The Internet of Things: The Next Major Concern for Cyber Security Professionals

Running head: THE INTERNET OF THINGS

American Public University System

American Military University

The Internet of Things: The Next Major Concern for Cyber Security Professionals

Date: December 21, 2014

Timothy Brian Miller

Session #I001 Fall 2014

Submitted in partial fulfillment of the degree requirements for the BA in Security Management

Abstract

This qualitative study will utilize a case study methodology to

explore the current scope and reach of the Internet of Things and

examine whether the cyber security industry is prepared to deal

with the challenges that having millions of devices communicating

over the Internet will bring. The study will also examine the

vulnerabilities which will arise with regard to the Internet of

Things being used for illegal or terroristic activities and how

industry security professionals will need to react to these

contingencies. This study will also examine the security of the

Internet of Things and what more needs to be done to secure the

data which these billions of devices transmit via the Internet.

Introduction

Problem Statement

Managing security in cyberspace is difficult at best, chaotic

at worst. There is a growing number of devices today which

connect via the Internet. Some of these devices communicate

without any human intervention and are known as the Internet of

Things (IoT). At first glance it may appear that the addition of

IoT devices in the near future may not be much of a problem.

However, Gartner Research (2013) estimates there could be as many

as 26 billion devices in the IoT by the year 2020 (para. 1). The

question then becomes, will the security concerns of this

burgeoning sector of the information technology industry be

adequately addressed by the corporate world or is a more

concerted, industry-wide and governmental effort on the part of

cyber security professionals warranted to protect these

additional devices from exploitation, attacks and hijacking? To

put this problem into some perspective, a survey of nearly 600

information technology and business executives in the retail,

consumer products, manufacturing, transportation, government,

oil/gas, healthcare and hospitality industries shows that over

80% believe IoT solutions will be the most strategic technology

initiative for their organizations in a decade (Violino, 2014,

para. 2). To make the point of IoT security more succinctly,

however, one must consider that within the IoT are objects which

sustain life such as insulin pumps and heart monitoring and

controlling devices. Experts in cyber security such as Robert

Siciliano (2014) have noted that the U.S. Food and Drug

Administration (FDA), which is currently in charge of setting

standards for medical equipment usage, is quite new to handling

problems of this kind and this fact should be of concern to

patients whose lives depend on the proper day-to-day functioning

of these devices (para. 2). The security of how and what these

IoT devices transmit over the Internet is currently controlled by

corporate entities or other organizations leaving these devices

open to potential exploitation by criminals or even terrorists.

Purpose Statement

The purpose of this qualitative research study is to examine

the more commonly utilized devices included in the IoT which are

vulnerable to exploitation, attack or hijacking, and what effect

the exploitation of these devices would have on the entities

which use them. Additionally, will the IoT become a means for

illegal or terrorist activity, what measures need to be taken to

arrest the manipulation of these devices, and is a more

cooperative and concerted effort on the part of private and

public cyber security professionals warranted? To realize a

solution to the problems noted, a mixture of academic,

professional and other resources will be utilized.

Research Questions

Q1. Which types of devices connected to the Internet are the

most vulnerable to exploitation?

Q2. What would be the impact on entities which utilize

devices connected via the Internet if these devices were subject

to attacks in transmission security or other exploits by criminals

or terrorists?

Q3. What measures need to be taken to address security on the

IoT and who is to be responsible for providing this security?

Key Points Addressed

P1. Devices which comprise the IoT and how human interaction

with these devices becomes a potential security problem

P2. Devices which are tempting targets for attackers and how

they can be exploited

P3. Criminal or terrorist uses for the IoT

P4. IoT cyber security: Cyber security professionals’

responsibilities and why a more proactive stance is needed

P5. Policing the IoT: Governmental or private industry

responsibility?

Proposed Methodology/Research Strategy

For this project the student will be using the qualitative

method of research with a case study approach. This case study

approach of the IoT will detail the security concerns generated

by the expected explosion of devices into the IoT within this

decade. Inductive reasoning will be utilized to bring into focus

the broad nature of the IoT with the ultimate goal of this

research being to ascertain whether the IoT needs more security

and if so what kinds of events would the extra security work to

alleviate.

Research for this project will be from peer-reviewed American

Public University System and Internet sources, focusing on the

ways in which the IoT is vulnerable and how it can or must be

protected against exploitation of these vulnerabilities. The

student will not be using first hand studies for this project due

to the complexity of such studies and because of time constraints

placed on the student to finish and submit this project.

Assumptions

The student realizes that situations could arise that would

serve to slow or speed up the process of his research, such as

the sheer volume of recently published information on the IoT,

and the student realizes that this sets up the potential for

information overload in his research efforts but this is not a

noted problem as of the time of this writing. Should any

problems of this sort or others arise, the student is confident

that through consultations with his instructor any problems can

be dealt with in a manner which will not be detrimental to the

student’s research.

Scope

The scope of this study will be to identify devices

comprising the IoT which present the highest probability for

exploitation of their security vulnerabilities in order to cause

harm or injury in some way to the user of these devices. The

project will then proceed to define the ways in which the

selected devices could be used for illegal or terroristic

purposes. Finally, this study will suggest some preventative

measures which if taken will protect the IoT from those who would

wish to use the connected devices to cause harm or other such

circumstances to the users of the IoT.

Limitations

The student sees very little at this point which would impede

the successful completion of this study. However, if such

impediments do arise, such as new devices for which there is

little or no associated research, the student will deal with them

in consultation with his instructor.

Body

The job of securing the varied facets of the Internet and the

devices which access it is a daunting task even in the best of

times. However, the recent introduction of machine to machine

(M2M) communications into this equation only serves to complicate

an already multifarious situation. According to research

conducted by Roman, Najera, and Lopez of the University of Madrid

(2011), traditional protection mechanisms such as “lightweight

cryptography, secure protocols, and privacy assurance” (p. 51)

are not sufficient to protect this new M2M infrastructure and

further note that security professionals and researchers need to

scrutinize existing security protocols and determine if they are

worth integrating into the IoT or whether new designs are

necessary. In the interim security professionals must not only

deal with users and systems that interact via the Internet but

now must also account for a complex set of independent devices

which communicate via the Internet without any human

intervention.

The IoT can be thought of essentially as a “gateway between

the digital world and the physical world” (Orebaugh, 2013, para.

3) in which devices are enabled to communicate with the physical

world around them via digital means. The devices that make up

the IoT use a plethora of different ways to communicate their

data, for example RFID, Bluetooth, WiFi, Z-Wave and ZigBee, each

of which must be secured to protect the integrity and privacy of

the information being transmitted. The IoT currently is, for the

most part, made up of devices which provide users comfort,

convenience, safety, and life-sustaining services. Some of these

devices include household appliances such as Smart thermostats

which can adjust the temperature of a home or business when no

occupants are present, thereby saving money on heating and air

conditioning, Smart refrigerators which can indicate to their users

when they are running low on milk or other items by reading

RFID tags embedded in the product packaging, and Smart

TVs which can suggest programming based on one’s viewing history

and preferences. The IoT also includes many devices which

provide for safety such as traffic control devices which adjust

for changing conditions in volume of traffic or changing weather

conditions and Smart devices in cars utilizing GPS technology

which can suggest alternate routes if there is traffic

congestion, road construction, or even to avoid the scene of an

accident. Another area where the IoT is providing services is in

the area of life-sustaining or life-saving devices such as

pacemakers, automatic defibrillators, insulin pumps and devices

which dispense chemotherapy or other drugs into a person’s system

automatically without the inconvenience of visiting a doctor’s

office. Also in the health and fitness area there is currently

an explosion of what is being called wearable technology. These

devices collect, store, and communicate data such as a person’s

location and how far they have traveled during a certain time

frame and a multitude of biological readings including heart and

respiration rates, rate of perspiration and blood glucose levels.

With the spread of these new technologies, security experts like

Rashmi Knowles, chief security architect at RSA, EMC's security

division, as quoted in an article in Information Management (2014),

note that as wearable technologies make their way into the

workplace, they represent a “multiplication of potential attack

surfaces” (para. 4) affecting a wide range of security policies.

Figure 1 indicates just a few of the many items which make up the

IoT and how they potentially interact in the digital world.

Figure 1: The Internet of Things connections (Stammberger, 2009).

ABI Research (2014) estimates that the number of devices

connected to the IoT will exceed 16 billion units for 2014 and

will reach a staggering 40.9 billion units by the year 2020

(para. 1). Gartner Research (2013) also suggests that the number

of IoT devices could top 26 billion by the year 2020 (para. 1).

These figures represent a growth of somewhere between 150% and

250% in the next 6 years alone and from those estimates it is

easy to see how the IoT is poised to become the biggest security

concern since the introduction of “Bring Your Own Device” in the

early 21st century. Pierluigi Paganini, an expert in security

matters and noted security management specialist, used Figure 2

below in a recent presentation at the ISACA Roma & OWASP Italy

conference, “The State of the Art for the Internet of Things

Paradigm” (Paganini, 2014, slide 5) to emphasize the explosive

growth the IoT is going to go through in the coming years.

Figure 2: The Internet of Things growth scenario.

Alternatively, when considering the IoT from a security

standpoint it becomes clear that all this convenience does not

come without a price. The increased hacking of computer systems

around the world demonstrates that attacks are turning from

nuisance attacks to ones which involve some sort of financial

gain or with the objective of interrupting services. With

security of the IoT in its infancy, stepped up hacking can be

expected because of the ease of accomplishing such attacks on the

IoT infrastructure. One of the many attacks which may be carried

out in the IoT is identity theft. Vidalis and Angelopoulou

(2014) note that such identity theft attacks on the IoT can be

carried out by spoofing either the IP address of a device or by

spoofing ARP and using the MAC address to gain access (p.

16).

In researching its structure, the IoT can generally be

divided into three categories in line with how devices are

marketed to and used by consumers and other organizations. These

categories, according to Melanie Swan, writing for the Journal of

Sensor and Actuator Networks (2012), include “monitoring and

controlling the performance of homes and buildings, automotive

and transportation applications, and health self-tracking and

personal environment monitoring” (para. 2). A further

examination of two of these categories gives a more detailed

explanation of how devices within these categories are vulnerable

to security exploits.

In the area of health-tracking, there are a growing number of

life-sustaining and life-saving devices being connected to the

IoT. These devices present vulnerabilities both in how they are

manufactured and maintained and in the way in which they

communicate with other systems and devices. First, and most

importantly, the design, manufacturing, and distribution of such

devices are strictly controlled by the FDA so as to protect the

integrity of the devices and the information they store and

transfer to other networks. However, currently this compliance

model stipulates that the manufacturer alone is responsible for

device configuration. This means that the end users, including

the doctor, the patient, and even the health industry information

technology professional, are essentially locked out of the

device’s operating software and the ability to make changes or

install secondary cybersecurity measures when vulnerabilities are

discovered (Wirth, 2011, p. 27). This is where regulatory

changes must be made by the FDA in order to make these

life-saving and life-sustaining devices less vulnerable to attack and

exploitation.

The healthcare industry is also becoming heavily invested in

the IoT through their use of implantable medical devices which

are surgically implanted into a patient’s body. According to

Sandler, Ohrstrom, Moy, and McVay (2010), in 2008, in the United

States alone some 350,000 pacemakers and 140,000 implantable

cardioverter defibrillators (ICD) were implanted (p. 3). Once

implanted, ICDs can provide medical professionals with data such

as electrocardiogram readings via a wireless connection to the

Internet. Additionally, medical professionals can modify device

settings without invasive surgery using the same Internet

connection. According to Sandler et al., a recent study by

researchers from three universities partially reverse-engineered

the communications module from a 2003 model ICD and launched

several wireless attacks from close range (p. 3). In the study

researchers were able to access the device’s programming module

and send commands to disable the device and also to command the

device to deliver multiple shocks consecutively to the device (p.

3). It was also discovered that the device could be ordered to

remain “awake” instead of returning to a standby mode after

transmission of data causing the battery of the ICD to be

exhausted much more quickly, thereby requiring that the device be

extracted earlier than planned from the patient (p. 3). The

study concluded that the software which controls the ICD needs to

be patched or completely rewritten so that the device can

distinguish between signals from a proper authority and an

attacker and also noted that it would be very easy to engineer a

device as small as a cellular phone which could cause havoc in

situations like a crowded subway, mall or anywhere else where

people gather “sending its heart attack command to random

victims” (p. 3). This study shows the dangers of the medical

devices in general which are connected via the IoT if security is

not integrated into the devices from the development and

manufacturing stages.

Although there is a long way to go, there has been some

movement recently in the medical device area by the U.S. Congress

to reorganize the oversight which the FDA holds over medical

devices. In October 2013, Representative (Rep.) Marsha Blackburn

(R-TN) introduced the Sensible Oversight for Technology which

Advances Regulatory Efficiency (SOFTWARE) Act of 2013 which would

amend the Federal Food, Drug, and Cosmetic Act to apply it to

medical software to the same extent and in the same manner as it

applies to devices (Congress.gov, 2013, para. 1). The SOFTWARE

Act and its companion bill in the Senate, the Preventing

Regulatory Overreach To Enhance Care Technology (PROTECT) Act,

which was introduced in early 2014, are working their way toward

passage in their respective committees in both Houses of

Congress. These acts, when they are passed by Congress and

signed by the President will, according to Congress, “establish a

risk-based regulatory framework that reduces regulatory burdens,

promotes patient safety, and fosters innovation” (para. 6).

These pieces of legislation would separate the regulatory

responsibility for software from the device that holds it giving

the medical device industry more flexibility in designing

software which could be updated or patched when new threats are

discovered, much like software which is currently installed in

devices from home computers to mobile devices. The legislation

will also “exempt so-called ‘clinical software’ and ‘health

software’ from FDA oversight, leaving the regulatory agency to

focus on ‘medical software’—posing the highest risk to patient

safety” (Slabodkin, 2014, para. 2). Recently, Rep. Blackburn

made statements that she sees the bill passing the Congress in

early 2015. Rep. Blackburn also stated at a Dec. 3, 2014

Bipartisan Policy Center forum in Washington, D.C., “We think it’s

important enough that we’ve spent about a year and a half working

this legislation” (para. 4). Rep. Blackburn and her colleagues

on the House Energy and Commerce Committee have been working on

this legislation since October 2013 when it was first introduced

in order to specifically deal with the language of the

legislation before it is voted on by the Congress.

Security of medical devices is also important because when

control of these devices is compromised through exploitation of

vulnerabilities they provide gateways into larger healthcare

networks where cyber criminals can steal personal healthcare

information, alter patient records and prescriptions, and launch

denial of service attacks which could be devastating to

healthcare professionals and patients alike. Martha Vockley

(2012) points out that wired or wireless technology which

provides real-time patient data through any network, for either

centralized or remote clinical review, is particularly vulnerable

to network disruptions which could interrupt or adversely affect

patient care (p. 166). As of this writing, the FDA has not

codified into law any guidance regarding cybersecurity for

medical devices but with the imminent passage of the SOFTWARE and

PROTECT Acts in Congress this codification may be upcoming.

Another area where the IoT is already receiving heavy investment,

and where much vulnerability exists which will eventually be

exploited successfully by an attacker, or group of attackers, is

the utilities grid. The systems which control the water, natural

gas, and electrical grids are already beginning a transformation

to the IoT technology from remote sensing devices, alarms and

other devices. According to the Electric Power Research

Institute (2010) cybersecurity is a “critical” issue due to the

increasing potential of attacks (p. 99). As more electric

providers upgrade and change their infrastructure from its

current form to an interconnected model closely mirroring the

IoT, the opportunities for security exploitation of this new

Smart grid will increase. According to Hersent, Boswarthick, and

Elloumi (2012), as the dynamic model of the electrical grid

changes “the key assets of an energy operator will no longer be

the means of production, but the next-generation communication

network and information system”; additionally, “M2M

communications…will be key enablers for this evolution” (p.

15.1). This statement shows the elemental changes which the IoT

will bring to the electrical grid once systems are fully upgraded

and expanded.

Two of the already established key applications in the

existing electric grid structure for Smart Grid technology are

the supervisory control and data acquisition (SCADA) and

teleprotection. SCADA in a power grid application, according to

McBride and McGee (2012), involves gathering data in the field

and then transmitting it to a central system for monitoring and

control of power grid devices such as remote actuators and

sensors (p. 89). Teleprotection applications on the other hand

involve the signal-aided relay-to-relay communications between

connected adjoining substations. In this system when protection

equipment at either end of this connection detects a fault then

the other end is notified and a protective action is taken such

as tripping a circuit breaker (p. 89). The remote sensing and

controlling aspects of these two applications will be key factors

in building the Smart grid. The representation in Figure 3 shows

the difference between a conventional SCADA grid design and one

enhanced by the IoT. Of note in this figure are the expansion of

the number of data points and the ability to notify first

responders, police and fire department personnel, automatically

in the event of an emergency situation.

Figure 3: Current SCADA configuration and the IoT SCADA configuration (Roman et al., 2011, p. 52).

Having discussed a few areas where the IoT is currently being

developed and integrated into society as a whole, a more

extensive examination of the attack surface for the IoT is

necessary. What attackers will be going after, for the most

part, is information that they can turn into financial gain of

some sort. In gaining information which will be financially

lucrative, identity theft is one of the most beneficial

undertakings for hackers. In an online environment, identity

theft occurs when an individual’s Personally Identifiable

Information (PII) is stolen by a hacker, then sold to a third

party who uses the PII to set up false identification documents,

bank and credit card accounts, and other ways to fraudulently use

the PII. Another area where hackers are, and will continue to

be, very active is in the disruption of networks by means of

distributed denial of service attacks, flooding attacks, buffer

overflow attacks, malware and viruses, just to name a few.

Hackers may also install rootkits on a captured system to allow

them to return later and conduct further exploitation or to use

the device as a “bot”, a platform from which the hacker can

launch attacks against other systems. Botnets are dangerous due

to the fact that they give an attacker multiple avenues of up to

thousands of unrelated computers all acting under orders from a

central hacker and with the addition of IoT devices to this

equation, perhaps billions more devices could be used. To

reinforce this point Gregory P. Schaffer (2006) quoted David

Dittrich of the Center for Information Assurance & Cyber Security

at the University of Washington as saying “conventional worms

released from a single point can take hours to circle the globe,

botnet worms can appear from multiple points simultaneously and

thus can potentially impact vulnerable hosts worldwide in

minutes” (p. 52). With the IoT poised to comprise tens of

billions of devices in as little as six years from the time of

this writing, the time to impact vulnerable hosts worldwide could

be cut down to a matter of seconds. From this perspective it is

clear that thingbotnets will have to be at the top of security

professionals’ watch lists.

Exploitation of the IoT will not be the exclusive purview of

hackers however. Attacks with much more serious implications to

users, organizations, and governments as well will come from

criminals and in extreme cases from radical left and right wing

fanatics and terrorist organizations. As more functions in

society are taken over by M2M (IoT) technology and humans are

taken out of the loop in the area of oversight, the possibility

for remote-control havoc increases. With respect to the ability

for cyberterrorism to operate in the future, Dorothy Denning

(2009) in quoting Mark Pollitt, an FBI special agent, stated “As

we build more and more technology into our civilization, we must

ensure that there is sufficient human oversight and intervention

to safeguard those whom technology serves” (p. 283). This is the

danger that the IoT brings with it. At some point, as IoT

technology progresses and becomes more reliable, humans will come

to trust the IoT and rely on it to service our basic needs

without question. Successful attacks on the system will be able

to inflict the most damage on a given population once these

prerequisites are satisfied. This is another reason why security

is of prime importance in IoT infrastructure.

With all this potential for harm the IoT is going to have to

be protected but what measures must security professionals take

in order to protect the data that the billions of devices will

create? First, and most importantly, the real challenge for

security professionals is going to be taking a proactive stance

with respect to securing their infrastructure for the

implementation of IoT devices. However, security professionals

will not be required to start from scratch with regard to

security for the IoT. Many of the procedures and policies which

protect networks and systems now, patching, passwords, and system

monitoring, will be able to be adapted for use with the IoT. As

Kevin Beaver (2014) notes, security for the IoT is not going to

be very dissimilar from what is done now to secure any other

aspect of the network; however, new policies are likely to be

required to cover the new security situations which the IoT will

create (paras. 5-6). Beaver goes on to state that one of the

most difficult parts of securing the IoT, or protecting your

network against it, will be convincing stakeholders and users of

the need to protect networks against vulnerabilities from

“seemingly harmless devices that have minimal business purpose”

(para. 7). For example, how will security professionals convince

the C-suite that they need to pay attention to the coffeemaker in

the break room or the Fitbit devices which employees wear to keep

track of their cardiovascular exercise? Complexity is the

central issue that is going to be facing security professionals

with regard to protecting systems with connections to the IoT.

Security solutions will have to be better, faster, and cheaper

than ever before to keep pace with the growing number of threats

which will be introduced onto the Internet by the billions of

devices which will make up the IoT of the future.

Another area where problems could arise for security

professionals with regard to the IoT is in the business arena.

Some business units are knowingly, or unknowingly, keeping their

information technology (IT) departments in the dark by not

including them in the process of bringing IoT solutions into

their network. In a recent study of IT professionals conducted

by Infoblox in the U.S. and U.K., their chief infrastructure

officer, Cricket Liu, noted, “IT departments have a seat at the

table when business units want to move forward with IoT

deployments but these business units often get deep into the

buying process before calling IT, sometimes forcing IT to

scramble to provide support” (Scroxton, 2014, para. 10). It is

in this area where communication among different units within a

business is going to be essential so as to have a smooth

incorporation of IoT devices into existing systems and networks.

In finding a solution to security on the IoT will there need

to be an overall authority for regulation of the IoT and the

billions of devices which will be introduced, or will individual

industries and service providers need to formulate the

regulations which govern how data is used and who can access it?

At this point organizations and agencies around the world such as

the U.S. Federal Trade Commission (FTC) and bodies within the

European Union (EU) are beginning to construct regulations to

control access to the data created on the IoT but there is a long

way to go for even the most prepared organization. As an example

of the control that the FTC is trying to exert in this area,

according to an article in Compliance Week magazine, the FTC in

September of 2013 reached a settlement with California-based

TRENDnet, a maker of security cameras that can be monitored via

the Internet, in a case where TRENDnet failed to provide adequate

security measures to consumers even though it had stated that it

was doing so and also failed “to employ reasonable security in

the design and testing of its software” (Mont, 2014, p. 14). For

its part, the EU is also starting to address the issues of

responsibility for data security and privacy on the IoT. In a

recommendation dated May 12, 2009, the EU invited member states

to provide for guidance on the design and operation of

RFID-enabled devices in a “lawful, ethical and socially and

politically acceptable way, respecting the right to privacy and

ensuring protection of personal data” (Weber, 2010, p. 29). In

other words, the EU is trying to find a compromise among its

members on how to regulate the IoT taking into account privacy,

security and availability of the data. The IoT will require a

very broad interpretation of privacy and other standards in order

to be accepted and implemented globally, which, according to Rolf

Weber (2010), requires a “heterogeneous and differentiated legal

framework that adequately takes into account the globality,

verticality, ubiquity and technicity of the IoT” (p. 30). Many

security experts agree currently that the solution to this

problem is murky at best. Eric Hanselman, chief analyst for New

York-based 451 Research noted in a recent interview that

responsibility for damages incurred as a result of interaction

with the IoT is not currently clear and further noted that “loss

of privacy doesn't have an established value yet in the U.S.”

(McGillicuddy, 2014, para. 21). Others, like Earl Perkins,

research vice president for Stamford, Conn.-based Gartner Inc.,

note that the responsibility for making sure that the devices

connected to the IoT are secure will rest with the businesses

that provide the services hosted by the device or alternatively

with the service provider that provides the network, or both

(para. 23). Another consideration for businesses is where and

how all of the data that is generated by all these IoT devices

will be stored, what data will actually be stored (as storing all

data would be prohibitively expensive), and how existing networks

in cloud computing can be leveraged to provide access and storage

of this deluge of data.

The ultimate resolution to the problem of who will be

responsible for the devices which make up the IoT will be a long

and complicated process in which security professionals will have to

be intimately involved for the effort to be effective. For the IoT

to realize its full potential, security will have to be part of

the equation from the start instead of being an after-the-fact

solution which is added on to an existing structure, as it is

currently treated. The IoT itself is heavily dependent on the

communications between objects and the Internet to function

smoothly. The convergence of communications over the Internet

has gone through many phases. According to Dlamini, Eloff and

Eloff (2009),

“the Internet has moved from isolated and only when in

office (mainframe computing) connectivity; to anywhere at

any time (mobile computing) connectivity; to anywhere at

any time in anyway (network convergence) connectivity;

and now it is moving towards a new era of the future

Internet characterized by anywhere at any time in anyway by

anything (Internet of all things) connectivity” (para.

4).

It is clear from this description that as the Internet has

evolved, the problems with securing it have increased

exponentially. It is within this exponential growth that

information security professionals find themselves. Security

professionals will have to take on a more proactive stance with

regard to securing the IoT than has been present in the current

structure of the Internet. With the IoT, as Dlamini, Eloff and

Eloff note, the new era of the future Internet which is

delineated by connectivity anytime, anywhere, in anyway, by

anything will be a great challenge for security professionals

going forward.

Findings/Conclusions

The convergence of voice, video, and data networks in the

future Internet will include such things as next generation

networks, over the Internet Protocol, voice over IP, and IP

Television as the starting points of a network of interconnected

devices over a shared and service independent network. The IoT

will bring a whole other dimension into this convergence giving

users an almost unlimited choice of data points and will also

bring with it security concerns which need to be addressed in the

development and testing phases because of the IoT devices having

such limited capacities for growth once they are fully developed

and deployed.

As noted previously, security in the world of the IoT needs

to move from a reactive to a proactive stance in order to be

effective; security will need to be programmed into the devices

of the IoT from the beginning stages of product development and

testing instead of being an add-on or afterthought as it is

currently sometimes seen; and a more cooperative perspective must

be taken with regard to who will be responsible for regulating

the IoT and how problems and other situations will be handled and

by whom. If all of these parts are able to come together in a

harmonious rhythm, then the IoT will not be such a threat to the

users that will come to depend on it. However, if these aspects

do not come together then a slowing of the deployment of the IoT

can be expected.

References

ABI Research. (2014). The Internet of Things Will Drive Wireless

Connected Devices to 40.9 Billion in 2020. ABI Research website

online, August 20, 2014. Retrieved from

https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect

Beaver, K. (2014). Securing the Internet of Things. TechTarget

website online, August 2014. Retrieved from

http://searchsecurity.techtarget.com/feature/Securing-the-Internet-of-Things

Beware security pros: The wearable revolution is coming. (2014).

Information Management, 48(3), 7. Retrieved from

http://search.proquest.com/docview/1548702550?accountid=8289

Bradley, T., Thibodeau, P., & Ng, V. (2014). The Internet of

Things: Threats and Challenges. Network World Asia website online,

March/April 2014.

Denning, D. (2009). Activism, Hacktivism, and Cyberterrorism: The

Internet as a Tool for Influencing Foreign Policy, Chapter 8.

Rand Corporation website online. Retrieved from

http://www.rand.org/pubs/monograph_reports/MR1382.html

Dlamini, M., Eloff, M., & Eloff, J. (2009). Internet of things:

Emerging and Future Scenarios from an Information Security

Perspective. Southern Africa Telecommunication Networks and

Applications Conference 2009.

Gartner Research. (2013). Gartner Says the Internet of Things

Installed Base Will Grow to 26 Billion Units By 2020. Gartner

Research website online, December 12, 2013. Retrieved from

http://www.gartner.com/newsroom/id/2636073

Hersent, O., Boswarthick, D., & Elloumi, O. (2012). The Smart

Grid. In The Internet of Things: Key applications and protocols.

Chichester, West Sussex: Wiley. Retrieved from

http://common.books24x7.com.ezproxy1.apus.edu/toc.aspx?bookid=46260

McBride, A., & McGee, A. (2012). Assessing Smart Grid Security.

Bell Labs Technical Journal, 17(3), 87-103. doi:10.1002/bltj.21560

McGillicuddy, S. (2014). Internet of Things security: Who is

responsible and how is it done? TechTarget website online, April 14,

2014. Retrieved from

http://searchnetworking.techtarget.com/news/2240218840/Internet-of-Things-security-Who-is-responsible-and-how-is-it-done

Mont, J. (2014). Next Up: Regulating the Internet of Things.

Compliance Week 11(126), p. 14-15, July 2014.

Orebaugh, A. (2013). Secure all the (Internet of) Things.

TechTarget website online, December 2013. Retrieved from

http://searchsecurity.techtarget.com/feature/Secure-all-the-things

Paganini, P. (2014). Internet of Things – Security and privacy

issues. Security Affairs website online, December 13, 2014. Retrieved from

http://securityaffairs.co/wordpress/31062/cyber-crime/internet-of-things.html

Rogers-Nazarov, A. (2009). The Internet of Things. Information

Week, September 7, 2009; 1240; pp. HB4-HB6, HB8, HB10, HB12,

HB14. Retrieved from

http://search.proquest.com/docview/229192429?accountid=8289

Roman, R., Najera, P., & Lopez, J. (2011). Securing the Internet

of Things. Computer, 44(9) pp.51-58, Sept. 2011 doi:

10.1109/MC.2011.291. Retrieved from

http://ieeexplore.ieee.org.ezproxy2.apus.edu/xpls/abs_all.jsp?arnumber=6017172&tag=1

Sandler, K., Orhstrom, L., Moy, L., & McVay, R. (2010). Killed by

Code: Software Transparency in Implantable Medical Devices.

Software Freedom Law Center website online, July 21, 2010.

Schaffer, G. (2006) Worms and Viruses and Botnets, Oh My!

Rational Responses to Emerging Internet Threats. Security and

Privacy, IEEE, 4(3), pp. 52-58, May 30, 2006. Retrieved from

http://ieeexplore.ieee.org.ezproxy1.apus.edu/xpls/abs_all.jsp?arnumber=1637381

Scroxton, A. (2014). Internet of Things already stretching

networks to capacity. Computer Weekly website online, June 30, 2014.

Retrieved from

http://www.computerweekly.com/news/2240223584/Internet-of-Things-already-stretching-networks-to-capacity

Siciliano, R. (2014). How the Internet of Things Can Go Very

Wrong. Robert Siciliano [weblog] online, November 25, 2014. Retrieved from

http://robertsiciliano.com/blog/2014/11/25/how-the-internet-of-things-can-go-very-wrong/

Slabodkin, G. (2014). Health IT SOFTWARE Act: What It May Mean.

Information Management website online, December 8, 2014. Retrieved from

http://www.information-management.com/news/Software-Act-2015-Healthcare-FDA-Information-Tech-10026317-1.html

Stammberger, K. (2009). Current Trends in Cyber-Attacks on Mobile

and Embedded Systems. Embedded Computing Design website online,

September 29, 2009. Retrieved from

http://embedded-computing.com/article-id/?4226#

Swan, M. (2012). Sensor Mania! The Internet of Things, Wearable

Computing, Objective Metrics, and the Quantified Self 2.0.

Journal of Sensor and Actuator Networks, 1(3), November 8, 2012. Retrieved

from http://www.mdpi.com/2224-2708/1/3/217/htm

Vidalis, S., & Angelopoulou, O. (2014). Assessing Identity Theft

in the Internet of Things. IT CoNvergence PRActice (INPRA), 2(1),

14-20.

Violino, B. (2014). Research: Internet of Things Becomes Big

Priority. Information Management website online, November 19, 2014.

Retrieved from

http://www.information-management.com/news/IoT-Internet-of-Things-Forrester-Research-Forecast-10026262-1.html

Virkki, J. & Chen, L. (2013). Personal Perspectives: Individual

Privacy in the IoT. Advances in Internet of Things, 2013, 3, pp. 21-26.

Retrieved from http://dx.doi.org/10.4236/ait.2013.32003

Vockley, M. (2012). Safe and secure? Healthcare in the

cyberworld. Biomedical Instrumentation & Technology, 46(3), 164-173.

doi:10.2345/0899-8205-46.3.164

Weber, R. (2010). Internet of Things – New security and privacy

challenges. Computer Law & Security Review, 26(1), January 2010, pp. 23-30.

Retrieved from

http://www.sciencedirect.com/science/article/pii/S0267364909001939

Wirth, A. (2011). Cybercrimes Pose Growing Threat to Medical

Devices. Biomedical Instrumentation and Technology, January/February 2011.

Retrieved from

https://aami.org/hottopics/cybersecurity/AAMI/2011JF_CyberCrimes.pdf

Annotated Bibliography

ABI Research. (2014). The Internet of Things Will Drive Wireless

Connected Devices to 40.9 Billion in 2020. ABI Research website

online, August 20, 2014. Retrieved from

https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect

This article, authored by ABI Research, discusses the IoT’s

potential growth, market share and factors which are set to

catapult this fairly new segment of the consumer market into a

major player in global economic structures. The article gives

figures for the estimated current usage of IoT devices and also

projects the growth for the popularity of these devices in the

coming years. The article also discusses new communications

technologies which will require some original equipment

manufacturers to greatly rethink their current communications

infrastructure for IoT devices. The method of delivering the

convenience of IoT via new technologies is also discussed, including

the thin film process of creating printed electronics.

This article is pertinent to the student’s research in that it

gives estimates of the scope of the IoT and provides some

indication of the magnitude which the IoT will have in the very near

future. The article also takes into account technologies which

are currently being developed which could further innovate the

ways in which the IoT is able to provide services to its growing

number of users worldwide.

Beaver, K. (2014). Securing the Internet of Things. TechTarget

website online, August 2014. Retrieved from

http://searchsecurity.techtarget.com/feature/Securing-the-Internet-of-Things

This article published on the website TechTarget.com gives an

overall view of how cybersecurity professionals should

approach the problems associated with the trials of

integrating security for the IoT into their existing security

policies. The author, Kevin Beaver, a 25-year veteran of the

cybersecurity profession who specializes in performing

independent security vulnerability assessments of network

systems, as well as Web and mobile applications, gives a good

overall explanation of the actions which need to be taken to

control the new challenges presented by the IoT. Beaver

suggests asking what role will existing security policies

play; will new security policies be required; who will be

responsible for enforcing policies associated with the IoT;

and who is going to be monitoring the IoT in order to get

individual entities ready for the challenging environment the

IoT will present. The author points out that the IoT is

coming and security professionals everywhere should seriously

consider updating policies and procedures in order to rein

in the security dangers that the IoT presents. The author

ends the article by saying “any positive action toward a

better, more secure IoT will provide many long-term payoffs

for the business as a whole” (para. 10).

The warnings to cybersecurity professionals contained in this

article will be helpful in giving meat to the argument the

student intends to put forth that not being properly prepared

for the coming IoT will be dangerous and foolish for

cybersecurity professionals. The article puts forth some

no-nonsense suggestions with respect to the IoT which the

student feels will be beneficial for his study.

Beware security pros: The wearable revolution is coming. (2014).

Information Management, 48(3), 7. Retrieved from

http://search.proquest.com/docview/1548702550?accountid=8289

This article published in Information Management magazine in

May/June of 2014 explains wearable technology and the security

threat that this new technology poses to a burgeoning area of

cyber security, that being the Internet of Things. The article

quotes the Chief Security Architect at RSA, Rashmi Knowles, and

provides a short but concise overview of what security threats

this new wearable technology poses for security professionals.

This article adds depth to the discussion of wearable technology

that the student brings up in his paper through the quoting of

the noted security expert Rashmi Knowles and thereby adds

validity to the argument that better and more comprehensive

security policies are needed right away to handle the onslaught

of new devices which will be connecting to the Internet in the

very near future.

Bradley, T., Thibodeau, P., & Ng, V. (2014). The Internet of

Things: Threats and Challenges. Network World Asia website online,

March/April 2014.

This article, written by Tony Bradley, Patrick Thibodeau, and

Victor Ng for Network World Asia in March 2014, covers some

of the threats, privacy issues, and interoperability concerns

related to the IoT. The authors of this article quote noted

Cisco Systems engineer Eric Vyncke, who spoke at the 2014

RSA Security Conference in San Francisco and outlined some

of the challenges and threats that the IoT poses as it

continues to expand into the daily lives of just about

everyone on the planet. Vyncke noted that the IoT has a

tremendous potential to enhance our standard of living but

also introduces risk by exposing devices that were not

vulnerable prior to the IoT.

This article also presents the problem of interoperability

and discusses the recent movement to make an open source

operating system for the IoT called AllSeen which is being

promoted by the same people who originated the open source

availability of the Linux OS. Dubbed the AllSeen Alliance,

the group is working toward a system that can help all

devices communicate with each other and also provide the

security which Linux provides to the systems using it.

Denning, D. (2009). Activism, Hacktivism, and Cyberterrorism: The

Internet as a Tool for Influencing Foreign Policy, Chapter 8.

Rand Corporation website online. Retrieved from

http://www.rand.org/pubs/monograph_reports/MR1382.html

This research was authored by Dorothy Denning and published as

Chapter 8 of the book Networks and Netwars (2010), John Arquilla, David

Ronfeldt (Ed.). In this chapter, Denning puts forth the idea that

cyberterrorism should be regarded as a viable option for use by

terrorist or other groups if not now, perhaps in the near future

and explores what those tactics would involve if brought to

fruition. The chapter also discusses the topics of activism and

hacktivism and how they use the Internet for their own purposes.

This chapter is relevant to the student’s research because it

points out the fact that cyberterrorism, although not an

immediate threat, could become a useful tool in a terrorist’s

arsenal given the correct circumstances, those being mankind’s

reliance on technology to provide services like the ones that the

IoT is poised to give them.

Dlamini, M., Eloff, M., & Eloff, J. (2009). Internet of Things:

Emerging and Future Scenarios from an Information Security

Perspective. Southern Africa Telecommunication Networks and

Applications Conference 2009.

This article was written by Dlamini, Eloff and Eloff and given at

the Southern Africa Telecommunication Networks and Applications

Conference of 2009. The article takes a critical look at the IoT

focusing on information security and how, instead of a

reactive stance, the information security industry must start to

take a more proactive focus. The article discusses the types of

threats which will be likely in the new IoT world which is fast

becoming a reality in everyday life.

This article is relevant to the student’s research in that it

examines the future of threats which will be most important for

information security professionals to pay attention to with

regard to securing the IoT. The article takes a proactive

instead of a reactive stance and points out some of the future

threats which are likely to emerge as the IoT begins to become

more of a part of everyday living.

Gartner Research. (2013). Gartner Says the Internet of Things

Installed Base Will Grow to 26 Billion Units By 2020. Gartner

Research website online, December 12, 2013. Retrieved from

http://www.gartner.com/newsroom/id/2636073

This article by Gartner Research outlines the potential growth

for the IoT in the future to include as many as 26 billion

devices by the year 2020. The article also examines the impact

that the IoT will have on security and computer networks as it

brings forth mountains of data into an already information-laden

Internet. The article also explains what devices encompass the

IoT and how their integration into the existing Internet will be

a challenge.

This article adds weight to the student’s paper by giving

estimates of the impact that the IoT will have in just six years’

time if the current rate of growth is not slowed by outside

factors such as security of data or storage of data in the cloud

computing model.

Hersent, O., Boswarthick, D., & Elloumi, O. (2012). The Smart

Grid. In The Internet of Things: Key applications and protocols.

Chichester, West Sussex: Wiley. Retrieved from

http://common.books24x7.com.ezproxy1.apus.edu/toc.aspx?bookid=46260

This book by Oliver Hersent, David Boswarthick and Omar Elloumi

discusses the key applications and protocols of the IoT that will

be used by the developers of the Smart Grid to make the Smart

Grid a reality. The authors also demonstrate how the next

generation utilities, by using the physical environment as the

IoT now does, will be able to deliver more energy with less

impact on our natural resources.

This book gives a plethora of information on how the IoT

technology can be used to revolutionize the electrical grid but

also contains a warning about the security which will be involved

with this switchover. This makes this reference topical and

relevant to the student’s research.

McBride, A., & McGee, A. (2012). Assessing Smart Grid Security.

Bell Labs Technical Journal, 17(3), 87-103. doi:10.1002/bltj.21560

The authors of this article, Alan J. McBride and Andrew R. McGee,

put forth a paper on the security of the Internet of Things

enhanced Smart Grid and what challenges are likely to occur in

building the Smart Grid based on IoT technologies. Some of the

topics discussed in this paper include data network

transformation, distributed functionality, and two-way

information flow between supplier and customer, all of which are

principal components of the Smart Grid.

This paper pertains to the student’s paper in that it discusses

the security which will be necessary for the new Smart Grid based

on the IoT technology and how those technologies will be

protected in the world of hacking that is prevalent in today’s

cyber security field.

McGillicuddy, S. (2014). Internet of Things security: Who is

responsible and how is it done? TechTarget website online, April 14,

2014. Retrieved from

http://searchnetworking.techtarget.com/news/2240218840/Internet-of-Things-security-Who-is-responsible-and-how-is-it-done

This article, written by Shamus McGillicuddy, Director of News

and Features at Tech Target, takes an overview look at who is

responsible for the security of data transmitted and stored as a

result of the IoT. The article covers such topics as what

responsibilities individual companies have to consumers, the use

of encryption, risk management, and security management to

protect data on the IoT, and who owns the security problems

associated with the IoT.

This article is germane to the student’s research in that it

covers regulation and who is responsible for the security on the

IoT and how that security will be carried out. The article also

gives practical solutions to coping with the expansion of the

current Internet to include the IoT and how organizations can

start to cope with monitoring and controlling the data flow which

is going to be introduced to their systems.

Mont, J. (2014). Next Up: Regulating the Internet of Things.

Compliance Week 11(126), p. 14-15, July 2014.

This article by Joe Mont writing for Compliance Week magazine in

July 2014, examines how regulators are currently struggling

with beginning to regulate the IoT with regard to what data is

being collected, how it is aggregated, and how it is being used.

The article covers the legal issues that regulators are facing

with regard to the reworking of what is to be identified as PII

on the IoT and, if that PII is compromised, stolen or otherwise

used by persons or entities not authorized to access this data, how

the legal system will deal with it. The article also gives advice to

businesses trying to rework their stated privacy policies to “do

what you say you will do” with regard to protecting an

individual’s privacy on the IoT.

This article is applicable to the student’s research in that it

gives an indication of the current state of regulation and what

businesses must do in order to remain in compliance with data

privacy constraints in the changing world of the IoT. The

article is also relevant in that it outlines some of the

questions which the FTC is trying to work through in formulating

new regulations to deal with the data that will be available from

billions of IoT-connected devices.

Orebaugh, A. (2013). Secure all the (Internet of) Things.

TechTarget website online, December 2013. Retrieved from

http://searchsecurity.techtarget.com/feature/Secure-all-the-things

This article by Angela Orebaugh, a security professional who

works for Booz Allen Hamilton, outlines the measures and policies

that need to be taken to protect the IoT from a security

standpoint. The article discusses what the IoT is, how it

communicates, and what issues confront security professionals as

more and more of these devices are added to the Internet.

Orebaugh states that the security of the IoT rests with the

professionals who must take a proactive stance in order to avoid

exploitation chaos in a catch-up scenario that could take years

to get control of.

This article fits the student’s research in that it gives an

overall perspective of the security which the IoT needs to have

in order to function successfully in the scheme of things on the

Internet. It gives examples of what security measures must be

taken to ensure that the IoT does not become a security

catastrophe. The article also gives a perspective on how

security can be built into the IoT from start to finish.

Paganini, P. (2014). Internet of Things – Security and privacy

issues. Security Affairs website online, December 13, 2014. Retrieved from

http://securityaffairs.co/wordpress/31062/cyber-crime/internet-of-things.html

This article by Pierluigi Paganini outlines the presentation

Paganini made at the ISACA Roma & OWASP Italy conference. In

this presentation Paganini outlines the issues surrounding the

implementation, operation, and security of the IoT. The

presentation includes details of the diffusion of the IoT

devices, forecast on its growth and information related to the

economy behind the paradigm. The presentation also explores the

possible misuses (i.e. DDoS, malware, thingbot) of the IoT

devices, analyzing threat actors and the attack techniques

implemented in real cases.

This article and presentation are relevant to the student’s

research as it covers many of the areas which the student will

cover in this paper. Being that the article was written by

Pierluigi Paganini, one of the top security experts today, it

provides a well-informed opinion on how the IoT will develop,

integrate into society, and perhaps be a security threat as it

integrates into the Internet.

Rogers-Nazarov, A. (2009). The Internet of Things. Information

Week, September 7, 2009; 1240; pp. HB4-HB6, HB8, HB10, HB12,

HB14. Retrieved from

http://search.proquest.com/docview/229192429?accountid=8289

This article, written by Amy Rogers-Nazarov in 2009, outlines

the myriad of possibilities for connection of ‘things’ to the

IoT and how data from these objects could be used for good

and bad purposes. Also, the article touches on the security

needed to ensure that data is kept secure and how the data

must be shared to some extent between all entities to be

effective. With this issue, the author states, quite

rightly, that some may not want some particular data shared

with everyone and everything out there and that rules

governing how data is to be shared, with whom, and for how

long a period of time must be formulated.

This article delves into several areas where the student

feels that the information included may be of great use to

his study. The article states information and gives examples

of how information on the IoT is already being shared and how

the data has the potential for being shared in the future.

The article also points out that with all this data out there

the consumption of this data must be controlled in some

fashion so that an information overload does not sweep the

globe. This is another area in which the student plans to

use the information contained in this article.

Roman, R., Najera, P., & Lopez, J. (2011). Securing the Internet

of Things. Computer, 44(9) pp.51-58, Sept. 2011 doi:

10.1109/MC.2011.291. Retrieved from

http://ieeexplore.ieee.org.ezproxy2.apus.edu/xpls/abs_all.jsp?arnumber=6017172&tag=1

This article by Rodrigo Roman, Pablo Najera, and Javier

Lopez, of the University of Malaga, Spain, covers the

challenges of protocol and network security, data and

privacy, identity management, trust and governance, and

fault tolerance for the IoT. The authors state that in the

IoT every physical object has a virtual presence which will

be able to consume and produce services and such “extreme

interconnection” (para. 1) will bring extreme convenience

and economy but will also require novel approaches to

make the system safe and ethical.

The concept of security on the IoT is of great concern to

everyone involved in the development and future use of the

IoT. It is for this reason above all else that the student

selected this article for use in his project paper. Without

the proper mix of convenience, utility, and safety, the IoT

will run virtually out of control and give attackers another

playground in which to exploit the personal data of everyone

connected to the IoT.

Sandler, K., Orhstrom, L., Moy, L., & McVay, R. (2010). Killed by

Code: Software Transparency in Implantable Medical Devices.

Software Freedom Law Center website online, July 21, 2010.

This article, written by Karen Sandler, Lysandra Orhstrom, Laura

Moy, and Robert McVay in 2010, makes the case for free and

accessible software for medical devices which are being implanted

at an astonishing rate in patients all over the world. The

article also makes the point that the current state of medical

devices is precarious at best with regard to security and many

other aspects of their manufacture, use, and operation. Later,

the article notes that medical device manufacturers’ liability

for injury or death in some circumstances is a murky topic at best

as it is currently handled.

This article is germane to the student’s research in that it

points out a very important flaw in the current state of medical

device technology and how the freeing of software from

proprietary boundaries would eventually lead to a much more

secure and safe environment for the patients who depend on these

devices for daily life sustainment.

Schaffer, G. (2006) Worms and Viruses and Botnets, Oh My!

Rational Responses to Emerging Internet Threats. Security and

Privacy, IEEE, 4(3), pp. 52-58, May 30, 2006. Retrieved from

http://ieeexplore.ieee.org.ezproxy1.apus.edu/xpls/abs_all.jsp?arnumber=1637381

This article was written by Gregory P. Schaffer, chief security

officer for Alltel communications. In this article the threats

caused by botnets, a network of computers which are infected with

a virus, worm or other malware and taken over by an attacker for

many nefarious uses, are explored. Topics covered by Schaffer in

this article include the emerging bot threat, an overview of

botnets and how they function, distributed denial of service

attacks (a botnet’s most useful function), response options, and

the legal options under the Computer Fraud and Abuse Act. Also

covered in this article are defense strategies and other ways in

which an enterprise can protect itself from becoming a victim of

a botnet attack.

This article is of relevance to the student’s paper as it

describes how botnets function and what their primary uses are in

the hacker community. This type of attack is extraordinarily

relevant to the student’s topic as this attack strategy will be

used in future attacks on enterprises and others using the IoT as

a launching pad.

Scroxton, A. (2014). Internet of Things already stretching

networks to capacity. Computer Weekly website online, June 30, 2014.

Retrieved from

http://www.computerweekly.com/news/2240223584/Internet-of-Things-already-stretching-networks-to-capacity

This article, written by Alex Scroxton, Networking Editor at

Computer Weekly, covers the concerns of some network

professionals who fear that the flood of IoT devices on their

networks may become a deluge. The article gives statistics from

a survey conducted by the computer information firm Infoblox

where IT professionals were surveyed on a number of topics to

include readiness to handle the influx of IoT devices, concerns

that their networks are already at capacity, and problems with IT

departments not being included in business decisions to adopt IoT

devices into their networks.

This article is relevant to the student’s research in that it

gives a professional outlook for the integration of the IoT into

networks which may not be prepared for the capacity the IoT will

need. The growing concern of IT professionals that their networks

may already be operating at capacity and may not be adequately

prepared to take on any other devices is relevant to the student’s

research as well.

Siciliano, R. (2014). How the Internet of Things Can Go Very

Wrong. Robert Siciliano [weblog] online, November 25, 2014. Retrieved from

http://robertsiciliano.com/blog/2014/11/25/how-the-internet-of-things-can-go-very-wrong/

This article, written by Robert Siciliano, personal security and

identity theft expert, outlines the various points in the IoT

which are open to attacks. Siciliano notes that hacking of such

things as medical devices, airline satellite equipment, and TSA

carry-on baggage scanners is possible and instructs the public

not to worry about these avenues but to do something about them

and protect them against attack. Siciliano notes that at a

minimum consumers should lock down their wireless routers with

encryption to keep them safe and take all measures (antivirus,

antiphishing, antispyware, and firewalls) to secure their access

to the Internet.

This article is relevant to the student’s research in that it

gives examples of where the IoT is vulnerable and gives

instruction on where and how to protect the devices which already

exist in preparation for connection with devices in the future which

may or may not have the same level of protection.

Slabodkin, G. (2014). Health IT SOFTWARE Act: What It May Mean.

Information Management website online, December 8, 2014. Retrieved from

http://www.information-management.com/news/Software-Act-2015-Healthcare-FDA-Information-Tech-10026317-1.html

This article, written by Greg Slabodkin for Information

Management online, discusses the recent movement of the SOFTWARE

Act and its companion bill the PROTECT Act through the Congress.

The article outlines the background of the two pieces of

legislation and how they will impact the way that medical

software is regulated by the FDA in the future. The author of

the article quotes two different groups, one for and one against

the legislation, and lists the bills’ major pros and cons.

This article is pertinent to the student’s research as it

complements another resource which the student already used to

outline the progress which is being made in the area of

regulation of healthcare software and how it pertains to patients’

health and safety.

Stammberger, K. (2009). Current Trends in Cyber-Attacks on Mobile

and Embedded Systems. Embedded Computing Design website online,

September 29, 2009. Retrieved from http://embedded-computing.com/article-id/?4226#

This article by Kurt Stammberger, who chairs the security working

group for the IP for Smart Objects (IPSO) Alliance, contains

information on the state of hacking trends in 2009 and gives

advice on ways to mitigate the threat from hacking. This article

also contains a graphic which the student borrowed to illustrate

the reach of the IoT.

The student used relevant parts of this article, including a

graphic representation, to further his research into

vulnerabilities in the IoT. The article is relevant to the

student’s research in that it discusses the burgeoning threat

profile involved with the rapid expansion of the IoT and what can

be done by security professionals to help thwart the abuse of the

IoT.

Swan, M. (2012). Sensor Mania! The Internet of Things, Wearable

Computing, Objective Metrics, and the Quantified Self 2.0.

Journal of Sensor and Actuator Networks, 1(3), November 8, 2012. Retrieved

from http://www.mdpi.com/2224-2708/1/3/217/htm

This paper was written by Melanie Swan in 2012 for the Journal of

Sensor and Actuator Networks. The paper outlines the ways in which the

IoT is generating its own ecosystem of systems and networks

specifically to manage this emerging technology. The paper also

gives details on the different kinds of devices which are rapidly

being introduced into the IoT, the software processing and data

transmission as well as the ways in which all the data being

created will be stored, used, and possibly hijacked by attackers

for various nefarious reasons.

This paper fits well into the research for the student’s paper in

that it gives a far-reaching look into the IoT and explains many

of the facets of the IoT in great detail. This paper is also

pertinent in that it explains the reasons why medical devices are

at risk from attackers.

Vidalis, S., & Angelopoulou, O. (2014). Assessing Identity Theft

in the IoT. IT CoNvergence PRActice (INPRA), 2(1), 14-20.

In this article by Stilianos Vidalis, University of

Staffordshire, UK and Olga Angelopoulou, University of Derby, UK,

the possibilities of conducting identity theft using the IoT are

contemplated. The article explores the identity cyberattacks

which can be carried out against the IoT and also presents a

vulnerability assessment model which tries to predict how an

environment can be influenced by identity cyberattacks.

This article explores the various ways that the IoT can be

exploited for identity theft purposes and thereby fits well into

the research that the student is conducting on this subject.

This article also breaks down a vulnerability assessment model

which could be of assistance in the student’s paper.

Violino, B. (2014). Research: Internet of Things Becomes Big

Priority. Information Management website online, November 19, 2014.

Retrieved from

http://www.information-management.com/news/IoT-Internet-of-Things-Forrester-Research-Forecast-10026262-1.html

This information-packed article by Bob Violino, an expert in

the cyber security world, gives an insight into the world of

business and the IoT. Violino notes that research done by

Forrester Research recently shows that executives in a number

of business areas are looking to IoT technologies as a way to

address a variety of strategic, operational and business

challenges. Violino also notes that the research done by

Forrester shows that roughly three-quarters of companies

which they surveyed are already working on IoT solutions and

have deployed or are in the process of deploying IoT

products. The article finally notes that key enterprises

globally are gearing up to become part of the IoT to “arm

themselves with the real-time data and intelligence to become

smarter and more connected” (para. 5).

This article gives credence to the importance of the IoT to

businesses around the globe and how it will be positioned to

provide consumers with the convenience and economy that will

make these IoT products desirable and in some cases

inescapable. The student plans to use information from this

article to show the global dominance of the IoT and how

executives plan on using the IoT products in the future.

Virkki, J. & Chen, L. (2013). Personal Perspectives: Individual

Privacy in the IoT. Advances in Internet of Things, 2013, 3, pp. 21-26.

Retrieved from http://dx.doi.org/10.4236/ait.2013.32003

This research on the IoT, conducted by Johanna Virkki, of

the Department of Electronics and Communications

Engineering, Tampere University of Technology, Tampere,

Finland, and Liquan Chen, of the School of Information

Science and Engineering, Southeast University, Nanjing,

China, in 2013 focuses on the individual opinions on the IoT

and the opinions on the issue of privacy as it relates to

the IoT given by 22 people working with different aspects of

IoT development in Finland and China.

The researchers in this study concluded that generally, the

22 people surveyed felt that the use of the IoT would become

mandatory sometime in the future and most agreed that

personal privacy protection of the data transmitted via the

IoT is the most important aspect for developers and

researchers to focus on. The researchers also noted that

the subject of personal privacy elicited more concern in

China than it did in Finland, which was an unexpected result.

This research is relevant to the student’s project in that

it gives the opinions of people who work in the development

of the IoT in two countries and delves into the issue of

personal privacy.

Vockley, M. (2012). Safe and secure? Healthcare in the

cyberworld. Biomedical Instrumentation & Technology, 46(3), 164-173.

doi:10.2345/0899-8205-46.3.164

This article by Martha Vockley, principal of VockleyLang, LLC, a

communications and marketing firm based in Reston, VA, covers the

threats to medical networks from internal (insider) and external

(hackers) threats. It also includes mention of the ever-growing

number of wireless medical devices which can lead a hacker into a

larger network-based medical system through exploitable

vulnerabilities in those devices.

This article is relevant to the student’s research as it contains

the exploits to be found on a larger medical network that are

originally obtained through hacking of medical devices which

communicate via the IoT to the larger networks of medical

systems.

Weber, R. (2010). Internet of Things – New security and privacy

challenges. Computer Law & Security Review, 26(1), January 2010, pp. 23-30.

Retrieved from

http://www.sciencedirect.com/science/article/pii/S0267364909001939

The author of this article, Rolf H. Weber, writing for Computer

Law and Security Review magazine, outlines the EU efforts to control

and regulate the IoT. Weber covers such areas in this article as

the notional and technical background of the IoT, security and

privacy needs of the IoT, milestones for an adequate legal

framework for the IoT, and the overall outlook for the future of

the IoT.

This article fits the student’s research as it gives the overall

perspective of the topic of the IoT from the standpoint of the EU

and what measures are being, and will be, taken by the EU in the

future. The article encompasses an overview of all the actions

that the EU is taking on all fronts and thereby adds some good

content to the arguments presented by the student.

Wirth, A. (2011). Cybercrimes Pose Growing Threat to Medical

Devices. Biomedical Instrumentation and Technology, January/February 2011.

Retrieved from

https://aami.org/hottopics/cybersecurity/AAMI/2011JF_CyberCrimes.pdf

The author of this article is Axel Wirth, MS, National

Healthcare Solutions Architect at Symantec Corp., a global

computer software and services company. The article

addresses the many security problems which medical devices

have currently in their design and regulation and how these

problems can and must be overcome in order to prevent cyber-

attacks. The article also discusses the protection of health

information stored and forwarded by these devices and the

vulnerabilities that are present due to regulatory, design,

and cyber security concerns.

This article provides the student with substantiation for

claims that vulnerabilities to medical devices could be used

by criminals or terrorists to cause harm or death to patients

outfitted with these devices by targeted hacking of the

vulnerabilities these devices now present.