303 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 04, April, 2016
Available at http://www.ijcsonline.com/
Security Consideration in IoT Implementation
Linda Nur Afifa^A, Azhari^B
^A Informatics Department, Darma Persada University, Indonesia
^B Computer Science Department, Gadjah Mada University, Indonesia
Abstract
IoT is machine-to-machine (M2M) communication over wired or wireless links without human intervention. Security guarantees and data integrity are needed when devices and sensors are connected to the network. Security aspects such as confidentiality, integrity and availability (CIA) are necessary for IoT implementation. This paper reviews security in every layer of the IoT. To ensure the confidentiality, integrity and availability of the IoT, this paper proposes security considerations for the sensing layer, transport layer and application layer. These considerations can be used to complement previous research and to raise awareness before IoT is implemented in organizations or by individuals.
Keywords: IoT, Security, Integrity, Confidentiality, Availability.
I. INTRODUCTION
The Internet of Things (IoT) is all about the “things”, which can be devices or sensors that are both smart and connected, with the ability to collect and share data without human intervention [1]. Another source defines the IoT as several tiny devices connected together to form a collaborative computing environment [2]. The IoT is also considered a part of the internet of the future and will comprise billions of intelligent communicating “things” [3]. According to [4], a decade ago there were about 500 million devices connected to the internet; in 2015 there are 10 to 20 billion, and in five years there could be 40 to 50 billion.
As the number of IoT devices grows rapidly, the data volume grows as well. Every industry and individual company stands to gain and prosper by implementing IoT into their business model [4]. The rise of IoT means we are at the start of a new age of data. IoT objects capture data via sensors and transmit data via the internet. Connected “things” are producing large amounts of information [1]. According to the Norwegian research organization SINTEF in [4], 90 percent of the world’s data has been generated over the past two years, and every second over 205.000 new gigabytes are created, which is the equivalent of 150 million books. This is the amount of data created in a world with 10 to 20 billion connected and sensorized objects.
The problem above is one of the big challenges in IoT and an opportunity for industries and developers. The rapid growth of IoT brings multiple security challenges. The key IoT security challenges [5] are as follows:
- Every single device and sensor in the IoT represents a potential risk.
- Trust and data integrity. With data coming from all manner of connected sensors in the IoT, how sure can an organisation be that the data has not been interfered with?
- Data collection, protection and privacy. Data collected by connected devices needs to be safeguarded from exploitation by cybercriminals.
To address the issues discussed above, we reviewed the security problems in IoT. The rest of this paper is organized as follows. Section II presents the state of the art in IoT security. Section III is the discussion, and we conclude the work of this paper in section V.
II. STATE OF THE ART IOT SECURITY
The rapid growth of small internet-connected devices (IoT) is creating a new set of security challenges. Based on recommendations from research, some attacks that are possible on IoT devices are shown in Table 1. In the matrix, security is categorized by security characteristic and by scene [6]. According to this matrix, the problems above can be classified into device/hardware, network and cloud/server-side vulnerabilities.
Table 1. Matrix of Security Challenges for The IoT [6]
Privacy, cyber breaches and liability are also identified as the biggest risks that come with IoT [4]. Microsoft, however, offers another point of view on the IoT: connected “things” produce large amounts of information, and by tapping into those data streams and connecting them to the cloud and back-end systems, organizations can optimize business processes, make more informed decisions and identify new revenue opportunities [1].
Research has been conducted to reduce risks and vulnerabilities in IoT. To ensure confidentiality, the cipher algorithms RSA, ECC, AES and 3DES are implemented to encrypt information. In addition, non-repudiation, availability and authenticity are guaranteed by communication protocols like IPSec [2]. Furthermore, to provide security at the physical or execution level, a processing unit capable of executing applications in a protected manner, called a Secure Execution Environment (SEE), has been built [2]. To protect against RFID tag attacks and data leakage, the “block tag” method has been proposed by Juels. On the other hand, low-cost symmetric-key cryptography algorithms such as the Tiny Encryption Algorithm (TEA) and the Advanced Encryption Standard (AES) have been proposed to protect data exchange [3].
Security issues corresponding to each layer of the IoT architecture have been discussed, as shown in Table 2 [7]. A security layering model is also mentioned in [8], where the potential security problems are analysed according to the perception layer, network layer and application layer. Some security measures were proposed, such as adding IoT middleware, encryption/decryption mechanisms and access control.
Table 2. Construction of Secure IoT Application [7]
When we talk about the Internet of Things, all devices and sensors communicate with one another. They communicate over wired and wireless links without human intervention. In order to interoperate with the internet and support machine-to-machine (M2M) communication, Internet Protocol version 6 (IPv6) over Low power Wireless Personal Area Networks (6LoWPAN) was standardized [9]. 6LoWPAN has some vulnerabilities, and much research has proposed methodologies to reduce the risk: an intrusion detection system (IDS) aims at denial of service (DoS) detection, while protocol composition logic (PCL) and formal verification using the Simple Promela Interpreter (SPIN) can prevent malicious attacks including replay attacks, man-in-the-middle attacks, impersonation, etc. [9]. Intrusion detection of Sinkhole attacks on 6LoWPAN for Internet of Things (INTI) has also been proposed to identify sinkhole attacks on routing services in IoT [10]. Integrating IFTTT (internet services) provides an integrated interface between smart home devices and users that can send notifications to the user and communicate with other smart homes [11].
The IoT vision of the future is a connected world. Realizing this vision involves requirements such as accessibility and connectivity, dynamic management, maximum resource utilization and personalization [12]. Cloud computing is the answer to the above issues and offers high reliability for supporting massive scale and long-term storage of data [13]. The many connections and the stored data are security challenges. A secure cloud architecture has been proposed to address these security challenges, depicted in Fig. 1 [14]. The Advanced Encryption Standard (AES) has been applied at the different sharing levels of IoT data to ensure secure transmission over the network and even while the data resides on the cloud platform [15]. Communication in the cloud-IoT environment is also potentially vulnerable: an intruder can interrupt the ongoing communication either between the IoT devices or between the IoT network and the cloud interface [16].
[Figure 1 labels: Cloud Device and Context Sensing Domain; P2P PZH; Cloud Trusted Domain; Copy PZH; Trusted Link; Service; Storage; Cloud Services and Storage Domain]
Fig 1. Cloud Architecture Domain [14]
Many considerations should be addressed in the cloud when data is transmitted, stored and accessed. To secure communication, communication technology such as Transport Layer Security (TLS), which uses cryptography, is required to prevent unauthorised access to data or metadata [17]. Accessing particular data (a file, record, data stream) in a cloud raises access control problems [17].

| IoT Layer | Terminology | Security Necessity |
|---|---|---|
| Application Layer | Information Application Security | Implementing data protection, data backup and recovery mechanisms. To secure the database, data security management and encryption/decryption algorithms must be applied. |
| Middleware Layer | Information Processing Security | Authenticity, confidentiality and integrity during the phase of data acquisition. The key management protocol in the perception layer needs to be strengthened. Adopted routing policies to ensure authentic route discovery and effective network security. Leveraging sensor node authentication policies to prevent data access by unauthorized and malicious users. |
| Network Layer | Information Transmission Security | Implementing DDoS attack detection and prevention. Leveraging authentication mechanisms, key management and negotiation mechanisms, and intrusion detection mechanisms to make the network immune against |
| Perception Layer | Physical Security | RFID security policy: data encryption, blocker tag, tag frequency modification, jamming, kill order policy. Sensor network security policy: key distribution policies, intrusion detection mechanisms, security routing policies. Sensor terminals security policies: cryptographic algorithms, identity authentication policies, data flow control policies, data filtering mechanisms. |
III. DISCUSSION
Critical points are found in each layer of the IoT. The general network architecture of the IoT is divided into several layers: the sensing layer, transport layer and application layer, depicted in Fig. 2 [18]. In every layer, security aspects such as integrity, confidentiality and availability should be ensured.
By definition, integrity is the property that data has not been altered in an unauthorized manner [19], and it can be achieved in the transport layer. Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes. The next security aspect is availability, which means that all parts of the IoT which store and process the information, the security controls that protect it, and the communication channels used to access it must be functioning correctly [20] [21].
Fig 2. Layer architecture of IoT [18]
A data explosion arises once IoT has been implemented. Integrity, confidentiality and availability are the important aspects that must be in place when data is produced at an IoT device and transmitted over the network. IoT security in general has been discussed in the previous section. In accordance with the objectives, some appropriate security considerations are summarised in Table 3. The list describes the things that should be applied during the implementation of IoT. In addition, it supplements the previous research shown in Table 2.
Table 3. Security Consideration in IoT Layer

| Layer | Consideration | Security Focus |
|---|---|---|
| Sensing | Additional protocol to deal with interception, interruption and modification [22] | Authentication, authorization |
| Sensing | Need for Public Key Infrastructure authentication protocols [22] | Confidentiality, integrity |
| Sensing | Malicious things | Confidentiality |
| Transport | Suitable security algorithm within the network [23] | Confidentiality, Integrity |
| Transport | Need for the Transport Layer Security (TLS) protocol to prevent eavesdropping and data leakage, and to protect data from corruption/interference [17] | Integrity, Authentication |
| Transport | Provide security as authentication and encryption mechanism [24] | Confidentiality, Integrity |
| Application | Secure access control system [25] | Confidentiality |
| Application | Required program installation and management to prevent malware at critical moments [26] | Availability |
| Application | Logging at large scale [17] | Confidentiality, Integrity, Availability |
| Application | Technical requirements and service level agreements (SLAs), including third parties [26] | Availability |
The sensing layer is composed of a variety of sensors and is the source of information collection and recognition of things [18]. Communication in the IoT environment takes place between devices and is known as machine-to-machine (M2M) communication. Attacks that occur in this layer, such as eavesdropping, interruption and modification, can cause the data or information received to be incomplete. Confidentiality and integrity are concerned with data that is being transmitted. Additional secure protocols are required to authorize certain actions and to provide a shared secret token between two peers [22].
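
An added example, not taken from the paper or its references: one way a gateway can detect the modification and interruption described above, and also replayed frames, using a per-device shared secret with HMAC-SHA256 and a message counter. The device name, key, frame layout and counter scheme are assumptions made for illustration; the sketch does not address eavesdropping, which requires encryption.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, device_id: str, counter: int, reading: dict) -> bytes:
    """Sensor side: serialize the reading and append an HMAC-SHA256 tag."""
    body = json.dumps({"dev": device_id, "ctr": counter, "data": reading},
                      sort_keys=True, separators=(",", ":")).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Gateway side: verify the tag, reject replays, count missing frames."""

    def __init__(self, keys: dict):
        self.keys = keys      # device_id -> shared secret (assumed pre-provisioned)
        self.last_ctr = {}    # device_id -> highest counter accepted so far
        self.missing = {}     # device_id -> counters skipped (lost or blocked)

    def accept(self, claimed_id: str, frame: bytes):
        key = self.keys.get(claimed_id)
        if key is None or len(frame) <= TAG_LEN:
            return "rejected: unknown device or short frame", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Verify before parsing, in constant time, so tampered input never
        # reaches the JSON parser and the comparison leaks no timing signal.
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return "rejected: modified", None
        msg = json.loads(body)
        if msg["dev"] != claimed_id:
            return "rejected: wrong device", None
        last = self.last_ctr.get(claimed_id, 0)
        if msg["ctr"] <= last:
            return "rejected: replay", None
        gap = msg["ctr"] - last - 1   # frames that never arrived (interruption)
        self.missing[claimed_id] = self.missing.get(claimed_id, 0) + gap
        self.last_ctr[claimed_id] = msg["ctr"]
        return "accepted", msg["data"]


def demo():
    key = b"constructed-demo-key-not-for-use"   # constructed sample secret
    rx = Receiver({"sensor-17": key})            # constructed device name
    f1 = seal(key, "sensor-17", 1, {"temp_c": 21.5})
    f4 = seal(key, "sensor-17", 4, {"temp_c": 21.9})
    tampered = f1.replace(b"21.5", b"99.5")      # reading altered in transit
    verdicts = [rx.accept("sensor-17", f)[0] for f in (tampered, f1, f1, f4)]
    return verdicts, rx.missing["sensor-17"]     # counters 2 and 3 were lost


if __name__ == "__main__":
    print(demo())
```

The counter gap makes incomplete data visible to the application instead of silently accepting a partial stream.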
The transport layer is composed of a variety of networks (wired/wireless) and is responsible for the transmission and processing of information [18]. A new security challenge has appeared in this layer: information can be captured by anyone. Data transmitted in plaintext form is unsecured, so a secure mechanism is required to mitigate this challenge. Cryptographic algorithms are devised to ensure security within a wireless sensor network and to achieve confidentiality and integrity [23] [24].
The application layer is the interface between the user and the IoT. This interface uses cloud computing, data mining and other intelligent computing technologies [18]. The applications of IoT are vast, such as e-health, smart grid, smart city, etc. Today, IoT applications come with security problems. For example, the major threat to IoT in the smart grid is attackers capturing terminal nodes and reprogramming them [25]. This results in data being captured for various purposes. A trusted, secure access control system is suitable to guarantee data integrity and confidentiality. Besides that, there are risks that cause availability problems, such as activation of malware at a critical moment, denial of service (DoS), empty batteries and the risk of being under the control of third parties [26]. Program installation and management to prevent malware at critical moments needs to be addressed. The service level agreement (SLA) with a third party should be stated clearly. Both of these solutions can be used to counter availability problems.
The main focus is the wholeness of data. The description above can be used as a reference by end-users and IoT developers, before implementing IoT technology, on how secure it is and how to guarantee the data generated by IoT devices.
IV. CONCLUSION
- The risks in every layer of the IoT should raise awareness among everyone, developers included, who has been implementing IoT.
- IoT problems arise when “things” are connected to the network. There are many holes through which data can be captured and intruded upon when it is transmitted. Integrity and confidentiality are needed to guarantee the unity of the data.
- The network layer is the most vulnerable layer and needs secure mechanisms, techniques to encrypt data and Transport Layer Security (TLS).
REFERENCES
[1] B. Edson, “Creating the Internet of Your Things,” 2014.
[2] S. J. Ukil, Arijit, “Embedded Security for Internet of Things.”
[3] S. Li, L. Da Xu, and S. Zhao, “The internet of things: a survey,” Inf. Syst. Front., vol. 17, no. 2, pp. 243–259, 2014.
[4] N. Berg and M. Power, “The Internet of Things: Evolution or Revolution?,” 2015.
[5] B. H. D. Maycon, “The Internet of Things and Its,” 2013.
[6] P. Fremantle and P. Scott, “A security survey of middleware for the Internet of Things,” 2015.
[7] G. S. Matharu, P. Upadhyay, and L. Chaudhary, “The Internet of Things: Challenges & security issues,” Proc. - 2014 Int. Conf. Emerg. Technol. ICET 2014, pp. 54–59, 2014.
[8] X. Yang, Z. Li, Z. Geng, and H. Zhang, “A multi-layer security model for internet of things,” Internet of Things, pp. 388–393, 2012.
[9] Y. Qiu and M. Ma, “An Authentication and Key Establishment Scheme to Enhance Security for M2M in 6LoWPANs,” pp. 2671–2676, 2015.
[10] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detection of Sinkhole Attacks for Supporting Secure Routing on 6LoWPAN for Internet of Things,” 2015.
[11] B. Min and V. Varadharajan, “Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT),” 2015 20th Int. Conf. Eng. Complex Comput. Syst., pp. 80–89, 2015.
[12] A. R. Biswas and R. Giaffreda, “IoT and Cloud Convergence: Opportunities and Challenges,” 2014 IEEE World Forum Internet Things, pp. 375–376, 2014.
[13] R. V. R. Filho, B. Porter, and G. Blair, “Environmental IoT: Programming cyber-physical clouds with high-level system specifications,” Proc. - 2014 IEEE/ACM 7th Int. Conf. Util. Cloud Comput. UCC 2014, pp. 947–950, 2015.
[14] A. Arabo, “Privacy-aware IoT cloud survivability for future connected home ecosystem,” Proc. IEEE/ACS Int. Conf. Comput. Syst. Appl. AICCSA, vol. 2014, pp. 803–809, 2015.
[15] P. Srivastava, “Secure and optimized data storage for IoT through cloud framework,” pp. 720–723, 2015.
[16] A. Sharma, T. Goyal, E. S. Pilli, A. P. Mazumdar, M. C. Govil, and R. C. Joshi, “A Secure Hybrid Cloud Enabled Architecture for Internet of Things,” 2015.
[17] J. Singh, T. Pasquier, J. Bacon, H. Ko, and D. Eyers, “Twenty Cloud Security Considerations for Supporting the Internet of Things,” IEEE Internet Things J., vol. 4662, no. c, pp. 1–1, 2015.
[18] W. H. Xu Xingmei, Zhou Jing, “Security Problem IOT.pdf.” pp. 825–828, 2013.
[19] C. P. Henrich, “JSON Sensor Signatures (JSS): End-to-End Integrity Protection from Constrained Device to IoT Application,” 2015.
[20] C. Perrin, “The CIA Triad,” TechRepublic, p. 1, 2008.
[21] P. Veríssimo and L. Rodrigues, “Fundamental Security Concepts,” Distrib. Syst. Syst. Archit., vol. 1, pp. 377–393, 2001.
[22] M. Schukat, “Public Key Infrastructures and Digital Certificates for the Internet of Things,” no. ii, 2015.
[23] B. V. Sundaram, “Encryption and Hash based Security in Internet of Things,” pp. 1–6, 2015.
[24] G. A. N. Gang and L. U. Zeyong, “Internet of Things Security Analysis.” 2011.
[25] “Research On Application and Security Protection of IOT.pdf.” 2013.
[26] R. M. Savoia, H. Abie, and M. Sihvonen, “Risk-Driven Security Metrics Development for an e-Health IoT Application,” vol. 1, pp. 0–5.