Presents a cyber-assurance approach to the Internet of Things (IoT). This book discusses the cyber-assurance needs of the IoT environment, highlighting key information assurance (IA) IoT issues and identifying the associated security implications. Through contributions from cyber-assurance, IA, information security, and IoT industry practitioners and experts, the text covers fundamental and advanced concepts necessary to grasp current IA issues, challenges, and solutions for the IoT. Future trends in IoT infrastructures, architectures, and applications are also examined. Other topics discussed include the IA protection of IoT systems and of information being stored, processed, or transmitted, against unauthorized access or modification, for machine-to-machine (M2M) devices, radio-frequency identification (RFID) networks, wireless sensor networks, smart grids, and supervisory control and data acquisition (SCADA) systems. The book also discusses the IA measures necessary to detect, protect, and defend IoT information and networks/systems so as to ensure their availability, integrity, authentication, confidentiality, and non-repudiation. * Discusses current research and emerging trends in IA theory, applications, architecture, and information security in the IoT, based on theoretical aspects and studies of practical applications * Aids readers in understanding how to design and build cyber-assurance into the IoT * Exposes engineers and designers to new strategies and emerging standards, and promotes active development of cyber-assurance * Covers challenging issues as well as potential solutions, encouraging discussion and debate among those in the field. Cyber-Assurance for the Internet of Things is written for researchers and professionals working in the fields of wireless technologies, information security architecture, and security system design. This book will also serve as a reference for professors and students involved in IA and IoT networking.
Tyson T. Brooks is an Adjunct Professor in the School of Information Studies at Syracuse University; he also works with the Center for Information and Systems Assurance and Trust (CISAT) at Syracuse University, and is an information security technologist and science-practitioner. Dr. Brooks is the founder/Editor-in-Chief of the International Journal of Internet of Things and Cyber-Assurance, and an associate editor for the Journal of Enterprise Architecture, the International Journal of Cloud Computing and Services Science, and the International Journal of Information and Network Security.
Page count: 664
Year of publication: 2016
IEEE Press
445 Hoes Lane
Piscataway, NJ 08854
IEEE Press Editorial Board
Tariq Samad, Editor in Chief
George W. Arnold
Xiaoou Li
Ray Perez
Giancarlo Fortino
Vladimir Lumelsky
Linda Shafer
Dmitry Goldgof
Pui-In Mak
Zidong Wang
Ekram Hossain
Jeffrey Nanzer
MengChu Zhou
Edited by
TYSON T. BROOKS
School of Information Studies Syracuse University, Syracuse, NY, USA
Copyright © 2017 by The Institute of Electrical and Electronics Engineers, Inc.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data is available.
ISBN: 978-1-119-19386-9
To Jesus Christ and my parents
FOREWORD
PREFACE
ACKNOWLEDGMENTS
CONTRIBUTORS
ACRONYMS
INTRODUCTION
PART I EMBEDDED DESIGN SECURITY
Chapter 1 Certified Security by Design for the Internet of Things
1.1 Introduction
1.2 Lessons from the Microelectronics Revolution
1.3 Certified Security by Design
1.4 Chapter Outline
1.5 An Access-Control Logic
1.6 An Introduction to HOL
1.7 The Access-Control Logic in HOL
1.8 Cryptographic Components and Their Models in Higher-Order Logic
1.9 Cryptographic Hash Functions
1.10 Asymmetric-Key Cryptography
1.11 Digital Signatures
1.12 Adding Security to State Machines
1.13 A Networked Thermostat Certified Secure by Design
1.14 Thermostat Use Cases
1.15 Security Contexts for the Server and Thermostat
1.16 Top-Level Thermostat Secure-State Machine
1.17 Refined Thermostat Secure-State Machine
1.18 Equivalence of Top-Level and Refined Secure-State Machines
1.19 Conclusions
Appendix
Note
References
Chapter 2 Cyber-Assurance Through Embedded Security for the Internet of Things
2.1 Introduction
2.2 Cyber-Security and Cyber-Assurance
2.3 Recognition, Fortification, Re-Establishment, Survivability
2.4 Conclusion
References
Chapter 3 A Secure Update Mechanism for Internet of Things Devices
3.1 Introduction
3.2 Importance of IoT Security
3.3 Applying the Defense-in-Depth Strategy for Updating
3.4 A Standards Approach
3.5 Conclusion
References
PART II TRUST IMPACT
Chapter 4 Security and Trust Management for the Internet of Things: An RFID and Sensor Network Perspective
4.1 Introduction
4.2 Security and Trust in the Internet of Things
4.3 Radio Frequency Identification: Evolution and Approaches
4.4 Security and Trust in Wireless Sensor Networks
4.5 Applications of Internet of Things and RFID in Real-Time Environment
4.6 Future Research Directions and Conclusion
References
Chapter 5 The Impact of IoT Devices on Network Trust Boundaries
5.1 Introduction
5.2 Trust Boundaries
5.3 Risk Decisions and Conclusion
Notes
References
PART III WEARABLE AUTOMATION PROVENANCE
Chapter 6 Wearable IoT Computing: Interface, Emotions, Wearer's Culture, and Security/Privacy Concerns
6.1 Introduction
6.2 Data Accuracy in Wearable Computing
6.3 Interface and Culture
6.4 Emotion and Privacy
6.5 Privacy Protection Policies for Wearable Devices
6.6 Privacy/Security Concerns About Wearable Devices
6.7 Expectations About Future Wearable Devices
Notes
References
Chapter 7 On Vulnerabilities of IoT-Based Consumer-Oriented Closed-Loop Control Automation Systems
7.1 Introduction
7.2 Industrial Control Systems and Home Automation Control
7.3 Vulnerability Identification
7.4 Modeling and Simulation of Basic Attacks to Control Loops and Service Providers
7.5 Illustrating Various Attacks Through a Basic Home Heating System Model
7.6 A Glimpse of Possible Economic Consequences of Addressed Attacks
7.7 Discussion and Conclusion
Notes
References
Chapter 8 Big Data Complex Event Processing for Internet of Things Provenance: Benefits for Audit, Forensics, and Safety
8.1 Overview of Complex Event Processing
8.2 The Need: IoT Security Challenges in Audit, Forensics, and Safety
8.3 Challenges to CEP Adoption in IoT Settings
8.4 CEP and IoT Security Visualization
8.5 Summary
8.6 Conclusion
References
PART IV CLOUD ARTIFICIAL INTELLIGENCE CYBER-PHYSICAL SYSTEMS
Chapter 9 A Steady-State Framework for Assessing Security Mechanisms in a Cloud-of-Things Architecture
Variable Nomenclature
9.1 Introduction
9.2 Background
9.3 Establishing a Framework for CoT Analysis
9.4 The CoT Steady-State Framework
9.5 Conclusion
Notes
References
Chapter 10 An Artificial Intelligence Perspective on Ensuring Cyber-Assurance for the Internet of Things
10.1 Introduction
10.2 AI-Related Cyber-Assurance Research for The IoT
10.3 Multidisciplinary Intelligence Enabling Opportunities with AI
10.4 Future Research on AI-Based Cyber-Assurance for IoT
10.5 Conclusion
References
Chapter 11 Perceived Threat Modeling for Cyber-Physical Systems
11.1 Introduction
11.2 Overview of Physical Security
11.3 Relevance to Grounded Theory
11.4 Theoretical Model Construction
11.5 Experiment
11.6 Results
11.7 Discussion
11.8 Future Research
11.9 Conclusion
Notes
References
APPENDIX A LIST OF IEEE INTERNET OF THINGS STANDARDS
APPENDIX B GLOSSARY
APPENDIX C CSBD THERMOSTAT REPORT
APPENDIX D CSBD ACCESS-CONTROL LOGIC REPORT
BIBLIOGRAPHY
INDEX
EULA
Chapter 1
Table 1.1
Table 1.2
Table 1.3
Chapter 4
Table 4.1
Table 4.2
Table 4.3
Chapter 10
Table 10.1
Chapter 11
Table 11.1
Table 11.2
Table 11.3
Table 11.4
FOREWORD
NEAL ZIRING
Information Assurance Technical Director, National Security Agency, Fort Meade, MD, USA
Our society has become substantially dependent upon the Internet, on the ability to access and use cyberspace, in a wide variety of ways. The Internet has given us amazing capabilities to exchange information, conduct commerce, enlighten, and entertain. But for all of the development and growth of the Internet, the virtual world and the physical world were at most lightly connected, often through the actions of people. The domain of packets and protocols was always separate from the world of fields, roads, and buildings. No longer: the virtual world and the physical world are becoming increasingly intertwined. This intertwining has profound potential for benefit and for harm. This revolution-in-progress has been dubbed the Internet of Things (IoT), cyber-physical systems (CPS), and various other names. It is a complex trend, founded on technology advances, but with economic and social drivers. It is already well underway, though we are feeling only modest effects so far.
As IoT technologies and capabilities become more prevalent, and eventually ubiquitous, many aspects of the physical world will become more visible from cyberspace. In some cases, processes in cyberspace will influence or control physical objects and environments. Points of contact between the physical world and the virtual will proliferate. There have been many estimates of how many connected "things" will be dispersed through our physical environment during the growth of IoT, from 10 billion to 50 billion, to even 200 billion. As a result of the greatly increased integration between physical and virtual worlds, our dependence upon the Internet and associated technologies will increase.
There have been many books and articles written about the technologies driving the IoT, and the wonderful benefits we will realize from it. But those benefits are not certain. As the physical world becomes more dependent on the virtual, threats that are today confined to cyberspace will expand and transform. The benefits we hope to enjoy will be at risk, subject to attacks mediated and scaled by cyberspace. This book is about understanding those risks: why they arise, how they differ from cyber risks that we face today, and especially how to address them.
There have been many histories written about the Internet, focused on technology or people or other factors. One way of looking at the Internet is how it grew from convergence of previously independent systems and domains. This is relevant to understanding the IoT and the importance of its cyber-assurance, because it represents the biggest convergence yet.
From the beginnings of telephony and radio, military and civilian communications were distinct and separated. From the time of World War II, they used different technologies and different means of protection. Military communications were usually encrypted, and used different frequency bands, protocols, and infrastructure from their civilian counterparts. Since its creation in 1952, the National Security Agency (NSA) has designed and codified the security necessary for national security communications, including military communications. To those working there, it became clear around 1990 that convergence was inevitable. Over the course of two decades, from the mid-1990s to today, military and civilian (commercial) communications have become much closer: common technologies, protocols, infrastructure, and standards underpin both. Levels of cryptographic strength that were first envisioned for safeguarding national security are now used to protect both strategic intelligence and social media. Tactical military operations still use specialized radios, but they also use commercial smartphones and cellular standards. From the military side, convergence has been driven mainly by the greater functionality and capability available from commercial products. From the commercial side, adoption of security mechanisms formerly confined to national security applications has been driven by the need for assurance and privacy for business conducted online.
Another convergence is still underway, though nearly complete: convergence of voice telephony and data networks. Voice telephony networks came first, of course, and by the time computing began to grow in the 1960s, national and international telephone networks were already well-established. In fact, the telephone network was so large and reliable that early digital communications used it as an infrastructure, converting digital data from serial lines into modulated audio signals, transferring them over the telephone networks, and then converting them back into bits at the other end. But over the course of the 1970s and 1980s, the telephone network itself became digital, and the same switching networks were used to carry voice calls and dedicated digital links (so-called “leased lines”). Some of the earliest wide-area data exchanges, such as bulletin boards and Usenet, employed these technologies. But at the same time, the foundations of packet networking were being created in universities and companies and the U.S. Department of Defense (DoD).
By the early 1980s, many of the key technologies were in place for the Internet to begin exponential growth. But the telephony network was still built around static trunk lines and circuit switching. Over the course of the 1990s and 2000s, the core technologies of packet switching and Internet protocols were integrated into global telephony networks, and voice became just another kind of digital traffic on packet networks. Today, the global network fabric is entirely packet-based, and the distinction between voice service and data service is visible mainly in cellular systems. But the convergence of formerly independent voice and data networks has had security consequences. Voice telephony services can be attacked over data networks, but assurances built into modern networks can help protect both voice and data services.
One more convergence is also underway, and is especially relevant here: the convergence of industrial networks and public data networks. Computer control of industrial systems began in the 1960s with direct digital control (DDC) systems. The first programmable logic controller (PLC) system was built in 1968. By the late 1970s, PLCs were being connected using modems, serial links, and proprietary protocols. Standards for interoperability and transport of industrial control protocols over Transmission Control Protocol/Internet Protocol (TCP/IP) emerged in the early 1990s, but control systems were still connected and managed over dedicated links or leased lines. But since about 2000, controlling industrial systems over the Internet has been growing rapidly. There are several drivers for this convergence: reduced cost, greater operational flexibility, and especially integration of industrial control and monitoring systems with business systems. The benefits are substantial, but exposing industrial systems to direct or indirect access from the Internet imposes substantial risks. Control system components are generally designed for reliability, simplicity, and economy. Repeated tests by government, academic, and commercial labs have identified numerous vulnerabilities, consistently across the industry, for well over a decade. The trend toward connecting industrial control systems to the Internet, and integrating them with other Internet systems, is sometimes called “the industrial Internet,” as if it were a separate network – it is not.
Along with the convergence history sketched above, there is a parallel history of malicious activities directed at computers and data networks. That history is documented in multiple books and papers; only a few highlights are necessary to illustrate the growth of the threat. In the pre-Internet years, computers and networks were certainly subject to malicious acts, but they were relatively narrow in scope. Some early personal computer (PC) viruses propagated fairly widely, but were confined to a very narrow range of operating systems and applications. Military networks were subject to passive collection by nation-state actors, but that was expected and the risks posed were manageable; risks from passive collection can be managed with effective encryption.
In the early years of the global Internet, there were many large-scale malicious events, beginning with the Morris Worm in 1988, and continuing through the 1990s and into the early 2000s. While these infections garnered headlines, there was also a quiet growth of more sophisticated malware and capabilities for espionage. Also, with the growth of the World Wide Web (www), there was a corresponding growth in web defacement attacks. During much of this period, the value of information stored and business conducted on the Internet was modest. Many malicious actors were motivated by notoriety: releasing a virus that spread worldwide garnered acclaim from peers. Web sites were important to the image of a company or government agency, and thus web defacers attacked the element of value that was most accessible to them. The primary suppliers of computer and network technology also began to take security much more seriously during this period. As an example, in 1992, Microsoft's flagship product was Windows 3.1, which shipped with effectively no security; by 2000, their flagship Windows 2000 product included a broad array of security features.
In the most recent decade, convergence has driven large portions of our economy, government, and society onto the Internet. The increase of value and diversity of connected systems and services has driven a corresponding growth and diversification of malicious activities. For example, greater use of Internet services for banking was quickly followed by Internet crime targeting bank accounts and transactions. Similarly, as national governments and economies became more dependent on the Internet, governments around the world have increased their use of the Internet as a domain for collecting intelligence and pressuring rivals. Many nations, including the United States, have incorporated cyberspace operations into their military doctrine.
We have also seen the first Internet-borne attacks where effects have extended beyond cyberspace into the physical world. Most of the early ones were accidental, denials of service by PC malware infecting PCs used to manage industrial controls. But by 2008, it was clear that some actors were deliberately targeting power utilities to conduct extortion. In 2010, the Stuxnet worm was discovered; it appeared to have been targeted at a particular industrial installation, propagated over the Internet and other networks, and caused physical damage to that installation (as well as disruption elsewhere).
The clear message from history is this: attacks follow value. The more value and dependence we place on the Internet, the greater motivation malicious actors, criminals, and hostile regimes will have to operate there. We are in the early stages of the biggest convergence yet, and the assurance we will require will be commensurately great.
The IoT is a very broad phenomenon, ranging across nearly every sector of industry, many different technology standards, and geographic scales. It encompasses both the connected “things” and the various data analysis, management, and infrastructure services with which they interact. The data and interaction are the foundation for the benefits we expect to gain – a single car with an Internet connection might help one driver navigate to their destination, but when a majority of cars are connected, analytics and active management will keep traffic flowing efficiently across a city. Innovative companies are devising new models for analyzing data and acting on it in sectors like housing, transportation, manufacturing, healthcare, public safety, energy, retail, and more.
The standards landscape for IoT is complicated, and in many areas, standards are still emerging or evolving rapidly. Standards are essential for IoT because they foster interoperability, stability, and innovation. There are many areas where standards will be essential, but four are particularly relevant to IoT cyber-security.
Cellular communication – the radio spectrum is a finite, precious resource. As more devices join the Internet, managing the availability of that resource for all of them will be critical.
Personal Area Networks (PAN) – standards for very short-range data exchange among wearable and nearby devices are still evolving to support all the capabilities and assurances we will need.
Security and cryptography – most existing secure protocols, credential schemes, and other standards were designed for the world of desktop computers and enterprise servers. Standards will be needed to provide basic security services to large numbers of small, constrained devices. These services include identity and credential management, authorization, data protection, and more. As discussed below, IoT will impose new requirements in provisioning, efficiency, and scale.
Sensing and data management – some of IoT's greatest benefits will flow from sensing aspects of the physical world, and exposing that data for analysis and fusion in cyberspace. Standards will be needed for representing and managing vast amounts of sensor data.
IoT devices will use a variety of modalities in connecting to the Internet. Some will be accessible only when activated by something else, such as a radio frequency identification (RFID) tag reader. Others will have periodic interaction, delivering data or accepting commands, but otherwise quiet (e.g., an implanted medical device, a weather sensor). Many devices will expect continuous connectivity to deliver data or allow remote entities to exert real-time control (e.g., a smart TV, an electrical substation monitor) and still others will act as local gateways, supporting local interaction and providing Internet connectivity for other devices within their scope (e.g., a smart car, bus, or train).
As described above, IoT will offer us enormous benefits, but most of those benefits will depend on some form of trust. We will need confidence enough in the operation of IoT devices and supporting services to entrust them with control of physical systems and environments. We will need confidence that the data delivered from sensors is accurate in order to rely on them when making personal, business, and even military decisions. Establishing and maintaining necessary trust will be challenging in many ways. Complete and comprehensive trust is not usually possible, even for narrowly scoped traditional computers. Instead, we will need to build systems that can deliver specific kinds of trust. We will need trust management and associated assurances at several levels for IoT systems: individual devices, populations of devices, users, services, and infrastructure.
At the highest level, assurance for the IoT is just like assurance for other elements of cyberspace. But the scale and constraints of IoT, and the potential impacts of assurance failures, will mean that current strategies for achieving assurance will not be sufficient.
The five basic assurance properties are:
Authenticity – assurance that an entity claiming an identity does possess the right to use it. Assigning and authenticating identities will be challenging for IoT.
Integrity – assurance that information is created, modified, and deleted only by entities with the rights to do so.
Confidentiality – assurance that information is accessible or readable only by entities with requisite rights.
Availability – assurance that information or services are available or accessible under all the conditions under which they are supposed to be.
Non-repudiation – assurance that an action can be irrefutably bound to an accountable entity.
These assurances are primitives. By using and combining them, systems can offer higher order properties, such as privacy, legal compliance, or resilience. All of them will be important to the secure operation of IoT devices and the services they will support.
In addition to direct security risks to devices, IoT will have profound effects on the risk posture of the traditional systems and networks to which they are attached. Connecting a broad range of IoT devices to conventional networks will expand the attack surface of those networks. To support the devices, conventional networks will have to support a broader set of protocols and data formats, adding new potential for exploitable vulnerabilities. Finally, many IoT use cases bridge traditional trust boundaries, or require system owners to establish new trust relationships. Building assurance into IoT devices and systems will be essential for managing these risks too.
Achieving the basic assurance properties for conventional networks has proven extremely difficult – recent security incidents have shown us that our technical measures and practices are not sufficient to prevent adverse impacts from cyber-attacks. Achieving the basic properties will be even more difficult for IoT systems. Why? First, the scale and diversity of IoT will require approaches and standards that span a very wide range. Device capabilities vary along several axes, such as computation speed, data storage, and communication bandwidth. For connected devices, some of these capabilities will vary over six orders of magnitude or more, from tiny tags and sensors to smart vehicles and buildings.
Another challenge for supporting assurance for connected devices and services is their diversity of security needs. Some devices will need very tight access rights; for example, an implanted medical device will have very high integrity requirements, and should deliver data only to the patient and authorized doctors. In contrast, a weather sensor might offer data to any requester. Longevity will also present a challenge for assuring some IoT devices. Some devices will have the power and bandwidth to accept frequent security updates, but others will not. Some types of sensors, for example, will have to operate for years, and cannot be expected to receive any software updates or trust anchor updates in that time. This means that the security mechanisms built into such devices will need to be exceptionally simple and robust.
Finally, there will be many assurance challenges for IoT based on the relative immaturity of the law, policy, and practices for assuring IoT device data and access. Consider a smart building – what parties should be authorized to read the sensor data from the building's systems? The building owner? The tenants? The local fire department? Maintenance workers, such as plumbers or electricians? Each of these stakeholders has a good rationale for accessing portions of the building's data or adjusting aspects of the building's operation. But neither the technical controls, legal precedents, nor accepted practices are ready to support them.
The IoT will let us use the flexibility and power of information technology to sense, understand, manage, and optimize many aspects of the physical world, from wearables on a single person, to a retail store, to a highway system. We can only depend on IoT to do these things for us, and enjoy the corresponding benefits, if we have certain essential assurances. The list below is based on the fundamental properties, but is tuned to be actionable for designers and builders of IoT systems:
Assurance that collected data are valid (i.e., values reported are values sensed).
Assurance that access to collected data is appropriately constrained.
Assurance that control over devices is exercised only by authorized parties, and that those parties can be held accountable.
Assurance that applicable laws, regulations, and policies are enforced.
Assurance that the interactions between IoT systems and other cyber systems can be monitored and controlled.
Assurance that overall security properties continue to hold as individual devices or components are updated or replaced.
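The two lists above name the primitives (authenticity, integrity, non-repudiation) and the actionable assurances they must deliver ("values reported are values sensed", control by accountable parties). The block below is an added example, not code from the book or its contributors, showing what a constrained sensor can get from the cheapest mechanism available to it, a shared-key MAC over each report, and what it cannot. It assumes a per-device symmetric key provisioned before deployment and a monotonic sequence counter the device persists; the device identifiers, key bytes, and readings are constructed for illustration. A MAC gives the collector authenticity, integrity, and (with the counter) replay resistance, but because the collector holds the same key it can mint a report the sensor never sent, so the accountability assurance above needs an asymmetric signature rather than a MAC.

```python
# Added example (not from the book): a shared-key MAC over sensor reports,
# showing which of the five assurance primitives it delivers and which it does not.
# The per-device key, device IDs, and readings below are constructed for illustration.
import hashlib
import hmac
import json
from typing import Dict, Tuple


def canonical(body: dict) -> bytes:
    """Deterministic encoding so sensor and collector MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class Sensor:
    """Constrained device: one symmetric key, one counter, no clock needed."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.seq = 0  # monotonic counter; real firmware must persist it across reboots

    def report(self, value: float) -> dict:
        self.seq += 1
        body = {"id": self.device_id, "seq": self.seq, "value": value}
        return {"body": body, "tag": mac(self.key, body)}


class Collector:
    """Back-end that holds every device key and the last sequence number seen."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.last_seq: Dict[str, int] = {}

    def accept(self, msg: dict) -> Tuple[bool, str]:
        body = msg["body"]
        key = self.keys.get(body.get("id"))
        if key is None:
            return False, "unknown device"  # authenticity: no provisioned key, no trust
        # constant-time comparison; a plain == on the tag leaks timing
        if not hmac.compare_digest(mac(key, body), msg["tag"]):
            return False, "bad tag"  # integrity or authenticity failure
        if body["seq"] <= self.last_seq.get(body["id"], 0):
            return False, "replay"  # freshness: a captured report was resent
        self.last_seq[body["id"]] = body["seq"]
        return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    # constructed 32-byte key; in practice provisioned at manufacture or enrollment
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    sensor = Sensor("temp-0042", key)
    collector = Collector({"temp-0042": key})
    results: Dict[str, Tuple[bool, str]] = {}

    genuine = sensor.report(21.5)
    results["genuine"] = collector.accept(genuine)

    # on-path attacker rewrites the value but cannot recompute the tag
    tampered = {"body": dict(genuine["body"], value=99.0), "tag": genuine["tag"]}
    results["tampered"] = collector.accept(tampered)

    # attacker resends the captured genuine report unchanged
    results["replay"] = collector.accept(genuine)

    # a device for which the collector holds no key
    results["unknown"] = collector.accept(Sensor("rogue-1", b"x" * 32).report(1.0))

    # the collector itself holds the key, so it can mint a report the sensor
    # never sent: a MAC gives no non-repudiation against the key's other holder
    forged_body = {"id": "temp-0042", "seq": 50, "value": -40.0}
    forged = {"body": forged_body, "tag": mac(key, forged_body)}
    results["collector_forgery"] = collector.accept(forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18s} -> {outcome}")
```

The last case is the one to carry away: every party that can verify a MAC can also produce one, so a dispute between the device owner and the service operator over whether a reading or a command was genuine cannot be settled from the MAC alone. Where the text asks that parties "can be held accountable", the device needs a private signing key that the collector does not hold, which is also what makes the long-lived, never-updated sensors described earlier hard: the verifying trust anchor must be right on the day of manufacture.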
The most important security properties for IoT will be system properties, assurances that are offered by, qualified over, and dependent upon multiple layers of hardware and software, service providers, data aggregation middleware, and presentation systems.
The examples below examine the assurance challenges for four different IoT scenarios.
Example 1 – A medical implant with connection to the Internet can offer faster detection of health problems, more nuanced responses, and better overall health monitoring. The devices themselves are subject to serious limitations on size, power consumption, and connectivity. There are immediate risks to use of such a device – a cyber-attack against it might pose direct threat to the user's health and safety. But an attack that alters data reported by a device may also pose such a threat, because medical treatment might be based on it. There are also strong privacy concerns around the collected data. Assurance for data access will be complex, because there are multiple stakeholders: the patient, their doctors, hospitals, first responders, insurance companies, the device manufacturer, etc. Also, medical devices and health data are subject to a complex regulatory regime that is still adapting to cyber threats.
Example 2 – A connected car will support a wide variety of use cases, from simple collision avoidance to entertainment to maintenance to full autonomous operation. There are large potential benefits for transportation safety and efficiency. Such a complex system will also have a complicated authorization model, with different rights for the driver, the mechanic, the manufacturer, highway systems, and network infrastructure. Some operations will be subject to hard real-time constraints, while others involve communication with the global Internet. Interactions between vehicles and smart highway systems are still being defined, but imply a very close trust relationship. Recent vulnerability demonstrations by researchers have shown that current vehicle telematics systems do not enforce trust boundaries effectively; that will have to change. Lastly, connected cars will connect to a wide variety of other networks: in owners' homes, at maintenance facilities, and while on the highway. There will need to be very specific and bounded trust relationships between each car and these networks.
Example 3 – Smart buildings will contain a wide variety of sensors, actuators, and control systems for a wide variety of purposes: lighting, safety, heating and cooling, entry control, and more. Many of these systems are installed to improve the cost efficiency of a building, or to make it more hospitable to its users. There will be some privacy or confidentiality concerns for the collected data. But the primary risks will be based on control: abuse of the control systems within a building can make it uninhabitable or even damage it. Control integrity and authorization will be the key assurance concerns for smart buildings, but, as noted above, the set of authorized users for such buildings will be large and diverse. In addition to the exposure from connection to the Internet, many building automation technologies employ wireless networks, using standards such as Wi-Fi, ZigBee, and Bluetooth. These can leave the network of a building exposed to anyone within radio range of it.
Example 4 – Sensor networks offer the potential for monitoring physical conditions across many different environments and locales. An ocean sensor network, for example, might be composed of sensor buoys, communication relays, and other floating and anchored elements. The components of the network will be widely distributed and subject to harsh conditions and uncertain connectivity. The components may be power-constrained, expected to operate for long periods on stored power. The data collected from such sensors may be public, but their integrity may be critical for ocean navigation and weather prediction. Data from the sensor network will be fused with other sources in analytic systems, where there is likely to be much greater value to attract threat actors. This implies a need to manage the trust between the sensor network and the analysis systems, so that compromise of a sensor cannot propagate upward.
These four examples show several common elements. First, integrity is a crucial concern for most IoT use cases: integrity of reported data, and integrity of control. Second, many of the suppliers that produce components for the various IoT sectors have not, historically, had to worry about cyber-assurance for their products; it is only now that their products are exposed to such threats. Third, there is no simple or universal model for trust relationships in these use cases. Each of them includes a variety of stakeholders with different roles and rights. Finally, none of the connected devices in these use cases operate independently; they all interact with other infrastructures and systems, and both inherit risks from and impose risks on those systems.
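The two integrity concerns drawn together here (valid reported data and control exercised only by authorized, accountable parties), together with the trust boundary the ocean sensor example calls for between the sensor network and the analysis systems, can be made concrete at the point where sensor traffic enters the aggregation layer. The Python below is an added example written for this page, not code from the book or from any of its contributors; the device identifiers, keys, rights table, plausibility bounds and message format are all constructed for illustration. It authenticates every message with a per-identity HMAC, rejects replays with a per-sender monotonic counter, refuses commands from an identity that holds only reporting rights (so a compromised buoy cannot become a controller), rejects authentic readings outside the physical range of the sensor, and records a verdict for every message so that accepted data and commands can be traced to a responsible identity.

```python
import hashlib
import hmac
import json

# Constructed per-identity keys; in a real deployment they come from device
# provisioning and would never sit in source code.
DEVICE_KEYS = {
    "buoy-017": bytes.fromhex(
        "6f3a0c9e1b4d2a7f8e5c3b1a9d7e6f4c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e"),
    "ops-console": bytes.fromhex(
        "0b1a2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"),
}
# Rights bound to each identity: a sensor may only report, an operator may command.
DEVICE_RIGHTS = {
    "buoy-017": {"report"},
    "ops-console": {"report", "command"},
}
# Physical range each reported quantity can plausibly take (constructed bounds).
PLAUSIBLE = {"sea_temp_c": (-2.5, 40.0)}


def canonical(body):
    """Deterministic byte encoding so sender and verifier MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(sender, key, counter, kind, payload):
    """Build a message whose identity, counter, kind and payload are all
    covered by an HMAC-SHA256 tag under the sender's key."""
    body = {"id": sender, "ctr": counter, "kind": kind, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, tag=tag)


class Gateway:
    """Trust boundary between the sensor network and the analysis systems.
    Each message is authenticated, checked against the sender's monotonic
    counter and rights, range-checked, and logged for accountability."""

    def __init__(self, keys, rights):
        self.keys = keys
        self.rights = rights
        self.last_ctr = {}   # highest counter accepted per sender
        self.audit = []      # (sender, counter, kind, verdict) for every message

    def _decide(self, msg):
        sender = msg.get("id")
        key = self.keys.get(sender)
        if key is None:
            return "unknown-identity"
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "bad-tag"          # altered in transit, or not from this key
        # Fields are trusted only from here on, because the tag covers them.
        ctr = msg.get("ctr")
        if not isinstance(ctr, int) or ctr <= self.last_ctr.get(sender, 0):
            return "replay"           # reused or stale counter
        if msg.get("kind") not in self.rights.get(sender, set()):
            return "not-authorized"   # valid key, but not a right this identity holds
        payload = msg.get("payload")
        if msg["kind"] == "report":
            if not isinstance(payload, dict):
                return "implausible"
            for quantity, value in payload.items():
                bounds = PLAUSIBLE.get(quantity)
                if (bounds is None or not isinstance(value, (int, float))
                        or not bounds[0] <= value <= bounds[1]):
                    return "implausible"  # authentic, but cannot be what was sensed
        self.last_ctr[sender] = ctr   # consume the counter only on acceptance
        return "accepted"

    def receive(self, msg):
        verdict = self._decide(msg)
        self.audit.append((msg.get("id"), msg.get("ctr"), msg.get("kind"), verdict))
        return verdict


def demo():
    """Run a constructed traffic sample through one gateway; returns the
    verdicts in order and the audit trail."""
    gw = Gateway(DEVICE_KEYS, DEVICE_RIGHTS)
    k_buoy, k_ops = DEVICE_KEYS["buoy-017"], DEVICE_KEYS["ops-console"]
    report = make_message("buoy-017", k_buoy, 1, "report", {"sea_temp_c": 14.2})
    tampered = dict(report, payload={"sea_temp_c": 31.7})   # value altered after signing
    forged_cmd = make_message("buoy-017", k_buoy, 2, "command", {"relay_power": "off"})
    op_cmd = make_message("ops-console", k_ops, 1, "command", {"relay_power": "off"})
    stranger = make_message("buoy-999", b"guessed-key", 1, "report", {"sea_temp_c": 10.0})
    wild = make_message("buoy-017", k_buoy, 2, "report", {"sea_temp_c": 99.0})
    traffic = [report, report, tampered, forged_cmd, op_cmd, stranger, wild]
    return [gw.receive(m) for m in traffic], gw.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The order of the checks matters: the counter and rights are read only after the tag has been verified, because until then nothing in the message can be believed, and the counter is consumed only when a message is accepted, so a rejected forgery cannot be used to burn a legitimate sensor's next reading. The range check shows the limit of what authentication alone buys: a compromised buoy can still report a false value that lies inside the plausible range, which is why the fusion layer above the gateway should cross-check neighbouring sensors rather than trust any one of them.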
Researchers, academics, professionals, and science-practitioners have a lot of work ahead to create an assured and trustworthy IoT. Research is already underway and needs to continue. Standards bodies and consortia have taken up the challenge of building security into many of the standards required. The next step is for the broader community (manufacturers, service providers, data aggregators) to build assurance into their offerings, and for users to demand it. We do not yet know all the assurances and security features that the IoT will require, but we know some that will be essential. That kind of partial knowledge, and learning while building, has been a feature of every major convergence leading to today's Internet environment. We can learn as we build, but we must build in the essentials at every step. Some of those essentials are listed below, and explored more fully in the chapters of this book.
Basic security properties, the fundamentals, must be designed into IoT devices, infrastructures, and back-end analysis systems. The security designs must reflect IoT requirements and constraints, and must enable high-level assurance as end-to-end guarantees. Chapters 1 and 2 explore general facets of designing cyber-assurance for the IoT. Provisioning identities for IoT devices and services, and managing the credentials, attributes, and rights associated with those identities, will be critical for supporting high-level assurance properties like privacy and access control. Several chapters touch on this area. IoT devices must be able to integrate securely into existing network services and enterprise IT environments; this will require certain security features in the devices themselves, such as the secure update mechanism Chapter 3 describes, and substantial evolution in the way enterprises handle trust boundaries, the very challenging area that Chapter 5 explores. Establishing and maintaining assurance for IoT systems will depend on trust management services, which will have to extend from individual devices to high-level data analysis services; Chapter 4 examines trust management schemes for ad hoc and sensor networks. Chapter 6 reviews the privacy and security concerns of wearable computing, while Chapter 7 focuses on the vulnerabilities of consumer-environment control systems built on IoT feedback loops. Chapter 8 examines approaches that leverage Big Data techniques to enhance IoT provenance, which is itself only one of multiple measures needed to improve cyber-assurance. Assurance is not something that can be established once and then forgotten; it must be actively managed, measured, and maintained, and Chapter 9 explores the more general challenge of assessing security mechanisms. Chapter 10 examines the role of artificial intelligence in cyber-assurance, and Chapter 11 explores threats to cyber-physical systems for the IoT.
To ensure that the essential assurance elements are built into the devices and systems that will comprise the Internet of Things, it is necessary to raise awareness about the challenges and possible solutions. This book is one step in that direction. By raising tough issues, and presenting potential solutions, it will encourage discussion and debate, expose engineers and designers to new strategies and emerging standards, and promote active development of cyber-assurance. With those assurances, we will be able to take full advantage of the potential benefits of the IoT.
The Internet of Things (IoT) has resulted in the widespread deployment of a relatively immature technology. There are many significant challenges faced by the programmers, designers, and implementers of IoT technologies in ensuring that the level of security afforded is appropriate. As innovative IoT technologies will rely increasingly on wireless technologies, there are numerous complex considerations which must be taken into account when deploying wireless infrastructures, and without adequate forethought their use may be ill-advised. Researchers and commercial organizations are predicting that there will be 50 billion devices connected to the Internet by 2020 [1] and a potential economic impact, including consumer surplus, of as much as $11.1 trillion per year in 2025 for IoT applications [2]. IoT networks will become popular because they can be deployed quickly with very little equipment infrastructure. These networks also lend themselves well to environments with populations of transient users. The possible applications of the IoT are almost limitless, and organizations throughout the world have been quick to realize its potential.
The heavy use of wireless equipment and technologies makes IoT operation complicated. At the same time, the processing of data in transit and data at rest is accelerating, and attention is shifting to how data are delivered to IoT systems; each such shift brings swift and constant change in the tactics of information security. In such a complex and ever-changing environment, organizations must pay attention to the information security tools and techniques available for defeating cyber-attacks. The future IoT platform will have to operate in a very harsh environment in which advanced persistent threats (APTs) endanger the information being processed. These threats span IoT network security, information security, and physical security, and appropriate countermeasures must be adopted to seize the initiative in confronting cyber-attacks. The primary measures include deploying several kinds of technical defenses, strengthening the security design of IoT networks and devices, and undertaking research into, and production of, such networks and devices.
This book presents the concept of a cyber-assurance approach to the IoT. It is intended to help readers understand the variety of cyber-assurance techniques and technologies that support the task of seeking out defects which a cyber-attacker could successfully target as exploitable vulnerabilities. Furthermore, this book will support information security, assurance, and IoT industry practitioners' understanding of how to design and build cyber-assurance into the IoT. The target audience of this book will be those researchers, professionals, and students working in the fields of wireless technologies, information system theory, systems engineering, information security architecture, and security system design, along with university professors and researchers involved in cyber-assurance and IoT-related networking.
Through a collection of edited essays from cyber-assurance, information assurance, information security, and IoT industry practitioners and experts, this book is written for graduate students, researchers, and academics who want to improve their understanding of the latest developments in cyber-assurance for the IoT. IoT networks present unique information assurance (IA) challenges, and there will be heavy reliance on them for the secure communication of urgent and time-sensitive information.
Chapter 1: provides an approach intended to design security in the categories of (1) IoT secure-by-design systems and (2) processes and procedures that minimize human error and vulnerability introduction through the building of hardware and software components.
Chapter 2: provides the concept of automatically securing Internet of Things networks and devices through an embedded sensor which identifies cyber-attacks and mitigates any threats to the device and network before continuing to process the data.
Chapter 3: discusses a potential set of uniform methods for securely updating IoT devices, which could be applied to devices of any form factor or function by categorizing an IoT device based on its crypto processing ability, available storage, and how it achieves network connectivity.
Chapter 4: explains vulnerabilities in ad hoc and sensor networks and elucidates the design attributes of trust management schemes, with their respective design metrics and analysis.
Chapter 5: discusses the two sides to the trust boundary discussion: how an approved IoT device affects the security posture when accepted into the trust boundary of a network and how an unapproved IoT device affects the security posture when interacting with devices that fall within the trust boundary of a network.
Chapter 6: reviews a Fitbit wearable device experiment and its relations to privacy/security concerns about wearable IoT devices.
Chapter 7: deals with a specific area where IoT sensor devices are applied, feedback loops in the consumer environment, highlighting vulnerabilities in areas such as automatic control theory, control systems engineering, information technology, data science, technical standards, and many others.
Chapter 8: reviews how the systematic exploitation of two broad trends in computing, complex event processing and Big Data, presents opportunities for enhancing provenance and related aspects of IoT security.
Chapter 9: identifies a framework that simplifies and aggregates the functionality of security-critical things (e.g., embedded devices, tags, actuators, smart objects) in a cloud-of-things architecture.
Chapter 10: discusses an artificial intelligence approach toward ensuring cyber-assurance for the IoT.
Chapter 11: evaluates a proposed approach for cyber-physical systems that helps derive a set of input requirements and provides a mechanism for automated threat detection and assessment for the IoT.
TYSON T. BROOKS
[1] http://blogs.cisco.com/news/cisco-connections-counter
[2] http://www.mckinsey.de/sites/mck_files/files/unlocking_the_potential_of_the_internet_of_things_full_report.pdf
I would first like to give honor to my Lord and Savior Jesus Christ, from whom all my blessings come. To my parents, my dad [the late] F. Burrell Brooks and my mom, W. Michelle Brooks, and my entire family for all their love and encouragement. An extra special thanks to my lovely wife Lisa and children, Tyson Jr. and Taylor, for always supporting and loving me in whatever initiative "keeps me on the computer."
I would also like to thank IEEE, the U.S. Department of Defense, and the faculty and staff of Syracuse University's Center for Information and Systems Assurance and Trust (CISAT) and the School of Information Studies (iSchool) for all the guidance, direction, support, and encouragement in assisting me in pursuing my passion for research over the years.
TYSON T. BROOKS
M. BALA KRISHNA
received a B.E. in Computer Engineering from Delhi Institute of Technology (presently Netaji Subhash Institute of Technology), University of Delhi, Delhi, India, and an M.Tech. in Information Technology from University School of Information Technology (presently University School of Information and Communication Technology), Guru Gobind Singh Indraprastha University, New Delhi, India. Dr. Krishna received his Ph.D. in Computer Engineering from JMI Central University, New Delhi, India. Dr. Krishna previously worked as Senior Research Associate and Project Associate at the Indian Institute of Technology, Delhi, India, in the areas of digital systems and embedded systems. Dr. Krishna has worked as a faculty member and has handled projects related to networking and communication. Dr. Krishna is presently working as Assistant Professor in the University School of Information and Communication Technology, Guru Gobind Singh Indraprastha University. Dr. Krishna's areas of interest include computer networks, wireless networking and communications, mobile and ubiquitous computing, and embedded system design. Dr. Krishna has publications in international journals, conferences, and book chapters. Dr. Krishna's teaching areas include wireless networks, mobile computing, data and computer communications, embedded systems, programming languages, etc. Dr. Krishna's current research work includes wireless ad hoc and sensor networks, green networking and communications, cognitive networks, and advances in mobile computing and communications. Dr. Krishna is a member of various IEEE and ACM technical societies and international conferences.
TYSON T. BROOKS
is an information security technologist, science-practitioner, and an adjunct professor in the School of Information Studies (iSchool) at Syracuse University, Syracuse, NY, and also works with the Center for Information and Systems Assurance and Trust (CISAT) at Syracuse University. Dr. Brooks has over 20 years of professional experience in the design, development, and production of complex information systems, as well as in leading the effort to develop secure information systems architectures. Dr. Brooks's expertise includes work in the areas of information assurance, cyber-security, enterprise architecture, and network-based intrusion analysis in both the public and private sectors. Dr. Brooks is the Founder/Editor-in-Chief of the International Journal of Internet of Things and Cyber-Assurance (IJITCA), an Associate Editor for IEEE Access, the Journal of Enterprise Architecture (JEA), the International Journal of Cloud Computing and Services Science (IJ-CLOSER), and the International Journal of Information and Network Security (IJINS), and is also a reviewer for the IEEE Internet of Things Journal. Dr. Brooks received his doctorate in Information Management from Syracuse University and holds a master's degree in Information and Telecommunications Systems from Johns Hopkins University, a master's degree in Business Administration from Thomas More College, and a bachelor's degree in Business Administration/Management from Kentucky State University. Dr. Brooks is also a senior member of the Institute of Electrical and Electronics Engineers (IEEE) and a member of the Project Management Institute (PMI) and the Association of Enterprise Architects (AEA).
SHIU-KAI CHIN
is a Professor in the Department of Electrical Engineering and Computer Science and a Provost Faculty Fellow focused on strategic planning at Syracuse University, Syracuse, NY. Dr. Chin is Co-director of the Center for Information and Systems Assurance and Trust (CISAT) and is affiliated with the Institute for National Security and Counterterrorism. Dr. Chin's research applies mathematical logic to the engineering of trustworthy systems and supports the research program of the Air Force Research Laboratory's Information Directorate in trustworthy systems and hardware-based computer security. Dr. Chin's research focus is on access control and policy-based design and verification. With JP Morgan Chase, Dr. Chin applies his research to reasoning about credentials and entitlements in large-value commercial transactions. Dr. Chin is co-author, with Dr. Susan Older, of the textbook Access Control, Security, and Trust: A Logical Approach, CRC Press, 2010. Dr. Chin served as the Interim Dean of the L.C. Smith College of Engineering and Computer Science from 2006 to 2008. From 1998 until 2006, he was Director of the Center for Advanced Systems Engineering (CASE) at Syracuse University – a New York State Center of Advanced Technology funded by the New York State Foundation for Science, Technology, and Innovation (NYSTAR).
MARTIN GOLDBERG
graduated from Baruch College – City University of New York (CUNY) with a BBA in Computer Information Systems and proceeded to work in private industry for 8 years. Following that, Mr. Goldberg took part in the National Science Foundation's (NSF) Scholarship for Service (SFS) program, graduating from the Polytechnic Institute of New York University (NYU Poly) with an M.S. in Computer Science. Upon graduating from NYU Poly in 2005, Mr. Goldberg joined the U.S. Department of Defense, Fort Meade, MD.
UTKU KÖSE
received a B.S. in Computer Education from Gazi University, Turkey, an M.S. in Computer Science from Afyon Kocatepe University, Turkey, and a D.S./Ph.D. in Computer Engineering from Selcuk University, Turkey. Between 2009 and 2011, Dr. Köse worked as a Research Assistant at Afyon Kocatepe University. Dr. Köse also worked as Lecturer and Vocational School Vice Director at Afyon Kocatepe University between 2011 and 2012. Currently, Dr. Köse is a Lecturer at Usak University, Usak, Turkey, and also Director of the Computer Sciences Application and Research Center at Usak University. Dr. Utku Köse's research interests include artificial intelligence, chaos theory, distance education, e-learning, computer education, and computer science.
CHRISTOPHER LEBERKNIGHT
received a B.A. in Computer Science from Rutgers University, New Brunswick, NJ, and an M.S. in Computer Science and a Ph.D. in Information Systems from the New Jersey Institute of Technology (NJIT), Newark, NJ. Dr. Leberknight began his academic career as a Postdoctoral Research Associate in the Department of Electrical Engineering at Princeton University, followed by an appointment as an Assistant Professor in the Computer Science Department at William Paterson University. Dr. Leberknight's primary research interests are networking and social computing, and his research has been published in top-tier journals as well as at national and international conferences. In addition to his academic experience, Dr. Leberknight has over 10 years of professional experience in the computer and telecommunication industries and served as the CEO of two start-up companies. Dr. Leberknight also has experience with decision support and location-aware systems (Patent no. 7,406,448). Dr. Leberknight is a member of the Institute of Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), and the Association for Information Systems (AIS). Dr. Leberknight also serves on the Editorial Boards of the Journal of Privacy and Information Security, the International Journal of Internet of Things and Cyber-Assurance, and the International Journal of E-Politics.
MARTHA LERSKI,
a graduate of the University of Pennsylvania, is an instructor and business librarian at Lehman College, CUNY, Bronx, NY. Ms. Lerski's early career work in currencies in the Finance Division of Swiss Bank supports her continued interest in global information flows, including arts metadata. Ms. Lerski studied Digital Libraries at Syracuse University, Syracuse, NY, and holds an MLS from Queens College.
ROBERT MCCLOUD
is Distinguished Global Professor and Associate Professor of Computer Science at Sacred Heart University, Fairfield, CT. In his 16 years as a faculty member, he has published one e-book and three print books in addition to many research articles. Dr. McCloud has also been awarded five international fellowships, including two Fulbrights and a World Bank research grant.
LEE MCKNIGHT
is Kauffman Professor of Entrepreneurship and Innovation and Associate Professor in the iSchool (The School of Information Studies), Syracuse University, Syracuse, NY. Dr. McKnight was Principal Investigator of the National Science Foundation Partnerships for Wireless Grids Innovation Testbed (WiGiT) project 2009–2014, which was the recipient of the 2011 TACNY Award for Technology Project of the Year. Dr. McKnight is the inventor of Edgeware, a new class of software for creating secure ad hoc overlay cloud-to-edge applications, known as Gridlets and Wiglets. Dr. McKnight's research focuses on cloud-to-edge services and policy, virtual markets and wireless grids, the global information economy, national and international technology policy, and Internet governance. Dr. McKnight was an Associate Professor of International Information and Communication and Director of the Edward R. Murrow Center at the Fletcher School of Law and Diplomacy, Tufts University; Principal Research Associate and Lecturer at MIT; and founder of the Internet Telephony Consortium, also at MIT. Dr. McKnight served on the Enterprise Cloud Leadership Council of TM Forum and as a member of the IEEE P2030.4 smart grid interoperability task force. Dr. McKnight is the founder and was a member of the Board of Directors of Wireless Grids Corporation, 2004–2014, and was a founding member of the Board of Directors of Summerhill Biomass Systems, 2007–2013. Dr. McKnight received his doctorate in 1989 from MIT; an M.A. from the School of Advanced International Studies, Johns Hopkins University, in 1981; and a B.A. magna cum laude from Tufts University in 1978.
MARTIN MURILLO
works as a Data Scientist with the University of Notre Dame, South Bend, IN. Dr. Murillo holds a Ph.D. in Optimal Control Systems and an M.S. in Measurement and Control Systems. Dr. Murillo has authored various papers in control systems theory and applications and has also focused on other topics that bridge technology, policy, and governance. Currently, Dr. Murillo focuses on the study of the vulnerability of political and administrative entities in the context of climate change, the emergence of smart cities, and already existing vulnerable cyber-physical infrastructure. Dr. Murillo has worked in industry leading the design and implementation of security and control modules for dedicated short-range communications applications for vehicles and road structures. Dr. Murillo has served in various leadership positions in the IEEE, including managing several humanitarian initiatives.
NICOLE NEWMEYER
