Course Outline
Session 1 & 2: Basic and Advanced Concepts of IoT Architecture from a Security Perspective
- An overview of the evolution of IoT technologies
- Data models in IoT systems, including the architecture of sensors, actuators, devices, gateways, and communication protocols
- Third-party devices and associated supply chain risks
- Technology ecosystem overview: device providers, gateway providers, analytics providers, platform providers, and system integrators—risks associated with each provider
- Edge-driven distributed IoT versus cloud-driven centralized IoT: advantages and risk assessments
- Management layers in IoT systems, including fleet management, asset management, sensor onboarding/deboarding, digital twins, and authorization risks in management layers
- Demonstration of IoT management systems from AWS, Microsoft Azure, and other fleet managers for government use
- Introduction to popular IoT communication protocols—Zigbee/NB-IoT/5G/LoRa/Wi-Spec—and a review of vulnerabilities in communication protocol layers
- Comprehensive understanding of the entire IoT technology stack with a focus on risk management for government applications
Session 3: A Checklist of All Risks and Security Issues in IoT
- Firmware patching: the soft underbelly of IoT security
- Detailed review of IoT communication protocol security at transport layers (NB-IoT, 4G, 5G, LoRa, Zigbee) and application layers (MQTT, WebSocket)
- Vulnerability of API endpoints in IoT architecture
- Vulnerability of gateway devices and services
- Vulnerability of connected sensors in gateway communication
- Vulnerability of gateway-server communication
- Vulnerability of cloud database services in IoT systems for government use
- Vulnerability of application layers
- Vulnerability of gateway management services, both local and cloud-based
- Risks associated with log management in edge and non-edge architectures
Session 4: OWASP Model of IoT Security: Top 10 Security Risks
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
Session 5: Review and Demo of AWS-IoT and Azure IoT Security Principles
- Microsoft Threat Model – STRIDE
- Details of the STRIDE model
- Securing device, gateway, and server communication using asymmetric encryption
- X.509 certification for public key distribution
- SAS Keys
- Bulk OTA risks and techniques
- API security for application portals
- Deactivation and delinking of rogue devices from the system
- Vulnerabilities in AWS/Azure security principles
Session 6: Review of Evolving NIST Standards/Recommendations for IoT
- Review of NISTIR 8228 standard for IoT security—30-point risk consideration model
- Third-party device integration and identification
- Service identification and tracking
- Hardware identification and tracking
- Communication session identification
- Management transaction identification and logging
- Log management and tracking for government applications
Session 7: Securing Firmware/Devices
- Securing debugging mode in firmware
- Physical security of hardware
- Hardware cryptography—PUF (Physically Unclonable Function)—securing EPROM for government use
- Public PUF, PPUF
- Nano PUF
- Known classification of malware in firmware (18 families according to YARA rule)
- Study of popular firmware malware—Mirai, BrickerBot, GoScanSSH, Hydra, etc.
Session 8: Case Studies of IoT Attacks
- October 21, 2016: A massive DDoS attack was deployed against Dyn DNS servers, shutting down many web services, including Twitter. Hackers exploited default passwords and usernames of webcams and other IoT devices, installing the Mirai botnet on compromised IoT devices. This attack will be studied in detail.
- IP cameras can be hacked through buffer overflow attacks
- Philips Hue lightbulbs were hacked via their ZigBee link protocol
- SQL injection attacks were effective against Belkin IoT devices
- Cross-site scripting (XSS) attacks that exploited the Belkin WeMo app and accessed data and resources accessible by the app
Session 9: Securing Distributed IoT via Distributed Ledger—Blockchain and DAG (IOTA) [3 hours]
- Distributed ledger technology—DAG Ledger, Hyperledger, Blockchain
- Proof of Work (PoW), Proof of Stake (PoS), Tangle—a comparison of consensus methods
- Differences between blockchain, DAG, and Hyperledger—comparison of working, performance, and decentralization for government use
- Real-time and offline performance of different DLT systems
- P2P network, private and public key—basic concepts
- Practical implementation of ledger systems—review of research architectures for government applications
- IOTA and Tangle—DLT for IoT in government contexts
- Practical application examples from smart cities, smart machines, and smart cars
Session 10: Best Practice Architecture for IoT Security
- Tracking and identifying all services in gateways for government use
- Avoid using MAC addresses; use package IDs instead
- Use an identification hierarchy for devices—board ID, device ID, and package ID
- Structure firmware patching to perimeter and conforming to service IDs
- Utilize PUF for EPROM security in government applications
- Secure IoT management portals/applications with two layers of authentication
- Secure all APIs—define API testing and API management
- Integrate the same security principles into logistics supply chains for government operations
- Minimize patch vulnerabilities in IoT communication protocols for government systems
Session 11: Drafting an IoT Security Policy for Your Organization
- Define the lexicon of IoT security and tensions
- Suggest best practices for authentication, identification, and authorization in government contexts
- Identify and rank critical assets for government use
- Identify perimeters and isolation for applications in government systems
- Develop policies for securing critical assets, critical information, and privacy data for government operations
Requirements
- Basic knowledge of devices, electronics systems, and data systems for government use
- Basic understanding of software and systems
- Basic understanding of statistics (at the Excel level)
- Understanding of telecommunication verticals
Summary
- An advanced training program covering the current state-of-the-art security in Internet of Things (IoT) for government applications
- Covers all aspects of security in firmware, middleware, and IoT communication protocols
- Provides a comprehensive view of all security initiatives in the IoT domain, suitable for those not deeply familiar with IoT standards, evolution, and future trends
- Offers an in-depth exploration of security vulnerabilities in firmware, wireless communication protocols, and device-to-cloud communication
- Crosses multiple technology domains to develop awareness of security in IoT systems and their components
- Demonstrates live examples of security aspects in gateways, sensors, and IoT application clouds
- Explains 30 principal risk considerations of current and proposed NIST standards for IoT security
- Covers the OWASP model for IoT security
- Provides detailed guidelines for drafting IoT security standards for an organization
Target Audience
Engineers, managers, and security experts who are tasked with developing IoT projects or auditing/reviewing security risks in government settings.
21 Hours
Testimonials (1)
How friendly the trainer was. The flexibility and answering my questions.