RUNNING HEAD: THE INTERNET OF THINGS 1
American Public University System
American Military University
The Internet of Things: The Next Major Concern for Cyber Security Professionals
Date: December 21, 2014
Timothy Brian Miller
Session #I001 Fall 2014
Submitted in partial fulfillment of the degree requirements for the
BA in Security Management
Abstract
This qualitative study will utilize a case study methodology to
explore the current scope and reach of the Internet of Things and
examine whether the cyber security industry is prepared to deal
with the challenges that having millions of devices communicating
over the Internet will bring. The study will also examine the
vulnerabilities which will arise with regard to the Internet of
Things being used for illegal or terroristic activities and how
industry security professionals will need to react to these
contingencies. This study will also examine the security of the
Internet of Things and what more needs to be done to secure the
data which these billions of devices transmit via the Internet.
Introduction
Problem Statement
Managing security in cyberspace is difficult at best, chaotic
at worst. There is a growing number of devices today which
connect via the Internet. Some of these devices communicate
without any human intervention and are known as the Internet of
Things (IoT). At first glance it may appear that the addition of
IoT devices in the near future may not be much of a problem.
However, Gartner Research (2013) estimates there could be as many
as 26 billion devices in the IoT by the year 2020 (para. 1). The
question then becomes, will the security concerns of this
burgeoning sector of the information technology industry be
adequately addressed by the corporate world or is a more
concerted, industry-wide and governmental effort on the part of
cyber security professionals warranted to protect these
additional devices from exploitation, attacks and hijacking? To
put this problem into some perspective, a survey of nearly 600
information technology and business executives in the retail,
consumer products, manufacturing, transportation, government,
oil/gas, healthcare and hospitality industries shows that over
80% believe IoT solutions will be the most strategic technology
initiative for their organizations in a decade (Violino, 2014,
para. 2). To make the point of IoT security more succinctly,
however, one must consider that within the IoT are objects which
sustain life such as insulin pumps and heart monitoring and
controlling devices. Experts in cyber security such as Robert
Siciliano (2014) have noted that the U.S. Food and Drug
Administration (FDA), which is currently in charge of setting
standards for medical equipment usage, is quite new to handling
problems of this kind and this fact should be of concern to
patients whose lives depend on the proper day-to-day functioning
of these devices (para. 2). The security of how and what these
IoT devices transmit over the Internet is currently controlled by
corporate entities or other organizations leaving these devices
open to potential exploitation by criminals or even terrorists.
Purpose Statement
The purpose of this qualitative research study is to examine
the more commonly utilized devices included in the IoT which are
vulnerable to exploitation, attack or hijacking, and what effect
the exploitation of these devices would have on the entities
which use them. Additionally, will the IoT become a means for
illegal or terrorist activity, what measures need to be taken to
arrest the manipulation of these devices, and is a more
cooperative and concerted effort on the part of private and
public cyber security professionals warranted? To realize a
solution to the problems noted, a mixture of academic,
professional and other resources will be utilized.
Research Questions
Q1. Which types of devices connected to the Internet are the
most vulnerable to exploitation?
Q2. What would be the impact on entities which utilize
devices connected via the Internet if these devices were subject
to attacks in transmission security or other exploits by criminals
or terrorists?
Q3. What measures need to be taken to address security on the
IoT and who is to be responsible for providing this security?
Key Points Addressed
P1. Devices which comprise the IoT and how human interaction
with these devices becomes a potential security problem
P2. Devices which are tempting targets for attackers and how
they can be exploited
P3. Criminal or terrorist uses for the IoT
P4. IoT cyber security: Cyber security professionals’
responsibilities and why a more proactive stance is needed
P5. Policing the IoT: Governmental or private industry
responsibility?
Proposed Methodology/Research Strategy
For this project the student will be using the qualitative
method of research with a case study approach. This case study
approach of the IoT will detail the security concerns generated
by the expected explosion of devices into the IoT within this
decade. Inductive reasoning will be utilized to bring into focus
the broad nature of the IoT with the ultimate goal of this
research being to ascertain whether the IoT needs more security
and if so what kinds of events would the extra security work to
alleviate.
Research for this project will be from peer-reviewed American
Public University System and Internet sources, focusing on the
ways in which the IoT is vulnerable and how it can or must be
protected against exploitation of these vulnerabilities. The
student will not be using first hand studies for this project due
to the complexity of such studies and because of time constraints
placed on the student to finish and submit this project.
Assumptions
The student realizes that situations could arise that would
serve to slow or speed up the process of his research, such as
the sheer volume of recently published information on the IoT,
and the student realizes that this sets up the potential for
information overload in his research efforts but this is not a
noted problem as of the time of this writing. Should any
problems of this sort or others arise, the student is confident
that through consultations with his instructor any problems can
be dealt with in a manner which will not be detrimental to the
student’s research.
Scope
The scope of this study will be to identify devices
comprising the IoT which present the highest probability for
exploitation of their security vulnerabilities in order to cause
harm or injury in some way to the user of these devices. The
project will then proceed to define the ways in which the
selected devices could be used for illegal or terroristic
purposes. Finally, this study will suggest some preventative
measures which if taken will protect the IoT from those who would
wish to use the connected devices to cause harm or other such
circumstances to the users of the IoT.
Limitations
The student sees very little at this point which would impede
the successful completion of this study. However, if such
impediments do arise, such as new devices for which there is
little or no associated research, the student will deal with them
in consultation with his instructor.
Body
The job of securing the varied facets of the Internet and the
devices which access it is a daunting task even in the best of
times. However, the recent introduction of machine to machine
(M2M) communications into this equation only serves to complicate
an already multifarious situation. According to research
conducted by Roman, Najera, and Lopez of the University of Madrid
(2011), traditional protection mechanisms such as “lightweight
cryptography, secure protocols, and privacy assurance” (p. 51)
are not sufficient to protect this new M2M infrastructure and
further note that security professionals and researchers need to
scrutinize existing security protocols and determine if they are
worth integrating into the IoT or whether new designs are
necessary. In the interim security professionals must not only
deal with users and systems that interact via the Internet but
now must also account for a complex set of independent devices
which communicate via the Internet without any human
intervention.
The IoT can be thought of essentially as a “gateway between
the digital world and the physical world” (Orebaugh, 2013, para.
3) in which devices are enabled to communicate with the physical
world around them via digital means. The devices that make up
the IoT use a plethora of different ways to communicate their
data, for example RFID, Bluetooth, WiFi, Z-Wave and ZigBee, each
of which must be secured to protect the integrity and privacy of
the information being transmitted. The IoT currently is, for the
most part, made up of devices which provide users comfort,
convenience, safety, and life-sustaining services. Some of these
devices include household appliances such as Smart thermostats
which can adjust the temperature of a home or business when no
occupants are present, thereby saving money on heating and air
conditioning, Smart refrigerators which can indicate to their users
when they are running low on milk or other items by reading
RFID tags embedded in the product packaging, and Smart
TVs which can suggest programming based on one’s viewing history
and preferences. The IoT also includes many devices which
provide for safety such as traffic control devices which adjust
for changing conditions in volume of traffic or changing weather
conditions and Smart devices in cars utilizing GPS technology
which can suggest alternate routes if there is traffic
congestion, road construction, or even to avoid the scene of an
accident. Another area where the IoT is providing services is in
the area of life-sustaining or life-saving devices such as
pacemakers, automatic defibrillators, insulin pumps and devices
which dispense chemotherapy or other drugs into a person’s system
automatically without the inconvenience of visiting a doctor’s
office. Also in the health and fitness area there is currently
an explosion of what is being called wearable technology. These
devices collect, store, and communicate data such as a person’s
location and how far they have traveled during a certain time
frame and a multitude of biological readings including heart and
respiration rates, rate of perspiration and blood glucose levels.
With the spread of these new technologies, security experts like
Rashmi Knowles, chief security architect at RSA, EMC's security
division, as quoted in an article in Information Management (2014),
note that as wearable technologies make their way into the
workplace, they represent a “multiplication of potential attack
surfaces” (para. 4) affecting a wide range of security policies.
Figure 1 indicates just a few of the many items which make up the
IoT and how they potentially interact in the digital world.
Figure 1: The Internet of Things connections (Stammberger, 2009).
ABI Research (2014) estimates that the number of devices
connected to the IoT will exceed 16 billion units for 2014 and
will reach a staggering 40.9 billion units by the year 2020
(para. 1). Gartner Research (2013) also suggests that the number
of IoT devices could top 26 billion by the year 2020 (para. 1).
These figures represent a growth of somewhere between 150% and
250% in the next 6 years alone and from those estimates it is
easy to see how the IoT is poised to become the biggest security
concern since the introduction of “Bring Your Own Device” in the
early 21st century. Pierluigi Paganini, an expert in security
matters and noted security management specialist, used Figure 2
below in a recent presentation at the ISACA Roma & OWASP Italy
conference, “The State of the Art for the Internet of Things
Paradigm” (Paganini, 2014, slide 5) to emphasize the explosive
growth the IoT is going to go through in the coming years.
Figure 2: The Internet of Things growth scenario.
Alternatively, when considering the IoT from a security
standpoint it becomes clear that all this convenience does not
come without a price. The increased hacking of computer systems
around the world demonstrates that attacks are turning from
nuisance attacks to ones which involve some sort of financial
gain or with the objective of interrupting services. With
security of the IoT in its infancy, stepped up hacking can be
expected because of the ease of accomplishing such attacks on the
IoT infrastructure. One of the many attacks which may be carried
out in the IoT is identity theft. Vidalis and Angelopoulou
(2014) note that such identity theft attacks on the IoT can be
carried out either by spoofing the IP address of a device or by
spoofing ARP and using the MAC address to gain access (p.
16).
In researching its structure, the IoT can generally be
divided into three categories in line with how devices are
marketed to and used by consumers and other organizations. These
categories, according to Melanie Swan, writing for the Journal of
Sensor and Actuator Networks (2012), include “monitoring and
controlling the performance of homes and buildings, automotive
and transportation applications, and health self-tracking and
personal environment monitoring” (para. 2). A further
examination of two of these categories gives a more detailed
explanation of how devices within these categories are vulnerable
to security exploits.
In the area of health-tracking, there are a growing number of
life-sustaining and life-saving devices being connected to the
IoT. These devices present vulnerabilities both in how they are
manufactured and maintained and in the way in which they
communicate with other systems and devices. First, and most
importantly, the design, manufacturing, and distribution of such
devices are strictly controlled by the FDA so as to protect the
integrity of the devices and the information they store and
transfer to other networks. However, currently this compliance
model stipulates that the manufacturer alone is responsible for
device configuration. This means that the end users, including
the doctor, the patient, and even the health industry information
technology professional, are essentially locked out of the
device’s operating software and the ability to make changes or
install secondary cybersecurity measures when vulnerabilities are
discovered (Wirth, 2011, p. 27). This is where regulatory
changes must be made by the FDA in order to make these
life-saving and life-sustaining devices less vulnerable to attack and
exploitation.
The healthcare industry is also becoming heavily invested in
the IoT through their use of implantable medical devices which
are surgically implanted into a patient’s body. According to
Sandler, Orhstrom, Moy, and McVay (2010), in 2008, in the United
States alone some 350,000 pacemakers and 140,000 implantable
cardioverter defibrillators (ICD) were implanted (p. 3). Once
implanted, ICDs can provide medical professionals with data such
as electrocardiogram readings via a wireless connection to the
Internet. Additionally, medical professionals can modify device
settings without invasive surgery using the same Internet
connection. According to Sandler et al., a recent study by
researchers from three universities partially reverse-engineered
the communications module from a 2003 model ICD and launched
several wireless attacks from close range (p. 3). In the study
researchers were able to access the device’s programming module
and send commands to disable the device and also to command the
device to deliver multiple shocks consecutively to the device (p.
3). It was also discovered that the device could be ordered to
remain “awake” instead of returning to a standby mode after
transmission of data, causing the battery of the ICD to be
exhausted much more quickly and thereby requiring that the device be
extracted earlier than planned from the patient (p. 3). The
study concluded that the software which controls the ICD needs to
be patched or completely rewritten so that the device can
distinguish between signals from a proper authority and an
attacker and also noted that it would be very easy to engineer a
device as small as a cellular phone which could cause havoc in
situations like a crowded subway, mall or anywhere else where
people gather “sending its heart attack command to random
victims” (p. 3). This study shows the dangers of the medical
devices in general which are connected via the IoT if security is
not integrated into the devices from the development and
manufacturing stages.
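An added example, not from this paper or from any real ICD: a minimal sketch of how a receiver could distinguish a programmer's commands from an attacker's, using an HMAC tag over a monotonically increasing counter and a cap on rejected frames before the radio returns to standby. The key, frame layout, command names and limits are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32          # HMAC-SHA256 output size
MAX_BAD_FRAMES = 3    # assumed budget of rejected frames per wake-up
# Hypothetical command names modelled on the actions the study describes.
COMMANDS = {"READ_ECG", "SET_THERAPY", "DISABLE_THERAPY", "DELIVER_SHOCK"}


def make_frame(key: bytes, counter: int, command: str) -> bytes:
    """Programmer side: 8-byte counter | ASCII command | HMAC-SHA256 tag."""
    body = struct.pack(">Q", counter) + command.encode("ascii")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Device side: runs a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0   # highest authenticated counter seen so far
        self.bad_frames = 0
        self.awake = False
        self.executed = []

    def wake(self) -> None:
        self.awake = True
        self.bad_frames = 0

    def _check(self, frame: bytes):
        """Return (reason, command); reason is 'ok' when the frame passes."""
        if len(frame) <= 8 + TAG_LEN:
            return "short frame", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad tag", None
        # Counter and command are parsed only after the tag has verified.
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return "replayed or stale counter", None
        self.last_counter = counter
        command = body[8:].decode("ascii", "replace")
        if command not in COMMANDS:
            return "unknown command", None
        return "ok", command

    def handle(self, frame: bytes) -> str:
        if not self.awake:
            return "ignored: radio asleep"
        reason, command = self._check(frame)
        if reason == "ok":
            self.executed.append(command)
            return f"executed: {command}"
        self.bad_frames += 1
        if self.bad_frames >= MAX_BAD_FRAMES:
            # Fail back to standby so junk traffic cannot hold the radio awake.
            self.awake = False
            return f"rejected: {reason}; returning to standby"
        return f"rejected: {reason}"


def run_demo():
    """Feed constructed frames to a receiver; return (results, executed)."""
    key = bytes(range(32))                                  # constructed demo key
    device = Receiver(key)
    device.wake()
    genuine = make_frame(key, 1, "READ_ECG")
    forged = make_frame(b"\x00" * 32, 2, "DELIVER_SHOCK")   # signed with wrong key
    tampered = genuine[:8] + b"DELIVER_SHOCK" + genuine[-TAG_LEN:]
    frames = [genuine, genuine, forged, tampered, make_frame(key, 2, "READ_ECG")]
    return [device.handle(f) for f in frames], device.executed


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

How the shared key is provisioned and how the radio is woken in the first place are outside this sketch.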
Although there is a long way to go, there has been some
movement recently in the medical device area by the U.S. Congress
to reorganize the oversight which the FDA holds over medical
devices. In October 2013, Representative (Rep.) Marsha Blackburn
(R-TN) introduced the Sensible Oversight for Technology which
Advances Regulatory Efficiency (SOFTWARE) Act of 2013 which would
amend the Federal Food, Drug, and Cosmetic Act to apply it to
medical software to the same extent and in the same manner as it
applies to devices (Congress.gov, 2013, para. 1). The SOFTWARE
Act and its companion bill in the Senate, the Preventing
Regulatory Overreach To Enhance Care Technology (PROTECT) Act,
which was introduced in early 2014, are working their way toward
passage in their respective committees in both Houses of
Congress. These acts, when they are passed by Congress and
signed by the President, will, according to Congress, “establish a
risk-based regulatory framework that reduces regulatory burdens,
promotes patient safety, and fosters innovation” (para. 6).
These pieces of legislation would separate the regulatory
responsibility for software from the device that holds it giving
the medical device industry more flexibility in designing
software which could be updated or patched when new threats are
discovered, much like software which is currently installed in
devices from home computers to mobile devices. The legislation
will also “exempt so-called ‘clinical software’ and ‘health
software’ from FDA oversight, leaving the regulatory agency to
focus on ‘medical software’—posing the highest risk to patient
safety” (Slabodkin, 2014, para. 2). Recently, Rep. Blackburn
made statements that she sees the bill passing the Congress in
early 2015. Rep. Blackburn also stated at a Dec. 3, 2014
Bipartisan Policy Center forum in Washington, D.C., “We think it’s
important enough that we’ve spent about a year and a half working
this legislation” (para. 4). Rep. Blackburn and her colleagues
on the House Energy and Commerce Committee have been working on
this legislation since October 2013 when it was first introduced
in order to specifically deal with the language of the
legislation before it is voted on by the Congress.
Security of medical devices is also important because when
control of these devices is compromised through exploitation of
vulnerabilities they provide gateways into larger healthcare
networks where cyber criminals can steal personal healthcare
information, alter patient records and prescriptions, and launch
denial of service attacks which could be devastating to
healthcare professionals and patients alike. Martha Vockley
(2012) points out that wired or wireless technology which
provides real-time patient data through any network, for either
centralized or remote clinical review, is particularly vulnerable
to network disruptions which could interrupt or adversely affect
patient care (p. 166). As of this writing, the FDA has not
codified into law any guidance regarding cybersecurity for
medical devices but with the imminent passage of the SOFTWARE and
PROTECT Acts in Congress this codification may be upcoming.
Another area where the IoT is already being heavily invested,
and where much vulnerability exists which will eventually be
exploited successfully by an attacker, or group of attackers, is
the utilities grid. The systems which control the water, natural
gas, and electrical grids are already beginning a transformation
to the IoT technology from remote sensing devices, alarms and
other devices. According to the Electric Power Research
Institute (2010) cybersecurity is a “critical” issue due to the
increasing potential of attacks (p. 99). As more electric
providers upgrade and change their infrastructure from its
current form to an interconnected model closely mirroring the
IoT, the opportunities for security exploitation of this new
Smart grid will increase. According to Hersent, Boswarthick, and
Elloumi (2012), as the dynamic model of the electrical grid
changes “the key assets of an energy operator will no longer be
the means of production, but the next-generation communication
network and information system”; additionally, “M2M
communications…will be key enablers for this evolution” (p.
15.1). This statement shows the elemental changes which the IoT
will bring to the electrical grid once systems are fully upgraded
and expanded.
Two of the already established key applications in the
existing electric grid structure for Smart Grid technology are
supervisory control and data acquisition (SCADA) and
teleprotection. SCADA in a power grid application, according to
McBride and McGee (2012), involves gathering data in the field
and then transmitting it to a central system for monitoring and
control of power grid devices such as remote actuators and
sensors (p. 89). Teleprotection applications on the other hand
involve the signal-aided relay-to-relay communications between
connected adjoining substations. In this system when protection
equipment at either end of this connection detects a fault then
the other end is notified and a protective action is taken such
as tripping a circuit breaker (p. 89). The remote sensing and
controlling aspects of these two applications will be key factors
in building the Smart grid. The representation in Figure 3 shows
the difference between a conventional SCADA grid design and one
enhanced by the IoT. Of note in this figure are the expansion of
the number of data points and the ability to notify first
responders, police and fire department personnel, automatically
in the event of an emergency situation.
Figure 3: Current SCADA configuration and the IoT SCADA configuration (Roman et al., 2011, p. 52).
Having discussed a few areas where the IoT is currently being
developed and integrated into society as a whole, a more
extensive examination of the attack surface for the IoT is
necessary. What attackers will be going after, for the most
part, is information that they can turn into financial gain of
some sort. In gaining information which will be financially
lucrative, identity theft is one of the most beneficial
undertakings for hackers. In an online environment, identity
theft occurs when an individual’s Personally Identifiable
Information (PII) is stolen by a hacker, then sold to a third
party who uses the PII to set up false identification documents,
bank and credit card accounts, and other ways to fraudulently use
the PII. Another area where hackers are, and will continue to
be, very active is in the disruption of networks by means of
distributed denial of service attacks, flooding attacks, buffer
overflow attacks, malware and viruses, just to name a few.
Hackers may also install root kits on a captured system to allow
them to return later and conduct further exploitation or to use
the device as a “bot”, a platform from which the hacker can
launch attacks against other systems. Botnets are dangerous due
to the fact that they give an attacker control of up to
thousands of unrelated computers, all acting under orders from a
central hacker, and with the addition of IoT devices to this
equation, perhaps billions more devices could be used. To
reinforce this point Gregory P. Schaffer (2006) quoted David
Dittrich of the Center for Information Assurance & Cyber Security
at the University of Washington as saying “conventional worms
released from a single point can take hours to circle the globe,
botnet worms can appear from multiple points simultaneously and
thus can potentially impact vulnerable hosts worldwide in
minutes” (p. 52). With the IoT poised to comprise tens of
billions of devices in as little as six years from the time of
this writing, the time to impact vulnerable hosts worldwide could
be cut down to a matter of seconds. From this perspective it is
clear that thingbotnets will have to be at the top of security
professionals’ watch lists.
Exploitation of the IoT will not be the exclusive purview of
hackers, however. Attacks with much more serious implications to
users, organizations, and governments as well will come from
criminals and in extreme cases from radical left- and right-wing
fanatics and terrorist organizations. As more functions in
society are taken over by M2M (IoT) technology and humans are
taken out of the loop in the area of oversight, the possibility
for remote-control havoc increases. With respect to the ability
for cyberterrorism to operate in the future, Dorothy Denning
(2009) in quoting Mark Pollitt, an FBI special agent, stated “As
we build more and more technology into our civilization, we must
ensure that there is sufficient human oversight and intervention
to safeguard those whom technology serves” (p. 283). This is the
danger that the IoT brings with it. At some point, as IoT
technology progresses and becomes more reliable, humans will come
to trust the IoT and rely on it to service our basic needs
without question. Successful attacks on the system will be able
to inflict the most damage on a given population once these
prerequisites are satisfied. This is another reason why security
is of prime importance in IoT infrastructure.
With all this potential for harm, the IoT is going to have to
be protected, but what measures must security professionals take
in order to protect the data that the billions of devices will
create? First, and most importantly, the real challenge for
security professionals is going to be taking a proactive stance
with respect to securing their infrastructure for the
implementation of IoT devices. However, security professionals
will not be required to start from scratch with regard to
security for the IoT. Many of the procedures and policies which
protect networks and systems now, patching, passwords, and system
monitoring, will be able to be adapted for use with the IoT. As
Kevin Beaver (2014) notes, security for the IoT is not going to
be very dissimilar from what is done now to secure any other
aspect of the network, however, new policies are likely to be
required to cover the new security situations which the IoT will
create (paras. 5-6). Beaver goes on to state that one of the
most difficult parts of securing the IoT, or protecting your
network against it, will be convincing stakeholders and users of
the need to protect networks against vulnerabilities from
“seemingly harmless devices that have minimal business purpose”
(para. 7). For example, how will security professionals convince
the C-suite that they need to pay attention to the coffeemaker in
the break room or the Fitbit devices which employees wear to keep
track of their cardiovascular exercise? Complexity is the
central issue that is going to be facing security professionals
with regard to protecting systems with connections to the IoT.
Security solutions will have to be better, faster, and cheaper
than ever before to keep pace with the growing number of threats
which will be introduced onto the Internet by the billions of
devices which will make up the IoT of the future.
Another area where problems could arise for security
professionals with regard to the IoT is in the business arena.
Some business units are knowingly, or unknowingly, keeping their
information technology (IT) departments in the dark by not
including them in the process of bringing IoT solutions into
their network. In a recent study of IT professionals conducted
by Infoblox in the U.S. and U.K., their chief infrastructure
officer, Cricket Liu, noted “IT departments have a seat at the
table when business units want to move forward with IoT
deployments but these business units often get deep into the
buying process before calling IT, sometimes forcing IT to
scramble to provide support” (Scroxton, 2014, para. 10). It is
in this area where communication among different units within a
business is going to be essential so as to have a smooth
incorporation of IoT devices into existing systems and networks.
In finding a solution to security on the IoT, will there need
to be an overall authority for regulation of the IoT and the
billions of devices which will be introduced, or will individual
industries and service providers need to formulate the
regulations which govern how data is used and who can access it?
At this point organizations and agencies around the world such as
the U.S. Federal Trade Commission (FTC) and bodies within the
European Union (EU) are beginning to construct regulations to
control access to the data created on the IoT but there is a long
way to go for even the most prepared organization. As an example
of the control that the FTC is trying to exert in this area,
according to an article in Compliance Week magazine, the FTC in
September of 2013 reached a settlement with California-based
TRENDnet, a maker of security cameras that can be monitored via
the Internet, in a case where TRENDnet failed to provide adequate
security measures to consumers even though it had stated that it
was doing so and also failed “to employ reasonable security in
the design and testing of its software” (Mont, 2014, p. 14). For
its part, the EU is also starting to address the issues of
responsibility for data security and privacy on the IoT. In a
recommendation dated May 12, 2009, the EU invited member states
to provide for guidance on the design and operation of
RFID-enabled devices in a “lawful, ethical and socially and
politically acceptable way, respecting the right to privacy and
ensuring protection of personal data” (Weber, 2010, p. 29). In
other words, the EU is trying to find a compromise among its
members on how to regulate the IoT, taking into account privacy,
security and availability of the data. The IoT will require a
very broad interpretation of privacy and other standards in order
to be accepted and implemented globally, which according to Rolf
Weber (2010), requires a “heterogeneous and differentiated legal
framework that adequately takes into account the globality,
verticality, ubiquity and technicity of the IoT” (p. 30). Many
security experts agree currently that the solution to this
problem is murky at best. Eric Hanselman, chief analyst for New
York-based 451 Research noted in a recent interview that
responsibility for damages incurred as a result of interaction
with the IoT is not currently clear and further noted that “loss
of privacy doesn't have an established value yet in the U.S.”
(McGillicuddy, 2014, para. 21). Others, like Earl Perkins,
research vice president for Stamford, Conn.-based Gartner Inc.,
note that the responsibility for making sure that the devices
connected to the IoT are secure will rest with the businesses
that provide the services hosted by the device or alternatively
with the service provider that provides the network, or both
(para. 23). Another consideration for businesses is where and
how all of the data that is generated by all these IoT devices
will be stored, what data will actually be stored (as storing all
data would be prohibitively expensive), and how existing networks
in cloud computing can be leveraged to provide access and storage
of this deluge of data.
The ultimate resolution to the problem of who will be
responsible for the devices which make up the IoT will be a long
and complicated process in which security professionals will have
to be intimately involved for the effort to be effective. For the IoT
to realize its full potential, security will have to be part of
the equation from the start instead of being an after-the-fact
solution which is added on to existing structure, as it is
currently treated. The IoT itself is heavily dependent on the
communications between objects and the Internet to function
smoothly. The convergence of communications over the Internet
has gone through many phases. According to Dlamini, Eloff and
Eloff (2009),
“the Internet has moved from isolated and only when in
office (mainframe computing) connectivity; to anywhere at
any time (mobile computing) connectivity; to anywhere at
any time in anyway (network convergence) connectivity;
and now it is moving towards a new era of the future
Internet characterized by anywhere at any time in anyway by
anything (Internet of all things) connectivity” (para.
4).
It is clear from this description that as the Internet has
evolved, the problems with securing it have increased
exponentially. It is within this exponential growth that
information security professionals find themselves. Security
professionals will have to take on a more proactive stance with
regard to securing the IoT than has been present in the current
structure of the Internet. With the IoT, as Dlamini, Eloff and
Eloff note, the new era of the future Internet which is
delineated by connectivity anytime, anywhere, in any way, by
anything will be a great challenge for security professionals
going forward.
Findings/Conclusions
The convergence of voice, video, and data networks in the
future Internet will include such things as next generation
networks, over the Internet Protocol, voice over IP, and IP
Television as the starting points of a network of interconnected
devices over a shared and service independent network. The IoT
will bring a whole other dimension into this convergence giving
users an almost unlimited choice of data points and will also
bring with it security concerns which need to be addressed in the
development and testing phases because IoT devices have
such limited capacity for growth once they are fully developed
and deployed.
As noted previously, security in the world of the IoT needs
to move from a reactive to a proactive stance in order to be
effective; security will need to be programmed into the devices
of the IoT from the beginning stages of product development and
testing instead of being an add-on or afterthought as it is
currently sometimes seen; and a more cooperative perspective must
be taken with regard to who will be responsible for regulating
the IoT and how problems and other situations will be handled and
by whom. If all of these parts are able to come together in a
harmonious rhythm, then the IoT will not be such a threat to the
users that will come to depend on it. However, if these aspects
do not come together then a slowing of the deployment of the IoT
can be expected.
References
ABI Research. (2014). The Internet of Things Will Drive Wireless
Connected Devices to 40.9 Billion in 2020. ABI Research website
online, August 20, 2014. Retrieved from
https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect
Beaver, K. (2014). Securing the Internet of Things. TechTarget
website online, August 2014. Retrieved from
http://searchsecurity.techtarget.com/feature/Securing-the-Internet-of-Things
Beware security pros: The wearable revolution is coming. (2014).
Information Management, 48(3), 7. Retrieved from
http://search.proquest.com/docview/1548702550?accountid=8289
Bradley, T., Thibodeau, P., & Ng, V. (2014). The Internet of
Things: Threats and Challenges. Network World Asia website online,
March/April 2014.
Denning, D. (2009). Activism, Hacktivism, and Cyberterrorism: The
Internet as a Tool for Influencing Foreign Policy, Chapter 8.
Rand Corporation website online. Retrieved from
http://www.rand.org/pubs/monograph_reports/MR1382.html
Dlamini, M., Eloff, M., & Eloff, J. (2009). Internet of things:
Emerging and Future Scenarios from an Information Security
Perspective. Southern Africa Telecommunication Networks and
Applications Conference 2009.
Gartner Research. (2013). Gartner Says the Internet of Things
Installed Base Will Grow to 26 Billion Units By 2020. Gartner
Research website online, December 12, 2013. Retrieved from
http://www.gartner.com/newsroom/id/2636073
Hersent, O., Boswarthick, D., & Elloumi, O. (2012). The Smart
Grid. In The Internet of Things: Key applications and protocols.
Chichester, West Sussex: Wiley. Retrieved from
http://common.books24x7.com.ezproxy1.apus.edu/toc.aspx?bookid=46260
McBride, A., & McGee, A. (2012). Assessing Smart Grid Security.
Bell Labs Technical Journal, 17(3), 87-103. doi:10.1002/bltj.21560
McGillicuddy, S. (2014). Internet of Things security: Who is
responsible and how is it done? TechTarget website online, April 14,
2014. Retrieved from
http://searchnetworking.techtarget.com/news/2240218840/Internet-of-Things-security-Who-is-responsible-and-how-is-it-done
Mont, J. (2014). Next Up: Regulating the Internet of Things.
Compliance Week 11(126), p. 14-15, July 2014.
Orebaugh, A. (2013). Secure all the (Internet of) Things.
TechTarget website online, December 2013. Retrieved from
http://searchsecurity.techtarget.com/feature/Secure-all-the-things
Paganini, P. (2014). Internet of Things – Security and privacy
issues. Security Affairs website online, December 13, 2014. Retrieved from
http://securityaffairs.co/wordpress/31062/cyber-crime/internet-of-things.html
Rogers-Nazarov, A. (2009). The Internet of Things. Information
Week, September 7, 2009; 1240; pp. HB4-HB6, HB8, HB10, HB12,
HB14. Retrieved from
http://search.proquest.com/docview/229192429?accountid=8289
Roman, R., Najera, P., & Lopez, J. (2011). Securing the Internet
of Things. Computer, 44(9) pp.51-58, Sept. 2011 doi:
10.1109/MC.2011.291. Retrieved from
http://ieeexplore.ieee.org.ezproxy2.apus.edu/xpls/abs_all.jsp?arnumber=6017172&tag=1
Sandler, K., Orhstrom, L., Moy, L., & McVay, R. (2010). Killed by
Code: Software Transparency in Implantable Medical Devices.
Software Freedom Law Center website online, July 21, 2010.
Schaffer, G. (2006) Worms and Viruses and Botnets, Oh My!
Rational Responses to Emerging Internet Threats. Security and
Privacy, IEEE, 4(3), pp. 52-58, May 30, 2006. Retrieved from
http://ieeexplore.ieee.org.ezproxy1.apus.edu/xpls/abs_all.jsp?arnumber=1637381
Scroxton, A. (2014). Internet of Things already stretching
networks to capacity. Computer Weekly website online, June 30, 2014.
Retrieved from
http://www.computerweekly.com/news/2240223584/Internet-of-Things-already-stretching-networks-to-capacity
Siciliano, R. (2014). How the Internet of Things Can Go Very
Wrong. Robert Siciliano [weblog] online, November 25, 2014. Retrieved from
http://robertsiciliano.com/blog/2014/11/25/how-the-internet-of-things-can-go-very-wrong/
Slabodkin, G. (2014). Health IT SOFTWARE Act: What It May Mean.
Information Management website online, December 8, 2014. Retrieved from
http://www.information-management.com/news/Software-Act-2015-Healthcare-FDA-Information-Tech-10026317-1.html
Stammberger, K. (2009). Current Trends in Cyber-Attacks on Mobile
and Embedded Systems. Embedded Computing Design website online,
September 29, 2009. Retrieved from
http://embedded-computing.com/article-id/?4226#
Swan, M. (2012). Sensor Mania! The Internet of Things, Wearable
Computing, Objective Metrics, and the Quantified Self 2.0.
Journal of Sensor and Actuator Networks, 1(3), November 8, 2012. Retrieved
from http://www.mdpi.com/2224-2708/1/3/217/htm
Vidalis, S., & Angelopoulou, O. (2014). Assessing Identity Theft
in the Internet of Things. IT CoNvergence PRActice (INPRA), 2(1),
14-20.
Violino, B. (2014). Research: Internet of Things Becomes Big
Priority. Information Management website online, November 19, 2014.
Retrieved from
http://www.information-management.com/news/IoT-Internet-of-Things-Forrester-Research-Forecast-10026262-1.html
Virkki, J. & Chen, L. (2013). Personal Perspectives: Individual
Privacy in the IoT. Advances in Internet of Things, 2013, 3, pp. 21-26.
Retrieved from http://dx.doi.org/10.4236/ait.2013.32003
Vockley, M. (2012). Safe and secure? Healthcare in the
cyberworld. Biomedical Instrumentation & Technology, 46(3), 164-173.
doi:10.2345/0899-8205-46.3.164
Weber, R. (2010). Internet of Things – New security and privacy
challenges. Computer Law & Security Review, 26(1), January 2010, pp. 23-30.
Retrieved from
http://www.sciencedirect.com/science/article/pii/S0267364909001939
Wirth, A. (2011). Cybercrimes Pose Growing Threat to Medical
Devices. Biomedical Instrumentation and Technology, January/February 2011.
Retrieved from
https://aami.org/hottopics/cybersecurity/AAMI/2011JF_CyberCrimes.pdf
Annotated Bibliography
ABI Research. (2014). The Internet of Things Will Drive Wireless
Connected Devices to 40.9 Billion in 2020. ABI Research website
online, August 20, 2014. Retrieved from
https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect
This article, authored by ABI Research, discusses the IoT’s
potential growth, market share and factors which are set to
catapult this fairly new segment of the consumer market into a
major player in global economic structures. The article gives
figures for the estimated current usage of IoT devices and also
projects the growth for the popularity of these devices in the
coming years. The article also discusses new communications
technologies which will require some original equipment
manufacturers to greatly rethink their current communications
infrastructure for IoT devices. The method of delivering the
convenience of IoT via new technologies is also discussed and
mentions the thin film process of creating printed electronics.
This article is pertinent to the student’s research in that it
gives estimates of the scope of the IoT and provides some
indication of magnitude which the IoT will have in the very near
future. The article also takes into account technologies which
are currently being developed which could further innovate the
ways in which the IoT is able to provide services to its growing
number of users worldwide.
Beaver, K. (2014). Securing the Internet of Things. TechTarget
website online, August 2014. Retrieved from
http://searchsecurity.techtarget.com/feature/Securing-the-Internet-of-Things
This article published on the website TechTarget.com gives an
overall view of how cybersecurity professionals should
approach the problems associated with the trials of
integrating security for the IoT into their existing security
policies. The author, Kevin Beaver, a 25-year veteran of the
cybersecurity profession who specializes in performing
independent security vulnerability assessments of network
systems, as well as Web and mobile applications, gives a good
overall explanation of the actions which need to be taken to
control the new challenges presented by the IoT. Beaver
suggests asking what role will existing security policies
play; will new security policies be required; who will be
responsible for enforcing policies associated with the IoT;
and who is going to be monitoring the IoT in order to get
individual entities ready for the challenging environment the
IoT will present. The author points out that the IoT is
coming and security professionals everywhere should seriously
consider updating policies and procedures in order to rein
in the security dangers that the IoT presents. The author
ends the article by saying “any positive action toward a
better, more secure IoT will provide many long-term payoffs
for the business as a whole” (para. 10).
The warnings to cybersecurity professionals contained in this
article will be helpful in giving meat to the argument the
student intends to put forth that not being properly prepared
for the coming IoT will be dangerous and foolish for
cybersecurity professionals. The article puts forth some
no-nonsense suggestions with respect to the IoT which the
student feels will be beneficial for his study.
Beware security pros: The wearable revolution is coming. (2014).
Information Management, 48(3), 7. Retrieved from
http://search.proquest.com/docview/1548702550?accountid=8289
This article published in Information Management magazine in
May/June of 2014 explains wearable technology and the security
threat that this new technology poses to a burgeoning area of
cyber security, that being the Internet of Things. The article
quotes the Chief Security Architect at RSA, Rashmi Knowles, and
provides a short but concise overview of what security threats
this new wearable technology poses for security professionals.
This article adds depth to the discussion of wearable technology
that the student brings up in his paper through the quoting of
the noted security expert Rashmi Knowles and thereby adds
validity to the argument that better and more comprehensive
security policies are needed right away to handle the onslaught
of new devices which will be connecting to the Internet in the
very near future.
Bradley, T., Thibodeau, P., & Ng, V. (2014). The Internet of
Things: Threats and Challenges. Network World Asia website online,
March/April 2014.
This article, written by Tony Bradley, Patrick Thibodeau, and
Victor Ng for Network World Asia in March 2014, covers some
of the threats, privacy issues, and interoperability concerns
related to the IoT. The authors of this article quote noted
Cisco Systems engineer Eric Vyncke, who spoke at the 2014
RSA Security Conference in San Francisco and outlined some
of the challenges and threats that the IoT poses as it
continues to expand into the daily lives of just about
everyone on the planet. Vyncke noted that the IoT has a
tremendous potential to enhance our standard of living but
also introduces risk by exposing devices that were not
vulnerable prior to the IoT.
This article also presents the problem of interoperability
and discusses the recent movement to make an open source
operating system for the IoT called AllSeen which is being
promoted by the same people who originated the open source
availability of the Linux OS. Dubbed the AllSeen Alliance,
the group is working toward a system that can help all
devices communicate with each other and also provide the
security which Linux provides to the systems using it.
Denning, D. (2009). Activism, Hacktivism, and Cyberterrorism: The
Internet as a Tool for Influencing Foreign Policy, Chapter 8.
Rand Corporation website online. Retrieved from
http://www.rand.org/pubs/monograph_reports/MR1382.html
This research was authored by Dorothy Denning and published as
Chapter 8 of the book Networks and Netwars (2010), John Arquilla, David
Ronfeldt (Ed.). In this chapter, Denning puts forth the idea that
cyberterrorism should be regarded as a viable option for use by
terrorist or other groups if not now, perhaps in the near future
and explores what those tactics would involve if brought to
fruition. The chapter also discusses the topics of activism and
hacktivism and how they use the Internet for their own purposes.
This chapter is relevant to the student’s research because it
points out the fact that cyberterrorism, although not an
immediate threat, could become a useful tool in a terrorist’s
arsenal given the correct circumstances, those being mankind’s
reliance on technology to provide services like the ones that the
IoT is poised to give them.
Dlamini, M., Eloff, M., & Eloff, J. (2009). Internet of Things:
Emerging and Future Scenarios from an Information Security
Perspective. Southern Africa Telecommunication Networks and
Applications Conference 2009.
This article was written by Dlamini, Eloff and Eloff and given at
the Southern Africa Telecommunication Networks and Applications
Conference of 2009. The article takes a critical look at the IoT,
focusing on information security and how, instead of a
reactive stance, the information security industry must start to
take a more proactive focus. The article discusses the types of
threats which will be likely in the new IoT world which is fast
becoming a reality in everyday life.
This article is relevant to the student’s research in that it
examines the future of threats which will be most important for
information security professionals to pay attention to with
regard to securing the IoT. The article takes a proactive
instead of a reactive stance and points out some of the future
threats which are likely to emerge as the IoT begins to become
more of a part of everyday living.
Gartner Research. (2013). Gartner Says the Internet of Things
Installed Base Will Grow to 26 Billion Units By 2020. Gartner
Research website online, December 12, 2013. Retrieved from
http://www.gartner.com/newsroom/id/2636073
This article by Gartner Research outlines the potential growth
for the IoT in the future to include as many as 26 billion
devices by the year 2020. The article also examines the impact
that the IoT will have on security and computer networks as it
brings forth mountains of data into an already information-laden
Internet. The article also explains what devices encompass the
IoT and how their integration into the existing Internet will be
a challenge.
This article adds weight to the student’s paper by giving
estimates of the impact that the IoT will have in just six years’
time if the current rate of growth is not slowed by outside
factors such as security of data or storage of data in the cloud
computing model.
Hersent, O., Boswarthick, D., & Elloumi, O. (2012). The Smart
Grid. In The Internet of Things: Key applications and protocols.
Chichester, West Sussex: Wiley. Retrieved from
http://common.books24x7.com.ezproxy1.apus.edu/toc.aspx?bookid=46260
This book by Olivier Hersent, David Boswarthick and Omar Elloumi
discusses the key applications and protocols of the IoT that will
be used by the developers of the Smart Grid to make the Smart
Grid a reality. The authors also demonstrate how the next
generation utilities, by using the physical environment as the
IoT now does, will be able to deliver more energy with less
impact on our natural resources.
This book gives a plethora of information on how the IoT
technology can be used to revolutionize the electrical grid but
also contains a warning about the security which will be involved
with this switchover. This makes this reference topical and
relevant to the student’s research.
McBride, A., & McGee, A. (2012). Assessing Smart Grid Security.
Bell Labs Technical Journal, 17(3), 87-103. doi:10.1002/bltj.21560
The authors of this article, Alan J. McBride and Andrew R. McGee,
put forth a paper on the security of the Internet of Things
enhanced Smart Grid and what challenges are likely to occur in
building the Smart Grid based on IoT technologies. Some of the
topics discussed in this paper include data network
transformation, distributed functionality, and two-way
information flow between supplier and customer, all of which are
principal components of the Smart Grid.
This paper pertains to the student’s paper in that it discusses
the security which will be necessary for the new Smart Grid based
on the IoT technology and how those technologies will be
protected in the world of hacking that is prevalent in today’s
cyber security field.
McGillicuddy, S. (2014). Internet of Things security: Who is
responsible and how is it done? TechTarget website online, April 14,
2014. Retrieved from
http://searchnetworking.techtarget.com/news/2240218840/Internet-of-Things-security-Who-is-responsible-and-how-is-it-done
This article, written by Shamus McGillicuddy, Director of News
and Features at TechTarget, gives an overview of who is
responsible for the security of data transmitted and stored as a
result of the IoT. The article covers such topics as what
responsibilities individual companies have to consumers, the use
of encryption, risk management, and security management to
protect data on the IoT, and who owns the security problems
associated with the IoT.
This article is germane to the student’s research in that it
covers regulation and who is responsible for the security on the
IoT and how that security will be carried out. The article also
gives practical solutions to coping with the expansion of the
current Internet to include the IoT and how organizations can
start to cope with monitoring and controlling the data flow which
is going to be introduced to their systems.
Mont, J. (2014). Next Up: Regulating the Internet of Things.
Compliance Week 11(126), p. 14-15, July 2014.
This article by Joe Mont, writing for Compliance Week magazine in
July 2014, examines how regulators are currently struggling
with beginning to regulate the IoT with regard to what data is
being collected, how it is aggregated, and how it is being used.
The article covers the legal issues that regulators are facing
with regard to the reworking of what is to be identified as PII
on the IoT and, if that PII is compromised, stolen or otherwise
used by persons or entities not authorized to access this data, how
the legal system will deal with it. The article also gives advice to
businesses trying to rework their stated privacy policies to “do
what you say you will do” with regard to protecting an
individual’s privacy on the IoT.
This article is applicable to the student’s research in that it
gives an indication of the current state of regulation and what
businesses must do in order to remain in compliance with data
privacy constraints in the changing world of the IoT. The
article is also relevant in that it outlines some of the
questions which the FTC is trying to work through in formulating
new regulations to deal with the data that will be available from
billions of IoT-connected devices.
Orebaugh, A. (2013). Secure all the (Internet of) Things.
TechTarget website online, December 2013. Retrieved from
http://searchsecurity.techtarget.com/feature/Secure-all-the-things
This article by Angela Orebaugh, a security professional who
works for Booz Allen Hamilton, outlines the measures and policies
that need to be taken to protect the IoT from a security
standpoint. The article discusses what the IoT is, how it
communicates, and what issues confront security professionals as
more and more of these devices are added to the Internet.
Orebaugh states that the security of the IoT rests with the
professionals who must take a proactive stance in order to avoid
exploitation chaos in a catch-up scenario that could take years
to get control of.
This article fits the student’s research in that it gives an
overall perspective of the security which the IoT needs to have
in order to function successfully in the scheme of things on the
Internet. It gives examples of what security measures must be
taken to ensure that the IoT does not become a security
catastrophe. The article also gives a perspective on how
security can be built into the IoT from start to finish.
Paganini, P. (2014). Internet of Things – Security and privacy
issues. Security Affairs website online, December 13, 2014. Retrieved from
http://securityaffairs.co/wordpress/31062/cyber-crime/internet-of-things.html
This article by Pierluigi Paganini outlines the presentation
Paganini made at the ISACA Roma & OWASP Italy conference. In
this presentation Paganini outlines the issues surrounding the
implementation, operation, and security of the IoT. The
presentation includes details of the diffusion of the IoT
devices, forecasts of its growth and information related to the
economy behind the paradigm. The presentation also explores the
possible misuses (i.e. DDoS, malware, thingbot) of the IoT
devices, analyzing threat actors and the attack techniques
implemented in real cases.
This article and presentation are relevant to the student’s
research as it covers many of the areas which the student will
cover in this paper. Being that the article was written by
Pierluigi Paganini, one of the top security experts today, it
provides a well-informed opinion on how the IoT will develop,
integrate into society, and perhaps be a security threat as it
integrates into the Internet.
Rogers-Nazarov, A. (2009). The Internet of Things. Information
Week, September 7, 2009; 1240; pp. HB4-HB6, HB8, HB10, HB12,
HB14. Retrieved from
http://search.proquest.com/docview/229192429?accountid=8289
This article, written by Amy Rogers-Nazarov in 2009, outlines
the myriad of possibilities for connection of ‘things’ to the
IoT and how data from these objects could be used for good
and bad purposes. Also, the article touches on the security
needed to ensure that data is kept secure and how the data
must be shared to some extent between all entities to be
effective. With this issue, the author states, quite
rightly, that some may not want some particular data shared
with everyone and everything out there and that rules
governing how data is to be shared, with whom, and for how
long a period of time must be formulated.
This article delves into several areas where the student
feels that the information included may be of great use to
his study. The article presents information and gives examples
of how information on the IoT is already being shared and how
the data has the potential for being shared in the future.
The article also points out that with all this data out there
the consumption of this data must be controlled in some
fashion so that an information overload does not sweep the
globe. This is another area in which the student plans to
use the information contained in this article.
Roman, R., Najera, P., & Lopez, J. (2011). Securing the Internet
of Things. Computer, 44(9) pp.51-58, Sept. 2011 doi:
10.1109/MC.2011.291. Retrieved from
http://ieeexplore.ieee.org.ezproxy2.apus.edu/xpls/abs_all.jsp?arnumber=6017172&tag=1
This article by Rodrigo Roman, Pablo Najera, and Javier
Lopez, of the University of Malaga, Spain, covers the
challenges of protocol and network security, data and
privacy, identity management, trust and governance, and
fault tolerance for the IoT. The authors state that in the
IoT every physical object has a virtual presence which will
be able to consume and produce services and such “extreme
interconnection” (para. 1) will bring extreme convenience
and economy but will also require novel approaches to
make the system safe and ethical.
The concept of security on the IoT is of great concern to
everyone involved in the development and future use of the
IoT. It is for this reason above all else that the student
selected this article for use in his project paper. Without
the proper mix of convenience, utility, and safety, the IoT
will run virtually out of control and give attackers another
playground in which to exploit the personal data of everyone
connected to the IoT.
Sandler, K., Orhstrom, L., Moy, L., & McVay, R. (2010). Killed by
Code: Software Transparency in Implantable Medical Devices.
Software Freedom Law Center website online, July 21, 2010.
This article, written by Karen Sandler, Lysandra Orhstrom, Laura
Moy, and Robert McVay in 2010, makes the case for free and
accessible software for medical devices which are being implanted
at an astonishing rate in patients all over the world. The
article also makes the point that the current state of medical
devices is precarious at best with regard to security and many
other aspects of their manufacture, use, and operation. Later in
the article, the topic of medical device manufacturers’ liability
for injury or death in some circumstances is discussed, a topic
that is murky at best as it is currently handled.
This article is germane to the student’s research in that it
points out a very important flaw in the current state of medical
device technology and how the freeing of software from
proprietary boundaries would eventually lead to a much more
secure and safe environment for the patients who depend on these
devices for daily life sustainment.
Schaffer, G. (2006) Worms and Viruses and Botnets, Oh My!
Rational Responses to Emerging Internet Threats. Security and
Privacy, IEEE, 4(3), pp. 52-58, May 30, 2006. Retrieved from
http://ieeexplore.ieee.org.ezproxy1.apus.edu/xpls/abs_all.jsp?arnumber=1637381
This article was written by Gregory P. Schaffer, chief security
officer for Alltel communications. In this article the threats
caused by botnets, networks of computers which are infected with
a virus, worm or other malware and taken over by an attacker for
many nefarious uses, are explored. Topics covered by Schaffer in
this article include the emerging bot threat, an overview of
botnets and how they function, distributed denial of service
attacks (a botnet’s most useful function), response options, and
the legal options under the Computer Fraud and Abuse Act. Also
covered in this article are defense strategies and other ways in
which an enterprise can protect itself from becoming a victim of
a botnet attack.
This article is of relevance to the student’s paper as it
describes how botnets function and what their primary uses are in
the hacker community. This type of attack is extraordinarily
relevant to the student’s topic as this attack strategy will be
used in future attacks on enterprises and others using the IoT as
a launching pad.
Scroxton, A. (2014). Internet of Things already stretching
networks to capacity. Computer Weekly website online, June 30, 2014.
Retrieved from
http://www.computerweekly.com/news/2240223584/Internet-of-Things-already-stretching-networks-to-capacity
This article, written by Alex Scroxton, Networking Editor at
Computer Weekly, covers the concerns of some network
professionals who fear that the flood of IoT devices on their
networks may become a deluge. The article gives statistics from
a survey conducted by the computer information firm Infoblox
where IT professionals were surveyed on a number of topics to
include readiness to handle the influx of IoT devices, concerns
that their networks are already at capacity, and problems with IT
departments not being included in business decisions to adopt IoT
devices into their networks.
This article is relevant to the student’s research in that it
gives a professional outlook for the integration of the IoT into
networks which may not be prepared for the capacity the IoT will
need. The concern among IT professionals that their networks may
already be operating at capacity and may not be adequately
prepared to take on any other devices is a growing one and
is relevant to the student’s research as well.
Siciliano, R. (2014). How the Internet of Things Can Go Very
Wrong. Robert Siciliano [weblog] online, November 25, 2014. Retrieved from
http://robertsiciliano.com/blog/2014/11/25/how-the-internet-of-things-can-go-very-wrong/
This article, written by Robert Siciliano, a personal security and
identity theft expert, outlines the various points in the IoT
which are open to attacks. Siciliano notes that hacking of such
things as medical devices, airline satellite equipment, and TSA
carry-on baggage scanners is possible and instructs the public
not to worry about these avenues but to do something about them
and protect them against attack. Siciliano notes that at a
minimum consumers should lock down their wireless routers with
encryption to keep them safe and take all measures (antivirus,
antiphishing, antispyware, and firewalls) to secure their access
to the Internet.
This article is relevant to the student’s research in that it
gives examples of where the IoT is vulnerable and gives
instruction on where and how to protect the devices which already
exist in preparation for connection with some in the future which
may or may not have the same level of protection.
Slabodkin, G. (2014). Health IT SOFTWARE Act: What It May Mean.
Information Management website online, December 8, 2014. Retrieved from
http://www.information-management.com/news/Software-Act-2015-Healthcare-FDA-Information-Tech-10026317-1.html
This article, written by Greg Slabodkin for Information
Management online, discusses the recent movement of the SOFTWARE
Act and its companion bill the PROTECT Act through the Congress.
The article outlines the background of the two pieces of
legislation and how they will impact the way that medical
software is regulated by the FDA in the future. The author of
the article quotes two different groups, one for and one against
the legislation, and lists the bills’ major pros and cons.
This article is pertinent to the student’s research as it
complements another resource which the student already used to
outline the progress which is being made in the area of
regulation of healthcare software and how it pertains to patients’
health and safety.
Stammberger, K. (2009). Current Trends in Cyber-Attacks on Mobile
and Embedded Systems. Embedded Computing Design website online,
September 29, 2009. Retrieved from
http://embedded-computing.com/article-id/?4226#
This article by Kurt Stammberger, who chairs the security working
group for the IP for Smart Objects (IPSO) Alliance, contains
information on the state of hacking trends in 2009 and gives
advice on ways to mitigate the threat from hacking. This article
also contains a graphic which the student borrowed to illustrate
the reach of the IoT.
The student used relevant parts of this article, including a
graphic representation, to further his research into
vulnerabilities in the IoT. The article is relevant to the
student’s research in that it discusses the burgeoning threat
profile involved with the rapid expansion of the IoT and what can
be done by security professionals to help thwart the abuse of the
IoT.
Swan, M. (2012). Sensor Mania! The Internet of Things, Wearable
Computing, Objective Metrics, and the Quantified Self 2.0.
Journal of Sensor and Actuator Networks, 1(3), November 8, 2012. Retrieved
from http://www.mdpi.com/2224-2708/1/3/217/htm
This paper was written by Melanie Swan in 2012 for the Journal of
Sensor and Actuator Networks. The paper outlines the ways in which the
IoT is generating its own ecosystem of systems and networks
specifically to manage this emerging technology. The paper also
gives details on the different kinds of devices which are rapidly
being introduced into the IoT, the software processing and data
transmission as well as the ways in which all the data being
created will be stored, used, and possibly hijacked by attackers
for various nefarious reasons.
This paper fits well into the research for the student’s paper in
that it gives a far-reaching look into the IoT and explains many
of the facets of the IoT in great detail. This paper is also
pertinent in that it explains the reasons why medical devices are
at risk from attackers.
Vidalis, S., & Angelopoulou, O. (2014). Assessing Identity Theft
in the IoT. IT CoNvergence PRActice (INPRA), 2(1), 14-20.
In this article by Stilianos Vidalis, University of
Staffordshire, UK and Olga Angelopoulou, University of Derby, UK,
the possibility of conducting identity theft using the IoT is
contemplated. The article explores the identity cyberattacks
which can be carried out against the IoT and also presents a
vulnerability assessment model which tries to predict how an
environment can be influenced by identity cyberattacks.
This article explores the various ways that the IoT can be
exploited for identity theft purposes and thereby fits well into
the research that the student is conducting on this subject.
This article also breaks down a vulnerability assessment model
which could be of assistance in the student’s paper.
Violino, B. (2014). Research: Internet of Things Becomes Big
Priority. Information Management website online, November 19, 2014.
Retrieved from
http://www.information-management.com/news/IoT-Internet-of-Things-Forrester-Research-Forecast-10026262-1.html
This information-packed article by Bob Violino, an expert in
the cyber security world, gives an insight into the world of
business and the IoT. Violino notes that research done by
Forrester Research recently shows that executives in a number
of business areas are looking to IoT technologies as a way to
address a variety of strategic, operational and business
challenges. Violino also notes that the research done by
Forrester shows that roughly three-quarters of companies
which they surveyed are already working on IoT solutions and
have deployed or are in the process of deploying IoT
products. The article finally notes that key enterprises
globally are gearing up to become part of the IoT to “arm
themselves with the real-time data and intelligence to become
smarter and more connected” (para. 5).
This article gives credence to the importance of the IoT to
businesses around the globe and how it will be positioned to
provide consumers with the convenience and economy that will
make these IoT products desirable and in some cases
inescapable. The student plans to use information from this
article to show the global dominance of the IoT and how
executives plan on using the IoT products in the future.
Virkki, J. & Chen, L. (2013). Personal Perspectives: Individual
Privacy in the IoT. Advances in Internet of Things, 2013, 3, pp. 21-26.
Retrieved from http://dx.doi.org/10.4236/ait.2013.32003
This research on the IoT, conducted by Johanna Virkki, of
the Department of Electronics and Communications
Engineering, Tampere University of Technology, Tampere,
Finland, and Liquan Chen, of the School of Information
Science and Engineering, Southeast University, Nanjing,
China, in 2013 focuses on the individual opinions on the IoT
and the opinions on the issue of privacy as it relates to
the IoT given by 22 people working with different aspects of
IoT development in Finland and China.
The researchers in this study concluded that generally, the
22 people surveyed felt that the use of the IoT would become
mandatory sometime in the future and most agreed that
personal privacy protection of the data transmitted via the
IoT is the most important aspect for developers and
researchers to focus on. The researchers also noted that
the subject of personal privacy elicited more concern in
China than it did in Finland, which was an unexpected result.
This research is relevant to the student’s project in that
it gives the opinions of people who work in the development
of the IoT in two countries and delves into the issue of
personal privacy.
Vockley, M. (2012). Safe and secure? Healthcare in the
cyberworld. Biomedical Instrumentation & Technology, 46(3), 164-173.
doi:10.2345/0899-8205-46.3.164
This article by Martha Vockley, principal of VockleyLang, LLC, a
communications and marketing firm based in Reston, VA, covers
internal (insider) and external (hacker) threats to medical
networks. It also includes mention of the ever-growing
number of wireless medical devices which can lead a hacker into a
larger network-based medical system through exploitable
vulnerabilities in those devices.
This article is relevant to the student’s research as it contains
the exploits to be found on a larger medical network that are
originally obtained through hacking of medical devices which
communicate via the IoT to the larger networks of medical
systems.
Weber, R. (2010). Internet of Things – New security and privacy
challenges. Computer Law & Security Review, 26(1), January 2010, pp. 23-30.
Retrieved from
http://www.sciencedirect.com/science/article/pii/S0267364909001939
The author of this article, Rolf H. Weber, writing for Computer
Law and Security Review magazine, outlines the EU efforts to control
and regulate the IoT. Weber covers such areas in this article as
the notional and technical background of the IoT, security and
privacy needs of the IoT, milestones for an adequate legal
framework for the IoT, and the overall outlook for the future of
the IoT.
This article fits the student’s research as it gives the overall
perspective of the topic of the IoT from the standpoint of the EU
and what measures are being, and will be, taken by the EU in the
future. The article encompasses an overview of all the actions
that the EU is taking on all fronts and thereby adds some good
content to the arguments presented by the student.
Wirth, A. (2011). Cybercrimes Pose Growing Threat to Medical
Devices. Biomedical Instrumentation and Technology, January/February 2011.
Retrieved from
https://aami.org/hottopics/cybersecurity/AAMI/2011JF_CyberCrimes.pdf
The author of this article is Axel Wirth, MS, National
Healthcare Solutions Architect at Symantec Corp., a global
computer software and services company. The article
addresses the many security problems which medical devices
have currently in their design and regulation and how these
problems can and must be overcome in order to prevent cyber-
attacks. The article also discusses the protection of health
information stored and forwarded by these devices and the
vulnerabilities that are present due to regulatory, design,
and cyber security concerns.
This article provides the student with substantiation for
claims that vulnerabilities to medical devices could be used
by criminals or terrorists to cause harm or death to patients
outfitted with these devices by targeted hacking of the
vulnerabilities these devices now present.