The Internet of Things (IoT) paradigm refers to the network of physical objects or “Things” embedded with electronics, software, sensors, and connectivity to enable objects to exchange data with servers, centralised systems, and/or other connected devices based on a variety of communication infrastructures. IoT makes it possible to sense and control objects creating opportunities for more direct integration between the physical world and computer-based systems.
The Internet of Things (IoT) is a revolution in the making. More things and more devices are getting connected to the Internet than people. It goes on to say that more than 25 billion devices are expected to be connected by the year 2016 and more than 50 billion are slated to be connected by the year 2020. Forecasts by McKinsey & Company estimate that the economic impact of IoT technology by the year 2025 will range from 2.7 to 6.2 trillion dollars. The adoption of IoT for areas including home monitoring and control, wearable technologies, and connected cars has already started.
When IoT is augmented with sensors and actuators, IoT is able to support cyber-physical applications by which networked objects can impact the physical environment by taking “physical” actions. IoT will usher automation in a large number of domains, ranging from manufacturing and energy management (e.g. Smart Grid), to healthcare management and urban life (e.g. Smart City). At the enterprise level, adoption is active for building management, fleet management, hospital management, retail, telecom, and energy sectors. Operational technology has been long adopted by Power Grids, Oil & Gas, Utilities, Nuclear Plants and Traffic Control.
IoT is rapidly evolving, at the same time IoT devices that connect to the Internet are exponentially expanding the attack surface for hackers and enemies. In recent studies, it has emerged that 70 percent of IoT devices contain serious vulnerabilities. There is undeniable evidence that our dependence on interconnected technology is defeating our ability to secure it.
Despite the huge positive impact IoT has on the lives of individuals, the risks which accompany this technology can act as a significant hurdle in its adoption. Security issues in IoT are especially a point of concern as they have the power to cause physical destruction, harm lives and also cause financial impact. There’s no denying the importance of IoT security. Depending upon the industry and application, companies using IoT technology are at risk of possible exposure to a range of threats stemming from hacktivism, terrorism, and cyber warfare.
Privacy is a serious concern not just in the IoT, but in all the applications, devices or systems where we share information. Even when users take precautions to secure their information, there are conditions that are beyond their control. Hackers can now craft attacks with unprecedented sophistication and correlate information not just from public networks, but also from different private sources, such as cars, smartphones, home automation systems and even refrigerators.
Risks of IoT
IoT risk factor is unique since it brings together many leading-edge technologies including cloud computing, mobility, and big data, in addition, to IoT sensors, gateways, and management platforms. IoT security, therefore, includes risk areas that the cyber security industry is still learning to resolve including cloud and mobility. IoT security also includes unknown risk areas in the form of IoT sensors, protocols, gateways, and management platforms. Add to this the regular IT systems that IoT platforms integrate with and you get a complex mix of risk areas that should be protected.
IoT devices do not have well-defined perimeters, are highly dynamic and continuously change because of mobility. In addition, IoT systems are highly heterogeneous with respect to communication mediums and protocols, platforms, and devices. IoT systems may also include “objects” not designed to be connected to the Internet.
IoT will further complicate the cyber security challenges that we already have at hand, including the challenge of detecting unknown attacks. The OWASP Internet of Things (IoT) Project has identified the most common IoT vulnerabilities and has shown that many such vulnerabilities arise because of the lack of adoption of well-known security techniques, such as encryption, authentication, access control, and role-based access control. OWSAP’s list of vulnerabilities is as follows:
- Insecure Web Interface
- Insufficient authentication or authorization
- Insecure network services
- Lack of transport encryption
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configuration
- Insecure software or firmware
- Poor physical security
A reason for the lack of adoption may certainly be security unawareness by IT companies involved in the IoT space and by end-users. However, another reason is that existing security techniques, tools and products may not be easily deployed to IoT devices and systems, for reasons such as the variety of hardware platforms and limited computing resources on many types of IoT devices. Even well-known encryption protocols, such as RSA, prove to be very expensive when running on devices with limited computing capabilities especially when multiple encryption operations have to be executed concurrently such as in the case of networked vehicles and small drones.
A recent study of some of the most common IoT devices reveals an alarmingly high average number of vulnerabilities per device. On average, 25 vulnerabilities were found per device. For example, 80% of devices failed to require passwords of sufficient complexity and length, 70% did not encrypt local and remote traffic communications, and 60% contained vulnerable user interfaces and/or vulnerable firmware.
Changing Canvas of Cyber Attacks in IoT
Cyber Attacks in IoT devices disrupt normal operations by exploiting vulnerabilities using various techniques and tools. An attack itself may come in many forms, including active network attacks to monitor un-encrypted traffic in search of sensitive information; passive attacks such as monitoring unprotected network communications to decrypt weakly encrypted traffic and get authentication information; close-in attacks; exploitation by insiders, and so on. Common cyber-attack types are:
(a) Physical Attacks: Due to the unattended and distributed nature of the IoT, most devices typically operate in outdoor environments, which are highly susceptible to physical attacks.
(b) Reconnaissance Attacks: The attacker does unauthorized scanning of network ports, packet sniffers, traffic analysis, and sending queries about IP address information.
(c) Denial-of-Service (DoS): Due to low memory capabilities and limited computation resources, the majority of devices in IoT are vulnerable to resource enervation attacks.
(d) Access Attacks: There are two different types of access attacks viz -physical access, whereby the intruder can gain access to a physical device, and secondly is remote access, which is done to IP-connected devices.
(e) Attacks on Privacy: Privacy protection in IoT has become increasingly challenging due to large volumes of information easily available through remote access mechanisms. The most common attacks on user privacy are:
- Data mining
- Cyber espionage
- Eavesdropping
- Tracking
- Password-Based Attacks
- Dictionary Attack
- Brute force Attacks
Supervisory Control and Data Acquisition (SCADA) Attacks: As any other TCP/IP systems, the SCADA system is vulnerable to many cyber-attacks. The system can be attacked in any of the following ways:
- Using denial-of-service to shut down the system.
- Using Trojans or viruses to take control of the system. For instance,
- in 2008 an attack was launched on an Iranian nuclear facility in Natanz using a virus named Stuxnet.
Cyber Security Measures for IoT
To succeed with the implementation of efficient IoT security, the following security measures should be incorporated:
- Confidentiality is an important security feature in IoT, but it may not be mandatory in some scenarios where data is presented publicly. For instance patient data, private business data, and/or military data as well as security credentials and secret keys, must be hidden from unauthorized entities.
- To provide reliable services to IoT users, integrity is a mandatory security property in most cases. Different systems in IoT have various integrity requirements. For instance, a remote patient monitoring system will have high integrity checking against random errors due to information sensitivities. Loss or manipulation of data may occur due to communication, potentially causing the loss of human lives.
- Authentication and Authorisation. Ubiquitous connectivity of IoT aggravates the problem of authentication because of the nature of IoT environments, where possible communication would take place between the device to device (M2M), human to the device, and/or human to human. Different authentication requirements necessitate different solutions in different systems. Some solutions must be strong, for example, the authentication of bank cards or bank systems. On the other hand, most will have to be international, e.g., ePassport, while others have to be local.
- Availability. A user of a device (or the device itself) must be capable of accessing services anytime, whenever needed. Different hardware and software components in IoT devices must be robust so as to provide services even in the presence of malicious entities or adverse situations. For instance, fire monitoring or healthcare monitoring systems would likely have higher availability requirements than roadside pollution sensors.
- Accountability. When developing security techniques to be used in a secure network, accountability adds redundancy and responsibility of certain actions, duties and planning of the implementation of network security policies. Accountability itself cannot stop attacks but is helpful in ensuring the other security techniques are working properly.
- Auditing. Due to many bugs and vulnerabilities in most systems, security auditing plays an important role in determining any exploitable weaknesses that put the data at risk. In IoT, a system’s need for auditing depends on the application and its value.
- Non-repudiation. The property of non-repudiation produces certain evidence in cases where the user or device cannot deny an action. Non-repudiation is not considered an important security property for most IoT. It may be applicable in certain contexts, for instance, payment systems where users or providers cannot deny a payment action