Course Outline

Session 1 & 2: Basic and Advanced concepts of IoT architecture from security perspective

  • A brief history of evolution of IoT technologies
  • Data models in  IoT system – definition and architecture of sensors, actuators, device, gateway, communication protocols
  • Third party devices and risk associated with vendors supply chain
  • Technology ecosystem – device providers, gateway providers, analytics providers, platform providers, system integrator -risk associated with all the providers
  • Edge driven distributed IoT vs Cloud driven central IoT : Advantage vs risk assessment
  • Management layers in IoT system – Fleet management, asset management, Onboarding/Deboarding of sensors , Digital Twins. Risk of Authorizations in management layers
  •  Demo of IoT management systems- AWS, Microsoft Azure and Other Fleet managers
  •  Introduction to popular IoT communication protocols – Zigbee/NB-IoT/5G/LORA/Witespec – review of vulnerability in communication protocol layers
  • Understanding the entire Technology stack of IoT with a review of Risk management

Session 3: A check-list of all risks and security issues in IoT

  • Firmware Patching- the soft belly of IoT
  • Detailed review of security of IoT communication protocols- Transport layers ( NB-IoT, 4G, 5G, LORA, Zigbee etc. ) and Application Layers – MQTT, Web Socket etc.
  • Vulnerability of API end points -list of all possible API in IoT architecture
  • Vulnerability of Gate way devices and Services
  • Vulnerability of connected sensors -Gateway communication
  • Vulnerability of Gateway- Server communication
  • Vulnerability of Cloud Database services in IoT
  • Vulnerability of Application Layers
  • Vulnerability of Gateway management service- Local and Cloud based
  • Risk of log management in edge and non-edge architecture

Session 4: OSASP Model of IoT security , Top 10  security risk

  • I1 Insecure Web Interface
  • I2 Insufficient Authentication/Authorization
  • I3 Insecure Network Services
  • I4 Lack of Transport Encryption
  • I5 Privacy Concerns
  • I6 Insecure Cloud Interface
  • I7 Insecure Mobile Interface
  • I8 Insufficient Security Configurability
  • I9 Insecure Software/Firmware
  • I10 Poor Physical Security

Session 5: Review and Demo of AWS-IoT and Azure IoT security principle

  • Microsoft Threat Model – STRIDE
  • Details of STRIDE Model
  • Security device and gateway and server communication – Asymmetric encryption
  • X.509 certification for Public key distribution
  • SAS Keys
  • Bulk OTA risks and techniques
  • API security for application portals
  • Deactivation and delinking of rogue device from the system
  • Vulnerability of AWS/Azure Security principles

Session 6: Review of evolving NIST standards/recommendation for IoT

  • Review of NISTIR 8228 standard for IoT security -30 point risk consideration Model
  • Third party device integration and identification
  • Service identification & tracking
  • Hardware identification & tracking
  • Communication session identification
  • Management transaction identification and logging
  • Log management and tracking

Session 7: Securing Firmware/ Device

  • Securing debugging mode in a Firmware
  • Physical Security of hardware
  • Hardware cryptography – PUF ( Physically Unclonable Function) -securing EPROM
  • Public PUF, PPUF
  • Nano PUF
  • Known classification of Malwares in Firmware ( 18 families according to YARA rule )
  • Study of some of the popular Firmware Malware -MIRAI, BrickerBot, GoScanSSH, Hydra etc.

Session 8: Case Studies of IoT Attacks

  • Oct. 21, 2016, a huge DDoS attack was deployed against Dyn DNS servers and shut down many web services including Twitter . Hackers exploited default passwords and user names of webcams and other IoT devices, and installed the Mirai botnet  on compromised IoT devices.  This attack will be studied in detail
  • IP cameras can be hacked through buffer overflow attacks
  • Philips Hue lightbulbs were hacked through its ZigBee link protocol
  • SQL injection attacks were effective against Belkin IoT devices
  • Cross-site scripting (XSS) attacks that exploited the Belkin WeMo app and access data and resources that the app can access

Session 9: Securing Distributed IoT via Distributer Ledger – BlockChain and DAG (IOTA) [3 hours]

  • Distributed ledger technology– DAG Ledger, Hyper Ledger, BlockChain
  • PoW, PoS, Tangle – a comparison of the methods of consensus
  • Difference between Blockchain, DAG and Hyperledger – a comparison of their working vs performance vs decentralization
  • Real Time, offline performance of the different DLT system
  • P2P network, Private and Public Key- basic concepts
  • How ledger system is implemented practically- review of some research architecture
  • IOTA and Tangle- DLT for IoT
  • Some practical application examples from smart city, smart machines, smart cars

Session 10: The best practice architecture for IoT security

  • Tracking and identifying all the services in Gateways
  • Never use MAC address- use package id instead
  • Use identification hierarchy for devices- board ID, Device ID and package ID
  • Structure the Firmware Patching to perimeter and conforming to service ID
  • PUF for EPROM
  • Secure the risks of IoT management portals/applications by two layers of authentication
  • Secure all API- Define API testing and API management
  • Identification and integration of same security principle in Logistic Supply Chain
  • Minimize Patch vulnerability of IoT communication Protocols

Session 11: Drafting IoT security Policy for your organization

  • Define the lexicon of IoT security / Tensions
  • Suggest the best practice for authentication, identification, authorization
  • Identification and ranking of Critical Assets
  • Identification of perimeters and isolation for application
  • Policy for securing critical assets, critical information and privacy data  

 

Requirements

  • Basic knowledge devices, electronics systems and data systems
  • Basic understanding of software and systems
  • Basic understanding of Statistics (in Excel levels)
  • Understanding of Telecommunication Verticals

Summary

  • An advanced training program covering the current state of the art security of Internet of Things
  • Covers all aspect of  security of Firmware , Middleware and IoT communication protocols 
  • The course provides a 360 degree view of all kinds of security initiatives in IoT domain for those who are not deeply familiar with IoT standards, evolution and future
  • Deeper probe into security vulnerabilities in Firmware, Wireless communication protocols,  device to cloud communication.
  • Cutting across multiple technology domains to develop awareness of security in  IoT systems and its components
  • Live demo of some of the security aspects of gateways, sensors and IoT application clouds
  • The course also explains 30 principle risk considerations of  current and proposed NIST standards for IoT security
  • OSWAP model for IoT security
  • Provides detailed guideline for drafting IoT security standards for an organization

 

Target Audience 

Engineers/managers/security experts who are assigned to develop IoT projects or audit/review security risks.

  21 Hours
 

Number of participants


Starts

Ends


Dates are subject to availability and take place between 9:30 am and 4:30 pm.
Open Training Courses require 5+ participants.

Testimonials (1)

Related Courses

IoT Fundamentals and Frontiers : For Managers, CXO, VP, Investors and Entrepreneurs

  21 Hours

Big Data Business Intelligence for Govt. Agencies

  35 Hours

Industrial IoT (Internet of Things) for Manufacturing Professionals

  21 Hours

IoT Security

  21 Hours

Related Categories