Conference PaperPDF Available

Abstract and Figures

The vast amount of connected devices on the Internet of Things (IoT) creates an enormous potential for new applications, by leveraging synergies arising through the convergence of consumer, business and industrial Internet, and creating open, global networks connecting people, data, and "things". In this context, the SEMIoTICS project aims to develop a pattern-driven framework, built upon existing IoT platforms, to enable and guarantee secure and dependable actuation and semi-autonomic behaviour in IoT/Industrial IoT applications. To achieve this, patterns are used to encode proven dependencies between the security, privacy, dependability and interoperability (SPDI) properties of individual smart objects and corresponding properties of orchestrations (composition) involving them. This paper sketches this approach followed by SEMIoTICS, whereby the SPDI patterns are used to generate IoT orchestrations with proven SPDI properties at design time, while at runtime these properties are monitored in real-time, across system layers, triggering adaptations to return the deployed orchestration to the desired SPDI state, when needed.
Content may be subject to copyright.
Architectural Patterns for Secure IoT Orchestrations
Konstantinos Fysarakis, George Spanoudakis, Nikolaos Petroulakis, Othonas Soultatos,
Arne Br¨
oringand Tobias Marktscheffel§
Sphynx Technology Solutions AG, Zug, Switzerland, Institute of Computer Science,
Foundation for Research and Technology Hellas, Iraklio, Greece, Siemens AG, Corporate Technology
, Munich, Germany, §University of Passau, Passau, Germany
Abstract—The vast amount of connected devices on the
Internet of Things (IoT) creates an enormous potential for
new applications, by leveraging synergies arising through the
convergence of consumer, business and industrial Internet, and
creating open, global networks connecting people, data, and
“things”. In this context, the SEMIoTICS project aims to develop
a pattern-driven framework, built upon existing IoT platforms,
to enable and guarantee secure and dependable actuation and
semi-autonomic behaviour in IoT/Industrial IoT applications. To
achieve this, patterns are used to encode proven dependencies
between the security, privacy, dependability and interoperability
(SPDI) properties of individual smart objects and corresponding
properties of orchestrations (composition) involving them. This
paper sketches this approach followed by SEMIoTICS, whereby
the SPDI patterns are used to generate IoT orchestrations with
proven SPDI properties at design time, while at runtime these
properties are monitored in real-time, across system layers,
triggering adaptations to return the deployed orchestration to
the desired SPDI state, when needed.
Index Terms—security modeling; pattern-based engineering;
internet of things;
I. INTRODUCTION
The introduction of massive numbers of interconnected
smart devices in the IoT era creates significant potential in
various domains, such as industrial and healthcare environ-
ments [1] [2]. Nevertheless, early adopters are faced with
numerous challenges [3] stemming from the intricacies of
the IoT environment, such as their dynamicity, scalability,
and heterogeneity, as well as the end-to-end security, privacy
and Quality of Service (QoS) requirements of each of these
applications domains.
Motivated by the above, project SEMIoTICS
(https://www.semiotics-project.eu/) aims to enable and
guarantee secure and dependable actuation and semi-
autonomic behaviour in IoT/IIoT applications, through a
pattern-driven approach. Patterns are re-usable solutions
to common problems and building blocks to architectures.
The work presented herein focuses on the development of
patterns for orchestration of smart objects and IoT platform
enablers in IoT applications with guaranteed security, privacy,
dependability and interoperability (SPDI) properties. The
achievement of this objective is based on developing patterns
defining generic ways for integrating and orchestrating
different types of smart objects and components that can
guarantee specific SPDI properties, henceforth referred to as
SPDI patterns. This guarantee is based on verification of the
individual properties, via testing or monitoring evidence, a
certificate, and/or formal verification, as appropriate for the
type of properties and the components orchestrated by the
pattern.
Figure 1. High-level view of typical SEMIoTICS deployment
This paper is organised as follows: Section II presents the
concept and the key building blocks of the proposed pattern-
driven IoT service orchestration solution; Section III provides
an example of the use of the solution to guarantee integrity in
the context of a wind park IIoT use case; Section IV presents
related works in the key expertise domains involved, and;
Section V features the concluding remarks and pointers to
future work.
II. CO NC EP T & APPROAC H
Considering the dynamicity, scalability and heterogeneity
of IoT and IIoT ecosystems , as well as the ever-present need
for end-to-end security guarantees, the SEMIoTICS pattern-
driven approach offers a holistic approach covering the Se-
curity, Privacy, Dependability and Interoperability properties
of IoT/IIoT systems. The pattern framework is designed to
cover said properties from both the service orchestration
and actual cyber-physical deployment perspectives. The latter
spans the backend/cloud systems as well as the services and
applications running there, the field layer of a typical IoT/IIoT
deployment where sensors and actuators reside, as well as the
Software Defined Networks (SDN) interconnecting the two
(see Figure 1). Moreover, SPDI patterns are leveraged to cover
both vertical composition of smart objects at different layers
in the implementation stack of IoT applications – including
sensors/actuators, network, infrastructure, IoT platform and
IoT application components – and horizontal composition of
smart objects that appear at any of these layers, as necessary.
The SPDI guarantees are achieved through the verification
of the corresponding properties, which takes place both at
design time, to verify global and/or local level orchestrations
for desired properties based on a model, as well as on run time,
to verify based on registries and the monitoring conditions
(e.g., that monitoring conditions required by patterns are
satisfied). The verification process can also trigger adaptations,
that should by definition guarantee the pursued properties.
To provide a usable solution tailored to the intricacies of
IoT/IIoT environments, the pattern components are augmented
with service orchestration definition capabilities, as well as
real-time monitoring and adaptation mechanisms. The key
building blocks of the provided solution are detailed in the
subsections below.
A. SPDI Property Verification
Pattern-based encoding enables the verification that smart
object orchestrations satisfy certain SPDI properties, and the
generation (and adaptation) of orchestrations in ways that are
guaranteed to satisfy required SPDI properties.
In more detail, machine interpretable SPDI patterns support:
(i) the composition structure of the IoT applications and
platform components; (ii) the end-to-end SPDI properties guar-
anteed by the pattern; (iii) the smart object/component level
SPDI properties required for the end-to-end SPDI properties
to hold; (iv) conditions about pattern components that need
to be monitored at runtime to ensure; (v) end-to-end SPDI
properties; and (vi) ways of adapting and/or replacing individ-
ual IoT application smart objects/components that instantiate
the pattern if it becomes necessary at runtime (e.g., when
some components become unavailable). e Patterns cover all
SPDI properties, including the six core property types, namely
Security (S), broken down to Confidentiality, Integrity and
Availability, as well as Privacy (P), Dependability (D) and
Interoperability (I). Moreover, all three data states are consid-
ered, i.e. Data-in-transit, Data-at-rest, and Data-in-processing,
as well as two cases of IoT platform connectivity, namely
within the SEMIoTICS platform and across IoT platforms;
the latter to support SEMIoTICS interactions with other IoT
platforms.
To enable the above, the SEMIoTICS Pattern Language
is under development, which: (i) provides constructs for
expressing/encoding dependencies between SPDI properties
at the component and at the composition/orchestration level;
(ii) is structural and does not prescribe exactly how the
functions should be executed nor, e.g., how the ports ensure
communication; (iii) it supports the static verification of SPDI
properties; (iv) it is automatically processable by the SEMI-
oTICS framework so that IoT applications can be adapted at
runtime.
Patterns expressed in this language will enable the pattern-
based management process followed in SEMIoTICS, whereby
patterns will be leveraged to encode proven dependencies
between security, privacy, dependability and interoperability
(SPDI) properties of components and corresponding properties
of compositions involving them. The conjunction of the latter
properties is known/proven to entail end-to-end properties.
The encoding of such dependencies between orchestration and
component level SPDI properties enables the following during
the design time of an IoT orchestration and at runtime during
the execution of an IoT orchestration: (i) The verification
at design time that an orchestration satisfies certain SPDI
properties; (ii) The runtime adaptation of orchestrations in
ways that are guaranteed to satisfy required SPDI properties at
the orchestration level. The latter adaptations may take three
forms: (1) to replace particular components of an orchestration,
(2) to change the structure of an orchestration, and (3) a
combination of (1) and (2).
In the work presented herein SPDI patterns cover the
different and heterogeneous orchestration models required for
IoT and IIoT applications, including message-driven, event-
driven and data-driven models [4].
B. Recipes for IoT Orchestrations
When new devices are added to an IoT/IIoT environment,
they need to be connected physically, and the software on
the centralized controller needs to be re-parameterized and
reconfigured. Manually designing composite services is time-
consuming and error-prone, but also unfeasible when consid-
ering the scale of IoT deployments.
Therefore, when designing the composition of services and
devices, the Recipes approach is followed to separate the
design of an IoT service composition from its implemen-
tation [5]. Recipes are used to define an abstract template
of an application, allowing multiple instantiations and reuse,
easy configuration of applications and automated discovery of
matching devices. A semi-automated service composition and
instantiation tool is provided, in order to assist the user in
creating the composition of placeholders for actual services
and devices. Later, these placeholders are replaced with actual
services and devices based on suggestions provided by the
system using semantic reasoning.
In more detail, Recipes define templates for compositions of
Ingredients and their interactions. Ingredients are placeholders
for devices and services that process and transform data. Inter-
actions describe the dataflow between these ingredients. The
Recipe model is a light-weight semantic model that describes
ingredients and interactions semantically. An ingredient of a
Recipe specifies the requirements that should be fulfilled by
concrete devices/services in order to create an application. An
Interaction between the ingredients is defined by creating a
dataflow between them. That is, by connecting the output data
of one ingredient with the input data of another ingredient.
Figure 2. Example of Recipe Definition
In addition to this, an interaction also specifies an operation
that needs to be performed to access the ingredient’s data or
function. A draft of the user interface for the specification of
Recipes is depicted in Figure 2.
Previous works on Recipes are exploited in this regard,
featuring a script-based centralized orchestrator approach [5],
as well as an extension of this approach enabling the dis-
tributed execution of instantiated Recipes as choreographies
[6]. Moreover, the integration of Recipes with SPDI patterns
allows for design-time definition of desired SPDI properties
for the IoT orchestrations, as well as the real-time monitoring
of said properties at runtime, triggering adaptations, if needed.
C. Runtime Monitoring & Adaptation
Ensuring that IoT applications are secure at runtime is a
challenging task due to the complexity and heterogeneity of
the sensing, communication and computational infrastructures
involved, the changing IoT threat landscape, and the plethora
of non-interoperable monitors operating at different layers.
Nevertheless, monitoring the operation of smart objects and
IoT applications at runtime is necessary for: (i) ascertaining
that conditions, which are necessary for the preservation of
the SPDI properties required of them are preserved, and (ii)
maintaining an awareness of their operational context that can
aid the selection of appropriate adaptation actions for them
when the need arises. Existing IoT application enabling plat-
forms offer comprehensive monitoring capabilities, however
these offer either standard built-in checks or platform specific
languages for defining different checks of specific types (e.g.,
intrusion or performance checks). Hence, checks realizable in
one IoT platform are difficult to be ported to other platforms
when dynamic adaptations in the smart objects and structures
of IoT applications (e.g., addition and departure of smart
devices) occur.
Therefore, SPDI-driven runtime monitoring and adaptations
must be enabled by seamless, extensible and adaptive monitor-
ing. This can be achieved through a monitoring management
layer for: (a) instantiating the parametric monitoring condi-
tions of SPDI patterns into concrete monitoring conditions
regarding the particular smart objects that instantiate a pattern;
(b) checking the monitorability of such conditions across dif-
ferent IoT platforms and creating optimal monitoring strategies
for this purpose; (c) configuring automatically the monitors
of IoT enabling platforms as required for different monitoring
strategies; (d) fusing the results of different monitors (possibly
in different platforms) as necessary for the checks; and (e)
seamlessly adapting the monitoring strategies and monitoring
configurations of different IoT enabling platforms following
changes in IoT applications and smart objects to enable
continuous uninterrupted monitoring.
III. APP LI CATI ON EXAMP LE
As an application example, let us consider an IIoT deploy-
ment at a wind park [7], where Data captured by an IIoT
sensor on a Wind Turbine triggers, after analytics, a change in
an actuator’s state (e.g., to avoid possible wind turbine failure).
We further assume that the overarching goal of the system
owners is to have verifiable end-to-end integrity throughout
this process. This scenario is visualized in Figure 3, while
the interaction steps involved in this process are: (i) Sensor
P1captures and transmits data to IIoT Gateway; (ii) Gateway
P2performs analytics on data; (iii) Gateway P2transmits
processed data to backend through the SDN network; (iv)
Backend system P3performs enhanced analytics on received
data; (v) Actionable output is sent from Backend isntance P3
to the Gateway P2; (vi) Relevant data/processing results stored
in Cloud Data Store P4(e.g., to data historian application,
for auditing purposes); (vii) Gateway P2transmits trigger
command to actuator P5.
As depicted in the right side of Figure 3, the end-to-end
integrity property can be broken down into individual integrity
properties, covering different data states, to be pursued at
Figure 3. End-to-end Integrity in Wind Park scenario
design time and monitored/verified at runtime. To simplify
the example, and without loss of generality, we assume that
the connections between sensors, actuators and the Gateway,
as well as the ones between the Backend and the Cloud
services, are protected by secure communication protocols
with integrity provisions, and thus we do not examine the
corresponding properties. A high level definition of the in-
tegrity properties of interesting, using the notation for inputs
and outputs shown in the figure, is as follows:
Data Integrity in-transformation:
1) Out(P2) = F(Out(P1))
2) Out(P3) = F(In(P3))
3) In(P5) = F(In(P2))
4) In(P4) = F(In(P3) Out(P3))
Data Integrity in-transit:
5) In(P3) = Out(P2)
6) In(P2) = Out(P3)
Data Integrity at-rest:
7) Out(P4, t0) = In(P4, t)
End-to-end Data Integrity:
8) In(P5) = F(Out(P1))
The above covers integrity in all data transformations that
happen at the Gateway P2(properties #1, #3) and the Backend
P3(properties #2, #4), as well as the exchange of information
between Gateway and Backend through the SDN communi-
cation infrastructure (properties #5 and #6). Moreover, data
integrity at rest is covered (property #7), where we assume
that a record of the input and output of the Backend system is
stored in a private cloud data store P4at time tfor auditing
purposes, and this is retrieved by another application at time t0.
Finally, the end-to-end property is also defined for the whole
process (property #8), which only holds if all the individual
properties defined above (with the exception of property #7,
which refers to future interactions) also hold.
In terms of verification of the individual properties, these
can be based on testing or monitoring evidence, a certificate
that a component may hold, or formal verification, as appropri-
ate for the type of properties and the smart objects/components
involved. Some hypothetical cases for each of the properties
will be presented here, aiming to cover diverse types of
verification.
For data integrity in transformation taking place at the
Gateway (component P2, properties #1 and #4), we assume
that it comes with a static certificate by the manufacturer, for
the properties carried out internally. An interface should be
declared, where the validity of the certificate can be verified.
In contrast, in the case of transformations taking place at
the backend (component P3, property #2 and #3), we assume
that the IIoT Backend instance has a dynamic certificate,
which is verified at runtime by monitoring internal processes.
To achieve this, data integrity must be monitored internally
at all compute nodes participating in the computation, and
these nodes must have event emission capabilities, therefore
the application code will have to be decorated to enable
this (e.g., with internal hash checks in critical parts of the
internal program functions). An example of such a monitoring
condition that could be evaluated internally could be:
-Happens(writes(n1, M 1), t1,[t1, t1])
HoldsAt(Hash(M1, h1), t1)
-Happens(reads(n2, M 1), t2,[t1, t2])
HoldsAt(Hash(M1, h2), t2)
h2 = h1
In the above, n1is the data being stored in memory position
M1at t1, with a hash of h1, and n2is the data being read
from the same memory position at t2. So, if the two hashes,
h1and h2pass the match check, then the integrity property
holds within the processing functions.
In the case of the integrity in transit property at the SDN
network (properties #5 and #6), we can apply a sequential
integrity in-transit pattern that applies to serial communication
between 3 entities, (C1, C2, C 3). Therefore, serial commu-
nication C1C2C3has integrity, when: C1has
integrity; C1C2communication has integrity; C2C3
communication has integrity.
Then, the individual properties a,b, and ccan be verified
independently, using one of the methods defined above. It
should be noted that this sequential pattern can be applied
to serial communications across layers (e.g., communication
from edge, to SDN and backend, as in the scenario here), as
well as within layers (e.g., within the SDN layer, to verify
properties in exchanges between the SDN Controller and
network switches under its control).
In addition to the above, a simple monitoring-based veri-
fication rule can be defined for the integrity of data at rest
(property #7), where a hash is calculated when data is stored
and when it is retrieved, checking that the two hashes match
(to verify integrity). This monitoring could be implemented
through an external monitoring agent, or within the data
store application, in cases where access to the source code
is available.
Finally, as an example of a potential adaptation that could be
triggered in this scenario we can consider the communication
within SDN which, when verifying properties #5 and #6, is
decomposed to a serial communication such as V N F 1
vSwitch1V N F 2. Then, when applying Sequential In-
tegrity Pattern (as previously presented), vSwitch1is found
not to satisfy the integrity requirement (e.g., its certificate has
expired). This could trigger an adaptation action at the SDN
Controller (where the SDN pattern engine resides) to reroute
traffic within the SDN network to skip vSwitch1and use
vSwitch2instead, which has a valid certificate. The resulting
serial communication V N F 1vSwitch2V N F 2would
satisfy the integrity property, and consequently the end-to-end
integrity property (assuming all other integrity property checks
verified as true), returning the system to the desired state.
IV. REL ATED WORK
Property Verification: The pattern-driven approach of
SEMIoTICS follows the “security-by-design” concept, which
aims to guarantee system-wide security properties by virtue of
the design of the involved systems and their subsystems. This
is leveraged to provide orchestration-level SPDI guarantees,
while encompassing all involved components and entities
which are composed to create the orchestrations (e.g., physical
devices and software). A key capability required in security-
by-design is the ability to verify the desired security properties
as part of the design process. A typical way to achieve
this is using model-based techniques [8], [9], [10], whereby
software component and service compositions are modelled
using formal languages and the required security properties are
expressed as properties on the model [11]. The satisfiability of
the required properties is based on model checking [12], [13].
Other approaches focus on software service workflows using
business process modelling languages (e.g., Sec-MoSC [14]).
Pino et al. [15] use secure service orchestration (SSO) patterns
to support the design of service workflows with required
security properties, leveraging pattern-based analysis to verify
security properties. This avoids full model checking that is
computationally expensive and non-scalable to larger systems,
such as the IoT. Moreover, some model-based approaches
(e.g., [15]) support the transformation of security requirements
to code for automated checking of the required properties,
both at design and at runtime. The SEMIoTICS pattern-driven
framework’s operation is inspired from similar pattern-based
approaches used in service-oriented systems [4], [16], cyber-
physical systems [17], and networks [18], [19], covering more
aspects in addition to Security, and also providing guarantees
and verification capabilities that span both the service orches-
tration and deployment perspectives, as detailed in Section II
above.
Service Composition: There have been attempts to fully
automate the generation of service compositions based on
some user defined request or goal. For example [20] present
a service composition system that enables the goal-driven
configuration of smart environments based on semantic meta-
data and reasoning. Such fully automated approaches are still
facing challenges. The key difficulty lies in the unambiguous
semantic description of the goal and states that lead to the
goal, which is challenging when dealing with more complex
environments, where a lot of devices can interact in a lot of
ways and each has a lot of possible states. In such environ-
ments semantic models become complex, and reasoners turn
to be inefficient when solving goals over them. Due to these
challenges, a semi-automated approach that supports users in
creating service compositions, rather than to fully automate the
process, seems to be the most promising direction. Previous
work has been done in this direction, such as [21], where
optimal service compositions are automatically computed with
support of composition templates. Commercially successful
systems such as “If This Then That” (at ifttt.com) use sim-
ple composition techniques similar to the Recipe concept,
but create and execute centralized orchestrations instead of
decentralized choreographies [22]. The IFTTT platform lacks
systematic engineering support leading to widely duplicated
recipes [23]. Node-RED is another tool that follows a similar
approach, through a browser-based editor that makes it easy
to wire hardware devices, APIs and online services, thereby
creating application flows (specified in JSON). In this work
a semi-automated approach is followed for the definition of
IoT service compositions, via the integration of dependability
patterns (in addition to security, privacy and interoperability),
as detailed above, based on previous work on Recipes [5], [6].
Runtime Monitoring & Adaptation: There is a plethora of
different types of monitors that may operate at different levels;
e.g., at the network level there are Network Management
Systems (NMS) and Security Information and Event Manage-
ment (SIEM) [24]. Computational infrastructures include their
own monitors of different types and with varying topologies
(e.g., on host systems or virtual machines). Typically, these
monitors focus on performance monitoring (e.g., [25]) or mon-
itor incidents and performance at the hypervisor level (e.g.,
[26]). This segmented landscape makes it difficult to obtain
an integrated and holistic run-time picture of IoT applications’
security due to the lack of information sharing and correlation
among the different types of monitoring data that they pro-
duce. System adaptation has also been studied extensively in
the context of service-based and agent-based systems, where
availability of components, functionality, and operational and
context conditions change frequently. Depending on the type
of the adaptation actions supported, existing approaches can
be distinguished into those which modify the behaviour of
the systems (e.g., [27]) and those that alter the compositional
structure of the system and/or the partner services involved in
it (e.g., [28]). Fewer approaches support the adaptation in ways
that can preserve and/or restore security (e.g., [29]). The run-
time monitoring and adaptation mechanisms adopted herein
are inspired from a more comprehensive approach supporting
the runtime adaptation of service compositions in ways that
can guarantee desired security properties, as described in [4]
and [30]. These also align with the pattern-driven IoT service
orchestration pursued by SEMIoTICS, as they leverage secure
service orchestration (SSO) patterns, specifying primitive ways
of composing services that guarantee the satisfaction of spe-
cific security properties (e.g., confidentiality).
V. CONCLUSIONS
This paper presented the SEMIoTICS framework’s approach
towards the development of patterns for orchestration of smart
objects and IoT platform enablers in IoT applications with
guaranteed security, privacy, dependability and interoperability
properties.
Following the finalisation of the framework’s architecture,
the definition of the pattern language and the development
of a first set of SPDI patterns, future work will focus
on the development of concrete mechanisms for automated
translation from application-level IoT recipes into executable
SPDI pattern configurations, the automated reasoning based
on said patterns, as well as their monitoring of those at
runtime, through the implementation of the corresponding
pattern engine components at all layers of the SEMIoTICS
framework. Moreover, an extended evaluation path will be
pursued, comprising of analytical assessments, followed by
simulations of network and applications, as well as final
experiments in real-world testbeds in the areas of industrial
networks and healthcare.
ACKNOWLEDGMENT
This work has received funding from the European Union’s
Horizon 2020 research and innovation programme under grant
agreement No. 780315 (SEMIoTICS).
REFERENCES
[1] Hatzivasilis, G. et al., ”The industrial internet of things as an enabler
for a circular economy Hy-LP: a Novel IIoT protocol, evaluated on
a wind park’s SDN/NFV-enabled 5G industrial network”, Computer
Communications, 119, 127-137, 2018.
[2] Katsikeas S. et al., ”Lightweight & secure industrial IoT communications
via the MQ telemetry transport protocol” 2017 IEEE Symposium on
Computers and Communications (ISCC), Heraklion, 2017, pp. 1193-
1200.
[3] Botta A. et al., “Integration of Cloud computing and Internet of Things:
A survey,” Futur. Gener. Comput. Syst., vol. 56, pp. 684–700, 2016
[4] Pino L. et al., ”Discovering Secure Service Compositions”. 4th Interna-
tional Conference on Cloud Computing and Services Sciences (CLOSER
2014), Barcelona, Spain, April 2014
[5] Thuluva, A.S. et al., ”Recipes for IoT Applications”. In Proc. of the 7th
Int. Conference on the Internet of Things (IoT 2017), 22.-25. October
2017, Linz, Austria. ACM.
[6] Seeger, J., R.A. Deshmukh, A. Br¨
oring, ”Running Distributed and Dy-
namic IoT Choreographies”. Global Internet of Things Summit (GIoTS
2018), 4.-7. June 2018, Bilbao, Spain. IEEE.
[7] Sakic E. et al., ”VirtuWind – An SDN- and NFV-Based Architecture
for Softwarized Industrial Networks”. In proc. Measurement, Modelling
and Evaluation of Computing Systems. MMB 2018. LNCS, vol 10740,
Springer, 2018.
[8] Bartoletti M, et al. ”Semantics-based design for secure web services.”
Software Engineering, IEEE Trans. on, 2008.
[9] Deubler M., et al. ”Sound development of secure service-based systems.
In Proc. of the 2nd Int. Conf. on Service oriented computing. ACM, 2004.
[10] Geor G., et al. ”Verification and trade-off analysis of security properties
in UML system models.” IEEE Trans. on Software Engineering, 36(3):
338-356, 2010.
[11] Dong, J., et al, “Automated verification of security pattern composi-
tions”. Inf. Softw. Technol., vol. 52, no. 3, 2010.
[12] Siveroni I., Zisman A., Spanoudakis G.: ”A UML-Based Static Verifica-
tion Framework for Security, Requirements”, Engineering Journal, 15(1):
95-118, 2010.
[13] Rossi, S.; “Model checking adaptive multilevel service compositions”;
International Workshop of Formal Aspects of Component Software 2010.
[14] Andre R. Souza, et al. “Incorporating Security Requirements into Service
Composition: From Modelling to Execution”, in ICSOC-ServiceWave
’09, 2009.
[15] Pino L., Mahbub K., Spanoudakis G., ”Designing Secure Service
Workflows in BPEL”, International Conference on Service-Oriented Com-
puting, 2014.
[16] Pino L., et al. ”Pattern Based Design and Verification of Secure Service
Compositions.” IEEE Trans. on Services Computing (2017).
[17] Ma˜
na A et al., ”Extensions to Pattern Formats for Cyber Physical
Systems.” Proceedings of the 31st Conference on Pattern Languages of
Programs (PLoP’14. Monticello, IL, USA. Sept. 2014.
[18] Petroulakis N. et al., ”Patterns for the design of secure and dependable
software defined networks.” Computer Networks 109 (2016): 39-49
[19] Petroulakis N. et al., ”Fault Tolerance Using an SDN Pattern Frame-
work”, 2017 IEEE Global Communications Conference (GLOBECOM),
2017
[20] Mayer S. et al., ”Smart Configuration of Smart Environments”. IEEE
Trans. on Automation Science and Engineering 13, 3 (2016), 1247–1255.
[21] L´
ecu´
e F. et al., ”SOA4All: An innovative integrated approach to services
composition”. In Web Services (ICWS), IEEE International Conference
on. IEEE, 58–67, 2010.
[22] Ovadia S., ”Automate the Internet With If This Then That (IFTTT)”.
Behavioral & Social Sciences Librarian 33, 4 (2014), 208–211
[23] Ur B. et al., ”Trigger-Action Programming in the Wild: An Analysis of
200,000 IFTTT Recipes”, In Proc. of 2016 CHI Conference on Human
Factors in Computing Systems (CHI ’16). 3227–3231, 2016.
[24] Network Monitoring Tools, https://stanford.io/1KZttzT
[25] Nagios, http://www.nagios.org/
[26] Amazon Cloudwatch, http://aws.amazon.com/cloudwatch
[27] Console L. et al., “WS-DIAMOND: an approach to Web Services -
DIAgnosability, MONitoring and Diagnosis,” in e-Challenges Conf. 2007,
The Hague, Oct. 2007.
[28] Ardagna D. et al., “Adaptive Service Composition in Flexible Processes,
IEEE Trans. Software Eng., vol. 33, no. 6, pp. 369–384, 2007.
[29] Khan K.M. et al., ”Security oriented service composition: A framework”.
In Proc. of International Conference on Innovations in Information
Technology (IIT), pp. 48-53, 2012.
[30] Pino L. et al., ”Finding Secure Compositions of Software Services:
Towards A Pattern Based Approach”, 5th IFIP Int. Conf. on New
Technologies, Mobility & Security, Turkey, 2012
... • Aggregation, adaptation, and specification of patterns based on a novel pattern specification language defined for that purpose (as detailed in our previous works [9][10][11]), focusing on the core properties of Security and Privacy, while also briefly covering additional properties related to Dependability and Interoperability. These patterns include adaptations of concepts identified by surveying the relevant literature as well as original patterns developed within the SEMIoTICS project. ...
... (accessed on 2 December 2020))), visualizing the Ecore part of the EMF metamodel, which contains the information about the defined classes. A detailed representation of the pattern language and model is presented in our previous work [9,10]. ...
Article
Full-text available
Security and privacy (SP)-related challenges constitute a significant barrier to the wider adoption of Internet of Things (IoT)/Industrial IoT (IIoT) devices and the associated novel applications and services. In this context, patterns, which are constructs encoding re-usable solutions to common problems and building blocks to architectures, can be an asset in alleviating said barrier. More specifically, patterns can be used to encode dependencies between SP properties of individual smart objects and corresponding properties of orchestrations (compositions) involving them, facilitating the design of IoT solutions that are secure and privacy-aware by design. Motivated by the above, this work presents a survey and taxonomy of SP patterns towards the creation of a usable pattern collection. The aim is to enable decomposition of higher-level properties to more specific ones, matching them to relevant patterns, while also creating a comprehensive overview of security- and privacy-related properties and sub-properties that are of interest in IoT/IIoT environments. To this end, the identified patterns are organized using a hierarchical taxonomy that allows their classification based on provided property, context, and generality, while also showing the relationships between them. The two high-level properties, Security and Privacy, are decomposed to a first layer of lower-level sub-properties such as confidentiality and anonymity. The lower layers of the taxonomy, then, include implementation-level enablers. The coverage that these patterns offer in terms of the considered properties, data states (data in transit, at rest, and in process), and platform connectivity cases (within the same IoT platform and across different IoT platforms) is also highlighted. Furthermore, pointers to extensions of the pattern collection to include additional patterns and properties, including Dependability and Interoperability, are given. Finally, to showcase the use of the presented pattern collection, a practical application is detailed, involving the pattern-driven composition of IoT/IIoT orchestrations with SP property guarantees.
... The ability to acquire and freely correlate data from different sources (smart markets, transportation, smart grid, smart schools, smart hospitals, smart factories, etc.) allows treating such systems in terms of complex systems and using algorithms for the prediction or planning of resource consumption, e.g., energy. Structured access to the system for the acquisition and processing of data prepared using a universal model will allow the relatively easy implementation of new mechanisms for the orchestration of IoT elements [30][31][32] and an adaptation to new methods of connecting resources in distributed IoT systems [33]. ...
Article
Full-text available
IoE components are becoming an integral part of our lives and support the operation of systems such as smart homes, smart cities, or Industry 4.0. The large number and variety of IoE components force the creation of flexible systems for data acquisition, processing, and analysis. The work presents a proposal for a new flexible architecture model and technology stack designed for the diagnostics and monitoring of industrial components and processes in an IoE device environment. The proposed solutions allow creating custom flexible systems for managing a distributed IoT environment, including the implementation of innovative mechanisms like, for example: predictive maintenance, anomaly detection, business intelligence, optimization of energy consumption, or supervision of the manufacturing process. In the present study, two detailed system architectures are proposed, and one of them was implemented. The developed system was tested in near-production conditions using a real IoT device infrastructure including industrial systems, drones, and sensor networks. The results showed that the proposed model of a central data-acquisition and -processing system allows the flexible integration of various IoE solutions and has a very high implementation potential wherever there is a need to integrate data from different sources and systems.
... Paper Fysarakis et al. (2019) discusses a pattern-driven framework solution to encode dependencies between the security concerns mentioned in "Security and privacy concerns" section. More specifically, paper Fysarakis et al. (2019) presents orchestration models required for IoT and IIoT applications to guarantee quality properties including security, privacy. In the same direction but more on the trustfulness, paper Pahl et al. (2018) proposes an architecture pattern based on blockchain to ensure the identity of hardware devices and software applications, the origin and integrity of data and the contractual nature of orchestration. ...
Article
Full-text available
Security of the Internet of Things (IoT)-based Smart Systems involving sensors, actuators and distributed control loop is of paramount importance but very difficult to address. Security patterns consist of domain-independent time-proven security knowledge and expertise. How are they useful for developing secure IoT-based smart systems? Are there architectures that support IoT security? We aim to systematically review the research work published on patterns and architectures for IoT security (and privacy). Then, we want to provide an analysis on that research landscape to answer our research questions. We follow the well-known guidelines for conducting systematic literature reviews. From thousands of candidate papers initially found in our search process, we have systematically distinguished and analyzed thirty-six (36) papers that have been peer-reviewed and published around patterns and architectures for IoT security and privacy in the last decade (January 2010–December 2020). Our analysis shows that there is a rise in the number of publications tending to patterns and architectures for IoT security in the last three years. We have not seen any approach of applying systematically architectures and patterns together that can address security (and privacy) concerns not only at the architectural level, but also at the network or IoT devices level. We also explored how the research contributions in the primary studies handle the different issues from the OWASP Internet of Things (IoT) top ten vulnerabilities list. Finally, we discuss the current gaps in this research area and how to fill in the gaps for promoting the utilization of patterns for IoT security and privacy by design.
... Paper Fysarakis et al. (2019) discusses a pattern-driven framework solution to encode dependencies between the security concerns mentioned in "Security and privacy concerns" section. More specifically, paper Fysarakis et al. (2019) presents orchestration models required for IoT and IIoT applications to guarantee quality properties including security, privacy. In the same direction but more on the trustfulness, paper Pahl et al. (2018) proposes an architecture pattern based on blockchain to ensure the identity of hardware devices and software applications, the origin and integrity of data and the contractual nature of orchestration. ...
Preprint
Full-text available
Security for the Internet of Things (IoT) is of paramount importance but very difficult to address. Security patterns consist of domain-independent time-proven security knowledge and expertise. How are they useful for developing secure IoT systems? Are there architectures that support IoT security? We aim to systematically review the research work published on patterns and architectures for IoT security (and privacy). Then, we want to provide an in-depth analysis on that research landscape to answer our research questions. We follow the well-known guidelines for conducting systematic literature reviews. From thousands of candidate papers initially found in our search process, we have systematically distinguished and analyzed thirty-six (36) papers that have been peer-reviewed and published around patterns and architectures for IoT security and privacy in the last decade (January 2010-December 2020). Our analysis shows that there is a rise in the number of publications tending to patterns and architectures for IoT security in the last three years. Within this rise, we see that most patterns and architectures are applicable to all IoT systems, while some are limited within specific domains. We have not seen any approach of applying systematically architectures and patterns together that can address security (and privacy) concerns not only at the architectural level, but also at "weak link" at the network or IoT devices level. We also accumulated how the research contributions in the primary studies handle the different issues presented by the OWASP Internet of Things (IoT) top ten vulnerabilities list. Indeed, our study shows that the last decade marked the beginning of the research effort on patterns for IoT security and privacy. We discuss the current gaps in this research area and how to fill in the gaps for promoting the utilization of patterns for IoT security and privacy by design.
... When it comes to patterns, we want to highlight papers #3, #8, and #11. Paper #3 by Fysarakis et al. [17] discusses a pattern-driven framework solution to encode dependencies between the security concerns mentioned in Section IV-C. Paper #8 by Syed et al. [18] shows a misuse pattern for Distributed Denial of Service (DDoS) in IoT. ...
... When it comes to patterns, we want to highlight papers #3, #8, and #11. Paper #3 by Fysarakis et al. [17] discusses a pattern-driven framework solution to encode dependencies between the security concerns mentioned in Section IV-C. Paper #8 by Syed et al. [18] shows a misuse pattern for Distributed Denial of Service (DDoS) in IoT. ...
Preprint
We have entered a tremendous computerized revolution of the Internet of Things (IoT) era when everything is connected. The popularity of IoT systems makes security for the IoT of paramount importance. Security patterns consist of domain-independent time-proven security knowledge and expertise. Would they be applicable to develop secure IoT systems? We aim to draw a research landscape of patterns and architectures for IoT security by conducting a systematic literature review. From more than a thousand of candidate papers, we have systematically distinguished and analyzed twenty-two (22) papers that have been published around patterns and architectures for IoT security (and privacy). Our analysis shows a rise in the number of publications tending to security patterns and architectures in the last two years. Within this rise, we see that most patterns and architectures are applicable for all IoT systems, while some are limited within specific domains. However, there are gaps in this research area that can be filled in to promote the utilization of patterns for IoT security and privacy.
Article
Complex and large software-intensive systems are increasingly present in several application domains, including Industry 4.0, connected health, smart cities, and smart agriculture, to mention a few. These systems are commonly composed of diverse other systems often developed by different organizations using various technologies and, as a consequence, interoperability among these systems becomes difficult. Many architectural strategies for interoperability have already been proposed; however, selecting adequate strategies is challenging. Additionally, it lacks an overview of such strategies. This work presents TASIS, a typology of architectural strategies for the interoperability of software-intensive systems. We also validated it with 33 practitioners from different countries with an extensive experience in integration projects. This work also offers 12 industry-based association rules that suggest how to combine those strategies to mitigate issues at different interoperability levels. As a result, our typology can serve as a starting point to further aggregate new strategies and, ultimately, supports software architects in designing interoperability-driven architectural solutions.
Chapter
The design of the Internet of Things (IoT) system is a complex process, not only in terms of the balance between resource consumption and extensive functionality but also in the context of security. As various technical devices are now widespread and have access to all kinds of critical information, they become one of the main targets for attackers. Consequently, it is vital to consider the IT security aspect during the development of any system. A practical way to do it is to use security patterns. There are many different patterns that can address particular problems, but not all of them are suitable due to the wide range of requirements in such systems. In this paper, we present a systematic collection and categorisation of IoT-applicable security patterns and analyse gaps in recent research works related to security. We provide a catalogue of 61 patterns organised in a top-down approach that follows the World Forum’s IoT Architecture Reference Model, this collection is able to play an important role in the future development of secure IoT solutions.
Article
Full-text available
Internet of Things (IoT) systems are exposed to a large variety of threats due to the inclusion of many devices which may have different owners and manufacturers. IoT applications often include parts in clouds and fogs as well as being part of larger cyber-physical systems; that is, these systems are very complex, which also contributes to their security problems. The design of IoT-based applications must be able to handle this complexity and heterogeneity; patterns are a good approach for this purpose because of their abstraction power. When using patterns, a good catalog is necessary. We survey and classify existing IoT security patterns to see their coverage and quality to evaluate how appropriate they are to be part of a useful catalog. A practical catalog must cover most of the standard security mechanisms. Pattern descriptions include several sections according to a template. We conclude that the number of existing patterns is insufficient for a working catalog and most of them are incomplete or use different descriptions; we need to build a unified catalog. We have started in that direction by creating new patterns or rewriting existing patterns to make them follow a common description. To use the patterns we need a secure development methodology and we survey IoT development methodologies; we find that none of them considers security or uses patterns. As a solution, we propose modifying existing pattern-based methodologies for distributed systems, of which there is a good variety, using one of them as reference for concreteness. We provide a list of possible research directions about these topics.
Article
Full-text available
Smart interconnected devices, including Cyber-Physical Systems (CPS), permeate our lives and are now an integral part of our daily activities, paving the way towards the Internet of Things (IoT). In the industrial domain, these devices interact with their surroundings and system operators, while often also integrating industrial cloud applications. This 4th Industrial Revolution guides new initiatives, like the introduction of 5th Generation Mobile Networks (5G), to implement exible, effcient, QoS- and energy- aware solutions that are capable of serving numerous heterogeneous devices, bringing closer the vision of a sustainable, Circular Economy. However, the lack of interoperable solutions that will accommodate the integration, use and management of the plethora of devices and the associated services, hinders the establishment of smart industrial environments across the various vertical domains. Motivated by the above, this paper proposes the Hy-LP - a novel hybrid protocol and development framework for Industrial IoT (IIoT) systems. Hy-LP enables the seamless communication of IIoT sensors and actuators, within and across domains, also facilitating the integration of the Industrial Cloud. The proposed solution is compared with existing standardised solutions on a common application, working around the protocols' intrinsic characteristics and features to produce each variant. The developed systems are evaluated on a common testbed, demonstrating that the proposed solution is around 10 times faster for the same CPU usage level, while consuming 7 times less memory. Moreover, the applicability of the proposed solutions is validated in the context of a real industrial setting, analyzing the network characteristics and performance requirements of an actual, operating wind park, as a representative use case of industrial networks.
Conference Paper
Full-text available
IoT systems are growing larger and larger and are becoming suitable for basic automation tasks. One of the features IoT automation systems can provide is dealing with a dynamic system -- Devices leaving and joining the system during operation. Additionally, IoT automation systems operate in a decentralized manner. Current commercial automation systems have difficulty providing these features. Integrating new devices into an automation system takes manual intervention. Additionally, automation systems also require central entities to orchestrate the operation of participants. With smarter sensors and actors, we can move control operations into software deployed on a decentralized network of devices, and provide support for dynamic systems. In this paper, we present a framework for automation systems that demonstrates these two properties (distributed and dynamic). We represent applications as semantically described data flows that are run decentrally on participating devices, and connected at runtime via rules. This allows integrating new devices into applications without manual interaction and removes central controllers from the equation. This approach provides similar features to current automation systems (central engineering, multiple instantiation of applications), but enables distributed and dynamic operation. We demonstrate satisfying performance of the system via a quantitative evaluation.
Chapter
Full-text available
VirtuWind proposes the application of Software Defined Networking (SDN) and Network Functions Virtualization (NFV) in critical infrastructure networks. We aim at introducing network programmability, reconfigurability and multi-tenant capability both inside isolated and inter-connected industrial networks. Henceforth, we present the design of the VirtuWind architecture that addresses the requirements of industrial communications: granular Quality of Service (QoS) guarantees, system modularity and secure and isolated per-tenant network access. We present the functional components of our architecture and provide an overview of the appropriate realization mechanisms. Finally, we map two exemplary industrial system use-cases to the designed architecture to showcase its applicability in an exemplary industrial wind park network.
Conference Paper
Full-text available
The Internet of Things (IoT) is on rise. More and more physical devices and their virtual shadows emerge and become accessible through IoT platforms. Marketplaces are being built to enable and monetize the access to IoT offerings, i.e., data and functions offered by platforms, things, and services. In order to maximize the usefulness of such IoT offerings we need mechanisms that allow their efficient and flexible composition. This paper describes a novel approach for such compositions. The approach is based on the notion of Recipes that define work-flows on how their ingredients, i.e., instances of IoT offerings, shall interact with each other. Furthermore the paper presents a novel user interface that enables users to create and instantiate recipes by selecting their ingredients. An example from the smart mobility domain guides through the paper, illustrates our approach, and demonstrates as a proof-of-concept.
Conference Paper
Full-text available
Massive advancements in computing and communication technologies have enabled the ubiquitous presence of interconnected computing devices in all aspects of modern life, forming what is typically referred to as the “Internet of Things”. These major changes could not leave the industrial environment unaffected, with “smart” industrial deployments gradually becoming a reality; a trend that is often referred to as the 4th industrial revolution or Industry 4.0. Nevertheless, the direct interaction of the smart devices with the physical world and their resource constraints, along with the strict performance, security, and reliability requirements of industrial infrastructures, necessitate the adoption of lightweight as well as secure communication mechanisms. Motivated by the above, this paper highlights the Message Queue Telemetry Transport (MQTT) as a lightweight protocol suitable for the industrial domain, presenting a comprehensive evaluation of different security mechanisms that could be used to protect the MQTT-enabled interactions on a real testbed of wireless sensor motes. Moreover, the applicability of the proposed solutions is assessed in the context of a real industrial application, analyzing the network characteristics and requirements of an actual, operating wind park, as a representative use case of industrial networks.
Article
Ensuring the preservation of security is a key requirement and challenge for Service-Based Systems (SBS) due to the use of third party software services not operating under different security perimeters. In this paper, we present an approach for verifying the security properties of SBS workflows and adapting them if such properties are not preserved. Our approach uses secure service composition patterns. These patterns encode proven dependencies between service level and workflow level security properties. These dependencies are used in reasoning processes supporting the verification of SBS workflows with respect to workflow security properties and their adaptation in ways that guarantee the properties if necessary. Our approach has been implemented by extending the Eclipse BPEL Designer and validated experimentally. The experimental evaluation has produced positive results, indicating that even for complex workflows and large sets of secure service composition patterns verification can be performed efficiently.
Article
In an interconnected world, cyber and physical networks face a number of challenges that need to be resolved. These challenges are mainly due to the nature and complexity of interconnected systems and networks and their ability to support heterogeneous physical and cyber components simultaneously. The construction of complex networks preserving Security and Dependability (S&D) properties is necessary to avoid system vulnerabilities, which may occur in all the different layers of Software Defined Networking (SDN) architectures. In this paper, we present a model based approach to support the design of secure and dependable SDN. This approach is based on executable patterns for designing networks able to guarantee S&D properties and can be used in SDN networks. The design patterns express conditions that can guarantee specific S&D properties and can be used to design networks that have these properties and manage them during their deployment. To evaluate our pattern approach, we have implemented executable pattern instances, in a rule-based reasoning system, and used them to design and verify wireless SDN networks with respect to availability and confidentiality. To complete this work, we propose and evaluate an implementation framework in which S&D patterns can be applied for the design and verification of SDN networks.
Conference Paper
While researchers have long investigated end-user programming using a trigger-action (if-then) model, the website IFTTT is among the first instances of this paradigm being used on a large scale. To understand what IFTTT users are creating, we scraped the 224,590 programs shared publicly on IFTTT as of September 2015 and are releasing this dataset to spur future research. We characterize aspects of these programs and the IFTTT ecosystem over time. We find a large number of users are crafting a diverse set of end-user programs---over 100,000 different users have shared programs. These programs represent a very broad array of connections that appear to fill gaps in functionality, yet users often duplicate others' programs.
Article
One of the central research challenges in the Internet of Things and Ubiquitous Computing domains is how users can be enabled to “program” their personal and industrial smart environments by combining services that are provided by devices around them. We present a service composition system that enables the goal-driven configuration of smart environments for end users by combining semantic metadata and reasoning with a visual modeling tool. In contrast to process-driven approaches where service mashups are statically defined, we make use of embedded semantic API descriptions to dynamically create mashups that fulfill the user’s goal. The main advantage of our system is its high degree of flexibility, as service mashups can adapt to dynamic environments and are fault-tolerant with respect to individual services becoming unavailable. To support users in expressing their goals, we integrated a visual programming tool with our system that allows to model the desired state of a smart environment graphically, thereby hiding the technicalities of the underlying semantics. Possible applications of the presented system include the management of smart homes to increase individual well-being, and reconfigurations of smart environments, for instance in the industrial automation or healthcare domains.