This paper addresses the emerging cybersecurity technologies primarily related to (IoT) internet of things. How these new technologies can show hope for change and innovation in the field. Also, looking at government policy that has been lagging in its ability to step in and catch up with the dynamic change in technology and cybersecurity policy. Understanding the technology and satisfying the initial need is completely two different things. Also, we look at the overall impact that the government policy that is being used in cases against a hotel company and mobile device vendor is taking a toll on the innovation of IoT in this field.
One of the fastest growing areas in technology is the introduction of the concept (IoT) Internet of things. IoT is a very broad area. It ultimately encompasses everything connected. In fact, (Forbes & Morgan, 2004) says, “that by 2020 there will be over 26 billion connected devices… That’s a lot of connections (some even estimate this number to be much higher, over 100 billion)” As many attempts to try and define IoT there hasn’t been much of a great definition until the past year. (Gartner Research, n.d.) defined it by saying, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” Forbes went to greater lengths to simplify IoT as, “Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other).” This includes but not limited to smartphones, smart electrical grids, toasters, and Fitbit’s and other wearables to show the range that we’re discussing. Much like the definition which can be slightly vague, cybersecurity policy and mitigation is also heavily undefined in this area. The upside to IoT is that it reduces human involvement along with improving accuracy and efficiency, resulting in economic benefit, (CHALLA et al., 2017, p. xx). According to the (IEEE) the institute of electrical and electronic engineers there are emerging technology that show positive signs of hope in this fast-growing new area, which are application authentication and key management practices, computed trust nodes, and lightweight security protocols for cloud-based Internet-of-Things (IoT) applications for battery-limited mobile devices.
Each of these emerging technologies offer a different approach in establishing a level of trust in cybersecurity. One emphasizes a solution built around secure authenticated key establishment scheme, another improves on a trust system or creation of trusted nodes within a network, and the last dives deeper into creating a lightweight protocol concentrating on cloud based cybersecurity.
The basic premise for this new technology is that IoT as a concept has a high potential for invalid security and privacy. Largely due to the inability to establish security at the design level for each connected object. This is where most of the security challenges come into play. Key contributing features that makes this a very promising emerging methodology or practice are:
- An authentication model for IoT to follow. This model defines a term of mutual authentication. Where a user authenticates through a gateway node and the IoT device authenticates through the gateway node as well. Through this mutual authentication the users are then authenticated on the IoT device by proxy.
- A secure signature based authentication and key agreement scheme. A legal user can access the information from a sensing device in the IoT applications if both mutually authenticate each other, (CHALLA et al., 2017, p. xx). After their mutual authentication, a secret session key is established between them for future communication.
Ultimate benefits of the wide use of this technical methodology have
concluded very efficient in communication and computational costs. Which helps to solve the problem of identity on IoT devices. The proposed scheme also protects itself from replay attacks by using random number generators as well as current timestamps. The assumptions are that all users in the IoT environment are synchronized with their clocks. There are eight phases to implementation:
- System setup
- Sensing device registration
- User registration
- Authentication and key agreement
- Password and biometric update
- Smart card revocation
- Dynamic sensing device addition
This new best practice can be applied to many different industries in regard to IoT much like the cybersecurity frameworks established by NIST for its categorizations of authentication in web based applications. This could potentially be incorporated to help satisfy some of the “reasonable security measures” that FTC a government agency which has been known to uphold. More on this later in the paper. Establishing standard frameworks for cybersecurity in IoT may allow some businesses that are on the fence to moving to this technology to start implementing and eventually start innovating in the area.
Privacy and trust are also a large concern to the US smart grid system. Mainly because the smart grid network itself highly depends on information and communication technology (ICT). Supervisory control and data acquisitions (SCADA) are integral part of the modern day smart grid system. Its primary function is control messages and measurements. At the current moment, the system is in its fourth generation of architecture, which introduced two key new advanced technologies, (Hasan & Mouftah, 2016, p. xx). The first would be cloud computing and the second IoT making the smart grid more susceptible to complete outage. Slight modifications of these systems may cause a complete outage across the entire grid. Smart grid operators use trust systems to monitor network traffic to and from different nodes. These nodes are called trust nodes. The nodes themselves include both a firewall and intrusion detection system. Within making the decision of which nodes are the best to deploy these trust systems in a network there are two factors which need to be considered capital expenditures and operational expenditures, (Hasan & Mouftah, 2016, p. xx). To deploy the trust system properly considering operational expenditures and capital expenditures. Nodes can house only a fixed number of trust systems deployed to them due to budgetary constraints. The SCADA networks need to be segmented to minimize the amount of cyber-attack traffic and for the trust nodes to be more effective. There are some potential risks that these SCADA systems need to watch out for. There are three main types of attacks that are at risk in the current SCADA network.
- Targets power plants. Disrupts operation or generation.
- Targets power distribution and control systems. Disrupts state information that may lead to instability.
- Targets consumer premises. It could potentially cause an increment in the load that could damage the grid.
The focus of the new emerging technology is on the optimal placement of the trust nodes on the SCADA network. The ultimate solution was producing an algorithm where minimum spanning trees (MST) would represent the smaller segments and then would determine the least expensive method of determining these segments and deploying the trust systems to these trust nodes. Thereby segmenting the electrical grid enough to protect in from cyberattacks and in the most cost-efficient way possible. The emerging technology directly effects not only the US smart grid and its efficiency, but also on a local level being able to apply this algorithm to other industries where cost is an issue possibly in the automotive and more factory related industries with clearly large systems that need to be segmented for better protection. With this new technology and the high priority to moving towards smaller micro grids, this technology is essential and the energy industry globally should be able to benefit from this.
The last emerging technology is the development of the CP-ABE Scheme for battery limited mobile devices. In the IoT world many new applications have an emphasis on one device in general that’s the smartphone. The ability to create secure applications is a must. This emerging tech focuses on the encryption mechanisms of (CP-ABE) Ciphertext Policy Attribute Based Encryption. The problem is that most CP-ABE schemes are based on bilinear maps and require long decryption keys, ciphertexts and incur significant computational costs, (Odelu, Das, Khurram Khan, Choo, & Jo, 2017, p. xx). These limitations prevent the CP-ABE scheme from being deployed on mobile battery limited devices. The new emerging technology is the ability to create RSA based CP-ABE that has a constant length of secret key. The ultimate key decryption and encryption times are O (1) of time of complexity which is ground breaking as other solutions have failed to be this efficient up until this point.
CPE-ABE has been around for years but the efficiency that this new method has brought has now made this more applicable to modern IoT technologies primarily the smartphone but not limited to this. The implementation of the RSA based CPE-ABE is broken down into four main algorithms:
- Setup – This algorithm takes a security parameter and the universe of attributes as inputs and then outputs a master public key and its corresponding master secret key
- Encrypt – This algorithm takes an access policy the master public key and plaintext as inputs. The encryption algorithm outputs a ciphertext
- KeyGen – The inputs are an attribute set, the master public key and the master secret key. The key generation then outputs a user secret key corresponding to the attributes.
- Decrypt – It takes a ciphertext generated with an access policy, the master public key and the secret key and outputs plaintext using the decryption algorithm, (Odelu, Das, Khurram Khan, Choo, & Jo, 2017, p. xx).
Real world usage for this kind of technology isn’t limited to mobile phones. Since this is an attribute based encryption system this can be used almost anywhere where attribute based encryption is used. Which includes token based authentication in JSON Web Token and the creation of JWE or an encrypted JSON Web Token which is used in OAuth system all over the internet in almost every authenticated application. JSON Web Tokens are used currently right now as an attribute based system. Instead of attributes the RFC calls them claims where claims are encrypted and sent with a token to the user trying to authenticate. The claims are then evaluated and the user is given a long-lived token for subsequent requests until the token is expired. This creates a stateless session for any web application user experience. OAuth is a security framework that is widely used to authenticate a user across multiple services. With the emergence of this new technology businesses will be able to use this new RSA based system much like the current systems that are using claims in JWT’s. The entire online web community will take advantage of this new emerging technology in the coming years.
Cooperative efforts between the government community and the technology community is needed when discussing the new technology concepts such as IoT. There is still a lot of work to be done. A good place to start would be the Federal Trade and Commission’s (FTC). In an Act, there is a requirement “reasonable security measures” which the agency uses to regulate unfairness. (IEEE & Loza de Siles, n.d.) says, “Under the Act, this agency regulates conduct involving the Internet and otherwise as that conduct relates to consumers and competition.” In this act, there are three main components that categorizes unfair or deceptive acts:
- The act or practice results in substantial consumer injury
- The consumer cannot reasonably avoid that injury
- The harm caused by the act or practice is outweighed by countervailing benefits to consumers or to competition.
An actor’s unfair act or practice may not be the cause of consumer injury for the actor to be liable under the Act, (IEEE & Loza de Siles, n.d.). The FTC prosecuted several Whyndam companies for unfair acts or practices as to the Cybersecurity risks to hotel guests’ personal information where hackers ended up exploiting those risks on three separate occasions, injuring 619,000 consumers. (IEEE & Loza de Siles, n.d.) continues, “Under the FTC’s unfairness authority, IoT and other companies must use “reasonable security measures” to protect consumers’ data.” This is very promising that consumers are being protected in this manner as this is long overdue. However, the vagueness again much like the definition of IoT is still the issue. There needs to be more policy writing that will foster more concrete laws that move with the dynamic changing landscape. This does show the overall support of the government agency in the protection of this newly emerging field.
HTC is another example of how the FTC was willing to go after offenders in this grey area of this Act. The FTC alleged that HTC failed to implement reasonable security measures where HTC, among other illegal conduct, introduced permission re-delegation vulnerabilities in its customized, pre-installed mobile applications on Android-based phones and thereby undermined the operating system’s more protective security model, (IEEE & Loza de Siles, n.d.). This shows how even though the policy is archaic there is still a government entity looking to look out for consumers. Accordingly, the important take-away regarding the FTC’s Tried and True Guidance is that what constitutes “industry-tested and accepted methods” of data security is dynamic and a constantly moving target, (IEEE & Loza de Siles, n.d.). But when does this “reasonable security measures” end. One could clearly see how this may deter innovators from pursuing such areas of interest. In the end, there needs to be more capable policy writers to keep up with the times. It looks as though there are severe re-writes that need to happen in the next five to ten years. Only then will innovators and security experts truly see eye to eye.
One of the fastest growing areas in technology is the introduction of the concept (IoT) Internet of things. However, a very exciting time. There is a some very important new emerging technologies to take note of. That will allow for more innovation in the IoT field. As the field continues to grow there will allows be more potential risks. The emerging security solutions and methodologies are grossly behind. The policy is even more behind the technology to help combat some of the threats that IoT faces. For this field to get the growth it needs cyber policy needs to be written to allow for innovators in the field to have comfort in developing in this space. Until this is done there will not be enough significant innovation to elevate all the security threats due to the inability to in fuse a startup in this space without thinking an investment is going to go directly to liability issues in a few years or even worse in its first year. The ability to see the government take initiative to protect is however very refreshing.
CHALLA, S., WAZID, M., KUMAR DAS, A., KUMAR, N., REDDY, A., YOON, E., & YOO, K. (2017). Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access, 5, 3028-3043. Retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7867773
Forbes, & Morgan, J. (2004, May 13). A simple explanation of ‘the internet of things’. Retrieved from https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#697fb71f1d09
Gartner Research. (n.d.). Internet of things defined – tech definitions by gartner. Retrieved from http://www.gartner.com/it-glossary/internet-of-things/
Hasan, M. M., & Mouftah, H. T. (2016). Optimal trust system placement in smart grid scada networks. IEEE Access, 4, 2907-2919. doi:10.1109/access.2016.2564418
IEEE, & Loza de Siles, E. (n.d.). Cybersecurity Law and Emerging Technologies Part 1 – IEEE Future Directions. Retrieved from http://sites.ieee.org/futuredirections/tech-policy-ethics/may-2017/cybersecurity-law-and-emerging-technologies-part-1/
Odelu, V., Das, A. K., Khurram Khan, M., Choo, K. R., & Jo, M. (2017). Expressive cp-abe scheme for mobile devices in iot satisfying constant-size keys and ciphertexts. IEEE Access, 5, 3273-3283. doi:10.1109/access.2017.2669940
RFC 7516 – JSON Web Encryption (JWE). (n.d.). Retrieved from https://tools.ietf.org/html/rfc7516
RFC 7519 – JSON Web Token (JWT). (n.d.). Retrieved from https://tools.ietf.org/html/rfc7519