research-article

Security and privacy challenges in industrial internet of things

Authors:
Ahmad-Reza Sadeghi

Technische Universität Darmstadt, Germany

Technische Universität Darmstadt, Germany
View Profile

,
Christian Wachsmann

Intel CRI-SC at TU Darmstadt, Germany

Intel CRI-SC at TU Darmstadt, Germany
View Profile

,
Michael Waidner

Technische Universität Darmstadt, Germany and Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany

Technische Universität Darmstadt, Germany and Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany
View Profile

DAC '15: Proceedings of the 52nd Annual Design Automation ConferenceJune 2015Article No.: 54Pages 1–6https://doi.org/10.1145/2744769.2747942

Published:07 June 2015Publication History

DAC '15: Proceedings of the 52nd Annual Design Automation Conference

Pages 1–6

ABSTRACT

Today, embedded, mobile, and cyberphysical systems are ubiquitous and used in many applications, from industrial control systems, modern vehicles, to critical infrastructure. Current trends and initiatives, such as "Industrie 4.0" and Internet of Things (IoT), promise innovative business models and novel user experiences through strong connectivity and effective use of next generation of embedded devices. These systems generate, process, and exchange vast amounts of security-critical and privacy-sensitive data, which makes them attractive targets of attacks. Cyberattacks on IoT systems are very critical since they may cause physical damage and even threaten human lives. The complexity of these systems and the potential impact of cyberattacks bring upon new threats.

This paper gives an introduction to Industrial IoT systems, the related security and privacy challenges, and an outlook on possible solutions towards a holistic security framework for Industrial IoT systems.

References

SmartFactory --- From Vision to Reality in Factory Technologies. International Federation of Automatic Control, 2008.Google Scholar
C. Alcaraz, R. Roman, P. Najera, and J. Lopez. Security of industrial sensor network-based remote substations in the context of the internet of things. Ad Hoc Netw., 11(3), 2013. Google ScholarDigital Library
W. Arbaugh, D. Farber, and J. Smith. A secure and reliable bootstrap architecture. In IEEE Symposium on Security and Privacy (S&P), 1997. Google ScholarDigital Library
F. Armknecht, A.-R. Sadeghi, S. Schulz, and C. Wachsmann. A security framework for the analysis and design of software attestation. In ACM Conference on Computer & Communications Security (CCS). ACM, 2013. Google ScholarDigital Library
M. Blackstock and R. Lea. Toward interoperability in a web of things. In ACM Conference on Pervasive and Ubiquitous Computing Adjunct Publication (UbiComp). ACM, 2013. Google ScholarDigital Library
F. Brasser, P. Koeberl, B. E. Mahjoub, A.-R. Sadeghi, and C. Wachsmann. TyTAN: Tiny trust anchor for tiny devices. In Design Automation Conference (DAC). ACM, 2015. Google ScholarDigital Library
E. Byres and J. Lowe. The myths and facts behind cyber security risks for industrial control systems. Technical report, PA Consulting Group, 2004.Google Scholar
S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive experimental analyses of automotive attack surfaces. In USENIX Conference on Security. USENIX Association, 2011. Google ScholarDigital Library
D. J. Cook and S. K. Das. How smart are our environments? An updated look at the state of the art. Pervasive Mob. Comput., 3(2), 2007. Google ScholarDigital Library
A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti. A large-scale analysis of the security of embedded firmwares. In USENIX Conference on Security Symposium. USENIX Association, 2014. Google ScholarDigital Library
A. Cui and S. J. Stolfo. A quantitative analysis of the insecurity of embedded network devices: Results of a wide-area scan. In Annual Computer Security Applications Conference (ACSAC). ACM, 2010. Google ScholarDigital Library
D. Dzung, M. Naedele, T. von Hoff, and M. Crevatin. Security for industrial communication systems. Proceedings of the IEEE, 93(6), 2005.Google ScholarCross Ref
K. Eldefrawy, A. Francillon, D. Perito, and G. Tsudik. SMART: Secure and minimal architecture for (establishing a dynamic) root of trust. In Network and Distributed System Security Symposium (NDSS), 2012.Google Scholar
K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito. SMART: Secure and minimal architecture for (establishing a dynamic) root of trust. In Network and Distributed System Security Symposium (NDSS). Internet Society, 2012.Google Scholar
A. Francillon, Q. Nguyen, K. B. Rasmussen, and G. Tsudik. A minimalist approach to remote attestation. In Conference on Design, Automation & Test in Europe (DATE). European Design and Automation Association, 2014. Google ScholarDigital Library
R. W. Gardner, S. Garera, and A. D. Rubin. Detecting code alteration by creating a temporary memory bottleneck. Trans. Info. For. Sec., 4(4), 2009. Google ScholarDigital Library
E. Grosse and M. Upadhyay. Authentication at scale. IEEE Security Privacy, 11(1), 2013. Google ScholarDigital Library
T. Heer, O. Garcia-Morchon, R. Hummen, S. L. Keoh, S. S. Kumar, and K. Wehrle. Security challenges in the ip-based internet of things. Wirel. Pers. Commun., 61(3), 2011. Google ScholarDigital Library
G. Hernandez, O. Arias, D. Buentello, and Y. Jin. Smart Nest thermostat --- A smart spy in your home. In BlackHat USA, 2014.Google Scholar
M. Hoekstra, R. Lal, P. Pappachan, V. Phegade, and J. Del Cuvillo. Using innovative instructions to create trustworthy software solutions. In Hardware and Architectural Support for Security and Privacy (HASP). ACM, 2013. Google ScholarDigital Library
A. G. Illera and J. V. Vidal. Lights off! The darkness of the smart meters. In BlackHat Europe, 2014.Google Scholar
M. Kabay. Attacks on power systems: Hackers, malware, 2010.Google Scholar
H. Kagermann, W. Wahlster, and J. Helbig. Securing the future of German manufacturing industry --- Recommendations for implementing the strategic initiative Industrie 4.0, 2013.Google Scholar
R. Kennell and L. H. Jamieson. Establishing the genuinity of remote computer systems. In USENIX Security. USENIX Association, 2003. Google ScholarDigital Library
P. Koeberl, S. Schulz, A.-R. Sadeghi, and V. Varadharajan. TrustLite: A security architecture for tiny embedded devices. In European Conference on Computer Systems (EuroSys). ACM, 2014. Google ScholarDigital Library
J. Kong, F. Koushanfar, P. K. Pendyala, A.-R. Sadeghi, and C. Wachsmann. PUFatt: Embedded platform attestation based on novel processor-based PUFs. In Design Automation Conference (DAC). ACM, 2014. Google ScholarDigital Library
K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. In IEEE Symposium on Security and Privacy (S&P), 2010. Google ScholarDigital Library
F. Koushanfar, A.-R. Sadeghi, and H. Seudie. Eda for secure and dependable cybercars: Challenges and opportunities. In Proceedings of the 49th Annual Design Automation Conference. ACM, 2012. Google ScholarDigital Library
X. Kovah, C. Kallenberg, C. Weathers, A. Herzog, M. Albin, and J. Butterworth. New results for timing-based attestation. In IEEE Symposium on Security and Privacy (S&P), 2012. Google ScholarDigital Library
J. S. Kumar and D. R. Patel. A survey on internet of things: Security and privacy issues. International Journal of Computer Applications, 90(11), 2014.Google Scholar
E. Levy. Crossover: Online pests plaguing the off line world. IEEE Security Privacy, 1(6), 2003. Google ScholarDigital Library
Y. Li, J. M. McCune, and A. Perrig. VIPER: Verifying the integrity of peripherals' firmware. In ACM Conference on Computer and Communications Security (CCS). ACM, 2011. Google ScholarDigital Library
J. Liu, Y. Xiao, S. Li, W. Liang, and C. L. P. Chen. Cyber security and privacy issues in smart grids. IEEE Communications Surveys Tutorials, 14(4), 2012.Google ScholarCross Ref
Y. Liu and G. Zhou. Key technologies and applications of internet of things. In 5th International Conference on Intelligent Computation Technology and Automation (ICICTA), 2012. Google ScholarDigital Library
J. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB reduction and attestation. In IEEE Symposium on Security and Privacy (S&P), 2010. Google ScholarDigital Library
F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Hardware and Architectural Support for Security and Privacy (HASP). ACM, 2013. Google ScholarDigital Library
C. Medaglia and A. Serbanati. An overview of privacy and security issues in the internet of things. In The Internet of Things. Springer, 2010.Google ScholarCross Ref
M. Miettinen, N. Asokan, F. Koushanfar, T. D. Nguyen, J. Rios, A.-R. Sadeghi, M. Sobhani, and S. Yellapantula. I know where you are: Proofs of presence resilient to malicious provers. In ACM Symposium on Information, Computer and Communications Security (ASIACCS). ACM, 2015. Google ScholarDigital Library
M. Miettinen, N. Asokan, T. D. Nguyen, A.-R. Sadeghi, and M. Sobhani. Context-based zero-interaction pairing and key evolution for advanced personal devices. In Conference on Computer and Communications Security (CCS). ACM, 2014. Google ScholarDigital Library
B. Miller and D. Rowe. A survey SCADA of and critical infrastructure incidents. In Research in Information Technology (RIIT). ACM, 2012. Google ScholarDigital Library
C. Miller and C. Valasek. A survey of remote automotive attack surfaces. In BlackHat USA, 2014.Google Scholar
D. Miorandi, S. Sicari, F. De Pellegrini, and I. Chlamtac. Survey internet of things: Vision, applications and research challenges. Ad Hoc Netw., 10(7), 2012. Google ScholarDigital Library
D. M. Nicol. Hacking the lights out. Scientific American, 305, 2011.Google Scholar
P. Nixon, W. Wagealla, C. English, and S. Terzis. Security, privacy and trust issues in smart environments, 2004.Google ScholarCross Ref
J. Noorman, P. Agten, W. Daniels, R. Strackx, A. Van Herrewege, C. Huygens, B. Preneel, I. Verbauwhede, and F. Piessens. Sancus: Low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In USENIX Conference on Security. USENIX Association, 2013. Google ScholarDigital Library
E. Owusu, J. Guajardo, J. McCune, J. Newsome, A. Perrig, and A. Vasudevan. OASIS: On achieving a sanctuary for integrity and secrecy on untrusted platforms. In ACM Conference on Computer & Communications Security (CCS). ACM, 2013. Google ScholarDigital Library
H. Park, D. Seo, H. Lee, and A. Perrig. SMATT: Smart meter attestation using multiple target selection and copy-proof memory. In Computer Science and its Applications. Springer, 2012.Google ScholarCross Ref
B. Parno, J. McCune, and A. Perrig. Bootstrapping trust in commodity computers. In IEEE Symposium on Security and Privacy (S&P), 2010. Google ScholarDigital Library
N. L. Petroni, Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot --- A coprocessor-based kernel runtime integrity monitor. In USENIX Security Symposium. USENIX Association, 2004. Google ScholarDigital Library
J. Pollet and J. Cummins. Electricity for free --- The dirty underbelly of SCADA and smart meters. In BlackHat USA, 2010.Google Scholar
K. Poulsen. Slammer worm crashed Ohio nuke plant network, 2003.Google Scholar
PR Newswire. Computer virus strikes CSX transportation computers, 2003.Google Scholar
J. Rifkin. The Third Industrial Revolution: How Lateral Power is Transforming Energy, the Economy, and the World. Palgrave MacMillan, 2011.Google Scholar
M. Rostami, A. Juels, and F. Koushanfar. Heart-to-heart (h2h): authentication for implanted medical devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013. Google ScholarDigital Library
M. Rostami, F. Koushanfar, and R. Karri. A primer on hardware security: Models, methods, and metrics. Proceedings of the IEEE, 2014.Google ScholarCross Ref
S. Schulz, A.-R. Sadeghi, and C. Wachsmann. Short paper: Lightweight remote attestation using physical functions. In ACM Conference on Wireless Network Security (WiSec). ACM, 2011. Google ScholarDigital Library
A. Seshadri, M. Luk, and A. Perrig. SAKE: Software attestation for key establishment in sensor networks. In Distributed Computing in Sensor Systems. Springer, 2008. Google ScholarDigital Library
A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla. SCUBA: Secure code update by attestation in sensor networks. In ACM Workshop on Wireless Security (WiSe). ACM, 2006. Google ScholarDigital Library
A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. In ACM Symposium on Operating Systems Principles (SOSP). ACM, 2005. Google ScholarDigital Library
A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla. SWATT: Software-based attestation for embedded devices. In IEEE Symposium on Security and Privacy (S&P), 2004.Google ScholarCross Ref
D. Shahrjerdi, J. Rajendran, S. Garg, F. Koushanfar, and R. Karri. Shielding and securing integrated circuits with sensors. In Computer-Aided Design (ICCAD), 2014 IEEE/ACM International Conference on. IEEE, 2014. Google ScholarDigital Library
A. Soullie. Industrial control systems: Pentesting PLCs 101. In BlackHat Europe, 2014.Google Scholar
R. Strackx, F. Piessens, and B. Preneel. Efficient isolation of trusted subsystems in embedded systems. In Security and Privacy in Communication Networks. Springer, 2010.Google ScholarCross Ref
G. E. Suh, D. Clarke, B. Gassend, M. van Dijk, and S. Devadas. AEGIS: Architecture for tamper-evident and tamper-resistant processing. In Annual International Conference on Supercomputing (CIS). ACM, 2003. Google ScholarDigital Library
H. Suo, J. Wan, C. Zou, and J. Liu. Security in the internet of things: A review. In International Conference on Computer Science and Electronics Engineering (ICCSEE), 2012. Google ScholarDigital Library
H. T. T. Truong, X. Gao, B. Shresthab, N. Saxena, N. Asokan, and P. Nurmi. Using contextual co-presence to strengthen zero-interaction authentication: Design, integration and usability. Pervasive and Mobile Computing, 2014.Google Scholar
Trusted Computing Group (TCG). Website, 2011.Google Scholar
A. Vasudevan, J. McCune, J. Newsome, A. Perrig, and L. van Doorn. CARMA: A hardware tamper-resistant isolated execution environment on commodity x86 platforms. In ACM Symposium on Information, Computer and Communications Security (ASIACCS). ACM, 2012. Google ScholarDigital Library
O. Vermesan and P. Friess. Internet of Things --- From Research and Innovation to Market Deployment. River Publishers, 2014.Google Scholar
J. Vijayan. Stuxnet renews power grid security concerns, 2010.Google Scholar
M. Waidner, M. Kasper, T. Henkel, C. Rudolph, and O. Küch. Eberbacher Gespräch zu "Sicherheit in der Industrie 4.0", 2013.Google Scholar
J. Winter. Trusted computing building blocks for embedded linux-based ARM Trustzone platforms. In ACM Workshop on Scalable Trusted Computing (STC). ACM, 2008. Google ScholarDigital Library
K. Zhao and L. Ge. A survey on the internet of things security. In Computational Intelligence and Security (CIS), 2013. Google ScholarDigital Library
B. Zhu, A. Joseph, and S. Sastry. A taxonomy of cyber attacks on SCADA systems. In International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing. IEEE, 2011. Google ScholarDigital Library
S. Zonouz, J. Rrushi, and S. McLaughlin. Detecting industrial control malware using automated PLC code analytics. IEEE Security and Privacy, 12(6), 2014.Google ScholarCross Ref
D. Zuehlke. Smartfactory --- towards a factory of things. Annual Reviews in Control, 34(1), 2010.Google ScholarCross Ref

Index Terms

Security and privacy challenges in industrial internet of things

Recommendations

Internet of things security: challenges and perspectives
ICC '17: Proceedings of the Second International Conference on Internet of things, Data and Cloud Computing

No one can deny that the Internet of Things (IOT) will revolutionize our daily thanks to its many benefits in order to improve and simplify people's lives. Us any new technology the internet of things has a number of problems that prevents it to reach ...
Read More
Privacy and Security Challenges in Internet of Things
ICDCIT 2015: Proceedings of the 11th International Conference on Distributed Computing and Internet Technology - Volume 8956

Internet of Things IoT envisions as a global network, connecting any objects around us, ranging from home appliances, wearable things to military applications. With IoT infrastructure, physical objects such as wearable objects, television, refrigerator, ...
Read More
Internet of Things security

The Internet of things (IoT) has recently become an important research topic because it integrates various sensors and objects to communicate directly with one another without human intervention. The requirements for the large-scale deployment of the ...
Read More

Reviews

Reviewer: Scott Arthur Moody

As billions of computing devices are eventually embedded into the environment, the Internet of Things (IoT) becomes a reality. The IoT application space ranges from the smart doghouse to the industrial smart factory. With vast amounts of security and safety-critical data continually exchanged and managed, this overview paper discusses unique IoT security and privacy challenges. It's envisioned that the industrial IoT will evolve into self-organizing production systems that optimize available resources, now with the benefit of in situ smart devices helping collect data and manage the environment. Unfortunately, IoT devices are very constrained with limited resources including low power and limited networking, making traditional security solutions difficult to implement. This paper highlights the elements of a holistic approach to IoT cybersecurity, including platform security, secure engineering, security management, identity management, and industrial rights management. They call these industrial IoT systems cyberphysical systems (CPS) and cyberphysical production systems (CPPS). Numerous security and privacy layers, and associated attack surfaces, are discussed and backed by extensive references. But it turns out that IoT constraints for, say, secure device management become increasingly burdensome, as introducing and discovering devices requires various binding and pairing approaches. As these scale, automation approaches are needed to reduce any manual user interaction while still establishing trust. (Just think of manual smartphones connecting to the correct Wi-Fi hotspot in a busy building filled with hotspots, with or without a user interface.) Although the paper discusses many daunting challenges, the authors acknowledge that IoT systems are "not sufficiently enhanced" to solve expected security and privacy risks. While the authors envision a holistic cybersecurity framework, the paper poses more unanswered challenges than solutions. Basically, IoT systems require new security and privacy solutions since current approaches don't scale or are hindered by power and network constraints. Welcome to the Internet of Things. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in

DAC '15: Proceedings of the 52nd Annual Design Automation Conference
June 2015
1204 pages
ISBN:9781450335201
DOI:10.1145/2744769

Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 June 2015
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate1,770of5,499submissions,32%
Upcoming Conference
DAC '24

Sponsor:

sigda

61st ACM/IEEE Design Automation Conference

June 23 - 27, 2024

San Francisco , CA , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 529
  Total Citations
  View Citations
- 4,822
  Total Downloads
- Downloads (Last 12 months)402
- Downloads (Last 6 weeks)56
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Security and privacy challenges in industrial internet of things

DAC '15: Proceedings of the 52nd Annual Design Automation Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

Internet of things security: challenges and perspectives

Privacy and Security Challenges in Internet of Things

Internet of Things security

Reviews

Access critical reviews of Computing literature here

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

Security and privacy challenges in industrial internet of things

DAC '15: Proceedings of the 52nd Annual Design Automation Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

Internet of things security: challenges and perspectives

Privacy and Security Challenges in Internet of Things

Internet of Things security

Reviews

Access critical reviews of Computing literature here

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media