The introduction of IoT into our lives has brought many benefits into several domains, such as health-care, transportation, safety, and business. On the other hand, this introduction of objects into the control processes of complex systems makes IoT security very difficult to address. The interaction of people with the technological ecosystem requires the protection of their privacy, while the interaction with control processes requires the guarantee of their safety.
It is possible now for objects, services, and applications to make decisions and to react according to a given situation in their environment. This is why processes have to ensure their reliability and realize the objectives for which they are designed.
A Systemic and Cognitive Approach for IoT Security
The IoT deals with a huge number of things and their relevant data, so many security challenges need to be addressed. This is especially true when things need to interact with each other across another set of things, through many security techniques and according to different policy requirements.
There are many attacks that can occur, from message modification, traffic analysis, Denial of Service to eavesdropping, side-channel attacks, and many more. For these risks and due to a large number of interactions between things, a systematic and cognitive approach seems to be the right choice for IoT security.
According to an interesting study done by a the French National Institute for Research in Digital Science and Technology (Inria), the systemic and cognitive approach for IoT security is made up of four nodes:
- intelligent object
To guarantee the conformity in conception and implementation of secure applications, all these nodes must cooperate. These connections among nodes are called tensions. There are seven tensions between nodes: identification, trust, privacy, reliability, responsibility, safety, and safe-immunity.
Nodes in Detail
Security concerns are depending on people’s interests and intentional or unintentional behavior. Humans have to accomplish the tasks related to security management that consists of:
- Addressing security practices and rules to develop efficient security policy documentation.
- Auditing security practices and rules effectiveness, including personnel, documentation, and technical control procedures.
- Implementing practices and rules in operational mode.
The process must be in accordance with effective security policies to guarantee a sufficient level of security at different IoT architecture layers. The Federal Financial Institutions Examination Council’s has defined a set of standard areas to consider when performing a secure process:
- Information Security Risk Assessment
- Information Security Strategy
- Security Controls Implementation
- Security Monitoring
- Security Process Monitoring and Updating.
A secure process must widely fit the requirements of policies, standards, strategies, procedures, and other specific documentation or regulation.
This node is about the technological alternatives taken to guarantee an acceptable IoT security level. There are five categories of information security elements:
- Security Design and Configuration
- Identification and Authorization
- Enclave internal
- Enclave boundary
- Physical and environmental.
4. Intelligent Object
This node refers to an object like a sensing node (camera, X-ray machine) and RFID reader or tag (detecting the presence of a person, animal, or object) involved in a given application.
Privacy refers to the tension induced by the interaction between a person and the technological ecosystem. Protected data is related to humans, so their privacy is a mandatory objective of the IoT. Privacy can be divided into several fields:
- Privacy in data collection
- Privacy in data sharing
- Privacy in data sharing and management
- Data security issues.
Trust links the intelligent object with the technological ecosystem. In the IoT context, there are severe resource constraints and difficult technological choices. Special interest must be granted to trust management definition and operations, including establishing, updating, and revoking credentials, keys, and certificates.
Identification of a given object is a fundamental subject that concerns the general system operation, including architecture, components, access rights, etc.
This tension can be considered when handling unique and reliable entities’ addresses, managing data over the network, or in case of effective use of a device(s) for specific applications.
The widespread use of autonomous systems has created new worries about their control software, which can have random or unpredictable behavior. Such a situation has to be controlled to avoid disastrous consequences for the system and the whole environment. People may also refuse their participation due to privacy or safety concerns; thus, safety is of the highest importance.
Responsibility is closely related to access rights or authorization privileges. For instance, if an IoT object is configured by one entity, it must be able to handle connections from other objects and distinguish their different access rights.
Frequently, nodes are used in distant and hostile areas. They became unprotected and exposed to physical attacks due to site constraints, so defense mechanisms have to be addressed.