Chapter 1

Introduction—What Is IoT?

Introducing the Reader to IoT

Not long ago, a friend was visiting me in Birmingham, and, as usual, we engaged in a conversation about our career goals and projects. She is currently based in London and works as a human resources director of a well-known multinational company. When I told her, once again, that my work was related to research on cybersecurity risks of the Internet of Things (IoT), she said: “You know, my friend, everybody talks about IoT and I still cannot understand what it is.” Her day-to-day work is about dealing a lot more with people than with technologies. Nevertheless, in today’s world everybody uses technology, even if it is not their main field of endeavor. Therefore, I believe it is important for everybody to acquire at least a general understanding of how some things that we use every day work, particularly if they introduce risks that you might not be aware of. Maybe you do not currently use IoT every day, but I am sure you will, at some point in the not-too-distant future. You may also have to decide whether to use it or not in your business and how. In many cases, IoT can be a useful solution to many business problems, so you will probably decide to go for it. Just remember that this means that you will be introducing new risks to your organization. Managing these risks is extremely important, since whether IoT works for the benefit of the organization rather than against it depends on it. In other words, a good cost-benefit balance should be ensured, by preventing and controlling potential negative impacts caused by cyberincidents.

I believe that every person who could potentially make use of IoT should have at least a general idea of what it means. Moreover, anybody who has to make a decision about designing, building, buying, or implementing an IoT solution should know the basics of it, as well as the risks involved. Even my neighbor who is considering getting a smart thermostat for her house, just because her sister-in-law got one, should know as well, at least to a certain extent, what she is dealing with. It is not only businesses but also individuals that use IoT, and, according to Gartner, the consumer’s market for IoT is growing by leaps and bounds (Panetta 2017).

Before we look at what IoT is, it is important to understand that there is no consensus on a single definition. My favorite denotation for IoT is the one given by the European Union Agency for Network and Information Security (ENISA), which says that the term IoT “describes a wide ecosystem where interconnected devices and services collect, exchange and process data in order to adapt dynamically to a context” (ENISA 2017). I can imagine that for many this definition might mean absolutely nothing. I am sure at least that this is the case with many people I know who are not familiar with IT technical jargon. So to start this book, I must provide a definition that makes sense to a broad audience.

To make it simple: From the user’s perspective, IoT is everything that can interact with different sorts of computer devices, including mobile phones, tablets, and a variety of so-called “human–machine interfaces.” IoT, in most cases, is not autonomous; it depends on communication networks to get and send information and behaves according to rules that can be preprogrammed or learned by the devices. IoT devices can go from fairly “dumb” and simple, like a temperature sensor, to really smart and complex systems, like a smart vehicle, but in either case, they need to interact with their environment. This is what we call the context, which is the first aspect that we need to understand in a risk assessment.

IoT is not a technology but rather a term that encompasses a variety of technologies that differ according to the industry sector, application, and even the preferences of the manufacturer. Currently, there is no standard way to build an IoT system. Hence, IoT is not simple, because it is constructed through different layers of architecture that include computing devices, communication networks, and electronic or electromechanical equipment. On top of this, each layer can have its own “language” to communicate, which is referred to as a “communication protocol.”

Now, what is this book about and for whom is it written? Its intended audience is managers, executives, and business students who want to get familiar with the cybersecurity implications of IoT. Its main purpose is to help the reader to prepare for the risk landscape of the future—or maybe I should say of the present since, as you will read in these pages, IoT has already become an attractive target for malicious agents. The reasons for such a degree of risk are many, including the complexity of IoT systems, their lack of maturity regarding cybersecurity, and their high level of adoption. Many aspects of IoT cybersecurity need to be approached differently from how it is done in the case of regular information systems. The level of interaction with the real world is a key differentiator but not the only one. It is important to know these differences and the specific sorts of expertise that are required to manage IoT systems securely.

People who are keen to incorporate technology into different aspects of their lives, such as home automation, health and fitness smart devices, connected cars, and even toys for their children, might also benefit from reading this book, as it will help them gain awareness of the risks of introducing these devices into their personal spaces. If you have an aversion to technology, it may become even worse after reading this book, but the actual intention is, far from discouraging people from using technology, to encourage them to use it wisely. In summary, this book is mainly about being aware and understanding cybersecurity risks in IoT and about different ways to deal with them.

Figure 1.1 shows a simplified model of the interactions between IoT and the physical (real) world. Later in this book, some of the aspects of these interactions will be described in more detail.

It is believed that IoT is becoming the fourth industrial revolution. With several million devices already connected as you read, IoT has a presence in almost every industry domain, from transport, health care, sports and entertainment, heavy industry and manufacturing, to smart grid and utility services, temperature and environment control, public safety, and retail. There is a promising bright future around the corner, where things are smart and communicate with each other. The degree of development that different technologies have reached, including the current level of coverage, speed, and reliability of the Internet, has made it possible to realize many of the science fiction scenarios that we saw in the movies of the 20th century. Drones are nothing new anymore, people feed their pets and monitor their houses from their offices, driverless cars are being tested in different cities of the world, and I have recently heard that it is not rare to see robots in the streets of the city of Milton Keynes, in England. Soon these robots will be the ones delivering your pizza! Technology is meant to make processes more effective, efficient, and safer for people. Overall, the main idea of IoT is to make our lives better. IoT gives almost endless possibilities for innovation and creation of new business opportunities. It will also create new jobs, while at the same time eliminating some of the existing ones. Products, services, and professions that never existed or were never thought of before will continue to proliferate. We are finally living in the future!

So, with all this excitement, why are these security people so determined to point out all the possible things that can go wrong? I reckon we might be considered a bunch of party poopers. The truth is that IoT is giving cybercriminals more opportunities to develop new strategies for stealing data, committing fraud, and causing distress and chaos. Moreover, they are using these opportunities. Offices generally contain smart printers, routers, security cameras, and smart TVs used for videoconferences, which might not be within the scope of the cybersecurity policy. This means that these workplaces are easy targets for cyber-attackers. Industries rely heavily on automation, with more regard for performance and safety than for cybersecurity, leaving—sometimes unknowingly—many doors open for unauthorized agents to access their corporate information networks through these systems. Sometimes, they might even know about these “open doors,” but worrying about security is not their job. So if no formal risk assessment is being performed, they might be complacent, thinking “this will not happen to us”—which many times proves to be wrong! This book aims to be an eye-opener and a first approach to developing an insight into how cybersecurity and IoT connect in order to facilitate more informed decision making.

Building Blocks of IoT

To begin understanding these risks, it is important to first understand how IoT works, what its main characteristics are, and how it differs from regular computing systems in terms of cybersecurity management. So, at the outset, let us define the main building blocks of IoT.

Things

The so-called things are electronic or electromechanical devices that interact directly with the environment or, as we will call it here, the real world. Some of them are designed to extract information, others to perform actions, and some to do both. As people are part of the real world, some of the things have the means to interact with people.

These devices can have some of the following characteristics but not necessarily all of them:

  • Sensing: This means the devices are able to extract information from the environment, for example, physical variables such as temperature, pressure, humidity, weight, and electrical power. Web cameras that allow monitoring of images of a place are also considered sensing devices, as are sensors that detect presence, chemical components (such as the quality of the air or water), and human vital signs (such as heartbeats or blood pressure)—essentially, everything that reveals the status of something in the real world.
  • Actuation: This means devices that can perform an action in the real world. This action is performed through electrical or electromagnetic signals and can go from turning something on and off to controlling a drone. Actuation will usually involve mechanical devices such as motors and valves. A smart printer is also considered an actuator since it performs a physical action commanded through a computer system.
  • Computation: Some IoT devices serve a fixed purpose; they can sense a variable or receive commands to perform an action, but they cannot be programmed to do anything else. There are also IoT devices that are “smarter” and have more advanced computational capabilities. This means that they might even need to run an operating system to manage different pieces of software serving a variety of purposes. Even though they are not computers, they can be configured or even programmed to customize their behavior. This also means that they are susceptible to malware. Malware is a malicious piece of code, or “malicious” software, which is commonly used to attack computer systems. Malware has been developed specifically for certain types or groups of IoT systems.
  • Communication: Things need to communicate with each other and with the rest of the system. Many smart things will have their own means to communicate and be recognized by standard communication networks. For example, if a device is Internet protocol (IP) capable or able to be associated with an IP address, then it can be directly connected to the Internet.

    Some things are just capable of sending and receiving electrical or electromagnetic signals. These signals represent the variable that they are sensing or the commands that they are receiving, but they lack the capabilities to communicate under a certain protocol. Others might use more advanced communication protocols such as Controller Area Network (CAN) messages or Modbus, but these will not necessarily be compatible with standard communication protocols. In these cases, the devices communicate first with a gateway, which translates the data into a form that standard communication networks, for example, a local area network (LAN) or the Internet, can understand.

Communication Networks

An IoT system will rely on different communication networks to be able to function. The Industrial Internet Consortium differentiates three types of networks according to the parts of the system they are meant to link. These are the proximity network, the access network, and the service network (Industrial Internet Consortium 2015). We are going to borrow their definition since it is useful to make clear how different types of communication can interact in an IoT system.

  • Proximity network: It provides the means of connection between the things and the gateway that will serve as a bridge to connect them to a standard communication network. If all the devices are capable of connecting directly to a standard communication network, the proximity network might not be differentiated from the access network.
  • Access network: It controls the flows of data between the things and the computer systems that process and store the data.
  • Service network: It allows the connection of the system to the platforms that run higher-level software such as the interfaces where commands and rules are generated.

Communication can be between a thing and another thing, between a thing and a computer server (including cloud services), or between a thing and a human user.

Computer Systems

This part represents the platforms where different software services interact to make the IoT system work. Usually, there is a differentiation between the platforms that store and process the data and the software services that allow monitoring, executing commands, and configuring business rules. The former are usually in charge of orchestrating the different functions and flows of information between the different parts of the system. The latter usually allow for the interaction with human interfaces as well as with software belonging to the business domain such as enterprise risk management (ERM), customer relationship management (CRM), and business intelligence (BI) tools.

Human–Machine Interfaces (HMI)

An interface is a link between different components of a system. In this case, we are referring to the hardware and software that allow humans to interact with the system by accessing data, sending commands, or changing configuration parameters. There are usually different roles that a human can take in this interaction such as user, administrator, or developer. While the user will have a more limited range of actions that can be performed, the administrator and the developer will be able to make changes to the system. The communication between humans and the IoT systems can take place in one or more of the following ways:

  • Directly with the IoT device, through a touch screen, keyboard, or other means of interaction;
  • Through software that runs in a computing device such as a mobile phone, a tablet, or a computer; or
  • Through a dedicated interface, similar to the electronic totems or screens that are used in airports for checking in or retrieving information about flights. It is usual to see keyboards or touch screens as well in industrial environments as a means to interact with different machines.

While some IoT systems require little or no human interaction, others are designed to have a higher level of dependency on human inputs. It will all depend on the purpose of the system and its application. For example, some industries can have highly automated manufacturing processes where only monitoring is required and actions need to be performed by humans only when there is an abnormal event. This is also the case of an airplane flying in autopilot mode compared with one that is manually commanded. A smart device that monitors sugar levels in the blood of a patient and sends this data to a hospital’s system is another example of an IoT system that might not require its user to perform any action. On the other hand, a smart TV will require input from users to select their preferred programs and the times at which they wish to watch them. Figure 1.2 shows a general diagram of an IoT system and the interaction between different components.

A useful way to understand the different components of IoT and their interactions is through an architecture model that provides a view of the system from different perspectives. Most of these models define different tiers or layers to describe the deployment of IoT. At one end, there will be a layer that corresponds to the physical domain, and at the other will be the enterprise or management of the system. In between, there are hardware and software platforms, and communication networks that allow the interaction between different sorts of computer interfaces and the physical world. Although there is no standard definition for an IoT architecture, several models are available that can be useful to study the interactions of its components from different perspectives. To explore this further, it is a good idea to start with the Industrial Internet Consortium model, which is available online. Microsoft Azure has also made available online a great deal of information about its IoT security architecture. Finally, the IoT-A model also provides a complete view of IoT from different perspectives, including examples of use cases.

It should be noted that the description I made of the different IoT building blocks or elements is agnostic with regard to any type of technology. Most of the architecture models for IoT will also tend to be general, in order to cover diverse technologies used across a variety of IoT systems. Different industries have specific types of systems they often use to control their processes. Some of them precede the idea of IoT since they have been operating in these industries for decades. Therefore, they correspond to a special case where old technologies have been integrated with new ones. Examples of this are systems that are built based on Programmable Logic Controllers (PLC), Digital Direct Controllers (DDC), industrial computers, motor drives, microcontrollers, and microprocessors. These different types of controllers have been used to process information coming from the readings of sensors, such as temperature, pressure, humidity, weight, and position, and give commands to actuators like motors, switches, or valves.

Regarding communication networks, protocols used in the proximity network by the things or in the access network can be general-purpose ones, such as Bluetooth, Wi-Fi, and cellular networks, or specific protocols that have been developed for IoT, such as LoRa, ZigBee, and Z-Wave. In industry, it is more often the case that the sensors and actuators are wired and use protocols such as BACnet, LonWorks, Profibus, DNP3, OPC, and Modbus, or CAN-based protocols. All of these are industrial protocols that have been around for a while, and most of them were not developed having cybersecurity in mind since this was not a priority at the time. The protocol used depends on the different requirements of the system, such as distance range, speed, reliability, privacy, and compatibility with other devices, or simply the preference of the manufacturer and user. Overall, there are no standards for communication protocols for IoT, but it is usual that the access and service networks will make use of more standard technologies and communication protocols, since they connect to IT systems. The public Internet will therefore be a common means of communication for many IoT systems, and cloud computing will often be used as a handy way to store and process the data. Nonetheless, many applications and industries require using local or private networks for security and privacy reasons.
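The gateway role described in the Things section (a device that speaks Modbus on the proximity network, re-expressed for a LAN) and the remark above that these industrial protocols were not built with cybersecurity in mind, as an added Python example that is not code from the book: it verifies a Modbus RTU reply's CRC and structure before converting it to JSON, and applies a unit allow-list because the protocol itself carries no authentication. The unit ids, register map and sample frames are constructed for the illustration.

```python
import json

# Added example for this chapter, not code from the book: the unit ids,
# register map and sample frames below are constructed for the illustration.
FC_READ_HOLDING = 0x03   # Modbus "Read Holding Registers"
EXCEPTION_BIT = 0x80     # set in the function code of an exception reply


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble an RTU frame: unit id, function code, payload, CRC (low byte first)."""
    body = bytes([unit, function]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_holding_registers(frame: bytes) -> tuple:
    """Validate an RTU frame and return (unit, [register values]).

    Raises ValueError for anything the gateway should refuse to forward:
    truncated frames, CRC mismatch, exception replies, unexpected function codes.
    """
    if len(frame) < 5:  # unit + function + byte count + 2 CRC bytes minimum
        raise ValueError("frame too short")
    body, crc_bytes = frame[:-2], frame[-2:]
    if (crc_bytes[0] | (crc_bytes[1] << 8)) != crc16_modbus(body):
        raise ValueError("CRC mismatch")
    unit, function = body[0], body[1]
    if function & EXCEPTION_BIT:
        raise ValueError(f"device reported Modbus exception code {body[2]}")
    if function != FC_READ_HOLDING:
        raise ValueError(f"unexpected function code 0x{function:02x}")
    byte_count, data = body[2], body[3:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match payload")
    registers = [(data[i] << 8) | data[i + 1] for i in range(0, byte_count, 2)]
    return unit, registers


# Constructed policy: which units the gateway may forward and how their raw
# 16-bit values scale to engineering units. Modbus RTU carries no
# authentication and the CRC only catches transmission errors, so this
# allow-list is the gateway's own control, not something the protocol gives.
ALLOWED_UNITS = {
    0x11: [("temperature_c", 0.1), ("humidity_pct", 0.1)],
}


def to_lan_record(frame: bytes) -> str:
    """Turn a validated sensor reply into a JSON string for the access network."""
    unit, registers = parse_holding_registers(frame)
    if unit not in ALLOWED_UNITS:
        raise ValueError(f"unit 0x{unit:02x} is not on the gateway allow-list")
    fields = ALLOWED_UNITS[unit]
    if len(registers) != len(fields):
        raise ValueError("register count does not match the unit's map")
    record = {"unit": unit}
    for (name, scale), raw in zip(fields, registers):
        record[name] = round(raw * scale, 1)
    return json.dumps(record, sort_keys=True)


def forward_or_reject(frame: bytes) -> str:
    """What the gateway emits per frame: the JSON record, or a rejection reason."""
    try:
        return to_lan_record(frame)
    except ValueError as err:
        return f"rejected: {err}"


# Constructed sample: unit 0x11 answers Read Holding Registers with two
# registers, 0x0105 (26.1 C) and 0x01F4 (50.0 % RH).
SAMPLE_REPLY = build_frame(0x11, FC_READ_HOLDING, bytes([0x04, 0x01, 0x05, 0x01, 0xF4]))

if __name__ == "__main__":
    print(forward_or_reject(SAMPLE_REPLY))
    corrupted = bytearray(SAMPLE_REPLY)
    corrupted[4] ^= 0x01          # one flipped bit on the wire
    print(forward_or_reject(bytes(corrupted)))
    print(forward_or_reject(build_frame(0x11, 0x83, bytes([0x02]))))  # exception reply
```

The CRC check is the only integrity mechanism the frame offers, which is why the example makes the gateway, not the protocol, decide which units and function codes it will pass on to the LAN.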

Now that we have a better idea of what IoT is, we can explore some of its characteristics. If some readers have not gotten the complete picture yet, please be aware of the possibility of complex interactions between IoT components that vary from system to system. However, as long as you understand that IoT are connected things that can be controlled using computers, mobile phones, and tablets, it is enough for now. As you progress through the chapters, many things should become clearer.

As already mentioned, a single IoT system can encompass diverse technologies. In addition, an IoT system might be formed by subsystems, which leads to the popularly used term system of systems. You might be already familiar with this concept as well as with the term embedded system, but in case you are not, it simply refers to fully functioning systems that belong within a bigger, more complex system. For example, a voice command system that has a microphone (sensor) and a microcomputer that processes the voice input constitutes a system that can be used by other bigger systems such as cars, digital assistants, toys, or anything, imaginably, that could be controlled remotely by voice. An embedded system corresponds to hardware and software that serve a specific purpose and are integrated into a major system. In a vehicle you can find several electronic control units (ECUs) that are in charge of one or more systems such as engine control, transmission, or brakes; each one of these ECUs has its own hardware and software that perform specific tasks, but all of them belong to the major system, that is, the vehicle, and work in coordination to make it function properly.

It can often happen in IoT that different parts of subsystems are not in the same location. A typical example of this is smart cities, where different sensors will be widely distributed to collect information about traffic conditions, air quality, utilities supply and consumption, and public transport, among other services that are yet to be created or even imagined. This is achieved only by the interaction of multiple processes and services that will often run on different platforms and have different manufacturers, owners, and administrators. For example, a smart building will have different electronic equipment from different brands for temperature control, access control, and power consumption monitoring, but it all might be controlled by the same software or building management system (BMS), which might run in its own server or might be hosted in the cloud or use a Software as a Service (SaaS) modality. All of this involves different suppliers for products and services, including the maintenance and administration of each subsystem of the smart building. The development and wider use of cloud computing has made it possible to commoditize the hosting of applications, delegating the administration of hardware and software platforms to a third party. This provides important economic benefits such as applying economies of scale principles to IT services, but it also introduces third-party risks. This is just an example of how the level of specialization of businesses in different technologies or services can introduce difficulties associated with assigning clear boundaries and responsibilities for each part of a whole system. Furthermore, getting a unified picture of how the system works end to end can also be difficult since different actors might thoroughly understand only some parts of it.

How IoT Can Introduce Risks in an Organization

While IoT is entering into every sphere of human endeavor and in all sorts of industries, it is still a phenomenon that is not well understood—at least not by all the relevant actors involved in its development and use. Even if somebody knows perfectly how an IoT system works, he or she might miss the implications that its use has in a certain context. For a full understanding, it is necessary to have a holistic view including operational, business, economic, legal, and even ethical implications of a new IoT device appearing on the scene. On the one hand, IoT realizes all the futuristic dreams of the past century, when we were expecting to have technological cities full of flying driverless cars by the year 2000. On the other hand, it also brings up a lot of questions and dilemmas. For example, driverless cars will force the enactment of totally new regulations and raise questions such as who is mainly responsible in the case of an accident. Privacy is a major concern regarding IoT since by delegating the control of many of our tasks to “things” we are also providing them with a lot of information about our lives and behaviors. What if somebody with bad intentions got access to that information?

There are several ways in which IoT can introduce risks to an organization, from data theft to denial of service and interruption of industrial operations. Over the past decade, many attacks involving IoT and Industrial IoT (IIoT) have taken place. At the same time, there have been many vulnerability reports and demonstrations of potential attacks that reveal that some systems only need somebody willing to break them in order to be breached. Despite all this, many problems remain unsolved and lack of awareness still persists. Last week I went to a seminar on IoT where academics and practitioners exposed their ideas on how they see IoT changing our world. Cybersecurity was not even mentioned as one of their main challenges, but certainly, it is!

IoT has, for sure, the potential to allow us to make more efficient use of the resources available and make our lives easier. An example of this is the use of IoT-capable technologies to program our washing machine to turn on at the hours of low power consumption, not only reducing our electricity bill but also helping avoid overloading the power grid. Also, traffic can be diverted and journeys planned better by having live data of the traffic conditions. Lives can be saved by continuously monitoring vital signs of critical patients and raising alerts when something abnormal is detected, and even automatically injecting them with the appropriate doses of drugs according to their condition. Now let us think about these same scenarios from another perspective, namely that of the risks introduced by IoT. A hacker could remotely turn on not only our washing machine but also all our electric home appliances at the hour of peak consumption. This will not only increase our electricity bill but also overload the electrical grid of the area. Now imagine that they do this in every house at the same time and cause a blackout. Traffic could be maliciously diverted the wrong way, causing congestion or even accidents. A patient can be put at risk or even killed by a wrong diagnosis or by the injection of the wrong dosage of a drug. So although IoT promises great solutions, its associated risks also need to be addressed.

There are probably many reasons why manufacturers and developers of different products and services associated with IoT will avoid talking about security. Some of them might not be very conscious of the importance of developing secure products, or may not even know how to do it. Remember that cybersecurity is a field that is more developed in the IT world than in IoT, and even for traditional IT services, it faces several challenges at the moment. In many industries, a lack of security regulations and standards prevails, and there are no market pressures for improving security either. On the other hand, there are pressures for time-to-market and lower costs, which introduces another explanation: implementing security measures increases production times and costs. Also, and despite the multiple attacks involving IoT that have happened already, apparently many relevant actors still do not believe that the threat is real. Even though they might know that their products are vulnerable, there is a common bias toward thinking that there will be little or no interest from the attackers’ perspective to breach certain systems. One might think, for example, “Who will want to steal the information about how many calories someone burnt last week?” The truth is that any information that is valuable to us is likely to be valuable to somebody else. Maybe not the way we think about it, but by accessing private information criminals can perpetrate scams. That is why seemingly trivial data such as the location or routine of a person can be considered sensitive information under a series of circumstances.

It is worth noting that not all cyberattacks have the objective of stealing data. A device can be remotely locked and remain inaccessible until a ransom is paid. It can also be used as a bot in a denial of service attack against a third party. Therefore, it is not wise to underestimate a priori the motivation and capabilities of a potential attacker. A thorough risk analysis should determine whether an organization is able to take the chance or is better off employing caution and doing something different to avoid or mitigate an attack. In other words, it is important to make informed decisions based on a cost-benefit analysis, rather than to be oblivious to the risks.

Summary

What is IoT? A straightforward and simple definition is that it is “things other than servers and PCs which are connected to computer networks” (Macaulay 2017). More than a specific type of product, IoT represents a concept or a paradigm that can be used to develop different products and services. Overall, IoT refers to systems that include objects that are capable of interacting with the real world by extracting information from it, executing actions on it, or both. These interactions will be transformed into data that is sent from and to computers. This data is processed and used to make decisions sometimes automatically and in real time. It is also stored, and can therefore provide knowledge about the past behavior of the system. IoT is heterogeneous and present in every industry vertical. As much as it has come to solve a number of problems, it is also causing and continues to cause some too. The security problems introduced by IoT are what the rest of this book is mostly about!
