7026CEM

Security of Emerging
Connected Systems
Dr. Basil Elmasri Dr. James Shuttleworth
[email protected] & [email protected]
Module Intended Learning Outcomes (MILO)
1. Critically evaluate the role of a security policy for protecting information
assets and be able to propose appropriate security policies to defend
those assets based on an understanding of security concepts and their
application to internet-based technologies.
2. Demonstrate a sound understanding of the key legislation that relates
to information security and how it influences the security policy of an
organisation.
3. Propose and implement effective ‘defence-in-depth’ solutions to
mitigate the key technical internet security vulnerabilities that
organisations face.
4. Design and implement secure private networks for the Internet of
Things (IoT) and Bring Your Own Device (BYOD).
5. Discuss and debate a wide range of current research and technological
advances in network security.
30 March 2020 7026CEM - Dr. Basil Elmasri 2
Assessment
• The 7026CEM is a 15 credit module.
• There are two components to the assessment: Coursework 1 and 2.
• The pass requirement for the module is 40% in each component.
• Coursework 1 is a short (≈ 1500 words) report on the legal and policy
aspects of a given scenario, drawn from current cases.
• Typically, students will be asked to evaluate the legal context of a
product or service, the agreements between the vendor and client, and
the requirements for internal policy it is likely to present.
• This coursework assesses outcomes 1 and 2.
• Coursework 1 is worth 5 of the 15 assessment credits for the module.

30 March 2020 7026CEM - Dr. Basil Elmasri 3

Assessment (cont.)
• Coursework 2 is a security evaluation (≈ 2500) words, excluding the
associated diagrams, screenshots, tables, code, etc.) of a given IoT
system.
• Students will be given access to a system of multiple components, in
an in-development stage, for which they will be asked to advise the
developer on technical matters relating to security, reporting in a
“PenTest" style as is typical in industry.
• This coursework assesses outcomes 3, 4 and 5.
• Coursework 2 is worth 10 of the 15 assessment credits for the module,
the final module mark is calculated as:
CW1 + 2×CW2
3
30 March 2020 7026CEM - Dr. Basil Elmasri 4
Coursework details
• Submission: All coursework will be submitted through the moodle web
for the module and evaluated for similarity with other sources using
TurnitIn.
• Feedback: module tutors will aim to have feedback and provisional
marks returned to students around two weeks after the submission
deadline. This may be extended if students are awarded deferrals.
o Please note, this might change due to the current COVID-19 situation.
• Assessment schedule
o CW 1 and CW 2 are available to student on Monday, 30th of March, 2020
o Deadline is on 18:00:00, on Friday, 17th of April 1st of May, 2020.
- Due to the current COVID-19 circumstances, deadline was extended 14 days.

30 March 2020 7026CEM - Dr. Basil Elmasri 5

Introduction
• What is the meaning of these terms:
o IoT?
o IIoT?
o Industry 4.0?
o Industrial Internet?
• What is the meaning of Emerging technologies?
• How IoT devices interact with the web?
• What is critical to most IoT devices?
o Possibly just to pull data?
o Possibly to send data back into a larger model to be used later and possibly by
other IoT devices?
o Possibly because the digital twin is not inside the device itself, but in “the
cloud”? What is digital twin?
30 March 2020 7026CEM - Dr. Basil Elmasri 6
The Internet of Things (IoT)
•A term that describes all computing machines, software services,
billions of personal and professional devices, sensors and actuators,
robots, smart and digitised objects, connecting to the Internet via the
computer networks and the Internet Protocol (IP).
• Some open source software projects for IoT on linux.com/news/21-
open-source-projects-iot, with variety of technologies.
• This is leading to a knowledge-driven society, which demands
specialised engines for producing self-managing systems.
• Cognition-enabled machines and expert systems will become casual
and compact companions. A growing array of smarter systems will
surround, support, and sustain human’s daily life.
• Raman, Anupama C., 2017, The Internet of things: enabling
technologies, platforms, and use cases. Taylor & Francis, CRC Press.
30 March 2020 7026CEM - Dr. Basil Elmasri 7
What is the IoT?
• Smart Devices: incorporating some degree of intelligence through
embedded systems. Still this is not enough to be “IoT”.
• Smart devices connected to each other or external service through a
network, e.g. home Wi-Fi, Global System for Mobile Communications
(GSM). Still not “IoT”.
• IoT: the extension of the known internet into the smart connected
devices, or the “things”.
• Who is it for? Generally everyone, but with a range of models and
ideologies. Examples on commerce processes:
o Business to Consumer (B2C)
- Digitising traditional way of trading products and services, and develop new methods.
o Business to Business (B2B)

30 March 2020 7026CEM - Dr. Basil Elmasri 8

Abstract Architectures
• Model and interface: a “model of the world”.
• The ways in which that model can be used, linked to the IoT device's
input and output.
• Hardware Defined Product (HDP): the actual physical device.
• Software Defined Product (SDP): the digital twin – software that’s
usually embedded in the physical device.
• External entities and network (external/net): the local network, back-
end services, public data, etc.
• See the presentation in:
o https://californiaconsultants.org/wp-content/uploads/2017/02/CNSV-1703-
Sinclair.pdf

30 March 2020 7026CEM - Dr. Basil Elmasri 9

Component view
• Physical Objects
• Sensors
• Actuators
• Virtual Objects
• People
• Services
• Platforms
• Networks
• Check the IEEE Computer Society on:
o https://www.computer.org/web/sensing-
iot/content?g=53926943&type=article&urlTitle=what-are-the-components-of-iot-
30 March 2020 7026CEM - Dr. Basil Elmasri 10
Industrial Internet–IIoT–Industry 4.0–I4.0–CPS
• Industrial Internet, Industry 4.0, I4.0, Industrial Internet of Things
(IIoT), Cyber-physical Systems (CPS).
• Practical difference to IoT: data produced by the devices is a greater
proportion than in IoT.
• IoT when the “T for Things” are manufacturing machinery.
• Industry 4.0: the fourth industrial revolution, following the previous
three industrial revolutions.
o 1st, began in Great Britain, new manufacturing processes in Europe and the US,
in the period from about mid 1700s to mid1800s.
o 2nd, 1870 – 1914 , rapid industrial development, mainly in UK, Germany and
US, other European countries and Japan. Electricity, telephones, Iron, etc.
o 3rd, Digital Revolution, late 1950s to the late 1970s, and continuing for later
decades. Digitising mechanical and analogue technologies. Microprocessors,
computers, the Internet.

30 March 2020 7026CEM - Dr. Basil Elmasri 11

Industrial Internet–IIoT–Industry 4.0–I4.0–CPS
• Moving traditional manufacturing to IoT-style connectedness, often skipping
the stages consumer devices went through
• Cyber-physical Systems (CPS) integration of computation with physical
processes whose behaviour is defined by both cyber and physical parts of
the system.
• Better visibility and insight into organisations’ operations and assets through
integration of machine sensors, middleware, software, and backend cloud,
and storage systems.
• Providing methods of transforming business operational processes by using
as feedback the results gained from interrogating large data sets through
advanced analytics.
• The business gains are achieved through operational efficiency gains and
accelerated productivity
• Reduced unplanned downtime and optimised efficiency, and thereby profits.
30 March 2020 7026CEM - Dr. Basil Elmasri 12
The Cloud
• What is the cloud?
• And why the term “cloud” was chosen?
• What are the characteristics a real cloud in the sky have?
• A term that has evolved and now means very little.
• Originally described the abstraction of hardware – software – service.
• Comes from the idea that you care very little about the platforms as
long as the service works.
• This abstraction means that the layers below users’ concern can be
generalised, and not be very much concerned about it.

30 March 2020 7026CEM - Dr. Basil Elmasri 13

Services over the cloud (I)
• Lower costs in various ways; e.g. employees, devices, premises rent.
• Less dependency on particular hardware/software
o On-demand provisioning (memory, storage, data, cycles, etc)
• Disaster recovery
o Magical off-site backup. Magical load balancing.
• Flexibility. Cloud-based services are ideal for organisations with
growing or fluctuating bandwidth demands.
• Different way of technical support, e.g. automatic software updates.
• Work from anywhere
• Some added security features, what aspects cloud make it secure?
• Any disadvantages for the cloud?
30 March 2020 7026CEM - Dr. Basil Elmasri 14
Services over the cloud (II)
• You probably came across some or all of these terms
before:
• SaaS
• PaaS
• IaaS
• DaaS
• CaaS
• MaaS
• XaaS
30 March 2020 7026CEM - Dr. Basil Elmasri 15
Services over the cloud (III)
• SaaS – Software as a Service
o Examples: Gmail
o Aimed at consumers, organisations.
• PaaS – Platform as a Service
o Allows to building applications, usually web-apps, without having to own and
manage very own platforms.
o Examples: some of the Amazon Web Services (AWS), i.e. AWS Elastic
Beanstalk, Windows Azure.
• IaaS – Infrastructure as a Service
o Servers, datacentres, load-balancers, etc., that are “somewhere on the Internet”
o AWS, Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE)
• On-premise: software/services/systems that are installed in the same
location of the organisation.
30 March 2020 7026CEM - Dr. Basil Elmasri 16
Services over the cloud (V)
• Taken from bmc.com:
https://www.bmc.com/bl
ogs/saas-vs-paas-vs-
iaas-whats-the-
difference-and-how-to-
choose
• Check the link for more
details and examples.

30 March 2020 7026CEM - Dr. Basil Elmasri 17

Services over the cloud
• DaaS – Desktop as a Service
o Pretty much the old “thin client” model.
• CaaS – Containers as a Service
o CaaS Communication; Voice over IP (VoIP) telephony all in the cloud.
o Genesys Cloud Platform
• MaaS – Monitoring as a Service
o watchdogs, analytics, log analysis, IDS, SOC, etc.
• XaaS – X as a Service. Anything a for any given X
• The reality of IoT “cloud”
• Usually refers to the parts of an IoT device that is not in your,
premises, e.g. home, on your own server or in the device itself.
• - Photo storage, Data collection, weather, etc.
30 March 2020 7026CEM - Dr. Basil Elmasri 18
BYOD
• Stands for Bring Your Own Device.
• The practice of allowing users to use their own personal devices
connected to a private network
• Public Wi-Fi
• Workplace Wi-Fi
• Facility of Virtual private network (VPN) and other services to allow
remote usage of systems from any device
• Not IoT, but a big and interesting security consideration.

30 March 2020 7026CEM - Dr. Basil Elmasri 19

Wireless Sensor Networks (WSN)
• Was this an older image of IoT?
• Deals with distributed sensing.
• Research mostly around practical matters of low-power
communications, protocols, resources etc.
• A number of specialist platforms developed.
• Generally expensive and not very easy to work with.

30 March 2020 7026CEM - Dr. Basil Elmasri 20

WSN to IoT
• IoT itself as a concept is old
• Public interest began when devices started to be cheaper and easy
enough build.
• Usually based on more generic platforms than WSN
• Assumption that resources are healthier than WSN, e.g. batteries are
better, or that power is available nearly or at 100%.
• Less concern for new research in protocols - leave that for industry to
solve and sell.

30 March 2020 7026CEM - Dr. Basil Elmasri 21

Hardware Platforms - Manufacturers
• Arduino
• ARM
• Atmel
• Broadcom
• Freescale
• IBM
• Intel
• Microchip
• Texas Instruments

30 March 2020 7026CEM - Dr. Basil Elmasri 22

HARDWARE PLATFORMS
• Arduino – https://www.arduino.cc/
• CHIP – https://getchip.com/pages/chip – now gone.
• Photon https://www.particle.io/products/hardware/photon-wifi-dev-
kit#photon.
• Raspberry Pi - https://www.raspberrypi.org/ .
• ESP8266 –
https://www.espressif.com/en/products/hardware/esp8266ex/overview.
• NodeMCU - http://www.nodemcu.com/index_en.html.
• A very good IoT Hardware Guide in
https://www.postscapes.com/internet-of-things-hardware/.

30 March 2020 7026CEM - Dr. Basil Elmasri 23

IoT – Common Cloud Platforms
• Amazon Web Services (AWS)
• Well known and understood
• Backbone of many traditional applications, born-digital enterprises and
now IoT devices.
• Oracle IoT: more recent, see oracle.com/internet-of-things/.
• IBM WATSON Built upon data mining and processing, Machine
Learning and other tools for extracting values and information from
data.
o https://www.ibm.com/uk-en/internet-of-things
o https://www.ibm.com/uk-en/internet-of-things/solutions/iot-platform/watson-iot-
platform.
• AZURE IoT. Seems to push the I4.0 angle. azure.microsoft.com/en-gb.
30 March 2020 7026CEM - Dr. Basil Elmasri 24
MEDIA
• Wired and wireless
• Examples on wired
o Ethernet
o USB
o Wire protocols
o Controller Area Network (CAN) bus
o Aircraft: http://www.interfacebus.com/Design_Connector_Avionics.html
• Examples on wired
o Zigbee
o ZWave
o Bluetooth-LE
o Etc.
• See https://en.wikipedia.org/wiki/List_of_automation_protocols.
30 March 2020 7026CEM - Dr. Basil Elmasri 25
Media
• For more details see
https://www.postscapes.com/in
ternet-of-things-technologies/
• And
• https://www.postscapes.com/in
ternet-of-things-protocols/

30 March 2020 7026CEM - Dr. Basil Elmasri 26

Protocols
• Physical and upwards in the IOS/Internet reference model
o 802.11, Zigbee
o IoT stacks
• Infrastructure
o IPv4
o 6TiSCH, 6Lo
• Identification
o Electronic Product Code (EPC)
o uCode: global ID system for real objects.
• Transport
o Wifi
o Bluetooth
o Low-power Wide-area Network (LPWAN)
30 March 2020 7026CEM - Dr. Basil Elmasri 27
Protocols
• Discovery
o Physical Web
o DNS
o Bonjour, mDNS, DNS-SD
• Data
o MQTT
o Constrained Application Protocol (CoAP)
o Advanced Message Queuing Protocol (AMQP)
• Semantic
• JSON-LD (JavaScript Object Notation for Linked Data)
• Web Thing Model

30 March 2020 7026CEM - Dr. Basil Elmasri 28

Message Queuing Telemetry Transport (MQTT)
• An open OASIS and ISO standard.
• mqtt.org
• What is MQTT? First question in mqtt.org/faq
• MQTT stands for MQ Telemetry Transport. It is a publish/subscribe,
extremely simple and lightweight messaging protocol, designed for
constrained devices and low-bandwidth, high-latency or unreliable
networks. The design principles are to minimise network bandwidth and
device resource requirements whilst also attempting to ensure reliability and
some degree of assurance of delivery. These principles also turn out to
make the protocol ideal of the emerging “machine-to-machine” (M2M) or
“Internet of Things” world of connected devices, and for mobile applications
where bandwidth and battery power are at a premium.
• Standard:http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-
os.html.
30 March 2020 7026CEM - Dr. Basil Elmasri 29
MQTT
• Useful for manul IoT tasks that require data to be monitored, sent,
aggregated over low power/low bandwidth channels
• Works of TCP/IP or most other connection oriented protocols.
• Requires an MQTT server to mediate communication.
• Service/devices that produce data that needs to be received by 1 or
more “sink”.
• At most once: used for general monitoring when some data loss is
acceptable. A sensor might produce constant data but a client could
easily skip some of it without issue. Data isn't duplicated
• At least once: Guarantees delivery, but might duplicate result.
• Exactly once: guarantee of one delivery.

30 March 2020 7026CEM - Dr. Basil Elmasri 30

• A Client can connect to the server
• Publish messages to a server
• Subscribe to messages from another client via the server
• Unsubscribe.
• Disconnect from the server.
• A Server can accept Network Connections from clients
• Receive published messages
• Record subscriptions and unsubscriptions.
• Pass messages to clients according to the subscriptions.
• Example pcap capture: mqtt_basic.pcapng, file will be on moodle
30 March 2020 7026CEM - Dr. Basil Elmasri 31
MQTT Examples Sequence
• Subscription
• Connecting
o Client sends connect command
o Server sends connect ack
o Client sends subscribe request
o (Assuming success) Server sends Subscribe ack
• And when there is a message:
o Server sends publish message.
• Another example sequence - publishing
o Client sends connect command
o Server sends connect ack
o Client sends publish message
o Client sends disconnect request
30 March 2020 7026CEM - Dr. Basil Elmasri 32
MTQQ and Security
• From the standard:
o http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-
os.html#_Toc398718111.
• There are a number of threats that solution providers should consider.
For example:
• Devices could be compromised
• Data at rest in Clients and Servers might be accessible
• Protocol behaviours could have side effects (e.g. “timing attacks”)
• Denial of Service (DoS) attacks
• Communications could be intercepted, altered, re-routed or disclosed
• Injection of spoofed Control Packets
30 March 2020 7026CEM - Dr. Basil Elmasri 33
Hash-Based Message Authentication Code (HMAC)
• RFC: https://tools.ietf.org/html/rfc2104
• One issue is authentication.
o This is the I in the CIA triangle.
• Relies on a shared secret between sender and receiver
• Does NOT provide secrecy, only authenticates sender and offers non-
repudiation
• Given hash function H, a shared secret, S, and message M:
HMAC(S,M)=H(H(K||M))
• And what gets sent is: HMAC(S,M)||M
• So the receiver can calculate hmac(S,M), since it has both S and M,
and check before accepting that M came from the sender.
30 March 2020 7026CEM - Dr. Basil Elmasri 34
HMAC
• Good hash function required (as usual), but why?
• Mustn't be feasible to brute-force
• Why hash twice?
• If just once, an attacker could extend a message and calculate the
new hash based on the old one, without knowing S
• Hash functions often process linearly, so if state of the function is
known, when S||M was hashed, we could carry on computing to work
out H(S||M||X), where X is the new part of the message
• This is called a Length Extension Attack
• How about replay attacks? In fact, hat are replay attacks? How do we
prevent replay attacks?

30 March 2020 7026CEM - Dr. Basil Elmasri 35

HMAC-based One-time Password algorithm (HOTP)
• In addition to a shared secret, S, each party has a component that
changes
o Could be time
o Could be a counter
• HOTP - Counted
• To send a given message, we must also know how many we have
sent before and a starting number
• A simple count, N, and a shared value, C:
HOTP(S,C,N,M)=H(H(K||(C+N)||M))

30 March 2020 7026CEM - Dr. Basil Elmasri 36

HOTP
• AKA Time-based one time password (TOTP)
• To send a given message, we must also know the time, T, rounded to
some value that:
• Is vague enough that it won't cause authentication to fail often
because of clock drift or communication time
• Is accurate enough to make replay attacks difficult to impossible
HOTP(S,T,M)=H(H(K||T||M))
• HOTP Can be used as a way to make HMAC difficult to attack with
replay attacks
• Has become a popular authentication mechanism in n-factor systems
• Many hardware HOTP systems - yubikeys, for example
• Mobile HOTP token systems in use OAUTH, Google authenticator
30 March 2020 7026CEM - Dr. Basil Elmasri 37
References
• Dr. James Shuttleworth lecture notes from previous years and online
modules.
• Various references and links presented through out the slides

30 March 2020 7026CEM - Dr. Basil Elmasri 38