Using virtual environments for the assessment of cybersecurity issues in IoT scenarios
Introduction
Since its beginning, Internet has proven to be a very changing and evolving environment. Born as a simple network of computers, over time it evolved its shape and its features to become the complex infrastructure of today which allows the huge flow of daily worldwide information sharing and that enables the enormous amount of digital services which are pervasive to almost all types of business. Internet applications are involved in a large and ever growing number of aspects of common people life. Most of these applications were not foreseen since its inception and a lot of issues had to be addressed as they spontaneously appeared.
During the last few years, Internet applications are still increasing and, in particular, an outstanding number of highly heterogeneous networked objects (things), many of which characterized by small size and low power consumption [1] are becoming part of Internet, e.g. implantable medical devices, smart thermostats, smart meters, or any object that has the ability to transfer data over a network.
This trend has been widely recognized as the next main step in the evolution of Internet which is commonly referred to as the Internet of Things (IoT). With respect to traditional Internet sources of information, in the IoT scenarios data come from the physical world through the sensors installed on smart devices, thus widening the range of possible applications, e.g. involving the processing of environmental data and make intelligent decisions on the surrounding environment. IoT is becoming a bridge between the physical and the digital world by including smart objects which interact with the physical environment without direct human intervention [2].
IoT is showing the potential for impacting several domains, ranging from personal to enterprise environments [3]. Examples of domains and possible applications include, but are not limited to, smart cities, for lowering energy costs and reducing pollution, and smart homes, for which energy companies are building systems to increase energy savings and safety.
Despite the goals of IoT applications are directed to improve most aspects of both business and common people’s life, such emerging technology is also becoming an increasingly attractive target for cybercriminals. The more are the Internet connected devices the more are the potential attack vectors and the vulnerabilities that malicious entities may exploit.
Estimates on the number of devices that will be connected to the Internet by 2020 range from 20.8 billion [4], to 30 billion [5] devices. According to Gartner, “by 2020, addressing compromises in IoT security will have increased security costs to 20 percent of annual security budgets, from less than one percent in 2015” [6]. Unfortunately, as reported by [7], cybersecurity risks have received little attention up to now. It seems that IoT is retracing the same path that the Internet undertook during its evolution: most of the attentions are focusing on the technologies needed to achieve the desired functionalities, neglecting the aftermath of the security issues that are going to arise.
An important factor to consider is the presence of manufacturers that lack prior experience with networked devices: in an attempt to place into the market their devices and get the newest and attractive functions at the lowest cost, as quickly as possible, they end up neglecting the design and implementation of security features for hardware and software.
It is of utmost importance giving to security a high priority during the development process of IoT, otherwise, in the near future, the number of security risks for consumers and businesses will increase exponentially, leading to disastrous situations for both sides. Therefore, security should not be an artifact added at the end of the development, but it must be an integral part of the entire process. Consequently, the devices placed in the markets, should be equipped with built-in security mechanisms and ensure greater protection for their users.
To address the security vulnerabilities of IoT devices created so far, researchers are focusing on the evaluation of security properties [8]. The goal of this analysis is to identify and understand the security issues of currently deployed devices and help manufacturers to solve the detected problems, by providing them with guidelines and recommendations for improving the security of future software updates and/or version of the devices. Towards this objective, computer simulation techniques along with novel cloud based virtualization platforms represent a very good combination for achieving suitable cybersecurity analysis and assessment platforms. Virtual environments are systems in which realistic scenarios can be reproduced, by exploiting computer and network virtualization technologies and agent-based simulation [9], [10]. They find applications in many domains including military, medical, educational and recently also in cybersecurity [11].
This paper illustrates how virtual environments can be a valuable tool to assess security properties and discover vulnerabilities of IoT devices, in realistic scenarios. Specifically, the SmallWorld platform is proposed for the development of intelligent virtual environments in which the agent paradigm is used to simulate malicious and legal behaviors, both of machines and human beings. SmallWorld has being developed to be scalable by design. It introduces an abstraction layer and a set of API which make it able to run on different hypervisor technologies ranging from single machine solution (e.g. VirtualBox) to state of art cloud solution.
The SmallWorld effectiveness in the assessment of IoT cybersecurity concerns is shown through a case study in the context of smart home applications.
The rest of the paper is organized as follows. Section 2 gives an overview of the related work. Section 3 discusses the main security issues affecting IoT technologies and devices as they are currently developed, implemented and deployed. Section 4 describes the use of virtual environments as a security analysis assessment tool. Section 5 presents a case study involving smart home applications. Finally, Section 6 concludes the paper.
Section snippets
Related work
This section overviews the various approaches for the assessment of security concerns in IoT systems as described in the literature.
A model-based security toolkit, SecKit [8], has been proposed to enable the protection of user data by supporting specification and efficient evaluation of security policies. SecKit is integrated into a generic management framework for IoT devices. It has been designed to support the modeling of IoT systems and to specify, in an integrated way, security
Security concerns
IoT has brought interesting opportunities both for consumers and businesses, however it came together with vast repertoire of new security challenges. IoT technologies are embedded into and extend the Internet ecosystem and, as a consequence, they inherit all the Internet related security problems and pose new specific issues. Because of the pervasive nature of IoT devices and applications, these security problems are of a greater importance and, in some cases, tend even to become critical. To
Virtual environments
Modeling and simulation techniques are essential engineering tools allowing human beings to study, analyze, understand and predict the behavior of often complex real phenomena. It is of critical importance the ability to achieve suitable mathematical models which: are accurate enough to describe the entities under investigation, are computer executable and abstract away from superfluous details. By composing models of different entities it is possible to design new complex systems which, once
Case study
This section illustrates three IoT scenarios that have been employed to investigate about the exploration and exploitation of common smart objects vulnerabilities. The scenarios were built by using the features of SmallWorld. The combined use of real devices interacting with a virtual environment allowed to analyze these IoT scenarios, assess their cybersecurity issues and conduct a suitable risk evaluation.
In particular, three variants of the same scenario were considered for studying the
Conclusions
The pervasive diffusion of smart devices is going to change many aspects of our daily lives and also the way how most business activities will be accomplished in the next future. Just think how the smartphone already changed the way people communicate, make their appointments and plan their travels. The next step will be to deal with the consequences of the worldwide spread of IoT devices. Because human beings are going to delegate many (critical) activities to smart devices, it is of utmost
Acknowledgments
This work has been partially supported by the “National Operative Programme for Research and Competitiveness” 2007-2013, Technological District on Cyber Security (PON03PE_00032_2_02), funded by the Italian Ministry of Education, University and Research, and the Italian Ministry of Economic Development.
References (55)
- et al.
The internet of things: a survey
Comput. Netw.
(2010) - et al.
Seckit: a model-based security toolkit for the internet of things
Comput. Secur.
(2015) - et al.
Exploiting agents for modelling and simulation of coverage control protocols in large sensor networks
J. Syst. Software
(2007) - et al.
HLA_ACTOR_REPAST: an approach to distributing RePast models for high-performance simulations
Simul. Modell. Pract. Theory
(2011) Security issues and challenges for the IoT-based smart grid
Procedia Comput. Sci.
(2014)- et al.
Modelling and simulation of complex manufacturing systems using statechart-based actors
Simul. Modell. Pract. Theory
(2011) - et al.
From the Internet of computers to the Internet of things
From Active Data Management to Event-Based Systems and More
(2010) - Fleisch(2010) E. Fleisch, What is the internet of things? An economic perspective, white paper WP-BIZAPP-053, auto-ID...
- Gartner. Gartner says 6.4 billion connected “thing” will be in use in 2016, up 30 percent from 2015,...
- The digital universe of opportunities: Rich data and the increasing value of the Internet of Things,...
Cyber Risk Report 2016, Tech. rep.
A virtual environment for the enactment of realistic cyber security scenarios
Proceedings of 2nd IEEE International Conference on Cloud Computing Technologies and Applications (CloudTech 2016)
A framework for modeling and assessing security of the Internet of Things
2015 IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS), Institute of Electrical & Electronics Engineers (IEEE)
Security assessment framework for IoT service
Telecommun. Syst.
An evaluation framework for adaptive security for the IoT in eHealth
Int. J. Adv. Secur.
Managing security trade-offs in the internet of things using adaptive security
2015 10th International Conference for Internet Technology and Secured Transactions (ICITST)
Assessing the security of internet connected critical infrastructures (the CoMiFin project approach)
Proceedings of the Workshop on Security of the Internet of Things
Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses
2008 IEEE Symposium on Security and Privacy (SP 2008)
Proposed security model and threat taxonomy for the internet of things (IoT)
Recent Trends in Network Security and Applications
Threat-based security analysis for the internet of things
2014 International Workshop on Secure Internet of Things
Remote exploitation of an unaltered passenger vehicle
Black Hat USA
Distributed detection of node replication attacks in sensor networks
2005 IEEE Symposium on Security and Privacy (S&P’05)
A game-theoretic approach to security and power conservation in wireless sensor networks
International Journal of Network Security
Jamming attacks and countermeasures in wireless sensor networks
From Principle to Practice
Cited by (55)
Modular deep learning-based network intrusion detection architecture for real-world cyber-attack simulation
2024, Simulation Modelling Practice and TheorySpecial issue on virtual environments for cybersecurity
2022, Simulation Modelling Practice and TheoryState-of-the-art survey of artificial intelligent techniques for IoT security
2022, Computer NetworksAn automated context-aware IoT vulnerability assessment rule-set generator
2022, Computer CommunicationsIterative geometric mean decomposition based secure hybrid precoder design for mmWave massive MIMO communication systems
2021, AEU - International Journal of Electronics and CommunicationsCitation Excerpt :Physical layer security (PLS) has become a headline topic for researchers and scientists in future communication systems, especially in massive multiple-input multiple-output (MIMO) millimeter wave (mmWave) systems [1–5].
Energy-efficient dynamic homomorphic security scheme for fog computing in IoT networks
2021, Journal of Information Security and Applications