Security Management Framework for the Internet of Things

The increase in the design and development of wireless communication technologies offers multiple opportunities for the management and control of cyber-physical systems with connections between smart and autonomous devices, which provide the delivery of simplified data through the use of cloud computing. Given this relationship with the Internet of Things (IoT), it established the concept of pervasive computing that allows any object to communicate with services, sensors, people, and objects without human intervention. However, the rapid growth of connectivity with smart applications through autonomous systems connected to the internet has allowed the exposure of numerous vulnerabilities in IoT systems by malicious users. This dissertation developed a novel ontology-based cybersecurity framework to improve security in IoT systems using an ontological analysis to adapt appropriate security services addressed to threats. The composition of this proposal explores two approaches: (1) design time, which offers a dynamic method to build security services through the application of a methodology directed to models considering existing business processes; and (2) execution time, which involves monitoring the IoT environment, classifying vulnerabilities and threats, and acting in the environment, ensuring the correct adaptation of existing services. The validation approach was used to demonstrate the feasibility of implementing the proposed cybersecurity framework. It implies the evaluation of the ontology to offer a qualitative evaluation based on the analysis of several criteria and also a proof of concept implemented and tested using specific industrial scenarios. This dissertation has been verified by adopting a methodology that follows the acceptance in the research community through technical validation in the application of the concept in an industrial setting.O aumento no projeto e desenvolvimento de tecnologias de comunicação sem fio oferece múltiplas oportunidades para a gestão e controle de sistemas ciber-físicos com conexões entre dispositivos inteligentes e autônomos, os quais proporcionam a entrega de dados simplificados através do uso da computação em nuvem. Diante dessa relação com a Internet das Coisas (IoT) estabeleceu-se o conceito de computação pervasiva que permite que qualquer objeto possa comunicar com os serviços, sensores, pessoas e objetos sem intervenção humana. Entretanto, o rápido crescimento da conectividade com as aplicações inteligentes através de sistemas autônomos conectados com a internet permitiu a exposição de inúmeras vulnerabilidades dos sistemas IoT para usuários maliciosos. Esta dissertação desenvolveu um novo framework de cibersegurança baseada em ontologia para melhorar a segurança em sistemas IoT usando uma análise ontológica para a adaptação de serviços de segurança apropriados endereçados para as ameaças. A composição dessa proposta explora duas abordagens: (1) tempo de projeto, o qual oferece um método dinâmico para construir serviços de segurança através da aplicação de uma metodologia dirigida a modelos, considerando processos empresariais existentes; e (2) tempo de execução, o qual envolve o monitoramento do ambiente IoT, a classificação de vulnerabilidades e ameaças, e a atuação no ambiente garantindo a correta adaptação dos serviços existentes. Duas abordagens de validação foram utilizadas para demonstrar a viabilidade da implementação do framework de cibersegurança proposto. Isto implica na avaliação da ontologia para oferecer uma avaliação qualitativa baseada na análise de diversos critérios e também uma prova de conceito implementada e testada usando cenários específicos. Esta dissertação foi validada adotando uma metodologia que segue a validação na comunidade científica através da validação técnica na aplicação do nosso conceito em um cenário industrial

Practical security considerations for IoT systems over satellite

Currently, the forecast for the European market for IoT is a yearly 19.8% increase up to reach $241 billion in 2025. Thisstrong growing will be concentrated in verticals from manufacturing, utilities, retail and transportation [1], [2]. However, in orderto monetize the potential services over IoT it is necessary to guarantee the security of the communications [3]. In this regardphysical-layer security methods may complement higher-layer encryption techniques by exploiting the characteristics of wirelesschannels. For this purpose, it is resorted to the secrecy-capacity metric to measure the security level. More specifically, it was shownin [4] that reliable information-theoretic security could be achieved, whenever the eavesdropper’s channel be a degraded versionof the legitimate user’s channel. In this case, if the secrecy rate is chosen below the secrecy-capacity, then reliable transmissionscan be achieved in perfect secrecy. However, the time-varying fading effect of wireless channels degrades the secrecy-capacity. Inthis situation, it is used the ergodic capacity to measure the secrecy-capacity [5]. In order to make the overhearing process of theeavesdroppers difficult, it is used the time-packing/faster than Nyquist strategy [6]- [7].Thus, the time-duration of the transmittedframes are reduced which: i) improves the interception probability of the packets, ii) augments the spectral efficiency of theM2M communications without increasing the transmission bandwidth, iii) diminishes the effect of Doppler spread in Non-GEOcommunications, and iv) permits to use the overlapping degree among the pulse shapes to boost the secrecy-capacity. On thecontrary, this overlapping degree introduces a multi-path channel that may difficult the synchronization process. However, thecoefficients of the multipath channel are known by the legitimate user but ignored by the eavesdropper. This strategy of securityis similar to that the Artificial Noise (AN) one pursues [5], [8]- [9], but without wasting energy for jamming the eavesdropper’schannel.Note that the satellite channel model has a large Line of Sight (LoS) component. So, it means that the channel of theeavesdropper and the legitimate user could be quite similar in the same beam of the satellite constellation. So it is necessary todistort the channel of the desired user in order to increase the security of the communications. The use of non-Nyquist pulses,permits to introduce an artificial multipath interference that degrades the eavesdropper’s channel. In this case, we have consideredtwo types of eavesdropper: i) without being able to estimate the time-packing multipath, and ii) equipped with an estimationblock of the time-packing interference. In the first case, all interference signals are considered as noise whereas in the secondone part of the interference is assumed as noise. In both cases, it is possible to obtain a secrecy-capacity. Finally, comment thatin satellite constellation there is a residual co-channel interference. This interference limits the resolution of the eavesdroppersalthough they be equipped with multiple antennas. We have considered that the eavesdropper does not have full knowledge of thetime-packed/faster than Nyquist multi-path interference. This pragmatic approach was also followed in [9]. However, there therain losses made difficult to obtain perfect channel estimations.Peer ReviewedPostprint (published version

Toward the automation of threat modeling and risk assessment in IoT systems

The Internet of Things (IoT) has recently become one of the most relevant emerging technologies in the IT landscape. IoT systems are characterized by the high heterogeneity of involved architectural components (e.g., device platforms, services, networks, architectures) and involve a multiplicity of application domains. In the IoT scenario, the identification of specific security requirements and the security design are very complex and expensive tasks, since they heavily depend on the configuration deployment actually in place and require security experts. In order to overcome these issues, we propose an approach aimed at supporting the security analysis of an IoT system by means of an almost completely automated process for threat modeling and risk assessment, which also helps identify the security controls to implement in order to mitigate existing security risks. We demonstrate the effectiveness of the approach by discussing its application to a home automation system, built on top of commercial IoT products

Security In The Internet Of Things - A Systematic Mapping Study

The Internet of Things (IoT) concept is emerging and evolving rapidly. Various technical solutions for multiple purposes have been proposed for its implementation. The rapid evolution and utilization of IoT technologies has raised security concerns and created a feeling of uncertainty among IoT adopters. The purpose of this paper is to examine the current research trends related to security concerns of the IoT concept and provide a detailed understanding of the topic. We thus applied systematic mapping study as the methodological approach. Based on the chosen search strategy, 38 articles (of close to 3500 articles in the field) were selected for a closer examination. Out of these articles, the concerns, solutions and research gaps for the security in the IoT concept were extracted. The mapping study identifies nine main concerns and 11 solutions. However, the findings also reveal challenges, such as secure privacy management and cloud integration that still require efficient solutions

Internet of Things is a revolutionary approach for future technology enhancement: a review

Abstract Internet of Things (IoT) is a new paradigm that has changed the traditional way of living into a high tech life style. Smart city, smart homes, pollution control, energy saving, smart transportation, smart industries are such transformations due to IoT. A lot of crucial research studies and investigations have been done in order to enhance the technology through IoT. However, there are still a lot of challenges and issues that need to be addressed to achieve the full potential of IoT. These challenges and issues must be considered from various aspects of IoT such as applications, challenges, enabling technologies, social and environmental impacts etc. The main goal of this review article is to provide a detailed discussion from both technological and social perspective. The article discusses different challenges and key issues of IoT, architecture and important application domains. Also, the article bring into light the existing literature and illustrated their contribution in different aspects of IoT. Moreover, the importance of big data and its analysis with respect to IoT has been discussed. This article would help the readers and researcher to understand the IoT and its applicability to the real world

THaW publications

In 2013, the National Science Foundation\u27s Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions, led by Dartmouth College, to enable trustworthy cybersystems for health and wellness. As of this writing, the Trustworthy Health and Wellness (THaW) project\u27s bibliography includes more than 130 significant publications produced with support from the THaW grant; these publications document the progress made on many fronts by the THaW research team. The collection includes dissertations, theses, journal papers, conference papers, workshop contributions and more. The bibliography is organized as a Zotero library, which provides ready access to citation materials and abstracts and associates each work with a URL where it may be found, cluster (category), several content tags, and a brief annotation summarizing the work\u27s contribution. For more information about THaW, visit thaw.org

A systematic design approach to IOT security for legacy production machinery

The Internet of Things (IoT) is an emerging topic of rapidly growing technical importance for the industry. The aim is to connect objects with unique identifiers and combine them with internet connectivity for data transfer. This advanced connectivity has significant potential in the workshop-level upgrade of existing legacy equipment to unlock new features and economic benefits especially for monitoring and control applications However, the introduction of the Industrial Internet of Things (IIoT) brings new additional security and integrity risks for the industrial environment in the form of network, communication, software and hardware security risks. This thesis addresses such fundamental new risks at their root by introducing a novel approach for IoT-enabled monitoring of legacy production machinery, which consist of five stages, incorporating security by design features. The first two phases of this novel approach aim to analyse current monitoring practices and security and vulnerability issues related to the application domain. The proposed approach applies three more stages which make the domain-relevant analysis to become application specific. These include a detailed model of the application context on legacy production machinery monitoring, together with its interfaces and functionality, implementing threat mitigations combined with a new modular IoT DAQ unit mechanism, validated by functional tests against Denial of Service (DoS) and clone attacks. Thus, to be effective, the design approach is further developed with application-specific functionality. This research demonstrates an instance of this innovative riskaverse design thinking through introducing an IoT device design which is applicable to a wide set of industrial scenarios. A practical showcase example of a specific implementation of the generic IoT design is given through a concrete industrial application that upgrades existing legacy machine tool equipment. The reported work establishes a novel viewpoint for the understanding of IoT security risks and their consequent mitigation, opening a new space of riskaverse designs that can bring significant confidence in data, safety, and security of IoT-enabled industry.Manufacturin

A Framework for Facilitating Secure Design and Development of IoT Systems

The term Internet of Things (IoT) describes an ever-growing ecosystem of physical objects or things interconnected with each other and connected to the Internet. IoT devices consist of a wide range of highly heterogeneous inanimate and animate objects. Thus, a thing in the context of the IoT can even mean a person with blood pressure or heart rate monitor implant or a pet with a biochip transponder. IoT devices range from ordinary household appliances, such as smart light bulbs or smart coffee makers, to sophisticated tools for industrial automation. IoT is currently leading a revolutionary change in many industries and, as a result, a lot of industries and organizations are adopting the paradigm to gain a competitive edge. This allows them to boost operational efficiency and optimize system performance through real-time data management, which results in an optimized balance between energy usage and throughput. Another important application area is the Industrial Internet of Things (IIoT), which is the application of the IoT in industrial settings. This is also referred to as the Industrial Internet or Industry 4.0, where Cyber- Physical Systems (CPS) are interconnected using various technologies to achieve wireless control as well as advanced manufacturing and factory automation. IoT applications are becoming increasingly prevalent across many application domains, including smart healthcare, smart cities, smart grids, smart farming, and smart supply chain management. Similarly, IoT is currently transforming the way people live and work, and hence the demand for smart consumer products among people is also increasing steadily. Thus, many big industry giants, as well as startup companies, are competing to dominate the market with their new IoT products and services, and hence unlocking the business value of IoT. Despite its increasing popularity, potential benefits, and proven capabilities, IoT is still in its infancy and fraught with challenges. The technology is faced with many challenges, including connectivity issues, compatibility/interoperability between devices and systems, lack of standardization, management of the huge amounts of data, and lack of tools for forensic investigations. However, the state of insecurity and privacy concerns in the IoT are arguably among the key factors restraining the universal adoption of the technology. Consequently, many recent research studies reveal that there are security and privacy issues associated with the design and implementation of several IoT devices and Smart Applications (smart apps). This can be attributed, partly, to the fact that as some IoT device makers and smart apps development companies (especially the start-ups) reap business value from the huge IoT market, they tend to neglect the importance of security. As a result, many IoT devices and smart apps are created with security vulnerabilities, which have resulted in many IoT related security breaches in recent years. This thesis is focused on addressing the security and privacy challenges that were briefly highlighted in the previous paragraph. Given that the Internet is not a secure environ ment even for the traditional computer systems makes IoT systems even less secure due to the inherent constraints associated with many IoT devices. These constraints, which are mainly imposed by cost since many IoT edge devices are expected to be inexpensive and disposable, include limited energy resources, limited computational and storage capabilities, as well as lossy networks due to the much lower hardware performance compared to conventional computers. While there are many security and privacy issues in the IoT today, arguably a root cause of such issues is that many start-up IoT device manufacturers and smart apps development companies do not adhere to the concept of security by design. Consequently, some of these companies produce IoT devices and smart apps with security vulnerabilities. In recent years, attackers have exploited different security vulnerabilities in IoT infrastructures which have caused several data breaches and other security and privacy incidents involving IoT devices and smart apps. These have attracted significant attention from the research community in both academia and industry, resulting in a surge of proposals put forward by many researchers. Although research approaches and findings may vary across different research studies, the consensus is that a fundamental prerequisite for addressing IoT security and privacy challenges is to build security and privacy protection into IoT devices and smart apps from the very beginning. To this end, this thesis investigates how to bake security and privacy into IoT systems from the onset, and as its main objective, this thesis particularly focuses on providing a solution that can foster the design and development of secure IoT devices and smart apps, namely the IoT Hardware Platform Security Advisor (IoT-HarPSecA) framework. The security framework is expected to provide support to designers and developers in IoT start-up companies during the design and implementation of IoT systems. IoT-HarPSecA framework is also expected to facilitate the implementation of security in existing IoT systems. To accomplish the previously mentioned objective as well as to affirm the aforementioned assertion, the following step-by-step problem-solving approach is followed. The first step is an exhaustive survey of different aspects of IoT security and privacy, including security requirements in IoT architecture, security threats in IoT architecture, IoT application domains and their associated cyber assets, the complexity of IoT vulnerabilities, and some possible IoT security and privacy countermeasures; and the survey wraps up with a brief overview of IoT hardware development platforms. The next steps are the identification of many challenges and issues associated with the IoT, which narrowed down to the abovementioned fundamental security/privacy issue; followed by a study of different aspects of security implementation in the IoT. The remaining steps are the framework design thinking process, framework design and implementation, and finally, framework performance evaluation. IoT-HarPSecA offers three functionality features, namely security requirement elicitation security best practice guidelines for secure development, and above all, a feature that recommends specific Lightweight Cryptographic Algorithms (LWCAs) for both software and hardware implementations. Accordingly, IoT-HarPSecA is composed of three main components, namely Security Requirements Elicitation (SRE) component, Security Best Practice Guidelines (SBPG) component, and Lightweight Cryptographic Algorithms Recommendation (LWCAR) component, each of them servicing one of the aforementioned features. The author has implemented a command-line tool in C++ to serve as an interface between users and the security framework. This thesis presents a detailed description, design, and implementation of the SRE, SBPG, and LWCAR components of the security framework. It also presents real-world practical scenarios that show how IoT-HarPSecA can be used to elicit security requirements, generate security best practices, and recommend appropriate LWCAs based on user inputs. Furthermore, the thesis presents performance evaluation of the SRE, SBPG, and LWCAR components framework tools, which shows that IoT-HarPSecA can serve as a roadmap for secure IoT development.O termo Internet das coisas (IoT) é utilizado para descrever um ecossistema, em expansão, de objetos físicos ou elementos interconetados entre si e à Internet. Os dispositivos IoT consistem numa gama vasta e heterogénea de objetos animados ou inanimados e, neste contexto, podem pertencer à IoT um indivíduo com um implante que monitoriza a frequência cardíaca ou até mesmo um animal de estimação que tenha um biochip. Estes dispositivos variam entre eletrodomésticos, tais como máquinas de café ou lâmpadas inteligentes, a ferramentas sofisticadas de uso na automatização industrial. A IoT está a revolucionar e a provocar mudanças em várias indústrias e muitas adotam esta tecnologia para incrementar as suas vantagens competitivas. Este paradigma melhora a eficiência operacional e otimiza o desempenho de sistemas através da gestão de dados em tempo real, resultando num balanço otimizado entre o uso energético e a taxa de transferência. Outra área de aplicação é a IoT Industrial (IIoT) ou internet industrial ou Indústria 4.0, ou seja, uma aplicação de IoT no âmbito industrial, onde os sistemas ciberfísicos estão interconectados a diversas tecnologias de forma a obter um controlo de rede sem fios, bem como fabricações avançadas e automatização fabril. As aplicações da IoT estão a crescer e a tornarem-se predominantes em muitos domínios de aplicação inteligentes como sistemas de saúde, cidades, redes, agricultura e sistemas de fornecimento. Da mesma forma, a IoT está a transformar estilos de vida e de trabalho e assim, a procura por produtos inteligentes está constantemente a aumentar. As grandes indústrias e startups competem entre si de forma a dominar o mercado com os seus novos serviços e produtos IoT, desbloqueando o valor de negócio da IoT. Apesar da sua crescente popularidade, benefícios e capacidades comprovadas, a IoT está ainda a dar os seus primeiros passos e é confrontada com muitos desafios. Entre eles, problemas de conectividade, compatibilidade/interoperabilidade entre dispositivos e sistemas, falta de padronização, gestão das enormes quantidades de dados e ainda falta de ferramentas para investigações forenses. No entanto, preocupações quanto ao estado de segurança e privacidade ainda estão entre os fatores adversos à adesão universal desta tecnologia. Estudos recentes revelaram que existem questões de segurança e privacidade associadas ao design e implementação de vários dispositivos IoT e aplicações inteligentes (smart apps.), isto pode ser devido ao facto, em parte, de que alguns fabricantes e empresas de desenvolvimento de dispositivos (especialmente startups) IoT e smart apps., recolham o valor de negócio dos grandes mercados IoT, negligenciando assim a importância da segurança, resultando em dispositivos IoT e smart apps. com carências e violações de segurança da IoT nos últimos anos. Esta tese aborda os desafios de segurança e privacidade que foram supra mencionados. Visto que a Internet e os sistemas informáticos tradicionais são por vezes considerados inseguros, os sistemas IoT tornam-se ainda mais inseguros, devido a restrições inerentes a tais dispositivos. Estas restrições são impostas devido ao custo, uma vez que se espera que muitos dispositivos de ponta sejam de baixo custo e descartáveis, com recursos energéticos limitados, bem como limitações na capacidade de armazenamento e computacionais, e redes com perdas devido a um desempenho de hardware de qualidade inferior, quando comparados com computadores convencionais. Uma das raízes do problema é o facto de que muitos fabricantes, startups e empresas de desenvolvimento destes dispositivos e smart apps não adiram ao conceito de segurança por construção, ou seja, logo na conceção, não preveem a proteção da privacidade e segurança. Assim, alguns dos produtos e dispositivos produzidos apresentam vulnerabilidades na segurança. Nos últimos anos, hackers maliciosos têm explorado diferentes vulnerabilidades de segurança nas infraestruturas da IoT, causando violações de dados e outros incidentes de privacidade envolvendo dispositivos IoT e smart apps. Estes têm atraído uma atenção significativa por parte das comunidades académica e industrial, que culminaram num grande número de propostas apresentadas por investigadores científicos. Ainda que as abordagens de pesquisa e os resultados variem entre os diferentes estudos, há um consenso e pré-requisito fundamental para enfrentar os desafios de privacidade e segurança da IoT, que buscam construir proteção de segurança e privacidade em dispositivos IoT e smart apps. desde o fabrico. Para esta finalidade, esta tese investiga como produzir segurança e privacidade destes sistemas desde a produção, e como principal objetivo, concentra-se em fornecer soluções que possam promover a conceção e o desenvolvimento de dispositivos IoT e smart apps., nomeadamente um conjunto de ferramentas chamado Consultor de Segurança da Plataforma de Hardware da IoT (IoT-HarPSecA). Espera-se que o conjunto de ferramentas forneça apoio a designers e programadores em startups durante a conceção e implementação destes sistemas ou que facilite a integração de mecanismos de segurança nos sistemas préexistentes. De modo a alcançar o objetivo proposto, recorre-se à seguinte abordagem. A primeira fase consiste num levantamento exaustivo de diferentes aspetos da segurança e privacidade na IoT, incluindo requisitos de segurança na arquitetura da IoT e ameaças à sua segurança, os seus domínios de aplicação e os ativos cibernéticos associados, a complexidade das vulnerabilidades da IoT e ainda possíveis contramedidas relacionadas com a segurança e privacidade. Evolui-se para uma breve visão geral das plataformas de desenvolvimento de hardware da IoT. As fases seguintes consistem na identificação dos desafios e questões associadas à IoT, que foram restringidos às questões de segurança e privacidade. As demais etapas abordam o processo de pensamento de conceção (design thinking), design e implementação e, finalmente, a avaliação do desempenho. O IoT-HarPSecA é composto por três componentes principais: a Obtenção de Requisitos de Segurança (SRE), Orientações de Melhores Práticas de Segurança (SBPG) e a recomendação de Componentes de Algoritmos Criptográficos Leves (LWCAR) na implementação de software e hardware. O autor implementou uma ferramenta em linha de comandos usando linguagem C++ que serve como interface entre os utilizadores e a IoT-HarPSecA. Esta tese apresenta ainda uma descrição detalhada, desenho e implementação das componentes SRE, SBPG, e LWCAR. Apresenta ainda cenários práticos do mundo real que demostram como o IoT-HarPSecA pode ser utilizado para elicitar requisitos de segurança, gerar boas práticas de segurança (em termos de recomendações de implementação) e recomendar algoritmos criptográficos leves apropriados com base no contributo dos utilizadores. De igual forma, apresenta-se a avaliação do desempenho destes três componentes, demonstrando que o IoT-HarPSecA pode servir como um roteiro para o desenvolvimento seguro da IoT