Security in Internet of Things(IoT) Ecosystem

The paper analyzes the various security and regulatory frameworks around "Internet of Things" put in place by prominent organizations and bodies across the globe and proposes a consolidated model for IoT ecosystem governance.


Security in IoT Ecosystem: Need for an International Policy Framework

This paper explores the importance of a holistic policy framework for governance in the new world of the Internet of Things (IoT) by putting into perspective the need for such a framework and citing the recent incidents that have taken place in this domain. The paper goes on to evaluate the policies and frameworks put in place by international organizations such as the European Union, the Federal Trade Commission and ITU-T. The paper concludes by proposing a single framework for policy development in an IoT ecosystem.

Prepared by: Mansi Bhargava (PGP-12-122) and Rahul Bindra (PGP-12-137)

Under the guidance of: Dr. Anil Vaidya, Head of Department, Information Management, S.P. Jain Institute of Management & Research
Table of Contents

Executive Summary
Introduction
Secondary Research
    Legal Framework: Models
        Self-Regulation
        International Agreements
            Global
            Regional
    Evaluation of International Policy Framework Approaches
        European Union Commission Approach
            European Union Legislation
            Legal scenarios and specific implementation
            Evaluation of European Union Legislations
        ITU Telecommunication Standardization (ITU-T) Approach
            Legal Barriers: ITU
        United States Federal Trade Commission on IoT
Research Findings
    Challenges posed by growing IoT Ecosystem
    Need for a global policy framework for IoT
Reconfirmation by Primary Research
    Approach to a Policy Framework
        Globality
        Ubiquity
        Verticality
        Technicity
IBTCa Policy Framework for IoT
    Information
    Business
    Trust
    Contextual abstraction
Way Forward
References
Executive Summary

The Internet of Things (IoT) has grown from an interesting technology that offered to help machines interact with each other to a phenomenon that has deeply pervaded the daily life of every human being. This expansion of the ambit of IoT, linking the digital or virtual world with the real or physical world, raises as many questions as it answers. An ecosystem that is already thrice the size of the human population on earth is big enough to leave a lasting imprint on the face of human innovation and evolution. However, along with the opportunity of large-scale benefits comes the lingering possibility of large-scale exploitation of the system, leading to potential economic, technological and societal damage. With news of refrigerators and personal devices being used in massive attacks involving hundreds of thousands of terminals in a system, the need for a security and privacy framework around the IoT ecosystem is gaining prominence in digital forums and conferences.

Such a policy framework has the unenviable objectives of not only placing an internationally accepted framework of regulations and policies around the ever-expanding system of the Internet of Things but also ensuring that the regulations give the scientific community and the industry the necessary room for innovation and protection from "speculative consumer harm", while at the same time maintaining the accountability and compliance parameters. In effect, the framework must support the IoT ecosystem through trust building in three important areas: Industry, System and User.

While System Trust may be related largely to technological advancements and the implementation of "privacy enhancing techniques", Industry and User Trust can only be cultivated by the right mix of involvement of the consumer, private and regulatory bodies in the overall development of the global policy framework for the governance of the IoT ecosystem. While the development of a single policy framework acceptable to and inclusive of cross-boundary and cross-function players would be an important step in the direction of governing the IoT ecosystem, further research needs to be undertaken in the space of enhancing user involvement, creating contextual abstraction and developing data privacy and security for personal devices.
Introduction

Imagine walking into your home with your smartphone in your pocket on a hot summer afternoon. As you step into the drawing room, you notice that the air conditioner switched on 5 minutes ago and the room is now at the right coolness according to your preferences. The television in your room is switched on automatically with your favorite show for the time pre-selected, and you don't have to wait for the food to cook because the microwave already started pre-heating it the minute you walked into the house. Welcome to the world of the Internet of Things (IoT).

With a projected 50 billion devices [1] to be connected and speaking to each other by 2020 and an ecosystem worth slated to touch $14 trillion [2] by the same time, the Internet of Things (IoT) is the next big thing in the evolution of technology. Coined by Kevin Ashton at an MIT lecture in 1999, the concept has come a long way in how machines and humans interact with each other to share information and perform tasks.

There are various large-scale industrial programs taken up by technology giants such as General Electric, IBM and Cisco that have brought the Internet of Things (IoT) to the front of large-scale industrial usage. General Electric defines IoT as a large-scale network of machine-to-machine and machine-to-human interactions that leverages advanced analytics and predictive algorithms to ensure better service quality. Cisco, on the other hand, views IoT as a network of functional networks such as home, energy etc. interacting with each other via secure analytics techniques. The idea is echoed by IBM, which views IoT as a large-scale network of interconnected devices.

"Currently there are more devices on the Internet than there are people on the Internet, and that's the Internet of Things." (IBM)

[1] Cisco, http://share.cisco.com/internet-of-things.html
[2] Cisco, http://iotevent.eu/cisco-sees-14-trillion-opportunity-in-iot/
Sources for the definitions above: [3], [4], [5].

However, such an interconnected mesh of fairly autonomous nodes presents an equally challenging scenario for the entities involved in it. The system raises questions not only about security, privacy and identity management but also about the laws or framework of policies governing the administration of such a network. Such laws are difficult to manage and envision, not only because there is no single body governing information communication through IoT networks but also because information exchange now covers a range of devices previously unthought of, such as toasters and light bulbs. The alarmists cite recent examples of refrigerators being used for comprehensive spam attacks and call into question the aspects of data ownership, exchange and reuse that take place in such a network and how they impact the security and privacy of the real owner of the data. However, owing to the geographical spread and the lack of a single point of authority in this space, there has been little progress in the development of a policy framework for IoT, with industrialists calling into question the need for such a framework out of apprehension that it would stifle the innovative edge that the technology presents.

[3] General Electric, Industrial Internet: Pushing the boundaries of minds and people, November 26, 2012
[4] Cisco, The Internet of Things: How the next evolution of the internet is changing everything, April 2011
[5] IBM, http://www.ibm.com/smarterplanet/us/en/overview/article/iot_video.html
Secondary Research

Development of an international legal/policy framework for IoT would be a tough task, not least because of its overlap with existing laws of data communication as well as the fact that the technology and the interconnected devices span the international landscape even within the ambit of a single transaction. In an attempt to realize a single policy framework for governing the IoT network, let us first analyze the individual organizational efforts that have taken place in this field through independent international bodies such as the US Federal Trade Commission (FTC), the European Union Commission and the International Telecommunication Union – Standardization (ITU-T). However, before delving deep into the study of the above policies, it is important to first develop a basic grounding in the different types of legal/policy frameworks and models.

Legal Framework: Models

International laws incorporate not merely relations among states but also players like individual human beings, organizations and various legal entities. A legal framework for international regulations will need to define the structure and principal guidelines for IoT: how rules are made as well as how they will be interpreted. The framework should also have the flexibility for revisions based on context. Establishment of a legal framework also raises the need for an appropriate legal source. Various models can be applied to establish a framework. These include no regulation, self-regulation, government regulation and international agreements. For the governance of a network as large and expansive as the IoT, self-regulation and international agreements can be considered important for further analysis.

Self-Regulation

Self-regulation responds to changes in the environment and works independently of the concept of territoriality. Self-regulation as a social control model consists of normatively appropriate rules of human behaviour which are enforced through reputational sanctions, requiring effective communication channels to inform about the behaviour of IoT participants. Self-regulation tends to induce government not to introduce any formal laws. The rules formed are more efficient as they respond to real needs and are flexible and incentive-driven. But it might turn out to be interest-driven as it is not legally binding.
Even if the legal framework to be established is self-regulated, some pillars need to be set by the legal sources to be introduced at an international level.

International Agreements

Global

The approach of establishing an international body as a legislator entails the establishment of a new body with representatives from government, businesses and others, which poses challenges questioning the legitimacy of such a body. On the other hand, establishing a governing body within existing organizations would need less time investment and fewer requirements to adhere to.

Regional

Regional policies need to raise awareness among all stakeholders, promote IoT technologies/services and make sure that individuals get fundamental rights to privacy, personal data and consumer identity protection, apart from other information security aspects.

Having understood two of the primary approaches for the development of a policy framework, the different initiatives by independent international organizations can now be understood in greater detail.

Evaluation of International Policy Framework Approaches

Having discussed the key aspects of a policy framework and the different types of models that can be leveraged to achieve a policy/legal framework, let us now discuss some of the key policy initiatives taken by prominent organizations across the globe.

European Union Commission Approach [6]

To establish a legal framework for IoT, the EU invited comments from various stakeholders. Key points involved are:

• ANEC and BEUC: Privacy and data protection being the major challenges, regulations other than self-regulation need to be implemented.
• Amcham: Focus on RFID limits innovation; technology-independent rules should be laid down after further development.
• Afilias: Recommended that the IoT root system focus on backward compatibility, identifier collision, unilateral control authority, assurance of practicality and openness to competition.

The EU recommended that the commission follow a technology-neutral approach to IoT. Also, the development of IoT cannot be left only to the private sector but should be done in a coherent manner with all public policy related to governance of the internet.

European Union Legislation [7]

The EU aims to issue legislation that establishes a regional framework before applying it on a global level, making the whole system functional. The EU laid down 14 lines of action, which include:

• Governance implementation
• Privacy monitoring and personal data protection
• IoT infrastructure of utmost importance
• Standardization of IoT technologies
• Promotion of R&D in IoT
• Public and private sector cooperation
• Institutional awareness
• Waste management and recycling
• International dialogues

From a legal perspective, the major points to be considered are:

• A framework with local control and global interoperability
• IoT security and the "silence of the chips": the need to be able to disconnect from the network whenever required

Legal scenarios and specific implementation

Legislation for privacy and data protection should be focused on these goals:

• Right-to-know legislation: users should know what data is collected and should have the option to deactivate tags if needed
• Prohibition legislation: if the public community dislikes certain behavior, it should be prohibited
• IT-security legislation: protect applications from unwanted reading and rewriting
• Utilization legislation: making information available in scenarios where it might be required
• Task-force legislation: research on legal challenges and resolution of the same

EU directives consider "specific implementation", i.e. natural persons as the objects of privacy laws. But legal persons like corporations should also be included in privacy protection laws.

Evaluation of European Union Legislations

• Addresses many aspects but does not consider the merits of self-regulatory models and industry standardization
• Ensures that the principles of verticality, ubiquity and technicity can be taken into account
• Only applicable to member states in Europe and not globally
• Attests that privacy and data protection problems in the field of the IoT are taken seriously

ITU Telecommunication Standardization (ITU-T) Approach [8]

Combining its expertise in setting standards for the internet as well as the radio communication sector, the ITU can provide the necessary inputs for setting the rules for the IoT ecosystem as well. Currently the ITU acts as a consultant for various bodies engaged in IoT and hence its activities are not directly monitored by the users of IoT. But the ITU has identified challenges in the use of IoT wherein it believes that users are concerned about privacy and the socio-ethical implications of the use of tracking and geo-location: users have to be made aware of the benefits of the IoT.

[6] Weber, R.H. & Weber, R. (2010), Internet of Things: Legal Perspectives. Springer
[7] http://innovation-regulation2.telecom-paristech.fr/wpcontent/uploads/2012/10/CS87_BARBRY.pdf
[8] Weber, R.H. & Weber, R. (2010), Internet of Things: Legal Perspectives. Springer
Legal Barriers: ITU

Regulation of radio frequency: RFID, which forms an important aspect of the IoT, is controlled by national regulations. Band allocation or usage conditions will vary between states. For a global network like IoT, it is required that the RFID tags attached to all objects operate at the same frequency for effective information exchange. The ITU has regional differences within its system; efforts need to be made in this direction to harmonize and establish specifically dedicated frequency bands for IoT usage to ensure interoperability.

Health impact: The effect of the electromagnetic energy radiated by RFID tags on the human body is yet to be established. These tags might also interfere with other devices used by individuals. Before all things are designated with electromagnetic tags, health risks should be essentially considered. These can otherwise contaminate the environment as well as interfere with a wide frequency range. The ITU has given many recommendations with respect to the environmental effects of electromagnetic radiation. Its goal is also to provide consultation on the limits of human exposure to this radiation. It has defined classes depending on transmitting antenna directivity, accessibility to people, and general public or occupational exposure. It also provides guidance for telecommunication installations to comply with tolerable human exposure to electromagnetic fields. The ITU also helps in guiding mitigation to reduce radiation levels in areas accessible to people. In all, the ITU serves the aim of identifying potential sources of radiation and modifying them to decrease it.

United States Federal Trade Commission on IoT

The privacy and security of consumer information have always been reflected in the policies and directives of the US Federal Trade Commission (FTC). The idea has only expanded recently with the emergence of the Internet of Things on an international stage and the potential security and privacy concerns that it brings with it, considering the potential stakeholders employed in the system as well as the potential uses of data. In a March 2012 report [9], the FTC highlighted the Department of Commerce (DoC) recommendation to implement a Consumer Privacy Bill based on the Fair Information Practice Principles (FIPP) along with a framework to assess how different scenarios in the regulation would apply to different businesses.

In the same report, the FTC highlighted five key points of consideration for government policymaking efforts in the future years: Do Not Track, Mobile, Data Brokers, Large Platform Providers, and promoting enforceable self-regulatory codes.

• Do Not Track: Noting the efforts by the Digital Advertising Alliance (DAA), browsers (e.g. Mozilla) and the W3C consortium in helping the consumer with opt-out options, the commission reiterated its support to the above stakeholders.
• Mobile: The commission planned on working with companies providing mobile services to create succinct and clear messages for customers for better transparency.
• Data Brokers: The commission called on data brokers who collate and use consumer information to create a centralized platform giving consumers easy access to information on how their information is being used.
• Large Platform Providers: Large platforms like ISPs actively track consumers' online activities and must be enlightened for addressing privacy concerns.
• Self-Regulation: The FTC would work with the DoC on the creation of sector-specific regulatory codes and further work on ensuring compliance with these codes.

Understanding the need for a policy framework on IoT, the FTC held a workshop in December 2013 [10] to invite the public to explore the surge in consumer data security and privacy issues posed by the surge in interconnected devices able to transfer data amongst each other. The workshop called for the development of a policy where regulators work in tandem with businesses and society to not stifle but protectively nurture a growing technological revolution. It also underscored the need for developing a context-aware system inclusive of the culture, demographics and user perceptions of data use to supplement the privacy and security of consumer data in an interconnected world and increase the acceptability of IoT.

[9] Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
[Figure: Building a context-aware system [10]]

Research Findings

Challenges posed by growing IoT Ecosystem

The exponential growth of the devices and endpoints in the IoT ecosystem has posed a variety of challenges for researchers, such as:

• Device growth (host ecosystem diversity): With a host of new ecosystems and modifications of existing ones appearing every day, consistency of host devices is a big challenge.
• Device growth (Internet bandwidth constraint): Although IPv6 addresses the address exhaustion problem of IPv4, the transition time and complexity are still on the higher side.
• Information security and privacy: With a surge in the number of devices participating in handling sensitive information, privacy enhancing technologies (PET) must form the core of any IoT design.
• Data integrity/access control: With data travelling across diverse devices, it is important to establish the contextual integrity of data.
• Breakdown immunity: With a breakdown potentially affecting millions of people, fallback mechanisms must be developed for damage control.
• Establishing object trust/traceability: Since the data flows through multiple checkpoints and inter-device boundaries, it may be difficult to trust and trace a specific part of the data.
• Data reuse: The data in an IoT network travels across multiple device boundaries, which raises the possibility of it being used outside of the intended authorization.
• User maneuverability: With a large amount of user data shared for the IoT services of a provider, data migration would be a challenge.
• Loss of human control: As technology develops, more predictive algorithms will result in the autonomous operation of systems, which would subsequently make human intervention difficult.
• Legal operability: As multinational organizations provide geographically dispersed data and information services, compliance with local/national/international laws may be a hurdle.

"It is difficult to stop it as our ability to see is limited." (General Keith Alexander, Director NSA, on cyber security attacks)

Need for a global policy framework for IoT

The challenges posed by an exponentially growing IoT network notwithstanding, the need for establishing a global policy framework for it has become more prominent than ever. The claims by security researchers from Proofpoint [11] and the Linux worm vulnerability of routers uncovered by Symantec [12] only serve as a reminder of the reach and potential impact of a security vulnerability in IoT. With even mild security attacks costing the industry from $40 to $80 billion each year [13], the implications of a large-scale attack on the economy, society, technology and, above all, user trust in IoT could be disastrous, as evident from the Malta smart meter electricity theft [14].

Moreover, although an ecosystem such as the IoT serves the grand purpose of bringing the real and virtual worlds together, currently, from a legal perspective at least, the laws governing each of these worlds are different, and thus arises the need for a policy framework.

As the IoT network grows, the sheer deluge of devices and nodes on the network will present a governance challenge too big to manage without a policy framework in place. This problem has already been brought to the fore with Verizon admitting that it cannot see an IoT when connected to a smartphone and Cisco admitting that it will not be able to secure 1 trillion IoTs [15].

"Technology and law sometimes must work together or neither will be effective." (Larry Karisny, Security Expert)

Reconfirmation by Primary Research

Owing to the time constraints involved, the primary research for the purpose of this paper was undertaken by adopting a two-pronged approach for reaching industry professionals working in the field of IoT for their thoughts on the topic. Professionals from organizations having a comprehensive IoT program, such as General Electric, were contacted and interviews were taken via email and phone calls.

[10] Internet of Things: Privacy and Security in a connected world, Federal Trade Commission Workshop, http://www.ftc.gov/sites/default/files/documents/public_events/internet-things-privacy-security-connected-world/internet_of_things_workshop_slides.pdf
[11] http://www.bbc.co.uk/news/technology-25780908
[12] http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
[13] http://www.industryweek.com/systems-integration/technology-rethinking-safety-iot-world
[14] http://www.smartgridnews.com/artman/publish/Technologies_Metering/Malta-s-smart-meter-scandal----41-million-worth-of-electricity-stolen-6360.html/#.Uw1szfmSzMU
[15] Primary Research, http://www.linkedin.com/groupItem?view=&gid=73311&item=5843314036610969603&type=member&commentID=discussion%3A5843314036610969603%3Agroup%3A73311&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5843314036610969603%3Agroup%3A73311
In order to further reach the professional community working outside the ambit of our immediate reach, we leveraged the professional networking platform LinkedIn [16] to pose our questions on the topic and invite comments from the community. The primary research insights corroborated the secondary research findings on the need to establish a policy framework owing to the large size of the IoT ecosystem, but at the same time brought to the fore the skepticism and possible distaste for it on the part of industry, due to fears of scuttling innovation. As such, any policy framework aimed at governing IoT on a global scale must have a fair representation not only of the consumers of the system but also of the service providers and the industrial giants with sizeable investment in research projects in progress on IoT.

Approach to a Policy Framework

There are four key challenges in the establishment of a policy/legal framework [17]: globality, ubiquity, verticality and technicity.

Globality

IoT will be marketed and distributed globally; the same technical processes will be applied all over the world. To prevent the complexity which can arise in business and trade due to differing laws globally, legal systems need to be synchronized.

Ubiquity

The IoT environment should be ubiquitous, encompassing persons, things, plants, animals, everything.

Verticality

The IoT technical environment should be durable. Products should last long enough to go through the entire product life cycle.

Technicity

Technical considerations are important for developing rules for protecting the privacy of objects.

Based on the above requirements, a global framework established by an international regulator is required which can be implemented on every object right from initiation to destruction. Determining a legal framework will also require addressing technical issues; therefore the involvement of technical experts in the framework seems inevitable. As such, there is a need for a global policy framework for IoT that addresses the different stakeholders' aspects of security and privacy: regulatory, economic, socio-ethical and technical [18].

[Figure: stakeholder aspects of security and privacy, grouped into four quadrants (Regulatory, Market, Social-Ethical, Technical), listing: User rights; Public awareness; Disclosure; User advocacy; Encryption; Identity Management; Privacy Enhancing Techniques; Self-regulation; Codes of conduct; Privacy certification; User education; User Consent; Collection Limitation; Data Use; Accountability; Openness]

[16] Primary Research, http://www.linkedin.com/groupItem?view=&gid=73311&type=member&item=5843314036610969603&qid=745c202a-ac89-4275-b530-5c723dbd57a3&trk=groups_items_see_more-0-b-ttl
[17] Weber, R.H. & Weber, R. (2010), Internet of Things: Legal Perspectives. Springer
[18] Weber and Weber, Internet of Things: Legal Perspectives
  17. 17. P a g e | 17 IBTCa Policy Framework for IoT Based on our analysis of the viewpoints put forth by the various policymakers and stake holders that form a part of the IoT ecosystem, the following four characteristics have come to the fore as the integral part of any internationally accepted policy framework for IoT: Information This is the bottom-most layer of the framework and is responsible for ensuring the resilient and up-to-date technologies enabled security and privacy enhancing implementations to ensure the protection of user data and related information. This layer would be responsible for increasing both user trust and participation in the system by ensuring that the personal information travelling in the system is secure. Business The business layer sits on top of the information layer and would encompass the business or industry specific laws of information exchange and governance. The idea behind placing this layer separately is to ensure re-usability of a wide array of rules already in place for different sectors and industries. This would further ensure adoption of the framework by a wider audience. Contextual abstraction Trust Business Information
Page | 18

Trust

It is both extremely critical and equally difficult to establish user trust in a widely interconnected system such as IoT. In order to accomplish this, trust-building measures need to be taken at three levels: Industry, System and User trust.

Contextual abstraction

Displaying the right information to the right user at the right time is important to ensure user involvement and association in the system. In order to ensure that the conveyed information is acted upon and understood by the targeted recipient, the information must be customized to the need and knowledge level of the user while requiring minimal action on the user's part.

[Figure: IBTCa Policy Framework. Information layer: rules on data privacy, security and protection. Business layer: Public Internet, Healthcare, Personal Devices, Financial & Insurance, Retail, Mobile. Trust layer: Industry Trust, System Trust and User Trust, with stakeholders Consumer, Regulators and Industry, and the items Liberal Regulations, Involvement of LPPs and private players, Work with Data Brokers, Globality, Transparency, Security, Privacy by design, Accountability, Do Not Track, Self-regulation, Opt-Out. Contextual abstraction layer: context/situation specific abstraction; data-related transparency on Type, Use, Origin, Collection, Usage.]
Page | 19

The above model adopts a bottom-up approach by proposing to continue the existing protocols and regulations for data privacy, security and protection for the purpose of data communication. On the basis of our primary and secondary research, we are of the opinion that the existing sets of rules in this space are well defined and are suitable for cross-border policy making. An offshoot of the above belief is the opportunity for further work on keeping systems updated with the latest protocols and security measures. We believe that more research can be done in this area on how to maximize security upgrades on the user terminal with minimum actions or assumed knowledge on the user's part.

On the basis of our research, instead of having a single law or regulation intended for all businesses and functions, it is much easier to devise function- or context-specific laws, because much of the work governing data security and privacy in this space is either already done or in progress (as discussed in the US FTC section). This would not only avoid re-inventing the wheel but also keep the entire regime simple and easy to adopt. An addition to the existing field of work for this section could be the development of specific rules for data communication to and from personal devices. This field of study would gain prominence as the range of devices covered by the IoT ecosystem grows, and can be expanded into a separate field of research.

Further, there is a need to develop trust in three important components of IoT, viz. Industry, System and User. On the industry front, regulators need to provide the right amount of flexibility to private players in order to nurture and sustain innovation in IoT. Policies should not be drafted while considering only the "speculative harm" that might befall consumers, but should also give good representation to industry interests. Therefore, any policy must be developed in conjunction with different parties from the public and private sector to ensure continued growth in IoT.

"The Internet of Things is an exploding innovation ecosystem and is poised to be a prime engine of economic growth and mobile opportunity globally. In these very early innings of this exciting technological transformation, government should avoid rigid, prescriptive policies that could stymie our rapidly evolving wireless revolution"
Mobile Future (AT&T, Cisco, Ericsson and Verizon)

"It is vital that government officials like myself approach new technologies with a dose of regulatory humility"
Maureen Ohlhausen, Member, US FTC
Page | 20

On the system front, it is important to ensure that the right mix of transparency and privacy enhancing techniques is used and continually upgraded in line with the latest developments in security and privacy. These technologies and upgrades must then be ensured to reach the users' terminals, so that attacks exploiting known vulnerabilities, which form a large part of all attacks on systems, can be minimized.

It is also important to develop user trust in the IoT ecosystem to ensure its adoption and growth. Apart from user training, it is important to develop policies that help the user understand the flow of his/her personal information through the system and how it is being used by the system. Coupled with options to opt out and to view the data use, this would empower the user and help build user trust in the system.

Finally, many policies and measures do not percolate down to the user because of the sheer technical and text-heavy nature of these directives. Therefore, a context-specific abstraction layer needs to be developed that can convey the cause and effect of the policies to users in a context that relates to them.

Way Forward

While the proposed framework highlights the key components of a policy model, further research on three important sections of the framework would help in further enhancing and practically evaluating the ideas put forth in the model.

Firstly, the development of a data transfer, privacy and security regime for personal devices presents an interesting research prospect that will not only add value to the proposal of developing a business-specific rule base but also provide further insights into a growing business that will be increasingly impacted by IoT.

Secondly, as discussed earlier, further work is required on the development of a methodology that encourages the user to adopt the latest security upgrades available to him/her by minimizing the actions or technical knowledge required. This would help protect the system from attacks on legacy vulnerabilities.

Finally, research on the creation of a context-specific abstraction layer is crucial to user adoption of the system, as it will help the user personally relate to his/her situation and position in the system.
Page | 21

References

The Internet of Things [Online] Available from: http://share.cisco.com/internet-of-things.html [Accessed: 4th February 2014]

Cisco sees $14 trillion opportunity in IoT [Online] Available from: http://iotevent.eu/cisco-sees-14-trillion-opportunity-in-iot/ [Accessed: 4th February 2014]

Huansheng, N. & Hong, L. (2012). Cyber-Physical-Social Based Security Architecture for Future Internet of Things. Scientific Research. p. 2, 6

Karisny, L. (2014). Security in the IoT Ecosystem [Online] Available from: http://www.linkedin.com/groupItem?view=&gid=73311&type=member&item=5843314036610969603&qid=745c202a-ac89-4275-b530-5c723dbd57a3&trk=groups_items_see_more-0-b-ttl

European Union. IoT Privacy, Data Protection, Information Security [Online] Available from: ec.europa.eu/information_society/newsroom/cf/dae/ [Accessed: 4th February 2014]

BBC (2014). Fridge sends spam emails as attack hits smart gadgets [Online] Available from: http://www.bbc.com/news/technology-25780908 [Accessed: 4th February 2014]

Symantec (2013). Linux Worm Targeting Hidden Devices [Online] Available from: http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices [Accessed: 5th February 2014]

Hessman, T. (2013). Technology: Rethinking Safety in the IoT World - When everything is online, security is everyone's job. Industry Week [Online] Available from: http://www.industryweek.com/systems-integration/technology-rethinking-safety-iot-world [Accessed: 6th February 2014]

Weber, R.H. & Weber, R. (2010). Internet of Things: Legal Perspectives. Springer.

United States. Federal Trade Commission (2012). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers [Online] Available from: http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf [Accessed: 9th February 2014]

Gartner (2013). Gartner's 2013 Hype Cycle for Emerging Technologies Maps Out Evolving Relationship Between Humans and Machines [Online] Available from: http://www.gartner.com/newsroom/id/2575515 [Accessed: 10th February 2014]

Evans, D. (2011). The Internet of Things: How the Next Evolution of the Internet Is Changing Everything. Cisco [Online] Available from: https://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf [Accessed: 10th February 2014]

Page | 22

Evans, P. C. & Annunziata, M. (2012). Industrial Internet: Pushing the Boundaries of Minds and Machines [Online] Available from: http://www.ge.com/docs/chapters/Industrial_Internet.pdf [Accessed: 10th February 2014]

IBM. The Internet of Things [Online] Available from: http://www.ibm.com/smarterplanet/us/en/overview/article/iot_video.html [Accessed: 11th February 2014]

United States. Federal Trade Commission (2013). Internet of Things: Privacy and Security in a Connected World [Online] Available from: http://www.ftc.gov/sites/default/files/documents/public_events/internet-things-privacy-security-connected-world/internet_of_things_workshop_slides.pdf [Accessed: 12th February 2014]