IoT security is not traditional cybersecurity, but a fusion of cybersecurity with other engineering disciplines. It addresses much more than mere data, servers, network infrastructure, and information security. Rather, it includes the direct or distributed monitoring and/or control of the state of physical systems connected over the Internet. Cybersecurity, generally does not address the physical and security aspects of the hardware device or the physical world interactions it can have. Digital control of physical processes over networks makes the IoT unique in that the security equation is not limited to basic information assurance principles of confidentiality, integrity, non-repudiation, and so on, but also that of physical resources and machines that originate and receive that information in the physical world. In other words, the IoT has very real analog and physical elements. IoT devices are physical things, many of which are safety-related. Therefore, the compromise of such devices may lead to physical harm of persons and property, even death.
The subject of IoT security, then, is not the application of a single, static set of meta-security rules as they apply to networked devices and hosts. It requires a unique application for each system and system-of-systems in which IoT devices participate. IoT devices have many different embodiments, but collectively, an IoT device is almost anything possessing the following properties:
- Ability to communicate either directly on, or indirectly over the Internet
- Manipulates or monitors something physical (in the device or the device's medium or environment), that is, the thing itself, or a direct connection to a thing
Cognisant of these two properties, anything physical can be an IoT device because anything physical today can be connected to the Internet with the appropriate electronic interfaces. The security of the IoT device is then a function of the device's use, the physical process or state impacted by or controlled by the device, and the sensitivity of the systems to which the device connects.
We expect that in the frame of this course the students will
- understand vulnerabilities, attacks, and countermeasures, and methods of managing them
- understand how to securely engineer IoT products and systems
- understand the the IoT system security lifecycle, which is tightly integrated into a secure development, integration, and deployment process
- be familiarised with the background on establishing cryptographic security for IoT implementations and deployments
- understand the problems and technical solutions for identity and access management of IoT devices
- be familiarised with the privacy principles and concerns introduced by the IoT
Course Content (Syllabus)
Threats, vulnerabilities, and risks. Attacks and countermeasures. IoT attacks. Secure design. The secure IoT system implementation lifecycle. Cryptography and its role in securing the IoT. Cryptographic module principles. Cryptographic key management fundamentals. Cryptographic controls for IoT protocols. Introduction to identity and access management (IAM) for the IoT - The identity lifecycle, Authentication credentials, IoT IAM infrastructure, Authorisation and access control. Privacy challenges introduced by the IoT. Performing an IoT Privacy Impact Assessment. Privacy by Design principles. Cloud Security for the IoT.
Threats, vulnerabilities and attacks, Security by Design, Cryptography, Access control, Authentication, Privacy, Cloud security
Additional bibliography for study
1. B. Russel, D. V. Duren, Practical Internet of Things Security, PACKT Publishing, 2016
2. D. Lacamera, Embedded Systems Architecture, PACKT Publishing, 2018