[Slide: IoT reference architecture diagram. Recovered labels: Mobile & Web Interaction; Local Interaction; Internet; ISP; Devices; Field Gateway; Local Gateway; Local Portals and APIs; Cloud Gateway; Cloud Portals and APIs; MNO Gateway / (Mobile) Network Operators; Control System; Analytics; Data Management; Cloud Systems. Environments: Homes, Vehicles, Vessels, Factories, Farms, Oil Platforms, … Personal Environment and Networks: Watches, Glasses, Work Tools, Hearing Aids, Robotic Assistance, … Fleets: Vehicle Fleets, Sea Vessels, LV Smart Grids, Cattle, …]

[Slide: application domain matrix with columns City, Buildings, Energy, Health, Mobility. Recovered cells: Fire Protection, Lighting, Electricity Distribution, Patient Tracking, Traffic Flow, Pollution Control, Water, Wind/Solar/Geothermal, Vital Monitoring, Traffic Alerts, Flood Control, Energy Management, Gas Distribution, Implants, Rule Enforcement, Medical Emergency, Climate Control, Fuel Distribution, Disability Aids, Toll Collection, Drinking Water, Air Quality, Power Plants, OR Equipment, Bus/Tram/Train, Solid Waste, Lifts and Escalators, Nuclear Waste, Lab Equipment, Taxi, Waste Water, Signage, Coal Mining, Radiology Equipment, Street Quality, Mobile Care, Air Traffic Control, Public Order, Safety Management, Oil/Gas Production, Diabetes, Airports.]

IT engineers know how to make digital things secure.
• Secure Development Lifecycle
• Secure Network Technologies
• Threat & Vulnerability Mitigation
• Monitoring and Alerting
• Software/Firmware Auto-Updates
• Privacy Models

OT engineers know how to make physical things safe and secure.
• Standards, Procedures, Training, Continuous Improvement
• Physical access management
• Hazard and Risk Analysis
• Monitoring and Maintenance
• Fail Safe and Safety Equipment

Security Development Lifecycle & Operational Security Assurance (http://microsoft.com/sdl)
Protect: Network and Identity Isolation; Least Privilege / Just-in-Time (JIT) Access; Vulnerability / Update Management; Auditing and Certification
Detect: Live Site Penetration Testing; Centralized Logging and Monitoring; Fraud and Abuse Detection
Respond: Breach Containment; Coordinated Security Response; Customer Notification

[Slide: security measures placed on the reference architecture.]
• Data Privacy Protection and Controls
• People and Device Identity Federation, Data Attestation
• Secure Networks, Transport and Application Protocols, Segmentation
• Trustworthy Platform Hardware, Signed Firmware, Secure Boot/Load
• Tamper/Intrusion Detection
• Physical Access Security

[Slide: layered security model. Tiers: Cloud, Field Gateways, Devices. Layers in each tier: Data; Application (Edge Application on gateways and devices); Identity and Access Control; Network (Global Network for the cloud, Local Network for gateways and devices); Host; Physical; Policies, Procedures, Guidance.]

[Slide: cost versus capability chart. Axes: Cost against Computational Capabilities, Memory/Storage Capacity, Energy Consumption/Source, Component Quality. Points: $1 Sensor, $400 Phones, $1000 PCs, $10000 Server; the "IoT Sweet Spot" lies between the $1 sensor and the $400 phone.]

[Slide: local control system (Devices, Local Gateway, Local Portals and APIs, Control System, Analytics, Data Management; LAN, VPN, PLC) annotated with STRIDE threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Actors: Operator, Machine Control Logic, Service Desk, Configuration. Annotations on the diagram read T,I,D; S,T,R,I,D,E; S,R; T,R,I,D.]

Not a whole lot …
[Slide: the same control system diagram, with only T,I (Tampering, Information Disclosure) marked at Operator, Machine Control Logic, Service Desk and Configuration.]

… and they even broaden the attack surface area by fusing the networks
[Slide: the same diagram with the local networks joined; T,I marked at Operator, Machine Control Logic, Service Desk and Configuration.]

1. Pwn This (Configuration)
2. Pwn That (Vehicle Control)
Own one, own them all
[Slide: connected vehicle fleet. Vehicle: CAN BUS / "Telematics Box", Diagnostics, Entertainment. MNO with Private APN and Public APN. Backend: VPN Gateway, ERP, CRM, Fleet, Vehicle, and Driver Solutions, …]

More issues:
+ Addressing and Discovery
+ Temporal Coupling

[Slide: Service Assisted Communication. The Client/Device sits behind (CG)NAT, Firewall, Field Gateway and Router in an isolated network and connects outbound to a Service Gateway; the Device Identity Registry/Directory and Access Control Policies sit on the service side.]
• Connections are device-initiated and outbound
• Device does not actively listen for unsolicited traffic
• Public address, full and well defendable server platform
• No inbound ports open, attack surface is minimized
• Port Mapping is automatic, outbound

Mobile Backend:
• Device Authentication
• Authorization (Access Policy Enforcement)
• DoS Defense
• Application Layer Integration (vs. Link/Network)

[Slide: Mobile Cell, (CG)NAT, Firewall and Router path to the Service Gateway, showing Temporal Decoupling and Logical Addressing.]

Token expresses current membership of the device in the solution context. Asymmetrically signed by directory. Cacheable. Expires periodically.
[Slide: vehicle solution using Service Assisted Communication. Vehicle: CAN BUS / "Telematics Box", Diagnostics, Control, Entertainment (hard real-time and near real-time zones), connected through a Telematics Gateway to the Datacenter ("Cloud"): Device Identity Registry/Directory, Tokens, Access Policies, Trust; ERP, CRM, Fleet, Vehicle, and Driver Solutions, …; Control, Value-Add Services, Analysis and Optimization, Servicing.]
AMQP 1.0 Link: Bi-Directional, Secure, Reliable Transfer, Application Level, No Peer Exposure, No Inbound Ports

[Slide: cloud architecture: Cloud Portals and APIs, OPC UA Gateway, Local Gateway, Local Portals and APIs, Cloud Gateway, Control System, Analytics, Data Management, Cloud Systems.]
• Device Identity Management, Device Software Management, Connectivity, Data Flow: x Millions
• Event Storage, Real Time Analytics: x GByte/sec
• Time Series and State Storage, Historic and Predictive Analytics: x PByte

[Slide: IoT Hub Data and Command Flow. Devices and OSS Device Agents reach the IoT Hub Gateway directly (HTTPS, AMQPS), through a Field Gateway (OPC UA, CoAP, AllJoyn, …) or through a Self-Hosted Gateway (MQTT, Custom). Components: Event Hub, Per-device command queues, Identity Registry, Provisioning, Communication Management, Device Management, Provisioning APIs.]
• Hyper-Scale Identity Registry for millions of devices per IoT Hub
• Can federate identity with and via Azure Active Directory
• Secure by Principle. IoT Hub does not permit insecure connections. TLS is always enforced.
• TLS/X509 initially; TLS/PSK & TLS/RPK on roadmap for compute-constrained devices and bandwidth limited or expensive metered links.
• Native support for Service Assisted Communication model, potentially holding millions of concurrent bidirectional connections.
• AMQP 1.0 (with WebSockets), HTTP/2
• Channel-level authentication and authorization against the gateway
• All messages are tagged with the originator on the service side, allowing detection of in-payload origin spoofing attempts
• Validation of signatures against identity registry and blacklists (for signature tokens)
• Device management foundation capabilities for device state inventory and update delivery

[Slide: layered security model repeated (Cloud, Field Gateways, Devices; Data, Application / Edge Application, Identity and Access Control, Global/Local Network, Host, Physical, Policies, Procedures, Guidance), with STRIDE applied at each layer.]

http://microsoft.com/sdl
http://azure.microsoft.com/en-us/support/trust-center/

Azure compliance: ISO 27001/27002; SOC 1/SSAE 16/ISAE 3402; SOC 2; PCI DSS Level 1; United Kingdom G-Cloud; Cloud Security Alliance CCM; Australian Government IRAP; FedRAMP; Singapore MTCS Standard; FISMA; HIPAA; FBI CJIS (Azure Government); CDSA; EU Model Clauses; Food and Drug Administration 21 CFR Part 11; FERPA; FIPS 140-2; CCCPPF; MLPS