SecureIoT: Five Typical Use Cases

In a previous article, I introduced and described the SecureIoT architecture as a blueprint for building IoT security systems. The architecture is presented in the following figure. In this article, I present five common use cases that can be supported by the SecureIoT architecture and compliant security platforms.

[Figure: the SecureIoT architecture]

Compliance with Data Privacy Regulations

Over the last couple of years, European organizations have been investing heavily in systems that can boost their GDPR compliance. This is the case, for example, with a large number of organizations that handle sensitive data, such as retail and consumer-facing organizations, as well as healthcare organizations that deal with patients’ data. In this context, SecureIoT can help organizations improve their GDPR compliance through:

  • Exploiting the components of the Data Management Group and the Global Repository in order to construct and maintain an audit trail of all personal datasets.
  • Creating security templates based on machine learning in order to detect data breaches, while at the same time analyzing their root causes and explaining the breaches.
  • Monitoring, logging and analyzing changes to credentials and security groups in line with XACML-based security policies.
  • Implementing privacy policies that ensure user data are accessed and processed in line with GDPR mandates. Such policies can be put into effect as part of the Compliance Auditing Services of the project.
  • Specifying and implementing privacy policies that provide alerts for indicators of possible violations.
  • Producing data privacy reports based on the SLA Management modules of the SecureIoT architecture.


Proactive Protection against Insider Threats

In enterprise environments, a large number of cyberattacks come from the inside. Such attacks are very difficult to detect and to alleviate, given that adversaries appear as legitimate users. In the IoT space, malicious insiders may compromise IoT systems by logging into them and exploiting them for malicious purposes. SecureIoT can be deployed to detect and mitigate such attacks in a timely manner through:

  • Collecting information about how presumably legitimate users access and use IoT systems, including detection of logins to IoT systems and configuration changes in their elements, such as changes in users’ privileges. Appropriate probes can be developed and used to this end, as part of the Data Management Group.
  • Detection of users’ behavioral changes (e.g., strange changes in privileges), as well as other forms of anomalous behavior (e.g., logins on unusual days / times). For this purpose, appropriate security templates can be developed and used, based on training datasets that define normal behavior and enable the detection of abnormal activities.
  • Detection of correlations and associations of different events that relate to a given set of users. Such events may for example include access to certain sites, use of personal email accounts and violations of normal usage access policies for IoT devices (e.g., policies regarding the use of certain IoT devices such as robots, printers or mobile phones).
  • Detection of attempts to move device data (e.g., smart phones, medical devices) outside the organization based on monitoring of network traffic and the production of relevant alerts.

The latter detections can be based on rules and/or data mining algorithms that are implemented as security templates, based on the components and functionalities of the Data Analytics Group of the SecureIoT architecture. Likewise, alerts can be managed and sent based on the SecureIoT SPEP component of the Data Management Group.  Based on the selection of appropriate algorithms, SecureIoT can enable the timely detection of indicators of insider threats, as a means of preventing related incidents.
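
As an added illustration of the rule-based detections listed above (this is not SecureIoT project code), the sketch below learns each user's normal login weekdays and hours from a training set, flags logins outside that baseline, and escalates a privilege change that follows an unusual login. The event tuple layout, function names, severity labels and sample events are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event type, detail).
TRAINING = [
    ("2024-03-04T09:05", "alice", "login", "gateway-1"),
    ("2024-03-05T10:12", "alice", "login", "gateway-1"),
    ("2024-03-06T09:40", "alice", "login", "gateway-1"),
    ("2024-03-04T14:00", "bob", "login", "robot-7"),
    ("2024-03-05T15:30", "bob", "login", "robot-7"),
]
OBSERVED = [
    ("2024-03-11T09:20", "alice", "login", "gateway-1"),
    ("2024-03-12T14:30", "bob", "login", "robot-7"),
    ("2024-03-12T15:00", "bob", "priv_change", "operator->admin"),
    ("2024-03-16T23:40", "alice", "login", "gateway-1"),   # Saturday night
    ("2024-03-17T00:10", "alice", "priv_change", "viewer->admin"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def build_baseline(events):
    """Learn, per user, the weekdays and hours at which logins normally occur."""
    baseline = {}
    for ts, user, kind, _ in events:
        if kind == "login":
            prof = baseline.setdefault(user, {"days": set(), "hours": set()})
            prof["days"].add(parse(ts).weekday())
            prof["hours"].add(parse(ts).hour)
    return baseline

def unusual_login(profile, t, slack=1):
    """True for an unseen user, an unseen weekday, or an hour far from every seen hour."""
    if profile is None:
        return True
    gap = lambda h: min(abs(t.hour - h), 24 - abs(t.hour - h))  # wraps at midnight
    near = any(gap(h) <= slack for h in profile["hours"])
    return t.weekday() not in profile["days"] or not near

def detect(baseline, events, window=timedelta(hours=24)):
    """Return alerts; a privilege change soon after an unusual login is escalated."""
    alerts, last_odd_login = [], {}
    for ts, user, kind, detail in sorted(events):  # ISO timestamps sort by time
        t = parse(ts)
        if kind == "login" and unusual_login(baseline.get(user), t):
            last_odd_login[user] = t
            alerts.append((user, ts, "unusual login time", "medium"))
        elif kind == "priv_change":
            odd = last_odd_login.get(user)
            severity = "high" if odd and t - odd <= window else "low"
            alerts.append((user, ts, "privilege change: " + detail, severity))
    return alerts
```

Calling `detect(build_baseline(TRAINING), OBSERVED)` returns one tuple per alert; in a deployment the baseline would be rebuilt periodically so that legitimate changes in working patterns do not keep raising alerts.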


Securing Smart Objects

SecureIoT enables organizations to monitor IoT devices, including smart objects with semi-autonomous behavior, for vulnerabilities. To this end, SecureIoT can be used as follows:

  • Collecting data at the network and application levels based on appropriate probes. This can be performed based on the components of the Data Management Group.
  • Analyzing the collected data and alerting security officers and users where the devices exhibit abnormal behavior at either the network or the application level. To this end, components from the Data Analytics Group can be instantiated.
  • Monitoring data flows associated with individual devices and raising alerts when unusual volumes or types of data are produced or consumed from the device.
  • Matching device traffic or behavioral patterns and resolving them against the Security Knowledge Base (SKB) as a means of identifying vulnerabilities, poor patching of the device or even indicators of some attack against the device (e.g., malware or denial of service).
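
The per-device data-flow monitoring described in this list can be sketched as follows. This is an added example, not SecureIoT project code: it profiles each device's protocols and per-interval byte counts, then flags a flow that uses a protocol never seen for that device or whose volume is an outlier by the modified z-score (median and MAD). The record layout, names, threshold and sample flows are assumptions constructed for the example.

```python
from statistics import median

# Constructed baseline flows: (device id, protocol, bytes in one interval).
BASELINE_FLOWS = [
    ("camera-1", "mqtt", 1200), ("camera-1", "mqtt", 1150),
    ("camera-1", "mqtt", 1300), ("camera-1", "mqtt", 1250),
    ("camera-1", "mqtt", 1180),
]

def build_profiles(flows):
    """Per device: protocols seen, plus median and MAD of bytes per interval."""
    grouped = {}
    for device, proto, nbytes in flows:
        g = grouped.setdefault(device, {"protos": set(), "sizes": []})
        g["protos"].add(proto)
        g["sizes"].append(nbytes)
    profiles = {}
    for device, g in grouped.items():
        med = median(g["sizes"])
        mad = median(abs(s - med) for s in g["sizes"])  # median absolute deviation
        profiles[device] = {"protos": g["protos"], "median": med, "mad": mad}
    return profiles

def volume_score(profile, nbytes):
    """Modified z-score: 0.6745 * |x - median| / MAD (robust to outliers)."""
    mad = profile["mad"] or 1.0  # constant baseline: avoid division by zero
    return 0.6745 * abs(nbytes - profile["median"]) / mad

def check_flow(profiles, device, proto, nbytes, threshold=3.5):
    """Return the list of reasons this flow deserves an alert (empty if none)."""
    profile = profiles.get(device)
    if profile is None:
        return ["unknown device"]
    reasons = []
    if proto not in profile["protos"]:
        reasons.append("new protocol " + proto)
    if volume_score(profile, nbytes) > threshold:
        reasons.append("unusual volume")
    return reasons
```

With the constructed baseline, `check_flow(build_profiles(BASELINE_FLOWS), "camera-1", "mqtt", 48000)` reports an unusual volume, while a 1260-byte MQTT interval produces no alert.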


Implementing Managed IoT Security - SECaaS

SecureIoT enables the delivery of IoT security services based on the SECaaS modality. This makes it an excellent choice for implementing managed security services. The latter can be very appealing to organizations that understand the importance of IoT security, yet lack the knowledge, expertise or equity capital needed to develop, deploy and operate an IoT security solution in-house. As a prominent example, most SMEs (Small and Medium Enterprises) lack the capital and know-how needed to integrate and deploy IoT security solutions on premises. As another example, several small-scale public sector organizations (e.g., small or regional governments) do not typically have knowledgeable staff members with the expertise needed to analyze the various alerts and take action as needed.

SECaaS services powered by the SecureIoT architecture and paradigm can alleviate the above-listed concerns. A SECaaS service is operated by the SecureIoT services provider and provides continuous (24x7) collection and analysis of security data, as a means of raising alerts and taking remedial actions as required. A SECaaS solution based on the SecureIoT architecture involves:

  • Developing, integrating and deploying probes within the infrastructures of the organization to be protected.
  • Implementing or reusing security templates for the identification of abnormal behaviors and for the detection of possible vulnerabilities and attack indicators.
  • Raising alerts and instigating security automation functions upon the identification of threat indicators.
  • Employing security experts to filter and analyze alerts, prior to deciding which measures to employ.
  • Suggesting and applying security measures such as patching devices, upgrading firmware and reconfiguring IoT systems.
  • Providing recommendations for regulatory compliance (e.g., GDPR), including recommendations of relevant technical measures.


Interoperable Supply Chain Security

IoT systems are increasingly used in supply chain management applications, in order to enable seamless information flows between stakeholders. This is the case, for example, in product traceability applications, where supply chain participants exchange information in order to provide transparency and visibility on product information and production processes. Securing IoT systems that span multiple stakeholders in the supply chain can be challenging, as different actors employ diverse IoT systems and devices that are subject to different security policies. The SecureIoT architecture provides the means for harmonizing diverse policies and safeguarding trustworthiness across the different systems that comprise IoT services in the supply chain. This can be done based on the functionalities and features of the Security and Privacy Policies Interoperability module, as well as its use by the Policy Engine, which can interpret and activate interoperable policies.

In a following article, I will present how the SecureIoT platform (based on the SecureIoT architecture) is practically used in Industry 4.0, Healthcare and Connected Car use cases.

