This course, taught from the perspective of a CISO or a senior director in either a security or engineering organization, will focus on the information required to design and implement an IoT product security program. The topics discussed in this course will apply to any information security program trying to understand how to securely handle IoT, IIoT, ICS, and OT technology within the enterprise. By understanding the underlying security concerns of designing and manufacturing IoT devices, security practitioners will be better equipped to secure these devices within their environments.
The IoT security field is maturing and changing at an incredible rate. At the same time, IoT is expanding into our everyday lives and will continue to have an increasing impact on how we live our lives. Threat actors understand this and see the immature industry as an opportunity to do evil.
This class is designed for senior-level security professionals and assumes the learner has knowledge of advanced security concepts, experience leading security or engineering organizations, and is comfortable with business risk and governance concepts. The class is organized in a way to help organizations stand up an IoT product security program; however, any learner with a desire to understand how to apply cyber security principles to IoT security will benefit from the material in this class.
This class takes a deep technical dive into designing and establishing a secure foundation of trust within the IoT device and ecosystem architecture. It examines roots of trust, anchors of trust, secure boot, and managed boot, with an in-depth discussion of secure elements and hardware roots of trust, including TEE, TPM, HSM, and DICE. It discusses the steps an organization can take to develop a product security program to address IoT security, including factors of success, reporting structures, and which elements of the existing information security program can be incorporated and enhanced for product security. This class discusses how an organization can proactively develop tools to address IoT vulnerabilities, such as an enterprise vulnerability disclosure program built on bug bounties and responsible disclosure. It discusses hot topics such as third-party risk, IoT physical and logical security, OTA patching, architecture frameworks, and IoT manufacturing considerations in foreign markets. The class will identify secure IoT device provisioning and manufacturing practices, including a robust examination of security considerations for chip manufacturers, IoT device OEMs, and contract manufacturers. This class also discusses relevant legal and regulatory changes affecting the global IoT market and steps organizations should consider to meet the changing security and privacy environment. Lastly, this class uses real-world case studies and goes behind the news headlines to discuss how organizations can take steps today to avoid becoming tomorrow's next Internet meme.
Prerequisites
This course assumes the learner has a strong foundation of security engineering concepts, security management practices, and business leadership principles and can apply these concepts in a leadership capacity.
Course Goals
By the end of this course, students should be able to:
- Design and build a risk-based IoT product security program to securely develop, manufacture, deliver, and support IoT and Industrial IoT (IIoT) devices throughout their product lifecycle
- Understand what existing security program elements CISOs can leverage to implement an IoT product security program and identify the new elements that need to be added
- Identify principles of hardware roots of trust and develop an understanding of how to help guide product engineers to securely design IoT products
- Understand how to design secure elements and hardware roots of trust including TEE, TPM, HSM, and DICE
- Understand how CISOs should manage risk associated with existing IoT, IIoT, Industrial Control Systems (ICS), and Operational Technology (OT) systems within the context of their existing security program
- Learn how to create a Vulnerability Disclosure Program using tools such as bug bounties and responsible disclosure
- Understand how to secure IoT device provisioning and manufacturing practices, including a robust examination of security considerations for chip manufacturers, IoT device OEMs, and contract manufacturers
- Learn relevant legal and regulatory changes affecting the global IoT market, and identify steps organizations should consider to meet the changing security and privacy environment
- Apply security knowledge gained by study of CISSP, CISM, CRISC, etc. to the real-world scenarios contained in the course material and discussions