
Project Acronym: SecureIoT
Grant Agreement number: 779899 (H2020-IoT03-2017 - RIA)
Project Full Title: Predictive Security for IoT Platforms and Networks of Smart Objects

DELIVERABLE D2.4 – Architecture and Technical Specifications

Deliverable Number: D2.4
Deliverable Name: Architecture and Technical Specifications
Dissemination level: Public
Type of Document: Report
Contractual date of delivery: 30/09/2018
Deliverable Leader: AIT
Status & version: V1.00
WP / Task responsible: WP2(FUJITSU) / Task T2.4(AIT)
Keywords: Security, Architecture, Probes, Data Collection, Security Monitoring

Abstract (few lines): This deliverable presents the first version of the architecture of the SecureIoT security monitoring platforms. The architecture is primarily presented in terms of a logical view, which includes its main components and the interactions between them. Other views (implementation, process, deployment) are also discussed, while early examples on how this architecture can be used for implementing the project’s use cases are given.

Deliverable Leader: Athens Information Technology (John Soldatos, Sofoklis Efremidis)
Contributors: Daniel Calvo (ATOS), George Moldovan (SIEMENS), David Evans (IDIADA), Nikos Kefalakis (INTRA), Jérôme François (INRIA), Abdelkader Lahmadi (INRIA), David Schubert (Its-OWL), Sofianna Menesidou (UBI), Sofoklis Kyriazakos (iSprint), Pouyan Ziafati (LuxAI)
Reviewers: Giannis Ledakis (SiLO), Nechifor, Cosmin-Septimiu (SIEMENS)
Approved by: George Koutalieris (INTRA)

This document is part of a project that has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 779899. It is the property of the SecureIoT consortium and shall not be distributed or reproduced without the formal approval of the SecureIoT Management Committee.
D2.4 – Architecture and Technical Specification of SecureIoT Services Version: v1.0 - Final, Date 30/09/2018

Executive Summary

This deliverable introduces the SecureIoT architecture for the security of IoT systems. The architecture is presented as a set of modules, along with the structuring principles that drive their integration in an IoT security system that emphasizes security monitoring, security analytics and security automation. In order to define these modules and their structuring principles, SecureIoT has taken into account a number of reference architectures for IoT systems (like RAMI4.0 and the Reference Architecture of the Industrial Internet Consortium), as well as related security frameworks (such as the Industrial Internet Security Framework). The reference IoT architectures have been exploited as a means of understanding the structure of the IoT systems to be monitored and protected, while the security frameworks have been used as a basis for defining building blocks for security data collection and analysis, as well as security monitoring and automation.

The SecureIoT architecture is a data-driven architecture, which is defined as an overlay layer that protects all assets of an IoT system. It collects security-related information for IoT devices through a number of probes, while at the same time analyzing this information in order to identify abnormal behaviors and instigate alerts or invoke security automation functions. The architecture specifies a powerful “templates” mechanism, which allows for the characterization and identification of abnormal or suspicious behaviors, based on the execution of advanced data analytics algorithms over the security-related data that are collected from the various probes. It also provides the means for customizing and contextualizing the various templates according to the status of the IoT system that is being protected.
Furthermore, the SecureIoT architecture introduces an IoT security knowledge base component, which can be used to match identified abnormal or suspicious behaviors with known vulnerabilities or attacks. The architecture also provides the means for collecting and analyzing information from different IoT devices and platforms, based on appropriate probes and a common modelling of the security-related information regardless of the platform for which it is collected. As such, it can also support monitoring and protection of IoT systems and applications that span multiple platforms, as part of security interoperability scenarios. This is in line with one of the main objectives of the project, which is to support security for applications that span multiple, diverse IoT platforms.

As part of the deliverable, the various components of the SecureIoT architecture are described along with the interactions and information flows between them. To this end, the architecture is introduced in terms not only of its logical viewpoint, but also of its process viewpoint. Furthermore, development and physical deployment aspects are briefly discussed, as part of the 4+1 views approach to introducing the SecureIoT architecture.

Based on the SecureIoT architecture, the project will create an IoT security platform which will be used to support the project’s services and use cases. This platform will expose a set of APIs to developers and deployers of IoT security services. These APIs are briefly outlined in the deliverable, along with the structure of the SECaaS (Security as a Service) services that will make use of them, notably risk assessment, compliance auditing and developers support services.

Project Title: SecureIoT Contract No. 779899 Project Coordinator: INTRASOFT International S.A.
It is also discussed how the SecureIoT architecture can be used to produce alerts and notifications as part of a security monitoring system. Moreover, the present deliverable provides some early insights on the technologies and frameworks that will be exploited towards implementing the SecureIoT platform in line with the introduced architecture.

As part of the deliverable we also illustrate the high-level structure of the security systems that will support the project’s use cases. The design of these systems will be detailed and elaborated as part of WP6 of the project. Nevertheless, this early mapping has been performed as a vehicle for confronting the use case requirements against the capabilities and functionalities that are offered by the SecureIoT architecture. Moreover, it boosts adherence to the 4+1 methodology that has been selected as a vehicle for presenting the SecureIoT architecture.

Overall, the present deliverable provides insights on the structure and main components of SecureIoT compliant security systems. It can therefore serve as a blueprint for the integration of IoT security services and use cases in the scope of WP5 and WP6 respectively. However, the security components of the architecture will be specified in detail and accordingly implemented as part of WP3 (dealing with the data collection components) and WP4 (dealing with the security analytics components).

Note also that the present deliverable provides the first version of the architecture. A second and final version will also be delivered in M18 of the project as part of deliverable D2.5. The final version of the architecture will enhance and fine-tune the one introduced in this deliverable in order to meet new and updated requirements. It will also incorporate feedback from the actual deployment and use of the architecture in WP5 and WP6 of the project.
Document History

Version | Date | Contributor(s) | Description
V0.11 | 16/05/2018 | Sofoklis Efremidis (AIT) | Initial Structure
V0.14 | 11/06/2018 | John Soldatos (AIT) | Revisions following discussions during the Bilbao Meeting
V0.15 | 29/06/2018 | John Soldatos (AIT) | Information about the scope and methodology
V0.16 | 03/07/2018 | Sofianna Menesidou (UBI) | Inputs in Section 2
V0.20 | 04/07/2018 | John Soldatos (AIT), Sofoklis Efremidis (AIT) | Updated Structure based on comments on released version
V0.21 | 19/07/2018 | John Soldatos (AIT) | First Draft of Section 3 (Logical View of the SecureIoT architecture)
V0.23 | 17/08/2018 | Daniel Calvo (ATOS) | Analysis of IoT RAs: IoT-A, ISO/IEC 30141 and IDS. Analysis of FIWARE IoT platform
V0.24 | 20/08/2018 | John Soldatos (AIT) | Updates to Section 3
V0.25 | 21/08/2018 | John Soldatos (AIT) | Inputs to Section 5 on implementation technologies for probes and data routing
V0.26 | 29/08/2018 | Sofianna Menesidou (UBI) | Inputs in Sub-Section 4.2
V0.27 | 05/09/2018 | David Evans (IDIADA) | Connected Cars Use Cases, Section 6
V0.28 | 05/09/2018 | John Soldatos (AIT) | Inputs on RAMI V4.0
V0.30 | 06/09/2018 | John Soldatos, Sofoklis Efremidis (AIT) | Enhancements to Section 2
V0.32 | 10/09/2018 | Daniel Calvo (ATOS) | Connected Cars Use Cases, Section 6
V0.33 | 13/09/2018 | Jérôme François (Inria), Abdelkader Lahmadi (Inria) | Security Knowledge Base Inputs in Sections 4 & 5
V0.34 | 13/09/2018 | David Schubert (Its-OWL) | Inputs to Section 6.1
V0.35 | 14/09/2018 | John Soldatos (AIT) | Addition of Information in Section 2 and editing
V0.36 | 15/09/2018 | Nechifor, Cosmin-Septimiu (SIEMENS) | Inputs to Section 2
V0.37 | 17/09/2018 | Pouyan Ziafati (LuxAI) | Description of LuxAI Use Case Architecture in Section 6