Internet of Things (IoT) security architecture

When designing a system, it is important to understand the potential threats to that system and to add appropriate defenses accordingly, as the system is designed and architected. It is important to design the product from the start with security in mind, because understanding how an attacker might be able to compromise a system helps ensure that appropriate mitigations are in place from the beginning.

Security starts with a threat model

Microsoft has long used threat models for its products and has made the company's threat modeling process publicly available. The company's experience shows that modeling has unexpected benefits beyond the immediate understanding of which threats are the most concerning. For example, it also creates an avenue for open discussion with others outside the development team, which can lead to new ideas and improvements in the product.

The objective of threat modeling is to understand how an attacker might be able to compromise a system and then make sure appropriate mitigations are in place. Threat modeling forces the design team to consider mitigations as the system is designed rather than after it is deployed. This is critically important, because retrofitting security defenses to a myriad of devices in the field is infeasible, error prone, and leaves customers at risk.

Many development teams do an excellent job of capturing the functional requirements for the system that benefit customers. However, identifying non-obvious ways that someone might misuse the system is more challenging. Threat modeling can help development teams understand what an attacker might do and why. Threat modeling is a structured process that creates a discussion about the security design decisions in the system, as well as about changes to the design that are made along the way and affect security. While a threat model is simply a document, that document is also an ideal way to ensure continuity of knowledge, retain lessons learned, and help new team members onboard rapidly. Finally, an outcome of threat modeling is to enable you to consider other aspects of security, such as which security commitments you wish to provide to your customers. These commitments, in conjunction with the threat model, inform and drive testing of your Internet of Things (IoT) solution.

When to do threat modeling

Threat modeling offers the greatest value when you incorporate it into the design phase. While you are designing, you have the greatest flexibility to make changes that eliminate threats. Eliminating threats by design is the desired outcome: it is much easier than adding mitigations, testing them, and ensuring they remain current; moreover, such elimination is not always possible. It becomes harder to eliminate threats as a product matures, which ultimately requires more work and much harder tradeoffs than threat modeling early in development.

What to consider for threat modeling

You should look at the solution as a whole and also focus on the following areas:

  • The security and privacy features
  • The features whose failures are security relevant
  • The features that touch a trust boundary

Who performs threat modeling

Threat modeling is a process like any other. It is a good idea to treat the threat model document like any other component of the solution and validate it.

How to perform threat modeling

The threat modeling process is composed of four steps:

  • Model the application
  • Enumerate threats
  • Mitigate threats
  • Validate the mitigations

The process steps

Three rules of thumb to keep in mind when building a threat model:

  1. Create a diagram out of the reference architecture.
  2. Start breadth-first. Get an overview, and understand the system as a whole, before deep-diving. This approach helps ensure that you deep-dive in the right places.
  3. Drive the process, don't let the process drive you. If you find an issue in the modeling phase and want to explore it, go for it! Don't feel you need to follow these steps slavishly.

Threats

The four core elements of a threat model are:

  • Processes, such as web services, Win32 services, and *nix daemons. Some complex entities (for example, field gateways and sensors) can be abstracted as a process when a technical drill-down into these areas is not possible.
  • Data stores (anywhere data is stored, such as a configuration file or database)
  • Data flows (where data moves between other elements in the application)
  • External entities (anything that interacts with the system but is not under the control of the application; examples include users and satellite feeds)

All elements in the architectural diagram are subject to various threats; this article uses the STRIDE mnemonic to classify them. Read Threat Modeling Again, STRIDE to learn more about the STRIDE elements.

Different elements of the application diagram are subject to certain STRIDE threats:

  • Processes are subject to STRIDE
  • Data flows are subject to TID
  • Data stores are subject to TID, and sometimes R, when the data stores are log files
  • External entities are subject to SRD

Security in IoT

Connected special-purpose devices have a significant number of potential interaction surface areas and interaction patterns, all of which must be considered to provide a framework for securing digital access to those devices. The term "digital access" is used here to distinguish from operations that are carried out through direct device interaction, where access security is provided through physical access control, for example by putting the device into a room with a lock on the door. While physical access cannot be denied using software and hardware, measures can be taken to prevent physical access from leading to system interference.

As you explore the interaction patterns, look at "device control" and "device data" with the same level of attention. "Device control" can be classified as any information that is provided to a device by any party with the goal of changing or influencing its behavior towards its state or the state of its environment. "Device data" can be classified as any information that a device emits to any other party about its state and the observed state of its environment.

In order to optimize security best practices, it is recommended that a typical IoT architecture is divided into several components/zones as part of the threat modeling exercise. These zones are described fully throughout this section and include:

  • Device,
  • Field gateway,
  • Cloud gateway, and
  • Services.

Zones are a broad way to segment a solution; each zone often has its own data and its own authentication and authorization requirements. Zones can also be used to isolate damage and restrict the impact of low-trust zones on higher-trust zones.

Each zone is separated by a trust boundary, shown as the dotted red line in the following diagram. It represents a transition of data/information from one source to another. During this transition, the data/information could be subject to Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE).

Diagram: IoT security zones

The components depicted within each boundary are also subject to STRIDE, enabling a full 360-degree threat modeling view of the solution. The following sections elaborate on each of the components, the specific security concerns, and the solutions that should be put into place.
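The STRIDE-per-element rules above (processes: STRIDE; data flows and data stores: TID, plus R for log-file stores; external entities: SRD) and the zone/trust-boundary idea can be turned into a mechanical first pass over a data-flow diagram. The following Python is an added example, not part of this article or of the Microsoft Threat Modeling Tool: it models elements with the zone they sit in, applies the page's per-element rules, and flags every flow whose endpoints lie in different zones as a trust-boundary crossing. The element and flow names, the zones, and the sample model are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE categories and the per-element rules exactly as the article states them.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
RULES = {"process": "STRIDE", "data_store": "TID", "external_entity": "SRD"}
FLOW_RULE = "TID"


@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # process | data_store | external_entity
    zone: str             # device | field_gateway | cloud_gateway | services
    is_log: bool = False  # log-file data stores are additionally subject to R


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


def element_threats(element):
    """Return (element, letter, category) for each STRIDE letter that applies."""
    letters = RULES[element.kind]
    if element.kind == "data_store" and element.is_log:
        letters += "R"
    return [(element.name, letter, STRIDE[letter]) for letter in letters]


def boundary_crossings(elements, flows):
    """Flows whose source and destination sit in different zones cross a trust boundary."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.src] != zone[f.dst]]


def enumerate_threats(elements, flows):
    """Step 2 of the process ("enumerate threats") over a modelled application."""
    findings = []
    for e in elements:
        findings.extend(element_threats(e))
    zone = {e.name: e.zone for e in elements}
    crossing = {f.name for f in boundary_crossings(elements, flows)}
    for f in flows:
        for letter in FLOW_RULE:
            label = STRIDE[letter]
            if f.name in crossing:  # worth a closer look: data changes trust zone here
                label += " (crosses trust boundary %s -> %s)" % (zone[f.src], zone[f.dst])
            findings.append((f.name, letter, label))
    return findings


# Constructed sample model spanning the four zones (hypothetical names).
ELEMENTS = [
    Element("thermostat", "process", "device"),
    Element("field_gateway", "process", "field_gateway"),
    Element("iot_hub", "process", "cloud_gateway"),
    Element("telemetry_log", "data_store", "services", is_log=True),
    Element("operator", "external_entity", "services"),
]
FLOWS = [
    Flow("telemetry", "thermostat", "field_gateway"),
    Flow("uplink", "field_gateway", "iot_hub"),
    Flow("ingest", "iot_hub", "telemetry_log"),
    Flow("dashboard", "telemetry_log", "operator"),
]

if __name__ == "__main__":
    for name, letter, label in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{name:15} {letter}  {label}")
```

The output is the raw threat list that a review then prunes and mitigates; its value is that nothing is forgotten, and the boundary annotations point to where the "deep-dive" of rule 2 should start.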

The following sections discuss standard components typically found in these zones.

The device zone

The device environment is the immediate physical space around the device where physical access and/or "local network" peer-to-peer digital access to the device is feasible. A "local network" is assumed to be a network that is distinct and insulated from, but potentially bridged to, the public Internet, and includes any short-range wireless radio technology that permits peer-to-peer communication between devices. It does not include any network virtualization technology that creates the illusion of such a local network, nor public operator networks that require any two devices to communicate across public network space in order to enter a peer-to-peer communication relationship.

The field gateway zone

A field gateway is a device/appliance or some general-purpose server computer software that acts as a communication enabler and, potentially, as a device control system and device data processing hub. The field gateway zone includes the field gateway itself and all devices attached to it. As the name implies, field gateways act outside dedicated data processing facilities, are usually location bound, are potentially subject to physical intrusion, and have limited operational redundancy. All of which is to say that a field gateway is commonly a thing one can touch and sabotage while knowing what its function is.

A field gateway is different from a mere traffic router in that it has an active role in managing access and information flow, meaning it is an application-addressed entity and a network connection or session terminal. A NAT device or firewall, in contrast, does not qualify as a field gateway, since it is not an explicit connection or session terminal but rather routes (or blocks) connections or sessions made through it. The field gateway has two distinct surface areas. One faces the devices attached to it and represents the inside of the zone; the other faces all external parties and is the edge of the zone.

The cloud gateway zone

A cloud gateway is a system that enables remote communication from and to devices or field gateways at several different sites across public network space, typically towards a cloud-based control and data analysis system or a federation of such systems. In some cases, a cloud gateway may directly facilitate access to special-purpose devices from terminals such as tablets or phones. In the context discussed here, "cloud" refers to a dedicated data processing system that is not bound to the same site as the attached devices or field gateways. Also, in a cloud zone, operational measures prevent targeted physical access, and the zone is not necessarily exposed to a "public cloud" infrastructure.

A cloud gateway may potentially be mapped into a network virtualization overlay to insulate the cloud gateway and all of its attached devices or field gateways from any other network traffic. The cloud gateway itself is not a device control system or a processing or storage facility for device data; those facilities interface with the cloud gateway. The cloud gateway zone includes the cloud gateway itself along with all field gateways and devices directly or indirectly attached to it. The edge of the zone is a distinct surface area through which all external parties communicate.

The services zone

A "service" is defined in this context as any software component or module that interfaces with devices through a field or cloud gateway for data collection and analysis, as well as for command and control. Services are mediators. They act under their own identity towards gateways and other subsystems, store and analyze data, autonomously issue commands to devices based on data insights or schedules, and expose information and control capabilities to authorized end users.

Information devices versus special-purpose devices

PCs, phones, and tablets are primarily interactive information devices. Phones and tablets are explicitly optimized around maximizing battery lifetime. They preferably turn off partially when not immediately interacting with a person, or when not providing services like playing music or guiding their owner to a particular location. From a systems perspective, these information technology devices mainly act as proxies towards people. They are "people actuators" suggesting actions and "people sensors" collecting input.

Special-purpose devices, from simple temperature sensors to complex factory production lines with thousands of components inside them, are different. These devices are much more scoped in purpose, and even if they provide some user interface, they are largely scoped to interfacing with or being integrated into assets in the physical world. They measure and report environmental circumstances, turn valves, control servos, sound alarms, switch lights, and do many other tasks. They help to do work for which an information device is either too generic, too expensive, too large, or too brittle. The concrete purpose immediately dictates their technical design as well as the available monetary budget for their production and scheduled lifetime operation. The combination of these two key factors constrains the available operational energy budget, physical footprint, and thus the available storage, compute, and security capabilities.

If something "goes wrong" with automated or remotely controllable devices, whether through physical defects or control logic defects or through willful unauthorized intrusion and manipulation, production lots may be destroyed, buildings may be looted or burned down, and people may be injured or even die. This is a whole different class of damage than someone maxing out a stolen credit card's limit. The security bar for devices that make things move, and also for sensor data that eventually results in commands that cause things to move, must be higher than in any e-commerce or banking scenario.

Device control and device data interactions

Connected special-purpose devices have a significant number of potential interaction surface areas and interaction patterns, all of which must be considered to provide a framework for securing digital access to those devices. The term "digital access" is used here to distinguish from operations that are carried out through direct device interaction, where access security is provided through physical access control, for example by putting the device into a room with a lock on the door. While physical access cannot be denied using software and hardware, measures can be taken to prevent physical access from leading to system interference.

As you explore the interaction patterns, look at "device control" and "device data" with the same level of attention while threat modeling. "Device control" can be classified as any information that is provided to a device by any party with the goal of changing or influencing its behavior towards its state or the state of its environment. "Device data" can be classified as any information that a device emits to any other party about its state and the observed state of its environment.

Performing threat modeling for the Azure IoT reference architecture

Microsoft uses the framework outlined previously to do threat modeling for Azure IoT. The following section uses the concrete example of the Azure IoT reference architecture to demonstrate how to think about threat modeling for IoT and how to address the threats identified. This example identifies four main areas of focus:

  • Devices and data sources,
  • Data transport,
  • Device and event processing, and
  • Presentation

Diagram: Azure IoT threat modeling

The following diagram provides a simplified view of Microsoft's IoT architecture using the Data Flow Diagram model that is used by the Microsoft Threat Modeling Tool:

Diagram: threat modeling for Azure IoT using the Microsoft Threat Modeling Tool

It is important to note that the architecture separates the device and gateway capabilities. This approach enables the user to leverage gateway devices that are more secure: they are capable of communicating with the cloud gateway using secure protocols, which typically requires greater processing overhead than a native device, such as a thermostat, could provide on its own. In the Azure services zone, assume that the cloud gateway is represented by the Azure IoT Hub service.

Device and data sources/data transport

This section explores the architecture outlined previously through the lens of threat modeling and gives an overview of how to address some of the inherent concerns. This example focuses on the core elements of a threat model:

  • Processes (both under your control and external items)
  • Communication (also called data flows)
  • Storage (also called data stores)

Processes

In each of the categories outlined in the Azure IoT architecture, this example tries to mitigate a number of different threats across the different stages in which data/information exists: process, communication, and storage. Following is an overview of the most common threats for the "process" category, followed by an overview of how these threats could best be mitigated:

Spoofing (S): An attacker may extract cryptographic key material from a device, either at the software or hardware level, and subsequently access the system with a different physical or virtual device under the identity of the device the key material was taken from. A good illustration is remote controls that can turn on any TV and that are popular prankster tools.

Denial of Service (D): A device can be rendered incapable of functioning or communicating by interfering with radio frequencies or cutting wires. For example, a surveillance camera that has had its power or network connection intentionally knocked out cannot report data at all.

Tampering (T): An attacker may partially or wholly replace the software running on the device, potentially allowing the replaced software to leverage the genuine identity of the device if the key material or the cryptographic facilities holding the key material were available to the illicit program. For example, an attacker may leverage extracted key material to intercept and suppress data from the device on the communication path and replace it with false data that is authenticated with the stolen key material.

Information Disclosure (I): If the device is running manipulated software, such manipulated software could potentially leak data to unauthorized parties. For example, an attacker may leverage extracted key material to inject itself into the communication path between the device and a controller, field gateway, or cloud gateway to siphon off information.

Elevation of Privilege (E): A device that does a specific function can be forced to do something else. For example, a valve that is programmed to open halfway can be tricked into opening all the way.

| Component | Threat | Mitigation | Risk | Implementation |
|---|---|---|---|---|
| Device | S | Assigning identity to the device and authenticating the device | Replacing the device or part of the device with some other device. How do you know you are talking to the right device? | Authenticating the device using Transport Layer Security (TLS) or IPSec. Infrastructure should support using a pre-shared key (PSK) on those devices that cannot handle full asymmetric cryptography. Leverage Azure AD, OAuth. |
| Device | TRID | Apply tamperproof mechanisms to the device, for example by making it hard or impossible to extract keys and other cryptographic material from the device. | The risk is that someone tampers with the device (physical interference). How are you sure that the device has not been tampered with? | The most effective mitigation is a trusted platform module (TPM) capability that allows storing keys in special on-chip circuitry from which the keys cannot be read, but can only be used for cryptographic operations that use the key and never disclose it. Memory encryption of the device. Key management for the device. Signing the code. |
| Device | E | Having access control of the device. Authorization scheme. | If the device allows individual actions to be performed based on commands from an outside source, or even from compromised sensors, it allows the attacker to perform operations not otherwise accessible. | Having an authorization scheme for the device. |
| Field gateway | S | Authenticating the field gateway to the cloud gateway (such as certificate-based, PSK, or claim-based). | If someone can spoof the field gateway, then it can present itself as any device. | TLS RSA/PSK, IPSec, RFC 4279. All the same key storage and attestation concerns as for devices in general apply; the best case is to use a TPM. 6LowPAN extension for IPSec to support Wireless Sensor Networks (WSN). |
| Field gateway | TRID | Protect the field gateway against tampering (TPM?) | Spoofing attacks that trick the cloud gateway into thinking it is talking to the field gateway could result in information disclosure and data tampering. | Memory encryption, TPMs, authentication. |
| Field gateway | E | Access control mechanism for the field gateway | | |

Here are some examples of threats in this category:

Spoofing: An attacker may extract cryptographic key material from a device, either at the software or hardware level, and subsequently access the system with a different physical or virtual device under the identity of the device the key material was taken from.

Denial of Service: A device can be rendered incapable of functioning or communicating by interfering with radio frequencies or cutting wires. For example, a surveillance camera that has had its power or network connection intentionally knocked out cannot report data at all.

Tampering: An attacker may partially or wholly replace the software running on the device, potentially allowing the replaced software to leverage the genuine identity of the device if the key material or the cryptographic facilities holding the key material were available to the illicit program.

Tampering: A surveillance camera that is showing a visible-spectrum picture of an empty hallway could be aimed at a photograph of such a hallway. A smoke or fire sensor could be reporting someone holding a lighter under it. In either case, the device may be technically fully trustworthy towards the system, but it reports manipulated information.

Tampering: An attacker may leverage extracted key material to intercept and suppress data from the device on the communication path and replace it with false data that is authenticated with the stolen key material.

Tampering: An attacker may partially or completely replace the software running on the device, potentially allowing the replaced software to leverage the genuine identity of the device if the key material or the cryptographic facilities holding the key material were available to the illicit program.

Information Disclosure: If the device is running manipulated software, such manipulated software could potentially leak data to unauthorized parties.

Information Disclosure: An attacker may leverage extracted key material to inject itself into the communication path between the device and a controller, field gateway, or cloud gateway to siphon off information.

Denial of Service: The device can be turned off or put into a mode where communication is not possible (which is intentional in many industrial machines).

Tampering: The device can be reconfigured to operate in a state unknown to the control system (outside of known calibration parameters) and thus provide data that can be misinterpreted.

Elevation of Privilege: A device that does a specific function can be forced to do something else. For example, a valve that is programmed to open halfway can be tricked into opening all the way.

Denial of Service: The device can be put into a state where communication is not possible.


Spoofing/Tampering/Repudiation: If not secured (which is rarely the case with consumer remote controls), an attacker can manipulate the state of a device anonymously. A good illustration is remote controls that can turn on any TV and that are popular prankster tools.
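The device rows of the table above ask for three things on the device itself: an identity that is authenticated with a per-device key (S), integrity of what reaches the device (T), and an authorization scheme plus local limits so that a command cannot push the device outside its intended function (E, the half-open valve tricked into opening fully). The following Python is an added example, not code from this article or from Azure IoT: it shows a device-side command handler that verifies an HMAC under the device's pre-shared key, rejects replayed commands through a monotonically increasing counter, checks that the issuer is authorized for the command, and enforces the valve's own calibration bounds regardless of what the controller asks for. The device id, issuer names, key, and limits are constructed placeholders; a real deployment would hold the key in a TPM or secure element as the table recommends, so that only the MAC, never the key, leaves the chip.

```python
import hashlib
import hmac
import json

# Constructed per-device pre-shared key (assumption: one key per device, never shared
# across devices, so that one extracted key does not impersonate the whole fleet).
DEVICE_KEYS = {"valve-17": bytes.fromhex("00" * 31 + "11")}
# Authorization scheme: which issuer may send which commands to which device.
AUTHZ = {("controller-a", "valve-17"): {"set_position"}}
# Calibration limits the device enforces locally, independent of any controller.
LIMITS = {"valve-17": {"set_position": (0, 50)}}   # percent open


def _canonical(body):
    """Stable byte encoding so controller and device MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_for(key, body):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def sign_command(key, body):
    """Controller side: attach an HMAC over the canonical body."""
    return dict(body, mac=mac_for(key, body))


def make_command(key, counter, value, issuer="controller-a", device="valve-17"):
    return sign_command(key, {"device": device, "issuer": issuer, "counter": counter,
                              "command": "set_position", "value": value})


class Device:
    def __init__(self, device_id):
        self.device_id = device_id
        self.key = DEVICE_KEYS[device_id]
        self.last_counter = 0
        self.position = 0

    def handle(self, msg):
        body = {k: v for k, v in msg.items() if k != "mac"}
        # T: integrity and authenticity first; constant-time compare of the MACs.
        if not hmac.compare_digest(msg.get("mac", ""), mac_for(self.key, body)):
            return "reject: bad mac"
        # S: the command must be addressed to this device's identity.
        if body.get("device") != self.device_id:
            return "reject: wrong device"
        # R: a captured command cannot be replayed because the counter must advance.
        if body.get("counter", 0) <= self.last_counter:
            return "reject: replay"
        # E: the issuer must be authorized for this command on this device.
        allowed = AUTHZ.get((body.get("issuer"), self.device_id), set())
        if body.get("command") not in allowed:
            return "reject: unauthorized"
        # E: the device enforces its own calibration bounds whatever the command says.
        lo, hi = LIMITS[self.device_id][body["command"]]
        if not lo <= body.get("value", lo - 1) <= hi:
            return "reject: out of bounds"
        self.last_counter = body["counter"]
        self.position = body["value"]
        return "ok"


def demo():
    """Run constructed commands through one device and collect the decisions."""
    key = DEVICE_KEYS["valve-17"]
    dev = Device("valve-17")
    good = make_command(key, 1, 40)
    tampered = dict(good, value=45)   # value altered after signing
    return {
        "ok": dev.handle(good),
        "replay": dev.handle(good),
        "tampered": dev.handle(tampered),
        "out_of_bounds": dev.handle(make_command(key, 2, 100)),
        "unauthorized": dev.handle(make_command(key, 2, 30, issuer="intruder")),
        "second_ok": dev.handle(make_command(key, 2, 30)),
        "position": dev.position,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:14} {outcome}")
```

The order of checks matters: the MAC is verified before any field is trusted, and a rejected command never advances the counter, so a failed attempt cannot be used to desynchronize a legitimate controller.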

Communication

There are also threats around the communication paths between devices, between devices and field gateways, and between devices and the cloud gateway. The following table has some guidance around open sockets on the device/VPN:

| Component | Threat | Mitigation | Risk | Implementation |
|---|---|---|---|---|
| Device to IoT Hub | TID | (D)TLS (PSK/RSA) to encrypt the traffic | Eavesdropping on or interfering with the communication between the device and the gateway | Security on the protocol level. With custom protocols, you need to figure out how to protect them. In most cases, the communication takes place from the device to the IoT Hub (the device initiates the connection). |
| Device to device | TID | (D)TLS (PSK/RSA) to encrypt the traffic. | Reading data in transit between devices. Tampering with the data. Overloading the device with new connections. | Security on the protocol level (MQTT/AMQP/HTTP/CoAP). With custom protocols, you need to figure out how to protect them. The mitigation for the DoS threat is to peer devices through a cloud or field gateway and have them act only as clients towards the network. The peering may result in a direct connection between the peers after having been brokered by the gateway. |
| External entity to device | TID | Strong pairing of the external entity to the device | Eavesdropping on the connection to the device. Interfering with the communication with the device. | Securely pairing the external entity to the device (NFC/Bluetooth LE). Controlling the operational panel of the device (physical). |
| Field gateway to cloud gateway | TID | TLS (PSK/RSA) to encrypt the traffic. | Eavesdropping on or interfering with the communication between the device and the gateway | Security on the protocol level (MQTT/AMQP/HTTP/CoAP). With custom protocols, you need to figure out how to protect them. |
| Device to cloud gateway | TID | TLS (PSK/RSA) to encrypt the traffic. | Eavesdropping on or interfering with the communication between the device and the gateway | Security on the protocol level (MQTT/AMQP/HTTP/CoAP). With custom protocols, you need to figure out how to protect them. |

Here are some examples of threats in this category:

Denial of Service: Constrained devices are generally under DoS threat when they actively listen for inbound connections or unsolicited datagrams on a network, because an attacker can open many connections in parallel and not service them or service them slowly, or the device can be flooded with unsolicited traffic. In both cases, the device can effectively be rendered inoperable on the network.

Spoofing, Information Disclosure: Constrained devices and special-purpose devices often have one-for-all security facilities like password or PIN protection, or they wholly rely on trusting the network, meaning they grant access to information when a device is on the same network, and that network is often only protected by a shared key. That means that when the shared secret to the device or network is disclosed, it is possible to control the device or observe data emitted from the device.

Spoofing: An attacker may intercept or partially override the broadcast and spoof the originator (man in the middle).

Tampering: An attacker may intercept or partially override the broadcast and send false information.

Information Disclosure: An attacker may eavesdrop on a broadcast and obtain information without authorization.

Denial of Service: An attacker may jam the broadcast signal and deny information distribution.
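As an added illustration (not part of the original article and not Microsoft SDK code), the following Python contrasts the two client-side TLS configurations the table and the threat list describe: a device that encrypts but "trusts the network" (it never checks who it is talking to, so a disclosed shared secret or a spoofed gateway goes unnoticed), and a device that initiates a TLS 1.2+ connection to the hub, verifies the gateway's certificate chain and hostname, and presents its own per-device certificate. The hostname, port and credential paths are placeholders; the device-initiated, client-only design is the DoS mitigation from the table, since the device listens on nothing.

```python
import socket
import ssl

# Constructed placeholders: a deployment substitutes its own hub endpoint and
# the credential files provisioned onto the device.
HUB_HOST = "iot-hub.example.invalid"      # placeholder hostname
HUB_PORT = 8883                           # assumed: MQTT over TLS
HUB_CA_BUNDLE = "/path/to/hub-ca.pem"     # placeholder CA bundle path
DEVICE_CERT = "/path/to/device.crt"       # placeholder device certificate
DEVICE_KEY = "/path/to/device.key"        # placeholder device private key


def network_trust_context() -> ssl.SSLContext:
    """The 'trust the network' anti-pattern from the threat list above.

    Traffic is encrypted, but the device never verifies the peer, so anyone
    who can reach it on the network can stand in for the gateway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def device_client_context(ca_bundle=None, device_cert=None,
                          device_key=None) -> ssl.SSLContext:
    """Client-only context for a device that initiates the connection to the hub.

    - TLS 1.2 or newer only.
    - The gateway certificate must chain to a trusted CA and match the hostname.
    - Optional device certificate for mutual authentication (a per-device
      credential instead of one shared network secret).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # pin to the hub's CA
    else:
        ctx.load_default_certs()                      # fall back to system store
    if device_cert and device_key:
        ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check a device can run before opening any socket."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def min_tls_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def connect_to_hub(host: str, port: int, ctx: ssl.SSLContext,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Outbound, client-initiated connection: the device never listens."""
    if not context_is_hardened(ctx):
        raise ValueError("refusing to connect with an unverified TLS context")
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Uses the system trust store so it runs without the placeholder files.
    ctx = device_client_context()
    print("hardened:", context_is_hardened(ctx), min_tls_version_name(ctx))
    print("network-trust context hardened:",
          context_is_hardened(network_trust_context()))
```

The pre-flight check is deliberately separate from the connection so firmware can fail closed at boot, before any network traffic, if a build or configuration change has weakened the context.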

Storage

Every device and field gateway has some form of storage (temporary storage for queuing the data, operating system (OS) image storage).

| Component | Threat | Mitigation | Risk | Implementation |
|---|---|---|---|---|
| Device storage | TRID | Storage encryption, signing the logs | Reading data from the storage (PII data), tampering with telemetry data. Tampering with queued or cached command control data. Tampering with configuration or firmware update packages while cached or queued locally can lead to the OS and/or system components being compromised. | Encryption, message authentication code (MAC), or digital signature. Where possible, strong access control through resource access control lists (ACLs) or permissions. |
| Device OS image | TRID | | Tampering with the OS / replacing OS components | Read-only OS partition, signed OS image, encryption |
| Field Gateway storage (queuing the data) | TRID | Storage encryption, signing the logs | Reading data from the storage (PII data), tampering with telemetry data, tampering with queued or cached command control data. Tampering with configuration or firmware update packages (destined for devices or the field gateway) while cached or queued locally can lead to the OS and/or system components being compromised. | BitLocker |
| Field Gateway OS image | TRID | | Tampering with the OS / replacing OS components | Read-only OS partition, signed OS image, encryption |
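The storage table prescribes a MAC or digital signature over queued command-control and telemetry data. The following Python is an added example (not the article's own code and not a Microsoft library) of the MAC option: each record a device caches on flash carries an HMAC-SHA256 tag and a monotonic sequence number, so a record that was edited, dropped, or reordered while queued is rejected on dequeue instead of being executed. The key is a constructed value; a real device would obtain it from a secure element or the OS keystore, and the tag is verified before the untrusted bytes are parsed.

```python
import hashlib
import hmac
import json

# Constructed example key. On a real device it would be provisioned into a
# secure element or OS keystore, never hard-coded.
QUEUE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


class TamperedEntry(Exception):
    """Raised when a cached record fails its MAC or sequence check."""


class AuthenticatedQueue:
    """Command/telemetry queue whose stored records carry an HMAC-SHA256 tag
    and a monotonic sequence number.

    Each record is one line of canonical JSON, a tab, and the tag, so it can be
    appended to a file on flash. Only a holder of the key can produce a valid
    tag, so editing, dropping, or reordering cached records is detected.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records = []       # what would be persisted to storage
        self._next_seq = 0      # assigned on enqueue
        self._expect_seq = 0    # checked on dequeue

    def _canonical(self, seq: int, payload: dict) -> bytes:
        # sort_keys + fixed separators give one byte string per logical record
        return json.dumps({"seq": seq, "payload": payload},
                          sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest().encode()

    def enqueue(self, payload: dict) -> bytes:
        data = self._canonical(self._next_seq, payload)
        record = data + b"\t" + self._tag(data)
        self.records.append(record)
        self._next_seq += 1
        return record

    def dequeue(self) -> dict:
        record = self.records.pop(0)
        data, _, tag = record.rpartition(b"\t")
        # Constant-time comparison, and verify BEFORE parsing untrusted bytes.
        if not hmac.compare_digest(self._tag(data), tag):
            raise TamperedEntry("MAC mismatch: record modified in storage")
        obj = json.loads(data)
        if obj["seq"] != self._expect_seq:
            raise TamperedEntry(
                f"sequence gap: expected {self._expect_seq}, got {obj['seq']}")
        self._expect_seq += 1
        return obj["payload"]


def demo() -> dict:
    """Runs three scenarios and reports what the queue detected."""
    results = {}

    # 1. Untouched storage: records come back intact and in order.
    q = AuthenticatedQueue(QUEUE_KEY)
    q.enqueue({"op": "set_setpoint", "value": 21.5})
    q.enqueue({"op": "reboot"})
    results["first_ok"] = q.dequeue() == {"op": "set_setpoint", "value": 21.5}

    # 2. Simulated at-rest tampering: the cached command is edited on flash.
    q.records[0] = q.records[0].replace(b"reboot", b"factory_reset")
    try:
        q.dequeue()
        results["edit_detected"] = False
    except TamperedEntry:
        results["edit_detected"] = True

    # 3. Simulated record deletion: the first queued command is removed so the
    #    device would otherwise silently skip it.
    q2 = AuthenticatedQueue(QUEUE_KEY)
    q2.enqueue({"op": "disable_alarm"})
    q2.enqueue({"op": "open_valve"})
    del q2.records[0]
    try:
        q2.dequeue()
        results["drop_detected"] = False
    except TamperedEntry:
        results["drop_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A MAC only proves that the record was written by a holder of the device's key; for firmware and configuration packages that arrive from outside the device, the table's other option, a digital signature verified against the vendor's public key, is the right tool, because the device then holds no secret whose disclosure would let an attacker forge packages.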

Device and event processing/cloud gateway zone

A cloud gateway is a system that enables remote communication from and to devices or field gateways from several different sites across public network space, typically towards a cloud-based control and data analysis system, or a federation of such systems. In some cases, a cloud gateway may immediately facilitate access to special-purpose devices from terminals such as tablets or phones. In the context discussed here, "cloud" refers to a dedicated data processing system that is not bound to the same site as the attached devices or field gateways, and where operational measures prevent targeted physical access; it is not necessarily a "public cloud" infrastructure. A cloud gateway may potentially be mapped into a network virtualization overlay to insulate the cloud gateway and all of its attached devices or field gateways from any other network traffic. The cloud gateway itself is not a device control system or a processing or storage facility for device data; those facilities interface with the cloud gateway. The cloud gateway zone includes the cloud gateway itself along with all field gateways and devices directly or indirectly attached to it.

A cloud gateway is mostly a custom-built piece of software running as a service with exposed endpoints to which field gateways and devices connect. As such, it must be designed with security in mind. Follow the SDL process for designing and building this service.

Services zone

A control system (or controller) is a software solution that interfaces with a device, a field gateway, or a cloud gateway for the purpose of controlling one or multiple devices and/or to collect, store, and/or analyze device data for presentation or subsequent control purposes. Control systems are the only entities in the scope of this discussion that may immediately facilitate interaction with people. The exceptions are intermediate physical control surfaces on devices, like a switch that allows a person to turn off the device or change other properties, for which there is no functional equivalent that can be accessed digitally.

Intermediate physical control surfaces are those where governing logic constrains the function of the physical control surface such that an equivalent function can be initiated remotely or input conflicts with remote input can be avoided; such intermediated control surfaces are conceptually attached to a local control system that leverages the same underlying functionality as any other remote control system that the device may be attached to in parallel. Top threats to cloud computing can be read on the Cloud Security Alliance (CSA) page.

Additional resources

For more information, see the following articles:

See also

To learn more about securing your IoT solution, see Secure your IoT deployment.

To further explore the capabilities of IoT Hub, see: