Security Goals in IoT

Today is the era of the Internet of Things (IoT), where digitally connected devices are intruding on
many aspect of our lives, including our homes, offices, cars, retails Health and fitness etc. With the
advent of IPv6 and the wide deployment of Wi-Fi networks, IoT is growing at a very fast pace, and
researchers estimate that by 2020, the number of active wireless connected devices will exceed 40
billion. Downside is that, it is becoming increasingly vulnerable to cybercriminals. IDC predicts that
the IoT market will hit $14.4 trillion in annual sales by 2020 when combined with big data. And
according to Cisco, there will be 50 billion connected devices by that time. Major industries, from
healthcare to consumer to automotive, stand to benefit from these devices and the services derived
from them. While the adoption of the smart home and its connected devices are still in its early
stages today, Accenture reports that nearly 70% of consumers plan to buy a smart home device by
2019 bringing the smart home market alone to $490 billion in revenue. The healthcare industry
will experience the fastest growth in IoT adoption within the next five years, topping $2.5 trillion in
IoT-generated healthcare revenue by 2025. A recent survey by McKinsey & Company even found
that more than 25% of car buyers believe Internet connectivity is more important that engine power
or fuel efficiency.
However innovative and promising it seems, this so-called Internet of Things (IoT) phenomenon
significantly increases the number of security risks businesses and consumers will inevitably face.
Any device connecting to the Internet with an operating system comes with the possibility of being
compromised, in turn becoming a backdoor for attackers into the enterprise. The need of the hour is
to prevent the security threats by introducing adequate security the entire Ecosystem right from
establishing the system else when the system is compromised; it may really go out of proportion to
identify and fix issues in such high volumes of potentially affected nodes. Therefore, IoT security,
previously ignored, has now become an issue of high concern. Security should protect the services,
hardware resources, information and data, both in transition and storage.

Security Issues

Data confidentiality
Data Confidentiality is
whether the information
stored on a system is
protected against
unintended or unauthorized
access.
Since systems are
sometimes used to manage
sensitive information, Data
Confidentiality is often a
measure of the ability of the
system to protect its data.

Access control and

Authorization
Authorization helps
determine if upon
identification, the person or
device is permitted to
receive a service. Access
control entails controlling
access to resources by
granting or denying means
using a wide array of
criteria.
These are important to
establishing a secure
connection between a
number of devices and
services. The main issue to
be dealt with in this
scenario is making access
control rules easier to
create, understand and
manipulate

Authentication and
Identity Management
Because multiple users,
object/things and devices
need to authenticate each
other through trustable
services.
The problem is to find
solution for handling the
identity of user,
things/objects and devices
in a secure manner.

Vulnerability
Vulnerabilities are weaknesses in a system or its design that allow an intruder to execute
commands, access unauthorized data, and/or conduct denial-of service attacks. IoT systems are
based on two main components; system hardware and system software, and both have design flaws
quite often.

Hardware vulnerabilities are

very difficult to identify and
also difficult to fix even if the
vulnerability were identified
due to hardware compatibility
and interoperability and also
the effort it take to be fixed.
OEM and
Manufacturers of IoT
Device should
ensure providing inbuilt security.
Embedded devices
carry authentication
and authorization
information right from
manufacturing stage,
so that it can readily
fit in IoT Ecosystem
to ensure end to end

Entities a
data is co
exchang
internet,
privacy is
Ensuring
in data c
data sha
managem
security m

security.

Software vulnerabilities can

be found in operating
systems, application
software, and control
software like communication
protocols and devices drives.
There are a number of
factors that lead to software
design flaws, including
human factors and software
complexity.

Unauthorized Data Ingestion

Over the air

software / firmware
auto updates /
upgrades and
Provisioning.
Allowing the
information to be
injected into the
system through USB
or any other external
means. The entire
path/interface should
be secured and
procedures to be
applied only after
ensuring
authentication and
authorization of the
source of Data.

Security Attacks
Attacks are actions taken to harm a system or disrupt normal operations by exploiting vulnerabilities
using various techniques and tools. If enterprises haven't been affected by IoT attacks already,
they're something that should be on their to-address lists. IoT attacks are inevitably coming, so it is
important to learn how best to prevent or defend against them before it's too late. Common cyberattack types are:

Physical attacks

This sort of attack tampers with hardware components. Due to the unattended and distributed nature o

Reconnaissance attacks

Unauthorized discovery and mapping of systems, services, or vulnerabilities. Examples of reconnaissa

information.
Denial-of-service (DoS)

This kind of attack is an attempt to make a machine or network resource unavailable to its intended use
resource enervation attacks.
Access attacks

unauthorized persons gain access to networks or devices to which they have no right to access.
There are two different types of access attack: the first is physical access, whereby the intruder can ga
Attacks on privacy

Privacy protection in IoT has become increasingly challenging due to large volumes of information easi
Data mining: enables attackers to discover information that is not anticipated in certain databases.
Cyber espionage: using cracking techniques and malicious software to spy or obtain secret informatio
Eavesdropping: listening to a conversation between two parties
Tracking: a users movements can be tracked by the devices unique identification number (UID). Trac
Password-based attacks: attempts are made by intruders to duplicate a valid user password. This atte
guess user passwords; 2) brute force attacks using cracking tools to try all possible combinations o
Cyber-crimes

The Internet and smart objects are used to exploit users and data for materialistic gain, such as intellec

Ransomware

It is a type of malware that can be covertly installed on a computer without knowledge or intention of th
the malware operators to remove the restriction.
IoT devices offer a potential growth bed to any ransomware operation because the devices are intercon
ever run on a number of IoT devices, but ransomware, predominantly consisting of a few commands an

Security Goals

 Confidentiality is an important security

feature in IoT, but it may not be
mandatory in some scenarios where
data is presented publicly. However, in
most situations and scenarios sensitive
data must not be disclosed or read by
unauthorized entities.
For instance patient data, private
business data, and/or military data as
well as security credentials and secret
keys, must be hidden from unauthorized
entities.

To provide reliable services to IoT users,

integrity is a mandatory security property
in most cases. Different systems in IoT
have various integrity requirements. For
instance, a remote patient monitoring
system will have high integrity checking
against random errors due to information
sensitivities.

Confidentiality

Integrity

A user of a device (or the device itself)

must be capable of accessing services
anytime, whenever needed. Different
hardware and software components in
IoT devices must be robust so as to
provide services even in the presence of
malicious entities or adverse situations.
Various systems have different
availability requirements. For instance,
fire monitoring or healthcare monitoring
systems would likely have higher
availability requirements than roadside
pollution sensors.

When developing security techniques to

be used in a secure network,
accountability adds redundancy and
responsibility of certain actions, duties
and planning of the implementation of
network security policies.
In case of a repudiation incident, an
entity would be traced for its actions
through an accountability process that
could be useful for checking the inside
story of what happened and who was
actually responsible for the incident.

Availability

Accountability

Application whitelisting is a computer

administration practice used to prevent
unauthorized programs from running.
The purpose is primarily to protect
computers and networks from harmful
applications, and, to a lesser extent, to
prevent unnecessary demand for
resources.

The OWASP Internet of Things Project is

designed to help manufacturers,
developers, and consumers better
understand the security issues
associated with the Internet of Things,
and to enable users in any context to
make better security decisions when
building, deploying, or assessing IoT
technologies.

Application whitelisting

OWASP Guidelines

Privacy Goals
Privacy is an entitys right to determine the degree to which it will interact with its environment
and to what extent the entity is willing to share information about itself with others. The main
privacy goals in IoT are:

Privacy in devices

depends on physical and commutation privacy. Sensitive information may be leaked out of the device in cas

Privacy during communication

depends on the availability of a device, and device integrity and reliability. IoT devices should communicate

Privacy in storage

to protect the privacy of data stored in devices, the following two things should be considered:
Possible amounts of data needed should be stored in devices.
Regulation must be extended to provide protection of user data after end-of-device life (deletion of the devic
Encrypted Data at Rest

Privacy in processing

depends on device and communication integrity. Data should be disclosed to or retained from third parties w

Identity privacy
the identity of any device should only discovered by authorized entity (human/device).

Location privacy
the geographical position of relevant device should only discovered by authorized entity (human/device).

Conclusion
IoT networks are challenging to secure. Meanwhile given that the nature of the risk emphasizes
system availability as a high-priority security attribute means that the threat environment is very
polarized: IoT networks need to be worried about both sophisticated targeted attacks from
competitors and nation-states, as well as accidental misuse from employees, contractors, and
vendors.
By using historical attack patterns, vulnerabilities, and lessons learned from previous incidents, IoT
network owners can build a threat model that effectively mitigates security risk while also addressing
compliance requirements. This risk-based approach is cost effective, practical, and emphasize the
most critical areas of risk first. Its an important foundation to an ongoing information security
program that can enable organizations to continue to use the benefits of increased system
interconnectedness as dictated by proven ROI, while minimize the very real human and economic
risks associated with IoT. However, until that is done, it is up to users and enterprises to take the
necessary precautions and put the proper controls in place to mitigate potential IoT security threats.

References

http://riverpublishers.com/journal/journal_articles/RP_Journal_22451439_414.pdf
https://en.wikipedia.org/wiki/Ransomware

http://icitech.org/wp-content/uploads/2016/04/ICIT-Brief-Combatting-theRansomware-Blitzkrieg2.pdf
http://techcrunch.com/2015/10/24/why-iot-security-is-so-critical/
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
http://searchsecurity.techtarget.com/definition
https://www.ariasystems.com/blog/the-iot-new-opportunities-bring-newsecurity-challenges/
http://internetofthingsagenda.techtarget.com/tip/Internet-of-Things-IOTSeven-enterprise-risks-to-consider
http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-ofthings/C11-735871.pdf
Images :
o http://blogs-images.forbes.com/centurylink/files/2015/10/cyber-attackdata-breach.jpg
o https://www.ariasystems.com/blog/wpcontent/uploads/2016/03/Internet-of-Things-security-questions.jpg
o https://vtechsolution.com/wpcontent/uploads/2014/05/Vulnerability.png
o Google Images

Credits: Various references have been taken to compile the article and due credits
are passed to the authors/publishers of these White papers/tutorials/journals. This is
compiled information to give a perspective.