A current trend is the introduction of "smart" utility accounting systems as one of the components of a "smart city" concept in particular and the development of the "Internet of things" in general. This causes threats to information security when transmitting information from metering devices via wireless communication channels to billing centers. The article is devoted to the analysis of these threats and the forecast of ways to protect against them. The purpose of the article is to develop additional recommendations for the safe use of narrow-band wireless networks of the "Internet of things", used in wireless automated systems for accounting for resource consumption.
resources, as well as improving the speed and quality of data collection, maintaining objective statistics, and improving consumer payment discipline [5].
According to forecasts of the International Wireless Research forum, the number of things united in a single network by 2020 will amount to 7 trillion. units. According to Cisco, the cost volume of devices connected to the Internet in the current decade is estimated at 14.4 trillion US dollars. The results of the Cisco review showed that 99 % of physical devices are not yet connected, which opens up huge prospects for growth and development of the concept, and according to some experts – in the future, this will lead to the formation of the Internet of things economy. In general, the maximum value of the number of things that can be linked into a single network is estimated as 3,000-5,000 units per person, which makes it possible to talk about the prospects of combining up to 50 trillion things connected to a unified information exchange network.
The introduction of the concept of the Internet of things and its accompanying technologies on one hand opens up undeniable opportunities for modern organizations, and on the other hand generates new threats to information security, some of which are of a specific nature, therefore, is not yet well understood by managers, businessmen and society as a whole.
The main concept of IoT is the ability to connect all sorts of objects (things) that a person can use in everyday life. All these objects should be equipped with built-in sensors or sensors that can process information coming from the environment, as well as controlled objects, exchange it and perform various actions depending on the information received.
Currently in the process of application, the Internet of things poses threats to information security that limit its widespread use. Messages such as hacking of Internet-connected devices, surveillance problems and concerns about personal privacy attract the attention of its existing and potential users [6].
A type of Internet of things technology is resource accounting systems, which are designed to collect data from various devices (sensors) for their accounting. Ensuring the information security of wireless resource accounting systems is a determining factor and a difficult task when creating and operating them [7]. The main vulnerabilities of these systems can be considered as: vulnerability of channels to accessing and spoofing messages, since the transmission medium is public; not secure nodes, because they are located in open places; the lack of infrastructure makes classical security systems inapplicable; based on the nature of the radio channel, approaches to ensuring information security in wireless networks differ significantly from approaches to implementing information security in wired networks;
the lack of a clear topology in wireless networks, so that each node can move freely, which makes it easier for a cybercriminal to attack.
The purpose of the article is to develop additional recommendations for the safe use of narrowband wireless networks of the "Internet of things", used in wireless automated systems for accounting for resource consumption.
A significant number of IoT devices are connected through gateways based on local and personal networks in radio frequency bands used in a simplified manner. At the same time, the gateways themselves can then be connected via cellular mobile networks or narrow-band wireless IoT networks [8].
Although narrowband wireless IoT networks are not considered the most widespread segment of wireless technologies for IoT, this type of network is intended to connect IoT devices in many industries for a wide range of applications that will be difficult or impossible to implement using other types of wireless communication [9]. Let's highlight the most significant areas of application of the Internet of things [10]: Mechanism management (M2M, automated process control system); Monitoring of consumption of resources; Transport and logistics; Security monitoring; Smart home appliances; Collecting statistics and determining trends.
Let's consider typical solutions for building wireless automated resource consumption accounting systems.
1. Household water meters with built-in radio modem for data transmission to the control room.
This type of device is a combination in a single housing of a device for measuring water consumption and a module for collecting and transmitting data on water consumption over a wireless communication channel [11]. The advantages of this type of device include ease of installation and operation. In addition, there are devices of this type on the market, produced by domestic companies and using proprietary radio modules. These devices can encrypt the transmitted data. For data transmission, both LPWAN (XNB) protocols can be used, which require the deployment of their own base stations for data collection, and NB -IoT protocols, which use the services of mobile operators [12] (SIM-card availability and payment for transmitted traffic are required [13]).
2. Household water meters with the ability to connect wireless data transfer devices to the control room.
This solution requires connecting an external radio module and antenna to the water meter to transmit data using cables of various lengths. RS485 and RS232 protocols can be used for data transmission over the cable. In this type of solution, a connected wireless data transfer device can be used with either one counter or simultaneously with several. However, data can be collected simultaneously from both water meters and gas and electricity meters. For data transmission, both LPWAN family protocols can be used, which require the deployment of their own base stations for data collection, and NB -IoT protocols, which use the services of mobile operators (you need to have a SIM card and pay for the transmitted traffic). Since the data transfer device can collect information from several counters and has a significant price, it is advisable to use this solution in apartment buildings, for example, by combining counters in apartments within a floor of a single entrance. For use in private households, it is necessary to place an outdoor installation cabinet, where the data transmission device and antenna will be located (possibly a backup power supply system). In this case, you will need to connect the meter cables located in the wells to the data transmission device located in the installation cabinet.
3. Household water meters with the ability to transfer data to a nearby device.
The solution of this type includes water meters with Bluetooth Low Energy radio modules, remote displays that can receive data via Bluetooth, mobile applications on consumers' phones, as well as a personal account of the management company on the developer's server, where data is centrally accumulated. In this solution, meter readings are transmitted over the radio channel to the mobile app or to a remote display. The transmission distance is up to 10 meters. The mobile application receives data from the counter via Bluetooth, then the user's phone transmits the information to the personal account of the management company on the developer's server via Internet channels available to it (WI-Fi, GSM). This solution is characterized by the low cost of hardware. No additional technical infrastructure is required to collect information from consumers. However, the terms and prices for registering a personal account on the developer's server for managing companies are not clear. The main share of profit under this business model is earned by the developer on this procedure when interacting with management companies. There is no way to oblige consumers to send counter readings with a certain frequency.
It is worth noting that the Internet of things, as a rule, consists of portable devices with low power consumption, a small form factor and limited capabilities. Also, most often, devices are unmanaged, i.e. they work without the participation of an operator, who could enter credentials or make a decision about how much the team or application is trusted [14], so the devices must independently make such decisions. Therefore, when building the architecture of IoT systems, you should pay attention to the “dangerous features” zones (areas) in these systems where threats to information security can b implemented [15]: for example, a data collection server; a database; a radio channel between the subscriber's transmission device and the data collection base station; interfacing of the mechanical and electronic parts of the counter, etc.
The security of the Internet of things becomes a key aspect when building such networks. Having gained access to one device, an attacker can get into the network, and then any confidential information is exposed to threats [16]. Hence, the relevance of information security issues in such networks, where it is necessary to take into account the limitations of devices included in them [17].
Applying traditional methods of protecting IoT devices, such as encryption, identification/authentication, and implementing physical security measures [18], requires significant reengineering and adaptation, as devices have many limitations. The main problem with using IoT networks is that they do not have protection from malicious attacks. This can lead, at best, to damage to the user's property, and at worst – to their health and life. For example, devices that monitor and control the electrical network can be hijacked by an attacker using any device that has access to the Internet and related software. Having obtained full or partial control of the device, an attacker can disable or damage electrical devices, including critical devices (life support systems in hospitals, industrial monitoring systems, security systems, etc.), create short circuits in the network, and even cause a fire or accident, if it is a production. That is why there is an urgent problem of researching the security of the Internet of things and, in particular, the security of the user, his property and personal information that is transmitted, processed and stored in IoT networks.
Due to their portability, IoT devices are physically accessible to hackers, and can be stolen to gain access to confidential data and establish communication with other network devices. To prevent this threat, you need to provide physical protection, for example, by using protective covers on devices or enclosures that restrict direct access to devices.
In addition to direct access, devices can provide remote access to update configuration data or software. To protect against this, you must provide for closing the software ports and applying strong passwords at the download and firmware update level, which will prevent access to the device if it is compromised.
Also, many IoT devices become vulnerable to cyberattacks because their software is not updated in a timely manner [19]. To minimize such risks, we recommend implementing automatic updates by default. In addition, you should pay attention to the organization of data storage on the devices themselves, because often this information is related to the user's personal data, financial transaction data, and data about critical objects in various fields of activity. Safety must be ensured both during the entire time of operation of the product and after its decommissioning.
To protect networks, "strong authentication" methods must be provided, including, for example, two-factor authentication, assigning "hard" unique identification and authentication data, and using modern secure protocols. Cryptographic algorithms must be adapted to the Internet of Things network. In order to minimize the risks of denial-of-service attacks against devices, it is recommended to limit the bandwidth of the Internet of Things network of devices, both at the software and hardware levels. If suspicious traffic is detected, the devices must provide an alarm capability with subsequent analysis of the detected threat. If the device is compromised, it should be possible to immediately erase key information used in cryptographic operations. IoT devices should transmit and process only the information that is necessary for the implementation of their main functions.
In addition to the heterogeneity of networks, a feature of the Internet of Things is that devices have different computing resources, bandwidth, and support different technologies and protocols. The lack of unified standards and protocols remains a serious problem when building a network of "things". Also, many "things" have limited power supply capabilities and must support power-saving modes. These features of the Internet of Things also impose limitations when building a security system on such a network.
The usual methods of protecting information in wireless networks may not be sufficient, or they may not be applicable due to the limitations imposed by the Internet of Things network. Therefore, the security subsystem must be designed to provide protection for devices and gateways, the transmission network, and applications that are deployed to ensure that the devices function.
Complex issues of information security, including those applicable to narrow-band wireless IoT networks, are considered in a separate area of implementation of the Digital economy of the Russian Federation program. For this reason, the "Concept of building and developing wireless narrow-band communication networks of the Internet of Things on the territory of the Russian Federation" considers only the key aspects of regulating protection and information security methods necessary for the successful construction and development of narrow-band wireless IoT communication networks. These aspects are illustrated in Figure 1.
applicationsIoT
c) it is necessary to ensure regular educational work among operators and users of the Internet of things network aimed at responsible attitude and compliance with information security standards on the entire perimeter of the network.
2. In part of the access network a) it is recommended to give preference to open, well-documented standards for narrow-band wireless Internet of things networks, for which the stability of embedded information security mechanisms is analyzed by a large community of researchers and developers, thus reducing the risk of undetected vulnerabilities.
3. In terms of the platform and applications a) it is advisable to consider the possibility of applying cryptographic protection and monitoring the integrity of messages transmitted between the subscriber's device and the Internet of things platform. The implementation of cryptographic protection and integrity control must have the property of having the lowest possible impact on the power consumption of the subscriber's device. At the same time, before introducing this requirement as a mandatory one, it is advisable to conduct a pilot project in a separate region to work out the possible risks of such a replacement; b) regular internal and external information security audits should be encouraged.
According to the authors of the narrow-band wireless networks of the "Internet of things" used in wireless automated systems for accounting for resource consumption, the following recommendations should also be considered for use: 1 In terms of subscriber devices and embedded software a) it is recommended to provide a power of attorney for the hardware of terminal devices, by localizing the processes of its development and production, or by declaring their compliance with the established requirements. The greatest attention should be paid to the power of attorney of such hardware components of end devices as the controller and the receiving and transmitting module; b) it is necessary to ensure the power of attorney of software endpoints, by localizing its development processes;
c) to ensure information security in the networks used in wireless automated resource consumption accounting systems, it is necessary to consider the issue of ensuring the use of cryptographic information protection tools by the subscriber device and the IoT platform.
2 In part of the access network a) it is necessary to ensure the use for the authentication of subscribers of cryptographic protection of information, certified by the appropriate protection class subject to the protected objects and the set of capabilities that can be used to create methods, training and carrying out attacks on these objects, to the applied information technologies, environments and hardware.
It should be noted that Russia is still lagging behind the leading countries in terms of promotion of IoT technologies. The globalization of the global economy challenges Russia to quickly introduce innovative IoT technologies that will make everyday life safe and convenient, and will contribute to increasing satisfaction of human needs and society as a whole.
The use of "smart" technologies for the development of ways to manage the city's infrastructure is a necessary condition for maintaining competitiveness, especially in the context of an economic crisis. The world practice of applying these technologies shows that the indicators of efficiency and efficiency of urban economy institutions are significantly increasing.
Based on the general recommendations for ensuring information security of narrow-band wireless networks of the Internet of things for narrow-band wireless networks of the Internet of things used in wireless automated resource consumption accounting systems, the authors propose to additionally use the proposed recommendations in terms of subscriber devices and embedded software and in part of the access network.
This work was supported by the Russian Foundation for Basic Research, project No. 18-07-01020. 7. References