IoT and Security-ICACCA-DDn-RSS-16Sep17
Security
Prof. (Dr.) Rajveer S Shekhawat
Director, School of Computing and IT
Hype Cycle (courtesy: Gartner)
General Architecture
Motivation
• The IoT is complex
  • Many types of devices
  • Many types of network
  • Feedback and control
• Ubiquitous IoT
  • Home automation
  • Health
  • Automotive
  • Office
  • Industrial
• Issues
  • IP-enabled – Security
  • Life Time - Battery
  • Lack of standards - cost
• Energy Budget (typical)
  • 40% Comms
  • 25% Crypto Algos
  • 20% Data Acquisition
  • 15% House keeping
Internet of Things – Key Challenges
• Low Power
• Security
• Low Cost
• Small size
• Interoperability
• Others (application specific)
Sensor Networks
Sample Architectures - ARM mbed OS
Thesis
While there’s no such thing as ‘IoT security’ as a separate
discipline, the hyper-connected world of the Internet of Things
(IoT) makes everything about data security and data privacy
more confusing. And while we can’t possibly cover all the ins
and outs of this dauntingly complex world, here are some
things to keep in mind as you navigate the treacherous waters
of IoT data security and data privacy.
©Ayla Networks
Key Issues raising security concerns
• More devices, more problems (behind firewall)
• Updates, updates, updates (newer discovery of vulnerabilities)
• Protecting data from corporations (misuse of personal data)
• Lazy Consumers (no liberty of automatic updates or patches)
• Etc.
Security Challenges
• Many small devices have limited power
• Not much processing power for (heavy weight) security algorithms
• Need to look for new encryption schemes with less CPU power
• IOT needs both encryption key management and identity
management (authentication)
• More….
Key Security requirements of IOT – view 1
• Secure authentication
• Secure bootstrapping and transmission of data
• Security of IoT data
• Secure access to data by authorized persons
Key Security requirements of IOT – view 2
• Attack Resiliency
• Data authentication
• Access Control
• Client Privacy
Key Security requirements of IOT – view 3
• Key Management
• Appropriate secret key algorithms
• Secure routing protocols
• Intrusion detection technology
• Authentication and access control
• Physical security design
Complexities of the security tasks
• Disruption and Denial of service attacks
• Understanding the complexities of vulnerabilities
• IOT vulnerability management
• Identifying and implementing security controls
• Fulfilling the need for security analytics capabilities
• Modular hardware and software components
• Rapid demand in bandwidth
Top IOT Security Concerns
• Insecure web interface
• Insufficient authentication/authorization
• Lack of transport encryption
• Privacy concerns
• Insecure software/firmware
• Insecure network services
• Insecure Cloud interface
• Insecure mobile interface
• Insufficient security configurability
• Poor physical security
IOT for Critical Infrastructure
IoT on the CI (Critical Infrastructure), such as:
• energy,
• telecom and
• utilities, etc.
Crucial CI's aspects:
• providing safety to prevent industrial accidents, or
• supplying required services to have a constant electrical power for hospitals [Gianmarco14].
M2M (Machine to Machine) standardization activity is essential for such applications.
New risks and new privacy issues that IoT may bring to CI are an avoidable challenge. Providing security for IoT gets more important in this matter.
Approaches to IOT Security
• Privacy by Design Principles
• Defining Authentication Frameworks
• Identity and Trust
• IP-based Security Solutions
• Network Segmentation
• Automated Remediation
• Encryption Security Solution
IOT Security Landscape
Distributing Security Across Layers #1
• Application Layer: Robust authentication removing any vulnerabilities due to XSS (cross-site scripting) or CSRF (Cross Site Request Forgery)
• interfaces
• Data acquisition
• energy budget
• Hardware-software codesign
• Protocol parameters
Low Power Security Alternatives
• Distributed like block chains
• Light-weight security algorithms
• Block Ciphers ISO/IEC 29192 (e.g. CLEFIA, PRESENT)
• Stream Ciphers
• Hash functions (e.g. HIMMO)
• Others
• Key exchanges using LEACH, CoAP protocols
• Message Queue Telemetry Transport (MQTT) protocol
• Dynamic keys seeded by time stamps
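An added example, not part of the original slides: a compact C implementation of PRESENT-80, one of the ISO/IEC 29192 block ciphers named in the list above, showing what makes it light-weight (one 4-bit S-box, a bit permutation that is pure wiring in hardware, and a shift-based key schedule). The function name `present80_encrypt` and the split of the 80-bit key into `key_hi`/`key_lo` are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* PRESENT's single 4-bit S-box, reused by the round function and key schedule. */
static const uint8_t SBOX[16] = {0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                                 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2};

/* sBoxLayer: substitute each of the 16 nibbles of the 64-bit state. */
static uint64_t sbox_layer(uint64_t s) {
    uint64_t out = 0;
    for (int i = 0; i < 16; i++)
        out |= (uint64_t)SBOX[(s >> (4 * i)) & 0xF] << (4 * i);
    return out;
}

/* pLayer: bit i moves to position 16*i mod 63; bit 63 stays in place.
   In hardware this is pure wiring, which keeps the gate count low. */
static uint64_t p_layer(uint64_t s) {
    uint64_t out = 0;
    for (int i = 0; i < 64; i++)
        out |= ((s >> i) & 1) << (i == 63 ? 63 : (16 * i) % 63);
    return out;
}

/* Encrypt one 64-bit block. The 80-bit key k79..k0 is passed as
   key_hi = k79..k16 and key_lo = k15..k0 (a split chosen for this example). */
uint64_t present80_encrypt(uint64_t block, uint64_t key_hi, uint16_t key_lo) {
    uint64_t state = block, hi = key_hi, lo = key_lo;
    for (uint64_t round = 1; round <= 31; round++) {
        state = p_layer(sbox_layer(state ^ hi));   /* round key = k79..k16 */
        /* Key update: rotate the 80-bit register left by 61 bits, */
        uint64_t old_hi = hi;
        hi = (old_hi << 61) | (lo << 45) | (old_hi >> 19);
        lo = (old_hi >> 3) & 0xFFFF;
        /* pass the top nibble through the S-box, */
        hi = (hi & 0x0FFFFFFFFFFFFFFFULL) | ((uint64_t)SBOX[hi >> 60] << 60);
        /* and XOR the 5-bit round counter into bits k19..k15. */
        hi ^= round >> 1;
        lo ^= (round & 1) << 15;
    }
    return state ^ hi;                             /* final key addition */
}

int main(void) {
    /* All-zero key and plaintext: the published vector is 5579C1387B228445. */
    printf("%016llX\n", (unsigned long long)present80_encrypt(0, 0, 0));
    return 0;
}
```

The 64-bit block and 80-bit key are far smaller than those of general-purpose ciphers, so a real deployment needs a mode of operation and rekeying policy suited to the short block.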
[Figure: Gate efficiency (ASIC): CLEFIA and TLS/IPsec ciphers. Courtesy: Katagi, Sony Corpn.]
Design goals HIMMO PKC PSK
O-1: Performance * *** *
O-2: Easy device addition to a running system
O-3: Scalable -
O-4: Easy credential management -
O-5: Easy integration with existing protocols -
O-6: Fits device lifecycle -
O-7: Long term security
S-1: Resilient to root of trust compromise -
S-2: Single root of trust cannot monitor -
S-3: Key escrow -
S-4: Facilitates secure manufacturing -
S-5: Device authentication and authorization -
S-6: Back-end authentication and authorization -
S-7: Prevents DoS attacks -
S-8: Fully collusion resistance -
S-9: Device identification and blacklisting -
S-10: Key agreement
S-11: Post-quantum resilience -
S-12: Perfect forward secrecy - -
S-13: Non-repudiation - -
Thanks