Described by the ITU as “the foundation of a global infrastructure for the information society,” the Internet of Things (IoT) is now close to the peak of its evolution. By 2020, it’s estimated that there will be 10 connected IoT devices for every person in the world — 40 to 80 billion IoT devices altogether — and an IoT market that will reach some US$3 trillion.
The IoT or Internet of Anything (IoA), as we prefer to call it, has three foundational pillars: computing, sensing, and communicating. Computing occurs within any provisioned, specialized “network of things,” whether it involves the Internet or not. Computing handles tasks such as decision-making and data transfers by executing algorithms and protocols. Sensing is an assumed benefit of the IoT. The thinking is that the more external information collected from the environment of a network of things at specific times, the greater the ability to tailor the decisions made within the computations. Note also that many of the devices used in a provisioned, specialized network of things will collect various data whether or not the surveillance is known to be occurring. If so, where does that data go? Who owns it? And why is it being collected in the first place? Sensors and surveillance will be huge concerns to overcome if we are to argue convincingly for compliance. And of course, communicating must hold all the data flow and workflow in sync for a network of things to satisfy its “purpose for being.”
But what is that purpose for being, or better yet, does that suggest fit-for-purpose? It does, and this introduces a new difficulty that’s often swept under the rug. The difficulty stems from an assumption that all these moving pieces in a network of things, along with ever-changing environments, flawed components, disrupted communications, and defective sensors, will somehow come together and create a fit-for-purpose network of things solution. This is folly. We can’t ignore nefarious intent, faulty devices, faulty software, all composed under a massive “scalability” challenge, and expect anything less than finger pointing and blame from a network’s heterogeneous stakeholders. Further, we can’t overlook the various vertical domain applications of IoT (for example, smart homes, agriculture, transportation, healthcare, retail), and how the Utopian goal of a one-size-fits-all definition of IoT is probably not helpful because of the different levels of “-ility” rigor that belong to each domain, particularly given that many are regulated for safety, reliability, and security.
According to Gartner, IoT’s plateau phase will occur in about 10 years — just when the drafted now-basic IoT standards will probably be ready. (Does that suggest that de facto standards will prevail here?) As the rapid increase of IoT devices creates new attack surfaces, we must immediately start addressing the new IoT environment reliability and security concerns, as well as safety and privacy issues.
Computing Now’s November 2015 issue presents three articles that discuss IoT security challenges and opportunities.
IoT devices range from lowly RFID transponders to more resourced smartphones and tablets. In “Low-Energy Security: Limits and Opportunities in the Internet of Things,” Wade Trappe, Richard Howard, and Robert S. Moore focus on the most lightly resourced and inexpensive devices, and point out that “ultimately, the IoT’s future will rely on our ability to adequately secure hard-to-secure, resource-sparse devices.” The task of affordably supporting security and privacy for “networkable” low-energy and lightweight devices is quite challenging, as such devices must devote most of their available energy and computation to executing core application functionality. The authors state that this task is far easier with platforms such as smartphones and tablets than with the new generation of IoT nodes, such as miniature sensor tags capable of reporting presence, temperature, and humidity for decades. To identify IoT security concerns, the authors explore prior work on wireless ad hoc and sensor network security. They then outline three types of threats for the low end of future wireless Internet:
- integrity, authentication, and nonrepudiation; and
The authors are skeptical that cryptography — and lightweight cryptography, in particular — will successfully migrate and be implemented without weakness on a low-end IoT device. Despite the considerable efforts in developing lightweight cryptographic algorithms suitable for resource-constrained devices such as RFID tags, the track record isn’t encouraging: almost as many papers identify vulnerabilities in lightweight algorithms as propose new ones. The essence is that an algorithm with a small key size — say, 40 to 64 bits — offers essentially no security. So, the authors suggest two approaches for supporting security at the low-end device: reusing existing functions to avoid introducing additional energy burdens, or being very selective about what additional functionality we employ; or exploiting the inherent asymmetry in the deployment scenario, in which low-end devices typically communicate with more powerful base stations or back-end servers that don’t have the low-end devices’ energy and computational restrictions.
In “IoT-Security Approach Analysis for the Novel Nutrition-Based Vegetable Production and Distribution System,” Dennis A. Ludena R. and his colleagues state that the IoT paradigm is giving the scientific community the ability to create integrated environments, in which information can be exchanged among heterogeneous characteristic networks in an automated way to provide a richer experience to the user. The authors analyze a general security IoT approach to provide guidelines for proper implementation of their IoT nutrition-based system by focusing on the security analysis of two main aspects: authentication and data integrity.
In “Experiments with Security and Privacy in IoT Networks,” Mary R. Schurgot, David A. Shinberg, and Lloyd G. Greenwald explore the risks to security and privacy in IoT networks by setting up an inexpensive home automation network and performing a set of experiments intended to study attacks and defenses. Their emphasis is on privacy preservation in home automation networks, but their insights can extend to other IoT applications. The authors look at both simple cryptographic techniques and information manipulation to protect users against adversaries inside the IoT network or those that have compromised remote servers.
Industry Perspective Videos
- Rajiv Ranjan on the Internet of Things
- Vijay Varadharajan on the Internet of Things
- Tim Grance on Securing the Internet of Anything
“We have to demand that the technology does ask and does say please,” says Tim Grance of the National Institute of Standards and Technology (NIST). In the first Industry Perspectives video, he addresses questions such as: What is IoT? Is it a really big deal? What are the driving forces? Then he states that we will be deeply challenged by IoT security and privacy. Given that we have inherited all the current evils and have added scale and complexity, he suggests it will definitely be a bumpy ride.
IT is becoming an integral part of the product itself with IoT and cloud-based interconnections and services, says Vijay Varadharajan, the Microsoft Chair Professor in Innovation in Computing at Macquarie University. Embedded technology and software, together with the cloud enabling data storage and analysis, are driving dramatic improvements in product functionality and performance. Clearly, security is paramount for the safe and reliable operation of IoT-connected devices. Varadharajan discusses three main IoT security challenges:
- IoT increases the security attack surface as it introduces an overwhelming amount of new and diverse devices with different operating systems as well as different networks and associated protocols.
- Every physical and virtual device in the IoT infrastructure generating huge quantities of data presents immediate and direct consequences. Just because data is accessible doesn’t mean it’s trustworthy or reliable for making decisions — or even ethical to access and use it.
- The interactions between the IoT and cloud infrastructures — particularly when data from different devices must be combined to offer seamless cloud-based distributed services.
In our third video, Rajiv Ranjan of Newcastle University examines the IoT vision in which devices are connected to clouds via the Internet for data storage, processing, analytics, and visualization. The IoT ecosystem encompasses heterogeneous clouds, networks, and devices to provide seamless service delivery, for example, in smart cities and remote healthcare. Enabling efficient service delivery requires the ability to guarantee a certain quality of service level — ensuring end-to-end performance, security, and privacy both at system and data levels — from the IoT device, cloud, and network perspectives. Ranjan discusses the IoT, cloud computing, big data, and new security research issues arising due to realization of the IoT ecosystem vision. The talk focuses on the specific research issues for efficient, end-to-end, and secure big sensing IoT data processing on public and private clouds.
Thank you for reading our Securing the IoA issue of Computing Now. IoA has incredible potential to change the world around us, but to succeed, it must provide mechanisms for securely managing a range of new technologies and addressing the related security and privacy requirements.
We welcome your comments and perspectives on this exciting topic. For example:
- How will IoA shape and transform the IT industry, business, and society as a whole?
- What are your real-life experiences in embracing IoT, and what security and privacy related issues have you faced?
- How can IoT regulatory bodies and researchers work together to raise IoT to further heights?
- How will IoA security be addressed in the next five to ten years?
Please share your insights, ideas, and experiences below.
Irena Bojanova is Editor in Chief of IEEE Transactions on Cloud Computing, Associate Editor of IT Professional magazine, and a Senior Member of the IEEE. You can reach her at email@example.com.
Jeffrey Voas is the security column editor for Computer magazine and an IEEE Fellow. You can reach him at firstname.lastname@example.org.