Are the ‘things’ in IoT secure?

Anuradha UdunuwaraAnuradha Udunuwara, MBCS looks at the challenges of providing security for the internet of things (IoT), using the ITU-T Y.2060 as a starting point.

The internet of things, or IoT in short, has become a buzz-word in the tech world. In the ITU-T Y.2060 (06/2012) model’s recommendation - an overview of the Internet of things - it defines IoT as: A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. The ‘things’ in IoT includes a broad set, including, but not limited to, household items (washing machines, refrigerators, lights, microwaves, etc.), industrial items (machinery, meters, …), medical items (pace-makers, heart rate monitors, …) and vehicles. Early internet was about connecting places and then, in the last decade, it became about connecting people. The future is about connecting ‘things’ and things could be anything. Some estimate that by 2020, the number of connected devices or the ‘things’ on IoT could be around 20 - 50 billion.

Security of IoT

With so many ‘things’ to be connected to the internet, the security of those ‘things’ and the services they provide has become critical. Given the internet itself has been challenged with many security issues, some creating financial losses, privacy issues, threat to human lives, etc., when so many billions of things are added, the problem space becomes really big.

The ITU-T Y.2060 IoT reference model identifies security capabilities as one important aspect spanning across the four layers - application, service support and application support, network, device - the reference model composed of. Both security and management capabilities are associated with the four layers. According to the reference model, there are two kinds of security capabilities: generic security capabilities and specific security capabilities. Generic security capabilities are independent of applications. They include:

  • at the application layer: authorisation, authentication, application data confidentiality and integrity protection, privacy protection, security audit and anti-virus;
  • at the network layer: authorisation, authentication, use data and signaling data confidentiality, and signaling integrity protection;
  • at the device layer: authentication, authorisation, device integrity validation, access control, data confidentiality and integrity protection.

Specific security capabilities are closely coupled with application-specific requirements, e.g., mobile payment, and security requirements.

The challenge of IoT security

While the ITU-T Y.2060 provides the reference model, the implementation of security for IoT is not easy due to many reasons. These include the scale (so many billions of ‘things’), different types/applications, used locations, etc. One of the challenges for the internet security has been the rate at which different security loop holes are found and the rate at which the solutions are found. When the number of endpoints suddenly become 20 - 50 billion, the number of possible hacks will also rise.

IoT, like the internet will soon become an integral part of human life. Therefore, the security of the same will become of utmost importance. As more and more ‘things’ are added to the IoT, ensuring its security will become critical.

About the author

Anuradha Udunuwara, MBCS is an expert senior engineer in the field of Telecom & Technology, currently working at Sri Lanka Telecom, University of Hertfordshire and CTO, UK.

Comments (2)

Leave Comment
  • 1
    David Kay wrote on 15th May 2017

    Given the recent worldwide ransom episode, this article makes me wonder when the first hack of an IoT enabled washing machine will take place.

    Report Comment

  • 2
    John Sherwood wrote on 22nd May 2017

    The real challenge of the IoT is not just its scale, but its complexity as a system of systems of systems... means that it exhibits emergent properties - unforeseen and often unwanted behaviours that cannot be designed out easily. Most vulnerabilities and zero-day exploits are based on emergent properties of the system.

    Report Comment

Post a comment

About this blog

This blog is brought to you by the members of the BCS Internet Specialist Group and allows you to harness their skills, expertise and knowledge. The internet is ubiquitous and has a major impact on our daily lives, at work, at home on the move. The associated risks and security concerns are real, but the magic and advantages of the internet are significant.

See all posts by Internet Specialist Group

Search this blog

February 2018