WorldCIST2019-Miloslavskaya-IoT-Standards.pdf

Authors:
Natalia Miloslavskaya, Andrey Nikiforov, Kirill Plaksiy and Alexander Tolstoy
National Research Nuclear University MEPhI
(Moscow Engineering Physics Institute)
“Information Security of Banking Systems” Department
Standardization Issues
for the Internet of Things
La Toja Island, 16-18 April 2019
WorldCIST2019
CONTENT
Introduction
1. Related work.
2. The IoT standardisation issues.
A. ITU standards
B. ISO/IEC standards
C. IEEE standards
D. IoT security standards
3. Comparison of standards considered.
Conclusion
Introduction (1/2)
The Internet of Things (IoT): a computer network of physical objects (things) equipped with
embedded technologies for interacting with each other or with the external environment.
The IoT is developing at a tremendous speed thanks to the ubiquitous spread of wireless networks
and cloud computing, the development of machine-to-machine technology and software-defined
networks, and the active transition to IPv6.
According to Ericsson, in 2018 the number of IoT sensors and devices should have exceeded
the number of mobile phones. The total annual growth rate of this segment for the 2015-2021 period
will be 23%. There will be approximately 28 billion connected devices worldwide by 2021 and about
16 billion will be connected to the IoT.
=> That leads to an increase in risks: from causing physical harm to people to downtime and
equipment damage.
Kaspersky Lab conducted tests among Russian companies showing that video monitors and
coffee machines can be hacked to intercept video and to transmit information in unencrypted
form. A device can also save the password of the Wi-Fi network to which it was connected.
=> IoT systems’ protection comes to the foreground.
Introduction (2/2)
An example: all the information stored by IoT devices is in high demand because it shows a
complete picture of users' everyday activities and habits.
=> Its availability is useful for companies that can direct their resources to the production of
goods/services focused on the habits and preferences of the masses.
=> It is necessary to develop generally accepted standards that will allow the same methods and
tools to be assessed adequately to ensure a safe environment for effective work within the IoT
framework.
The paper’s goal: to review the state of addressing the IoT's IS issues in international standards.
1. Related work
Kupriyanovskij V.P., Namiot D.E., Kupriyanovskij P.V. Standardization of Smart Cities, Internet of Things and
Big Data. Considerations for practical use in Russia.
Miloslavskaya N., Tolstoy A. Internet of Things: information security challenges and solutions.
Specialized books on IoT security:
Dhanjani N. Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts.
Russell B., Van Duren D. Practical Internet of Things Security.
Hu F. Security and Privacy in Internet of Things: Models, Algorithms, and Implementations.
Shancang Li, Li Da Xu. Securing the Internet of Things.
Prospects for the emergence of the IoT + measures taken worldwide to implement this concept:
Alguliev R., Mahmudov R. Internet of Things. Information society.
Some sections dedicated to the problems of standardization:
Roslyakov A.V. et al. Internet of Things.
A brief overview of the state of standardization issues in general:
Saryan V.K. et al. The Past, Present, and Future of Internet of Things Standardization.
Kess P. et al. Standardization with IoT (Internet-of-Things). Managing Innovation and Diversity in Knowledge
Society Through Turbulent Time.
A comparative analysis of the IoT standards on security issues:
Hwang I., Kim Y.G. Analysis of Security Standardization for the Internet of Things.
3. The IoT standardisation issues
With the development of the IoT, its users and manufacturers become more and more concerned with
ensuring the safety of people, systems, devices, data transmission channels, etc. In addition to
physical protection, it is necessary to ensure IS for the entire IoT.
To do this, it is required to develop standards in this area and bring all security requirements to a
single universal form. Standards provide people and organizations with a basis for a mutual
understanding of the IoT.
The strongest contributors to the field:
International Electrotechnical Commission
International Telecommunication Union
IEEE Standards Association
3.1 ITU standards (1/3)
ITU is most interested in the IoT topic.
Y.4000/Y.2060 (Overview of the IoT): highlights this important area for future standardization. The
interrelation of various components of the most complex systems leads to significant security
threats to confidentiality, authenticity, and integrity of both data and services. The document
describes generic (at application, network and device layer) and specific security capabilities.
Y.4050/Y.2069 (Terms and definitions for the IoT): specifies the terms and definitions relevant to
the IoT to clarify the IoT and IoT-related activities.
Y.4100/Y.2066 (Common requirements of the IoT): classifies the requirements of IoT systems into
categories, including security and privacy protection requirements. It contains the functional
requirements for data capturing, storing, transferring, aggregating and processing and provision
of services, describes the different roles of participants and shows some use cases.
Y.4103/F.748.0 (Common requirements for IoT applications): focuses on IoT applications.
Y.4552/Y.2078 (Application support models of the IoT): provides three (configurable, adaptable,
reliable) application support models with their basis. It complements Y.4103/F.748.0. The lists of
capabilities and components and the use cases for the models are also of interest.
3.1 ITU standards (2/3)
Y.4111/Y.2076 (Semantics-based requirements and framework of the IoT): contains requirements
for security capabilities with the use of semantic technologies for security-related decision
making. Semantic annotation, security policy management and access control are proposed for
their efficient use.
Y.4113 (Requirements of the network for the IoT): introduces a basic model of the network for the
IoT, general characteristics of smart meters and sensors, and general issues of this network. It
gives a good explanation of the suitable networks, but security issues are not considered.
Y.4453 (Adaptive software framework for IoT devices): addresses the adaptive software framework
(ASF) concept, identifies high-level requirements and provides a reference functional architecture
for IoT devices. There are some security capabilities provided for ASF secure execution and a
proper example use case and workflow.
Y.4101/Y.2067 (Common requirements and capabilities of a gateway for IoT applications): gives a
brief introduction to gateways for IoT applications, their general requirements, common
capabilities, reference technical framework, typical high-level flows, and use cases.
3.1 ITU standards (3/3)
Y.4112/Y.2077 (Requirements of the plug and play (PnP) capability of the IoT): describes the concept
and the purpose of this capability and then provides its components as well as requirements. It also
describes Device and Gateway PnP capability, security protection from a counterfeit device, firewall
protection, PnP authorization and access control. PnP use cases are worth exploring.
Y.4401/Y.2068 (Functional framework and capabilities of the IoT): provides a description of the key
IoT capabilities based on the functional, implementation and deployment view of the IoT functional
framework (FF) to fulfill the Y.2066 requirements. It presents proper structures, capabilities for
integration of cloud computing and big data and security considerations. The lists of management
capabilities and components, as well as security and privacy protection capabilities are given.
Y.4806 (Security capabilities supporting safety of the IoT): identifies threats to confidentiality,
integrity, availability that may affect safety and assigns security capabilities which can be applied to
mitigate them. Improper IT system behavior (e.g., software bugs, backdoors, Trojan programs) is
also considered as a source of problems. The document suggests two general universal methods
for keeping the system in a secure state. It also provides some cases for further use.
All these documents are in open access!
3.2 ISO/IEC standards (1/2)
ISO and IEC were the first to decide to assemble best practices for creating IoT standards.
Established in 2012, ISO/IEC JTC 1/SWG 5 Internet of Things is a standardization special working
group of the Joint Technical Committee ISO/IEC JTC 1, which develops and facilitates the
development of standards for the IoT.
ISO/IEC work in this field does not stop. Under development (April 2019): ISO/IEC 21823
(Interoperability for IoT systems Part 2: Network connectivity; Part 3: Semantic interoperability),
ISO/IEC 23093-1 (Internet of media things Part 1: Architecture), ISO/IEC 27030 (Guidelines for
security and privacy in IoT), ISO/IEC 30149 (IoT Trustworthiness framework) and ISO/IEC 30147
(Methodology for trustworthiness of IoT system/service).
ISO/IEC 20924:2018 (IoT definition and vocabulary).
ISO/IEC 21823-1:2019 (Interoperability for IoT systems Part 1: Framework).
ISO/IEC 22417:2017 (IoT use cases): suggests using ISO/IEC terms and consists of IoT use case
scenarios.
But ISO/IEC standards are paid!
3.2 ISO/IEC standards (2/2)
ISO/IEC 29161:2016 (Unique identification for the IoT): establishes a unique identification scheme
for the IoT, based on existing and evolving data structures. It specifies the common rules
applicable to unique identification for any physical/virtual object/person to ensure full
compatibility across different identities. It is intended for use with any IoT media and for IoT
information systems, which need to track or otherwise refer to entities.
ISO/IEC 29181-9:2017 (Future Network Problem statement and requirements, Part 9: Networking
of everything) (NoE): describes the general characteristics of NoE, which can be applied to Future
Networks, especially from an IoT perspective. It specifies a conceptual NoE model, its definition,
problem statements in conventional networking, standardization activities of other
standards-development organizations, requirements for NoE from an IoT perspective, and technical aspects.
ISO/IEC 30141:2018 (IoT reference architecture): provides a standardized IoT Reference
Architecture using a common vocabulary, reusable designs and industry best practices. It uses a
top-down approach, beginning with collecting the most important characteristics of the IoT,
abstracting those into a generic IoT Conceptual Model, deriving a high-level system based
reference with subsequent dissection of that model into 5 architecture views.
The last two standards are interesting for consideration from the IS point of view.
3.3 IEEE standards (1/)
P2413 (Architectural framework (AF) for the IoT): defines the AF, including descriptions of various
IoT domains with their abstractions and commonalities between different domains. The IoT’s AF
provides a reference model that defines relationships among various IoT verticals (e.g.,
transportation, healthcare, etc.) and common architectural elements. It provides a blueprint for
data abstraction and the quality "quadruple" trust: protection-security-privacy-safety. It shows a
reference architecture that builds upon the reference model and defines basic architectural blocks
and their ability to be integrated into multi-tiered systems. This architecture addresses how to
document and, if strived for, mitigate architecture divergence. This standard leverages existing
applicable standards and identifies planned/ongoing projects with a similar or overlapping scope.
P1451-99 (Harmonization of IoT devices and systems): defines a method for data sharing,
interoperability and security of messages over a network, where IoT devices can interoperate,
regardless of underlying communication technology. It does not cover APIs for existing IoT or
legacy protocols. But it utilizes the advanced capabilities of the Extensible Messaging and
Presence Protocol (providing globally authenticated identities, authorization, presence, lifecycle
management, interoperable communication, IoT discovery and provisioning). Descriptive
metadata about devices and operations provides sufficient information for infrastructural components,
services and end-users to dynamically adapt to a changing environment. For a successful Smart
City infrastructure, key components and needs are identified and addressed.
3.3 IEEE standards (2/)
P1931.1 (AF for real-time onsite operations facilitation for the IoT): defines an AF, protocols and
APIs for providing Real-time Onsite Operations Facilitation (ROOF). ROOF computing and
networking for the data and IoT devices include next-hop connectivity for the devices, real-time
context building and decision triggers, efficient backhaul connectivity to the cloud and security
and privacy. This standard covers interoperability, collaboration and autonomous operation of an
IoT system with computing required for context building, security, access control, data storage,
data aggregation and ability to choose different cloud and application service providers. It defines
how an end user is able to securely provision, commission/decommission the devices, as well as
leverages existing applicable standards and is complementary to AFs defined.
P2668 (Maturity index of IoT: evaluation, grading and ranking): gives the basis for measuring the
maturity of objects in IoT environment, namely things, devices or the entire IoT. It defines the
mechanism and specifications for evaluation, grading and ranking of the performance of IoT
objects by using an indicator value IoT Index (IDex). IDex classifies the objects into multiple levels
of performance, gives a quantitative performance representation and indication and manifests
guidance on blending of IoT objects to evolve into better performance.
3.4 IoT security standards
The following is almost a complete list of standards for IoT security or security-related issues:
ISO/IEC 29181-5:2014 (Future Network -- Problem statement and requirements -- Part 5: Security)
X.1362 (Simple encryption procedure for IoT environments)
Y.4102/Y.2074 (Requirements for IoT devices and operation of IoT applications during disasters)
Y.4455 (Reference architecture for IoT network service capability exposure)
Y.4118 (IoT requirements and technical capabilities for support of accounting and charging)
Q.3952 (The architecture and facilities of a model network for IoT testing)
Y.4702 (Common requirements and capabilities of device management in the IoT)
Q.3913 (Set of parameters for monitoring IoT devices)
The European Union Agency for Network and Information Security (ENISA): “Baseline Security
Recommendations for IoT in the context of Critical Information Infrastructures”
Under development:
ISO/IEC 27030 (Guidelines for security and privacy in IoT)
ISO/IEC 30149 (IoT Trustworthiness framework)
ISO/IEC 30147 (Methodology for trustworthiness of IoT system/service)
NISTIR 8228 (Considerations for IoT cybersecurity and privacy risks)
NIST Cybersecurity White Paper (Internet of Things (IoT) Trust Concerns)
The issues of ensuring the IoT’s IS appear less important in other organizations’ documents, and their
consideration is often limited to recommendations about contacting the support service.
4. Comparison of standards considered (1/2)
According to the full content of available documents studied, several comparison criteria were
defined. Using them, common and unique parts of these documents could be identified.
4. Comparison of standards considered (2/2)

| IS issues / Organization | ITU | ISO/IEC | IEEE |
|---|---|---|---|
| Terms and definitions | Own relevant terms and definitions | Own relevant terms and definitions | Own relevant terms and definitions |
| IoT requirements | General and specific, different from others | General and specific, different from others | General and specific, different from others |
| IoT capabilities | Disclosed in detail in general and particular cases | More focused on general cases | More focused on particular cases |
| IoT specifics | Reviewed from different points of view | Reviewed from different points of view | Reviewed from the perspective of certain issues |
| IoT threat classification | A generic and concrete version with examples | A generic version with examples | Not defined yet |

Findings:
All the organizations pay great attention to the IoT issues.
Each organization has its own vision of the situation and its priorities.
The requirements are described in sufficient detail, specific points are noted, and valuable
comments are made.
Specific applications of these standards are of interest, since they may give a different vision of
problems, initial bases and areas of knowledge.
Of the organizations discussed, the ITU standards contain more general and specific
recommendations than others, with appropriate examples.
Security issues are considered from different points of view, although IS problems do not receive
increased attention. Despite this fact and the pace of development in this area, we hope that
these gaps will be filled in the next few years.
Conclusion
1. The main problem of IoT's IS standardization today is that the IoT requires a different approach
than a regular network. Although the IoT concept and all its aspects are widely discussed, there
are some issues which require further detailed research. Development of new principles for
working in such networks, as well as the requirements for participants, is really relevant.
2. Most of the standards are focused either on general problems or consider their specific
subjects. The general nature of recommendations for ensuring IS can be looked upon as a
shortcoming of the existing standards. They lack (although not everywhere) disclosure of
security issues not only for the IoT software but also for hardware. It is expected that the situation
will improve as best practices are collected.
Our future work:
o The development of detailed recommendations, which can be sent to international organizations
involved in the standardization process to verify their correctness and relevance, as well as
subsequent incorporation into documents.
o The detailed study of IoT's IS issues and assessment of the applicability and correctness of the
developed recommendations.
Natalia Miloslavskaya
NGMiloslavskaya@mephi.ru