Security and Privacy in
Cyber-Physical and IoT Systems
Bob Marcus
Co-Chair NIST Big Data PWG
robert.marcus@et-strategies.com
Caveat: This is a rough first cut and will be revised extensively!
Definitions
Cyber-Physical System (CPS) - a system in which objects interacting
with their physical environment are controlled or monitored by
software. In cyber-physical systems, physical and software
components are deeply intertwined. A robot is a cyber-physical
system even if not networked.
Internet of Things (IoT) - describes the network of physical objects—
a.k.a. "things"—that are embedded with sensors, software, and
other technologies for the purpose of connecting and exchanging
data with other devices and systems over the Internet. A networked
set of computers is not necessarily part of the Internet of Things.
Internet of Everything (IoE) - is an expansion of the Internet of Things
to include people and possibly future intelligent autonomous devices.
These additional components provide major security risks.
My Suggestion: Toughen end-users by sending them test phishing
messages and links without warning to ensure that they are aware
of the danger of responding to similar attacks. (White Hat Phishing)
Outline of Slides
・Recent Development in IoT Security
・IoT Security Issues
・IoT Privacy
・IoT Security Frameworks
・Online Trust Alliance (OTA) Trust Framework and Resource Guide
・Open Web Application Security Project (OWASP) Slides
・IoT Use Cases Security
・References
Recent Developments in IoT Security
(since initial posting of this slide set)
IoT Security Foundation
From https://www.iotsecurityfoundation.org
We will support our mission by:
• Composing and maintaining a comprehensive Compliance Framework of
recommended steps for creating secure IoT products and services;
• Promoting the adoption of the Compliance Framework to IoT service and
product providers, IoT system specifiers, purchasers, and policymakers;
• Composing and promoting security best practice guidance;
• Helping to arrange assurance processes to demonstrate that IoT products
and services meet the requirements of the IoTSF Compliance Framework.
Our mission is to help secure the Internet of Things and make it safe to connect.
Establishing Principles for IoT Security
IoTSF is a collaborative, non-profit, international response to the complex challenges posed
by cybersecurity in the expansive hyper-connected IoT world. As such, IoTSF is the natural
destination for IoT users and technology providers including IoT security professionals, IoT
hardware and software product vendors, network operators, system specifiers, integrators,
distributors, retailers, insurers, local authorities, government agencies and other
stakeholders.
Members
IoT Security Foundation
From https://www.iotsecurityfoundation.org
IoT Security Foundation
From https://www.iotsecurityfoundation.org
Materials published by IoTSF include contributions from security practitioners,
researchers, industrially experienced staff and other relevant sources from IoTSF’s
membership and partners. IoTSF has a multi-stage process designed to develop
contemporary best practice with a quality assurance peer review prior to publication.
Publications
• Consumer IoT: Vulnerability Disclosure – Expanding the View into 2021
• IoT Security Compliance Framework
• Secure Design Best Practice Guides
• Can You Trust Your Smart Building?
• IoT Security Reference Architecture for the Healthcare Industry
• HOME IoT Security Architecture and Policy
• ENTERPRISE IoT Security Architecture and Policy
• IoT Cybersecurity: Regulation Ready – Full Version Nov 2018
• IoT Cybersecurity: Regulation Ready – Concise Version Nov 2018
• Vulnerability Disclosure Best Practice Guide
Best Practices for Developing Secure Connected Devices (Vdoo)
From https://tinyurl.com/jk8za8rf
IoT Security Issues and Challenges from Thales
From https://tinyurl.com/87s3fpf7
Developing a thorough understanding of IoT cybersecurity issues and executing a
strategy to mitigate the related risks will help protect your business and build
confidence in digital transformation processes.
In this new article, we will review six significant IoT security challenges: 
• Weak password protection
• Lack of regular patches and updates and weak update mechanism
• Insecure interfaces
• Insufficient data protection 
• Poor IoT device management
• The IoT skills gap
We explain the potential threats for each topic, illustrate the issue with IoT attack
examples, and results from recent research papers.
We will also see how to address these risks and move forward.
The IoT Ecosystem in 2021
NIST Recommendations for IoT Cybersecurity
From https://csrc.nist.gov/publications/detail/nistir/8259/final
Internet of Things (IoT) devices often lack device cybersecurity capabilities their
customers—organizations and individuals—can use to help mitigate their
cybersecurity risks. Manufacturers can help their customers by improving how
securable the IoT devices they make are by providing necessary cybersecurity
functionality and by providing customers with the cybersecurity-related information
they need. This publication describes recommended activities related to
cybersecurity that manufacturers should consider performing before their IoT
devices are sold to customers. These foundational cybersecurity activities can help
manufacturers lessen the cybersecurity-related efforts needed by customers, which
in turn can reduce the prevalence and severity of IoT device compromises and the
attacks performed using compromised devices.
From Internet of Things Cybersecurity Improvement Act of 2020
https://www.congress.gov/bill/116th-congress/house-bill/1668/text
Not later than 90 days after the date of the enactment of this Act, the Director of the Institute
shall develop and publish under section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) standards and guidelines for the Federal Government on the appropriate
use and management by agencies of Internet of Things devices owned or controlled by an agency
connected to information systems owned or controlled by an agency, including minimum
information security requirements for managing cybersecurity risks associated with such devices.
NIST Recommendations for IoT Cybersecurity
From https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf
The remainder of this publication is organized into the following sections and
appendices:
• Section 2 provides background on how manufacturers play a key role in
how securable their IoT devices are for their customers, such as which
cybersecurity risk mitigation areas that customers commonly need to
address and understanding how the device may provide support for those
areas.
• Sections 3 and 4 describe activities that manufacturers should consider
performing before their IoT devices are sold to customers in order to
improve how securable the IoT devices are for the customers.
• Section 3 includes activities that primarily impact securability efforts by
the manufacturer before device sale. The Section 3 activities are:
identifying expected customers and defining expected use cases,
researching customer cybersecurity needs and goals, determining how
to address customer needs and goals, and planning for adequate
support of customer needs and goals.
• Section 4 includes activities that primarily impact securability efforts by
the manufacturer after device sale. The Section 4 activities are: defining
approaches for communicating with customers regarding IoT device
cybersecurity
NIST Recommendations for IoT Cybersecurity: References
From https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf
Fagan M, Megas KN, Scarfone K, Smith M (2020) IoT Device Cybersecurity
Capability Core Baseline. (National Institute of Standards and Technology,
Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8259A.
https://doi.org/10.6028/NIST.IR.8259A
Boeckl K, Fagan M, Fisher W, Lefkovitz N, Megas K, Nadeau E, Piccarreta B, Gabel
O’Rourke D, Scarfone K (2019) Considerations for Managing Internet of Things
(IoT) Cybersecurity and Privacy Risks. (National Institute of Standards and
Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8228.
https://doi.org/10.6028/NIST.IR.8228
Cyber-Physical Systems Public Working Group (2017) Framework for
Cyber-Physical Systems: Volume 1, Overview, Version 1.0. (National Institute of
Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP)
1500-201. https://doi.org/10.6028/NIST.SP.1500-201
Internet of Things (IoT) Component Capability Model for Research Testbed
(2020) (National Institute of Standards and Technology, Gaithersburg, MD)
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8316.pdf
NIST Recommendations for IoT Cybersecurity
From https://www.nist.gov/video/nist-recommendations-foundational-cybersecurity-guidance-iot-device-manufacturers-presented
NIST Cybersecurity for IoT Program
From https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
NIST’s Cybersecurity for the Internet of Things (IoT) program supports the
development and application of standards, guidelines, and related tools to improve
the cybersecurity of connected devices and the environments in which they are
deployed. By collaborating with stakeholders across government, industry,
international bodies, and academia, the program aims to cultivate trust and foster an
environment that enables innovation on a global scale.
• Published! Four public draft documents providing guidance for federal agencies and IoT device
manufacturers on defining IoT cybersecurity requirements (Overview) (Background Information):
◦ SP 800-213 (DRAFT) IoT Device Cybersecurity Guidance for the Federal Government: Establishing
IoT Device Cybersecurity Requirements [Document]
◦ NISTIR 8259B (DRAFT), IoT Non-Technical Supporting Capability Core Baseline [Document]
◦ NISTIR 8259C (DRAFT), Creating a Profile Using the IoT Core Baseline and Non-Technical
Baseline [Document]
◦ NISTIR 8259D (DRAFT), Profile Using the IoT Core Baseline and Non-Technical Baseline for the
Federal Government [Document]
• Published! Federal Profile of NISTIR 8259A (“Federal Profile”) (June 30, 2020) [FAQs]

NIST is developing a federal profile of the Core Baseline established in NISTIR 8259A (“Federal
Profile”) and seeks feedback from all stakeholders on this initial catalog of proposed IoT device
cybersecurity capabilities and related non-technical capabilities. Also, the IoT for Cybersecurity
Program has instituted a new way to provide feedback and influence the discussion!
NIST Cybersecurity for IoT Program (cont)
From https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
• NISTIR 8259 and NISTIR 8259A promise to have a lasting impact on IoT device
cybersecurity. In a June 1, 2020 blog, NIST IoT Cybersecurity Program Manager Katerina
Megas explains what they mean for manufacturers and consumers—both in the United
States and beyond.
• Published! NISTIR 8259 (FINAL) – Recommendations for IoT Device Manufacturers:
Foundational Activities (May 29, 2020) [Document] [FAQs]
• Published! NISTIR 8259A (FINAL) – Core Device Cybersecurity Capability Baseline
(May 29, 2020) [Document] [FAQs]
• The Final Public Draft of NIST SP 800-53 Revision 5: Security and
Privacy Controls for Information Systems and Organizations was
released on March 16. NIST SP 800-53 presents a proactive and systemic approach to
developing comprehensive safeguarding measures for all types of computing platforms,
including general purpose computing systems, cyber-physical systems, cloud and mobile
systems, industrial/process control systems, and Internet of Things (IoT) devices. NIST
seeks comment on this draft through May 15, 2020.
• Published! NISTIR 8259 (DRAFT) Core Cybersecurity Feature Baseline for Securable
IoT Devices: A Starting Point for IoT Device Manufacturers [Document] [Background
Information]
• Published! NISTIR 8228: Considerations for Managing Internet of Things (IoT)
Cybersecurity and Privacy Risks now available. 
National Cybersecurity Center of Excellence (NCCoE) for IoT
From https://www.nccoe.nist.gov/projects/building-blocks/iot
Trusted IoT Device Network-Layer Onboarding and Lifecycle Management
Network-layer onboarding of an IoT device is the provisioning of network credentials to that device. The current lack of trusted IoT device
onboarding processes leaves many networks vulnerable to having unauthorized devices connect to them. It also leaves devices vulnerable to
being taken over by networks that are not authorized to onboard them. This project focuses on approaches to trusted network-layer
onboarding of IoT devices over IP networks and lifecycle management of the devices. Learn more about this project.
Securing Wireless Infusion Pumps
Medical facilities are more connected than ever before, making the delivery of healthcare more efficient and convenient for patients. The
wireless infusion pump device is present in nearly every medical setting. Tampering with the wireless infusion pump ecosystem can expose a
healthcare delivery organization (HDO) enterprise, and by extension its patients, to serious risks. This project resulted in defense-in-depth
cybersecurity guidance applicable to any connected medical device to help HDOs protect their networks. Learn more about this
project.
Mitigating IoT-Based DDoS
This project aims to improve the resiliency of IoT devices against network-based attacks by using the Internet Engineering Task Force’s
Manufacturer Usage Description (MUD) architecture. When MUD is used, the network will automatically permit IoT devices to send and
receive only the traffic they require to perform as intended, and the network will prohibit all other communication with the devices. Learn
more about this project
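The default-deny behaviour described above, as an added example (not code from NCCoE or from this slide set): a small evaluator that reads the from-device rules of a MUD file laid out as in RFC 8520 and decides whether an outbound flow is permitted. The MUD file, the device, the host names and the `DNS_VIEW` name-to-address map are constructed for illustration, and only exact-port, DNS-name destination rules are handled; anything else is ignored so that the result fails closed.

```python
import json
from typing import NamedTuple

# Constructed MUD file for a hypothetical sensor, trimmed to the fields used here.
MUD_JSON = """
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://mud.example.com/sensor.json",
    "systeminfo": "Example temperature sensor (constructed)",
    "from-device-policy": {
      "access-lists": {"access-list": [{"name": "from-sensor"}]}
    }
  },
  "ietf-access-control-list:acls": {
    "acl": [{
      "name": "from-sensor",
      "type": "ipv4-acl-type",
      "aces": {"ace": [
        {"name": "telemetry-https",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "telemetry.example.com",
                    "protocol": 6},
           "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}},
        {"name": "ntp",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "ntp.example.com",
                    "protocol": 17},
           "udp": {"destination-port": {"operator": "eq", "port": 123}}},
         "actions": {"forwarding": "accept"}}
      ]}
    }]
  }
}
"""

# Constructed DNS view (assumption): the addresses the enforcement point has
# seen these names resolve to. Documentation address ranges only.
DNS_VIEW = {
    "telemetry.example.com": {"192.0.2.10"},
    "ntp.example.com": {"198.51.100.7"},
}

PROTO_KEY = {6: "tcp", 17: "udp"}  # IP protocol number -> key under "matches"


class Rule(NamedTuple):
    name: str
    dst_dnsname: str
    protocol: int
    dst_port: int


def load_from_device_rules(mud_text: str) -> list:
    """Extract the accept rules referenced by from-device-policy."""
    doc = json.loads(mud_text)
    policy = doc["ietf-mud:mud"]["from-device-policy"]
    wanted = {e["name"] for e in policy["access-lists"]["access-list"]}
    rules = []
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue
        for ace in acl["aces"]["ace"]:
            matches = ace["matches"]
            ip = matches.get("ipv4", {})
            proto = ip.get("protocol")
            port = matches.get(PROTO_KEY.get(proto, ""), {}).get(
                "destination-port", {})
            supported = (
                ace["actions"]["forwarding"] == "accept"
                and "ietf-acldns:dst-dnsname" in ip
                and port.get("operator") == "eq"
            )
            if not supported:
                continue  # unknown match type: grant nothing (fail closed)
            rules.append(Rule(ace["name"], ip["ietf-acldns:dst-dnsname"],
                              proto, port["port"]))
    return rules


def decide(rules, dns_view, dst_ip, protocol, dst_port):
    """Return ("accept", ace_name) on a match, otherwise ("drop", None)."""
    for rule in rules:
        if (rule.protocol == protocol and rule.dst_port == dst_port
                and dst_ip in dns_view.get(rule.dst_dnsname, set())):
            return ("accept", rule.name)
    return ("drop", None)  # MUD semantics: everything not listed is prohibited


RULES = load_from_device_rules(MUD_JSON)

if __name__ == "__main__":
    # Constructed flows: (destination IP, protocol number, destination port)
    for flow in [("192.0.2.10", 6, 443), ("198.51.100.7", 17, 123),
                 ("203.0.113.5", 6, 23), ("192.0.2.10", 17, 443)]:
        print(flow, decide(RULES, DNS_VIEW, *flow))
```
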
The Internet of Things has unlimited possibilities for home and business use. Appliances from refrigerators to sensor networks are now
available in models that interact with a wireless network, making them easier to control with a computer or smartphone. Estimates suggest
that there will be more than 75 billion IoT devices in use by 2025, according to IHS Markit. Along with this massive market adoption of IoT,
though, comes a trove of security concerns that necessitate attention and action. The National Institute of Standards and Technology's (NIST)
National Cybersecurity Center of Excellence (NCCoE) is striving to make IoT more secure. NCCoE’s work is done in conjunction with and
informed by NIST’s Cybersecurity for the Internet of Things (IoT) Program. This program supports the development and application of
standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed.
Below are the IoT projects that are currently underway at the NCCoE.
National Cybersecurity Center of Excellence (NCCoE) for IoT (cont)
From https://www.nccoe.nist.gov/projects/building-blocks/iot
Securing the Industrial Internet of Things
This project focuses on data integrity and malware prevention, detection, and mitigation within industrial control systems (ICS). Major
consideration is given to distributed energy resources (DERs)—particularly commercial-scale and utility-scale solar power installations—and
their interconnection with the electricity distribution grid. Distributed energy resources introduce information exchanges between a utility’s
distribution control system and the DERs, or an aggregator, to manage the flow of energy in the distribution grid. These information
exchanges often employ Industrial Internet of Things (IIoT) technologies that lack the communications security present in traditional utility
systems. Learn more about this project.
Consumer Home Internet of Things Product Security
This project aims to provide data-driven cybersecurity information about the state of the consumer smart home market. This project
provides technical security assessments of consumer home IoT products, with the aim of identifying security capabilities and
recommendations for IoT device manufacturers. These technical assessments will also help the NCCoE better address consumer home IoT
security in a holistic manner in future projects. In addition, the technical assessments inform the security tenets for IoT devices outlined in
NISTIR 8259 (Draft), Core Cybersecurity Feature Baseline for Securable IoT Devices. Learn more about this project.
Security for IoT Sensor Networks
This project aims to demonstrate how resource-constrained sensors can have their firmware securely updated over the air (OTA). This
project will align with draft NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity
Capability Baseline and seeks to utilize industry standards for interoperability. Learn more about this effort.
Securing Telehealth Remote Patient Monitoring Ecosystem
Telehealth is one of the fastest growing sectors within healthcare. It leverages network-connected devices to monitor and treat patients
outside of a healthcare delivery organization’s (HDOs) closed environment. HDOs are leveraging a combination of telehealth capabilities,
such as remote patient monitoring (RPM) and videoconferencing, to treat patients in their homes. These modalities are used to treat
numerous conditions, such as patients battling chronic illness or requiring postoperative monitoring. As use of these capabilities continues to
grow, it is important to ensure that the infrastructure supporting them can protect patient data. The NCCoE healthcare team and NIST
Privacy teams are working together on this project. Learn more about this project.
IoT Security Discussion from ARM
From https://www.arm.com/glossary/iot-security
IoT security covers both physical device security and network security, and impacts the
processes, technologies, and measures necessary to protect IoT devices and networks. It
spans industrial machines, smart energy grids, building automation systems, entertainment
devices, and more, including devices that often aren’t designed for network security. IoT
device security must protect systems, networks, and data from a broad spectrum of IoT
security attacks, which target four types of vulnerabilities:
• Communication attacks on the data transmitted between IoT devices and servers.
• Lifecycle attacks on the IoT device as it changes hands from user to maintenance.
• Attacks on the device software.
• Physical attacks, which directly target the chip in the device.
Key Security Goals
AT&T’s List of IoT Security Technologies
From https://cybersecurity.att.com/blogs/security-essentials/internet-of-things-security-explained
1. IoT network security - This is all about protecting and securing the network that connects IoT devices
to the internet. The sheer number of devices, combined with the complexity of communication protocols,
make IoT network security a primary concern within IoT networks.
2. IoT authentication - The mechanism with which users authenticate an IoT device, which may include
multiple users on one device (such as a connected car). Mechanisms range from a static password or PIN
to more robust authentication mechanisms like multi factor authentication (MFA), biometrics, and digital
certificates
3. IoT encryption - The communication channels between edge devices and back-end systems require
that encryption technologies are implemented across various IoT devices hardware platforms. As such,
data integrity is maintained and hackers trying to intercept data are thwarted.
4. IoT Public Key Infrastructure (PKI) - Provides complete X.509 digital certificate, cryptographic key
and life-cycle capabilities, including public/private key generation, distribution, management, and
revocation. With PKI, digital certificates can be securely loaded onto devices at the time of manufacturing.
Not only that, but they can be activated at the point of development, providing a means for an effective PKI
application across a
5. IoT security analytics - Much like other analytics, IoT device data is collected, monitored, aggregated
and normalized to provide actionable alerts and reports when abnormal activity is detected. Recently,
analytics have leveraged more sophisticated AI, machine learning, and big data to help with predictive
modeling and reduce false positives.
SecurityBoulevard’s Top 19 IoT Security Solutions
From https://securityboulevard.com/2020/12/the-top-19-internet-of-thingsiot-security-solutions/
Palo Alto Networks
FirstPoint
Trustwave
NanoLock
Armis
Bastille
Broadcom
Trusted Objects
CENTRI Protected Sessions
Overwatch
SecuriThings Horizon
SensorHound
Tempered Airwall
Vdoo
Atonomi
CyberMDX
Cynerio
Medigate
Sternum
Ten Vulnerability Management Tools
From https://tinyurl.com/59nswcvh
1. Kenna Security Vulnerability Management
2. Flexera Vulnerability Management
3. tenable.io
4. Zeronorth
5. Threadfix
6. Infection Monkey
7. Crowdstrike Falcon
8. Immuniweb
9. ManageEngine Vulnerability Manager Plus
10. Nessus Professional
IoT Security Issues
Intellectsoft Top 10 IoT Security Issues
From https://www.intellectsoft.net/blog/biggest-iot-security-issues/
Lack Of Compliance On The Part Of IoT Manufacturers
Lack Of User Knowledge & Awareness
IoT Security Problems In Device Update Management
Lack Of Physical Hardening
Botnet Attacks
Industrial Espionage & Eavesdropping
Hijacking Your IoT Devices
Data Integrity Risks Of IoT Security In Healthcare
Rogue IoT Devices
Cryptomining With IoT Bots
IoT Security Issues
From https://www.linkedin.com/pulse/convergence-iot-quantum-computing-ahmed-banafa
IoT system’s diverse security issues include:
• Data breaches – IoT applications collect a lot of user data, and most of it sensitive or
personal, to operate and function correctly. As such, it needs encryption protection.
• Data authentication – Some devices may have adequate encryption in place but it can still
be open to hackers if the authenticity of the data that is communicated to and from the
IoT device cannot be authenticated.
• Side-channel attacks – Certain attacks focus on the data and information it can gain from
a system’s implementation rather than vulnerabilities in the implementation’s algorithms. 
• Irregular updates – Due to the rapid advances in the IoT industry, a device that may have
been secure on its release may not be secure anymore if its software does not get
updated regularly. Add to that the famous SolarWinds’s Supply Chain attack of 2020 which
infected over 18,000 companies and government agencies using updates of office
applications, and network monitoring tools.
• Malware and ransomware – Malware refers to the multitude of malicious programs that
typically infects a device and influences its functioning whereas ransomware has the
capabilities to lock a user out of their device, usually requesting a “ransom” to gain full
use back again paid by cryptocurrency “Bitcoin”.
Operational and Information Technology Security for IoT
From http://www.corporateperformancemanagement-hq.com/how-should-you-consider-the-iot-security-management-better-secure-the-application-layer/
CPS System of Systems Security Characteristics
From http://www.slideshare.net/pfroberts/cyber-physical-systems-boston-2015-1
CPS Security Topics
From http://icsd.i2r.a-star.edu.sg/cpss15/
• Adaptive attack mitigation for CPS
• Authentication and access control for CPS
• Availability, recovery and auditing for CPS
• Data security and privacy for CPS
• Embedded systems security
• EV charging system security
• Intrusion detection for CPS
• Key management in CPS
• Legacy CPS system protection
• Lightweight crypto and security
• SCADA security
• Security of industrial control systems
• Smart grid security
• Threat modeling for CPS
• Urban transportation system security
• Vulnerability analysis for CPS
• Wireless sensor network security
IoT Security Levels
From http://www.slideshare.net/DrDavidProbert/integrated-cybersecurity-and-the-internet-of-things
Recommended Interdisciplinary Design Areas from NIST
From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Cyber-Physical and Analog Design Layers from NIST
From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Recommended Design Considerations for CPS Security
From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Design Considerations for CPS Security continued
From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Challenges for Privacy and Security
From http://tinyurl.com/gv38c78
Responses to Challenges to Cyber-Physical System Security
From http://tinyurl.com/gv38c78
mPCDs = Mobile Personal Communication Device
SNSS = Smart Networked Systems and Society
Online Trust Alliance’s (OTA) Vendor Best Practices for IoT Security
From https://otalliance.org/news-events/press-releases/internet-things-lacks-safety-today-opening-door-major-threats-tomorrow
• Making privacy policies readily available for review prior to product purchase,
download or activation.
• Encrypting or hashing all personally identifiable data both at rest and in motion.
• Disclosing prior to purchase a device’s data collection policies, as well as the impact
on the device’s key features if consumers choose not to share their data.
• Disclosing if the user has the ability to remove or make anonymous all personal
data upon discontinuing device or device end-of-life.
• Publishing a timeframe for support after the device/app is discontinued or replaced
by newer version.
Design Patterns for IoT Security from Michael Koster
From http://iot-datamodels.blogspot.com/2014/05/design-patterns-for-internet-of-things.html
• Access control using data models: semantic hyperlinks control access to resources
based on the embedded metadata
• Social to physical graph relationship: well defined concepts of ownership and
access delegation between people, entities, and things
• PGP and asymmetric public-key cryptography on devices: ways of creating SSL
sessions and signing data between devices and applications
• DTLS over UDP: security for resource constrained devices
• End-to-end encryption: transmitting and storing encrypted data independent of
channel encryption
• Device Management: using device identity, registration, and secure key exchange
Device Level Security Requirements
From www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf
• Secure Booting
• Access Control
• Device Authentication
• Firewalls or Intrusion Prevention System (IPS)
• Updates and Patches
Security for IoT in IERC
From www.internet-of-things-research.eu/pdf/IERC_Cluster_Book_2014_Ch.3_SRIA_WEB.pdf
DoS/DDOS attacks are already well understood for the current Internet, but the IoT is also
susceptible to such attacks and will require specific techniques and mechanisms to ensure that
transport, energy, city infrastructures cannot be disabled or subverted.
General attack detection and recovery/resilience to cope with IoT-specific threats, such as
compromised nodes, malicious code hacking attacks.
Cyber situation awareness tools/techniques will need to be developed to enable IoT-based
infrastructures to be monitored. Advances are required to enable operators to adapt the
protection of the IoT during the lifecycle of the system and assist operators to take the
most appropriate protective action during attacks.
The IoT requires a variety of access control and associated accounting schemes to support the
various authorisation and usage models that are required by users. The heterogeneity and diversity
of the devices/gateways that require access control will require new lightweight schemes to be
developed.
The IoT needs to handle virtually all modes of operation by itself without relying on human
control. New techniques and approaches e.g. from machine learning, are required to lead to a self-
managed IoT
Privacy for IoT from IERC
From www.internet-of-things-research.eu/pdf/IERC_Cluster_Book_2014_Ch.3_SRIA_WEB.pdf
Cryptographic techniques that enable protected data to be stored, processed and shared, without the
information content being accessible to other parties. Technologies such as homomorphic and
searchable encryption are potential candidates for developing such approaches.
Techniques to support Privacy by Design concepts, including data minimisation, identification,
authentication and anonymity.
Fine-grain and self-configuring access control mechanism emulating the real world. There are a
number of privacy implications arising from the ubiquity and pervasiveness of IoT devices where
further research is required, including
Preserving location privacy, where location can be inferred from things associated with people.
Prevention of personal information inference, that individuals would wish to keep private, through
the observation of IoT-related exchanges.
Keeping information as local as possible using decentralised computing and key management.
Use of soft Identities, where the real identity of the user can be used to generate various soft
identities for specific applications. Each soft identity can be designed for a specific context or
application without revealing unnecessary information, which can lead to privacy breaches
Trust for IoT from IERC
From www.internet-of-things-research.eu/pdf/IERC_Cluster_Book_2014_Ch.3_SRIA_WEB.pdf
Lightweight Public Key Infrastructures (PKI) as a basis for trust management. Advances are expected in
hierarchical and cross certification concepts to enable solutions to address the scalability requirements.
Lightweight key management systems to enable trust relationships to be established and the distribution
of encryption materials using minimum communications and processing resources, as is consistent with
the resource constrained nature of many IoT devices.
Quality of Information is a requirement for many IoT-based systems where metadata can be used to
provide an assessment of the reliability of IoT data.
Decentralised and self-configuring systems as alternatives to PKI for establishing trust e.g. identity
federation, peer to peer.
Novel methods for assessing trust in people, devices and data, beyond reputation systems. One example
is Trust Negotiation. Trust Negotiation is a mechanism that allows two parties to automatically negotiate,
on the basis of a chain of trust policies, the minimum level of trust required to grant access to a service
or to a piece of information.
Assurance methods for trusted platforms including hardware, software, protocols, etc.
Access Control to prevent data breaches. One example is Usage Control, which is the process of
ensuring the correct usage of certain information according to a predefined policy after the access to
information is granted
IoT Security Concerns from HP
From http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
Security Threats for IoT from Infineon
From http://www.slideshare.net/infineon/infineon-the-root-of-trust-for-the-internet-of-things
Attacks on IoT Devices
From https://www.researchgate.net/publication/252013823_Proposed_embedded_security_framework_for_Internet_of_Things_IoT
Potential Security Risks in IoT to Cloud Networks
From http://blog.imgtec.com/powervr/bringing-better-security-to-mobile-automotive-or-iot
Device Level Security Levels
From http://viodi.com/2015/04/26/summary-of-iot-sessions-at-2015-gsa-silicon-summit-part-i/
IoT Security Chain (Device to Data Center) from PRPL
From http://www.slideshare.net/axroh/cie-io-tsecurityarfinal
IoT Products Security Comparison by Veracode
From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
1. User Facing Services Security
2. Device Facing Services Security
3. Mobile Application Interface Security
4. Device Debugging Interface Security
1. User Facing Cloud Services Security Comparison
From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
2. Device Facing Cloud Services Security Comparison
From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
3. Mobile Application Interface Security Comparison
From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
4. Device Debugging Interface Security Comparison
From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
IoT Privacy
Privacy Risks with IoT
From www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html
• Prospective buyers of connected cars have heard the reports of hackers taking over
control of the vehicle, putting passengers at risk of an accident. They also worry about
others being able to remotely monitor conversations inside the vehicle, monitor
compliance with traffic regulations and predict when and where they will be.
• Future consumers of smart homes — houses containing interconnected appliances,
smart meters and smart TVs — similarly worry about outside parties being able to
assume remote control of their living space, monitor activity, predict whereabouts and
also draw conclusions about what type of people they are based on their living
patterns.
• As wearables expand beyond tracking the number of steps per day into more
comprehensive health and wellness profiles integrated with smartphones and social
networks, users’ commentary and concern about the use and disclosure of their data
dossiers are increasing.
Industry Specific Privacy Standards with IoT
From www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html
• Mobile-marketing industry’s Mobile Application Privacy Policy Framework
http://tinyurl.com/hjzwfnp
• Automaker’s Consumer Privacy Protection Principles for Vehicle Technologies and Services
http://www.autoalliance.org/?objectid=865F3AC0-68FD-11E4-866D000C296BA163
• Agribusiness sector’s Privacy and Security Principles for Farm Data.
http://www.fb.org/tmp/uploads/PrivacyAndSecurityPrinciplesForFarmData.pdf
Required Privacy for IoT
From www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html
1. Tested security. It’s one thing to adopt a set of security controls like the Payment Card Industry
Data Security Standard, designed to reduce credit card fraud. It’s another thing for those controls to
prevail in a sophisticated penetration test. The IoT would need to set the bar at this higher level to earn
maximum user trust.
2. Data minimization. IoT components should maintain default settings that use the minimum
amount of personal data to perform their service. Minimum can mean minimum types of data fields
collected and exposed to other devices as well as minimum periods of data retention.
3. Controlled and transparent disclosure. Law enforcement and national defense around the
world will seek to pursue their legitimate objectives within the IoT. Virtually every industry will seek to
track or analyze their end consumers as they move through the system. Trust in the whole enterprise
will collapse, however, if these pursuits are not counterbalanced with reliable disclosure controls that
are proportionate to the identified threat, and widely known and understood.
4. Data portability. Users won’t want any one node of the IoT ecosystem to accumulate too much
power by storing data in its own proprietary format. To bolster trust in the entire system, adopt a
common data format that allows users to port their data from one platform to the next.
5. Right to be forgotten. The IoT should be safe for the most vulnerable in society: children, victims
of crime and the poor. To protect their safety and thereby make the IoT the largest possible
marketplace, enable users to completely opt out by being able to withdraw their data.
IoT Security Frameworks
CPS Security Framework from China
From www.sersc.org/journals/IJSIA/vol9_no1_2015/17.pdf or
https://www.terraswarm.org/pubs/136/lu_newmultiframe_edge.pdf
Security Architecture Service Delivery Framework from Cap Gemini
From http://www.slideshare.net/JohnArnoldSec/security-architecture-frameworks
Architecture Reference Model based Security Framework for IoT
From http://www.mdpi.com/1424-8220/15/7/15611/htm
Architecture Interaction with Security Framework for IoT
From http://www.mdpi.com/1424-8220/15/7/15611/htm
Security Enclaves Management Structure from Cisco
From http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-manager/whitepaper-c07-731204.html
IoT Security Environment from Cisco
From http://www.cisco.com/web/about/security/intelligence/iot_framework.html
Secure IoT Framework from Cisco
From http://www.cisco.com/web/about/security/intelligence/iot_framework.html
Secure Features and Layering from IoT-A
From http://www.iot-a.eu/arm/d1.3/at_download/file
Security Framework from iCore Project
From http://www.sciencedirect.com/science/article/pii/S0167404815000887
Model-Based Security Kit (SecKit) based on ICore
From http://www.sciencedirect.com/science/article/pii/S0167404815000887
SecKit Metamodel and Dependencies
From http://www.internet-of-things-research.eu/pdf/Building_the_Hyperconnected_Society_IERC_2015_Cluster_eBook_978-87-93237-98-8_P_Web.pdf
Eurotech’s Security Approach
From http://www.slideshare.net/Eurotechchannel/iot-security-elements
Eurotech EveryWare Device Cloud (EDC) + Software Framework (ESF)
From http://www.slideshare.net/Eurotechchannel/iot-security-elements
Eurotech EveryWare Device Cloud + Software Framework continued
From http://www.slideshare.net/Eurotechchannel/iot-security-elements
Eurotech EveryWare Device Cloud + Software Framework continued
From http://www.slideshare.net/Eurotechchannel/iot-security-elements
Internet of Secure Things Framework
From http://embedded-computing.com/25942-leveraging-iot-security-to-improve-roi/
Floodgate Security Framework from Icon Labs
From http://www.iconlabs.com/prod/product-family/floodgate-security-framework
Secure Analytics for IoT Framework from Cisco
From http://www.cisco.com/web/about/security/intelligence/iot_framework.html
• This secure analytics layer defines the services by which all elements (endpoints and
network infrastructure, inclusive of data centers) may participate to provide telemetry
for the purpose of gaining visibility and eventually controlling the IoT/M2M ecosystem.
• With the maturity of big data systems, we can deploy a massive parallel database
(MPP) platform that can process large volumes of data in near real time. When we
combine this technology with analytics, we can do some real statistical analysis on the
security data to pick out anomalies.
• Further, it includes all elements that aggregate and correlate the information,
including telemetry, to provide reconnaissance and threat detection. Threat mitigation
could vary from automatically shutting down the attacker from accessing further
resources to running specialized scripts to initiate proper remediation.
• The data, generated by the IoT devices, is only valuable if the right analytics
algorithms or other security intelligence processes are defined to identify the threat.
We can get better analytical outcome by collecting data from multiple sources and
applying security profiles and statistical models that are built upon various layers of
security algorithms.
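The statistical step these bullets describe, as an added example (not code from Cisco or from this slide set): each device's latest telemetry is scored against its own baseline with a median/MAD modified z-score, and the per-source findings are then correlated per device. The device names, metrics, telemetry values and verdict labels are constructed for illustration.

```python
import math
from statistics import fmean, median

THRESHOLD = 3.5  # widely used cut-off for the modified z-score

# Constructed sample telemetry. Keys are (source, device). "endpoint" values
# are connections/minute reported by the device itself; "network" values are
# bytes/minute observed for that device by the network infrastructure.
BASELINE = {
    ("endpoint", "cam-01"): [12, 14, 13, 12, 15, 13, 14, 12],
    ("network", "cam-01"): [5100, 4900, 5000, 5200, 5050, 4950, 5000, 5100],
    ("endpoint", "thermo-07"): [3, 4, 3, 3, 4, 3, 4, 3],
    ("network", "thermo-07"): [800, 820, 790, 810, 805, 795, 800, 815],
    ("endpoint", "lock-22"): [2, 2, 3, 2, 2, 3, 2, 2],
    ("network", "lock-22"): [400, 410, 395, 405, 400, 398, 402, 407],
}
LATEST = {
    ("endpoint", "cam-01"): 240,
    ("network", "cam-01"): 98000,
    ("endpoint", "thermo-07"): 4,
    ("network", "thermo-07"): 9500,
    ("endpoint", "lock-22"): 2,
    ("network", "lock-22"): 401,
}


def anomaly_score(history, value):
    """Absolute modified z-score of `value` against `history` (median/MAD)."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    if mad > 0:
        return abs(0.6745 * (value - med) / mad)
    # MAD is 0 when more than half of the baseline is identical, which is
    # common for quiet devices. Fall back to the mean absolute deviation.
    mean_ad = fmean([abs(x - med) for x in history])
    if mean_ad > 0:
        return abs((value - med) / (1.253314 * mean_ad))
    # Perfectly flat baseline: any change at all is a deviation.
    return 0.0 if value == med else math.inf


def triage(baseline, latest, threshold=THRESHOLD):
    """Return {device: {"verdict": str, "sources": [str, ...]}}.

    Verdicts (labels are assumptions of this example):
      "correlated"    - anomalous in two or more independent sources
      "single-source" - anomalous in exactly one source
      "normal"        - no source exceeded the threshold
    """
    anomalous = {}
    for (source, device), value in latest.items():
        history = baseline.get((source, device))
        if not history:
            continue  # no baseline yet, so the value cannot be scored
        anomalous.setdefault(device, [])
        if anomaly_score(history, value) > threshold:
            anomalous[device].append(source)

    result = {}
    for device, sources in anomalous.items():
        if len(sources) >= 2:
            verdict = "correlated"
        elif len(sources) == 1:
            verdict = "single-source"
        else:
            verdict = "normal"
        result[device] = {"verdict": verdict, "sources": sorted(sources)}
    return result


if __name__ == "__main__":
    for device, finding in sorted(triage(BASELINE, LATEST).items()):
        print(device, finding["verdict"], finding["sources"])
```

A single-source finding in which the network sees a spike that the device does not report is worth its own review, since the device's self-reported telemetry may no longer be trustworthy.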
Security Cloud from Cisco
From https://techradar.cisco.com/pdf/cisco-technology-radar.pdf
Before
After
Security Options for Constrained Devices
From http://cnds.eecs.jacobs-university.de/slides/2013-im-iot-management.pdf
Security Boundaries from RTI
From http://www.slideshare.net/RealTimeInnovations/build-safe-and-secure-distributed-systems-39944271
Data Distribution Service Transport Security from RTI
From http://www.slideshare.net/RealTimeInnovations/build-safe-and-secure-distributed-systems-39944271
Online Trust Alliance (OTA)
Trust Framework and Resource Guide
Online Trust Alliance’s (OTA) Trust Framework
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
Online Trust Alliance’s (OTA) Trust Framework
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
Online Trust Alliance’s (OTA) Trust Framework continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
Security continued
Online Trust Alliance’s (OTA) Trust Framework continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
Online Trust Alliance’s (OTA) Trust Framework continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
Online Trust Alliance’s (OTA) Trust Framework continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
Privacy, Disclosures, and Transparency Continued
Online Trust Alliance’s Trust Framework for IoT Resource Guide
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Online Trust Alliance’s Trust Framework for IoT Resource Guide
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide Continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Security
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
User Access and Credentials
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
User Access and Credentials
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
User Access and Credentials
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
User Access and Credentials
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
User Access and Credentials
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures (16 continued)
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures (16 continued)
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures (23 continued)
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
OTA Trust Framework for IoT Resource Guide continued
From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
Privacy, Transparency, & Disclosures
Open Web Application Security Project (OWASP)
Security Needs from Open Web Application Security Project (OWASP)
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
• The Internet of Things Device
• The Cloud
• The Mobile Application
• The Network Interfaces
• The Software
• Use of Encryption
• Use of Authentication
• Physical Security
• USB ports
OWASP Top Ten IoT Security Issues
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
1. Insecure Web Interface
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
2. Insufficient Authentication/Authorization
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
3. Insecure Network Services
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
4. Lack of Transport Encryption
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
5. Privacy Concerns
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
6. Insecure Cloud Interface
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
7. Insecure Mobile Interface
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
8. Insufficient Security Configurability
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
9. Insecure Software/Firmware
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
10. Poor Physical Security
From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
IoT Use Cases Security
IoT Security Threats from Beecham Research
From http://www.smartgridnews.com/story/iot-presents-utilities-myriad-security-challenges/2015-05-12
Critical Cyber-Physical Systems Requiring Security
From www.slideshare.net/DrDavidProbert/integrated-cybersecurity-and-the-internet-of-things
Security Incidents by Sector in FY 2013 from DHS
From http://tinyurl.com/gv38c78
IoT Use Case and Security from Infineon
From http://www.slideshare.net/infineon/infineon-the-root-of-trust-for-the-internet-of-things
Cyber Threats to Critical Infrastructure from GAO
From http://pserc.wisc.edu/documents/general_information/presentations/pserc_seminars/psercwebinars2012/Govindarasu_PSERC_Webinar_Slides_Feb_2012.pdf
Smart Grid Security = Info + Infrastructure + Application Security
From http://pserc.wisc.edu/documents/general_information/presentations/pserc_seminars/psercwebinars2012/Govindarasu_PSERC_Webinar_Slides_Feb_2012.pdf
Attacks on Smart Grid Cyber-Physical Systems
From http://pserc.wisc.edu/documents/general_information/presentations/pserc_seminars/psercwebinars2012/Govindarasu_PSERC_Webinar_Slides_Feb_2012.pdf
Smart City Multi-Layer Security Framework
From www.slideshare.net/DrDavidProbert/integrated-cybersecurity-and-the-internet-of-things
References
Inventory of all Bob Marcus CPS Slides on Slideshare
http://www.slideshare.net/bobmarcus/inventory-of-my-cps-slide-sets
Reference Links (CPS Security)
Designed-In Cybersecurity for CPS from Cyber-Security Research Alliance
http://www.cybersecurityresearch.org/documents/CSRA_Workshop_Report.pdf
Designed-in Security for CPS from IEEE Panel
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6924670
Security of Cyber-Physical Systems Papers from CMU CyLab
https://www.cylab.cmu.edu/research/projects/research-area/security-cyber-physical.html
CPS Security Research at ADSC in Singapore
http://publish.illinois.edu/cps-security/
NSF/Intel Partnership in CPS Security and Privacy
http://www.nsf.gov/pubs/2014/nsf14571/nsf14571.htm
Challenges for Securing Cyber-Physical Systems from Berkeley CHESS
https://chess.eecs.berkeley.edu/pubs/601/cps-security-challenges.pdf
Secure Control Towards Survivable CPS from Berkeley
https://www.truststc.org/pubs/345/cardenas-SecureControl-v1.pdf
Security Issues and Challenges for Cyber Physical Systems from China
http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf
Challenges in Security from USC
http://cimic.rutgers.edu/positionPapers/CPS-Neuman.pdf
Systems Theoretic Approach to the Security Threats in CPS from MIT
http://web.mit.edu/smadnick/www/wp/2014-13.pdf
Reference Links (CPS Security)
CPS Security Challenges and Research Idea from BBN
http://cimic.rutgers.edu/positionPapers/CPSS_BBN.pdf
IoT Botnet
http://internetofthingsagenda.techtarget.com/definition/IoT-botnet-Internet-of-Things-botnet
Privacy Standards for IoT
http://www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html
Building the Bionic Cloud
http://www.digitalgovernment.com/media/Downloads/asset_upload_file194_5802.pdf
How the Internet of Things could be fatal
http://www.cnbc.com/2016/03/04/how-the-internet-of-things-could-be-fatal.html
Hippocratic Oath for Medical Devices
https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
Hierarchical Security Architecture for Cyber-Physical Systems
https://inldigitallibrary.inl.gov/sti/5144319.pdf
A Systematic View of Studies in Cyber-Physical System Security
http://www.sersc.org/journals/IJSIA/vol9_no1_2015/17.pdf
Why IoT Security is so Critical
http://techcrunch.com/2015/10/24/why-iot-security-is-so-critical/#.j1xovjh:VRMg
Open Web Application Security Project
https://www.owasp.org/index.php/Main_Page
PRPL Foundation
http://prplfoundation.org/overview/
OpenWrt
https://en.wikipedia.org/wiki/OpenWrt
Reference Links (CPS Security) continued
Online Trust Alliance (OTA) IoT Initiatives
https://otalliance.org/initiatives/internet-things
TerraSwarm
http://www.terraswarm.org/
Secure Internet of Things Project Publications
http://iot.stanford.edu/pubs.html
Internet of Things Privacy and Security in a Connected World Report from U.S. Federal Trade Commission (FTC)
https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
Best Practices in CyberSecurity from the U.S. National Highway Traffic Safety Administration (NHTSA)
http://tinyurl.com/zhpojlp
Cybersecurity through Real-Time Distributed Control System
http://web.ornl.gov/sci/electricdelivery/pdfs/ORNL_Cybersecurity_Through_Real-Time_Distributed_Control_Systems.pdf
ISO/IEC 27108 Privacy Standard and Microsoft Support
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498
http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/
Surveillance through IoT
http://www.theregister.co.uk/2016/02/09/clapper_says_iot_good_for_intel/
Nanotechnology, Ubiquitous Computing and the IoT - Challenges to the Rights of Privacy and Data Protection for Council of Europe
https://www.coe.int/t/dghl/standardsetting/dataprotection/Reports/Miller%20Kearnes%20-%20Nano%20privacy%20Draft%20report%20%2017%2005%202013.pdf
NIST supported research on IoT Security for Homes and Transit Systems by Galois
https://galois.com/news/tozny-awarded-nist-grant-to-secure-iot-enabled-smart-homes-and-transit-systems/
IoT and Quantum Computing
https://www.linkedin.com/pulse/convergence-iot-quantum-computing-ahmed-banafa

 
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxFinal Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docx
 
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docxFinal Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docx
 
Design of a Hybrid Authentication Technique for User and Device Authenticatio...
Design of a Hybrid Authentication Technique for User and Device Authenticatio...Design of a Hybrid Authentication Technique for User and Device Authenticatio...
Design of a Hybrid Authentication Technique for User and Device Authenticatio...
 
IOT and Security.pptx
IOT and Security.pptxIOT and Security.pptx
IOT and Security.pptx
 
IOT and Security.pptx
IOT and Security.pptxIOT and Security.pptx
IOT and Security.pptx
 
Securing the internet of things: The conversation you need to have with your CEO
Securing the internet of things: The conversation you need to have with your CEOSecuring the internet of things: The conversation you need to have with your CEO
Securing the internet of things: The conversation you need to have with your CEO
 
Secure Modern Healthcare System Based on Internet of Things and Secret Sharin...
Secure Modern Healthcare System Based on Internet of Things and Secret Sharin...Secure Modern Healthcare System Based on Internet of Things and Secret Sharin...
Secure Modern Healthcare System Based on Internet of Things and Secret Sharin...
 
Cybersecurity in the Age of IoT - Skillmine
Cybersecurity in the Age of IoT - SkillmineCybersecurity in the Age of IoT - Skillmine
Cybersecurity in the Age of IoT - Skillmine
 
assignment help experts
assignment help expertsassignment help experts
assignment help experts
 
Safeguarding the Internet of Things
Safeguarding the Internet of ThingsSafeguarding the Internet of Things
Safeguarding the Internet of Things
 
Inventory of my IoT slide sets
Inventory of my IoT slide setsInventory of my IoT slide sets
Inventory of my IoT slide sets
 
VMware pulse IoT center, an IoT management suite
VMware pulse IoT center, an IoT management suiteVMware pulse IoT center, an IoT management suite
VMware pulse IoT center, an IoT management suite
 
sample assignment
sample assignmentsample assignment
sample assignment
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
 
Internet & iot security
Internet & iot securityInternet & iot security
Internet & iot security
 

Recently uploaded

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 

Recently uploaded (20)

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 

Security and Privacy in IoT and Cyber-physical Systems

  • 1. Security and Privacy in Cyber-Physical and IoT Systems Bob Marcus Co-Chair NIST Big Data PWG robert.marcus@et-strategies.com Caveat: This is a rough first cut and will be revised extensively!
  • 2. Definitions Cyber-Physical System (CPS) - a system in which objects interacting with their physical environment are controlled or monitored by software. In cyber-physical systems, physical and software components are deeply intertwined. A robot is a cyber-physical system even if not networked. Internet of Things (IoT) - describes the network of physical objects— a.k.a. "things"—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet. A networked set of computers is not necessarily part of the Internet of Things. Internet of Everything (IoE) - is an expansion of the Internet of Things to include people and possibly future intelligent autonomous devices. These additional components provide major security risks. My Suggestion: Toughen end-users by sending them test phishing messages and links without warning to ensure that they are aware of the danger of responding to similar attacks. (White Hat Phishing)
  • 3. Outline of Slides ・Recent Development in IoT Security ・IoT Security Issues ・IoT Privacy ・IoT Security Frameworks ・Online Trust Alliance (OTA) Trust Framework and Resource Guide ・Open Web Application Security Project (OWASP) Slides ・IoT Use Cases Security ・References
  • 4. Recent Developments in IoT Security (since initial posting of this slide set)
  • 5. IoT Security Foundation From https://www.iotsecurityfoundation.org We will support our mission by: • Composing and maintaining a comprehensive Compliance Framework of recommended steps for creating secure IoT products and services; • Promoting the adoption of the Compliance Framework to IoT service and product providers, IoT system specifiers, purchasers, and policymakers; • Composing and promoting security best practice guidance; • Helping to arrange assurance processes to demonstrate that IoT products and services meet the requirements of the IoTSF Compliance Framework. Our mission is to help secure the Internet of Things and make it safe to connect. Establishing Principles for IoT Security IoTSF is a collaborative, non-profit, international response to the complex challenges posed by cybersecurity in the expansive hyper-connected IoT world. As such, IoTSF is the natural destination for IoT users and technology providers including IoT security professionals, IoT hardware and software product vendors, network operators, system specifiers, integrators, distributors, retailers, insurers, local authorities, government agencies and other stakeholders. Members
  • 6. IoT Security Foundation From https://www.iotsecurityfoundation.org Click image to watch video
  • 7. IoT Security Foundation From https://www.iotsecurityfoundation.org Materials published by IoTSF include contributions from security practitioners, researchers, industrially experienced staff and other relevant sources from IoTSF’s membership and partners. IoTSF has a multi-stage process designed to develop contemporary best practice with a quality assurance peer review prior to publication. Publications • Consumer IoT: Vulnerability Disclosure – Expanding the View into 2021 • IoT Security Compliance Framework • Secure Design Best Practice Guides • Can You Trust Your Smart Building? • IoT Security Reference Architecture for the Healthcare Industry • HOME IoT Security Architecture and Policy • ENTERPRISE IoT Security Architecture and Policy • IoT Cybersecurity: Regulation Ready – Full Version Nov 2018 • IoT Cybersecurity: Regulation Ready – Concise Version Nov 2018 • Vulnerability Disclosure Best Practice Guide
  • 8. Best Practices for Developing Secure Connected Devices (Vdoo) From https://tinyurl.com/jk8za8rf
  • 9. IoT Security Issues and Challenges from Thales From https://tinyurl.com/87s3fpf7 Developing a thorough understanding of IoT cybersecurity issues and executing a strategy to mitigate the related risks will help protect your business and build confidence in digital transformation processes. In this new article, we will review six significant IoT security challenges:  • Weak password protection • Lack of regular patches and updates and weak update mechanism • Insecure interfaces • Insufficient data protection  • Poor IoT device management • The IoT skills gap We explain the potential threats for each topic, illustrate the issue with IoT attack examples, and results from recent research papers. We will also see how to address these risks and move forward. The IoT Ecosystem in 2021
  • 10. NIST Recommendations for IoT Cybersecurity From https://csrc.nist.gov/publications/detail/nistir/8259/final Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices. From Internet of Things Cybersecurity Improvement Act of 2020 https://www.congress.gov/bill/116th-congress/house-bill/1668/text Not later than 90 days after the date of the enactment of this Act, the Director of the Institute shall develop and publish under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.
  • 11. NIST Recommendations for IoT Cybersecurity From https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf The remainder of this publication is organized into the following sections and appendices: • Section 2 provides background on how manufacturers play a key role in how securable their IoT devices are for their customers, such as which cybersecurity risk mitigation areas that customers commonly need to address and understanding how the device may provide support for those areas. • Sections 3 and 4 describe activities that manufacturers should consider performing before their IoT devices are sold to customers in order to improve how securable the IoT devices are for the customers. • Section 3 includes activities that primarily impact securability efforts by the manufacturer before device sale. The Section 3 activities are: identifying expected customers and defining expected use cases, researching customer cybersecurity needs and goals, determining how to address customer needs and goals, and planning for adequate support of customer needs and goals. • Section 4 includes activities that primarily impact securability efforts by the manufacturer after device sale. The Section 4 activities are: defining approaches for communicating with customers regarding IoT device cybersecurity
  • 12. NIST Recommendations for IoT Cybersecurity: References From https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf Fagan M, Megas KN, Scarfone K, Smith M (2020) IoT Device Cybersecurity Capability Core Baseline. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8259A. https://doi.org/10.6028/NIST.IR.8259A Boeckl K, Fagan M, Fisher W, Lefkovitz N, Megas K, Nadeau E, Piccarreta B, Gabel O’Rourke D, Scarfone K (2019) Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8228. https://doi.org/10.6028/NIST.IR.8228 Cyber-Physical Systems Public Working Group (2017) Framework for Cyber-Physical Systems: Volume 1, Overview, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 1500-201. https://doi.org/10.6028/NIST.SP.1500-201 Internet of Things (IoT) Component Capability Model for Research Testbed (2020) (National Institute of Standards and Technology, Gaithersburg, MD) https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8316.pdf
  • 13. NIST Recommendations for IoT Cybersecurity From https://www.nist.gov/video/nist-recommendations-foundational-cybersecurity-guidance-iot-device-manufacturers-presented
  • 14. NIST Cybersecurity for IoT Program From https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale. • Published! Four public draft documents providing guidance for federal agencies and IoT device manufacturers on defining IoT cybersecurity requirements (Overview) (Background Information): ◦ SP 800-213 (DRAFT) IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements [Document] ◦ NISTIR 8259B (DRAFT), IoT Non-Technical Supporting Capability Core Baseline [Document] ◦ NISTIR 8259C (DRAFT), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline [Document] ◦ NISTIR 8259D (DRAFT), Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government [Document] • Published! Federal Profile of NISTIR 8259A (“Federal Profile”) (June 30, 2020) [FAQs]
 NIST is developing a federal profile of the Core Baseline established in NISTIR 8259A (“Federal Profile”) and seeks feedback from all stakeholders on this initial catalog of proposed IoT device cybersecurity capabilities and related non-technical capabilities. Also, the IoT for Cybersecurity Program has instituted a new way to provide feedback and influence the discussion!
  • 15. NIST Cybersecurity for IoT Program (cont) From https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program • NISTIR 8259 and NISTIR 8259A promise to have a lasting impact on IoT device cybersecurity. In a June 1, 2020 blog, NIST IoT Cybersecurity Program Manager Katerina Megas explains what they mean for manufacturers and consumers—both in the United States and beyond. • Published! NISTIR 8259 (FINAL) – Recommendations for IoT Device Manufacturers: Foundational Activities (May 29, 2020) [Document] [FAQs] • Published! NISTIR 8259A (FINAL) – Core Device Cybersecurity Capability Baseline (May 29, 2020) [Document] [FAQs] • The Final Public Draft of NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations was released on March 16. NIST SP 800-53 presents a proactive and systemic approach to developing comprehensive safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. NIST seeks comment on this draft through May 15, 2020. • Published! NISTIR 8259 (DRAFT) Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers [Document] [Background Information] • Published! NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks now available.
  • 16. National Cybersecurity Center of Excellence (NCCoE) for IoT From https://www.nccoe.nist.gov/projects/building-blocks/iot Trusted IoT Device Network-Layer Onboarding and Lifecycle Management Network-layer onboarding of an IoT device is the provisioning of network credentials to that device. The current lack of trusted IoT device onboarding processes leaves many networks vulnerable to having unauthorized devices connect to them. It also leaves devices vulnerable to being taken over by networks that are not authorized to onboard them. This project focuses on approaches to trusted network-layer onboarding of IoT devices over IP networks and lifecycle management of the devices. Learn more about this project. Securing Wireless Infusion Pumps Medical facilities are more connected than ever before, making the delivery of healthcare more efficient and convenient for patients. The wireless infusion pump device is present in nearly every medical setting. Tampering with the wireless infusion pump ecosystem can expose a healthcare delivery organization (HDO) enterprise, and by extension its patients, to serious risks. This project resulted in defense-in-depth cybersecurity guidance applicable to any connected medical device to help HDOs protect their networks. Learn more about this project. Mitigating IoT-Based DDoS This project aims to improve the resiliency of IoT devices against network-based attacks by using the Internet Engineering Task Force’s Manufacturer Usage Description (MUD) architecture. When MUD is used, the network will automatically permit IoT devices to send and receive only the traffic they require to perform as intended, and the network will prohibit all other communication with the devices.
Learn more about this project. The Internet of Things has unlimited possibilities for home and business use. Appliances from refrigerators to sensor networks are now available in models that interact with a wireless network, making them easier to control with a computer or smartphone. Estimates suggest that there will be more than 75 billion IoT devices in use by 2025, according to IHS Markit. Along with this massive market adoption of IoT, though, comes a trove of security concerns that necessitate attention and action. The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) is striving to make IoT more secure. NCCoE’s work is done in conjunction with and informed by NIST’s Cybersecurity for the Internet of Things (IoT) Program. This program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. Below are the IoT projects that are currently underway at the NCCoE.
  • 17. National Cybersecurity Center of Excellence (NCCoE) for IoT (cont) From https://www.nccoe.nist.gov/projects/building-blocks/iot Securing the Industrial Internet of Things This project focuses on data integrity and malware prevention, detection, and mitigation within industrial control systems (ICS). Major consideration is given to distributed energy resources (DERs)—particularly commercial-scale and utility-scale solar power installations—and their interconnection with the electricity distribution grid. Distributed energy resources introduce information exchanges between a utility’s distribution control system and the DERs, or an aggregator, to manage the flow of energy in the distribution grid. These information exchanges often employ Industrial Internet of Things (IIoT) technologies that lack the communications security present in traditional utility systems. Learn more about this project. Consumer Home Internet of Things Product Security This project aims to provide data-driven cybersecurity information about the state of the consumer smart home market. This project provides technical security assessments of consumer home IoT products, with the aim of identifying security capabilities and recommendations for IoT device manufacturers. These technical assessments will also help the NCCoE better address consumer home IoT security in a holistic manner in future projects. In addition, the technical assessments inform the security tenets for IoT devices outlined in NISTIR 8259 (Draft), Core Cybersecurity Feature Baseline for Securable IoT Devices. Learn more about this project. Security for IoT Sensor Networks This project aims to demonstrate how resource-constrained sensors can have their firmware securely updated over the air (OTA). This project will align with draft NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline and seeks to utilize industry standards for interoperability.
Learn more about this effort. Securing Telehealth Remote Patient Monitoring Ecosystem Telehealth is one of the fastest growing sectors within healthcare. It leverages network-connected devices to monitor and treat patients outside of a healthcare delivery organization’s (HDOs) closed environment. HDOs are leveraging a combination of telehealth capabilities, such as remote patient monitoring (RPM) and videoconferencing, to treat patients in their homes. These modalities are used to treat numerous conditions, such as patients battling chronic illness or requiring postoperative monitoring. As use of these capabilities continues to grow, it is important to ensure that the infrastructure supporting them can protect patient data. The NCCoE healthcare team and NIST Privacy teams are working together on this project. Learn more about this project.
  • 18. IoT Security Discussion from ARM From https://www.arm.com/glossary/iot-security IoT security covers both physical device security and network security, and impacts the processes, technologies, and measures necessary to protect IoT devices and networks. It spans industrial machines, smart energy grids, building automation systems, entertainment devices, and more, including devices that often aren’t designed for network security. IoT device security must protect systems, networks, and data from a broad spectrum of IoT security attacks, which target four types of vulnerabilities: • Communication attacks on the data transmitted between IoT devices and servers. • Lifecycle attacks on the IoT device as it changes hands from user to maintenance. • Attacks on the device software. • Physical attacks, which directly target the chip in the device. Key Security Goals
  • 19. ATT’s List of IoT Security Technologies From https://cybersecurity.att.com/blogs/security-essentials/internet-of-things-security-explained 1. IoT network security - This is all about protecting and securing the network that connects IoT devices to the internet. The sheer number of devices, combined with the complexity of communication protocols, makes IoT network security a primary concern within IoT networks.
 
 2. IoT authentication - The mechanism with which users authenticate an IoT device, which may include multiple users on one device (such as a connected car). Mechanisms range from a static password or PIN to more robust authentication mechanisms like multi-factor authentication (MFA), biometrics, and digital certificates.
 
 3. IoT encryption - The communication channels between edge devices and back-end systems require that encryption technologies are implemented across various IoT devices hardware platforms. As such, data integrity is maintained and hackers trying to intercept data are thwarted.
 
 4. IoT Public Key Infrastructure (PKI) - Provides complete X.509 digital certificate, cryptographic key and life-cycle capabilities, including public/private key generation, distribution, management, and revocation. With PKI, digital certificates can be securely loaded onto devices at the time of manufacturing. Not only that, but they can be activated at the point of development, providing a means for an effective PKI application across a
 
 5. IoT security analytics - Much like other analytics, IoT device data is collected, monitored, aggregated and normalized to provide actionable alerts and reports when abnormal activity is detected. Recently, analytics have leveraged more sophisticated AI, machine learning, and big data to help with predictive modeling and reduce false positives.
  • 20. SecurityBoulevard’s Top 19 IoT Security Solutions From https://securityboulevard.com/2020/12/the-top-19-internet-of-thingsiot-security-solutions/ Palo Alto Networks, FirstPoint, Trustwave, NanoLock, Armis, Bastille, Broadcom, Trusted Objects, CENTRI Protected Sessions, Overwatch, SecuriThings Horizon, SensorHound, Tempered Airwall, Vdoo, Atonomi, CyberMDX, Cynerio, Medigate, Sternum
  • 21. Ten Vulnerability Management Tools From https://tinyurl.com/59nswcvh 1. Kenna Security Vulnerability Management 2. Flexera Vulnerability Management 3. tenable.io 4. Zeronorth 5. Threadfix 6. Infection Monkey 7. Crowdstrike Falcon 8. Immuniweb 9. ManageEngine Vulnerability Manager Plus 10. Nessus Professional
  • 23. Intellectsoft Top 10 IoT Security Issues From https://www.intellectsoft.net/blog/biggest-iot-security-issues/ 1. Lack Of Compliance On The Part Of IoT Manufacturers 2. Lack Of User Knowledge & Awareness 3. IoT Security Problems In Device Update Management 4. Lack Of Physical Hardening 5. Botnet Attacks 6. Industrial Espionage & Eavesdropping 7. Hijacking Your IoT Devices 8. Data Integrity Risks Of IoT Security In Healthcare 9. Rogue IoT Devices 10. Cryptomining With IoT Bots
  • 24. IoT Security Issues From https://www.linkedin.com/pulse/convergence-iot-quantum-computing-ahmed-banafa IoT system’s diverse security issues include: • Data breaches – IoT applications collect a lot of user data, and most of it sensitive or personal, to operate and function correctly. As such, it needs encryption protection. • Data authentication – Some devices may have adequate encryption in place but it can still be open to hackers if the authenticity of the data that is communicated to and from the IoT device cannot be authenticated. • Side-channel attacks – Certain attacks focus on the data and information it can gain from a system’s implementation rather than vulnerabilities in the implementation’s algorithms. • Irregular updates – Due to the rapid advances in the IoT industry, a device that may have been secure on its release may not be secure anymore if its software does not get updated regularly. Add to that the famous SolarWinds’s Supply Chain attack of 2020 which infected over 18,000 companies and government agencies using updates of office applications, and network monitoring tools. • Malware and ransomware – Malware refers to the multitude of malicious programs that typically infects a device and influences its functioning whereas ransomware has the capabilities to lock a user out of their device, usually requesting a “ransom” to gain full use back again paid by cryptocurrency “Bitcoin”.
  • 25. Operational and Information Technology Security for IoT From http://www.corporateperformancemanagement-hq.com/how-should-you-consider-the-iot-security-management-better-secure-the-application-layer/
  • 26. CPS System of Systems Security Characteristics From http://www.slideshare.net/pfroberts/cyber-physical-systems-boston-2015-1
  • 27. CPS Security Topics From http://icsd.i2r.a-star.edu.sg/cpss15/ • Adaptive attack mitigation for CPS • Authentication and access control for CPS • Availability, recovery and auditing for CPS • Data security and privacy for CPS • Embedded systems security • EV charging system security • Intrusion detection for CPS • Key management in CPS • Legacy CPS system protection • Lightweight crypto and security • SCADA security • Security of industrial control systems • Smart grid security • Threat modeling for CPS • Urban transportation system security • Vulnerability analysis for CPS • Wireless sensor network security
  • 28. IoT Security Levels From http://www.slideshare.net/DrDavidProbert/integrated-cybersecurity-and-the-internet-of-things
  • 29. Recommended Interdisciplinary Design Areas from NIST From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
  • 30. Cyber-Physical and Analog Design Layers from NIST From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
  • 31. Recommended Design Considerations for CPS Security From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
  • 32. Design Considerations for CPS Security continued From https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
  • 33. Challenges for Privacy and Security From http://tinyurl.com/gv38c78
  • 34. Responses to Challenges to Cyber-Physical System Security From http://tinyurl.com/gv38c78 mPCDs = Mobile Personal Communication Device SNSS = Smart Networked Systems and Society
  • 35. Online Trust Alliance’s (OTA) Vendor Best Practices for IoT Security From https://otalliance.org/news-events/press-releases/internet-things-lacks-safety-today-opening-door-major-threats-tomorrow • Making privacy policies readily available for review prior to product purchase, download or activation. • Encrypting or hashing all personally identifiable data both at rest and in motion. • Disclosing prior to purchase a device’s data collection policies, as well as the impact on the device’s key features if consumers choose not to share their data. • Disclosing if the user has the ability to remove or make anonymous all personal data upon discontinuing device or device end-of-life. • Publishing a timeframe for support after the device/app is discontinued or replaced by newer version.
  • 36. From http://iot-datamodels.blogspot.com/2014/05/design-patterns-for-internet-of-things.html Design Patterns for IoT Security from Michael Koster • Access control using data models: semantic hyperlinks control access to resources based on the embedded metadata
 • Social to physical graph relationship: well defined concepts of ownership and access delegation between people, entities, and things
 • PGP and asymmetric public-key cryptography on devices: ways of creating SSL sessions and signing data between devices and applications
 • DTLS over UDP: security for resource constrained devices
 • End-to-end encryption: transmitting and storing encrypted data independent of channel encryption                                                                                                         
 • Device Management: using device identity, registration, and secure key exchange 

  • 37. Device Level Security Requirements From www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf • Secure Booting • Access Control • Device Authentication • Firewalls or Intrusion Prevention System (IPS) • Updates and Patches
  • 38. Security for IoT in IERC From www.internet-of-things-research.eu/pdf/IERC_Cluster_Book_2014_Ch.3_SRIA_WEB.pdf DoS/DDOS attacks are already well understood for the current Internet, but the IoT is also susceptible to such attacks and will require specific techniques and mechanisms to ensure that transport, energy, city infrastructures cannot be disabled or subverted. General attack detection and recovery/resilience to cope with IoT-specific threats, such as compromised nodes, malicious code hacking attacks. Cyber situation awareness tools/techniques will need to be developed to enable IoT-based infrastructures to be monitored. Advances are required to enable operators to adapt the protection of the IoT during the lifecycle of the system and assist operators to take the most appropriate protective action during attacks. The IoT requires a variety of access control and associated accounting schemes to support the various authorisation and usage models that are required by users. The heterogeneity and diversity of the devices/gateways that require access control will require new lightweight schemes to be developed. The IoT needs to handle virtually all modes of operation by itself without relying on human control. New techniques and approaches e.g. from machine learning, are required to lead to a self-managed IoT
  • 39. Privacy for IoT from IERC From www.internet-of-things-research.eu/pdf/IERC_Cluster_Book_2014_Ch.3_SRIA_WEB.pdf Cryptographic techniques that enable protected data to be stored processed and shared, without the information content being accessible to other parties. Technologies such as homomorphic and searchable encryption are potential candidates for developing such approaches. Techniques to support Privacy by Design concepts, including data minimisation, identification, authentication and anonymity. Fine-grain and self-configuring access control mechanism emulating the real world. There are a number of privacy implications arising from the ubiquity and pervasiveness of IoT devices where further research is required, including Preserving location privacy, where location can be inferred from things associated with people. Prevention of personal information inference, that individuals would wish to keep private, through the observation of IoT-related exchanges. Keeping information as local as possible using decentralised computing and key management. Use of soft Identities, where the real identity of the user can be used to generate various soft identities for specific applications. Each soft identity can be designed for a specific context or application without revealing unnecessary information, which can lead to privacy breaches
  • 40. Trust for IoT from IERC From www.internet-of-things-research.eu/pdf/IERC_Cluster_Book_2014_Ch.3_SRIA_WEB.pdf Lightweight Public Key Infrastructures (PKI) as a basis for trust management. Advances are expected in hierarchical and cross certification concepts to enable solutions to address the scalability requirements. Lightweight key management systems to enable trust relationships to be established and the distribution of encryption materials using minimum communications and processing resources, as is consistent with the resource constrained nature of many IoT devices. Quality of Information is a requirement for many IoT-based systems where metadata can be used to provide an assessment of the reliability of IoT data. Decentralised and self-configuring systems as alternatives to PKI for establishing trust e.g. identity federation, peer to peer. Novel methods for assessing trust in people, devices and data, beyond reputation systems. One example is Trust Negotiation. Trust Negotiation is a mechanism that allows two parties to automatically negotiate, on the basis of a chain of trust policies, the minimum level of trust required to grant access to a service or to a piece of information. Assurance methods for trusted platforms including hardware, software, protocols, etc. Access Control to prevent data breaches. One example is Usage Control, which is the process of ensuring the correct usage of certain information according to a predefined policy after the access to information is granted
  • 41. IoT Security Concerns from HP From http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
  • 42. Security Threats for IoT from Infineon From http://www.slideshare.net/infineon/infineon-the-root-of-trust-for-the-internet-of-things
  • 43. Attacks on IoT Devices From https://www.researchgate.net/publication/252013823_Proposed_embedded_security_framework_for_Internet_of_Things_IoT
  • 44. Potential Security Risks in IoT to Cloud Networks From http://blog.imgtec.com/powervr/bringing-better-security-to-mobile-automotive-or-iot
  • 45. Device Level Security Levels From http://viodi.com/2015/04/26/summary-of-iot-sessions-at-2015-gsa-silicon-summit-part-i/
  • 46. IoT Security Chain (Device to Data Center) from PRPL From http://www.slideshare.net/axroh/cie-io-tsecurityarfinal
  • 47. IoT Products Security Comparison by Veracode From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf 1. User Facing Services Security 2. Device Facing Services Security 3. Mobile Application Interface Security 4. Device Debugging Interface Security
  • 48. 1. User Facing Cloud Services Security Comparison From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
  • 49. 2. Device Facing Cloud Services Security Comparison From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
  • 50. 3. Mobile Application Interface Security Comparison From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
  • 51. 4. Device Debugging Interface Security Comparison From https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
  • 53. Privacy Risks with IoT From www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html • Prospective buyers of connected cars have heard the reports of hackers taking over control of the vehicle, putting passengers at risk of an accident. They also worry about others being able to remotely monitor conversations inside the vehicle, monitor compliance with traffic regulations and predict when and where they will be. • Future consumers of smart homes — houses containing interconnected appliances, smart meters and smart TVs — similarly worry about outside parties being able to assume remote control of their living space, monitor activity, predict whereabouts and also draw conclusions about what type of people they are based on their living patterns. • As wearables expand beyond tracking the number of steps per day into more comprehensive health and wellness profiles integrated with smartphones and social networks, users’ commentary and concern about the use and disclosure of their data dossiers are increasing.
  • 54. Industry Specific Privacy Standards with IoT From www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html • Mobile-marketing industry’s Mobile Application Privacy Policy Framework http://tinyurl.com/hjzwfnp • Automaker’s Consumer Privacy Protection Principles for Vehicle Technologies and Services http://www.autoalliance.org/?objectid=865F3AC0-68FD-11E4-866D000C296BA163 • Agribusiness sector’s Privacy and Security Principles for Farm Data. http://www.fb.org/tmp/uploads/PrivacyAndSecurityPrinciplesForFarmData.pdf
  • 55. Required Privacy for IoT From www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html 1. Tested security. It’s one thing to adopt a set of security controls like the Payment Card Industry Data Security Standard, designed to reduce credit card fraud. It’s another thing for those controls to prevail in a sophisticated penetration test. The IoT would need to set the bar at this higher level to earn maximum user trust. 2. Data minimization. IoT components should maintain default settings that use the minimum amount of personal data to perform their service. Minimum can mean minimum types of data fields collected and exposed to other devices as well as minimum periods of data retention. 3. Controlled and transparent disclosure. Law enforcement and national defense around the world will seek to pursue their legitimate objectives within the IoT. Virtually every industry will seek to track or analyze their end consumers as they move through the system. Trust in the whole enterprise will collapse, however, if these pursuits are not counterbalanced with reliable disclosure controls that are proportionate to the identified threat, and widely known and understood. 4. Data portability. Users won’t want any one node of the IoT ecosystem to accumulate too much power by storing data in its own proprietary format. To bolster trust in the entire system, adopt a common data format that allows users to port their data from one platform to the next. 5. Right to be forgotten. The IoT should be safe for the most vulnerable in society: children, victims of crime and the poor. To protect their safety and thereby make the IoT the largest possible marketplace, enable users to completely opt out by being able to withdraw their data.
  • 57. CPS Security Framework from China From www.sersc.org/journals/IJSIA/vol9_no1_2015/17.pdf or https://www.terraswarm.org/pubs/136/lu_newmultiframe_edge.pdf
  • 58. Security Architecture Service Delivery Framework from Cap Gemini From http://www.slideshare.net/JohnArnoldSec/security-architecture-frameworks
  • 59. Architecture Reference Model based Security Framework for IoT From http://www.mdpi.com/1424-8220/15/7/15611/htm
  • 60. Architecture Interaction with Security Framework for IoT From http://www.mdpi.com/1424-8220/15/7/15611/htm
  • 61. Security Enclaves Management Structure from Cisco From http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-manager/whitepaper-c07-731204.html
  • 62. IoT Security Environment from Cisco From http://www.cisco.com/web/about/security/intelligence/iot_framework.html
  • 63. Secure IoT Framework from Cisco From http://www.cisco.com/web/about/security/intelligence/iot_framework.html
  • 64. Secure Features and Layering from IoT-A From http://www.iot-a.eu/arm/d1.3/at_download/file
  • 65. Security Framework from iCore Project From http://www.sciencedirect.com/science/article/pii/S0167404815000887
  • 66. Model-Based Security Kit (SecKit) based on ICore From http://www.sciencedirect.com/science/article/pii/S0167404815000887
  • 67. SecKit Metamodel and Dependencies From http://www.internet-of-things-research.eu/pdf/Building_the_Hyperconnected_Society_IERC_2015_Cluster_eBook_978-87-93237-98-8_P_Web.pdf
  • 68. Eurotech’s Security Approach From http://www.slideshare.net/Eurotechchannel/iot-security-elements
  • 72. Internet of Secure Things Framework From http://embedded-computing.com/25942-leveraging-iot-security-to-improve-roi/
  • 73. Floodgate Security Framework from Icon Labs From http://www.iconlabs.com/prod/product-family/floodgate-security-framework
  • 74. Secure Analytics for IoT Framework from Cisco From http://www.cisco.com/web/about/security/intelligence/iot_framework.html • This secure analytics layer defines the services by which all elements (endpoints and network infrastructure, inclusive of data centers) may participate to provide telemetry for the purpose of gaining visibility and eventually controlling the IoT/M2M ecosystem. • With the maturity of big data systems, we can deploy a massive parallel database (MPP) platform that can process large volumes of data in near real time. When we combine this technology with analytics, we can do some real statistical analysis on the security data to pick out anomalies. • Further, it includes all elements that aggregate and correlate the information, including telemetry, to provide reconnaissance and threat detection. Threat mitigation could vary from automatically shutting down the attacker from accessing further resources to running specialized scripts to initiate proper remediation. • The data, generated by the IoT devices, is only valuable if the right analytics algorithms or other security intelligence processes are defined to identify the threat. We can get better analytical outcome by collecting data from multiple sources and applying security profiles and statistical models that are built upon various layers of security algorithms.
  • 75. Security Cloud from Cisco From https://techradar.cisco.com/pdf/cisco-technology-radar.pdf Before After
  • 76. Security Options for Constrained Devices From http://cnds.eecs.jacobs-university.de/slides/2013-im-iot-management.pdf
  • 77. Security Boundaries from RTI From http://www.slideshare.net/RealTimeInnovations/build-safe-and-secure-distributed-systems-39944271
  • 78. Data Distribution Service Transport Security from RTI From http://www.slideshare.net/RealTimeInnovations/build-safe-and-secure-distributed-systems-39944271
  • 79. Open Trust Alliance (OTA) Trust Framework and Resource Guide
  • 80. Online Trust Alliance’s (OTA) Trust Framework From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
  • 81. Online Trust Alliance’s (OTA) Trust Framework From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
  • 82. Online Trust Alliance’s (OTA) Trust Framework continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf Security continued
  • 83. Online Trust Alliance’s (OTA) Trust Framework continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
  • 84. Online Trust Alliance’s (OTA) Trust Framework continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf
  • 85. Online Trust Alliance’s (OTA) Trust Framework continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework_released_3-2-2016.pdf Privacy, Disclosures, and Transparency Continued
  • 86. Online Trust Alliance’s Trust Framework for IoT Resource Guide From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf
  • 87. Online Trust Alliance’s Trust Framework for IoT Resource Guide From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 88. OTA Trust Framework for IoT Resource Guide Continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 89. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 90. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 91. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 92. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 93. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 94. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 95. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Security
  • 96. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf User Access and Credentials
  • 97. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf User Access and Credentials
  • 98. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf User Access and Credentials
  • 99. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf User Access and Credentials
  • 100. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf User Access and Credentials
  • 101. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 102. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures (16 continued)
  • 103. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures (16 continued)
  • 104. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 105. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 106. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 107. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 108. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures (23 continued)
  • 109. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 110. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 111. OTA Trust Framework for IoT Resource Guide continued From https://otalliance.org/system/files/files/initiative/documents/iot_trust_resource_guide_2-8.pdf Privacy, Transparency, & Disclosures
  • 112. Open Web Application Security Project (OWASP)
  • 113. Security Needs from Open Web Application Security Project (OWASP) From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf • The Internet of Things Device • The Cloud • The Mobile Application • The Network Interfaces • The Software • Use of Encryption • Use of Authentication • Physical Security • USB ports
  • 114. OWASP Top Ten IoT Security Issues From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf 1. Insecure Web Interface 2. Insufficient Authentication/Authorization 3. Insecure Network Services 4. Lack of Transport Encryption 5. Privacy Concerns 6. Insecure Cloud Interface 7. Insecure Mobile Interface 8. Insufficient Security Configurability 9. Insecure Software/Firmware 10. Poor Physical Security
  • 115. 1. Insecure Web Interface From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 116. 2. Insufficient Authentication/Authorization From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 117. 3. Insecure Network Services From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 118. 4. Lack of Transport Encryption From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 119. 5. Privacy Concerns From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 120. 6. Insecure Cloud Interface From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 121. 7. Insecure Mobile Interface From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 122. 8. Insufficient Security Configurability From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 123. 9. Insecure Software/Firmware From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 124. 10. Poor Physical Security From https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
  • 125. IoT Use Cases Security
  • 126. IoT Security Threats from Beecham Research From http://www.smartgridnews.com/story/iot-presents-utilities-myriad-security-challenges/2015-05-12
  • 127. Critical Cyber-Physical Systems Requiring Security From www.slideshare.net/DrDavidProbert/integrated-cybersecurity-and-the-internet-of-things
  • 128. Security Incidents by Sector in FY 2013 from DHS From http://tinyurl.com/gv38c78
  • 129. IoT Use Case and Security from Infineon From http://www.slideshare.net/infineon/infineon-the-root-of-trust-for-the-internet-of-things
  • 130. Cyber Threats to Critical Infrastructure from GAO From http://pserc.wisc.edu/documents/general_information/presentations/pserc_seminars/psercwebinars2012/Govindarasu_PSERC_Webinar_Slides_Feb_2012.pdf
  • 131. Smart Grid Security = Info + Infrastructure + Application Security From http://pserc.wisc.edu/documents/general_information/presentations/pserc_seminars/psercwebinars2012/Govindarasu_PSERC_Webinar_Slides_Feb_2012.pdf
  • 132. Attacks on Smart Grid Cyber-Physical Systems From http://pserc.wisc.edu/documents/general_information/presentations/pserc_seminars/psercwebinars2012/Govindarasu_PSERC_Webinar_Slides_Feb_2012.pdf
  • 133. Smart City Multi-Layer Security Framework From www.slideshare.net/DrDavidProbert/integrated-cybersecurity-and-the-internet-of-things
  • 134. References Inventory of all Bob Marcus CPS Slides on Slideshare http://www.slideshare.net/bobmarcus/inventory-of-my-cps-slide-sets
  • 135. Reference Links (CPS Security)
      Designed-In Cybersecurity for CPS from Cyber-Security Research Alliance http://www.cybersecurityresearch.org/documents/CSRA_Workshop_Report.pdf
      Designed-in Security for CPS from IEEE Panel http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6924670
      Security of Cyber-Physical Systems Papers from CMU CyLab https://www.cylab.cmu.edu/research/projects/research-area/security-cyber-physical.html
      CPS Security Research at ADSC in Singapore http://publish.illinois.edu/cps-security/
      NSF/Intel Partnership in CPS Security and Privacy http://www.nsf.gov/pubs/2014/nsf14571/nsf14571.htm
      Challenges for Securing Cyber-Physical Systems from Berkeley CHESS https://chess.eecs.berkeley.edu/pubs/601/cps-security-challenges.pdf
      Secure Control Towards Survivable CPS from Berkeley https://www.truststc.org/pubs/345/cardenas-SecureControl-v1.pdf
      Security Issues and Challenges for Cyber Physical Systems from China http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf
      Challenges in Security from USC http://cimic.rutgers.edu/positionPapers/CPS-Neuman.pdf
      Systems Theoretic Approach to the Security Threats in CPS from MIT http://web.mit.edu/smadnick/www/wp/2014-13.pdf
  • 136. Reference Links (CPS Security)
      CPS Security Challenges and Research Idea from BBN http://cimic.rutgers.edu/positionPapers/CPSS_BBN.pdf
      IoT Botnet http://internetofthingsagenda.techtarget.com/definition/IoT-botnet-Internet-of-Things-botnet
      Privacy Standards for IoT http://www.computerworld.com/article/3010626/internet-of-things/a-privacy-standard-for-internet-of-things-suppliers.html
      Building the Bionic Cloud http://www.digitalgovernment.com/media/Downloads/asset_upload_file194_5802.pdf
      How the Internet of Things could be fatal http://www.cnbc.com/2016/03/04/how-the-internet-of-things-could-be-fatal.html
      Hippocratic Oath for Medical Devices https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
      Hierarchical Security Architecture for Cyber-Physical Systems https://inldigitallibrary.inl.gov/sti/5144319.pdf
      A Systematic View of Studies in Cyber-Physical System Security http://www.sersc.org/journals/IJSIA/vol9_no1_2015/17.pdf
      Why IoT Security is so Critical http://techcrunch.com/2015/10/24/why-iot-security-is-so-critical/#.j1xovjh:VRMg
      Open Web Application Security Project https://www.owasp.org/index.php/Main_Page
      PRPL Foundation http://prplfoundation.org/overview/
      OpenWrt https://en.wikipedia.org/wiki/OpenWrt
  • 137. Reference Links (CPS Security) continued
      Online Trust Alliance (OTA) IoT Initiatives https://otalliance.org/initiatives/internet-things
      TerraSwarm http://www.terraswarm.org/
      Secure Internet of Things Project Publications http://iot.stanford.edu/pubs.html
      Internet of Things Privacy and Security in a Connected World Report from U.S. Federal Trade Commission (FTC) https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
      Best Practices in CyberSecurity from the U.S. National Highway Traffic Safety Administration (NHTSA) http://tinyurl.com/zhpojlp
      Cybersecurity through Real-Time Distributed Control System http://web.ornl.gov/sci/electricdelivery/pdfs/ORNL_Cybersecurity_Through_Real-Time_Distributed_Control_Systems.pdf
      ISO/IEC 27108 Privacy Standard and Microsoft Support http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498
          http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/
      Surveillance through IoT http://www.theregister.co.uk/2016/02/09/clapper_says_iot_good_for_intel/
      Nanotechnology, Ubiquitous Computing and the IoT - Challenges to the Rights of Privacy and Data Protection for Council of Europe https://www.coe.int/t/dghl/standardsetting/dataprotection/Reports/Miller%20Kearnes%20-%20Nano%20privacy%20Draft%20report%20%2017%2005%202013.pdf
      NIST supported research on IoT Security for Homes and Transit Systems by Galois https://galois.com/news/tozny-awarded-nist-grant-to-secure-iot-enabled-smart-homes-and-transit-systems/
      IoT and Quantum Computing https://www.linkedin.com/pulse/convergence-iot-quantum-computing-ahmed-banafa