Course Outline

Session 1 & 2: Basic and Advanced concepts of IoT architecture from security perspective

  • A brief history of evolution of IoT technologies
  • Data models in  IoT system – definition and architecture of sensors, actuators, device, gateway, communication protocols
  • Third party devices and risk associated with vendors supply chain
  • Technology ecosystem – device providers, gateway providers, analytics providers, platform providers, system integrator -risk associated with all the providers
  • Edge driven distributed IoT vs Cloud driven central IoT : Advantage vs risk assessment
  • Management layers in IoT system – Fleet management, asset management, Onboarding/Deboarding of sensors , Digital Twins. Risk of Authorizations in management layers
  •  Demo of IoT management systems- AWS, Microsoft Azure and Other Fleet managers
  •  Introduction to popular IoT communication protocols – Zigbee/NB-IoT/5G/LORA/Witespec – review of vulnerability in communication protocol layers
  • Understanding the entire Technology stack of IoT with a review of Risk management

Session 3: A check-list of all risks and security issues in IoT

  • Firmware Patching- the soft belly of IoT
  • Detailed review of security of IoT communication protocols- Transport layers ( NB-IoT, 4G, 5G, LORA, Zigbee etc. ) and Application Layers – MQTT, Web Socket etc.
  • Vulnerability of API end points -list of all possible API in IoT architecture
  • Vulnerability of Gate way devices and Services
  • Vulnerability of connected sensors -Gateway communication
  • Vulnerability of Gateway- Server communication
  • Vulnerability of Cloud Database services in IoT
  • Vulnerability of Application Layers
  • Vulnerability of Gateway management service- Local and Cloud based
  • Risk of log management in edge and non-edge architecture

Session 4: OSASP Model of IoT security , Top 10  security risk

  • I1 Insecure Web Interface
  • I2 Insufficient Authentication/Authorization
  • I3 Insecure Network Services
  • I4 Lack of Transport Encryption
  • I5 Privacy Concerns
  • I6 Insecure Cloud Interface
  • I7 Insecure Mobile Interface
  • I8 Insufficient Security Configurability
  • I9 Insecure Software/Firmware
  • I10 Poor Physical Security

Session 5: Review and Demo of AWS-IoT and Azure IoT security principle

  • Microsoft Threat Model – STRIDE
  • Details of STRIDE Model
  • Security device and gateway and server communication – Asymmetric encryption
  • X.509 certification for Public key distribution
  • SAS Keys
  • Bulk OTA risks and techniques
  • API security for application portals
  • Deactivation and delinking of rogue device from the system
  • Vulnerability of AWS/Azure Security principles

Session 6: Review of evolving NIST standards/recommendation for IoT

  • Review of NISTIR 8228 standard for IoT security -30 point risk consideration Model
  • Third party device integration and identification
  • Service identification & tracking
  • Hardware identification & tracking
  • Communication session identification
  • Management transaction identification and logging
  • Log management and tracking

Session 7: Securing Firmware/ Device

  • Securing debugging mode in a Firmware
  • Physical Security of hardware
  • Hardware cryptography – PUF ( Physically Unclonable Function) -securing EPROM
  • Public PUF, PPUF
  • Nano PUF
  • Known classification of Malwares in Firmware ( 18 families according to YARA rule )
  • Study of some of the popular Firmware Malware -MIRAI, BrickerBot, GoScanSSH, Hydra etc.

Session 8: Case Studies of IoT Attacks

  • Oct. 21, 2016, a huge DDoS attack was deployed against Dyn DNS servers and shut down many web services including Twitter . Hackers exploited default passwords and user names of webcams and other IoT devices, and installed the Mirai botnet  on compromised IoT devices.  This attack will be studied in detail
  • IP cameras can be hacked through buffer overflow attacks
  • Philips Hue lightbulbs were hacked through its ZigBee link protocol
  • SQL injection attacks were effective against Belkin IoT devices
  • Cross-site scripting (XSS) attacks that exploited the Belkin WeMo app and access data and resources that the app can access

Session 9: Securing Distributed IoT via Distributer Ledger – BlockChain and DAG (IOTA) [3 hours]

  • Distributed ledger technology– DAG Ledger, Hyper Ledger, BlockChain
  • PoW, PoS, Tangle – a comparison of the methods of consensus
  • Difference between Blockchain, DAG and Hyperledger – a comparison of their working vs performance vs decentralization
  • Real Time, offline performance of the different DLT system
  • P2P network, Private and Public Key- basic concepts
  • How ledger system is implemented practically- review of some research architecture
  • IOTA and Tangle- DLT for IoT
  • Some practical application examples from smart city, smart machines, smart cars

Session 10: The best practice architecture for IoT security

  • Tracking and identifying all the services in Gateways
  • Never use MAC address- use package id instead
  • Use identification hierarchy for devices- board ID, Device ID and package ID
  • Structure the Firmware Patching to perimeter and conforming to service ID
  • PUF for EPROM
  • Secure the risks of IoT management portals/applications by two layers of authentication
  • Secure all API- Define API testing and API management
  • Identification and integration of same security principle in Logistic Supply Chain
  • Minimize Patch vulnerability of IoT communication Protocols

Session 11: Drafting IoT security Policy for your organization

  • Define the lexicon of IoT security / Tensions
  • Suggest the best practice for authentication, identification, authorization
  • Identification and ranking of Critical Assets
  • Identification of perimeters and isolation for application
  • Policy for securing critical assets, critical information and privacy data  



  • Basic knowledge devices, electronics systems and data systems
  • Basic understanding of software and systems
  • Basic understanding of Statistics (in Excel levels)
  • Understanding of Telecommunication Verticals


  • An advanced training program covering the current state of the art security of Internet of Things
  • Covers all aspect of  security of Firmware , Middleware and IoT communication protocols 
  • The course provides a 360 degree view of all kinds of security initiatives in IoT domain for those who are not deeply familiar with IoT standards, evolution and future
  • Deeper probe into security vulnerabilities in Firmware, Wireless communication protocols,  device to cloud communication.
  • Cutting across multiple technology domains to develop awareness of security in  IoT systems and its components
  • Live demo of some of the security aspects of gateways, sensors and IoT application clouds
  • The course also explains 30 principle risk considerations of  current and proposed NIST standards for IoT security
  • OSWAP model for IoT security
  • Provides detailed guideline for drafting IoT security standards for an organization


Target Audience 

Engineers/managers/security experts who are assigned to develop IoT projects or audit/review security risks.

 21 Hours

Testimonials (1)

Related Categories