THE INCREASING IMPORTANCE OF SECURITY CONTROLS IN IOT Текст научной статьи по специальности «СМИ (медиа) и массовые коммуникации»



ПРЕДСТАВЛЕНИЕ НАУЧНОЙ РАБОТЫ

THE INCREASING IMPORTANCE OF SECURITY CONTROLS IN IOT

ОРЧЕСТВА

Sufanzade Bashirli Ayishanur Khazar,

Guliyev Mazahim, Azerbaijan State Oil and Industry University,

Baku, Azerbaijan

E-mail: sufanzade.ayshenur@gmail.com

Abstract. This article examines the crucial role of cybersecurity in the evolving Internet of Things (IoT) sector. It discusses unique security challenges tied to IoT, such as diverse threat scenarios, system design vulnerabilities, and vital aspects of risk management. The article underscores the need for strong security measures and continuous scrutiny to diminish potential threats and maximize the benefits of IoT technology in the digital era.

Keywords: Internet of Things (IoT), Cybersecurity, Privacy, Vulnerabilities, Data Confidentiality, Security Controls.

During the fourth industrial revolution, the Internet of Things (IoT) has surfaced as a powerful game-changer, connecting the physical and digital worlds. IoT, a system of linked devices that interact and share information, has the capability to dramatically transform several industries including healthcare, manufacturing, transportation, and retail.

Statista predicts a staggering 29 billion Internet of Things (IoT) devices worldwide by 2030 [1]. This massive number highlights the necessity to strengthen IoT cybersecurity in businesses to guarantee consistent protection of devices and assets. In the meantime, Gartner forecasts over 15 billion IoT devices will be linked to business infrastructures by 2029 [2].

Various devices, including corporate, guest, trusted, and untrusted ones, can pose a threat to businesses if not carefully managed in terms of their connectivity timing and procedures. IoT devices are becoming more common, and as a result, there are also more gadgets that could be utilized in attacks. Every connected gadget could potentially serve as an entry point into the IoT infrastructure or private information.

Insights can be gathered and actions can be initiated based on data obtained from these devices. Such analysis might reveal previously unnoticed connections, raising privacy concerns for individuals and organizations. The issues surrounding data security and privacy are critical, and the potential hazards linked with the IoT are expected to reach unprecedented levels.

ВЕСТНИК НАУКИ И ТВОРЧЕСТВА

Like conventional network systems, the security necessities of a basic IoT framework are multi-faceted, covering six critical aspects. First, confidentiality ensures that data is secured and only accessible to authorized users. Second, integrity ensures that the data can be trusted and is free from unauthorized alterations. Third, availability guarantees that data is accessible whenever and wherever required. Fourth, nonrepudiation offers a trusted audit trail, ensuring that actions cannot be denied once completed. Fifth, authenticity allows components to verify their identity, ensuring genuine interactions. Lastly, privacy ensures that the service doesn't automatically access customer data. All these elements together shape a comprehensive security framework for IoT, essential for its secure and effective functioning.

As interoperability, mashups, and autonomous decision-making become more complex, they could introduce security gaps and potential vulnerabilities. Privacy risks are expected to escalate in the IoT realm, as this increased complexity could result in greater vulnerabilities associated with the service. In the context of IoT, a considerable amount of information related to our personal details such as birth dates, locations, budgets, and so forth is involved.

Discussing the practical implications of threats, vulnerabilities, and risks is practically unachievable without acknowledging the core components of information assurance (IA), a crucial subset of IoT security. These include:

- Confidentiality: This involves maintaining the secrecy of sensitive data and preventing it from being exposed.

- Integrity: This guarantees that the information remains unaltered, whether unintentionally or intentionally, without detection.

- Authentication: This verifies that the data's origin is from a recognized identity or endpoint (typically comes after identification).

- Non-repudiation: This ensures that a person or system cannot later refute performing an action.

- Availability: This ensures that the required information is accessible when needed.

The data confidentiality, privacy, and trust issues present the most security challenges in an IoT environment. Understanding the distinction between a threat and its source is crucial when navigating the landscape of cybersecurity. A threat refers to the potential harm or compromise that could occur, while the threat source, also referred to as the threat actor, is the entity that carries out or initiates the threat. Conversely, man-made threats often target Internet of Things (IoT) devices, with human actors manipulating information or exploiting vulnerabilities in the system.

IoT threats encompass all kinds of risks to information management and data communicated to and from IoT devices. Additionally, IoT devices are exposed to the same physical security, hardware, software quality, environmental, supply chain, and various other threats present in both security and safety domains. For example, Cyber-Physical Systems (CPS), such as actuators or physical sensors, are exposed to physical reliability and resilience threats that go beyond the compromise and degradation of the computing platform.

ВЕСТНИК НАУКИ И ТВОРЧЕСТВА

Vulnerabilities are weaknesses in a system or device that make it susceptible to threats. These weaknesses could be in the design, integration, or operation of a system. Vulnerabilities can manifest in various forms like deficiencies in a device's physical protection (such as weak casings), subpar software quality, inadequate configuration, or inappropriate protocols. They can also come from design implementation deficiencies in the hardware, internal physical architecture and interfaces, the operating system, or applications. Cyber attackers are often on the lookout for these vulnerabilities, especially those that are easy, cost-effective, or quick to exploit.

Risk is another critical concept in this space. Unlike vulnerability, risk pertains to one's exposure to potential loss. It is dependent on the probability of a specific event, attack, or condition, and closely tied to an attacker's motivations. Risk also takes into account the potential impact of a single compromise or a series of attack events.

Risk management is the practice of identifying and mitigating against known vulnerabilities. It involves various techniques, including threat modeling, which helps to estimate the impact and overall cost of a compromise, the value of the target to attackers, and the skill level and motivations of the attackers. However, even the most comprehensive security measures cannot eliminate all vulnerabilities. To reduce the exposure to these vulnerabilities, various security controls such as anti-malware software and network monitoring equipment are used. Even then, a small amount of residual risk typically remains. This residual risk can be accepted as a fact of life or mitigated further through other mechanisms like insurance.

The Internet of Things (IoT) is subject to a wide array of attack types, some of the most notable ones being:

- Wired and wireless scanning and mapping attacks: These involve the unauthorized surveying and mapping of an IoT network to identify potential vulnerabilities.

- Protocol attacks: This type of attack targets the communication protocols that IoT devices use to exchange information.

- Eavesdropping attacks: These compromise confidentiality by covertly listening to private conversations or data transmission.

- Cryptographic algorithm and key management attacks: These attacks exploit weaknesses in the encryption methods and key management procedures used to secure data.

- Spoofing and masquerading attacks: These involve an attacker impersonating a valid user or device to gain unauthorized access to an IoT system.

- Operating system and application integrity attacks: These attacks aim at exploiting vulnerabilities in the operating systems or applications running on IoT devices.

- Denial of Service (DoS) and jamming: These attacks aim to disrupt the functioning of an IoT system, either by overwhelming it with excessive traffic (DoS) or by interfering with its wireless signals (jamming).

- Physical security attacks: These include tampering with IoT devices or exploiting exposed interfaces.

ВЕСТНИК НАУКИ И ТВОРЧЕСТВА

- Access control attacks: These attacks aim at gaining unauthorized privileges within an IoT system, often through privilege escalation techniques.

These attacks represent just a fraction of what is possible. Many attacks are highly tailored to exploit specific known vulnerabilities. There are also attacks designed to exploit "zero-day" vulnerabilities, which are vulnerabilities not yet publicly known. These attacks can be particularly devastating, as no defenses may be in place to counter them.

Effective security controls are critical for minimizing the likelihood or severity of an attack. These controls must be well-designed, correctly implemented, and diligently maintained. They should be selected based on the specific requirements of the system and the identified vulnerabilities. For instance, firewalls can be deployed to protect the network perimeter. Authentication mechanisms can help ensure that only authorized users can access the system. Cryptographic techniques can secure data in transit and at rest. Intrusion detection and prevention systems (IDPS) can identify and respond to potential threats in real time.

Finally, IoT security should be seen as a continuous process, rather than a onetime event. This process involves continual monitoring, regular system updates and patches, user training, and periodic security assessments. To this end, many organizations are adopting a proactive stance, embracing the concept of "security by design." This approach involves considering security from the earliest stages of system design, rather than as an afterthought. It demands a close collaboration between system designers, security experts, and other stakeholders. The ultimate goal is to create a system that is not only secure but also resilient, able to withstand attacks and quickly recover when they do occur.

The IoT landscape is vast, complex, and ever-changing. Keeping up with emerging threats, evolving standards, and best practices can be a daunting task. However, with careful planning, due diligence, and the right tools and expertise, businesses can leverage the potential of IoT while effectively managing the associated risks. In doing so, they can unlock new opportunities, improve operational efficiency, and create more value for their stakeholders.

References:

1. IoT connected devices worldwide 2019-2030 - Statista. - URL: https:// www.statista.com/statistics/1183457/iot-connected-devices-worldwide/

2. Gartner Predicts the Future of Cloud and Edge Infrastructure. - URL: https:// www.gartner.com/smarterwithgartner/gartner-predicts-the-future-of-cloud-and-edge-infrastructure

3. Li, Shancang, and Li Da Xu. Securing the Internet of Things // Elsevier Science, 2017.

4. Russell, Brian, and Drew Van Duren. Practical Internet of Things Security // Packt Publishing, 2016.