The Clusit, Security Community, has published a report on the “state of the art” of the IoT phenomenon, Internet of Things, which is quite interesting.
As noted in the introduction, this phenomenon has become very topical since 2010, when it was reported by the Chinese government, as one of the strategic priorities of the following five years.
ENISA’s definition seems to better capture the characteristics of the IoT phenomenon: «cyber-physical ecosystem of interconnected sensors and actuators, enabling intelligent decision making».
Information is the nerve centre of IoT, because every “thing” is a computer that lives and speaks through a network.
But whether you use “embedded” systems, or operate “stand alone”, it is precisely the dialogue that creates and raises issues of security and compliance.
A McKinsey report in 2015 estimated savings, attributable to “connected objects” technology, of between 4 and 11 trillion dollars in 10 years!
Every IoT device must ensure compliance with fundamental principles such as confidentiality, availability and integrity for overall security.
The “Internet of Things” was coined by Kevin Ashton of MIT, setting the standard for RFID (radio frequency identification) technology and the supply chain.
Things are identifiable and connected smart objects, which provide services, thanks to a local and central data processing capacity, in which the device is passive and decisions centralized! But, the full exploitation of the connected object, is expressed in the total integration with other digital innovation technologies, creating a real interweaving (TANGLE), which implies less security and a contractual commitment for the consumer, able to “tie” him to a multitude of suppliers/actors. Hence the term TANGLEGENCE, crases of tangle and convergence, which could be translated by us as “intertwining“.
In this field you can have them:
– Sensors: to measure various factors (physical, chemical, biological)
– Actuators: in the opposite direction to the first ones, they translate an electrical input signal into actions (e.g. valves, motors)
– Embedded systems: union of the first two operating stand-alone with a gateway interface, or embedded, embedded, in a larger system equipped with LAN or cloud network (e.g. wearebles devices).
There are devices that combine the first and the second type together, such as a thermostat that detects the room temperature (sensor) and activates (actuator) the air conditioner.
Smart objects have the following characteristics:
– Identifiability (e.g. IP address)
– Connectivity
The operation of smart objects is passive, because, very often, it is decided by a central entity, represented by the service owner, and this represents the natural and consequent evolution of M2M, machine-to-machine communications, which were instead unidirectional and did not use IP protocols.
In industry 4.0 we speak of Industrial Internet of Things (IIOT), where Information Technology (IT) and Operational Technology (OT) converge, the latter traditionally closed and proprietary, therefore incompatible with business innovation, now contrary to silo approaches.
The 5G network will implement the sector by increasing transmission speed and reducing latency times.
Security will have to take into account the protocols dictated by NIST, ENISA and the Cloud Security Alliance (CSA). ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS).
Recital 78 of the GDPR states that «manufacturers of products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications», including therefore the various IoT applications.
The U.S. Federal Government’s indications, which explicitly require all devices connected to the Internet to meet the requirements of the Homeland Security Act and reinforced by the Federal Information Security Management Act (FISMA) and the National Cybersecurity Protection Advancement Act, do not go much further.
