1.3.2.3. Vehicular networks
All types of transportation systems may benefit from the advantages offered by the IoT. IoT solutions promise to make transportation systems more intelligent and better performing by improving safety, journey efficiency and vehicle maintenance, and by offering more strategic traffic management (Alcatel Lucent Enterprise 2018). Communication systems between vehicles and infrastructure (V2I) and communication systems between vehicles (V2V) enhance the safety, efficiency and performance of public and private transport. They also contribute to reducing congestion and improving space management. Drivers of connected cars can benefit from a large number of services such as navigation, real-time traffic and parking information, as well as the integration of smartphones with the dashboard and portable devices (International Electrotechnical Commission 2017). Applying the IoT to vehicular networks has transformed the transportation world, and this has been possible because of the use of sensor networks and applications for parking management, traffic management, etc. For example, smart roads use sensors to determine the number of cars in each lane and then manage traffic lights based on this information so as to minimize congestion. The effectiveness of the IoT in this field can be seen in the projects that have implemented it. For example, the ParkDC project, implemented by the Washington D.C. transport department, uses a surveillance system based on the IoT to alert drivers to parking spots that are available and to calculate the appropriate parking charges based on real-time demand (Njit 2018).
1.4. Security management and privacy protection in the IoT
1.4.1. Motivations and challenges
The security of information systems comprises all the technical, organizational, legal and human resources required to prevent the unauthorized use, misuse, modification or hijacking of the information system. At present, security is a major challenge in the information world, and the goal of security in this context is to maintain the trust of the users and the consistency of the entire information system. Several standards have emerged around concepts related to security, for example the X.800 recommendation by ITU-T (1991), which emphasizes the role played by different security services and their applicability.
The IoT is characterized by an environment that is subject to constraints across several levels, which makes it difficult to adopt security mechanisms that were designed for conventional systems. An IoT environment includes objects with low memory resources and limited computational power. Further, the techniques normally used in conventional networks were designed for systems that contained powerful microprocessors and had high storage capacities (Hanna 2015). Existing security techniques must thus be adapted. Further, the large number of objects in an IoT environment makes it a difficult and onerous task to adapt existing security algorithms. For example, methods and algorithms for identification and controlling access to objects become more and more complex as the number of objects in the environment keeps increasing.
Before a device or a user can access IoT services, mutual authentication and authorization between the device/user and the IoT system must be established in accordance with predefined security policies. Security policies must be drawn up with great precision in order to comprehensively cover all possible use cases and must also follow standardized models in order to respond to the requirements of the IoT. It is, therefore, important to standardize security policies for the IoT environment. Further, access to data or services must be entirely transparent, traceable and reproducible. Given the large number of connected objects, this results in an enormous volume of trace files created in the IoT environment. Thus, the mechanisms to optimize traceability must be designed for the context of the IoT. In an IoT environment, a variety of operating systems with different architectures are available for IoT objects. We can cite here, among others, the example of Google’s Android Things (formerly called Brillo) (Google’s Internet of Things Solutions 2018), Huawei’s LiteOS (2018) and Windows 10’s IoT Core (2018). This diversity can make it even more difficult to standardize security mechanisms and measures.
As concerns user privacy, data can be collected in IoT systems without involving the users. In this context, the data reported back must be secured and the user’s privacy must be ensured during the collection, transmission, aggregation, storage, extraction and processing of the data. In order to meet these requirements, the appropriate mechanisms for data confidentiality, data authentication and data integrity must be included within the IoT, while respecting the needs of this kind of environment (ITU-T 2012).
A number of international organizations have worked on concepts related to security and privacy in the IoT, either by offering appropriate security mechanisms or by offering methodologies that can be applied across the layers of their IoT architectures. We thus have the ITU-T Y.2060 recommendation (ITU-T, 2012) that aims to secure the IoT environment by starting with an analysis of the threats that are specific to the IoT application. Then, specific security services and mechanisms will be supported at every layer of the IoT architecture to ensure global security within this environment. In terms of the application layer of the ITU-T reference model, different security services will be considered, such as authorization, authentication, privacy and integrity of application data, and also the protection of privacy. As concerns the network layer, the security services include authentication, confidentiality of the application data and the signaling data (configurations and commands) and the protection of the integrity of the network management techniques. For the lowest level of ITU-T IoT architecture, namely the device layer, the main services and mechanisms offered to guarantee security are authentication, authorization, validation of the device integrity, access control, confidentiality of data and the protection of integrity. Following the recommendation (ITU-T, 2014), several specific security abilities must be considered in the IoT environment: the ability to ensure secured communications to guarantee the confidentiality and integrity of the data during transmission and during storage. Further, the recommendation specifies an ability to provide a secure service that guarantees that fraudulent services will be forbidden and an ability for authentication and mutual authorization between objects and users in accordance with predefined policies to guarantee the security of information access. 
These security abilities are closely tied to the specific needs of IoT applications and depend on their field of application. Recommendation Y.2060 (ITU-T 2012) also emphasizes the need for security functions and mechanisms to be supported by IoT gateways interconnecting the different components of the different layers of the IoT architecture specified by ITU-T. In the following section, we will describe the different security services that must be considered in the IoT environment.
1.4.2. Security services in the IoT environment
In order to ensure security in the IoT environment, various security services must be provided by applying mechanisms that are specific and adapted to the characteristics of this kind of environment.
1.4.2.1. Identification and authentication in the IoT
1.4.2.1.1. Definition
Identification refers to establishing the identity of the user of a service. It is based on the principle of each user being individually assigned an identifier. Authentication follows identification and enables the user to prove their identity. To do so, the user presents an authenticator or a secret code that only they know. Authentication does not give the right of access. It is the access control that grants this privilege if authentication has been successful (ITU-T 1991). Authentication mechanisms can offer several advantages to the IoT environment. Through identification and authentication mechanisms, the IoT environment can rely on robust devices that are able to reduce the risk of intrusion and avoid violations (Li 2017).
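The three steps defined above (identification, authentication, then access control), together with the mutual authentication required in section 1.4.1, are illustrated by the following added example, which is not part of the original text. The device identifier, the pre-shared key, the policy table and the HMAC-SHA256 challenge-response scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: identifier -> pre-shared key, identifier -> allowed actions.
KEYS = {"sensor-17": bytes(range(32))}
POLICY = {"sensor-17": {"telemetry:write"}}

def proof(key, role, first, second):
    # The role label binds the proof to one direction, so it cannot be reflected.
    return hmac.new(key, role + first + second, hashlib.sha256).digest()

class Gateway:
    def __init__(self, keys, policy):
        self.keys, self.policy = keys, policy
        self.pending, self.authenticated = {}, set()

    def challenge(self, device_id):
        # Identification: the device only claims an identifier at this point.
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def authenticate(self, device_id, device_nonce, device_proof):
        key = self.keys.get(device_id)
        nonce = self.pending.pop(device_id, None)  # single use: blocks replay
        if key is None or nonce is None:
            return None
        expected = proof(key, b"device", nonce, device_nonce)
        if not hmac.compare_digest(expected, device_proof):
            return None
        self.authenticated.add(device_id)
        return proof(key, b"server", device_nonce, nonce)  # gateway proves itself too

    def authorize(self, device_id, action):
        # Access control is a separate decision taken after authentication.
        allowed = self.policy.get(device_id, set())
        return device_id in self.authenticated and action in allowed

def run_exchange(gateway, device_id, device_key, action):
    """Device side of the exchange; returns (device_ok, gateway_ok, allowed)."""
    server_nonce = gateway.challenge(device_id)
    device_nonce = secrets.token_bytes(16)
    reply = gateway.authenticate(
        device_id, device_nonce,
        proof(device_key, b"device", server_nonce, device_nonce))
    device_ok = reply is not None
    gateway_ok = device_ok and hmac.compare_digest(
        reply, proof(device_key, b"server", device_nonce, server_nonce))
    return device_ok, gateway_ok, gateway.authorize(device_id, action)
```

An authenticated device that requests an action outside its policy entry is still refused, which is the distinction between authentication and access control drawn in the definition.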