We are in an age of the ‘Internet of Everything’ where boundaries between citizens, governments, media, and societal organisations are becoming increasingly fuzzy as interconnected digital devices enable the collection and exchange of vast amounts of information across the globe. The availability of data gathered by these devices, coupled with advances in channels of digitally mediated communication, has created a host of new systems that are embedded into a range of human activities, including agriculture, energy, transportation, healthcare, policing, and education – creating the potential for a ‘smarter planet’. However, these cyber-physical, socio-technical systems also open the door to new threats from a range of sources, from attackers with malicious intent to opportunists exploiting vulnerabilities in systems to cause deliberate or accidental harm. This talk provides an overview of the challenges created by this ‘Internet of Insecure Things’ and argues for adopting human-centric engineering approaches for addressing these challenges.
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Dealing with the Internet of Insecure Things
1. Dealing with the
Internet of Insecure Things
Arosha K. Bandara – The Open University
arosha.bandara@open.ac.uk / @arosha
2. Dealing with the Internet of Insecure Things
Overview
3
Security
Internet of
Things
IoT Security &
Privacy
Human-centric
Engineering
Future
Directions
3. Background: Internet of Things
4
aka Cyber Physical Systems: co-engineered interacting
networks of physical and computational components …
Food &
Agriculture
Transport
Policing
Health &
Wellbeing
+ …
Heterogeneous
IoT Cloud
IoT Intranet
Hybrid IoT
4. Background: Internet of Things
5
operate at different scales, from individuals
to cities and nations …
Large-scale
5. Background: Internet of Things
6
Data
Actions
Learn
Adapt
Analyse
Interact
driven by data collected from the world …
Data-driven
6. Background: Internet of Things
7
Data
Actions
Learn
Adapt
Analyse
Interact
depend on software to weave
together different technologies …
Software-intensive
Data-driven
7. Dealing with the Internet of Insecure Things
Overview
10
Security
Internet of
Things
IoT Security &
Privacy
Human-centric
Engineering
Future
Directions
9. Background: Security
12
Risk Countermeasures
Security goals/
requirements
Policies
Assets
Threats
Vulnerabilities
Attacks
Problem Space Solution Space
Undiscovered
vulnerabilities
Unexpected
attacks
Variable
risk
Violated/changing
policies
Unknown
threats
Variable assets or
asset values
Failure (hidden
bug/cascading
failure)
Failed/changing goals/reqs
Conflict with other goals/reqs
10. Dealing with the Internet of Insecure Things
Research Challenge
13
Engineering adaptive systems that continue
to satisfy their security and privacy
requirements and that are forensics ready.
Autonomous, Reactive,
Automated, Dynamic, Runtime
Cyber-physical, Socio-technicalSystematic
Goals, Assets, Threats, Context
Validation & Verification, Argumentation, Proof
Design-time
11. Dealing with the Internet of Insecure Things
Overview
15
Security
Internet of
Things
IoT Security &
Privacy
Human-centric
Engineering
Future
Directions
13. Internet of Insecure Things
●New attack surfaces through the physical environment
●For example, acoustic attacks can target gyroscopic
sensors in autonomous vehicles to cause shutdowns.
New Challenges: Physical Channel Attacks
17
Sound Wave @
Resonant Frequency of Gyroscope
Attacker
Drone
14. Dealing with the Internet of Insecure Things
Opportunities: Collaborative Cyber-Physical Security
21
Component 1 Component 2
Component 3 Component 4
Operational Environment E
Component 1
Component 2
Component 4
Secure Operational Environment
Mediator
Requirements analysis1
Feature
Selection
Features-driven
Mediator Synthesis
2
3
Security control
Selected features
Requirements R
Capabilities
Objective
1
2
3
Selecting and configuring components
Making components collaborate
Identify adequate security control
Technique
Mediator synthesis
Feature modelling +
Constraint programming
Goal modelling1
2
3
Bennaceur, A.; Tun, T.T.; Bandara, A. K.; et al. (2017). Feature-driven Mediator Synthesis: Supporting Collaborative Security
in the Internet of Things. ACM Transactions on Cyber-Physical Systems
15. Dealing with the Internet of Insecure Things
Overview
23
Security
Internet of
Things
IoT Security &
Privacy
Human-centric
Engineering
Future
Directions
16. People in the Machine
24
IoT systems involve many different
types of people …
IoT Systems
Users
Software
Engineers
Policy Makers /
Regulators
Administrators
+ others
17. People in the Machine
25
Engineer - Stakeholder
Smart Systems
Users
Software
Engineers
Policy Makers /
Regulators
Administrators
+ others
18. Gathering Requirements
Smart System Exemplars
26Bennaceur, Amel; Mccormick, Ciaran; et al (2016). Feed me, Feed me: An Exemplar for Engineering Adaptive Software.
In: 11th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, May 2016.
Requirements
19. Gathering Requirements
Contravision Technique
27Mancini, Clara; Rogers, Yvonne; et al (2010). Contravision: Exploring users' reactions to futuristic technology.
In: Proceedings of the 28th International Conference on Human factors in computing systems, April 2010.
Requirements
20. People in the Machine
28
Engineer – Smart System
Smart Systems
Users
Software
Engineers
Policy Makers /
Regulators
Administrators
+ others
21. Supporting System Design
IoT Privacy Guidelines
29Perera, C.; Mccormick, C.; et al (2016). Privacy-by-Design Framework for Assessing IoT Applications and Platforms.
In: International Conference on the Internet of Things (IOT 2016), November 2016.
Process/Techniques
22. Supporting Software Design
IoT Privacy Guidelines
30Perera, C.; Mccormick, C.; et al (2016). Privacy-by-Design Framework for Assessing IoT Applications and Platforms.
In: International Conference on the Internet of Things (IOT 2016), November 2016.
Process/Techniques
23. People in the Machine
31
User – Smart System
Smart Systems
Users
Software
Engineers
Policy Makers /
Regulators
Administrators
+ others
24. User - System Interactions
Privacy Itch & Scratch
32Mehta, V.; Bandara, A. K.; et al (2016). Privacy Itch and Scratch: On Body Privacy Warnings and Controls.
In: ACM Conference on Human Factors in Computing Systems, May 2016.
UserInterfaces
25. User - System Interactions
Privacy Band
33
Arduino(
Nano(
Bluetooth(
LE(
3.7V(LiPo(
Ba7ery(
Power(Booster(
Vero(
Board(
On<Off(Switch(
(a)(
7.5cm&7.5cm&
Vibe&Boards&
Fabric&
Patch&1&
Fabric&
Patch&2&
(b)&
UserInterfaces
Mehta, V.; Bandara, A. K.; et al (2016). Privacy Itch and Scratch: On Body Privacy Warnings and Controls.
In: ACM Conference on Human Factors in Computing Systems, May 2016.
26. People in the Machine
34
IoT systems involve many different
types of people …
Smart Systems
Users
Software
Engineers
Policy Makers
Administrators
+ others
Human-centric Security & Privacy
27. Dealing with the Internet of Insecure Things
Overview
36
Security
Internet of
Things
IoT Security &
Privacy
Human-centric
Engineering
Future
Directions
28. Dealing with the Internet of Insecure Things
Future Directions
37
Effective
Security
Collaborative
Composition
Forensic
readiness
Transparency
Socio-technical
resilience
29. Dealing with Internet of Insecure Things
●People are an integral part of the Internet of Things.
●Engineering security and privacy needs to encompass the
cyber-physical-social dimensions of the Internet of Things.
●Human-centric approaches are a critical addressing the
future challenges of securing the Internet of Things.
Key Messages
38