Cybersecurity in IOT

Hence, this thesis focuses on the security issues of IoT. Moreover, it suggests gateway as a technology to eradicate or overcome this security. The thesis begins with a clear introduction of IoT’s communication model and its issues. Further, the research context explains the objectives of the study along with the research questions. To identify the solution for these question the adopted methodology is a literature review and quantitative analysis. I would also like to thank the participants of data collection process as without their participation I might not be able to complete this research with the best outcome. Thanks and regards. Yours Sincerely, Table of Contents Chapter 1: Introduction 8 1. 1 Background of the study 8 Chapter 2: Research context and question 10 2. 1 Aims of the study 10 2.

4 Back-end data-sharing communication: 23 3. 4 Requirement for IOT Gateway 23 3. 6 IoT Gateway Architectures 24 3. 7 IoT Gateway Layers 30 3. 8 Security Measures 31 3. 3 Management barriers. 43 Chapter 4: Research Methodology 45 Chapter 5: Findings and analysis 47 5. 1 Quantitative analysis (close end questions) 47 Table 2: Time period involved with internet of things 48 Table 3: Opinion about risk related to IoT 49 Table 4: Addressing security issues in IoT 49 Table 5: Security measures for IoT 50 Table 6: Gateway based security measures for IoT 51 Table 7: Impact of IoT gateway security policies 52 Table 8: Security policies for IoT 53 Table 10: Best technique for securing IoT 54 Table 11: Cryptosystem in IoT 55 Table 12: Access control for IoT 56 Chapter 6: Results and discussion 57 6. 1 Addressing research question 1 57 6. 1 Network Management Policies 57 6. 2 Addressing research question 2 63 Discussion 64 Chapter 7: Conclusion 67 5. 1 Conclusion 67 5. 2 Limitation and future scope 68 References 69 Appendix 73 List of tables Table 2: Time period involved with internet of things 48 Table 3: Opinion about risk related to IoT 49 Table 4: Addressing security issues in IoT 49 Table 5: Security measures for IoT 50 Table 6: Gateway based security measures for IoT 51 Table 7: Impact of IoT gateway security policies 52 Table 8: Security policies for IoT 53 Table 10: Best technique for securing IoT 54 Table 11: Cryptosystem in IoT 55 Table 12: Access control for IoT 56 List of figures Figure 1.

Device-to-device communication model 20 Figure 2: Device-to-cloud communication model 21 Figure 3: Device-to-gateway communication model 22 Figure 4: Back-end data-sharing communication model 23 Figure 5: Using PAN technology to connect to IoT via a gateway 25 Figure 6: Nodes directly connect to the Internet 26 Figure 7: Nodes indirectly connect to the Internet using PAN through 6LoWPAN 27 Figure 8: Semantic Gateway as a Service 27 Figure 9: Intel IoT Gateway Architecture 29 Figure 12: Time period involved with internet of things 48 Figure 13: Opinion about risk related to IoT 49 Figure 14: Addressing security issues in IoT 50 Figure 15: Security measures for IoT 51 Figure 16: Gateway based security measures for IoT 51 Figure 17: Impact of IoT gateway security policies 52 Figure 18: Security policies for IoT 53 Figure 20: Best technique for securing IoT 54 Figure 21: Cryptosystem in IoT 55 Figure 22: Access control for IoT 56 Chapter 1: Introduction 1. 1 Background of the study One of the most important topics in the policy, technology and engineering fields is the Internet of Things (IoT).

However, implementation of IoT is not as simple as it looks. Several issues and challenges impede the task and need to be addressed to realize the potential benefits of IoT (Rose, Eldridge and Chapin, 2015). Several organizations have predicted the potential impact of IoT on the economy and the Internet. For example, Cisco believes that by 2019 the count of interconnected devices could reach up to 24 billion. On the other hand, Morgan Stanley believes that by 2020 the count of IoT objects would reach 75 billion. Thus, a critical infrastructure affects lives of people, and economic activities become an area where IoT is utilized. In this perspective, security measures for IoT system are very important to be considered. Therefore, a shortage of security operations is faced by administrators while using the Internet of Things.

Present research focuses on identifying gateway-based security measures that would be helpful to mitigate security issues on the Internet of Things. Chapter 2: Research context and question 2. These objectives will also contribute to uncovering the essential and trending aspects of the IoT including the Massive Scaling, IoT Architecture, and Dependencies. The Creating Knowledge and Big Data, the robustness of the IoT service, its Openness, Security, Privacy, the involvement of humans in the loop, and much more (Stankovic, 2014). Based on these research objectives, it becomes convenient to discover the common security challenges that occur on IoT gateways. This research will, therefore, help organizations to take particular measure to safeguard and protect their IoT services, the IoT gateways, and devices connected to them. The research objectives will also help the organizations understand the involvement, control, and effects of the human interaction with such a system.

These will also lead to generation or identification of one or more policy guidelines that will help to develop a better and efficient IoT service. Lastly, the research objectives will propose some recommendations for the implementation of the IoT service. 3 Research Questions RQ 1. What should gateway-based mitigation measures be used to address security and privacy issues in IoT?  RQ 2. How device manufacturers users can integrate a culture of information security in IoT systems by addressing the gateway-based barriers. On the other hand, a tremendous implementation of IoT in the world makes it the most promising technology of future. However, the implementation of this technology has security limitation associated with it. The interconnection of devices and the massive data transmission is the basis for this vulnerability.

The manufacturing organizations and the organizations using IoT must focus on developing a system that ensures information vulnerability. It requires the implementation of standard policies to smoothen the security risk associated with the organizations. Now, this technology is significantly helping the scientists and other research professionals to carry out tasks that were never imagined before (Rose, Eldridge and Chapin, 2015). The Internet of Things is the term that refers to scenarios where the computing capabilities and network connectivity is through objects, sensors, IP addresses and computers. Technology has made such devices capable of generating, exchanging and consuming data with minimal human intervention. However, there is no single definition of the Internet of Things. With its growing prevalence and adoption in the almost every industry and every aspect of the everyday life, it has raised concerns about the security of data that travels to and fro from these devices.

A significant amount of this data can be private and personal, related to finances or some company policies. Thus adequate protection of such information is necessary. This task also needs special measures as now data travels over the network in unprecedented amounts and it becomes more challenging to identify threats to the flowing data (Pal and Purushothaman, 2016). When it comes to communication, not always, it takes place after undergoing some level cryptographic confidentiality, authentication algorithms, and integrity measures as part of the protocol on which the devices are working. Almost all of the IoT applications comes loaded with some basic levels of security features. Internet of Things is also greatly susceptible to the Denial of Service (DoS) attack. As a large number of data travels over the network, the IoT devices are highly vulnerable to become a hostage of DDOS attacks.

This denial of service attack works best for the Internet of things as their model involves an enormous amount of data requests from the server (Park, Chen, and Choo, 2017). The recent spread of Internet of Things along with some interconnected devices is increasing dramatically. Also, the connected devices are not limited to the information devices. Apart from homes and workplaces, even Logistics and Transports are already using RFID tags to track their pallets, shipments, and even individual items through the IoT. These are the smart tags that are capable enough to log and report the state of the transport conditions, for example, tilt, temperature, shock, pressure, humidity, etc. The key driver is cost and orderly communication to hundreds and thousands of tags at the same time (Lin and Bergmann, 2016).

Internet of things profoundly influences other industries such as dining, entertainment, hospitality, healthcare, sports and fitness, science, manufacturing, telecommunication, banking, environmental science, education, retail, and more. Thus the security of information is the utmost priority for these sectors (Lin and Bergmann, 2016, p. Several companies today, therefore, fail to meet the maximum levels of security. The probable reason for this low level of security is the profit margin these manufacturers aim to achieve (Gilchrist, 2017). To grab the maximum attention in the market and to meet the demands of the people, several organizations miss and skip the security features in these devices. Also, after a device becomes too popular into the market, it creates pressure on the manufacturers to produce the product in large quantities, within budget, with limited resources, and in less time.

This pressure then lays less focus on implementing better security measures for such devices. 1 Preface In the development of IoT applications, security and testing frameworks act a vital role. This chapter of the research deals with the communication model used in IoT. Also, the issues and need for IoT gateway are discussed to mitigate security issues. The types of implementing IoT gateway, their architectures and layers of the IoT gateway are discussed in this chapter of the research. The chapter also explains security measures, IoT network security, and importance of software-defined networking. Interoperability between products and services might have always been the point of concern when it came to IoT implementation. It is always not feasible or necessary to achieve full interoperability.

However, the IoT devices which face vendor lock-in, a high rate of ownership complexity, and inflexible in integrating with other devices would affect the consumer acceptance (Rose, Eldridge and Chapin, 2015). Apart from poor design, the IoT devices might have negative impacts due to the connected Internet and network resources. Appropriate, generic, open and widely available best practices and standards will provide significant benefits, innovation, and economic opportunity (Rose, Eldridge and Chapin, 2015). 1 Device-to-device communication: In this communication model, the connection and communication of multiple devices take place over IP and many other types of networks. However, the connection among devices in this model often makes use of protocols such as ZigBee, Bluetooth, or Z-wave (Rose, Eldridge and Chapin, 2015). Figure 1. Device-to-device communication model (Rose, Eldridge and Chapin, 2015).

In this model, the devices adhere to a particular protocol for communication and information exchange. The existence of communications mechanisms such as Wi-Fi connections or wired Ethernets provides a lot of advantage to this model to connect the devices and IP network (Rose, Eldridge and Chapin, 2015). Figure 2: Device-to-cloud communication model (Rose, Eldridge and Chapin, 2015). Some of the sought-after consumer IoT devices such as Samsung SmartTV and Nest Labs Learning thermostat make use of the device-to-cloud model. In Samsung’s SmartTV, the user information gets transmitted to the company through the internet which is later used for analysis and enabling the TV’s voice recognition feature. Similarly, in the thermostat, the data is transmitted to cloud database where the home energy consumption data gets analyzed (Rose, Eldridge and Chapin, 2015).

This model has taken several forms in the consumer devices. However, in most of the cases, an application running on a smartphone communicates with the device and acts as a local gateway. Fitness trackers and other consumer items employ this kind of model. These devices rely on smartphones as they are incapable of connecting to the cloud service directly. Here, the role of smartphones is to act as an intermediate gateway. Figure 4: Back-end data-sharing communication model (Rose, Eldridge and Chapin, 2015). 4 Requirement for IOT Gateway IoT is experiencing a lot of innovations day-by-day, especially in the industrial application due to centralized management, automation, and system reliability of end equipment. However, most of these innovations are also applicable to various types of embedded systems which include security devices, wearables, commercial and residential HVAC, medical monitors and many other rapidly evolving consumer applications (Folkens, 2014).

The engineers are facing the challenge of “connectivity” in the process of the Internet of Things (IoT) design. They do not have enough experience, and it falls out of the range to implement secure and robust access to the Wide Area Network (WAN) or the Internet. They can connect any devices irrespective of the amount of voltage, types of the encoder, the frequency of updates or any other variations. They act as a common portal which consolidates the data, connects them to the network and alleviates the issue of device diversity or variation (Folkens, 2014). As a result, the individual nodes become free of high-speed internet cost or complexity. 6 IoT Gateway Architectures There are several architectures to set up IoT gateways. The figure 5, 6 and 7, below show the different methods.

Here, the gateway acts as a point of translation between the WAN and the PAN. Figure 7: Nodes indirectly connect to the Internet using PAN through 6LoWPAN There are many other types of architectures and nodes to build the IoT systems. However, the above three architecture show the general implementation of IoT in the residential and industrial application. The performance and the sophistication might vary depending upon the use of the endpoints, but the above architecture focuses on low cost and high volume applications. The next section describes the various practical IoT gateway architectures. Multi-protocol proxy is the element of the gateway which fetches the information from the physical world, that is, it collects data from the sensors. The language difference at the sensor and the IoT services end requires a multi-protocol proxy to convert the sensor information into a form which is easily understood by the services.

It consists of two additional components to manage the sensor data. First component being topic and which stores the sensor resources and information; the second component is the topic router which contains information about the publisher (sender) and subscriber (receiver) of the message. It ensures safe transmission of sensor information. The semantic gateway as a service is a technique which provides a platform for initiating communication between the real world devices and the technological services. This gateway ensures interoperability and facilitates cross-platform communication using the various network protocols. Furthermore, this architecture encourages the secure transmission of data as the gateway act as a barrier which analyzes the transmitted data and ensures only the authentic information gets forwarded and restricts all the other malicious data.

Thus, the gateway architecture supports IoT and enables safe implementation of services. Intel also offers an IoT gateway to promote an interoperable environment in IoT. It allows the development of wide range of intelligent systems. The platform is responsible for the maintenance, management, and deployment of remote devices. Furthermore, it enables communication over a wide range of communication techniques including wired and wireless networks allowing the devices to transmit the information to the cloud platform efficiently. The security offered by this platform involves device and data protection through secure booting using a wide range of arrays and protocols. The platform supports application written in Lua, JAVA, and OSGi, making the system scalable and reusable for varied application development (Intel IoT Gateway, n.

It provides basic software, hardware, and drivers which lay the foundation for quick development and deployment. The McAfee security system embedded in the architecture creates a trustworthy IoT environment by enabling secure data transmission. It encourages the development of secure and scalable solutions which collects data from various sensor nodes and transmits them to the cloud for further processing and service activation (Intel IoT Gateway, n. d. This gateway architecture allows businesses to innovate because of its efficient manageability, communication, and security. 8 Security Measures IoT gateways are necessary for providing end-to-end connections for transferring the application specific data from the low power sensors to the cloud solutions for processing. The gateways are responsible for the transfer of bulk information comprising of crucial data which requires established security measures to safeguard the information.

However, the vast expanse of the network and its connectivity with a million of the devices worldwide makes it vulnerable to cyber-attacks. The increased case of network breach and data theft has made it crucial for the IoT developers to develop a secure system which ensures safe transmission of information. This secure system requires implementing some preventive measures to assure data safety. Confidentiality. The sensor data must remain confidential to the particular IoT network. Any leakage of the data may cause the complete IoT system to fail. Therefore, it is the primary need to secure the sensor and other device’s data. One of the methods to protect the data is through encryption. Hence, IoT devices can make use of “creation key” and “token” to identify its rightful owner.

Whenever a new thing is created, the entitled system assigns it with a “creation key. ” The manufacturers need to apply this key to the newly created thing. On the other hand, the creators of the “token” are the current owners or the manufacturers. This token is combined with the RFID of the device. Authentication. In an IoT network, every object must have the ability to identify and authenticate other objects uniquely. Hence, the data access must be authorized to transfer authentic information. Implementing authentication in IoT becomes difficult due to the presence of several entities such as service providers, devices, processing units, and people. Moreover, in many cases, an object might need to interact with completely new objects, which is also a matter of concern.

It will safeguard the information from theft and allow only the authorized user to access the data which will help in maintaining the integrity. Heterogeneity. The IoT network comprises of several devices having varied Configurations and different vendors. These numerous devices require a suitable connecting protocol which can efficiently connect all the network devices. Furthermore, there is a requirement of security protocols and adequate cryptography solutions to ensure information security at every node. These devices demand a separate framework for action. Therefore, it is necessary for the organizations and the IoT system development team to develop an independent policy framework for IoT system components (Yousuf et al. , 2015, pp. These policies will assure integrity and confidentiality of data. Encryption key management. Weak passwords give an opportunity to hackers to enter the network and manipulate the confidential data, harming the integrity of the system (Yousuf et al.

, 2015, pp. Thus, it is required to spread proper awareness about h use of various IoT device usage and its security issues to the people to prevent the security breaches. 2 Cryptosystems IoT network comprises of several interconnected components such as sensors, actuators, RFID (Radio Frequency Identification Devices), GPS (Global Positioning Systems) and the internet. The extensive network of different devices and the information flow over the web necessitates the requirement of standard security measures to ensure data security. 3 Access control With the evolution of the technology and increased power of the network, Internet of Things are about to rule the world. The coming future will bring all the electronic devices to be connected to a single network to send and receive messages.

The door lock will open itself as a visitor comes to your door. The light system will automatically work, and the room temperature will adjust itself as you enter the home at the end of the day. Not only the homes, but also this Internet of Things will make their strong presence in a wide variety of domains such as industries, defense, education, agriculture, and so on. This unethical activity demands proper security solution to ensure safety and confidentiality of the crucial data. One way to ascertain this security is through the use of established security solutions such as intrusion protection and others, for every device of the network. However, the implementation of such security solutions is not cost effective. Therefore, there is a need for some affordable safety measures (Al-Fuqaha et al.

Firewall is one such solution which stands between the IoT network and the internet to protect the former from malicious attacks and intrusions. Direction control. It is responsible for deciding information flow direction in the network. It decides on selecting the requests, initiation, and flow direction. It verifies the requests and directs it to the desired system so that it may not disturb the normal workflow of the other network components (Aleshunas, 2010, pp. User control. The configuration of the firewall is such that manages both inbound and outbound messages (Aleshunas, 2010, pp. The following information of the network governs the rules of data flow. Source IP address is the IP address of the system from where the message originated. The destination address is the IP address of the system where the message needs to get delivered.

Source and destination, transport level port number helps to identify the applications used. The port number less than 1024 is the “well known” and are application specific. However, the port numbers greater than 1024 are dynamic and gets allocated temporarily for a particular session. The simple packet filter permits inbound traffic on these higher port numbers which increased the security vulnerabilities of the network which when exploited by unauthorized users can cause some severe damage to the information security of the network. The use of stateful inspection firewall can restrict such security vulnerability as it stiffens the rules for TCP traffic. It creates a directory for outbound TCP connections and maintains a record for each connection. The IoT gateways are the intermediary in this process which is responsible for secure transmission of the cryptographic key from the cloud to the device.

This key received at the time of device installation has lifetime use for encrypting and decrypting of the vital network data. The IoT gateway efficiently manages the secure key and protects it from middle-man attacks and eavesdropping. It necessitates the requirement of secure gateway system with tamper resistance to protect information. Additionally, there is a need to devise a strong cryptanalytic algorithm which cannot easily be decrypted and the malicious attacks can be restricted (Fife, 2015). Any external interface and services other than the intended ones need not be incorporated. It is because these additional interfaces become the backdoors which facilitate the security breaches and hacker attacks. Furthermore, the minimization of the debugging algorithm must follow restricting the authentic users from executing arbitrary code on gateways for the sake of security.

The proper gateway design and imposing of restrictions on the user access will help to protect the information flowing in the IoT network (Fife, 2015). The security measures mentioned above intends to safeguard the IoT gateways which in turn are responsible for the secure information transmission within the IoT network. The primary objective of the security awareness program of an organization is to make the employees aware of their responsibilities. The program helps to safeguard the availability, integrity, and confidentiality of the data shared in an open network. The security of information and its asset is not only the responsibility of IT department but also the users. Users must understand the criticality of data protection (Russell, 2002). People are often the weakest link in IoT security chain because they are not trained and are unaware of the various security vulnerabilities.

Some of the common organizational barriers of the IoT gateway systems are as follows. 2 Personal barriers. Lacking personal efforts. Many people who work in organizations believe the Information Technology Department should maintain the IoT gateway security through the right framework implementation. They show non-cooperative behaviors when new security measures get adopted. New features, policies, and frameworks keep emerging as it is not completely stabilized. Hence, the awareness sessions or programs sometimes do not match the pace at which this technology changes. The awareness team often misses informing the users about the updates in the technology, which averts them from using that particular technology. It is probably the reason behind the accurate and timely implementation of a security awareness programs. These programs should constantly keep track of new changes in IoT gateways and informs them to the users (Russell, 2002).

If both of these problems are not conveyed, the security awareness program can fail. This inappropriate messaging can lead to a significant gap in the security concern even in the case of robust security systems. Sending similar messages for all sorts of security breach issues in IoT gateways can be harmful, as this will not grab the immediate attention of the reader when it is crucially required. Thus, going for a message with “one-size-fits-all” is not a wise thing to do, especially when dealing with the security of the information system. Messages like this can be quickly ignored or put into spam which is undesirable. When the audiences receive regular reminders about handling IoT devices, it works as a feedback loop, eventually improving the overall performance of the gateway security (Russell, 2002).

Breaking communication chain. Sometimes there is a need to send some specific messages to a group of individuals working under a domain; the issue arises when the messages do not reach to all the designated people. Moreover, in the case of IoT implementation, proper communication is necessary to transfer the right message to every individual associated with IoT project. For instance, if a message needs to get delivered to all the programmers of an organization; it may be possible that some of them work together in a team while the others may reside at distributed locations, at different company sites. Such lack of interest probably occurs due to the pressure of jobs and responsibilities of the managers, and they find it difficult to find room for the new security practices.

The new security practices in such cases get disregarded which affects the gateway security (Russell, 2002). Lack of resources. Resources reduce due to the absence of support from the management team or lack of knowledge of the new technology. When the management is unsupportive, it gets difficult to use the available resources efficiently. Weak social engineering. This barrier does not impact the implementation of gateway security mechanism. But, in turn, can affect its success. Its management is critical because this is the “people link” and is incredibly easy to attack. Social engineering is all about hunting on the natural human tendencies, to pull out information that is otherwise hard to obtain. It gets initiated by identifying the shortcomings of theories and viewpoints.

It also helps to identify areas of weakness which require further research. This approach shows that author has an in-depth knowledge of the subject- in this case, the Internet of Things. It also lets the readers understand exactly where research project fits into the area of the study and how the new study adds to the existing body of the agreed knowledge. Under this method, a thorough demonstration of the familiarity with the present body of knowledge is done also establishing the credibility of our study, in this case, the IoT security issues. This approach also emphasizes the significance of the deductions that they generate during the research process. This methodology is conducted using methods that focus on the depth, richness, context, the multi-dimensionality, and complexity of the research study to generate methods to mitigate issues (Mason, 2002).

For instance, in this proposed project, the qualitative research is used to gather evidence and findings of the security issues that the organizations face dealing with the Internet of things. Qualitative research also helped to derive conclusions and inferences that might apply to the different organizations that are actively using IoT. Additionally, our qualitative research also included in-depth interviews to cover all necessary elements that address the research issue. 1 Quantitative analysis (close end questions) 1. How long have you been using and involved with the applications of the internet of things? Options Frequency (%) Total respondents Less than 6 months 26. 67% 15 6 months – 12 months 20% 15 1-2 year 13. 33% 15 3-4 years 20% 15 More than 4 years 13. 33% 15 Table 2: Time period involved with internet of things Figure 12: Time period involved with internet of things 2.

67% 15 Table 4: Addressing security issues in IoT Figure 14: Addressing security issues in IoT 4. What are the security measures you have taken for securing the use of internet of things? Options Frequency (%) Total respondents Heterogeneity 20% 15 Security policies 33. 33% 15 Encryption key management. 33% 15 Security awareness 20% 15 Authentication 13. 33% 15 Table 5: Security measures for IoT Figure 15: Security measures for IoT 5. Which security policy you think more useful for mitigating security issues in IoT? Options Frequency (%) Total respondents Network Management Policies 33. 33% 15 Operational Management Policy 40% 15 Security Management Policies 26. 67% 15 Table 8: Security policies for IoT Figure 18: Security policies for IoT 8. Being an IT professional, what is your opinion regarding the best technique of securing internet of things from an end user? Options Frequency (%) Total respondents proxy service 22. 67% 15 Enabling firewalls 14. 1 Addressing research question 1 Based on the above research and addressing the first research question.

i. e. , What gateway-based mitigation measures should be used to address IoT related security and privacy issues, following security policies are proposed for organizations that have deployed gateway-based mitigation measure to secure IoT infrastructures. Security is an ongoing endeavor; organizations are still developing their strategies. Securing link layer with IEEE 802. 4 protocol: The link layer is a protocol layer which helps transfer the data between the adjacent nodes of a WAN. It divides the outgoing data into frames and manages acknowledgments from the receiver. IP security at the network layer: Implementation of IP security protocol suite will help secure the network. Enforcing end-to-end security with authentication and ensuring confidentiality and integration are the main highlights of the IPsec protocol. Additionally, it supports carrier sense multiple access (CSMA) and acknowledgments for reliability (Camarillo 2015).

The security of the data gets strengthened with the 128-bit AES encryption which makes the data inaccessible to unauthorized users thereby ensure secure data flow within the IoT network. 2 Operational Management Policy Load balancing thresholds: The load balancing policy will enable the service load management to ensure the there is no breach of any threshold. The threshold will include networking, computing balance, and the storage resources. Device and service instance configurations: This policy dictates the services and pre-configuration devices and services. The firewalls and Intrusion Detection Systems (IDS) help in averting such vulnerabilities (Bovet and Hennebert 2013). The characteristics of IoT are similar to that of WSN; hence, the IDS that are suitable for WSN can undoubtedly fit in the IoT network.

In IoT, the IP address helps to identify the nodes globally (Camarillo 2015). For example, in 6LoWPAN, the 6BR (6LoWPAN Border Router) is always reachable to connect to its network through the Internet. Therefore, such cases require end-to-end message security. These components are the means of unwanted activities (Dumay and Cai 2015). Hence, these policies focus on preventing such actions as they might bring huge destruction to the data transmitted over the IoT network. 4 Security Policy Implementation Plan The network, operational, and security policies help to protect the IoT gateways and devices from spy attacks and intrusions. The policies illustrate the respective security components and the means by which it protects the IoT environment. The security policy management should primarily focus on policy authoring and define and policy assignment and delivery.

6 Policy Assignment and Delivery In the process of policy management, there occurs a need for security policy definition for each endpoint (Bovet and Hennebert 2013). Therefore, to define the policy across all the endpoints, a need arises for a coarse-grained mechanism. The reuse of policy elements across various policies is possible only when a policy has a proper structure with sub-elements. A policy library can be used to hold various sub-elements of different policies to avoid the need for redefining policy for minimal changes (Bovet and Hennebert 2013). With a collection of default sub-elements, the policy definition process becomes easy and does not require redefining the entire policy. This approach of information and application filtering protects the IoT gateways from spyware and malware attacks.

8 Policy Administration An administration is necessary for proper enforcement of the policy framework. It is the responsibility of the policy administration to upload and alter the security policies and applications which are important for IoT protection (Kim et al. It is back-end interface designed for admin access. The policy repository is timely updated by the administration, so that latest security policies get stored in the database, and the old ones get replaced (Camarillo 2015). The resolver consists of several sub-components, which validate the attributes of the users. Attribute finder. The attribute finder analyses the set of attributes of users. The attributes get queried from the database, which is used to identify the user attributes. Attribute resolver. This engine links to all the subsequent parts of the policy implementation process.

2 Addressing research question 2 Manufacturers of IoT are facing big challenges and barriers due it's early stage and no standardization. As it has been examined in the above research in great detail the risk associated with IoT products, following approaches are recommended for IoT product manufactures for implementing these technologies in the life cycle. 1- Gain certifications Manufacturers are advised to gain ISO 27001 and other security-related certification for their new innovative devices and the production of IoT devices. 2- Security by design: Why? • Changes are much easier to make early in the product lifecycle • Privacy and security is not something that can be added at later stage How? • Manufacturer should think like hacker • Assess magnitude of a compromise • Evaluate technology components Some of the core information security concepts for building IoT products include 1) Authentication 2) Encryption 3) Data Integrity.

The interconnection of millions of devices defines the Internet of things; however, this extensive network connection is prone to numerous vulnerabilities and intrusion threats. The IoT network transmits crucial information across the web and hence it is necessary to secure the network. IoT gateways act as the barrier between the organizational network and the internet, and therefore there is a need to secure the gateway to block the entry of unwanted elements into the private network. The security policies defined in this research project mainly focus on network protection, operational management, and information security. These IoT policies focus on implementing protection at the various network layers to ensure total safety. It overcomes the gateway problems and barriers. These policies guide the proper operations of the information system.

The security policy demonstrates the information security need for any IoT network. It explains that data is always vulnerable in a network. There always exist threats to data theft and data manipulation. The gateway security policies ensure that IoT gateways transmit safe information in and out of the network thereby assuring data integrity. Chapter 7: Conclusion 5. 1 Conclusion Internet of things is a hot topic in the field of technology, policy, and engineering. It is expected to enhance the ways people live. The experts expect it to change not only people’s lifestyle but all organization’s way of working. The implementation of IoT will have to consider the legal and regulation rights related to data, civil, security, personal and many other aspects.

One of the major issues is the security, upon which the paper focusses. The paper discusses several security challenges for implementing IoT. The communication in such technologies requires cryptographic confidentiality, authentication, and integrity. However, despite such secure communication, they are still prone to security issues such as interface debugging, side channel attack, and DoS attack. Lastly and most importantly, Security is never a single person’s responsibility; no one person will understand the full scope of the environment. It’s a team game. Security is not a product rather it is a process, attackers continue to find vulnerabilities to attack, and industry endlessly prevents attackers from securing their infrastructure. It’s going to be very hard for manufacturers to secure their products 100%.

The burden of security comes to security experts to secure the environment where IOT is being installed and used. webster. edu/aleshunas/COSC%205130/Chapter-22. pdf [Accessed 28 Jun. Al-Fuqaha, A. , Guizani, M. symantec. com/content/en/us/enterprise/fact_sheets/b-insecurity-in-the-internet-of-things-ds. pdf. Banafa, A.  IoT standardization and implementation challenges. Semantics for the internet of things: early progress and back to the future. [ebook] Guildford: Centre for communication systems research, University of Surrey. Available at: http://ai2-s2-pdfs. s3. amazonaws. Available at: https://www. atkearney. com/documents/4634214/6398631/A. T. +Kearney_Internet+of+Things+2020+Presentation_Online. Physical access control. [ebook] Randallstown. Available at: http://www. ittoday. info/AIMS/DSM/8305101. Flow-based security for IoT devices using an SDN gateway. 2016 IEEE 4th international conference on the future internet of things and cloud (FiCloud).

Camarillo, G, (2015). Constrained Application Protocol (CoAP) Usage for Resource Location Discovery (RELOAD). International journal of science, engineering, and technology research, [online]. What is an IoT gateway and how do I keep it secure?. [online] Globalsign. com. Available at: https://www. globalsign. com/36c3/477502ac9df418f2c6c6304e820ad344ce56. pdf [Accessed 14 Jun. Dhanjani, N. Abusing the internet of things. 1st ed. citrix. com/blogs/2015/04/20/resurrecting-duckling-a-model-for-securing-iot-devices/ [Accessed 29 Jun. Fife, C.  Securing the IoT gateway. [online] Citrix Blogs. Gilchrist, A. IoT security issues. 1st ed. Walter de Gruyter GmbH & Co KG, 2017. Hossain, M. pdf [Accessed 24 Jun. Information technology — Security techniques — Information security management systems-Requirements. 1st ed. [ebook] Switzerland, pp. Available at: http://webcache. d. [ebook] Intel. Available at: https://www. intel.

com/content/dam/www/public/us/en/documents/product-briefs/gateway-solutions-iot-brief. pdf [Accessed 24 Jun. Jones, B.  Improving security in the FDDI Protocol. [ebook] Naval Postgraduate School, pp. Available at: http://www. res/integrity-and-trust-in-the-internet-of-things. pdf. Kim, J. The requirement of security for IoT application based on gateway system.  International Journal of Security and Its Applications, [online] 9(10), pp. com/2078-2489/7/3/44/pdf [Accessed 7 Jun. Man In the middle attack. (n. d. [ebook] p. and Purushothaman, B. IOT technical challenges and solutions. 1st ed. Artech House, p. Panasenko, S. Advanced multimedia and ubiquitous engineering. 1st ed. Springer, p. Park, N. and Kang, N. Reddy, A.  Safeguarding the Internet of Things. [ebook] pp. Available at: https://www. cognizant. , Eldridge, S. , and Chapin, L. The internet of things: An overview.

Internet Society, pp. Available at: https://www. [ebook] Palo Alto: Open networking foundation, p. Available at: https://www. opennetworking. org/images/stories/downloads/sdn-resources/technical-reports/TR_SDN-ARCH-Overview-1. pdf [Accessed 24 Jun. IEEE Internet of Things Journal, 1(1), pp. The Royal Literary Fund. Literature reviews. [online] Available at: https://www. rlf. , Aloul, F. and Zualkernan, I. Internet of Things (IoT) security: Current status, challenges, and countermeasures.  International Journal for Information Security Research, [online] 5(4), pp. Available at: http://www. Proceedings of the 16th international workshop on mobile computing systems and applications. Appendix Survey questionnaire: A closed type questionnaire was administered to IT professional involved in IoT who gave responses that helped in completing the study. The selected participants had worked in different IoT and device manufacturing companies for at least two years.

Also, professionals and users who owned IoT devices were involved in the survey. From the IT professionals, they shared information especially regarding the challenges they encounter during development and implementation of IoT while the user of IoT devices shared the issues and concerns they experienced while using IoT devices. How far do you believe the use of internet of things is risky as security concerns involved with it? Options Strongly Agree Agree Neutral Disagree Strongly Disagree 3. How far do you believe that is important to address the security issues involved with the internet of things? Options Strongly Agree Agree Neutral Disagree Strongly Disagree 4. What are the security measures you have taken for securing the use of internet of things? Options Heterogeneity Security policies Encryption key management.