Table of Contents

Cybersecurity Concepts

IoT designers and engineers need to understand cybersecurity concepts. This will help them understand the various attacks that can be conducted against IoT devices and how to implement security mechanisms to protect them against cyber attacks. This section discusses some cybersecurity concepts required to understand IoT security.

What is cybersecurity

Cybersecurity refers to the technologies, strategies, and practices designed to prevent cyberattacks and mitigate the risk posed by cyberattacks on information systems and other cyber-physical systems. It is sometimes called information technology security, which involves developing and implementing technologies, protocols, and policies to protect information systems against data theft, illegal manipulation, and service interruption. The main goal of cybersecurity systems is to protect the hardware and software systems, networks, and data of individuals and organisations against cybersecurity attacks that may bridge these systems' confidentiality, integrity, and availability.

After understanding cybersecurity, it is also essential to understand what a cyberattack is. A cyberattack can be considered any deliberate compromise of an information system's confidentiality, integrity, or availability. That is unauthorised access to a network, computer system or digital device with a malicious intention to steal, expose, alter, disable, or destroy data, applications or other assets. A successful cyberattack can cause a lot of damage to its victims, ranging from loss of data to financial losses. An organisation whose systems have been compromised by a successful cyber attack could lose its reputation and be forced to pay for damages incurred by customers due to a successful cybersecurity attack.

The question is why should we be worried about cybersecurity attacks, especially in the context of IoT. The widespread adoption of IoT to improve business processes and personal well-being has exponentially increased the options available to cybercriminals to conduct cybersecurity attacks, increasing cybersecurity-related risks for businesses and individuals. This underscores the need for IoT engineers, IT engineers, and other non-IT employees to understand cybersecurity concepts.

The confidentiality, integrity and availability (CIA) triad

The CIA triad is a conceptual framework that combines three cybersecurity concepts, confidentiality, integrity, and availability, to provide a simple and complete checklist for implementing, evaluating, and improving cybersecurity systems. They form a set of requirements that a well-designed cybersecurity system must sacrifice to ensure information systems' confidentiality, integrity, and availability. It provides a powerful approach to identify vulnerabilities and threats in information systems and then implement appropriate technologies and policies to protect the information systems from being compromised. It provides a high-level framework that guides organisations and cybersecurity experts when designing, implementing, evaluating, and auditing information systems. In the following paragraphs, we briefly discuss the elements of the CIA triad (figure 1).

CIA Triad
Figure 1: CIA Triad

Confidentiality

It involves the technologies and strategies to ensure that sensitive data is kept private and inaccessible to unauthorised individuals. That is, sensitive data should be viewed only by authorised individuals within the organisation and kept private from unauthorised individuals. Some of the data collected by IoT sensors is very sensitive, and it must be kept private and should not be viewed by unauthorised individuals with malicious intentions. Data confidentiality involves a set of technologies, protocols, and policies designed and implemented to protect data against unintentional, unlawful, or unauthorised access, disclosure, or theft. To ensure data confidentiality, it is essential to answer the following questions:

To ensure the confidentiality of the data stored in computer systems and transported through computer and telecommunication networks, some security guidelines should be followed:

Integrity

Integrity in cybersecurity involves technologies and strategies designed to ensure that data is not modified or deleted during storage or transportation by unauthorised persons. It is essential to maintain the integrity of the data to ensure that it is consistent, accurate, and reliable. In the context of IoT, integrity is the assurance that the data collected by the IoT sensors is not illegally altered during transportation, processing, and storage, making it incomplete, inaccurate, inconsistent, and unreliable. The data can only be modified or changed by those authorised to access it. The collected data must be kept complete, accurate, consistent and safe throughout its entire lifecycle in the following ways [1]:

The IoT system designers, manufacturers, developers, and operators should ensure that the data collected is not lost, leaked, or corrupted during transportation, processing, or storage. As the data collected by IoT sensors is growing and lots of companies depend on the results from the processing of IoT data for decision-making, it is vital to ensure the integrity of the data. It must be assured that the IoT data collected is complete, accurate, consistent and secure throughout its lifecycle, as compromised data is of little or no interest to organisations and users. Also, data losses due to human error and cyberattacks are undesirable for organisations and users. Physical and logical factors can influence the integrity of the data.

The physical integrity of data could be enforced by:

IoT system designers, manufacturers, and developers can adopt various technologies and policies to ensure the integrity of the hardware from the IoT devices and communication to fog/cloud data centres.

Enforcing data integrity is a complex task that requires carefully integrating cybersecurity tools, policies, regulations, and people. Some of the ways that data integrity can be enforced include but are not limited to the following strategies:

Availability

The computing, communication, and data storage and retrieval systems should be accessible anytime and when needed. Availability in the context of cybersecurity is the ability of authorised users or applications to have reliable access to the information systems when necessary at any time. It is one of the elements of the CIA triad that constitutes the requirement for designing secure and reliable information and communication systems such as IoT. Given that IoT nodes are being integrated into critical infrastructure and other existing infrastructure of companies and individuals, longer downtimes are not tolerated, making availability a crucial requirement. Availability disruption could result from any of the following causes:

Some of the ways to ensure the availability of information systems and data include the following:

Some commonly used cybersecurity terms

To understand advanced cybersecurity concepts and technologies, it is crucial to have a good understanding of some basic cybersecurity concepts. Below, some cybersecurity concepts are presented.

Cybersecurity risk: It is the probability of being exposed to a cybersecurity attack or that any of the cybersecurity requirements of confidentiality, integrity, or availability is violated, which may result in data theft, leakage, damage or corruption. It may also result in service disruption or downtime that may cause the company to lose revenue and damage infrastructure. An organisation that falls victim to a successful cyber-attack may lose its reputation and be compelled to pay damages to its customers or to pay a fine to regulatory agencies. Thus, a cybersecurity risk is the potential losses that an organisation or individuals may experience as a result of successful cyberattacks or failures of the information systems that may result in loss of data, customers, revenues, and resources (assets and financial losses).

Threats: It is an action performed to violate any cybersecurity requirements that may result in data theft, leakage, damage, corruption, or losses. The action may either disclose the data to unauthorised individuals or alter the data illegally. It may equally result in the disruption of services due to system downtime, system unavailability, or data unavailability. Threats may include, among others, device infections with viruses or malware, ransomware attacks, denial of service, phishing attacks, social engineering attacks, password attacks, SQL injection, data breaches, man-in-the-middle attacks, energy depletion attacks (the case of IoT devices), or many other attack vectors. Cybersecurity threats could result from threat actors such as nation stations, cybercriminals, hacktivists, disgruntled employees, design errors, misconfiguring of systems, software flaws or bugs, terrorists, spies, errors from authorised users, and natural disasters [2].

Cybersecurity vulnerability: It is a weakness, flaw, or error found in an information system or a cybersecurity system that cybercriminals could exploit to compromise the security of an information system. There are several cybersecurity vulnerabilities, and so many are still being discovered. Still, the most common ones include SQL injection, buffer overflows, cross-site scripting, security misconfiguration [3], weak authentication and authorisation mechanisms, and unencrypted data during transportation or storage. Security vulnerabilities can be identified using vulnerability scanners and performing penetration testing. When a vulnerability is detected, necessary steps should be taken to eliminate or mitigate its risk.

Cybersecurity exploit: A cybersecurity exploit is the various ways that cybercriminals take advantage of cybersecurity vulnerabilities to conduct cyberattacks to compromise the confidentiality, integrity, and availability of information systems. The exploit may involve the use of advanced techniques (e.g., commands, scripting, or programming) and software tools (proprietary or open-source) to identify and exploit vulnerabilities to steal data, disrupt the services, damage or corrupt the data, and hijack data or systems in exchange for money.

Attack vector: It is the various ways that attackers may compromise the security of an information system, such as computing, communication, or data storage and retrieval systems. Some of the common attack vectors include:

The various approaches to eliminate attack vectors to reduce the chances of a successful attack include the following [4]:

Attack surface: An attack surface is a location or possible attack vectors that cybercriminals can target or use to compromise data and information systems' confidentiality, integrity, and availability. Organisations and individuals should always strive to minimise their attack surfaces; the smaller the attack surfaces, the smaller the likelihood that their data or information systems will be compromised. So, they must constantly monitor their attack surfaces to detect and block attacks as soon as possible and minimise the potential risk of a successful attack. Some of the common attack surfaces are poorly secured devices (e.g., devices such as computers, mobile phones, hard drives, and IoT devices), weak passwords, a lack of email security, open ports, and a failure to patch software, which offers an open backdoor for attackers to target and exploit users and organisations. Another common attack surface is weak web-based protocols, which hackers can exploit to steal data through man-in-the-middle (MITM) attacks. There are two categories of attack surface, which include [5]

A practical attack surface management provides the following advantages to organisations and individuals:

As IT infrastructures increase and are connected to external IT systems over the internet, they become more complex, hard to secure, and frequently targeted by cybercriminals. Some of the ways to minimise attack surfaces to reduce the risk of cyberattacks include:

Encryption: Encryption is scrambling data into a secret code (encrypted data) to only be transformed back into the original data (decrypted) with a unique key by authorised users or applications. It ensures that the confidentiality and integrity of the data are not compromised. That is, it prevents the data from being stolen or illegally altered by cybercriminals. Encryption is often used to protect data during transportation, storage, and processing/analysis. The process of encryption involves the use of a mathematical cryptographic algorithm (encryption algorithm) to scramble data (plaintext) to a cyphertext that can only be unscrambled back into the plain text using another cryptographic algorithm (decryption algorithm) and an appropriate unique key. The cryptographic keys should be long enough that cybercriminals can not easily guess them through a brute-force attack or cryptanalysis. The goals of implementing encryption algorithms in information systems are:

Cryptographic algorithms can be categorised into two main types as follows:

Although encryption is very valuable for securing data during transportation, processing, and storage, it still has disadvantages. Some of the drawbacks of encryption are:

Authentication: Authentication is an access control mechanism that makes it possible to verify that a user, device, or application is who they claim to be. The authentication credentials (username and password) are matched against a database of authorised users or data authentication servers to verify their identities and ensure they have access rights to the device, servers, application or database. Using a username or ID and a password for authentication is called single-factor authentication. Recently, organisations, especially those dealing with sensitive data (e.g., banks), require their users and applications to provide multiple factors for authentication (rather than only an ID and password), resulting in what is now known as multi-factor authentication. In the case of two factors, it is known as two-factor authentication. Using human features such as fingerprint scans, facial or retina scans, and voice recognition is known as biometric authentication [6]. Authentication ensures the confidentiality and integrity of data and information systems by allowing only authenticated users, applications, and processes access valuable and sensitive resources (e.g., computers, wireless networks, wireless access points, databases, websites, and other network-based applications and services).

Authorisation: Just like authentication, authorisation is another process often used to protect data and information systems from being abused or misused by cybercriminals and unintended (or intended) actions of authorised users. Authorisation is the process of determining the access rights of users and applications to ensure they have the right to perform the action they are trying to perform. Unlike authentication, which verifies the users' identities and then grants them access to the systems, authorisation determines the permissions they have to perform specific actions. One example of authorisation is the Access Control List (ACL), which allows or denies users and applications access to particular information system resources and to perform specific actions. General users may be allowed to perform some actions but may be refused permission to perform others. In contrast, super users or system administrators can perform almost every action in the system. Also, some users are authorised to access some data and are denied access to more sensitive data; thus, in database systems, general users may be permitted to access less sensitive data, and the administrator is permitted access to more sensitive data.

Access control: It consists of the various mechanisms designed and implemented to grant authorised users access to information system resources and to control the actions that they are allowed to perform (e.g., view, modify, update, install, delete). It can also control an organisation's physical access to critical resources. It ensures that the confidentiality and integrity of data and information systems are not compromised. Thus, physical access controls physical access to critical resources, while logical access control controls access to information systems (networks, computing nodes, servers, files, and databases). Access to locations where critical assets (servers, network equipment, files) are stored is restricted using electronic access control systems that use keys, access card readers, personal identification number (PIN) pads, auditing and reports to track employee access to these locations. Access to information systems (networks, computing nodes, servers, files, and databases) is restricted using authentication and authorisation mechanisms that evaluate the required user login credentials, which can include passwords, PINs, biometric scans, security tokens or other authentication factors [7].

Non-repudiation: It is a way to ensure that the data sender does not refute that it sent the data and that the receiver does not deny that it received the data. It also ensures that an entity that signs a document cannot refute its signature. It is a concept adopted from the legal field and has become one of the five pillars of information assurance, including confidentiality, integrity, availability, and authentication. It ensures the authenticity and integrity of the message. It provides the sender's identity to the receiver and assures the sender that the message was delivered without being altered along the way. In this way, the sender and receiver cannot deny they send, receive or process the data. Signatures can be used to ensure non-repudiation as long as they are unique for each entity.

Accountability: Accountability requires organisations to take all the necessary steps to prevent cyberattacks and mitigate the risk of a possible attack. If an attack occurs, the organisation must take responsibility for the damages and engage relevant stakeholders to handle the consequences and prevent future attacks. It must also accept responsibility for dealing with security challenges and fallouts from security breaches.


[2] Abi Tyas Tunggal, What is Cybersecurity Risk? A Thorough Definition, https://www.upguard.com/blog/cybersecurity-risk, 2024
[3] Rapid 7, Vulnerabilities, Exploits, and Threats, https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/