SECURING THE IOT
VALUE CHAIN WITH AWS
Business Unit Manager – IoT | Storm Reply
GABRIEL PAREDES LOZA
June 2022
Reply © 2022 All rights reserved. Do not distribute without written authorization
INTRODUCTION
Gabriel Paredes Loza
BU Manager – IoT @ Storm Reply
AWS Cloud Expert with a passion for IoT and Big Data solutions
TODAY'S AGENDA
24.06.2022 / Securing the IoT Value Chain with AWS
• IoT Value Chain
  • Overview
  • Security Considerations
• IoT Software Development Life Cycle (SDLC)
  • Phases
  • Security Measures with AWS
• Conclusions
• Q&A
IOT VALUE CHAIN
Overview
WHAT DOES VALUE CHAIN MEAN IN IOT TERMS?
Different components, in combination with one another or separately, add value to the overall solution and to the end user. The main difference from a traditional value chain lies in the complexity and interaction of the physical and the virtual worlds of an IoT solution.
WHY SHOULD I CARE ABOUT SECURITY?
• 76%* of IoT projects fail due to lack of interdisciplinary collaboration and cybersecurity vulnerabilities.
• Underestimated threats:
  • Damage to the firm's reputation through data theft or ransomware
  • Man-in-the-middle attacks with disastrous consequences at large scale (autonomous vehicles, healthcare, oil & gas, etc.)
* Source: IoT For All, https://www.iotforall.com/why-76-percent-iot-projects-fail-how-to-achieve-success
IOT VALUE CHAIN
Overview
Its physical and logical nature makes IoT initiatives complex to design, develop, utilize, and maintain. A holistic approach covers three dimensions: Actors, Processes, Technologies.
• Physical Value Chain (Device, etc.) – Hardware Development Life Cycle (HDLC)
• Logical Value Chain (IoT Platform, Firmware, etc.) – Software Development Life Cycle (SDLC)
• Process phases along both chains: Design → Provisioning → Operating → Repurposing / Disposing; for the service delivered to End Users: Provisioning → Operating
• End-2-End Security and End-2-End Governance span both chains
Actors along the chain:
• IoT Leaders / Managers, Chief Information Security Officers (CISOs), IT Managers
• Device Manufacturers, System Integrators (SI), HW Engineers
• Platform Owners, System Integrators (SI), SW Engineers, IoT SW Developers
• Device Manufacturers, Information Security Experts, IT / Security Solution Architects
• End Users
IOT VALUE CHAIN
Security Considerations (Actors · Processes · Technologies)
Five guiding principles:
• Comprehensive Approach to Security
• Security By Design
• Leverage Standards & Good Practices
• Cultivate Cyber Security Expertise
• Forging Better Relations Among Actors
Practical pointers, one group per slide:
• Define Accountability · Define Trust Models · Increase Visibility
• Factor-In Security · Leverage Emerging Technologies · Start from the Basics
• Document Efforts · Seek Expertise · Verify Previous Cases
• Risk-Based Approach · Educate Users · Security Culture
IOT SOFTWARE
DEVELOPMENT LIFE CYCLE
• Detailed version of the Logical IoT Value Chain
• Different SDLC models:
  – Waterfall (Sequential)
  – Spiral (Iterative)
  – Agile (DevSecOps)
• Heterogeneous software:
  – Device firmware (FW)
  – IoT services / SW
  – Network protocols
  – API source code
  – Gateway (GW) and backend code
• IoT software development cannot neglect the underlying hardware
IOT SDLC
Phases of the Software Development Life Cycle
1. Design: Defining Concepts / Requirements → Software Design
2. Provisioning: Development / Implementation → Testing and Acceptance
3. Operating / Disposing: Deployment and Integration → Maintenance and Disposal
Security goals across all phases: Confidentiality, Integrity, Availability
• 2 expected outputs: Context, Functionalities
• Ensures consistency through quality gates between phases
IOT SDLC
Security Measures – Requirements Collection
Phase 1 Design: Defining Concepts / Requirements → Software Design
Actors: Device Manufacturers, Software Engineers, Security Engineers, Business Analysts
Dimensions: Security · Hardware · Software
• Externally-Driven Requirements: User, Business, Functional, Legal & Regulatory, 3rd-Party Dependencies
• Internally-Driven Requirements: Security Standards, Certification Objectives, IoT Threats / Attack Vectors
• Physical-Hardware Requirements: Hardware Security Modules (HSM), Secure Boot, Root-of-Trust (RoT) Mechanisms
IOT SDLC
Security Measures – Requirements Collection (continued)
Phase 1 Design: Defining Concepts / Requirements → Software Design
Actors: Device Manufacturers, Software Engineers, Security Engineers, Business Analysts
Dimensions: Security · Hardware · Software
• Security risk assessment with frameworks (e.g. MITRE ATT&CK*): Critical Assets, External Dependencies, Data Flows
• Considers the cyber-physical nature of IoT for interoperability with legacy-coded / outdated devices
• Maintain an asset inventory for all IoT (and non-IoT) assets and categorize them
• Monitor & review requirements periodically throughout the SDLC
AWS services: AWS Well-Architected Framework (Security Pillar + IoT Lens), AWS Organizations, AWS IoT Device Management, AWS Systems Manager
* Depending on the IoT application and industry, other frameworks might be more appropriate (e.g. STRIDE, OWASP Top 10, etc.)
IOT SDLC
Security Measures – Software Design
Phase 1 Design: Defining Concepts / Requirements → Software Design
Inputs: Requirements → System Specifications → Software Specifications
Actors: Software Engineers, Security Engineers, Product Owners
• Spans the whole SDLC, from high-level architecture (modules) to detailed architecture (functions & methods)
• Considers safety aspects of the cyber-physical interaction (actuators, sensors in the environment, human safety, etc.)
• Designs the security foundations now to avoid costlier remediations later
• Design IoT devices & systems with unique IDs; apply authentication & access control at each interface
Functional & Business Requirements feed the IoT / Software Security Requirements:
• Firmware over-the-air updates (FOTA)
• Remote credentials management
• Access control
• Policies configuration
• Security lifecycle
Threat modeling steps:
1. Decompose the application architecture into functional components
2. Categorize and prioritize threats
3. Plan & prioritize controls
4. Define countermeasures for attacks & vulnerabilities: chain of trust, recovery plan, security mechanisms
IOT SDLC
Security Measures – Software Design (Authentication & Authorization)
Phase 1 Design: Defining Concepts / Requirements → Software Design
AWS services: AWS Certificate Manager, Amazon Cognito, AWS Identity and Access Management (IAM), AWS Secrets Manager, AWS Key Management Service (AWS KMS), AWS Well-Architected Framework (Security Pillar + IoT Lens)
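The "unique IDs, auth and access control at each interface" point above, as an added example that is not part of the original deck: a small Python linter for AWS IoT Core policies that flags the over-broad shapes a device policy should never have (wildcard actions or resources, an `iot:Connect` not tied to the thing identity), next to a per-device policy built on the AWS IoT Core policy variable `${iot:Connection.Thing.ThingName}` and the `iot:Connection.Thing.IsAttached` condition. The lint rules are this example's own heuristics, not an AWS tool; the region, account ID and topic layout are assumptions.

```python
"""Least-privilege check for AWS IoT Core policies.

Added example (not from the slides): a linter that flags the over-broad
shapes the deck warns against, next to a per-device policy that ties a
thing to its own client ID and topic subtree through the AWS IoT Core
policy variable ${iot:Connection.Thing.ThingName}.  The lint rules are
this example's own heuristics, not an AWS tool; region, account ID and
topic layout are assumed.
"""
from __future__ import annotations

import json
import re

REGION = "eu-west-1"        # assumed
ACCOUNT = "123456789012"    # assumed (AWS documentation example account ID)
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}"
THING = "${iot:Connection.Thing.ThingName}"   # substituted by AWS IoT at connect time

# What NOT to do: one policy for the whole fleet, every action on every resource.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Looks scoped (only Connect/Publish/Subscribe/Receive) but any device may use
# any client ID and any topic, so one stolen certificate can impersonate the fleet.
SHARED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"],
        "Resource": [f"{ARN}:client/*", f"{ARN}:topic/*", f"{ARN}:topicfilter/*"],
    }],
}

# Per-device policy: the thing may only connect as itself, only if the
# certificate it presents is attached to that thing, and only on its own topics.
PER_DEVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN}:client/{THING}",
         "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}}},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN}:topic/devices/{THING}/telemetry"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN}:topicfilter/devices/{THING}/commands"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN}:topic/devices/{THING}/commands"},
    ],
}

UNSCOPED_RESOURCE_RE = re.compile(r":(?:client|topic|topicfilter|thing)/\*$")


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_iot_policy(policy: dict) -> list[tuple[int, str]]:
    """Return (statement index, finding) pairs; an empty list means no findings."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action in ("*", "iot:*"):
                findings.append((i, f"wildcard action {action!r}"))
            elif action.endswith("*"):
                findings.append((i, f"prefix-wildcard action {action!r}"))
        for res in resources:
            if res == "*":
                findings.append((i, "wildcard resource '*'"))
            elif UNSCOPED_RESOURCE_RE.search(res):
                findings.append((i, f"resource not scoped to a device: {res!r}"))
        # A Connect that is not tied to the thing name lets any holder of any
        # valid fleet certificate pick another device's client ID.
        if "iot:Connect" in actions and not any(THING in r for r in resources):
            findings.append((i, "iot:Connect not bound to ${iot:Connection.Thing.ThingName}"))
    return findings


if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("shared", SHARED_POLICY),
                      ("per-device", PER_DEVICE_POLICY)):
        print(f"{name}: {lint_iot_policy(pol) or 'no findings'}")
    print(json.dumps(PER_DEVICE_POLICY, indent=2))
```

The per-device policy only works if each thing has its own certificate attached to it in the registry; with a certificate shared across devices, the `IsAttached` condition and the thing-name variable have nothing to bind to, which is exactly the "unique IDs" requirement on the previous slide.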
IOT SDLC
Software Design – Example of what NOT TO DO!!
Phase 1 Design: Defining Concepts / Requirements → Software Design
Inputs: Requirements → System Specifications → Software Specifications
Incident's Root Cause
• Undefined security mechanisms (remote credentials management)
• No mechanism to update certificates on the device
• The root certificate the devices trusted became blacklisted (distrusted)
Outcome / Security Incident
• 30% of devices not able to connect
• 4+ weeks of service unavailability
• Heavy involvement of AWS and the CA
• Only 2 options left:
  • Ignore the issue (reputation damage, unmeasurable)
  • Replace the deprecated devices (> 1M€ !!!)
Suggestions
• Invest enough resources and time, early, during the Requirements and Design phase
• Define a certificate trust store to manage and store the root certificate(s)
• DO NOT store required root certificate(s) without the possibility to update them (e.g. as part of the firmware or hardcoded in the software) !!!
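The trust-store suggestion above, as an added example that is not from the deck: a device-side trust store that holds more than one root, accepts an authenticated bundle update, and refuses rollback, replayed against the scenario on this slide (the CA retires the root the devices shipped with). Two simplifications are assumptions of this example, not AWS or vendor behaviour: roots are identified by the SHA-256 fingerprint of their DER bytes and the DER blobs are constructed placeholders, not real certificates; and bundle authenticity uses HMAC-SHA256 with a fleet update key because the Python standard library has no signature primitive. In production the bundle would carry an asymmetric signature (e.g. Ed25519) checked against a vendor public key, so the device never holds a secret that could sign updates.

```python
"""Updatable device trust store (added example, not from the slides).

The incident on this slide came from root certificates baked into firmware
with no way to replace them.  This shows the device-side piece the
suggestions call for: a trust store that can hold several roots, accepts an
authenticated bundle update, and refuses rollback to an older bundle.

Assumptions: roots are identified by the SHA-256 fingerprint of their DER
bytes (the DER blobs below are constructed placeholders); bundle
authenticity uses HMAC-SHA256 with a per-fleet update key as a stand-in for
an asymmetric vendor signature.
"""
from __future__ import annotations

import hashlib
import hmac
import json

OLD_ROOT_DER = b"constructed placeholder: DER of the root CA used at launch"
NEW_ROOT_DER = b"constructed placeholder: DER of the root CA after the CA migration"
UPDATE_KEY = b"constructed fleet update key, provisioned at manufacturing"


def fingerprint(der: bytes) -> str:
    """Fingerprint a certificate the way tooling prints it: SHA-256 over DER."""
    return hashlib.sha256(der).hexdigest()


def sign_bundle(version: int, roots: list[bytes], key: bytes) -> tuple[bytes, str]:
    """Vendor side: serialise a bundle and authenticate it."""
    body = json.dumps(
        {"version": version, "roots": [r.hex() for r in roots]}, sort_keys=True
    ).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class TrustStore:
    """Device side: mutable set of trusted roots with anti-rollback."""

    def __init__(self, roots: list[bytes], version: int, update_key: bytes):
        self._roots = {fingerprint(r) for r in roots}
        self.version = version
        self._key = update_key

    def trusts(self, root_der: bytes) -> bool:
        """Would a server chain ending in this root be accepted?"""
        return fingerprint(root_der) in self._roots

    def install_bundle(self, body: bytes, tag: str) -> bool:
        """Apply a bundle update; returns False (store unchanged) on any failure."""
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                       # tampered, or bundle for another fleet
        bundle = json.loads(body)
        if bundle["version"] <= self.version:
            return False                       # replay / rollback to an older bundle
        new_roots = {fingerprint(bytes.fromhex(h)) for h in bundle["roots"]}
        if not new_roots:
            return False                       # never brick the device with an empty store
        self._roots = new_roots
        self.version = bundle["version"]
        return True


def ca_migration_scenario() -> dict:
    """Replays the incident: the CA moves the endpoint to a new root."""
    # Device built the way the slide warns against: one root, no update path.
    hardcoded = frozenset({fingerprint(OLD_ROOT_DER)})

    # Device built with an updatable store, still shipping only the old root.
    store = TrustStore([OLD_ROOT_DER], version=1, update_key=UPDATE_KEY)

    # Vendor publishes bundle v2 *before* the old root is retired: both roots
    # are trusted during the overlap window, so the endpoint can be switched
    # at any point without a connectivity gap.
    body, tag = sign_bundle(2, [OLD_ROOT_DER, NEW_ROOT_DER], UPDATE_KEY)
    applied = store.install_bundle(body, tag)

    # Later: a bundle that drops the retired root, plus two attacks on the path.
    body3, tag3 = sign_bundle(3, [NEW_ROOT_DER], UPDATE_KEY)
    rollback_body, rollback_tag = sign_bundle(1, [OLD_ROOT_DER], UPDATE_KEY)
    forged = store.install_bundle(body3, tag3[:-1] + ("0" if tag3[-1] != "0" else "1"))
    rolled_back = store.install_bundle(rollback_body, rollback_tag)
    retired = store.install_bundle(body3, tag3)

    return {
        "hardcoded_after_migration": fingerprint(NEW_ROOT_DER) in hardcoded,
        "updatable_applied_v2": applied,
        "updatable_after_migration": store.trusts(NEW_ROOT_DER),
        "forged_bundle_rejected": not forged,
        "rollback_rejected": not rolled_back,
        "retired_old_root": retired and not store.trusts(OLD_ROOT_DER),
        "store_version": store.version,
    }


if __name__ == "__main__":
    for k, v in ca_migration_scenario().items():
        print(f"{k}: {v}")
```

The order of operations is the point: the new root is distributed while the old one still works, and only a later bundle removes it. AWS documents the set of CAs its IoT endpoints present; a device should carry that whole set from the start, and still have the update path above for the day the set changes.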
IOT SDLC
Security Measures – Software Development, Testing, and Acceptance
Phase 2 Provisioning: Development / Implementation → Testing and Acceptance
Inputs: Design Specifications → Code Development → Automation & Testing
Actors: Software Engineers, Security Engineers, Product Owners
• Mind the hardware & software constraints of IoT devices
• Includes Infrastructure as Code (IaC) in the loop
• Assesses 3rd-party / open-source APIs and libraries BEFORE integration
• Manual, checklist-based code peer reviews to detect vulnerabilities not identified by automation
• E2E Reply's IoT Security Test Unit
Secure Coding Guidelines & Standards
• ETSI EN 303 645 V2.1 (Cyber Security for Consumer IoT: Baseline Requirements)
• IoT Security Compliance Framework
• OWASP ISVS (IoT Security Verification Standard)
• ENISA Baseline Security Recommendations for IoT
Automation & Scalability
• Code reviews (manual)
• Configuration management
• CI / CD strategy (DevSecOps)
Testing Strategy
• Static Application Security Testing (SAST)
• Dynamic analysis / testing (DAST)
• Design the testing environment
• Penetration testing of ALL software
• Holistic approach: end devices, firmware, communications, etc.
IOT SDLC
IoT DevSecOps CI/CD Pipeline with SCA, SAST, DAST Practices, and Security Events Management
Phase 2 Provisioning: Development / Implementation → Testing and Acceptance
(pipeline diagram; not reproduced in the transcript)
IOT SDLC
Software Development – Example of what NOT TO DO!!
Phase 2 Provisioning: Development / Implementation → Testing and Acceptance
Inputs: Design Specifications → Code Development → Automation & Testing
Incident's Root Cause
• Human error
• IaC in a public GitHub repository
• AWS admin credentials hardcoded in the IaC
• No centralized logging in place
Outcome / Security Incident
• Attackers obtained the credentials
• AWS account was compromised
• >200k€ of AWS costs over a weekend
• RCA & resolution took 2 working days
Suggestions
• Apply Static Application Security Testing (SAST) ALSO to the Infrastructure as Code (IaC)
• Periodically educate the workforce on security best practices when developing code
• Use the least-privilege principle when assigning permissions
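The first suggestion above (SAST for IaC), as an added example not taken from the deck: a standard-library-only Python secret scan of the kind a pre-commit hook or CI job runs over Terraform and CloudFormation before anything is pushed. The Terraform and CloudFormation snippets are constructed, and the credential values are the placeholder keys from AWS documentation (`AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`), not live secrets; the rule names and the `ci_gate` convention are this example's own.

```python
"""Secret scan for Infrastructure-as-Code files.

Added example, not from the slides: the pre-commit / CI check that the
first suggestion on this slide asks for, run over constructed Terraform and
CloudFormation snippets.  Key values are the placeholder credentials from
AWS's own documentation, not live keys.
"""
from __future__ import annotations

import re

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 uppercase/digits.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-alphabet chars; require a key-like name nearby
# so that AMI IDs, digests and other random blobs are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_key\W{0,3}[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Static credentials assigned inside a Terraform provider/backend block: the
# right answer is a role (assume_role / instance profile / OIDC), never a literal.
PROVIDER_LITERAL_RE = re.compile(r"^\s*(?:access_key|secret_key)\s*=\s*[\"'][^\"']+[\"']")

RULES = (
    ("aws-access-key-id", ACCESS_KEY_ID_RE, 0),
    ("aws-secret-access-key", SECRET_KEY_RE, 1),
    ("static-credential-in-provider", PROVIDER_LITERAL_RE, 0),
)


def _redact(value: str) -> str:
    """Keep enough to locate the secret in the file, never the whole value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding per (line, rule) hit; an empty list means clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, group in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "match": _redact(m.group(group))})
    return findings


def ci_gate(files: dict[str, str]) -> int:
    """Exit-code style result for a pipeline step: 0 clean, 1 block the commit."""
    return 1 if any(scan_text(text, path) for path, text in files.items()) else 0


# --- constructed inputs ---------------------------------------------------
LEAKY_TERRAFORM = '''\
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_iam_user_policy" "admin" {
  user   = "deploy"
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }] })
}
'''

LEAKY_CLOUDFORMATION = '''\
Resources:
  Ingest:
    Type: AWS::Lambda::Function
    Properties:
      Environment:
        Variables:
          AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
          IMAGE_DIGEST: sha256:4f6a9e0b2c8d1e7f3a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f
'''

CLEAN_TERRAFORM = '''\
provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/iot-deploy"
  }
}
'''

if __name__ == "__main__":
    for path, text in {"main.tf": LEAKY_TERRAFORM, "stack.yaml": LEAKY_CLOUDFORMATION,
                       "clean.tf": CLEAN_TERRAFORM}.items():
        for f in scan_text(text, path):
            print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match']})")
    print("gate:", ci_gate({"main.tf": LEAKY_TERRAFORM}))
```

Wire `ci_gate` in as a pre-commit hook and as a blocking pipeline stage; a scan that only runs after the push is too late for a public repository, since the key has already been indexed by the time the job fails. The `IMAGE_DIGEST` line shows why the secret-key rule needs the name context: a bare 40-character base64 regex would fire on digests and AMI references all over a real repository and get the check disabled. For production use, the same idea is what gitleaks, trufflehog, checkov or tfsec implement with far larger rule sets; the third bullet on the slide (least privilege) is what keeps a leaked key from turning into a full account compromise when the scan misses.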
IOT SDLC
Security Measures – Deployment, Integration, and Maintenance
Phase 3 Operating / Disposing: Deployment and Integration → Maintenance and Disposal
Actors: End Users, Production Teams, Development Teams, System Integrators
• Considers the heterogeneity of deployment environments
• Create and test Business Continuity and Disaster Recovery plans
• Consider the lifetime of IoT devices and plan ahead
• Defines special asset & user authorization methods for self-enrolling devices (e.g. over the air)
Deployment Strategy
• Consider rollout / rollback, timings, downtime requirements
• Include Final Security Reviews (FSRs) by subject-matter security experts
Maintenance Strategy
• Define security auditing & monitoring procedures in IoT and IT environments
• Define incident management with proactive detection & response procedures
• Conduct penetration testing of the IoT software and its infrastructure (IaC)
Disposal Strategy
• Define data erasure mechanisms to preserve privacy for sensitive data types
IOT SDLC
Security Measures – Deployment, Integration, and Maintenance
Phase 3 Operating / Disposing: Deployment and Integration → Maintenance and Disposal
• Other AWS services for security auditing & monitoring in IoT and IT environments: AWS IoT Device Defender, AWS Security Hub, Amazon CloudWatch, AWS CloudTrail, Amazon GuardDuty, AWS Config, CloudEndure Disaster Recovery, AWS Backup
CONCLUSIONS
How can enterprises and developers make sure cybersecurity does not represent a blocker for successful IoT initiatives?
Key Takeaways
• Consider ALL the Actors, Processes, and Technologies involved in the IoT Value Chain
• Factor in security investments to avoid costly remediations
• Forge a security-first culture in the organization
• Engage the right partners
• Test software in every stage of the chain, and test it often
Q & A
THANK YOU
Gabriel Paredes Loza
BU Manager @ Storm Reply

Más contenido relacionado

Similar a Securing the IoT Value Chain with AWS

.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 
Zero Trust 20211105
Zero Trust 20211105 Zero Trust 20211105
Zero Trust 20211105 Thomas Treml
 
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsBecoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsSolarWinds
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsThousandEyes
 
Security and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of thingsSecurity and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of thingsIRJET Journal
 
IOT Software Development Company.pdf
IOT Software Development Company.pdfIOT Software Development Company.pdf
IOT Software Development Company.pdfNishaadequateinfosof
 
MT82 IoT Security Starts at Edge
MT82  IoT Security Starts at EdgeMT82  IoT Security Starts at Edge
MT82 IoT Security Starts at EdgeDell EMC World
 
#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)
#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)
#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)Codit
 
Industry 4.0 Security
Industry 4.0 SecurityIndustry 4.0 Security
Industry 4.0 SecurityDuncan Purves
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsThousandEyes
 
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)Codit
 
IoTforReal Seminar slidedeck
IoTforReal Seminar slidedeckIoTforReal Seminar slidedeck
IoTforReal Seminar slidedeckCodit
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析Onward Security
 
Decision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentDecision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentAlexey Pyshkin
 
Demystifying IoT skills : What does it take to become a FullStack IoT engineer?
Demystifying IoT skills : What does it take to become a FullStack IoT engineer?Demystifying IoT skills : What does it take to become a FullStack IoT engineer?
Demystifying IoT skills : What does it take to become a FullStack IoT engineer?Emertxe Information Technologies Pvt Ltd
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfibramax
 
From IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DivideFrom IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DividePriyanka Aash
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsThousandEyes
 

Similar a Securing the IoT Value Chain with AWS (20)

.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Zero Trust 20211105
Zero Trust 20211105 Zero Trust 20211105
Zero Trust 20211105
 
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsBecoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of Concepts
 
Security and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of thingsSecurity and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of things
 
IOT Software Development Company.pdf
IOT Software Development Company.pdfIOT Software Development Company.pdf
IOT Software Development Company.pdf
 
MT82 IoT Security Starts at Edge
MT82  IoT Security Starts at EdgeMT82  IoT Security Starts at Edge
MT82 IoT Security Starts at Edge
 
#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)
#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)
#IoTforReal Seminar slidedeck (Codit Belgium - Ghelamco Arena Gent)
 
Industry 4.0 Security
Industry 4.0 SecurityIndustry 4.0 Security
Industry 4.0 Security
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of Concepts
 
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
 
IoTforReal Seminar slidedeck
IoTforReal Seminar slidedeckIoTforReal Seminar slidedeck
IoTforReal Seminar slidedeck
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
 
Decision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentDecision Matrix for IoT Product Development
Decision Matrix for IoT Product Development
 
Demystifying IoT skills : What does it take to become a FullStack IoT engineer?
Demystifying IoT skills : What does it take to become a FullStack IoT engineer?Demystifying IoT skills : What does it take to become a FullStack IoT engineer?
Demystifying IoT skills : What does it take to become a FullStack IoT engineer?
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdf
 
Internet of things
Internet of thingsInternet of things
Internet of things
 
From IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DivideFrom IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity Divide
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of Concepts
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Securing the IoT Value Chain with AWS

  • 1. SECURING THE IOT VALUE CHAIN WITH AWS Business Unit Manager – IoT | Storm Reply GABRIEL PAREDES LOZA June 2022
  • 2. 2 Reply © 2022 All rights reserved. Do not distribute without written authorization INTRODUCTION Gabriel Paredes Loza BU Manager – IoT @ Storm Reply AWS Cloud Expert with a passion for IoT and Bigdata solutions
  • 3. 3 • IoT Value Chain • Overview • Security Considerations • IoT Software Development Life Cycle (SDLC) • Phases • Security Measures with AWS • Conclusions • Q&A Reply © 2022 All rights reserved. Do not distribute without written authorization TODAY’S AGENDA 24.06.2022 / Securing the IoT Value Chain with AWS
  • 5. WHAT DOES VALUE CHAIN MEAN IN IOT TERMS? Different components, in Combination with one another or Separately, Add Value to the overall Solution, and to the End User. Main difference stands in the Complexity and interaction of the Physical and the Virtual worlds of an IoT Solution. 5 Reply © 2022 All rights reserved. Do not distribute without written authorization IOT VALUE CHAIN Overview WHY SHOULD I CARE ABOUT SECURITY? • 76%* of IoT Projects Fail due to Lack of Interdisciplinary Collaboration and Cybersecurity Vulnerabilities. • Underestimating Undesired Threats: • Firm’s Reputation due to Data Theft, Ransomware • Man-In-The-Middle with disastrous consequences at large scale (AVs, Healthcare, Oil & Gas, etc.) * Source: IoT For All, https://www.iotforall.com/why-76-percent-iot-projects-fail-how-to-achieve-success
  • 6. IOT VALUE CHAIN – Overview
    Its Physical and Logical nature makes IoT Initiatives complex to design, develop, utilize, and maintain, so a Holistic Approach has to cover Actors, Processes, and Technologies along both chains, under End-2-End Security and End-2-End Governance:
    • Physical Value Chain (Device, etc.): Hardware Development Life Cycle (HDLC)
    • Logical Value Chain (IoT Platform, Firmware, etc.): Software Development Life Cycle (SDLC)
    • Processes in both life cycles: Design, Provisioning, Operating, Repurposing / Disposing
    • Actors across both chains: IoT Leaders / Managers; Chief Information Security Officers (CISOs); IT Managers; Device Manufacturers; System Integrators (SI); HW Engineers; Platform Owners; SW Engineers; IoT SW Developers; Information Security Experts; IT / Security Solution Architects; End Users
  • 7. IOT VALUE CHAIN – Security Considerations (Actors, Processes, Technologies). Five themes run through slides 7 to 10: Comprehensive Approach to Security; Security By Design; Leverage Standards & Good Practices; Cultivate Cyber Security Expertise; Forge Better Relations Among Actors. Highlighted here: Define Accountability; Define Trust Models; Increase Visibility.
  • 8. IOT VALUE CHAIN – Security Considerations (same five themes). Highlighted here: Factor-In Security; Leverage Emerging Technologies; Start from the Basics.
  • 9. IOT VALUE CHAIN – Security Considerations (same five themes). Highlighted here: Document Efforts; Seek Expertise; Verify Previous Cases.
  • 10. IOT VALUE CHAIN – Security Considerations (same five themes). Highlighted here: Risk-Based Approach; Educate Users; Security Culture.
  • 12. IOT SDLC – Phases of the Software Development Life Cycle
    • Detailed Version of the Logical IoT Value Chain
    • Different SDLC Models: Waterfall (Sequential); Spiral (Iterative); Agile (DevSecOps)
    • Heterogeneous SW: Devices FW; IoT Services / SW; Network Protocols; APIs Source Code; GWs, Backend Code
    • IoT Software Development cannot neglect the underlying Hardware
    Phases, with Confidentiality, Integrity, and Availability as the goals across all of them:
    • 1 Design: Defining Concepts / Requirements; Software Design
    • 2 Provisioning: Development / Implementation; Testing and Acceptance
    • 3 Operating / Disposing: Deployment and Integration; Maintenance and Disposal
  • 13. IOT SDLC – Security Measures – Requirements Collection (Phase 1, Design: Defining Concepts / Requirements; Software Design)
    • 2 Expected Outputs: Context; Functionalities
    • Ensures Consistency through Quality Gateways
    • Externally-Driven Requirements: User; Business; Functional; Legal & Regulatory; 3rd-Party Dependencies
    • Internally-Driven Requirements (Security): Security Standards; Certification Objectives; IoT Threats / Attack Vectors
    • Physical-Hardware Requirements (Hardware / Software): Hardware Security Modules (HSM); Secure Boot, Root-of-Trust (RoT) Mechanisms
    Involved: Device Manufacturers, Software Engineers, Security Engineers, Business Analysts
  • 14. IOT SDLC – Security Measures – Requirements Collection (Phase 1, Design)
    • Considers the Cyber-Physical nature of IoT for Interoperability of Legacy-Coded / Outdated Devices
    • Security Risk Assessment with Frameworks (e.g. MITRE ATT&CK*): Critical Assets; External Dependencies; Data Flows
    • Maintain an Asset Inventory for all IoT (and non-IoT) Assets & Categorize them
    • Monitor & Review Requirements Periodically throughout the SDLC
    • AWS: AWS Well-Architected Framework (Security Pillar + IoT Lens); AWS Organizations; AWS IoT Device Management; AWS Systems Manager
    Involved (Security / Hardware / Software): Device Manufacturers, Software Engineers, Security Engineers, Business Analysts
    * Depending on the application of IoT and the Industry, other frameworks might be more appropriate (e.g. STRIDE, OWASP Top 10, etc.)
  • 15. IOT SDLC – Security Measures – Software Design (Phase 1, Design)
    • Spans the whole SDLC, from High-Level Architecture (modules) to Detailed Architecture (functions & methods)
    • Considers Safety aspects for Cyber-Physical interaction (Actuators, Sensors in the Environment, Human Safety, etc.)
    • Designs Security Foundations to avoid future, Costlier Remediations
    Inputs: Requirements → System Specifications → Software Specifications; Functional & Business Requirements
    IoT / Software Security Requirements: FOTA; Remote Credentials Management; Access Control; Policies Configuration; Security Lifecycle
    Design steps:
      1. Decompose the App. Architecture into functional components
      2. Categorize and Prioritize Threats
      3. Plan & Prioritize Controls
      4. Define Countermeasures for Attacks & Vulnerabilities: Chain of Trust; Recovery Plan; Security Mechanisms
    Involved: Software Engineers, Security Engineers, Product Owners
  • 16. IOT SDLC – Security Measures – Software Design (Authentication & Authorization) (Phase 1, Design)
    • Design IoT Devices & Systems with Unique IDs; Apply Auth & Access Control at each Interface
    • AWS: AWS Certificate Manager; Amazon Cognito; AWS Identity and Access Management (IAM); AWS Secrets Manager; AWS Key Management Service (AWS KMS); AWS Well-Architected Framework (Security Pillar + IoT Lens)
  • 17. IOT SDLC – Software Design – Example of what NOT TO DO!! (Phase 1, Design: Requirements → System Specifications → Software Specifications)
    Incident’s Root Cause:
      • Undefined Security Mechanisms (Remote Credentials Management)
      • No update-certificate mechanism
      • Root Certificate became Blacklisted
    Outcome / Security Incident:
      • 30% of devices not able to connect
      • 4+ weeks of service unavailability
      • Huge involvement of AWS and the CA
      • Only 2 future options: Ignore the issue (Reputation – Unmeasurable), or Replace deprecated devices (> 1M€ !!!)
    Suggestions:
      • Invest enough resources and time, early, during the Requirements and Design Phase
      • Define a Certificate Trust Store to manage / store Root Certificate(s)
      • DO NOT store required root certificate(s) without the possibility to update them (e.g. as part of the firmware or hardcoded in the software) !!!
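An added example, not from the deck, of the trust-store design slide 17 calls for: a versioned CA store on writable storage with a factory fallback, signed updates and anti-rollback, so a blacklisted root can be replaced in the field instead of being baked into the firmware. The update key, the HMAC check (a stand-in for a manufacturer public-key signature) and the PEM placeholders are constructed.

```python
import hashlib, hmac, json, os, tempfile
class BadSignature(Exception): pass
class Rollback(Exception): pass

# Constructed placeholder roots standing in for real PEM certificates.
FACTORY_BUNDLE = {"version": 1, "cas": ["-----ROOT A (later blacklisted)-----"]}

class TrustStore:
    # Versioned CA store on writable storage; the factory bundle is only the
    # first-boot fallback, never the sole copy hardcoded into the firmware.
    def __init__(self, path, factory_bundle, update_key):
        self.path, self.factory, self.key = path, factory_bundle, update_key
    def load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except (OSError, ValueError):  # first boot, or a corrupted store
            return self.factory

    def apply_update(self, manifest, signature):
        # Stand-in for a public-key signature check: a real device would verify
        # e.g. an Ed25519 signature with a baked-in manufacturer public key;
        # HMAC is used here only to keep the example stdlib-only.
        expected = hmac.new(self.key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise BadSignature("trust-store manifest rejected")
        new = json.loads(manifest)
        if new["version"] <= self.load()["version"]:  # anti-rollback
            raise Rollback("refusing older or equal trust-store version")
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(new, f)
        os.replace(tmp, self.path)  # atomic swap, no half-written store
        return new["version"]

    def ca_bundle_pem(self):
        # Hand this to ssl.create_default_context(cadata=...) at connect time.
        return "\n".join(self.load()["cas"])

def sign(key, bundle):  # what the backend / CI signing step would do
    manifest = json.dumps(bundle).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).digest()

def demo():
    key = b"constructed-update-key"
    with tempfile.TemporaryDirectory() as d:
        store = TrustStore(os.path.join(d, "trust.json"), FACTORY_BUNDLE, key)
        before = store.ca_bundle_pem()
        # Root A got blacklisted: push a v2 store carrying the replacement root.
        v = store.apply_update(*sign(key, {"version": 2, "cas": ["-----ROOT B-----"]}))
        return before, v, store.ca_bundle_pem()
```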
  • 18. IOT SDLC – Security Measures – Software Development, Testing, and Acceptance (Phase 2, Provisioning: Development / Implementation; Testing and Acceptance)
    • Mind Hardware & Software Constraints in IoT Devices
    • Includes Infrastructure as Code (IaC) in the loop
    • Assesses 3rd-party / Open-Source APIs and libraries BEFORE Integration
    • Manual Checklist-Based Code Peer Reviews to Detect Vulnerabilities not Identified by Automation
    • E2E Reply’s IoT Security Test Unit
    Flow: Design Specifications → Code Development → Automation & Testing
    Secure Coding Guidelines & Standards: ETSI TS 303 645 V2.1; IoT Security Compliance Framework; OWASP ISVS; ENISA Baseline Security Recommendations for IoT
    Automation & Scalability: Code Reviews (manual); Configuration Management; CI / CD Strategy (DevSecOps)
    Testing Strategy: Static Code Testing (SAST); Dynamic Analysis / Testing; Design Testing Environment; Penetration Testing of ALL SW; Holistic approach (End Devices, Firmware, Communications, etc.)
    Involved: Software Engineers, Security Engineers, Product Owners
  • 19. IOT SDLC – IoT DevSecOps CI/CD Pipeline with SCA, SAST, DAST Practices, and Security Events Management (Phase 2, Provisioning: Development / Implementation; Testing and Acceptance) [pipeline diagram]
  • 20. IOT SDLC – Software Development – Example of what NOT TO DO!! (Phase 2, Provisioning: Design Specifications → Code Development → Automation & Testing)
    Incident’s Root Cause:
      • Human Error
      • IaC in a Public GitHub Repository
      • AWS Admin Credentials hardcoded in the IaC
      • No centralized logging was in place
    Outcome / Security Incident:
      • Attackers got access to the credentials
      • The AWS account was hacked
      • >200k€ of AWS costs over a weekend
      • RCA & Resolution took 2 Working Days
    Suggestions:
      • Include Static Application Security Testing (SAST) ALSO for the Infrastructure as Code (IaC)
      • Periodically Educate the workforce on security best practices when developing code
      • Use the Least-Privilege Principle when assigning permissions
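An added example, not from the deck, of the first and third suggestions on slide 20: a minimal SAST gate for IaC that flags hardcoded AWS credentials and allow-all IAM actions before a commit reaches a repository. The rule names, the gate function and the two Terraform fragments are constructed; the key values are the example values from AWS documentation, not real keys.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line: int
    rule: str
    excerpt: str

# Rules the merge gate enforces on IaC. The credential patterns follow the
# format AWS documents for access keys and do not identify any real key.
RULES = {
    "HARDCODED_AWS_ACCESS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "HARDCODED_AWS_SECRET_KEY": re.compile(
        r"(?i)(secret_key|aws_secret_access_key)\s*[=:]\s*['\"][A-Za-z0-9/+]{40}['\"]"),
    "IAM_WILDCARD_ACTION": re.compile(r"\bAction\b\s*[=:]\s*['\"]\*['\"]"),
}

def scan_iac(text: str) -> list[Finding]:
    # One Finding per (line, rule) hit, with the offending line for the report.
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(n, rule, line.strip()))
    return findings

def gate(text: str) -> int:
    # CI exit code: 1 blocks the pipeline, 0 lets it continue.
    return 1 if scan_iac(text) else 0

# Constructed Terraform fragment in the shape of the slide-20 incident: provider
# credentials inline (AWS's documented example values) and an allow-all policy.
BAD_IAC = '''
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_iam_policy" "ci" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }] })
}
'''
# Remediated fragment: credentials come from the CI runner's IAM role (nothing
# inline) and the policy lists only the actions the pipeline needs.
GOOD_IAC = '''
provider "aws" { region = "eu-west-1" }
resource "aws_iam_policy" "ci" {
  policy = jsonencode({ Statement = [{ Effect = "Allow",
    Action = ["iot:CreateJob", "iot:DescribeJob"], Resource = "*" }] })
}
'''
```

Wired into the CI / CD pipeline from slide 19, `gate()` runs before the IaC is applied, so the findings block the merge rather than surfacing in the bill.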
  • 21. IOT SDLC – Security Measures – Deployment, Integration, and Maintenance (Phase 3, Operating / Disposing: Deployment and Integration; Maintenance and Disposal)
    • Considers the Heterogeneity of Deployment Environments
    • Create and Test Business Continuity and Disaster Recovery Plans
    • Consider the lifetime of IoT Devices and plan ahead
    • Defines special Asset & User Authorization methods for self-enrolling devices (e.g. over the air)
    Deployment Strategy: Consider Rollout / Rollback, Timings, Downtime Requirements; Include Final Security Reviews (FSRs) by subject-matter security experts
    Maintenance Strategy: Define Security Auditing & Monitoring Procedures in IoT and IT Environments; Define Incident Management with Proactive Detection & Response Procedures; Conduct Penetration Testing of the IoT Software and its Infrastructure (IaC)
    Disposal Strategy: Define Data Erasure Mechanisms to preserve Privacy Management for Sensitive Data Types
    Involved: End Users, Production Teams, Development Teams, System Integrators
  • 22. IOT SDLC – Security Measures – Deployment, Integration, and Maintenance (Phase 3, Operating / Disposing)
    • Other AWS Services for Security Auditing & Monitoring in IoT and IT Environments: AWS IoT Device Defender; AWS Security Hub; Amazon CloudWatch; AWS CloudTrail; Amazon GuardDuty; AWS Config; CloudEndure Disaster Recovery; AWS Backup
  • 24. CONCLUSIONS – How can Enterprises and Developers make sure Cybersecurity does not represent a blocker for successful IoT Initiatives? Key Takeaways:
    • Consider ALL the Actors, Processes, and Technologies involved in the IoT Value Chain
    • Factor-in Security Investments to Avoid Costly Remediations
    • Forge a Security-First Culture in the Organization
    • Engage the Right Partners
    • Test Software in Every Stage of the Chain, and Test it Often
  • 25. Q & A
  • 26. THANK YOU Gabriel Paredes Loza BU Manager @ Storm Reply