Internet of Things (IoT) is an advanced automation and analytics system that uses an ecosystem of networking, sensors and actuators, a big data analysis engine, cloud computing, and intelligent technologies to deliver services. IoT will interconnect all objects, living or nonliving. But the interconnected world so developed must be secured against looming threats to the CIA triad of security (confidentiality, integrity, and availability). Areas of research such as security standards formulation, security principles and design rules, secured communication protocols, and interoperability of devices are being explored, keeping in mind zero-day attacks and ever-growing cyber threats, to ensure secured communication amongst all devices. The number of connected devices will exceed 50 billion by the year 2020. IoT will pave the way for living and nonliving beings to be part of an ecosystem for exchanging information using unique IP addresses.
The layers present in the IoT architecture are as follows:
- Perception Layer – It consists of smart devices such as sensors and actuators which capture physical information and then transfer it in the form of electrical signals to the digital world.
- Cloud/Internet Layer – It stores all the data collected from LANs and WANs. The data can also be collected from 2G/3G/4G mobile networks etc. The data in the cloud is stored on remotely located servers.
- Application Layer – It collects all the data from the cloud/Internet layer. The data in this layer is used for planning of retail, healthcare, and transport system design using big data analysis.
IoT plays an important role in various fields like:
- Smart Life – By providing health care with a new patient-centric model, innovative models for banking and finance, and efficient and convenient delivery of public services. One example is a wearable IoT tracker band which includes features like activity tracking, food logging, coaching, and tracking sleep patterns. IoT-enabled home appliances can notify us when supplies are short and order them on their own.
- Smart City – By providing smart management of infrastructure, smart metering and grid management, smart surveillance, safer and automated transportation, and smarter energy management systems. One example is the Bigbelly smart waste and recycling system, a waste management system that helps with smart trash pick-up, helps in avoiding overflows, and generates other notifications to help cities manage waste and stay cleaner.
- Smart Manufacturing – By optimizing supply chain operations, rapid prototyping and manufacturing, improved processes, and intelligent decision making. One example is the Embedded Data Collector (EDC) from Smart Structures. It works by embedding sensors in the concrete during the pouring and curing process. The sensors provide vital information about concrete strength and quality directly to the Smart Structures Work Station.
- Smart Mobility – By helping in the design of autonomous cars, smart traffic management, efficient distribution, and logistics. Examples include connected cars that optimize their own operation and maintenance, as well as the comfort of passengers, using on-board sensors and Internet connectivity.
Different Types of Cyber Attacks to IoT
IoT has opened the floodgates for new opportunities, but we must ensure the CIA triad for data at rest and in motion. Security breaches in IoT can lead to various types of attacks, which include:
- Denial of Service (DoS) attack: This happens when a service that would usually work is made unavailable.
- Botnets: A botnet (robot network) is a network of systems combined together for the purpose of remotely taking control and distributing malware.
- Access Attack: Unauthorized persons gain access to networks or devices which they have no right to access. The access can be physical or remote.
- Privacy Attack: The most common attacks on user privacy are:
  - Cyber Espionage: Using cracking techniques and malicious software to spy on or obtain secret information of individuals, organizations, or the government.
  - Eavesdropping: Secretly listening to a conversation between two parties.
  - Password-based attack: Intruders attempt to duplicate a valid user password. This attempt can be made in two different ways: a dictionary attack or a brute force attack.
- Destructive Attack: Cyberspace is used to create large-scale disruption and destruction of life and property. An example of destructive attacks is terrorism.
- Cybercrime: Exploiting users and data for materialistic gain, such as intellectual property theft, identity theft, brand theft, and fraud.
IoT Security Principles
There are six principles of IoT cyber security:
- Secure Device (Hardware) – The device layer refers to the hardware level of the IoT solution. Manufacturers use chip security in the form of TPMs (trusted platform modules) that act as a root of trust by protecting sensitive information and credentials (i.e., not releasing encryption keys outside the chip). Secure boot can be used to ensure that only verified software will run on the device.
  - Device Intelligence – On-device security and privacy-preserving mechanisms should be enabled. Secured connectivity must be powered by a smart device which is able to handle security, encryption, authentication, timestamps, caching, proxies, firewalls, connection loss, etc. Devices must be robust and rugged and able to operate in the field with limited support.
  - Edge Processing – It is a method of optimizing a cloud computing system by performing data processing at the edge of the network, near the source of the data. Local processing reduces the data load on the cloud. It also provides additional security because sensitive information is not sent to the cloud.
- Secure Communication – It refers to the connectivity networks over which the data is securely transmitted and received. Data-centric solutions such as encrypting data in transit and data at rest are used, along with firewalls and intrusion prevention systems that examine traffic flows.
  - Device-Initiated Connection – The device should initiate the connection to the cloud, and not the reverse, because opening a firewall port exposes the network to security risks. The device must not allow incoming connections, because connected devices should act as clients and not as servers.
  - Message Control – Lightweight message-based protocols have a number of distinct advantages that make them a good choice for IoT devices, including options for double encryption, queuing, filtering, and even sharing with third parties. With correct labelling, each message can be handled according to the appropriate security policy.
- Secure Cloud – The cloud layer is the software backend of the IoT solution, that is, where data from devices is ingested, analyzed, and interpreted at scale to generate insights and perform actions. Cloud security includes encrypting sensitive information, verifying the identity of other cloud service providers, using digital certificates for identification and authentication, etc.
  - Identification, Authentication, and Encryption – Two-step authentication must be used for humans; for machines, however, we must use digital certificates based on cryptographic identification that not only provide authentication for any transaction, but also encrypt the channel from device to cloud before the authentication takes place.
- Secure Lifecycle Management – It is an overarching layer of continuous processes required to keep the security of an IoT solution up to date, that is, ensuring sufficient security levels are in place from the device manufacturing stage and initial installation to the disposal of things. Regular security patches must be applied to avoid zero-day attacks, stay up to date, strengthen resistance against attack, and fix possible vulnerabilities.
  - Remote Control and Updates of Devices – It is required for allowing remote diagnostics, setting a new configuration, updating buggy software, retrieving files, resetting a machine learning algorithm with a new set of learning data, adding new functionality to a product, and more.
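The Message Control principle, combined with the timestamp and authentication duties listed under Device Intelligence, can be sketched as follows. This is an added example, not code from the original article: the device seals each message with a label, a timestamp and an authentication tag, and the cloud side authenticates it, checks freshness, and only then applies the policy for that label. The label names, policy fields, 30-second window and per-device HMAC key (a standard-library stand-in for the certificate-based identity the article recommends) are assumptions.

```python
import hashlib, hmac, json, time

# Assumed policy table: labels and fields are hypothetical, not from the article.
POLICY = {
    "telemetry": {"must_encrypt": False, "share_third_party": True, "queue": "bulk"},
    "health": {"must_encrypt": True, "share_third_party": False, "queue": "priority"},
}
MAX_SKEW_SECONDS = 30  # assumed freshness window for the timestamp check


def _tag(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of the envelope fields."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal(key, device_id, label, payload, encrypted, now=None):
    """Device side: build a labelled, timestamped, authenticated envelope.

    `encrypted` records whether `payload` is ciphertext; encryption itself is
    out of scope here. The per-device key stands in for a device certificate.
    """
    body = {"device": device_id, "label": label, "encrypted": bool(encrypted),
            "ts": int(time.time() if now is None else now), "payload": payload}
    return {**body, "tag": _tag(key, body)}


def handle(keys, msg, now=None):
    """Cloud side: authenticate, check freshness, then apply the label's policy."""
    now = time.time() if now is None else now
    key = keys.get(str(msg.get("device")))
    body = {k: v for k, v in msg.items() if k != "tag"}
    sent_tag = str(msg.get("tag", "")).encode()
    if key is None or not hmac.compare_digest(_tag(key, body).encode(), sent_tag):
        return ("reject", "bad-auth")  # unknown device or modified envelope
    ts = msg.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
        return ("reject", "stale")  # replayed or delayed message
    policy = POLICY.get(str(msg.get("label")))
    if policy is None:
        return ("reject", "unknown-label")  # default deny for unlabelled traffic
    if policy["must_encrypt"] and msg.get("encrypted") is not True:
        return ("reject", "plaintext-not-allowed")
    return ("accept", policy)
```

Because the label is covered by the tag, an intermediary cannot relabel a message to move it under a weaker policy without failing authentication.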
Considering the importance of the CIA triad in the implementation of IoT, the Department of Telecommunications (DoT), Government of India, has also amended the Indian Telegraph rules. All telecom equipment used by operators in Indian telecom networks will have to undergo mandatory testing and be certified by authorized agencies as per specified norms from 1 October 2018. DoT is working closely in the domain of physical security of IoT devices. DoT has a national working group which is actively working on developing IoT and its applications.