Anuradha Udunuwara, MBCS looks at the challenges of providing security for the internet of things (IoT), using the ITU-T Y.2060 as a starting point.

The internet of things, or IoT in short, has become a buzz-word in the tech world. In the ITU-T Y.2060 (06/2012) model’s recommendation - an overview of the Internet of things - it defines IoT as: A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. The ‘things’ in IoT includes a broad set, including, but not limited to, household items (washing machines, refrigerators, lights, microwaves, etc.), industrial items (machinery, meters, …), medical items (pace-makers, heart rate monitors, …) and vehicles. Early internet was about connecting places and then, in the last decade, it became about connecting people. The future is about connecting ‘things’ and things could be anything. Some estimate that by 2020, the number of connected devices or the ‘things’ on IoT could be around 20 - 50 billion.

Security of IoT

With so many ‘things’ to be connected to the internet, the security of those ‘things’ and the services they provide has become critical. Given the internet itself has been challenged with many security issues, some creating financial losses, privacy issues, threat to human lives, etc., when so many billions of things are added, the problem space becomes really big.

The ITU-T Y.2060 IoT reference model identifies security capabilities as one important aspect spanning across the four layers - application, service support and application support, network, device - the reference model composed of. Both security and management capabilities are associated with the four layers. According to the reference model, there are two kinds of security capabilities: generic security capabilities and specific security capabilities. Generic security capabilities are independent of applications. They include:

  • at the application layer: authorisation, authentication, application data confidentiality and integrity protection, privacy protection, security audit and anti-virus;
  • at the network layer: authorisation, authentication, use data and signaling data confidentiality, and signaling integrity protection;
  • at the device layer: authentication, authorisation, device integrity validation, access control, data confidentiality and integrity protection.

Specific security capabilities are closely coupled with application-specific requirements, e.g., mobile payment, and security requirements.

The challenge of IoT security

While the ITU-T Y.2060 provides the reference model, the implementation of security for IoT is not easy due to many reasons. These include the scale (so many billions of ‘things’), different types/applications, used locations, etc. One of the challenges for the internet security has been the rate at which different security loop holes are found and the rate at which the solutions are found. When the number of endpoints suddenly become 20 - 50 billion, the number of possible hacks will also rise.

IoT, like the internet will soon become an integral part of human life. Therefore, the security of the same will become of utmost importance. As more and more ‘things’ are added to the IoT, ensuring its security will become critical.