Cyber Security for Cloud and the Internet of Things: How Can it be Achieved?

The Internet of Things is one of the new ‘buzz’ technologies of today. The authors consider what it is, how it came to be, and what it is capable of doing.

Go to the profile of Bob Duncan
Sep 06, 2017
Upvote 1 Comment

Author(s): Bob Duncan and Mark Whittington


This article considers the architecture of the IoT technology, what the cyber security challenges are, and demonstrates how difficult these challenges are to resolve. The authors discuss how easily these weaknesses are exploited, and also show how compliance with security standards remains problematic. The authors’ contribution will show how they might approach these challenges to help achieve a better level of cyber security for a sensible level of cost, particularly in the light of recent unwelcome hacking developments. They also talk about the ongoing current and future work they are undertaking to help further address these issues.


As the question in the title asks, how can we achieve cyber security when we use cloud and the Internet of Things (IoT)? Before attempting to answer this question, we need to add an additional ingredient into the mix, namely big data. This is because the IoT is capable of generating huge amounts of data, thus we need to factor this aspect into the equation. In this paper, our main contribution will be to outline the weaknesses presented by the IoT, to attempt to define an interim solution to providing a better level of cyber security for a sensible level of cost.

However, before even addressing this question, we need to ask ourselves another question, what is the IoT anyway? We will address this question in the section ‘What is the IoT’, of this paper, where we first consider the history of the IoT in order to understand a little about the complexities involved, and we look at the range of possible uses for this technology. In the section ‘IoT architecture’, we look at a typical architecture of the IoT, looking at how cloud and big data fit into the picture. In the section ‘What are the Security Challenges?’, we discuss how easily this architecture can be exploited, and how important it is to try to prevent this from happening. In the section ‘Does Compliance Help?’, we consider whether compliance with security standards can help with these problems. In the section ‘What Happens When These Weaknesses Are Exploited?’, we look at what happens when these weaknesses are exploited. In the section ‘How Can We Address These Challenges?’, we consider how we might approach these challenges to help achieve a better level of cyber security for a sensible level of cost, particularly in the light of recent unwelcome hacking developments. In the section ‘Possible Solution’, we outline a possible solution and discuss ongoing and future work in this area. Finally, in the section ‘Conclusion’, we discuss our conclusions.

What is the IoT?

We can define the IoT as: a collection of sensors and actuators embedded in physical objects which are linked through wireless and wired networks, linked mostly to the internet by the same internet protocol (IP) that connects to the internet. The name was coined almost 20 years ago by Kevin Ashton in 1999 during his work at Procter and Gamble. However, it is only in recent years that it has started to take off, mostly enabled due to the advent of cloud computing and big data. To answer why that might be, we need to consider the history of the IoT.

History of the IoT

You may be surprised to learn that some of the foundations of the IoT go back considerably further than the past 20 years. In 1832, Baron Schilling invented an electromagnetic telegraph, then Gauss and Weber invented a communication language in Germany, where they successfully communicated over a distance of 1200 m. By 1844, Samuel Morse had successfully sent the first Morse code message by public telegraph. It would be over a century before further serious progress would take place, and a number of scientists gave predictions of what would be yet to come, including Tesla, Turing, McLuhan and Steinbuch. In 1949, Norman Joseph Woodland conceived the bar code, and as an engineer for IBM obtained the first patent on it in 1952. In 1955, Edward O. Thorp conceived the first wearable computer, a cigarette pack-sized analogue device for predicting roulette wheels. In 1960, Morton Heilig obtained a patent for the first-ever head-mounted display.

In 1967, Hubert Upton invented an analogue wearable computer with eyeglass-mounted display to aid in lip reading. In 1973, Mario Cardullo obtained the first patent for a passive, read-write radio-frequency identification (RFID) tag. The invention of Arpanet in 1969 really started to get things moving, and the basis of TCP/IP was developed 5 years later, in 1974. In 1984, the Domain Name System was introduced, and 5 years later, in 1989, Tim Berners-Lee proposed the World Wide Web. In 1990, John Romkey created the first internet ‘device’, a toaster which could be turned on and off via the internet. In 1991, Tim Berners-Lee created the first web page. In 1993, Quentin Stafford-Fraser and Paul Jardetzky created the Trojan Room Coffee Pot within the Computer Laboratory of the University of Cambridge to monitor coffee levels of the lab coffee pot. The system captured images of the coffee pot level, and saved them using a server, which other lab users could access, which was later adapted for the internet once browsers could display images.

In 1994, while still at school, Steve Mann created WearCam, a wearable camera system based on a computer in a backpack. 1995, the internet goes commercial, as Amazon and eBay are founded, followed in 1998 by Google. In Kevin Ashton’s 1999 work at Procter and Gamble, he proposed the use of RFID technology, Ashton [1], which leads to the development of the Electronic Product Code or EPC, a global RFID-based item identification system intended to replace the Universal Product Code barcode. Thus there was now an understanding of what the IoT could become, but the technology to deliver on the dream was still insufficiently developed to make it a reality. Over the next 7 years, a disparate variety of IoT-capable ‘things’ was developed and released, but the rapidly expanding proliferation of smartphones, tablets and other connected devices was what really started to gain some momentum for the IoT.

In 2007, Gantz et al. [2] forecast that all the electronic data collected throughout the globe would double every 18 months. In 2008, the EU founded an international conference on the IoT, and Cisco suggested that the IoT had now been born, as there were now more connected devices to the internet than people. This also coincided with concerns over the address limitations of internet protocol version 4 (IPv4), which was projected to run out of numbers sometime around the end of the century, one of the reasons that Kevin Ashton had been so keen on the RFID approach. However, internet protocol version 6 (IPv6) had been developed to address this issue, which meant there would no longer be any practical limitation to the number of ‘things’ that could be connected to the internet, and this explains why the use of IP became the preferred route for IoT connection. At this time, cloud computing had also evolved, and this helped too with the expansion of the big data concept. Thus, we can see that through all of these developments in technology, the IoT became much more enabled and really started to take off!

What kind of things can the IoT do?

Having reached the point where the technology has enabled the idea, what can we do with it? The answer to that is pretty well anything we like. We will merely be constrained by our imagination, Bojanova et al. [3]; Sharma et al. [4], although we will talk later about some practical restrictions that may have to be considered.

Here are a few examples of some of the most popular uses for the IoT:

  • domestic and home automation,
  • eHealth,
  • industrial control,
  • logistics,
  • retail,
  • security and emergencies,
  • smart agriculture,
  • smart animal farming,
  • smart cities,
  • smart environment,
  • smart water,
  • smart metering.

Without suggesting in any way that this represents a comprehensive list, by looking at each of these areas in turn, we can get an idea of the range of implementations for which IoT is well suited.

Domestic and home automation: Art preservation, achieved by monitoring conditions inside the home where artworks are stored; energy and water use, where consumption monitoring is used to optimise costs and suggest use of resources; intrusion detection systems, where the detection of window and door openings and violations thereof are used to prevent intruders; and, the use of remote control appliances which switch appliances on and off remotely to avoid accidents and save energy.

eHealth: Fall detection can be used to help provide assistance for elderly or disabled people to allow them to live independently at home; medical fridges can be used to control conditions inside freezers storing vaccines, medicines and organic elements; patient surveillance can be used to monitor the condition of patients inside hospitals and in old people’s homes; athlete care can be provided by monitoring vital signs in high performance centres and out in the field; and, ultraviolet radiation measurement of UV sun rays can be carried out in order to warn people not to be exposed during certain hours.

Industrial control: Indoor air quality can monitor toxic gas and oxygen levels inside chemical plants to ensure safety of workers and goods; indoor location can detect asset location by using active means, such as ZigBee, or by the use of passive tags using either RFID or near-field communications (NFC); machine-to-machine applications allow for machine auto-diagnosis and asset control; ozone presence monitoring systems in food factories can monitor ozone levels during the meat drying process; temperature monitoring can be used to control temperature inside industrial and medical fridges which store sensitive merchandise; and, vehicle auto-diagnosis using information collection from Controller Area Network (CanBus) applications to send real time alarms in the event of emergencies or provide advice to drivers.

Logistics: Fleet tracking can be implemented through control of routes followed for delicate goods like medical drugs, jewels or dangerous merchandise; item location allows search of individual items in large volume areas such as warehouses or harbours; quality of shipment conditions can be ensured by monitoring of vibrations, strokes, container openings or cold chain maintenance for insurance purposes; and, storage incompatibility detection can be achieved through warning of emissions from containers storing inflammable goods close to others containing explosive material.

Retail: Intelligent shopping applications can deliver advice at the point of sale according to customer habits, preferences, the presence of allergic components for them, or expiry dates; NFC payment systems can carry out payment processing based on location or activity duration for public transport, gyms, theme parks and so on; Smart product management allows control of rotation of products in shelves and warehouses to automate restocking processes; and, supply chain control systems monitor storage conditions along the supply chain and provide product tracking for traceability purposes.

Security and emergencies: Explosive and hazardous gases detection can ensure safety of gas levels and leakages in industrial environments, or in the surroundings of chemical factories, and inside mines; liquid presence detection in data centres, warehouses and sensitive building grounds, can help to prevent breakdowns and reduce corrosion; perimeter access control systems can be used to control access to restricted areas and for the detection of people in non-authorised areas; and, radiation levels using distributed measurement of radiation levels in nuclear power stations and their surroundings can be used to generate leakage alerts.

Smart agriculture: Compost control by measuring levels of humidity and temperature levels in alfalfa, hay, straw and so on, can be used to prevent fungal and other microbial contaminants; Golf courses can use selective irrigation in dry zones to reduce the water resources required in the greens; greenhouses can use control of micro-climate conditions to maximise the production of fruits and vegetables and ensure quality; and Meteorological station network can use study of weather conditions in fields to forecast ice formation, rain, drought, snow or wind changes; and in wine quality systems, monitoring of soil moisture and trunk diameter in vineyards can be used to control the amount of sugar in grapes and grapevine health.

Smart animal farming: Animal tracking can be used to monitor location and identification of animals grazing in open pastures or to identify location in large stables; hydroponics systems can control the exact conditions of plants grown in water to get the highest efficiency crop yields; offspring care systems can be used to control the growing conditions of the offspring in animal farms to ensure their survival and health; and, toxic gas level systems can be used to study ventilation system effectiveness and air quality in farms, including detection of harmful gases from excrement.

Smart cities: Electromagnetic field level monitoring can use measurement of the energy radiated by cell stations and WiFi routers to assess electromagnetic risk for citizens; smart lighting can provide intelligent and weather adaptive lighting for street lights, for greater safety and energy control; smart parking can monitor parking space availability throughout the city; smart roads allow the provision of intelligent roadways with warning messages and diversions activated according to climate conditions and unexpected events such as accidents or traffic jams; smartphone detection systems detect any device which works with WiFi or Bluetooth interfaces, which can be used for enhancing tourism, or for public safety announcements in the event of a disaster; structural health systems can monitor vibrations and material condition of buildings, bridges and historical monuments; traffic congestion systems can monitor vehicles and pedestrian levels to optimise driving and walking routes; urban noise maps can be developed to monitor sound in bar areas and other zones in real time; and, waste management systems can use detection of rubbish levels in containers to optimise the rubbish collection routes.

Smart environment: Air pollution control systems can be used to measure the amount of CO 2 emissions from factories, or the pollution emitted by cars, or toxic gases generated in farms; early detection of earthquake systems can provide distributed control around places which are prone to tremors; forest fire detection systems can be used to monitor combustion gases and allow pre-emptive fire responses to be enabled; landslide and avalanche prevention systems can be used to monitor soil moisture, vibrations and earth density to detect dangerous patterns in land conditions; and snow level monitoring systems can be used to check snow level measurement to provide real time assessments of the quality of ski runs and allow advanced warnings of possible avalanche conditions developing.

Smart water: Chemical leakage detection systems in rivers can be used to detect leakages and waste from factories entering rivers; pollution level systems in the sea can be used to control real-time leakages and wastes entering the sea; potable water monitoring systems can be used to monitor the quality of tap water in cities; river flood systems can be used to monitor water level variations in rivers, dams and reservoirs; swimming pool remote measurement allows for remote control of the swimming pool conditions; and, water leakage systems can be used to detect liquid presence outside tanks and pressure variations along pipes.

Smart metering: Photovoltaic systems can be used for monitoring and optimisation of performance in solar energy plants; silos stock calculation systems can measure the emptiness level and weight of the goods in the silo; smart grid systems can be used for energy consumption monitoring and management; tank level systems can be used to monitor levels of water, oil and gas in storage tanks and cisterns; and water flow systems can measure water pressure in water transportation systems.

As you can see, this represents a wide variety in types of systems, areas of application and potential use cases to which the IoT can be put, and there are a few more here: future ideas, Bughin et al. [5], smart city (there are currently 500 smart cities in the Innovation Cities Global list, [6]), Gubbi et al. [7], Suciu et al. [8], Aziz et al. [9], analytics, Larson and Chang [10], analysis of IoT data for business intelligence purposes, Chang et al. [11].

IoT architecture

To come back to earlier questions, how does cloud and big data fit into this picture? We can use the word ‘picture’ to illustrate this point very neatly. Those of you who are old enough to remember the introduction of the VGA standard in 1987 will remember how amazed you were that your screen resolution was now 640 × 480 pixels, a vast improvement on the earlier 320 × 240 pixels. Today, we are all accustomed to having full HD which gives us 1920 × 1080, although Samsung has developed a massive 8 K screen, with a resolution of 7680 × 4320. Thus, in 30 years, the screen size has gone from 307,200 to 2,073,600 pixels, and in the case of 8 K to 33,177,600 pixels. This ever increasing resolution is not limited to computer screens. The same thing is happening to all our technology, and none more so than with camera images. If we consider the best digital cameras from 15 years ago would have had an image resolution of around 2 megapixels, this is the same resolution as our full HD desktop screen. Modern digital cameras can easily far exceed the 33 megapixels of the 8 K screen. Indeed, the car manufacturer Bentley has a 53 gigapixel image on their website Bentley [12]. It is well worth a look to see just what a high level of resolution this image offers.

Thirty years ago, you would not have any digital images to store, since you could not yet buy a commercial digital camera, and the JPEG and MPEG standards had yet to be developed. In the intervening years, as digital still and cine cameras gained traction, the need for storage also started to grow, as resolution also grew year on year. During this time, software systems also grew in complexity, leading to more pressure on storage, resulting in the need to buy ever larger hard drives. In 2010, when Gantz et al. [13] revisited their earlier work, they discovered that the reality of data expansion turned out to be more than double the expansion rate they had predicted, and this is unlikely to slow down any time soon.

Why does this matter for the IoT? It matters because any use of the IoT which relies on capturing and storing data, especially video data, will require an ever larger facility for storage, especially as resolution of the images gets better. This means that conventional computing systems are no longer suited for connecting to IoT systems for storage and processing of data, and this is where big data and the cloud have been the great enabler to allow the IoT to flourish.

For those who are unsure of what cloud computing is, we will use the NIST definition of Cloud Computing, Mell and Grance [14]: ‘Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. 

Since we may not know what resources we may require, or when we may require them, we can programme a cloud system to automatically add, and remove, resources and storage as our needs dictate, as and when these needs arise. Moreover, for those who are not sure what ‘big data’ really is, data is data. However, ‘big data’ is data at huge volume. We can consider ‘big data’ volume to mean volume at such a level that far exceeds our capability to physically analyse the data without the assistance of programmatic tools.

In Fig 1, we show a sample high level view of the layout for an IoT system. This shows the typical view from the user’s perspective, without the underlying system architecture showing for clarity. The idea here is to remove the need for constant physical monitoring by individuals, allowing them instead to ‘manage by exception’, which allows better use of their time (and more cost-effective monitoring by organisations).

Fig 1: Typical user high level view of IoT © 2016 Duncan and Whittington

In Fig 2, we show the architecture of connections at the extreme outside edge of the IoT to illustrate the data flow. The data flows from these, usually small and cheap devices, frequently through a data collection point, where data is aggregated, and sometimes filtered, before its onward journey to cloud storage, where further aggregation, filtering and subsequent deep analysis may also be carried out. Connections are made using Bluetooth, WiFi, LAN, WLAN, Mobile or Radio connections to pass the data on through to the internet.

Fig 2: Example of IoT connections at the edge © 2016 Duncan and Whittington

In Fig 3, we show how users can access the collected information, using various tools, Application Programming Interfaces (API)s and software to understand what is going on, and to pass control instructions down the line.

Fig 3: Example of IoT connections at the control end © 2016 Duncan and Whittington

These, then, are the building blocks we need to run seamless IoT systems, at scale if we need to. However, we do have to consider the security challenges, which we look at in the following section.

What are the security challenges?

Cyber security with conventional distributed systems is challenging. Cyber security in the cloud takes the challenge to new heights. Add the IoT and Big Data on top, and the challenge grows exponentially. So what exactly are the challenges, and where do they come from.

Let us start with conventional distributed systems. Are they secure? Not exactly. The problems are well understood by industry, particularly by large corporates, and they understand well how to mitigate those weaknesses, and set up a secure corporate firewall to protect their systems. Of course, the advent of mobile computing, smartphones and the bring your own device (byod) movement, opened up new vulnerabilities. Again, these threats are well understood by large corporates. These problems are less well understood by small to medium-sized enterprises (SME)s, and for private users, this remains a concern.

When we add cloud to the equation, the major point most users fail to grasp, is the added risk that comes from using a system running on someone else’s hardware. Even large corporates sometimes miss the point that moving their secure software to the cloud is not a smart thing to do, as most of their software is custom configured to suit their own secure environment, and once migrated to the cloud, most of the security features become redundant. Cloud is also highly scalable, and can be configured to automatically scale up, and down, as needed to service varying demand. Often, little things like system logs and audit trails are not properly thought through. Yet, it is too late to think about it after a breach has occurred and you suddenly realise that every time the unwanted instances shut down, the server logs and audit trails vanish along with them. Unlike with conventional systems, where your forensic scientist can recover a remarkable amount of data, with cloud, it is a completely different matter. As soon as an instance is shut down, the resources are then added to the resource pool and re-utilised as quickly as possible by the cloud service provider. This can happen in seconds, and certainly by the time you realise you have had a security breach many weeks later, all hope is lost for any sort of recovery of the lost forensic data. This remains one of the key unsolved challenges of cloud computing.

Then, when we add IoT on top of this equation, we really open up a can of worms. We are generally adding a huge range of heterogeneous ‘things’ to a poorly secured system. Most of the ‘things’ are cheaply made, with scant regard for security, resulting in a potentially exponential increase in attack vectors to our overall system.

So what is the source of these problems? Let us first start with companies themselves. There are a great many security challenges which need to be addressed, and, Duncan and Whittington [15] have developed a useful list of ten key security goals that must be addressed, which we can see in Table 1.


Key security challenges


the definition of security goals


compliance with standards


audit issues


management approach


technical complexity of cloud


lack of responsibility and accountability


measurement and monitoring


management attitude to security


security culture in the company


the threat environment

Table 1: Duncan and Whittington ten key security issues – 2016 Duncan and Whittington [15]

The list in Table 2 outlines five different attacker types, outlining the level of their technical capabilities, their motivation and their financing. It is vital to understand the nature of the security threat we all face. We do not get into any detail on any of these issues, as this is beyond the scope of this paper. We merely point out that these are issues which must be addressed.


Attacker types



state sponsored actors

very high expertise, well-funded


industrial spies

high expertise, reasonably funded



motivated, high expertise, poorly funded


serious criminal actors

motivated, can buy in expertise


amateur hackers

skills vary, motivated

Table 2: Duncan and Whittington five attacker types – 2016

However, of those ten key challenges, the last on the list – the threat environment will itself need to be considered in more detail. Generally, we can break the threats down as coming from five different types of serious attackers.

These all represent serious threats in their own way. The first will be virtually impossible to guard against effectively. These actors are so skilled, that you are unlikely to even be aware that they have been inside your system. On the plus side, they are not usually after your money, they just want to know what you are up to. The second group is of more concern, as they will be looking to steal your intellectual property or trade secrets. An obvious piece of advice would be never to put any of this on a cloud system. The third type, hacktivist actors, are usually out to make a point, or to embarrass your company. Their favourite approach is to compromise or take over your web site. The fourth type will definitely seriously affect your bottom line. They are out to relieve you of as much cash as they are able to remove from you. The last group is generally not out for your cash, but they can cause a lot of damage to your systems. So, in their own way, each will be of some concern.

The third source of security problems comes from the very technology you are trying to use to run your business. Using out of date software, un-patched security fixes, mis-configured server, database or network systems, or applications, can cause serious security issues. These are often relatively easy, and cheap to fix, but this seldom actually happens.

A rather more difficult problem lies in undiscovered software bugs, the holy grail of the attacker. These are extremely difficult to spot, and most companies have neither the expertise nor the budget to do anything about this area. However, an effective approach is to keep up to date with security reports which highlight when these vulnerabilities are discovered. There is a constant battle between security companies and the bad guys. As soon as one patch is fixed, another vulnerability is found, and this arms race constantly evolves, which is why it is important to keep on top of these reports, and more importantly, to actually install the released patches.

However, for the IoT, probably the two most important weaknesses can be found in the title – Internet and Things. First, the internet, since this is the main means by which the architecture functions. The internet being a web-based technology, the most important consideration is to look at all forms of web based technology vulnerabilities. To this end, one of the best sources of information can be found from the work of the Open Web Application Security Project (OWASP), who publish a top ten list of web security vulnerabilities every 3 years. They are not the only providers of this information, but they do provide the most comprehensive list of the most dangerous vulnerabilities and a number of very good mitigation suggestions. The last three OWASP lists for 2007, 2010 and 2013 are provided in Table 3.








injection attacks




broken authentication and session management




cross site scripting (XSS)




insecure direct object references



security misconfiguration


sensitive data exposure


missing function level access control




cross site request forgery (CSRF)


using components with known vulnerabilities


unvalidated redirects and forwards

Table 3: OWASP top ten web vulnerabilities – 2013–2007, OWASP [16]

This list is based on the result of analysis of successful security breaches across the globe, which seeks to highlight the worst areas of weakness in computing systems. It is not exhaustive, but merely illustrates the worst ten vulnerabilities in computing systems globally. It is clearly concerned that the same vulnerabilities recur year on year, which clearly indicates the failure of companies to adequately protect their resources properly.

Thus in any IoT cloud-based system incorporating big data, these vulnerabilities are likely to be present. However, there are likely to be additional potential vulnerabilities which will also need to be considered, due to the differences in the mechanics of the IoT. Since many IoT systems use mobile technology for their communications channels, then we might also look at the OWASP Mobile top ten list of vulnerabilities in Table 4.

2013 code



insecure data storage


weak server side controls


insufficient transport layer protection


client side injection


poor authorisation and authentication


improper session handling


security decisions via untrusted inputs


side channel data leakage


broken cryptography


sensitive information disclosure

Table 4: OWASP top ten mobile vulnerabilities – 2013 OWASP [16]

However, of course, it is not quite as simple as that. The IoT mechanics extend beyond traditional web technology and mobile technology. In 2014, OWASP developed a provisional top ten list of specific IoT vulnerabilities, which we outline in Table 5.

2014 code



insecure web interface


insufficient authentication/authorisation


insecure network services


lack of transport encryption


privacy concerns


insecure cloud interface


insecure mobile interface


insufficient security configure-ability


insecure software/firmware


poor physical security

Table 5: OWASP top ten IoT vulnerabilities – 2014 OWASP [17]

It is worth bearing in mind that the above list represents just the OWASP top ten vulnerability list. OWASP is currently working on a list of 130 possible IoT vulnerabilities which might need to be taken into account.

It is rather worrying that as far back as 2012, Trustwave [18] reports an average of 6 months between breach and discovery. It is also rather worrying to see that 3 years later, Verizon [19], see Fig 4, that 75% of breaches happen within days, yet only 25% of discoveries are actually made within the same time-frame. This still leaves a large gap where compromised systems may still be under the control of malicious users.

Fig 4: Lag between breach and discovery © 2015 Verizon

This presents a clear indication that very few firms are actually scrutinising their server logs. Back in 2012, Verizon [20] highlighted the fact that discovery of security breaches often took weeks, months or even years before discovery, with most discovery being advised by external bodies, such as customers, financial institutions or fraud agencies.

As we mentioned earlier in this section, the other source of concern is the ‘Things’ themselves. At the cheaper end of the spectrum, the devices used usually have very limited system resources, meaning there is little space to house any security resources. Often, there is little thought to ensuring proper secure passwords are used. How many systems are set up with default user name and password of ‘admin’/’admin’? This failure also can extend to some of the more expensive hardware. Users do not help this situation by simply buying the cheapest devices, without regard to the security and privacy implications.

So, we can see that there is currently no complete security solution for cloud. Can we offer a solution to cloud security? No, we cannot. There is no such thing as a complete solution to cloud security, and it is unlikely that there will be, while the current ennui exhibited by many cloud users and indeed some cloud service providers, persists. Likewise, while the constant battle between security experts and outside attackers continues back and forth, this will continue to be a very difficult goal to achieve.

However, it is encouraging to see initiatives, such as the Association for Information Systems (AIS) who aim to develop what is known as the Bright Internet, which aims to drastically reduce cyber-crimes by achieving the Principles of Origin Responsibility, Deliverer Responsibility, Rule-based Digital Search Warrant, and Traceable Anonymity, which they are now developing along with the International Telecommunication Union. Meantime, what we can do is to make some reasonable suggestions, based on our research over many years, to help companies mitigate these vulnerabilities by paying particular attention to all the specific threats they face, many of which we share in this paper.

There are a number of security standards in existence, and many companies have achieved compliance with these standards. Will this solve their problems? We shall address this question in the following section.

Does compliance help?

All companies and businesses based in the UK are subject to legislation. All large companies are subject to corporate governance rules. Many companies work in regulated industries, such as healthcare, agriculture, energy supply, transport, and water, and are subject to tight regulation. Consequently, many of these companies seek to gain compliance with security standards. However, the big question here is, which standard should they comply with? Here is a list of all the organisations who have worked on cloud security standards:

  • American Institute of Certified Public Accountants (AICPA);
  • Association for Retail Technology Standards (ARTS);
  • Basel 3;
  • The Technology Policy Division of the Financial Services Roundtable (BITS);
  • Cloud Security Alliance (CSA);
  • Cloud Standards Customer Council (CSCC);
  • Control objectives for information and related technology (COBIT);
  • Cloud Standards Organisation (CSO);
  • Data Protection Act (DPA);
  • Distributed Management Task Force (DMTF);
  • European Telecommunications Standards Institute (ETSI);
  • Federal Risk and Authorisation Management Program (FedRamp);
  • Generally accepted privacy principles (GAPP);
  • Global Inter-Cloud Technology Forum (GICTF);
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Information Assurance Technology Analysis Center (IATAC);
  • Information Systems Audit and Control Association (ISACA);
  • International Standard on Assurance Engagements (ISAE) 3402;
  • International Organisation for Standardisation/International Electrotechnical Commission (ISO/IEC);
  • Information technology infrastructure library (ITIL); International Telecommunication Union Telecommunication Standardisation Sector (ITU);
  • Jericho Forum;
  • National Institute of Standards and Technology (NIST);
  • North America Electric Reliability Corporation (NERC);
  • Organisation for the Advancement of Structured Information Standards (OASIS);
  • Open Cloud Consortium (OCC);
  • Open Grid Forum (OGF);
  • Object Management Group (OMG);
  • Payment Card Industry Data Security Standard (PCIDSS);
  • Storage Networking Industry Association (SNIA);
  • The Open Group;
  • TM Forum;

The cloud has been around for barely a decade, during which time each of the above organisations have been working on cloud standards. With so many different organisations working on cloud standards, there are no surprises to discover we have yet to see a complete and comprehensive cloud security standard. The situation with big data, and especially the IoT, is even worse, with the IoT to all intents and purposes an unregulated area.

Many large corporates have traditionally sought to gain compliance with the global standards published by the ISO/IEC, and in respect of security, the ISO/IEC 27000 series of standards.

However, for those companies adhering to any of the above standards, accreditation is achieved through compliance or audit. The authors have already written on a number of these issues, addressing some of the inherent weaknesses in approach, including: compliance and standards issues, Duncan and Whittington [21], audit issues, Duncan and Whittington [22], management approach, Duncan and Whittington [23], lack of accountability, Duncan and Whittington [24], measurement and monitoring, Duncan and Whittington [25], cloud audit issues Duncan and Whittington [26], and issues with the cloud audit trail Duncan and Whittington [15].

The pace of evolution of new technology far outstrips the capability of international standards organisations to keep up with the changes, Willingmyre [27], meaning that the time taken for standards to be implemented, merely adds to the problem. Cloud computing started to gain traction around 2006, and while NIST produced a definition of cloud computing in 2009, followed up by a more comprehensive definition in 2011, along with suggestions for mitigating strategies, it took the ISO/IEC until 2014 to even mention the cloud word in their standards.

On the plus side, standards such as ISO/IEC 27002 are now generally well understood by large corporates, and we are finally starting to see the introduction of cloud standards in the ISO/IEC 27000 series. ISO/IEC 27017: 2015, which provides guidance for cloud specific security controls based on ISO/IEC 27002: 2013, was finally approved in 2015. During the current decade, there has been a shift in the ISO 27000 series of standards from a compliance based approach to a risk-based approach, and this is to be welcomed. ISO/IEC 27018: 2014 was published in 2014, and covers the use of personally identifiable information (PII) in public clouds. ISO/IEC 27036–4: 2016 provides guidance on the security of cloud services. This standard does not address business continuity management or resiliency issues for cloud services. These are addressed in ISO/IEC 27031: 2011, although this has been improved on in ISO 22301 : 2012.

There are three security studies currently being conducted by the ISO/IEC on: cloud security assessment and audit; cloud-adapted risk management framework; and cloud security components. Beyond that, the following four areas have been proposed: guidelines for cloud service customer data security; the architecture of trusted connection to cloud services; the architecture for virtual root of trust on cloud platforms; and emerging virtualisation security.

One minor issue with these standards is that they provide an idea of what needs to be done in order to be compliant, but little detail on how this can be achieved is provided. Where the understanding of the issues involved is not clearly understood, this may lead to compliance being achieved, without any useful level of security being present, leading to a false sense of security.

Thus, it is clear that there is no comprehensive security standard yet in place for cloud, nor is there likely to be for some time. As yet, we still have no clear idea on what form IoT security standards will take. This leaves a glaring weakness which bad actors are only too keen to take advantage of.

What happens when these weaknesses are exploited?

The ‘things’ in the IoT are only little. Where is the harm in that? The problem with the ‘things’ in the IoT is not the small size of the hardware resources, rather it is in the scale of ‘things’ involved.

Take the recent large-scale DDoS attacks perpetrated over the last 6–9 months against, among others, the Dyn company’s DNS system attack, resulting in big names including GitHub, Twitter, Reddit, Netflix, AirBnb and others, who were among hundreds of websites rendered inaccessible to millions of people around the world for several hours. Another recent attack resulted in hundreds of thousands of TalkTalk and Post Office broadband customers affected. Deutsche Telekom, KCOM and Irish telco Eir have also been affected. These attacks were perpetrated as a result of many ‘things’, in this case surveillance cameras, being infected with the Mirai virus, which were vulnerable due to poor security, and were turned into a large Bot-Net.

If your personal computer gets infected, you will very quickly notice, as it will slow down significantly, usually because the malware takes over as many of your system resources as it can. However, in this case, the perpetrators took a rather more smart approach. They left just enough system resources for the camera to function properly, and send images on to the data collection point. The software simply used the unused portion of system resources. Since the cameras continued to function normally, nobody noticed that they had been compromised. It is estimated that some 1.2 million IoT devices are currently infected with the Mirai virus. It is further estimated that only 125,000 cameras were used to carry out the attacks, achieving some of the highest attack speeds ever seen, in the order of up to 1200 gigabits per second. The really worrying aspect of this is that the Mirai virus was recently ported to Windows, meaning that once an insecure IoT device has been compromised, then all the Windows devices in the network, including desktops and servers, could then be easily compromised and taken over, and could then seek out other machines to compromise.

Here are a few more of the weaknesses that have been exploited. For IoT breach research, 2015 was a productive year. Researchers managed to use the on board browser to hack into a Tesla S vehicle, [28], having plugged in a laptop behind the dashboard, and were able to start the car and drive it off. Researchers were able to take control of a Jeep on the freeway, and amongst other things, shut off the engine at 70mph [29]. In another worrying piece of research Zetter [30], it was possible to send a fatal drug overdose to a hospital drug pump. Researchers used a cheap insurance company dongle plugged in to the dashboard of a Corvette to disable the brakes [31]. Researchers were able to ‘kill a dummy’ by switching off its pacemaker Koebler [32]. This research activity drove a medical doctor to embark on a crusade to try to improve security of medical devices Zetter [33].

Researchers had a ‘lightbulb’ moment in 2016 Pritchard [34], when they realised how the humble light bulb could be used as an attack vector. Next the importance of protecting wastewater became obvious Kumbhar [35]. Researchers managed to hack an industrial dishwasher Newman [36], to give them a springboard to attack other devices on the network. More warnings about medical device insecurities Newman [37], followed. Uber’s former top hacker admits securing autonomous cars is a really hard problem Greenberg [38].

Shell is a company renowned for its future forecasting and a look round its scenario web pages Shell [39], shows anticipation of rapid applicability of connected solutions in transport, health, water and for the efficient zero emission city of the future. In one of their future reports Shell [40], they discuss the future benefits of a healthy life, which they forsee being enabled by IoT technology. No real surprise that there will continue to be an increasing demand for IoT technology. However, with up to 50 Billion IoT devices in operation by 2020, and no proper security yet, this starts to get more than a little concerning. There is no doubt that we need to take action now, but how? In the next Section, we will consider how we might address these challenges.

On the bright side, we have seen the occasional IoT vigilante throw their hat into the ring. In 2015 Symantec [41], the Linux.Wifatch virus was released by persons unknown. This virus actively sought out vulnerable IoT devices, proceeded to infect them, but rather than doing harm, instead downloaded additional patches to make the systems more secure. Contrast this approach with the very latest BrickerBot virus Coppock [42], which similarly infects vulnerable IoT devices, but instead of improving their security, this virus makes sufficient changes to the system to render it unusable following a reboot, which it forces on the device after infection. This essentially ‘kills’ the device, rendering it completely secure, but useless. It does not appear to be selective, which means it could cause serious problems if mission critical devices were infected.

How can we address these challenges?

This might all sound rather overwhelming. However, it is worth bearing in mind that in addition to providing these comprehensive lists, OWASP also offers advice on how to mitigate the weaknesses highlighted in their lists, OWASP [43]. Thus, it would be a good idea for all IoT users to take full advantage of this advice when seeking to safeguard their IoT systems. There are also many other agencies who have been working on cloud security, such as the CSA, ENISA, NIST and PCIDSS who all have sensible recommendations to make, and it would be useful to take their recommendations into account.

When engaging cloud services, here are a few useful things to consider given in Table 6.



Action required


CSP sales talk

Do not believe the hype. Do your own due diligence


business continuity

prepare a proper disaster recovery plan


cloud security

remember, there is no single solution


rapid deployment

Do not try to do it all at once


ongoing ennui

Do not relax. Be vigilant at all times


other approaches

look out for the loopholes


after a breach

have a plan for what to do after a breach

Table 6: Common mistakes, weaknesses and mitigating strategies © 2016 Duncan and Whittington

While audit is unlikely to be an issue for private individuals, it most certainly will be an issue for companies, and will require to be properly addressed. Of greater concern is dealing with the question of who is responsible for security. Users should pay particular attention to the service level agreements that they sign with the cloud service providers. Careful analysis of the detailed terms contained in these agreements will ensure more clarity and a better understanding on the responsibilities of each party.

However, we can address these vulnerabilities. By carefully analysing the full details of the systems architecture of the IoT system we plan to use, we can identify which of these vulnerabilities the system might be exposed to. There are many defences which have been proposed for each of these vulnerabilities, and providing the right steps are taken, it will be possible to mitigate the risks faced. The OWASP foundation provides a comprehensive set of mitigation strategies for a whole variety of different vulnerabilities, and it would certainly be sensible to take this advice, which is free to download OWASP [44]. In addition, Acunetix [45] has developed a web vulnerability scanner which you can use to check whether your system is vulnerable. You can run a vulnerability scan for free, although you can also subscribe for a more comprehensive paid version.

The first major step we must take is to recognise the extent of the challenges faced when using an IoT system, just as we must do when using mobile systems, or cloud systems, or conventional distributed systems. Recognition is a key first step to achieving a successful cyber security outcome. Then, we must abandon the practice of relying on default settings for all installed components in the system. If the components do not include proper security, we should vote with our wallet, and buy elsewhere, from someone who can provide proper security. And remember, that if we fail to do this, then we are aiding and abetting the bad guys, and are consequently no better than them. We are all responsible for doing our bit to improve our own security.

While cyber security for the IoT certainly would appear on first sight to be an unsolvable challenge, it is clear that taking sensible steps can certainly help you sleep better at night, and we outline a number of these sensible steps in the following section.

Possible solution

There is currently no guaranteed solution to the IoT security problem. However, we can take a pragmatic approach at this stage, which is not likely to be overly expensive, and should ensure we achieve a reasonable level of protection.

  1. We should scrutinise cyber breach reports daily to identify any newly discovered vulnerabilities.
  2. We should scan our system for the most common vulnerabilities Acunetix [45].
  3. We must ensure we use a very robust router, or routers for larger systems. There should be no known back door in the router, and we should ensure that we use sufficiently strong passwords to make ensure they are very difficult to break.
  4. We must ensure that every single ‘thing’ attached to these routers has the same level of security available and we should ensure that we use sufficiently strong passwords to ensure they are very difficult to break.
  5. Ensure that every piece of non-compliant hardware is identified and removed from the system.
  6. Every piece of software with known vulnerabilities should be either patched or changed for more robust software.
  7. All software security patches should regularly be identified and updated.
  8. All open ports should be identified, and any non-required ports should be closed.
  9. An Intrusion Detection System (IDS) should be installed, and monitored.
  10. Where wireless or Bluetooth technology is in use, the most secure version should be used and properly configured.
  11. We must ensure we retain a proper forensic trail. Thus all system logs, user access traffic, including commands used, should be logged securely to an immutable database Duncan and Whittington [46], which is stored on a secure server in a different location. Conventional databases are wide open to attack, and this is the primary target for bad actors so that they can delete all trace of their visit. Using an immutable database makes this substantially more difficult for them to carry out.
  12. Every piece of web-based software used should be made more robust by following the OWASP security recommendations.
  13. Some form of monitoring and data capture for all attached devices should be installed and regularly reviewed.
  14. Strong access controls should be used and enforced at all times.
  15. All system components should be regularly scanned to test for the presence of malicious software.
  16. There should be a well-defined strategy developed for business continuity management in the event of a breach occurring.

We would stress that this possible solution cannot be guaranteed 100% effective, but by following these suggestions, any IoT user can vastly reduce the number of vulnerabilities which need to be addressed.

Of course, in the longer run, there is certainly a need for a more robust approach, and we are involved in four areas of ongoing research into IoT vulnerabilities which will hopefully lead to a more robust long term solution.

  • We are researching a means of providing tighter controls by default.
  • We are researching a means of highlighting and removing vulnerable software by default.
  • We are researching a unikernel-based solution to eliminate the problems brought about through the ever increasing complexity of modern systems Duncan et al. [47].
  • We are involved in research into the Bright Internet – a global research collaboration with the goal of ensuring all traffic sent by servers in the Bright Internet will be virus free. Another goal is that all users will have full anonymity for all their day-to-day activities, but in the event that they perpetrate a criminal act, they will be identifiable, thus ensuring proper accountability.

Of these above research areas, the first two are likely to show the most promise in the short term. The unikernel-based approach is likely to deliver results a year or two down the line, and the Bright Internet a little further down the line again.

There is little doubt that serious action on IoT security must take place, and soon. There is no way that we can possibly leave the status quo to continue, otherwise, there will be serious repercussions to contend with in the future. There is a real danger that the potential future benefits could be lost to society if we collectively do not take the action required now.


We have looked at the history of the IoT, and considered what kind of things it can do, which provides a very exciting insight into what the future of this technology could bring to all of us. We had a brief look at IoT architecture, and how it works at various levels. We have considered the many security challenges which we face in using this technology safely.

We have also considered whether compliance with cloud security standards can help. We have had a brief look at the potential for disaster when we do not take enough care to ensure proper security is provided, often at minimal cost, and resulting in these weaknesses being exploited, a horrifying prospect. Moreover, we have briefly considered how we might address these challenges.

The IoT at this time is an unregulated space. We must all recognise this, and take such steps as are necessary to ensure bad actors cannot get access to our IoT resources to create mayhem for the rest of society. We all bear a responsibility to play our part in this, whether we are a large corporate, an SME, a one man band, or a private individual using the IoT to run their home more efficiently.

Our research was initially focused on identifying key management issues which if not addressed properly would lead to weaknesses in security for cloud users. We are also working on some technical solutions to specific problems, such as ensuring proper audit trails can be effectively maintained; the use of audit to help provide integrity assurance for data; the use of unikernels to provide a more robust environment for running cloud-based systems, including those for the IoT; the use of adaptive soft security measure to police cloud based systems in operation; the development of immutable database systems to ensure data cannot be compromised; investigating the threat environment to help develop better responses to ongoing security threats; and working further on the weaknesses of people in the organisation to security.

Of course, technical solutions alone are not the answer to this problem. The business architecture of a company is a combination of people, process and technology, not technology alone. Thus it is necessary to take a much broader approach to trying to resolve this problem. Moreover, it is no longer a question of ‘if’ your company will suffer a breach, it is a simple matter of time before it will happen. The real question is will you be able to recognise that it has happened, and what will you be able to do about it when it does?


  1. Ashton K.: ‘That ‘Internet of Things’ thing’, RFiD J., 2009, 22, (7), pp. 97–114.
  2. Gantz J. F. Reinsel D. Chute C. et al.: ‘The expanding digital universe: a forecast of worldwide information growth through 2010’. External Publication IDC (Analyse the Future) Information and Data, 2007, pp. 1–21.
  3. Bojanova I. Hurlburt G. Voas J.: ‘Today, the internet of things. Tomorrow, the internet of everything. Beyond that, perhaps, the internet of anything – a radically super-connected ecosystem where questions about security, trust, and control assume entirely new dimensions’. Information-Development, 2013, p. 4.
  4. Sharma S. Chang V. Tim U. S. et al.: ‘Cloud-based emerging services systems’, Int. J. Inf. Manage., 2016, pp. 1–19.
  5. Bughin J. Chui M. Manyika J.: ‘Clouds, big data, and smart assets: ten tech-enabled business trends to watch’, McKinsey Q., 2010, 56, (1), pp. 75–86.
  6. ‘Innovation Cities™ index 2016–2017: global’, 2017.
  7. Gubbi J. Buyya R. Marusic S. et al.: ‘Internet of Things (IoT): a vision, architectural elements, and future directions’, Futur. Gener. Comput. Syst., 2013, 29, (7), pp. 1645–1660.
  8. Suciu G. Vulpe A. Halunga S. et al.: ‘Smart cities built on resilient cloud computing and secure internet of things’. 2013 19th Int. Conf. Control Systems and Computer Science (CSCS), 2013, pp. 513–518.
  9. Aziz B. Arenas A. Crispo B.: ‘Engineering secure internet of things systems’, 2016.
  10. Larson D. Chang V.: ‘A review and future direction of agile, business intelligence, analytics and data science’, Int. J. Inf. Manage., 2016, 36, (5), pp. 1–25.
  11. Chang V. Newman R. Walters R. J. et al.: ‘Review of economic bubbles’, 2014.
  12. Bentley: ‘Bentley used NASA tech to create this 53-gigapixel car photo’, 2016.
  13. Gantz J. F. Reinsel D. Chute C. et al.: ‘The expanding digital universe: a forecast of worldwide information growth through’. Information Data 2007, 2010, pp. 1–21.
  14. Mell P. Grance T.: ‘The NIST definition of cloud computing: recommendations of the National Institute of Standards and Technology’. Technical report, Computer Security Division Information Technology Laboratory National Institute of Standards and Technology, Gaithersburg, MD, 2011.
  15. Duncan B. Whittington M.: ‘Enhancing cloud security and privacy: the power and the weakness of the audit trail’. Submitted to Cloud Computing 2016, Rome, 2016b, pp. 1–6.
  16. OWASP: ‘OWASP top ten vulnerabilities 2013’, 2013.
  17. OWASP: ‘OWASP top 10 IoT vulnerabilities (2014)’, 2014.
  18. Trustwave: ‘2012 global security report’. Technical report, 2012.
  19. Verizon: ‘Verizon 2015 data breach investigation report’. Technical report, 2015.
  20. Verizon: ‘2012 data breach investigation report: a study conducted by the verizon RISK team in cooperation with the United States Secret Service and Others’. Technical report, 2012.
  21. Duncan B. Whittington M.: ‘Compliance with standards, assurance and audit: does this equal security?’. Proc. 7th Int. Conf. Security Information Networks, Glasgow, 2014a, pp. 77–84.
  22. Duncan B. Whittington M.: ‘Reflecting on whether checklists can tick the box for cloud security’. 2014 IEEE 6th Int. Conf. Cloud Computing Technology and Science (CloudCom), Singapore, 2014b, pp. 805–810.
  23. Duncan B. Whittington M.: ‘Company management approaches – stewardship or agency: which promotes better security in cloud ecosystems?’. Cloud Computing 2015, Nice, 2015a, pp. 154–159.
  24. Duncan B. Whittington M.: ‘Enhancing cloud security and privacy: broadening the service level agreement’. In 14th IEEE Int. Conf. Trust, Security and Privacy in Computing Communication, Helsinki, Finland, 2015b, pp. 1088–1093.
  25. Duncan B. Whittington M.: ‘The importance of proper measurement for a cloud security assurance model’. 2015 IEEE 7th Int. Conf. Cloud Computing Technology and Science, Vancouver, 2015c, pp. 1–6.
  26. Duncan B. Whittington M.: ‘Enhancing cloud security and privacy: the cloud audit problem’. Submitted to Cloud Computing 2016, Rome, 2016a, pp. 1–6.
  27. Willingmyre G. T.: ‘Standards at the crossroads’, StandardView, 1997, 5, (4), pp. 190–194.
  28. ‘Researchers hacked a model S, but Tesla’s already released a patch’, 2015b.
  29. ‘Hackers remotely kill a jeep on the highway – with me in it’, 2015a.
  30. Zetter K.: ‘Hacker can send fatal dose to hospital drug pumps’, 2015a.
  31. ‘The doctor on a quest to save our medical devices from hackers’, 2015c.
  32. Koebler J.: ‘Hackers killed a simulated human by turning off its pacemaker’, 2015.
  33. Zetter K.: ‘The doctor on a quest to save our medical devices from hackers’, 2015b.
  34. Pritchard S.: ‘Internet of things: humble lightbulbs could become a form of attack’, 2016.
  35. Kumbhar S.: ‘Critical role for the Internet of Things in wastewater’, 2016.
  36. Newman L. H.: ‘Security news this week: yes, even internet-connected dishwashers can get hacked’, 2017b.
  37. Newman L. H.: ‘Medical devices are the next security nightmare’, 2017a.
  38. Greenberg A.: ‘Securing driverless cars from hackers is hard. Ask the ex-uber guy who protects them’, 2017.
  39. Shell: ‘Shell scenarios: new lenses on future cities’, 2017.
  40. Shell: ‘A better life with a healthy planet’. Technical report, Shell, London, 2016.
  41. Symantec: ‘Is there an internet-of-things vigilante out there?’, 2015.
  42. Coppock M.: ‘New ‘BrickerBot’ malware attack kills unsecured internet of things devices’, 2017.
  43. OWASP: ‘OWASP SQL injection cheat sheet’, 2016.
  44. OWASP: ‘OWASP home page’, 2017.
  45. Acunetix: ‘Scan your website for OWASP Top 10 critical web app vulnerabilities’, 2017.
  46. Duncan B. Whittington M.: ‘Creating an immutable database for secure cloud audit trail and system logging’. Cloud Computing 2017 Eighth Int. Conf. Cloud Computing GRIDs, Virtualization, Athens, 2017, pp. 54–59, ISBN: 978-1-61208-529-6.
  47. Duncan B. Happe A. Bratterud A.: ‘Enterprise IoT security and scalability: how unikernels can improve the status Quo’. 9th IEEE/ACM Int. Conf. Utility and Cloud Computing (UCC 2016), Shanghai, China, 2016, pp. 1–6.
Go to the profile of Bob Duncan

Bob Duncan

Lecturer, University of Aberdeen


Go to the profile of Chris Shire
Chris Shire about 1 month ago

Hello Mr Duncan, I like your approach and the outline "Possible Solution". Have you reviewed the IoT Security Foundation's work on IoT security compliance? If so,  what did you think of it?