Post on 20-May-2020
ds2os.org/
Distributed Smart Space Orchestration System
Securing the Internet of Things
Marc-Oliver Pahl (TUM) | s2labs.org | pahl@tum.de
Why do we need a secure IIoT?
User (un)aware monitoring
Photo courtesy Universal Robots A/S
What? How often? Weight? Preferences? Who? Where? With whom? When? @work
Photo: Steve Jurvetson (Flickr) https://www.flickr.com/photos/jurvetson/7408451314
Security Challenges include
Privacy
Reliability
How can we achieve a secure IIoT?
The usual suspects
• Authentication
• Authorization
• Confidentiality
(Figure: Entities (Devices, Services, Users), Links, Data)
Why is it challenging?
Heterogeneity
Image Source: Prashant Sharma, Microsoft Ventures | https://www.microsoftventures.com/blog/entry/InternetofThings101UnderstandingtheBuildingBlocksoftheConnectedWorld%7C1064
Complexity
Flickr | Mark Skipper | https://www.flickr.com/photos/bitterjug/7670055210
Whom to trust?
• Hardware?
• Software Services?
• My answer: no-one but the components you design as enabler for the IoT: MIDDLEWARE.
Security-by-Design
Data Centric IoT
(Figure: a Smart Space with a Knowledge Agent holding a Context Repository and a Context Manager; Adaptation services bridge heterogeneous Sensor and Actuator devices (Bidirectional Adaptation); Services and UI Services, People and Interface Devices sit on top. Layers from bottom to top: Physical World, Devices, Services, Context, i.e. Heterogeneous Smart Devices, Context Management in the Virtual State Layer, Orchestration Workflows, etc.)
Data Centric IoT
(Figure: the same architecture with the VSL Knowledge Agent holding a Knowledge Repository and Knowledge Manager; Adaptation services and Services access virtual nodes through the primitives get, set, subscribe and notify. The level of abstraction rises from Physical World over Devices and Services to Context.)
A Data Centric IoT needs autonomous management!
(Figure: Data, Entity Management, Managed Entities, Comprehensive Management, User Interfaces)
The Virtual State Layer
(Figure: Services (Knowledge Agent, Gateway, Advanced Reasoning, Orchestration, User Interface, ...) on the VSL Overlay with Logical Connectivity; Gateway Services and Other Services; the Hardware Underlay with Physical Connectivity to Sensors and Actuators. Scopes: DS2OS Site Local and Global, with a Central Model Repository and an App Store.)
(Figure: the Managed IoT Space)
1. Smart IoT Devices
2a. (Adaptation) Services
2b. (Orchestration) Services
3. VSL: Virtual Objects
4. Central Model Repository: Data Models (Global Repository)
5. host
How to achieve Security-by-Design?
Two approaches
1. Handling security in the middle in a non-circumventable way
2. Retrofitting Security
For me everything is a service
• Development
• Distribution
• Configuration
• Deployment
• Update
“Crowdsourced” Development
(Figure: Developers publish to a Store on the Internet; Users run IoT spaces at the Edge.)
1. Handling security in the middle in a non-circumventable way
Distributed Smart Space Orchestration System
(Figure: a Global µService Store holding µService Packages (executable + manifest) and a Context Model Repo holding Context Models (Data Models); the IoT Smart Space consists of Computing Nodes that run Knowledge Agents (KA), µServices (µS) with their config, the VSL Middleware and its Middleware Interface. *LSM = {Site,Node}-Local Service Manager, i.e. SLSM and NLSM.)
Distributed Smart Space Orchestration System
(Figure: the store holds service packages (metadata, executable, cert); each IoT Site runs a Site-Local Certificate Authority (SLCA) under a global CA cert; Knowledge Agents (KA), services (svc), SLSM and NLSM on each Computing Node hold their own certs and talk over the VSL Middleware and its Middleware Interface. A Service Certificate consists of the public certificate, a Private Key and a Signature. *LSM = {Site,Node}-Local Service Manager.)
Distributed Revocation via Short-Lifetime Certificates and Fully Automated Renewal
(Plot: Average Traffic (Bytes/s), 0 to 550, over Certificate Lifetime (seconds), 0 to 20000)
Costs: Energy
(Plot: Input Current (A), 0.25 to 0.6, and CPU Usage (%), 0 to 40, over Time, 00:00 to 30:00)
2. Retrofitting Security
Approach in a
• Blackbox assumption
• Passive traffic monitoring
• Behavior modeling
• Anomaly detection
• Firewalling
Approach
(Figure: an IoT Site of Raspberry Pi 3 Model B nodes (board image © Raspberry Pi 2015), each running µServices on a Service Runtime Environment over the VSL Middleware with an Inter-Node Comm. Interface; a Service Communication Monitor, Analyzer, and Firewall observes the µServices, a µS Model Federation Service shares models, and a µService Store distributes the services.)
Who talks to whom?
(Plot: Number of edges and Number of vertices, 0 to 15, over Time (m), 0 to 14; marked phases: First learning phase, Learning phase at the addition of services, Anomalous behavior needing user)
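The learning-phase and anomaly idea shown in the plot, as an added Python example that is not code from the DS2OS project: a directed service-communication graph is learnt from passively observed messages, a fresh learning phase opens when an unknown service appears, and a message on an edge outside the learnt graph is reported as an anomaly for the firewall to handle. Service names, timings and the record format are constructed.

```python
# Added example (not DS2OS code): "who talks to whom" behaviour modelling.
# Traffic between microservices is observed passively (blackbox assumption);
# the learnt communication graph is the behaviour model, deviations are anomalies.
from collections import defaultdict

# Constructed observations: (time in minutes, source service, destination service, operation)
TRAFFIC = [
    (0.5, "washing_machine", "battery1", "get"),
    (1.0, "washing_machine", "thermometer", "get"),
    (1.5, "ui", "washing_machine", "set"),
    (2.0, "washing_machine", "battery1", "set"),
    (6.0, "washing_machine", "battery1", "get"),   # matches the learnt graph
    (7.0, "washing_machine", "ui", "get"),         # edge never seen during learning
    (9.0, "light", "thermometer", "get"),          # new service appears: relearn
]

class CommunicationGraph:
    def __init__(self, learning_minutes=5.0):
        self.learning_minutes = learning_minutes
        self.learn_until = learning_minutes          # first learning phase ends here
        self.vertices = set()                        # services seen
        self.edges = defaultdict(set)                # (src, dst) -> operations seen

    def vertex_count(self):
        return len(self.vertices)

    def edge_count(self):
        return len(self.edges)

    def observe(self, t, src, dst, op):
        """Classify one message as 'learned', 'normal' or 'anomaly'."""
        if (src not in self.vertices or dst not in self.vertices) and t >= self.learn_until:
            # A service was added: open a learning phase for it (the second
            # learning phase in the plot). Caveat: unrelated new edges seen in
            # this window are learnt as well, so keep the window short.
            self.learn_until = t + self.learning_minutes
        if t < self.learn_until:
            self.vertices.update((src, dst))
            self.edges[(src, dst)].add(op)
            return "learned"
        if op in self.edges.get((src, dst), set()):
            return "normal"
        return "anomaly"   # firewall blocks the flow and asks the user

def run(traffic=TRAFFIC):
    """Replay the constructed traffic; return the graph and per-message verdicts."""
    g = CommunicationGraph()
    verdicts = [(src, dst, op, g.observe(t, src, dst, op)) for t, src, dst, op in traffic]
    return g, verdicts
```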
Clustering Periodicities
(Plot: Outgoing traffic from a washing machine service, packet arrival over time (s), -20 to 5; series: Write to battery1, Read to battery1, Write to battery2, Read to battery2, Read to thermometer, Read to movement. Sub-plots of inter-arrival duration (s) over time (s): Battery read, Battery write, Thermometer write, Movement write, All the traffic.)
Quality
(Plot: Classification errors over time; Number of classification errors, 0 to 350, and Total number of packets, 0 to 349000, over Time in hours, 0 to 20; series: False Positive, False Negative, Total number of packets; annotated events: DoS attack, service update, DoS attack, anomaly value too low)
Summary
Distributed Smart Space Orchestration System
(Architecture figure as shown above: µService Store, Context Model Repo, IoT Smart Space with Computing Nodes running Knowledge Agents, µServices, SLSM/NLSM and the VSL Middleware.)