Proof of Concept IoT Setup virtualised using services such as Grafana, InfluxDB, Netbird VPN with a virtual python script IoT device.

simonthorell/poc-iot-system

Proof of Concept IoT System

This repo provides a secure virtual IoT system that collects data from IoT devices, stores it in a database, and allows for dashboard visualization from any device via VPN.


Prerequisites

Optional Tools:

This repo includes these files pre-created for the system demo.


Setup & Usage

1. Configuration

  • Open .env.example and follow the instructions to set up your environment variables.

2. Start the System

  • Run the following command to deploy the system:

    docker-compose up -d

3. Setup VPN

Server:

  • Access the Netbird VPN dashboard and configure the network.
  • Go to Network Routes and press Add Route.
  • Add the range 172.24.0.0/16 and select the peer (your server IP).
  • Select all in both groups for testing purposes.
  • Set the Network Identifier to "iot-server".

You may be asked to set up a default policy after this; just use all the default settings and save.

Client:

  • Download and install the Netbird VPN app on any client devices requiring access to the Grafana dashboard.
  • Log in to your Netbird dashboard and add the clients as peers.

4. Access Dashboard


System Specification

Project Overview

Objective: Design and implement a secure IoT solution prototype to demonstrate secure communication, robust infrastructure, and compliance considerations with the Cyber Resilience Act (CRA).

This Proof of Concept (PoC) will illustrate how a secure IoT system can help customers remotely monitor and manage their devices.

Customer Use Case

Client: Mining Company
Application: Remote Monitoring of Heavy Machinery
The customer, a mining company, requires a system that allows them to monitor critical metrics of their fleet, including:

  • Engine Temperature
  • Engine Oil Pressure
  • Total Operating Hours
  • Total Driving Distance
  • Current Running Time Since Startup

The solution must provide reliable, real-time data for efficient monitoring and timely response to prevent costly downtime or equipment failure.

In this use case the wireless network of the PoC uses LoRa technology, which gives long range within a defined area that can be covered reliably at low cost.

Architecture

System Components

  1. Sensor Unit (IoT Client)

    • A virtual sensor unit that communicates via MQTT over a secure wireless network.
    • Configured with TLS encryption for secure data transmission.
    • Simulates data and publishes it to the MQTT broker.
  2. Gateway (Mosquitto Broker)

    • Acts as a central hub, securely receiving data from the IoT client.
    • Communicates over TLS to ensure data integrity and confidentiality.
    • Connected to internal networks for secure, isolated data flow.
  3. Database (InfluxDB)

    • Collects and stores sensor data for analysis and visualization.
    • Accessible only within the internal network to prevent unauthorized access.
  4. Data Visualization (Grafana)

    • Provides real-time dashboard visualization for monitoring IoT data.
    • Accessed over a secure VPN connection to ensure data protection.
  5. VPN Service (Netbird)

    • Ensures secure remote access to the Grafana dashboard.
    • Uses dynamic VPN setup for client access control, following zero-trust principles.

Network Layout

  • Wireless Network: For secure communication between the IoT client and the MQTT broker.
  • Internal Network: Isolated network for secure data flow between services like the database, visualization tools, and other internal components.

Communication Flow

  1. IoT Client to Mosquitto Broker

    • Protocol: MQTT over TLS (port 8883).
    • Data from the IoT client is published to the broker using secure authentication and TLS for encryption.
  2. Mosquitto Broker to InfluxDB (via Telegraf)

    • Telegraf collects data from the MQTT broker and sends it to InfluxDB.
    • Communication is secured within the internal network with no external exposure.
  3. InfluxDB to Grafana

    • Grafana queries InfluxDB for data visualization.
    • Operates on the internal network, accessible only to authenticated services.
  4. Remote Access via VPN (Netbird)

    • Remote clients connect to Grafana through a VPN, ensuring secure, authenticated access to the dashboard.
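The client-to-broker step above, as an added example that is not part of this repository's own IoT client: a Python sensor simulator that builds a mutual-TLS client context for the port 8883 listener and publishes the five fleet metrics as JSON. The certificate paths, broker hostname, topic and credentials are placeholders, and paho-mqtt is assumed only for the publish code under `__main__`.

```python
import json
import ssl
from dataclasses import dataclass
MQTT_PORT = 8883  # MQTT over TLS, as in the Communication Flow section

def mtls_context(ca_file=None, cert_file=None, key_file=None) -> ssl.SSLContext:
    """TLS 1.2+, hostname check and broker-certificate verification are never optional."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:  # trust only the private CA that signed the broker certificate
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # mutual TLS: present the device's own certificate and key
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

@dataclass
class MachineSimulator:
    machine_id: str
    operating_hours: float = 0.0       # cumulative, survives restarts
    driving_distance_km: float = 0.0   # cumulative, survives restarts
    running_time_s: float = 0.0        # since the current start-up

    def advance(self, seconds: float, speed_kmh: float) -> None:
        self.running_time_s += seconds
        self.operating_hours += seconds / 3600.0
        self.driving_distance_km += speed_kmh * seconds / 3600.0

    def payload(self) -> bytes:
        frac = self.operating_hours % 1.0  # deterministic, plausible readings
        return json.dumps({
            "machine_id": self.machine_id,
            "engine_temp_c": round(80.0 + 15.0 * frac, 1),
            "oil_pressure_bar": round(4.5 - frac, 2),
            "operating_hours": round(self.operating_hours, 3),
            "driving_distance_km": round(self.driving_distance_km, 3),
            "running_time_s": self.running_time_s,
        }).encode()

if __name__ == "__main__":  # needs paho-mqtt, real cert files and a reachable broker
    import paho.mqtt.client as mqtt
    client = mqtt.Client(client_id="machine-01")
    client.tls_set_context(mtls_context("ca.crt", "device.crt", "device.key"))
    client.username_pw_set("machine-01", "PLACEHOLDER-PASSWORD")  # placeholder creds
    client.connect("mosquitto.internal.example", MQTT_PORT)  # placeholder hostname
    sim = MachineSimulator("machine-01")
    sim.advance(seconds=60, speed_kmh=12.0)
    client.publish("fleet/machine-01/telemetry", sim.payload(), qos=1)
    client.disconnect()
```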

Data Flow Diagram

+---------------------------------------------------+
|                  * IoT Devices *                  |
|  +---------------------------------------------+  |
|  |         IoT Client (python simulation)      |  |
|  +---------------------------------------------+  |
+---------------------------------------------------+
                          |
                [Secure mTLS over TCP]
                          |
                          v
# The IoT-devices and Gateway are all connected to
# a dedicated/segmented wireless network.
+---------------------------------------------------+
|                    * Gateway *                    |
|  +---------------------------------------------+  |
|  |             Mqtt Server (Mosquitto)         |  |
|  +---------------------------------------------+  |
+---------------------------------------------------+
                          |
               [Secure mTLS over TCP]
                          |
                          v
# This backend is simulated as an internal network in
# docker-compose with static IP addresses assigned
# for each service specified below:
+---------------------------------------------------+
|                * Backend Services *               |
|  +---------------------------------------------+  |
|  |           Mqtt Connector (Telegraf)         |  |
|  +---------------------------------------------+  |
|  +---------------------------------------------+  |
|  |        TimeSeries Database (InfluxDB)       |  |
|  +---------------------------------------------+  |
|  +---------------------------------------------+  |
|  |         Data Visualization (Grafana)        |  |
|  +---------------------------------------------+  |
|  +---------------------------------------------+  |
|  |              VPN Server (Netbird)           |  |
|  +---------------------------------------------+  |
+---------------------------------------------------+
                          |
                 [Secure VPN tunnel]
                          |
                          v
# The consuming client can be any type of device, such
# as a computer, mobile, tablet etc.
+---------------------------------------------------+
|               * Consuming Client *                |
|  +---------------------------------------------+  |
|  |          VPN Client (Netbird App)           |  |
|  +---------------------------------------------+  |
|  +---------------------------------------------+  |
|  |        Web Browser (Grafana Dashboard)      |  |
|  +---------------------------------------------+  |
+---------------------------------------------------+

Security Measures

Secure Communication

  • TLS (Transport Layer Security): TLS is applied to all MQTT communications, ensuring data encryption in transit.
  • VPN Access: A secure VPN (Netbird) restricts external access to the Grafana dashboard, providing an additional layer of protection.

CRA Requirements

  1. Security-by-Design

    • Data Encryption: TLS encryption is implemented for all communication between devices and servers.
    • Authentication: All services require secure authentication (e.g., MQTT credentials, VPN keys).
    • Zero-Trust Network Principles: The use of VPN ensures secure, authenticated access for remote clients only.
  2. Updatability

    • Future system updates will include automated container image rebuilds and redeployments.
    • Telegraf, InfluxDB, and Grafana are configured to allow for patch updates, ensuring the system remains secure.
  3. Vulnerability Management

    • Monitoring: Telegraf and Grafana enable real-time monitoring, alerting administrators of any anomalies.
    • Testing and Auditing: Regular penetration testing and security audits will be conducted.
    • Patch Management: Container images will be rebuilt continuously as vulnerability patches are released.

CRA Compliance Roadmap

To ensure full CRA compliance, the following steps are proposed for future development:

  • Enhanced Vulnerability Detection: Implement automated security scanning tools to detect and alert on vulnerabilities in real time.
  • Secure Firmware Updates: Integrate Over-the-Air (OTA) update mechanisms for all components to maintain security.
  • Incident Response Plan: Develop a structured response plan for any detected vulnerabilities, ensuring timely remediation and customer notification.

This system specification outlines a secure IoT solution prototype with attention to CRA principles of security-by-design, updatability, and vulnerability management, providing a foundation for further development toward a production-ready solution.


Licence

As per licence file.
