Elsevier

Internet of Things

Volume 14, June 2021, 100129

A survey on internet of things security: Requirements, challenges, and solutions

https://doi.org/10.1016/j.iot.2019.100129

Abstract

The Internet of Things (IoT) is one of the most promising technologies that aims to enhance humans’ quality of life (QoL). IoT plays a significant role in several fields such as healthcare, automotive industries, agriculture, education, and many cross-cutting business applications. Addressing and analyzing IoT security issues is crucial because the working mechanisms of IoT applications vary due to the heterogeneous nature of IoT environments. Therefore, discussing IoT security concerns together with available and potential solutions would help developers and enterprises find appropriate and timely solutions to tackle specific threats, providing the best possible IoT-based services. This paper provides a comprehensive study of IoT security issues, limitations, requirements, and current and potential solutions. The paper builds upon a taxonomy that uses the three-layer IoT architecture as a reference to identify security properties and requirements for each layer. The main contribution of this survey is classifying the potential IoT security threats and challenges from an architectural view. From there, IoT security challenges and solutions are further grouped by the layered architecture so that readers get a better understanding of how to address the current IoT security threats on each layer and adopt best practices to avoid them.

Introduction

The Internet of Things (IoT) paradigm has drawn the attention of major service providers, businesses, and industries such as healthcare, autonomous vehicles, smart grids, digital agriculture, and many others. IoT enables objects to hear, listen, talk, and act in smart ways, and its usage is expected to be more pervasive by the end of 2020 as part of the Industry 4.0 revolution [1].

“Things” refer to a set of objects that can communicate and act with or without human interaction, for which reason the IoT can be seen as robotic of things (RoT). The things can be sensors, automobiles, refrigerators, washing machines, and many others [2]. Understanding the IoT space requires defining the IoT layers and elements in order to describe the possible IoT architectures based on the required services and fields. Different architectures have been proposed for IoT environments. Generally, such architectures are grouped into three classes as follows (a glossary of the abbreviations and acronyms mentioned in this paper is shown in Table 1):

  1. Three-layered architecture: This class is the most common type among publications and fellow researchers [3]. It is structured top-down into (a) the application layer, in which both application and service functions operate; (b) the network/transmission layer; and (c) the perception/edge layer, which relates to the things or end-point devices of the architecture.

  2. Four-layered architecture: The structure of this class is very similar to the three-layered architecture, while application and service are defined with a separate layer in the architecture.

  3. Five-layered architecture: This architecture considers two additions: (a) a business layer above the application layer for delivering a wide range of functionalities in each different domain of IoT, or (b) a sub-layer in the edge layer for those IoT applications that may be very critical at the device level.

Although no comprehensive standard has been presented for the IoT application layer, this layer can provide a range of services in different applications, for example in smart cities and homes [4], [5], smart grids [6], [7], [8], healthcare [9], [10], and autonomous vehicles [11], [12], [13]. The application layer can also operate as middleware [14], a communication protocol, and cloud computing for service support; thus, security concerns differ based on the environment and industry of the application. As can be seen in Fig. 1, different components are defined in the application layer architecture, and each component’s operation depends on the application environment. For instance, retrieving medical records in healthcare requires a special application programming interface (API) or special applications as binaries on the client and server sides [15]. Most application security architectures focus on securing the CoAP protocol using DTLS, whereas other application security architectures base their model on the encryption of HTTP payloads [16], [17], [18], [19], [20].

The network layer manages data transmission among the other layers. This layer also provides access to the perception layer via different standards and protocols such as IEEE 802.x, Global Positioning System (GPS), and Near-Field Communication (NFC). As shown in Fig. 2, this layer is also backed by a cloud back-end infrastructure, mobile devices, and the Internet protocol [21]. Moreover, the network layer can be viewed from different aspects depending on the environment in which it is applied. However, the most common security mechanisms in the network layer of IoT architectures include blockchain technology, intelligent intrusion detection systems, and key management and encryption systems [22], [23], [24], [25], [26], [27] (Fig. 3).

In this layer, end-user (cloud-edge) IoT devices can interact with the client or their working domains, such as sensors, smart meters, or the IoT edge layer servers of a gateway that has a coordinator role in the working domain. Because the edge layer is physically exposed in the IoT architecture, it faces a large number of attacks. The most common security components applied in this layer include multi-factor authentication mechanisms, end-point anti-malware solutions, secure channeling, and machine learning-based solutions for anomaly detection in cloud-edge devices [28], [29], [30], [31], [32], [33].

The disruptive usage of IoT devices with increasing computational resources in different application domains has led to a wide range of vulnerabilities in IoT environments. These vulnerabilities can cause fatal failures and information loss in different domains. Thus, the security of IoT environments has been one of the hot topics in recent years, drawing the research community’s attention. As evidence of this trend, Table 2 shows recent work on security vulnerabilities in the IoT architecture.

From the security aspect, regardless of the architecture of the IoT environment, a wide range of threats is associated with each layer of the IoT architecture. Each threat needs an appropriate security solution to prevent, detect, and compensate for the attack. Taking a top-down approach, security threats in the application layer usually include information stealing, malware propagation, and botnet attacks on web services. The network layer is very attractive to attackers of IoT environments, who exploit vulnerabilities that exist in protocols and standards. Denial of Service (DoS), session hijacking, and corruption are the most common threats that occur in protocols and standards [51]. In the cloud computing components of IoT, users encounter a wide range of security threats and vulnerabilities such as misconfiguration, lack of good identity management, inappropriate data access control, infrastructure security, and data privacy violation [52]. In the edge layer, because of the predictable location of the connected devices in the IoT environment and their limited computational resources, a whole range of different threats arises, including node sabotaging, node failure, node disconnection, offline information gathering, false node message corruption, exhaustion, Sybil, jamming, tampering, and collisions [36].

Up to this point, several high-quality survey papers have been published in the literature in the domain of IoT, covering security and privacy, architecture, and applications [1], [3], [51], [52], [53], [54]. In this paper, we attempt to cover significant works conducted in the last 10 years toward identifying security requirements and challenges, and include those that give appropriate solutions to mitigate IoT security problems. In addition, we propose a three-layer-based taxonomy for mapping security requirements at each functional level of the IoT architecture for readers with diverse backgrounds in IoT. Moreover, we perform a descriptive analysis of the identified security requirements, challenges, and solutions from a top-down approach based on the essential security needs in different applications of the IoT. Most of the highly referenced research papers consider the three-layer architecture an essential structure for IoT [55], [56], [57], [58], which is well in line with the objectives of this research.

The specific contributions of this paper include:

  • Identifying and analyzing security requirements and vulnerabilities of the IoT environments, as well as a taxonomy based on a three layer architecture for IoT security requirements and vulnerabilities.

  • Presenting and evaluating security challenges and their corresponding solutions of the IoT environments, as well as a taxonomy based on a three layer architecture for security challenges and solutions.

The rest of this paper is structured as follows. In Section 2, we deal with the IoT applications and security requirements. In Section 3, we present IoT security and privacy challenges. Section 4 provides security solutions for each challenge in a three-layer architectural way, and finally in Section 5 we discuss IoT security and privacy challenges and requirements solutions in the current and future applications based on the identified requirements.

Section snippets

IoT applications and security requirements

To mitigate the impact of cyber threats in different IoT applications, security requirements need to be properly provided. In this view, this section first proposes a taxonomy of IoT applications based on the degree of involvement in each layer. Afterward, it gives the essential security requirements from the layer-based architecture.

IoT security and privacy challenges

According to the IoT properties and due to the commercialization aspect in most domain applications, IoT faces a large number of security challenges [85]. Each security challenge could be involved in one or more layers of the IoT architecture, thus each one demands significant upkeep. For example, the diversity of IoT devices in terms of their functionalities can lead to security challenges. Due to the high diversity of connected devices and their associated communication protocols in IoT,

IoT security and privacy solutions

Security challenges in each layer of the IoT architecture are involved with all application-based (i.e. application, firmware, interfaces, etc.), network-based (i.e. cloud back-end, standards, protocols, etc.), and device-based (i.e. physical devices, cloud gateways, etc.) components of this paradigm. In this section, we present a taxonomy based on state-of-the-art solutions for each security challenge. Application layer solutions are presented in Table 4, Network layer solutions are presented in Table 5,

Conclusion

With the increasing usage of IoT devices in most business domains and personal lives, security concerns grow. Due to the limited resources and the diversity of components in different IoT environments, a wide range of vulnerabilities has emerged. Most of these vulnerabilities can lead to system failure in the working environment of the IoT. Since there is no predefined standard for IoT environments, most of the research conducted to date has presented IoT security challenges and

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (157)

  • D.E. Kouicem et al.

    Internet of things security: a top-down survey

    Comput. Netw.

    (2018)
  • C. Konstantinou et al.

    Impact of firmware modification attacks on power systems field devices

    2015 IEEE International Conference on Smart Grid Communications (SmartGridComm)

    (2015)
  • K. Zhao et al.

    A survey on the internet of things security

    2013 Ninth International Conference on Computational Intelligence and Security

    (2013)
  • N. Neshenko et al.

    Demystifying IoT security: an exhaustive survey on IoT vulnerabilities and a first empirical look on internet-scale IoT exploitations

    IEEE Commun. Surv. Tut.

    (2019)
  • T.M. Behera et al.

    I-sep: an improved routing protocol for heterogeneous WSN for IoT based environmental monitoring

    IEEE Internet Things J.

    (2019)
  • L. Atzori et al.

    Assignment of sensing tasks to IoT devices: exploitation of a social network of objects

    IEEE Internet Things J.

    (2019)
  • A. Kumari et al.

    Fog data analytics: a taxonomy and process model

    J. Netw. Comput. Appl.

    (2019)
  • L. Barreto et al.

    An authentication model for IoT clouds

    2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM)

    (2015)
  • W.-C. Chien et al.

    A SDN-SFC-based service-oriented load balancing for the IoT applications

    J. Netw. Comput. Appl.

    (2018)
  • R. Roman et al.

    On the features and challenges of security and privacy in distributed internet of things

    Comput. Netw.

    (2013)
  • M. Brachmann et al.

    End-to-end transport security in the IP-based internet of things

    2012 21st International Conference on Computer Communications and Networks (ICCCN)

    (2012)
  • M. Sethi et al.

    End-to-end security for sleepy smart object networks

    37th Annual IEEE Conference on Local Computer Networks-Workshops

    (2012)
  • J. Lin et al.

    A survey on internet of things: architecture, enabling technologies, security and privacy, and applications

    IEEE Internet Things J.

    (2017)
  • M. Chiang et al.

    Fog and IoT: an overview of research opportunities

    IEEE Internet Things J.

    (2016)
  • X. Jia et al.

    RFID technology and its applications in internet of things (IoT)

    2012 2nd International Conference on Consumer Electronics, Communications and Networks (CECNet)

    (2012)
  • N. Binti A Kamaludeen et al.

    Guideline-based approach for IoT home application development

    2019 International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData)

    (2019)
  • M. Yun et al.

    Research on the architecture and key technology of internet of things (IoT) applied on smart grid

    2010 International Conference on Advances in Energy Engineering

    (2010)
  • J. Sakhnini et al.

    Security aspects of internet of things aided smart grids: a bibliometric survey

    Internet Things

    (2019)
  • T.M. Behera et al.

    Residual energy-based cluster-head selection in WSNS for IoT application

    IEEE Internet Things J.

    (2019)
  • L. Catarinucci et al.

    An IoT-aware architecture for smart healthcare systems

    IEEE Internet Things J.

    (2015)
  • G. Srivastava et al.

    Data sharing and privacy for patient IoT devices using blockchain

    The 7th International Conference on Smart City and Informatization (iSCI 2019)

    (2019)
  • W. He et al.

    Developing vehicular data cloud services in the IoT environment

    IEEE Trans. Ind. Inf.

    (2014)
  • A. Paranjothi et al.

    Hybrid-vehfog: a robust approach for reliable dissemination of critical messages in connected vehicles

    Trans. Emerg. Telecommun.Technol.

    (2019)
  • A. Paranjothi et al.

    Gstr: secure multi-hop message dissemination in connected vehicles using social trust model

    Internet Things

    (2019)
  • J. Qi et al.

    Advanced internet of things for personalised healthcare systems: a survey

    Pervasive Mob. Comput.

    (2017)
  • V. Karagiannis et al.

    A survey on application layer protocols for the internet of things

    Trans. IoT Cloud Comput.

    (2015)
  • J. Choi et al.

    Secure IoT framework and 2D architecture for End-To-End security

    J. Supercomput.

    (2018)
  • S. Arvind et al.

    An overview of security in CoAP: attack and analysis

    2019 5th International Conference on Advanced Computing & Communication Systems (ICACCS)

    (2019)
  • A. Bhattacharjya et al.

    CoAP—application layer connection-less lightweight protocol for the internet of things (IoT) and CoAP-IPSEC security with DTLS supporting CoAP

    Digital Twin Technologies and Smart Cities

    (2020)
  • J. Santos et al.

    An IoT-based mobile gateway for intelligent personal assistants on mobile health environments

    J. Netw. Comput. Appl.

    (2016)
  • M.A. Khan et al.

    IoT security: review, blockchain solutions, and open challenges

    Fut. Gener. Comput. Syst.

    (2018)
  • D. Minoli et al.

    Blockchain mechanisms for IoT security

    Internet Things

    (2018)
  • J. Chen et al.

    Optimal secure two-layer IoT network design

    IEEE Trans. Control Netw. Syst.

    (2019)
  • P. Mahalle et al.

    Identity management framework towards internet of things (IoT): roadmap and key challenges

    International Conference on Network Security and Applications

    (2010)
  • D. Puthal et al.

    Threats to networking cloud and edge datacenters in the Internet of Things

    IEEE Cloud Comput.

    (2016)
  • J. Canedo et al.

    Using machine learning to secure IoT systems

    2016 14th Annual Conference on Privacy, Security and Trust (PST)

    (2016)
  • E.M. Dovom et al.

    Fuzzy pattern tree for edge malware detection and categorization in IoT

    J. Syst. Archit.

    (2019)
  • J. Ren et al.

    Serving at the edge: a scalable IoT architecture based on transparent computing

    IEEE Netw.

    (2017)
  • B. Ur et al.

    The current state of access control for smart devices in homes

    Workshop on Home Usable Privacy and Security (HUPS)

    (2013)
  • J. Wurm et al.

    Security analysis on consumer and industrial IoT devices

    2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC)

    (2016)