62

Telit Application Enablement Platform, 177

Thread Group, 62

web-type ACLs, 606

wide-area networks (WANs), 214, 217

Wi-Fi hotspots

police vehicles, 821

security, 861-862

wireless attacks, 41

Wireless Access in Vehicular Environments (WAVE), 826

workforces, smart cities, 681

X

X.509 certificates, 352-353, 390

X-centric architecture, 89-97

cloud-centric, 95-96

data-centric, 104-105

enterprise-centric, 96-97

Gartner-defined centric views, 97

gateway-centric, 94-95

hub-centric, 94

information-centric. See ICN

mobile-centric, 93-94

people-/user-centric, 98-100

thing-centric, 92-93

XMPP (Extensible Messaging and Presence Protocol), 74, 258

XSS (cross-site scripting), 635

Y

YANG, 68

building blocks, 304-306

deployment preparations, 316

Function Pack, 306

MUD, 391

Z

zoning

connected car security, 857-858

PMU, 23

ZT (ZeroTouch), 667
