The complexity of things – the things within things – just seems to be endless. I mean nothing is easy, nothing is simple.—Alice Munro1
Introduction
Historical Background to IoT
IoT Ecosystem
Connectivity Technology
Messaging Technology
Platform Technology
Elements of an IoT System
IoT Device
IoT Device Architectural Goals
Interoperability
Security
IoT Network
IoT System Management
Device Lifecycle
Manufacturing
Supply Chain
Deployment
Normal Operation and Monitoring
Manage
Update
Decommissioning
IoT Framework
IoT Framework Design Goals
IoT Data Model and System Abstractions
{
"tempSensor" = "/myTempSensor",
{
"currTemp"="85",
"aveTemp"="70",
"degrees"="Centigrade"
}
}
{
"nodeType"="myDeviceType",
"deviceID"="<UUID>",
{
"tempSensor" = "/myTempSensor",
"ptzCamera" = "/myPtzCamera",
"lightBulb" = "/myLight"
}
}
IoT Node
-
They may expose multiple nodes per framework to give the appearance of many nodes having the same IP address.
-
They may consolidate multiple network addresses terminating into a common framework node.
-
They may host services and capabilities that are dynamic – being created and deleted according to RESTful messages.
-
They may impose system partitioning semantics such as dividing nodes into domains, groups, rooms, or some other semantic overlay.
IoT Operations Abstraction
-
Consulting a directory of framework devices to learn device identities and how to connect – conceptually similar to LDAP (Lightweight Directory Access Protocol) commonly used by PCs in IT networks to accomplish a similar objective
-
Inspecting a schema describing interfaces to learn which REST, publish/subscribe, and asynchronous notification messages can be used
-
Querying the device directly to introspect its current state and configuration
-
Preparing a message body whose syntax satisfies a recognized (standardized) data model schema
-
Protecting the message using the appropriate security credentials
-
Sending the message following the interface definition schema for the target node
-
Collecting and processing the response message that similarly follows these conventions
-
Identifying objects and attributes available for participating in asynchronous events and conditions to be met that result in notifications.
-
Preparing and sending a registration/subscription message following messaging exchange conventions.
-
Maintaining context for processing asynchronous notifications.
-
Nodes managing registrations/subscriptions must maintain context for secure delivery of the notification message(s) potentially involving many subscribers. Asynchronous message delivery may involve different security associations and context from those used to process registrations/subscriptions.
Connectivity Elements
-
Connectivity: Framework endpoint abstractions are mapped to network layer addresses and protocols where framework message exchange abstractions map to protocol specifics such as MTU (Maximum Transmission Unit) framing, multicasting, broadcasting, and packet delivery mechanisms.
-
Gatewaying: Framework domain abstractions impose operational context for domain-specific filtering (hiding) traffic and performance of administrative duties.
-
Bridging: Due to the proliferation of framework solutions, it is often necessary to translate from one framework environment to another. Framework bridging may have side effects where objects, interfaces, or semantics in one environment don’t exactly translate to a second.
Manageability Elements
Security Elements
Consider the Cost of Cryptography
Criteria | Symmetric (Preshared Secrets) | Asymmetric (Raw Public/Private Keys) | Asymmetric (Certified Public/Private Keys) |
---|---|---|---|
Hardware Acceleration
| Not Required | Required | Required |
Memory Size
| Small | Medium | Large (certificates) |
Code Size
| Small | Medium | Large (certificate parsing) |
Message Size
| Small | Medium | Large (certificates) |
Persistent Storage Size
| Small–Medium (depends on network size) | Medium–Large (depends on network size) | Medium (depends on caching algorithms) |
Security – Perfect Forward Secrecy (PFS)
| No | Yes | Yes |
Security – Impersonation Risk
| High (keys are shared, no detection of misuse, no common trusted infrastructure, depends on secure storage) | Medium (no common trusted infrastructure, depends on secure storage) | Low (depends on secure storage) |
Constrained Environment
| Optimized for Verification (benefits constrained servers) | Balanced | Optimized for Signing (benefits constrained clients) |
Scalability (number of nodes interacting)
| Low | Medium | High |
Summary IoT Framework Considerations
IoT Framework Architecture
Data Object Layer
Node Interaction Layer
Platform Abstraction Layer
Platform Layer
Security Challenges with IoT Frameworks
Consumer IoT Framework Standards
Open Connectivity Foundation (OCF)
https://iotivity.org/downloads
) may offer guidance. Support for various wired and wireless transports in IoTivity continues to grow. At the time of this writing, there was support for CoAP (UDP) over IPv4, IPv6, Ethernet, Wi-Fi, and Bluetooth LE. At the time of this writing, an Object Security for Constrained RESTful Environments (OSCORE) draft specification22 defines a REST message binding to CoAP and HTTP. OSCORE supports connections originating in IoT networks based on a UDP transport that terminates in cloud services environments or remote access gateways that are based on a TCP transport.OCF Core Framework Layer
"oic.r.switch.binary": {
"type": "object",
"properties": {
"value": {
"type": "boolean",
"description": "Status of the switch"
}
}
}
get:
responses :
200: body:
application/json:
schema: |
{ }
Resource Name | Description | Functional Area |
---|---|---|
/oic/res
| A resource that lists all discoverable resources known to the current network | Discovery |
/oic/p
| A resource that reveals details about the platform that hosts the OCF device | Discovery |
/oic/rts
| A resource that lists the resource type information for all discoverable resources | Discovery |
/oic/ifs
| A resource that lists the resource interface information for all discoverable resources | Discovery |
/oic/mon
| A resource that reveals observable resources | Device Management |
/oic/sec/cred
| A resource that lists the credentials this device has configured | Security Management |
/oic/sec/acl2
| A resource that lists the access control restrictions for this device | Security Management |
/oic/sec/dots
| A resource that facilitates device onboarding | Device and Security Management |
/oic/p {
"rt": "oic.wk.p",
"if": ["oic.if.r"],
"pi": "ABCD123...", //platform identifier UUID
"mnmn": "acme.org", //platform manufacturer
"mnmo": "widget X", //platform model number
"mnpv": "v1.0", //platform version number
}
{
"anchor": "/my/room/1", //the Context
"rel": "contains", //the Relation
"href": "/the/light/1", //the Target
"rt": "acme.light", //the resource type
"if": "oic.if.a" //the interface type
}
/my/room/1 {
"rt": "acme.room",
"if": ["oic.if.r", "oic.if.rw"],
"color": "blue",
"dimension": "15bx15wx10h",
"links": [
{"href":"/the/light/1", "rel":"contains", "rt":"acme.light", "if":["oic.if.a", "oic.if.baseline"]},
{"href":"/the/light/2", "rel":"contains", "rt"="mycorp.light", "if":["oic.if.s" , "oic.if.baseline"]},
{"href":"/the/fan/1", "rel":"contains", "rt":"hiscorp.fan", "if":["oic.if.baseline"]}
]
}
OCF Profiles Framework Layer
The OCF Device Abstraction
OCF Security
/oic/sec/acl2 {
"aclist2": [
"subject": ...,
"resources": [...],
"permission": CRUDN,
"validity": ...,
"aceid": INTEGER
]
}
-
RESET: Device transitions to its default state prior to onboarding.
-
RFOTM: Device transitions to a state ready for onboarding into a new network.
-
RFPRO: Device transitions to a state ready for provisioning resources.
-
RFNOP: Device transitions to a state suitable for normal operations.
-
SRESET: Device transitions to a state subsequent to onboarding, but where the device may be recommissioned or reconfigured with other options normally established only at onboarding.
AllSeen Alliance/AllJoyn
-
Org.freedesktop.DBus.Peer is used to determine if a peer is alive.
-
Org.freedesktop.DBus.Introspectable is used to obtain an XML description of the interfaces, methods, and signals the device implements.
-
Org.freedesktop.DBus.Properties is used to expose native properties and attributes of connected devices or to simulate them if they don’t exist.
-
Org.freedesktop.DBus.ObjectManager is used to query subobjects under its path when device objects are organized hierarchically.
AllJoyn Security
Universal Plug and Play
-
Vendor-specific details include manufacturer name, model, version, serial number, and URLs to vendor-specific web sites.
-
Service details include URLs for control, event notification, and service description. Service commands and their parameters are detailed.
-
Variables that describe Runtime state are described in terms of data type, expected range, and event characteristics.
UPnP Security
-
ReadSensor: Control points can issue ReadSensor() actions to sensor objects.
-
WriteSensor: Control points can issue WriteSensor() actions to sensor objects.
-
ConnectSensor: Control points can issue ConnectSensor() and DisconnectSensor() actions to sensor objects.
-
CommandSensor: Control points can modify IoTManagementAndControl properties in the data model (which is a data repository object).
-
ViewSensor: Control points can read IoTManagementAndControl properties in the data model.
-
Admin: Role can read, write, connect, command, or view any sensor object.
-
Public: Role can read or write specific sensor objects (e.g., those supporting the Public role).
-
Basic: Role can read or write specific sensor objects (e.g., those supporting the Basic role).
Lightweight Machine 2 Machine (LWM2M)
LWM2M Architecture
-
/ <ObjectID> / <ObjectInstanceID> / <ResourceID>
LWM2M Device Management
-
Bootstrapping: Configures symmetric secrets, raw public keys, and certificates clients and service will use to establish DTLS sessions. LWM2M Services may be configured. Access control lists may also be configured.
-
Remote Management: Updates operational settings as defined by device profiles. Triggers for controlling actuation may also be configured or reset as part of normal operation.
-
Firmware Update: Client nodes report firmware version and firmware packages can be installed through the firmware update object.
-
Fault Management: Device errors can be exposed through the fault reporting objects. These may be viewed by other nodes querying operational status.
-
Reporting: Notification of changing sensor values can be configured for multiple recipients. Status of the notification can be monitored and configuration changes applied when needed.
LWM2M Security
One Machine to Machine (OneM2M)
-
Application and service layer management (ASM): The ASM function manages all entities hosted by any node excluding NoDN nodes. Management functions consist of two categories: (1) configuration functions and (2) software management functions. Configuration CRUDN functions expose resources used to manage entities, while software management functions are concerned with managing software and related artifacts associated with a software lifecycle.
-
Communication management and (message) delivery handling: These functions manage delivery, temporary storage, and caching of messages. It also manages policies related to configuration and tuning of message delivery infrastructure.
-
Data management and repository handling: These functions manage data repositories. They are concerned with the collection, aggregation, mediation, storage, and preparation for analytics and semantic processing.
-
Device management: These functions address device management capabilities associated with OneM2M nodes and can use existing IoT device management frameworks such as TR-069 and LWM2M or may define new functions. Device management functions translate data, protocol, and semantics from one management node to another using a Management adapter module. Management gateways, proxies, and bridging functions fall within the scope of device management functions. Device management functions perform device configuration, device diagnostics, monitoring, firmware management, and topology management.
-
Discovery: Nodes, resources, and attributes can be discovered using a discovery CSF. Typically, the invoker supplies a query value that selects a subset of available possible matches. Filter criteria are expressed in terms of identifiers, keywords, location, and other semantic information.
-
Group management: Nodes can be organized into groups. The group management CSF must validate group membership and whether the group member is capable of performing functions meaningful to the group. Groups are used to coordinate publication, broadcasts, or multicasts to multiple nodes and to define roles for access control.
-
Location: The location CSF senses and publishes location information for the node. Location coordinates can be more than latitude-longitude coordinates but require knowledge of location extension semantics.
-
Network service exposure: The network service exposure, service execution, and triggering (NSSE) CSF manages exposure of underlying networks and communication layers through Mcn reference points and NSE modules.
-
Registration: Entity services must register with a registrar CSF in order to make their services available for use. The registration CSF supplies a requestor with the node identifier where the service can be reached, a schedule for when it can be reached, and details for accessing the service.
-
Security: The security CSF handles identity management, access control, authorization, authentication, security associations, data confidentiality, data integrity, and security system management. Access control list subjects can group nodes that enforce read or write permissions. ACLs are associated with resources, entities, and repositories. Access control can be applied to discovery resources but requires subject authentication and authorization – though an “anonymous” group could be defined that corresponds to an ACL entry matching unauthenticated subjects.
-
Service charging and accounting: The SCA CSF manages telemetry generation and collection used to charge for services, events, information, and real-time credit control.
-
Subscription and notification: The subscription CSF manages subscription operations and notification message delivery to subscribers when the subscription condition is met. Subscriptions are registered with a resource or group of resources following an access control check. Changes to resources are tracked at attribute granularity. Changes to subresources are also tracked but not attributes of subresources.
OneM2M Security
Industrial IoT Framework Standards
Industrial Internet of Things Consortium (IIC) and OpenFog Consortium
-
Business viewpoint: Identifies stakeholders, business objectives, values, vision, and related regulatory context and comprehends business-oriented concerns.
-
Usage viewpoint: Represents the activities, sequences, and functionality involving human or logical users. It ultimately establishes whether the IIS achieves value from the user’s perspective.
-
Functional viewpoint: Identifies functional components, structures, interfaces, interactions, and relationships. It considers trade-offs associated with the interests of systems architects, component architects, developers, and integrators.
-
Implementation viewpoint: Considers challenges and implications of functional components, their communication, and lifecycle procedures and dependencies.
Open Platform Communications-Unified Architecture (OPC-UA)
OPC-UA Framework Architecture
OPC-UA Security
Data Distribution Service (DDS)
-
Domains (Figure 2-28): Define a global context in which data, data readers, and data writers have ubiquitous access. The domain defines the naming scope for identifiers. Cross-domain interactions may require disambiguation using a domain identity.×
-
Topics (Figure 2-28): Are objects that conceptually fit between data writers and data readers. They define the context in which publish-subscribe interactions may take place. Topic names are unambiguous within the domain and contain a type and QoS component (Figure 2-29). Type and QoS attributes apply to the data referenced via the topic context. QoS attributes are themselves DDS Topics. Topics allow expression of both functional and nonfunctional information.×
-
Data Writers: Correspond to publishers of a publish-subscribe interaction pattern and must create a Publisher instance object in order to accept subscribers or to prepare and publish data. Data writers communicate data to its publisher to initiate a publication.
-
Data Readers: Correspond to the subscribers of a publish-subscribe interaction pattern and must create a Subscriber instance object in order to register to receive publications. Data readers communicate interest in a topic to initiate subscription registration.
-
USER_DATA: Allows the application to attach additional information to the data object so that remote entities can obtain additional context that relates to application-specific purposes. This aids in refining discovery queries and allows selection of appropriate security credentials or enforcement of application-specific security policies.
-
TOPIC_DATA: Allows the application to attach additional information to the topic object to facilitate discovery for application-specific purposes.
-
GROUP_DATA: Allows the application to attach additional information to the Publisher or Subscriber entity so that application-specific policies may regulate the way data reader listeners and data writer listeners behave.
-
DURABILITY: Allows data to be read or written even when there are no current subscribers or publishers. Multiple degrees of data volatility can be defined.
-
DURABILITY_SERVICE: Allows configuration of a service that implements durability attributes.
-
PRESENTATION: Controls the scope of access given various data interdependencies. Coherent_access controls whether the service will preserve groupings of changes made by a publisher. Ordered_access controls whether the service will preserve the order of changes. Access_scope controls the scope of access in terms of data instance, topic, or group.
-
DEADLINE: Controls the interval in which a topic is expected to be updated. Publishers must supply updates within the deadline interval, and subscribers can set a timer to check for most recent updates based on the interval.
-
LATENCY_BUDGET: Allows applications to specify the urgency of the message by specifying a latency duration.
-
OWNERSHIP: Controls how data writer objects interact with published data. Shared access means multiple writers can update the data item. Exclusive access means only one writer can update it. SHARED-EXCLUSIVE means multiple updaters coordinate their updates.
-
LIVELINESS: Controls mechanisms for determining if network entities are still “alive.”
-
TIME_BASED_FILTER: Allows data readers to see at most one change to a topic at a minimum periodicity.
-
PARTITION: Allows a logical partition inside a “physical” partition. Physical partitioning may have safety and security benefits, while logical partitions may have performance benefits.
-
RELIABILITY: Allows reliability to be defined in terms of levels, BEST_EFFORT being the lowest and RELIABLE being the highest.
-
TRANSPORT_PRIORITY: Allows alignment with transport layer QoS capabilities.
-
LIFESPAN: Allows specification of when a data value becomes stale.
-
DESTINATION_ORDER: Controls how each subscriber resolves the final value of the data instance when written by multiple writers.
-
HISTORY: Controls when data instance changes before it is communicated to data readers. KEEP_LAST means the server keeps the most recent update. KEEP_ALL means the server will attempt to deliver all instances of changed data.
-
RESOURCE_LIMITS: Controls how many resources can be applied to achieve quality of service objectives.
-
ENTITY_FACTORY: Controls the flexibility of nodes in their ability to replicate or produce additional entity instances.
-
DATA_LIFECYCLE: Controls how persistent or temporal data are relative to the availability of either the data writer or data reader.
DDS Framework Architecture
-
Applications can autonomously and asynchronously read and write data that is decoupled spatially and temporally.
-
DDS data is loosely coupled due to virtualized data spaces that are designed for scalability, fault tolerance, and heterogeneity.
-
As with all distributed systems, the data model must consider a data consistency model. DDS defines data spaces that tolerate inconsistent data but eventually becomes consistent. Data readers will eventually see a write but may not observe it at the same time.
-
DDS discovery model isolates discovery from network topology and connectivity details so that applications may focus on data objects that are most relevant to application objectives.
-
The DDS data model allows location transparency since topics, data readers, and data writers are conceptually separated from the underlying physical devices and network nodes. Integration across Cloud, enterprise, plant and mission control, shop floor, or device networks doesn’t require redefinition of data syntax and semantics.
-
DDS data spaces (aka domains) are decentralized. A DDS system may host multiple data spaces that involve readers and writers from any data space. There is no central point of failure.
-
Connectivity among DDS entities is adaptive, meaning connections can be established and torn down dynamically. The underlying communications infrastructure can optimize for the most efficient data sharing approach.
DDS Security
Security Enveloping
Security Tokens
-
Discovery tokens: Facilitate establishment of security contexts for subsequent secure interactions. The IdentityToken contains summary information of a domain participant in a manner that can be externalized and propagated using DDS discovery. The IdentityStatusToken contains authentication information of a domain participant in a manner that can be externalized and propagated securely. The PermissionsToken contains summary information on the permissions for a domain participant in a manner that can be externalized and propagated over DDS discovery.
-
Permissions tokens: The PermissionsCredentialToken encodes the permissions and access information for a domain participant in a manner that can be externalized and sent over a network. It is used by the access control plugin which manages domain access and specific reader-writer interactions.
-
Message tokens: The CryptoToken contains all the information necessary to construct a set of keys to be used to encrypt and/or sign plain text transforming it into ciphertext or to reverse those operations. The MessageToken is a superclass of several message tokens used to maintain security context when multiple message exchanges are required such as authentication and key exchange protocols.
Security Plugin Modules
-
Authentication plugin: The principal joining a DDS domain must authenticate to a domain controller, and peer DDS participants may be required to perform mutual authentication and establish shared secrets.
-
Access control plugin: Decides whether a principal is allowed to perform a protected operation.
-
Cryptography plugin: Generates keys and performs key exchange, encryption, and decryption operations. Computes digests and verifies message authentication codes. Signs and verifies signatures on messages.
-
Logging plugin: Logs all security relevant events.
-
Data tagging plugin: Adds data tags for each data sample.
Framework Gateways
Framework Gateway Architecture
Type I Framework Gateway
Type II Framework Gateway
Type III Framework Gateway
Type IV Framework Gateway
Security Considerations for Framework Gateways
-
Authenticate endpoints to the gateway and gateway to the endpoints.
-
Authenticate endpoints from a foreign domain to endpoints in the local domain. This may require creation of a virtual endpoint on the gateway device if interior endpoints can’t support the needed security capabilities.
-
Integrity and confidentiality protect messages passing through the gateway. The gateway may need to decrypt then re-encrypt using native domain’s recognized security associations, security algorithms, and protocols. On rare occasion domains have all these security elements in common.
-
Authorize access to objects in a local domain by endpoints from a peer domain.
-
Inspect and log activity between the domains.
-
Establish endpoint credentials in the peer network environment. Different domains may have dissimilar security services for authentication, authorization, and key management. The gateway may be required to host security services on behalf of a local domain so that a peer domain can utilize its chosen set of security services.
-
Perform data structure translation and protocol mapping functions previously described. Modification to data objects and protocol message that are integrity and confidentiality protected necessarily implies the gateway is authorized and trusted to perform these transformations.