Iot Securing


Outlines

• Security and Privacy Implications of IoT Overview

• Security Issues Related to IoT

• Privacy and Ethics

• Cyber Security Methods


– Authentication; Authorization; Network Enforced Policy; Secure Analytics:
Visibility and Control

• Off The Shelf IoT

• Fog Computing

• Encryption

• Identifying IoT Security Risks

Le The Dung, Ph.D. Securing IoT 1/25


Security and Privacy Implications of IoT
• Internet of Things involves:
– extra devices being connected
– extra networking to connect these devices
– extra programming to direct the devices and networking
– a massive volume of extra data pouring into the internet
– more machine to machine (M2M) interactions and autonomous decision making.

• Each of these layers brings additional security issues.

• Securing the Internet of Things is a highly necessary and complex task that
sits across the top of its devices, networks and applications, but must be
considered and factored into the design and planning phase.
• Many IoT devices are purposely very small and low powered, and this
increases the difficulty of securing them.


Security and Privacy Implications of IoT (cont.)
• Connecting things up makes private data about ourselves, our lives,
and our businesses accessible. The Internet of Things challenges
notions and ethics of privacy, factors which must be considered
and designed for.
• There is also the concern that IoT technology development is
outpacing the governance and regulation required, as well as the
ability of many individuals to be aware of the threats and know
how to address them.
• Aside from digital security risks, we also need to know how to keep
IoT devices physically secure.


Security Issues Related to IoT



Privacy and Ethics

• Data that may be collected from people (with or without their knowledge)
through IoT includes: personal information; locations and movements;
habits; physical conditions.
• Personal data is valuable to sales and marketing, service planning, health
intervention, credit decisions, insurance decisions, employment decisions,
fraud and theft.
• Good product development practice involves developers: conducting a
privacy and security risk assessment, building security into the product
from the outset, testing the security measures before launching, using a
service provider capable of providing security, and monitoring a product
through its life cycle.


Privacy and Ethics (cont.)

• Due to additional privacy and security risks, other recommendations
around IoT development are to minimize the data collected and retained,
and the length of time data is retained, to consider who should have
access to data (at the appropriate level in an organization), and to educate
employees about good security practices.
• The Federal Trade Commission (FTC) report refers to Fair Information
Practice Principles, or FIPPs. Four FIPPs were focused on: notice
(consumer being given notice of practice), choice (consumer having
control over how data is used), data minimization, and security (consumers'
held data being accurate and secure).


Cyber Security Methods

• IoT devices can connect a person's activity to their identity, which
presents a challenge to privacy.

• A device does need to be able to check ownership and identity,
but it also needs to de-couple (separate) itself from the owner. This
is called shadowing. The device uses a virtual identity to act on
behalf of the owner (whom it knows about, but does not reveal the
identity of).

• The following diagram from the Cisco Networking Academy shows
an example of a Secure IoT Framework.


Cyber Security Methods (cont.)

[Figure: Secure IoT Framework, Cisco Networking Academy]


Cyber Security Methods (cont.)

It outlines the following components:

• Authentication – IoT devices connecting to the network create a trust
relationship, based on validated identity through mechanisms such as:
passwords, tokens, biometrics, RFID, X.509 digital certificate, shared secret, or
endpoint MAC address.
• Authorization – a trust relationship is established based on authentication and
authorization of a device that determines what information can be accessed
and shared.
• Network Enforced Policy – controls all elements that route and transport
endpoint traffic securely over the network through established security
protocols.
• Secure Analytics: Visibility and Control – provides reconnaissance, threat
detection, and threat mitigation for all elements that aggregate and correlate
information.
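The shadowing idea and the Authentication and Authorization components above, as an added example that is not part of the original slides or of the Cisco framework: a device authenticates with a shared secret under a virtual identity, and access is then decided per resource. The `Gateway` class, the HMAC-based pseudonym scheme and all names and values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def virtual_identity(device_key, owner_id, service):
    """Shadowing (assumed scheme): per-service pseudonym; device_key stays on the device."""
    msg = f"{owner_id}|{service}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]

class Gateway:
    """Hypothetical network-side verifier; it only ever sees virtual identities."""
    def __init__(self):
        self.enrolled = {}  # virtual id -> (shared secret, allowed resources)
        self.pending = {}   # virtual id -> outstanding nonce

    def enroll(self, vid, secret, allowed):
        self.enrolled[vid] = (secret, frozenset(allowed))

    def challenge(self, vid):
        nonce = secrets.token_bytes(16)
        self.pending[vid] = nonce
        return nonce

    def access(self, vid, response, resource):
        """Authenticate first, then authorize; True only if both checks pass."""
        nonce = self.pending.pop(vid, None)  # single use, so a replay fails
        entry = self.enrolled.get(vid)
        if nonce is None or entry is None:
            return False
        secret, allowed = entry
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        return resource in allowed

def respond(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def demo():
    """Constructed run: valid access, replayed response, unauthorized resource, wrong secret."""
    device_key, secret = secrets.token_bytes(32), secrets.token_bytes(32)
    vid = virtual_identity(device_key, "alice@example.org", "heart-monitor")
    gw = Gateway()
    gw.enroll(vid, secret, {"telemetry/heart-rate"})
    first = respond(secret, gw.challenge(vid))
    ok = gw.access(vid, first, "telemetry/heart-rate")
    replay = gw.access(vid, first, "telemetry/heart-rate")
    denied = gw.access(vid, respond(secret, gw.challenge(vid)), "firmware/update")
    forged = gw.access(vid, respond(b"wrong", gw.challenge(vid)), "telemetry/heart-rate")
    return vid, ok, replay, denied, forged
```

The gateway stores only the pseudonym and the shared secret, so a compromise of its tables does not by itself link device activity to the owner's identity.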


Off The Shelf IoT

• If you're using an 'off the shelf' IoT product, don't
forget the following additional security measures:
– Disable default passwords
– Disable UPnP (Universal Plug and Play - which allows the device to
automatically make itself available to networks)
– Disable remote management
– Keep software (firmware) up to date
– Use encryption and/or certificates where possible
– Physically keep device secure

off the shelf: not designed or made to order but taken from existing stock or supplies.
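The checklist above turned into a configuration audit, as an added example that is not part of the original slides. The inventory, its field names and the short list of factory-default credentials are constructed for illustration and do not correspond to any vendor's API; settings a device does not report are treated as failures.

```python
# Constructed inventory; the field names are hypothetical, not a vendor API.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

INVENTORY = [
    {"name": "camera-01", "user": "admin", "password": "admin", "upnp": True,
     "remote_mgmt": True, "firmware": "1.9.0", "latest": "1.10.0", "tls": False},
    {"name": "thermostat-02", "user": "ops", "password": "constructed-long-passphrase",
     "upnp": False, "remote_mgmt": False, "firmware": "2.3.1", "latest": "2.3.1",
     "tls": True},
    {"name": "valve-03", "user": "ops", "password": "constructed-long-passphrase",
     "firmware": "0.8.2", "latest": "0.8.2"},  # UPnP, remote management, TLS not reported
]

def parse_version(text):
    """Compare versions numerically so that 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in text.split("."))

def audit(device):
    """Return the checklist items a device fails; unknown settings count as failures."""
    findings = []
    if (device.get("user"), device.get("password")) in FACTORY_DEFAULTS:
        findings.append("default password in use")
    if device.get("upnp", True):
        findings.append("UPnP enabled or unknown")
    if device.get("remote_mgmt", True):
        findings.append("remote management enabled or unknown")
    if parse_version(device["firmware"]) < parse_version(device["latest"]):
        findings.append("firmware out of date")
    if not device.get("tls", False):
        findings.append("encryption not enabled or unknown")
    return findings

def audit_all(inventory):
    """Map each device name to its findings; physical security needs an on-site check."""
    return {d["name"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", findings or "passes the configuration checks")
```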


Fog Computing
• Another way to increase the security of IoT devices is to use 'the fog'. The
fog extends the reach of 'the cloud', so it is closer to devices that create
and act on IoT data.


Encryption
• Encryption is an important form of computer security. Encryption simply
involves encoding a message or information.

• You probably engaged in some simple encryption when writing secret notes as
a child, replacing letters with other letters, numbers or characters, or
writing in invisible ink and needing a UV light to expose the message.
Computer encryption uses the same basic principles.


Identifying IoT Security Risks

• Wearable heart monitor: Encryption, Authentication, password protection.
• Medical data in the Cloud: Remove identification from data, Control access to
private data.

Note: Although you will need to line up solutions with the risks, there is no ‘correct’ answer for the
‘Impact of risk’ or ‘Likelihood of risk event’ categories – this is an exercise in practicing risk analysis, so
your answer should reflect what you think.


Identifying IoT Security Risks (cont.)

• Microcontroller: Encryption, Authentication, password protection. Also relevant are: Use
established security protocols, Hide or physically lock away devices, Keep firmware updated.
• Solenoid valve water release: Threat detection, firewall, Physically lock away or protect device.


Identifying IoT Security Risks (cont.)

• Data in network: Use Fog/edge computing, Authentication, password protect.
• Manager with computer and tool kit: Hide, physically lock away or protect device or
computer, Authentication, password protection.


THANK YOU ALL FOR LISTENING
QUESTIONS AND ANSWERS
