Internet of Things Security and ...

68 downloads 40263 Views 1MB Size Report
Gartner's 'Hype Cycle for Emerging Technologies, 2015' shows that the IoT is ..... [7] Cloud Security Alliance, “Security Guidance for Early Adopters of the ...
IT Infrastructure Services

White Paper

Address Security and Privacy Concerns to Fully Tap into IoT’s Potential

About the Author

Abhik Chaudhuri Abhik Chaudhuri is a Domain Consultant for cyber security and policy in TCS' ITIS Technology Excellence Group, focused on the security of the Internet of Things (IoT) and smart cities. Chaudhuri has more than 12 years of IT experience and is a Chevening TCS Fellow in Cyber Security and Policy.

Abstract

The breakthrough potential of the Internet of Things (IoT) conjures up immense possibilities for delivering value through new business models across industries, products, and service offerings. However, making IoT technologies reliable and secure is key to realizing the potential of this breakthrough concept. Ensuring security and privacy of IoT offerings is therefore a major concern for users and businesses, and is also of critical importance in the conceptualization of smart cities – the ultimate goal with regard to IoT application. This paper explores the potential of IoT enabled smart offerings and smart city services. It identifies security and privacy concerns for a variety of scenarios and discusses ways to address these concerns effectively.

Contents

Understanding the Growth of the Internet of Things

5

IoT Enabled Services: Opening up a World of Possibilities

5

Envisioning IoT Enabled Smart Cities

6

Strengthening Security and Privacy is the Key

8

Smart healthcare systems

8

Smart billing and payment systems

9

Smart home security systems

9

Smart fitting rooms in retail outlets

9

Proximity marketing

10

Smart vending machines

10

Bolstering Security

10

Enhancing Privacy

11

Making Way for a Smart and Secure World

12

Understanding the Growth of the Internet of Things The Internet of Things (IoT) provides new functionalities to improve the quality of life and enables technological advances in critical areas. These include personalized health care, emergency response, traffic management, smart manufacturing, defense, home security, and smart energy distribution and utilization. New digital business models utilize the power of information to replace traditional products with innovative solutions and services leveraging IoT devices. Gartner’s ‘Hype Cycle for Emerging Technologies, 2015’ shows that the IoT is at the ‘peak of inflated expectations’ ² and on the cusp of a multi-year, multifold growth, ‘In 2020, 25 billion connected "things" will be in use.’³ This growth prospect is fuelled by continuous reduction in the cost of computing power and the adoption of IPv6 technology. The transition from IPv4 to IPv6 technology promises unprecedented opportunity to interconnect existing as well as new services in utilities, healthcare, education, and other businesses over the internet, due to the availability of more than two billion unique IP addresses. This is an important aspect to realize the ‘smart life’ dream where cities will be provisioned with real-time data analytics and decision support systems. However, IoT enabled smart services are not yet fully secure and this is a key challenge. There are notable privacy concerns around data gathered from user-owned devices as well as the surrounding environment or other devices.

According to TCS’ Global Trend Study on the IoT, based on a survey of 795 executives from global enterprises in 13 industries, businesses are set to make huge investments in the IoT in the next five years. Close to 7% respondents indicated that their companies plan to spend more than $500 million in 2015 to monitor products, premises, customers, or supply chains.¹

IoT Enabled Services: Opening up a World of Possibilities Functionally, IoT sensors capture contextual data from a designated environment and send it to a centralized storage space that resides in the cloud. The data is analyzed and processed to support various services. The monitoring and management of IoT devices, as well as their inter-communication, is performed remotely to optimize smart services. This helps enterprises leverage the IoT to deliver superior services that make every element of our personal and public life including transportation systems, cities, homes, healthcare, and aviation truly smart. For example, smart homes have IoT enabled appliances such as refrigerators that talk to each other and with the user. They also include smart lighting systems and temperature controls that enable substantial energy savings. Likewise, connected cars help drivers identify optimal routes by assessing the traffic along a smart city transport network. They come with features such as smart fuel indicator, predictive usage, smart parking, and crash prevention through GPS-based location monitoring. The concept of driverless cars is also turning into a reality with the help of the IoT. [1] Tata Consultancy Services, “Internet of Things: The Complete Reimaginative Force” (July 2015), accessed July 22, 2015, http://sites.tcs.com/internet-of-things/#download-report [2] Gartner, “Hype Cycle for Emerging Technologies, 2015” (July 2015), accessed July 30, 2015, http://www.gartner.com/document/3100227?ref=lib [3] Gartner, “Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015” (November 2014), accessed July 8, 2015, http://www.gartner.com/newsroom/id/2905717

5

An important area that significantly benefits from the IoT is healthcare. Connected healthcare offers immense possibilities including remote monitoring of patients with critical aliments such as diabetes, cardiac issues, and kidney malfunction. This enables healthcare organizations and governments to capture and analyze population health data to identify potential health hazards at an early stage and take preemptive actions. In the future, smart retail solutions will provide cashless buying options, eliminating the need for point of sales (POS) counters. User preference data collected by IoT sensors attached to display zones and dressing areas at retail outlets can be utilized by retailers to track fast moving items. Retailers can also use this data to replace less preferred items with popular items, driving faster and increased sales. IoT will also promote smart agriculture, characterized by temperature control of warehouses, dashboard based monitoring of inventory, and predictive analysis of usage and stock replenishment. Furthermore, factories can become more energy efficient by leveraging IoT enabled manufacturing to analyze the usage and performance data gathered from sensors attached to machines. Data gathered on plant floors is analyzed to provide just-in-time information to floor managers, increasing supply chain efficiency and reducing material wastage and power utilization.

Envisioning IoT Enabled Smart Cities With more and more people moving to cities and continuous growth in urban population, providing basic services to the increasing number of citizens is becoming a huge challenge for city councils. To meet the needs of the growing population, cities are expanding As per BSI, a smart city is the exponentially and stretching the operational limits of various services. In one that effectively integrates such a scenario, cities driven by IoT enabled smart services can significantly physical, spatial, digital, and improve the standard of living. human worlds to deliver a sustainable, prosperous, and Smart cities take a citizen-centric approach to service provisioning with IoT inclusive future to its citizens.⁴ enabled infrastructure. According to the UK Department for Business Innovation and Skills, a smart city should enable citizens to engage with all services on offer, public as well as private, in a way best suited to their needs. It brings together infrastructure, social capital including local skills and community institutions, and digital technologies to fuel sustainable economic development and provide an attractive environment for all.⁵ By leveraging the IoT, a connected environment of interdependent systems can be built, enhancing all aspects of city life. This can be achieved by embedding IoT technologies in all types of physical objects and artifacts ranging from clothes, home appliances, and automobiles to street lighting systems, transport systems, public utilities, and even the human body. To meet the burgeoning needs of the growing human population, governments the world over are redesigning existing cities, and creating new ones, for smarter living – a top global agenda for the next two decades. Cities such as Barcelona, San Jose, and Edinburgh are already implementing smart services for their citizens, and India has set

[4] BSI, “PAS 181 Smart City Framework” (2014), accessed July 21, 2015, http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-181-smart-cities-framework/ [5] GOV.UK, “Smart Cities: Background Paper” (October 2013), accessed July 20, 2015, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/246019/bis-13-1209-smart-cities-background-paper-digital.pdf

6

plans afoot to establish some 100 smart cities ⁶ in the next five years. In a The synergistic smart city, the IoT-enabled digital fabric of interdependent systems will be interdependency of IoTdynamic in nature, with instantaneous data gathering and near real-time enabled smart services analytics. This will help city councils strategize necessary actions and ensure provides immense effective governance based on continuous analysis of the huge volume of opportunities for superior data collected from sub-systems. The insights thus gained can help manage quality of living and effective governance. energy efficiency of buildings, map social data for crime prevention, monitor flood or drought situations, and drive public consultation and trend analysis. Other areas of application include infrastructure development across housing, education, transport, medical services, employment, and so on. As a result, governments can decrease costs of service delivery and operations through enhanced efficiency and reduced wastage of natural resources.

[6] Smart Cities Mission: Ministry of Urban Development: Government of India, “Smart City: Mission Statement & Guidelines” (June 2015), accessed July 21, 2015, http://smartcities.gov.in/writereaddata/SmartCityGuidelines.pdfhttps://www.gov.uk/government/uploads/system/uploads/attachment_data/file/246019/bis-13-1209smart-cities-background-paper-digital.pdf

7

Strengthening Security and Privacy is the Key Although the IoT offers tremendous opportunities for smart services across sectors, it is not completely secure or risk-free. In fact, the landscape becomes complex due to the vast network of IoT devices and interconnected systems that are required to realize the numerous benefits of smart services. Security and privacy concerns are major roadblocks in the successful deployment of IoT enabled smart services. TCS’ Global Trend Study on the IoT highlights the need for increased security and reliability as one of the three biggest factors hindering companies from realizing the IoT promise.¹

Security and privacy of IoTenabled smart services acquire an even bigger dimension than traditional IT-enabled services, due to the pervasive nature of these devices and services.

The scale and complexity of IoT-enabled services make the implementation of traditional security techniques fairly complex. There are unique access control challenges (specifically for wireless sensor devices that can store energy for just about a few weeks to a month) and memory limitations (permissible upper limits being a few kilobytes) that restrict the communication and processing capabilities of these devices to run complex encryption algorithms. These issues are further compounded by the distributed nature of the IoT device network, which is vital to create a system that provides context aware services. In addition, non-trusted entities can physically or remotely intercept and manipulate data captured by IoT sensor nodes. Data transmission from sensors and gateway devices can be passively monitored in the absence of robust encryption, and malicious nodes can be embedded in wireless sensor networks to interfere with neighboring nodes. Privacy is another pressing concern. Personally identifiable information (PII) can be gathered from gateway devices without consent, and can be used to conduct unscrupulous activities. Here are some probable scenarios that underscore the need to focus on security and privacy aspects in an IoT environment.

Smart healthcare systems IoT-enabled healthcare services enable remote monitoring of patients with diabetes, kidney malfunction, heart problems, and more. This is possible through direct, round-the-clock data exchange between devices like pacemakers and glucose monitors implanted in patients’ bodies and health monitoring systems in hospitals. Now, in the event of these devices being breached or the data obtained from them being unauthenticated, patients’ lives are at risk. Here, key questions that need to be addressed with respect to security and privacy include: §

How much PII about a patient is captured and stored, and who has access to this? Is the PII anonymized?

§

Is the data sent from sensors to gateway devices encrypted? Is the data stored in gateway devices?

§

Is there any mechanism to monitor and verify the information sent back to an implanted medical device from the remote healthcare center? 8

Smart billing and payment systems In a retail outlet, IoT sensors are used to tally the purchases in a customer’s cart. This means customers do not need to stand in the queue for checkout and billing, with sensors sending the data to a cloud-based billing and payment systems. Customers can pay the bill through a payment app on their smartphones. In this scenario, the following security and privacy questions are significant: §

How is the data from sensors logged and for what duration? Is the data copied to multiple locations for back-up?

§

Is the transaction compliant with PCI Payment Acceptance Data Security Standard?

§

Is the data safe in transit – from sensors to the cloud, and from the cloud to customers’ smartphones?

§

Has any customer’s PII been compromised?

Smart home security systems IoT-enabled home security solutions and temperature control systems use sensors to collect and share data from multiple edge devices. If an attacker gains access to these smart systems through malicious means, the underlying functional logic of control systems is vulnerable to misuse, compromising the physical security of residents. Key security and privacy concerns to be addressed in this scenario are: §

What data is captured and transmitted by IoT devices and who can access it?

§

Does the IoT product vendor have access to the data generated from these devices?

§

Is the data that is sent to the actuator encrypted, and is there an authentication process involved in the transmission of data?

Smart fitting rooms in retail outlets RFID sensors are used in smart fitting rooms in retail outlets to allow customers to flip through a catalog on a touch screen and indicate the items that need to be displayed in the dressing room. When a shopper walks to the dressing area, the smart mirror recognizes the items and displays different clothing items on the screen. Customers’ shopping behavior data can be stored by the retailer for cross-sell recommendations. The following security and privacy questions are pertinent in this scenario: §

What data is gathered and transmitted by sensors, and does this data remain anonymous?

§

Is there any possibility of intercepting the data gathered by sensors?

§

Can the supply chain data be compromised during data transit?

9

Proximity marketing IoT has led to the advent of proximity marketing using Bluetooth-enabled beacons. Billboards embedded with beacons that include IoT sensors⁷ identify interested customers in their vicinity. By activating an app on customer smartphones, relevant data is gathered by sensors and sent to the cloud for analytical processing. Based on the information and insights gathered, personalized marketing content is sent back. For example, Apple leverages iBeacons⁸ to allow smartphones, tablets, and other devices to perform actions like determining the location of a person with an iOS device and providing information about nearby retail outlets, coffee shops, or multiplexes, and Facebook⁹ makes recommendations on places to visit, things to do, and so on. Some critical security and privacy aspects that merit attention in this scenario are: §

Can the beacon communication be compromised during transit?

§

Does this communication occur with customers’ consent?

§

Does the personal data collected by sensors remain anonymous?

§

Who all can access customer data in the cloud?

Smart vending machines Smart vending machines allow customers to choose products from the display, during which, customer details are obtained through their smartphones by a Near Field Communication (NFC) smartphone payment system fitted to the vending machine. Merchants can use this data to improve stock replenishment, perform health checks on vending machines, and identify popular products. Security and privacy concerns in this scenario include: §

Is the data sent from sensors to a gateway device encrypted?

§

Is any customer identifiable information stored in gateway devices or in the cloud?

§

Can merchants exploit customer information for business benefits without the customer’s consent?

Bolstering Security We propose the following ways, mapped to five key dimensions, to address security concerns in an IoT setup: 1. Securing sensors: Wireless sensors that provide last mile of connectivity for IoT-enabled services can be damaged by human influence or natural wear and tear. Memory and power limitations of IoT devices also make them vulnerable to eavesdropping and radio jamming attacks. Therefore, threat mitigation of IoT devices is

[7] Cloud Security Alliance, “Security Guidance for Early Adopters of the Internet of Things (IoT)” (April 2015), accessed June 18, 2015, https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf [8] Apple Inc., “iOS: Understanding iBeacon”, accessed July 3, 2015, https://support.apple.com/en-ap/HT202880 [9] Facebook, “Engage people who visit your business”, accessed June 18, 2015, https://www.facebook.com/business/a/facebook-bluetooth-beacons

10

imperative to ensuring secure smart services. For smart service implementation in open outdoor environments, periodic site survey is a must to track the IoT device outlay. Likewise, regular physical checks on devices are necessary to identify damaged sensors that need replacement. 2. Safeguarding the network: The network connecting IoT devices can be wired or wireless, and it is mandatory to secure it to the extent possible. A well-defined network security policy for wireless connectivity is based on network security protocols such as Wi-Fi Protected Access 2. It also outlines key security steps such as the use of non-suggestive Service Set Identifier (SSID) for segmenting networks and ensuring client communication through designated access points. For wired networks, the security policy should include firewalls, intrusion prevention systems, and adoption of robust encryption mechanisms. 3. Protecting data captured by sensors: Data encryption using complex algorithms is not feasible due to the limited computing power and energy storage capacity of IoT devices. To counter memory limitations, the contextual data captured by these devices is forwarded to sink nodes that are gateway devices with memory storage capacity. The process and path of data transfer from IoT devices are secured to ensure that only authenticated nodes communicate during data transfer, thereby preventing data loss. 4. Ensuring safe storage of data in the cloud: The data collected by sensors is sent to the cloud for analytics and application based processing. It is essential to prevent data breaches and leaks, and ensure effective data owner identification. Further, there can be various jurisdictional requirements regarding ownership of IoT data that is copied across multiple geographies resulting in redundancy. 5. Gaining end-to-end control of devices, data, and network: To secure smart services and offerings, specifically in smart cities, it is imperative to track and control all interconnected devices, data, networks, and gateways that deliver these services. Failure to do so can result in erroneous or malicious data making way into the systems, leading to breaches and malfunctions. This will ultimately bring the smart service down, and may also affect other connected services. To mitigate security risks, attribute-based access control can be implemented for end-to-end control of devices, data, and network.

Enhancing Privacy Privacy is a key concern that needs to be addressed effectively if we are to establish truly smart cities with a host of smart services. Global regulations in this regard mandate the collection and processing of PII in a verifiable manner. Privacy can be broadly classified into the following four categories: Identity: As IoT devices are owned by individuals and organizations, the identity of these devices helps identify their owners. Therefore, these devices and the data they generate should be marked as private. Location: Data that can be used to identify a user’s or device’s location is also considered private. An IoT device’s location can be used to gather information about the owner’s location, which may be leveraged for unscrupulous activities and hence, such information should be concealed.

11

Search query: Search queries can reveal information about the person who initiated it by tracking the IP address of the source. For instance, a smart refrigerator makes online queries for food items that its owner likes. In this scenario, businesses can track such queries and profile the owner based on his or her fondness for specific food items. This data can then be used for target advertising without the individual’s consent. Digital footprint: Since IoT-enabled devices are always online, they leave behind traceable data on the internet. The devices should therefore be secured through effective security protocols to prevent accumulation of digital footprints related to devices and their owners. Cookie invasion of IoT devices should also be prevented to ensure operational privacy. The metadata can include details such as location, time stamps, proximity to other IoT devices, and relevant information for profiling device owners. Protection of the metadata is therefore vital to addressing privacy concerns. So, an organization or a city council owning a smart service should develop a cyber-privacy strategy for IoT environment to ensure the privacy of all connected entities. Regulatory compliance measures should be established for appropriate collection and usage of metatda by IoT devices and services.

Making Way for a Smart and Secure World The Internet of Things is a promising technological advancement that can offer several benefits to the society at large. However, businesses and city councils across the globe need to work collectively to build secure and reliable IoT technologies and eliminate undesired side effects. To realize the true potential of this technology, security and privacy concerns need to be effectively addressed. In addition to self-regulation, a structured and well defined cyber security and privacy policy must be developed with efficient collaboration between governments and enterprises. It is also key to ensure that IoT specific legislation and industry standard protocols do not stifle innovation. This will allow individuals and communities to reap the advantages of the IoT and build a smarter world that offers intelligent solutions for big and small challenges across all walks of life.

12

About TCS’ IT Infrastructure Services Unit Leading organizations across industries work with TCS to realize their business transformation and innovation objectives by enhancing the availability, performance and agility of their IT infrastructure. Leveraging a combination of the cloud, new generation delivery models such as IaaS, PaaS, and SaaS, virtualization, and managed services, our offerings deliver the secure, flexible, and reliable IT infrastructure needed to power critical business applications, services and data. TCS infrastructure offerings encompass data center services, end-user computing (EUC), mobility services, cloud services and transformational solutions, converged network services, managed security services, application management services, enterprise systems management, IT service desk, and IT service management. Backed by our Assess-Build-Manage-Transform framework, extensive partner ecosystem, tools and automation frameworks, and technology Centers of Excellence (CoEs), analytics-led approach, to understand the ‘as-is’ state, and arrive at the ‘to-be’ state. As a result, you seamlessly transition from traditional infrastructure management services towards new generation delivery.

Contact For more information about TCS’ IT Infrastructure Services, visit: http://www.tcs.com/offerings/it_infrastructure/Pages/default.aspx Email: [email protected] Subscribe to TCS White Papers TCS.com RSS: http://www.tcs.com/rss_feeds/Pages/feed.aspx?f=w Feedburner: http://feeds2.feedburner.com/tcswhitepapers About Tata Consultancy Services (TCS) Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery ModelTM, recognized as the benchmark of excellence in software development. A part of the Tata Group, India’s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India.

IT Services Business Solutions Consulting All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright © 2015 Tata Consultancy Services Limited

TCS Design Services I M I 10 I 15

For more information, visit us at www.tcs.com