IoT security-by-design is still a major roadblock to massive IoT adoption. To fill the gap, we need distributed awareness and collective cooperation along with accessible knowledge and ready-to-use frameworks.

Despite its universal nature, there is no universal definition for the term “IoT”. Ok, this may look quite weird to tech-savvy users, but I bet if you ask the same question — “What is IoT?” — to the hundred people you will end up with the same answer — “It’s the Internet of things!” — which, you must admit, is a hundred-in-one answer.

Although the concept was born among Coke bubbles (yes, you read it right, Coca-Cola was the first company working on network of smart devices as early as 1982, with a modified Coca-Cola vending machine at Carnegie Mellon University, becoming the first Internet-connected appliance[1]) its popular name — The Internet-of-Things — has been around since the 1999, when its father Kevin Ashton of Procter & Gamble started considering the radio-frequency identification (RFID) as essential to the world of connected things. This is how and when the myth started, but the real birth of IoT dates back between 2008 and 2009 when Cisco defined it as “simply the point in time when more ‘things or objects’ were connected to the Internet than people” [2].

The attentive reader would now note that all these words do not give a clear definition of IoT … So, for the moment, let’s stick to our beloved Wikipedia definition: “The Internet of Things (IoT) describes the network of physical objects — “things” — that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.”

This definition should give just a loose grasp on the structure of such system which is a complex architecture made by hardware and software components acting in a coordinated environment. Typical reference architectures for IoT systems span from small automation edge gateways with local logic to broad cloud-based highly available systems connecting millions of devices. Being big or small, local or distributed, their principal aim is to effectively and efficiently transform physical quantities into digital values.

Sensors and actuators are simple power efficient constrained electronic devices that run specific software for sensing physical parameters, collecting digital information, and transmitting it towards a network. Examples of these devices are single-board microcontrollers that provide all the necessary circuitry for implementing control tasks (microprocessor, I/O, clock, RAM and interfaces for other ICs) or embedded systems based on micro-processors that inherit characteristics of regular computer systems at a much smaller scale and with specific requirements of computational power, cost and real-time capacity. These usually run dedicated operating systems that are optimized for the use in IoT applications where they must guarantee certain level of uptime, robustness in harsh environments and availability.

These two types of IoT devices are also known as end nodes and edge gateways. They are programmed with software modules that run specific tasks with the goal of properly encoding the collected information and structuring the message to be transmitted over a dedicated IoT network.

At the network stage (network layer in the ISO/OSI naming convention), IoT systems are mainly built taking advance of popular network architectures and protocols whose target is to guarantee that the message sent by the end nodes or edge gateways are received by the entity in charge of manipulating the application data. The transmission network can be wired, or wireless and specific architectures have been designed in response to different application requirements (long distances, high throughput, low latency, low power, etc.).

Once the information collected by the devices is successfully transmitted over the IoT network, the data is fed into a dedicated software system that is in charge of storing and manipulating it with the purpose of implementing the application logic that the end user want to achieve in order to get the desired business value, e.g., being able to receive preventive alerts before a system is going to halt thus guaranteeing operational continuity. Typically, such systems are distributed platform residing on the cloud and made by several database, microservices, API gateways, orchestrators, etc.

Clearly, this is just a very high-level and simplified picture of a generic IoT system, the topic is far more complex and detailed, but we defer this dissertation to other tables as it is not the scope of this article.

Well, equipped with a very brief understanding of how an IoT system is composed, we can say that we have got the network, the devices and some pieces of software spread around. All of them are intertwined and connected through Internet with the aim of letting people leverage this ubiquitous presence and implement services never thought been possible before.

This all sounds great and exciting, but too many times I found people like me, working in the IoT industry talking a lot about a fundamental, yet too often neglected, concept that is written in all papers and best practice guides: “IoT security-by-design”.[3]

A recent survey conducted by IoT industry leaders shows that security concerns remain the major roadblock to massive IoT adoption. 85% of the respondents consider security as priority number one, whereas 64% consider end-to-end security as a top short-term priority over other well know topics like edge computing (55%), artificial intelligence (AI) (50%) and 5G deployments (28%).[4][5]

Ok, I can imagine that you might think: “well, again another sky-scraping article with no practical insights”, but hold on, don’t judge too quickly, my honest and open desire is to bring you my five cents and help the crowded world of IoT become a bit more secure.

Simply put, are there really security threads in the IoT world we need to care about? Well, trying to collect all of them and assess the potential risks is quite an ambitious task, but if you think about your smart irrigation system, effectively, you could just end up with some dry grass and a couple of dead plants. However, if you think about the smart door locker that keeps your house safe, things are a bit different, isn’t it? At least, you might end up with someone watching your TV on your sofa and drinking your beers. In some other cases, things are much more severe and critical, like when in 2010, the Stuxnet virus [6] infected a uranium enrichment plant in Iran and caused permanent damage to centrifuges.

Cybersecurity for IoT is a branch of a broader topic that helps manufacturers and system integrators design robust and reliable IoT devices and services. The tricky thing about IoT and cybersecurity is that, despite there can be different levels of protection and cares, the reality is that poorly designed IoT systems can be the key for much more dangerous attacks to wider critical systems. If you add this to the exponential forecasted growth of next years [7], IoT risks to become an uncontrolled monster.

For this reason, many organizations are working hard to define clear best practices and guidelines aiming at formalizing them into standards and directives. The rapid adoption of Internet-connected sensors has set profound challenges involving regulatory changes that have still to come. Clear examples are coming from institutions like the European Union Agency for Cybersecurity (ENISA) and the National Institute of Standards and Technology (NIST) with several articles and publications on security topics outlining processes and methods to address cybersecurity in all its shapes.

An important step forward in this direction is made by the IoT Security Foundation (IoTSF), a “non-profit organization dedicated to driving security excellence” [8]. IoTSF is a collaborative, vendor-neutral, international initiative aspiring to be the expert resource for sharing knowledge, best practice, and advice.

Founded in 2015, as response to the hyperconnected world of things and the security challenges that it poses, the organization has released the “IoT Security Compliance Framework” [9], a self-assessed certification that help companies to audit and validate their cybersecurity level thus delivering end-user only secured products and services.

By defining a comprehensive framework spanning from device hardware to cloud applications, the IoTSF defines an assessment process structured in two steps:

  • Risk assessment with the creation of a risk register.
  • Definition of a “compliance class”.

Risk assessment is the process of evaluating all potential threads in different use-cases and scenarios the product can incur into, while considering both technical and business implications, e.g., “cost of product recall”, “product exposes Wi-Fi credentials”, “product undermines personal safety”. The outcome of this process is the Risk Register, an artifact collecting all foreseen threads along with their estimate of probabilities and impacts. In simple words, a product put in a specific context is subject to certain potential threats, each of them with its own likelihood and impact. The document helps in defining what is called the device Compliance Class, namely, how it relates to the CIA (Confidentiality, Integrity and Availability) Triad model, a commonly used model by security professionals.

Assigning a Compliance Class to a product or service, the security framework provides a list of all important requirements that must be taken into account during the product or service design process. Doing this at the design phase is paramount as major errors can be avoided preventively. Requirements are, therefore, clustered into six main groups:

  • Business Process
  • Device Hardware
  • Device Software
  • Device OS
  • Device Interfaces
  • Authentication & Authorization

Every requirement in each group has an applicability level that varies according to the selected product Compliance Class. This way, requirements needed to comply with class 4 may not be required for class 1. In addition, the framework requires the user to collect evidence for each satisfied requirement. At the end of this process, we end up with a document briefing our approach to all relevant aspects for each of the six groups listed above. I personally think that the simplicity and immediacy of this framework is astonishingly relevant for the IoT security world as it allows every newcomer to take the first steps relatively quickly within a solid and comprehensive framework and assess its own security level. A robust self-assessed method aligned with international institutions and regulatory agencies like this can, indeed, represent a real pervasive means for technology improvement and adoption.

Equipped with this understanding of what the IoTSF prescribes in terms of cybersecurity practices, we can delve into a final relevant consideration that makes this organization interesting. Differently from many other certification authorities, the IoTSF has decided to keep this framework open and free. The target here is to foster knowledge and excellence in security, thus promoting awareness. No fee required, no certification issued, just an open and accessible means to improve security in IoT. Every player can assess and demonstrate the strengths of its products and services, showing high sensitivity and competence.

Overall, this looks to me quite an effective and immediate opportunity that I hope more and more players will try to catch.

Massimiliano Pesce
EU Tech Chamber (EUTECH)