
Chapter 1: Introduction

1.1 Background of the study


One of the most important topics in the policy, technology and engineering fields is the
Internet of Things (IoT). It has taken over the headlines in popular media and the press. It
encompasses a broad spectrum of network systems, sensors, and products. These elements
offer new potential through extensive use of advances in electronic
miniaturization, computing power, and network interconnection that were not possible
previously. Various reports, news articles, journals, and conferences keenly
discuss the revolution that IoT could bring to society and human life. It would provide
new opportunities in the market and business models that focus on privacy and device
interoperability (Rose, Eldridge and Chapin, 2015).

Many aspects of our lives could improve if IoT devices are implemented on a large scale.
Consumers could experience higher security and energy efficiency with the emergence of
Internet-enabled appliances such as components and devices for energy management and
home automation. Moreover, other devices such as health monitoring devices, wearable
fitness devices, and medical devices enabled through networking will help to transform the way
healthcare services are delivered. Apart from health applications, the implementation of IoT would
help in fulfilling the vision of “smart cities” with interconnected vehicles, intelligent systems to
control traffic, and roads and bridges fitted with sensors. However, implementing IoT is
not as simple as it looks. Several issues and challenges impede the task and
need to be addressed to realize the potential benefits of IoT (Rose, Eldridge and Chapin, 2015).

Several organizations have predicted the potential impact of IoT on the economy and the
Internet. For example, Cisco believes that by 2019 the count of interconnected devices could
reach up to 24 billion. On the other hand, Morgan Stanley believes that by 2020 the count of IoT
objects would reach 75 billion. Additionally, Huawei raises the bar with a prediction of 100
billion by the end of 2025. McKinsey Global Institute analyzed IoT’s impact on the world economy
and identified a worth of $3.4 to $11.1 trillion by 2025 (Rose, Eldridge and Chapin, 2015).
Although the projections vary, on the whole they all point towards global growth.

IoT also has some critics who believe that it would violate the privacy and security of
individuals through extensive surveillance. However, the primary focus of the Internet
Society is only to grow interactions between people and institutions in their social, personal,
and economic lives. The explosion of IoT would change the way users engage and exchange
data. It would have a different effect in various countries and regions, resulting in a global
pool of challenges and opportunities (Rose, Eldridge and Chapin, 2015).

By connecting many devices to a network and enabling data
gathering and analysis, the Internet of Things is expected to contribute to creating customer value.
Critical infrastructure that affects people's lives and economic activities thus becomes an area
where IoT is utilized. From this perspective, security measures for IoT systems are very important to
consider. Yet administrators face a shortage of security operations while
using the Internet of Things. The present research focuses on identifying gateway-based security
measures that would help to mitigate security issues in the Internet of Things.

Chapter 2: Research context and question

2.1 Aims of the study


The research aims to find the security issues that arise while using the Internet of Things in daily life. In
addition, the research examines gateway-based security measures that would help to
bridge the communication gap between IoT devices such as sensors, equipment, systems and
the cloud.

2.2 Objectives of the study

• To find out the security issues faced while using the Internet of Things in daily life.

• To identify the gateway-based security measures useful for mitigating security issues in IoT.

• To critically analyze the role of gateway-based security measures in bridging the
communication gap between IoT devices.

• To scrutinize the challenges faced while implementing gateway-based security measures in the
Internet of Things.

• To identify the barriers that manufacturing organizations and end users face in integrating a
culture of information security in IoT systems.

• To recommend solutions for overcoming the challenges.

Description of research objectives

These research objectives will observe and cover IoT security vulnerabilities, their
causes and effects. The research objectives will also help in better understanding the
research problem. These objectives will also contribute to uncovering the essential and trending
aspects of the IoT, including massive scaling, IoT architecture and dependencies, creating
knowledge and big data, the robustness of the IoT service, its openness, security, privacy, the
involvement of humans in the loop, and much more (Stankovic, 2014).

Based on these research objectives, it becomes convenient to discover the common
security challenges that occur on IoT gateways. This research will, therefore, help organizations
to take special measures to safeguard and protect their IoT services, the IoT gateways, and
the devices connected to them. The research objectives will also help organizations understand
the involvement, control, and effects of human interaction with such a system. These
behaviors are observed under different conditions: (i) humans are in direct control of the
system, (ii) humans are passively involved, where the system observes them and takes appropriate
actions, (iii) applications passively monitor human beings for their physiological parameters, and
a combination of (i), (ii), and (iii) (Stankovic, 2014).

The research objectives are also aimed at helping to evolve the “Internet of Mobile Things.” As the
intelligent things that work on the network, known as the “Internet of Things”, are on the way to
being controlled by mobile devices, organizations today are developing mobile applications
for everything they want to do with these devices. These mobile applications are quite easy and
quick to develop and are capable enough to carry out basic operations and control the devices
that connect to the IoT gateways. Such mobile applications, their flexibility, and their widespread use
will open new opportunities and a wide space for attackers to cause harm to the network
and the service.

The research objectives will help organizations and developers of IoT services
observe the key areas in which to monitor, manage and optimize the flow of data and information that
might be critical for the service. Developers and designers will also better understand
optimal data capture, processing, and transmission for the Internet of Things. With a huge
amount of data traveling over the network, the research objectives will also help organizations
uncover better opportunities for cloud storage and its active involvement in the
operations of the Internet of Things.

In the end, the research objectives will help find the optimal gateway-based measures
that will add security and enhance the efficiency, productivity, competency, and reliability of the
Internet of Things. These will also lead to the generation or identification of one or more policy
guidelines that will help to develop a better and more efficient IoT service. Lastly, the research
objectives will propose some recommendations for the implementation of the IoT service.

2.3 Research Questions

R1. What are the security issues and vulnerabilities found in the applications of IoT in
digital marketing?

R2. What are the barriers to adopting security in IoT projects used for digital marketing?

Description of research questions

During the past 15 years, the Internet revolution has redefined business-to-consumer
(B2C) industries such as media, retail and financial services. In the next 10
years, the Internet of Things revolution will dramatically alter manufacturing, energy, agriculture,
transportation and other industrial sectors of the economy which, together, account for about 66%
of global gross domestic product.

It will also fundamentally change how people will work through new
interactions between humans and machines. Dubbed the Industrial Internet (of Things), this
latest wave of technological change will bring unprecedented opportunities, along with new risks, to
business and society. It will combine the global reach of the Internet with a new ability to
directly control the physical world, including the machines, factories and
infrastructure that define the modern landscape. However, like the Internet
in the late 1990s, the Industrial Internet is currently in its early stages. Many
important questions remain, including how it will affect existing industries, value chains, business
models and workforces, and what actions business and government leaders need to take
now to ensure long-term success. To address these and other questions
facing business and government leaders, the World Economic Forum's IT Governors
launched the Industrial Internet initiative at the Annual Meeting 2014 in Davos, Switzerland.
During the past eight months, the project team has developed a guiding framework and conducted a
series of research activities, including in-person workshops, virtual working
group sessions, interviews of key thought leaders, and a survey of innovators and early
adopters around the world.

As the Industrial Internet gains broader adoption, businesses will shift
from products to outcome-based services, where businesses compete on their ability to
deliver measurable results to customers. Such outcomes may range from guaranteed machine uptimes on
factory floors, to actual amounts of energy savings in commercial buildings, to guaranteed
crop yields from a specific parcel of farmland. Delivering such outcomes will require new levels
of collaboration across an ecosystem of business partners, bringing together players that
combine their products and services to meet customer needs. Software platforms will
emerge that will better facilitate data capture, aggregation and exchange across the
ecosystem. They will help create, distribute and monetize new products and services at
unprecedented speed and scale. The big winners will be platform owners and partners
who can harness the network effect inherent in these new digital business models to create
new kinds of value. For example, Qualcomm Life's 2net platform supports a wide
variety of connected devices that can all contribute patient health data
to improve hospital-to-home health and economic outcomes.

The research also shows that the Industrial Internet will drive
growth in productivity by presenting new opportunities for people to upgrade skills and
take on new types of jobs that will be created. A majority of executives we
surveyed believe that the growing use of "digital labour" in the form of smart sensors, intelligent
assistants and robots will transform the skills mix and focus of tomorrow's workforce.
While lower-skilled jobs, whether physical or cognitive, will be
increasingly replaced by machines over time, the Industrial Internet will also create
new, high-skilled jobs that did not exist before, such as medical
robot designers and grid optimization engineers. Companies will also use Industrial
Internet technologies to augment workers, making their jobs safer and more
productive, flexible and engaging. As these trends take hold, and new skills are required,
people will increasingly rely upon smart machines for job training and skills
development.

The Internet of Things (IoT) was the most hyped technology in 2014. Much of this hype
centres on consumer applications, such as smart homes, connected cars and consumer
wearables like wristband activity trackers. However, it is the IoT's industrial applications, or
the "Industrial Internet", which may ultimately dwarf the consumer side in potential
business and economic impacts. The Industrial Internet will transform many industries,
including manufacturing, oil and gas, agriculture, mining, transportation and healthcare.
Collectively, these account for almost 66% of the world economy. As society evolves towards an
integrated digital-human workforce, the Industrial Internet will redefine the new types of
new jobs to be created, and will reshape the very nature of work. Given its greater
significance, this report focuses exclusively on the Industrial Internet. The
Industrial Internet is still at an early stage, similar to where the Internet was in the late 1990s.
Our survey results underscore this point: the vast majority (88%) of respondents say that
they still do not fully understand its underlying business models and long-term
implications for their industries. While the evolution of the consumer Internet over
recent decades provides some important lessons, it is unclear how much of this learning is
applicable to the Industrial Internet given its unique scope and requirements. For example,
real-time responses are often critical in manufacturing, energy, transportation and healthcare.
Real time for today's Internet usually means a few seconds, whereas real time for
industrial machines is often sub-millisecond. The engineering rule of thumb dictates that a
10x change in performance requires a completely new approach, not to mention the 100x change that the
Industrial Internet will likely require. Another important consideration is reliability. The
current Internet embodies a "best effort" approach, which provides acceptable performance for
e-commerce or human interactions. Unexpected server glitches at Google or Amazon cause
delays in email or streamed video. However, the failure of the power grid, the
air traffic control system or an automated factory for the same length of time
would have much more serious consequences. This strong preference for real-time operation and
reliability, which has contributed to a conservative culture among industrial companies
in embracing change and new technologies, together with the high cost and long lifespan of
typical industrial products, are all critical factors in shaping how the Industrial Internet will
evolve.

2.4 Problem Statement


The Internet of Things has undoubtedly captured almost every digital device that we are
using today. The term at present refers to anything that has an IP address, can send and receive
data and is connected to the internet. In other words, it seamlessly combines deep analytical
insights, ubiquitous connectivity, and embedded intelligence to accomplish complete tasks in no
time (Blanter and Holman, n.d.).

Unlike the computers of the past, with the rapid advancement of science and
technology, every device today is capable of sharing information over the network. This
technology and its concept came into existence when the fields of wireless technology and
microelectronics converged. Now, this technology is significantly helping scientists
and other research professionals to carry out tasks that were never imagined before (Rose,
Eldridge and Chapin, 2015).

The Internet of Things is the term that refers to scenarios where computing
capabilities and network connectivity are provided through objects, sensors, IP addresses and computers.
Technology has made such devices capable of generating, exchanging and consuming data with
minimal human intervention. However, there is no single definition of the Internet of Things.
With its growing prevalence and adoption in almost every industry and every aspect of
everyday life, it has raised concerns about the security of the data that travels to and from these
devices. Since these devices can rapidly share data and information that can be highly critical,
security is attracting maximum attention (Rose, Eldridge and Chapin, 2015, p.1).

2.5 Rationale of the study


What is the issue?

Internet of Things technology has not only come with benefits, opportunities, and
ease; it has also raised a major security concern, especially for businesses. Major sectors
that are particularly concerned about security include banking, financial services, business
organizations, government security agencies, and more. The quick and insecure use of IoT
can cause different types of security risks such as theft of sensitive or private data, malicious acts
on data, disruption of business operations, slowing down of business functionalities, data
interruption, change or destruction of essential IoT infrastructure, and so on (Pal and
Purushothaman, 2016).

Why is it an issue?

The technology has gained a significant place not only in the industrial context but also
in homes, workplaces, and educational institutions. The last two decades have experienced
a surge in the use of electronic devices such as electric kettles, microwave ovens, washing
machines, toasters, refrigerators, and automobiles such as cars and bikes. These now operate
on a network that connects dozens of microprocessors together in a single place
(Lin and Bergmann, 2016). As one of their essential features, IoT devices are capable of
collecting a huge amount of data in a small interval of time and of processing, transmitting, and sharing it.
A significant amount of this data can be private and personal, related to finances or some
company policies. Thus adequate protection of such information is necessary. This task also
needs special measures, as data now travels over the network in unprecedented amounts and it
becomes more challenging to identify threats to the flowing data (Pal and Purushothaman,
2016). Communication does not always take place under some level of
cryptographic confidentiality, authentication algorithms, and integrity measures as part of the
protocol on which the devices are working. Almost all IoT applications come loaded with
some basic level of security features. Also, in some cases, they offer some flexibility to
configure them for specific application requirements (Pal and Purushothaman, 2016).

Along with all the other security considerations, such as debugging the interfaces and
providing secure storage of confidential data in hardware, IoT hardware designers are
worried about side-channel attacks. In such an attack, critical information is collected from
the physical aspects of the system. This information is then leveraged to break security controls
and cause potential harm such as stealing passwords and encryption keys. These attacks
mainly focus on how data is presented rather than on the information itself. They are usually made
to capture information that is required to gain unauthorized entry into the IoT system, finally
leading to damage and data loss (Dhanjani, 2015).

Thus, it becomes important to find out the issues that are responsible for security
concerns in Internet of Things.

Why is it an issue now?

The immediate future is undoubtedly going to bring about 26 to 30 billion devices into
everyday life with a market worth of about $9 trillion. This growing number of devices will
generate a huge amount of data and a need for larger storage capabilities, faster networks, and more
bandwidth to support the growing internet traffic. Apart from the functionalities mentioned
above, these devices also need strong data protection methods (Pal and
Purushothaman, 2016).

The Internet of Things is also greatly susceptible to Denial of Service (DoS) attacks. As a
large amount of data travels over the network, IoT devices are highly vulnerable to becoming
hostages of DDoS attacks. The denial of service attack works best against the Internet of Things as
its model involves an enormous number of data requests from the server (Park, Chen and
Choo, 2017).

With the recent spread of the Internet of Things, the number of interconnected devices is
increasing dramatically. In addition, the connected devices are not limited to information
devices. The list of connected devices increasingly includes life-related
items such as vehicles and medical equipment, along with items that have a
potentially large impact on society, such as power stations and nuclear facilities. The Internet of
Things includes several network-connected devices (Brindha and Shaji 2015). If a device is
infiltrated by malware, it becomes the starting point for spreading the infiltration to other
devices, which could ultimately threaten critical infrastructure. Previous security incidents
have demonstrated vulnerabilities in the communication software of devices connected to
critical infrastructure, such as surveillance cameras, which were targeted to enable unauthorized access from
the outside. Such devices are used as starting points in order to make critical infrastructure work
abnormally. Thus, security becomes an issue of great concern while using IoT.

How does the research shed light on it?

The rapid development of the Internet of Things allows its use in several areas. The IoT services
of smart homes or offices are delivered by connecting the IoT devices to gateways. In such
cases, an attacker who manipulates the gateway can target every device in the network.
Even when the gateway itself is not manipulated, a connected malicious device can initiate
a DoS attack and hamper communication.
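
One gateway-side mitigation for the last case above, shown as an added example that is not part of the original study: the gateway keeps a separate token bucket per device, so a flooding device is throttled and then quarantined while other devices keep communicating. The class name, device names, rate, burst and strike threshold are assumptions, and the traffic is constructed.

```python
from dataclasses import dataclass

COST = 1000  # one message costs 1000 milli-tokens (integer maths keeps results exact)


@dataclass
class Bucket:
    tokens: int        # milli-tokens currently available
    updated_ms: int    # time of the last refill
    strikes: int = 0   # consecutive dropped messages


class GatewayRateLimiter:
    """Per-device token bucket applied by the gateway before forwarding.

    rate_per_s, burst and max_strikes are illustrative values, not taken
    from any standard or product.
    """

    def __init__(self, rate_per_s=5, burst=10, max_strikes=20):
        self.rate = rate_per_s
        self.capacity = burst * COST
        self.max_strikes = max_strikes
        self.buckets = {}
        self.quarantined = set()

    def allow(self, device_id, now_ms):
        """Return True if the gateway should forward this message."""
        if device_id in self.quarantined:
            return False
        b = self.buckets.setdefault(device_id, Bucket(self.capacity, now_ms))
        # tokens/s * elapsed ms = milli-tokens earned since the last message
        b.tokens = min(self.capacity, b.tokens + (now_ms - b.updated_ms) * self.rate)
        b.updated_ms = now_ms
        if b.tokens >= COST:
            b.tokens -= COST
            b.strikes = 0
            return True
        b.strikes += 1
        if b.strikes >= self.max_strikes:
            # A device that keeps exceeding its budget is cut off entirely.
            self.quarantined.add(device_id)
        return False


def simulate():
    """Constructed traffic: one flooding camera and one normal thermostat."""
    limiter = GatewayRateLimiter()
    events = [(t, "cam-1") for t in range(0, 1000, 5)]           # 200 msgs in 1 s
    events += [(t, "thermo-1") for t in range(0, 10000, 1000)]   # 1 msg per second
    forwarded = {"cam-1": 0, "thermo-1": 0}
    for now_ms, device_id in sorted(events):
        if limiter.allow(device_id, now_ms):
            forwarded[device_id] += 1
    return forwarded, sorted(limiter.quarantined)


if __name__ == "__main__":
    print(simulate())
```

Because each device has its own bucket, the flood exhausts only the camera's budget; the thermostat's messages are all forwarded.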

Apart from homes and workplaces, logistics and transport companies are already using RFID
tags to track their pallets, shipments, and even individual items through the IoT. These are
smart tags that are capable of logging and reporting the state of the transport conditions, for
example, tilt, temperature, shock, pressure, humidity, etc. The key driver is cost and orderly
communication with hundreds and thousands of tags at the same time (Lin and Bergmann, 2016).

The Internet of Things deeply influences other industries such as dining, entertainment,
hospitality, healthcare, sports and fitness, science, manufacturing, telecommunication, banking,
environmental science, education, retail, and more. Thus the security of information is the
utmost priority for these sectors (Lin and Bergmann, 2016, p.3).

Such widespread use of the Internet of Things has put greater pressure on
the manufacturers. Although building end-to-end security into the IoT design is a lofty task
for designers and developers, they must aim to ensure that their products meet an acceptable
level of trust. The major challenge for manufacturers in developing a
strong security subsystem is the integration and aggregation of some technologies. This open
exposure to some technical fronts makes the threat map and the attack surface larger for
malicious users (Gilchrist, 2017).
When people use computers, laptops, or smartphones, they have some built-in basic
versions of firewalls to protect against data breaches. Sometimes they use third-party software that is
readily available to allow or deny some specific types of activities on the network. These options
may provide some protection to the data and information that flows in and out of the device. In
the case of the Internet of Things, having a security subsystem is necessary, and the system should
be highly competent, difficult to cut through, highly economical, and easy to install. However,
maintenance and consistent updates are still a big challenge for most IoT developing
companies. Several companies today, therefore, fail to meet the maximum levels of security.
The probable reason for this low level of security is the profit margin these manufacturers aim
to achieve (Gilchrist, 2017).

To grab the maximum attention in the market and to meet the demands of the people,
several organizations miss and skip the security features in these devices. Also, after a device
becomes very popular in the market, it creates pressure on the manufacturers to produce the
product in large quantities, within budget, with limited resources, and in less time. Under this pressure,
less focus is placed on implementing better security measures for such devices. The
manufacturers start taking shortcuts to manufacture products that are of low quality and have
minimal or no security features. Security, the primary concern, is then compromised when it comes
to mass production of IoT. This compromise happens because buyers do not place much emphasis on security
and fail to notice the minimal security features (Gilchrist, 2017).

Security is also sometimes compromised by the manufacturers of IoT devices due to
the use of mobile applications. Today, there is a mobile application for all the technological
needs of people. Almost every service or product available in the market is in some way or
other operated by a mobile application. This rapid involvement of the mobile platform has left
many breaches in the security of these internet-powered devices. The mobile apps designed
for IoT contain insufficient security provisions for authentication and authorization. They
even lack data transport encryption, a secure mobile interface, and a secure cloud interface,
making them more vulnerable (Gilchrist, 2017).

Chapter 3: Literature review

3.1 Preface
In the development of IoT applications, security and testing frameworks play a vital role.
This chapter of the research deals with the communication models used in IoT. In addition, the
issues and the need for an IoT gateway are discussed in order to mitigate security issues. The types of
IoT gateway implementation, their architectures and the layers of the IoT gateway are discussed in
this chapter of the research. The chapter also explains security measures, IoT network security
and the importance of software-defined networking. The use of cryptosystems, access control,
proxy services, firewalls and LAN gateways, as well as secure onboarding, firmware updates and limiting
interfaces associated with the use of IoT, are explained in the chapter. It is important
to identify the barriers to information security in IoT systems, such as organizational
barriers.

3.2 Overview of IoT security issues


Privacy. The IoT will show its full potential only when the privacy choices of
individuals are respected. The nature of IoT gives it a tremendous opportunity to access a large
amount of user data. However, the adoption of IoT might be affected by privacy
concerns, which means it becomes significant to ensure the safety of the privacy rights of the
users. The implementation of IoT could change the process of data collection, analysis, usage,
and protection. Privacy issues such as increased surveillance, the inability to avoid certain data
collection and much more raise concerns in the implementation of IoT. Hence, strategists
would need to come up with new choices to realize the opportunities lying within and
beyond the scope of IoT (Rose, Eldridge and Chapin, 2015).

Interoperability. Interoperability between products and services might have
always been a point of concern when it came to IoT implementation. It is not always feasible
or necessary to achieve full interoperability. However, IoT devices that suffer from vendor lock-in,
a high degree of ownership complexity, and inflexibility in integrating with other devices would affect
consumer acceptance (Rose, Eldridge and Chapin, 2015). Apart from poor design, IoT
devices might have negative impacts due to the connected Internet and network resources.
Appropriate, generic, open and widely available best practices and standards will provide
significant benefits, innovation, and economic opportunity (Rose, Eldridge and Chapin, 2015).

Emerging economies. The emerging and developing economies have an
opportunity to exploit IoT to experience social and economic benefits in areas such as environmental
management, sustained agriculture, industrialization, and healthcare. However, developing
economies would need to address various IoT challenges such as infrastructure readiness,
technical skill requirements and much more (Rose, Eldridge and Chapin, 2015).

Legal and regulation rights. The concept of IoT has raised many legal and regulatory
questions which have an extensive scope. Examples include cross-border data flows,
data misuse, conflicts between civil rights and law enforcement surveillance, retention of data, security
breaches, legal liabilities for unintended uses, and lapses of privacy (Rose, Eldridge and Chapin,
2015). However, to uphold users' rights through the laws and regulations of IoT, several
architectures and principles have started evolving (Rose, Eldridge and Chapin, 2015).

3.3 Communication models in Internet of Things


Regarding technical communication, it is beneficial to learn about the connection and
communication between IoT devices. The IAB in 2015 released an architectural model to guide
the networking of smart objects. It outlines four common communication frameworks: device-
to-device, device-to-cloud, device-to-gateway, and back-end data-sharing model (Rose, Eldridge
and Chapin, 2015).

3.3.1 Device-to-device communication:


In this communication model, the connection and communication of multiple devices
take place over IP and many other types of networks. However, the connection among devices
in this model often makes use of protocols such as ZigBee, Bluetooth, or Z-wave (Rose, Eldridge
and Chapin, 2015).

Figure 1: Device-to-device communication model (Rose, Eldridge and Chapin, 2015).

In this model, the devices adhere to a particular protocol for communication and
information exchange. It mostly finds implementation in applications where devices require low
data rate and communicate through small data packages. For example, the devices in a home
automation system such as bulbs, thermostats, door locks, and light switches make use of small
amount of information to communicate (Rose, Eldridge and Chapin, 2015).

The device-to-device model has a lot of interoperability challenges. According to
an article in the IETF Journal, “these devices often have a direct relationship, they usually have built-
in security and trust [mechanisms], but they also use device-specific data models that require
redundant development efforts [by device manufacturers].” In such cases, manufacturers of
various devices will have to implement data formats that are specific to the device, resulting in a
lot of investment in development efforts (Rose, Eldridge and Chapin, 2015).

From an end-user perspective, this model requires users to select
devices that are compatible with other devices. For example, devices using ZigBee might
not be compatible with Z-wave devices. Such restrictions limit the choice of devices
available to users (Rose, Eldridge and Chapin, 2015).

3.3.2 Device-to-cloud communication:


In this model, the device in the IoT network connects to the Internet cloud. Here, the
devices exchange data and control message traffic just like an application service provider. The
existence of communications mechanisms such as Wi-Fi connections or wired Ethernets
provides a lot of advantage to this model to connect the devices and IP network (Rose, Eldridge
and Chapin, 2015).

Figure 2: Device-to-cloud communication model


(Rose, Eldridge and Chapin, 2015).
Some of the sought-after consumer IoT devices such as the Samsung SmartTV and the Nest Labs
Learning Thermostat make use of the device-to-cloud model. In Samsung’s SmartTV, the user
information gets transmitted to the company through the Internet, where it is later used for
analysis and for enabling the TV’s voice recognition feature. Similarly, in the thermostat, the data is
transmitted to a cloud database where the home energy consumption data gets analyzed (Rose,
Eldridge and Chapin, 2015).
Similar to the device-to-device communication model, this model also faces
interoperability challenges. Here, the issue arises when integrating devices from different
manufacturers. In most cases, the vendor of the cloud service and the device are the same,
which gives consumers no option to switch to alternate service providers. Such a case is
commonly known as “vendor lock-in” (Rose, Eldridge and Chapin, 2015).

3.3.3 Device-to-gateway communication:


This communication model is also known as the device-to-application-layer gateway (ALG)
model. The devices in this model connect to the cloud service through the ALG service, i.e. the
application software that operates on a local gateway device acts as a mediator
between the cloud service and the device. Moreover, it provides various additional functionality
such as security, protocol translation and much more (Rose, Eldridge and Chapin, 2015).
Figure 3: Device-to-gateway communication model
(Rose, Eldridge and Chapin, 2015).

This model has taken several forms in the consumer devices. However, in most of
the cases, an application running on a smartphone communicates with the device and acts as a
local gateway. Fitness trackers and other consumer items employ this kind of model. These
devices rely on smartphones as they are incapable of connecting to the cloud service directly.
Here, the role of smartphones is to act as an intermediate gateway. This model is helping to
address the interoperability issues faced in the above two models (Rose, Eldridge and Chapin,
2015).
An article in IETF Journal provides more detail about the model from a technical
perspective: “This [communication model] gets implemented in situations where the smart
objects require interoperability with non-IP [Internet protocol] devices. Sometimes this
approach is taken for integrating IPv6-only devices, which means a gateway is necessary for
legacy IPv4-only devices and services” (Rose, Eldridge and Chapin, 2015).

Similarly, the IAB in one of its documents suggests an outlook for the device-to-gateway
communication model: “It is expected that in the future, more generic gateways will be
deployed to lower cost and infrastructure complexity for end consumers, enterprises, and
industrial environments. Such generic gateways are more likely to exist if IoT device designs
make use of generic Internet protocols and not require application-layer gateways that translate
one application-layer protocol to another one. The use of application-layer gateways will, in
general, lead to a more fragile deployment, as has been observed in the past…” (Rose, Eldridge
and Chapin, 2015).

3.3.4 Back-end data-sharing communication:


This model is a communication architecture where users have the ability to export and
analyze the data of the smart device. The exported data could either be from the cloud or any
other source. It acts as an extension of the single device-to-cloud model, allowing the users to
upload data to various third parties rather than just the vendor service. This model attempts to
achieve interoperability among back-end systems (Rose, Eldridge and Chapin, 2015).

Figure 4: Back-end data-sharing communication model


(Rose, Eldridge and Chapin, 2015).
3.4 Requirement for IoT Gateway
IoT is experiencing a lot of innovation day by day, especially in industrial applications,
due to centralized management, automation, and system reliability of end equipment. However,
most of these innovations are also applicable to various types of embedded systems, which
include security devices, wearables, commercial and residential HVAC, medical monitors and
many other rapidly evolving consumer applications (Folkens, 2014).
The engineers are facing the challenge of “connectivity” in the process of Internet of
Things (IoT) design. They do not have enough experience, and implementing secure and
robust access to the Wide Area Network (WAN) or the Internet falls outside their range.
Moreover, the process of designing the Internet of Things (IoT) becomes more tedious for the
engineers when multiple device access is added to the scope. This kind of
implementation is beyond the processing capabilities of the engineers (Folkens, 2014). Hence,
engineers need to consider all these implementations in such a way that the cost and power
efficiency of the entire system remains unaffected.
A gateway to connect all the end points makes the solution feasible. It is necessary for
connecting end devices such as a pressure sensor to the Internet. Doing so can increase the
complexity and cost of implementation, especially when the devices do not have their own processors.
Additionally, different end equipment has different interfaces, which further increases complexity
in IoT design (Folkens, 2014). Hence, the collection and aggregation of data from several end
devices require the engineers to bridge the gap between the varying interfaces and capabilities
of devices reliably and consistently.
Gateways are one of the best solutions available to date for reducing the complexity
that the Internet of Things poses. They support various ways through which the nodes can
connect, which is the reason they play a significant role in solving IoT design issues. They
have the ability to connect any device irrespective of the voltage, the type of
encoder, the frequency of updates or any other variations. They act as a common portal which
consolidates the data, connects it to the network and alleviates the issue of device diversity
or variation (Folkens, 2014). As a result, the individual nodes are freed from the cost and
complexity of high-speed Internet access.
3.6 IoT Gateway Architectures
There are several architectures for setting up IoT gateways. Figures 5, 6 and 7
below show the different methods. In figure 5, the IoT nodes connect with the help of a
gateway. The nodes cannot directly connect to the Internet or the WAN as they are not IP-based.
To overcome the connectivity issue, they connect to gateways with the help of wireless
or wired PAN technology, which is less complex and inexpensive. An IoT agent is maintained for
each node to manage that node's data, which gives an option to locate application
intelligence within the gateway (Folkens, 2014).

Figure 5: Using PAN technology to connect to IoT via a gateway

In figure 6, the end node makes use of WAN to connect to the Internet directly.
The WAN connection could be through Ethernet or Wi-Fi. In this case, the gateway works as a
router. On the other hand, when the nodes autonomously manage themselves through their
own IoT agent, then the gateway can simply be a router (Folkens, 2014).
Figure 6: Nodes directly connect to the Internet
The one exception is that the nodes in this architecture make use of a PAN
connection to connect to the Internet. The PAN connection could include 6LoWPAN, Bluetooth,
ZigBee or any other PAN technology. Here, the gateway acts as a point of translation between
the WAN and the PAN.
Figure 7: Nodes indirectly connect to the Internet using PAN through 6LoWPAN
There are many other types of architectures and nodes for building IoT systems.
However, the above three architectures show the general implementation of IoT in
residential and industrial applications. The performance and the sophistication might vary
depending upon the use of the end points, but the above architectures focus on low cost and
high volume applications. The next section describes the various practical IoT gateway
architectures.
The advancement in IoT technology has paved the way for a further developed IoT
gateway architecture, implementing semantic gateway as a service as shown in figure 7. The
semantic IoT architecture comprises three entities: the sink nodes, the gateway nodes and
the IoT services. The sink nodes represent the sensors, actuators and other appliances which
collect the IoT data from the surroundings. The gateway nodes are the intermediary nodes
which collect data from the sensors and other devices and forward them to the IoT services
for further processing. The IoT services then process the received information, perform
functions and provide the desired services to the user. The main component of the semantic IoT
architecture is the semantic gateway as a service. This service connects the sink nodes to the
Internet cloud using various transmission protocols such as CoAP, MQTT, XMPP, and others
(Desai, Sheth and Anantharam, n.d.).
Figure 8: Semantic Gateway as a Service
The semantic gateway as a service consists of three components: the multi-protocol
proxy, the semantic annotation service, and the gateway service interface. The multi-protocol
proxy is the element of the gateway which fetches information from the physical world, that
is, it collects data from the sensors. The language difference between the sensor end and the IoT
services end requires a multi-protocol proxy to convert the sensor information into a form which
is easily understood by the services. It consists of two additional components to manage the sensor
data. The first component is the topic, which stores the sensor resources and information; the
second component is the topic router, which contains information about the publisher (sender) and
subscriber (receiver) of the message. It ensures safe transmission of sensor information. The
sensor data collected does not contain annotations, which limits its usability in the design of
applications and services. For this reason, the data is given proper annotations at the semantic
annotation service component of the gateway before being sent to the services. These
annotations help in the clear understanding of the data and give the service provider the
opportunity to build an effective service around the received data. Once the annotations are
assigned to the data, it gets forwarded to the IoT gateway service interface. This interface is
responsible for transmitting the sensor data to the services interface. This component of the
gateway connects to the service interface using REST and publish-subscribe methodology. The
sensor data and the service gateways remain independent of each other, and the gateways unite
the two independent components by acting as a bridge which connects the data to services (Desai,
Sheth and Anantharam, n.d.). The difference in data format between the sensor and the service is
managed by the gateway. After manipulation, the data is transmitted to the service interface, where
it is processed by the various applications to draw the necessary inferences about the surrounding
environment.
The semantic gateway as a service is a technique which provides a platform for initiating
communication between real-world devices and technological services. This gateway
ensures interoperability and facilitates cross-platform communication using the various network
protocols. Furthermore, this architecture encourages the secure transmission of data, as the
gateway acts as a barrier which analyzes the transmitted data, ensures only the authentic
information gets forwarded and restricts all the other malicious data. Thus, the gateway
architecture supports IoT and enables safe implementation of services.
Intel also offers an IoT gateway to promote an interoperable environment in IoT. The
gateway incorporates various network technologies and protocols, embedded system
controllers, and security mechanisms to effectively transmit real-world information to the
applications and services which process it and generate a relevant outcome. It is responsible for
sending the physical world data to the cloud platform as shown in figure 8. The Intel IoT
gateway collects the information from the sensors and controllers embedded in the system and
then filters out the most significant data from the bulk. It then selects the best
mechanism for connecting to the cloud. The gateway implements various security solutions
such as data encryption to ensure secure data transmission. It is built on an open architecture to
support interoperability and enable easy and effective application development. Its integrated
components ensure quick and flexible application development and deployment (Intel IoT
Gateway, n.d.). The main components of the Intel IoT gateway architecture are as follows.

Figure 9: Intel IoT Gateway Architecture


• Intelligent device platform XT is a software package which comes equipped with pre-validated
software, drivers, and hardware components to support security, connectivity
and manageability of the IoT applications. It allows the development of a wide range of
intelligent systems. The platform is responsible for the maintenance, management, and
deployment of remote devices. Furthermore, it enables communication over a wide
range of communication techniques including wired and wireless networks, allowing the
devices to transmit information to the cloud platform easily. The security offered by
this platform involves device and data protection through secure booting using a wide
range of arrays and protocols. The platform supports applications written in Lua, Java,
and OSGi, making the system scalable and reusable for varied application development
(Intel IoT Gateway, n.d.). The intelligent device platform XT is the most suitable software
stack for developing intelligent systems which match the
industry standard.
• McAfee embedded control is a security standard integrated with the Intel IoT gateway
which is responsible for system integrity and allows the execution and manipulation of
authorized code only. The program creates an automatic whitelist of the code that
can run on the platform, which is used as a checklist to authorize the execution of only
selected programs on the platform. McAfee provides kernel-level security to the
applications, which helps to protect files and disks and prevents malware infections. The
system continually monitors the critical files, directories, and registries to check for
unauthorized changes, and reports compliance issues to the officials, thereby
ensuring information security (Intel IoT Gateway, n.d.). The embedded McAfee system in
the Intel architecture enables the developers to design a secure, intelligent system which
meets the industry requirements.
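The two mechanisms described in this bullet, an automatically built allowlist of code and monitoring of critical files for unauthorized changes, can be sketched as follows. This is an added example, not McAfee's or Intel's code; the file names, file contents and function names are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Build the allowlist automatically: relative path -> SHA-256 of every file."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def may_execute(path: Path, allowlist: dict) -> bool:
    """Authorize by content hash, not by name: a replaced file at a known path fails."""
    return sha256_file(path) in allowlist.values()


def detect_changes(root: Path, baseline: dict) -> dict:
    """Compare the current state of the tree with the baseline snapshot."""
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Run the checks against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        agent = root / "bin" / "sensor_agent"
        agent.write_bytes(b"constructed agent v1")
        (root / "bin" / "uplink").write_bytes(b"constructed uplink v1")

        baseline = snapshot(root)                  # taken while the system is trusted
        allowed_before = may_execute(agent, baseline)

        # Constructed unauthorized changes: one file altered, one added, one deleted.
        agent.write_bytes(b"constructed agent v1 + unauthorized patch")
        unknown = root / "bin" / "unknown_tool"
        unknown.write_bytes(b"constructed unknown program")
        (root / "bin" / "uplink").unlink()

        return {
            "allowed_before": allowed_before,
            "allowed_after_change": may_execute(agent, baseline),
            "unknown_allowed": may_execute(unknown, baseline),
            "changes": detect_changes(root, baseline),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The baseline itself has to be stored where the monitored system cannot rewrite it, otherwise a change to the files can be hidden by a matching change to the allowlist.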
The Intel IoT gateway architecture, designed to connect constrained devices to the
cloud, is implemented in various industry applications which include building
automation, industrial automation, smart city infrastructure, office automation, and much
more. The integrated architecture of the gateway makes room for innovations and better
design. It provides basic software, hardware, and drivers which lay the foundation for quick
development and deployment. The McAfee security system embedded in the architecture
creates a trustworthy IoT environment by enabling secure data transmission. It encourages the
development of secure and scalable solutions which collect data from various sensor nodes
and transmit them to the cloud for further processing and service activation (Intel IoT Gateway,
n.d.). This gateway architecture allows businesses to innovate because of its efficient
manageability, communication, and security.

3.7 IoT Gateway Layers

The design of effective gateway-based security measures must align with three primary
IoT layers. The first is the perception layer, which is the core IoT layer indicating the
origin of the information. The perception layer senses and gathers information from
the physical settings using the wireless and technology sensors. The second is the
network layer, which is also known as the transport layer. This layer encompasses the core and
access networks facilitating data transmission. Some of the core aspects characterizing the
network layer include the radio access network and the mobile network. The last is
the service layer, which is also known as the application layer. This layer enhances data
processing and management. Therefore, the gateway security measures needed to address the
security issues emerging in the IoT ecosystems must be based on the three key IoT layers to
ensure their efficiency in protecting data (C.P, 2016).

3.8 Security Measures

IoT gateways are necessary for providing end-to-end connections for transferring the
application-specific data from the low power sensors to the cloud solutions for processing. The
gateways are responsible for the transfer of bulk information comprising crucial data, which
requires established security measures to safeguard the information. However, the vast expanse
of the network and its connectivity with a million devices worldwide make it vulnerable
to cyber-attacks. The increasing cases of network breach and data theft have made it crucial for
IoT developers to develop a secure system which ensures safe transmission of information.
This secure system requires implementing some preventive measures to assure data safety. The
primary demand for such a system is authorization and authentication. The devices must allow
only authentic and genuine users to access the information, restricting illegal access
(Yousuf et al., 2015, pp.610-613). Apart from authorization, there exist several security concerns
which require immediate attention to ensure safe transmission within the IoT network. Securing
the IoT gateways is one of those important safety concerns. The IoT network needs to take
effective preventive measures to deal with its security issues. Listed below are the general
IoT network security actions and the specific steps of gateway safety for avoiding security
breaches in the IoT network.

3.8.1 IoT network security


The IoT network security aims at secure communication between the various IoT devices
and the software solutions. It ensures that data transmitted over the network remains
unaffected by the external elements. The IoT system must consider the below-stated security
issues and implement the appropriate measures to deal with the same.
Confidentiality. The sensor data must remain confidential to the particular IoT
network. Any leakage of the data may cause the complete IoT system to fail. Therefore, it is the
primary need to secure the data of the sensors and other devices. One of the methods to protect the
data is through encryption. Encrypting the data before transmission will ensure that only the
transmitter and receiver understand the information, preventing any third party from
intruding on the network (Yousuf et al., 2015, pp.610-613). It will reduce the chances of information
theft and will assure safe data traversal.
Integrity. The nature of IoT involves the exchange of data among various devices,
and hence, it is critical to ensure the accuracy of the data. The integrity of data gets maintained
when the information transferred remains authentic. The transmitted data or information must
remain genuine without any tampering issues. The integrity of the data can be maintained
through the implementation of end-to-end security. Moreover, the traffic of data can be
maintained using necessary firewalls and protocol settings. However, IoT uses small devices with
low computational capabilities, which limit the application of end-to-end security in the form of
firewalls. Hence, IoT devices can make use of “creation key” and “token” to identify its right
owner. Whenever a new thing is created, the entitled system assigns it with a “creation key”.
The manufacturers need to apply this key on the newly created thing. On the other hand, the
creators of the “token” are the current owners or the manufacturers. This token is combined
with the RFID of the device. Any change in the information requires owner permission, which is
provided using the token and the keys. These parameters restrict any unauthorized access to
the information and ensure integrity (Yousuf et al., 2015, pp.610-613).
Availability. The main component of the IoT system is the IoT devices because
they transmit crucial information. It is, therefore, necessary that the devices are always
available for supplying information. It requires that the devices must always connect to the
network. Additionally, the timely transmission of information is necessary which mandates that
the delay time of devices remain low (Yousuf et al., 2015, pp.610-613). Thus, data availability
requires an efficient IoT device design along with its proper placement to ensure continuous
and timely transmission of information.
Authentication. In an IoT network, every object must have the ability to uniquely
identify and authenticate other objects. Hence, the data access must be authorized to transfer
authentic information. Implementing authentication in IoT becomes difficult due to the
presence of several entities such as service providers, devices, processing units, and people.
Moreover, in many cases an object might need to interact with completely new
objects, which is also a matter of concern. Hence, these issues present a need for a scheme for
the objects to mutually authenticate with one another. One such scheme involves the usage of
hashing and feature extraction. This scheme provides a healthy solution for authentication and
helps to screen out collision attacks. It focuses on authentication when data is sent to a
terminal node from a platform. Another way to implement authentication at the sensor is to make
use of the one-time one-cipher method. This method encrypts the data using the cipher generated
in the pre-shared matrix method. In particular, the direct sharing of the decryption key does not
occur in this case. Rather, the coordinate information gets distributed to all the nodes, from
which the decryption key gets derived, and the data gets decrypted (Yousuf et al., 2015, pp.610-613).
This method ensures that only the concerned node has access to the information. It will
safeguard the information from theft and allow only the authorized user to access the data,
which will help in maintaining the integrity.
Heterogeneity. The IoT network comprises several devices having varied
configurations and different vendors. These numerous devices require a suitable
connecting protocol which can efficiently connect all the network devices. Furthermore, there is
a requirement of security protocols and adequate cryptography solutions to ensure information
security at every node. Additionally, it is necessary to develop a scalable and adaptable IoT
system to effectually cope with the ever-changing technology needs (Yousuf et al., 2015,
pp.610-613). Thus, a proper check of all the devices and the network connection is necessary
before actual information transfer in the IoT network, to assure security in the system.
Security policies. Every system needs policies to create a standard for quality
assurance. The IoT system must also implement security policies to verify the safety standards.
Since the IoT system is a network of various devices, standard policies will help ascertain that all
the components of the network abide by the security framework. This compliance to security
policies will affirm protection against data theft, intrusions, and other security vulnerabilities.
IoT implementation involves various services, and it is necessary to identify the service level
agreements for every service to ensure it is compliant with the existing system. Furthermore,
IoT systems do not implement the usual security policy standards, because they use low power
computational devices. These devices demand a separate framework for action. Therefore, it is
necessary for the organizations and the IoT system development team to develop an
independent policy framework for IoT system components (Yousuf et al., 2015, pp.610-613).
These policies will assure integrity and confidentiality of data.
Encryption key management. The establishment of secure communication
between the various IoT system components requires encryption. This encryption is
facilitated by a particular key which is responsible for encrypting and decrypting the data.
The transmission of this key is very confidential, because if the key gets lost the data can be
easily decoded by any external entity. For this reason, there is a need for a secure key
transmission mechanism in the IoT system. It requires a lightweight system which could
confidentially distribute the IoT keys among the IoT devices without consuming much of their
computational power (Yousuf et al., 2015, pp.610-613).
Security awareness. It is another security measure which promotes the growth
of the IoT network. It requires that the people using the IoT system are aware of the security
vulnerabilities and take appropriate safety measures at their end to protect information in the
network. It requires that the users of various IoT devices implement the underlying
security, such as setting up strong passwords and avoiding the default product passwords.
Weak passwords give an opportunity to hackers to enter the network and manipulate the
confidential data, harming the integrity of the system (Yousuf et al., 2015, pp.610-613). Thus, it
is required to spread proper awareness about the use of various IoT devices and their security
issues to the people to prevent security breaches.
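The pre-shared matrix idea from the Authentication paragraph above, where only coordinates travel and each side derives the key locally, is sketched below as an added example; it is not code from Yousuf et al. or from the schemes they survey. The matrix size, the number of coordinates per message, the HMAC-SHA-256 key derivation and the rejection of reused coordinates are assumptions, and an HMAC tag stands in for the encryption step because Python's standard library has no vetted cipher (a deployment would feed the derived key to an authenticated cipher).

```python
import hashlib
import hmac
import secrets

N = 16     # matrix is N x N cells (assumed size)
CELL = 8   # bytes per cell (assumed)
K = 8      # coordinates drawn per message (assumed)


def new_matrix():
    """Provisioned once to both the platform and the terminal node, out of band."""
    return [[secrets.token_bytes(CELL) for _ in range(N)] for _ in range(N)]


def encode(coords) -> bytes:
    return b"".join(bytes([r, c]) for r, c in coords)


def derive_key(matrix, coords) -> bytes:
    """Per-message key from the cells at the given coordinates; the key never travels."""
    material = b"".join(matrix[r][c] for r, c in coords)
    return hmac.new(material, b"one-time-key" + encode(coords), hashlib.sha256).digest()


def seal(matrix, payload: bytes) -> dict:
    """Sender side: pick fresh coordinates and authenticate the payload under the derived key."""
    coords = [(secrets.randbelow(N), secrets.randbelow(N)) for _ in range(K)]
    key = derive_key(matrix, coords)
    tag = hmac.new(key, encode(coords) + payload, hashlib.sha256).digest()
    return {"coords": coords, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: re-derive the key from the coordinates and verify the tag."""

    def __init__(self, matrix):
        self.matrix = matrix
        self.seen = set()   # coordinate sets already accepted (one key per message)

    def open(self, msg: dict) -> bytes:
        coords = [tuple(c) for c in msg["coords"]]
        valid = len(coords) == K and all(
            len(c) == 2 and all(isinstance(v, int) and 0 <= v < N for v in c)
            for c in coords)
        if not valid:
            raise ValueError("malformed coordinates")
        ident = tuple(coords)
        if ident in self.seen:
            raise ValueError("coordinates already used (replay)")
        key = derive_key(self.matrix, coords)
        expected = hmac.new(key, encode(coords) + msg["payload"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("authentication failed")
        self.seen.add(ident)   # recorded only after the tag verified
        return msg["payload"]


if __name__ == "__main__":
    shared = new_matrix()
    node = Receiver(shared)
    message = seal(shared, b"temp=21.5")   # constructed sensor reading
    print(node.open(message))
```

A node that does not hold the same matrix cannot derive the key from the coordinates, so the security of the scheme rests entirely on how the matrix is provisioned and stored.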

3.8.2 Cryptosystems
The IoT network comprises several interconnected components such as sensors,
actuators, RFID (Radio Frequency Identification Devices), GPS (Global Positioning Systems) and
the Internet. The extensive network of different devices and the information flow over the web
necessitate standard security measures to ensure data security. Moreover,
the IoT gateways which connect the devices to the cloud mandate the
implementation of high-level security for data confidentiality. This is because millions of
devices connect to the cloud to use its computational services. This interconnection of
devices at one point demonstrates the power of IoT, while on the other hand it poses a threat to
information security. When millions of devices connect to the same networks,
the chances of intrusions and malicious attacks within the network increase. This
potential security risk demands the implementation of appropriate prevention mechanisms to
avoid security breaches. It requires updating the Internet protocols and implementing TLS
(Transport Layer Security) and the TCP/IP protocols to ensure safe transmission. Use of a suitable
cryptographic solution also helps in secure data transmission (Kim, 2015, pp.201-203).

The lightweight cryptosystems are particularly useful in constrained
environments where the resources are limited and security is the primary concern.
Specifically, they are beneficial in IoT networks which use low-power devices such as sensors,
RFID tags, and others. Described below are some of the lightweight block cipher algorithms
specially designed for use in the constrained environment.

3.8.3 Access control


With the evolution of technology and the increased power of the network, the Internet of
Things is about to rule the world. The coming future will bring all electronic devices to be
connected to a single network to send and receive messages. The door lock will open itself as a
visitor comes to your door. The light system will automatically work, and the room temperature
will adjust itself as you enter the home at the end of the day. Not only in homes, the
Internet of Things will also make its strong presence felt in a wide variety of domains such as
industries, defense, education, agriculture, and so on.
As the service is growing at an exponential rate, the network has to open up access to a
huge number of devices. This technology revolution will not only make things easier; it will
also introduce new threats for the network. As an increased number of access points become
available on the network, they also open a wide area of risk factors and opportunities for
malicious use of information.
To meet such diverse and rising security issues, the access control system is integrated as
an important contributing component to the safety of the IoT. One of the primary elements that
can protect data from theft or alterations is having proper access control. This approach is
based on granting permissions to the entities that directly or indirectly interact with the Internet
of Things (Janak, Nam and Schulzrinne, 2012).

3.8.4 Firewalls
The Internet has revolutionized the information system and has made data access simple
and quick. Furthermore, it supports IoT, allowing millions of devices to connect to a single
network and share information. However, this extensive network has its limitations. The
Internet is open to all providing an equal opportunity to the anti-social elements to manipulate
the legitimate information of the network. This unethical activity demands proper security
solution to ensure safety and confidentiality of the crucial data. One way to ascertain this
security is through the use of established security solutions such as intrusion protection and
others, for every device of the network. However, the implementation of such security solutions
is not cost effective. Therefore, there is a need for some affordable safety measures (Al-Fuqaha
et al., 2015). A firewall is one such solution, which stands between the IoT network and the
Internet to protect the former from malicious attacks and intrusions. It provides a single
checkpoint that restricts all the destructive data and ascertains smooth functioning of the IoT
network.
The key feature of the firewall is to protect the network from the external influence. It
manages this security by restricting the traffic both from inside to outside and vice versa. The
firewall allows only authorized users to enter the network thereby protecting the system from
fatal attacks. Additionally, the system which gets implemented as firewalls will be immune to
attacks creating a secure environment for information transmission.
Service control. Firewalls allow the access of only the authentic service to the internal
network restricting all other services. It performs data filtering by IP address, protocols, and
port number. It also provides proxy software which validates the service before passing it on to
the destination. This service control mechanism ensures that no destructive services enter the
network and harm its integrity (Aleshunas, 2010, pp.2-12).
Direction control. It is responsible for making a decision about information flow
direction in the network. It decides on selecting the requests, initiation, and flow direction. It
verifies the requests and directs it to the desired system so that it may not disturb the normal
workflow of the other network components (Aleshunas, 2010, pp.2-12).
User control. It specifically occurs within the internal environment of the organization.
This access control of the firewall monitors the way the internal network users are using a
particular service. It manages the services and permits access to the user based on their
requirement. This service checks the internal network components and tries to resolve the
internal errors so that risk of information security can be reduced (Aleshunas, 2010, pp.2-12).
The firewall filters the network information through packet filtering. It either works as a
positive filter, allowing access to only authorized information, or as a negative filter, which
restricts all malicious data. Different types of firewalls have differing capabilities for examining the
data packets and protocol headers, which help to identify the data content. Discussed below
are some of these firewall types.
Packet filter firewall. This firewall implements a rule-based approach to verify the
incoming and outgoing messages and then makes the forwarding decision based on it. The
firewall is configured such that it manages both inbound and outbound messages
(Aleshunas, 2010, pp.2-12). The following information of the network governs the rules of data
flow.

1. Source IP address is the IP address of the system from where the message originated.
2. The destination address is the IP address of the system where the message needs to get
delivered.
3. Source and destination, transport level port number helps to identify the applications
used.
4. IP protocol field of the network packet contributes to determining the transport
protocol.
5. Interface information helps to know the interface or the port where the packet initiated
and where it needs to reach in the case of firewalls with more than two ports.
The firewall examines the network mentioned above packet information and matches it
with the set rules. If the information matches the rule, the corresponding action gets
performed. However, in the case of unmatched rules, the default action occurs which involves
either packet forwarding or packet discard. The packet discard policy gets implemented in the
business and government organization to help protect the network from external attacks
because they transmit mission critical data. IoT must also implement discard policy in the case
of the unmatched rule to safeguard crucial system information (Aleshunas, 2010, pp.2-12).
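The rule matching and default action described above can be shown as a small first-match filter. This is an added example, not code from the thesis or its sources; the interface names, addresses, port choices and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Packet:
    src: str      # 1. source IP address
    dst: str      # 2. destination IP address
    sport: int    # 3. transport-level source port
    dport: int    #    transport-level destination port
    proto: str    # 4. IP protocol field: "tcp", "udp", ...
    iface: str    # 5. interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: range = ANY_PORT
    dport: range = ANY_PORT

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.sport in self.sport
                and p.dport in self.dport)

def decide(rules, packet, default="discard"):
    """First matching rule wins; an unmatched packet gets the default action."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, number
    return default, None

# Constructed rule set for a gateway with a "lan" and a "wan" interface.
LAN, CLOUD = "10.0.0.0/24", "203.0.113.10/32"
RULES = [
    # 1: a LAN source address arriving on the outside interface is spoofed
    Rule("discard", iface="wan", src=LAN),
    # 2: sensors may reach the cloud broker over MQTT/TLS (TCP 8883)
    Rule("forward", iface="lan", src=LAN, dst=CLOUD, proto="tcp",
         dport=range(8883, 8884)),
    # 3: replies from the broker to the clients' dynamic ports
    Rule("forward", iface="wan", src=CLOUD, dst=LAN, proto="tcp",
         sport=range(8883, 8884), dport=range(1024, 65536)),
]

# Constructed sample packets.
SENSOR_OUT = Packet("10.0.0.21", "203.0.113.10", 49152, 8883, "tcp", "lan")
BROKER_IN = Packet("203.0.113.10", "10.0.0.21", 8883, 49152, "tcp", "wan")
SPOOFED = Packet("10.0.0.99", "10.0.0.21", 40000, 8883, "tcp", "wan")
TELNET_IN = Packet("198.51.100.7", "10.0.0.21", 51000, 23, "tcp", "wan")

if __name__ == "__main__":
    for pkt in (SENSOR_OUT, BROKER_IN, SPOOFED, TELNET_IN):
        print(pkt, "->", decide(RULES, pkt))
    # The same unmatched packet under a forwarding default is let through.
    print("permissive default:", decide(RULES, TELNET_IN, default="forward"))
```

The inbound Telnet packet matches no rule, so its fate depends entirely on the default action, which is why the discard default is the safe choice for an IoT gateway.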
Stateful inspection firewalls. The packet filter firewall is unable to tighten up security on
TCP-based traffic. Specifically, in a TCP session, a client whose TCP port number lies
between 1024 and 65535 establishes a connection with a host TCP application having a port
number less than 1024. The port numbers less than 1024 are the “well known” ports and are
application specific. However, the port numbers greater than 1024 are dynamic and get allocated
temporarily for a particular session. The simple packet filter permits inbound traffic on these
higher port numbers, which increases the security vulnerabilities of the network; when
exploited by unauthorized users, these can cause severe damage to the information security of
the network. The use of a stateful inspection firewall can restrict such security vulnerabilities
as it stiffens the rules for TCP traffic. It creates a directory of outbound TCP connections and
maintains a record for each connection. The firewall then allows connections to only those
clients whose information it has stored in the directory. The advantage of this firewall over the
packet filter firewall is that it not only filters the network packets but also secures the TCP
connections, making the communication safer by avoiding attacks such as session hijacking. It
enhances the security of the network and safeguards information (Aleshunas, 2010, pp.2-12).
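The difference between the two firewall types can be seen by replaying one trace through both. This is an added example, not code from the thesis or its sources; the addresses, the trace and the 300-second idle timeout are constructed, and the connection table is simplified (no sequence-number or FIN tracking).

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 300  # seconds without traffic before a record is dropped (assumed)

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags, e.g. frozenset({"SYN", "ACK"})
    outbound: bool     # True when it leaves the protected network

def stateless_allows(seg):
    """Simple packet filter: anything out, anything in to a port >= 1024."""
    return seg.outbound or seg.dport >= 1024

class StatefulFirewall:
    def __init__(self):
        # (client, client_port, server, server_port) -> [state, last_seen]
        self.table = {}

    def allows(self, seg, now):
        if seg.outbound:
            key = (seg.src, seg.sport, seg.dst, seg.dport)
        else:
            key = (seg.dst, seg.dport, seg.src, seg.sport)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] > IDLE_TIMEOUT:
            del self.table[key]          # record aged out
            entry = None
        if seg.outbound and seg.flags == {"SYN"}:
            self.table[key] = ["SYN_SENT", now]   # record the new connection
            return True
        if entry is None:
            return False                 # not part of a recorded connection
        if "RST" in seg.flags:
            del self.table[key]          # connection torn down
            return True
        if entry[0] == "SYN_SENT" and not seg.outbound:
            if seg.flags != {"SYN", "ACK"}:
                return False             # only the handshake reply fits here
            entry[0] = "ESTABLISHED"
        entry[1] = now
        return True

def replay(trace):
    """Return (stateless, stateful) verdicts for each (time, segment) pair."""
    fw = StatefulFirewall()
    return [(stateless_allows(s), fw.allows(s, t)) for t, s in trace]

def seg(src, sport, dst, dport, flags, outbound):
    return Segment(src, sport, dst, dport, frozenset(flags.split("+")), outbound)

# Constructed trace: (time in seconds, segment).
DEV, CLOUD, OTHER = "10.0.0.21", "203.0.113.10", "198.51.100.7"
TRACE = [
    (0,   seg(DEV, 49152, CLOUD, 443, "SYN", True)),       # device opens a session
    (1,   seg(CLOUD, 443, DEV, 49152, "SYN+ACK", False)),  # handshake reply
    (2,   seg(DEV, 49152, CLOUD, 443, "ACK", True)),
    (3,   seg(OTHER, 443, DEV, 49152, "ACK+PSH", False)),  # other host, same port
    (4,   seg(CLOUD, 443, DEV, 49153, "ACK", False)),      # port never opened
    (5,   seg(CLOUD, 443, DEV, 49152, "ACK+PSH", False)),  # genuine reply
    (400, seg(CLOUD, 443, DEV, 49152, "ACK", False)),      # record idle too long
]

if __name__ == "__main__":
    for (t, s), verdict in zip(TRACE, replay(TRACE)):
        print(t, s.src, "->", s.dst, s.dport, sorted(s.flags), verdict)
```

The stateless filter passes every inbound segment in the trace because all of them target a high port; the connection table passes only those that belong to the session the device itself opened.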

3.8.5 Secure onboarding


When IoT devices are first configured, equipment safety must be maintained; this
requirement is known as secure onboarding. This process involves the
exchange of secure encryption keys that facilitate secret information transmission and checks
man-in-the-middle attacks as well as information leaks. Implementing this technique requires a
security model for transmission of the key. The “resurrecting duckling security model” is one
such framework which ensures key management. This model, proposed by Frank Stajano, finds its
basis in the metaphor of a duckling emerging from its egg, which imprints on the first thing it
sees moving and follows its instructions for the rest of its life. The same principle must apply
to new IoT devices while configuring them for the first time. When the IoT devices get installed
in the network, they connect to the cloud using the gateways (Fife, 2015). The IoT gateways are
the intermediaries in this process, responsible for secure transmission of the
cryptographic key from the cloud to the device. This key, received at the time of device
installation, has lifetime use for encrypting and decrypting the vital network data. The IoT
gateway efficiently manages the secure key and protects it from man-in-the-middle attacks and
eavesdropping. This necessitates a secure gateway system with tamper
resistance to protect information. Additionally, there is a need to devise a strong cryptographic
algorithm which cannot easily be broken, so that malicious attacks can be restricted (Fife,
2015). Thus, gateway security along with strong encryption helps protect the IoT information.
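The imprinting rule of the resurrecting duckling model can be written as a small device-side state machine. This is an added example, not code from the thesis or from Stajano's work; the class, the message format and both keys are constructed. It uses the imprinted key to authenticate commands with HMAC-SHA256 instead of encrypting data, assumes the key reaches the device over a protected channel, and also shows the owner-only release step of the model, which the text above does not describe.

```python
import hashlib
import hmac

def tag(key, op, counter, body=b""):
    """HMAC-SHA256 over operation, message counter and body."""
    msg = op + b"|" + counter.to_bytes(8, "big") + body
    return hmac.new(key, msg, hashlib.sha256).digest()

class Device:
    def __init__(self):
        self.key = None        # None means "imprintable" (freshly hatched)
        self.counter = 0       # highest message counter accepted so far

    def imprint(self, key):
        """Accept the first key offered; refuse every later attempt."""
        if self.key is not None or len(key) < 16:
            return False
        self.key, self.counter = key, 0
        return True

    def authentic(self, op, counter, body, mac):
        if self.key is None or counter <= self.counter:
            return False       # not imprinted, or a replayed/old message
        if not hmac.compare_digest(tag(self.key, op, counter, body), mac):
            return False       # not produced with the imprinted key
        self.counter = counter
        return True

    def execute(self, counter, command, mac):
        """Run a command only if it is authenticated by the owner."""
        return self.authentic(b"CMD", counter, command, mac)

    def release(self, counter, mac):
        """Only the current owner can return the device to the imprintable state."""
        if not self.authentic(b"RELEASE", counter, b"", mac):
            return False
        self.key = None
        return True

OWNER_KEY = bytes(range(32))          # constructed key of the first owner
STRANGER_KEY = bytes(range(32, 64))   # constructed key of any other party

def onboarding_demo():
    d = Device()
    return [
        d.imprint(OWNER_KEY),                                           # first key wins
        d.imprint(STRANGER_KEY),                                        # already imprinted
        d.execute(1, b"report", tag(OWNER_KEY, b"CMD", 1, b"report")),  # owner command
        d.execute(1, b"report", tag(OWNER_KEY, b"CMD", 1, b"report")),  # replayed message
        d.execute(2, b"unlock", tag(STRANGER_KEY, b"CMD", 2, b"unlock")),
        d.release(2, tag(STRANGER_KEY, b"RELEASE", 2)),                 # not the owner
        d.release(2, tag(OWNER_KEY, b"RELEASE", 2)),                    # owner lets go
        d.imprint(STRANGER_KEY),                                        # imprintable again
    ]

if __name__ == "__main__":
    print(onboarding_demo())
```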

3.8.6 Firmware updates


Firmware is the permanent software installed on any system which helps it to
perform dedicated applications. IoT devices and IoT gateways also have firmware
installed which helps them to perform their desired operation. The ever-changing technology
trends and security vulnerabilities necessitate timely firmware updates in
the IoT devices and gateways. The device manufacturers regularly upgrade the existing system
to make it compatible with the market need and to remove the shortcomings of the previous
versions. The firmware updates ensure that the latest version of the software is free from the
vulnerabilities of the previous version and is more secure. A safe update requires the system
to have both the earlier version and the new version of the firmware; the new version undergoes
a validity check to ascertain that it is authentic and is then installed on the IoT gateways and
devices. This update will affirm that the updated version is more secure and has fewer security
vulnerabilities, which reduces the threat of hackers and attacks exploiting the system loopholes
(Fife, 2015).
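The validity check on a new firmware version can be sketched as three ordered tests: the manifest is authentic, the image is the one the manifest describes, and the version is newer than the installed one. This is an added example, not code from the thesis or its sources; the manifest layout, key, versions and images are constructed, and HMAC-SHA256 with a shared key stands in for the vendor's asymmetric signature that a production update scheme would use.

```python
import hashlib
import hmac
import json

def make_manifest(key, version, image):
    """Vendor side: describe the image and authenticate the description."""
    manifest = json.dumps({"version": list(version), "size": len(image),
                           "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).digest()

def verify_update(key, installed, manifest, mac, image):
    """Device side: return "install" or the reason for rejecting the update."""
    # 1. Authenticate the manifest before parsing anything inside it.
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "reject: manifest not authentic"
    fields = json.loads(manifest)
    # 2. The image must be exactly the one the manifest describes.
    digest = hashlib.sha256(image).hexdigest()
    if len(image) != fields["size"] or not hmac.compare_digest(digest, fields["sha256"]):
        return "reject: image does not match manifest"
    # 3. Refuse genuine but older releases, which would bring old flaws back.
    if tuple(fields["version"]) <= tuple(installed):
        return "reject: not newer than installed version"
    return "install"

# Constructed sample data.
VENDOR_KEY = b"constructed-demo-key-0123456789abcdef"
INSTALLED = (1, 4, 2)
NEW_IMAGE = b"\x7fFW" + b"gateway firmware 1.5.0 " * 8
OLD_IMAGE = b"\x7fFW" + b"gateway firmware 1.3.0 " * 8

def run_cases():
    manifest, mac = make_manifest(VENDOR_KEY, (1, 5, 0), NEW_IMAGE)
    old_manifest, old_mac = make_manifest(VENDOR_KEY, (1, 3, 0), OLD_IMAGE)
    edited = manifest.replace(b"[1, 5, 0]", b"[9, 9, 9]")  # changed after signing
    return {
        "genuine": verify_update(VENDOR_KEY, INSTALLED, manifest, mac, NEW_IMAGE),
        "modified image": verify_update(VENDOR_KEY, INSTALLED, manifest, mac,
                                        NEW_IMAGE + b"\x00"),
        "edited manifest": verify_update(VENDOR_KEY, INSTALLED, edited, mac, NEW_IMAGE),
        "older release": verify_update(VENDOR_KEY, INSTALLED, old_manifest, old_mac,
                                       OLD_IMAGE),
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:16} {verdict}")
```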

3.8.7 Limiting interfaces


The IoT gateway manufacturer must be cautious about additional interfaces. The
design of the gateways should be simple and to the point. Any external interfaces and services
other than the intended ones need not be incorporated, because these additional
interfaces become backdoors which facilitate security breaches and hacker attacks.
Furthermore, debugging functionality must be minimized, and even authentic
users must be restricted from executing arbitrary code on gateways for the sake of security.
Proper gateway design and the imposing of restrictions on user access will help to protect the
information flowing in the IoT network (Fife, 2015).
The security measures mentioned above intend to safeguard the IoT gateways, which in
turn are responsible for secure information transmission within the IoT network.

3.9 Barriers to information security in IoT systems


Secure information gets characterized by its availability, confidentiality, and integrity.
On the other hand, people, process, and technology explain the way these elements require
security. The above three factors play a significant role in information security in an IoT
network but often get neglected due to technical controls such as firewalls.
Firewalls and other security controls can provide excellent protection to IoT
networks; however, they can turn out to be useless if the user exploits them either
intentionally or unintentionally. For instance, if a user gets tricked into revealing the user id
and password to unauthorized personnel, it could lead to a security breach. Such situations can
cause a substantial loss not only to the user but also to the security architecture of a system.
There are many ways in which users can become a threat to the IoT security gateway. Moreover,
as the number of authorized users increases, the overall potential for risk also increases. As a
result, human interference in the IoT environment is the primary factor responsible for its
success or failure. Therefore, organizations must devise a security awareness program to prevent
human errors (Russell, 2002).
The primary objective of the security awareness program of an organization is to
make the employees aware of their responsibilities. The program helps to safeguard the
availability, integrity, and confidentiality of the data shared in an open network. The security of
information and its assets is not only the responsibility of the IT department but also of the
users. Users must understand the criticality of data protection (Russell, 2002).
People are often the weakest link in the IoT security chain because they are not
trained and are unaware of the various security vulnerabilities. Employees must understand
how their actions affect the overall security of the IoT network (Russell, 2002). A comprehensive
awareness program that aims to reinforce the IoT security policy and other information
security practices should be conducted within the organization, aligned with its other policies,
to ascertain the careful use of IoT gateways for information security.
Apart from employee awareness, another factor which obstructs IoT implementation
is faulty network components. There is a need to protect the network as a whole using
reliable IoT devices and layered protection. The section below describes the various security
barriers and measures in implementing an IoT network.

3.9.1 Organizational barriers.


One of the major barriers in an organization is implementing a successful security
awareness program for the usage of IoT gateways. Even the most secure systems can face
obstacles due to human errors. It is therefore important to understand some of the security
barriers of IoT gateways, which can be a threat to the organization’s safety. Some of the
common organizational barriers of IoT gateway systems are as follows.

3.9.2 Personal barriers.


Lacking personal efforts. Many people who work in organizations believe the
Information Technology Department should maintain the IoT gateway security through the right
framework implementation. They show non-cooperative behaviors when new security
measures get adopted. They also overlook the safety implications of IoT gateways and devices
and tend to restrict their roles to the lowest level, focussing on their primary job
responsibilities. Such ignorance is one of the reasons for the failure of security in IoT gateways.
It is therefore important for all the employees to understand the need for their participation in
making the security compliance more powerful (Russell, 2002).
Unwillingness to accept IoT as a new technology. IoT is a new concept and technology.
IoT gateways, though they have attracted people, are still too new for people to completely know
and understand. Whenever a new technology gets introduced, it brings a slight change in the
behavior of the individuals that are going to use it. It is hard for some users to get into the
habit of using IoT devices through gateways. There is also a learning curve, and it takes a
certain amount of time to get acquainted. Additionally, IoT is a constantly changing technology.
New features, policies, and frameworks keep emerging as it is not completely stabilized. Hence,
the awareness sessions or programs sometimes do not match the pace at which this technology
changes. The awareness team often misses informing the users about the updates in the
technology, which deters them from using that particular technology. It is probably the reason
behind the need for accurate and timely implementation of security awareness programs. These
programs should constantly keep track of new changes in IoT gateways and inform the users of
them (Russell, 2002).
Data confidentiality. Every organization must understand the criticality of data
confidentiality. Companies do not give high priority to data confidentiality, and therefore, it
is not integrated right from the beginning. These beliefs give the users a chance to develop
habits that can cause threats to the security of critical data and information sent through IoT
gateways. It is hard to change these habits, and hence, the security implementation in IoT and
IoT gateways becomes even more complicated. In such a case, people not only need to learn
the new IoT gateway security practices but also to forgo their old practices. Sometimes, such
employees also consider the new security mechanism as an extra effort and an unnecessary
change or work overhead (Russell, 2002).
Communication barriers.
Improper messaging. For IoT gateways, security awareness programs are necessary to
understand the safety issues in IoT as well as in IoT gateways. If both these issues are not
clearly conveyed, the security awareness program can fail. This inappropriate messaging can
lead to a significant gap in the security concern even in the case of robust security systems.
Sending similar messages for all sorts of security breach issues in IoT gateways can be harmful,
as this will not grab the immediate attention of the reader when it is crucially required. Thus,
going for a “one-size-fits-all” message is not a wise thing to do, especially when dealing with
the security of the information system. Messages like this can be quickly ignored or put into
spam, which is undesirable. This strategy can be easy to implement but is ineffective when it
comes to security (Russell, 2002).
Unorganized strategies. Several gateway awareness programs fail to keep the users
engaged because of their random processes. As mentioned earlier, IoT gateway security is a huge
topic, and it requires a well-designed strategy to deliver proper, organized, and meaningful
messages, without which the awareness regarding the gateway security system remains
ineffective. The messaging always needs to have an appropriate theme, style, and an organized
way to reach the audience. This way, the users remain connected to the system and know what to
expect. A proper messaging system will increase engagement and connection (Russell, 2002).
Lack of consistent communication. Many gateway security systems launch with a
great wave of enthusiasm but fail to follow up with the weak system later in the cycle. This
lack of communication acts as a barrier to the successful implementation of the security system.
When the audiences receive regular reminders about handling IoT devices, it works as a
feedback loop, eventually improving the overall performance of the gateway security (Russell,
2002).
Breaking the communication chain. Sometimes there is a need to send specific
messages to a group of individuals working under a domain; the issue arises when the messages
do not reach all the designated people. Moreover, in the case of IoT implementation, proper
communication is necessary to transfer the right message to every individual associated with
the IoT project. For instance, if a message needs to get delivered to all the programmers of an
organization, it may be possible that some of them work together in a team while the others
reside at distributed locations, at different company sites. In such a case, the message
curated for all the programmers does not reach the ones working remotely. Thus, the
implementation of IoT gateway security does not function as properly and efficiently as needed.
Hence, a proper security mechanism to maintain the integrity and proper delivery of the messages
is necessary to keep everyone on the same page (Russell, 2002).

3.9.3 Management barriers.


Unsupportive management. Another important factor that makes a security system
weak is the timid support of the management. It is one of the most challenging situations. An
IoT system implementation requires complete support from employees to management and
the users. The gateway security implementation system will always work best if it gets
support from top to bottom. Although many managers show a personal desire to support new
initiatives, practically implementing them is an entirely different scenario. Such lack of
interest probably occurs due to the pressure of the jobs and responsibilities of the managers,
and they find it difficult to find room for the new security practices. The new security
practices in such cases get disregarded, which affects the gateway security (Russell, 2002).
Lack of resources. Resources are reduced due to the absence of support from the
management team or lack of knowledge of the new technology. When the management is
unsupportive, it gets difficult to use the available resources efficiently. The organization is
even unable to pull in new external resources, as the new resources do not have enough knowledge
about IoT gateways or their technology. Also, when a team is unable to employ adequate security
resources, it prevents them from achieving the highest level of security enforcement (Russell,
2002).
Social barriers.
Lack of awareness. The best way to initiate an IoT gateway security awareness program
is to educate its users about the importance of information safety. The security enforcement
teams sometimes cover all aspects of the gateway security but fail to motivate the users about
its significance. People who understand the importance of safety very well will cooperate to
change their behavior or the way things are done to ensure security. For instance, if the
gateway security mechanism requires the users to enable an advanced password policy that has
complex rules, this arrangement will appear to them as an overhead. But if the team discusses
and explains to the employees the vulnerabilities of the current gateway security, the
latter will show an active drive towards the new gateway security system. This approach will
inspire them to take responsibility and ownership towards safety (Russell, 2002).
Weak social engineering. This barrier does not impact the implementation of the gateway
security mechanism but, in turn, can affect its success. Its management is critical because this
is the “people link” and is incredibly easy to attack. Social engineering is all about preying on
natural human tendencies to pull out information that is otherwise hard to obtain. The
employees think that no one will purposely manipulate or trick them, but in fact, social
engineering is one of the popularly used types of attacks. It is the most commonly
used type of attack as it is convenient to implement and can occur in a short duration of time.
The most common ways to pull information out of people are giving excessive and
insincere praise for interest, impersonation, third-party authorization, and a sense of urgency.
Although it is hard to design and reinforce an educational plan that primarily targets social
engineering, it requires special attention. The most unfortunate thing about this type
of attack is that even the most intellectual user can be tricked into conversations to get critical
information out (Russell, 2002).

Chapter 4: Research Methodology


The literature survey is the methodology used to explore the area of security issues that
prevail in the Internet of Things space. It is a method that examines the literature in the chosen
area of study. It is an in-depth search and evaluation method of literature in the preferred study
area. This method integrates the information from the literature into an abstract, giving a
comprehensive overview of the conducted research.
The literature review also critically observes the collected information by finding
gaps in the present knowledge. It gets initiated by identifying the shortcomings of theories and
viewpoints. It also helps to identify areas of weakness which require further research. This
approach shows that the author has an in-depth knowledge of the subject, in this case the
Internet of Things. It also lets the readers understand exactly where the research project fits
into the area of the study and how the new study adds to the existing body of agreed knowledge.
Under this method, familiarity with the present body of knowledge is thoroughly
demonstrated, which also establishes the credibility of our study, in this case of the IoT
security issues. The literature review summarizes the prior research and describes how the
present study links with it. The literature review conducts a critical study about the need for
securing the IoT security systems. IoT systems security is studied in depth, covering the
application areas of the Internet of Things, its growth opportunities in the future, possibilities
of expansion, the need for security gateways and how they connect the different devices on the
internet, and much more. The literature review is the primary stage of any research project. This
step is all about synthesizing, surveying, critically analyzing, and presenting the study in a
more detailed summary (“The Royal Literary Fund,” 2017).
Furthermore, qualitative methodology is used to obtain the findings that are
needed to address the research area. This approach is used to conduct the study because of its
appropriateness in providing in-depth information that concerns the research phenomenon.
Qualitative research is one of the most rewarding activities in the research process as it engages
the researchers with things that are important and with how they are important. This approach
helped us explore a wide array of dimensions of the social world, including how our research
subject is affecting the everyday lives of people. This method also helped to obtain a better
understanding of the experience, perspective, and imagination of our research participants.
Additionally, qualitative research aptly describes how our social processes,
institutions, and organizations work around the growing technology and the interference
of the Internet of Things in day-to-day lives. This approach also lays emphasis on the
significance of the deductions that are generated during the research process. This
methodology is conducted using methods that focus on the depth, richness, context,
multi-dimensionality, and complexity of the research study to generate methods to mitigate issues
(Mason, 2002).
For instance, in this proposed project, qualitative research is used to gather evidence
and findings on the security issues that organizations face when dealing with the Internet of
Things. Qualitative research also helped to derive conclusions and inferences that might apply to
the different organizations that are actively using IoT.
Additionally, our qualitative research also included in-depth interviews to cover all
necessary elements that address the research issue. In this process, managers from
organizations that are using the Internet of Things are interviewed to collect information based
on their experience while using the technology. These qualitative research elements are
structured to cover all the practical steps that the organizations have taken to foster the security
measures for their Internet of Things and the network on which it operates. Also, it helps to
resurface the appropriate security measures that can safeguard the network for such
organizations (Barnaghi et al., n.d.).
Proposed IoT/M2M Security Framework

In order to address the highly diverse IoT environment as well as the related security
challenges, a flexible security framework is required. The security environment from an IoT
perspective is illustrated below.
