GithubHelp home page GithubHelp logo

mcw-securing-the-iot-end-to-end's Introduction

Securing the IoT end-to-end

Contoso, Ltd. has major holdings in one of the world’s most important oil-producing regions. To overcome the challenges of monitoring and optimizing a vast number of widely dispersed field assets, Contoso, Ltd. is looking to streamline its operations with IoT solutions. They want to deploy IoT technologies to electronically collect data and use cloud based solutions to store and analyze it in order to gain new insights into well operations and future drilling possibilities.

Their environments are very tough environments in which to work. The climate is hot, harsh, and unforgiving, and oil wells are often spaced many miles apart, so field technicians can spend much of their day just driving from one to another. Cellular and radio reception is spotty at best, so collecting data about well conditions and performance typically involves manually writing down information. The technician must then make the long trek to the central office at the end of the day to upload the data for analysis. With such remote situations, a key concern for Contoso is not only how they manage these remote devices, but more broadly how they secure the complete solution that encompasses the physical device, the software on the device, the services processing the data in the cloud and the network connecting it all.

Contoso plans to tie in to existing sensors at the well head that monitor key system parameters like temperatures, pressures, and flow rates. They will deploy gateway devices route device data for processing, storage and analytics. Internal IT staff and engineers want to visualize the high-resolution data and deliver near real-time analyses. The company is places a premium on flexibility and ease of use, with security as a fundamental.

In addition, they would also like to the solution to yield benefits to their workers in the field. “The field technicians and lease operators already have tools on their phones that they use every day to see what a well is doing,” explains Miles Strom. “Our goal is to connect these tools to live data from the IoT sensors. So, instead of seeing low-resolution volumes or flow rates, they’ll see what is happening in real time. This way they can respond immediately to problems that lead to downtime or maintenance issues.”

They have implemented proof of concept solution for this collecting and analyzing device telemetry using IoT Hub, but are interested in learning about any related services in Azure that would help them to secure such solutions.

Target audience

  • Cloud Solution Architect
  • System Architect
  • Software Engineer
  • Technical Support Engineer
  • Data Engineer

Abstract

Workshop

In this workshop, you will look at the process for designing and implementing an oil and gas manufacturing IoT solution that is secured end-to-end following best practices.

At the end of this workshop, you will be better able to architect a comprehensive and secure oil and gas manufacturing IoT solution.

Envisioned situation

Whiteboard design session

In this whiteboard design session, you will look at the process for designing a oil and gas manufacturing IoT solution that is secured end-to-end following best practices. You will learn how how to monitor and manage the security of all components in the solution You will also provide Contoso guidance on defining lifecycles for particular components so that they have a plan that begins with initial deployment, to expected maintenance, to planned obsolescence and ultimately thru decommissioning of the device so that they can understand how Azure supports this. Additionally, you will perform some threat modeling to help Contoso think about how they might handle STRIDE threats (spoofing of user identity, tampering, repudiation, information disclosure, denial of service, elevation of privilege).

At the end of this whiteboard design session, you will be better able to architect a comprehensive and secure oil and gas manufacturing IoT solution.

Outline: Key Concerns for Customer situation

  • How can we provide a secure identity to each of our devices?
  • How can we proactively guard against attacks to components in our solution, from device, to network to cloud?
  • What is the alerting capability provided? Do we have to author dozens of rules to get started? How would we keep the rules set up to date? Are we limited to rules as the only way alerts are created?
  • Are the alerts limited to events occurring just on the device or can we have a single solution that can raise alerts based on events transpiring on devices, on our IoT Edge devices, and the IoT Hub to which they transmit?
  • Is there a way for us to send custom security related events from the device? Can this be done without an agent installed on the device?
  • How can we manually query for security alerts collected by the solution?
  • How do we manage the lifecycle of the solution, encompassing the both the applications running on or near the device and in the cloud?
  • We run a mix of devices, mostly Linux but some run on x86 and others run on x64 architectures. When using Azure Security Center for IoT, how would we choose the agent flavor to use? We currently do not have Windows Server or Windows IoT Core devices, but as we are exploring new devices all the time, we are curious- do the Windows agents and Linux agents have feature parity?
  • How do we configure IoT Hub to enable the additional security capabilities?
  • How are security agents installed on the devices? Do we have to install the agents one by one or are there ways for us to deploy at scale? Can we turn the device agent off, such as when we need to perform maintenance on the device?
  • How do we configure a security module on our IoT Edge device?
  • How does my solution architecture change if I use multiple different IoT Hubs instead of one central IoT Hub?
  • For the security solution you recommend, are there communication protocols are we required to use for the devices and for IoT Edge devices?
  • We understand now that Azure Security Center for IoT provides the capabilities to secure solutions around a single IoT Hub. If we want to roll this security info up to a higher, enterprise wide view across other IoT Hub solutions, or to include non-IoT solutions in a unified security information and event management solution or leverage security orchestration and automated response at this higher level, what other Azure service should we consider and how at a high level would we configure it to consume the events from ASC for IoT?

Hands-on lab

In this hands-on lab, you will look at the process for implementing a oil and gas manufacturing IoT solution that is secured end-to-end following best practices. You will learn how how to monitor and manage the security of all components in the solution.

Outline: Hands-on lab exercises

  • Exercise 0: Before the hands-on lab
  • Exercise 1: Secure IoT Hub
  • Exercise 2: Secure Device
  • Exercise 3: Secure IoT Edge
  • Exercise 4: Send custom security events
  • Exercise 5: Query and monitor events, alerts and recommendations
  • Exercise 6: Simulate an attack and perform threat mitigation

Azure services and related products

  • Azure Security Center (including ASC for IoT)
  • Log Analytics
  • Azure IoT Provisioning Service
  • Azure IoT Edge
  • Azure IoT Hub

Related references

mcw-securing-the-iot-end-to-end's People

Contributors

givenscj avatar zoinertejada avatar

Stargazers

avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

mrfalafel pietrobr dawnmariedesjardins digitalarche llenroc mallik-g samratbhatnagar direkshan-digital arjuntsr

mcw-securing-the-iot-end-to-end's Issues

tpm var is emtpy

Hi I'm following the HOL,

after running

tpm=$(sudo find /sys -name dev -print | fgrep tpm | sed 's/.{4}$//')

if I print out the variable , like echo $tpm, I get an empty line, I'm not sure if it's ok, but then after

sudo systemctl status iotedge the service failed to start, so runing

sudo journalctl -u iotedge I get those errors

Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: 2019-06-12T09:12:51Z [ERR!] - The daemon could not start up successfully: Could not initialize DPS provisioning client
Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: 2019-06-12T09:12:51Z [ERR!] - caused by: HSM API returned an invalid null response
Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: Error: Time:Wed Jun 12 09:12:51 2019 File:/home/vsts/work/1/s/edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/src/tpm_comm_linux.c Func:tpm_usermode
Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: Error: Time:Wed Jun 12 09:12:51 2019 File:/home/vsts/work/1/s/edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/src/tpm_comm_linux.c Func:tpm_comm_cre
Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: Error: Time:Wed Jun 12 09:12:51 2019 File:/home/vsts/work/1/s/edgelet/hsm-sys/azure-iot-hsm-c/deps/utpm/src/tpm_codec.c Func:Initialize_TPM_Co
Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: 2019-06-12T09:12:51Z [ERR!] (/home/vsts/work/1/s/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_tpm_device.c:initialize_tpm_device:272) Failur
Jun 12 09:12:51 oilwells-edgevm-pietro iotedged[3333]: 2019-06-12T09:12:51Z [ERR!] (/home/vsts/work/1/s/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_tpm_device.c:hsm_client_tpm_create:305) Failur
Jun 12 09:12:51 oilwells-edgevm-pietro systemd[1]: iotedge.service: Main process exited, code=exited, status=1/FAILURE

SME Review - Securing IoT (Kalyan B)

Great first draft. Few points to note:

  1. The title of workshop should have something around "Designing a secure IoT architecture for or " to align to the planned customer outcomes
  2. Azure IoT Sphere is a key security solution for device end points that plays into IoT scenarios (Starbucks case that Satya presented) is missing here. Worth considering as an addition to the scenario basically to cover Device, Cloud (ASC) and Cloud to Device (IoT Hub etc.)
  3. I think you mean this but we should make it clear that the key message is "IoT Security" is integral part of Architecture design vs. stand alone activity.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.