Device/IoT-Centric Security Assets

Security Threat Landscape

Internet of Things (IoT) can be defined as “the networked interconnection of everyday objects, equipped with ubiquitous intelligence” [1]. The exponential growth of connected devices (from minuscule sensors to bigger machines), which, according to Intel[2] are expected to reach 200 billion by 2020, is revolutionizing current IT systems. Smart transportation, sustainable mobility, smart cities, e-health, smart vehicles, UAVs, and many more are just some examples of domains where IoT, edge computing, and smart devices are changing the environment. The existence of billions of resource-constrained devices connected to the Internet introduces fundamental risks that can threaten users’ life and personal sphere. Current environments are so pervasive and ubiquitous that users just become another component of the system.

---

Assets

IoT assets can be categorized by different classes as follows:

• Data – IoT, and devices are the main source of data but, they do not have data as main assets since they stream data almost in real-time. However, in case of edge or while in transit (e.g., passing to gateways), data becomes an important asset for this domain also considering the OWASP principle of IoT security related to the “Data aggregation”,[3] which can reveal sensitive patterns.
• Infrastructure – It comprises communication protocols (e.g. MQTT, ZigBee), communication devices like routers, gateway, but also power supply units and batteries.
• Devices – It is the essence of this category and refers to sensors, actuators, as well as firmware driving them. It includes also devices that serve the purposes of aggregating data (e.g., in edge systems) and managing sensors/actuators, as well as embedded systems in general.
• Platform and backend – It refers to IoT backend in the cloud. It is part of IoT since it is fundamental for the operation and has a great impact on security. For the sake of clarity, it is discussed in detail in Domain 3 “System-centric security”.
• Decision making – It regards the transformation of the acquired data into actions on the actuators or models. It can be computed on the edge. Similarly, to the platform and backend, we refer to Domain 4 “Data-centric security” for more details.
• Management – It includes, when available, device management services like device usage, battery status, and the like, as well as update management, network setup and statistics, and applications and diagnostics.
• Security and privacy techniques – It refers to all security techniques that are the target for an attacker. These represent the interesting components that would result in unauthorized data disclosure and leakage if compromised. In IoT environment, they can be spread from device interface to gateways and Cloud backend.
• Roles – Introduced by the NIST Big Data Public Working Group, it includes human resources and related assets.

Each class can be further refined in different asset categories as presented below and inspired by the ENISA report.[4]

---

Data assets can be summarized as follows:

• In transit – Assets that are focused on encapsulating data while they need to be sent to another component/layer.
• At rest – It is mostly associated with the data that temporarily or permanently reside on the edge, gateways or sensors that streams on batch bases.
• Aggregated – More impacting at the cloud backend level when the aggregation takes place, but also impacting in case a number of devices of the same network/application are compromised. It is mostly associated with the data that temporarily or permanently reside on the edge, gateways or sensors that streams on batch bases.
• Credentials – Files including important credentials like certificates tokens.

---

Infrastructure assets can be summarized as follows:

• Network/protocols – Networking peculiarities and the relative protocols, for instance, the ones specialized for IoT like MQTT, Zigbee.
• Router/gateways – Networking components used to provide connectivity via packet forwarding and bridging between different protocols.
• Power supply – External (and wired) or internal via batteries.

---

Devices assets can be summarized as follows:

• Hardware – It includes the physical part of IoT devices like physical memory, sensors, and physical interfaces.
• Edge nodes/embedded systems – Computing services on the devices or at the edge, offering interfaces, aggregations, management services. It includes mobile devices.
• Firmware/software – Software installed on the device including low-level software for operating system-level functionalities.
• Sensors/actuators – The subsystems to detect and measure events, and to make a decision based on previously processed information.

---

Platform and backend assets can be summarized as follows:

• Device Web interface/services – It includes APIs and services. It is a major target for a number of impacting attacks.
• Cloud-level interface/services – See Section 3.5.2.

---

Decision-making assets can be summarized as follows:

• Device/edge processing – It refers to data aggregation, an important trend in IoT and Edge open to a number of issues related to the possibility of revealing sensitive patterns.
• Cloud/Big data processing

---

Management assets can be summarized as follows:

• Device and network – Management subsystems of IoT devices (e.g., updates). It also considers configurations at any level including networking.
• Device status – Status level monitoring including batteries, usage patterns, and the like.

---

Security mechanisms assets can be summarized as follows:

• Device – It includes access controls and other security mechanisms adopted by the device itself. It also includes physical SIM cards that can contain important security-related data (see Data Asset above).
• Infrastructure – It includes security mechanisms that are in place at the level of infrastructures, like firewalling, channel encryption at the gateway level.
• Platform – It includes the security mechanisms in place at the Cloud level of the IoT.

We note that class Security Mechanisms include subcategories that cover most of the other assets. This is due to the fact that security controls in IoT can be distributed in different assets and inherit assets peculiarities and vulnerabilities.

---

[1] F. Xia, L. T. Yang, L. Wang e A. Vinel, «Internet of Things,» International Journal of Communication Systems 25 (September 2012), vol. 9, pp. 1101-1102, 2012.

[2] A guide to Internet of Things Infographic https://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html

[3] Future-proofing the Connected World:13 Steps to Developing Secure IoT Products https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

[4] See https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/at_download/file