The introduction of IoT into our lives has brought many benefits into several domains, such as healthcare, transportation, safety, and business. But this introduction makes IoT security very difficult to address. The interaction of people with the technological ecosystem requires the protection of their privacy, while the interaction with control processes requires the guarantee of their safety. This requires a systemic and cognitive approach to IoT security to be successful.
It is possible now for objects, services, and applications to make decisions and to react according to a given situation in their environment. This is why processes have to ensure their reliability and realize the objectives for which they are designed.
A Systemic and Cognitive Approach for IoT Security
IoT deals with a vast number of things. With their relevant data, many security challenges need to be addressed. This is especially true when things need to interact across another set of things and according to different policy requirements.
Many attacks can occur, from message modification, traffic analysis, Denial of Service to eavesdropping, side-channel attacks, and many more. For these risks and due to many interactions between things, a systematic and cognitive approach seems to be the right choice for IoT security.
According to an interesting study done by the French National Institute for Research in Digital Science and Technology (Inria), the systemic and cognitive approach for IoT security is made up of four nodes:
- intelligent object
All the nodes must cooperate to guarantee conformity in the conception and implementation of secure applications. These connections among nodes are called tensions. There are seven tensions between nodes: identification, trust, privacy, reliability, responsibility, safety, and safe-immunity.
Nodes in Detail
Security concerns depend on people’s interests and intentional or unintentional behavior. Humans have to accomplish the tasks related to security management that consists of:
- Addressing security practices and rules to develop efficient security policy documentation
- Auditing security practices and rules effectiveness, including personnel, documentation, and technical control procedures
- Implementing practices and rules in operational mode
The process must follow effective security policies to guarantee a sufficient level of security at different IoT architecture layers. The Federal Financial Institutions Examination Council’s has defined a set of standard areas to consider when performing a secure process:
- Information Security Risk Assessment
- Information Security Strategy
- Security Controls Implementation
- Security Monitoring
- Security Process Monitoring and Updating
A secure process must widely fit the requirements of policies, standards, strategies, procedures, and other specific documentation or regulation.
This node is about the technological alternatives to guarantee an acceptable IoT security level. There are five categories of information security elements:
- Security Design and Configuration
- Identification and Authorization
- Enclave Internal
- Enclave Boundary
- Physical and Environmental
This node refers to an object like a sensing node (camera, X-ray machine) and RFID reader or tag (detecting the presence of a person, animal, or thing) involved in a given application.
Privacy refers to the tension induced by the interaction between a person and the technological ecosystem. Protected data is related to humans, so their privacy is a mandatory objective of IoT. There are several fields that privacy can be divided into, including:
- Privacy in data collection
- Privacy in data sharing
- Privacy in data sharing and management
- Data security issues
Trust links the intelligent object with the technological ecosystem. Trust management definition and operations must have a particular interest, including establishing, updating, and revoking credentials, keys, and certificates. In IoT context, there are severe resource constraints and difficult technical choices.
Identification of a given object is a fundamental subject that concerns the general system operation, including architecture, components, access rights, etc.
This tension can be considered when handling unique and reliable entities’ addresses, managing data over the network, or effectively using a device(s) for specific applications.
The widespread use of autonomous systems has created new worries about their control software, which can have random or unpredictable behavior. Such a situation must be controlled to avoid disastrous consequences for the system and the whole environment. People may also refuse their participation due to privacy or safety concerns; thus, safety is essential.
Responsibility is closely related to access rights or authorization privileges. For instance, if an IoT object is configured by one entity, it must handle connections from other things and distinguish their different access rights.
Frequently, nodes are used in distant and hostile areas. Due to site constraints, they became unprotected and exposed to physical attacks, so defense mechanisms have to be addressed.