
Orchestrating and Automating Security for the Internet of Things: Delivering Advanced Security Capabilities from Edge to Cloud for IoT

  • Copyright 2018
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 1008
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-475694-0
  • ISBN-13: 978-0-13-475694-3

Master powerful techniques and approaches for securing IoT systems of all kinds–current and emerging

Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards.

The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You’ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples.

This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them.

  • Understand the challenges involved in securing current IoT networks and architectures
  • Master IoT security fundamentals, standards, and modern best practices
  • Systematically plan for IoT security
  • Leverage Software-Defined Networking (SDN) and Network Function Virtualization (NFV) to harden IoT networks
  • Deploy the advanced IoT platform, and use MANO to manage and orchestrate virtualized network functions
  • Implement platform security services including identity, authentication, authorization, and accounting
  • Detect threats and protect data in IoT environments
  • Secure IoT in the context of remote access and VPNs
  • Safeguard the IoT platform itself
  • Explore use cases ranging from smart cities and advanced energy systems to the connected car
  • Preview evolving concepts that will shape the future of IoT security


Table of Contents

Foreword xxvii

Introduction xxix

Part I Introduction to the Internet of Things (IoT) and IoT Security

Chapter 1 Evolution of the Internet of Things (IoT) 1

Defining the Internet of Things 2

Making Technology and Architectural Decisions 5

Is the Internet of Things Really So Vulnerable? 8

Summary 9

References 10

Chapter 2 Planning for IoT Security 11

The Attack Continuum 11

The IoT System and Security Development Lifecycle 13

    Phase 1: Initiation 15

    Phase 2: Acquisition and Development 15

    Phase 3: Implementation 16

    Phase 4: Operations and Maintenance 17

    Phase 5: Disposition 17

The End-to-End Considerations 17

Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21

    Segmentation 21

    New Approach 25

Summary 30

References 30

Chapter 3 IoT Security Fundamentals 31

The Building Blocks of IoT 31

The IoT Hierarchy 35

Primary Attack Targets 37

Layered Security Tiers 43

Summary 46

References 47

Chapter 4 IoT and Security Standards and Best Practices 49

Today’s Standard Is No Standard 49

Defining Standards 53

The Challenge with Standardization 56

IoT “Standards” and “Guidance” Landscape 58

    Architectural or Reference Standards 59

    Industrial/Market Focused 61

Standards for NFV, SDN, and Data Modeling for Services 63

    Data Modeling and Services 67

Communication Protocols for IoT 70

    Physical and MAC Layers 73

    Network Layer 73

    Transport Layer 74

    Application Layer 74

Specific Security Standards and Guidelines 75

Summary 79

References 80

Chapter 5 Current IoT Architecture Design and Challenges 83

What, Why, and Where? A Summary 85

Approaches to IoT Architecture Design 88

    An X-Centric Approach 91

    The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98

    The Information-Centric IoT Approach 100

    The Data-Centric IoT Approach 104

    System Viewpoint: A Cloudy Perspective 106

    Middleware 118

    Lambda Architecture 119

    Full IoT Stack/Universal 120

General Approaches 120

    Internet of Things Architecture Reference Architecture (IoT-A RA) 120

    ITU-T Y.2060 125

    IoT World Forum (IoTWF) Reference Model 126

    oneM2M Reference Architecture 129

    IEEE P2413 IoT Architecture 132

    The OpenFog Consortium Reference Architecture 133

    Alliance for the Internet of Things Innovation (AIOTI) 138

    Cloud Customer Architecture for IoT 140

    Open Connectivity Foundation and IoTivity 142

Industrial/Market Focused 144

    The Industrial Internet Consortium (IIC) 144

    Industry 4.0 148

    OPC Unified Architecture (OPC UA) 150

    Cisco and Rockwell Automation Converged Plantwide Ethernet 153

    Cisco Smart Grid Reference Model: GridBlocks 153

NFV- and SDN-Based Architectures for IoT 154

Approaches to IoT Security Architecture 156

    Purdue Model of Control Hierarchy Reference Model 157

    Industrial Internet Security Framework (IISF) IIC Reference Architecture 160

    Cloud Security Alliance Security Guidance for IoT 165

    Open Web Application Security Project (OWASP) 168

    Cisco IoT Security Framework 168

The IoT Platform Design of Today 172

    Security for IoT Platforms and Solutions 178

    Challenges with Today’s Designs: The Future for IoT Platforms 179

Summary 183

References 183

Part II Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT

Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185

A Bit of History on SDX and NFV and Their Interplay 185

Software-Defined Networking 188

    OpenFlow 192

    Open Virtual Switch 195

    Vector Packet Processing 198

    Programming Protocol-Independent Packet Processors (P4) 201

    OpenDaylight 203

    Extending the Concept of Software-Defined Networks 212

Network Functions Virtualization 217

    Virtual Network Functions and Forwarding Graphs 221

    ETSI NFV Management and Orchestration (MANO) 225

The Impact of SDX and NFV in IoT and Fog Computing 235

Summary 248

References 249

Chapter 7 Securing SDN and NFV Environments 251

Security Considerations for the SDN Landscape 251

    1: Securing the Controller 252

    2: Securing Controller Southbound Communications 256

    3: Securing the Infrastructure Planes 260

    4: Securing Controller Northbound Communications 263

    5: Securing Management and Orchestration 268

    6: Securing Applications and Services 270

Security Considerations for the NFV Landscape 272

    NFV Threat Landscape 273

    Secure Boot 274

    Secure Crash 275

    Private Keys Within Cloned Images 276

    Performance Isolation 278

    Tenant/User Authentication, Authorization, and Accounting (AAA) 279

    Authenticated Time Service 281

    Back Doors with Test and Monitor Functions 281

    Multi-administrator Isolation 282

    Single Root I/O Virtualization (SRIOV) 283

    SRIOV Security Concerns 285

Summary 285

References 285

Chapter 8 The Advanced IoT Platform and MANO 287

Next-Generation IoT Platforms: What the Research Says 287

Next-Generation IoT Platform Overview 291

    Platform Architecture 294

    Platform Building Blocks 295

    Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303

Example Use Case Walkthrough 308

    Event-Based Video and Security Use Case 309

Summary 321

References 321

Part III Security Services: For the Platform, by the Platform

Chapter 9 Identity, Authentication, Authorization, and Accounting 323

Introduction to Identity and Access Management for the IoT 324

    Device Provisioning and Access Control Building Blocks 326

    Naming Conventions to Establish “Uniqueness” 327

    Secure Bootstrap 328

    Immutable Identity 328

    Bootstrapping Remote Secure Key Infrastructures 329

    Device Registration and Profile Provisioning 330

    Provisioning Example Using AWS IoT 331

    Provisioning Example Using Cisco Systems Identity Services Engine 334

Access Control 336

    Identifying Devices 336

    Endpoint Profiling 337

    Profiling Using ISE 337

    Device Sensor 340

    Methods to Gain Identity from Constrained Devices 345

    Energy Limitations 346

    Strategy for Using Power for Communication 347

    Leveraging Standard IoT Protocols to Identify Constrained Devices 348

Authentication Methods 351

    Certificates 351

    Trust Stores 355

    Revocation Support 356

    SSL Pinning 357

    Passwords 357

    Limitations for Constrained Devices 358

    Biometrics 359

    AAA and RADIUS 361

    A/V Pairs 362

    802.1X 363

    MAC Address Bypass 365

    Flexible Authentication 366

Dynamic Authorization Privileges 367

    Cisco Identity Services Engine and TrustSec 368

    RADIUS Change of Authorization 368

    Access Control Lists 374

    TrustSec and Security Group Tags 376

    TrustSec Enablement 379

    SGACL 384

Manufacturer Usage Description 390

    Finding a Policy 390

    Policy Types 390

    The MUD Model 392

AWS Policy-based Authorization with IAM 394

    Amazon Cognito 395

    AWS Use of IAM 395

    Policy-based Authorization 395

Accounting 397

    How Does Accounting Relate to Security? 398

    Using a Guideline to Create an Accounting Framework 398

    Meeting User Accounting Requirements 400

Scaling IoT Identity and Access Management with Federation Approaches 402

    IoT IAM Requirements 403

    OAuth 2.0 and OpenID Connect 1.0 404

    OAuth 2.0 404

    OpenID Connect 1.0 405

    OAuth2.0 and OpenID Connect Example for IoT 405

    Cloud to Cloud 406

    Native Applications to the Cloud 408

    Device to Device 409

Evolving Concepts: Need for Identity Relationship Management 411

Summary 414

References 415

Chapter 10 Threat Defense 417

Centralized and Distributed Deployment Options for Security Services 418

    Centralized 418

    Distributed 420

    Hybrid 422

Fundamental Network Firewall Technologies 422

    ASAv 423

    NGFWv 423

    Network Address Translation 424

    Overlapping 425

    Overloading or Port Address Translation 425

    Packet Filtering 426

Industrial Protocols and the Need for Deeper Packet Inspection 428

    Common Industrial Protocol 428

    Lack of Security 429

    Potential Solutions: Not Good Enough 430

Alternative Solution: Deep Packet Inspection 430

    Sanity Check 431

    User Definable 432

    Applying the Filter 432

Application Visibility and Control 433

    Industrial Communication Protocol Example 435

    MODBUS Application Filter Example 436

Intrusion Detection System and Intrusion Prevention System 437

    IPS 438

    Pattern Matching 438

    Protocol Analysis 439

    IDS/IPS Weakness 439

Advanced Persistent Threats and Behavioral Analysis 440

    Behavior Analysis Solutions 441

    Protocols Used to Gain Additional Visibility 442

    Network as a Sensor 444

    Pairing with Contextual Information and Adaptive Network Control 446

    Encrypted Traffic Analytics 450

Malware Protection and Global Threat Intelligence 455

    Cisco Advanced Malware Protection and TALOS 456

DNS-Based Security 462

    Umbrella (DNS Security + Intelligent Proxy) 463

Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466

    ETSI MANO Components in the Use Case 468

    VMs (Services) Being Instantiated in the Use Case 469

    Use Case Explanation 469

Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486

    Solution Components 487

    NFVIS 488

    Orchestration 490

    vBranch Function Pack 490

Summary 495

References 495

Chapter 11 Data Protection in IoT 499

Data Lifecycle in IoT 507

Data at Rest 518

    Data Warehouses 521

    Data Lakes 522

Data in Use 524

Data on the Move 527

Protecting Data in IoT 531

    Data Plane Protection in IoT 531

    Protecting Management Plane Data in IoT 565

    Protecting Control Plane Data 566

    Considerations When Planning for Data Protection 567

Summary 573

References 574

Chapter 12 Remote Access and Virtual Private Networks (VPN) 575

Virtual Private Network Primer 575

    Focus for This Chapter 576

Site-to-Site IPsec VPN 576

    IPsec Overview 577

    IKEv1 Phase 1 579

    IKEv1 Phase 2 582

    Internet Key Exchange Protocol Version 2 584

    Benefits of IKEv2 over IKEv1 586

Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588

    IPsec Databases 589

    Use Case: IKE/IPsec Within the NSF 589

    Interface Requirements 590

Applying SDN-Based IPsec to IoT 592

    Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592

Software-Based Extranet Using Orchestration and NFV 594

    Traditional Approach 594

    Automating Extranet Using Orchestration Techniques and NFV 595

    Software-Based Extranet Use Case 597

Remote Access VPN 598

    SSL-Based Remote Access VPN 598

    Reverse Proxy 599

    Clientless and Thin Client VPN 599

    Client Based: Cisco AnyConnect Secure Mobility Client 611

    Modules 612

    Using AnyConnect in Manufacturing: Use Case Example 617

Summary 622

References 622

Chapter 13 Securing the Platform Itself 625

(A) Visualization Dashboards and Multitenancy 627

(B) Back-End Platform 631

    Scenario 1: A New Endpoint Needs to Be Connected to the Network 639

    Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639

    Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641

    Docker Security 653

    Kubernetes Security and Best Practices 656

(C) Communications and Networking 658

(D) Fog Nodes 660

(E) End Devices or “Things” 666

Summary 667

References 667

Part IV Use Cases and Emerging Standards and Technologies

Chapter 14 Smart Cities 669

Use Cases Introduction 669

The Evolving Technology Landscape for IoT 670

The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672

Smart Cities 676

Smart Cities Overview 678

The IoT and Secure Orchestration Opportunity in Cities 688

Security in Smart Cities 693

Smart Cities Example Use Cases 696

    Use Case Automation Overview and High-Level Architecture 701

    Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702

    Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705

    Event-Based Video: Secure Data Pipeline and Information Exchange 709

    Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714

    Emergency Fleet Integration 718

    Automated Deployment of the Use Cases 721

Summary 725

References 727

Chapter 15 Industrial Environments: Oil and Gas 729

Industry Overview 733

The IoT and Secure Automation Opportunity in Oil and Gas 735

The Upstream Environment 738

    Overview, Technologies, and Architectures 739

    Digitization and New Business Needs 742

    Challenges 743

The Midstream Environment 744

    Overview, Technologies, and Architectures 744

    Digitization and New Business Needs 747

    Challenges 748

The Downstream and Processing Environments 749

    Overview, Technologies, and Architectures 749

    Digitization and New Business Needs 752

    Challenges 753

Security in Oil and Gas 754

Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763

    Use Case Overview 763

    Use Case Description 765

    Deploying the Use Case 767

    Preconfiguration Checklist 773

    Automated Deployment of the Use Cases 777

    Securing the Use Case 778

    Power of SGT as a CoA 781

    Auto-Quarantine Versus Manual Quarantine 782

    Leveraging Orchestrated Service Assurance to Monitor KPIs 783

Evolving Architectures to Meet New Use Case Requirements 788

Summary 792

References 794

Chapter 16 The Connected Car 797

Connected Car Overview 800

The IoT and Secure Automation Opportunity for Connected Cars 809

    The Evolving Car Architecture 824

Security for Connected Cars 830

    Connected Car Vulnerabilities and Security Considerations 838

Connected Car Security and Automation Use Case 849

    Use Case Overview 852

    Use Case Automation Overview 854

    Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855

    Secure Network: Segmentation, Zones, and Interzone Communication 857

    Secure Content: Intrusion Detection and Prevention 858

    Secure Intelligence: Secure Internet Access from the Vehicle 861

    The Future: Personalized Experience Based on Identity 862

    Federal Sigma VAMA: Emergency Fleet Solution 863

    Automated Deployment of the Use Case 867

Summary 871

References 871

Chapter 17 Evolving Concepts That Will Shape the Security Service Future 873

A Smarter, Coordinated Approach to IoT Security 876

Blockchain Overview 880

Blockchain for IoT Security 888

Machine Learning and Artificial Intelligence Overview 890

Machine Learning 893

Deep Learning 894

Natural Language Processing and Understanding 895

Neural Networks 896

Computer Vision 898

Affective Computing 898

Cognitive Computing 898

Contextual Awareness 899

Machine Learning and Artificial Intelligence for IoT Security 899

Summary 900

References 901

9781587145032    TOC    4/25/2018
