Security elements have been included in numerous IEEE standards and standards projects over many years. If one searches the IEEE standards status report[1] by entering “security,” and views the project scope, purpose and/or abstract, multiple references to security can be seen. These standards and standards projects cover topics as diverse as vehicle communications, smart grid technologies, personal health devices, networking, mobile devices, and storage devices. All these and more could conceivably be part of the Internet of Things (IoT). A number of these standards were developed before the term “Internet of Things” became widely used.
IoT Architecture
IEEE has a specific initiative (one of IEEE’s important, multi-disciplinary, cross-platform Initiatives) for the Internet of Things (IoT). The IEEE IoT website includes a link for educational resources such as webinars, other videos, and podcasts. The link to the IEEE-SA IoT website is for standards and related information. In particular, the project IEEE P2413, Standard for an Architectural Framework for the Internet of Things (IoT), has a subworking group focused on Quadruple Trust, i.e. “Protection, Security, Privacy and Safety”. This involves a holistic end-to-end approach, including development of a threat model for IoT.[2] This considers the various vertical applications for IoT and documentation of architecture needs to address the threat model. The participants in IEEE P2413 include representatives from major corporations involved in IoT from regions around the world and provide expertise in all aspects of IoT including security and compliance. To involve startup companies, IEEE-SA hosts a number of events where the companies can present their projects for evaluation as well as learn about the IEEE’s activities in IoT.
The following are examples of IEEE standards and projects related to security and IoT.
Cryptography
- The IEEE 1363 series of standards for public key cryptography, beginning with IEEE 1363-2000, IEEE Standard Specifications for Public-Key Cryptography, and including IEEE 1363a-2004, IEEE 1363.1-2008, IEEE 1363.2-2008, and IEEE 1363.3-2013, is developed by 1363 WG.
- The IEEE 1619 series of standards for encryption in storage media, beginning with IEEE 1619-2007, IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices, and continuing with IEEE 1619.1-2007 and IEEE 1619.2-2010, is developed by SIS-WG, Security in Storage Working Group.
Devices and sensors/actuators
- Within the IEEE 1451/21450[3]/21451 series of standards for transducers for sensors and actuators, including IEEE 21451-1-2010, IEEE 21451-2-2010, IEEE 21451-4-2010, and IEEE 21451-7-2011, a new project, IEEE P21451-1-4, Standard for a Smart Transducer Interface for Sensors, Actuators, and Devices – eXtensible Messaging and Presence Protocol (XMPP) for Networked Device Communication, being developed by the XMPPI – XMPP Interface Working Group, specifically addresses issues of security, scalability, and interoperability in session initiation and protocol transport.
- IEEE 2410-2015, IEEE Standard for Biometric Open Protocol, provides “Identity assertion, role gathering, multilevel access control, assurance, and auditing”[4] and was developed by the BOP – Biometrics Open Protocol working group.
- A new project approved in 2015, IEEE P1912, Standard for Privacy and Security Architecture for Consumer Wireless Devices, being developed by the P1912 WG, will describe a common communication architecture and approaches for end user security including device discovery/recognition, user authentication, and user control of tracking items/people and sharing of information.
- IEEE 2600-2008, IEEE Standard for Information Technology: Hardcopy Device and System Security, covers printers, copiers and multifunction devices. It defines security requirements such as authentication, authorization, privacy, integrity, device management, physical security and information security.
Networking for IoT
- IEEE 802.1X-2010, IEEE Standard for Local and metropolitan area networks–Port-Based Network Access Control, covering common architecture, functional elements, and protocols for mutual authentication and secure communication between the clients of ports attached to the same LAN, and its amendment IEEE 802.1Xbx-2014 were developed by 802.1 – Higher Layer LAN Protocols Working Group.
- IEEE 802.1AE-2006, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security, specifies “how all or part of a network can be secured transparently to peer protocol entities that use the MAC Service provided by IEEE 802 LANs to communicate.”[5] Its amendment IEEE 802.1AEbw-2013 expands its security capabilities. These were developed by 802.1 – Higher Layer LAN Protocols Working Group.
- IEEE 802.1AR-2009, Standard for Local and metropolitan area networks – Secure Device Identity, enables the secure association of locally significant device identities with manufacturer provisioned identities for use in provisioning and authentication protocols and was developed by 802.1 – Higher Layer LAN Protocols Working Group.
- The latest editions of IEEE 802.11-2012, IEEE Standard for Information technology–Telecommunications and information exchange between systems Local and metropolitan area networks–Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, developed by WG802.11 – Wireless LAN Working Group, and IEEE 802.15.4-2015, IEEE Standard for Local and metropolitan area networks–Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs), developed by WG802.15 – Wireless Personal Area Network (WPAN) Working Group, include extensive sections on security.
- IEEE project 802.15.9, IEEE Draft Recommended Practice for Transport of Key Management Protocol (KMP) Datagrams, developed by WG802.15 – Wireless Personal Area Network (WPAN) Working Group, provides guidelines for support of key management in IEEE 802.15.4.
- IEEE 802.21a-2012, IEEE Standard for Local and Metropolitan Area Networks: Media Independent Handover Services – Amendment for Security Extensions to Media Independent Handover Services and Protocol, was developed by 802.21 – Media Independent Handoff Working Group.
- The IEEE 1888 series, beginning with IEEE 1888-2014, IEEE Standard for Ubiquitous Green Community Control Network Protocol, and including IEEE 1888.1-2013 and IEEE 1888.2-2014, has a specific standard for security: IEEE 1888.3-2013, IEEE Standard for Ubiquitous Green Community Control Network: Security, which was developed by UGCCNET-SEC/P1888.3 WG – Ubiquitous Green Community Control Network: Security Working Group/UGCCNET-SEC/P1888.3. It includes security requirements, architecture, authentication, authorization, and security procedures and protocols.
Infrastructure systems (note: intranets may incorporate IoT while not necessarily being connected to the public internet)
- IEEE 692-2013, IEEE Standard for Criteria for Security Systems for Nuclear Power Generating Stations, developed by WG 3.2 – Security Systems Working Group, addresses security system equipment for “detection, assessment, surveillance, access control, communication, and data acquisition”.
- The numerous IEEE smart grid systems standards[6] include a number focused on security, e.g. IEEE C37.240-2014 – IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems, developed by C37.240 WG – PC37.240 Cyber Security Standard, and IEEE 1686-2013 – IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities, developed by WGC1 – Substations Working Group C1.
Other Considerations
It should be noted that IEEE P2413 includes, in its definition of the properties of the “thing” in the Internet of Things, virtual properties such as might be derived from big data analysis. The IEEE Big Data Initiative includes standards development as a key focus area. Privacy and security remain a concern for Big Data.
While not official IEEE standards, the documents “Building Code for Medical Device Software Security” and “Avoiding the Top 10 Software Security Design Flaws” provide guidance for software designers, including those involved in software for IoT. They were developed as part of the IEEE Cybersecurity Initiative.
In addition to IEEE, other organizations are also involved in standards for IoT and security. Another article, “IoT Interoperability Requires Security”, describes the work in several of these organizations along with that of IEEE.
[1] http://standards.ieee.org/develop/project/status.html
[2] http://grouper.ieee.org/groups/2413/Intro-to-IEEE-P2413.pdf
[3] http://standards.ieee.org/findstds/standard/21450-2010.html
[4] http://standards.ieee.org/findstds/standard/2410-2015.html
[5] http://standards.ieee.org/findstds/standard/802.1AE-2006.html
[6] http://smartgrid.ieee.org/resources/standards
Cherry Tom