Using virtual environments for the assessment of cybersecurity issues in IoT scenarios

https://doi.org/10.1016/j.simpat.2016.09.007

Abstract

The Internet of Things (IoT) has been forecast as the next main evolution in the field of Information and Communication Technology. Recent studies confirm a steep and constant increase in the diffusion of smart objects, which are capable of interacting with the real world and of communicating and gathering information autonomously through Internet connections. In the rush to devise and release to the market the next killer application for the IoT domain, critical issues regarding cybersecurity risks are currently overlooked. Because security, like most software qualities, is not an orthogonal requirement, i.e. one that can be satisfied by adding some features at any development stage, this is going to have a very costly impact, potentially leading to failure, on the technologies currently developed for the IoT domain. In order to cope adequately with such issues, IoT applications need to be designed to be secure from their inception, and suitable security assessment tools should be made available. This paper describes an approach based on the exploitation of virtual environments and agent-based simulation for the evaluation of cybersecurity solutions for the next generation of IoT applications in realistic scenarios. The effectiveness of the approach is shown by considering a concrete case study involving the cooperation of real and virtual smart devices inside a virtualized scenario where security issues are first evaluated and then handled.

Introduction

Since its beginning, the Internet has proven to be a constantly changing and evolving environment. Born as a simple network of computers, over time it evolved in shape and features to become the complex infrastructure of today, which supports a huge daily flow of worldwide information sharing and enables the enormous number of digital services that pervade almost all types of business. Internet applications are involved in a large and ever-growing number of aspects of everyday life. Most of these applications were not foreseen at the Internet's inception, and many issues had to be addressed as they spontaneously appeared.

Over the last few years, Internet applications have continued to increase and, in particular, an outstanding number of highly heterogeneous networked objects (things), many of which are characterized by small size and low power consumption [1], are becoming part of the Internet, e.g. implantable medical devices, smart thermostats, smart meters, or any object that has the ability to transfer data over a network.

This trend has been widely recognized as the next main step in the evolution of the Internet, commonly referred to as the Internet of Things (IoT). Unlike traditional Internet sources of information, in IoT scenarios data come from the physical world through the sensors installed on smart devices, thus widening the range of possible applications, e.g. processing environmental data and making intelligent decisions about the surrounding environment. IoT is becoming a bridge between the physical and the digital world by including smart objects which interact with the physical environment without direct human intervention [2].

IoT is showing the potential for impacting several domains, ranging from personal to enterprise environments [3]. Examples of domains and possible applications include, but are not limited to, smart cities, for lowering energy costs and reducing pollution, and smart homes, for which energy companies are building systems to increase energy savings and safety.

Although IoT applications aim to improve most aspects of both business and everyday life, this emerging technology is also becoming an increasingly attractive target for cybercriminals. The more Internet-connected devices there are, the more potential attack vectors and vulnerabilities malicious entities may exploit.

Estimates of the number of devices that will be connected to the Internet by 2020 range from 20.8 billion [4] to 30 billion [5] devices. According to Gartner, “by 2020, addressing compromises in IoT security will have increased security costs to 20 percent of annual security budgets, from less than one percent in 2015” [6]. Unfortunately, as reported by [7], cybersecurity risks have received little attention up to now. It seems that IoT is retracing the same path that the Internet took during its evolution: most attention is focused on the technologies needed to achieve the desired functionalities, neglecting the security issues that are going to arise as a consequence.

An important factor to consider is the presence of manufacturers that lack prior experience with networked devices: in an attempt to place their devices on the market with the newest and most attractive functions at the lowest cost, as quickly as possible, they end up neglecting the design and implementation of security features for hardware and software.

It is of utmost importance to give security a high priority during the development process of IoT; otherwise, in the near future, the number of security risks for consumers and businesses will increase exponentially, leading to disastrous situations for both sides. Therefore, security should not be an artifact added at the end of development; it must be an integral part of the entire process. Consequently, the devices placed on the market should be equipped with built-in security mechanisms and ensure greater protection for their users.

To address the security vulnerabilities of IoT devices created so far, researchers are focusing on the evaluation of security properties [8]. The goal of this analysis is to identify and understand the security issues of currently deployed devices and to help manufacturers solve the detected problems, by providing them with guidelines and recommendations for improving the security of future software updates and/or versions of the devices. Towards this objective, computer simulation techniques combined with novel cloud-based virtualization platforms are a very good basis for building suitable cybersecurity analysis and assessment platforms. Virtual environments are systems in which realistic scenarios can be reproduced by exploiting computer and network virtualization technologies and agent-based simulation [9], [10]. They find applications in many domains, including military, medical, educational and, recently, cybersecurity [11].

This paper illustrates how virtual environments can be a valuable tool to assess security properties and discover vulnerabilities of IoT devices in realistic scenarios. Specifically, the SmallWorld platform is proposed for the development of intelligent virtual environments in which the agent paradigm is used to simulate malicious and legal behaviors, both of machines and of human beings. SmallWorld has been developed to be scalable by design. It introduces an abstraction layer and a set of APIs which enable it to run on different hypervisor technologies, ranging from single-machine solutions (e.g. VirtualBox) to state-of-the-art cloud solutions.

The effectiveness of SmallWorld in the assessment of IoT cybersecurity concerns is shown through a case study in the context of smart home applications.

The rest of the paper is organized as follows. Section 2 gives an overview of the related work. Section 3 discusses the main security issues affecting IoT technologies and devices as they are currently developed, implemented and deployed. Section 4 describes the use of virtual environments as a security analysis assessment tool. Section 5 presents a case study involving smart home applications. Finally, Section 6 concludes the paper.

Section snippets

Related work

This section overviews the various approaches for the assessment of security concerns in IoT systems as described in the literature.

A model-based security toolkit, SecKit [8], has been proposed to enable the protection of user data by supporting specification and efficient evaluation of security policies. SecKit is integrated into a generic management framework for IoT devices. It has been designed to support the modeling of IoT systems and to specify, in an integrated way, security

Security concerns

IoT has brought interesting opportunities both for consumers and businesses; however, it came together with a vast repertoire of new security challenges. IoT technologies are embedded into and extend the Internet ecosystem and, as a consequence, they inherit all the Internet-related security problems and pose new specific issues. Because of the pervasive nature of IoT devices and applications, these security problems are of greater importance and, in some cases, even tend to become critical. To

Virtual environments

Modeling and simulation techniques are essential engineering tools allowing human beings to study, analyze, understand and predict the behavior of often complex real phenomena. It is of critical importance to be able to achieve suitable mathematical models which are accurate enough to describe the entities under investigation, are computer executable, and abstract away from superfluous details. By composing models of different entities it is possible to design new complex systems which, once

Case study

This section illustrates three IoT scenarios that have been employed to investigate the exploration and exploitation of common smart object vulnerabilities. The scenarios were built by using the features of SmallWorld. The combined use of real devices interacting with a virtual environment made it possible to analyze these IoT scenarios, assess their cybersecurity issues and conduct a suitable risk evaluation.

In particular, three variants of the same scenario were considered for studying the

Conclusions

The pervasive diffusion of smart devices is going to change many aspects of our daily lives and also the way most business activities will be accomplished in the near future. Just think how the smartphone has already changed the way people communicate, make their appointments and plan their travels. The next step will be to deal with the consequences of the worldwide spread of IoT devices. Because human beings are going to delegate many (critical) activities to smart devices, it is of utmost

Acknowledgments

This work has been partially supported by the “National Operative Programme for Research and Competitiveness” 2007-2013, Technological District on Cyber Security (PON03PE_00032_2_02), funded by the Italian Ministry of Education, University and Research, and the Italian Ministry of Economic Development.

References (55)

  • Gartner, Gartner says by 2020, more than half of major new business processes and systems will incorporate some element...
  • B. Anderson et al., Cyber Risk Report 2016, Tech. rep. (2016)
  • A. Furfaro et al., A virtual environment for the enactment of realistic cyber security scenarios, Proceedings of 2nd IEEE International Conference on Cloud Computing Technologies and Applications (CloudTech 2016) (2016)
  • M. Ge et al., A framework for modeling and assessing security of the Internet of Things, 2015 IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS), Institute of Electrical & Electronics Engineers (IEEE) (2015)
  • K.C. Park et al., Security assessment framework for IoT service, Telecommun. Syst. (2016)
  • W. Leister et al., An evaluation framework for adaptive security for the IoT in eHealth, Int. J. Adv. Secur. (2014)
  • W. Aman et al., Managing security trade-offs in the internet of things using adaptive security, 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST) (2015)
  • H. Ghani et al., Assessing the security of internet connected critical infrastructures (the CoMiFin project approach), Proceedings of the Workshop on Security of the Internet of Things (2010)
  • D. Halperin et al., Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses, 2008 IEEE Symposium on Security and Privacy (SP 2008) (2008)
  • S. Babar et al., Proposed security model and threat taxonomy for the internet of things (IoT), Recent Trends in Network Security and Applications (2010)
  • L.A. Berk, S.F. Oehninger, The risk of insuring supply chains from cyber risk, Law360 (Jun. 29 2015)....
  • A.W. Atamli et al., Threat-based security analysis for the internet of things, 2014 International Workshop on Secure Internet of Things (2014)
  • C. Miller et al., Remote exploitation of an unaltered passenger vehicle, Black Hat USA (2015)
  • Somerset Recon, Hello Barbie security: Part 2 - analysis,...
  • B. Parno et al., Distributed detection of node replication attacks in sensor networks, 2005 IEEE Symposium on Security and Privacy (S&P’05) (2005)
  • M. Asadi et al., A game-theoretic approach to security and power conservation in wireless sensor networks, International Journal of Network Security (2013)
  • S. Yan-qiang et al., Jamming attacks and countermeasures in wireless sensor networks, From Principle to Practice (2010)