Proceedings Article

Securing the Internet of Things: A Meta-Study of Challenges, Approaches, and Open Problems

TL;DR: This paper provides a systematic analysis of security issues of IoT-based systems, highlights a set of open problems, and gives a detailed description of each.
Abstract: The Internet of Things (IoT) is becoming a key infrastructure for the development of smart ecosystems. However, the increased deployment of IoT devices with poor security has already rendered them increasingly vulnerable to cyber attacks. In some cases, they can be used as a tool for committing serious crimes. Although some researchers have already explored such issues in the IoT domain and provided solutions for them, there remains the need for a thorough analysis of the challenges, solutions, and open problems in this domain. In this paper, we consider this research gap and provide a systematic analysis of security issues of IoT-based systems. Then, we discuss certain existing research projects to resolve the security issues. Finally, we highlight a set of open problems and provide a detailed description for each. We posit that our systematic approach for understanding the nature and challenges in IoT security will motivate researchers to address and solve these problems.
Citations
Journal Article
TL;DR: The purpose of this paper is to identify and discuss the main issues involved in the complex process of IoT-based investigations, particularly all legal, privacy and cloud security challenges, as well as some promising cross-cutting data reduction and forensics intelligence techniques.
Abstract: Today is the era of the Internet of Things (IoT). The recent advances in hardware and information technology have accelerated the deployment of billions of interconnected, smart and adaptive devices in critical infrastructures like health, transportation, environmental control, and home automation. Transferring data over a network without requiring any kind of human-to-computer or human-to-human interaction, brings reliability and convenience to consumers, but also opens a new world of opportunity for intruders, and introduces a whole set of unique and complicated questions to the field of Digital Forensics. Although IoT data could be a rich source of evidence, forensics professionals cope with diverse problems, starting from the huge variety of IoT devices and non-standard formats, to the multi-tenant cloud infrastructure and the resulting multi-jurisdictional litigations. A further challenge is the end-to-end encryption which represents a trade-off between users’ right to privacy and the success of the forensics investigation. Due to its volatile nature, digital evidence has to be acquired and analyzed using validated tools and techniques that ensure the maintenance of the Chain of Custody. Therefore, the purpose of this paper is to identify and discuss the main issues involved in the complex process of IoT-based investigations, particularly all legal, privacy and cloud security challenges. Furthermore, this work provides an overview of the past and current theoretical models in the digital forensics science. Special attention is paid to frameworks that aim to extract data in a privacy-preserving manner or secure the evidence integrity using decentralized blockchain-based solutions. In addition, the present paper addresses the ongoing Forensics-as-a-Service (FaaS) paradigm, as well as some promising cross-cutting data reduction and forensics intelligence techniques. 
Finally, several other research trends and open issues are presented, with emphasis on the need for proactive Forensics Readiness strategies and generally agreed-upon standards.

440 citations


Cites background from "Securing the Internet of Things: A ..."

  • ...For that reason, another huge part of the research is focused on the issue of securing the IoT domain [12]–[15]....


Journal Article
TL;DR: This review provides useful information and insights to researchers and practitioners who are interested in cybersecurity of IoT, including the current research of IoT cybersecurity, IoT cybersecurity architecture and taxonomy, key enabling countermeasures and strategies, major applications in industries, research trends and challenges.
Abstract: As an emerging technology, the Internet of Things (IoT) revolutionized the global network comprising of people, smart devices, intelligent objects, data, and information. The development of IoT is still in its infancy and many related issues need to be solved. IoT is a unified concept of embedding everything. IoT has a great chance to make the world a higher level of accessibility, integrity, availability, scalability, confidentiality, and interoperability. However, how to protect IoT is a challenging task. System security is the foundation for the development of IoT. This article systematically reviews IoT cybersecurity. The key considerations are the protection and integration of heterogeneous smart devices and information communication technologies (ICT). This review provides useful information and insights to researchers and practitioners who are interested in cybersecurity of IoT, including the current research of IoT cybersecurity, IoT cybersecurity architecture and taxonomy, key enabling countermeasures and strategies, major applications in industries, research trends and challenges.

337 citations


Cites background from "Securing the Internet of Things: A ..."

  • ...Attacks based on access level are active and passive attacks [38]–[40]....


Journal Article
TL;DR: A framework for IoT-enabled smart government performance is developed and applied to conduct case study analyses of digital technology policy, IoT cybersecurity policy, and IoT use in major application domains at the U.S. federal government level.

86 citations

Journal Article
02 Oct 2020-Sensors
TL;DR: It is argued that by adhering to the proposed requirements, an IoT system can be designed securely by achieving much of the promised benefits of scalability, usability, connectivity, and flexibility in a practical and comprehensive manner.
Abstract: There has been a tremendous growth in the number of smart devices and their applications (e.g., smart sensors, wearable devices, smart phones, smart cars, etc.) in use in our everyday lives. This is accompanied by a new form of interconnection between the physical and digital worlds, commonly known as the Internet of Things (IoT). This is a paradigm shift, where anything and everything can be interconnected via a communication medium. In such systems, security is a prime concern and protecting the resources (e.g., applications and services) from unauthorized access needs appropriately designed security and privacy solutions. Building secure systems for the IoT can only be achieved through a thorough understanding of the particular needs of such systems. The state of the art is lacking a systematic analysis of the security requirements for the IoT. Motivated by this, in this paper, we present a systematic approach to understand the security requirements for the IoT, which will help designing secure IoT systems for the future. In developing these requirements, we provide different scenarios and outline potential threats and attacks within the IoT. Based on the characteristics of the IoT, we group the possible threats and attacks into five areas, namely communications, device/services, users, mobility and integration of resources. We then examine the existing security requirements for IoT presented in the literature and detail our approach for security requirements for the IoT. We argue that by adhering to the proposed requirements, an IoT system can be designed securely by achieving much of the promised benefits of scalability, usability, connectivity, and flexibility in a practical and comprehensive manner.

86 citations


Cites background from "Securing the Internet of Things: A ..."

  • ...Requirements [152] [151] [148] [149] [147] [154] [145] [155] [156] [168] [169] [153] [143] [158] [157] [140] [160] [170]...


  • ...[157], and Park and Shin [158] listed IoT security requirements that include data integrity, information protection, anonymity, non-repudiation and data freshness (i....


Posted Content
TL;DR: In this article, the authors present the findings of the analysis of the state of the art conducted as part of the JRC research on "Exploring Digital Government Transformation in the EU: understanding public sector innovation in a data-driven society" (DIGIGOV), within the framework of the "European Location Interoperability Solutions for eGovernment (ELISE)" Action of the ISA2 Programme on interoperability solutions for public administrations, businesses and citizens, coordinated by DIGIT.
Abstract: This report presents the findings of the analysis of the state of the art conducted as part of the JRC research on "Exploring Digital Government Transformation in the EU: understanding public sector innovation in a data-driven society" (DIGIGOV), within the framework of the "European Location Interoperability Solutions for eGovernment (ELISE)" Action of the ISA2 Programme on Interoperability solutions for public administrations, businesses and citizens, coordinated by DIGIT. The results of the review of literature, based on almost 500 academic and grey literature sources, as well as the analysis of digital government policies in the EU Member States provide a synthetic overview of the main themes and topics of the digital government discourse. The report depicts the variety of existing conceptualisations and definitions of the digital government phenomenon, measured and expected effects of the application of more disruptive innovations and emerging technologies in government, as well as key drivers and barriers for transforming the public sector. Overall, the literature review shows that many sources appear overly optimistic with regard to the impact of digital government transformation, although the majority of them are based on normative views or expectations, rather than empirically tested insights. The authors therefore caution that digital government transformation should be researched empirically and with a due differentiation between evidence and hope. In this respect, the report paves the way to in-depth analysis of the effects that can be generated by digital innovation in public sector organisations. A digital transformation that implies the redesign of the tools and methods used in the machinery of government will require in fact a significant change in the institutional frameworks that regulate and help coordinate the governance systems in which such changing processes are implemented.

47 citations

References
Journal Article
TL;DR: This survey is directed to those who want to approach this complex discipline and contribute to its development, and finds that still major issues shall be faced by the research community.

12,539 citations


"Securing the Internet of Things: A ..." refers background in this paper

  • ...The Internet of Things (IoT) [1] represents a global information network of our everyday devices, such as appliances and automotive, and provides an intelligent framework with...


Journal Article
TL;DR: Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers.
Abstract: In this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBAC's utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system level functionality in support of session attribute management and an access control decision process.

2,529 citations


"Securing the Internet of Things: A ..." refers background in this paper

  • ...The widespread mechanisms for restricting access to authorized users are as follows: Role-based Access Control (RBAC) [21] and Capability-based Access Control (CapBAC) [16, 22–28]....


  • ...However, RBACs are widely used for human-to-things communication, but they are not suitable for things-to-things communication....



Report
01 Jun 2014
TL;DR: The Constrained Application Protocol is a specialized web transfer protocol for use with constrained nodes and constrained networks, designed for machine-to-machine (M2M) applications such as smart energy and building automation.
Abstract: The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.

2,412 citations


"Securing the Internet of Things: A ..." refers methods in this paper

  • ...The Constrained application protocol (CoAP) [13], a new proposed standard for the IoT, runs over UDP and implements the Datagram Transport Layer Security (DTLS) to achieve end to end security....


Book
21 Dec 2009
TL;DR: 6LoWPAN: The Wireless Embedded Internet is an invaluable reference for professionals working in fields such as telecommunications, control, and embedded systems, and advanced students and teachers in electrical engineering, information technology and computer science will also find this book useful.
Abstract: "It is stunningly thorough and takes readers meticulously through the design, configuration and operation of IPv6-based, low-power, potentially mobile radio-based networking." Vint Cerf, Vice President and Chief Internet Evangelist, Google. This book provides a complete overview of IPv6 over Low Power Wireless Area Network (6LoWPAN) technology. In this book, the authors provide an overview of the 6LoWPAN family of standards, architecture, and related wireless and Internet technology. Starting with an overview of the IPv6 Internet of Things, readers are offered an insight into how these technologies fit together into a complete architecture. The 6LoWPAN format and related standards are then covered in detail. In addition, the authors discuss the building and operation of 6LoWPAN networks, including bootstrapping, routing, security, Internet integration, mobility and application protocols. Furthermore, implementation aspects of 6LoWPAN are covered. Key Features: Demonstrates how the 6LoWPAN standard makes the latest Internet protocols available to even the most minimal embedded devices over low-rate wireless networks. Provides an overview of the 6LoWPAN standard, architecture and related wireless and Internet technology, and explains the 6LoWPAN protocol format in detail. Details operational topics such as bootstrapping, routing, security, Internet integration, mobility and application protocols. Written by expert authors with vast experience in the field (industrial and academic). Includes an accompanying website containing tutorial slides, course material and open-source code with examples (http://6lowpannet). 6LoWPAN: The Wireless Embedded Internet is an invaluable reference for professionals working in fields such as telecommunications, control, and embedded systems. Advanced students and teachers in electrical engineering, information technology and computer science will also find this book useful.

689 citations


"Securing the Internet of Things: A ..." refers background in this paper

  • ...2: Comparison between Web stack and IoT stack [5]....


01 Sep 2011
TL;DR: This document specifies an IPv6 header compression format for IPv6 packet delivery in Low Power Wireless Personal Area Networks (6LoWPANs) and a framework for compressing next headers.
Abstract: This document updates RFC 4944, "Transmission of IPv6 Packets over IEEE 802.15.4 Networks". This document specifies an IPv6 header compression format for IPv6 packet delivery in Low Power Wireless Personal Area Networks (6LoWPANs). The compression format relies on shared context to allow compression of arbitrary prefixes. How the information is maintained in that shared context is out of scope. This document specifies compression of multicast addresses and a framework for compressing next headers. UDP header compression is specified within this framework. [STANDARDS-TRACK]

569 citations


"Securing the Internet of Things: A ..." refers methods in this paper

  • ...[19] used a 6LoWPAN header-compression technique to reduce the size of the DTLS headers [20]....
