This repo provides a secure virtual IoT system that collects data from IoT devices, stores it in a database, and allows for dashboard visualization from any device via VPN.
- Docker Compose installed.
- Netbird account for VPN setup.
Optional Tools:
This repo includes these files pre-created for system demo.
- Open
.env.exampleand follow the instructions to set up your environment variables.
-
Run the following command to deploy the system:
docker-compose up -d
Server:
- Access Netbird VPN Dashboard and configure the network.
- Go to
Network Routesand pressAdd Route - Add Range
172.24.0.0/16and select the peer (your server IP) - Select
allin both thegroupsfor testing purpose - Set
Network Identifierto "iot-server"
You may be asked to setup a defualt policy after this, just use all the default settings, and save.
Client:
- Download and install the Netbird VPN app on any client devices requiring access to the Grafana dashboard.
- Log in to your Netbird dashboard and add the clients as peers.
- Once configured, connected VPN clients can access the dashboard at: http://172.24.0.14:3000.
Objective: Design and implement a secure IoT solution prototype to demonstrate secure communication, robust infrastructure, and compliance considerations with the Cyber Resilience Act (CRA).
This Proof of Concept (PoC) will illustrate how a secure IoT system can help customers remotely monitor and manage their devices.
Client: Mining Company
Application: Remote Monitoring of Heavy Machinery
The customer, a mining company, requires a system that allows them to monitor critical metrics of their fleet, including:
- Engine Temperature
- Engine Oil Pressure
- Total Operating Hours
- Total Driving Distance
- Current Running Time Since Startup
The solution must provide reliable, real-time data for efficient monitoring and timely response to prevent costly downtime or equipment failure.
In this use case the wireless network in this PoC will use LoRa technology for a long range within a specific area that can easily be covered realiably at a low cost.
-
Sensor Unit (IoT Client)
- A virtual sensor unit that communicates via MQTT over a secure wireless network.
- Configured with TLS encryption for secure data transmission.
- Simulates data and publishes it to the MQTT broker.
-
Gateway (Mosquitto Broker)
- Acts as a central hub, securely receiving data from the IoT client.
- Communicates over TLS to ensure data integrity and confidentiality.
- Connected to internal networks for secure, isolated data flow.
-
Database (InfluxDB)
- Collects and stores sensor data for analysis and visualization.
- Accessible only within the internal network to prevent unauthorized access.
-
Data Visualization (Grafana)
- Provides real-time dashboard visualization for monitoring IoT data.
- Accessed over a secure VPN connection to ensure data protection.
-
VPN Service (Netbird)
- Ensures secure remote access to the Grafana dashboard.
- Uses dynamic VPN setup for client access control, following zero-trust principles.
- Wireless Network: For secure communication between the IoT client and the MQTT broker.
- Internal Network: Isolated network for secure data flow between services like the database, visualization tools, and other internal components.
-
IoT Client to Mosquitto Broker
- Protocol: MQTT over TLS (port 8883).
- Data from the IoT client is published to the broker using secure authentication and TLS for encryption.
-
Mosquitto Broker to InfluxDB (via Telegraf)
- Telegraf collects data from the MQTT broker and sends it to InfluxDB.
- Communication is secured within the internal network with no external exposure.
-
InfluxDB to Grafana
- Grafana queries InfluxDB for data visualization.
- Operates on the internal network, accessible only to authenticated services.
-
Remote Access via VPN (Netbird)
- Remote clients connect to Grafana through a VPN, ensuring secure, authenticated access to the dashboard.
+---------------------------------------------------+
| * IoT Devices * |
| +---------------------------------------------+ |
| | ioT Client (python simulation) | |
| +---------------------------------------------+ |
+---------------------------------------------------+
|
[Secure mTLS over TCP]
|
v
# The IoT-devices and Gateway are all connected to
# a dedicated/segmented wireless network.
+---------------------------------------------------+
| * Gateway * |
| +---------------------------------------------+ |
| | Mqtt Server (Mosquitto) | |
| +---------------------------------------------+ |
+---------------------------------------------------+
|
[Secure mTLS over TCP]
|
v
# This backend is simulated as an internal network in
# docker-compose with static IP-adresses assigned
# for each service specified below:
+---------------------------------------------------+
| * Backend Services * |
| +---------------------------------------------+ |
| | Mqtt Connector (Telegraf) | |
| +---------------------------------------------+ |
| +---------------------------------------------+ |
| | TimeSeries Database (InfluxDB) | |
| +---------------------------------------------+ |
| +---------------------------------------------+ |
| | Data Visualization (Grafana) | |
| +---------------------------------------------+ |
| +---------------------------------------------+ |
| | VPN Server (Netbird) | |
| +---------------------------------------------+ |
+---------------------------------------------------+
|
[Secure VPN tunnel]
|
v
# The consuming client can be all type of devices such
# as a computer, mobile, tablet etc.
+---------------------------------------------------+
| * Consuming Client * |
| +---------------------------------------------+ |
| | VPN Client (Netbird App) | |
| +---------------------------------------------+ |
| +---------------------------------------------+ |
| | Web Browser (Grafana Dashboard) | |
| +---------------------------------------------+ |
+---------------------------------------------------+
- TLS (Transport Layer Security): TLS is applied to all MQTT communications, ensuring data encryption in transit.
- VPN Access: A secure VPN (Netbird) restricts external access to the Grafana dashboard, providing an additional layer of protection.
-
Security-by-Design
- Data Encryption: TLS encryption is implemented for all communication between devices and servers.
- Authentication: All services require secure authentication (e.g., MQTT credentials, VPN keys).
- Zero-Trust Network Principles: The use of VPN ensures secure, authenticated access for remote clients only.
-
Updatability
- Future system updates will include automated container image rebuilds and redeployments.
- Telegraf, InfluxDB, and Grafana are configured to allow for patch updates, ensuring the system remains secure.
-
Vulnerability Management
- Monitoring: Telegraf and Grafana enable real-time monitoring, alerting administrators of any anomalies.
- Testing and Auditing: Regular penetration testing and security audits will be conducted.
- Patch Management: Vulnerability patches for container images will be updated continuously.
To ensure full CRA compliance, the following steps are proposed for future development:
- Enhanced Vulnerability Detection: Implement automated security scanning tools to detect and alert on vulnerabilities in real time.
- Secure Firmware Updates: Integrate Over-the-Air (OTA) update mechanisms for all components to maintain security.
- Incident Response Plan: Develop a structured response plan for any detected vulnerabilities, ensuring timely remediation and customer notification.
This system specification outlines a secure IoT solution prototype with attention to CRA principles of security-by-design, updatability, and vulnerability management, providing a foundation for further development toward a production-ready solution.
As per licence file.