When computer scientist Jeffrey Voas set out to determine the security implications of the Internet of Things for the National Institute of Standards and Technology, he ran into an unusual complication.
“When I started this work about two years ago, I couldn’t find a satisfactory definition of IoT,” Voas told the Federal Drive with Tom Temin.
Voas was able to find the things the media was talking about, the things the hype was built around, but he couldn’t find the science behind it.
“What I wanted to do was figure out ‘What’s the science? What’s the foundation of IoT?’ and then ‘What are the security ramifications?’” he said. “That’s where this document started, and that’s what this document is about.”
The document he created, NIST Special Publication 800-183, uses the terms IoT and NoT (Network of Things) interchangeably because, it explains, IoT refers to a network connected to the internet. That’s by no means a given, however; it’s completely possible to have a local area network of things that is not connected to the internet.
What Voas found, once he sifted through the hype, is that when NoT is boiled down to its basic fundamentals, it looks very familiar: it’s just distributed computing with more sensing.
The four fundamentals of NoT are the same as distributed computing, consisting of:
The only difference is that with traditional distributed computing, there’s far less sensing going on. With IoT/NoT, practically every device is a sensor. That’s where IoT/NoT’s biggest security problem comes in.
“Once you put sensing in there, what do you wind up with? You wind up with a lot of data,” Voas said.
Voas said that securing data even on a small scale is difficult, so when it’s scaled to an IoT/NoT scenario, it becomes even more so.
“From a security standpoint, if we couldn’t solve it when it was smaller, how do we solve it now that it’s scaled up?” he asked.
The problems, he said, are heterogeneity and pedigree. The larger a NoT system is, the more difficult it is to tell when a new “thing” — which could be a smartphone, a laptop, or any other number of connected devices — is connected. It’s also difficult to tell where that thing came from. This leads to questions about the integrity of the data.
He said that there used to be more hands-on control when networks had clear boundaries. But IoT is unbounded, which leads to yet another issue: security and reliability research, involving comparisons and analytics, have to be done on specific networks.
If a network is unbounded, how can it be analyzed and compared? As the report says, “There is no singular IoT, and it is meaningless to speak of comparing one IoT to another.”
So Voas took a page from more traditional computer science: he broke the concept down into five primitives, the building blocks a system is made out of, in order to have something to compare. These primitives are:
Sensors – a physical device which collects raw data.
Aggregators – software that converts raw data into meaningful groupings.
Communication channels – how data is transmitted (e.g. USB, wireless, wired).
External utilities – software or hardware products or services that “execute processes or feed data into the overall workflow of a NoT (e.g. databases, mobile devices, clouds, CPUs).”
Decision trigger – a conditional expression that triggers an action.”
Voas included in the document security ramifications that affect each of the primitives during the architecture of a NoT.
“This is kind of a way to look at a system and say your NoT has these certain properties,” he said. “It’s a distributed system, but it’s also advanced, because things have advanced over time.”
He said that establishing this foundation was necessary in order to fully understand IoT and its security implications.
“Most people want to move [into IoT],” Voas said. “But most people need a fundamental vocabulary and a scientific foundation to understand what they are moving into. Then they can do their risk trade-off, their risk assessment, and all that.”