Understanding Cyberrisks in IoT
When Smart Things Turn Against You
Keywords
IoT (Internet of Things); IIoT (Industrial Internet of Things); cybersecurity;
risks; industrial control systems; cyberattack; vulnerability; threat; availability;
integrity; privacy; confidentiality; cyber-awareness
Contents
Acknowledgments ix
References 119
About the Author 123
Index 125
Acknowledgments
To my dad who inspired my curiosity about things and taught me that no matter how complicated things are, they can always be explained in a simple way. To my mom who always believed in me as a writer, and to my brother, who is unsparing in correcting my English grammar.
CHAPTER 1
Introduction—What Is IoT?
[Figure: overview of an IoT system. Labels: Real world; "Things"; Proximity network; Access network; Service network; Computer systems (Service platform); User interfaces; IoT users]
are being tested in different cities of the world, and I have recently heard that it is not rare to see robots in the streets of the city of Milton Keynes, in England. Soon these robots will be the ones delivering your pizza!
Technology is meant to make processes more effective, efficient, and safer for people. Overall, the main idea of IoT is to make our lives better. IoT gives almost endless possibilities for innovation and creation of new business opportunities. It will also create new jobs, while at the same time eliminating some of the existing ones. Products, services, and professions that never existed or were never thought of before will continue to proliferate. We are finally living in the future!
So, with all this excitement, why are these security people so determined to point out all the possible things that can go wrong? I reckon we might be considered a bunch of party poopers. The truth is that IoT is giving cybercriminals more opportunities to develop new strategies for stealing data, committing fraud, and causing distress and chaos, and they are already using these opportunities. Offices generally contain smart printers, routers, security cameras, and smart TVs used for videoconferences, which might not be within the scope of the cybersecurity policy. This means that these workplaces are easy targets for cyber-attackers. Industries rely heavily on automation, with more regard for performance and safety than for cybersecurity, leaving—sometimes unknowingly—many doors open for unauthorized agents to access their corporate information networks through these systems. Sometimes, they might even know about these “open doors,” but worrying about security is not their job. So if no formal risk assessment is being performed, they might be complacent, thinking “this will not happen to us”—which many times proves to be wrong! This book aims to be an eye-opener and a first approach to developing an insight into how cybersecurity and IoT connect, in order to facilitate more informed decision making.
Things
• Sensing: This means the devices are able to extract information from the environment, for example, physical variables such as temperature, pressure, humidity, weight, and electrical power. Web cameras that allow monitoring of images of a place are also considered sensing devices, as are sensors that detect presence, chemical components (such as the quality of the air or water), and human vital signs, such as heartbeats or blood pressure—essentially, everything that reveals the status of something in the real world.
• Actuation: This means devices that can perform an action in the real world. This action is performed through electrical or electromagnetic signals and can go from turning something on and off to controlling a drone. Actuation will usually involve mechanical devices such as motors and valves. A smart printer is also considered an actuator since it performs a physical action commanded through a computer system.
• Computation: Some IoT devices serve a fixed purpose; they can sense a variable or receive commands to perform an action, but they cannot be programmed to do anything else. There are also IoT devices that are “smarter” and have more advanced computational capabilities. This means that they might even need to run an operating system to manage different pieces of software serving a variety of purposes. Even though they are not computers, they can be configured or even programmed to customize their behavior. This also means that they are susceptible to malware. Malware is malicious code or “malicious” software which is commonly used to attack computer systems. Malware has been developed specifically for certain types or groups of IoT systems.
INTRODUCTION
7
Communication Networks
Computer Systems
This part represents the platforms where different software services interact to make the IoT system work. Usually, there is a differentiation between the platforms that store and process the data and the software services that allow monitoring, executing commands, and configuring business rules. The former are usually in charge of orchestrating the different functions and flows of information between the different parts of the system. The latter usually allow for the interaction with human interfaces as well as with software belonging to the business domain such as enterprise risk management (ERM), customer relationship management (CRM), and business intelligence (BI) tools.
[Figure: computer systems of an IoT system. Labels: Proximity network; Gateway; Service network; Hardware; Software; Databases; Software platforms; Rules, monitoring & control]
Now that we have a better idea of what IoT is, we can explore some of its characteristics. If some readers have not gotten the complete picture yet, please bear in mind the possibility of complex interactions between IoT components that vary from system to system. However, as long as you understand that IoT consists of connected things that can be controlled using computers, mobile phones, and tablets, it is enough for now. As you progress through the chapters, many things should become clearer.
As already mentioned, a single IoT system can encompass diverse technologies. In addition, an IoT system might be formed by subsystems, which leads to the popularly used term system of systems. You might be already familiar with this concept as well as with the term embedded system, but in case you are not, it simply refers to fully functioning systems that belong within a bigger, more complex system. For example, a voice command system that has a microphone (sensor) and a microcomputer that processes the voice input constitutes a system that can be used by other bigger systems such as cars, digital assistants, toys, or anything, imaginably, that could be controlled remotely by voice. An embedded system corresponds to hardware and software that serve a specific purpose and are integrated into a major system. In a vehicle you can find several electronic control units (ECUs) that are in charge of one or more systems such as engine control, transmission, or brakes; each one of these ECUs has its own hardware and software that perform specific tasks, but all of them belong to the major system, that is, the vehicle, and work in coordination to make it function properly.
It can often happen in IoT that different parts of subsystems are not in the same location. A typical example of this is smart cities, where different sensors will be widely distributed to collect information about traffic conditions, air quality, utilities supply and consumption, and public transport, among other services that are yet to be created or even imagined. This is achieved only by the interaction of multiple processes and services that will often run on different platforms and have different manufacturers, owners, and administrators. For example, a smart building will have different electronic equipment from different brands for temperature control, access control, and power consumption monitoring, but it all might be controlled by the same software or building management system (BMS), which might run in its own server or might be hosted
operations. Over the past decade, many attacks involving IoT and Industrial IoT (IIoT) have taken place. At the same time, there have been many vulnerability reports and demonstrations of potential attacks that reveal that some systems only need somebody willing to break them in order to be breached. Despite all this, many problems remain unsolved and lack of awareness still persists. Last week I went to a seminar on IoT where academics and practitioners exposed their ideas on how they see IoT changing our world. Cybersecurity was not even mentioned as one of their main challenges, but certainly, it is!
IoT has, for sure, the potential to allow us to make more efficient use of the resources available and make our lives easier. An example of this is the use of IoT-capable technologies to program our washing machine to turn on at the hours of low power consumption, not only reducing our electricity bill but also helping avoid overloading the power grid. Also, traffic can be diverted and journeys planned better by having live data of the traffic conditions. Lives can be saved by continuously monitoring vital signs of critical patients and raising alerts when something abnormal is detected, and even automatically injecting them with the appropriate doses of drugs according to their condition. Now let us think about these same scenarios from another perspective, namely that of the risks introduced by IoT. A hacker could remotely turn on not only our washing machine but also all our electric home appliances at the hour of peak consumption. This will not only increase our electricity bill but also overload the electrical grid of the area. Now imagine that they do this in every house at the same time and cause a blackout. Traffic could be maliciously diverted the wrong way, causing congestion or even accidents. A patient can be put at risk or even killed by a wrong diagnosis or by the injection of the wrong dosage of a drug. So although IoT promises great solutions, its associated risks also need to be addressed.
There are probably many reasons why manufacturers and developers of different products and services associated with IoT will avoid talking about security. Some of them might not be very conscious of the importance of developing secure products, or may not even know how to do it. Remember that cybersecurity is a field that is more developed in the IT world than in IoT, and even for traditional IT services, it faces several challenges at the moment. In many industries, a lack of security
regulations and standards prevails, and there are no market pressures for improving security. On the other hand, there are pressures for time-to-market and lower costs, which introduces another explanation: implementing security measures increases production times and costs. Also, and despite the multiple attacks involving IoT that have happened already, apparently many relevant actors still do not believe that the threat is real. Even though they might know that their products are vulnerable, there is a common bias toward thinking that there will be little or no interest from the attackers’ perspective to breach certain systems. One might think, for example, “Who will want to steal the information about how many calories someone burnt last week?” The truth is that any information that is valuable to us is likely to be valuable to somebody else. Maybe not in the way we think about it, but by accessing private information criminals can perpetrate scams. That is why seemingly trivial data such as the location or routine of a person can be considered sensitive information under a series of circumstances.
It is worth noting that not all cyberattacks have the objective of stealing data. A device can be remotely locked and remain inaccessible until a ransom is paid. It can also be used as a bot in a denial of service attack against a third party. Therefore, it is not wise to underestimate a priori the motivation and capabilities of a potential attacker. A thorough risk analysis should determine whether an organization is able to take the chance or is better off employing caution and doing something different to avoid or mitigate an attack. In other words, it is important to make informed decisions based on a cost-benefit analysis, rather than to be oblivious to the risks.
Summary
What is IoT? A straightforward and simple definition is that it is “things other than servers and PCs which are connected to computer networks” (Macaulay 2017). More than a specific type of product, IoT represents a concept or a paradigm that can be used to develop different products and services. Overall, IoT refers to systems that include objects that are capable of interacting with the real world by extracting information from it, executing actions on it, or both. These interactions will be transformed into data that is sent from and to computers. This data is processed and
16 UNDERSTANDING CYBERRISKS IN IoT