See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/327248925

The Classification of Internet of Things (IoT) Devices Based on Their Impact on Living Things

Article  in  SSRN Electronic Journal · June 2017


DOI: 10.2139/ssrn.3350094


1 author:

Felix Uribe
University of Maryland University College

All content following this page was uploaded by Felix Uribe on 27 August 2018.



The classification of Internet of Things (IoT) devices
Based on their impact on Living Things

Felix Uribe
felix@uribe100.com
Uribe100.com

Abstract

This paper describes how to classify Internet of Things (IoT) devices based on their impact on
living things. The IoT classification I propose is based on the potential impact (physical,
economic or social) on living things in the event that the confidentiality, availability, or integrity
of the IoT device’s information, internal operations, or components is compromised. As millions
and millions of IoT devices are built and introduced into the world's ecosystem, the ability
to classify their impact on humans, animals, and plants will allow us to identify and
address many of today’s security and privacy issues affecting the trustworthiness of the world’s
current IoT environments.

Introduction

Although there is no standard definition of IoT, I will refer to it as the network of devices
(things) capable of interacting with other devices and/or living things via the Internet or through
a private local or global network not connected to the Internet.

Recent IoT growth projections suggest that by the year 2020 the number of connected devices on
this planet will reach approximately 50 billion (Cisco, 2011). Riding along with this growth, the
number of IoT devices compromised by cybercriminals is also expected to grow (Stroz
Friedberg, 2017). It is clear that a few years from now, due to the rapid growth of technology,
IoT devices will become a ubiquitous part of our lives and ecosystem. Therefore, a better
method of classification must be developed.

IoT Classification Methodology

IoT devices can be classified in many ways. For example, they can be classified based on the
type of data they handle, such as medical and financial, or the sector of society where they are
used, such as manufacturing, transportation, retail, consumer and home.

The National Institute of Standards and Technology (NIST) categorizes information and
information systems based on “the potential impact on an organization should certain events
occur which jeopardize the information and information systems needed by the organization to
accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its
day-to-day functions, and protect individuals.” (NIST, 2004). In a similar way, the IoT
classification I propose for IoT devices is based on the potential impact on living things[1] in the
event that the confidentiality, availability, or integrity of the IoT device’s information[2], internal
operations or components[3] is compromised.

© Felix Uribe, 2017

Confidentiality, integrity, and availability will constitute the security objectives for which the
“loss” is defined as follows:

Confidentiality: Prevent unauthorized disclosure of the IoT device’s information, internal
operations, and components.

Loss: Unauthorized disclosure of the IoT device’s information, internal operations, or
components.

Integrity: Maintain the integrity (truthfulness) of the IoT device’s information, internal
operations, and components.

Loss: Modification or destruction of the IoT device’s information, internal operations, or
components.

Availability: Uninterrupted access to the IoT device’s information, internal operations, and
components.

Loss: The device’s information, internal operations, or components cannot be accessed.

[1] Humans, animals and plants.
[2] Information can be sensor data, personal information, operating system, software applications or any other type of
data collected, stored, processed and shared by the IoT device.
[3] Components of an IoT device can be microcontrollers, sensors, actuators, memory, storage, and other components
that are embedded in or connected to the device and that form part of its operation.

Based on these definitions, the IoT device can be classified as one of these types.

Type A: If the loss of one or all of the security objectives causes severe physical,
economic or social harm to the living thing[4]. For example, malfunction of a
wireless pacemaker, a vehicle brake system, or a farm irrigation system.

Type B: If the loss of one or all of the security objectives causes minor physical,
economic or social harm to the living thing[5]. For example, malfunction of one
of the components of a heating, ventilation and air conditioning (HVAC)
control system may cause heat exhaustion to humans and animals.

Type C: If the loss of one or all of the security objectives causes very minor or no harm
to the living thing. For example, a cash register cannot process financial
transactions online.

The selection of any IoT type by an individual or organization is a risk-based decision that may
take into account other factors unique to their personal or organizational functions. An IoT
device may be classified as a type A in one organization while another organization may classify
it as a type B even though it is the same device. In addition, individuals or organizations can
expand each type with “subtypes” to offer further sub-classification and granularity or create an
IoT risk index. For example, Type A(1) = life support system, Type A(2) = stand-alone wireless
blood pressure monitor.

Examples of IoT devices and their types.
(Color coded: Type A (red), Type B (yellow), and Type C (green))

Type A: Medical pumps, monitors, implants, connected cars.
Type B: HVAC control systems, traffic lights.
Type C: Alarms, dishwashers, cameras, lights, garage openers.

[4] Examples of severe physical, economic or social harm may include severe injury, death, identity theft, and loss of
reputation.
[5] Examples of minor physical, economic or social harm may include temporary incapacitation and credit damage.

The following floor plan shows the classification and location of IoT devices in a connected
home.

Based on this information, it is easy to see that Bedrooms 1 and 3 each contain an IoT device of
type A and the utility room one of type B.

Once the types of the IoT devices are known, a security and privacy assessment of an IoT
infrastructure can be performed and the required security and privacy controls, policies and
procedures for every type of device or group of devices can be implemented accordingly.
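
The type assignment and the per-room view of the floor plan can be expressed as a short script. This is an added example, not part of the original paper: the harm scale, the function names and the device inventory (including which device sits in which room and how it is rated) are constructed assumptions, and the worst rating across the three security objectives decides the type because the loss of any one objective is sufficient.

```python
from collections import defaultdict
from enum import IntEnum

class Harm(IntEnum):
    """Worst physical, economic or social harm to a living thing."""
    NONE = 0    # very minor or no harm
    MINOR = 1
    SEVERE = 2

OBJECTIVES = ("confidentiality", "integrity", "availability")
TYPE_FOR_HARM = {Harm.SEVERE: "A", Harm.MINOR: "B", Harm.NONE: "C"}

def classify(impact):
    """Return the device type from per-objective harm ratings.

    The worst rating decides the type. An unrated objective is an
    error rather than "no harm", so no objective is skipped silently.
    """
    missing = [o for o in OBJECTIVES if o not in impact]
    if missing:
        raise ValueError(f"unrated security objectives: {missing}")
    return TYPE_FOR_HARM[max(impact[o] for o in OBJECTIVES)]

def worst_type_by_location(inventory):
    """Map each location to (worst type present, devices of that type)."""
    by_room = defaultdict(list)
    for dev in inventory:
        by_room[dev["location"]].append((classify(dev["impact"]), dev["name"]))
    result = {}
    for room, devices in by_room.items():
        worst = min(t for t, _ in devices)  # "A" sorts before "B" and "C"
        result[room] = (worst, sorted(n for t, n in devices if t == worst))
    return result

def rate(c, i, a):
    """Build an impact record in confidentiality, integrity, availability order."""
    return dict(zip(OBJECTIVES, (c, i, a)))

# Constructed inventory: rooms, devices and ratings are assumptions.
S, M, N = Harm.SEVERE, Harm.MINOR, Harm.NONE
INVENTORY = [
    {"name": "medical monitor", "location": "Bedroom 1", "impact": rate(S, S, M)},
    {"name": "lights", "location": "Bedroom 1", "impact": rate(N, N, N)},
    {"name": "medical pump", "location": "Bedroom 3", "impact": rate(M, S, S)},
    {"name": "HVAC control system", "location": "Utility room", "impact": rate(N, M, M)},
    {"name": "garage opener", "location": "Garage", "impact": rate(N, N, N)},
]

if __name__ == "__main__":
    for room, (dev_type, names) in sorted(worst_type_by_location(INVENTORY).items()):
        print(f"{room}: Type {dev_type} ({', '.join(names)})")
```

Because the ratings are inputs supplied by the assessor, two organizations can rate the same device differently and obtain different types, as the methodology allows.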

Conclusion

The exponential growth of IoT devices and their everyday applications calls for their
classification in order to address today’s security and privacy concerns affecting the
trustworthiness of the world’s current IoT domain. This classification gives current users of IoT
devices the ability to see and understand the risks and find an effective way to implement
security and privacy controls in their IoT environments. IoT device manufacturers should take
this classification into account when designing and manufacturing IoT devices and their
components to ensure that security and privacy are implemented by design and do not come up
as an afterthought during the IoT device development life cycle.

References

Evans, D. (2011). The Internet of Things: How the Next Evolution of the Internet Is Changing
Everything. Retrieved from
http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

NIST (2004). Standards for Security Categorization of Federal Information and Information
Systems. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Stroz Friedberg (2017). 2017 Cybersecurity Predictions. Retrieved from
https://www.strozfriedberg.com/wp-content/uploads/2017/01/2017-Stroz-Friedberg-Cybersecurity-Predictions-Report.pdf?utm_campaign=CYBER%202017%20PREDICTIONS%20CAMPAIGN&utm_source=IoT%20Blog%20Postm
