Ensuring Security and Privacy in IoT-based Ecosystems

By Antonio Kung, CTO Trialog

The Internet of Things (IoT) refers to a trend where physical world environments increasingly integrate connected devices and computing resources thereby allowing for the deployment of applications providing intelligent services. Devices could be low-end smart elements such as sensors or actuators, but they could also include complex systems such as smart phones, robots, autonomous vehicles, or drones. Applications could be in any vertical domain such as energy, health, agriculture, transport or factories but not only because they could also be cross-domain, for instance an energy management system for an electric vehicle system. IoT systems must therefore have to comply with the operational requirements of such domains or cross domains such as safety. 

Information and communication technology (ICT) systems until recently involved less complex supply chains. Before the advent of smart phones, a mobile phone offer would typically consist of a mobile operator and a mobile phone supplier. The same stakeholder would play the role of application manager, operator and integrator.

This is no longer the case in the era of IoT systems where many stakeholders playing different roles might be involved. The term ecosystem, initially used in biology to designate an ecological community together with its environment is now widely used to designate the complex network of stakeholders associated with the building, deployment and operation of ICT systems: Suppliers provide the components of an IoT system: a sensor, a cloud facility, electronic components, security components, operating systems, middleware, tools, methods and so forth. Integrators build the IoT system, integrating the various components provided by suppliers. Operators deploy, operate and maintain the IoT system. Application providers are the stakeholders that provide intelligent services to the customers or end-users. Policy makers provide regulations concerning the applications to meet the requirements of the domain.

Let me illustrate this with the example of a smart transport application providing real-time traffic advice to citizens in a city. End users are the inhabitants or visitors of a city. The policy maker could be the city authority. The application provider could be a small local SME, perhaps a spin-off from a local university. It could rely on the facilities provided by a major international cloud operator. The integrator could also be a large national company with experience in building complex systems. The suppliers can be local producers of devices (e.g. a display system), or major vendors (e.g. an operating system).

IoT ecosystems become even more complex when we consider security or privacy. To integrate security, suppliers will have to provide components that may contain security capabilities (e.g. dedicated security hardware, or security mechanisms integrated in a larger component); integrators will have to provide the overall security capabilities integrating those provided by suppliers; security operators have to carry out the specific security operation duties (e.g. security supervision, security incident management); security policy makers provide operation rules to the security operators (e.g. guidelines upon security incident): auditors verify that operation rules are well followed (e.g. security management conformance). Likewise, to integrate privacy, suppliers will have to provide components that may contain data protection capabilities (e.g. de-identification mechanisms, personal data removal mechanisms, transparency mechanisms); integrators have to provide the overall data protection capabilities integrating those provided by suppliers; data controllers and data processors carry out data protection related operations (e.g. consent management, privacy breach management); data protection authorities provide operation rules to the data controllers and data processors (e.g. privacy impact analysis guidelines); auditors verify that operation rules concerning privacy management are well followed.

I would like now to point out two important challenges to ensuring security and privacy in IoT-based ecosystems.

The first challenge is the need for integration of security and privacy in the lifecycle: the recognition that cybersecurity incidents or privacy breaches are bound to happen has profoundly changed the mindset. We are switching from a defensive mindset where the focus was on building a system that is protected so that incidents cannot happen to a resilience mindset where the focus is to build a system that is protected throughout its lifecycle.

This change of mindset is well reflected in the recent cybersecurity framework proposed by NIST1. It advocates a life cycle perspective covering the following five processes: identify risks, protect, detect, respond and recover. This change of mindset is also visible in the area of privacy. I am currently the editor of ISO/IEC 27550 privacy engineering. We have considered all the 30 processes of the ISO/IEC 12588 standard on system lifecycle processes, and identified seven processes which are profoundly impacted by privacy as showed in the table below.

The second challenge is the need for co-engineering. In the past, application engineering, security engineering, privacy engineering where separated processes carried out by specialised experts. We need to change this practice to one of co-engineering. For instance the security risk analysis, privacy risk analysis and safety risk analysis should be carried out in a coordinated manner. An integrated risk analysis process must be applied as showed in the figure: the central point is the event one wishes to avoid; cybersecurity feared event, privacy breach, dependability failure.


The left part focuses on sources: threats/vulnerabilities, problematic data action (using NIST terminology), and faults/errors. The right part focuses on consequences: impact on the protection of digital assets, impact on the privacy on individuals, and on the safety of operations. The result of an integrated risk analysis process should be a set of organisational and technical measures covering the three types of concerns: security, privacy, and safety.