Thank you for sending your enquiry! One of our team members will contact you shortly.
Thank you for sending your booking! One of our team members will contact you shortly.
Course Outline
Session 1 & 2: Basic and Advanced concepts of IoT architecture from security perspective
- A brief history of the evolution of IoT technologies.
- Data models in IoT systems – definition and architecture of sensors, actuators, devices, gateways, and communication protocols.
- Third-party devices and risks associated with vendor supply chains.
- The technology ecosystem – risks associated with device providers, gateway providers, analytics providers, platform providers, and system integrators.
- Edge-driven distributed IoT vs. Cloud-driven centralized IoT: Advantages and risk assessment.
- Management layers in IoT systems – fleet management, asset management, onboarding/deboarding of sensors, Digital Twins, and the risks of authorizations in management layers.
- Demo of IoT management systems including AWS, Microsoft Azure, and other fleet managers.
- Introduction to popular IoT communication protocols – Zigbee, NB-IoT, 5G, LORA, Witespec – and a review of vulnerabilities in communication protocol layers.
- Understanding the entire IoT technology stack with a review of risk management.
Session 3: A check-list of all risks and security issues in IoT
- Firmware Patching: The soft underbelly of IoT.
- Detailed review of IoT communication protocol security – Transport layers (NB-IoT, 4G, 5G, LORA, Zigbee, etc.) and Application Layers (MQTT, WebSocket, etc.).
- Vulnerability of API endpoints – a list of all possible APIs in IoT architecture.
- Vulnerability of Gateway devices and services.
- Vulnerability of connected sensors and gateway communication.
- Vulnerability of Gateway/Server communication.
- Vulnerability of Cloud database services in IoT.
- Vulnerability of Application Layers.
- Vulnerability of Gateway management services (Local and Cloud-based).
- Risks of log management in edge and non-edge architectures.
Session 4: OWASP Model of IoT security, Top 10 security risk
- I1: Insecure Web Interface.
- I2: Insufficient Authentication/Authorization.
- I3: Insecure Network Services.
- I4: Lack of Transport Encryption.
- I5: Privacy Concerns.
- I6: Insecure Cloud Interface.
- I7: Insecure Mobile Interface.
- I8: Insufficient Security Configurability.
- I9: Insecure Software/Firmware.
- I10: Poor Physical Security.
Session 5: Review and Demo of AWS-IoT and Azure IoT security principles
- Microsoft Threat Model – STRIDE.
Details of STRIDE Model
- Security of device, gateway, and server communication – Asymmetric encryption.
- X.509 certification for public key distribution.
- SAS Keys.
- Bulk OTA risks and techniques.
- API security for application portals.
- Deactivation and delinking of rogue devices from the system.
- Vulnerabilities within AWS/Azure security principles.
Session 6: Review of evolving NIST standards/recommendations for IoT
Review of NISTIR 8228 standard for IoT security – 30-point risk consideration model.
Third-party device integration and identification.
- Service identification & tracking.
- Hardware identification & tracking.
- Communication session identification.
- Management transaction identification and logging.
- Log management and tracking.
Session 7: Securing Firmware/Device
Securing debugging mode in firmware.
Physical security of hardware.
- Hardware cryptography – PUF (Physically Unclonable Function) – securing EPROM.
- Public PUF, PPUF.
- Nano PUF.
- Known classification of malware in firmware (18 families according to YARA rule).
- Study of some popular firmware malware – MIRAI, BrickerBot, GoScanSSH, Hydra, etc.
Session 8: Case Studies of IoT Attacks
- On Oct. 21, 2016, a massive DDoS attack was deployed against Dyn DNS servers, shutting down many web services including Twitter. Hackers exploited default passwords and usernames of webcams and other IoT devices, installing the Mirai botnet on compromised devices. This attack will be studied in detail.
- IP cameras can be hacked through buffer overflow attacks.
- Philips Hue lightbulbs were hacked through their ZigBee link protocol.
- SQL injection attacks were effective against Belkin IoT devices.
- Cross-site scripting (XSS) attacks exploited the Belkin WeMo app to access data and resources the app could reach.
Session 9: Securing Distributed IoT via Distributed Ledger – Blockchain and DAG (IOTA) [3 hours]
Distributed ledger technology – DAG Ledger, Hyperledger, Blockchain.
PoW, PoS, Tangle – a comparison of consensus methods.
- Differences between Blockchain, DAG, and Hyperledger – a comparison of their working, performance, and decentralization.
- Real-time and offline performance of different DLT systems.
- P2P network, Private and Public Key basic concepts.
- How ledger systems are implemented practically – review of some research architectures.
- IOTA and Tangle: DLT for IoT.
- Practical application examples from smart cities, smart machines, and smart cars.
Session 10: The best practice architecture for IoT security
- Tracking and identifying all services in gateways.
- Never use MAC addresses; use package ID instead.
- Use an identification hierarchy for devices: board ID, Device ID, and package ID.
- Structure firmware patching to perimeter and conform to service ID.
- PUF for EPROM.
- Secure risks of IoT management portals/applications by implementing two layers of authentication.
- Secure all APIs – define API testing and API management.
- Identification and integration of the same security principles in the logistics supply chain.
- Minimize patch vulnerability of IoT communication protocols.
Session 11: Drafting IoT security Policy for your organization
- Define the lexicon of IoT security / tensions.
- Suggest best practices for authentication, identification, and authorization.
- Identification and ranking of Critical Assets.
- Identification of perimeters and isolation for applications.
- Policy for securing critical assets, critical information, and privacy data.
Requirements
- Fundamental knowledge of devices, electronic systems, and data systems.
- Basic understanding of software and systems.
- Basic understanding of Statistics (at an Excel proficiency level).
- Understanding of Telecommunication Verticals.
Summary
- An advanced training program covering the current state-of-the-art security of the Internet of Things.
- Covers all aspects of firmware, middleware, and IoT communication protocol security.
- Provides a 360-degree view of security initiatives in the IoT domain for those not deeply familiar with IoT standards, evolution, and future trends.
- In-depth analysis of security vulnerabilities in firmware, wireless communication protocols, and device-to-cloud communication.
- Cross-references multiple technology domains to develop awareness of security in IoT systems and their components.
- Includes live demonstrations of security aspects related to gateways, sensors, and IoT application clouds.
- Explains the 30-point risk consideration framework of current and proposed NIST standards for IoT security.
- Covers the OWASP model for IoT security.
- Provides detailed guidelines for drafting IoT security standards for an organization.
Target Audience
Engineers, managers, and security experts responsible for developing IoT projects or auditing and reviewing security risks.
21 Hours
Custom Corporate Training
Training solutions designed exclusively for businesses.
- Customized Content: We adapt the syllabus and practical exercises to the real goals and needs of your project.
- Flexible Schedule: Dates and times adapted to your team's agenda.
- Format: Online (live), In-company (at your offices), or Hybrid.
Price per private group, online live training, starting from 3900 € + VAT*
Contact us for an exact quote and to hear our latest promotions
Testimonials (1)
How friendly the trainer was. The flexibility and answering my questions.
