This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
7. Secure both the IoT environment and supporting IT environments to the same level of criticality
Secure both the IoT environment and supporting IT environments to the same level of criticality following a well-documented standard. This is especially true for gateways that serve as boundaries between systems.
Often, IoT systems still have a dependency on traditional IT systems to operate. Whether that’s for identity and authorization, billing, monitoring and remediation, or maintenance, having these systems become unavailable to the IoT system can cause cascading failures. Therefore, you should use the risk assessment and asset inventory to document these critical dependencies and architect all relevant systems to the same level of resiliency and security. Some ways to do this include:
-
Plan and manage security lifecycle of devices.
-
Consistently harden internet-connected network resources such as edge gateways.
-
Avoid hardcoding or storing credentials and secrets locally on devices.
-
Use device certificates and temporary credentials instead of long-term credentials to access AWS cloud services.
-
Limit the number of listening ports on IoT devices, and ensure access only from authorized systems.
-
Create allow lists for access with a management mechanism similar to that of software updates.
-
Disable unused sensors, actuators, services, or software on the IoT device.
-
Establish secure connections to cloud services, and monitor these connections.
Supporting AWS resources
AWS provides the following assets, capabilities, and services to help secure cloud connected network resources and securely manage on-premises computing resources:
-
NIST Guide to General Server Security
– For general guidance on security devices (such as edge gateways). -
Working with secrets at the Edge.
-
AWS IoT SiteWise Gateway – Securely configuring edge gateways.
-
AWS Systems Manager
– Provides you with a centralized and consistent way to gather operational insights and carry out routine management tasks. -
AWS IoT Device Management
– A service that allows you to securely register, organize, monitor, and remotely manage IIoT devices at scale throughout their lifecycle. -
AWS IoT secure tunneling – Accesses IIoT devices behind restricted firewalls at remote sites for troubleshooting, configuration updates, and other operational tasks.
-
Plant network to Amazon Virtual Private Cloud connectivity options
-
AWS IoT Greengrass - Connect on port 443 or through a network proxy