Balancing requirements of Security, Usability and Functionality within IoT

Introduction

This blog post shows the content that was presented at ETSI IoT Week 2019. It is based on the work of ETSI User-Group and how their work links to the world of IoT. It will also be based on previous work that has been carried out by the ETSI Cyber-Group. Part of this post will focus on the areas of security, privacy, GDPR, data protection and single-sign-on technologies. These areas will be presented from the User-Group perspective. 
The other part will focus on usability and functionality of IoT devices with how design choices can impact security and vice versa. Along, with how standards have the potential to aid in balancing these three elements. 

Problem Space

The majority of IoT devices coming onto the market are designed to be low-cost and simple to use as possible. But this leads to a compromised design with security and privacy protections often being neglected. Therefore, we need to able to develop guidelines and requirements for IoT devices which have security designed into them while also maintain the ease of usability and functionality that business and consumer users have come to expect. While we are already heading in this direction with the advent of the mass-market rollout of 5G within the next few years will most likely lead to an explosion in the number of IoT devices. Therefore, I will argue that we need to update guidelines to ensure that security is not pushed aside but also that when security is implemented it doesn’t affect the usability or functionality of IoT devices. 


Perfect Security

Within that cube is an IoT widget. That cube ensures that no can attack the device by blocking all electromagnetic radiation, prevent access to any ports or user interface. Though for the user it does mean that they cannot use it for the intended function apart from maybe a paperweight. Therefore perfect security is an obtainable goal. We have to accept a certain degree of risk in order to ensure usability and functionality.

Usability vs Functionality 

Usability - Sunbeam Classic Toaster

                                                                               VS

Functionality - Talkie Toaster 

One side a dumb device, no electronics apart from the thermostat and the power supply for the toasting coils. Usability dead easy to use. Though limited functionally. Security not a problem. 

On the other side is a Smart toaster. Connected to the internet, AI, etc. Greater functionality, mixed usability need to set-up, get connected and ensured paired other device etc. Because those increased number of functions security becomes a key cornerstone in the design. As you now have greater attack surface to defend from threats.

Relationships

A holistic approach combining human factors, technology and design. That balances between security, usability and functionality whiles also has to satisfy privacy and data protection legalisation is required.

• These include; GDPR, Cybersecurity Act, ePrivacy Act, Human-System Interaction and the Relationship between the User and the Service Provider.

When we think about usability and functionality of IoT devices it is not just the related to the device but also to the ease ensuring security measures are implemented and set-up by the user. Which if are secure by design/default the User apart from setting up some form of access control shouldn't have to think about what security measures are part the device or service. This leads on to the security usability paradox. 

Security Usability Paradox

Any method must provide the level of security that the user feels is appropriate for that application, and it must do so in a manner that is as natural as possible to the user. If ease of use is not considered, users are likely either to consider dropping a service or to adopt insecure workarounds. Security is not just about technology; it is about the users who want to access that technology. Applications must get the balance right between security and usability.
There are instances within which security and usability can be synergistically improved. The perceived antagonism of security and usability can be scaled back or eliminated by revising the underlying designs on which systems are conceived. The errors in system design, computer user interfaces, and interaction design can lead to common errors during insecure operation. By identifying and correcting these errors, users can naturally and automatically experience more secure operation. IoT devices can benefit hugely from an established set of design frameworks which are optimised for security operations.

The NCSC has produced guides and advice aimed at tackling this problem. For further reading and interest. Though this can lead to situation which needs to be avoided. 

Stand Alone Complex of Cybersecurity

Definition: “Elements who, with no coordination or knowledge of others actions, act as though they're working together toward a common goal”.
This seems to come from a checklist mentality or adding on cybersecurity elements to product and services at the end of the design process.
The implementation needs to focus on people, processes and technology. One guide is the Confidentially (protecting data from unauthorised access), Integrity (preventing unauthorised change to data) and Availability (data is available when and where it is needed) (CIA) model. There need to be sufficient means in place to provide cybersecurity, data protection and maintain the privacy of sensitive information either their own or their customers' data. 

When a cybersecurity plan, policy or design is done well this scenario can be avoided. This situation is neither positive or negative one. But leads to a risk of duplication or gaps in cybersecurity or at its worst weakens cybersecurity overall. 

Systems Engineering

The definition of systems engineering includes the human element, "a system is the combination of elements that function together to produce the capability required to meet a need. The elements include all hardware, software, equipment, facilities, personnel, processes, and procedures needed for this purpose."
For example, the mindset from safety and testing in the aviation industry. When mishaps involving aerospace vehicles, in which human factors played a significant role. Including, engineers, leaders, managers, and the operators (e.g., pilots). Such accidents and incidents rarely resulted from a single cause but were the outcome of a chain of events in which altering at least one element might have prevented disaster.
The areas we need to have knowledge or awareness of include; design,  psychological and organisational factors which are often the causes of cybersecurity failures. Taking lessons from other engineering areas is a vital step if we are ever going to reduce the rates of successful cyberattacks. 

This design mindset is needed to stop us from seeing cybersecurity as a stand-alone set of tools which are bolted/added on at the end of the design process they integrated as the system, device or service is being made. This is needed to prevent the kind of cyberattacks which can affect IoT devices for example DDOS attacks, bot nets, stalking and harassment etc. 

Role of ETSI?

• Areas include the creation and maintaining of standards, education/awareness, testing of devices, how safe they are etc.
• Cyber-0048 (EN 303 645) “Securing Consumer IoT”. Provides requirements on; Accessibility and usability; User security; Privacy and Safety
• Draft WID Security Assessment for Mobile Device. Proposed requirements; Accessibility and/or Usability; Control of devices through a user interface; Control of services; User security; Privacy and Safety.
• Guide to Identity Based Cryptography. A survey and explainer for IBC – technologies, use-cases, properties. The report describes the key management issues, the cryptography that underpins IBE, the threats and mitigations surrounding IBE.
• Proposal for Trusted Home Gateway Development Guidance: Proposal on trust verification for routers partially comes under the remit of HF and User. 

These current and proposed work items from the Cyber Group can be considered part of the steps that needed to ensure a secure IoT device and ecosystem they will work in.  

Work of the USER-Group 

Their remit covers Users of ICT products and services. The goals are to produce reports on users' requirements on topics previously defined by either the User Group or other relevant ETSI body for recommendation to the ETSI Board and General Assembly. Such reports will analyse the users' requirements under a functional approach to improve the standardisation work. They are the interface with the policy and priority setting bodies in ETSI to transmit users' concerns and viewpoints on subjects of relevance. 

Ensuring the balance of security, functionality and usability in the design of IoT is not pushed aside to focus on one area at the expense of others. By and large we are sort of keeping these three areas in balance but mistakes keep being made. Parts of this discussion has been rehashed many times before but it should not be ignored until all IoT devices sold do not have security problem while having ease of usability and functions. Instead one of those areas being sacrificed. There a couple of solutions that the User-Group are key to ensuring the balance between usability, functionality and security these are Security as a Service and Single Sign-On.

Security as a Service (SaaS)

In the always-connected world, cybersecurity providers must offer a catalogue of services, adaptable to each case, pooling skills and defences, at prices that meet the different expectations of companies.
By providing SaaS for end-user there are key challenges which include big data, IoT privacy and IoT Security.
A key recommendation is Secure by Default: No default passwords; Keep software updated; Securely store credentials and security-sensitive data; Communicate securely; Minimise exposed attack surfaces; Ensure software integrity; Ensure that personal data is protected; Make systems resilient to outages; Monitor system telemetry data; Make it easy for consumers to delete personal data. These have to be implemented by the device manufactories and the service providers. 

Today the company must reason differently about the security of its IT, data and people. The most important thing now is to detect threats as quickly as possible and secure what is essential for example data and device assets. Most of the defence techniques are reserved for large companies that can afford them, and that does not change much across the different areas' companies operate in. SaaS is one way to achieve this. Previously, security consisted of closing or severely limiting access to data, devices and applications. Today, it is impossible for the modern businesses and that are transforming to adopt the same strategy. First, because the infrastructure is virtualized and ends up in the cloud. Then because the uses are focused on mobility, and that the company has its assets dispersed outside the scope of their own physical computing abilities.

The UK National Cyber Security Centre (NCSC) and France Agence Nationale de la Sécurité des Systèmes d'Information/ National Agency for Information Security Systems (ANSSI) both provide that guidelines are an example of a model for applying best security practice within the environment of IoT and network connected systems. 

Single Sign-On (SSO)

SSO is an authentication process that allows a user to access multiple applications or services with one set of login credentials. 
Enables composition of services for providers by automating or simplifying the user access or login process. 

While they are positive and negatives to SSO it attempts to solve the problem of trying to remember uniques credentials for each online account or service a user might use. 

GDPR

There are five key points that focus on the User. These are part of the functionality of IoT devices and the services that they link too. 

• Breach Notification  - Within 72 hours of first having become aware of the data breach. Companies will have to notify their customers, the controllers.
• Right to Access – Users can obtain from companies confirmation as to whether or not personal data concerning them are being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. 
• Right to be Forgotten - entitles the user to have companies erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. 
• Data Portability - the right for a user to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine-readable format' and have the right to transmit that data to another company. 
• Privacy by Design (Data Protection by Design) - calls for companies to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Ideally, any security professional should have some experience or knowledge how these work in practise otherwise they risk poorly implementing them into their companies services.

Data Protection and Privacy

Requires a company to have the means to protect data throughout its life cycle. Meaning the moment data is created, processed, stored and destroyed.
Achieved by protecting the data in transit, at rest, when it resides on the IoT device along with companies own servers and finally the means to ensure the secure disposal of the data.
Four principal methods for ensuring data protection include regular backups of data, encryption, pseudonymisation and access controls.
Defined as freedom from damaging publicity, public scrutiny, secret surveillance, or unauthorised disclosure of one’s personal data or information, as by a government, corporation, or an individual.
Privacy is linked to the confidentially of personal data between the user and the service provider. The user expects confidentially to mean having another's trust or confidence when entrusting companies with private information. 

In the context of online and connected services means the privacy and security level of personal data published via the Internet or held by a company. 

It is a broad term that refers to a variety of factors, techniques and technologies used to protect sensitive and private data, communications, and preferences. 

Online privacy and anonymity are paramount to users as shown by conducted surveys. For example from a survey carried out by the User-Group revealed that 40% never or rarely use a Wi-Fi connexion for privacy and security reasons, and that is the main reason for not using public Wi-Fi.

Conclusion

The is No silver bullet to balancing requirements of security, usability and functionality for IoT devices. IoT device can be better optimised for security, usability and functionality if the relationship between them is clearly understood.Ideally, the majority of cybersecurity measures should be invisible to the user with access control and verification being their interaction with cybersecurity measures. Also, ease of usability and functionality doesn’t just apply to the design of the IoT device but also the highlighted points under GDPR. Vital to challenge and solve these problems of implementing security, ensuring usability and functionality in IoT devices before they evolve into the Internet of Everything.