Security Challenges and Approaches in Internet of Things: Sridipta Misra Muthucumaru Maheswaran Salman Hashmi
SpringerBriefs in Electrical and Computer Engineering. More information about this series at http://www.springer.com/series/10059
Sridipta Misra, PDU Authentication and Digital Identity, Ericsson Canada, Mont-Royal, QC, Canada
Muthucumaru Maheswaran, School of Computer Science, McGill University, Montreal, QC, Canada
Salman Hashmi, School of Computer Science, McGill University, Montreal, QC, Canada
Contents
1 Introduction  1
2 System Model for the Internet of Things  5
  2.1 The Concept of the “Internet of Things”  5
  2.2 Evolution of the Networks  6
  2.3 Vision of the Internet of Things  9
    2.3.1 Large Scale Ubiquitous and Pervasive Connectivity  9
    2.3.2 Context-Aware Computing  10
    2.3.3 Seamless Connectivity and Interoperability  10
    2.3.4 Network Neutrality  11
  2.4 Applications of the Internet of Things  11
  2.5 Challenges  14
3 Vulnerable Features and Threats  19
  3.1 Vulnerable Features of the Internet of Things  19
  3.2 Threat Taxonomy  24
    3.2.1 Definition of Threat  24
    3.2.2 Proposed Taxonomy  25
    3.2.3 System Security Threats  25
    3.2.4 Privacy Threats  32
    3.2.5 Reflective Trust and Reputation Threats  36
4 Securing the Internet of Things  39
  4.1 Making the IoT More Secure and Private  39
    4.1.1 Protocol and Network Security  40
    4.1.2 Data and Privacy  42
    4.1.3 Identity Management  44
    4.1.4 Trust Management  46
    4.1.5 Fault Tolerance  46
  4.2 Standardization  47
  4.3 Governance  48
  4.4 Social Awareness  50
Not only has this vision of Karl Steinbuch been realized for decades now, but the term ‘connectivity’ is being redefined with the Internet of Things (IoT). With smartphones, tablets and ultra-portable laptops having already revolutionized how, when and where people get connected, makers of sensors and other networked endpoints are looking to take things to the next level with an even more sophisticated ecosystem of devices. The vision of 50 billion connected devices by 2020 [99] suggests that anything that can benefit from being connected will be connected. This rapid evolution of the traditional Internet into the IoT is empowering the exploration of countless domains of utility that were previously unimaginable. At the same time, it is also making society vulnerable to newer forms of threats and attacks in many more ways than any precursor network form. This is because the gamut of applications of the IoT is much richer. With the IoT, computing and connectivity are becoming much more pervasive and ubiquitous. The IoT’s cybersecurity and privacy implications are as popular a topic as its business impact [8].
The evolution of the IoT and the advancement of computing capabilities in general would set off an arms race between the security community and the cybercriminals [8]. The productivity achieved through equipping a large number of environments with Wi-Fi, Bluetooth or radio devices cannot be ignored, but the security and management of the unprecedented volume of data captured by these smart environments is still highly uncertain and unclear.
Protection of data has been an issue ever since the first two computers were connected. With commercialization of the Internet, security concerns expanded to encompass user privacy, financial transactions, and cyber-theft threats. In the IoT, security is inseparable from safety. Whether accidental or malicious, interference with the controls of a pacemaker, a car, or a nuclear reactor could be catastrophic.
The IoT is criticized for being developed rapidly without appropriate consideration of the profound security challenges involved and the necessary regulatory changes [74]. As the IoT spreads widely, cyber attacks are likely to become increasingly physical (and not simply virtual) [73]. In January 2014, Forbes listed many Internet-connected appliances like televisions, kitchen appliances, cameras, and thermostats that can already “spy on people in their own homes” [208]. Computer-controlled devices in automobiles such as brakes, engines, locks, horns, heating systems, and dashboards have been shown to be vulnerable to attackers who have access to the onboard network. These devices are currently not connected to external computer networks, and so are less vulnerable to Internet attacks [15, 54]. The possibility of an intruder being able to remotely regulate the air-conditioner, start the heater, unlock the doors, deploy airbags while you are driving without any crash, or turn a running car’s steering wheel is frightening.
The U.S. National Intelligence Council realized the severity of the situation and stated that it would be hard to deny “access to networks of sensors and remotely-controlled objects by enemies of the United States, criminals, and mischief makers. An open market for aggregated sensor data could serve the interests of commerce and security no less than it helps criminals and spies identify vulnerable targets” [168].
Comprehensive security for the IoT would encompass securing the devices/sensors, securing the data, and securing both across an open network, which is a massive challenge. Access to personal data is probably one of the biggest challenges of the future, and unless it is managed and secured adequately, it can result in severe personal, industrial or societal destruction. Hence, it is critical to understand what the security model for the IoT would look like [8].
Another challenge that we recognize for the systematic and secure application of the IoT is the strict definition and limitation of the role of each actor in the functioning of the system. The IoT is bringing the cyber space and the physical space even closer. The physical world is being directly interfaced, through machines/things, to the virtual world, although human intervention still exists in the form of traditional communication and user control/manipulation of things (refer to Sect. 2.2).
Human intervention increases the scope for undesired deviations in the system’s behaviour due to malicious or accidental interference. The machines should be able to operate as per the relevant policies with minimal human mediation. The policies in turn should be highly context-specific and consensus-based. This would require maximum involvement of the users in policy formulation.
The book proposes a “consensus-based dynamic policy formulation framework”
called Social Governance, which strives to:
To ensure the evolution of the IoT into a robust and secure infrastructure in the future, all its proponents and stakeholders must align themselves towards a synergistic development of the IoT technologies, while upholding the stability, security and privacy of society. As a part of these efforts, it is indispensable to exhaustively study the characteristics of the IoT, and recognize those which could potentially be exploited to pose any form of threat to either the IoT infrastructure or any of its stakeholders. Moreover, for a solid future of the IoT, a framework for the structured development and governance of the IoT is highly desirable. Despite the strong association, it is crucial to detach the development framework of the IoT from that of the traditional Internet [222].
To wrap up the discussion on IoT security, this book examines how IoT security is developed in three important application scenarios: connected cars, ehealth, and smart grid. We analyze the vulnerabilities, threats, and specific countermeasures that have been developed in these application scenarios.
Chapter 2
System Model for the Internet of Things
The phrase “Internet of Things” was coined about 10 years ago by the founders of the original MIT Auto-ID Center, Kevin Ashton in 1999 and David L. Brock in 2001 [212], who envisioned “a world in which all electronic devices are networked and every object, whether it is physical or electronic, is electronically tagged with information pertinent to that object.” They envisioned the use of physical tags that allow remote, contactless interrogation of their contents, thus enabling all physical objects to act as nodes in a networked physical world. Realization of this vision will yield benefits in diverse areas including supply chain management and inventory control, product tracking and location identification, and human-computer and human-object interfaces [200]. Several technologies drive the IoT’s vision; [212] comprehensively lists those technologies. The IoT’s broad vision and the infancy of the research on it result in a lack of standard definitions for the IoT. Some of the definitions provided by different researchers are:
Considering these definitions, the IoT can be defined as a paradigm that considers
pervasive presence in the environment of various things that through wireless and
wired connections are able to interact and cooperate with other connected things to
create seamless communication and contextual services, and reach common goals.
An interconnection of highly heterogeneous networked entities, the IoT follows a
number of communication patterns: human-to-human (H2H), human-to-thing (H2T),
thing-to-thing (T2T), or thing-to-things (T2Ts) [105].
The IoT, a global network infrastructure, links uniquely identified physical and virtual objects, things and devices through the exploitation of data capture (sensing), communication and actuation capabilities [125]. The underlying infrastructure of virtually represented “things” in an Internet-like structure includes existing and evolving Internet and network developments [10]. Emerging services and applications will be characterised by a high degree of autonomous data capture, event transfer, network connectivity and interoperability [10].
It is critical to look at the evolution of the composition and nature of networks over
the years to be able to analyse the new areas of vulnerabilities that the IoT might
introduce.
In the late 1960s, communication between two computers was made possible through a basic computer network [172]. In the early 1980s the TCP/IP stack was introduced. Then, commercial use of the Internet started in the late 1980s. At this point the networks were all about pure peer-to-peer connections: there were networks, and the networks were connected together using IP protocols so that the machines could communicate with each other. Later, the World Wide Web (WWW or the Web) became available in 1991, which made the Internet more popular and stimulated its rapid growth. The pure Web started as a hub and spoke network model superimposed on top of the Internet. People (enterprises/institutions or exclusive web content developers) were setting up web servers (hubs) onto the existing Internet, and then people were just connecting to these hubs to access the content.
Later, with the emergence of services like social networks, blogs and microblogs, where people could actively access the web services to create their own content in the Web space, the people became a major source of content creation for the Web, and hence an active part of the network. Here, by content we mean the data in the Web which is not meant to be private to a few users, but is publicly accessible to Internet users and can be mined by anyone. This form of the Web can be referred to as the “Web of People (WoP)”. The WoP modified the hub-spoke structure to introduce a more distributed and fine-grained network structure. Now the “hubs” were transformed mostly into service providers that let Internet users create their own content, rather than simply access content at the hub. For example, Google’s Blogger [13] or WordPress [31] run services on their servers (the hubs), which people can access to create their own blog sites.
Over the years, the WoP underwent further transformations. The vision of making the Internet services more intuitive, accurate, context-aware and automated (less dependent on human mediation) has led to a weaker association (or even complete exclusion) of the “people” from the loop, and inclusion of “things” into the networks [47]. From inanimate things like cars, lamps, gadgets etc., to animate things like plants and cattle, all those physical entities which directly affect or get affected by the virtual world are being included into the Web. This form of the Web can be called the “Web of Things (WoT)” or the “Internet of Things (IoT)”. In the case of the WoP, actions like blogging did not affect the physical world right away. The people were the sensors, as they sensed the information and put it into the Web, or they received the information from the Web to act on it. The IoT strives to minimize the human mediation in the sensing and feeding of information into the virtual world, and/or the associated actions carried out in the physical world based on the information in the virtual world [147]. With the IoT, the command and control plane is going to be embedded into the networking plane, which was actually human mediated up to this point. Figure 2.1 illustrates the five phases in the evolution of the Internet.
We specialize these five network forms based on the operations of the networks and the kinds of data managed by the network forms. The composite operation of an internet system can be organized into three layers: perceptual layer, network and transport layer, and application layer [231, 232]. The Application Layer represents the intelligence for processing the data to achieve the desired functionality. The Network and
Fig. 2.2 Network forms and operations and data types supported
The underlying vision of the IoT is to create a world where the real and the virtual realms are converging to create smart environments that make energy, transport, cities and many other areas more intelligent [118]. Proponents of the IoT envision enabling things to be connected anytime, anyplace, with anything and anyone, ideally using any path/network and any service [216]. It means enabling communication via the Internet with all the things that surround us. The IoT is much more than M2M communication, wireless sensor networks, 2G/3G/4G, RFID, etc. These are the enabling technologies for IoT applications.
Future storage and communication services will be highly pervasive and distributed: people, smart objects, machines, platforms and the surrounding space, which is getting smart due to technologies like wireless/wired sensors, M2M devices and RFID tags, will create a highly decentralized common pool of resources interconnected by dynamic inter-networks. The “communication language” will be based on interoperable protocols, operating in heterogeneous environments and platforms. The IoT would use synergies generated by the convergence of the consumer, business and industrial Internet [216], creating an open, global network of people, data, and things. This convergence leverages the cloud to connect intelligent things that sense and transmit a broad array of data, helping create services that would not be obvious without this level of connectivity and analytical intelligence.
A fundamental motivation behind the increasing popularity of the IoT has been the desired context-awareness of the computing elements to optimize their performance and to enable service customization according to the current situation with minimal human intervention. Although context-aware systems have been in the research epicenter for almost two decades now [202, 203], the ability to convey and select the most appropriate information to achieve non-intrusive behavior on multiuser-converged service platforms in mobile and heterogeneous environments remains a significant management challenge. Creation of smarter environments, entertainment and business applications, which are more supportive and suited to the user, would require acquiring, analyzing, and interpreting relevant context information [90] regarding the user [185].
Interoperability at the scale of the IoT must go beyond syntactical interfaces and
requires the sharing of common semantics across all software architectures. It also
demands a seamless integration of existing computational artifacts (hardware and
software) and communication infrastructures. Only then can context information be
successfully shared between highly adaptive services across heterogeneous devices
on large-scale networks that consider this information relevant.
The IoT has remained on the periphery of the network neutrality battle because it is primarily comprised of small, power-efficient devices generating a small amount of traffic. However, with the creation of smart environments through the integration of multiple smart and intercommunicating devices, the bandwidth consumption has become much more substantial. This, along with the explosion of connected devices, means the IoT will not be able to escape the implications of the network neutrality debate for too long.
As a part of the IoT vision, [44] emphasizes the significance of network neutrality. It states, “no bit of information should be prioritized over another so the principle of connecting anything from/to anybody located anywhere at any-time using the most appropriate physical path from any-path available between the sender and the recipient is applied in practice. For respecting these principles, the Internet service providers and the governments need to treat all data on the Internet equally, not discriminating or charging differentially by user, content, site, platform, application, type of attached equipment, and modes of communication.”
Though advocates against network neutrality have valid arguments supporting their stance (for example, when networks are overloaded, say at sporting events or during disasters, being able to shed non-critical traffic may be important for emergency services and the devices they may depend upon), there is a downside should network neutrality be overturned. The risk of vendor lock-in is high, and it is quite possible to see a situation where, for instance, AT&T enters into an agreement with Google to provide the public network capabilities for Nest home automation devices, and this could result in Nest customers suffering a substandard service if they choose another provider.
The 2010 Internet of Things Strategic Research Agenda (SRA) [217] identified and described the main IoT applications, which span numerous diverse uses, grouping them into six vertical domains: smart energy, smart health, smart buildings, smart transport, smart living and smart city. Successful realization of the vision of a pervasive IoT would require unification of these diverse vertical application domains into a single, unified, horizontal domain, often referred to as “smart life” [216].
Based on inputs from experts, surveys [22] and reports [4], the European Research Cluster on the Internet of Things identified the IoT application domains [217, 218]. [216] presents an updated enumeration of the application domains.
• Cities
– Smart Parking: Monitoring parking space availability in the city.
– Structural health: Monitoring vibrations and material conditions in buildings, bridges and historical monuments.
– Noise Urban Maps: Real-time sound monitoring in central zones.
– Traffic Congestion: Monitoring vehicle and pedestrian levels to optimize driving and walking routes.
– Smart Lighting: Intelligent and weather-adaptive street lighting.
– Waste Management: Detection of rubbish levels in containers to optimize the trash collection routes.
– Intelligent Transportation Systems: Smart Roads and Intelligent Highways with warning messages and diversions according to climate conditions and unexpected events like accidents or traffic jams.
• Environment and Water
– Forest Fire Detection: Monitoring combustion gases and preemptive fire conditions to define alert zones.
– Air Pollution: Control of carbon dioxide emissions of factories, pollution emitted by cars and toxic gases generated in farms.
– Landslide and Avalanche Prevention: Monitoring soil moisture, vibrations and earth density to detect dangerous patterns in land conditions.
– Earthquake Early Detection: Distributed control in specific places of tremors.
– Water Quality: Study of water suitability in rivers and the sea for fauna and eligibility for drinkable use.
– Water Leakages: Detection of liquid presence outside tanks and pressure variations along pipes.
– River Floods: Monitoring water level variations in rivers, dams and reservoirs.
• Energy, Smart Grid, Smart Metering
– Tank level: Monitoring water, oil and gas levels in storage tanks and cisterns.
– Smart Grid: Energy consumption monitoring and management.
– Photovoltaic Installations: Monitoring and optimization of performance in solar energy plants.
– Water Flow: Measuring water pressure in water transportation systems.
– Silos Stock Calculation: Measuring emptiness level and weight of the goods.
• Security and Emergencies
– Perimeter Access Control: Access control to restricted areas and detection of people in non-authorized areas.
– Liquid Presence: Liquid detection in data centres, warehouses and sensitive building grounds to prevent breakdowns and corrosion.
– Radiation Levels: Distributed measurement of radiation levels in the surroundings of nuclear power stations to generate leakage alerts.
– Explosive and Hazardous Gases: Detecting gas levels and leakages in industrial environments, around chemical factories and inside mines.
2.5 Challenges
The challenges towards fulfilling the visions for the IoT include at least the following four aspects:
• Cost: The prices of WSN components should be low to support their large-scale deployment. This requirement dictates resource constraints in these devices. Existing network security protocols do not consider these constraints.
• Data Management: The IoT will be a major source of big data, contributing massive amounts of streamed information from billions of inter-connected objects. Typical IoT applications producing big data include meteorology, experimental physics, astronomy, biology, and environmental science. For example, according to [299], a Boeing jet generates 10 TB of data per engine every 30 min. A single six-hour flight would thus generate some 240 TB of data, and there are about 28,537 commercial flights in the USA skies on any given day. An A380 has more than 300,000 sensors on board constantly generating data streams. Clearly, M2M communications will generate enormous Internet traffic, leading to Zettabyte science [228].
• Security: Compared to traditional networks, the IoT comprises a larger number and more forms of networks and connected things. It is also designed to foster newer forms of interactions. These and a few more factors (discussed in Chap. 3) give rise to newer security issues.
• Privacy: The devices of a WSN may be unable to defend against all forms (physical and cyber) of attacks. Sensitive information may be leaked.
Strengthening the IoT’s security is a major challenge. Being still an immature technology, a major issue affecting the acceptance and applicability of the IoT is the lack of a mature and comprehensive security model and standards.
Figure 2.4 illustrates the risks and threats faced by the three operational layers of the IoT. Major security challenges to the Perceptual Layer are physical damage to the nodes, channel blocking, forgery attacks, fake attacks, copy attacks, replay attacks,
Fig. 2.4 Security problems that all layers of the IoT are facing [232]
• Internet’s own security issues: Inherited from the traditional Internet environment. They can be solved by using traditional security solutions. Example: data eavesdropping, tampering, forgery, denial of service attacks, man-in-the-middle attacks and other common Internet attacks.
• Internet’s security issues under the scene of the IoT: Security issues already solved by some security technologies in the Internet environment. However, given the special setting of the IoT, they form some new security issues. These issues cannot be simply solved by reusing the security technology for the Internet. The distinctive characteristics of the IoT need to be taken into consideration. Appropriately modifying the Internet security architectures or designing a new architecture is required. Example: DNS not authenticating the requester; in the IoT this will cause leakage of object privacy.
• IoT’s own security issues: Security issues caused by the new network structure, equipment and other factors of the IoT. They cannot be solved with traditional Internet security architectures. New solutions are required. Example: authentication protocols, key agreement and privacy protection of WSN devices.
Chapter 3
Vulnerable Features and Threats
The IoT inherits most of the defining features of the Internet. In addition, the IoT has many distinct features as well. This section analyzes the potential vulnerable features from the viewpoint of IoT security and privacy.
[79] measures the security of dynamic networks in terms of the vulnerable features of the IoT. It also identifies characteristics of the IoT that the authors find most relevant while using the attack surface metric for dynamic networks. We borrow the vulnerable features mentioned in [79] and extend the list to exhaustively enumerate all possible vulnerable characteristics of the IoT. Following are the recognized vulnerable characteristics (refer to Fig. 3.1):
world, and vice versa. Many such associations are safety-critical: their failure can cause irreparable harm to the associated physical systems or people. Supervisory control and data acquisition systems, for example, perform vital functions in national critical infrastructures, such as electric power distribution, oil and natural gas, water and wastewater distribution systems, and transportation systems. Disruption of these control systems could severely impact public health, safety and economic standing. While most of the effort for protecting cyber-physical systems is directed toward reliability, there is a growing concern for protection against malicious cyber attacks. [111, 122, 148, 195] are a few of the studies that have raised and discussed this concern.
• The Network Effect
The IoT is the largest network infrastructure ever deployed. T2T communications have resulted in the modern-day super-complex, interconnected mesh of communicating nodes of varied levels of complexity. It has exacerbated the challenges of maintaining the stability and security of the Internet. As per the amplification principle [60], in large networks even small events can cause huge events; small perturbations on the input to a process can destabilize the system’s output. Moreover, as per the coupling principle [60], as a system gets larger, it often exhibits more interdependence between components.
Most IoT services are realized through a high degree of intercommunication among the multiple component devices. Hence, the state of the entire system depends on the state of each component. For example, if a single sensor in a central heating system for a home is compromised or senses incorrect data, the decision cycle of the central controller would be influenced, leading to an abnormal temperature change of the entire home, unless, of course, fault tolerance techniques are used, such as replicated sensors. In that case, an incorrectly working sensor can be tolerated.
The direct/indirect dependency of things/contexts on other things/contexts makes it critical to carefully define the dependencies and nature of communications among the system components. Appropriate network segmentation should be implemented to limit the effect of an attack to a small segment of the larger system.
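The replicated-sensor fault tolerance mentioned above, worked through as an added example (not code from the book): a controller fuses readings from N redundant temperature sensors with a plausibility check and median voting, so one compromised or faulty sensor cannot steer the heating decision, and it holds its last state rather than acting when too few sensors agree. The plausibility bounds, deviation threshold, sensor ids and readings are constructed assumptions.

```python
"""Fault-tolerant fusion of replicated temperature sensors (added example).

Models the central-heating case from the text: without redundancy, a single
compromised sensor steers the controller. With N replicated sensors the
controller takes the median of the readings that survive a plausibility
check, so fewer than half of the sensors being wrong cannot move the result.
All bounds and sample readings below are constructed, not from the book.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed plausibility bounds for an indoor sensor (degrees Celsius).
MIN_PLAUSIBLE_C = -10.0
MAX_PLAUSIBLE_C = 50.0
# Constructed: a reading farther than this from the median is an outlier.
MAX_DEVIATION_C = 2.0


@dataclass
class Reading:
    sensor_id: str
    temp_c: float


@dataclass
class Decision:
    temperature_c: Optional[float]  # fused value, or None when there is no quorum
    rejected: list[str]             # ids of sensors whose readings were discarded
    quorum: bool                    # True when at least min_quorum sensors agreed


def fuse_readings(readings: list[Reading], min_quorum: int = 2) -> Decision:
    """Median-based fusion with outlier rejection.

    1. Drop physically implausible readings (faulty or forged values).
    2. Take the median of what remains; the median ignores a minority of
       arbitrarily wrong inputs.
    3. Drop readings that deviate too far from that median and re-take it.
    4. Require at least `min_quorum` surviving sensors before acting.
    """
    rejected: list[str] = []
    plausible: list[Reading] = []
    for r in readings:
        if MIN_PLAUSIBLE_C <= r.temp_c <= MAX_PLAUSIBLE_C:
            plausible.append(r)
        else:
            rejected.append(r.sensor_id)
    if len(plausible) < min_quorum:
        return Decision(None, rejected, False)

    med = median(r.temp_c for r in plausible)
    agreeing = []
    for r in plausible:
        if abs(r.temp_c - med) <= MAX_DEVIATION_C:
            agreeing.append(r)
        else:
            rejected.append(r.sensor_id)
    if len(agreeing) < min_quorum:
        # With only two sensors that disagree, neither can be trusted.
        return Decision(None, rejected, False)
    return Decision(round(median(r.temp_c for r in agreeing), 2), rejected, True)


def heating_command(decision: Decision, setpoint_c: float) -> str:
    """Turn the fused reading into a controller action.

    Without quorum the controller holds its current state instead of acting
    on whatever readings are left (fail-safe rather than fail-open).
    """
    if not decision.quorum or decision.temperature_c is None:
        return "hold"
    return "heat_on" if decision.temperature_c < setpoint_c else "heat_off"


if __name__ == "__main__":
    # Constructed sample: three replicated sensors, one reporting a forged
    # low value that on its own would switch the heating on indefinitely.
    sample = [Reading("s1", 20.8), Reading("s2", 21.1), Reading("s3", 3.0)]
    d = fuse_readings(sample)
    print(d, heating_command(d, setpoint_c=20.0))
```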
• Population
The number of connected devices has exploded in recent years. According to the Cisco Internet Business Solutions Group [99], in 2003 the ratio of the approximate human population on the planet to the number of Internet-connected devices was 6.3 billion to 500 million (0.08 devices/person). The ratio rapidly changed to 6.8 billion to 12.5 billion in 2010 (1.84 devices/person). Cisco predicts 50 billion connected devices by 2020 [99]. This unprecedented growth rate of smart entities may raise major data management, security and privacy challenges. The explosion of participating entities is resulting in the generation of a tremendous amount of data. According to [23], in 2012, 90% of the world’s data had been created in the previous 2 years. The Big Data explosion would raise data storage, data security and information processing concerns. Moreover, as more devices get connected, more sensors are deployed, and more objects are embedded with information. Each entity carries an associated set of channels, methods, and data items, each of which is subject to potential abuse if it is not properly secured [79]. According to [79], the population explosion would expand the attack surface of the IoT.
• Mobility
With all the smartphones, laptops and tablets, personal computers, cars, wearable technologies like smartwatches and Google Glass, mobile sensors, and even connected livestock [5], extreme dynamicity is becoming a major challenge to IoT security and privacy.
All the mobile devices create a dynamic operating environment for the IoT, wherein systems and data shift rapidly between environments, exacerbating the challenges of access control, identity management, device monitoring, and automated decision making within limited domains of visibility and control [79]. In order to transparently provide the user with their service, mobile devices locally connect to other objects or gateways. They have to manage both situations in which they can access the IoT infrastructure and its services, and contexts in which they will only be able to communicate with nearby devices. Managing mutual authentication, policy enforcement, and basic communication security are challenges [158].
The user base is a soft target for IoT security and privacy attacks, owing to user unawareness and irresponsible or insecure user practices. Most of the time the users of smart devices and services are unaware of the relevant security and privacy policies, the usage policies of the manufacturers or service providers, or the full capabilities of the products. This can result in compromise of user privacy and/or security. For example, one might install a smart meter expecting it to periodically record electricity consumption and report it to the utility for monitoring and billing. But the manufacturer of the smart meter might have added a feature that also reports the data to a third party (perhaps the manufacturer itself), which may use it for malicious purposes, such as analysing consumption patterns to predict when people are present in the house. Users also frequently fall prey to attacks because they do not know which practices are secure and which are not. For example, it is common for users (even system administrators) not to change the factory-default password on their network equipment. They may also lack the knowledge of how much information is safe to divulge, and of how to control the amount of information released. Users should demand complete transparency from manufacturers and service providers about where and how their data is sent and used.
The second type of human-factor vulnerability in the IoT is exemplified by "hackers", the malicious users of the system who, through their intentional actions, attempt to exploit its vulnerabilities either to gain an undesired positional or intelligence advantage, or to harm the system by manipulating, disrupting or degrading it.
The IoT brings with it new security threats and alters the overall information security risk profile. Although technological solutions may respond to individual IoT threats and vulnerabilities, IoT security is primarily a management issue. Effective management of the threats associated with the IoT requires a thorough assessment of risk in the given environment and the development of a plan to mitigate the identified threats. This section presents a comprehensive taxonomy, creating specialized threat spaces.
3.2 Threat Taxonomy 25
In the context of the Internet, a threat (or cyberthreat) is defined as "the possibility of a malicious attempt to damage or disrupt a computer network or system" [26]. The definition of a threat for the IoT is an extension of this definition. The integrated cyber-physical space makes the implications of IoT threats even more severe, as their realization might impact the physical world as well. For example, if the network of a smart home is compromised, the attacker might gain control over critical systems of the household, such as manipulating the thermostats of the heating system or the locks of the "smart doors".
While a threat implies a potential harm, an attack is an active act of causing harm. From the information and system security viewpoint, a threat is an entity (object, person or circumstance) that intentionally or unintentionally poses a danger to the system. An attack is always an intentional act that exploits at least one vulnerability of the system to inflict harm on the system or on any of its stakeholders (the users, the enterprise, etc.).
This book proposes a novel taxonomy of the threats related to the IoT, with the intent of being as exhaustive as possible. As the nature of computing evolves, especially with the advent of the IoT, the nature of cyber threats is also ever changing. The threats are classified by the intended motives of the possible attacks and the type of harm inflicted on the victim. We propose three broad threat categories for the IoT, namely System Security Threats, Privacy Threats, and Reflective Trust and Reputation Threats (see Fig. 3.3). Further specialized threat spaces are developed under each category based on various factors.
In the context of the IoT, the term security encompasses a wide variety of concepts,
essentially including the basic elements of confidentiality, authenticity, integrity,
• Availability: Property assuring that the data or services of the system are available at all times.
• Confidentiality: Property requiring that all communications be intelligible to authorized principals only [46].
• Integrity: Property assuring that resources (systems/information) are consistent, accurate, and trustworthy over their entire life cycle. Systems must not be accessed or modified, and data must not be changed in transit, by unauthorized entities [53].
• Authenticity: Property assuring that data, transactions, communications, or documents (electronic or physical) are genuine, and that all entities in the system are who they claim to be [17].
• Authorization: Property assuring that each entity in or related to the system is doing only what it is authorized to do [92].
This category comprises threats that confer on the attacker control over a physical or logical segment of the IoT infrastructure, or access to some information stored in the system. The attacker thereby gains a positional or intelligence advantage: control over the affected segment of the infrastructure (or an even greater part of it), or access to business- or control-critical information. Capture attacks might not bear an immediate or direct disadvantage on the victim. However, they violate requisite security provisions, i.e., confidentiality of (business and control) data and "authorized access only". Moreover, such unauthorized control or access increases the chances of more severe and active threats, like disruption, degradation, denial or destruction of the functioning of the target. Features of the IoT enabling such threats include ubiquity, extensive physical distribution, weak defense mechanisms of constrained devices, mobility, and interoperability.
For example, if an attacker captures a smart grid controller, it could observe the power consumption of any locality or even of individual households. Revelation of private information like the power consumption patterns of a household may enable the observer to use that information for malicious purposes.
This category comprises direct threats that harm the system and its stakeholders through attacks intended to disrupt, degrade, deny the service of, or destroy the target system, hence conferring a competitive disadvantage on the target. The opportunity to capture a system also affords attackers the opportunity to disrupt it; however, realization of a capture threat does not imply a disruption threat. When considering disruption threats, we must evaluate attacker opportunity as well as target resistance, resiliency, and assurance. Features of the IoT enabling such threats include its resource-constrained elements, insecure physical distribution, and mobility [79].
Extending the smart grid scenario discussed for capture threats, an example of a disruption threat would be an attacker using the captured smart grid controller to alter the behavior of the grid so as to disrupt power distribution or charging, degrade the power supply service, or even shut down the entire system.
This final category of system security threats includes threats of influencing the decision cycles [43] of the target. There are several possible ways of influencing the decision-making capabilities of the target systems.
The decision cycle starts with data generation. One manipulation threat is corruption of the data before it enters the IoT system. In this case, even though the internal environment of the IoT is secured and functioning properly, security concerns still arise because a "correct system" acts on "incorrect information". For example, in a home's central heating system, the thermostats have sensors that measure the temperature in their locality and periodically report it to the central controller, which regulates the temperature of the home on the basis of the readings received. Someone can manipulate the controller's decision cycle simply by holding a burning lighter in front of a thermostat, so that its sensor detects and reports an abnormal temperature rise. Based on the incorrect reading from that sensor, the controller may drop the temperature of the home drastically in order to maintain the required temperature!
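The lighter scenario works because the controller trusts any number a sensor reports. One defense the controller can apply before it acts is a physical plausibility filter: reject a reading whose rate of change exceeds what the room can physically do, and, where a zone has several sensors, cross-check each reading against the median of the others. The Python below is an added example written for this edition, not code from the book; the thresholds MAX_RATE_C_PER_MIN and MAX_SPREAD_C and the sensor readings are constructed for illustration. It goes slightly beyond the text in also catching a slow ramp that stays under the rate limit, which only the cross-check detects.

```python
from statistics import median

# Assumed physical limits for one heating zone (illustrative, not from the
# book): indoor air does not plausibly change faster than this between two
# readings, and redundant sensors in one zone should agree within this spread.
MAX_RATE_C_PER_MIN = 1.0
MAX_SPREAD_C = 2.0


class PlausibilityFilter:
    """Screens thermostat readings before the controller acts on them.

    Two independent checks:
      1. rate of change: a jump larger than MAX_RATE_C_PER_MIN * dt since the
         sensor's last accepted reading is rejected (a lighter held to one
         sensor produces exactly this kind of jump);
      2. cross-check: with several sensors in a zone, take the median and
         flag any sensor further than MAX_SPREAD_C from it. This also catches
         a slow ramp that stays under the rate limit.
    """

    def __init__(self, max_rate=MAX_RATE_C_PER_MIN, max_spread=MAX_SPREAD_C):
        self.max_rate = max_rate
        self.max_spread = max_spread
        self.last_ok = {}  # sensor_id -> (t_min, temp_c) of last accepted reading

    def _rate_ok(self, sensor_id, t_min, temp_c):
        prev = self.last_ok.get(sensor_id)
        if prev is None:
            return True  # first reading: nothing to compare against
        t0, c0 = prev
        dt = max(t_min - t0, 1e-9)
        return abs(temp_c - c0) / dt <= self.max_rate

    def zone_estimate(self, t_min, readings):
        """readings: {sensor_id: temp_c} taken at time t_min (minutes).

        Returns (trusted_estimate_or_None, set_of_rejected_sensor_ids).
        Only readings that pass both checks update the sensor's history, so a
        sensor that keeps reporting an implausible value stays quarantined.
        """
        rate_bad = {sid for sid, c in readings.items()
                    if not self._rate_ok(sid, t_min, c)}
        kept = {sid: c for sid, c in readings.items() if sid not in rate_bad}
        if not kept:
            return None, rate_bad
        m = median(kept.values())
        outliers = {sid for sid, c in kept.items() if abs(c - m) > self.max_spread}
        trusted = {sid: c for sid, c in kept.items() if sid not in outliers}
        if not trusted:
            return None, rate_bad | outliers
        for sid, c in trusted.items():
            self.last_ok[sid] = (t_min, c)
        return median(trusted.values()), rate_bad | outliers


def run_demo():
    """Constructed readings: three sensors in one zone, sensor 'b' attacked."""
    f = PlausibilityFilter()
    log = []
    log.append(f.zone_estimate(0, {"a": 20.5, "b": 20.7, "c": 20.4}))   # all honest
    log.append(f.zone_estimate(1, {"a": 20.6, "b": 35.0, "c": 20.5}))   # lighter at 'b'
    log.append(f.zone_estimate(30, {"a": 20.6, "b": 40.0, "c": 20.5}))  # slow ramp at 'b'
    return log


if __name__ == "__main__":
    for est, rejected in run_demo():
        print(f"estimate={est} rejected={sorted(rejected)}")
```

Running the block prints three rounds: the honest round yields an estimate of 20.5 with nothing rejected, the lighter round rejects sensor b on rate of change, and the slow-ramp round passes the rate check but is rejected by the median cross-check. The filter cannot distinguish a lighter from a genuine fire at one sensor; what it does is prevent a single manipulated input from steering the whole zone, which is the manipulation threat this section describes.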
Further, the system's decision cycles can be influenced by compromising the low-complexity elements of the IoT, like RFID tags or QR codes. The attacker could manipulate the embedded data either by maliciously substituting the tags or by modifying the tag information.
Even further along the decision cycle, more aggressive attacks might take place to influence the decision making of the system: for instance, maliciously substituting or misusing the devices that are the "entry points" of data into the system, like the sensors. Even the controllers of the "entry point" devices could be compromised to influence their behavior.
A final form of manipulation threat arises when the integrity of the data being transmitted between two entities is tampered with through unauthorized intervention. Attacks like Man-in-the-Middle, replay, and spoofing pose such threats to data integrity.
Such threats are extremely hard to mitigate, especially because of IoT features like population, widespread physical distribution, and mobility of the things, which increase the chances of attacks going undetected, and because of features like heterogeneity and interoperability, which, together with the highly distributed population of devices, demand a great amount of intercommunication among devices and so increase the opportunities for Man-in-the-Middle, spoofing, and replay attacks.
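The message-level form of these threats (tampering in transit, spoofing a device identity, replaying a captured report) is what a message authentication code combined with a freshness counter is designed to stop. The exchange below, showing both the sensor side and the gateway side, is an added example and not code from the book; the device identifiers, the shared key and the reports are constructed. It assumes a symmetric key provisioned to each device and its gateway, and it deliberately checks the MAC before the counter, so that an attacker who cannot produce a valid tag can neither alter a report nor advance the receiver's replay window.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 output length


class Sender:
    """A sensor that frames each report with a monotonic counter and a MAC."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.counter = 0  # a real device must persist this across reboots

    def send(self, payload):
        self.counter += 1
        body = json.dumps({"id": self.device_id, "ctr": self.counter, "data": payload},
                          sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag  # wire format: JSON body followed by the 32-byte tag


class Receiver:
    """The gateway or controller: verifies the MAC first, then freshness."""

    def __init__(self, keys):
        self.keys = keys      # device_id -> shared key
        self.last_ctr = {}    # device_id -> highest counter accepted so far

    def accept(self, msg):
        """Returns (payload, verdict); payload is None unless verdict == 'ok'."""
        if len(msg) <= TAG_LEN:
            return None, "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        try:
            frame = json.loads(body)
            dev, ctr, data = frame["id"], int(frame["ctr"]), frame["data"]
        except (ValueError, KeyError, TypeError):
            return None, "malformed"
        key = self.keys.get(dev)
        if key is None:
            return None, "unknown device"
        # MAC before counter: an unauthenticated frame must never be able to
        # move the replay window; compare_digest avoids a timing side channel.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        if ctr <= self.last_ctr.get(dev, 0):
            return None, "replay"
        self.last_ctr[dev] = ctr
        return data, "ok"


def run_demo():
    """Constructed exchange: one honest sensor, one attacker on the path."""
    key = b"constructed-demo-key-not-for-production"
    sensor = Sender("thermo-7", key)
    gateway = Receiver({"thermo-7": key})
    verdicts = []

    m1 = sensor.send({"temp_c": 21.0})
    verdicts.append(gateway.accept(m1)[1])          # ok
    verdicts.append(gateway.accept(m1)[1])          # same bytes again: replay

    m2 = sensor.send({"temp_c": 21.5})
    tampered = m2.replace(b'"temp_c":21.5', b'"temp_c":-5.0')  # MITM edits the body
    verdicts.append(gateway.accept(tampered)[1])    # bad tag
    verdicts.append(gateway.accept(m2)[1])          # the genuine copy is still fresh: ok

    forger = Sender("thermo-7", b"guessed-key")     # spoofs the id, lacks the key
    verdicts.append(gateway.accept(forger.send({"temp_c": -5.0}))[1])  # bad tag
    stranger = Sender("thermo-9", key)              # id never provisioned at the gateway
    verdicts.append(gateway.accept(stranger.send({"temp_c": 21.0}))[1])  # unknown device
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Note what the MAC does not provide: the body travels in the clear, so confidentiality (the eavesdropping case discussed under capture threats) needs encryption on top, and the counter must be stored persistently on the device and accepted with a window on lossy links, otherwise a reboot turns every legitimate report into a "replay".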
Figure 3.5 indicates the basic security provisions that might be violated by the realization of a particular threat type.
• Specialization of Capture Threats
Capture threats do not influence the functioning of the target system, but confer a positional advantage on the attacker. They primarily violate confidentiality, authenticity, and authorization. Capture threats might also involve accountability or non-repudiation issues.
Confidentiality: When an attacker gains control over a system, it gains access to the stored data. If the data is not properly secured, the unauthorized attacker might learn some critical information. For example, in an eavesdropping attack, even if the intruder receives the data packets being transmitted on the channel, it is a loss of confidentiality only if the intruder can decrypt the protected data. Generally, violation of authentication/authorization increases the probability of violation of confidentiality.
Integrity: Depending on the form of the capture attack, integrity may or may not be compromised. In a system capture attack (gaining control of physical/logical systems), the attacker is in a position to influence the system's behavior, and hence its consistency, accuracy, and trustworthiness; system capture therefore implies a system integrity violation. In an information capture attack such as eavesdropping, the attacker, though in possession of critical information, may not be able to create, tamper with, or replay messages, so the integrity of the information remains intact.
Authenticity: It is crucial to ensure the authenticity of every "entity" in a system (users, devices, or data). In capture attacks where the intruder gains control over the system, or access to the information, by misusing the identity of an authorized entity, an authenticity violation occurs. Since capture attacks do not involve any active disruption/manipulation of the system, data authenticity remains intact. An example of user/device authenticity violation is an Identity Theft or Identity Spoofing attack, where the intruder gains access to the system/information using some authorized entity's identity. Capture threats without violation of authenticity are possible where the intruder does not gain access to the system by pretending to be someone authorized for the action, but instead exploits loopholes in the mechanism (like an SQL Injection attack on data-driven applications [163]) or in user practices (like using the default username/password of the system).
Authorization: Though authorization and authentication are two separate concepts, they are closely coupled. Any form of capture threat always incorporates a violation of authorization. Any attempt by an "unwanted" entity to gain access to a system/information for which it is not authorized is a breach of the authorization policy [92].
Accountability or Non-repudiation: Capture threats may involve accountability or
non-repudiation violation. In cases of authenticity (and authorization) violation in
capture attacks, i.e., when the attacker steals/spoofs an authorized entity’s identity,
the actions of the attacker while in possession of the system/information, cannot
be traced back to the actual actor.
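The two non-identity routes into a system named above, an injection flaw in the mechanism and an unchanged factory credential, are shown side by side below. This is an added example and not code from the book: the user table, the passwords and the FACTORY_DEFAULTS list are constructed. The vulnerable login splices the input into the SQL text, so the input can change the query's logic; the hardened login binds the input as a parameter and compares it against a salted hash in constant time; and a small audit routine reports which accounts still accept a known factory default, which is the check an operator can run against devices that were never reconfigured.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; use more in production

# Assumed factory credentials to audit against (illustrative, not from the book).
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def hash_pw(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_pw(stored, pw):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def make_db():
    """Constructed user table. The pw_plain column exists only so that the
    vulnerable login can run beside the hardened one; a real table keeps pw_hash only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_plain TEXT, pw_hash BLOB)")
    for name, pw in [("admin", "admin"), ("alice", "correct horse battery")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, pw, hash_pw(pw)))
    return conn


def login_vulnerable(conn, name, pw):
    """DELIBERATELY VULNERABLE: untrusted input is spliced into the SQL text,
    so a quote or a comment marker in the input rewrites the query.
    Returns the matched user name or None."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND pw_plain = '{pw}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, pw):
    """Hardened: the input is a bound parameter, so it can only ever be a value,
    and the password is checked in constant time against a salted hash."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or not verify_pw(row[0], pw):
        return None
    return name


def accounts_on_factory_defaults(conn):
    """Audit: which accounts still accept a known factory credential?"""
    hits = []
    for name, pw_hash in conn.execute("SELECT name, pw_hash FROM users ORDER BY name"):
        if any(name == d_name and verify_pw(pw_hash, d_pw)
               for d_name, d_pw in FACTORY_DEFAULTS):
            hits.append(name)
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment trick :", login_vulnerable(db, "admin'--", "whatever"))
    print("vulnerable, tautology     :", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("safe, same inputs         :", login_safe(db, "admin'--", "whatever"),
          login_safe(db, "nobody", "' OR '1'='1"))
    print("safe, real credential     :", login_safe(db, "alice", "correct horse battery"))
    print("still on factory defaults :", accounts_on_factory_defaults(db))
```

With the constructed table, `login_vulnerable` admits `admin'--` as admin with any password (the `--` comments out the password clause) and admits `' OR '1'='1` as whichever row comes first, while `login_safe` rejects both and accepts only alice's real credential; the audit returns `['admin']`. Neither attack involves stealing an identity, which is exactly why the text classes them as capture without an authenticity violation.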
• Specialization of Disruption Threats
Disruption threats are primarily intended to disrupt or degrade the expected performance of the system, or to completely destroy the system or deny its service. A disruption attack may or may not follow a capture attack [79]. Disruption attacks can violate any or all of the security elements: availability, confidentiality, integrity, authenticity, authorization, and accountability or non-repudiation.
Availability: Disruption attacks are easy to accomplish in IoT systems, especially because of the population, and the dispersed and unprotected physical locations, of the resource-constrained entities. For any information network to function properly, device availability is a critical factor. Any form of denial of service attack [119] targets network availability by preventing network devices from communicating or from reaching the services provided. A large proportion of the peripheral devices of the IoT have constrained processing, storage, and power supply capabilities. Actions that engage such devices in using their resources for purposes other than those they are meant for jeopardize the devices' availability to their legitimate cooperating systems. Resource exhaustion attacks can take the form of processor exhaustion, where the devices are kept busy processing deliberately generated requests or tasks. Another form is the attempt to minimize the lifetime of power-constrained devices by constantly overworking them and never allowing them to enter their energy-saving mode (Sleep Deprivation Attack [49]). System availability is also violated where the target system remains active but its behavior is changed, for example by misconfiguration of network equipment like gateways, routers, or DNS servers in the enterprise network or the Internet, whether by authorized persons (by mistake) or by attackers.
Confidentiality: Disruption threats that also require capture of the system/information (capture attacks) can involve a violation of confidentiality if the data captured by the attacker is not properly encrypted and the attacker is able to extract some confidential information from it.
Integrity: In a disruption attack the attacker influences the target system with the definite intention of deteriorating its performance. Hence, these attacks certainly compromise the consistency, accuracy, and trustworthiness of the behavior of the system and of the data generated or controlled by it. Thus both system integrity and information integrity are violated.
Authenticity: As with capture threats, if a disruption threat involves an unauthorized intruder gaining control of the system/information using some other authorized entity's identity, a user/device authenticity violation occurs. But unlike capture threats, disruption threats can also cause a loss of data authenticity; an example is a replay attack, in which a valid data transmission is repeated. Disruption attacks without any authenticity violation are also possible (e.g., a DoS attack).
Authorization: An authorization policy may be infringed in attacks where the attacker assumes capabilities for which it is not authorized. For example, in incidents where an attacker misconfigures an enterprise or Internet network element like a gateway, router, or DNS server in order to manipulate network traffic, the attacker needs to gain access to those entities, which means an infringement of authorization. On the other hand, attacks like denial of service against some device in the IoT infrastructure, by exhausting its processing/storage capabilities or its power source through excessive workload, may not involve any breach of authorization.
Accountability or Non-repudiation: Accountability or non-repudiation may be breached in instances of disruption threats. In cases of authenticity (and authorization) violation, i.e., when the attacker steals or spoofs an authorized entity's identity, the attacker's actions while in possession of the system/information cannot be traced back to the actual actor; hence accountability and non-repudiation are lost. A replay attack is a suitable example. The presence of numerous mobile smart devices in today's world poses a huge challenge to deploying efficient access control mechanisms. The absence of strong access control and of a secure bootstrapping mechanism for devices entering and exiting an IoT domain may cause device identity issues, leading to possible accountability or non-repudiation breaches.
• Specialization of Manipulation Threats
In some cases, manipulation threats can be realized by some form of active intrusion, while in others they can be accomplished without any system intrusion at all. In all its forms, a manipulation threat can infringe confidentiality, integrity, authenticity, authorization, and/or accountability or non-repudiation.
Confidentiality and Integrity: In cases of active manipulation of data during transfer on the Internet or the intranet (the enterprise network and the Low-Power and Lossy Networks [223]), or of data stored on devices, data confidentiality and data integrity are compromised. In instances of manipulation of the embedded data, either by malicious substitution of the tags or by modifying the tag information, or of malicious substitution of the devices that are the "entry points" of data into the system, like the sensors, device integrity is also compromised.
Authenticity: In manipulation attacks, authenticity of data is always infringed,
as the motive of influencing the decision cycle of the IoT system is achieved by
either feeding incorrect information to the IoT environment (refer Sect. 3.2.3.3), or
Privacy is a major concern associated with the IoT. With all the ubiquity offered by the IoT, privacy becomes a challenge. In 1890, Warren and Brandeis [220] defined privacy as "the right to be let alone". Though this time-tested definition still holds, a lot has changed since 1890! The changing perspective on what is public and what is private over the last few decades can be attributed to several factors, but no single factor has influenced the transformation of privacy as much as the introduction of the Internet and mobile communication devices. And now, with the evolution of the Internet into the IoT, there is a need to broaden the concept of privacy to accommodate not only personal privacy, but information and physical privacy as well [98].
The growing popularity and utility of the IoT has fostered a Big Data explosion [3, 171]. Generation of such huge quantities of data has created severe data management issues. Efficient data management methodologies [216] are required to keep the IoT environment from turning into a dystopia. Social networking sites like Facebook are already impacting users' personal interactions and employability [142, 224]. The consequences of such exposure opportunities being amplified many times over could be dire.
To understand the premise of privacy, we must first clarify its distinction from security. Our tendency to focus on the outcome of an event and its impact on our lives makes the distinction between privacy and security concerns non-trivial. For example, people tend not to consider providing their credit card number to a third party as a threat. But when this information is misused by the third party, by stealing and using the credit card, people start treating it as a security and privacy threat and look for a solution to the situation [28]. The difference between security and privacy must be identified, and it must be realized that security threats and privacy threats can be caused by each other. The disclosure of credit card details to an unauthorized third party should be considered a privacy breach. Security threats would arise if the third party uses the acquired information to capture/disrupt/manipulate the authorized
These fundamental threat elements combine to form the following more complex,
real life compound threats.
• Undesired/Unlawful Surveillance Threats
• User Profiling Threats
• Active Intrusion Threats
• Persistent Footprint Threats
The IoT can easily be exploited by a malicious party for unlawful surveillance. In the future, these smart Internet-connected modules may allow an unauthorized party to receive far more information than they should or currently can. For example, a malicious entity may be able to monitor children through cameras installed in their toys, monitor people's movements through the embedded systems in their "smart shoes", and monitor when the members of a household enter and leave the home by connecting to an Internet-connected door lock and to the electric power usage reported by their smart meters (Fig. 3.6).
Researchers have demonstrated how many such vulnerabilities can be exploited to carry out malicious activities on connected automobiles [115], medical devices and smart homes [89, 173]. According to a complaint filed by the Federal Trade Commission [181] against TRENDnet Inc., a producer of wireless cameras that can send motion-captured video to computing devices, nearly 700 wireless cameras were hacked and their compromised feeds were made available online. The feeds included unauthorized recordings of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities [16].
Undesired/Unlawful Surveillance Threats can be realized through one or more of the following threats: association threats, location threats, digital shadowing threats, and transaction monitoring threats.
User profiling can be defined as the collection, collation, and analysis of user data that facilitates identification, segregation, categorization and decision making about the user. It is a powerful tool from the marketing and research viewpoint, and it can prove instrumental even for security and law enforcement. Even the anonymized information submitted by IoT-connected devices can be used to create a detailed profile of the device owner. These profiles can be used or sold for placing targeted advertisements based on various behavioral, demographic, and psychographic attributes. Such targeted advertisements can be an excellent medium for sellers to reach the "ideal" consumer and for consumers to find the "perfect" product, but they can also be an intrusion into the user's personal space. Dr. John Barrett furnishes an example in his talk [19]. Suppose a heart patient has a Bluetooth-enabled pacemaker installed. When the pacemaker detects an arrhythmia, it informs the patient's cell phone. The phone suggests that the patient sit down, informs the hospital and calls an ambulance. These are the benefits of the technology. However, while trying to relax, the patient receives an advertisement for some "wonder drug" for heart problems on his phone! Even further, if the health insurer has real-time access to the patient's health data, then while waiting for the ambulance the patient might receive another message informing him that his health insurance premium has increased by 25 percent!
User Profiling Threats can be realized through one or more of the following threats: action threats, association threats, location threats, preference threats, and transaction monitoring threats.
The involvement of the IoT in our daily lives is reaching a point where a security or privacy breach against an enterprise or an individual could have catastrophic consequences. This notion is corroborated by incidents like [15], where hackers were able to penetrate the operating system of a smart car and manipulate the information displayed on the dashboard to indicate a speed lower or higher than the car's actual speed, manipulate the fuel information, or, even worse, deploy the airbags without any crash, or turn the steering wheel of a running car while you are driving! Many more instances can be found where vulnerabilities in smart, connected devices have been misused to launch active intrusions into smart cars, smart homes, etc. [7, 16, 89]. The possibility of an intruder remotely regulating the refrigerator, starting the heater, unlocking the doors, or manipulating a running car is frightening.
Persistent Footprints refer to the idea that as individuals collect smart objects, they build up a database of items associated with their identity in corporate information systems. The association may persist even after an object is discarded. The Persistent Footprint threat considers the possible misuse of a discarded smart object to conduct some malicious act. The only identity associated with the misused object is that of the original owner. This weakens accountability and law enforcement [106].
The book introduces a new genre of IoT threats, which has not been investigated previously. This genre considers the possible impact of certain malicious activities external to a service provider's authentic IoT system, which could harm the service provider's reputation or cause a loss of customers' trust. Here the term service provider covers both device/technology manufacturers and the enterprises that provide services using the IoT infrastructure. These activities may also impact the service provider's financial market [57]. Though the previous two threat genres also harm the reputation of the service provider whose services are affected or of the manufacturer whose devices are compromised, these threats are unique because of the nature of the activities undertaken to realize them. They do not involve any active intrusion into the original system, which remains secure. In fact, there might be no interaction between the attacker and the original infrastructure at all. These threats exploit inadequacies in the interface between the IoT system and its users, and the dependencies of a service provider on other agents in providing its service to the users.
There are three possible types of activities which could pose reflective trust and
reputational threats on the stakeholders of the IoT infrastructure:
• Misrepresentation Threats
Analogous to such threats are the classic phishing attacks in web-based interactions [187]. In a phishing attack, the attacker attempts to acquire sensitive information (e.g., login credentials, credit card details) by masquerading as a trustworthy entity. Unsuspecting users are often deceived into frauds through communications claiming to be from reputed social web sites, financial institutions, or online payment portals. In a similar manner, scenarios may arise in the IoT ecosystem where users are misguided by entities that unlawfully and incorrectly represent an enterprise, service provider, or device manufacturer in order to gain personal benefit, infringe user privacy, or at the least give the user an unpleasant experience. In all such cases, the reputation of the genuine entity that has been wrongly represented is tarnished. Following are two such scenarios.
The Aberdeenshire Council has started providing smartphone access to timetable information at bus stops [78]. Customers can now interact with their bus stops by scanning a QR code or "tapping" their NFC (Near Field Communication) [126, 39] enabled smartphones on the timetable display. This exemplifies the ease of access to information and services that the IoT has brought about. Such technologies can make information circulation and updating much more effective and economical. But such applications raise a number of issues as well. How would a user know about the authority of the provisioner of such services, which can be made available anytime, anywhere? How would the user know whether the QR code is authentic? Given their location in public places like bus stops, malicious replacement of the original "things" (in this case, a QR code) is certainly possible. This might result in users being redirected to some malicious service masquerading as the original one, either causing harm to the visitors (like privacy intrusion) or damaging the reputation of the public transport unit [29] by providing bogus information to the users. Users may also remain uninformed about the kind and usage of data collected from them while using the application, and about how and to whom the data is transmitted [183].
Another relevant example is the cloning of the physical features, firmware or software, or security configuration of "things" by untrusted manufacturers, in order to gain financial benefit by selling them at cheaper prices in the market [105]. Such devices might seem to work perfectly well for the users, but in fact they might provide inferior service, or even have added malicious features like a backdoor. Such cloned substitutes may inflict reputational damage on the original manufacturer.
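The question raised by the bus-stop scenario, how a user's phone could tell a substituted QR code from the operator's own, has a partial, app-side answer: treat the decoded payload as untrusted input, parse it as a URL, and open it automatically only if it leads over HTTPS to an operator domain on an allow-list. The Python below is an added example and not code from the book or from the Aberdeenshire deployment; the domain timetables.example-transit.gov.uk and the sample payloads are constructed. The point of the example is the set of substitutions the check must survive, each of which defeats a naive substring match on the raw text.

```python
from urllib.parse import urlsplit

# Assumed operator domains (illustrative, not from the book). A code at a stop
# is trusted only if it leads, over HTTPS, to one of these or a subdomain.
TRUSTED_DOMAINS = {"timetables.example-transit.gov.uk"}


def qr_target_is_trusted(payload, trusted=TRUSTED_DOMAINS):
    """Decide whether a decoded QR payload may be opened automatically.

    Parsing with urlsplit and reading .hostname (rather than matching on the
    raw string) is what defeats the common substitutions: a look-alike
    suffix, the trusted name placed in the userinfo before '@', the trusted
    name hidden in the query string, a plain-http downgrade, or a payload
    that is not a web address at all.
    """
    try:
        parts = urlsplit(payload)
    except ValueError:
        return False
    if parts.scheme != "https":          # urlsplit lower-cases the scheme
        return False
    host = parts.hostname                # lower-cased; userinfo and port removed
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(payloads):
    """Returns {payload: trusted?} so the decision for each can be inspected."""
    return {p: qr_target_is_trusted(p) for p in payloads}


# Constructed sample of payloads a transit app might scan at a stop.
SAMPLE_PAYLOADS = [
    "https://timetables.example-transit.gov.uk/stop/123",               # genuine
    "HTTPS://Timetables.Example-Transit.gov.uk:443/stop/123",           # genuine, odd casing
    "http://timetables.example-transit.gov.uk/stop/123",                # downgrade, interceptable
    "https://timetables.example-transit.gov.uk.evil.example/stop/123",  # look-alike suffix
    "https://timetables.example-transit.gov.uk@evil.example/stop/123",  # userinfo trick
    "https://evil.example/?next=timetables.example-transit.gov.uk",     # name in query only
    "javascript:alert(document.cookie)",                                # not a web address
]

if __name__ == "__main__":
    for p, ok in triage(SAMPLE_PAYLOADS).items():
        print("TRUST " if ok else "REJECT", p)
```

An allow-list only establishes that the destination belongs to the operator; it does not bind a code to a particular stop, and a phishing page on a look-alike domain still needs the user to notice. Binding the code to the stop would require the operator to sign the payload, which is a different mechanism from the one shown here.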
• Misuse of Service or Product Threats
The reputation of a service provider can also be tarnished by the use of its services/products by an external entity to perform actions that violate others' security, privacy, or even reputation. These threats might negatively affect the reputational and financial standing of the service provider despite the possible absence of any inadequacy in the service/product. For example, malicious users may misuse devices like Google Glass or smart watches to stealthily collect information at locations where such activity is illegal or undesired. Such privacy violations can culminate in security and/or reputational threats as well. Though such incidents do not involve any compromise of the integrity of the service/product, they certainly corrode its reputation and affect user trust, because of the association of the service/product with the incidents. They also lead to the formation of prejudiced opinions and even very harsh policies against the service/product [14, 76]. The Social Governance Framework proposed in Chap. 5 can prove to be an effective solution for minimizing such threats and protecting the interests of users and service providers.
• Misbehavior of Associated Entities Threats
The IoT is a composite system. Often a service provider does not own the end-to-end infrastructure required to provide a service, and hence collaborates with other enterprises and equipment manufacturers. In such setups, the robustness of the service provider's security and privacy is influenced by the performance of the associated entities, whose security or privacy safeguards might not be under the service provider's control. If the behavior of these entities is substandard or malicious, it will ultimately tarnish the service provider's performance and reputation.
38 3 Vulnerable Features and Threats
Security and privacy are the prime constraints to the popularity and acceptance of the IoT. Figure 4.1 from [179] indicates the opinions of security personnel active in the IT space on security in the IoT. According to [213], the further back in time we go, the smaller the need for security and privacy in the Internet was. Hence security and privacy were not part of the design of the Internet. With the evolution of the Internet into the IoT, many security and privacy issues came up, which were generally resolved by building patches. Security and privacy are generally treated as add-on features. The nature of the vulnerabilities of the IoT, as discussed in Sect. 3.1, dictates the integration of security and privacy into the design of the IoT. Also, along with a technological model for security and privacy, a foolproof IoT ecosystem would also require reconsideration of the related governance, economics, and social ethics.
Based on [191], this book recognizes the following broad domains of action as vital for the development of an effective, secure, reliable, robust, and safe IoT ecosystem, and as requisite for the preservation of security and privacy in the IoT:
• Protocol and Network Security
• Data and Privacy
• Identity Management
• Trust Management
• Fault Tolerance
The significance of privacy and the implications of privacy violations in the IoT ecosystem are discussed in Sect. 3.2.4. [113] discusses the privacy implications of the IoT, focusing on RFID technology as one of its main enablers, and suggests possible solutions for developing IoT systems in a privacy-respecting and secure manner. In order to approach privacy issues in the IoT ecosystem, [191] suggests three key considerations:
• Privacy by Design
• Transparency
• Data Management
Privacy by Design (PbD) is a philosophy that endorses empowering users with tools to control the data produced by them [144, 201]. [201] provides three complementary definitions of PbD.
• Firstly, PbD means making data security provisions an integrated part of the
design of an information system.
• Secondly, PbD means collecting and processing minimal personal data (prin-
ciple of data minimization).
• Finally, PbD means thoroughly analyzing and assessing the future vulnerability
of originally secure technology.
PbD is being implemented in many areas. According to PbD, any data produced by users can be controlled by them using a dynamic consent tool which permits or restricts services to access as little or as much of that data as desired by the producer of the data. Hence, users can control the quantity and granularity of the data they produce that is divulged to any service. For example, a user located in Central Park in New York could use a location-based IoT service while divulging less precise location information, such as that they are in New York City. Also, smart home appliances, like a refrigerator or a smart heater, should be transparent about what type of information they are collecting, to whom it is being sent, and for what purposes that information is used. Moreover, the appliances and the services should be programmable, so that users are able to set the amount of data that the appliances may collect and to whom that information should be sent.
The IoT architecture, which comprises existing networks and services as well as several new and unique devices (such as remote health monitoring devices, sensors, etc., in the healthcare industry), faces a series of important technical challenges, one of them being the management of diverse user and object identities and their relationship types [96]. Although the concept of "Identity" in the IoT is similar to that in the classic web, the identity mechanisms in the IoT are required to be somewhat different from those in the classic web [103]. Classic identity management (IdM) dealt with longer-living identities. For example, in applications like e-mail, user identities are long term, i.e., they could exist for months or years. In the IoT, an identity may exist for anywhere from months or years to only days or minutes. For example, a parcel being shipped over a long distance gets an RFID tag associated with an identifier. As it moves from one logistics center to another, it is tracked, controlled and routed. As soon as it arrives, the identity of the parcel is terminated.
Things in the IoT often have a relationship to real people (owners, manufacturers, users, administrators, etc.). As the identity relationships may change over time, identity management processes like authentication and authorization are also affected. In classic IdM, certain established methods are used to manage identities. Authentication methods validate identities, identity attributes are transmitted over secure channels, and critical data like passwords are encrypted and stored. Security elements like integrity, availability, authenticity and non-repudiation are integrated in classic identity protocols, whereas in the IoT many communication protocols are not standardized and may not be IP-based. The resource-constrained members of the system lack the processing power, bandwidth, or energy to support sophisticated encryption, challenge-response procedures or other security mechanisms.
The classic authentication mechanisms may not directly apply to the IoT. In the
IoT, objects have to provide some lightweight token or certificate for an authentication
where no human mediation is required (for tasks like providing a password). For
stronger authentication of individuals in classic IdM, usually multiple factors are
combined. These factors are based on the following proofs:
• Something that you have (like a token or certificate).
• Something that you know (like a password).
• Something that you are (like biometry).
In the IoT the last two proofs are not applicable to objects anymore. [191] states
certain object identity principles for the IoT:
• Objects know their owner’s identity. A device controlling a user’s glucose level
should know how that information fits in that user’s overall health.
A group of objects can also have an identity, which is also required to be managed.
Proving identity is an important part of IdM. The IoT would require an infrastructure
that allows mutual object authentication. Also, a balance between centralized and
distributed identity management [105] is required. Other important techniques for
IdM are anonymization and pseudonym creation. In the IoT an entity could possibly
operate in different contexts and might not want to reveal its identity every time.
As a result of this, these identity masking technologies are fast gaining popularity.
For example, [94] proposes a technique for improving the privacy of Smart Grids
through secure anonymization of frequent (for example, every few minutes) electrical
metering data sent by a smart meter. Although such frequent metering data may be
required by a utility or electrical energy distribution network, it is enough to securely
attribute the data to a specific locality, and not to a specific smart meter.
Other IdM issues discussed in [191] are: human and machine authentication, authorization, and granularity. High system security requires combining authentication methods like bioidentification with objects like a passport, identity card, or smartphone. Such combinations typically take the form of (what I am + what I know) or (what I have + what I know). Authentication and authorization are highly related concerns, as they together determine who is entitled to assume a role. However, specific topics like delegation fall under authorization. Granularity is a concept related to authorization: the services an object provides might be modulated based on the number of credentials presented, i.e., the authority projected.
Separation of identity and locator is an innovative trend, although the architec-
tural problem of supporting the real people behind the physical device, while protect-
ing information about the user and its context has no solution yet [109]. According
to [69] various architectures have been proposed in relation to IdM in the IoT, includ-
ing those concerned with naming, addressing, routing, and security issues such as
Mobility and Multihoming supporting Identifier Locator Split Architecture (MILSA)
and Enhanced MILSA [174, 176]. These architectures are based on identities rather
than addresses to organize networks using distributed hash tables [68, 209]. Some
of the architectures are concerned with separating the ID and the locator [150].
According to [199], the issue of bringing identity management to the network was
first addressed by the EU project Daidalos [9], and further contributions in this
direction were made under the EU ICT FP7 project SWIFT [30]. These projects
address a vertical approach to identity management, as well as how to leverage iden-
tity technologies as an enabling technology for convergence. The concept of Virtual
Identity [198] is of relevance to this context. Other prominent IdM schemes are:
Microsoft Passport [24], Microsoft CardSpace [21], and OpenID [25]. Though these
schemes present general Web 2.0 types of approaches, they do not explicitly con-
sider the large population of devices that the IdM would have to manage in an IoT
environment [199].
[143] states that the majority of the proposed solutions implement ID frameworks
that are applicable within well-defined administrative boundaries, hence creating
“identity management islands with interoperability issues.” Such solutions shift the
problem from the isolation of domains to the isolation of federations and certainly
away from network convergence, which is a key aspect of the IoT.
Trust should be deemed to be a vital component of the IoT. Trust in the context of
the IoT encompasses the following two concepts:
• Reduction of uncertainty and improvement of trustworthiness of the constitut-
ing elements of the IoT.
• User experience: How comfortable, secure and capable the users feel while
interacting with the IoT.
Various trust models have been proposed that define trust in a dynamic collaborative environment between interacting IoT elements. For example, [149, 219] are examples of distributed trust management systems for the IoT, while [61, 67] are examples of IoT trust management models based on fuzzy reputation. Such models enable IoT objects to dynamically choose an adequate partner for interaction to accomplish certain functions, improving the overall reliability of the IoT system.
User trust in the IoT can be instilled by protecting user privacy, providing users adequate control over their services and interactions with the system, and providing them clear knowledge of their virtual surroundings. Feelings of helplessness and of being under some unknown external control can greatly undermine the IoT's trustworthiness [191]. Governance plays a vital role in strengthening trust in the IoT. [191] recognizes the importance of a common framework for the formulation and enforcement of security policies in supporting interoperability and ensuring consistent and continuous security. The Social Governance Framework proposed in this book (Chap. 5) shares a similar vision. Such frameworks would also bring accountability to the IoT and strengthen trust in the IoT.
Fault tolerance is critical for ensuring service reliability. The IoT is especially prone to attacks that would test its fault tolerance, for two reasons:
• Large population of devices producing and consuming services.
• Presence of highly resource-constrained members in the IoT.
The IoT requires specialized, lightweight solutions for fault tolerance issues. [191]
recognizes three cooperative measures required to achieve fault tolerance in the IoT:
• Build security and fault tolerance into all objects. Along with designing secure
protocols and mechanisms, hardware and firmware/software quality of the
devices should also be improved. This would reduce physical vulnerability of
the devices. Moreover, it is infeasible to provide software patches for billions
of devices.
• Enable all the IoT objects to learn the state of the network and its services.
This would require consistent communication between interacting objects, each
giving feedback to many other elements. An important task in this effort is to
build an accountability system that will help monitor state.
• Build resistance against network failures and attacks, and self-recovery in objects. The protocols should incorporate mechanisms for detecting anomalous situations and allowing objects to gracefully degrade their service. Objects should be able to use intrusion detection systems and other defensive mechanisms to avoid and defend against attacks. Fast recovery of affected network elements is also desired. [191] suggests that such elements can use feedback from other mechanisms and entities to map the location of unsafe zones, where an attack has caused service outages, and trusted zones with no service outages, and implement recovery services using this information. Mechanisms could also inform human operators of the damaged zone and then perform maintenance operations. This infrastructure self-management is a key tenet of the IoT.
4.2 Standardization
4.3 Governance
Governance, at any level of social organization, refers to conducting the public's business: to the constellation of authoritative rules, institutions and practices by means of which any collectivity manages its affairs [192]. Governance would be critical for the structured implementation of the IoT and for enforcing its reliability. According to [192], sound governance for the IoT would encompass both legal and social efforts. Legal efforts would mean the formulation of comprehensive and highly relevant (yet not unnecessarily innovation-stifling) policies. Social efforts would focus on enforcing development standards for IoT services as well as ensuring secure implementation and usage of IoT services. However, governance is a double-edged sword. While it offers system, stability, support for political decisions, and a fair enforcement mechanism, it can easily become excessive, resulting in an environment which continuously monitors and controls people. If we learn from the Internet's partially solved governance problem, it will take the combined efforts of several research communities to address the challenges of a governance framework when countless stakeholders and objects are involved. The concept of "multi-stakeholder governance" should be perceived as the new way forward in favor of including the entire society [222]. Though the IoT's future development is hardly predictable, a preliminary assessment of the current environment regarding the Internet's structure, institutional issues, and governance principles is desirable. As the IoT uses the Internet, it is important that proposals for governance are considered in cooperation with the relevant bodies involved in parallel developments of the Internet. The European Future Internet Assembly [11] is one such organization. Furthermore, [222] suggests that, given the difference in stakeholders of the two frameworks (global society vs. mainly businesses) and the difference in purpose, separate (but closely cooperating) governing bodies for the Internet and the IoT are a suitable proposition, considering the specific needs of each framework.
We recognize the close relation between legal and social governance. For the formulation of policies which are up to date and comprehensive, yet not excessively severe on the users or the innovators, lawmakers need to have a clear picture of societal needs and technological trends. This would require adequate information exchange between the law-making bodies and the other stakeholders (the innovators, enterprises, and users). Moreover, the formulation of foolproof legislation and policies is not enough. Efficient policy enforcement mechanisms are required. [191] states, "Future research must also carefully consider the balance of governance and legal frameworks with innovation. Governance can sometimes hinder innovation, but innovation in turn can inadvertently ignore human rights. The right balance will ensure stable progress toward realizing and securing the IoT as envisioned, and the benefits to humanity will be well worth the effort". Figure 4.2 presents the model for IoT Governance.
The proposed Social Governance Framework (Chap. 5) envisions facilitating ade-
quate information flow between the key drivers of the networked society, to aid sound
manufacturing, legal, or usage decision making. The framework would also ensure
efficient law formulation and enforcement. Such a framework can also provide aug-
mented services to improve data management and accountability of the IoT.
Fig. 4.3 Solutions for security, privacy, system and stability in the IoT
At the Final Conference of CASAGRAS, in London, October 2009, the project leaders recognized that governments, industry, and business lacked awareness of the IoT and its benefits, and that awareness programs are key requirements in creating a better understanding of its potential and benefits. It is vital to spread IoT-related awareness among the enterprises, the government, and the users.
accepted, over the years SNMP was realized to be inadequate for management of
modern internetworks, and hence policy-based networking was brought in.
A lot of work has been done on the idea of developing frameworks for policy management in distributed computing systems [82, 131, 152, 207]. In existing frameworks, the objective is to enable an enterprise to create programmatic specifications of its operational security policies. These programmatic policies can run and create instances of the policies suitable for any deployment scenario. For example, firewall rules and access control policies at database servers are created from such policy specifications. Although they started mostly as logic-based frameworks, policy frameworks have evolved into risk minimization frameworks, which are closer to the approach of Social Governance.
However, the particular focus of the policy management frameworks remains different. They are geared to allow an enterprise to dictate how its resources should be managed, whereas Social Governance is about a larger society, and the collaboration of the key players of the IoT system (users, manufacturers, and policy makers) in the formulation and evolution of the policies.
Policy-based network management works fine in the virtual world. But in the physical world, different functionality may be needed. For example, in a household, a family might have a son who is a gamer. The rest of the family might ask the son to set up his gaming console in his room and not in the living room, to avoid disturbing others. The son has autonomy within his room, but in places of the house outside his room, he is required not to create inconvenience for the rest of the family. Hence, the bigger the space of influence, the wider the consensus that has to emerge for its governance. The local policies would emerge as part of the consensus. Social Governance strives to provide a framework that facilitates a solution for this tension.
Social Governance would also help in optimizing the actions of each of the IoT stakeholders. For example, if an enterprise is trying to introduce something like Google Glass in a particular region, it would be crucial for the enterprise to be aware of the market status. If the product is only permitted to operate in a very small portion of the region, it may not be a viable decision to market the product in the region. Such information is also critical for the consumers. Currently, no such infrastructure exists which could facilitate such awareness.
The Social Governance framework:
• evolves policies in a collaborative manner.
• has to work with incomplete policy formulations.
• formulates some policy rules as a reaction to user actions.
Figure 5.1 illustrates the framework for Social Governance. The purpose of the framework is to provide sufficient information to each of the three drivers, to equip them to make the best innovative/production (from innovators' or manufacturers' perspective), political (from policy makers' perspective), and usage (from users' perspective) decisions.
Before discussing the nature of communications between each pair of the driver
entities, let us discuss two critical elements of the Social Governance Framework:
the Hierarchical Distributed Policy Management System and the Policy Compliant
Smart Devices.
the government of a nation may allow the use of a certain technology/product, say
Google Glass, but the administration of an office might forbid its use within the office
premises. Or the office administration may have no specific regulations for Google
Glass, but the law of the land might have banned it. Hence, the policy for a specific
location must be a logical compilation of the policies enforced by all the relevant
authorities. Figure 5.2 indicates the scope of relevance of the security and privacy
policies enforced by different authorities.
A hierarchical policy management system would provision for each of the concerned policy-making bodies to implement the formulated policies at the respective levels in the hierarchy, and then compose decisions based on the relative importance of the policies at each level of the hierarchy [193]. The domain of authority descends from top to bottom in the hierarchy. Figure 5.3 illustrates a typical HDPMS. The compilation of the policies for a location and context, based on the existing policies at each level of the hierarchy, is discussed in detail in Sect. 5.2.5.
During the functioning of the HDPMS, the policy servers receive policy information from the higher-level servers in the form of policy response messages (see Sect. 5.2.5). To reduce the latency of response to policy requests, the servers cache the policy information received from the higher-level servers for a fixed amount of time, after which the cached data becomes stale. If a policy request is received at a server and the relevant policies of the higher domains are either unavailable locally or the cached data has expired, the server sends an inquiry message for the requested policy to its parent. The HDPMS can have some augmented features which can aid in making the policy formulation and enforcement procedure much more dynamic and efficient (see Sects. 5.2.8 and 5.3). Figure 5.4 depicts the workflow of a typical HDPMS server.
With more and more things (devices, objects, or even living beings) becoming "smarter", mobile and less visible, a challenge bigger than formulating reliable security and privacy policies is ensuring high policy adherence. The commercial usage of IoT-enabled devices would require fine-grained security enforcement as opposed to the current "perimeter-based" enforcement [175]. Security needs to be an inherent feature and integral part of the architecture. The bootstrapping of smart things in security domains [105, 197] is an effective solution for smart things which are joining a particular security domain. For example, if a device present on the premises of an organization is trying to access the organization's communication infrastructure, secure bootstrapping would ensure policy adherence by allowing or denying access to the device, and by monitoring and controlling its activities. But what happens when
a smart thing, which is physically present at a protected premise, has its own net-
work connectivity (e.g., 3G/4G network link)? How could the adherence to the local
“device etiquette” be ensured? A failure in controlling such devices’ activities within
protected premises might lead to severe security/privacy breaches.
Figures 5.4 and 5.5 depict the workflows of a PCSD and a HDPMS, respectively,
in a typical IoT environment. Figure 5.6 shows the major communications in the
HDPMS–PCSDs setup. The functioning of the HDPMS-PCSD based IoT environ-
ment is described below.
• Every PCSD would be considered as an aggregation of multiple functionalities. For example, a smartphone can be considered to be composed of functionalities like voice calling, text messaging, video recording, audio recording, media playing, and direction finding. Each functionality would have a standardized description. Manufacturers who want to include any functionality in their devices would have to assign that unique description to the functionality. For example, if the Functionality ID for media playing is, say, PLAY_MEDIA, then every device incorporating this functionality would recognize the functionality by the same Functionality ID (PLAY_MEDIA).
• The PCSDs would request policies for the actions of all running (or requested to run) functionalities every t seconds. The policy request format is explained in Sect. 5.2.4. The value of t can be determined based on the characteristics of the device, like mobility. A device that changes its location/context very frequently would require frequent refreshment of policies, and hence a smaller value of t. The value of t can be designed to be changed by the OS of a device according to the rate at which the device changes its location.
Moreover, the rate of policy refreshment should consider the local policy as well. In scenarios where a specific location might want to ensure that changes in a local policy are observed immediately, as and when they are implemented, the PCSDs in the area are required to detect and adhere to that policy within a certain time limit. This can be achieved by provisioning for the local policy to specify the desired rate of policy refreshment. The device should follow the rate specified by the local policy or the one calculated by the device itself, whichever is higher.
• A PCSD first queries the service provider for the policies (Label 1 in Fig. 5.6).
The service provider in turn queries the HDPMS for the local policies (Label 2 in
Fig. 5.6), and relays back the response received from the HDPMS, to the requesting
device (Labels 3 and 4 in Fig. 5.6).
• When queried for policies, if the HDPMS has valid policies for the functionality,
it responds back to the service provider with the policies. Else, it responds with an
unconditional grant for the particular functionality to operate in the locality. The
policy resolution in HDPMS is explained in Sect. 5.2.5.
• If the response received from the service provider prohibits operation of the par-
ticular functionality with the requested action in the locality, the functionality is
disabled for t seconds before a fresh policy is requested from the service provider.
• If the response received allows the functionality to run with the requested action
in the locality, then the device undertakes the following procedure.
– The PCSD would seek local consent on the operation of the functionality through a polling protocol based on localized broadcast communication, similar to ARP [184] or NDP [167]. The device would broadcast a policy request message within its physical locality, to which only the local policy compliant devices can reply (Label 5 in Fig. 5.6). The local consent polling mechanism is discussed in Sect. 5.2.6.
– If the requesting device does not receive any response from the locality, the OS
of the device assumes to have unconditional permission for operation of the
functionality with the requested actions in the locality and context. Else, the OS
of the device enables or disables the functionality based on the majority formed
by the peer votes.
– If enabled, the functionality operates for t seconds before requesting fresh per-
mission. If the functionality is disabled, it would be disabled for t seconds,
before a fresh permission is requested. If at the end of the t seconds, the device’s
physical location is still within the area that it had polled for the previous vote,
it can directly poll for the local consent once again; else, it would request the
service provider for a fresh policy.
– Whenever a decision on the operation of a functionality is formed based on local
votes, the PCSD reports the details of the decision, i.e., the functionality ID, the
Figure 5.6 depicts the communications between the PCSDs, the service providers,
and the HDPMS, in a typical HDPMS-PCSDs setup. Note that the figure is not a
comprehensive depiction of all the types of messages exchanged in the setup. There
are intra-HDPMS message transmissions between the policy servers as well, which
are not shown in the figure, but are explained in Sect. 5.2.5. Three major types of
messages that circulate in the HDPMS-PCSDs setup are policy request, decision
report and policy response.
• Policy Requests: These messages are primarily initiated by PCSDs inquiring the
location-based security policies for the functionalities running in them. They are
used to request policies from the service provider (Label 1 in Fig. 5.6), as well
as from the local peer devices, in case of local consent based decision making
(Label 5 in Fig. 5.6). The same messages are relayed by the service provider to the
HDPMS (Label 2 in Fig. 5.6), and also used by the policy servers in HDPMS to
request policies from their parent servers, if required. For a node n1, a composite statement,
n1 REQUESTS y { f1, a1,1 }
n1 REQUESTS y { f2, a2,1 }
n1 REQUESTS y { f2, a2,2 }
...
n1 REQUESTS y { f4, a4,1 }
The format of the policy request messages is depicted in Listing 5.1 under the tag <policy_request>. The field message_type denotes the type of information contained in the message (request in this case). The message also contains the identity of the source of the policy request message (source_id), the identity of the device initiating the policy request (device_id), and a pair of a functionality_id and an action, for which the device is seeking the local policy. For a particular policy request, the source ID (source_id) keeps changing as the request message is transmitted between different nodes of the HDPMS–PCSDs setup, but the device ID (device_id) remains constant throughout the request-response cycle. For example, if a device d1 requests a policy from the service provider or from its local peers, the Device ID of the message would be d1 throughout. In this case, the Source ID would be d1 as well. When the request is transmitted from the service provider to the HDPMS, the Source ID would be the identity of the service provider. And finally, if the request is transmitted by a policy server to its parent in the hierarchy, the Source ID would be the identity of the requesting policy server.
• Policy Responses: These messages are initiated by the policy servers in the
HDPMS (Label 3 in Fig. 5.6) or by the local peers of a PCSD in response to the
policy request messages initiated by the PCSD (Label 6 in Fig. 5.6). They are
also used by the service provider to relay the HDPMS's response to the requesting
device (Label 4 in Fig. 5.6). The possible forms of policy response messages are
GRANTS and DENIES. The composite statement,
y GRANTS d1 { f1, f3 }
denotes node y, which can be a policy server in the HDPMS, the service provider, or a
local peer device, allowing the functionalities f1 and f3 to operate with the actions
requested by device d1. This statement comprises multiple individual responses
denoted by
y GRANTS d1 { f1 }
y GRANTS d1 { f3 }
y DENIES d1 { f2, <conditions>2 }
y DENIES d1 { f4, <conditions>4 }
The conditions for denial are supplied in the response message so that the device
is aware of the reason why permission to run the particular functionality in the
location was denied. This can help the device adjust the values of the requested
actions of the functionality to make it suitable to operate in the locality, if required
and if possible. For example, if a policy compliant smart car enters a locality which
has a permissible speed range of 20–45 MPH, and is travelling at 55 MPH, the
car would request the local policy for its different operational functionalities,
including running. One of the actions of "running" would be speed. When the
HDPMS receives the request from the car for running at the speed of 55 MPH, it
responds with a denial of permission. In this situation, if the OS of the car is not
supplied with the condition for denial, it would not know any other way to obey
the policy but to instantly stop! This of course is not a practical solution. If the OS
of the car receives the conditions for the denial in the response, i.e., if in this case
the car receives a denial of running at 55 MPH along with the condition "Speed Limit =
20 MPH–45 MPH," the OS can either warn the driver or automatically slow down
into the permissible speed range.
The format of the policy response messages is depicted in Listing 5.1 under
the tag <policy_response>. The field message_type denotes the type of information
contained in the message (response in this case). The message also contains the
identity of the source of the message (source_id), the identity of the device that
initiated the policy request (device_id), the description of the functionality on which
the decision has been made (functionality_id), the permission (permission), and
the conditions for denial (condition_for_denial). As discussed earlier, the
condition_for_denial needs to be considered only when the permission has the value
'deny'. As with the policy request messages, for a particular response the source_id
keeps changing as the response message is transmitted between different nodes,
but the device_id remains constant throughout. Section 5.2.5 explains the policy
resolution in the HDPMS while forming the response to the policy requests.
• Decision Reports: These messages are sent by a PCSD to the HDPMS, through
the service provider (Labels 7 and 8 in Fig. 5.6), whenever the device makes an
operation decision for any of its functionalities based on the local vote. Such reports
can help in effectively representing the local activities and opinions on various
technologies to the policy servers, which in turn can culminate in the formulation of
highly location and context relevant, robust policies. For a node n1 (a PCSD
or a service provider), the following composite statement,
The format of a decision report message is depicted in Listing 5.1 under
the tag <policy_report>. The field message_type denotes the type of information
contained in the message (report in this case). The message also contains the
identity of the source of the decision report message (source_id), the identity of
the device initiating the report (device_id), the identity of the functionality on which
the decision has been made (functionality_id), the decision (permission), and the
conditions on which the decision has been based (permission_condition).
The conditions are basically a compilation of all the conditions under which
each of the actions of the functionality was allowed or denied to operate in the
locality. As with the policy request and response messages, for a particular report
message the source ID keeps changing as the report is transmitted
between different nodes of the HDPMS–PCSDs setup, but the device ID remains
constant throughout.
The HDPMS is a hierarchical and distributed system in which policies are
simultaneously implemented at multiple levels of the hierarchy. The domain of authority
broadens as we go from the bottom to the top of the hierarchy. Hence, the resultant
policies for a location are obtained by compiling all the relevant policies across the
height of the hierarchy. As explained in Sect. 5.2.1 and illustrated in Fig. 5.3, the
incoming policy request messages that are initiated by the PCSDs and forwarded
by the service providers are first received at the lowest level policy server of the
HDPMS. As shown in Fig. 5.4, the policy server tries to respond to the request
by using its local policies (if any) and the cached copies of relevant policies that have
been received from policy servers higher in the hierarchy. If a server does not have
any relevant policies from the higher servers cached locally, or the validity of the
cached data has expired, then it sends a policy request message to its parent server,
and this procedure continues recursively.
The upward traversal of the policy request message in the hierarchy terminates
when either the top of the hierarchy has been reached, or the request reaches a
policy server which has a valid cached copy of the relevant policies received from
its parent. At this point, the policy response message originates (see Listing 5.1
under the tag <policy_response> for the message format). Based on the policies
for the requested functionality, each server decides if the requested action value
of the functionality is permissible or not. If it is permissible, the local permission
of the server is to ‘allow’ operation of the functionality-action pair. Else, the local
permission is to ‘deny’ operation of the functionality-action pair. The policy server
combines this local permission with the permission contained in the policy response
message received from its parent. The rule for permission combination is as follows:
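As an added illustration of the resolution just described (example code written for this edition, not part of the book or of Listing 5.1): a toy HDPMS in which each policy server answers from its own policies and a time-limited cache of its parent's, and walks the request upward on a cache miss. The rule for combining a server's own permission with its parent's is not stated on the page, so the code assumes that a denial at any level wins; the server names, speed ranges and ttl values are constructed.

```python
import time
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]  # (functionality_id, action)


@dataclass
class Policy:
    functionality_id: str
    action: str
    low: float   # permissible range of the action value, inclusive
    high: float
    ttl: float   # seconds a cached copy of this policy stays valid

    def permits(self, value: float) -> bool:
        return self.low <= value <= self.high

    def condition(self) -> str:  # text sent back as condition_for_denial
        return f"{self.action} limit = {self.low:g}-{self.high:g}"


@dataclass
class PolicyRequest:  # fields of <policy_request> in Listing 5.1
    source_id: str    # changes at every hop
    device_id: str    # constant for the whole request-response cycle
    functionality_id: str
    action: str
    value: float
    message_type: str = "request"


@dataclass
class PolicyResponse:  # fields of <policy_response> in Listing 5.1
    source_id: str
    device_id: str
    functionality_id: str
    permission: str   # 'allow' or 'deny'
    condition_for_denial: Optional[str] = None  # only meaningful for 'deny'
    message_type: str = "response"


class PolicyServer:
    """One node of the HDPMS; `parent` is None at the top of the hierarchy."""

    def __init__(self, server_id: str, parent: Optional["PolicyServer"] = None,
                 policies: Tuple[Policy, ...] = ()):
        self.server_id = server_id
        self.parent = parent
        self.local: Dict[Key, Policy] = {(p.functionality_id, p.action): p for p in policies}
        self.cache: Dict[Key, Tuple[Policy, float]] = {}  # key -> (policy, expiry)
        self.parent_queries = 0  # how often a request had to travel upward

    def relevant_policy(self, key: Key, now: float) -> Optional[Policy]:
        """Policy this server applies for `key`: its own if it has one, else its
        parent's (served from the cache while valid, fetched otherwise)."""
        return self.local.get(key) or self._from_parent(key, now)

    def _from_parent(self, key: Key, now: float) -> Optional[Policy]:
        if self.parent is None:  # top of the hierarchy: the traversal terminates
            return None
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]
        # Cache miss or expired: in the real system a policy_request with
        # source_id = this server goes to the parent; here we call it directly.
        self.parent_queries += 1
        policy = self.parent.relevant_policy(key, now)
        if policy is not None:
            self.cache[key] = (policy, now + policy.ttl)
        return policy

    def handle(self, req: PolicyRequest, now: Optional[float] = None) -> PolicyResponse:
        now = time.time() if now is None else now
        key = (req.functionality_id, req.action)
        local = self.local.get(key)            # local permission
        local_ok = local is None or local.permits(req.value)
        upper = self._from_parent(key, now)    # permission from higher up
        upper_ok = upper is None or upper.permits(req.value)
        # Assumed combination rule (the page does not state it): a denial at
        # any level wins, so the most restrictive policy on the path applies.
        # With no relevant policy anywhere the device is permitted to operate.
        if local_ok and upper_ok:
            return PolicyResponse(self.server_id, req.device_id, req.functionality_id, "allow")
        blocking = local if not local_ok else upper
        return PolicyResponse(self.server_id, req.device_id, req.functionality_id,
                              "deny", blocking.condition())


def relay(req: PolicyRequest, hop_id: str) -> PolicyRequest:
    """Forward a request through a node: source_id changes, device_id does not."""
    return replace(req, source_id=hop_id)


def demo() -> Tuple[PolicyResponse, PolicyResponse, int]:
    """Constructed scenario: the region limits 'running' speed to 0-70, the school
    locality below it to 20-45; car d1 asks for 55 and, ten seconds later, 40."""
    region = PolicyServer("region", policies=(Policy("running", "speed", 0, 70, ttl=60),))
    locality = PolicyServer("locality", region, (Policy("running", "speed", 20, 45, ttl=60),))
    car = PolicyRequest("d1", "d1", "running", "speed", 55)
    first = locality.handle(relay(car, "service_provider"), now=0)
    second = locality.handle(relay(replace(car, value=40), "service_provider"), now=10)
    return first, second, locality.parent_queries
```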
As discussed in Sect. 5.2.3, while requesting the policy for a particular
functionality-action pair from the service provider, the PCSD receives permission to operate in two
scenarios: (1) the requested functionality with the action value is permissible as per
the relevant policies contained in the HDPMS, and (2) the HDPMS does not have any
relevant policy for the functionality-action pair. In both cases, the PCSD polls
for the consent of the local PCSDs to learn the "local etiquette", i.e., whether the
local PCSDs are willing for the particular functionality-action pair to be operational
in the locality. The capability of casting its rules on the operation of a functionality
in its physical proximity can be built into a PCSD.
The concept of using peers' opinion in decision making through polling is common
in distributed network protocols [104, 121] and peer-to-peer communications [81].
In the first scenario mentioned in the previous paragraph, local vote polling could be
useful as the opinion of local people might differ from the enforced policies in specific
contexts. For example, a university might allow the calling and text messaging
functionalities of cell phones on its premises, but at the same time an examiner might
want to prohibit their use in an examination hall. In such cases local consent polling
can prove effective in imposing the preferences of the local authority even when
relevant policies are not in place. A mechanism can be set up to allow some local voting
devices' votes to weigh more in the decision making. Moreover, as discussed in
Sect. 5.2.3, the decision made through local voting is reported to the HDPMS. This
aids in registering the opinion of the users of a locality on particular functionalities,
which can culminate in more relevant and effective policy formulation.
Labels 5 and 6 in Fig. 5.6 represent the local consent polling mechanism. The
policy request message is broadcast in the physical locality (Label 5 in Fig. 5.6).
The communication for consent polling can be set up using Bluetooth technology
with automatic connection initiation (no pairing required) enabled in the
devices [56].
The peer PCSDs would have the capability to let their users set their preferences
for the behavior of different functionalities of PCSDs in their physical proximity.
For example, the owner of a policy compliant smart watch might not want to be
photographed or videographed at his/her workplace, and can set the smart watch's
preference accordingly. When the device receives a policy request from a local peer for
the camera functionality, the device would respond with a vote against the request. A
vote against a request is accompanied by the condition for denial. In case the device
does not have any relevant rule, it votes in favor of the request. This communication
(Label 6 in Fig. 5.6) uses the policy response message.
Based on the response votes received, the polling PCSD decides on the operation of
the functionality-action pair in the locality. The decision is aligned with the majority
of the votes. To base the decision on the votes received, the polling device needs to
trust the votes [81]. The reliability of the messages exchanged, and of the behavior
of the devices in general, can be ensured by (1) securing the communications and
the communication channel, and (2) developing a trusted computing base (TCB) in
the policy compliant smart devices.
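An added example (not the book's code) of the consent polling in Labels 5 and 6, together with the decision report described under Decision Reports above: peers vote against a request only when they hold a relevant preference, the polling device follows the weighted majority, and the denial conditions behind the decision are compiled into the report. The peer names, preference rules, weights and the tie-breaking towards 'allow' are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vote:  # a peer's policy_response to the broadcast policy_request
    source_id: str           # the voting peer
    device_id: str           # the polling device, constant across the cycle
    functionality_id: str
    permission: str          # 'allow' or 'deny'
    condition_for_denial: Optional[str] = None
    message_type: str = "response"


@dataclass
class DecisionReport:  # the policy_report later relayed via the service provider
    source_id: str
    device_id: str
    functionality_id: str
    permission: str
    permission_condition: List[str]
    message_type: str = "report"


@dataclass
class PeerDevice:
    device_id: str
    # functionality_id -> condition text the owner set (assumed rule shape)
    preferences: Dict[str, str] = field(default_factory=dict)

    def vote(self, device_id: str, functionality_id: str) -> Vote:
        cond = self.preferences.get(functionality_id)
        if cond is None:  # no relevant rule: vote in favour of the request
            return Vote(self.device_id, device_id, functionality_id, "allow")
        # a vote against carries the condition for denial
        return Vote(self.device_id, device_id, functionality_id, "deny", cond)


def poll_locality(device_id: str, functionality_id: str, peers: List[PeerDevice],
                  weights: Optional[Dict[str, float]] = None) -> Tuple[str, List[Vote]]:
    """Broadcast the request to the peers in range (Label 5) and decide by the
    weighted majority of their votes (Label 6).  `weights` lets chosen peers,
    e.g. an examiner's device, count more; unlisted peers weigh 1.  With no
    votes against, or a tie, the device is allowed to operate (assumed)."""
    weights = weights or {}
    votes = [p.vote(device_id, functionality_id) for p in peers]
    tally = {"allow": 0.0, "deny": 0.0}
    for v in votes:
        tally[v.permission] += weights.get(v.source_id, 1.0)
    decision = "deny" if tally["deny"] > tally["allow"] else "allow"
    return decision, votes


def make_report(device_id: str, functionality_id: str, decision: str,
                votes: List[Vote]) -> DecisionReport:
    """Compile every denial condition behind the local decision into the report
    the device sends to the HDPMS; source_id starts out as the device itself."""
    conditions = [v.condition_for_denial for v in votes
                  if v.permission == "deny" and v.condition_for_denial]
    return DecisionReport(device_id, device_id, functionality_id, decision, conditions)


def demo() -> Tuple[str, str, DecisionReport]:
    """Constructed office: two watches object to photography, three devices have
    no rule; a second poll gives one of the watches (the authority) weight 3."""
    peers = [
        PeerDevice("watch-a", {"camera": "no photography at the workplace"}),
        PeerDevice("watch-b", {"camera": "no photography at the workplace"}),
        PeerDevice("phone-c"), PeerDevice("phone-d"), PeerDevice("laptop-e"),
    ]
    plain, _ = poll_locality("glass-1", "camera", peers)
    weighted, votes = poll_locality("glass-1", "camera", peers, weights={"watch-a": 3})
    return plain, weighted, make_report("glass-1", "camera", weighted, votes)
```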
we depend for correct enforcement of policy. The TCB protects the integrity of the
system by separating all the parts of the trusted operating system that handle the
security related operations, from the rest of the elements. The trust in the security
of the entire system would completely depend on the TCB. [181] recognizes the
following as the elements of an operating system on which the security enforcement
could depend:
The TCB is generally required to be only a small part of the entire trusted OS.
Figure 5.7 represents the composition of a trusted OS. The TCB should monitor the
following four basic activities.
The Social Governance framework will facilitate more effective security and privacy
policy formulation and enforcement.
and implications of the technologies. Such communications can take many possible
forms. The innovators/manufacturers may be required to acquire innovational
licenses [135] or manufacturing licenses, respectively, for their technologies/products.
The process of acquiring the license would require the innovators/manufacturers
to present their idea and intentions to the policy making body.
This would help in avoiding the formation and imposition of unreasonable, weak or
extremely strict security/privacy policies.
• Communication with Users: Refer to Label 2 in Fig. 5.1. The proposed framework
can enable the policy makers to consider user preferences while formulating
policies.
The HDPMS–PCSDs setup can be used as a learning mechanism by the policy
makers to learn about the activities of different types of devices in their region over a
period of time. Whenever a device requests a policy for any of its functionalities,
the HDPMS can procure data which can aid future decision making. When
a technology/device is introduced in the market, the policy makers of a region
may not enforce any specific policies for it for reasons like lack of popularity
of the product in the region, or even ignorance of the administration. When policy
requests are received from such devices, the policy servers of the region would be
unable to respond with any specific policy, and would relay more generic policies
from the higher level servers. The server can keep track of such queries. If the
frequency of such queries exceeds a set threshold for a considerable amount of
time, the policy makers may roll out specific regulations for the functionality.
Furthermore, mining data such as which functionalities of a particular type of
device have policies most frequently requested for them can help make the policies
more granular. For instance, an institution may prohibit the usage of GPS services
on its premises. Enforcing a policy requiring all GPS-enabled devices to
suspend all signal transmitting functionalities would then unnecessarily disable a
smartphone's capability of calling or text messaging. Data procured over time
indicating a high number of requests for using the calling or messaging functionalities
of smartphones can advise the policy makers to revise the policy and explicitly
prohibit just the GPS functionality.
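An added example (written for this edition, not taken from the book) of the learning mechanism described above: a policy server counts the requests it could only answer with a generic policy relayed from higher up, and flags a device-type/functionality pair once that rate has stayed above a threshold for a sustained period. The window length, threshold, duration and the constructed request stream are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str]  # (device_type, functionality_id)


class GenericPolicyTracker:
    """Kept by one policy server for requests it answered without any policy of
    its own, relaying a more generic one from a higher level server."""

    def __init__(self, window: float, threshold: int, sustain: float):
        self.window = window        # seconds over which requests are counted
        self.threshold = threshold  # requests per window that count as frequent
        self.sustain = sustain      # seconds the rate must stay frequent
        self.requests: Dict[Key, Deque[float]] = defaultdict(deque)
        self.frequent_since: Dict[Key, float] = {}

    def _in_window(self, key: Key, now: float) -> int:
        q = self.requests[key]
        while q and q[0] <= now - self.window:  # drop timestamps that aged out
            q.popleft()
        return len(q)

    def record(self, device_type: str, functionality_id: str, now: float,
               answered_generically: bool) -> None:
        """Call once per policy request the server handled."""
        if not answered_generically:
            return  # a specific policy existed: nothing to learn from this one
        key = (device_type, functionality_id)
        self.requests[key].append(now)
        if self._in_window(key, now) >= self.threshold:
            self.frequent_since.setdefault(key, now)  # keep the earliest onset
        else:
            self.frequent_since.pop(key, None)

    def suggestions(self, now: float) -> List[Key]:
        """Pairs whose generic-policy queries have stayed frequent for at least
        `sustain` seconds: candidates for a specific local policy."""
        out = []
        for key, onset in list(self.frequent_since.items()):
            if self._in_window(key, now) < self.threshold:
                del self.frequent_since[key]  # the interest has died down
            elif now - onset >= self.sustain:
                out.append(key)
        return sorted(out)


def demo() -> Tuple[List[Key], List[Key]]:
    """Constructed stream: smartphones ask about 'calling' six times a minute in a
    locality whose only policy is a blanket GPS one; 'gps' requests are answered
    by that specific policy and so never count."""
    tracker = GenericPolicyTracker(window=60, threshold=5, sustain=600)
    for minute in range(15):
        for i in range(6):
            tracker.record("smartphone", "calling", minute * 60 + i * 5, True)
        tracker.record("smartphone", "gps", minute * 60, False)
    return tracker.suggestions(now=5 * 60), tracker.suggestions(now=15 * 60)
```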
Some of the benefits of such a learning mechanism for the policy makers are:
The innovators and the manufacturers of IoT technologies and devices would possibly
be the biggest beneficiaries of the Social Governance Framework.
• Communication with Policy Makers: Refer to Label 3 in Fig. 5.1. The communication
with the policy makers would enable the manufacturers/innovators to have
a better knowledge of the policies of any region. This knowledge may be derived
from the policies that have been explicitly defined for the genre to which the
technology/product under consideration belongs. If no explicit policies are enforced
for the genre, it might still be possible to gain some important knowledge from
policies enforced on technologies/products which include some of the functionalities
of the product under consideration. For example, an office might not yet have
implemented any explicit policies for the use of Google Glass on its premises,
but a policy which prohibits the usage of cameras on the premises would indicate
that the camera functionality of a Google Glass might not be permitted to
operate either. A sound understanding of the legal limitations would save the
innovators/manufacturers the effort of conceptualizing, developing, and marketing
a product which might ultimately get axed by legal prohibitions. Moreover,
such knowledge would also help in refining their ideas/products to better fit
Social Governance Framework would make the adoption of new technologies and
products by the users much easier, better informed and more secure.
Social Governance would find relevance in every aspect of the modern, connected
society. We have already discussed effective adherence to privacy and security
policies for devices like Google Glass and smartphones. Let us try to
understand the utility of the proposed framework through another example.
With the increasing popularity of smart cars in recent years and the advent of
connected cars, making automobiles policy compliant would mean avoiding
a lot of unwanted incidents on the roads. Let us think of a residential locality that
also has a school. For the welfare of the residents, the locality wants to have a low
speed limit on the vehicles which pass through the neighborhood street during the
school hours (8 A.M.–4 P.M.), and to restrict the vehicles driving through the street
between 12 A.M. and 6 A.M. from making too much noise. They appeal to the
authority concerned, and the office enforces the policies. When a policy compliant
smart car enters the locality, the OS of the car probes for local policies on its running
functionalities (running, head lights, horn, music player, etc.). The functionality
'running' has an action 'speed limit'. Suppose the time is between 8 A.M. and 4 P.M.,
and the car is speeding (or trying to speed) over the set limit. When the car requests
the policy for this functionality-action pair, the HDPMS will deny permission based
on the local policy. Based on the condition for denial received by the OS of the car,
it may either slow the car down to within the speed limit, or notify the driver. If the
driver does not slow down within a stipulated amount of time, then the OS of the car
may automatically report the policy infringement to the traffic control department.
Similarly, if a smart car passes through the locality between 12 A.M. and 6 A.M., and
is playing music, or honking the horn louder than the set decibel limits, either the
volumes are automatically reduced to within the permissible range or the driver is
notified.
When the frequency of such policy queries in other localities, which do not have
location/context-specific policies for passing automobiles, exceeds a limit set by the
local authority, the HDPMS can suggest to the local policy makers which
devices or situations specific policies should be formulated for.
If provisions are made for the lower level policy servers to send their native
policies to their parents, much useful information may be deduced. If a region's
policy management server learns that a considerable number of localities under it
are implementing similar vehicular policies, the server can implement algorithms
to infer the similarities in the geographic, demographic, and contextual features of
the localities enforcing similar policies, and formulate similar policies for all the
localities with similar features. Or it may suggest suitable policies to the servers
lower in the hierarchy based on the policies imposed in other regions (horizontal
servers) with similar geographic, demographic, or contextual features.
Some of the ways in which establishment of the Social Governance Framework
would benefit the society are:
• Better administration and less involvement of IoT technologies in law violation.
• Effective formulation and enforcement of IoT related policies.
• Building an intelligent self-learning system, which adapts itself to the changing
activities of the users and to changing technologies.
• Fewer security, privacy and awareness concerns for the users of smart technologies.
In conclusion, existing policy frameworks are pushing for the efficiency, and
secure and safe operation, of a very large-scale installation that an enterprise is
responsible for rolling out. Social Governance considers an even larger installation. But,
more importantly, it does not seek a "best" way to run for the sake of a
single entity. It is about seeking a collaborative consensus among all parties so that
the system can function.
Chapter 6
Case Studies of Selected IoT Deployments
This chapter presents three major IoT deployments: connected vehicles involving
vehicular ad-hoc networks or VANETs, eHealth, and the smart grid. The first two
IoT deployments are presented in detail including sources of vulnerabilities, attack
scenarios, and selected countermeasures. For the third deployment, selected major
security incidents are discussed.
In the not-so-distant future, in-vehicle devices will be able to connect with external
services through roadside units (RSUs) and other wide-area networks. The RSUs can
be dedicated units or integrated into existing infrastructure such as street lights, which
in turn themselves will be connected to other IoT devices [33]. Further, vehicular
ad-hoc networks (VANETs) are expected to transform vehicles on the road into
nodes communicating in a network of vehicles. Figure 6.1 shows this ecosystem of
connected vehicles.
In the last two decades, a growing demand for more sophisticated vehicle systems
has led to more complex computer systems embedded in automobiles [63]. Traditional
mechanical connections were replaced with sensors and communication buses
to enable systems like electric-powered steering, adaptive cruise control, and anti-lock
braking systems. Traditional one and two-way communication systems,
such as radio receivers and transmitters, have been augmented by links to cellular
voice/data devices and to satellite signals [6].
These developments transform the automobile into, essentially, an Internet-linked
"thing" and expose it to the same cybersecurity risks as any other entity on the
Internet.
Computers have brought numerous contributions to vehicle safety, value and
functionality, such as stability control, electronic fuel injection, and theft prevention.
They have also introduced exciting new cyber-physical features such as advanced
driver assistance systems (ADAS), advanced fleet management, and autonomous
driving. However, in doing so, they have also exposed vehicles to cybersecurity threats.
For example, a compelling reason to connect cars via wireless links is to reduce
the risk of road collisions through on-board collision avoidance systems relying
on wireless networks [227]. Since these contributions rely on information sharing
between vehicles as well as communication within a vehicle, they create the risk
of cyber attacks. Furthermore, when vehicles themselves start to connect with each
other, through networks like VANETs, the risk increases exponentially.
The level of cybersecurity threat posed to vehicles can be gauged from U.S. Senator
Edward Markey's 2015 Tracking and Hacking Report [156], and from warnings by
law enforcement agencies, such as a March 2016 PSA [37] by the FBI. Potentially,
an attacker can compromise the integrity of the in-vehicle network by injecting
false and invalid traffic messages into the network to distract drivers from
choosing a specific route, or can utilize the network to find out the driver's identity and
location [134]. More seriously, an attacker can gain access to the vehicle's critical
components (such as the engine or brakes) through unauthorized access to the
in-vehicle network [63].
The goal of automotive security is to ensure that this new connected vehicle model
can operate to its full potential even in a malicious operating environment. As yet,
both modern vehicles and the environment they operate in are insecure in the event
an attacker mounts the aforementioned attacks, causing damage to the vehicle and
even proving fatal to the occupants. In this study, external vehicular networks will
be covered with a focus on VANETs. However, in-vehicle networks will also be
briefly discussed.
Vehicular networks can be divided into two major categories: in-vehicle networks
and inter-vehicle networks, also known as VANETs. In-vehicle networks comprise
electronic control units (ECUs), interfaced with various vehicle sensors and actuators
through communication buses. These networks are used for communicating
information from sensors and actuators across the entire vehicle. On the other hand,
VANETs (vehicular ad-hoc networks) are used for inter-vehicle communication (IVC),
dispensing traffic and road-related information between vehicles in range [134]. They
can also include roadside units (RSUs) integrated into street lights, highway signs,
and traffic signals, which can provide relevant information to vehicles.
As shown in Fig. 6.2, ECUs are classified into different categories [170] and comprise
the following major in-vehicle subnetworks:
Each of these subnetworks has its own network protocol for communicating
information. Also, data transfer between different subnetworks takes place through
wireless gateways [169]. Since VANETs can also interface with the in-vehicle
subnetworks through a wireless gateway, the subnetworks are susceptible to attacks from
outside the vehicle.
which subsequently starts to broadcast an accident advisory at its location. All vehi-
cles within range of this RSU receive this advisory and then pass it along further to
vehicles outside the RSU’s range. In turn, all vehicles whose navigation path lies in
some proximity to the accident location will have been notified well in advance of
approaching the location so that they can take alternate routes and avoid a potential
road block.
Due to the inherent vulnerabilities of in-vehicle networks and VANETs, an array of attacks
can be mounted against connected vehicles with varying levels of consequences.
This section presents selected attacks that can be mounted on VANETs and
potential countermeasures.
• Sybil Attack: In a Sybil attack scenario, a malicious vehicle can proclaim itself as
multiple vehicles at different positions at the same time or in succession. Thus, it
is possible for the vehicle launching the Sybil attack to appear to be in two places
at once! This can create a dangerous and chaotic environment in VANETs. This
attack can be quite easy to launch in environments where the identity of the vehicle
cannot be verified through tamper-proof digital credentials [134]. VANETs are
also vulnerable to Sybil attacks if the vehicles can easily obtain multiple identities
from the certificate authority. Since VANETs were initially not created with strong
digital identities in mind, it makes them vulnerable to this kind of attack and makes
possible the injecting of false information into the VANET, thus compromising
its integrity. For instance, the attacker on a particular section of the highway can
send multiple messages (each time with a different identity) to other vehicles,
creating the illusion of heavy traffic. [225] breaks down solutions for Sybil attacks
into three major categories: registration, position verification, and radio resource
testing. However, these defenses have several limitations in that they rely on fixed
base stations to work or require specific hardware. [225] suggests another solution
by detecting and localizing Sybil Nodes in VANETs, whereas [189] proposes a
public-key cryptography approach. [186] recommends another solution based on
fixed key infrastructure cryptographic mechanism to detect a Sybil Attack. [234]
offers a lightweight, scalable protocol to detect Sybil attacks whilst preserving
vehicular privacy. In this approach, malicious vehicles pretending to be multiple
other vehicles can be detected through passive overhearing, in a distributed manner,
by multiple RSUs. The advantage of this approach is that vehicles in the VANET
do not have to disclose their identity, thus preserving their privacy. Additionally,
from various simulation experiments, their scheme is shown to detect Sybil attacks
at low overhead and delay.
• Bogus Information: This attack targets the inter-vehicle communication link by
injecting incorrect and fake messages into the link for the benefit of the attacker.
For example, an attacker can send bogus information about an accident blocking
accordingly. The attacker can create illusions of an accident, a traffic jam, etc.,
and decrease the performance of the VANET. Since the attacker manipulates and
misleads the on-board vehicle sensors to create false information, traditional data
integrity verification and message authentication schemes, which worked in other
cases, cannot defend against an illusion attack. [165] suggests a Plausibility
Validation Network (PVN) model to defend against illusion attacks in VANETs. PVN
verifies the plausibility of data by collecting and processing raw data from vehicle
sensors using a rule database with a number of predefined rules for data verification.
However, PVN has drawbacks. The rule database has to be regularly updated,
which can prove costly for manufacturers, and frequent servicing may be inconvenient
for vehicle owners. Furthermore, message transmissions requiring real-time
processing might not end up being processed in real-time if PVN has a backlog
of messages waiting for validation. Regardless, PVN does have the potential to
defend against further attacks, especially in conjunction with the various forms of
cryptographic schemes already proposed for other types of attacks.
• DoS and DDoS Attacks: A denial of service (DoS) attack [40, 177, 211] in VANETs
can occur in different ways, but the main aim is to prevent legitimate vehicles from
accessing the VANET or its services. Attackers can jam network channels by
sending dummy messages to reduce network performance.
In a distributed DoS or DDoS attack, a legitimate vehicle may be targeted in a
distributed manner by an array of malicious vehicles at various locations and at different
time slots. This is considered more dangerous than a simple DoS attack.
• Black Hole Attack: A black hole [50, 153, 211] is an area of the network where
incoming or outgoing packets are quietly dropped or discarded without informing
the sender or recipient of the failed delivery. Black holes are invisible in the
network topology and can only be detected by monitoring lost packets. In a black
hole attack, a malicious vehicle will interfere with the routing protocol in use,
such as OLSR (Optimized Link State Routing) [50]. It will then present itself to a
sender vehicle node as having the shortest route to a certain destination vehicle.
The sender node will, consequently, route its data packets through this malicious
node, and the latter will be able to intercept the data packets and create black holes.
6.2 eHealth
eHealth is a broad term and can be used to refer to a range of healthcare services
or systems employing information technology and the Internet, such as electronic
health/medical records (EHRs/EMRs), personal health records (PHR), clinical
decision support, pharmacy management systems (PMS), health informatics, remote
patient monitoring, and telemedicine. So, IoT in an eHealth environment (or
eHealth Cloud) primarily manages and comprises a network of interconnected
medical devices over the Internet as shown in Fig. 6.4. Networked medical devices
represent a patient’s overall health and history and to alert a healthcare provider
of any imminent problems by providing a comprehensive overview of a patient’s
health [42].
• Personal Health Record/Information (PHR/PHI): PHR or PHI is also a cumulative
record of health-related information drawn from multiple sources, but unlike EHR,
this information is managed by the patient. As such, data integrity of PHI is the
responsibility of the patient; not the healthcare system. A patient’s PHR typically
should include past and current illnesses, vaccination records, and prescriptions in
use, etc. There has been an increase in PHR platforms, providing patient centric
solutions, like Juniper Health [34] and Microsoft Health Vault [35].
In a typical eHealth device scenario, the monitoring device takes a patient's
health-related readings, e.g., blood pressure, in a periodic fashion. The readings are usually
stored in another local device or collector (e.g., an M2M gateway), which in turn
periodically transfers the readings to an application server. After some data
manipulation, the readings can be delivered to the healthcare staff for review.
Several objectives are demonstrated by this example for securing the following
main attack surfaces:
• Device and Collector Security: Authenticating the device boot loader and achieving
platform integrity by a secure boot of the device. Also, the secret keys should be
in a tamper resistant storage with a protected access control mechanism in place.
Additionally, within the eHealth context, there should be a unique identifier for
device identification.
• Communication Channel Security: Data integrity should be in place during a com-
munication session to protect data from any alteration. Secondly, there should be
mutual authentication and data confidentiality using encryption/decryption capa-
bility between the medical device and the application server during exchange of
data.
• Overall Ecosystem Security: The secret keys should have a proper key management
mechanism and the ecosystem should provide support for advanced cryptographic
protocols.
Following is a summary of some of the main eHealth security issues pointed out by
Cisco Research [86].
• OEM partner compliance: Original equipment manufacturers (OEMs) of medical
devices depend on their various manufacturing partners to comply with stringent
security regulations. Device components like firmware could be compromised if a
partner manufacturer does not comply. There is also a chance that the device itself
goes rogue under certain operating conditions, presenting a situation as dangerous
as unauthorized access.
• Security of the local environment: A medical facility might be considered a
trusted local operating environment, and thus communication between a medical
device and the facility gateway may not be encrypted. However, devices like insulin
pumps, with wireless connectivity between the pump and a patient monitoring com-
puter using proprietary communication protocols, have been demonstrated to be
vulnerable to over-the-air attacks from close proximity. Therefore, if any device oper-
ating environment is considered untrusted for any reason, then all communication
from the device to the environment gateway or collector must be protected through
encryption to ensure data confidentiality.
• Incapability to efficiently do encryption on device: Many eHealth IoT devices
have limited on-board memory, and their microprocessors cannot accommodate
standard encryption algorithms like AES. Additionally, devices that communi-
cate directly with enterprise IT backend systems (without an aggregation unit)
have to do encryption on-board and consume precious battery power by perform-
ing all the algorithmic computations required for encryption. This puts strain on
the batteries and is especially relevant for devices that are deployed remotely for
several years of operation without any maintenance.
• Protocols used for communication: Another issue with medical devices is that
the communication protocol used is not necessarily IP. For instance, ZigBee is
often used as the preferred personal area network (PAN) protocol for devices.
Consequently, another device has to act as a communication gateway between
medical devices and IP networks. This device typically also acts as a data collector.
This presents a further requirement to secure communication between the device
and gateway. Various groups are promoting the use of IP protocols in medical
devices instead of non-IP protocols like ZigBee.
• Scheme of encryption used over GSM/GPRS networks: Encryption schemes like A5
used over GSM/GPRS networks are no longer considered secure. Networks like
3G/4G have better security mechanisms, but they constitute a very small percentage
of the IoT device market. Without a layered encryption scheme like AES, a vendor’s
private network can be broken into through man-in-the-middle (MitM) attacks
using rogue base station software like OpenBTS and a patched cell phone.
The smart grid is referred to as ‘smart’ because its metering and control system
relies on advanced wired, wireless, cloud-based, and IoT networks for two-way
digital communication between the supplier and consumer. This enables support
for intelligent metering and monitoring systems. IoT in a smart grid environment
comprises and manages many devices such as smart meters, smart plugs, home
gateways, connected appliances, etc. It also plays an important role in many systems
that make up the smart grid, such as various monitoring systems for power trans-
mission lines and home appliances for energy regulation. Furthermore, it provides
a communication network and platform for automating substations. In contrast, the
conventional power grid has predictable communication links and forms a closed
network composed of dedicated power devices. Since the smart grid is not a closed
network and is connected to various communication channels such as the Internet,
it inevitably inherits all the weaknesses and cyberspace vulnerabilities of these net-
works. This can result in potentially devastating consequences in case of a security
breach into a system that powers homes, hospitals, offices, and industries, and drives
global economies.
This section presents a few notable cases of cyber attacks against smart grid
infrastructure. If such an infrastructure is crippled in a cyber attack, industries and
hospitals can shut down, and people can be stranded in cold weather during winter
with inoperative residential heating systems. Smart grid attacks differ from those
on a VANET or eHealth infrastructure in that they increasingly border on
constituting state-level cyberwar. Indeed, the most significant of these attacks
involve the highly sophisticated malware (Stuxnet, Flame, etc.) that was part of
the covert cyberwar sabotage campaign known as Operation Olympic Games [196].
• U.S. Electric Grid Hack by Alleged Chinese and Russian Spies (2009): In a report
by the Wall Street Journal [110], US public administration officials admitted that,
in 2009, Chinese and Russian spies had found a backdoor into the US electric
grid and hid exploits that could cut electricity at will and potentially disrupt
power supplies. The scope of the attack can be gauged by a statement of a senior
U.S. intelligence official, according to whom, in the event of a war (with China or
Russia), the hidden exploits could be activated.
• Mike Davis’s Proof-of-Concept Attack on Smart Meters at the U.S. Black Hat
Conference (2009): To reveal the weakness of the smart metering architecture,
IOActive security consultant Mike Davis and his team created a worm that could
self-replicate and self-distribute across an area of houses with the same brand of
smart meter. At the 2009 U.S. Black Hat Conference, the worm was used in a
then, institutions and companies throughout the world using Siemens PLCs have
reported being infected by Stuxnet. More recently, a security team at the New
York offices of Kaspersky Lab was able to reverse engineer the worm [100,
141].
• Duqu: Duqu was discovered in 2011 and appears to be based on Stuxnet [48].
It is believed either to have been created by the authors of Stuxnet or that its authors
at least had access to the Stuxnet source code. Unlike Stuxnet, whose objective
was direct sabotage of Industrial Control Systems, Duqu’s main objective was
espionage of Industrial Control Systems, including system information gathering
and recording keystrokes, etc., in preparation for future attacks. Security experts
are still analyzing Duqu’s source code and believe that Duqu would enable a future
Stuxnet-like attack. A few organizations, especially those manufacturing industrial
control systems, have been found to contain Duqu’s executables on their systems.
• Night Dragon: Night Dragon constituted a number of targeted attacks to obtain
confidential information from various U.S. energy companies, including oil, gas
and petrochemical companies. The original objective may have been compro-
mising the industrial control systems of these companies. The attacks were not
sophisticated enough to exploit any zero-day vulnerabilities but instead exploited
known vulnerabilities by utilizing several techniques such as bugs in Windows-
based systems, spear-phishing, RATs (Remote Administration Tools), and social
engineering. The classified information acquired by the hackers included finan-
cial documents, oil and gas field exploration data, operational details of SCADA
systems, and details of private company negotiations. According to Intel Security
McAfee [80], the attacks are believed to have originated in China.
A detailed analysis and classification of smart grid vulnerabilities and attack vectors
is beyond the scope of this book. The reader is referred to the National Institute
of Standards and Technology Guidelines for Smart Grid Cyber Security, Volume
3 [112] for a comprehensive overview.
Chapter 7
Conclusions and Future Work
7.1 Conclusions
50. Bibhu, V., Kumar, R., Kumar, B.S., Singh, D.K.: Performance analysis of black hole attack
in VANET. Int. J. Comput. Netw. Inf. Secur. 4(11), 47 (2012)
51. Bizer, C., Heath, T., Berners-Lee, T.: Linked data-the story so far. Int. J. Semant. Web Inf.
Syst. 5(3), 1–22 (2009)
52. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Proceed-
ings of the 21st Annual International Cryptology Conference on Advances in Cryptology,
CRYPTO’01, pp. 213–229. Springer-Verlag, London, UK (2001). http://dl.acm.org/
citation.cfm?id=646766.704155
53. Boritz, J.E.: IS practitioners’ views on core concepts of information integrity. Int. J. Account.
Inf. Syst. 6(4), 260–279 (2005). doi:10.1016/j.accinf.2005.07.001. http://www.sciencedirect.
com/science/article/pii/S1467089505000473
54. Boyle, R.: Proof-of-Concept CarShark Software Hacks Car Computers, Shutting Down
Brakes, Engines, and More (2014). http://www.popsci.com/cars/article/2010-05/researchers-
hack-car-computers-shutting-down-brakes-engine-and-more
55. Brachmann, M., Morchon, O., Keoh, S., Kumar, S.: Security considerations around end-to-
end security in the IP-based internet of things. In: Proceedings of the Workshop on Smart
Object Security, in Conjunction with IETF83, Paris, France, pp. 25–30 (2012)
56. Bray, J., Sturman, C.F.: Bluetooth 1.1: Connect Without Cables. Pearson Education (2001)
57. Cashell, B., Jackson, W.D., Jickling, M., Webel, B.: The Economic Impact of Cyber-Attacks.
Tech. rep., Government and Finance Division (2004)
58. Broenink, G., Hoepman, J.H., van ’t Hof, C., Kranenburg, R.V., Smits, D., Wisman, T.:
The privacy coach: supporting customer privacy in the internet of things. CoRR (2010).
arXiv:1001.4459
59. Broenink, G., Hoepman, J.H., Hof, C.V., Van Kranenburg, R., Smits, D., Wisman, T.: The
Privacy Coach: Supporting customer privacy in the Internet of Things (2010). arXiv:1001.4459
60. Bush, R., Meyer, D.: Some internet architectural guidelines and philosophy (2002)
61. Carbo, J., Molina, J.M., Davila, J.: Trust management through fuzzy reputation. Int. J. Coop.
Inf. Syst. 12(01), 135–155 (2003)
62. Cardenas, A.A., Amin, S., Sastry, S.: Secure control: towards survivable cyber-physical
systems (2008)
63. Carsten, P., Andel, T.R., Yampolskiy, M., McDonald, J.T.: In-vehicle networks: attacks, vul-
nerabilities, and proposed solutions. In: Proceedings of the 10th Annual Cyber and Information
Security Research Conference, CISR’15, pp. 1:1–1:8 (2015)
64. Case, J., Fedor, M., Schoffstall, M., Davin, C.: A simple network management protocol
(SNMP) (1989)
65. Cavoukian, A.: Privacy by Design. Report of the Information & Privacy Commissioner
Ontario, Canada (2012)
66. Chan, H., Perrig, A., Song, D.: Random key predistribution schemes for sensor networks. In:
Symposium on Security and Privacy, 2003. Proceedings. 2003, pp. 197–213. IEEE (2003)
67. Chen, D., Chang, G., Sun, D., Li, J., Jia, J., Wang, X.: TRM-IoT: a trust management model
based on fuzzy reputation for internet of things. Comput. Sci. Inf. Syst. 8(4), 1207–1228
(2011)
68. Cheng, L., Galis, A., Mathieu, B., Jean, K., Ocampo, R., Mamatas, L., Rubio-Loyola, J.,
Serrat, J., Berl, A., de Meer, H., et al.: Self-organising management overlays for future inter-
net services. In: Modelling Autonomic Communications Environments, pp. 74–89. Springer
(2008)
69. Chibelushi, C., Eardley, A., Arabo, A.: Identity management in the Internet of Things: the
role of MANETs for healthcare applications. Comput. Sci. Inf. Technol. 1(2), 73–81 (2013)
70. Chim, T.W., Yiu, S., Hui, L.C., Li, V.O.: Security and privacy issues for inter-vehicle com-
munications in VANETs. In: 6th Annual IEEE Communications Society Conference on Sensor,
Mesh and Ad Hoc Communications and Networks Workshops, 2009. SECON Workshops’09,
pp. 1–3. IEEE (2009)
71. Chim, T.W., Yiu, S.M., Hui, L.C., Li, V.O.: SPECS: secure and privacy enhancing communi-
cations schemes for VANETs. Ad Hoc Netw. 9(2), 189–203 (2011)
72. Claessens, J., Gessner, J., Hof, H.J., Kloukinas, C.: IoT@Work, WP3 SECURITY: D3.1
THREAT ANALYSIS. Tech. rep., IoT@Work (2010)
73. Clearfield, C.: Rethinking security for the Internet of Things (2014). http://blogs.hbr.org/
2013/06/rethinking-security-for-the-in/
74. Clearfield, C.: Why the FTC can’t regulate the Internet of Things (2014). http://www.forbes.
com/sites/chrisclearfield/2013/09/18/why-the-ftc-cant-regulate-the-internet-of-things/
75. Cole, P.H., Ranasinghe, D.C.: Networked RFID Systems and Lightweight Cryptography.
Springer, London, UK (2008)
76. Australian Law Reform Commission: Serious Invasions of Privacy in the Digital Era. Tech.
rep., Australian Government (2014)
77. Conti, M., Das, S.K., Bisdikian, C., Kumar, M., Ni, L.M., Passarella, A., Roussos, G.,
Tröster, G., Tsudik, G., Zambonelli, F.: Looking ahead in pervasive computing: Challenges
and opportunities in the era of cyberphysical convergence. Pervasive and Mobile Computing
8(1), 2–21 (2012). doi:10.1016/j.pmcj.2011.10.001. http://www.sciencedirect.com/science/
article/pii/S1574119211001271
78. Council, A.: Excellence in Travel Information & Marketing. Scottish Transport Awards 2013
(2013)
79. Covington, M., Carskadden, R.: Threat implications of the Internet of Things. In: 2013 5th
International Conference on Cyber Conflict (CyCon), pp. 1–12 (2013)
80. McAfee Foundstone Professional Services and McAfee Labs: Global Energy Cyberattacks:
“Night Dragon”. Tech. rep., McAfee (2011)
81. Damiani, E., di Vimercati, D.C., Paraboschi, S., Samarati, P., Violante, F.: A reputation-
based approach for choosing reliable resources in peer-to-peer networks. In: Proceedings of
the 9th ACM Conference on Computer and Communications Security, CCS’02, pp. 207–
216. ACM, New York, NY, USA (2002). doi:10.1145/586110.586138. http://doi.acm.org/10.
1145/586110.586138
82. Damianou, N.C.: A policy framework for management of distributed systems. Ph.D. thesis,
Imperial College (2002)
83. He, D., Chen, C., Chan, S., Bu, J., Vasilakos, A.V.: A new framework architecture
for next generation e-Health services. IEEE J. Biomed. Health Inf. 16(4), 623–632 (2012)
84. He, D., Chen, C., Chan, S., Bu, J., Vasilakos, A.V.: ReTrust: attack-resistant and
lightweight trust management for medical sensor networks. IEEE Trans. Inf. Technol. Biomed.
16(4), 623–632 (2012)
85. Kushner, D.: The real story of Stuxnet. IEEE Spectrum (2013). http://spectrum.ieee.org/telecom/
security/the-real-story-of-stuxnet
86. Lake, D., Milito, R., Morrow, M., Vargheese, R.: Internet of Things: Architectural Framework
for eHealth Security. J. ICT Stand. 1(3), 301–328 (2014)
87. Davis, M.: Smartgrid device security. adventures in a new medium (July 2009)
88. De Poorter, E., Moerman, I., Demeester, P.: Enabling direct connectivity between hetero-
geneous objects in the Internet of Things through a network-service-oriented architecture.
EURASIP J. Wirel. Commun. Netw. 2011(1), 61 (2011). doi:10.1186/1687-1499-2011-61.
http://jwcn.eurasipjournals.com/content/2011/1/61
89. Denning, T., Kohno, T., Levy, H.M.: Computer security and the modern home. Commun. ACM
56(1), 94–103 (2013). doi:10.1145/2398356.2398377. http://doi.acm.org/10.1145/2398356.
2398377
90. Dey, A.K.: Understanding and using context. Pers. Ubiquitous Comput. 5(1), 4–7 (2001)
91. Dierks, T.: The transport layer security (TLS) protocol version 1.2 (2008)
92. Whitman, M.E., Mattord, H.J.: Principles of Information Security, 4th edn. Course Technology
(2011)
93. DiYSE Consortium (eds.): DiYSE Report on Service Ontologies. DiYSE deliverable D3.1, p. 8
(2010)
94. Efthymiou, C., Kalogridis, G.: Smart grid privacy via anonymization of smart metering data.
First IEEE Int. Conf. Smart Grid Commun. (SmartGridComm) 2010, 238–243 (2010). doi:10.
1109/SMARTGRID.2010.5622050
95. Eisenbarth, T., Kumar, S., Paar, C., Poschmann, A., Uhsadel, L.: A survey of lightweight-
cryptography implementations. IEEE Des. Test Comput. 24(6), 522–533 (2007)
96. El Maliki, T., Seigneur, J.M.: A survey of user-centric identity management technologies. In:
The International Conference on Emerging Security Information, Systems, and Technologies,
2007. SecureWare 2007, pp. 12–17 (2007). doi:10.1109/SECUREWARE.2007.4385303
97. Elkhodr, M., Shahrestani, S., Cheung, H.: In: 10th International Conference on ICT and
Knowledge Engineering (ICT Knowledge Engineering) (2012)
98. Eloff, J., Eloff, M., Dlamini, M., Zielinski, M.: Internet of people, things and services—the
convergence of security, trust and privacy. In: 3rd CompanionAble Workshop IoPTS. Novotel
Brussels, Brussels (2009)
99. Evans, D.: The Internet of Things: How the Next Evolution of the Internet Is Changing
Everything. Tech. rep., Cisco Systems, Inc. (White Paper) (2011)
100. Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet dossier. White paper, Symantec Corp.,
Security Response (2011)
101. Forouzan, B.A.: Cryptography & Network Security, 1st edn. McGraw-Hill Inc, New York,
NY, USA (2008)
102. Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., Yegin, A.: Protocol for carrying authentica-
tion for network access (PANA) (2008). http://www.ietf.org/rfc/rfc5191.txt
103. Friese, I.: Concepts of identity within the Internet of Things (2014). https://kantarainitiative.
org/confluence/display/IDoT/Concepts+of+Ident-ity+within+the+Internet+of+Things
104. Gambs, S., Guerraoui, R., Harkous, H., Huc, F., Kermarrec, A.M.: Scalable and secure polling
in dynamic distributed networks. In: IEEE 31st Symposium on Reliable Distributed Systems
(SRDS), 2012, pp. 181–190. IEEE (2012)
105. Garcia-Morchon, O., Kumar, S., Keoh, S., Hummen, R., Struik, R.: Security considerations
in the IP-based Internet of Things. draft-garcia-core-security-06 (2014)
106. Garfinkel, S., Juels, A., Pappu, R.: RFID privacy: an overview of problems and proposed
solutions. IEEE Secur. Priv. 3(3), 34–43 (2005). doi:10.1109/MSP.2005.78
107. Mantas, G., Lymberopoulos, D., Komninos, N.: Integrity mechanism for eHealth tele-monitoring
system in smart home environment. In: Annual International Conference of the IEEE Engineering
in Medicine and Biology Society (EMBC), 2009, pp. 3509–3512. IEEE (2009)
108. Gluhak, A., Krco, S., Nati, M., Pfisterer, D., Mitton, N., Razafindralambo, T.: A survey on
facilities for experimental Internet of Things research. IEEE Commun. Mag. 49(11), 58–67
(2011). doi:10.1109/MCOM.2011.6069710
109. Gomez-Skarmeta, A.F., Martinez-Julia, P., Girao, J., Sarma, A.: Identity based architecture
for secure communication in future internet. In: Proceedings of the 6th ACM Workshop on
Digital Identity Management, DIM’10, pp. 45–48. ACM, New York, NY, USA (2010). doi:10.
1145/1866855.1866866. http://doi.acm.org/10.1145/1866855.1866866
110. Gorman, S.: Electricity grid in U.S. penetrated by spies. Wall Str. J. (2009)
111. Greenberg, A.: Americas Hackable Backbone. Forbes (2007)
112. Smart Grid Interoperability Panel Cyber Security Working Group, et al.: NISTIR 7628:
Guidelines for Smart Grid Cyber Security, vol. 2: Privacy and the Smart Grid (2010)
113. Gudymenko, I., Borcea-Pfitzmann, K., Tietze, K.: Privacy Implications of the Internet of
Things. In: Constructing Ambient Intelligence, pp. 280–286. Springer (2012)
114. Guette, G., Bryce, C.: Using TPMs to secure vehicular ad-hoc networks (VANETs). In: Infor-
mation Security Theory and Practices. Smart Devices, Convergence and Next Generation
Networks, pp. 106–116. Springer (2008)
115. Gupta, V., Millard, M., Fung, S., Zhu, Y., Gura, N., Eberle, H., Shantz, S.: Sizzle: A standards-
based end-to-end security architecture for the embedded internet. In: Third IEEE International
Conference on Pervasive Computing and Communications, 2005. PerCom 2005, pp. 247–256
(2005). doi:10.1109/PERCOM.2005.41
116. Gutierrez, J.A., Naeve, M., Callaway, E., Bourgeois, M., Mitter, V., Heile, B.: IEEE 802.15.4:
a developing standard for low-power low-cost wireless personal area networks. IEEE Netw.
15(5), 12–19 (2001)
117. Abie, H.: Adaptive security and trust management for autonomic message-oriented mid-
dleware. In: 6th IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS),
2009, pp. 810–817 (2009)
118. Haller, S.: The Things in the Internet of Things. In: Internet of Things Conference (2010)
119. Handley, M.J., Rescorla, E.: Internet denial-of-service considerations (2006)
120. Hartig, O.: Provenance information in the web of data. In: LDOW (2009)
121. Hassin, Y., Peleg, D.: Distributed probabilistic polling and applications to proportionate agree-
ment. In: Wiedermann, J., Emde Boas, P., Nielsen, M. (eds.) Automata, Languages and
Programming, Lecture Notes in Computer Science, vol. 1644, pp. 402–411. Springer Berlin
Heidelberg (1999). doi:10.1007/3-540-48523-6_37. http://dx.doi.org/10.1007/3-540-48523-6_37
122. He, Q., Blum, R.S.: New hypothesis testing-based rapid change detection for power grid
system monitoring. Int. J. Parallel, Emerg. Distrib. Syst. (ahead-of-print), 1–25 (2013)
123. Heer, T., Garcia-Morchon, O., Hummen, R., Keoh, S.L., Kumar, S.S., Wehrle, K.: Security
Challenges in the IP-based Internet of Things. Wirel. Pers. Commun. 61(3), 527–542 (2011).
doi:10.1007/s11277-011-0385-5. http://dx.doi.org/10.1007/s11277-011-0385-5
124. Hendricks, J., van Doorn, L.: Secure bootstrap is not enough: shoring up the trusted computing
base. In: Proceedings of the 11th Workshop on ACM SIGOPS European Workshop, EW 11.
ACM, New York, NY, USA (2004). doi:10.1145/1133572.1133600. http://doi.acm.org/10.
1145/1133572.1133600
125. van den Hoven, J.: Fact sheet- Ethics Subgroup IoT—Version 4.0. Technical Report, Delft
University of Technology, Chair Ethics Subgroup IoT Expert Group (2012)
126. Hyvonen, L., Pinto, A., Troelsen, J.: Near Field Communication (2012). US Patent 8,212,735
127. Ioannis, K., Nikos, Z., Nikos, K.: Integrity and authenticity mechanisms for sensor networks.
Int. J. Comput. Res. 15(1), 57–72 (2007)
128. Jakab, L., Cabellos-Aparicio, A., Coras, F., Saucez, D., Bonaventure, O.: LISP-TREE: a
DNS hierarchy to support the LISP mapping system. IEEE J. Sel. Areas Commun. 28(8),
1332–1343 (2010). doi:10.1109/JSAC.2010.101011
129. Healey, J., Pollard, N., Woods, B.: The Healthcare Internet of Things: Rewards and Risks. Brent
Scowcroft Center on International Security, Atlantic Council of the United States (2015)
130. Johnson, K.E., Kamineni, A., Fuller, S., Olmstead, D., Wernli, K.J.: How the provenance of
electronic health record data matters for research: a case example using system mapping.
eGEMs (Generating Evidence & Methods to improve patient outcomes) 2(1), 4 (2014)
131. Kagal, L., Finin, T., Joshi, A.: A policy based approach to security for the semantic web. In:
The Semantic Web-ISWC 2003, pp. 402–418. Springer (2003)
132. Karonis, N., De Supinski, B., Foster, I., Gropp, W., Lusk, E., Bresnahan, J.: Exploiting hier-
archy in parallel computer networks to optimize collective operation performance. In: 14th
International Parallel and Distributed Processing Symposium, 2000. IPDPS 2000. Proceed-
ings, pp. 377–384 (2000). doi:10.1109/IPDPS.2000.846009
133. Habib, K., Leister, W.: Threats identification for the smart Internet of Things in eHealth and
adaptive security countermeasures. In: 7th International Conference on New Technologies,
Mobility and Security (NTMS), 2015, pp. 1–5. IEEE (2015)
134. Kasra, A., Seyed, J.: Vehicular Networks: Security, Vulnerabilities and Countermeasures.
Master’s thesis, Chalmers University of Technology and University of Gothenburg, Sweden
(2010)
135. Katz, M.L., Shapiro, C.: On the Licensing of Innovations. RAND J. Econ. 16(4), 504–520
(1985). http://ideas.repec.org/a/rje/randje/v16y1985iwinterp504-520.html
136. Kaufman, C.: Internet Key Exchange (IKEv2) Protocol, RFC 4306 (2005)
137. Kortuem, G., Kawsar, F., Fitton, D., Sundramoorthy, V.: Smart objects as building blocks for
the Internet of things. IEEE Internet Comput. 14(1), 44–51 (2010). doi:10.1109/MIC.2009.
143
138. Kraemer, J.A., Levesque, R.H., Nadkarni, A.P.: Key Management for Network Communica-
tion (1998). US Patent 5,825,891
139. Krebs, B.: FBI: Smart meter hacks likely to spread. Krebs on Security. http://krebsonsecurity.
com/2012/04/fbi-smart-meter-hacks-likely-to-spread/ (2012). Accessed on 25 April 2012
140. Kushalnagar, N., Montenegro, G., Schumacher, C., et al.: IPv6 over low-power wireless per-
sonal area networks (6LoWPANs): overview, assumptions, problem statement, and goals.
RFC4919, August 10 (2007)
141. Kushner, D.: The real story of Stuxnet. IEEE Spectr. 3(50), 48–53 (2013)
142. Lampe, C., Ellison, N.B., Steinfield, C.: Changes in use and perception of Facebook. In:
Proceedings of the 2008 ACM Conference on Computer Supported Cooperative Work, CSCW’08,
pp. 721–730. ACM, New York, NY, USA (2008). doi:10.1145/1460563.1460675. http://doi.
acm.org/10.1145/1460563.1460675
143. Lampropoulos, K., Diaz-Sanchez, D., Almenares, F., Weik, P., Denazis, S.: Introducing a cross
federation identity solution for converged network environments. In: Principles, Systems and
Applications of IP Telecommunications, pp. 1–11. ACM (2010)
144. Langheinrich, M.: Privacy by design principles of privacy-aware ubiquitous systems. In:
Abowd, G., Brumitt, B., Shafer, S. (eds.) Ubicomp 2001: Ubiquitous Computing, Lecture
Notes in Computer Science, vol. 2201, pp. 273–291. Springer Berlin Heidelberg (2001).
doi:10.1007/3-540-45427-6_23. http://dx.doi.org/10.1007/3-540-45427-6_23
145. Langheinrich, M.: Privacy in ubiquitous computing. Ubiquitous Computing Fundamentals
pp. 96–156 (2009)
146. Larson, U.E., Nilsson, D.K., Jonsson, E.: An approach to specification-based attack detection
for in-vehicle networks. In: Intelligent Vehicles Symposium, 2008 IEEE, pp. 220–225. IEEE
(2008)
147. Le-Phuoc, D., Polleres, A., Hauswirth, M., Tummarello, G., Morbidoni, C.: Rapid prototyping
of semantic mash-ups through semantic web pipes. In: Proceedings of the 18th international
conference on World wide web, pp. 581–590. ACM (2009)
148. Li, D., Aung, Z., Williams, J.R., Sanchez, A.: No peeking: privacy-preserving demand
response system in smart grids. Int. J. Parallel Emerg. Distrib. Syst. (ahead-of-print), 1–26
(2013)
149. Li, H., Singhal, M.: Trust management in distributed systems. IEEE Comput. 40(2), 45–53
(2007)
150. Li, T.: Design goals for scalable Internet routing (2011)
151. Ligatti, J., Rickey, B., Saigal, N.: LoPSiL: A location-based policy-specification language.
In: Security and Privacy in Mobile Information and Communication Systems, pp. 265–277.
Springer (2009)
152. Lupu, E.C., Sloman, M.: Towards a role-based framework for distributed systems manage-
ment. J. Netw. Syst. Manag. 5(1), 5–30 (1997)
153. Mahmood, R., Khan, A.: A survey on detecting black hole attack in AODV-based mobile ad
hoc networks. In: International Symposium on High Capacity Optical Networks and Enabling
Technologies, 2007. HONET 2007, pp. 1–6. IEEE (2007)
154. Manadhata, P.K., Wing, J.M.: An Attack Surface Metric. IEEE Trans. Softw. Eng. 37(3),
371–386 (2011). http://doi.ieeecomputersociety.org/10.1109/TSE.2010.60
155. Parashar, M., Hariri, S.: Autonomic computing: an overview. In: Banâtre, J.P., Fradet, P., Giavitto,
J.L., Michel, O. (eds.) Unconventional Programming Paradigms, Lecture Notes in Computer
Science, vol. 3566, pp. 257–269. Springer, Berlin Heidelberg (2005)
156. Markey, E.: Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk. Ed
Markey (2015). https://www.markey.senate.gov/imo/media/doc/2015-02-06MarkeyReport-
Tracking-Hacking-CarSecurity.pdf
157. Maturana, F., Norrie, D.: Distributed decision-making using the contract net within a mediator
architecture. Decis. Support Syst. 20(1), 53–64 (1997). doi:10.1016/S0167-9236(96)00076-
0. http://www.sciencedirect.com/science/article/pii/S0167923696000760. Intelligent Agents
as a Basis for Decision Support Systems
158. Medaglia, C.M., Serbanati, A.: An overview of privacy and security issues in the Internet of
Things. In: The Internet of Things, pp. 389–395. Springer (2010)
159. Michael, C., Kevin, M.: Connecting Cybersecurity with the Internet of Things. Pricewa-
terhouseCoopers (2014). http://usblogs.pwc.com/cybersecurity/connecting-cybersecurity-
with-the-internet-of-things/
160. Mockapetris, P., Dunlap, K.J.: Development of the domain name system. SIGCOMM Com-
put. Commun. Rev. 18(4), 123–133 (1988). doi:10.1145/52325.52338. http://doi.acm.org/10.
1145/52325.52338
161. Montenegro, G., Kushalnagar, N., Hui, J., Culler, D.: Transmission of IPv6 packets over IEEE
802.15.4 networks. Internet proposed standard RFC 4944 (2007)
162. Moreau, L.: The Foundations for Provenance on the Web. Found. Trends Web Sci. 2(2–3),
99–241 (2010). doi:10.1561/1800000010. http://dx.doi.org/10.1561/1800000010
163. Morgan, D.: Web application security SQL injection attacks. Netw. Secur. 2006(4),
4–5 (2006). doi:10.1016/S1353-4858(06)70353-1. http://www.sciencedirect.com/science/
article/pii/S1353485806703531
164. Moskowitz, R., Nikander, P., Jokela, P., Henderson, T.: Host Identity Protocol. RFC5201,
April (2008)
165. Lo, N.W., Tsai, H.C.: Illusion attack on VANET applications—a message plausibility
problem. In: 2007 IEEE Globecom Workshops, pp. 1–8. IEEE (2007). doi:10.1109/
GLOCOMW.2007.4437823
166. Leveson, N.: Medical Devices: The Therac-25 (updated from IEEE Computer 26(7),
pp. 18–41, July 1993). http://sunnyday.mit.edu/papers/therac.pdf
167. Narten, T., Simpson, W.A., Nordmark, E., Soliman, H.: Neighbor discovery for IP version 6
(IPv6) (2007)
168. National Intelligence Council: Disruptive Civil Technologies: Six Technologies With Potential