Constrained Networks/Devices

IoT Security–Essentials–Part 01

February 1, 2017 – Categories: Cloud to Device, Communication Protocols, Connected, Connectivity, Constrained Networks/Devices, Device to Cloud, Geolocation, Identity of Things (IDoT), Internet Appliance, Internet of Things, IoT, IoT Privacy, IoT Security, machine-to-machine (M2M), Machines, Tech-Trends

Security (cyber security) is an essential requirement for any IoT platform, its devices, its end users and the communication infrastructure between them. In order to design the best possible security solution, and to avoid an external entity or attacker gaining access to your IoT devices or infrastructure, every architect or system designer should carry out a threat modeling exercise. Doing this as the system is designed and architected lets us minimize the exposure of our IoT architecture to external threats.

With this article I am trying to provide you with the relevant bits and pieces essential for your understanding:

What is Cyber Security?

As per WhatIs.com – “Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.”

To make it clearer and simpler: cyber security, also known as computer security or IT security, is the protection of computer systems from theft of or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide. Cyber security includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection.

What is Threat Modeling?

The objective of threat modeling is to understand how an attacker might be able to compromise a system and then make sure appropriate mitigations are in place. Threat modeling forces the design team to consider mitigations as the system is designed rather than after a system is deployed. This fact is critically important, because retrofitting security defenses to a myriad of devices in the field is infeasible, error prone and will leave customers at risk.

[Content courtesy:  Microsoft]

In order to apply security best practices, it is recommended that a proposed IoT architecture be divided into several components/zones as part of the threat modeling exercise.

Relevant zones for an IoT architecture:

  • Device,
  • Field Gateway,
  • Cloud gateways, and
  • Services.

Each zone is separated by a Trust Boundary, which is noted as the dotted red line in the diagram below. It represents a transition of data/information from one source to another. During this transition, the data/information could be subject to Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege (STRIDE).

[Content courtesy:  Microsoft]

The diagram below provides a full 360-degree view of any proposed solution:

[Figure: iot-security-architecture-fig1 – IoT security architecture with the four zones and their trust boundaries]

Summary of important Sections/Zones:

  1. The Device Zone – represents a thing or device where device-to-device or local user physical access is possible.
  2. The Field Gateway Zone – a field gateway is a device/appliance (embedded/hardware) or some general-purpose software that runs on a physical server, and acts as a communication enabler and, potentially, as a device control system and device data processing hub.
  3. The Cloud Gateway Zone – a cloud gateway is a system that enables remote communication from and to devices or field gateways at several different sites across public network space, typically towards a cloud-based control and data analysis system, or a federation of such systems.
  4. The Services Zone – a "service" is any software component or module that interfaces with devices through a field or cloud gateway for data collection and analysis, as well as for command and control. Services are mediators.

Once we have identified the trust boundaries, we should be able to provide fail-safe security measures for each associated zone, to meet the business needs and the global information exchange and data compliance standards. It is also important to design the product from the start with security in mind, because understanding how an attacker might be able to compromise a system helps make sure appropriate mitigations are in place from the beginning.

In the next session, we will go through Microsoft's IoT Reference Architecture and the associated security measures put together across each zone.

Additional Resources:

Microsoft Azure IoT Suite–Provisioned solutions for Faster Time to Market IoT enabled solutions

January 7, 2017 – Categories: Analytics, Azure, Azure SDK, Cloud Computing, Communication Protocols, Constrained Networks/Devices, Data Collection, Data Integration, Emerging Technologies, Identity of Things (IDoT), Internet of Things, Interoperability, IoT, PaaS, Performance, Predictive Analytics, Predictive Maintenance, Realtime Analytics, Reliability, Scalability, Self Driven Cars, Solutions, Stream Analytics, Tech-Trends, Windows Azure

Microsoft Azure IoT Suite preconfigured solutions will help you create your own fully integrated solutions, tailored to your specific needs, in the following three areas. Using these ready-to-consume solutions will accelerate your time to market for IoT (Internet of Things) requirements.


  1. Remote Monitoring – Connect and monitor your devices to analyze untapped data and improve business outcomes by automating processes. For example: as a car manufacturing company, give customers an option to remotely monitor their car's condition, and suggest when they need to refuel or change the oil.
  2. Connected Factory – Anticipate maintenance needs and avoid unscheduled downtime by connecting and monitoring your devices. For example: in a car manufacturing factory, spare parts are essential for production. Automated solutions can ensure timely availability of the necessary spare parts inventory to meet daily, weekly or monthly manufacturing needs.
  3. Predictive Maintenance – Connect and monitor your factory's industrial devices for insights using OPC UA to drive operational productivity. For example: as car service support, you can get near real-time performance data from the cars manufactured by your company, predict the health of each component in a car and offer timely maintenance, sending real-time reminders and notifications to customers. This ensures higher customer satisfaction and more business value for the organization, as it attracts more sales and good customer feedback.


These solutions will help you to:

  1. Connect and scale quickly – Use preconfigured solutions, and accelerate the development of your Internet of Things (IoT) solution.

  2. Analyze and process data – Collect previously untapped data from devices and sensors, and use built-in capabilities to visualize—and act on—that data.

  3. Integration and digital transformation – Easily integrate with your systems and applications, including Salesforce, SAP, Oracle Database, and Microsoft Dynamics, making it simple to access your data and keep your disparate systems up to date.

  4. Enhanced security – Set up individual identities and credentials for each of your connected devices—and help retain the confidentiality of both cloud-to-device and device-to-cloud messages.

Useful Links:

IoT Protocols–Quick Comparison

January 5, 2017 – Categories: Communication Protocols, Connectivity, Constrained Networks/Devices, Internet of Things, Interoperability, IoT, Performance, Reliability, Scalability, Tech-Trends

The table below contains a quick summary of the IoT protocols:

CoAP
  • Transport: UDP
  • Messaging: Request/Response
  • 2G, 3G, 4G suitability (1000s of nodes): Excellent
  • LLN suitability (1000s of nodes): Excellent
  • Compute resources: 10Ks RAM/Flash
  • Success stories: Utility Field Area Networks

XMPP
  • Transport: TCP
  • Messaging: Publish/Subscribe, Request/Response
  • 2G, 3G, 4G suitability (1000s of nodes): Excellent
  • LLN suitability (1000s of nodes): Fair
  • Compute resources: 10Ks RAM/Flash
  • Success stories: Remote management of consumer white goods

RESTful HTTP
  • Transport: TCP
  • Messaging: Request/Response
  • 2G, 3G, 4G suitability (1000s of nodes): Excellent
  • LLN suitability (1000s of nodes): Fair
  • Compute resources: 10Ks RAM/Flash
  • Success stories: Smart Energy Profile 2 (premise energy management, home services)

MQTT
  • Transport: TCP
  • Messaging: Publish/Subscribe, Request/Response
  • 2G, 3G, 4G suitability (1000s of nodes): Excellent
  • LLN suitability (1000s of nodes): Fair
  • Compute resources: 10Ks RAM/Flash
  • Success stories: Extending enterprise messaging into IoT applications

AMQP
  • Transport: TCP
  • Messaging: Topic-based Publish/Subscribe
  • 2G, 3G, 4G suitability (1000s of nodes): Excellent
  • LLN suitability (1000s of nodes): Excellent
  • Compute resources: 10Ks RAM/Flash
  • Success stories: Extending enterprise messaging into IoT applications

Further notes given with the table: designed for resource-constrained devices and low-bandwidth, high-latency networks; interoperability; reliable queuing, flexible routing, transactions, and security.

Source: Beyond MQTT: A Cisco View on IoT Protocols, Paul Duffy, April 30 2013

IoT Hub vs Event Hub–A quick comparison

December 11, 2016 – Categories: Azure, Cloud Computing, Cloud to Device, Communication Protocols, Connectivity, Constrained Networks/Devices, Data Hubs, Device Shadow, Device to Cloud, Device Twin, Emerging Technologies, Event Hubs, HTTP2, Identity of Things (IDoT), Intelligent Cloud, Internet of Things, Interoperability, IoT, IoT Hub, IoT Privacy, IoT Security, Messaging, Microsoft, Performance, Protocols, Reliability, Scalability, Tech-Trends

With this article I am trying to provide you with a bird's-eye view comparison of IoT Hub and Azure Event Hub, so that some of you may stop feeling that there is nothing new in IoT Hub.

For the purposes of this article, I put together a table with a side-by-side comparison of some important/desired features of an IoT Hub-like platform.

  1. Communication
     • IoT Hub: Supports both device-to-cloud and cloud-to-device bidirectional communication.
     • Event Hub: Supports only device-to-cloud communication.
  2. State Management
     • IoT Hub: Can maintain device state using Device Twins and query them whenever needed.
     • Event Hub: Not supported.
  3. Protocol Support
     • IoT Hub: AMQP 1.1, AMQP over Web Sockets, MQTT 3.2, MQTT over Web Sockets, HTTP 1.1, Web Sockets.
     • Event Hub: AMQP 1.1, AMQP over Web Sockets, HTTP 1.1, Web Sockets only.
  4. Protocol Extensions
     • IoT Hub: Provides the IoT protocol gateway, a customizable implementation for industrial protocol channelling.
     • Event Hub: Not supported.
  5. Security
     • IoT Hub: Provides an identity to each device, easily revocable through the IoT Hub Device Management portal.
     • Event Hub: Shared access policies with limited revocation capabilities are provided.
  6. Monitoring/Operations
     • IoT Hub: Provides a rich set of features through the Device Management capability: individually enable/disable or provision new devices, change security keys as needed, and view/identify individual device problems easily.
     • Event Hub: Does not provide individual performance metrics; can provide only high-level aggregated metrics.
  7. Scalability
     • IoT Hub: Scalable to thousands/millions of simultaneous devices.
     • Event Hub: Limited number of simultaneous connections, up to 5000 connections per the Azure Service Bus quotas. Event Hub provides a capability to partition your messages to channel them into the associated Service Bus quotas.
  8. SDK Support/Developer Support
     • IoT Hub: Provides very good integration SDKs and developer support. Both the Azure IoT Device SDK and the IoT Gateway SDK are the essential kits provided for almost all device/OS platforms. It also supports all the latest programming languages such as C#, Node.js, Java and Python. Also provides direct MQTT, AMQP and REST-based HTTP APIs. Very detail-oriented documentation is provided.
     • Event Hub: .NET, Java and C, apart from protocols such as AMQP and HTTP API interfaces.
  9. Files/Images Upload Capability
     • IoT Hub: Supports IoT devices/solutions uploading files/images/snapshots to the cloud and defining a workflow for processing them.
     • Event Hub: Not available.
  10. Message Routing
     • IoT Hub: Very decent message routing capability is available out of the box. Up to 10 endpoints can be defined, and advanced rules can be defined on how routing should occur.
     • Event Hub: Requires additional programming and hosting to support this as per the need.

From this comparison table, you can see that IoT Hub is the right candidate for your IoT solution needs, as Event Hub lacks certain capabilities that are essential for an IoT ingestion point. If you only require sending messages to the cloud and do not need the additional features that IoT Hub provides, you can choose Event Hub.

Remember, with more power comes more responsibility; that is what IoT Hub intends to provide to you.

Hope this overview was helpful. Please feel free to comment or initiate a discussion any time. Please share your feedback on this article as well.

Introduction to IoT Hub

December 9, 2016 – Categories: .NET, AMQP, Analytics, Azure, C#.NET, Cloud to Device, Communication Protocols, Connected, Connectivity, Constrained Networks/Devices, Device to Cloud, Device Twin, Emerging Technologies, Geolocation, HTTP 1.1, Identity of Things (IDoT), Internet Appliance, IoT, IoT Hub, IoT Privacy, IoT Security, KnowledgeBase, machine-to-machine (M2M), Machines, Microsoft, MQTT, Stream Analytics, Visual Studio 2015, Visual Studio 2017, Visual Studio Code, VisualStudio, VS2015, VS2017, Windows, Windows 10, Windows Azure

IoT Hub is a fully managed service from Microsoft Azure, part of the Azure IoT Suite, that enables reliable and secure bi-directional communication between millions of IoT devices and your solution back end.

Azure IoT Hub is designed to provide the following capabilities:

  • Multiple device-to-cloud and cloud-to-device communication options, including one-way messaging, file transfer, and request-reply methods.
  • Built-in declarative message routing to other Azure services.
  • A queryable store for device metadata and synchronized state information.
  • Secure communications and access control using per-device security keys or X.509 certificates.
  • Extensive monitoring for device connectivity and device identity management events.
  • Device libraries for the most popular languages and platforms.

[Figure: hubarchitecture – IoT Hub architecture]

Why IoTHub?

IoT Hub and the device libraries help you to meet the challenges of how to reliably and securely connect devices to the solution back end.

Real-world IoT devices mostly have the following constraints:

  • Embedded systems with minimal or no user interaction.
  • Deployed remotely, with little physical access.
  • Reachable through the solution back end.
  • Limited power and processing capabilities
  • Intermittent, slow, or expensive network connectivity.
  • Use proprietary, custom, or industry-specific application protocols.
  • Created using a large set of popular hardware and software platforms.

IoT Hub provides solutions to meet all the above constraints of a connected device. In addition, it provides scale and reliability. It also addresses most of the connectivity challenges through the following capabilities.

  1. Device Twin: With device twins, you can store, synchronize, and query device metadata and state information, which are stored in JSON format. IoT Hub persists a device twin for each device that you connect to IoT Hub. This feature was introduced in November '16 with the general availability of IoT Hub.
  2. Per-device authentication and secure connectivity: You can provision each device with its own security key to enable it to connect to IoT Hub, thereby enabling you to manage or block devices as desired.
  3. Route device-to-cloud messages to Azure services based on declarative rules. IoT Hub enables you to define message routes based on routing rules to control where your hub sends device-to-cloud messages.
  4. Monitoring of device connectivity operations. You can receive detailed operation logs about device identity management operations and device connectivity events.
  5. Device libraries for most of the platforms with support for Programming languages like C#, Java, Python and JavaScript.
  6. Support for the latest and widely used IoT protocols, with extensibility: protocols such as AMQP 1.1 or HTTP 1.1 and MQTT 3.1 are supported. Additional protocol translation can be provided using the Azure IoT Gateway SDK at the device/field/protocol gateway layer.
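The per-device security keys named in the capabilities list above and in item 2 here rest on one mechanism: the device mints a short-lived token bound to its own identity, and the hub verifies it against the key registered for that device, so rotating or removing the key blocks the device. The following Python is an added example, not code from the original post or from Microsoft's SDKs; it follows the documented Azure IoT Hub SAS token layout, and the hub name, device id and keys are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Constructed demo values: not a real hub and not a real device key.
DEMO_DEVICE_URI = "example-hub.azure-devices.net/devices/sensor-01"
DEMO_DEVICE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret!").decode()
DEMO_ROTATED_KEY = base64.b64encode(b"constructed-replacement-key-after-rotation").decode()


def _signature(encoded_uri: str, device_key_b64: str, expiry_epoch: int) -> str:
    # HMAC-SHA256 over "<url-encoded uri>\n<expiry>", keyed with the decoded device key.
    key = base64.b64decode(device_key_b64)
    msg = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def generate_sas_token(resource_uri: str, device_key_b64: str, expiry_epoch: int) -> str:
    """Device side: mint a token bound to one device URI and one expiry time,
    in the documented IoT Hub layout 'SharedAccessSignature sr=..&sig=..&se=..'."""
    encoded_uri = quote(resource_uri, safe="")
    sig = _signature(encoded_uri, device_key_b64, expiry_epoch)
    return f"SharedAccessSignature sr={encoded_uri}&sig={quote(sig, safe='')}&se={expiry_epoch}"


def verify_sas_token(token: str, device_key_b64: str, now_epoch: int) -> bool:
    """Service side: recompute the signature with the key currently registered
    for the device, compare in constant time, and reject expired or malformed tokens.
    Rotating or removing the registered key is what blocks a device."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
        resource_uri = fields["sr"][0]  # parse_qs has already url-decoded it
        presented_sig = fields["sig"][0]
        expiry_epoch = int(fields["se"][0])
    except (KeyError, ValueError):
        return False
    if expiry_epoch <= now_epoch:
        return False  # expired: short lifetimes limit the value of a leaked token
    expected_sig = _signature(quote(resource_uri, safe=""), device_key_b64, expiry_epoch)
    return hmac.compare_digest(presented_sig, expected_sig)
```

A token copied from one device cannot be replayed for another device id, because the signed string includes the device URI, and a token minted with the old key fails as soon as the key is rotated in the hub.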

Azure IoT Hub can bring more value to organizations by bringing their field devices to the cloud with real-time data capture and bi-directional communication. It solves the problem of a lack of proper communication infrastructure for devices to communicate or operate in real time. It is pay-per-use, low-investment infrastructure that lets you scale as you grow.

Do you feel some similarities between IoT Hub and Event Hubs service already exists as part of Azure Platform?  In my later articles I would be covering some of the major differences.

Useful References: