A Case for IoT Security Assurance
Today the proliferation of ubiquitous devices interacting with the external environment and connected by means of wired/wireless communication technologies points to the definition of a new vision of ICT called Internet of Things (IoT). In IoT, sensors and actuators, possibly embedded in more powerful devices, such as smartphones, interact with the surrounding environment. They collect information and supply it across networks to platforms where IoT applications are built. IoT services are then made available to final customers through these platforms. Needless to say, IoT scenario revolutionizes the concept of security, which becomes even more critical than before. Security protection must consider millions of devices that are under control of external entities, freshness and integrity of data that are produced by the latter devices, and heterogeneous environments and contexts that co-exist in the same IoT environment. These aspects make the need of a systematic way of assessing the quality and security of IoT systems evident, introducing the need of rethinking existing assurance methods to fit the IoT-based services. In this chapter, we discuss and analyze challenges in the design and development of assurance methods in IoT, focusing on traditional CIA properties, and provide a first process for the development of continuous assurance methods for IoT services. We also design a conceptual framework for IoT security assurance evaluation.
This work was partly supported by the program “piano sostegno alla ricerca 2015-17” funded by Università degli Studi di Milano.
- 1.Ezra Caltum and Ory Segal. SSHowDowN: Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf. Accessed 11 Oct 2016.
- 2.US-CERT/NIST. CVE-2004-1653. 2004. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1653. Aug, 2004. Accessed 11 2016.
- 3.Sadeghi, Ahmad-Reza, Christian Wachsmann, and Michael Waidner. 2015. Security and privacy challenges in industrial internet of things. In Proceedings of the 52nd Annual Design Automation Conference (DAC), 54. ACM.Google Scholar
- 4.Abomhara, Mohamed and Geir M Køien. 2014. Security and privacy in the Internet of Things: Current status and open issues. In International Conference on Privacy and Security in Mobile Systems (PRISMS), 1–8. IEEE.Google Scholar
- 5.Zhang, Zhi-Kai, Michael Cheng Yi Cho, Chia-Wei Wang, Chia-Wei Hsu, Chong-Kuan Chen, and Shiuhpyng Shieh. 2014. IoT security: ongoing challenges and research opportunities. In 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, 230–234. IEEE.Google Scholar
- 6.Sato, Hiroyuki, Atsushi Kanai, Shigeaki Tanimoto, and Toru Kobayashi. 2016. Establishing trust in the emerging era of IoT. In 2016 IEEE Symposium on Service-Oriented System Engineering (SOSE), 398–406. IEEE.Google Scholar
- 7.Zhao, Kai, and Lina Ge. 2013. A survey on the internet of things security. In Computational Intelligence and Security (CIS), 2013 9th International Conference on, 663–667. IEEE.Google Scholar
- 8.Bagci, Ibrahim Ethem, Mohammad Reza Pourmirza, Shahid Raza, Utz Roedig, and Thiemo Voigt. 2012. Codo: Confidential data storage for wireless sensor networks. In 9th International Conference on Mobile Ad-Hoc and Sensor Systems (MASS), 1–6. IEEE.Google Scholar
- 9.Raza, Shahid, Hossein Shafagh, Kasun Hewage, René Hummen, and Thiemo Voigt. 2013. Lithe: Lightweight secure CoAP for the internet of things. IEEE Sensors Journal 13(10): 3711–3720.Google Scholar
- 10.Dofe, Jaya, Jonathan Frey, and Qiaoyan Yu. 2016. Hardware security assurance in emerging IoT applications. In International Symposium on Circuits and Systems (ISCAS), 2050–2053. IEEE.Google Scholar
- 11.Raza, Shahid, Linus Wallgren, and Thiemo Voigt. 2013. SVELTE: Real-time intrusion detection in the Internet of Things. Ad hoc networks 11(8): 2661–2674.Google Scholar
- 12.Raza, Shahid, Simon Duquennoy, Joel Höglund, Utz Roedig, and Thiemo Voigt. 2014. Secure communication for the Internet of Things—a comparison of link-layer security and IPsec for 6LoWPAN. Security and Communication Networks 7(12): 2654–2668.Google Scholar
- 13.Lee, Jun-Ya, Wei-Cheng Lin, and Yu-Hung Huang. 2014. A lightweight authentication protocol for internet of things. In 2014 International Symposium on Next-Generation Electronics (ISNE), 1–2. IEEE.Google Scholar
- 14.Park, Haemin, Dongwon Seo, Heejo Lee, and Adrian Perrig. 2012. SMATT: Smart meter attestation using multiple target selection and copy-proof memory. In Computer Science and its Applications, 875–887. Springer.Google Scholar
- 15.Ardagna, Claudio Agostino, Rasool Asal, Ernesto Damiani, and Quang Hieu Vu. 2015. From security to assurance in the cloud: A survey. ACM Computing Surveys (CSUR), 48(1): 2:1–2:50.Google Scholar
- 16.ISO/IEC JTC 1. 2014. Information Technology. Internet of things (iot). preliminary report.Google Scholar
- 17.B. Leukert et al. IoT 2020: Smart and secure IoT platform. IEC 2016. https://www.openstack.org/.
- 18.Minerva, Roberto, Abyi Biru, and Domenico Rotondi. 2015. Towards a Definition of the Internet of Things (IoT). Torino, Italy: IEEE Internet Initiative.Google Scholar
- 19.Weiser, Mark. 1991. The computer for the twenty-first century. Scientific American, 6675.Google Scholar
- 20.Ala Al Fuqaha, Mohsen Guizani, Mehdi Mohammadi, Mohammed Aledhari, and Moussa Ayyash. 2015. Internet of things: A survey on enabling technologies, protocols, and applications. IEEE Communications Surveys and Tutorials 17(4): 2347–2376.Google Scholar
- 21.IATAC and DACS. 2007. Software security assurance: State of the art report (SOAR). http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA472363.
- 22.Beznosov, Konstantin, and Philippe Kruchten. 2004. Towards agile security assurance. In Proceedings of the 2004 workshop on New security paradigms, 47–54, ACM.Google Scholar
- 23.Misra, Sridipta, Muthucumaru Maheswaran, and Salman Hashmi. 2017. Security challenges and approaches in internet of things. Springer International Publishing.Google Scholar
- 24.Mahalle, Parikshit Narendra, and Poonam N. Railkar. 2015. Identity management for internet of things. River Publishers Series in Communications.Google Scholar
- 25.Shelby, Zach, Klaus Hartke, and Carsten Bormann. 2014. The constrained application protocol (CoAP). Technical report.Google Scholar
- 26.Montenegro, Gabriel, Nandakishore Kushalnagar, Jonathan Hui, and David Culler. 2007. Transmission of IPv6 packets over IEEE 802.15. 4 networks. Technical report.Google Scholar
- 27.Stephen Kent and Seo, Karen. 2005. Security architecture for the internet protocol. Technical report.Google Scholar
- 28.Bhatnagar, Neerja, and Ethan L. Miller. 2007. Designing a secure reliable file system for sensor networks. In Proceedings of the 2007 ACM workshop on Storage security and survivability, 19–24. ACM.Google Scholar
- 29.Wei Ren, Yi Ren, and Hui Zhang. 2008. Hybrids: A scheme for secure distributed data storage in wsns. In IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, 2008. EUC’08, vol. 2, 318–323. IEEE.Google Scholar
- 30.Ericsson. 2016. Bootstrapping security-the key to internet of things access authentication and data integrity. Ericsson White paper, 284 23-3284. http://www.ericsson.com/res/docs/whitepapers/wp-iot-security.pdf.
- 31.Doug, J. 2011. Tygar. Adversarial machine learning. IEEE Internet Computing 15(5): 4.Google Scholar
- 32.Huang, Ling, Anthony D. Joseph, Blaine Nelson, Benjamin IP Rubinstein, and J.D. Tygar. 2011. Adversarial machine learning. In Proceedings of the 4th ACM workshop on security and artificial intelligence, 43–58. ACM.Google Scholar
- 33.Liu, Chang, Chi Yang, Xuyun Zhang, and Jinjun Chen. 2015. External integrity verification for outsourced big data in cloud and iot. Future generation computer systems, 49(C): 58–67.Google Scholar
- 34.Newe, Thomas, Muzaffar Rao, Daniel Toal, Gerard Dooly, Edin Omerdic, and Avijit Mathur. 2017. Efficient and high speed fpga bump in the wire implementation for data integrity and confidentiality services in the iot. In Postolache, Octavian Adrian, Subhas Chandra Mukhopadhyay, Krishanthi P. Jayasundera, and Akshya K. Swain (eds.). Sensors for everyday life: Healthcare settings, 259–285. Springer International Publishing.Google Scholar
- 35.Gaurav, Kumar, Pravin Goyal, Vartika Agrawal, and Shwetha Lakshman Rao. 2015. Iot transaction security. In Proceedings of the 5th International Conference on the Internet of Things (IoT 2015).Google Scholar
- 36.Yick, Jennifer, Biswanath Mukherjee, and Dipak Ghosal. 2008. Wireless sensor network survey. Computer Networks 52(12): 2292–2330.Google Scholar
- 37.Tanenbaum, Andrew S., and Maarten Van Steen. 2007. Distributed systems. Prentice-Hall.Google Scholar
- 38.National Institute of Standards and Technology (NIST). 2013. Security and privacy controls for federal information systems and organizations. Special Publication 800: 53.Google Scholar
- 39.International Organization for Standardization (ISO). 2016. ISO/IEC 27001:2013 Information technology–Security techniques–Information security management systems–Requirements. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en. Accessed 10 2016.