The IoT Architect's Guide to Attainable

Security and Privacy 1st Edition

Damilare D. Fagbemi
Visit to download the full and correct content document:
https://textbookfull.com/product/the-iot-architects-guide-to-attainable-security-and-priv
acy-1st-edition-damilare-d-fagbemi/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

IoT: Security and Privacy Paradigm (Internet of

Everything (IoE)) 1st Edition Souvik Pal (Editor)

https://textbookfull.com/product/iot-security-and-privacy-
paradigm-internet-of-everything-ioe-1st-edition-souvik-pal-
editor/

Women Securing the Future with TIPPSS for IoT Trust

Identity Privacy Protection Safety Security for the
Internet of Things Florence D. Hudson

https://textbookfull.com/product/women-securing-the-future-with-
tippss-for-iot-trust-identity-privacy-protection-safety-security-
for-the-internet-of-things-florence-d-hudson/

IoT security issues Gilchrist

https://textbookfull.com/product/iot-security-issues-gilchrist/

The 2020 International Conference on Machine Learning

and Big Data Analytics for IoT Security and Privacy:
SPIoT-2020, Volume 1 John Macintyre

https://textbookfull.com/product/the-2020-international-
conference-on-machine-learning-and-big-data-analytics-for-iot-
security-and-privacy-spiot-2020-volume-1-john-macintyre/
Security And Privacy Joseph Savirimuthu

https://textbookfull.com/product/security-and-privacy-joseph-
savirimuthu/

Attainable Sustainable 1st Edition Kris Bordessa

https://textbookfull.com/product/attainable-sustainable-1st-
edition-kris-bordessa/

Beyond the Algorithm AI Security Privacy and Ethics 1st

Edition Santos

https://textbookfull.com/product/beyond-the-algorithm-ai-
security-privacy-and-ethics-1st-edition-santos/

Security Privacy and Forensics Issues in Big Data

Advances in Information Security Privacy and Ethics
1st Edition Ramesh C. Joshi

https://textbookfull.com/product/security-privacy-and-forensics-
issues-in-big-data-advances-in-information-security-privacy-and-
ethics-1st-edition-ramesh-c-joshi/

Smart Grids: Security and Privacy Issues 1st Edition

Kianoosh G. Boroojeni

https://textbookfull.com/product/smart-grids-security-and-
privacy-issues-1st-edition-kianoosh-g-boroojeni/
 DAVID M.
WHEELER
DAMILARE D.
FAGBEMI
JC
WHEELER

AN AUERBACH BOOK
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2020 by David M. Wheeler and Damilare D. Fagbemi

CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-0-8153-6816-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to
publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials
or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material repro-
duced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any
form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming,
and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copy-
right.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400.
CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have
been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identifica-
tion and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com

and the CRC Press Web site at

http://www.crcpress.com
 Trademarks Covered in This Book

2lemetry™ is a trademark of 2lemetry, Inc.

Adobe® and Adobe® Sensei™ are either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States and/or other countries.
Akamai® is a trademark of Akamai Technologies, Inc.
Amazon®, Amazon API Gateway™, Amazon Cognito™, Amazon CloudWatch™, Amazon EC2™, Amazon Elastic
Compute Cloud™, Amazon Elasticsearch Service™, Amazon IoT Core™, Amazon Simple Notification Service™,
SNS™, Amazon Virtual Private Cloud™ (Amazon VPC™), Amazon Web Services™, AWS™, AWS CloudTrail™,
AWS EBS™, AWS Elastic Container Service™, AWS IoT™, AWS Lambda™, AWS S3™, API Gateway™, and
Amazon Webstore™ are trademarks of Amazon.com, Inc.
Anomali® is a registered trademark of Anomali, Inc.
Apple® and Apple® IoS® are registered trademarks of Apple, Inc., in the United States and other countries.
Arduino® is a registered trademark of Arduino, LLC.
Arm®, Arm® Mbed™, and Arm Trustzone® are trademarks or registered trademarks of Arm Limited (or its subsid-
iaries) in the US and/or elsewhere.
Auth0® is a registered trademark of Auth0, Inc.
AutonomicSM is a service mark of Autonomic, LLC.
Bitcoin® is a trademark of A.B.C. IPHoldings South West, LLC, a UK-based company and subsidiary of Monopolip
LTD.
Black Hat® is a registered trademark of UBM LLC.
Bluetooth® is a registered trademark of the Bluetooth SIG, Inc.
Checkmarx® is a registered trademark of Checkmarx Ltd.
CIP™ is a trademark of Flextronics International, LTD.
Civilization™ and CIVILIZATION IV are registered trademarks of Take-Two Interactive Software, Inc.
CoreOS® is a registered trademark of CoreOS, Inc.
Cumulocity™ is a trademark of Software AG, Inc.
Docker™ is a trademark of Docker, Inc.
Dyn™ is a trademark of Dyn, Inc.
Elasticsearch® is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
Facebook™ is a trademark of Facebook, Inc.
Flashpoint® is a registered trademark of EJ2 Communications, Inc.
Ford® and Ford® Model T™ are trademarks and registered trademarks of the Ford Motor Company.
FOUNDATION™ Fieldbus and HART-IP™ are trademarks and HART® and WirelessHART® are registered
trademarks of FieldComm Group, Austin, Texas, USA.
Gartner® is a registered trademark of Gartner, Inc. or its affiliates.
GitHub®is a registered trademark of GitHub, Inc.
Google Nest® is a registered trademark of Google LLC.
Google®, Google® Android™, Google Cloud™, Google Cloud Functions™, Google Cloud IoT Core™, Google Cloud
Platform™, Google Cloud Storage™, Google Compute Engine™, Google Home™, Google Persistent Disk™,
Google VPC™, TensorFlow®, the TensorFlow logo, GCP Firebase™, and any related marks are trademarks or
registered trademarks of Google LLC.
HART® is a registered trademark of Rosemount Inc.
HART-IP™ is a registered trademark of Fieldcomm Group, Inc.
IBM Watson™ is a trademark of International Business Machines Corporation.
IEEE 802.15.4™ is a trademark of the Institute of Electrical and Electronics Engineers (IEEE).
Intel® is a trademark of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
Intel® is a registered trademark of Intel Corporation or its subsidiaries in the United States and/or other countries.
INTERBUS® is a registered trademark of Phoenix Contact, Inc.
IOActive® is a registered trademark of IoActive, Inc.
Jasper™ is a trademark of Jasper Technologies, Inc.
JavaScript® is a registered trademark of Oracle Corporation.
Kiuwan™ is a trademark of Kiuwan Software, S.L.
Klocwork® is a registered trademark of Klocwork Solutions Corp.
Kubernetes® is a registered trademark of The Linux Foundation.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
LoRa Alliance™ and LoRaWAN™ are trademarks of the LoRa Alliance™.
Microsoft®, Microsoft® Azure®, Microsoft® Azure® IoT Hub, Microsoft® Azure Sphere®, Azure Blob Storage™, Azure
Compute™, Azure Search™, Azure Virtual Disks™, Azure VNet™, and Windows® are registered trademarks of the
Microsoft Corporation.
MiWi™ is a trademarks of Microchip Technology Incorporated in the U.S.A. and other countries.
MODBUS® is a registered trademark of Schneider Electric USA, Inc.
Navteq® is a registered trademark of NAVTEQ Corporation.
Netflix® is a registered trademark of Netflix, Inc.
Node.js® is a registered trademark of Joyent, Inc.
OpenStack Cinder™, OpenStack Neutron™, OpenStack Nova™, and OpenStack Swift™ are trademarks of the
OpenStack Foundation.
PROFIBUS® and PROFINET® are registered trademarks of PROFIBUS International.
Rancher® is a registered trademark of Rancher Labs, Inc.
Raspberry Pi® is a registered trademark of the Raspberry Pi Foundation.
SafetyNet P™ is a registered trademark of Pilz GmbH & Co.
SchmooCon™ is a trademark of The Schmoo Group.
Seeed® is a registered trademark of Seeed Technology Co., Ltd.
Sherlock Holmes® is a registered trademark of Conan Doyle Estate Limited.
SigFox® is a registered trademark of SIGFOX Société Anonyme.
Suricata® is a registered trademark of the Open Information Security Foundation.
Symantec™ is a trademark owned by Symantec Corporation or its affiliates in the U.S. and other countries.
Symphony Link™ is a trademark of Link Labs LLC.
Tesla® is a registered trademark of Tesla Motors, Inc.
The OPC Foundation® is a registered trademark of OPC Foundation.
The Open Group® is a registered trademark of The Open Group.
Thread® is a registered trademark of Thread Group, Inc.
Tor® is a registered trademark of The Tor Project, Inc.
TruePic® is a registered trademark of TruePic, Inc.
VAX™ is a trademark of Digital Equipment Corporation.
Vnet/IP® and ProSafe® are registered trademarks of Yokogawa Electric Corporation.
Weightless™ is a trademark of the Weightless™ Special Interest Group (SIG), Weightless Management Ltd, UK.
WirelessHART® is a registered trademark of HART COMMUNICATION FOUNDATION.
ZigBee® is a registered trademark of the ZigBee Alliance.
Z-Wave® is a registered trademark of Silicon Labs and its subsidiaries in the United States and other countries.
Dedication

To everyone who truly loves people, to everyone who uses their skills to serve others,
to everyone who seeks and upholds truth, I dedicate this book to you. For all
the technology in the world could never serve a better purpose.
— Damilare D. Fagbemi

To my Father in Heaven, may you bless the work of our hands;

To my family, may you always see Him in all that I do;
To my mentors and teachers, may I carry forward all that you
have given me with integrity and honor.
— David M. Wheeler

vii
Contents

Dedication vii
Contents ix
Foreword by Dr. James Ransome xvii
Foreword by Erv Comer xxiii
Preface xxv
Acknowledgments xxvii
About the Authors xxix

Part One 1
Chapter 1 How We Got Here 3
Damilare Fagbemi, Dave Wheeler, and JC Wheeler
1.1 We Forgot Security When Building the Internet 3
1.2 What’s This Book About and Who’s It For? 4
1.3 Let’s Break Down the Book 4
1.4 What’s an IoT System? 6
1.4.1 Everyone Needs to Know the Location of the Nearest Pizza 7
1.4.2 Computing Everywhere 7
1.5 An IoT System’s Major Components 8
1.5.1 The Human IoT System 9
1.6 Shall We Just Connect Everything? 9
1.7 Wait! We Need to Add Security! 10
References 11

Chapter 2 The IoT Castle and Its Many Gates 13

Damilare Fagbemi and Dave Wheeler
2.1 And the Internet Got Hacked: Analyzing the Mirai Attack 13
2.1.1 Resolution of the Mirai Attack 15

ix
x The IoT Architect’s Guide to Attainable Security and Privacy

2.2 “Full Disclosure,” Ethics, and “Hacking Buildings for Fun and Profit” 16
2.3 Defending IoT Castles 17
2.3.1 Know Thine Enemy 21
2.4 Attacking the IoT Castle 22
2.5 A Closer Look at IoT Attack Surfaces and Breach Consequences 23
2.6 The Road Ahead 25
References 26

Chapter 3 The IoT Security Economy 27

Damilare Fagbemi and Dave Wheeler
3.1 A Toy Is Not a Plaything, It’s a Tool for Cybercrime 27
3.2 Understanding the IoT Economy 28
3.3 The Cybercriminal Economy 29
3.4 Cryptocurrency 01100101 31
3.4.1 Mining, Minting, and Verifying Transactions 32
3.4.2 The Draw of Crypto Mining 33
3.4.3 The Monero Cryptocurrency 33
3.5 Where Cybercriminals Go to Hide 34
3.6 Accessing the Dark Web with Tor 35
3.7 Money Money Money . . . Making Bank on the Dark Web 38
3.8 Challenges in the Regular IoT Economy: Out of the Dark,
and into Naïvety 39
3.9 Why You Should Care 40
References 41

Part Two 43
Chapter 4 Architecting IoT Systems That Scale Securely 45
Dave Wheeler
4.1 The IoT System Architecture 45
4.1.1 The Cloud Layer 48
4.1.2 The Gateway Layer 49
4.1.3 The Devices Layer 50
4.2 IoT Must Be a Low-Cost System 53
4.2.1 IoT Gateway Layer: Reason 1—Client Volume 53
4.2.2 IoT Gateway Layer: Reason 2—Energy Costs 54
4.2.3 IoT Gateway Layer: Reason 3—Long-Haul
Communications Costs 55
4.2.4 IoT Gateway Layer: Reason 4—Security 56
4.2.5 IoT Gateway Layer: Reason 5—Scaling 57
 Contents xi

4.3 Details of the IoT Architecture Layers 58

4.3.1 Basic IoT Edge Device Architecture 59
4.3.2 Simple IoT Gateway Architecture 61
4.4 Fundamental IoT Cloud Architecture 65
4.5 Why Security Is Hard in IoT Systems 66
References 67

Chapter 5 Security Architecture for Real IoT Systems 69

Dave Wheeler
5.1 Preparation for the Coming Storm 69
5.2 What Is Security Architecture? 70
5.3 The Security Architecture Process 71
5.3.1 Analyze the System Architectural Views 73
5.3.2 Perform Threat Analysis 74
5.3.3 Threat Disposition 81
5.3.4 Incorporate Threat Mitigation into the System Architecture 82
5.3.5 Rinse and Repeat 82
5.3.6 Security Architecture Review Board 82
5.3.7 After Security Architecture Approval 83
5.4 Design Principles for Security Architecture 84
5.4.1 Open Design Principle 84
5.4.2 Economy of Mechanism Principle 85
5.4.3 Fail-Safe Default Principle 86
5.4.4 Separation of Privilege Principle 86
5.4.5 Complete Mediation Principle 87
5.4.6 Least Privilege Principle 87
5.4.7 Least Common Mechanism Principle 88
5.4.8 Defense-in-Depth Principle 88
5.4.9 Trust No One Principle 89
5.4.10 Secure the Weakest Link Principle 89
5.5 Addressing the Security Concerns of an Industrial IoT System 90
5.5.1 The Autonomous Factory 91
5.5.2 Architecting for IoT Manageability 95
5.5.3 Architecting IoT Device Trust 97
5.5.4 Architecting End-to-End Encryption 103
5.5.5 Architecting for Longevity 105
5.5.6 Architecting IoT with Intelligence 108
5.5.7 Architecting for Scale 111
5.6 Summarizing IoT Security Architecture 113
References 113
xii The IoT Architect’s Guide to Attainable Security and Privacy

Chapter 6 Securing the IoT Cloud 115

Damilare Fagbemi
6.1 The History of The Cloud 115
6.2 So What Is the Cloud? 117
6.3 Cloud Architecture Overview 118
6.3.1 Object Storage Service 119
6.3.2 Block Storage Service 119
6.3.3 Compute Service 120
6.3.4 Image Service 121
6.3.5 Networking Service 121
6.3.6 Identity Service 121
6.4 How the Cloud Enables and Scales IoT Security 122
6.4.1 Secure Centralization of Data Management and Analytics 123
6.4.2 Secure IoT Device Management 128
6.4.3 Secure Multi-Presence Access to IoT Devices 134
6.5 A Summary of Security Considerations for IoT Cloud Back Ends 135
6.6 Practical IoT Cloud Security Architecture: The “Dalit” Smart City
Use Case 136
6.6.1 Introducing ATASM as a Threat Modeling Tool 137
6.6.2 Dalit Cloud Architecture Overview 138
6.6.3 Data Ingestion and Processing View 140
6.6.4 Device Software (and Firmware) Updates View 144
6.6.5 Networking View 145
6.6.6 Cloud Resource Monitoring and Auditing View 148
6.6.7 Threat Analysis 149
6.7 What We Learned 150
References 155

Chapter 7 Securely Connecting the Unconnected 157

Dave Wheeler
7.1 What Connectivity Means to IoT 157
7.2 Classifying IoT Communication Protocols 159
7.2.1 Bandwidth, Bits, Codes, and Hertz 160
7.2.2 Physical Layer Communications—Wired and Wireless 161
7.2.3 Wired Phys 161
7.2.4 Wireless Phys 166
7.2.5 Comparison of Different Phys 171
7.2.6 Upper-Layer Protocols 171
7.2.7 Application Layer Protocols for IoT 176
7.2.8 Protocols Summary 184
 Contents xiii

7.3 Network Security for IoT 184

7.3.1 Protecting the Little Ones 185
7.3.2 Additional Steps by the Bigger Devices—
Self-Protection Services 187
7.3.3 System Protect and Detect Services 188
7.4 Security Analysis for Protocols 188
7.4.1 The Preliminaries and Definitions 189
7.4.2 An Informal Analysis Model for Protocol Design 191
7.4.3 An Informal Analysis of a Digest Authentication Protocol 191
7.4.4 The Formal Security Models 195
7.5 IoT Protocol Conclusions 196
References 197

Chapter 8 Privacy, Pirates, and the Tale of a Smart City 201

JC Wheeler
8.1 Shroud for Dark Deeds or Fortress for the Vulnerable 201
8.2 Chapter Scope 202
8.3 AI and IoT Unite—Amplifying the Engineer’s Significance
in Society 202
8.4 The Elephant in the Room 203
8.5 Scenario: Safe Driving App Meets Smart Fridge 204
8.5.1 IoT Saves Our Bacon, but Tattles if We Eat Cured
Fatty Pork 208
8.5.2 Smart Algorithms to the Rescue 209
8.6 From Autonomous Vehicles to Smart Cities 210
8.6.1 Scenario: The Tale of a Smart City 211
8.7 The Deepfake and IoT 223
8.8 Learning from Smart Appliances, Myopia, and Deepfakes 224
8.9 Privacy Playbook 225
8.9.1 Bring in the “Great White Shark” 225
8.9.2 Know the Pirate Lineup 226
8.9.3 Believe in the Data Afterlife 227
8.9.4 Defy Fate 228
8.9.5 Obfuscate Waldo 229
8.9.6 Playbook Wrap-up 229
References 230

Chapter 9 Privacy Controls in an Age of Ultra-Connectedness 231

Dave Wheeler and Damilare Fagbemi
9.1 Introduction 231
9.2 Defining Privacy and Information Privacy 232
xiv The IoT Architect’s Guide to Attainable Security and Privacy

9.3 A Better Definition of Personal Information and How That

Becomes Personal Knowledge 233
9.3.1 Data from a Fitness App Turns into Military Intelligence 233
9.4 Who Cares about Privacy? 234
9.5 Privacy Controls 235
9.5.1 Access Controls 235
9.5.2 Anonymization 236
9.5.3 Differential Privacy 237
9.5.4 Homomorphic Encryption 238
9.5.5 Secure Multi-Party Computation 238
9.5.6 Zero-Knowledge and Group Signatures 239
9.5.7 Data Retention and Deletion Policy 240
9.6 Privacy Legislation 240
9.6.1 European Union Data Protection Directive 241
9.6.2 General Data Protection Regulation 241
9.6.3 California Consumer Privacy Act of 2018 242
9.6.4 California Online Privacy Protection Act 243
9.6.5 Children’s Online Privacy Protection Act of 1998 243
9.6.6 Health Insurance Portability and Accountability Act
of 1996 243
9.7 The Future of Privacy Controls 244
References 245

Chapter 10 Security Usability: Human, Computer, and Security

Interaction 247
Damilare Fagbemi
10.1 Poor User Experience Design Isn’t Just Inconvenient, It’s Painful 247
10.2 Nightmare at 40: When Too Many Convenient Devices Become
Too Difficult to Manage 249
10.3 Challenges of IoT Security Usability 249
10.3.1 Security Doesn’t Make Sense to the Regular User 250
10.3.2 Security Is Not Interesting to the Regular User 251
10.3.3 Usable Security Is Not Demanded from Vendors 251
10.3.4 Barriers to Necessary Workflow 252
10.3.5 Different Views of Security, from Executive to Architect
to Implementer, Then the User 252
10.4 Principles for Designing Usable IoT Security Controls 253
10.5 The Cause of Usable Security Belongs to All of Us 256
References 256
 Contents xv

Part Three 257

Chapter 11 Earth 2040—Peeking at the Future 259
Damilare Fagbemi
11.1 Whacking at the Future of IoT 259
11.2 The Fascination of Technology Innovation 260
11.2.1 Clairvoyance or Science? 261
11.2.2 Now 261
11.2.3 The Major Types of Change Introduced by IoT 263
11.3 The Evolving Cyber Threat Landscape 265
11.3.1 Threat Agents and Cyberattackers of the Future:
AI and ML 265
11.4 A Vision of 2040 268
11.4.1 Healthcare 268
11.4.2 Agriculture 272
11.4.3 Cities and Homes, Energy, and Autonomous Transportation 275
11.5 The Emergent Future of Cloud Computing 280
11.5.1 Infrastructure as Code 281
11.5.2 Serverless Architecture 281
11.5.3 Elastic Container–Based Cloud 283
11.5.4 Autoscaling 283
11.5.5 Summarizing the Security Advantages of Emergent Trends
in Cloud Computing 284
11.6 Do the Right Thing and the Future Will Take Care of Itself 284
References 285

Epilogue 287
Index 289
Foreword

by Dr. James Ransome

A Little about IoT and Security

The Internet of Things (IoT) involves adding internet connectivity to a system of interrelated
computing devices, mechanical and digital machines, objects, people, and/or animals. Virtually
every aspect of global civilization now depends on or is affected by interconnected cyber sys-
tems. Each “device” is provided a unique identifier and the ability to automatically transfer
data over a network. IoT security architecture concerns itself with designing and safeguarding
connected devices and networks in the IoT. The current explosive growth of the IoT ecosystem
has resulted in the complexity of networked systems as a result of the heterogeneity of plat-
forms and operating systems, multifunction protocols, and ubiquity of network access, result-
ing in an ever-expanding diversity of systems and software. This is giving rise to the attack
surface and risks exponentially increasing in IoT systems. Those risks can be greatly reduced
with secure system design and development. Allowing devices to connect to the Internet opens
them up to a number of serious potential attacks and risks if they are not properly protected.
This is due to factors such as their connectivity, the sensitive data they process, and the com-
pute power that is available via IoT devices.
As the IoT evolves, cybersecurity and the issues associated with it will affect everyone on the
planet in some way, whether it is cyber-crime, cyber-fraud, or cyber-war. It will be important
for this industry to build out substantial product protection and security systems. You must
understand the adversary and weakness in the systems you design by taking a closer look at the
IoT attack surfaces, attack vectors, and breach consequences. Security design and architecture
will be a critical part of this effort.
The proliferation of IoT devices running various kinds of software highlights the concerns
that we can no longer ignore the threats of insecure software because software has become the
lifeblood of the modern world. Core software and hardware security development practices
can significantly eliminate the core factors of risk in IoT security. Reliable IoT applications are
not impossible to achieve; however, it will require that all connected networks remain equally
secure. This can only happen if comprehensive security measures are taken during the initial
stages of architecting, designing, and developing the product and/or application. Hence, the
need for experienced and qualified security architects who, needless to say, are in short supply

xvii
xviii The IoT Architect’s Guide to Attainable Security and Privacy

and the gap for these professionals grow on a daily basis. The IoT Architect’s Guide to Attainable
Security and Privacy was written to help fill this gap. The responsibility falls on all of us who
are security professionals associated with IoT to rethink how we design and build secure prod-
ucts that respond to and defend our IoT infrastructure against aggressive adversaries, as well as
preserve the privacy and build the kind of life we want in our society.

Why I Care about IoT Security

I have spent the last 23 years as a cybersecurity executive since retiring from the US govern-
ment in 1997. In addition to my CISO/CSO roles, I have had several technical leadership roles,
which include Vice President of Integrated Security and Director of Industrial Cyber Security
for CH2M HILL where I was responsible for developing models for converged wired/wireless
network security. In a subsequent position as the Senior Director, Secure Unified Wireless
and Mobility Solutions at Cisco, I co-architected, developed, and marketed the Getronics-
Cisco “Wireless Integrated Security, Design, Operations & Management (WISDOM)” refer-
ence framework that was a productization of the original WISDOM framework developed
as part of my doctoral dissertation titled “Wireless Integrated Secure Data Options Model
(WISDOM) for Converged Network Security.” This resulted in an increase of over $45 million
USD revenue for Getronics and Cisco within a two-year period. I was also an adjunct profes-
sor for an NSA/DHS Center of Academic Excellence in the Information Assurance Education
program as well as the author of eleven books covering various areas of cybersecurity. Most of
my roles and books have centered around the various networks, systems, and technologies that
make up what is now called the Internet of Things. Since the year before I retired from the US
DOE-Lawrence Livermore National Laboratory, I have had a keen interest in Internet security,
particularly the devices and systems that are connected to the Internet.

Why I Believe You Should Read This Book

I have a great passion for the topic of this book and have anticipated its publication since
discussing it with the authors. I have known Damilare and David for several years now as
co-workers and co-patriots in this journey we call cybersecurity. I have great respect for their
work and reputations at both Intel and in the industry at large. Given the technical respect,
knowledge, and integrity they have, when they talk . . . people listen, and when they write . . .
people read with anticipation. They also have a rare and critical skill necessary in the security
industry today in that they know how to use a variation of the KISS methodology, which I call
KYSS (Keep Your Security Simple), while also making it relevant, economical, efficient, and
scalable. Although security is complex in the background, the use experience must be simple
to the user. Keep your security simple or it will be ignored. As an added bonus, David’s wife,
JC Wheeler, joined the team to write Chapter 8, which combined with Chapter 9 would be an
outstanding book on privacy and its relation to IoT security all to itself.
Although this book includes the requisite technical specifications, processes, reference
charts, tables, and diagrams, the storytelling pulls it all together. Most importantly, it is filled
with practical and relevant examples based on years of experience with the technical specs,
 Foreword xix

design requirements, and architectural principles broken up by lively discussions and story-
telling surrounding issues related to IoT security design flaws and architectural issues based
on real-world experiences. This book doesn’t bog you down in complex theories and descrip-
tions but is rather practical and just “what you need to know.” It provides both general and
detailed overviews of IoT security design and architecture principles but also leads the reader
to other books and reference materials for deep dives into complex areas. If you only had one
space on your shelf for a practical reference book for IoT Security Design, this is the book you
need to have.
I thoroughly enjoyed the authors’ holistic and entertaining approach to educating the
reader on the principles of designing secure IoT. Some of the key areas covered that I found of
particular interest that will likely be of interest to you as the reader include:

• The evolution and history of the Internet and IoT.

• Using the castle model as an analogy to describe the various inherent vulnerabilities and
threat vectors for IoT systems and infrastructure.
• Business drivers for both adversaries and security professionals. Philosophical and
business issues are discussed. Since cybercrime is driven by human motives, it is dynamic
and evolving. This means that defenders who build and deploy IoT systems must be just
as nimble and shrewd in their methods of defense.
• Cost-effective, efficient, and scalable design principles for IoT systems focused on the
device, gateway, and cloud layers, with a particular emphasis on how it all works together
to protect and secure edge devices.
• Design principles of IoT security architecture, practical secure system architectural
models, and processes that include threat modeling, analysis, and disposition, threat
mitigation, longevity issues, and focused discussion on Industrial IoT system (IIoT)
architectural and design challenges, including the importance of control loops.
• Architecting for manageability, device trust, end-to-end encryption, longevity, inclusion
of intelligence, and scalability.
• Design principles to secure the cloud to include how the cloud enables and scales to
IoT security, data management and analytics, device management, threat modeling,
and analysis as well as a case study providing practical examples and applications of the
principles described.
• Weakest links that are the things that are accepted threats in the system.
• Pushing security out to the edge and Real-Time Operating Systems (RTOS).
• Connectivity design issues and solutions to include communications, wired versus
wireless, network security, and protocols. The art and a science to secure protocol design
and the case of why you shouldn’t create your own security protocols but instead use
protocols that are well published and standardized.
• Privacy risk, design principles, encryption, and legislation for IoT. Moral and ethical
consequences of risks as a result of the technology related to security and privacy are
covered without any judgment as to whether these issues are good or bad but rather
where the vulnerabilities are and how to mitigate or fix them. Philosophical issues are
also addressed.
• How data becomes personal information, and how personal information grows to
become something more dangerous, known as personal knowledge. The combination of
xx The IoT Architect’s Guide to Attainable Security and Privacy

multiple data sets of personal information and PII together to represent a different class
of information known as personal knowledge. The two chapters on privacy could be a
privacy book in itself.
• Security design principles as they relate to usability. There is an existential tension
between usability and good security. The purpose of security usability is the alleviation
of that tension. If we strive for the utmost security, the system becomes unusable. If
we are too lax with security for the benefit of the greatest usability, the system is soon
compromised and everyone is up in arms. We must find a balance, ensuring that the
security that is implemented is usable.
• Challenges in the provision of usable IoT security controls.
• Eight principles that help you address the security usability challenges that they have
outlined. The principles are not an exhaustive list, but rather a foundation that provides
you with the necessary insight and starter fuel required to build usable IoT security. An
invitation to the reader to extend their list is included.
• How to future proof your security designs in IoT with some forecasted views for some key
sectors such as healthcare, agriculture, smart cities, energy, and transportation as well as
projected future advances and challenges as a result of the evolution of cloud computing,
serverless architecture, infrastructure as code, and autoscaling.
This is done by leveraging the evidence outlined by current trends and technological
advancements to envision future trends and their impact on IoT solutions and their users.
The expectation that artificial intelligence (AI) and machine learning (ML) systems will
emerge as a new form of attacker is also discussed.

I will certainly be recommending this book to all I meet in the technology sector, whether
it be on advisory boards, speaking at conferences, or to clients. The IoT Architect’s Guide to
Attainable Security and Privacy is destined to be a “have-to-have” reference book for all who are
interested in this topic.
— Dr. James Ransome

About Dr. James Ransome

Dr. James Ransome was most recently the Senior Director of Security Development Lifecycle
(SDL) Engineering and the Senior Director of Product Security at Intel and McAfee/Intel
Security, where he was responsible for building and managing product security programs at
both companies. His career has been marked by leadership positions in private and public
industries, including three chief information security officer (CISO) and four chief security
officer (CSO) roles as well as other technical leadership roles. Prior to entering the corporate
world, James had 23 years of government service in various roles supporting the US intelli-
gence community, federal law enforcement, and the Department of Defense.
James holds a PhD in Information Systems, specializing in Information Security, and
graduate certificates in International Business and International Affairs. He developed/tested
a security model, architecture, and provided leading practices for converged wired/wireless
network security for his doctoral dissertation as part of a NSA/DHS Center of Academic
Excellence in Information Assurance Education program. James is a member of Upsilon Pi
 Foreword xxi

Epsilon, the International Honor Society for the Computing and Information Disciplines,
and he is a Certified Information Security Manager (CISM), a Certified Information Systems
Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow.
James is the author of several published books, including Wireless Operational Security, VoIP
Security, Instant Messaging (IM) Security, Business Continuity Planning and Disaster Recovery
Guide for Information Security Managers; Wireless Security: Know It All; Cloud Computing:
Implementation, Management, and Security; Defending the Cloud: Waging Warfare in Cyberspace;
and Core Software Security: Security at the Source. He also developed the initial wireless net-
work architecture, SCADA, Cryptography, and VoIP security leading practices for the Federal
Communications Commission Network Reliability and Interoperability Council Focus Group
on Cybersecurity—Homeland Defense.
Foreword
by Erv Comer, Zebra Technologies

I first became aware of the quality of Dave’s work in security in the mid-1990s. I was lead-
ing a security analysis team at Motorola’s Government Electronics Group in Scottsdale (AZ)
developing cutting-edge “stuff ” for our three-lettered friends when we first met. The com-
munity of security practitioners and designers was a small crowd, and we followed strict
need-to-know protocols, which limited interaction, but things always seemed to be happening
when Dave was involved. Happening for the better. A few years later designing the Internet
in the Sky, I had the immense pleasure of working alongside a remarkable engineer with a
devout passion for security—Mrs. JC Wheeler. I’d connected at a professional level with a
couple holding a passion for security that I thought only I possessed. Our friendship has never
waned over the years. We continue to pursue the engineering discipline of security that we so
intensely enjoy.
Although I was honored to be asked to write this Foreword, I honestly didn’t believe I’d
learn much from the book. However, experience had taught me that Dave and JC had some-
thing robust otherwise they would not be seeking the scrutiny of a security practitioner. I’ve
worked with the National Security Agency (NSA) in the development of their System Security
Engineering CMM, obtained my Master’s Degree in Engineering with a thesis on security
for product development, reduced all the academia and theory to practice at Motorola across
nine global business units within the past 15 years, and recently reincarnated the whole thing
at Zebra Technologies—a leader in the IoT mobile computing space.
This book conveys to the reader a great understanding of IoT security methods and prac-
tices that must occur in order to properly account for security within the IoT operational
environment. The IoT space is large, but the concepts and methods revealed are applicable
across the entire space. End points, edge services, and clouds all come into play. The archi-
tectural views, in combination with the iterative security/privacy threat analyses, reveal abuse
and misuse cases not easily recognized when analyzing from a single point of view. The robust-
ness of the design is strengthened as the process builds upon itself, with designers becoming
security conscious of their own designs. Toss in concerns over privacy, regulatory constraints,
and analytic feedback channels and the security analyses will take a different route, yielding
more insight. Change a few technology or environmental variables and completely different
results emerge.

xxiii
xxiv The IoT Architect’s Guide to Attainable Security and Privacy

There is an absolute treasure trove of information within this book that will benefit anyone,
not just the engineering community. This book has earned a permanent spot on my office
bookshelf because of the wealth of content it provides.
— Erv Comer, Fellow of Engineering, Office of Chief Architect
Zebra Technologies
Preface

This book describes how to architect and design Internet of Things (IoT) solutions that provide
end-to-end security and privacy at scale. It is unique in its detailed coverage of threat analysis,
protocol analysis, secure design principles, intelligent IoT’s impact on privacy, and the effect of
usability on security. The book also unveils the impact of digital currency and the dark web on
the IoT security economy.
We wrote this book not only to be a valuable security and IoT architectural resource for
you but also to be an enjoyable read. With that in mind, we’ve added personal experiences,
scenarios, and examples designed to draw you in and keep you engaged.

Why This Book?

When we purchase a book, we are looking for new insights. Being security architects at Intel,
in addition to our combined experiences at McAfee, Honeywell, Motorola, and General
Dynamics, our work has afforded us the unique opportunity to be involved in hundreds of
diverse IoT and other Internet-related product releases. This depth and breadth of exposure has
provided us with a deep understanding into what works, what doesn’t, and why. It’s provided
us with insights into the future of technologies that are shaping IoT, and insights into the secu-
rity of IoT and networked systems. It’s given us a knowledge of the security solutions that scale
well, the vulnerabilities that are likely to creep into IoT systems, and the assurance practices
that significantly reduce risks without overburdening teams. Its these insights and design prac-
tices that we have put into this book. Your success as an IoT innovator is important to society,
so you bet it’s important to us.
Please visit our blogs, listed in our biographies below, for additional examples, detailed
analyses, and discussions.

Who Would Benefit Most from This Book?

If you have a vested interest in IoT systems that preserve security and uphold privacy, this book
is for you. The primary beneficiaries are IoT architects (security, system, software, or solution

xxv
xxvi The IoT Architect’s Guide to Attainable Security and Privacy

architects), and IoT strategic marketing. Executive managers and policy makers will also bene-
fit from its insights.

Topics at a Glance
• The fundamental components of an IoT system.
• The architecture of IoT systems, how they differ from other client-server and cloud-
based systems, and why are they architected the way they are.
• The security-mindset and secure design principles required to build secure systems
and communicate effectively with customers, architects, and designers.
• The motivation and methods of cybercriminals.
• The IoT Security Economy, dark web, dark money, and digital currency.
• IoT attack vectors—how IoT systems are attacked.
• How to perform a threat analysis and construct countermeasures to protect a system,
whether that is an IoT, cloud, or some other system—including detailed examples.
• A broad survey of common and not-so-common IoT communications protocols, and
the roles of wired and wireless communications in IoT system.
• How to perform a protocol analysis—analyzing a protocol for security and finding
security vulnerabilities in protocols, including a detailed example.
• Artificial Intelligence and Digital Privacy—the privacy impacts of combining AI and
IoT; featuring scenarios for an autonomous vehicle ecosystem and smart refrigerator.
• Digital privacy laws and regulations and how they impact IoT architectures.
• A Privacy Playbook to mitigate unnecessary exposure of personal data.
• Designing Usable IoT Security—principles for building user-friendly security controls
into IoT systems.
• The future evolution of the Internet of Things and AI, the impact on our lives, the
security consequences we must prevent . . . starting now, and the responsibilities we all
share.
Acknowledgments

We humbly acknowledge that we could not have written this book alone. Writing is a journey
that can often be fun, and at other times, it can be grueling. It is a journey that is only possible
with the help and support of family, friends, mentors, and colleagues.
First and in every sense above all, both authors would like to start by thanking God, with-
out whom we truly believe we would not be.
We would like to thank our editor John Wyzalek at Taylor & Francis, who shared our
vision for this book and was a patient and supportive advocate throughout the project. We
would also like to thank the stellar production team at DerryField Publishing Services who
have worked tirelessly to make our vision a reality: Theron Shreve and Marje Pollack.
Many thanks to James Ransome (Senior Director of Security Development Lifecycle [SDL]
Engineering at Intel), Brook Schoenfield (Director of Advisory Services at IOActive, previ-
ously Master Security Architect at McAfee, and author of Securing Systems: Applied Security
Architecture and Threat Models), and Erv Comer (Fellow of Engineering, Office of Chief
Architect at Zebra Technologies), for their support with this project. We are also very grateful
to JC Wheeler who through a fascinating chapter contribution, shed new light on the digital
privacy debate and the privacy risks of a world powered by the IoT, as well acted as a technical
reviewer and editor for many other chapters.
Finally, we would like to thank our mentors and peers in the engineering and security com-
munities who we so deeply appreciate. As that wonderful saying teaches, “If you want to go
fast, go alone. If you want to go far, go together.”
— Damilare D. Fagbemi and David M. Wheeler

It is with a joyful grin that I say these heartfelt thanks to my beloved wife, AtTIyah, Papa and
Mama, and the famous five: AtTIyah, you were a loving stalwart even before you were mine.
You said, “I’m waiting for Chapter 1,” and with that, we were on our way. Papa and Mama,
somehow you kept me alive, continually investing in my education so I could learn to read and
. . . write. The famous five, our famous five, we could scarcely have known that all those novels
we shared and all those precious moments we enjoyed would take us down these paths, and
into the stories and tales of far far away.

xxvii
xxviii The IoT Architect’s Guide to Attainable Security and Privacy

A special thanks to James Ransome, Brook Schoenfield, Rotimi Akinyele, Antonio Martin,
and Marcus Lindholm. It is because of priceless people like you that I find myself believing that
all security professionals must be wonderful people.
— Damilare D. Fagbemi

Thanks to my family for their support and patience while I was consumed with this long and,
at times, arduous project! To my wife, you always bring out the best in me and enable me to
achieve more than I could have imagined—I am so blessed to “do life” with you.
Thank you to my mentors at Intel—Brendan Traw, Baiju Patel, Lori Wigle. I value the time
you gift to me and your examples of integrity and selfless leadership. I have learned as much
from watching you as I have from our conversations. And to Dr. Jesse Walker, thank you for
imparting your invaluable insights in protocol analysis and cryptography to me; you may never
really know how that reignited the researcher in me.
A heartfelt thanks to all my technical peers and colleagues at Intel. Through our inter-
actions and work each day, I learn so much. There is insufficient space to adequately thank each
of you. Among these, I must acknowledge Geoffrey Cooper, Tony Martin, Brent Sherman, and
the late and beloved George Cox.
To my friend (and JC’s mentor) Dr. William T. Scott, thank you for the many lunches and,
of course, evenings shared over good wine with you and Sue, talking about security and com-
munications. That has shaped this book in ways you could not have imagined.
— David M. Wheeler
Another random document with
no related content on Scribd:
 The processes in so far as lead enters can best be divided into—
(1) Glaze; (2) decorative.
1. Glaze Processes.—The charge of glaze is made by weighing
out and mixing carbonate of lead with the necessary silicates and
silico-borates in the lead house or mixing-room, where wet grinding
prepares the mixture for the dipping-tub. “Putters-up” hand the ware
to the dipper, from whom “takers-off” place it on boards for removal
to the drying still, or place it (in large works) directly on to the shelf of
an appliance known as a “mangle,” in which an endless chain carries
the ware through a heated chamber. Subsequently superfluous glaze
has to be removed from the base, rims, and not infrequently also
other parts of the articles. This ware cleaning is performed with a wet
sponge or flannel, either while the ware is still moist or by scraping,
the particles removed dropping into a vessel of water; or, if the glaze
is dry, over a grating provided with exhaust draught. The ware is next
removed by the glost-placer on boards, and each piece is separately
placed by him in the sagger (fireclay receptacle) and carried into an
oven to be fired.
2. Decorative Processes.—Majolica painting is the application of a
coloured glaze rich in lead by means of a brush. Ground-laying
consists in dusting powdered enamel colour on to a pattern first
printed on glazed ware with an oily medium. Colour dusting differs
from the same only in detail.
Aerographing (colour blowing) is the blowing on to the ware, by
means of a jet of compressed air, coloured glaze, or enamel colour
held in suspension in oil or other liquid in a glaze kettle or aerograph
instrument.
Dangers.—Apart from risk inseparable from, and increased by,
defective lighting, uneven floors of wood or brick, collection of dust
on benches and floors, and the risk entailed in the sweeping of these
even when watering is practised, and lack of care and attention to
detail on the part of the worker, the following special dangers are
incidental to the various processes: In dipping the glaze (except in
tiles, where the surface only is allowed to touch the liquid), splashes
on to the face and overalls of the dipper, “hander-up,” and “taker-off”
(dipper’s assistants), and “threader-up” (in the case of china
furniture), especially when, as with plates, there is much shaking of
the ware. These splashes dry, and the overalls may become so
coated with glaze that every movement, such as carrying boards or
leaning against the mangle, crumbles it off as dust into the air. As the
dipper shakes the ware, some of the drops are disseminated into the
atmosphere as a fine spray. In ware cleaning the work may have to
be done so rapidly that it is difficult always to observe proper care,
and the worker is tempted to withdraw the article from the range of
the exhaust. Sometimes a ware cleaner is seen blowing away with
her mouth dust lying on the ware.
Dipping-boards, unless freed from adherent glaze by washing after
use, create dust whenever ware is placed on, or removed from,
them, when they are handled and placed on or taken off the stillage
bars, and when they are stacked. Persons gathering at the mangle
are exposed to dust if there is any outward current of air from it. The
glost-placer raises a slight amount of dust as he takes the ware from
the board and places it in the sagger. The dangerous practice
formerly almost universal of rubbing the bottoms and rims of cups,
etc., either together (without use of an exhaust) or rubbing them on a
piece of leather fixed round the chest, is generally replaced by
removal of the glaze on a moist piece of flannel, but it is still possible
to find men doing it in outlying potteries. In majolica dipping and
painting (apart from the obvious risk of splashing and contamination
of the hands), danger arises mostly from scraping the edges and
under surfaces of the tiles on to which glaze, when applying the
background, has overflowed. The amount of glaze so removed is
considerable, and if it is not all caught in the trough of water, the floor
becomes an added source of danger.
In all the decorative processes—ground-laying, aerographing,
colour-dusting, and grinding of colours for aerographing, etc., the
danger is one solely arising from dust.
Prevention.—Meticulous attention to detail, not only in the
provision, but also in the maintenance, of the locally-applied exhaust
ventilation, alone can allay the danger in the processes to which dust
is incidental, such as ware cleaning, gathering at the mangle, glost-
placing, and the decorative processes. The Lead Committee
considered that, as there was no rapid method of testing the actual
degree of moisture, exhaust ventilation might be required in the case
of ware that was not cleaned within fifteen minutes of the application
of the glaze. Such a requirement would prevent the practice now
prevalent of painting as many as three dozen tiles, piling them one
on top of another, and then proceeding to the operation of scraping.
No danger attaches to removal of glaze with a damp sponge or
flannel, but means must always be at hand for washing and damping
them. In the dipping-house, (a) impervious floors should be provided,
which could be washed down so as to prevent the risks from
sweeping, and from glaze drying, and being raised as dust; (b)
partial covering of the dipping-tub to prevent splashing and spray;
and (c) substitution for the overalls at present worn by persons in the
dipping-house, glost-placers, millers and mixers of glaze, majolica
paintresses, and others, of overalls of some light waterproof material
which could be sponged, or of aprons of waterproof material worn in
front of the overalls. Dipping-tubs and walls and floors in close
proximity to them can with advantage be painted red. Dipping-boards
should be washed with clean water after every time of use.
Automatic machines for washing and scrubbing boards are in use in
some factories.
To reduce risk or remove the danger of lead poisoning in this
industry, use of low solubility glazes or of leadless glazes are
advocated. On this point the Lead Committee say: “The effect of
melting the lead with silicious matter amounts to imprisoning it in
such a manner as to render it less liable to the action of the acids
which it meets in passing through the human body, and in
consequence largely reduces the likelihood of its absorption into the
blood. If the frit is properly compounded, all but a small fraction of
the lead is rendered insoluble, and glazes so made are spoken of as
‘low solubility glazes.’ The finished glaze generally contains from 12
to 22 per cent., or more, of lead oxide, but after the process of fritting
with sufficient silicious material only from 2 to 5 per cent. remains
soluble.”[A]
[A] Raw lead comprises red lead, white lead, and litharge. If introduced in
this form as a constituent of glaze it is soluble in dilute acids. If, however,
the raw lead is fluxed by heating with a part or the whole of the silica, it is
converted into “fritted lead.” The solubility of the frit depends upon the
relative proportions of material taken. Thorpe[23], as a result of numerous
 analyses of lead silicates (after determining their solubility as regards lead),
both simple and complex, in use in the potteries and on the Continent,
found that the quantity of lead dissolved had no necessary relation to the
quantity of lead in the silicate. “Primarily and in the main the insolubility of
the lead depends not upon any one oxide or group of oxides, but upon the
maintenance of a certain proportion between the whole of the basic oxides
on the one hand and the whole of the acidic oxides on the other. If the value
of ratio bases/acids is higher than, or approximately equal to, two, the
amount of the lead extracted is small, but if it fall much below two, the
quantity of lead dissolved begins rapidly to increase.”

On the subject of the use of leadless glazes, the Committee

conclude that in all classes of pottery ware a great many articles can
be manufactured in a very high state of perfection, with reduction in
the cost of production of certain classes of common ware, such as
jampots and Persian painted ware; but that in certain other classes,
owing to the excessive number of “seconds,” their use would entail
increased cost or sacrifice of quality, so much so as to involve loss of
important markets; and, finally, that certain kinds of ware, in
consequence of difficulties relative to accuracy in reproducing old
patterns, colours, or methods of decoration, cannot at present be
made at all without use of lead.
In the case of manufacturers who are able to conform to the
Thorpe test of low solubility—i.e., glaze which yields to a dilute
solution of hydrochloric acid not more than 5 per cent. of its dry
weight of a soluble lead compound, calculated as lead monoxide
(PbO)—important relaxation of certain special rules are allowed,
such as limitation placed on the employment of females and young
persons, and periodical medical examination of the workers.
H. R. Rogers[24], one of H.M. Inspectors of Factories, Stoke-on-
Trent, has worked out a simple test to show approximately how
much lead has been used in the glaze of a piece of pottery. Thus, by
treating glazes with hydrofluoric acid for forty seconds, absorbing the
liquid with filter paper, precipitating the lead on the paper as the
sulphate, dissolving out the sulphate soluble in water, and then
precipitating the lead on the paper as sulphide, stains are produced
varying, in depth of colour, according to the proportion of lead in the
glazes concerned (see Plate IV.).
 Briefly summarized, the recommendations of the Potteries
Committee in regard to the processes are—
Manufacture of Glazes.—No handling of white or red lead without
at least 5 per cent. of added moisture, and no weighing out, etc., nor
employment in the room, to be allowed within thirty minutes of such
weighing out, etc., without the wearing of a respirator.
Lawning—i.e., straining glaze so as to remove insufficiently
ground material through a fine lawn sieve—to be done by an adult
male only, except where less than a quart of glaze is lawned.
Dipping.—Impervious floors sloped towards a drain to be cleaned
by an adult male, after work has ceased, with a jet of water and a
mop. Walls adjacent to dipping-tubs to be tiled or painted with
washable paint, and cleaned daily. Dipping not to be done where
artificial light is necessary during hours of daylight.
Threading-up and Thimble-picking to be done in a room
sufficiently separated from any place where scheduled processes
are carried on.
Drying Ware after Dipping.—The same requirement as to floors as
in dipping-house.
Boards.—To be cleaned with clean water by an adult male after
each time that dipped ware has been placed on them and before
subsequent use. Boards for use in lead processes to be painted red
at the ends.
Mangles.—Ventilation to be so arranged as to maintain a flow of
air into the hot chamber from the workroom. Mangle shelves to be
thoroughly wet cleansed once a week.
Ware Cleaning.—Local exhaust ventilation to be applied except
when the process is carried on entirely with use of wet materials
(damp sponges, etc.), or when done within fifteen minutes of
application of glaze. Troughs to be provided to collect glaze, and to
be cleaned out and supplied with fresh water at least once a week.
The floors and standard of lighting to be the same as for the dipping-
house.
Glost-placing.—Boards to be treated as already described. Floors
to be impervious. Women, young persons, and children to be
excluded, except that women to be allowed to place china furniture
and electrical fittings.
 Majolica Painting and Mottling.—A sponge and clean water to be
placed beside each paintress; special washing accommodation in
the painting-room or adjoining it; splashes to be removed
immediately by wet sponging. Work-benches and floors to be subject
to the same conditions as potters’ shops.
Flow Material—i.e., the substance usually containing much lead in
the form of powder and placed in the sagger to cause certain colours
applied to biscuit ware to run slightly—to be weighed out in front of
an exhaust draught and delivered to the glost-placer by an adult
male.

PLATE IV

Fig. 1.—No Lead used. Fig. 2.—Fritted Lead used.

0·9 per cent. solubility.
Fig. 3.—Fritted Lead used. Fig. 4.—Fritted Lead used.
1·5 per cent. solubility. 5·0 per cent. solubility.
13·9 per cent. total lead. 5·0 per cent. total lead.

Fig. 5.—Raw Lead used. Fig. 6.—Raw Lead used.

19·4 per cent. solubility. 44·1 per cent. solubility.

19·4 per cent. total lead. 45·2 per cent. total lead.
 Fig. 7.—Rockingham (Raw Lead)
used.
50·9 per cent. solubility.
50·9 per cent. total lead.

Ground-laying, colour-dusting, and aerographing to be done under

locally applied exhaust ventilation. Proper receptacles to be provided
for cotton-wool used and waste cotton-wool to be burnt. No short-
sighted person to be employed to do either glaze or colour blowing,
unless wearing suitable glasses, and certificate to this effect to be
entered in the Health Register.
Litho-Transfer Making.[25]—Transfers for the decoration of
earthenware and china are made in special factories, of which there
are seven, employing 257 persons. The patterns are impressed in
the ordinary chromo-lithographic fashion, but as the enamel colours,
containing high percentages of lead, are dusted either mechanically
in the machine, or by hand by means of a pad of cotton-wool, danger
from dust is great in the absence of maintenance of a negative
pressure inside the dusting machine and an efficient exhaust draught
behind the bench where the final dusting with flour, to remove the
superfluous colour, is done. In one factory, before a fresh colour was
applied to the adhesive pattern on the sheets, the machines had to
be cleaned as far as possible of the previous colour used. To do this
it was necessary for the attendant to enter a closed chamber at the
back of each machine, so as to supply the powder to the hoppers
which feed the rollers, or to clean them by means of a brush,
sometimes as often as every half-hour. The upward exhaust
ventilation applied to the interior of the machine tended to draw the
dust created in brushing past the worker’s face, and led to severe
incidence of poisoning. The remedy suggested by Pendock[26] was
to dispense altogether with the need for entering the chamber, to
maintain a slight negative pressure inside the machine by downward
exhaust, and to remove the dust by means of a small vacuum
cleaning plant.
At the same factory the flouring bench was in the same room as
the machines, and the locally applied exhaust drew its air-supply
from the general atmosphere of the room. Apart from faulty
arrangement of the exhaust ducts leading to effects of too local a
character, dust was drawn from other parts of the room, including the
machines, so much so as to necessitate frequent cleaning of the
glass hoods. Poisoning among those employed in flouring occurred.
To remedy this, an air-grid with curved inlets at intervals of 2 inches
apart, leading into a trunk in connection with a fan, was placed along
the back of the bench and under the top of the glass hood. In order,
however, that its action should not interfere unduly with the general
ventilation of the room, but be, in large measure, independent of this,
a somewhat similar grid, introducing air from the street outside, was
fitted along the front of the bench. The whole arrangement was
operated by one suction fan. Ten cases occurred in this factory in the
year before this arrangement was carried out. In the three years
since, three cases only have been reported. In the ten years 1900-
1909, 48 cases were reported among 257 persons employed.
Vitreous Enamelling.[27]—Surfaces, such as sheet iron for
advertisement signs, cast iron for baths and gas stoves, copper for
copper letters and tablets, brass for jewellery, and glass for lettering
and decoration, are treated with glaze or enamel colours, which,
either in the mode of application or subsequent treatment before final
vitrefaction, give rise to dust.
 In the manufacture of advertisement signs, glaze is swilled on to
the sheet of iron. After drying, it is fired or vitrified, and upon this
surface as many other coats of glaze are applied as may be wanted.
As soon as the colour is dry, lettering is effected by brushing away
the dried (but not fired) glaze exposed through stencils.
Dangers and Prevention.—Exhaust ventilation for the removal of
the dust is essential, but it is, unfortunately, unable to draw the dust
away when brushing is done at a distance of more than about 18
inches from the exhaust opening. And some of the plates required
are very large. No exhaust-pipe has yet been invented which will
follow the hand of the worker without impeding movement. In
consequence of severe incidence of poisoning, mainly on young
women who do the work of brushing, when the process was first
introduced with enamel glazes containing from 15 to 75 per cent. of
lead, manufacturers quickly turned their attention to use of enamels
free from lead. For this class of work they appear to have been
entirely successful, and now lead poisoning is almost a thing of the
past. Thus, of 122 samples examined in 1910 from factories claiming
exemption from the regulations by reason of the use of enamels
containing less than 1 per cent. of lead, excess was found in three
only[28].
Porcelain Enamelling.—The cast-iron bath or stove is heated
to redness in a muffle furnace. On withdrawal from the furnace it is
placed by the helpers on a table capable of being turned in every
direction. Enamel powder is then dusted on to the heated metallic
surface through a sieve attached to a long wooden handle, held by
the duster, who protects himself from the intense heat by a mask and
an asbestos cloth covering.
Fig. 12.—The first glaze is sprayed on with an aerograph. The portion of the stove
to be glazed is shown on supports on the sliding table, which is half out of the
cabinet. When the casting is fully in the cabinet, the end piece and the centre
piece close the cabinet sides, and, fitting on a felt beading, make an air-tight
joint. The spray, shown in front of the cabinet, is worked through the holes in the
glass front. Exhaust is provided at the top.

Dangers and Prevention.—The heated column of air carries up

much of the powdered glaze as it is unevenly distributed by jolting
the handle of the receptacle, and in the absence of very efficient
exhaust ventilation this dust will, as the current of air strikes the roof
and cools, fall down again. The hood placed over the bath must have
steep sides and be brought down as low as is possible without
interfering with work, and the duct leading to the fan must be
unusually wide, so as to be able to cope with the up-rush of heated
air. If the sides of the hood be shallow, not only will the dust fail to be
removed, but the hood itself may become so hot as noticeably to
increase the discomfort from heat to which the men are exposed
during the three or four minutes, five or six times an hour, that the
dusting operation lasts. A method has been patented by M. Dormoy
of Sougland[29], Aisne, France, for carrying out automatically in a
closed chamber the process of dusting on to small red-hot castings,
such as are required in the manufacture of stoves. It is not applicable
for baths.
Occasionally, in the case of small castings, again, the enamel is
sprayed on by means of an aerograph. For this excessively
dangerous process we have seen simple and ingenious devices for
carrying it on quite safely in a space under negative pressure, and
covered in except for the necessary openings through which to work
the spray (see Figs. 12, 13, 14).[A]
[A] The cabinets have been patented by Messrs. Wilsons and Mathiesons,
Ltd., Leeds, by whom they are made and supplied. Since using them there
has been no trace of illness among the persons employed.
Fig. 13.—After firing the casting is lifted out for treatment with dry glaze, which is
sprinkled on with a sifter shown on the table. The turntable enables the operator
to manipulate the red-hot casting more easily.

White enamel powders free from lead are used entirely by some
firms, but the black and coloured enamels on stove grates contain
lead. A frit analyzed in the Government Laboratory was found to
contain 26·66 per cent. of lead oxide. The fact that all the lead used
is in the form of a silicate, even although the silicate is readily soluble
in dilute acid, tends, we believe, to cause incidence of poisoning to
be less than might have been expected from the amount of dust
often present in the air, and attacks, when they occur, to be less
severe, as a rule, than they would be were raw carbonate of lead
alone used. For the arduous work entailed the men are specially
selected. Despite their exposure to lead dust, the majority continue
to work for many years without marked signs of lead absorption. The
management should provide a suitable room for the men to cool
themselves in the intervals of dusting.
Fig. 14.—The cabinet is shown when dry dusting is being done. The casting is
worked by tongs through a slot in the side of the cabinet (not seen), while the
worker dusts the casting with his arms through the two front holes. He can see
his work through the square pane of glass. (Photographs kindly made by Mr. F.
W. Hunt, Leeds.)

Manufacture of Electric Accumulators.[30]—Electric

accumulators are secondary batteries which serve for the storage of
electricity, in order to allow of a current when desired. A primary
battery is one in which the materials become exhausted by chemical
action, and, unless a portion or the whole of the materials is
renewed, fails to supply electricity. The secondary battery becomes
exhausted in the same way, but the chemical contents are of such a
nature that it is merely necessary to pass a current of electricity
through the battery (charging) in order to recharge them. In the
accumulator battery the positive element is peroxide of lead, and the
negative element spongy lead. The elements—several positive
connected together and several negative—are placed in dilute
sulphuric acid contained in vessels of glass.
The form of accumulator in almost universal use now is the pasted
plate, but it varies greatly in size, according to the use for which it is
required. It may be either large, to act as an equalizer or reservoir of
current in electric-lighting installations, or quite small for ignition
purposes in motor-cars. The litharge smeared on to one plate
becomes converted into the positive element, peroxide of lead,
during what is called the “forming process” (passage of the electric
current through the dilute sulphuric acid solution in which it is
placed), and red lead smeared on to the other becomes spongy lead
to form the negative.
The industry gives employment to about 1,200 persons. Plates are
first cast in moulds from a bath containing molten lead or of lead with
admixture of antimony. Irregularities in the plates so cast are
removed by a saw or knife (trimming), and sometimes filed or
brushed with a wire brush. The interstices in the plates are next filled
in by means of a spatula with paste of litharge or red lead, as the
case may be, which has been previously mixed either by hand at the
bench or in a special mechanical mixing machine. After drying, the
plates are removed to the formation room to be charged. To allow of
the passage of the current, positive elements are connected
together, and negative also, by means of a soldering iron or, more
frequently, of an oxy-hydrogen blowpipe flame. After formation is
complete the plates have to be built into batteries, or “assembled.”
Tailpieces, technically known as “lugs,” have to be connected with
each plate, effected usually by the oxy-hydrogen blowpipe flame.
Finally, a connecting bar of lead is cast on or burnt on to the lugs.
Dangers and Prevention.—In casting, danger is mainly from
dust in depositing the skimmings, and from fume also when old
accumulator plates are melted down. For these reasons exhaust
ventilation over the melting pots should be provided, embracing also
(by branch ducts if necessary) the receptacles into which the lead
ashes are thrown. In mixing and pasting, the danger is from dust of
oxides of lead to be controlled (see Fig. 6) by—(1) Exhaust
ventilation by branch ducts protecting (a) the barrel from which the
material is scooped, (b) the mechanical mixer into which the weighed
quantity of oxide is discharged, (c) the bench at which the mixing by
hand is done; (2) dampness of benches and floor to prevent raising
of dust either by manipulation of the (often) heavy plates or trampling
into powder the paste which may fall on the ground.
In assembling or putting together of the formed plates, and in
earlier stages of the manufacture also, filing or use of a wire brush
causes production of metallic lead dust and of the oxides when the
brush touches them—a danger only to be met by exhaust ventilation.
How far the poisoning to which the lead burners engaged in
assembling plates is attributable to lead fume, produced by the high
temperature of the blowpipe flame, and how far to handling (with
inevitable dislodgment of dust) has not been satisfactorily settled.
Incidence of poisoning on this class of worker in the past has been
marked.
Generally there is need for impervious floors, solidly built, so as to
prevent vibration and the raising of dust from passage of trolleys
conveying the heavy plates. Gloves are frequently provided, more to
protect the hands from contact with the sulphuric acid used in
making the paste and jagged edges of the plates than as a
preventive of lead absorption.
In the 10 years 1900-1909 incidence, according to precise
occupation, has been—Casting, 33; pasting, 114; lead burning, 69;
and assembling the plates, etc., 69.
Glass-Cutting.[31]—Red lead enters largely into the mixture of
raw materials for the manufacture of glass. Flint glass, for instance,
contains 43 per cent. of lead. The raw materials (white sand, red
lead, and generally saltpetre) require to be very carefully mixed, and
a few cases of poisoning have been reported from the dust raised in
sieving. One man works the sieve, resting on two runners across the
bin, while another shovels the mixture into the sieve. The operation
is not a continuous one, and respirators have principally been relied
on to protect the workers. It should be possible to carry out the
mixing operations in a dust-tight closed apparatus.
Poisoning from lead fumes generated in a glass furnace is
unknown. Lead poisoning used to be common in the process of
polishing cut glass on a brush by means of “putty powder” (oxide of
tin, 29 per cent.; and oxide of lead, 71 per cent.), mixed with water to
the consistency of a paste. The brush was made to revolve at high
speed, with dissemination of the putty powder as a fine spray into
the atmosphere of the workroom. Although rouge and oxide of iron
have replaced putty powder to some extent—especially for the
polishing of the bevelled edges of plate glass—no substitute can at
present be found to give the final lustre and brilliancy required in the
case of cut glass and in certain kinds of high-class work, such as
polishing lenses.
Locally applied exhaust ventilation has robbed the process of its
dangers. Pyramidal-shaped hoods enclose the spindle and putty box
and brush before which the workman sits. The draught of the fan
prevents escape of spray. The lad who feeds the brush with putty
powder stands at the side, and in our experience his cap and clothes
are now free from signs of splashing. Formerly the polishing was
done by each man at his own berth, thus endangering the health of
all working in the vicinity, as the custom of the trade is that the same
man carries through the work both of cutting and polishing. Polishing
occupies only about a fifth of a man’s time, and it has now, owing to
the position of the fan, to be carried out in one particular part of the
room.
Dr. D’Arcy Ellis[32], Certifying Surgeon for the Stourbridge district, has described
the processes as formerly carried out:
“The mixture of lead and tin is heated over a bright fire in a shallow iron pan. As
it melts, the top scum which forms is skimmed off, dried, pounded to a powder in
an iron mortar, and afterwards sieved. The person who does this work always
suffers more or less. He usually protects himself by wearing a respirator—there is
a good draught at the flue, and the sieve is enclosed in a box—but there is always
a certain amount of dust. This putty-powder is used on the wooden wheel, and is
dabbed on the wheel as it revolves. All good bold work can be polished in this way,
and there is not much risk to the workman, as the speed at which the wheel
revolves causes the mixture to cling and not fly about. This process does not
answer for any fine work, so it is contended; and to enable this kind of work to be
properly polished brushes made of bristles are used. They are mounted on an iron
spindle, and are usually about 6 inches to 7 inches in diameter, with a face of 1
inch to 1¹⁄₂ inches broad. They are driven at a speed of about 2,000 revolutions a
minute. The putty powder is applied to these brushes (which are of various sizes)
in the same way as to the wooden wheel—that is, by dabbing it on. For smaller
work, such as tumblers and wine-glasses, the workman applies the putty mixture
himself, holding the glass against the brush with his right hand, and using his left
underneath to apply the mixture. Where, however, larger work has to be done in
which the workman cannot manage with one hand, the service of a boy is called
in, who does what is called the ‘feeding up.’ This boy stands partly in front and
partly at the side of the brush, and applies the mixture with one hand with the wisp
of straw. In this position the boy gets splashed with the putty mixture which flies off
the brush, and it is generally believed by the workmen to be the most dangerous
occupation. At one time—not very long ago—all the various processes of the work
were done indiscriminately in the workshop, and consequently the men were
frequently found working in a perfect haze of fine dust, which had been thrown off
from the brushes. There was no attempt made to separate and detach the less
injurious part of the work, such as the roughing and cutting, from the general
workshop, the lead polishing only occupying about one-fifth of the workmen’s time.
After the glass has been polished by the putty it is taken away to another
department, where girls are employed as 'wipers out.’ They take the glass with the
dried putty upon it, dip it into a basin of water, and then wipe it dry. Some of these
girls have been known to suffer from lead poisoning.... Drop-wrist was frequently to
be seen—in fact, there was hardly a workshop in the district in which cases of
wrist-drop could not be found. They were all anæmic, and the albuminuric and
prematurely aged were frequently met with.”

In this small industry in the past the poisoning must have been
considerable. In 1898 nineteen cases were reported. Reference to
the table on p. 47 shows that the number now is greatly reduced.
Those reported are generally cases which have ended fatally from
the sequelæ of lead poisoning contracted many years previously.
Stained-glass painting—a form of vitreous enamelling—very rarely
gives rise to poisoning, as no dust is generated (see vitreous
enamelling for use of aerograph in glass-painting).
Paints and Colours.[33]—Most of the cases have occurred in
the manufacture of white-lead paint, although manufacture of
chromate of lead and of Brunswick greens (barytes with which
Prussian blue and chrome yellows are mixed) account for several.
The following table shows the precise occupation of persons
affected, the number of cases distributed according to precise
occupation, and the proportion of these to the total in 225 cases
which were closely examined:

Precise Occupation Number Proportion

of Person affected. of Cases of Cases
 in each to Total
Subdivision. (per Cent.).
Mixing and grinding (mainly of white lead) 144 64·0
Packing (mainly of red lead) 19 8·4
Sieving 2 0·9
Manufacture of chrome yellow 22 9·8
Colour house and filters 16 7·2
Painting and stencilling 6 2·7
Other processes 16 7·0

Knowing the conditions of work, we can confidently assert that the

poison must have entered the system in the form of dust in at least
90·0 per cent. of the cases, and in the remainder the possibility of
dust having been the cause is not excluded.
In a small factory the cask of white lead is broken and the material
scooped out into a pail. Scales are at hand, and when the amount of
lead removed weighs half a hundredweight the contents of the pail
are discharged either into a cylindrical pug-mill or into the pan of an
edge-runner to be mixed with oil. In large factories the dry white lead
is generally shovelled directly from the cask down openings or
shoots in the floor to the grinding mills below.
Dangers and Prevention.—Dust arises in unheading the casks
from the displacement of air following the scooping or shovelling out
of the lead, in filling the pails, and in discharging the lead into the
mill. All points should, and can, be adequately protected by locally
applied exhaust ventilation at each one of the points enumerated. A
telescopic arrangement of the branch duct in connection with the
barrel enables dust generated in scooping out to be removed as the
contents of the barrel get lower and lower (see Fig. 15).
 Fig. 15.[A]

[A] Fig. 15 shows the arrangement for preventing dust at every point where
it is produced in a factory where dry colours are ground, sifted, and packed
on a large scale. On the upper floor, the chamber is shown in which the
contents of a cask are tipped down a shoot leading in the one case to the
burr stone mill on the left, and in the other into the Blackstone sifters.
Exhaust is arranged at two levels to catch the dust arising from the
displacement of air. After grinding in the closed-in burr stone mill, a hood
and duct is arranged over the point where the material is discharged into
the barrel. Similarly, the casing of the two Blackstone sifters is connected
with the exhaust fan, and also the cover of the barrel into which the ground
material falls. Inside the edge-runner (the door of which is shown open) a
negative pressure is maintained, and one branch duct controls the dust in
the scooping out of the material from the barrel, while another is connected
to the cover of the receptacle into which the ground material is discharged.
Tapering of the ducts, tangential entry of branches, fan-box, and collecting
filters, are all shown. In the factory in question there are four edge-runners,
three burr stone mills, and two Blackstone sifters. Altogether exhaust
ventilation is applied at twenty-five points. (Drawing kindly supplied by the
Sturtevant Engineering Company, Limited, London.)