Professional Documents
Culture Documents
IoT SECURITY
PROTECTING THE NETWORKED SOCIETY
The Internet of Things (IoT) is expanding rapidly, and is expected to comprise 18
billion connected devices by 2022. But the assumptions of trust which formed the
backdrop to the early development of the internet no longer apply in the early stages of IoT
development. Privacy and security concerns are ever increasing, especially given the
growing significance of IoT in corporate, government, and critical infrastructure
contexts. Likewise, the commodification of IoT components incorporated across
diverse product ranges and deployed in both managed and unmanaged use cases brings
significant security challenges and creates potential for novel types of attack. The
proactive cooperation of all key stakeholders will be necessary to realize the
considerable economic benefits of the IoT, while protecting security, safety, and privacy.
INTRODUCTION
The Internet of Things (IoT) is rapidly emerging as the manifestation of the Networked Society
vision: where everything that benefits from a connection is connected. Yet this far-reaching
transformation is only just beginning, and the number of connected IoT devices is expected to
grow by 21 percent annually, rising to 18 billion between 2016 and 2022 [1]. The IoT consists of
multiple ecosystems, each with different requirements and capabilities. At one end of the
spectrum, there are constrained sensors made of printed electronics; at the other end, autonomous
vehicles such as trucks, trains, and aircraft. In addition, usage scenarios range from temperature
monitoring to mission-critical industrial control systems.
The internet began in an environment of mutual trust, where everyone could read, change, or
inject information. But the IoT is taking off in a hostile environment, where the expectations of
the general public and governments regarding security and privacy are very high, and information
security is a top concern among enterprises adopting IoT [2]. The IoT therefore needs to be
secure from the start, protecting personal information, company secrets, and critical infrastructure.
Regulators need to walk a fine line between protecting privacy, safeguarding national security,
stimulating economic growth, and benefiting society as a whole [3].
The IoT brings a new set of issues, such as the security, safety, and robustness of cyber-
physical systems. Novel types of attack, as well as new privacy and cybersecurity regulations,
may take many industries by surprise. Yet the economic benefits of the IoT as an enabler for
analytics, automation, and process and resource optimization cannot be overstated. To succeed
with the transformation that the IoT brings about, industries need to gather competence and
understand new threats and how to mitigate them.
This white paper provides an insight into the major security and privacy challenges due to be
met in the Networked Society. Specifically, it addresses security, safety, and privacy in the entire
IoT value chain, which includes devices, networks, cloud, infrastructure, applications, and
services. The paper also identifies the main security challenges and approaches that need to be
taken in the IoT sphere to withstand attacks, and discusses how IoT security and privacy need
to be addressed through technology, standardization, and regulation.
Machines Not
taking knowing
Physical Unable over the how to use
safety to repair Earth them
No
tangible
Privacy Security
benefits
62% 54% 27% 24% 21% 17%
11%
The wealth of information in clouds and devices – sometimes in exposed locations – increases
the risks of industrial espionage and the surveillance and tracking of people. In the IoT, individual
pieces of information may not reveal much, but the magnitude of data could make it possible to
determine company processes through the use of analytics. Even if traffic is encrypted, meaningful
patterns may be revealed through the analysis of that traffic.
REE TEE
Messages
Public peripherals Trusted peripherals
Platform hardware
Connections (billion)
50
40
30
20
Things
10
People
Places
0
1900 1990 2000 2010 2020
Protected response
Endpoint Proxy/ Protected
gateway response
Endpoint(s)
End-to-end security
LTE-M simplified term for LTE-MTC LPWA (Long Term Evolution Machine Type
Communication Low Power Wide Area)
[5] Fireeye iSIGHT Intelligence, Overload: Critical lessons from 15 years of ICS vulnerabilities,
available at:
http://www2.fireeye.com/rs/848-DID-242/images/ics-vulnerability-trend-report-final.pdf
[6] Industrial Internet Consortium, Industrial Internet of Things, Volume G4: Security Framework,
September 2016, available at: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB.pdf
[7] The New York Times, Hackers Used New Weapons to Disrupt Major Websites Across U.S.,
available at: http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html
[8] Mobile Ecosystem Forum, The Impact of Trust on IoT, available at:
http://mobileecosystemforum.com/initiatives/analytics/iot-report-2016
[10] European Commission, Cybersecurity Strategy of the European Union: An Open, Safe and
Secure Cyberspace, available at:
https://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf
[11] Ericsson, Cellular Networks for Massive IoT, January 2016, available at:
https://www.ericsson.com/res/docs/whitepapers/wp_iot.pdf
[13] Ericsson, 5G Security – Scenarios and Solutions, June 2015, available at:
https://www.ericsson.com/res/docs/whitepapers/wp-5g-security.pdf
[14] Persson et. al., Calvin – Merging Cloud and IoT, available at:
http://www.sciencedirect.com/science/article/pii/S1877050915008595
[15] IETF, Authentication and Authorization for Constrained Environments (ACE), available at
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz