Design principles
In addition to the overall Well-Architected Framework security design principles, there are specific design principles for IoT security:
- Manage device security lifecycle holistically: Device security starts at the design phase, and ends with the retirement and destruction of the hardware and data. It is important to take an end-to-end approach to the security lifecycle of your IoT solution to maintain your competitive advantage and retain customer trust.
- Ensure least privilege permissions: Devices should all have fine-grained access permissions that limit which topics a device can use for communication. By restricting access, one compromised device will have fewer opportunities to impact any other devices.
- Secure device credentials at rest: Devices should securely store credential information at rest using mechanisms such as a dedicated crypto element or secure flash.
- Implement device identity lifecycle management: Devices maintain a device identity from creation through end of life. A well-designed identity system will keep track of a device's identity, track the validity of the identity, and proactively extend or revoke IoT permissions over time.
- Take a holistic view of data security: IoT deployments involving a large number of remotely deployed devices present a significant attack surface for data theft and privacy loss. Use a model such as the Open Trusted Technology Provider Standard to systematically review your supply chain and solution design for risk, and then apply appropriate mitigations.
- Preserve safety and reliability in critical OT/IIoT environments: IIoT cybersecurity differs from the IT cybersecurity model because it is concerned not only with data protection but also with preserving the safety and reliability of production systems and ensuring environmental health and safety (EHS) in industrial facilities.
- Implement zero trust principles as per NIST SP 800-207: Zero trust isn't limited to traditional IT; it extends to IoT, operational technology (OT), and IIoT. A zero trust model can significantly improve your organization's security posture by removing sole reliance on perimeter-based protection. This doesn't mean getting rid of perimeter security altogether. Where possible, use identity and network controls together to protect core assets, and apply zero trust principles by working backwards from specific use cases, with a focus on extracting business value and achieving measurable business outcomes.
- Establish a secure connection to AWS from the industrial edge via Site-to-Site VPN or Direct Connect
  For IIoT workloads, AWS offers several ways and design patterns to establish a secure connection from the industrial edge to the AWS environment. Establish a Site-to-Site VPN connection to AWS over the internet, or set up a dedicated private connection via AWS Direct Connect. Direct Connect does not encrypt traffic by itself, so use AWS Site-to-Site VPN over Direct Connect when the traffic on that link must be encrypted.
- Use VPC endpoints whenever possible
  For IIoT workloads, once a secure connection to AWS has been established via VPN over the internet or Direct Connect, use VPC endpoints whenever possible. VPC endpoints let you connect privately to supported regional services without requiring a public IP address. Endpoints also support endpoint policies, which further restrict access to only the required resources and actions.
- Use an HTTP over TLS proxy and a firewall for services connecting to AWS over the internet
  If no VPC endpoint is available for the required service, you have to establish a secure connection over the internet. The best practice in that scenario is to route these connections through an HTTP proxy, keeping the traffic itself under TLS, and through a firewall. Using a proxy allows the cloud-bound traffic to be inspected and monitored, enables threat and malware detection, and allows security policies to be applied at the network layer. Firewall rules can then permit only the HTTPS (TCP 443) and MQTT over TLS (TCP 8883) traffic needed to reach AWS IoT services over the public internet.
- Use secure protocols whenever possible; where insecure protocols are unavoidable, convert them into standardized, secure protocols as close to the source as possible
  In most environments, prefer protocols that support encryption and authentication. When using a secure protocol is not an option, tighten the trust boundaries as described in the next point.
- Use network segmentation and tighten trust boundaries
  Follow a micro-segmentation approach: build small islands of components within a single network that communicate only with each other, and control the network traffic between segments. Select the newer versions of industrial protocols that offer security features, such as CIP Security, Modbus/TCP Security, and OPC UA, and configure the strongest security mode and encryption available when using industrial control system (ICS) protocols. When using secure industrial protocols is not an option, tighten the trust boundary with a protocol converter that translates the insecure protocol to a secure one as close to the data source as possible.
  Alternatively, segregate the plant network into smaller cell or area zones by grouping ICS devices into functional areas, to limit the scope of insecure communications. Use unidirectional gateways and data diodes for one-way data flows, and use specialized firewall and inspection products that understand ICS protocols to inspect traffic entering and leaving cell/area zones and to detect anomalous behavior in the control network.
- Securely manage and access edge computing resources
  Keeping computing resources at the industrial edge up to date, accessing them securely for configuration and management, and automatically deploying changes can be challenging. AWS provides options to securely manage edge compute resources (AWS Systems Manager) and IoT resources (AWS IoT Device Management, AWS IoT Greengrass), and also provides a fully managed infrastructure service (AWS Outposts) that makes it easier to apply best practices consistently to all resources.
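The following example illustrates the "Ensure least privilege permissions" principle above: a per-device AWS IoT Core policy that limits each device to its own MQTT topics, contrasted with a shared wildcard policy, and a small local evaluator that shows the difference in blast radius when one device is compromised. It is an added example, not code from the IoT Lens. The policy document uses the real AWS IoT Core policy format and the policy variable `${iot:Connection.Thing.ThingName}` (which AWS IoT Core resolves only when the connecting certificate is attached to a thing and the MQTT client ID matches the thing name); the evaluator is a simplified stand-in for the AWS policy engine, the region and account ID are placeholders, and the topic scheme `devices/<thing>/...` is an assumption.

```python
"""Least-privilege AWS IoT Core policy with per-device MQTT topics.

Added example for this page (not code from the IoT Lens). The policy document
uses the AWS IoT Core policy format and the policy variable
${iot:Connection.Thing.ThingName}, which AWS IoT Core replaces with the name of
the thing attached to the connecting certificate. The evaluator is a small
local stand-in for the AWS IoT policy engine (assumption: it models only Allow
statements, default deny, and the "*" / "?" wildcards used here). Region and
account ID are constructed placeholders.
"""
import fnmatch
import json

REGION = "us-east-1"        # assumption
ACCOUNT = "123456789012"    # constructed placeholder account ID
THING_VAR = "${iot:Connection.Thing.ThingName}"


def _arn(kind: str, path: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


# Each device may only connect as itself, publish to its own telemetry topic,
# and subscribe to / receive from its own command topic (topic scheme assumed).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": _arn("client", THING_VAR)},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": _arn("topic", f"devices/{THING_VAR}/telemetry")},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": _arn("topicfilter", f"devices/{THING_VAR}/commands")},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": _arn("topic", f"devices/{THING_VAR}/commands")},
    ],
}

# The anti-pattern: one shared policy that lets any device use any topic.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# AWS IoT evaluates each action against a specific resource type: Subscribe is
# checked against a topicfilter ARN, Publish/Receive against a topic ARN.
_RESOURCE_KIND = {
    "iot:Connect": "client",
    "iot:Publish": "topic",
    "iot:Receive": "topic",
    "iot:Subscribe": "topicfilter",
}


def is_allowed(policy: dict, thing_name: str, action: str, target: str) -> bool:
    """Return True only if some Allow statement matches the request (default deny)."""
    requested = _arn(_RESOURCE_KIND[action], target)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        for resource in resources:
            # Substitute the connecting thing's name, as AWS IoT does at evaluation time.
            concrete = resource.replace(THING_VAR, thing_name)
            if fnmatch.fnmatchcase(requested, concrete):
                return True
    return False


def blast_radius(policy: dict, compromised: str, victim: str) -> dict:
    """What a compromised device can do to another device's topics under a policy."""
    return {
        "publish_to_victim_telemetry": is_allowed(policy, compromised, "iot:Publish", f"devices/{victim}/telemetry"),
        "subscribe_to_all_commands": is_allowed(policy, compromised, "iot:Subscribe", "devices/+/commands"),
        "connect_as_victim": is_allowed(policy, compromised, "iot:Connect", victim),
    }


def policy_json(policy: dict) -> str:
    """Serialize the document for `aws iot create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(LEAST_PRIVILEGE_POLICY))
    print("least privilege:", blast_radius(LEAST_PRIVILEGE_POLICY, "sensor-17", "sensor-42"))
    print("overly broad:   ", blast_radius(OVERLY_BROAD_POLICY, "sensor-17", "sensor-42"))
```

Because the policy is written once with the thing-name variable, a single policy document can be attached to every device certificate while still giving each device only its own topics; the `blast_radius` comparison shows that under the shared wildcard policy a compromised `sensor-17` can publish as `sensor-42`, subscribe to every device's command topic, and connect with `sensor-42`'s client ID, none of which the least-privilege policy permits.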
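The network segmentation principle above recommends a protocol converter that translates an insecure ICS protocol into a secure one as close to the data source as possible. The example below shows the ingest side of such a converter for plain Modbus/TCP: it strictly validates each response frame (MBAP header and PDU) so that malformed or unexpected traffic from the insecure segment is dropped rather than forwarded, and turns valid frames into MQTT-ready messages for transport over TLS. This is an added example, not code from the IoT Lens or any AWS SDK; the frame layout is the standard Modbus/TCP format, the sample frames are constructed, the topic scheme is an assumption, and the actual MQTT/TLS publish (for example with the AWS IoT Device SDK and a device certificate) is intentionally left out so the code runs offline.

```python
"""Ingest side of a protocol converter: validate plain Modbus/TCP responses and
re-emit them as MQTT-ready messages for transport over TLS.

Added example for this page (not code from the IoT Lens or any AWS SDK). The
frame layout is the standard Modbus/TCP MBAP header plus PDU; the sample frames
are constructed. Publishing over MQTT/TLS is out of scope here, so
to_mqtt_message() only builds the topic and JSON payload; the topic naming is
an assumption.
"""
import json
import struct
from dataclasses import dataclass
from typing import List, Optional

MBAP_LEN = 7                 # transaction id(2) + protocol id(2) + length(2) + unit id(1)
READ_HOLDING_REGISTERS = 0x03
MAX_REGISTERS = 125          # Modbus limit for a single 0x03 response


class FrameError(ValueError):
    """Raised for anything that is not a well-formed, supported Modbus/TCP response."""


@dataclass
class ModbusResponse:
    transaction_id: int
    unit_id: int
    function: int
    registers: List[int]
    exception_code: Optional[int] = None


def parse_modbus_tcp_response(frame: bytes) -> ModbusResponse:
    """Strictly parse a Modbus/TCP response; reject anything inconsistent instead of guessing."""
    if len(frame) < MBAP_LEN + 1:
        raise FrameError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise FrameError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts every byte after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise FrameError("MBAP length field does not match the bytes received")
    function = frame[MBAP_LEN]
    if function & 0x80:
        # Exception response: original function code with the high bit set, then one exception byte.
        if len(frame) != MBAP_LEN + 2:
            raise FrameError("malformed exception response")
        return ModbusResponse(tid, unit, function & 0x7F, [], frame[MBAP_LEN + 1])
    if function != READ_HOLDING_REGISTERS:
        raise FrameError(f"unsupported function code 0x{function:02x}")
    byte_count = frame[MBAP_LEN + 1]
    data = frame[MBAP_LEN + 2:]
    if byte_count != len(data) or byte_count % 2 or byte_count > 2 * MAX_REGISTERS:
        raise FrameError("register byte count inconsistent with payload")
    registers = list(struct.unpack(f">{byte_count // 2}H", data))
    return ModbusResponse(tid, unit, function, registers)


def to_mqtt_message(resp: ModbusResponse, site: str, cell: str) -> tuple:
    """Build (topic, JSON payload) for the secure side of the converter (topic scheme assumed)."""
    topic = f"plant/{site}/{cell}/unit{resp.unit_id}/holding"
    payload = {
        "transaction_id": resp.transaction_id,
        "function": resp.function,
        "registers": resp.registers,
        "exception_code": resp.exception_code,
    }
    return topic, json.dumps(payload, separators=(",", ":"))


# Constructed sample frames (what a PLC on the insecure segment would send).
# Read Holding Registers response from unit 0x11 with two registers, 0x002A and 0x0100.
SAMPLE_READ_RESPONSE = bytes.fromhex("0001" "0000" "0007" "11" "03" "04" "002A" "0100")
# Exception response: function 0x03 failed with exception code 0x02 (illegal data address).
SAMPLE_EXCEPTION_RESPONSE = bytes.fromhex("0002" "0000" "0003" "11" "83" "02")


if __name__ == "__main__":
    for frame in (SAMPLE_READ_RESPONSE, SAMPLE_EXCEPTION_RESPONSE, SAMPLE_READ_RESPONSE[:-1]):
        try:
            print(to_mqtt_message(parse_modbus_tcp_response(frame), "site-a", "cell-3"))
        except FrameError as err:
            print("dropped frame:", err)
```

The converter sits at the edge of the cell/area zone, so every check in `parse_modbus_tcp_response` is a trust-boundary check: the length field must agree with the bytes actually received, the byte count must agree with the register payload and the protocol maximum, and only the function codes the converter is built to translate are accepted. Anything else is dropped at the source rather than carried into the secure segment.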