A survey on internet of things security: Requirements, challenges, and solutions
Introduction
The Internet of Things (IoT) paradigm has attracted the attention of large service providers, businesses, and industries such as Healthcare, Autonomous Vehicles, Smart Grids, Digital Agriculture, and many others. IoT enables objects to hear, listen, talk, and act in smart ways, and IoT usage is expected to be more pervasive by the end of 2020 as part of the Industry 4.0 revolution [1].
“Things” refers to a set of objects that can communicate and act with or without human interaction, for which reason the IoT can be seen as robotic of things (RoT). The things can be sensors, automobiles, refrigerators, washing machines, and many others [2]. Understanding the IoT space requires defining the IoT layers and elements in order to describe the possible IoT architectures based on the required services and fields. Different architectures have been proposed for IoT environments. Generally, such architectures are grouped into three classes as follows (a glossary of the abbreviations and acronyms mentioned in this paper is shown in Table 1):
1. Three-layered architecture: This class is the most common type in most publications and among fellow researchers [3]. It is structured top-down in layers named (a) the Application layer, in which both application and service functions operate, (b) the Network/Transmission layer, and (c) the Perception/Edge layer, which relates to the things or end-point devices of the architecture.
2. Four-layered architecture: The structure of this class is very similar to the three-layered architecture, while application and service are defined as separate layers in the architecture.
3. Five-layered architecture: In this architecture, two additions are considered: (a) a business layer above the application layer for delivering a wide range of functionalities in each domain of IoT, or (b) a sub-layer in the edge layer for those IoT applications that may be very critical at the device level.
Although no comprehensive standard has been presented for the IoT application layer, this layer can provide a range of services in different applications, for example in smart cities and homes [4], [5], smart grids [6], [7], [8], healthcare [9], [10], and autonomous vehicles [11], [12], [13]. The application layer can also operate as middleware [14], a communication protocol, and cloud computing for service support; thus, security concerns differ based on the environment and industry of the application. As can be seen in Fig. 1, different components are defined in the application layer architecture, and each component's operations depend on the application environment. For instance, in healthcare, medical records retrieval requires a special application programming interface (API) or special applications as binaries on the client and server sides [15]. Most application security architectures focus on securing the CoAP protocol using DTLS, whereas other application security architectures base their model on the encryption of HTTP payloads [16], [17], [18], [19], [20].
The network layer manages data transmission among the other layers. This layer also provides access to the perception layer via different standards and protocols such as IEEE 802.x, Global Positioning System (GPS), and Near-Field Communication (NFC). As shown in Fig. 2, this layer is also backed by a cloud back-end infrastructure, mobile devices, and the Internet protocol [21]. Moreover, the network layer can be treated from different aspects based on the applied environment. However, the most common security mechanisms in the network layer of IoT architectures include blockchain technology, intelligent intrusion detection systems, and key management and encryption systems [22], [23], [24], [25], [26], [27] (Fig. 3).
In the perception (edge) layer, end-user (cloud-edge) IoT devices can interact with the client or with their working domains, such as sensors, smart meters, or the IoT edge-layer servers of a gateway that has a coordinator role in the working domain. Due to the physical exposure of the edge layer in the IoT architecture, this layer faces a large number of attacks. The most common security components applied in this layer include multi-factor authentication mechanisms, end-point anti-malware solutions, secure channeling, and machine learning-based solutions for anomaly detection in cloud-edge devices [28], [29], [30], [31], [32], [33].
The disruptive usage of IoT devices with increasing computational resources in different application domains has led to a wide range of vulnerabilities in IoT environments. These vulnerabilities can cause fatal failures and information loss in different domains. Thus, the security of IoT environments has been one of the hot topics of recent years, drawing the research community's attention. As evidence of this trend, Table 2 shows recent work on security vulnerabilities in the IoT architecture.
From the security aspect, regardless of the architecture of the IoT environment, a wide range of threats is associated with each layer of the IoT architecture. Each threat needs an appropriate security solution to prevent, detect, and compensate for the attack. Taking a top-down approach, security threats in the application layer usually include information stealing, malware propagation, and botnet attacks on web services. The network layer is very attractive to attackers of IoT environments, who exploit vulnerabilities that exist in protocols and standards. Denial of Service (DoS), session hijacking, and corruption are the most common threats that occur in protocols and standards [51]. In the cloud computing components of IoT, users encounter a wide range of security threats and vulnerabilities such as misconfiguration, lack of good identity management, inappropriate data access control, infrastructure security, and data privacy violation [52]. In the edge layer, due to the predictable location of the connected devices in the IoT environment and their limited computation resources, a whole range of different threats arises, including node sabotaging, node failure, node disconnection, offline information gathering, false node message corruption, exhaustion, Sybil, jamming, tampering, and collisions [36].
Up to this point, several high-quality survey papers have been published in the literature in the domain of IoT, covering security and privacy, architecture, and applications [1], [3], [51], [52], [53], [54]. In this paper, we attempt to cover significant works conducted in the last 10 years toward identifying security requirements and challenges, and include those that give appropriate solutions to mitigate IoT security problems. In addition, we propose a three-layer taxonomy for mapping security requirements to each functional level of the IoT architecture, for readers with diverse backgrounds in IoT. Moreover, we perform a descriptive analysis of the identified security requirements, challenges, and solutions from a top-down approach, based on the essential security needs in different applications of the IoT. Most of the highly cited research papers consider the three-layer architecture an essential structure for IoT [55], [56], [57], [58], which is well in line with the objectives of this research.
The specific contributions of this paper include:
- Identifying and analyzing security requirements and vulnerabilities of the IoT environments, as well as a taxonomy based on a three layer architecture for IoT security requirements and vulnerabilities.
- Presenting and evaluating security challenges and their corresponding solutions of the IoT environments, as well as a taxonomy based on a three layer architecture for security challenges and solutions.
The rest of this paper is structured as follows. In Section 2, we deal with the IoT applications and security requirements. In Section 3, we present IoT security and privacy challenges. Section 4 provides security solutions for each challenge in a three-layer architectural way, and finally in Section 5 we discuss IoT security and privacy challenges and requirements solutions in the current and future applications based on the identified requirements.
Section snippets
IoT applications and security requirements
To mitigate the impact of cyber threats in different IoT applications, security requirements need to be properly provided. In this view, this section first proposes a taxonomy of IoT applications based on the degree of involvement in each layer. Afterward, it gives the essential security requirements from the layer-based architecture.
IoT security and privacy challenges
According to the IoT properties and due to the commercialization aspect in most domain applications, IoT faces a large number of security challenges [85]. Each security challenge could be involved in one or more layers of the IoT architecture, thus each one demands significant upkeep. For example, the diversity of IoT devices in terms of their functionalities can lead to security challenges. Due to the high diversity of connected devices and their associated communication protocols in IoT,
IoT security and privacy solutions
Security challenges in each layer of the IoT architecture are involved with all application-based (i.e. application, firmware, interfaces, etc.), network-based (i.e. cloud back-end, standards, protocols, etc.), and device-based (i.e. physical devices, cloud gateways, etc.) components of this paradigm. In this section, we present a taxonomy based on state-of-the-art solutions for each security challenge. Application layer solutions are presented in Table 4, Network layer solutions are presented in Table 5,
Conclusion
With the increasing usage of IoT devices in most business domains and personal lives, security concerns are growing. Due to the limitation in resources and the diversity of components in different IoT environments, a wide range of vulnerabilities has emerged. Most of these vulnerabilities can lead to system failure in the working environment of the IoT. Since there is no predefined standard for the IoT environment, most of the research conducted to date has presented IoT security challenges and
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (157)
- A survey on internet of things architectures. J. King Saud Univ. (2018)
- et al., IoT middleware: a survey on issues and enabling technologies. IEEE Internet Things J. (2016)
- et al., Application-layer security for the WoT: extending CoAP to support end-to-end message security for internet-integrated sensing applications. International Conference on Wired/Wireless Internet Communication (2013)
- et al., Cyber and physical security vulnerability assessment for IoT-based smart homes. Sensors (2018)
- Preventing DDOS Attacks Against IoT Devices (2018)
- et al., Enhancing IoT security through network softwarization and virtual security appliances. Int. J. Netw. Manage. (2018)
- et al., DRAFT NIST Special Publication 800-63-3 Digital Identity Guidelines (2017)
- et al., A lightweight framework for secure life-logging in smart environments. Inf. Secur. Tech. Rep. (2013)
- et al., Lightweight and escrow-less authenticated key agreement for the internet of things. Comput. Commun. (2017)
- et al., Green lights forever: analyzing the security of traffic infrastructure. 8th USENIX Workshop on Offensive Technologies (WOOT 14) (2014)