Master powerful techniques and approaches for securing IoT systems of all kinds–current and emerging Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards. The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You’ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples. This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them. ·         Understand the challenges involved in securing current IoT networks and architectures ·         Master IoT security fundamentals, standards, and modern best practices ·         Systematically plan for IoT security ·         Leverage Software-Defined Networking (SDN) and Network Function Virtualization (NFV) to harden IoT networks ·         Deploy the advanced IoT platform, and use MANO to manage and orchestrate virtualized network functions ·         Implement platform security services including identity, authentication, authorization, and accounting ·         Detect threats and protect data in IoT environments ·         Secure IoT in the context of remote access and VPNs ·         Safeguard the IoT platform itself ·         Explore use cases ranging from smart cities and advanced energy systems to the connected car ·         Preview evolving concepts that will shape the future of IoT security  

Table of Contents:
Foreword xxvii Introduction xxix Part I Introduction to the Internet of Things (IoT) and IoT Security Chapter 1 Evolution of the Internet of Things (IoT) 1 Defining the Internet of Things 2 Making Technology and Architectural Decisions 5 Is the Internet of Things Really So Vulnerable? 8 Summary 9 References 10 Chapter 2 Planning for IoT Security 11 The Attack Continuum 11 The IoT System and Security Development Lifecycle 13     Phase 1: Initiation 15     Phase 2: Acquisition and Development 15     Phase 3: Implementation 16     Phase 4: Operations and Maintenance 17     Phase 5: Disposition 17 The End-to-End Considerations 17 Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21     Segmentation 21     New Approach 25 Summary 30 References 30 Chapter 3 IoT Security Fundamentals 31 The Building Blocks of IoT 31 The IoT Hierarchy 35 Primary Attack Targets 37 Layered Security Tiers 43 Summary 46 References 47 Chapter 4 IoT and Security Standards and Best Practices 49 Today’s Standard Is No Standard 49 Defining Standards 53 The Challenge with Standardization 56 IoT “Standards” and “Guidance” Landscape 58     Architectural or Reference Standards 59     Industrial/Market Focused 61 Standards for NFV, SDN, and Data Modeling for Services 63     Data Modeling and Services 67 Communication Protocols for IoT 70     Physical and MAC Layers 73     Network Layer 73     Transport Layer 74     Application Layer 74 Specific Security Standards and Guidelines 75 Summary 79 References 80 Chapter 5 Current IoT Architecture Design and Challenges 83 What, Why, and Where? A Summary 85 Approaches to IoT Architecture Design 88     An X-Centric Approach 91     The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98     The Information-Centric IoT Approach 100     The Data-Centric IoT Approach 104     System Viewpoint: A Cloudy Perspective 106     Middleware 118     Lambda Architecture 119     Full IoT Stack/Universal 120 General Approaches 120     Internet of Things Architecture Reference Architecture (IoT-A RA) 120     ITU-T Y.2060 125     IoT World Forum (IoTWF) Reference Model 126     oneM2M Reference Architecture 129     IEEE P2413 IoT Architecture 132     The OpenFog Consortium Reference Architecture 133     Alliance for the Internet of Things Innovation (AIOTI) 138     Cloud Customer Architecture for IoT 140     Open Connectivity Foundation and IoTivity 142 Industrial/Market Focused 144     The Industrial Internet Consortium (IIC) 144     Industry 4.0 148     OPC Unified Architecture (OPC UA) 150     Cisco and Rockwell Automation Converged Plantwide Ethernet 153     Cisco Smart Grid Reference Model: GridBlocks 153 NFV- and SDN-Based Architectures for IoT 154 Approaches to IoT Security Architecture 156     Purdue Model of Control Hierarchy Reference Model 157     Industrial Internet Security Framework (IISF) IIC Reference Architecture 160     Cloud Security Alliance Security Guidance for IoT 165     Open Web Application Security Project (OWASP) 168     Cisco IoT Security Framework 168 The IoT Platform Design of Today 172     Security for IoT Platforms and Solutions 178     Challenges with Today’s Designs: The Future for IoT Platforms 179 Summary 183 References 183 Part II Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185 A Bit of History on SDX and NFV and Their Interplay 185 Software-Defined Networking 188     OpenFlow 192     Open Virtual Switch 195     Vector Packet Processing 198     Programming Protocol-Independent Packet Processors (P4) 201     OpenDaylight 203     Extending the Concept of Software-Defined Networks 212 Network Functions Virtualization 217     Virtual Network Functions and Forwarding Graphs 221     ETSI NFV Management and Orchestration (MANO) 225 The Impact of SDX and NFV in IoT and Fog Computing 235 Summary 248 References 249 Chapter 7 Securing SDN and NFV Environments 251 Security Considerations for the SDN Landscape 251     1: Securing the Controller 252     2: Securing Controller Southbound Communications 256     3: Securing the Infrastructure Planes 260     4: Securing Controller Northbound Communications 263     5: Securing Management and Orchestration 268     6: Securing Applications and Services 270 Security Considerations for the NFV Landscape 272     NFV Threat Landscape 273     Secure Boot 274     Secure Crash 275     Private Keys Within Cloned Images 276     Performance Isolation 278     Tenant/User Authentication, Authorization, and Accounting (AAA) 279     Authenticated Time Service 281     Back Doors with Test and Monitor Functions 281     Multi-administrator Isolation 282     Single Root I/O Virtualization (SRIOV) 283     SRIOV Security Concerns 285 Summary 285 References 285 Chapter 8 The Advanced IoT Platform and MANO 287 Next-Generation IoT Platforms: What the Research Says 287 Next-Generation IoT Platform Overview 291     Platform Architecture 294     Platform Building Blocks 295     Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303 Example Use Case Walkthrough 308     Event-Based Video and Security Use Case 309 Summary 321 References 321 Part III Security Services: For the Platform, by the Platform Chapter 9 Identity, Authentication, Authorization, and Accounting 323 Introduction to Identity and Access Management for the IoT 324     Device Provisioning and Access Control Building Blocks 326     Naming Conventions to Establish “Uniqueness” 327     Secure Bootstrap 328     Immutable Identity 328     Bootstrapping Remote Secure Key Infrastructures 329     Device Registration and Profile Provisioning 330     Provisioning Example Using AWS IoT 331     Provisioning Example Using Cisco Systems Identity Services Engine 334 Access Control 336     Identifying Devices 336     Endpoint Profiling 337     Profiling Using ISE 337     Device Sensor 340     Methods to Gain Identity from Constrained Devices 345     Energy Limitations 346     Strategy for Using Power for Communication 347     Leveraging Standard IoT Protocols to Identify Constrained Devices 348 Authentication Methods 351     Certificates 351     Trust Stores 355     Revocation Support 356     SSL Pinning 357     Passwords 357     Limitations for Constrained Devices 358     Biometrics 359     AAA and RADIUS 361     A/V Pairs 362     802.1X 363     MAC Address Bypass 365     Flexible Authentication 366 Dynamic Authorization Privileges 367     Cisco Identity Services Engine and TrustSec 368     RADIUS Change of Authorization 368     Access Control Lists 374     TrustSec and Security Group Tags 376     TrustSec Enablement 379     SGACL 384 Manufacturer Usage Description 390     Finding a Policy 390     Policy Types 390     The MUD Model 392 AWS Policy-based Authorization with IAM 394     Amazon Cognito 395     AWS Use of IAM 395     Policy-based Authorization 395 Accounting 397     How Does Accounting Relate to Security? 398     Using a Guideline to Create an Accounting Framework 398     Meeting User Accounting Requirements 400 Scaling IoT Identity and Access Management with Federation Approaches 402     IoT IAM Requirements 403     OAuth 2.0 and OpenID Connect 1.0 404     OAuth 2.0 404     OpenID Connect 1.0 405     OAuth2.0 and OpenID Connect Example for IoT 405     Cloud to Cloud 406     Native Applications to the Cloud 408     Device to Device 409 Evolving Concepts: Need for Identity Relationship Management 411 Summary 414 References 415 Chapter 10 Threat Defense 417 Centralized and Distributed Deployment Options for Security Services 418     Centralized 418     Distributed 420     Hybrid 422 Fundamental Network Firewall Technologies 422     ASAv 423     NGFWv 423     Network Address Translation 424     Overlapping 425     Overloading or Port Address Translation 425     Packet Filtering 426 Industrial Protocols and the Need for Deeper Packet Inspection 428     Common Industrial Protocol 428     Lack of Security 429     Potential Solutions: Not Good Enough 430 Alternative Solution: Deep Packet Inspection 430     Sanity Check 431     User Definable 432     Applying the Filter 432 Application Visibility and Control 433     Industrial Communication Protocol Example 435     MODBUS Application Filter Example 436 Intrusion Detection System and Intrusion Prevention System 437     IPS 438     Pattern Matching 438     Protocol Analysis 439     IDS/IPS Weakness 439 Advanced Persistent Threats and Behavioral Analysis 440     Behavior Analysis Solutions 441     Protocols Used to Gain Additional Visibility 442     Network as a Sensor 444     Pairing with Contextual Information and Adaptive Network Control 446     Encrypted Traffic Analytics 450 Malware Protection and Global Threat Intelligence 455     Cisco Advanced Malware Protection and TALOS 456 DNS-Based Security 462     Umbrella (DNS Security + Intelligent Proxy) 463 Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466     ETSI MANO Components in the Use Case 468     VMs (Services) Being Instantiated in the Use Case 469     Use Case Explanation 469 Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486     Solution Components 487     NFVIS 488     Orchestration 490     vBranch Function Pack 490 Summary 495 References 495 Chapter 11 Data Protection in IoT 499 Data Lifecycle in IoT 507 Data at Rest 518     Data Warehouses 521     Data Lakes 522 Data in Use 524 Data on the Move 527 Protecting Data in IoT 531     Data Plane Protection in IoT 531     Protecting Management Plane Data in IoT 565     Protecting Control Plane Data 566     Considerations When Planning for Data Protection 567 Summary 573 References 574 Chapter 12 Remote Access and Virtual Private Networks (VPN) 575 Virtual Private Network Primer 575     Focus for This Chapter 576 Site-to-Site IPsec VPN 576     IPsec Overview 577     IKEv1 Phase 1 579     IKEv1 Phase 2 582     Internet Key Exchange Protocol Version 2 584     Benefits of IKEv2 over IKEv1 586 Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588     IPsec Databases 589     Use Case: IKE/IPsec Within the NSF 589     Interface Requirements 590 Applying SDN-Based IPsec to IoT 592     Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592 Software-Based Extranet Using Orchestration and NFV 594     Traditional Approach 594     Automating Extranet Using Orchestration Techniques and NFV 595     Software-Based Extranet Use Case 597 Remote Access VPN 598     SSL-Based Remote Access VPN 598     Reverse Proxy 599     Clientless and Thin Client VPN 599     Client Based: Cisco AnyConnect Secure Mobility Client 611     Modules 612     Using AnyConnect in Manufacturing: Use Case Example 617 Summary 622 References 622 Chapter 13 Securing the Platform Itself 625 (A) Visualization Dashboards and Multitenancy 627 (B) Back-End Platform 631     Scenario 1: A New Endpoint Needs to Be Connected to the Network 639     Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639     Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641     Docker Security 653     Kubernetes Security and Best Practices 656 (C) Communications and Networking 658 (D) Fog Nodes 660 (E) End Devices or “Things” 666 Summary 667 References 667 Part IV Use Cases and Emerging Standards and Technologies Chapter 14 Smart Cities 669 Use Cases Introduction 669 The Evolving Technology Landscape for IoT 670 The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672 Smart Cities 676 Smart Cities Overview 678 The IoT and Secure Orchestration Opportunity in Cities 688 Security in Smart Cities 693 Smart Cities Example Use Cases 696     Use Case Automation Overview and High-Level Architecture 701     Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702     Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705     Event-Based Video: Secure Data Pipeline and Information Exchange 709     Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714     Emergency Fleet Integration 718     Automated Deployment of the Use Cases 721 Summary 725 References 727 Chapter 15 Industrial Environments: Oil and Gas 729 Industry Overview 733 The IoT and Secure Automation Opportunity in Oil and Gas 735 The Upstream Environment 738     Overview, Technologies, and Architectures 739     Digitization and New Business Needs 742     Challenges 743 The Midstream Environment 744     Overview, Technologies, and Architectures 744     Digitization and New Business Needs 747     Challenges 748 The Downstream and Processing Environments 749     Overview, Technologies, and Architectures 749     Digitization and New Business Needs 752     Challenges 753 Security in Oil and Gas 754 Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763     Use Case Overview 763     Use Case Description 765     Deploying the Use Case 767     Preconfiguration Checklist 773     Automated Deployment of the Use Cases 777     Securing the Use Case 778     Power of SGT as a CoA 781     Auto-Quarantine Versus Manual Quarantine 782     Leveraging Orchestrated Service Assurance to Monitor KPIs 783 Evolving Architectures to Meet New Use Case Requirements 788 Summary 792 References 794 Chapter 16 The Connected Car 797 Connected Car Overview 800 The IoT and Secure Automation Opportunity for Connected Cars 809     The Evolving Car Architecture 824 Security for Connected Cars 830     Connected Car Vulnerabilities and Security Considerations 838 Connected Car Security and Automation Use Case 849     Use Case Overview 852     Use Case Automation Overview 854     Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855     Secure Network: Segmentation, Zones, and Interzone Communication 857     Secure Content: Intrusion Detection and Prevention 858     Secure Intelligence: Secure Internet Access from the Vehicle 861     The Future: Personalized Experience Based on Identity 862     Federal Sigma VAMA: Emergency Fleet Solution 863     Automated Deployment of the Use Case 867 Summary 871 References 871 Chapter 17 Evolving Concepts That Will Shape the Security Service Future 873 A Smarter, Coordinated Approach to IoT Security 876 Blockchain Overview 880 Blockchain for IoT Security 888 Machine Learning and Artificial Intelligence Overview 890 Machine Learning 893 Deep Learning 894 Natural Language Processing and Understanding 895 Neural Networks 896 Computer Vision 898 Affective Computing 898 Cognitive Computing 898 Contextual Awareness 899 Machine Learning and Artificial Intelligence for IoT Security 899 Summary 900 References 901   9781587145032    TOC    4/25/2018