The design of secure IoT applications using patterns: State of the art and directions for research

Abstract Internet of Things (IoT) systems are exposed to a large variety of threats due to the inclusion of many devices which may have different owners and manufacturers. IoT applications often include parts in clouds and fogs as well as being part of larger cyber-physical systems; that is, these systems are very complex, which also contributes to their security problems. The design of IoT-based applications must be able to handle this complexity and heterogeneity; patterns are a good approach for this purpose because of their abstraction power. When using patterns, a good catalog is necessary. We survey and classify existing IoT security patterns to see their coverage and quality to evaluate how appropriate they are to be part of a useful catalog. A practical catalog must cover most of the standard security mechanisms. Pattern descriptions include several sections according to a template. We conclude that the number of existing patterns is insufficient for a working catalog and most of them are incomplete or use different descriptions; we need to build a unified catalog. We have started in that direction by creating new patterns or rewriting existing patterns to make them follow a common description. To use the patterns, we need a secure development methodology and we survey IoT development methodologies; we find that none of them considers security or uses patterns. As a solution, we propose modifying existing pattern-based methodologies for distributed systems, of which there is a good variety, using one of them as reference for concreteness. We provide a list of possible research directions about these topics.