Security best practices for Internet of Things (IoT)

Securing an Internet of Things (IoT) infrastructure requires a rigorous security-in-depth strategy. This strategy requires you to secure data in the cloud, protect data integrity while in transit over the public internet, and securely provision devices. Each layer builds greater security assurance in the overall infrastructure.

Secure an IoT infrastructure

This security-in-depth strategy can be developed and executed with the active participation of the various players involved in the manufacturing, development, and deployment of IoT devices and infrastructure. The following is a high-level description of these players.

  • IoT hardware manufacturer/integrator: Typically, these players are the manufacturers of the IoT hardware being deployed, integrators assembling hardware from various manufacturers, or suppliers providing hardware for an IoT deployment manufactured or integrated by other suppliers.

  • IoT solution developer: The development of an IoT solution is typically done by a solution developer. This developer may be part of an in-house team or a system integrator (SI) specializing in this activity. The IoT solution developer can develop the various components of the IoT solution from scratch, integrate various off-the-shelf or open-source components, or adopt solution accelerators with minor adaptation.

  • IoT solution deployer: After an IoT solution is developed, it needs to be deployed in the field. This process involves deployment of hardware, interconnection of devices, and deployment of solutions on hardware devices or in the cloud.

  • IoT solution operator: After the IoT solution is deployed, it requires long-term operations, monitoring, upgrades, and maintenance. These tasks can be done by an in-house team that comprises information technology specialists, hardware operations and maintenance teams, and domain specialists who monitor the correct behavior of the overall IoT infrastructure.

The sections that follow provide best practices for each of these players to help develop, deploy, and operate a secure IoT infrastructure.

IoT hardware manufacturer/integrator

The following are the best practices for IoT hardware manufacturers and hardware integrators.

  • Scope hardware to minimum requirements: The hardware design should include the minimum features required for operation of the hardware, and nothing more. An example is to include USB ports only if they are necessary for the operation of the device. Additional features open the device to unwanted attack vectors and should be avoided.
  • Make hardware tamper proof: Build in mechanisms to detect physical tampering, such as opening of the device cover or removal of a part of the device. These tamper signals may be part of the data stream uploaded to the cloud, which can alert operators to these events.
  • Build around secure hardware: If the cost of goods sold (COGS) permits, build in security features such as secure and encrypted storage, or boot functionality based on a Trusted Platform Module (TPM). These features make devices more secure and help protect the overall IoT infrastructure.
  • Make upgrades secure: Firmware upgrades during the lifetime of the device are inevitable. Building devices with secure paths for upgrades and cryptographic assurance of firmware versions allows the device to remain secure during and after upgrades.
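The "Make upgrades secure" practice above, as an added example that is not from the original page: a device-side update check that authenticates a firmware manifest, verifies the image against the digest in the manifest, and rejects version rollback. The verification key, device model, manifest layout and firmware bytes are all constructed placeholders; the HMAC tag stands in for the signature a real device would verify with a key held in secure storage such as a TPM.

```python
import hashlib
import hmac
import json

# Constructed placeholder: on a real device this key lives in secure/encrypted
# storage and the manifest carries an asymmetric signature instead of an HMAC tag.
DEVICE_VERIFY_KEY = b"placeholder-device-verification-key"


def canonical_manifest(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Compute the authentication tag over the canonical manifest bytes."""
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, image: bytes,
                  installed_version: int, key: bytes) -> tuple:
    """Accept an update only if the manifest authenticates, the image matches the
    manifest digest, and the version is newer than the installed one (anti-rollback).
    Returns (accepted, reason)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"
    if manifest["version"] <= installed_version:
        return False, "rollback rejected"
    return True, "ok"


# Constructed sample update: a version-2 image and its signed manifest.
FIRMWARE_IMAGE = b"constructed firmware image, version 2"
MANIFEST = {
    "device_model": "example-sensor",          # placeholder model name
    "version": 2,
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}
MANIFEST_TAG = sign_manifest(MANIFEST, DEVICE_VERIFY_KEY)

if __name__ == "__main__":
    print(verify_update(MANIFEST, MANIFEST_TAG, FIRMWARE_IMAGE, 1, DEVICE_VERIFY_KEY))
    # A modified image fails the digest check even though the manifest is authentic.
    print(verify_update(MANIFEST, MANIFEST_TAG, FIRMWARE_IMAGE + b"x", 1, DEVICE_VERIFY_KEY))
    # The same authentic manifest is refused once version 2 is already installed.
    print(verify_update(MANIFEST, MANIFEST_TAG, FIRMWARE_IMAGE, 2, DEVICE_VERIFY_KEY))
```

Because the version number is covered by the tag, an attacker cannot simply edit the manifest to present an older image as an upgrade; the edited manifest fails authentication before the version is even compared.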

IoT solution developer

The following are the best practices for IoT solution developers:

  • Follow a secure software development methodology: Developing secure software requires ground-up thinking about security, from the inception of the project all the way through its implementation, testing, and deployment. The choices of platforms, languages, and tools are all influenced by this methodology. The Microsoft Security Development Lifecycle provides a step-by-step approach to building secure software.
  • Choose open-source software with care: Open-source software provides an opportunity to develop solutions quickly. When you're choosing open-source software, consider the activity level of the community for each open-source component. An active community ensures that the software is supported and that issues are discovered and addressed. By contrast, an obscure and inactive open-source project might not be supported, and its issues are not likely to be discovered.
  • Integrate with care: Many software security flaws exist at the boundary of libraries and APIs. Functionality that is not required for the current deployment might still be reachable through an API layer. To ensure overall security, make sure to check all interfaces of the components being integrated for security flaws.

IoT solution deployer

The following are the best practices for IoT solution deployers:

  • Deploy hardware securely: IoT deployments may require hardware to be placed in insecure locations, such as public spaces or unsupervised sites. In such situations, ensure that the hardware deployment is tamper-proof to the maximum extent possible. If USB or other ports are present on the hardware, ensure that they are covered securely, because many attack vectors use such ports as entry points.
  • Keep authentication keys safe: During deployment, each device requires a device ID and associated authentication keys generated by the cloud service. Keep these keys physically safe even after deployment. Any compromised key can be used by a malicious device to masquerade as an existing device.

IoT solution operator

The following are the best practices for IoT solution operators:

  • Keep the system up to date: Ensure that device operating systems and all device drivers are upgraded to the latest versions. If you turn on automatic updates in Windows 10 (IoT or other SKUs), Microsoft keeps it up to date, providing a secure operating system for IoT devices. Keeping other operating systems (such as Linux) up to date helps ensure that they are also protected against malicious attacks.
  • Protect against malicious activity: If the operating system permits, install the latest antivirus and antimalware capabilities on each device operating system. This practice can help mitigate most external threats. You can protect most modern operating systems against threats by taking appropriate steps.
  • Audit frequently: Auditing the IoT infrastructure for security-related issues is key when responding to security incidents. Most operating systems provide built-in event logging, which should be reviewed frequently to make sure no security breach has occurred. Audit information can be sent as a separate telemetry stream to the cloud service, where it can be analyzed.
  • Physically protect the IoT infrastructure: The worst security attacks against IoT infrastructure are launched using physical access to devices. One important security practice is to protect against malicious use of USB ports and other physical access. One key to uncovering breaches that might have occurred is logging of physical access, such as USB port use. Again, Windows 10 (IoT and other SKUs) enables detailed logging of these events.
  • Protect cloud credentials: Cloud authentication credentials used for configuring and operating an IoT deployment are possibly the easiest way to gain access to and compromise an IoT system. Protect the credentials by changing the password frequently, and refrain from using these credentials on public machines.

The capabilities of IoT devices vary. Some devices might be computers running common desktop operating systems, and some might run very lightweight operating systems. The security best practices described above apply to these devices in varying degrees. If the manufacturers of these devices provide additional security and deployment best practices, they should be followed.

Some legacy and constrained devices might not have been designed specifically for IoT deployment. These devices might lack the capability to encrypt data, connect to the Internet, or provide advanced auditing. In these cases, a modern and secure field gateway can aggregate data from legacy devices and provide the security required for connecting these devices over the Internet. Field gateways can provide secure authentication, negotiation of encrypted sessions, receipt of commands from the cloud, and many other security features.

See also

To learn more about securing your IoT solution, see:

To further explore the capabilities of IoT Hub, see: