Security in the Internet of Everything -- Opening Statement
CUTTER IT JOURNAL VOL. 29, NO. 7
On “teleautomation”: When wireless is perfectly applied, the whole Earth will be converted into a huge brain, which in fact it is, all things being particles of a real and rhythmic whole. We shall be able to communicate with one another instantly, irrespective of distance … and the instruments through which we shall be able to do this will be amazingly simple compared with our present telephone. A man will be able to carry one in his vest pocket.
Since Tesla’s prediction of “teleautomation,” it has taken almost 80 years for the general public to experience what has culminated into the Internet of Things (IoT) and another 10 to truly accept it. The problem is that, in recent years, a vast range of devices and systems have been designed to support this new paradigm, but with little regard to security or privacy — despite the profound impact that breaches of either can have on a user’s “real life.”
This edition of Cutter IT Journal features five articles that discuss existing and future (but not at all fictional) risks in what we currently call the Internet of Things and that in the very near future will evolve into the Internet of Everything (IoE). It presents examples of risks and attacks in the different domains of our personal life, commercial world, and industry in which IoT devices are used, and highlights the corresponding technological and managerial challenges for confronting — even anticipating and warding against — security attacks.
The issue starts with an article from the two of us, in which we provide a quick look into the cyber and physical threats to the Internet of Everything. The article decomposes the IoE into layers representing the cyber and physical aspects that attackers can target and proceeds with a report on threats, attacks, and their impact to each layer. Providing examples from three domains that are currently experiencing dramatic changes thanks to IoT technologies (automobility, domestic environments, and well-being/healthcare), it serves as an introduction to the issues and challenges addressed in more detail by the articles that follow. One of the article’s key observations is that looking back in history for inspiration may not be a bad approach when it comes to securing the IoT, as many if not most of the challenges it brings with it are by no means new.
We continue with an article by Cutter Senior Consultant Claude Baudoin, who discusses the challenges of tackling both connectivity and security in the Industrial Internet of Things (IIoT) ecosystem, as these are introduced through the needs of access control, data protection, design, and enforcement of policies and risk management. The article’s focus is not only on the technological framework powering the IIoT and the use of technologies for remote access/control and secure data communication between devices. Instead, it provides an example-driven holistic approach in which IIoT security is pursued through the early adoption of policies in IIoT systems design.
In “Social Engineering in the Internet of Everything,” Ryan Heartfield and Diane Gan provide specific examples of complex and effective deception-based attacks. Going beyond the reporting of actual attack cases, the authors discuss a series of hypothetical but very convincing social engineering attacks that can be facilitated by smart connected devices in the IoE era. Asking the question “Would your fridge lie to you?” they chart this new and vast landscape of potential deception vectors, which is a security angle that not many people have started thinking about. Yet considering how conventional phishing has evolved, it seems only logical that IoE-based deception attacks constitute the next battleground in cybersecurity.
Our fourth article is by David Tayouri, who discusses the different threats that IoT devices are exposed to, emphasizing personal, household, and everyday use devices and giving examples of attacks or proven vulnerabilities. In addition to identifying the threats, Tayouri provides very clear and well-thought-out suggestions as to what can be done in order to protect the IoT against them and elaborates on the reason the threats have not been effectively addressed up to now. He concludes by proposing action on a number of fronts: legislation, regulation, and, importantly, consumer practices as well.
Finally, in “Security and Privacy in the Internet of Things: How to Increase User Trust,” Dimitrios Kogias discusses privacy issues related to the Internet of Things and the impact security attacks on the IoT may have on the protection of personal data. He also presents an overview of privacy-enhancing technologies (PETs) and security solutions and discusses how they can enhance user trust in the IoT.
From this issue, there are several points to take away:
- The wider the (inevitable) adoption of IoT technologies, the greater the range of cyber-physical threats and risks to our professional and personal lives. The physical world’s increasing dependence on the IoT is a key factor in the proliferation of cyber-physical attacks (i.e., cybersecurity breaches with adverse physical impact).
- While the range of threats and risks is widening, age-old security design principles and cyberhygiene can go a long way in helping protect the IoT landscape against threats to our security and privacy.
- For targets of higher criticality, such as those in the Industrial Internet, a rigorous threat assessment and appropriate governance and organization are necessary to ensure the effectiveness of defense-in-depth and any technical security solutions put in place.
The Internet of Things — or better, the Internet of Everything — has yet to unfold its full potential to us: a world where humans and machines can communicate and collaborate for improving the quality not only of life, but of everything. Again, Tesla prophesied it with amazing prescience:
We have soon to have everywhere smoke annihilators, dust absorbers, ozonizers, sterilizers of water, air, food and clothing, and accident preventers on streets, elevated roads and in subways. It will become next to impossible to contract disease germs or get hurt in the city, and country folk will got to town to rest and get well.
It is up to the industry to take security into account from the design phase of IoE devices — and up to the users to demand it. We are confident that the articles in this issue will trigger ideas and provoke thoughts in this direction. We hope you will enjoy them.