Cybersecurity Challenges and Opportunities in the New “Edge
Computing + IoT” World
Jianli Pan∗
University of Missouri, St. Louis
Saint Louis, Missouri
pan@umsl.edu
Zhicheng Yang†
University of California, Davis
Davis, California
zcyang@ucdavis.edu
ABSTRACT
The paradigm shift to the Internet of Things (IoT) and the emergence of the edge computing concept have brought huge potential for various future IoT application scenarios such as smart home, smart transportation, smart health, smart grids, and smart energy. They also bring a series of new Cybersecurity challenges. We envision that many new research and innovation opportunities will emerge at the intersection of “Cybersecurity + edge computing + IoT + AI”. In this article, we will discuss the major new Cybersecurity challenges and the related opportunities in such a vision.
CCS CONCEPTS
• Security and privacy → Network security; • Networks → Network architectures;
KEYWORDS
Cybersecurity, Edge computing, Internet of Things, IoT, Blockchain, Artificial Intelligence, Deep Learning
ACM Reference Format:
Jianli Pan and Zhicheng Yang. 2018. Cybersecurity Challenges and Opportunities in the New “Edge Computing + IoT” World. In SDN-NFV Sec’18: 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, March 2018, Tempe, AZ, USA. ACM, New York, NY, USA, Article 4, 4 pages. https://doi.org/10.1145/3180465.3180470
1 INTRODUCTION
The data processing and service provisioning in the current Internet generally follows a centralized structure in which most of the data are collected and sent to a small number of remote datacenters with rich resources in storage, processing, and networking. Such a traditional cloud computing architecture succeeded in lowering the users’ cost, creating on-demand pay-as-you-go service, enabling scalable and elastic services, and facilitating big-data analytics. However, such a centralized data model is not sustainable when the Internet is experiencing a significant paradigm shift to the Internet of Things (IoT). The IoT trend generally means that a massive number of mobile and wireless devices, which are mostly located at the bottom of the Internet hierarchy, will be connected and could generate a huge amount of data at a very high speed. This trend could potentially turn the Internet data flow upside-down. It is simply impossible or infeasible to collect all the data at the remote datacenters and wait for the results to be sent back to the edge after big-data processing. Two factors essentially prohibit it. The first factor is the volume of the data generated by the IoT devices and the velocity of its accumulation. Local data storage and processing is inevitable. The second factor is the low latency or fast response requirement of many future IoT applications such as Virtual Reality (VR), Augmented Reality (AR), and autonomous vehicles that involve Artificial Intelligence (AI) functions to make faster decisions.
∗ Corresponding author. Dr. J. Pan is with the Department of Mathematics and Computer Science at the University of Missouri-St. Louis, St. Louis, MO 63121, USA. (Email: pan@umsl.edu)
† Mr. Z. Yang is with the Computer Science Department of the University of California, Davis, CA 95616, USA.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
SDN-NFV Sec’18, March 2018, Tempe, AZ, USA
© 2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-5635-0/18/03...$15.00
https://doi.org/10.1145/3180465.3180470
As a result of these trends, it is widely believed that more computation, storage and networking resources will be situated at the edge of the networks, closer to users and the IoT devices where data are generated. This is also called “edge computing”, fog computing or mobile edge computing (MEC) in different literature. The integration of edge computing and IoT would significantly reduce data traffic, especially in the backbone Internet, provide in-situ data intelligence, reduce latency and improve the response speed. Such a paradigm would especially benefit various emerging IoT applications such as smart home, smart transportation, smart health, smart grids, and smart energy. However, such an emerging “edge computing + IoT” trend is also bringing Cybersecurity challenges from different aspects.
2 CYBERSECURITY CHALLENGES
In this section, we will identify five new challenges that come with the integration of edge computing and IoT, and briefly discuss their major security implications and impacts.
2.1 Challenge #1: Massive Numbers of
Vulnerable IoT Devices
In the future IoT world, a massive number of resource-poor IoT devices could be much more vulnerable to all kinds of malicious attacks because they lack the computation, storage, and battery resources needed to provide better security. Such vulnerabilities could lead to large-scale security breaches and cause large economic losses [2, 9]. The IoT devices tend to have limited capability to run standard encryption, authentication, and access control algorithms. They are also more fragile when facing targeted Denial of Service (DoS) availability attacks. Some possible examples of attacks targeting the IoT devices include: (1) physically tampering and stealing data, codes and keys; (2) identity forging that compromises data integrity; (3) eavesdropping through shared wireless channels; (4) fake nodes maliciously jamming the links between IoT devices and the edge nodes. It is possible that the edge computing platform could play an important role in assisting the IoT devices, coordinating the security functions, and even detecting and protecting against malicious external attacks. However, the edge computing concept is relatively new and many of its security implications are still not well understood compared with traditional centralized cloud computing.
2.2 Challenge #2: NFV-SDN Integrated Edge
Cloud Platform
Network Function Virtualization (NFV) and Software Defined Networking (SDN) are two emerging technologies that can complement each other to enable a virtualized and shared edge cloud platform. Using NFV, the edge cloud can dynamically launch Virtual Machines (VMs) to perform application-specific computing or to provide security-related protections such as firewall VMs or intrusion detection applications. SDN, with its built-in separation of control and data forwarding, can be adopted to work with NFV to network, configure, control, and manage the VMs. Coherent integration of NFV and SDN could potentially enable an agile edge cloud platform with easy configuration and management for future IoT applications [11]. However, the downside is that NFV and SDN are each still developing and evolving, and many Cybersecurity challenges are yet to be solved for each of them, not to mention the additional security risks and problems that could emerge from their integration. For example, it is still an open issue for SDN to prevent DoS attacks, spoofing attacks, and malicious injection attacks in a virtualized environment [1]. Also, for NFV, security risks broadly exist with the hypervisor in isolating Virtualized Network Functions (VNFs) and managing the virtualized network topology, in VNFs migrating across domain boundaries, and in preventing DoS attacks and malicious insider attacks [5].
2.3 Challenge #3: Data Privacy and Security
A much larger number of IoT devices connected to the Internet will also generate a large amount of data at a very high speed. Since it is infeasible to store all the data in centralized places for processing, as happens in the current cloud computing model, these data will have to be stored and processed at many decentralized edge computing nodes or edge clouds. The handling of data privacy and security will also be different. On the one hand, this may be desirable for application users (such as medical or health IoT application users) who want to possess, store, and fully control their own data instead of putting them in the hands of cloud providers, where they cannot have full control and cannot guarantee that the cloud providers will not use their data, or will use the data only in a mutually agreed way. On the other hand, however, more often than not these decentralized edge clouds are more susceptible to, and hence less well defended against, various data breaching attempts, DoS attacks, and even physical tampering. Much more research is needed to provide data privacy and security at multiple layers (including the perception layer, transport layer, and application layer) and from multiple aspects (including physical security, information security, and management security). How to better protect data privacy and security in a much more decentralized edge computing environment is still an open and challenging problem.
2.4 Challenge #4: Offloading and Interaction
Between Edge and IoT Devices
One of the traits of the open edge cloud era [11, 12] is that it will be very common for resource-poor IoT devices to offload tasks to the resource-rich edge computing platform for fast processing. The IoT devices could also help each other with different tasks depending on their resource availability and the incentive policy. Such task offloading and collaboration could also bring additional security concerns. The first one is about software security. The task codes need to be written and built in a way that they can be dynamically scheduled to execute on different systems such as the edge computing platform and IoT devices. Cross-platform code migration and dynamic scheduling could also be a challenging task that needs secure APIs or interfaces. Second, the orchestrator of the edge cloud is also required to coordinate the interaction between the mobile/wireless IoT devices and edge cloud entities such as VMs, to provide sufficient resources from the edge cloud side. An appropriate access control mechanism is needed to protect the codes moving between the edge cloud and IoT devices from malicious attacks. In addition, the communication links between the IoT devices and the edge cloud are mostly wireless and mobile links. All the wireless/mobile network related security concerns also exist here. For example, appropriate encryption is needed for all the communications over these wireless links. However, because the IoT devices are mostly resource-poor, it is important to find efficient but lightweight methods for authentication, encryption, and access control. The resource-rich edge cloud can help facilitate these IoT security functions.
2.5 Challenge #5: Trust and Trustworthiness
Trust is a particularly important issue in the “edge computing + IoT” world. The IoT devices generally have limited resources and a unique communication mode (from IoT devices to the edge cloud), which makes them more vulnerable to malicious attacks. Moreover, when some of these nodes are compromised and become malicious, the system needs to be able to identify and detect them. Relying on password mechanisms or encryption algorithms is not sufficient. Trust is usually implemented with digital signature technology through certification. Currently, certification is mostly a human-centered process and any change to a deployment could trigger recertification, which is very costly and time-consuming. Automated certification is highly desirable but there is still a long way to go. Between the edge cloud and the IoT devices, and among the IoT devices, an important security concern is how much trust they can put in each other when they exchange data and work with each other. The key to creating such trust is, to some extent, visibility, transparency, and auditability of the transactions. In a relatively complex NFV/SDN-enabled edge cloud environment with various hardware and software components, dealing with various IoT devices, it is important to create a systematic and effective trust and trust management system to enable better trustworthiness and security among the involved entities. Recent developments in the Trusted Platform Module (TPM) [7] made an attempt to bring new levels of trust to cloud computing.
3 CYBERSECURITY OPPORTUNITIES
Due to the emergence of a series of technologies such as Blockchain, Artificial Intelligence (AI) and Machine Learning (ML), we envision that some new research and innovation opportunities will emerge at the intersection of “Cybersecurity + edge computing + IoT + AI”. In this section, we will discuss the major challenges and the related new opportunities in such a vision.
3.1 Opportunity #1: Blockchain and Zero-trust
Security
Blockchain technology has recently attracted broad attention from both industry and academia. It is deemed a technology that could potentially change not only how people use currencies (Bitcoin or other cryptocurrencies) but also how they deal with all kinds of transactions with people, organizations and entities whom they do not trust. Blockchain uses a distributed ledger that is shared among all the users. The ledger records all the transactions, which can be created, shared, and validated by other participants of the blockchain through a distributed network of computers. The transactions are highly transparent and accessible by all the participating parties. The structure of Blockchain makes it almost impossible to maliciously tamper with the recorded transactions.
Due to these features, it is widely believed that blockchain could have considerable potential to allow organizations to build their own Cybersecurity systems for logging transactions, messaging, user authentication, and identity and access control management. A typical example is that DARPA recently called for proposals to build a blockchain-based secure messaging system for battlefield usage [3]. In the “edge computing + IoT” context, private blockchains could be built to enable smart contracts that redefine the transactions and interactions among entities without a pre-defined trust relationship.
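The tamper-evidence property described above can be shown in a short program. The following is an added example, not code from the paper: a hash-chained ledger replicated on several edge nodes, with an audit that flags one replica whose record was edited in place and one whose history was rewritten with recomputed hashes. Node names, device names and transactions are constructed, and consensus is reduced to a majority vote on the head hash (an assumption; real blockchains run a full consensus protocol).

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # constructed "previous hash" for the first block
# Constructed sample transactions between IoT devices and edge nodes.
SAMPLE_TX = [
    {"device": "thermostat-3", "action": "offload-task", "to": "edge-a"},
    {"device": "camera-9", "action": "grant-access", "to": "user-42"},
    {"device": "meter-5", "action": "report", "to": "edge-d"},
]


def block_hash(index, prev_hash, tx):
    """Hash a block's contents; the previous block's hash is part of the input."""
    body = json.dumps({"index": index, "prev": prev_hash, "tx": tx},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def append(ledger, tx):
    """Append a transaction record, chaining it to the current head."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    index = len(ledger)
    ledger.append({"index": index, "prev": prev, "tx": tx,
                   "hash": block_hash(index, prev, tx)})


def first_bad_block(ledger):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, blk in enumerate(ledger):
        if (blk["index"] != i or blk["prev"] != prev
                or blk["hash"] != block_hash(i, prev, blk["tx"])):
            return i
        prev = blk["hash"]
    return None


def audit_replicas(replicas):
    """Return (majority_head, {node: verdict}) for the replica held by each node."""
    heads = {n: led[-1]["hash"] for n, led in replicas.items()
             if led and first_bad_block(led) is None}
    majority = Counter(heads.values()).most_common(1)[0][0] if heads else None
    verdicts = {}
    for name, led in replicas.items():
        bad = first_bad_block(led)
        if bad is not None:
            verdicts[name] = f"broken chain at block {bad}"
        elif heads.get(name) != majority:
            verdicts[name] = "valid chain, diverges from majority"
        else:
            verdicts[name] = "ok"
    return majority, verdicts


def rewrite_history(ledger, index, new_tx):
    """Constructed tamper: replace one record and recompute every later hash."""
    forged = []
    for blk in ledger:
        append(forged, new_tx if blk["index"] == index else blk["tx"])
    return forged


def demo():
    honest = []
    for tx in SAMPLE_TX:
        append(honest, tx)
    replicas = {n: copy.deepcopy(honest) for n in ("edge-a", "edge-b", "edge-d")}
    # edge-b edits a stored record in place without touching the hashes.
    replicas["edge-b"][1]["tx"]["to"] = "user-99"
    # edge-c rewrites the same record and re-hashes the rest of the chain.
    replicas["edge-c"] = rewrite_history(
        honest, 1, {"device": "camera-9", "action": "grant-access", "to": "user-99"})
    return honest[-1]["hash"], audit_replicas(replicas)


if __name__ == "__main__":
    honest_head, (majority, verdicts) = demo()
    print("majority head is honest:", majority == honest_head)
    for node, verdict in sorted(verdicts.items()):
        print(node, "->", verdict)
```

The in-place edit is caught by local verification alone, while the fully re-hashed copy is caught only by comparison with the other participants' replicas, which is why the shared, distributed nature of the ledger matters.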
Zero-trust security also becomes possible due to the blockchain’s feature of enabling a trustless environment. Old security models often use a perimeter-based security strategy that trusts entities inside their own networks, which is vulnerable to inside attacks. A zero-trust framework [10] usually means that the participants by default never trust each other and always verify the identities of each other. Such a method would make it difficult for attackers that have compromised an internal endpoint to move laterally toward the targets with sensitive data or content. Moreover, it would ensure that data access and resource usage are secure and auditable. Access control could also be applied more strictly. Potentially, a new zero-trust framework utilizing blockchain could be very useful to build a more secure “edge computing + IoT” environment.
3.2 Opportunity #2: AI and Machine Learning
The revived AI and machine learning (deep learning particularly) technologies have experienced significant developments over the last couple of years, especially with the success of AlphaGo and autonomous driving applications. These technologies work best and produce the best predictive results when there is a large amount of data available for model construction and parameter tuning. In the new “edge computing + IoT” environment, there are also plenty of scenarios in which AI and machine learning technologies could be used for predicting and making intelligent decisions in order to optimize many different things such as resource usage and access scheduling. From the Cybersecurity perspective, it is also a tremendous opportunity to apply AI and machine learning to “edge computing + IoT” to better analyze different cyber behaviors, identify potential threats and vulnerabilities for repairing or patching, and detect malicious attacks. For example, with sufficient collected data and the deduced patterns, deep learning technology could be able to tell or predict whether a specific user’s behavior or action is suspicious and matches a specific type of attack attempt targeting sensitive data, or whether the user is actually the person performing those operations. Such an additional high-level function could provide any organization with another level of defense against potential malicious attacks and identify potential misuses.
Empowered by AI and machine learning technologies, it is also possible to deploy a dedicated automatic robot that silently scans and checks the organization’s environment and activities to see if there are any potential threats, vulnerabilities, or malicious activities going on. It will also identify and detect any misuses and send out reminders. On behalf of the human administrators, such robots could also potentially take prompt actions to respond to some specific threats. With sufficient past data and the construction of a well-trained model, such robots would be very helpful and useful for Cybersecurity.
3.3 Opportunity #3: Lightweight IoT Security
Ubiquitous IoT devices are generally more susceptible to attacks due to limited resources and less network protection. Thus, we need a certain degree of protection against potential attacks. In most cases, we can only look for lightweight methods and algorithms to find a balance between security and power consumption on the devices. Such lightweight algorithms can exist for authentication [6], encryption [14], access control and key exchanges [13]. A typical example of such a lightweight authentication mechanism is the one for 802.11ah or “WiFi HaLow” for low-rate and long-range IoT applications, in which the base station and the IoT devices work together with a much simpler and lightweight authentication mechanism. Since the lightweight solutions are usually not as powerful as the normal ones, it is necessary to make sure that in real usage they meet the specific requirements of the applications. Potentially, a finer-granularity categorizing method is needed to differentiate various levels of requirements in computing complexity and security. By doing this, various lightweight IoT security methods with different levels of complexity could satisfy the specific requirements better. Much research is still needed in this regard, especially for the emerging “edge computing + IoT” environment.
3.4 Opportunity #4: Deception Based Cyber
Defense
Most of the traditional cyber defense mechanisms such as encryption, authentication and access control are passive defenses, which means that they are not actively seeking attackers but trying to make it more difficult for the attackers to break in. Deception based defense is one of the active cyber defense techniques that are used to enhance the cyber defense capabilities of a specific organization. Typical example methods include address hopping, honeypots and network telescopes. Deception and continuous unpredictable changes in network configurations could potentially perplex and confuse the attackers, or lure them toward some pre-deployed honeypot traps [4]. Deception based techniques can also generate a large number of fake credentials on the organization’s network, which makes it difficult for the cyber attackers to gain access to the systems with a set of legitimate user identities. If the attackers use these fake credentials, they will be detected and monitored by security administrators. Once they are logged and tracked, the attackers’ activity traces and records can be further analyzed to understand how they attacked the target system and the general patterns they have used. This knowledge is very useful in fortifying the defense of the organization’s networks. The honeypot traps are usually physical or virtual machines that pretend to be the actual devices while under close monitoring and logging by the security administrators. They aim to mislead the attackers into taking actions in the defenders’ favor or simply wasting time and resources on false targets. However, this is not a one-way street, in the sense that the attackers sometimes can also try to avoid being detected by using different types of methods ranging from a suspicious one to a seemingly normal one. It is expected that deception based cyber defense techniques could play a more important role in keeping large-scale “edge computing + IoT” systems more secure.
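The fake-credential technique described above, as an added example that is not from the paper: decoy account names are generated so that they collide with no real account, any login attempt that uses one raises an alert, and every other event from the same source is pulled for review. The log format, account names and addresses are constructed for illustration.

```python
import re
import secrets
from collections import defaultdict

# Constructed log format: "<timestamp> auth src=<ip> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def make_decoys(real_users, count, prefix="svc"):
    """Generate decoy account names that collide with no real account."""
    decoys = set()
    while len(decoys) < count:
        name = f"{prefix}_{secrets.token_hex(3)}"
        if name not in real_users:
            decoys.add(name)
    return decoys


def analyze(lines, decoys):
    """Flag each use of a decoy credential and trace the source that used it.

    Returns (alerts, traces, skipped): alerts are the decoy hits, traces maps
    each offending source to all of its events, skipped counts unparsed lines.
    """
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            skipped += 1  # keep a count so parsing gaps stay visible
    # No legitimate user owns a decoy, so any use of one is a true signal.
    alerts = [e for e in events if e["user"] in decoys]
    tainted = {e["src"] for e in alerts}
    traces = defaultdict(list)
    for e in events:
        if e["src"] in tainted:
            traces[e["src"]].append(e)
    return alerts, dict(traces), skipped


def accounts_to_review(traces, decoys):
    """Real accounts that a flagged source logged into successfully."""
    return {src: sorted({e["user"] for e in evs
                         if e["user"] not in decoys and e["result"] == "ok"})
            for src, evs in traces.items()}


def demo():
    real = {"alice", "bob", "svc_build"}   # constructed real accounts
    decoys = make_decoys(real, 3)
    bait = sorted(decoys)[0]
    log = [                                 # constructed sample log lines
        "2018-03-01T10:00:01Z auth src=192.0.2.10 user=alice result=ok",
        f"2018-03-01T10:02:14Z auth src=198.51.100.7 user={bait} result=fail",
        "2018-03-01T10:02:40Z auth src=198.51.100.7 user=bob result=ok",
        "corrupted line that does not parse",
        "2018-03-01T10:05:00Z auth src=192.0.2.10 user=bob result=ok",
    ]
    alerts, traces, skipped = analyze(log, decoys)
    return alerts, traces, skipped, accounts_to_review(traces, decoys)


if __name__ == "__main__":
    alerts, traces, skipped, review = demo()
    for a in alerts:
        print("ALERT decoy credential used:", a["ts"], a["src"], a["user"])
    print("accounts to review per source:", review)
    print("unparsed lines:", skipped)
```

In the constructed log, the source that tried a decoy also logged in successfully as a real user, so that account is listed for review even though its own login looked normal.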
3.5 Opportunity #5: Isolated IoT Identity and
Naming Systems Other Than IP
Almost all the current Internet devices are based on IP (IPv4 or IPv6). It brings huge convenience in terms of inter-connectivity by enabling devices to communicate with each other and to get contents and services. Such rich inter-connectivity also makes the administrators’ lives much easier through remote configuration or management. However, the drawback is that it essentially exposes all the systems, including critical industrial control systems such as smart grids, to a dangerous position, because potential hackers could also get access to them by stealing some simple credentials and pretending to be legitimate users. Traditional firewalls can filter some traffic but they mostly use a perimeter-based security method and the firewall filtering is usually based on arbitrary IP addresses. They cannot prevent inside attacks either. To tackle this security challenge, an isolated new identity and naming system different from IP can be useful to separate the IoT devices from the outside world. A typical example is that the host identifiers used in the Host Identity Protocol (HIP) [8] can be used for the IoT devices as a separate identity and naming system other than the IP addresses. With such an overlay identity and naming system, connecting to the IoT devices will require the use of host identities instead of IP addresses. Before two entities can talk to each other, they need to create a binding to share cryptographic keys. This would prevent the outside world from directly accessing critical IoT devices and systems without passing strict security procedures. Similarly, in the future “edge computing + IoT” world, especially for those resource-poor IoT devices in critical systems that need additional protection, an isolated and secure identity and naming system other than IP would be very useful. We envision that there will be quite a few research opportunities in this regard.
4 CONCLUSIONS
The paradigm shift to the Internet of Things (IoT) and the emergence of edge computing are bringing significant benefits for many future IoT applications. They also bring significant Cybersecurity challenges. In this article, we identified and discussed five Cybersecurity challenges and five emerging Cybersecurity opportunities related to this vision. Among these opportunities, creating some synergy between the “edge computing + IoT” platform and the emerging blockchain and AI technologies could potentially generate many useful impacts.
ACKNOWLEDGMENTS
The authors would like to thank Dr. Hongxin Hu and other workshop organizers of the SDN-NFV Sec’18. The work is supported by the National Security Agency (NSA) under grant No.: H98230-17-1-0393 and H98230-17-1-0352, and by a research grant from University of Missouri System Research Board (UMRB).
REFERENCES
[1] Adnan Akhunzada, Ejaz Ahmed, Abdullah Gani, Muhammad Khurram Khan, Muhammad Imran, and Sghaier Guizani. 2015. Securing software defined networks: taxonomy, requirements, and open issues. IEEE Communications Magazine 53, 4 (2015), 36–44.
[2] Sucuri Blog. 2016. Large CCTV Botnet Leveraged in DDoS Attacks. (2016). available at: https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html.
[3] Stan Higgins. 2016. DARPA Seeks Blockchain Messaging System for Battlefield Use. (2016). available at: https://www.coindesk.com/darpa-seeks-blockchain-messaging-system-for-battlefield-back-office-use/.
[4] Quang Duy La, Tony QS Quek, Jemin Lee, Shi Jin, and Hongbo Zhu. 2016. Deceptive attack and defense game in honeypot-enabled networks for the internet of things. IEEE Internet of Things Journal 3, 6 (2016), 1025–1035.
[5] Shankar Lal, Tarik Taleb, and Ashutosh Dutta. 2017. NFV: Security threats and best practices. IEEE Communications Magazine 55, 8 (2017), 211–217.
[6] Jun-Ya Lee, Wei-Cheng Lin, and Yu-Hung Huang. 2014. A lightweight authentication protocol for internet of things. In Next-Generation Electronics (ISNE), 2014 International Symposium on. IEEE, 1–2.
[7] Thomas Morris. 2011. Trusted platform module. In Encyclopedia of cryptography and security. Springer, 1332–1335.
[8] Robert Moskowitz, Pekka Nikander, Petri Jokela, and Thomas Henderson. 2008. Host identity protocol. IETF RFC 5201. available at: https://www.rfc-editor.org/rfc/rfc5201.txt.
[9] Motherboard. 2016. How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet. (2016). available at: https://motherboard.vice.com/en_us/article/8q8dab/15-million-connected-cameras-ddos-botnet-brian-krebs.
[10] Palo Alto Networks. 2016. Whitepaper: Getting Started with a Zero Trust Approach to Network Security. (2016). available at: https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/zero-trust-network-security.
[11] Jianli Pan, Lin Ma, Ravishankar Ravindran, and Peyman TalebiFard. 2016. HomeCloud: An edge cloud framework and testbed for new application delivery. In Telecommunications (ICT), 2016 23rd International Conference on. IEEE, 1–6.
[12] Jianli Pan and James McElhannon. 2017. Future edge cloud and edge computing for internet of things applications. IEEE Internet of Things Journal (2017).
[13] Shahid Raza, Thiemo Voigt, and Vilhelm Jutvik. 2012. Lightweight IKEv2: a key management solution for both the compressed IPsec and the IEEE 802.15.4 security. In Proceedings of the IETF workshop on smart object security, Vol. 23. Citeseer.
[14] Xuanxia Yao, Zhi Chen, and Ye Tian. 2015. A lightweight attribute-based encryption scheme for the Internet of Things. Future Generation Computer Systems 49 (2015), 104–112.