IoT Security

IoT systems and services are widely adopted in various industries, such as health care, agriculture, smart manufacturing, smart energy systems, intelligent transport systems, logistics (supply chain management), smart homes, smart cities, and security and safety. The primary goal of incorporating IoT into existing systems in various industries is to improve productivity and efficiency. Despite the enormous advantages of integrating IoT into existing systems in multiple sectors, including critical infrastructure, there are concerns about the security vulnerabilities of IoT systems. Businesses are increasingly anxious about the possible risks IoT systems introduce into their infrastructure and how to mitigate them.

One of the weaknesses of IoT devices is that they can easily be compromised. This is because some IoT manufacturers of IoT devices fail to incorporate security mechanisms into the devices, resulting in security vulnerabilities that can easily be exploited. Some manufacturers and developers often focus on device usability and adding features that satisfy the users' needs while paying little or no attention to security measures. Another reason that IoT device manufacturers and developers pay little or no attention to security because they are often focused on getting the device to the market as soon as possible. Also, some IoT users focus mainly on the price of the devices and ignore security requirements, incentivising the manufacturers to focus on minimising the cost of the devices while trading off the security of the devices.

Also, IoT hardware constraints make it challenging to implement reliable security mechanisms, making them vulnerable to cyber-attacks. Since batteries with limited energy capacities power IoT devices, they possess low-power computing and communication systems, making it hard to implement sufficient security mechanisms. Using power-hungry computing and communication systems that would permit the incorporation of reliable security mechanisms will significantly reduce the device's lifetime (the time from when the device is deployed to when the energy stored in its battery is completely drained). As a result, manufacturers and developers tend to trade off the security of the device with the reliability and lifetime of the device.

A successful malicious attack on an IoT system could result in data theft, loss of data privacy, and damage to other critical systems connected to the IoT systems. IoT systems are increasingly being targeted due to the relative ease with which they can be compromised. Also, they are increasingly being incorporated into critical infrastructure such as energy, water, transportation, health care, education, communication, security, and military infrastructures, making them attractive targets, especially during conventional, hybrid, and cyber warfare. In this case, the attackers' goal is not only to compromise IoT systems but to exploit the vulnerabilities of the IoT device to compromise or damage critical infrastructures. Some examples of attacks that have been orchestrated by exploiting vulnerabilities of IoT devices include:

• The Mirai Botnet attack: An IoT botnet (a network of IoT devices, each of which runs bots) was used to conduct a massive Distributed Denial of service (DDoS) attack against the internet's domain name system (DNS) provider Dyn in October 2016. The traffic from the IoT botnet, including devices such as cameras and DVR players, was coordinated to bombard Dyn's DNS servers with traffic until they became overwhelmed and collapsed under the strain. The assault that was sustained for several hours disrupted the services of websites such as Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US.
• The Stuxnet attack: It is one of the most well-known IoT attacks. It was designed to target the Iranian uranium enrichment plant in Natanz, Iran. The attack compromised the Siemens Step7 software running on a Windows operating system, providing malicious software (worm) access to the industrial program logic controllers. The attack damaged several uranium centrifuges, demonstrating the extent to which IoT-based attacks could damage energy systems and critical infrastructure.
• The Jeep Hack: This test attack was conducted by researchers in July 2015 on a Jeep SUV. They successfully took control of the vehicle by exploiting a firmware update vulnerability. They demonstrated that this attack can control the vehicle's speed and steer it off the road. Therefore, as more IoT sensors are added to cars, there is a serious risk that they can be exploited to cause a massive attack on cars, which could result in huge accidents. This kind of vulnerability can be exploited for terror attacks or targeted killings.
• Cold in Finland: Cybercriminals conducted an IoT-based attack on heating systems in the Finnish city of Lappeenranta by turning off the heating system. They also conducted a DDoS attack on the heating infrastructure, forcing the heating controllers to reboot the system repeatedly and preventing the heating system from ever turning on. This is a severe attack, given the cold temperatures in Finland during the winter season. A similar attack may be conducted against air conditioning systems in a hot environment, which may cause serious problems for inhabitants. Thus, IoT systems may be leveraged to conduct attacks on critical civilian infrastructures to disrupt the proper functioning of society.
• The Verkada hack: This attack was conducted against a cloud-based video surveillance service provider, Verkada. The attackers successfully compromised the privacy of their customers (including factories, hospitals, schools, and prisons) by gaining access to live feeds from about 150000 cameras. This shows the risk of a successful full compromise on IoT cloud/fog computing service providers' customers, especially customers that provide critical services for society.

The attacks mentioned above are just a few examples of how cybercriminals may exploit the vulnerabilities of IoT devices to compromise and disrupt services in other sectors, especially the disruption of critical infrastructure. These examples demonstrate the urgent need to incorporate security mechanisms into IoT infrastructures, especially those integrated with essential infrastructures. The above attack examples also indicate that the threat posed by IoT is real and can seriously disrupt the functioning of society and result in substantial final and material losses. It may even result in the loss of several lives. Thus, if serious attention is not given to IoT security, IoT will soon be an Internet of Threats rather than an Internet of Things.

Therefore, IoT security involves design and operational strategies to protect IoT devices and other systems against cyber attacks. It includes the various techniques and systems developed to ensure the confidentiality of IoT data, the integrity of IoT data, and the availability of IoT data and systems. These strategies and systems are designed to prevent IoT-based attacks and ensure IoT infrastructures' security. In this chapter, we will discuss IoT security concepts, IoT security challenges, and techniques that can be deployed to secure IoT data and systems from being compromised by attackers and used for malicious purposes.