IoT solution information security certification conceptual framework: On improving the transparency and accountability of IoT Solutions through an Open World perspective

  • Luiz Otavio Duarte (Facti)
  • José Augusto de Lima Prestes (Facti)

Abstract


The rapid growth of Internet of Things (IoT) solution development and the rise of agile development, combined with the so-called "low touch economy" and the recent discussions on privacy and data protection, have brought several demands related to Information Security. Despite the existence of several efforts – academic or otherwise – focused on the definition and implementation strategies for certification of Information Security models designed for Information and Communication Technology (ICT) solutions, these are not widely adopted. In addition, there are significant differences between typical IoT solutions and ICT solutions as traditionally presented, which end up demanding different certification strategies. Continuous and more dynamic certification models (using cutting-edge technologies such as blockchain, self-regulation, analytics, and artificial intelligence) are demanded in this context. This work discusses more effective forms of certification, using innovative edge concepts and technologies, initially aiming to identify a set of inhibiting factors, offenders, challenges or issues that need to be addressed correctly when developing an effective large-scale security certification model.

Keywords: Internet of Things, Edge Devices, Security Certification, Information Security, Security Compliance

Published
07/06/2021
DUARTE, Luiz Otavio; PRESTES, José Augusto de Lima. IoT solution information security certification conceptual framework: On improving the transparency and accountability of IoT Solutions through an Open World perspective. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 17., 2021, Uberlândia. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021.