Smart light pole solutions

Author: Beijing border harmony

1. Background analysis of smart light poles

In the context of new infrastructure, 5G network construction will require a large number of base stations, and the demand for sensor deployment in smart cities under the "Internet of Everything" is equally urgent. Building smart light poles can effectively reduce the cost and increase the efficiency of overall city operation, and helps improve the efficiency of urban management. At present, national policy guidance strongly supports the research, development and application of smart light poles; Shenzhen, Shanghai and other cities have gradually launched pilot applications, and enterprises are actively investing in R&D to broaden industrial application scenarios and functions.

The smart light pole is an important part of smart city construction. It is a new type of information infrastructure that integrates a camera, advertising screen, charging pile, small base station and other functions, and can collect, publish and transmit data for lighting, public security, municipal services, meteorology, environmental protection, communications and other industries. At the same time, as an important part of Internet of Vehicles construction, cloud network construction and communication network construction in the 5G era, smart light poles will also be widely used.

2. Current situation analysis of smart light poles

2.1. Analysis of the composition of the lamp pole business

The intelligent street lamp control system consists of a software system and a hardware system, divided into four layers: the data acquisition layer, the communication layer, the application layer and the interaction layer. Through the cooperation of these layers it realizes application functions such as street lamp facility management, fault alarms, power monitoring and street lamp control. The smart lamp pole service therefore has definite requirements for the accuracy and timeliness of the front-end scene, and its operation is automated to a considerable degree, so a large number of IoT devices are used in the lamp pole business. The security of the devices in the lamp pole collection layer is consequently very important.

2.2. Analysis of the security status of lamp poles

Most of the front-end light pole data collection equipment sits unattended at the network boundary, basically has no security protection capability of its own, and presents many security risk points.

2.2.1 Smart light poles are deployed outdoors and unattended for long periods, so assets are easily connected to without authorization

Assets are replaced with inferior ones, accessed illegally, or tampered with without authorization (for example, electricity monitoring fails or collects incorrect data), resulting in economic losses.

2.2.2 Abnormal network behavior in the smart light pole system is difficult to discover, and illegal intrusion is difficult to prevent

When the lighting system is illegally intruded upon, normal lighting is disrupted and residents' lives are affected (for example, through real-time changes to the operating status of street lamps or to fault alarms), which can lead to safety accidents.

2.2.3 Hackers use scripts to find vulnerabilities in the smart lamp pole system and implant malware to manipulate street lights

Firmware vulnerabilities are used to implant control malware, which spreads laterally in large numbers in a short time and paralyzes the business (taking control of the entire light control system of the smart light poles).

2.2.4 The smart light pole system has backdoor or weak password vulnerabilities and is easily turned into a zombie host used by hackers

LED display images and surveillance videos are replaced with malicious negative content, which has an impact on society.

2.3. Smart lamp pole attack case

February 5, 2020 – Check Point Research, the threat intelligence arm of Check Point Software Technologies Inc., a leading global provider of cybersecurity solutions, today disclosed vulnerabilities that could be used by hackers to take over smart lights and their controllers in order to spread ransomware or other malware into smart pole systems. By analyzing the chip firmware of the smart street lamp, hackers found several possible vulnerabilities; through these vulnerabilities the smart lamp pole control system was quickly cracked, achieving remote control.

If criminals get into the system, the smart light poles of a block or even an entire city can be switched off suddenly, and sudden darkness at night can cause serious traffic accidents. At the same time, once a smart light pole is taken over, it can broadcast illegal information through sound and images, causing panic and riots. Worse, if poles are controlled in large numbers, the images they capture can be used for many illegal purposes, which may also lead to the leakage of traffic data and may seriously threaten public safety and even national security.

2.4. Smart light pole protection ideas

Analysis of the attack cases shows that the smart light pole cannot detect illegal access to its devices in time, so hackers can carry out network attacks through security vulnerabilities in the street lamps. Solving the security problems of smart light poles requires the following aspects to be considered:

2.4.1 Trusted terminal devices

It is necessary to consider hardening key equipment, and to be able to collect terminal traffic data from the smart light pole system and to monitor, protect, warn early and respond. End-to-end security linkage with the security operation center of the smart light poles should be implemented, with disposal strategies such as terminal network blocking applied within a reasonable scope, so that services such as the smart light pole security operation center and operators are security-enabled.

2.4.2 Trusted communication network

It is necessary to consider the secure and trusted communication capability of the transmission link, and to discover in time malicious remote control, viruses and other threats present in the smart light pole system network.

2.4.3 Trusted security boundary

It is necessary to consider meeting the boundary isolation, access control, intrusion prevention, security audit and IoT security extension requirements of the "cloud, pipe, edge and end" of smart light poles.

2.4.4 Trusted security operation center

It is necessary to consider the unified collection, classification and summarization of assets such as smart lamp pole systems, communication links, platforms and massive service security data; real-time monitoring and centralized auditing of the various network security incidents in business scenarios; and further mining of event correlations to identify security anomalies and potential security incidents. Threat events should be organically combined with smart light pole services, and the global security situation visualized through a situational awareness screen, turning security from invisible into visible.

3. The solution

3.1. Solution architecture

Our security team follows the smart light pole business architecture closely and deploys flexibly according to the distribution of equipment. The overall solution provides security protection at the terminal side, the edge, the core layer and the cloud, and continuously monitors possible security risks in the network in an all-round way.

1) The terminal side embeds a lightweight security core SDK that covers Linux, Android, RTOS and other operating systems and reaches the very end of the Internet of Things.

2) A perception layer security gateway is deployed at the edge to protect the front-end IoT devices. It supports 2G/3G/4G, RJ45 wired, LoRa, serial port and optical port communication methods, uses a low-power fanless design, and withstands complex outdoor environments with wide temperature and wide voltage ranges.

3) The core layer deploys a traffic security detection gateway that performs real-time security detection of IoT nodes and IoT services.

4) In the cloud, a centralized IoT security perception management platform, a traffic AI algorithm center and a cloud security library are built.

3.2. Introduction to solution functions

3.2.1 Asset discovery and inventory module

Based on real-time traffic analysis, the system automatically discovers the access devices in the smart light pole system, quickly identifies device information such as device type and manufacturer brand, and inventories assets according to device fingerprints such as IP and MAC address.

1) Terminal discovery and identification: Passive detection of terminal assets that report to the server side through an APN private network or Internet channels, and identification of devices according to their traffic characteristics and device information, including but not limited to device IP, MAC address, device number and terminal type.

2) Asset ledger: Displays the terminal assets found in the network, establishes the related asset ledgers, and provides management, query and export functions.

3.2.2 Asset access control and counterfeit detection module

After a smart light pole device is connected to the network, the system performs full-cycle security analysis of its behavior. When a device behaves abnormally, attacks, or is maliciously counterfeited or replaced, the system blocks its communication with the outside world and protects the security of the device and its data services.

1) Terminal access control: Controls the access of existing devices and newly connecting devices in the network, and ensures that terminal access can be controlled and handled under abnormal conditions based on the results of abnormal behavior analysis and attack detection.

2) Terminal access policy: Supports predefined access policies, namely allow-all and manual review, which can be applied flexibly according to the operation and maintenance situation in the network; also supports using the terminal type fingerprint as the access policy to meet the network access control needs of different types of terminals.

3) Terminal fingerprint generation: After the security probe discovers assets, the administrator can generate fingerprint information for specific devices, including but not limited to the device's IP address, device name, terminal type and traffic characteristics, and use the fingerprint as the device's unique identifier on the management platform.

4) Device fingerprint disabling: The administrator can manage the fingerprints of devices judged to be illegal access, unauthorized access, unsafe, or returned offline; if it is confirmed that they are not allowed to access the network again, the corresponding devices can be deleted or disabled.

5) Device counterfeiting monitoring: If an illegal asset connects to the network by forging the IP/MAC of a real asset, the security supervision platform displays the terminal as counterfeit and raises an alarm once it is detected. It also provides a detailed full-cycle audit of IP usage, recording in detail the periods during which each MAC address used different IP addresses, so it can be confirmed whether an IP has been assigned to different MAC addresses during a given period.

6) Immediate network disconnection: For IoT terminals judged to be malicious or high-risk, an immediate disconnection can be issued through the management interface; once the operation takes effect, the block is applied immediately on the corresponding port.

7) Bypass deployment blocking: The security probe supports linked disposal with switches and firewalls, and can block devices without changing the network topology.

3.2.3 Asset security operation and maintenance management module

The security monitoring platform monitors the connection status of devices in the light pole system over their whole life cycle, and promptly discovers abnormal access conditions such as offline devices, unauthorized connections and replacements.

1) Terminal status monitoring: Supports full-cycle monitoring of the working status of devices in the network, with real-time statistics on currently connected and recorded terminal devices, such as online status, working status, and maintenance and replacement records.

2) Working status monitoring: Monitors the interactive traffic between the terminal and the server, counts the terminal's service reporting cycle and network activity, and raises an alarm in time when activity is identified as too low.

3) Asset responsibility management: Supports management of asset responsibility information such as the asset owner and contact details, so that operation and maintenance personnel can be found quickly in the event of a failure; the system can automatically send an SMS or email to report the fault according to the configured settings.

4) Asset information linkage for operation and maintenance: Based on indexes such as asset ID and security code, the security monitoring and management platform can be connected to the service platform to which the terminal belongs.

3.2.4 Network behavior detection module

The security monitoring platform performs security analysis of the network behavior of the lamp pole system. Through automated learning it captures the access behavior of smart light pole devices in the network as a whitelist model. Whenever a network attack or any behavior outside the whitelist occurs, regardless of the attack method used, the attacker inevitably performs detection, attack, transmission, download and similar activities in the network, and these activities automatically surface and are quickly exposed under the filtering of the network security policy.

1) Network traffic information identification: Network behavior analysis extracts information such as source MAC, destination MAC, source IP, destination IP, source port, destination port, network protocol, application protocol, characteristic fields and traffic characteristics.

2) Automated network learning and security policy construction: From the multi-dimensional network behavior data of terminals, the system automatically learns the terminals' trusted services and sets a minimal compliant behavior model. The behavior model can be referenced directly by policy, and the identified terminal communication protocols and terminal port information can be monitored in real time to accurately identify abnormal terminal behavior.

3) Terminal intrusion attack detection: Combined with intrusion attack rules at the IoT level, detects typical IoT intrusion behaviors faced by IoT terminals, such as malicious device scanning, remote control, ARP man-in-the-middle attacks, DDoS attacks and brute-force cracking, and blocks or alerts in time after discovery.

4) Network communication anomaly detection: Supports behavioral learning of characteristics such as packet size, frequency and service cycle for IoT device communication scenarios, and generates a service network behavior security model. It can discover abnormal service communications, such as frequent access within a short period or missing access across multiple cycles, and supports queries by device type and group.
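The following is an added illustration, not the vendor's code, of how the whitelist learning described in 3.2.4 and the IP/MAC counterfeit check described in 3.2.2 can be combined over flow records: a learning phase records each device's trusted services and its IP binding, and a monitoring phase flags unknown devices, out-of-whitelist behavior and a known IP reused by a different MAC. The flow records, addresses and MACs are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a traffic probe would extract it (constructed format)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def learn_baseline(flows):
    """Learning phase: per-device whitelist of trusted services
    (dst_ip, dst_port, proto) plus the first MAC seen for each source IP."""
    whitelist = defaultdict(set)
    ip_to_mac = {}
    for f in flows:
        whitelist[f.src_mac].add((f.dst_ip, f.dst_port, f.proto))
        ip_to_mac.setdefault(f.src_ip, f.src_mac)
    return dict(whitelist), ip_to_mac


def detect(flow, whitelist, ip_to_mac):
    """Monitoring phase: return the alarm tags raised by a single flow."""
    alarms = []
    service = (flow.dst_ip, flow.dst_port, flow.proto)
    if flow.src_mac not in whitelist:
        alarms.append("unknown_device")        # never seen during learning
    elif service not in whitelist[flow.src_mac]:
        alarms.append("outside_whitelist")     # known device, new behavior
    bound_mac = ip_to_mac.get(flow.src_ip)
    if bound_mac is not None and bound_mac != flow.src_mac:
        alarms.append("ip_mac_counterfeit")    # known IP now used by another MAC
    return alarms


# Constructed learning traffic: one lamp controller reporting over MQTT (1883/tcp)
# to the platform and syncing time over NTP. Addresses are documentation ranges.
LEARNING_FLOWS = [
    Flow("00:11:22:33:44:01", "192.0.2.10", "198.51.100.5", 1883, "tcp"),
    Flow("00:11:22:33:44:01", "192.0.2.10", "198.51.100.5", 1883, "tcp"),
    Flow("00:11:22:33:44:01", "192.0.2.10", "198.51.100.6", 123, "udp"),
]
# Constructed monitoring traffic: a normal report, the same controller opening
# SSH to a new host, and a second MAC claiming the controller's IP.
MONITOR_FLOWS = [
    Flow("00:11:22:33:44:01", "192.0.2.10", "198.51.100.5", 1883, "tcp"),
    Flow("00:11:22:33:44:01", "192.0.2.10", "198.51.100.9", 22, "tcp"),
    Flow("00:11:22:33:44:99", "192.0.2.10", "198.51.100.5", 1883, "tcp"),
]


def run_demo():
    """Learn from LEARNING_FLOWS, then evaluate MONITOR_FLOWS; one alarm list per flow."""
    whitelist, ip_to_mac = learn_baseline(LEARNING_FLOWS)
    return [detect(f, whitelist, ip_to_mac) for f in MONITOR_FLOWS]


if __name__ == "__main__":
    for flow, alarms in zip(MONITOR_FLOWS, run_demo()):
        print(flow.src_mac, flow.dst_ip, flow.dst_port, alarms or ["ok"])
```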

3.2.5 IoT security management platform

The security monitoring and management platform provides centralized control of the IoT terminals and security products in the light pole system. It realizes comprehensive terminal monitoring, real-time alarms, unified log collection and correlation analysis, reduces operation and maintenance costs, improves incident response efficiency, produces a security situation analysis for each district and road section, and helps enterprises understand their network security situation.

1) Unknown device detection: Supports rapid detection of unknown devices and real-time alarms when an unknown device connects to the network, quickly discovering illegal access in the system.

2) Network behavior model management: Using machine learning, establishes an IoT terminal security model from multiple dimensions such as device type, protocol and port, and monitors in real time the communication protocols and network traffic of the IoT terminals identified by the security probe products.

3) Terminal security audit: From the terminal dimension, audits security information such as the historical security status and abnormal behavior of each IoT device.

4) Event correlation analysis: Supports correlation analysis of terminal events, with the ability to analyze the originating device, target device and path of an event, trace abnormal asset events for forensics, and automatically discover attack paths and network attacks at the IoT level.

5) User management: The platform adopts a separation-of-powers management model in which each administrator performs his or her own duties and administrators supervise each other; the operations of roles such as administrator, security officer and auditor are audited, which effectively avoids the security risks caused by excessive authority.

6) Version management: Supports issuing system upgrade commands to the security probes from the platform, so the system can quickly adapt to customers' growing security needs and terminal security keeps pace.

3.2.6 Graphical display of security monitoring

Records in detail the asset status, access monitoring, abnormal asset behavior and abnormal network behavior in the smart light pole network for real-time monitoring and alarming.

1) Online quantity statistics: Counts the IoT terminal devices currently online, broken down by device type, device area and device ownership.

2) Offline device statistics: Counts offline IoT terminals that had obtained access permission and had been online, broken down by offline time and offline reason.

3) Terminal online rate statistics: Computes online statistics for IoT terminals that have obtained access permission, broken down by time, device type, device area and device ownership.

4) Access success statistics: The system supports statistics on IoT terminals that have passed access authentication.

5) Access failure statistics: The system supports statistics on IoT terminals that have failed access authentication.

6) Added device statistics: The system supports statistics on newly connected IoT terminals, broken down by device type, online time and grouping.

7) Device type statistics: The system supports statistics on the types of currently registered and connected IoT terminal devices, broken down by the organizational structure and device type to which the device belongs.

8) Alarm statistics: The system supports statistics on the alarms it issues, broken down by alarm level, alarm object, alarm scope, alarm time and so on.

9) Historical network access record statistics: The system supports statistics on historical network access, including statistical queries on historical conditions such as the type of device entering the network and its access control result.

10) GIS map display: Provides a high-definition GIS map that visually displays assets, risks and threat events by geographical location.

4. Value points

1) Keep abreast of the operating status of every terminal device in the smart lamp pole system, quickly discover whether a device is faulty, improve the efficiency of operation and maintenance personnel, and ensure the normal operation of the lamp pole business.

2) Discover in time abnormal network behavior, attack behavior and related information in the smart lamp pole system, and continuously monitor the lamp pole business, thereby reducing the occurrence of network incidents.

3) Discover in time illegal devices connected to the smart light pole system and quickly apply access control, thereby reducing the occurrence of safety accidents.

4) Quickly learn all network behavior in the smart light pole system, form a set of model policies specific to the smart light pole business environment, and quickly block possible security vulnerabilities and illegal network access behavior in the network, thereby reducing the occurrence of security incidents.