9 Important Security Requirements to Consider for IoT Systems

The Internet has been steadily growing since its birth in the second half of the last century. This constant growth was driven by different trends in different epochs. The most recent trend is to connect all sorts of embedded devices to the Internet, including home entertainment systems, industrial equipment, vehicles, transport infrastructure devices, medical equipment, etc. This trend transformed the Internet into what is called today the Internet of Things, or IoT for short.

The Internet of Things allows for collecting a huge amount of data from our natural and artificial environment, which we can convert to information that can be used to better understand and control the processes that our society so critically depends on. In short, the Internet of Things has the potential to make our modern life more efficient. For instance, we can use data collected from industry equipment to better predict when maintenance is needed and, hence, to decrease the probability of outages; we can use data collected from vehicles and the transport infrastructure to eliminate traffic jams and accidents; we can use connected home equipment to run our household more energy efficiently; and we can use connected medical devices to take care of the growing number of elderly people remotely, hence, making their life easier and reducing the cost of health care.

However, all this potential can be realized only if we can trust the data obtained from the environment via the Internet of Things, which ultimately translates to the requirement of making it secure. The Internet itself has never been a secure “place”, and its history is full of epic security failures. The most devastating ones resulted in huge numbers of computers being compromised[1], network-based services being made unavailable[2], or large amounts of personal data being leaked[3]. These security failures cost the world a huge amount of money every year, part of which is obtained by the miscreants themselves, making them even stronger. Today, Internet-based crime is organized, and the size of this criminal domain is comparable to that of drug trafficking[4]. Yet, while the Internet seems to be broken[5] (at least in terms of security), it still “works” (at least to the extent that it can still be regarded as useful). However, this balance may turn out to be fragile, and the growth of the Internet of Things may destroy it.

The Internet of Things endangers the current balance in Internet security in two ways. First, attacks originating from the Internet can now target IoT systems and embedded IoT devices that interact with our physical environment. Hence, cyber-attacks may have physical consequences, ranging from damage to expensive equipment, through the unavailability of vital services, to possibly even the loss of human life. For instance, a cyber attack on a substation of the energy distribution grid may damage expensive electrical switchgear, or it may lead to a power outage in a given geographical region. In addition, an extended power outage may unexpectedly interrupt vital services, such as surgical operations in a hospital, leading to fatalities. Similarly, a cyber attack on an oil refinery site or a gas pipeline may lead to a fatal explosion, and a cyber attack on a food production or pharmaceutical factory may lead to a defective product that may be poisonous.

The second impact of the Internet of Things on Internet security is that connected IoT devices can be converted into a substantial attack infrastructure to be used for attacking the Internet itself. While exploding gas pipelines and poisonous medicines are plausible, yet still somewhat hypothetical threats of the future, botnets built from millions of IoT devices are hard facts already today[6]. And the number of IoT devices connected to the Internet can soon become orders of magnitude larger than it is today, which will make botnets (or Internet-based attack infrastructures in general) a much larger problem in the future. IoT botnets such as Mirai, which holds the record for the most intensive DDoS attack in history[7], could be just the beginning of a completely new era.

All this means that ensuring the security of the Internet of Things is indispensable. Securing IoT systems and applications should begin with understanding the most important security requirements that emerge in such systems and applications. Hence, in the rest of this post, we enumerate the typically considered security requirements, and for each, we explain how they are relevant (or not) for the different IoT application domains. We also try to shed light on how the use of IoT makes it harder (or easier) to satisfy those security requirements compared to satisfying them in “traditional” IT systems.

The most frequently mentioned information security requirements are confidentiality, integrity, and availability – the CIA triad, as they are often called. In “traditional” IT systems, this order also represents the importance of these requirements. In IoT systems, however, this may not be the right order regarding importance. Nevertheless, we start the discussion with confidentiality, and continue with integrity and availability, as usual.

1. Confidentiality means the protection of information from illegitimate read access. Not all sorts of information need confidentiality, but there are sensitive data that must definitely be kept secret. In “traditional” IT systems, lots of applications generate business data that needs confidentiality; consider, for instance, all kinds of documents containing business plans, technical designs, financial data, salaries of employees, mails exchanged with partners and customers, etc. In fact, almost all information regarding the internal operation of an organization can be considered sensitive with respect to competitors; what does not fall in this category is usually published on the company web site. In addition to business data, account credentials, such as passwords, and other security parameters, such as cryptographic keys, also need confidentiality.
In IoT systems, data may not have very strict confidentiality requirements, although this can depend on the application domain as well. In general, the data generated by IoT systems are sensor readings, which are usually not secret; anyone could actually measure the same parameters and obtain the data himself. Yet, in the domains of security and surveillance, healthcare, retail, and even home automation, some data may need to be kept confidential. Images from surveillance cameras in security applications and inventory data in retail applications can easily be imagined to contain sensitive information, while data collected in homes by home automation applications and data collected from patients by healthcare applications may need confidentiality for privacy reasons. When data requires confidentiality, it must be provided both for storage and for transmission of that data. The latter is especially important in the case of wireless communications, which are notoriously easy to eavesdrop on. In addition, IoT systems also use access credentials, such as passwords, and cryptographic keys, which definitely need confidentiality. In security applications, transport systems, and industrial environments, configuration data and control programs may also be kept secret, as they may contain intellectual property (e.g., control logic in vehicle ECUs and process set points used by industrial PLCs).

2. Integrity means protection against illegitimate modification of data, and it is one of the most important information security requirements in IoT systems. Sensor data generated by IoT systems are used to keep track of and control physical processes, so they need to be accurate. If sensor data can be changed by attackers, then tracking becomes inaccurate and control may receive wrong input. In addition, if control commands can be changed by an attacker, then control is definitely corrupted. The consequences of both can range from simple failures to fatal accidents. Similarly, parameters and software updates that are sent to IoT devices should not be modifiable by attackers, as such modifications can have effects similar to those of modified sensor data or control commands. Integrity is important in all IoT application domains, but transportation, industrial automation and process control, and healthcare perhaps stand out here, as in these applications a violation of information integrity may really have fatal consequences.

3. Availability is the second most important information security requirement in IoT systems. It means that information is always available to the entities that need it. This must be ensured for data used in control-type applications, such as transportation and industrial process control, and in certain healthcare applications as well. Availability of information is also very important in security and surveillance applications. In other applications, availability is desired, but it may not lead to serious negative outcomes if data is not always available in a timely manner; unavailability of information may lead to financial damage in retail applications and to inconveniences in home and office automation.

Besides confidentiality, integrity, and availability, two other information security requirements are often considered: authenticity and non-repudiation. Both deal with the capability of verifying the origin of data, but they differ in who is able to perform that verification. We discuss them below:

4. Authenticity means that the origin of the data can be verified by the intended receiver of the data. As the intended receiver typically acts upon the data, it is very important to make sure that the data originates from a trusted source. In fact, data origin authentication is as important as data integrity in IoT applications: if it were not provided, attackers could inject fake data into the system, making it appear to come from legitimate and trusted sources, and the consequences would be the same as being able to modify the data illegitimately. Authenticity is of paramount importance in the case of control commands, configuration parameters, and software updates received by IoT devices.

5. Non-repudiation is similar to authenticity, but in this case not only the intended receiver of the data can verify its source: the origin of the data can be proven to any third party. This means that the source of the data cannot deny, or repudiate, that the data originates from him or her, hence the name non-repudiation. Non-repudiation is not always required even in “traditional” IT systems, because in many cases the messages exchanged are not kept long enough to make them available for verification by third parties. Regarding IoT applications, non-repudiation may be required in transport and healthcare applications, where multiple entities may be involved in interactions and logs are kept for later audits in case of fatal accidents.
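The difference between requirements 2, 4 and 5 is easiest to see in code. The following is an added Go example, not code from the original post: a sensor reading is first protected with an HMAC under a key shared with its intended receiver (assumed here to be a gateway), which gives the gateway integrity and authenticity but lets the gateway itself produce valid tags, so nothing can be proven to an auditor; an Ed25519 signature, which only the sensor can produce and anyone with the public key can verify, gives non-repudiation. The sensor id, readings and shared key are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var genuineReading = []byte(`{"sensor":"temp-01","celsius":21.5}`) // constructed sample reading
var forgedReading = []byte(`{"sensor":"temp-01","celsius":99.0}`)  // same sensor id, tampered value

// macTag computes HMAC-SHA256 over msg under a key shared by sensor and gateway.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify gives the gateway authenticity and integrity: a valid tag proves the
// reading came from a holder of the shared key and was not modified in transit.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// MacReceiverCanForge shows why a MAC cannot give non-repudiation: the gateway
// holds the same key as the sensor, so it can tag any message itself, and an
// auditor cannot tell which key holder originated a tagged reading.
func MacReceiverCanForge(sharedKey []byte) bool {
	tag := macTag(sharedKey, forgedReading) // computed by the gateway, not the sensor
	return macVerify(sharedKey, forgedReading, tag)
}

// SignReading runs on the sensor, which alone holds the Ed25519 private key.
func SignReading(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifyReading needs only the public key, so the gateway and any later auditor
// can both check the origin of a logged reading: this is non-repudiation.
func VerifyReading(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// ReceiverCannotForge: a gateway that knows only the sensor's public key can at
// best sign with some other key, which does not verify under the sensor's key.
func ReceiverCannotForge(sensorPub ed25519.PublicKey) bool {
	_, gatewayPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(gatewayPriv, forgedReading)
	return !ed25519.Verify(sensorPub, forgedReading, sig)
}

func main() {
	key := []byte("constructed-shared-key-32-bytes!") // constructed; real keys come from provisioning
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := SignReading(priv, genuineReading)
	fmt.Println(MacReceiverCanForge(key), VerifyReading(pub, genuineReading, sig), ReceiverCannotForge(pub))
}
```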

The requirements discussed above are related to information security. However, not only information needs to be protected, but there are security concerns related to individual IoT devices, entire IoT systems, and the services they provide as well. While information security requirements are often satisfied by using cryptographic tools, cryptography alone is not sufficient to achieve device, system, and service security. The typical security requirements relevant in this context are access control and authorization, ensuring the trustworthiness of computing, and protection against Denial-of-Service attacks:

6. Access control and authorization can be important in all IoT application domains, in particular if the underlying IoT system and the services it provides are not meant to be publicly available or available for free. Clearly, one would not like to give a stranger free access to his home automation system. Similarly, access to security and surveillance services should be restricted to the owner or the operator of the building or location being physically protected by those services. Industrial automation and process control systems are not supposed to be accessible to entities that are not part of the industrial facility or its contractors, and healthcare IoT systems must also be restricted to the patient and authorized medical staff. Transport and retail IoT systems are meant to be available to the public, but certain parts of even those systems should still be restricted to their operators. In the retail case, consumers should not have access to the stock and order information of the retailer, whereas in the transport case, certain services should be authorized only for distinguished entities (e.g., emergency vehicles).

7. Trustworthy computing is a general requirement, and it means that one must be assured that the system and its services work as expected by the user at any time and in all conceivable situations. It is also a fundamental requirement, because if it cannot be satisfied, then other requirements, such as proper access control and authorization, cannot be satisfied either, or at least one would never be sufficiently assured that they are enforced properly. This is because system- and service-level security requirements are typically satisfied by implementing security mechanisms on the underlying computing platforms, and those implementations should be trustworthy. More specifically, the trustworthy computing requirement means that the computing environment on which the system runs and the services are provided is difficult for attackers to corrupt. This covers the requirement to protect IoT devices from being hacked or infected by malware. In addition, trustworthiness requires assurance, which means that not only is it difficult to compromise system components, but it is also possible to verify whether the system is still in a healthy state and, if it is not, to bring it back to a healthy state.

8. Denial-of-Service protection makes it difficult for attackers to render the services provided by the IoT system unavailable or substantially under-performing. This requirement is similar to availability of information, but here we require availability of services rather than just information. Also, this requirement complements the trustworthy computing requirement in the sense that making it difficult for attackers to corrupt services (i.e., modify them) may not be sufficient to ensure that those services are available at all. In other words, system components may be intact, and hence the service semantics may be unchanged, and yet the service may not be available. As an example, consider a typical DoS attack: the service is flooded with requests and overloaded, such that it cannot serve legitimate requests anymore. The service is still the same semantically, and the system components remain uncorrupted, yet the service became unavailable. Hence, the DoS protection requirement is needed besides the trustworthy computing requirement to fully express what we expect from a secure IoT system.
Protection against DoS attacks is important in all IoT application domains for two reasons. First, the very purpose of any IoT system is to provide some service; if this service can be rendered unavailable easily, then the entire IoT system becomes useless. Second, it is indeed rather easy to mount DoS-type attacks against any kind of IT system, because such attacks need neither access to the system nor corruption of the system components, as we explained above. As IoT systems consist of IoT devices that are often resource constrained, and they often operate in environments with special conditions, DoS attacks seem to be easier to carry out against IoT systems than against “traditional” IT systems.

Finally, we discuss privacy as another quite general requirement below:

9. Privacy means that human users can control how private information about them is stored, processed, and used in the IoT system and beyond. This requirement is relevant in application domains where the IoT system handles user-related private information. This is not the case in industrial automation and process control applications, but privacy issues must be considered in all other IoT application domains. In home and office automation applications, the generated data may reveal the users’ behavioral habits; in security and surveillance applications, as well as in transportation applications, data may reveal the users’ location; in retail applications, data may reveal user preferences towards certain types of products and also their shopping behavior; and finally, in healthcare applications, data may reveal the users’ illnesses or other types of medical problems. Essentially, as IoT is meant to make our everyday life easier by using embedded intelligence in everyday objects, it seems to be unavoidable that IoT systems observe humans and collect data about them. Even if this data collection is not explicitly targeted at collecting private information, whatever data such systems collect may contain a large amount of extractable private information. This is not a problem in itself, if privacy-preserving mechanisms are also provided to the users that help them keep control over how their private information is used by other entities. Hence, the privacy requirement does not postulate the complete elimination of obtaining private information from data generated by IoT systems, but rather it postulates the need for appropriate privacy-preserving mechanisms, and a privacy-by-design approach whenever possible (e.g., in the case of new systems just about to be created).

The take-away message from this post is that all traditional security requirements are relevant in IoT systems as well. Projects building IoT systems or developing services based on IoT systems should carefully address these requirements. In the IoTAC project, we put a special emphasis on security, and develop a security baseline that is applicable in a range of IoT applications, including smart homes, drones, road vehicles, and factories.

[1] https://threatpost.com/inside-story-sql-slammer-102010/74589/ (last visited: February 14th, 2021)

[2] https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/ (last visited: February 14th, 2021)

[3] https://www.cnbc.com/2019/07/30/five-of-the-biggest-data-breaches-ever.html (last visited: February 14th, 2021)

[4] https://www.mcclatchydc.com/news/nation-world/national/national-security/article201399274.html (last visited: February 14th, 2021)

[5] https://www.technologyreview.com/2006/02/15/229667/the-internet-is-broken/ (last visited: February 14th, 2021)

[6] https://ww6.makeuseof.com/tag/internet-of-things-botnets/ (last visited: February 14th, 2021)

[7] https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet/ (last visited: February 14th, 2021)
