1. Introduction
The emergence of the Industrial Internet of Things (IIoT) introduces a new network paradigm that has transformed how data are traditionally captured, collected, exchanged, processed and stored in industry. IIoT goes beyond the typical consumer devices and the people-to-people (P2P) and people-to-machine (P2M) communication networks associated with the broader IoT. IIoT consists of billions of “things” intelligently connected via distributed communication networks, such as machine-to-machine (M2M) communication. These “things” range from ultra-efficient sensors and actuators, automation devices, embedded systems and heavy machinery to high-performance gateways, with real-time data analytics always present.
In most cases, these “things” are uniquely identified by a variety of addressing schemes, including electronic product codes (EPC), ubiquitous codes (ucode), media access control (MAC) addresses and Internet protocol (IP) addresses. IIoT promises a transformative future for businesses and governments, including intelligent automation, smart factories, intelligent healthcare, smart homes, smart cities, and intelligent transportation. IIoT’s inherent complexities introduce several security challenges and privacy risks. Several surveys and reviews analyzing IoT and IIoT security threats and privacy challenges have been published over the last decade. These existing reviews and surveys are chronologically summarised in Table 1.
Table 1. Chronological summary of previous surveys in the IoT and IIoT security.
| Year | Reference | S | I | G | O | Focuses |
|---|---|---|---|---|---|---|
| 2010 | Atzori et al. [1] | √ | √ | | √ | Data integrity and privacy issues specifically on wireless technologies: RFID and WSN |
| 2010 | Weber [2] | | | | √ | Limited to address data and privacy legislation of the IoT and RFID |
| 2012 | Miorandi et al. [3] | √ | √ | | √ | A general overview of data confidentiality, privacy and trust specifically on distributed intelligence, communication and identification technologies |
| 2013 | Zhao and Ge [4] | | √ | | √ | A brief discussion of security attacks and measurements based on three-layer IoT architecture (perception layer, transport layer and application layer) |
| 2014 | Ziegeldorf et al. [5] | | | | √ | A general overview of IoT privacy threats and challenges |
| 2014 | Jing et al. [6] | | √ | √ | √ | Analyze the cross-layer heterogeneous and security issues of three-layer IoT architecture (perception layer, transport layer and application layer) and focuses specifically on WSN and RFID |
| 2015 | Fremantle and Scott [7] | √ | √ | | √ | Middleware systems and their security properties, as well as a very brief discussion on future works |
| 2015 | Granjal et al. [8] | | √ | | √ | IoT communication protocols and technologies specifically on MAC and physical layers |
| 2015 | Nguyen et al. [9] | √ | | | √ | IoT security protocols and key distribution specifically on WSN |
| 2016 | Airehrour et al. [10] | √ | √ | | √ | Secure routing protocols and trust models |
| 2016 | Qin et al. [11] | √ | | | √ | Review IoT from a data-centric perspective, specifically on RFID |
| 2017 | Loi et al. [12] | √ | √ | | √ | Comprehensive security analysis on consumer IoT devices |
| 2018 | Fernández-Caramés et al. [13] | | √ | | √ | Blockchain-based IoT application |
| 2019 | Hassija et al. [14] | √ | | | √ | Studies on the relationship between IoT application and related technologies: blockchain, machine learning, fog and cloud computing |
| 2019 | Berkay et al. [15] | √ | | | √ | Security analysis of IoT programming platforms |
| 2019 | Tabrizi and Pattabiraman [16] | √ | | | √ | Design-level and code-level security analysis on IoT devices |
| 2020 | Amanullah et al. [17] | √ | √ | | √ | Comparative analysis on the relationship of IoT security, deep learning and big data technologies |
| 2020 | Lao et al. [18] | √ | √ | | √ | A review on blockchain-based IoT architecture |
| 2020 | Joao et al. [19] | √ | | | √ | A general review on threat models and attack paths of IoT |
| 2021 | Polychronou et al. [20] | √ | √ | | | Software attacks targeting hardware vulnerabilities and deep learning detection mechanisms in IIoT |
| 2021 | Gaspar et al. [21] | | √ | | √ | A general IoT technologies review on Portugal’s Agro-Industry |
| 2021 | Wu et al. [22] | √ | | | √ | Relations between machine learning and blockchain in IIoT |
| 2021 | Latif et al. [23] | √ | | | √ | A general review on blockchain-based decentralized IIoT security |
In 2010, Atzori et al. [1] and Weber [2] initiated the study of IoT security issues. Atzori et al. [1] briefly discuss IoT’s security challenges and privacy issues, particularly in RFID and WSNs. Weber [2] focuses on the security requirements, privacy legislation and personal data protection of the IoT and RFID. Miorandi et al. [3] provided an overview of IoT’s data confidentiality, privacy, and trust issues. Subsequently, Ziegeldorf et al. [4] gave a detailed discussion of the privacy threats and challenges of IoT. Zhao and Ge [5] discussed security issues from the IoT architecture perspective and divided IoT into perception, transport, and application layers. Then, Jing et al. [6] further conducted a comprehensive analysis of each layer’s features, security issues, and corresponding solutions. After that, the discussion of IoT security narrowed down to specific technologies and scopes. The study of Fremantle and Scott [7] focuses its analysis on the middleware of IoT security. Granjal et al. [8] concentrated on the security of IoT communication protocols, including the physical and medium access control (MAC) layers, IPv6 over low-power wireless personal area networks (6LoWPAN) and the routing protocol for low-power and lossy networks (RPL). Nguyen et al. [9] focus on the security of IoT and WSN communication protocols and their attack-resistant solutions. Subsequently, Airehrour et al. [10] gave a detailed security analysis of IoT routing protocols, particularly in low-power and lossy networks (LLN). Then, Qin et al. [11] briefly discussed IoT security from a data-centric perspective. Loi et al. [12] analyzed consumer IoT devices. Fernández-Caramés et al. [13] and Lao et al. [18] review the adaptability of blockchain to securing IoT applications and architecture. Hassija et al. [14] focus on the security of IoT applications. Berkay et al. [15] and Tabrizi and Pattabiraman [16] review IoT security from a programming-platform and code-level perspective. Amanullah et al. [17] discuss the relationship between deep learning, IoT security and big data technologies. Joao et al. [19] gave a general review of threat models and attack paths of IoT.
Recent surveys have primarily focused on the general IoT domain rather than the IIoT domain. They either provided a general overview of IoT security [1,2,3,4,5,10,11,19], or a detailed security analysis limited to specific IoT technologies or a particular layer of the IoT architecture [6,7,8,9,12,15,16]. In addition, multiple surveys focused on exploring the relationship between IoT security and blockchain technologies [13,14,17,18]. Survey directions have lately narrowed to the IIoT domain [20,21,22,23,24]. Deep learning in IIoT threat detection [20,22] and decentralised blockchain technologies [22,23] are the focus of these IIoT security surveys. However, none of them performs a comprehensive security analysis of the IIoT architecture and its recent industry solutions. Whether the security solutions deployed in industry are still adequate when adapted to secure the IIoT architecture remains questionable. The contributions of this article are:
- The differences between conventional systems and IIoT security concerns are summarized. Decentralized security approaches with high scalability, high interoperability, lightweight operation and secure data processing are urgently needed to address the high heterogeneity of “things” and the high volume and variety of collected sensor data, as opposed to conventional security systems that focus on a centralized approach.
- Unlike recent IIoT architectures [24,25,26,27] that (i) focus on specific industries, namely the aviation industry [25] and smart manufacturing [27], and (ii) target particular technologies, namely M2M communication [24], green-aware multi-task scheduling [26] and 5G technology [27], we generalize the IIoT architecture into a four-layer architecture to cope with a wide range of industry technologies and standards.
- Subsequently, we classify the recent IIoT technologies and standards into the proposed four-layer IIoT architecture.
- The IIoT security requirements are further defined with the CIA+ model, including confidentiality (C), integrity (I), authentication (A), authorization and access control (A) and availability (A).
- A comprehensive end-to-end security analysis is conducted based on the defined IIoT CIA+ model, followed by a fine-grained review of recent industry technologies and standards in each layer of the proposed IIoT architecture. The identified security risks and threats of these industry technologies, their deployed security countermeasures and future research work are summarized.
- Lastly, we enumerate the open security challenges of IIoT and future research opportunities.
The rest of this article is organized as follows. Section 2 investigates the characteristics of IIoT and highlights and reports the differences between conventional systems and IIoT security concerns. Section 3 reviews recent work on IIoT architecture and proposes an IIoT security architecture based on the ITU-T Y.2060 IoT reference model [20], consisting of four layers: device layer, transport and network layer, processing layer and application layer. Then, we classify the recent industry technologies and standards into the proposed IIoT security architecture. Subsequently, Section 4 presents a comprehensive end-to-end security analysis of each layer of the IIoT architecture using the CIA+ model. The security risks and threats of each industry technology and their deployed security countermeasures, the gaps of today’s deficiencies, and ongoing challenges are reported. Section 5 discusses the open security challenges, privacy issues and future research opportunities of IIoT. Finally, Section 6 concludes.
2. IIoT Security Challenges and Concerns
The discussion of IIoT can be traced back to the connection between the physical world and ubiquitous “things” via the Internet during the early 1990s [28]. While IIoT is still in its infancy, the scope of its definitions is framed by different business interests and industry application scenarios [29,30,31,32,33]. For example, the IETF and IEEE definitions are bounded by sensing technologies such as RFID and sensors [29,30], whilst the W3C expounds the IoT in terms of the World Wide Web ecosystem [31]. IoT’s vision is to enable the connection of any “things” anytime. In most industry cases, we conclude that these “things” are associated with three fundamental characteristics: heterogeneity, unique identities and connectivity.
Along with the growth of IIoT in support of industry, IIoT security and privacy issues have become more challenging. These security challenges inherit the issues of conventional systems, such as the advanced persistent threat (APT), and are further exacerbated by the complexity of the newer IIoT-associated characteristics such as high heterogeneity, the large scale of “things”, and cyber-physical systems. Table 2 further summarises the differences between conventional systems and IIoT security concerns.
Table 2. The difference between conventional systems and IIoT security concerns.
| Concerns | Conventional System | IIoT |
|---|---|---|
| Connected Nodes/Devices | Small to medium volume within the local networks | Billions of sensor nodes, actuators and automation devices connected |
| Communication Networks | Homogeneous | Heterogeneous |
| System Scalability | Optional | High scalability. The design of IIoT security systems should consider the identification and authentication of an enormous scale of “things”, the scalability of communication networks, and security key distribution and revocation issues in future |
| System Interoperability | Optional | High interoperability. Diverse security mechanisms and defence systems over the distributed networks must be standardized and compatible with each other to communicate, exchange and process data securely |
| Collected Data Types | Unified encoding scheme and data format, structured data | Confluent with the “big data” characteristics: (i) high volume (terabytes–zettabytes); (ii) high variety (diverse encoding schemes and formats: structured, unstructured, semi-structured and quasi-structured data) |
| Data Processing Model | Moving data to processing, moderate speed | Moving processing to data. In most industrial cases, high velocity necessitates real-time analytical processing |
| Security and Privacy Concerns | Data-at-rest, data-in-memory, data-in-transit | Data-at-rest, data-in-memory, data-in-transit, data-in-transform |
| Authentication and Access Control Mechanisms | Centralized approach | Distributed, decentralized approach; lightweight schemes |
The high heterogeneity of “things” on a large scale implies interoperability issues in cross-network communications, cyber-physical systems and the integration of IIoT-enabled technologies. The intricate maze of interoperability issues arises when heterogeneous devices and sensor nodes (i) are identified with different naming and addressing schemes; (ii) use different data structures and formats; and (iii) communicate through different security protocols with varying network requirements (e.g., reliability, communication cost, latency and bandwidth) and are integrated to provide a plethora of service applications. The question of whether these conventional security mechanisms and defence systems can be further integrated and standardized universally to resolve IIoT security complexities remains unanswered.
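To make point (i) concrete, the following added example (written for this page, not code from the paper or any of the surveyed projects) takes a mixed bag of device identifiers in the four schemes the introduction names, EPC, ucode, MAC and IP, validates each against its scheme and normalises it to one canonical spelling. Anything an inventory or authentication system cannot classify is surfaced rather than silently dropped, which is the failure mode that matters for a security review. The sample identifiers and the gateway-side grouping are constructed; the EPC pattern assumes the GS1 pure-identity URI shape `urn:epc:id:<scheme>:<dotted fields>` and the ucode check assumes a 128-bit value written as 32 hex digits, optionally grouped by hyphens.

```python
import re
from ipaddress import ip_address, IPv4Address

# Constructed sample identifiers (not taken from the paper) covering the four
# addressing schemes named in the text: EPC, ucode, MAC and IP.
SAMPLE_IDS = [
    "urn:epc:id:sgtin:0614141.112345.400",            # GS1 EPC pure-identity URI (SGTIN)
    "0000-1C00-0000-0000-0000-0000-0000-A2B3",        # 128-bit ucode, hyphenated hex
    "00001C00" "00000000" "00000000" "0000A2B3",      # the same ucode, bare hex
    "00:1A:2B:3C:4D:5E",                              # MAC-48, colon separated
    "001a.2b3c.4d5e",                                 # the same MAC, dotted form
    "192.168.10.25",                                  # IPv4
    "FE80:0000:0000:0000:0000:0000:0000:0001",        # IPv6, uncompressed spelling
    "not-an-identifier",                              # no known scheme
]

# Hex digits grouped by '-', ':', '.' or space (covers MAC and ucode notations).
HEX_GROUPS = re.compile(r"[0-9A-Fa-f]+(?:[-:. ][0-9A-Fa-f]+)*")
# Assumed EPC pure-identity shape: urn:epc:id:<scheme>:<dot-separated fields>.
EPC_PURE_IDENTITY = re.compile(r"urn:epc:id:([a-z0-9]+):([0-9A-Za-z%*.\-]+)")


def classify_identifier(raw):
    """Return (scheme, canonical_form) for a recognised scheme, else None."""
    s = raw.strip()

    # 1. IP addresses: the stdlib parser rejects non-IP strings and emits the
    #    compressed canonical text for IPv6, so two spellings compare equal.
    try:
        addr = ip_address(s)
        return ("ipv4" if isinstance(addr, IPv4Address) else "ipv6", str(addr))
    except ValueError:
        pass

    # 2. EPC pure-identity URIs are already canonical; only the shape is checked.
    m = EPC_PURE_IDENTITY.fullmatch(s)
    if m:
        return ("epc", f"urn:epc:id:{m.group(1)}:{m.group(2)}")

    # 3. Hex identifiers: MAC-48 is 12 hex digits, ucode is 128 bits = 32 digits.
    if HEX_GROUPS.fullmatch(s):
        digits = re.sub(r"[-:. ]", "", s).lower()
        if len(digits) == 12:
            return ("mac", ":".join(digits[i:i + 2] for i in range(0, 12, 2)))
        if len(digits) == 32:
            return ("ucode", digits)

    return None


def inventory(identifiers):
    """Group canonical identifiers by scheme, collapsing different spellings of
    the same identifier; unrecognised strings are listed under 'unknown'."""
    groups = {"unknown": []}
    for raw in identifiers:
        result = classify_identifier(raw)
        if result is None:
            groups["unknown"].append(raw)
            continue
        scheme, canonical = result
        bucket = groups.setdefault(scheme, [])
        if canonical not in bucket:
            bucket.append(canonical)
    return groups


if __name__ == "__main__":
    for scheme, ids in inventory(SAMPLE_IDS).items():
        print(f"{scheme:8s} {ids}")
```

The order of the checks matters: an IPv4 address such as `192.168.10.25` also matches the dotted-hex pattern, so IP parsing runs first, and MAC and ucode are told apart purely by digit count. Canonicalising before comparison is what lets an access-control list written as `00-1A-2B-3C-4D-5E` match a device reporting `001a.2b3c.4d5e`; without it, two systems on the same plant network can disagree about whether a device is known.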
When there is a large scale of “things” (e.g., sensors in the aviation industry that consistently capture engine and aircraft health information during a flight) or diverse “things” in smart factories and manufacturing (e.g., sensors, edge devices, and smart grid) that collaborate to generate and exchange data continuously, the data generated from these cyber-physical systems always come in a big data flavour [17]. The data come in high volume and wide variety (e.g., structured, unstructured, quasi-structured, and semi-structured data) and need to be processed at high velocity or analyzed in near real time, so conventional data processing mechanisms are complicated or too expensive to scale and handle them efficiently.
As conventional data processing systems were mainly built in-house, centrally managed, and typically operated within organizational boundaries with a finite number of connected devices and users, security and privacy issues were not a concern. However, security protection and defence mechanisms are significantly different in the era of IIoT. Collected sensor data are locally processed and analyzed by an IIoT gateway or automation system before being sent to a centralized cloud platform for remote monitoring and post-analysis. The limited scalability of existing security mechanisms for authentication and fine-grained access control over massive IIoT resources has drawn the attention of industry and researchers toward a decentralized approach. Subsequently, more lightweight and highly efficient encryption schemes have been proposed recently to protect the tiniest “things” of IIoT, such as edge devices, sensor nodes and WSNs.
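The gateway-to-cloud flow just described is where the “data-in-transform” row of Table 2 meets the integrity (I) and authentication (A) requirements of the CIA+ model: the cloud receives a summary the gateway computed, not the raw sensor readings, so it must be able to tell that the summary is unmodified and really came from that gateway. The following added example (written for this page; not the paper’s or any vendor’s code) shows a minimal version of that check with a per-gateway HMAC-SHA256 key and a sequence number, and demonstrates that a modified summary and a replayed message are both rejected. The key, the gateway name and the readings are constructed; a real deployment would provision the key through the key-distribution mechanism Table 2 flags as an open scalability issue, and would add an AEAD cipher where confidentiality (C) of the payload is also required, since HMAC alone does not hide the data.

```python
import hashlib
import hmac
import json

# Constructed per-gateway key (placeholder value). In a deployment it would come
# from provisioning, e.g. a hardware-backed store, never from source code.
GATEWAY_KEY = bytes.fromhex("1f" * 32)

# Constructed raw readings from one polling interval (not from the paper).
SAMPLE_READINGS = [20.5, 21.0, 21.5, 22.0]


def gateway_package(readings, seq, key, gateway_id="gateway-01"):
    """Local processing (data-in-transform) followed by authentication of the
    result, so the cloud can verify integrity (I) and origin (A)."""
    summary = {
        "n": len(readings),
        "mean": sum(readings) / len(readings),
        "max": max(readings),
    }
    record = {"gateway": gateway_id, "seq": seq, "summary": summary}
    # Canonical serialisation: the tag must cover exactly the bytes that are sent.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def cloud_verify(message, key, last_seq):
    """Return (accepted, detail, new_last_seq). Rejects bodies whose tag does
    not verify under the gateway's key, and replayed or out-of-order records."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong tag cannot be refined byte by byte.
    if not hmac.compare_digest(expected, message["tag"]):
        return (False, "tag mismatch: body modified or wrong key", last_seq)
    record = json.loads(message["body"])
    if record["seq"] <= last_seq:
        return (False, f"replay: seq {record['seq']} <= {last_seq}", last_seq)
    return (True, record, record["seq"])


def demo():
    """Genuine message accepted; tampered summary rejected; replay rejected.
    Returns (accepted, mean_seen_by_cloud, tamper_accepted, replay_accepted)."""
    last = 0
    msg = gateway_package(SAMPLE_READINGS, seq=1, key=GATEWAY_KEY)
    ok, record, last = cloud_verify(msg, GATEWAY_KEY, last)

    # An in-transit modification of the transformed data, tag left untouched.
    tampered = {"body": msg["body"].replace('"max":22.0', '"max":99.0'),
                "tag": msg["tag"]}
    tamper_ok, _, last = cloud_verify(tampered, GATEWAY_KEY, last)

    # The original, valid message delivered a second time.
    replay_ok, _, last = cloud_verify(msg, GATEWAY_KEY, last)
    return ok, record["summary"]["mean"], tamper_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real systems. First, the tag is computed over a canonical encoding (`sort_keys`, no whitespace), because a verifier that re-serialises the parsed JSON itself can produce different bytes and reject honest messages. Second, the sequence number is part of the authenticated body, so a replayed record is detected by the cloud’s per-gateway `last_seq` state without any extra round trip; the cost is that the cloud must persist that state per gateway, which is exactly the kind of per-device bookkeeping that motivates the decentralized approaches the paper goes on to survey.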