It has been an eventful two years since ISOfocus first reported on the Internet of Things (IoT) in 2016. Firstly, a new subcommittee was established that focused entirely on developing standards such as ISO/IEC 30141 for this rapidly expanding sector. Secondly, several high-profile attacks on the IoT vividly demonstrated why these standards are essential.
It was about 20 years ago that the British technology pioneer Kevin Ashton coined the phrase the “Internet of Things” when he was working for Procter & Gamble. Ashton demonstrated in a presentation how the company could use radio-frequency identification or RFID – the wireless technique now widely applied in contactless payments and smart ID cards – to track and trace products. And the phrase stuck.
The official definition of the IoT formulated by ISO and the International Electrotechnical Commission (IEC) is “an infrastructure of interconnected entities, people, systems and information resources together with services which process and react to information from the physical world and from the virtual world”. But in simple terms, the IoT is a network of computerized and often wireless devices that allows us, as well as machines, to see, sense and even control much of the world around us, whether at the individual level or to wider, global scales.
Indeed, IoT devices and systems have increasingly found roles in most, if not all, aspects of modern life. Some are already well-known and in common parlance in domestic and consumer markets, yet the largest users of the IoT work within industrial, healthcare, municipal and agricultural sectors. Put simply, any technology prefixed with smart is likely to be part of the rapidly growing IoT family; for example, smart meters, smart cars, smart cards, smart fitness-trackers, smart cities, smart phones, smart watches, smart utilities, smart agriculture, smart healthcare and even smart manufacturing, said to be the next industrial revolution.
Bringing us closer
Collectively, the IoT can make us more connected, knowledgeable, efficient, effective and less wasteful. But if handled incorrectly, it can make our computer networks and our data less secure and lacking resilience. For it is the relative simplicity of IoT devices that creates as many challenges as it does opportunities. “The benefits are numerous but, at the same time, the biggest risks are resilience and security,” remarks Francois Coallier, the Chair of joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 41, Internet of Things and related technologies. ISO and IEC founded JTC 1/SC 41 to focus on standards for the IoT, whilst JTC 1 itself is responsible for international standardization in the field of IT and has published well over three thousand standards since its inception in 1987.
The challenges of interoperability – or the ability of IoT devices to connect to each other and other systems in a seamless way – and security are linked. “Technologies are developing all the time and at an extremely rapid pace,” adds Coallier, “so their addition to network has been both fast and often ad hoc as new technologies emerge.” The growth of the IoT is exponential, with the estimated potential of up to 50 billion connected IoT devices projected by 2020 and a market conceivably worth trillions of US dollars.
A lightbulb year
2016, the same year that saw the founding of JTC 1/SC 41, was also a lightbulb year for the Internet of Things in both the literal and figurative senses, due to some high-profile attacks on networks through the IoT. In March that year, for example, the “Mirai Botnet” attack paralysed much of the Internet on the eastern side of the USA, in the biggest strike on the Internet to date. Many people were surprised at just how fast the malicious code spread and how easy it was for the hacker to get into supposedly secure networks. So how did it happen? It was a case of the weakest link in a chain or, in this case, IoT devices at the edge of a network.
“The Mirai Botnet’s creator targeted devices such as wireless CCTV cameras and smart televisions, sold with a limited number of default administrator names and passwords,” explains Coallier. The manufacturer made millions of these devices. “The attacking botnet tried each combination of administrator name and password in turn until the attack succeeded, thus permitting the botnet to take control of the device,” he says. “With more than a hundred thousand of these devices under its control, the attacker could generate intense denial of service attacks that were able to bring down temporarily part of the Internet in the US.”
In another well-documented hack, a factory was sabotaged through a social engineering attack on administrative personal computers (PCs). “In this case, it seems that it was possible from these PCs to access the industrial production systems,” adds Coallier, “this would not have happened if the industrial production systems were isolated from the administrative PCs exposed to the Internet through proper network segmentation.” More importantly, the network could have been much securer simply by applying well-documented processes and procedures already described in many standards, such as the ISO/IEC 27033 series for IT security techniques, which is one standard prescribing segmented networks for added security.
In the same year as the Mirai Botnet, a group of Israeli researchers demonstrated the potential for hacking into the lighting networks using a modified airborne drone and exploiting a vulnerability in a popular smart lightbulb. Simply through bypassing the security measures in just one lamp, they could infect adjacent, compatible bulbs and then control them. The researchers reported that if there are enough smart lightbulbs present in a city using the same communication protocols, then a malicious attack could easily access and infect the entire network of bulbs within minutes. Whilst this would be an extreme scenario, as a demonstration exercise, it showed the potential for massive malicious attacks in ostensibly secure networks by exploiting overlooked vulnerabilities in simple devices at the edge of a network.
Enter IoT standards
Therein lies the challenge with IoT devices, which is their simplicity coupled with inadvertent ad hoc implementation, compounded if users overlook their security. Many such devices are simplified, low-power mini-computers with a compact operating system based on the widely available Linux, a system popular with computer hackers. This means IoT devices have different requirements from other computers, so when users do not rigorously apply standards for security, these factors make the IoT a growing target for attacks. “It’s a question of yin and yang with the IoT. It provides opportunities, but we need to balance those with careful implementation and pay much more attention to security,” observes Coallier.
This is where International Standards will underpin the operability and resilience of the IoT. How can they do this? The ISO/IEC 29192 series of standards, for example, defines techniques in lightweight cryptography ideal for low-powered, simpler devices. In the lightbulb example, the Israeli researchers recommended a specific security technique described in ISO/IEC 29192-5, which specifies three hash-functions suitable for applications requiring lightweight cryptographic implementations. But as in any developing field, we will need new standards too, and this is the role of JTC 1/SC 41 whose well-rounded scope covers interoperability, safety and, above all, security.
The JTC 1 subcommittee has published 18 deliverables to date, mostly focusing on sensor networks. Included is a guidance note in the form of technical report ISO/IEC TR 22417, Information technology – Internet of Things (IoT) use cases, which provides a context for users of IoT standards. This guide covers important issues such as basic requirements, interoperability and standards that users have applied. Most importantly, the examples given clarify where existing standards have a role and highlight where further standardization work is needed.
Building the basics
Standards for the Internet of Things establish common ground regarding topics such as terminology or reference architectures that will help product developers deploy an interoperable ecosystem. ISO/IEC 30141 provides a foundation and reference framework for the many applicable standards produced by JTC 1/SC 41. “We saw a need for a reference architecture to maximize the benefits and reduce the risks,” explains Coallier who is the Chair of the ISO subcommittee. Another foundational standard is ISO/IEC 20924, Information technology – Internet of Things (IoT) – Definition and vocabulary. “It is important that those working with the IoT talk the same language,” adds Coallier. ISO/IEC 20924 and ISO/IEC 30141 provide the necessary language.
The working group that developed ISO/IEC 30141 was led by Dr Jie Shen from China, supported by two co-editors who were Wei Wei from Germany and Östen Frånberg from Sweden. Collectively, the project leaders have many decades of experience in the field, enhanced by over 50 other specialists who directly contributed to the standard. “There are a lot of risks and opportunities with the IoT,” informs Dr Jie Shen, adding that “ we need to design the perfect maintenance mechanism to overcome these risks; this itself is a matter of detail.”
Much of the detail is already provided in the many standards published by the JTC 1 subcommittees, and ISO/IEC 30141 supplies a reference architecture to meld them all together, along with several new standards that JTC 1/SC 41 is developing. “ISO/IEC 30141 provides a common framework for designers and developers of the IoT,” explains Coallier. “The standard describes the main characteristics of the IoT, together with a conceptual model and a reference architecture,” he adds. Numerous examples accompany the descriptions.
A six-domain chain
ISO/IEC 30141 also includes a novel and innovative structure known as the Six-Domain Model for IoT reference architecture. This provides a framework for system designers to integrate the multiplicity of devices and operations within the IoT. The project team found that conventional approaches are not suitable for simpler networks. Dr Jie Shen explains: “It is more complicated to build the ecosystem in the IoT, to connect many heterogeneous entities such as human users, physical objects, devices, service platforms, applications, databases, third-party tools and other resources. We found that the conventional layered reference model traditionally applied in IT systems was insufficient.” The Six-Domain Model, on the other hand, can help to subdivide the IoT ecosystem very clearly and guide users to establish the new business model of the IoT. The model itself will be even more effective when underpinned by blockchain, the highly secure technique now increasingly used in financial transactions.
The standard also describes a great deal about interoperability – or enabling diverse types of device to communicate seamlessly – and the IoT concept of trustworthiness. This in turn is defined as the degree of confidence users can have that a system performs as expected, whilst ensuring safety, security, privacy, reliability and resilience when faced with disruptions such as natural disasters, faults, human errors and attacks.“ There are already many published standards for resilience, safety and security, whilst ISO/IEC 30141 provides the reference architecture to apply them,” informs Coallier. At the same time, as the Internet of Things continues to evolve and grow, JTC 1/SC 41 is developing nine further standards for the IoT, to provide for increasing trustworthiness, interoperability, security and technical specifications.