Cybersecurity in IoT Systems

There is widespread adoption of IoT systems and services in various industries, such as health care, agriculture, smart manufacturing, smart energy systems, intelligent transport systems, logistics (supply chain management), smart homes, smart cities, and security and safety. The primary goal of incorporating IoT into existing systems in various industries is to improve productivity and efficiency. Despite the enormous advantages of integrating IoT into existing systems in various industries, including critical infrastructure, there are concerns about the security vulnerabilities of IoT systems. Businesses are increasingly anxious about the possible risks introduced by IoT systems into their existing infrastructures and how to mitigate them.

One of the weaknesses of IoT devices is that they can easily be compromised. This is because some IoT manufacturers of IoT devices fail to incorporate security mechanisms into the devices, resulting in security vulnerabilities that can easily be exploited. Some manufacturers and developers often focus on device usability and adding features that satisfy the needs of the users while paying little or no attention to security measures. Another reason that IoT device manufacturers and developers pay little or no attention to security is that they are often focused on getting the device to the market as soon as possible. Also, some IoT users focus mainly on the price of the devices and ignore security requirements, incentivising the manufacturers to focus on minimising the cost of the devices while trading off the security of the devices.

A successful malicious attack on an IoT system could result in data deft, loss of data privacy, and further comprise other critical systems that are connected to the IoT systems. IoT systems are increasingly being targeted due to the relative ease with which they can be compromised. Also, they are increasingly being incorporated into critical infrastructure such as energy, water, transportation, health care, education, communication, security, and military infrastructures, making them attractive targets, especially during conventional, hybrid, and cyber warfare. In this case, the goal of the attackers is not only to compromise IoT systems but to exploit the vulnerabilities of the IoT device with the aim of compromising or damaging critical infrastructures. Some examples of large-scale attacks that have been orchestrated by exploiting vulnerabilities of IoT devices include:

• The Mirai Botnet attack: An IoT botnet (a network of IoT devices, each of which runs bots) was used to conduct a massive Distributed Denial of service (DDoS) attack against the internet’s domain name system (DNS) provider Dyn in October 2016. The traffic from the IoT botnet, including devices such as cameras and DVR players, was coordinated to bombard Dyn's DNS servers with traffic until they became overwhelmed and collapsed under the strain. The assault that was sustained for several hours disrupted the services of websites such as Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US.
• The Stuxnet attack: It is one of the most well-known IoT attacks. It was designed to target the Iranian uranium enrichment plant in Natanz, Iran. The attack compromised the Siemens Step7 software that was running on a Windows operating system, providing malicious software (worm) access to the industrial program logic controllers. The attack resulted in the damage of several uranium centrifuges, demonstrating the extent to which IoT-based attacks could damage energy systems and critical infrastructure.