Contents
Part IIntroduction to the Internet of Things (IoT) and IoT Security
Chapter 1 Evolution of the Internet of Things (IoT)
Defining the Internet of Things
Making Technology and Architectural Decisions
Is the Internet of Things Really So Vulnerable?
Chapter 2 Planning for IoT Security
The IoT System and Security Development Lifecycle
Phase 2: Acquisition and Development
Phase 4: Operations and Maintenance
Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix
Chapter 3 IoT Security Fundamentals
Chapter 4 IoT and Security Standards and Best Practices
Today’s Standard Is No Standard
The Challenge with Standardization
IoT “Standards” and “Guidance” Landscape
Architectural or Reference Standards
Standards for NFV, SDN, and Data Modeling for Services
Communication Protocols for IoT
Specific Security Standards and Guidelines
Chapter 5 Current IoT Architecture Design and Challenges
What, Why, and Where? A Summary
Approaches to IoT Architecture Design
The People-/User-Centric IoT Approach (Internet of People and Social IoT)
The Information-Centric IoT Approach
System Viewpoint: A Cloudy Perspective
Internet of Things Architecture Reference Architecture (IoT-A RA)
IoT World Forum (IoTWF) Reference Model
The OpenFog Consortium Reference Architecture
Alliance for the Internet of Things Innovation (AIOTI)
Cloud Customer Architecture for IoT
Open Connectivity Foundation and IoTivity
The Industrial Internet Consortium (IIC)
OPC Unified Architecture (OPC UA)
Cisco and Rockwell Automation Converged Plantwide Ethernet
Cisco Smart Grid Reference Model: GridBlocks
NFV- and SDN-Based Architectures for IoT
Approaches to IoT Security Architecture
Purdue Model of Control Hierarchy Reference Model
Industrial Internet Security Framework (IISF) IIC Reference Architecture
Cloud Security Alliance Security Guidance for IoT
Open Web Application Security Project (OWASP)
The IoT Platform Design of Today
Security for IoT Platforms and Solutions
Challenges with Today’s Designs: The Future for IoT Platforms
Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT
A Bit of History on SDX and NFV and Their Interplay
Programming Protocol-Independent Packet Processors (P4)
Extending the Concept of Software-Defined Networks
Network Functions Virtualization
Virtual Network Functions and Forwarding Graphs
ETSI NFV Management and Orchestration (MANO)
The Impact of SDX and NFV in IoT and Fog Computing
Chapter 7 Securing SDN and NFV Environments
Security Considerations for the SDN Landscape
Securing the Controller Application
Securing the Underlying Operating System
Securing the Controller East-West Communications
2: Securing Controller Southbound Communications
Leveraging Inherent Protocol Security Options
3: Securing the Infrastructure Planes
4: Securing Controller Northbound Communications
5: Securing Management and Orchestration
6: Securing Applications and Services
Security Considerations for the NFV Landscape
Private Keys Within Cloned Images
Tenant/User Authentication, Authorization, and Accounting (AAA)
Back Doors with Test and Monitor Functions
Single Root I/O Virtualization (SRIOV)
Chapter 8 The Advanced IoT Platform and MANO
Next-Generation IoT Platforms: What the Research Says
Next-Generation IoT Platform Overview
Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service
Model-Driven and Service-Centric
Event-Based Video and Security Use Case
Part IIISecurity Services: For the Platform, by the Platform
Chapter 9 Identity, Authentication, Authorization, and Accounting
Introduction to Identity and Access Management for the IoT
Device Provisioning and Access Control Building Blocks
Naming Conventions to Establish “Uniqueness”
Bootstrapping Remote Secure Key Infrastructures
Device Registration and Profile Provisioning
Provisioning Example Using AWS IoT
Provisioning Example Using Cisco Systems Identity Services Engine
Methods to Gain Identity from Constrained Devices
Strategy for Using Power for Communication
Leveraging Standard IoT Protocols to Identify Constrained Devices
Limitations for Constrained Devices
Dynamic Authorization Privileges
Cisco Identity Services Engine and TrustSec
RADIUS Change of Authorization
TrustSec and Security Group Tags
Dynamic Segmentation Based on RBAC
Inline Tagging Mediums (Ethernet and L3 Crypto)
SGACL for North–South and East–West
Automation of SGACLs and Dynamic Segmentation
Manufacturer Usage Description
AWS Policy-based Authorization with IAM
How Does Accounting Relate to Security?
Using a Guideline to Create an Accounting Framework
Meeting User Accounting Requirements
Scaling IoT Identity and Access Management with Federation Approaches
OAuth 2.0 and OpenID Connect 1.0
OAuth2.0 and OpenID Connect Example for IoT
Native Applications to the Cloud
Evolving Concepts: Need for Identity Relationship Management
Centralized and Distributed Deployment Options for Security Services
Fundamental Network Firewall Technologies
Overloading or Port Address Translation
Industrial Protocols and the Need for Deeper Packet Inspection
Potential Solutions: Not Good Enough
Alternative Solution: Deep Packet Inspection
Application Visibility and Control
Industrial Communication Protocol Example
MODBUS Application Filter Example
Intrusion Detection System and Intrusion Prevention System
Advanced Persistent Threats and Behavioral Analysis
Protocols Used to Gain Additional Visibility
Network-Based Application Recognition
Network Security Event Logging
Algorithms for Security Events
Pairing with Contextual Information and Adaptive Network Control
Cisco TrustSec Fields in Flexible NetFlow
Detecting Threats Using Encrypted Traffic Analytics
Malware Protection and Global Threat Intelligence
Cisco Advanced Malware Protection and TALOS
Point-in-Time Detection, Retrospective Security, and Sandboxing
Example of How the Firewall Uses the Malware Feature
Umbrella (DNS Security + Intelligent Proxy)
Using Umbrella to Help Protect Healthcare
Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack
ETSI MANO Components in the Use Case
VMs (Services) Being Instantiated in the Use Case
Activation Sequence Basics and NSO Service Creation (VNFD, NSD, and NSR)
Fulfillment and Assurance Sequences Basics
Metrics and Actions and Dynamic Mapping
Dynamic Mapping in the Data Model
Fulfillment and Assurance Sequence Examples
Service Chaining and Traffic Flow
Chapter 11 Data Protection in IoT
Message Queuing Telemetry Transport Protocol
Other Considerations Related to Data Availability in RabbitMQ
Example: Orchestrated Security on RabbitMQ at the Fog Node Level
Cisco Edge and Fog Processing Module (EFM)
Data Virtualization: Enabling Single Query Models in IoT
Protecting Management Plane Data in IoT
Considerations When Planning for Data Protection
Chapter 12 Remote Access and Virtual Private Networks (VPN)
Virtual Private Network Primer
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE) Overview
IKE Modes (Main and Aggressive)
Internet Key Exchange Protocol Version 2
Software-Defined Networking-Based IPsec Flow Protection IETF Draft
Use Case: IKE/IPsec Within the NSF
Applying SDN-Based IPsec to IoT
Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels)
Software-Based Extranet Using Orchestration and NFV
Automating Extranet Using Orchestration Techniques and NFV
Software-Based Extranet Use Case
SSL VPN for Multiple Solutions
Clientless and Thin Client VPN
Tunnel Groups and Group Policies
Application Access (Bookmarks, Port Forwarding, Smart Tunnels)
Clientless Example for IoT: Oil and Gas
Client Based: Cisco AnyConnect Secure Mobility Client
Using AnyConnect in Manufacturing: Use Case Example
Chapter 13 Securing the Platform Itself
(A) Visualization Dashboards and Multitenancy
Scenario 1: A New Endpoint Needs to Be Connected to the Network
Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants
Kubernetes Security and Best Practices
(C) Communications and Networking
Part IVUse Cases and Emerging Standards and Technologies
The Evolving Technology Landscape for IoT
The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary
The IoT and Secure Orchestration Opportunity in Cities
Smart Cities Example Use Cases
Use Case Automation Overview and High-Level Architecture
Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes
Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding
Event-Based Video: Secure Data Pipeline and Information Exchange
Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis
Automated Deployment of the Use Cases
Chapter 15 Industrial Environments: Oil and Gas
The IoT and Secure Automation Opportunity in Oil and Gas
Overview, Technologies, and Architectures
Digitization and New Business Needs
Overview, Technologies, and Architectures
Digitization and New Business Needs
The Downstream and Processing Environments
Overview, Technologies, and Architectures
Digitization and New Business Needs
Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access
Automated Deployment of the Use Cases
Security Use Case #1: Identifying, Authenticating, and Authorizing the Sensor for Network Use
Security Use Case #2: Detecting Anomalous Traffic with Actionable Response
Auto-Quarantine Versus Manual Quarantine
Leveraging Orchestrated Service Assurance to Monitor KPIs
Security Use Case #4: Securing the Data Pipeline
Evolving Architectures to Meet New Use Case Requirements
The IoT and Secure Automation Opportunity for Connected Cars
Connected Car Vulnerabilities and Security Considerations
Connected Car Security and Automation Use Case
Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates
Secure Network: Segmentation, Zones, and Interzone Communication
Secure Content: Intrusion Detection and Prevention
Secure Intelligence: Secure Internet Access from the Vehicle
The Future: Personalized Experience Based on Identity
Federal Sigma VAMA: Emergency Fleet Solution
Automated Deployment of the Use Case
Chapter 17 Evolving Concepts That Will Shape the Security Service Future
A Smarter, Coordinated Approach to IoT Security
Machine Learning and Artificial Intelligence Overview
Natural Language Processing and Understanding
Machine Learning and Artificial Intelligence for IoT Security