
handle: 10316/87985
Although IoT is not a new concept, it was not until recent years that we have seen strong adoption of it. As with any other recent and unproven technology, there is still a lack of consensus around it, resulting in a lack of standards and frameworks allowing the creation of architectures and models that would permit a common view and interoperability between all IoT stakeholders. This lack of definition also impacts security, as there is also a lack of common standards and best practices for IoT security. Each stakeholder is employing their own approach, resulting in a weak security posture, fragmentation in models, and incompatibility between solutions. One possible approach to IoT security, and the most obvious one, is the adoption of globally accepted “traditional ICT” security frameworks. But it is still not clear at this point whether this approach will fit and be adequate to all IoT particularities and scenarios. One example of an IoT characteristic that can hinder the use of current security measures from the “traditional ICT” world is the use of cryptography. IoT devices are more limited in terms of resources, and current cryptography requires a considerable amount of processing power, making the use of cryptography challenging. Currently, there is a strong effort from different entities to advance in this area of IoT, whether in the definition of common protocols that will allow interoperability, in the definition of common architectures, or in the definition of standards, best practices, and recommendations for IoT security. Taking again the example of cryptography, there are currently efforts to develop new algorithms adapted to the lower capacities of IoT. Some other areas that support the development of IoT security, like laws and regulations and auditing and compliance, are also being explored.
In the case of the former, we are seeing efforts from some governments in the definition of laws and regulations adapted to the IoT case, trying to set up a baseline of security best practices. These are not the final solution to all problems, but they could set common baselines in different areas and, more importantly, on security. Security auditing and compliance of IoT environments is also a critical aspect, as it will allow assessing the security of these new ecosystems with all these constraints and specificities. As with the definition of protocols, architectures and security, it is also essential to evaluate whether current auditing procedures adapt to IoT characteristics. As we can see, it is critical to advance the research of IoT security and the definition of stable and common standards so that these technologies can be deployed in a safer and more controlled way. IoT is going to be part of much of our future day-to-day lives, and it is vital that security is at the top of our concerns. More critical are the scenarios where human safety can be jeopardized by a lack of IoT security. The strong physical component of IoT can be an attack vector against human safety. One of the important use cases for IoT is Smart Cities. IoT will enable this new concept of cities that are more efficient and functional. However, by using IoT, Smart Cities will inherit the security issues of IoT. It is crucial, then, to assess the concrete overall risks, and more specifically the cybersecurity risks, that these new cities will encounter and what types of measures we can use to overcome these risks. Imagine the scenario where a traffic management solution of a smart city is hacked and attacked, putting people's lives in danger or merely causing chaos in traffic.
This work is going to define the security risks of a traffic management scenario, the possible risk treatment options and security measures to mitigate them and, more importantly, which risks cannot be mitigated with today’s security controls due to IoT-specific characteristics.
IoT is not a new concept, but only in recent years has there been more widespread adoption of this technology. As with any other recent technology, there is still a lack of consensus and standardization. This is reflected in the security of the technology itself. Current approaches to IoT security are fragmented and proprietary, resulting in poorly secured systems. One possible approach to this problem is to use what is established for security in traditional systems, but it is still not clear whether this approach covers all the security needs of IoT, since these systems have distinguishing characteristics. For example, they are usually more resource-constrained systems, which makes it impossible to implement measures that exist for traditional systems. There is currently an effort by several entities to make IoT secure, as IoT is going to start being present in many aspects of our lives. One such example is smart cities. This new concept of smart cities aims to make citizens' lives easier by providing a set of more efficient and effective services. However, this new concept can bring new and increased risks to people's safety. It is therefore important to assess the new threats, vulnerabilities and risks that this new concept of cities will face, which measures can be used to protect them, and whether current measures are sufficient.
Master's dissertation in Information Security presented to the Faculdade de Ciências e Tecnologia
IoT security, IoT security assessment, risk assessment, IoT auditing, risk treatment
