End-to-end Security and Privacy by Design for IoT
by Jared Bielby (IEEE), Ali Kashif Bashir, Senior Member IEEE (Osaka University, Japan), George Corser (Saginaw Valley State University)
Of the selected issues coming out of the Experts in Technology and Policy events chosen for further research and follow-up, the question of End-to-end Security and Privacy by Design for the IoT has emerged as both timely and relevant to IEEE’s goal of advancing technology for humanity. Hosted by the Collabratec platform, the question has been posed to a selected team of experts and policy advisors for further engagement. Led by George Corser, whose research at Saginaw Valley State University examines location privacy and security protocols in Internet-of-Things, the team is currently working towards the completion of a collaboratively written white paper that proposes a set of definitions and best practices for End-to-end Security and Privacy by Design for the IoT.
The goal of the white paper is to establish definitions and best practices that are comprehensible by laypeople but at the same time applicable to security policy-making and rigorous from a technical perspective. The authors of the white paper agree that terminologies and best practices may be tailored to specific knowledge domains while maintaining a general readability useful as a reference point to experts and non-experts alike. As such, the primary contributions of the white paper will focus on (1) a list of IoT terminologies, (2) diagrams of the IoT system model and threat model, and (3) a list of best practices for security and privacy in IoT.
The Internet of Things’ Applications and Services:
The Internet of Things, or IoT, has introduced a new set of terminologies as well as a fairly significant paradigm change in the way information transactions take place. Technologists, consumers, governments and corporations alike, are scrambling to work together to secure these new systems. The task at hand requires the establishment of accurate terminologies and definitions of security and privacy for IoT that are useful to the public as well as to the experts. It is also necessary to describe the relationships between IoT components and to identify threats and risks towards the development of guidelines that serve as a basis for IoT security and privacy standards, certifications, laws and policies. First and foremost, it is critical to determine a common understanding of what is meant by IoT.
The Internet has, since its inception, transformed our daily life by proliferating connections between people and information through devices such as laptop computers, tablets and smart phones. In addition, the reach of the Internet has recently expanded to include a far wider range of devices including sensors and actuators that enables increased automation in domains including energy management, health monitoring, smart buildings, intelligent transportation, and industrial manufacturing systems. Because more devices are now able to communicate with each other and make smart decisions without human involvement, such expanded Internet connectivity has been termed as the Internet-of-Things. And as with so many emerging technologies, the IoT presents new security and privacy challenges.
It won’t be long before many, if not most Internet transactions take place without human interaction. For example, a self-driving car, say Tesla’s new Model 3, may drive all day without a person ever present in the vehicle; may park and electronically pay a fee for parking, then later electronically pay a toll while passing through a toll booth. A smart manufacturing facility will be able to adjust thermostats in buildings without the need for human intervention and monitoring. Without physically observing the complex network of IoT systems in operation, both technologists and consumers will be hard pressed to detect security vulnerabilities. More than ever it will become vital for collaboration between technologists and non-technologists towards a goal of securing computer and information systems, an impossible task without a common terminology and a common understanding of best practices.
There are, however, several barriers to establishing a common ground. For one thing, technologists are often prone to building systems independent of other systems, resulting in less than ideal piecemeal applications for companies and consumers at the best of times. Sometimes, technologists in different computing sub-domains use the same terms but mean different things (ex: DOS on IBM mainframe v. DOS on IBM PC v. DOS as denial-of-service attack). How much more will such a scenario impact the application of IoT? On the other hand, consumers and laypeople tend to use multiple systems in unpredictable ways, often in an attempt to manually tailor them to their own perceived preferences. The problem is complex since technologies change and proliferates so quickly that shared terminology can barely be established let along standardized.
Vulnerabilities and Threats:
Developing a common language for IoT is only the first step towards understanding the complexity of the potential threats against it, and there is no shortage of possible vulnerabilities awaiting IoT. Understanding the language along with establishing best practices should at least prepare consumers and technologists for the intricacy of potential misuse in IoT. Consider, for example, the abuse of connections between an infotainment system and a safety-critical system, such as an automotive braking system. A hacker can access a Jeep’s entertainment system to activate its brakes. Consider also the potential misuses of a fitness tracker against an ATM machine, where the fitness tracker can be hacked and used to guess an ATM PIN code based on the motion and movements of the wrist. The same technique could be used to guess the PIN code of a keypad lock to secured areas. How can such vulnerabilities best be identified and addressed in the early stages of design, thus protecting assets, security and privacy from the start?
IEEE, Policy and Best Practices in IoT:
While the discussion around IoT has burgeoned in recent years, there is much yet to understand about its nature, particularly in terms of best practices. It may be fair to acknowledge that much of our command of IoT, including best practices, will have to develop with, or even after its inception in common spaces. The Internet Technology Policy community is set to face the challenge full on. While the above concerns of terminology and definition coalesce, as does an effort to design security and privacy in IoT, the more complex domain of policy has already come to bear. Establishing a common ground for policymakers and technologists towards standards will enhance efficiency and security for consumers at every level. The Internet Technology Community and its Experts in Technology and Policy will continue to collaborate on the development of a proposal for End-to-end Security and Privacy by Design for the IoT in addition to addressing several other policy issues currently confronting digital culture.
Jared Bielby received a double master’s degree at the University of Alberta, Canada in information science and digital humanities with a thesis route in the field of information ethics. He works as an independent consultant in information ethics and internet governance. He currently serves as co-chair for the International Center for Information Ethics and editor for the International Review of Information Ethics. He is moderator and content writer for the Institute of Electrical and Electronics Engineers’ (IEEE) Collabratec Internet Technology Policy Forum (IEEE-ITP) and is founder and editor-in-chief of The Freelance Netizen.
Dr. Ali Kashif Bashir received his Ph.D. in Computer Science and Engineering from Korea University, South Korea. He is currently working for Graduate School of Information Science and Technology, Osaka University. Dr. Ali is a senior member of IEEE and an active member of ACM and IEICE. He has given several invited and keynote talks and is a reviewer of top journals and conferences. His research interests include: cloud computing (NFV/SDN), network virtualization, IoT, network security, wireless networks, etc. He is also serving IEEE Internet Technology Policy eNewsletter as editor in chief.
George Corser, PhD candidate, Oakland University Computer Science and Engineering (CSE) department, holds a bachelor’s degree in Civil Engineering from Princeton University and a master’s in Computer and Information Sciences from the University of Michigan-Flint. His current research focuses on the Vehicular Ad-hoc Network (VANET), specifically in the areas of security and privacy. In 2012 he wrote two award-winning papers in the fields of network and cyber security and professional associations membership. He also published an educational YouTube channel which as of May, 2013 had over 200 subscribers and 50,000 views. Prior to joining Oakland University, he managed technical recruiting operations in the United States and South Korea, filling positions for technical professionals, managers and executives worldwide. For more details, visit www.georgecorser.com
Dr. Rasheed Hussain received his B.S. in Computer Software Engineering from N-W.F.P University of Engineering and Technology, Peshawar, Pakistan in 2007, MS and PhD degrees in Computer Engineering from Hanyang University, South Korea in 2010 and February 2015, respectively. He also worked as a Postdoctoral Research Fellow in Hanyang University South Korea from March 2015 till August 2015. Furthermore, he worked as a Guest researcher in University of Amsterdam (UvA), Netherlands and consultant for Innopolis University, Russia from September 2015 till June 2016. Dr. Hussain is currently working as Assistant Professor at Innopolis University, Russia and establishing a new Masters program (Secure System and Network Engineering). He has authored and co-authored more than 45 papers in renowned national and international journals and conferences. He serves as reviewer for many journals from IEEE, Springer, Elsevier, and IET that include IEEE Sensors Journal, IEEE TVT, IEEE T-ITS, IEEE TIE, IEEE Comm. Magazine, Elsevier ADHOC, Elsevier JPDC, Elsevier VehCom, Springer WIRE, Springer JNSM, and many more. He also served as reviewer and/or TPC for renowned international conferences of repute including IEEE INFOCOM, IEEE GLOBECOM, IEEE VTC, IEEE VNC, IEEE ICC, IEEE PCCC, IEEE NoF, and many more.