Removing Security Roadblocks to IoT Deployment Success
- 3. Connection Security X.509/TLS-Based Handshake and Encryption Device Security X.509 Certificate Based Identity and Attestation Device Provisioning, Authorization & Management Support for Diverse Hardware Secure Modules Securely connect millions of devices… …over a secure internet connection… …to Microsoft Azure – built with security from the ground up Cloud Security Azure Security Center | Azure Active Directory Key Vault | Policy-Based Access Control
- 4. GLOBA L INDUSTR Y REGIONA L HIPAA / HITECHAct FERPAGxP 21 CFR Part11 ISO 27001 SOC 1 Type 2ISO 27018 CSA STAR Self-Assessment FISC Japan CDSA Shared Assessments FACT UK GLBA PCI DSS Level 1 MARS-E FFIEC SOC 2 Type 2 SOC 3 MPAA ISO 22301 Japan My ENISA Japan CS Spain Spain India Canada Privacy GermanyIT Number Act IAF Mark Gold ENS DPA MeitY Privacy Laws Shield Grundschutz workbook CSA STAR Certification CSA STAR Attestation HITRUST IG ToolkitUK Argentina EU UK China China China Singapore Australia New Zealand PDPA Model Clauses G-Cloud DJCP GB 18030 TRUCS MTCS IRAP/CCSL GCIO ISO 27017
- 5. >90% of Fortune 500 use Microsoft Cloud
- 6. Key Questions Does the device have a unique, unforgeable identity that is inseparablefrom the hardware? Is most of the device’s software outside thedevice’s trusted computing base? Is the devicestill protected if the security of one layer of device software is breached? Does a failure in one component of the device requirea reboot of theentire device to return to operation? Does thedevice use certificates instead of passwords for authentication? Is the device’s softwareupdated automatically? Property Hardware-based Small Trusted Defense Compartmentalization Certificate- Renewable Failure Root of Trust Computing Base in Depth based Authentication Security Reporting Does the device report failures toits manufacturer?
- 7. high integrity software operations Choice of Secure Hardware - Many secure silicon providers including - Standards based and custom secure silicon - TPM - DICE https://aka.ms/RightSecureIoTHardware
- 8. Authentication Attestation Access Controls 1 Share Access Secrets (SAS) Tokens Shared Access Key - Permission based - Role based - Action based - Per device granularity 2 Certificate Based Mutual Authentication Certificate Thumbprint 3 Certificate Based Mutual Authentication Certificate Authority IoT Hub Device Connection Security X.509/TLS-Based Handshake and Encryption
- 9. IoT Device Methods Device Twin Properties Desired Reported IoT Hub Device Twin Tags Methods Telemetry Properties Desired Reported Telemetry channel Commands Cloud owned, device visible Device owned, cloud visible Cloud only, device metadata Cloud initiated C2D with response Cloud initiated C2D message
- 10. Device Provisioning Service Automate device provisioning at scale and eliminate security threats from manual handling X X X XIoT Solution US IoT Solution Germany IoT Solution China
- 14. https://azure.microsoft.com/en-us/blog/securing-the-intelligent-edge/ Threats Readily available tools and experience Rich development environment Heterogeneous hardware Physical accessibility Subject to physical analysis like on power and timing, and attacks based on micro-probing, fault injections, and environmental tampering. Non-standard security protocols Expands threat surface across architecture, vendor, and capabilities unlike a relatively more uniform datacenter hardware. The necessary mixture of scripted and compiled software using many technologies to enrich user experience also increases the probability for vulnerabilities. Proprietary hardware procedures for common security needs like secure hardware enforcements for secure boot and firmware updates precludes public scrutiny. The same tools and experience from other disciplines like failure analysis and patent research are easily repurposed for attacks. Requires assertive defense Requires uniformity
- 15. Cloud Gateway ActionsIoT Edge IoT Hub Insights Insights Actions
- 16. A Framework for Ecosystem Managed Security Hardware Root of Trust Secure Boot/Updates Secure Execution Environment Protected General Computing Application execution with runtime integrity checking Privileged executions and systems resource access control Bootstrapping and recovery Trust anchor and tamper resistance Azure IoT Edge Device IoT Hub Principles Realization
- 18. Communicate diligence in security Administered by 3rd Party Labs for transparency (coming soon) Open standards procedures Certificate based signed device promise attestations (coming soon) Promise Standard Secure Element Secure Enclave Secure silicon None Standalone security processor e.g. TPM Integrated security processor Maximum protection to be expected in malicious custody None Secrets like cryptographic keys Secrets and the trusted computing base Typical transactions All with adequate risk mitigation Authentication, session key generation, certificates processing. All secure element transactions plus the trusted computing base for transactions such as metering, billing, secure I/O, secure logging. Maximum grade possible Level 2 Level 4 Level 4 Grade Level 1 Level 2 Level 3 Level 4 Requirements Custom implementations in lieu of using Azure IoT Device SDK Azure IoT Device SDK - Azure IoT Device SDK - FIPS 140-2 Level 2 - Common Criteria EAL 3+ (PP coming soon) - Azure IoT Device SDK - FIPS 140-2 Level 3 - Common Criteria EAL 4+ (PP coming soon)
- 19. IoT Role Example Scenario OEM Investment optimal decision. Decide which market to play in. - Manufacture and certify for secure element devices for solutions with simple needs line authentication - Manufacture and certify for secure enclave devices for solutions with complex needs like monetization SI Cost optimal decisions. Balance device cost with deployments risk assessment - Secure element devices for endpoint identity - Secure enclave devices for endpoint identity and execution integrity Operator Optimal risk management. Balance between device security and personnel access controls - Less elaborate personnel access controls with secure element/enclave promise devices - More elaborate access controls with standard promise devices IoT Edge Module Developer Empowerment. Use signed attestations to programmatically detect and deploy accordingly - Detect and deploy to secure element devices for node count control - Detect and deploy to secure enclave devices for IP protection or metered usage
- 20. SEQUITUR LABS LS1012A SAMA5D2 Demo Demo Blog Blog Blog Runtime Attestation via Hardware RTiC Module Runtime Attestation via Hardware ICM Module IoTHub
- 22. “hackers have infiltrated the critical safety systems for industrial control units used in nuclear, oil and gas plants, halting operations at at least one facility” “The hackers used sophisticated malware, dubbed ‘Triton’, to take remote control of a safety control workstation” “Some controllers entered a failsafe mode as the hackers attempted to reprogram them”
- 23. Properties of TCPS Separation of critical execution Help protect critical infrastructure from malware threats by separating non-critical from critical operations and concentrating on using hardware isolation to protect control of physical systems. Inspectability of execution process Ensure that any code that handles critical operations must be auditable by operators through source code review. Attestability of processing environment During operation, each component must be able to verify that data is received and sent only from trustworthy sources. A component also needs to attest its trustworthiness to other components. Minimizing number of entities that need to be trusted Reducing the number of trusted entities significantly reduces the attack surface for critical infrastructure. In the ideal TCPS solution, the operator will maintain the only root of trust for critical code execution. The device owner/operator is in complete control of critical systems
- 24. SCADA system Factory Line Automation Attack to SCADA System SCADA System Attack vectors on factoryline Attacker Attack to Factory Line Automation Factory Line ControllerController
- 25. SCADA System OPC UA message SCADA application SCADA/HMI System OPC UA message SCADA Application TEE Message Authorization Policy Decision Engine Attacker will simulate user input or directly issue control messages (e.g. OPC UA) using the SCADA system’s message authentication Attacker OPC UA message authenticated by TEE TEE Trusted UI terminal to approve messages Trusted UI (TEE) Protecting the SCADA/HMI system Policy Decision Engine
- 26. i.MX6 + Windows IoT Core Transport stack (TCP/IP) i.MX6 + Windows IoT Core Transport Stack (TCP/IP) TrustZone (OP-TEE) OPC UA L AN Port i.MX6 Security Layer SPI Port i.MX6 SPI-LAN Adapter with TCP/IP Legacy OPC UA Device Attacker OPC UA Protecting factory line automation OPC UA Gateway Controller Factory Line Policy Decision Engine
- 27. Host Operating System Edge Client Transport stack Trusted Execution Environment Security Layer Trusted I/O Cloud services Message Gateway Controller Factory Line Azure Policy Decision Engine Azure Confidential Computing Tamper- resistant logging Configuration and Provisioning Service Factory Line Control
- 28. Additional information about TCPS TCPS Overview http://aka.ms/TCPS_TwoPager_HMI2018 Blog post http://aka.ms/TCPS_HMI2018 Whitepaper http://aka.ms/TCPS_Whitepaper Preview coming soon
- 30. Windows IoT securitypromise Windows IoT provides the best endpoint security to protect your data at rest, in motion and during execution. Windows IoT devices are build with security in mind. Security is not in the way of your development, deployment and operation.
- 34. Is my IoT infrastructure developed, deployed and operated securely? By deploying IoT what security risks am I taking for the rest of my business? Who can evaluate my IoT infrastructure and give me a threat assessment?
- 35. Consider the threats most relevant to your IoT infrastructure Identify the consequences that are most important to your business Select evaluation strategies that provide the most value http://aka.ms/IoTSecurityEval
- 38. Microsoft’s Security Program for Azure IoT connects customers with partners who are experts at evaluating an IoT infrastructure end-to-end. Not all partners may be listed; check internetofyourthings.com for latest status
- 40. Standards for IoT Security None holistic in existence No end-to-end IoT Security standard Existing standards retrofitting IT security to IoT No scope for physical attacks such as tampering Microsoft actively engaged in 25+ standards organizations and consortia to help address IoT security challenges
- 41. Microsoft champions and chairs the IoT Security Maturity Model development at the Industrial Internet Consortium (IIC) SMM assists with: • Security target definition • Current security maturity assessment • Security gap analysis • Security maturity enhancement planning
- 44. Solution operator Hardware manufacturers or integrators Solution developer Solution deployer http://aka.ms/iotbestpractices
- 45. Secure and power the intelligent edge with Azure Sphere 1:00pm-2:15pm, WSCC: Rooms 612 Azure IoT Solutions - Get your IoTproject started in minutes with SaaS and preconfigured solutions