IoT-based Application of Information Security Triad

— Information Security is the foremost concern for IoT (Internet of things) devices and applications. Since the advent of IoT, its applications and devices have experienced an exponential increase in numerous applications which are utilized. Nowadays we people are becoming smart because we started using smart devices like a smartwatch, smart TV, smart home appliances. These devices are part of the IoT devices. The IoT device differs widely in capacity storage, size, computational power, and supply of energy. With the rapid increase of IoT devices in different IoT fields, information security, and privacy are not addressed well. Most IoT devices having constraints in computational and operational capabilities are a threat to security and privacy, also prone to cyber-attacks. This study presents a CIA triad-based information security implementation for the four-layer architecture of the IoT devices. An overview of layer-wise threats to the IoT devices and finally suggest CIA triad-based security techniques for securing the IoT devices.


Introduction
Some application domains well define the IoT (Internet of Things) comprising health, agriculture, home, supply chain and manufacturing, city and transportation utilities. In these domains, physical devices are connected via Internet [1].
Further, the home device comprising appliances, thermostats, smart door locks, smart homes, wearable, smart vehicles. The health devices for monitoring and recording the patients' data namely heartbeat monitoring system, pacemakers, and glucose monitoring system. Manufacturing or industrial supply chain Radio Frequency Identification (RFID) tags and sensor networks. Whereas, agricultural IoT devices include green-house sensor systems, monitoring fields, and irrigation controllers. The streetlights water distribution systems are applications for city IoT domains [2][3][4][5][6][7].
It is the IoT that equally benefits organizations, individuals, and municipalities. Home-life has become more economical and convenient with the help of IoT devices and inexpensive remote sensor networks. The sensor networks monitor those areas which are inaccessible and hard to monitor [3][4][5][6]. IoT technology of smart cities allows to monitor and track energy usage and the environment. While health care IoT technologies provide the error-free and most precise results of health conditions for elderly or remote patients. All application domains in IoT attracted the interest of academia, business, and investors [8][9][10].
With these enormous benefits, the IoT brings a lot of challenges to privacy and security. IoT constraints in power supply comparing to traditional IT devices namely smartphones, laptops, and desktops [11]. So, the IoT lacks memory and processing capabilities ranging from tens of kilobyte (kB) of Random Access Memory (RAM) at the end sensor. Another limitation is to update the system, where IoT devices may not allow users to update while traditional IoT allows users to update [12].
The uses of Internet of Things (IoT) devices are growing exponentially from the last six years. Estimated connected devices in 2020 will be 30.73 billion and in 2025 estimations are for 75.44 billion as shown in Figure 1. As indicated in a report by Gartner that in 2020-21 the internet-connected things may be more than 8.4bn (Billion) [13]. It is also presumed that this number will grow exponentially up to 42.62bn (billion) by the year 2022 connected via IoT technology as shown in Figure 1. Therefore, as the size of the IoT network exponentially increases the security and privacy issues of IoT applications come to light [13]. These consist of wireless sensors, RFID tags, and many more smart devices. These devices share a large amount of information either it's our health information or our day-to-day cash transaction information, this massive quantity of information is shared between many different devices over the common platform i.e., IoT. As the IoT network expands we need some architecture for better work of IoT devices.  [13] The constraints in the capacity of power and processing lead to the limited ability to run a specific cryptographic protocol. However, an integrated security solution is hard to achieve in the face of heterogeneous protocols and hardware of devices [14]. Though usage of IoT devices at a significant level has risen security and privacy concerns, they also promise convenient and better living by smart devices. Again, the huge number of data and various quantities of new IoT devices create a significant space for information security and privacy concerns. Thus, user security and privacy are under a threat caused by vulnerability to the IoT framework.
This paper is divided into seven sections. Section I starts with the introduction of IoT and information security concerns in IoT. Section II provides the literature review of IoT-based security and privacy. Section III and Section IV discuss CIA Triad and IoT scope and architecture. Information security-related threats are comprised in Section V. Section VI discusses the CIA Triad-based implementation in IoT. Section VII encloses the concluding remarks and future work.

Related work
The study of [15] supports the CIA triad-based division of IoT three layers into the Perception layer, Application layer, and Network layer. Where technological challenges have been addressed as wireless network technologies, IoT hardware heterogeneity, security, and scalability containing both end-to-end security and CIA triad. The authors mainly focused on security challenges concerning layers and their counter-measurements namely federated architecture, trust establishment, and authentication. An approach on security for three-layered internet of things architecture has been suggested in [14,15]. Three layers namely application, transportation, and perception utilized along with physical sensors and sensor actuators. The sensor uses RFID tags to connect with the physical environment or world. Smart functionality for the user is provided by the application layer. While the Network layer fulfills the responsibilities of information transportation via wireless technologies to the other two layers. In [16], scholars debated for an additional layer known as a Processing layer. It sketches an intelligent interface for the Network layer and Application layer. This aims to process information from the Physical layer by data mining, cloud, and parallel computing.
A five-layer security system in IoT with end-user layer represented in [17]. The architecture has been suggested with an Edge Network layer which is responsible for the collection, transmission, and processing of the data from the IoT devices. Where the Core Network layers transport the processed data towards the Storage layer and service layer by edge network. Therefore, further analysis on the received data is carried out by the data servers where some software servers hold data and operating system images. Similarly, the study suggested in [18] discusses an end-to-end scenario with six layers for security architecture. The scholars composed six layers namely the internal communication layer, end device layer, a Gateway Information (GI) layer, Information transmission layer along the cloud layer.
Another study with a comparison of three models is suggested in [19]. These models namely the CISCO Seven layer model, the alternative five-level model, the early 3-layer model used for analysis and comparison. All security measures and countermeasure, security needs for the edge-level attacks have been sorted. The edge level measures include communication among devices, edge nodes dispersed in an area, and Fog computing or edge computing. The study claims that the security cannot be fulfilled and adequately provide desired outcomes with the CIA triad alone. So, IoT security with CIA triad expanded further by the addition of the IAS Octave security paradigm. They claim good outcomes of IAS-Octave in counter the attacks. Therefore, the insecurity increases with the growth of IoT devices exceedingly and privacy implications to such a huge amount of data or information remains to build a suitable design.

CIA triad
Confidentiality, Integrity, and Availability (CIA) form a triad that fulfills the basic security needs. For security and privacy of the IoT devices, should satisfy the CIA triad [12] [20][21]. These all three components are important for the better security of the devices as illustrated in Figure 2. So, these security doctrines apply as a whole to the IoT same as they apply on the Internet [22][23].

Confidentiality
Confidentiality ensures that access must be granted to the authorized user to the information and data reports. The access is subject to the extent of the need for access.

Integrity
The Integrity is determined and ensured when the data is well secured and protected. The encrypted data only be modified by the authentic user during the process, transmission and storage.

Availability
Availability of the data play an important role. Information security and authentication are very vital for data security. But, the availability of the data at the required time is a must. It is useless if the data is not available on time or in an emergency or critical situation. For security and privacy of the IoT devices, it should satisfy the CIA triad. Components of the CIA triad are confidentiality, integrity, and availability. These all three components are important for the better security of the devices [12]. It poses a significant impact to any individual or institution or organization involved in any CIA triad basic requirements is missed. As a definition for impacts provided by the NIST (the National Institute for Standards and Technology) suggesting High, Moderate, and Low potential impacts due to the loss of CIA triad in FIPS 199 [24,25]. The loss of availability differs from application to application in an IoT scenario [26]. Confidentiality and integrity are provided by encryption and cryptography for the data on IoT devices and data transportation across the network [27].

Over of IoT scope and IoT architecture
The IoT has made our routine activities very convenient and easy. The IoT is not the same as it was in the early days it was born, in late 1960 [28]. In its early days, security was not among the design goals, therefore, security issues were not a major focus. On the other hand, today the security is vital for IoT and its adoption. Almost, none can deny the fact that IoT-based devices and applications have flooded all aspects of life.
The IoT comprising WSNs (Wireless Sensor Networks) WBANs (Wireless Body Area Networks) are playing a very essential role in numerous health-related issues and healthcare atmospheres [3][4][5][6], [29][30][31]. Smart homes, automated and hyper-connected homes, intelligent household systems, and devices including light bulbs, power outlets, thermostats, and other numerous applications are connected through the Internet which allows operating remotely. There are numerous IoT devices and applications are in our surroundings namely smart homes, automatic and smart cars, railway trains, agriculture, transportation, and business. Thus, all spheres of life are surrounded by IoT applications and devices as illustrated in Figure 3. The estimation of usage and consumption of IoT devices shows that the current rate of IoT devices will grow and expand exponentially by the year 2025 [32]. It is predicted that IoT connected device approximately reaches around 75bn (Billion) as shown in Figure 4. So there is a Four-Layer architecture being used for IoT devices. Four layers of the architecture are the sensing layer, network layer, middleware layer, and application layer. Access to Information and data, for example, can bring significant security threats to a network by introducing viruses that might have devastating effects on the operations of an organization. This scenario shows that IoT devices may be used for both good and bad activities, hence, significant research on IoT security threat detection and challenges can help shape the longer term of the IoT domain [33].
IoT devices are connected to the internet, machine to machine, and also a machine to humans. At the very start of IoT, there were only a few devices that could connect to the internet but as time goes the devices get increased which can connect to the internet. So there is a need to be a certain architecture at which a device can work properly. There are two IoT architectures: three layers and four layers [34]. There are three fundamental layers in the IoT. These layers are 1). Sensing Layer 2). Network Layer 3). Application layer. Due to security reasons, a new layer was introduced to IoT architecture and this layer is the Middleware layer. Figure 5 shows the four-layer architecture with characteristics [17], [34,35].

Sensing layer
The Sensing layer is the bottom layer of IoT architecture. The sensing layer consists of a network of different kinds of data sensors that collects data and information from the environment and transmits it to the network. So this layer is the very important layer of architecture [2] [18].

Network layer
The network layer is the collection of different communication technologies whose function is data routing and information transmission to different IoT hubs and devices. At this layer different platforms like cloud computing, internet gateways, and routing devices are using different internet technologies like 3G/4G, LTE, Wi-Fi, Bluetooth, and ZigBee, etc. to transmit data through the internet [10].

Middleware layer
The middleware layer is a software layer between the network layer and the application layer. It is a security span between the network layer and the application layer. This layer is focused on the data exchanged. It provides Confidentiality, Integrity, and Authenticity to the data exchanged. This layer is associated with the conversation of data stored at different data storing platforms [26].

Application layer
The Application layer is the topmost layer of IoT architecture. This layer provides a user-friendly environment to the user where users can access data sensed by different sensors. This helps users to identify current trends and decision making [14], [36].

Information security threats in IoT
The field of IoT is expanding exponentially over the last five to seven years. So the threats are also emerging at the same rate as IoT expanding. As the IoT devices have resource limitations there are many threats to the IoT System. Though at this level we cannot secure all the threats to the System we can secure big threats to the system. We can classify the threats in the four-layer architecture:

Sensing layer threats
As sensors are the least secure devices in the whole architecture, threats based on the sensing layer are most important. Because sensors can be the easiest entrance to enter the entire IoT architecture and launch an attack [8]. Attackers can use sensors to inject malicious code and activate it to capture sensitive data exchanged between different IoT devices. If sensors are located in open locations so that attackers can do side-channel attacks which are based on electromagnetic field monetization, power consumption monetization or timing monetization to attack different encryption mechanisms or they can inject noise to the signals [22] [35]. An attacker can also data manipulate at sensors, can do boot attacks, can capture a Node [18].

Network layer threats
Everything is embedded in an IoT network, so attackers are attracted to attack in the network layer. A Man-in-the-Middle (MiTM) attack weakens the network layer and the attacker introduces a malicious node among genuine nodes. In MiTM, the attacker can eavesdrop, modify and monitor the overall communication which takes place over the IoT communication system [37].
Sybil attack in which attacker steals information and breaks the integrity by showing a single node at multiple locations within the IoT network. The attacker compromises an IoT device that can pretend to have many genuine identities in the IoT system and imitate them [38]. Having different identities, the compromised device (Sybil device) sends fabricated information to its neighboring devices.
In addition, routes that include the Sybil device as a forwarding node could be deceived that many routes are available when there is only one route available where all traffic transmitted will go. This can lead to different attacks, such as a DoS or jamming attack [21]. In the Sybil attack, nodes are used with fake IDs which results from the outnumbers in real nodes in a network, [38]. The attacker can perform Distributed denial of service attack. In a DDoS attack, the attacker captures a node from the network, which has an assigned IP and can make requests to a server, either public or private depending on the nature and complexity of the attack. After capturing the node server is flooded by the request and the server gets overloaded. So the user is no longer able to access the Server [10] [11] [17].

Middleware layer threats
At this layer, an internal attacker deliberately modifying and extracting data or information within the network. An underlying attack is a platform-as-a-service (Paas)based attack as shown in Figure 6. Third-party relationship attacks are caused by thirdparty components such as mashup, which increase the security of the data and network on Paas. In an SQL injection attack, an attacker injects a malicious SQL query into a program to make it malicious. In Cloud Malware Injection the attacker obtains control to inject malicious code or virtual machine to the cloud and the attacker pretends to be a valid service [13].

Application layer threats
At the application layer data is provided to the final user to their smart devices. So the shared malicious data enters the smart devices of the final user. The attacker enters a malicious object like malware, Trojan horses, and spyware into the system and gets full access to the system [3], [16].
In contrast to the RFID (Radio Frequency Identification) tags, the DoS attacks are vulnerable, and the tag reader is unable to interpret the tag. RF channel is being jammed and difficult to read, therefore, DoS causes unavailability of tags [39]. Apart from channel jamming, a node jamming attack is a vulnerability type where the attacker attacks by transmitting a noise signal over the channel. This interference in the communication channel helps to occupy IoT data and cause signal jamming. The attacker introduces new nodes which creates the increments of fake nodes. The fake nodes create collisions with real nodes and unnecessary retransmit the signal. All real once attacked with unnecessary retransmissions by fake nodes results in depletion of the energy. Thus, nodes get depleted and die down quickly before the estimated time. However, the quick energy consumption due to the jamming of signals disables the communication between devices and nodes. Ultimately, the signal jamming resulting in the DoS of the nodes prevents communication for the IoT nodes or whole network [13,35,[40][41][42][43].

Implementation of CIA triad in IoT
Information security and privacy in IoT fields demand IoT consideration and concerns. Undoubtedly, the biggest issue in the field of IoT is information security. Without addressing the security concerns which come along with IoT, the application or device is worthless. To counter these issues we have the CIA triad. We implement the standard triad of Confidentiality, Integrity, and Availability (CIA) for information security. For ensuring the security of data IoT architecture should provide confidentiality, integrity, and availability of data to the system [12], [35].
All IoT-based fields require a specific information security implementation. The security-based on CIA triad ensures that unauthorized use is no longer to access the data. CIA triad-based techniques provide desired results when the security meets the layers-based authorization, trust, and privacy criterion as given in Table 1. At the sensing layer level, it is very important to develop some encryption techniques to secure information and information access to authorized users only. Encryption methods may include the cryptographic hash algorithms and digital signatures as described in Table 1. Figure 7 shows the IoT information security. For data privacy, user authentication plays a very important role. Where user authorization and mutual trust between the data provider and user ensure that the information is being used is safe and no harm to secured information as depicted in Table 1. Apart from this, authentication at the network layer level needs to be full-filed by point-topoint encryption and cryptographic hash algorithms. The routing of data throughout the network demands much more consideration and focus.

IoT Layers
Security Technique Implementation

Authenticity
The authenticity can be ensured through encryption and digital signature along with cryptographic hash algorithms.

Data Privacy
Privacy cannot be ignored at any level. So, lightweight cryptographic algorithms and encryption algorithms are crucial for the privacy of information to prevent unauthorized access to information assets.

Network Layer
Authenticity At this layer, authentication can be provided by point-to-point encryption algorithms to block unauthorized access.

Routing Security
Information routing is very sensitive to errors. To make sure of errorfree routing some robust routing mechanisms either with multiple routing paths or only recognized routing path selections, can be adopted.
Data Privacy Data is to be ensured for its safe and sound utilization. The data privacy techniques are useful to detect intrusion attacks and verification authorized users. The integrity helps to the correctness of data.

(Continued)
IoT Layers Security Technique Implementation

Middleware Layer
Confidentiality At this layer level, a better lightweight cryptographic algorithm with cryptographic keys and cryptographic hash method helps in data confidentiality. Confidentiality must be checked during the data exchange process.

Data Storage
Good data storage with encryption of stored data can provide efficient data protection to data storage. For this, instead of using a centralized cloud service, we can use a decentralized Blockchain for reliable and secure data protection.

Application Layer
Authenticity User authentication is crucial at this point. Different authorization and authentication methods help to prove user authorization and identity.

Intrusion Detection
At this layer intrusion detection gives a lot of advantages. The data can be kept safe if the intruder is timely identified. The intrusion detection mechanisms can be applied to constantly monitor the user activities and send the acknowledgment to the system if any suspicious activity is monitored over the system. It may use a data mining approach to detect intrusion.

Data Security
At the application layer level, firewalls can be a good choice to protect data and also prevent information stealing or tempering in information.
However, the routing security is required to ensure that the data transmission or reception is only from the trusted user and from the recognized path as described in Table 1. At the Network layer level, data privacy is only to ensure the authorized and trusted user is sending or receiving the information as described in Table 1.
At the middleware layer level, confidentiality plays a vital role. CIA triad provides complete security in terms of data confidentiality, user and information provider integrity, and availability of request information to the authorized user as described in Table 1. Data or information availability requires good guaranteed and secured data storage. So, data protection is essential to secure using encryption and cryptographic algorithms. Also, decentralized BlockChain services can be utilized instead of centralized cloud services for secured data storage and information usage as described in Table 1. The data can be kept safe if the intruder is timely identified. The intrusion detection mechanisms can be applied to constantly monitor the user activities and send the acknowledgment to the system if any suspicious activity is monitored over the system. It may use a data mining approach to detect intrusion.

Conclusions
Information Security is the major concern for IoT devices and applications. Since the advent of IoT, its applications and devices have experienced an exponential increase in numerous applications which are utilized. The IoT device differs widely in capacity storage, size, computational power, and supply of energy. With the rapid increase of IoT devices in different IoT fields, information security and privacy are not addressed well. Most IoT devices having constraints in computational and operational capabilities are Table 1. Information security triad implementation inter of things (Continued) a threat to security and privacy, also prone to cyber-attacks. This study presents a CIA triad-based information security implementation for the four-layer architecture of the IoT devices. The data can be kept safe if the intruder is timely identified. The intrusion detection mechanisms can be applied to constantly monitor the user activities and send the acknowledgment to the system if any suspicious activity is monitored over the system. firewalls can be a good choice to protect data and also prevent information stealing or tempering in information. It may use a data mining approach to detect intrusion. Confidentiality plays a vital role. CIA triad provides complete security in terms of data confidentiality, user and information provider integrity, and availability of request information to the authorized user. The CIA triad-based technique for the enhanced information security and further research for fully adoption of application-specific IoT mitigation and countermeasures of the information security concerns is the future challenge.