IoT Security Challenges: Cloud and Blockchain, Postquantum Cryptography, and Evolutionary Techniques

Internet of Things connects the physical and cybernetic world. As such, security issues of IoT devices are especially damaging and need to be addressed. In this treatise, we overview current security issues of IoT with the perspective of future threats. We identify three main trends that need to be specifically addressed: security issues of the integration of IoT with cloud and blockchains, the rapid changes in cryptography due to quantum computing, and finally the rise of artificial intelligence and evolution methods in the scope of security of IoT. We give an overview of the identified threats and propose solutions for securing the IoT in the future.


Introduction
The perceived reality of every person consists not only of physical dimensions but includes a significant virtual presence in cyberspace. The cyberspace dimension, however, is not separate: a huge array of connected sensors brings data from the physical world to cyberspace. These data influence the behavior of people connected to cyberspace, as well as feed back to processes in the physical world, especially in control systems. Similarly, data produced only in cyberspace can influence the physical world either by influencing human minds or control systems connected to cyberspace.
The connected physical and cybernetic world faces many important questions, such as: What if the data are incorrect or even malicious? What if the processes are incorrectly programmed or are outright programmed to produce harmful results? Can people with wrong intentions influence our cybernetic systems and, through them, the physical world in unexpected or outright forbidden ways? We know that the answer is yes, and the potential of physical harm through the virtual world is real. Thus, it is critically important to focus on security aspects of cybernetic reality, especially in domains, where it has a strong interaction with the physical world.
The core of the interactions between physical and virtual worlds is due to the emergence and spread of the Internet of Things. Similar to the classical Internet, the Internet of Things is extremely complex. In the security domain, a core principle is to keep things simple. Complex things are difficult to secure: the attacker has an advantage, as he only needs to find a single chain of exploitable vulnerabilities to achieve his goals. On the other hand, the defender needs to protect all parts of the system, and all interactions between the system, its components, and the rest of the world. The security of complex systems, such as the Internet of Things, requires a combination of partial security solutions, which create a further potential for attacks. Nevertheless, we need to study even these partial solutions, because without them the attackers' task becomes trivial, and security nonexistent.
In this article, we focus on emerging security technologies that are promising to provide security for IoT applications in the (near) future. Cloud storage and blockchain therefore, it is important to first identify possible threats and then implement appropriate countermeasures for the specific architecture of the developed IoT system.

Security Model for IoT, Standards and Protocols
Security modeling is an important preliminary for building secure systems. In this section, we summarize the security model for IoT infrastructure we used. In general, we can consider IoT area to suffer from all standard classes of adversaries with attributes typical to internet-based attackers. Thus, we can use the general models of attackers for internet applications, such as one introduced in Chapter 1 of the book [7].
We can point out some specific differences when considering IoT: Specifically for industrial IoT, industrial espionage agents can play a more significant role as threat agents. Their specific objectives include industrial secrets and know-how and a potential disruption of industrial processes.
A dangerous category of attackers with potentially high impact are cyber terrorists. These attackers might target specific IoT devices that have the potential for a physical world impact as a consequence of a cyber attack. Their objectives are thus a real-world (physical) impact, where IoT device represents a transitional asset, instead of a final aim of the attacker.
Another important difference between the general security model and IoT specific model is that attackers' capabilities can be significantly enhanced by a physical access to IoT devices, such as sensors or physically unprotected computing nodes.
A significant problem for IoT security is a lack of standards. The IoT solution integrates various kinds of hardware types, communication protocols, and services. This is a double-edged sword that provides comfort to users but can also create a large number of security threats and attacks.
In Figure 1, we summarize the attack types that can be used by the attacker on various layers of IoT solution. In a specific security modeling, the IoT builders need to map possible attacks to their IoT architecture and assign appropriate risks according to asset and attacker models. The attack-type features in Figure 1 are described in more detail in the rest of this section. Note that when modeling attackers and their capabilities, we should consider all parts of an IoT solution, including all parts of the solution on the physical layer, network layer, and application layer. Attackers try to target the weakest part of the system. A security breach on one layer can undermine potential defenses on other layers; thus, it is also necessary to include cross-layer security in the security model.
Survey [8] analyzes various research challenges and open issues related to the security of IoT protocols, on the network and application layers. The survey describes different types of communication protocols, and protocols used for security based on the IoT layer architecture. A significant lack of standards for IoT is also pointed out in [9], which primarily analyzes various types of IoT architectures. Different architectures have been proposed for IoT, such as three-layer [10], middleware-based architecture [11], service-oriented architecture (SOA) [12,13], four-layer [14], and five-layer [11].
In Figure 1, we adopted only the basic three-layer architecture model, with different classification of layers related to security. IoT architecture and layer description are important for security modeling, as each layer of the IoT model is connected to specific security challenges and, at the same time, a possibility to enforce security and privacy standards and protocols (see also [15] for more details). Study [9] surveys advanced features of IoT solutions such as IoT data, machine learning algorithms, and light encryption algorithms, and proposes a new compacted and optimized architecture for IoT based on five layers. A more fine-grained model can lead to a better security model but can make it more complex to analyze and properly understand all interactions.
Study [15] also proposed new IoT layered models: generic and stretched with the privacy and security components and layers identification. This is a model more suitable for evaluation of solutions that include cloud/edge support. The security protocols and critical management sessions are between each of the architectural layers to ensure the privacy of the users' information. A categorization of attacks can also be performed relative to standard network layers. E.g., survey [16] summarized the common attacks and security issues according to network layers and protocols. A comprehensive study [17] tried to characterize the types of attacks on IoT into four categories: Physical attack, Network attack, Software attack, and Encryption Attack. We adopt the methodology from [17] and characterize the attacks in more detail in the following subsections.

Physical Attacks
This category includes attacks targeting the hardware itself.

• Node Tampering: to perform this attack, the attackers must have physical access to the IoT device. Their goal is to obtain sensitive information such as the encryption key used to communicate with other nodes. According to the authors [18], it is possible to characterize these attacks as invasive and noninvasive. An invasive attack requires expensive equipment because the attacker tries to obtain the contents of the processor's memory by directly observing the semiconductor chip. Noninvasive methods consist of gaining access to the bus, which can be used to access the microprocessor's memory. The JTAG bus is very often harnessed for these purposes. In this way, it is possible to cause great damage, because it is possible, e.g., to overwrite the bootloader of the processor with the attacker's own bootloader and activate read and write operations in memory at the request of the attacker. According to [19], it is possible to protect against this attack relatively easily, by detecting an intrusion into the device box. Mechanical switches or additional sensors can be used to detect fluctuations in the supply voltage. A problem with using this countermeasure can be a frequent false alarm.
• RF interference: interference is caused by several devices transmitting at the same time on the same frequency. An attacker does not have to transmit any data; it is enough to transmit noise on the carrier or subcarrier frequency of a given communication channel. The goal of this attack is to achieve denial of service.
• Node Jamming: this attack is mainly known from Wireless Sensor Networks (WSN). In WSN, the communication between nodes is essential; therefore, rapid attack detection is highly desirable. To successfully execute the attack, the attacker needs to have a high understanding of the communication protocol. Publication [20] describes this attack in detail.
The authors of the article also suggest various countermeasures, e.g., channel hopping, frequency hopping, and spread-spectrum modulation. It is also possible to use software solutions related to the modification of the communication protocol. By adjusting the routing, it is possible to avoid jammed areas. JAM (jammed-area mapping protocol), SAD-SJ (self-adaptive and decentralized MAC-layer), or JAM-BUSTER protocols are suitable.
• Malicious Node Injection: an attacker tries to cause a collision in the network. It is a coordinated attack of several malicious nodes. To perform the attack, the attacker must have certain data of the node to be attacked (e.g., encryption key). The attack consists of two phases. In the first phase, a copy of the node whose data have been compromised is created. This first malicious node has the properties of a legitimate node, but of course, it has other features that make it malicious. The compromised node is isolated from the network (removed or depleted of its power). The malicious node creates its copy and attacks another suitable node in a coordinated way. When a legitimate node is requested (either directly or only to forward a message), these two malicious nodes create a collision. The victim never receives or forwards the message, and the other legitimate nodes mark it as malicious or defective. As a result, this node is excluded from the network. It is assumed that the network has certain protection elements to detect malfunctioning nodes. This attack can effectively bypass these bases of protection. A countermeasure could be the MOVE protocol developed by the authors of [21]. It works on the principle of monitoring the transmission of packets in nodes, taking into account the mobility of nodes in the network.
• Physical Damage: this is an attack causing a denial of service. It is necessary to equip IoT devices with quality boxes with simultaneous detection of such an attack in the form of an antitamper technique to mitigate it [19].
• Sleep Deprivation Attack: the IoT device is mostly battery powered and therefore has a limited life. For this reason, IoT devices have implemented sleep modes with varying degrees of energy savings. The purpose of this attack is to prevent IoT devices from going into sleep mode. In this way, the devices run out of power very quickly and switch off permanently. There are several ways to perform this attack. The first way is the so-called barrage attack. In this scenario, the attacker constantly bombards the victim with legitimate requests and thus does not allow it to activate the sleeping mode. This method is simple to implement but can also be easily detected. The second method is based on querying the node in a more sophisticated way. Ultimately, the attack also prevents the IoT device from going to sleep, but it takes longer to drain the battery entirely compared to the previous case. One suitable approach against the sleep deprivation attack is the solution proposed by the authors in [22]. The solution is based on reducing the chance for an attacker to become the central node of the cluster (cluster heads).
• Malicious Code Injection: a dangerous attack that, if the attacker succeeds, can cause extensive damage. An example is the Stuxnet worm, which has spread to PLC devices controlling various industrial processes. Another type of attack can take control of a large number of IoT devices and launch a large-scale distributed denial of service (DDoS) on the IT infrastructure. An example is the Mirai malware [23]. The attack aims to get full control over the IoT device. An attacker can, for example, steal confidential data from the device or force the victim to carry out the attacker's commands and thus take part in other malicious activities. The attacker exploits the weaknesses of the IoT devices.
The most attractive IoT devices for an attacker are those devices that have relatively large computing power and have an operating system, e.g., various IP cameras, routers, or popular hardware platforms such as Raspberry Pi, BeagleBone, or ESP32. Authors in [24] also found a vulnerability in a less powerful platform, Arduino Yún. The main idea of the attack is the so-called memory corruption, specifically buffer overflows and control flow hijacking. A known protection against such attacks is address space layout randomization (ASLR). For low-power IoT devices, implementing memory randomization can be challenging. The author of the publication [25] managed to implement such protection using external FLASH memory and an additional ATmega processor. Such solutions are possible on less powerful devices but always at the expense of energy consumption and solution price.

Network Attacks
• Traffic Analysis Attacks: a prerequisite for the realization of this attack is the possibility of interception of communication between the IoT gateway and users who communicate with the gateway via the Internet. Passive eavesdropping allows an attacker to find out the type of IoT devices and the activity of IoT devices connected to the gateway. Communication can also be encrypted. It does not matter for this attack whether the communication is encrypted or not. Traffic analysis provides data that are needed for other dangerous attacks, e.g., Malicious Code Injection. According to [26], there is no perfect protection against this attack, but it is possible to mitigate this attack. The authors in [27] describe a traffic morphing technique that masks real traffic using dummy traffic. This method can significantly reduce the success of the machine learning technique, which is used for analyzing obtained traffic data.
• Sinkhole Attack: the basic idea of the attack is to compromise the data communication of nearby nodes around the malicious node. There are two main types of countermeasures. The first way is to implement an intrusion detection system such as [28,29]. In general, the disadvantage of these systems is the accuracy and thus the relatively high frequency of false alarms. Another option is proper key management [30], in which the identity of each node is secured using an identity-based encryption algorithm.
• Man-in-the-Middle Attacks: this attack is similar to malicious node injection. In a passive attack, the attacker eavesdrops on the communication. If the attack is active, the attacker takes control of the communication. They can delay packets, drop packets, or alter their content. The difference is that the attacker does not have to be part of the network because the whole attack takes place exclusively through a given network communication protocol of the sensor network. The most common protection against MITM is a quality intrusion detection system (IDS).
In this solution, a compromise is sought between low latency, high detection rate, low CPU load, and the resulting low power consumption of the algorithm. IDS is usually deployed on hierarchically higher and more powerful devices such as gateways for Fog or Edge devices. Publications [31,32] resolve the problematic properties of IDS on these IoT devices.
• Denial of Service: a more accurate description of the attack is given in the publication [21]. An attacker exploits the TCP-based protocol by sending a disproportionate amount of data requests to the victim's device. In this way, all the free resources of the IoT device are gradually occupied. The IoT device thus does not respond to legitimate data requests and ceases to fulfill its function. According to [33], there are three levels of defense against DoS: attack detection, attack mitigation, and attack prevention. Several approaches are known. These are the various classification algorithms, machine learning algorithms, honeypot, IDS, mutual authentication schemes, and many more.
To mitigate the DoS attack, a newly developed IOTA protocol may also be used [34]. IOTA protocol was originally developed to verify IOTA cryptocurrency transactions, and it is designed specifically for IoT.
• Sybil Attack: in this attack, the adversary has several identities in the network. They can either create or steal identities. The adversary can then reduce network performance and cause DoS. If data are sent unencrypted, the attacker can steal it and misuse it for other purposes. They can also forward altered data and significantly disrupt the functionality of the proposed system. Protection against this attack is user authentication, encryption of communication, and an efficient Sybil's node detection algorithm [35,36].

Software Attacks
These types of attacks are implemented at the application layer of the solution. The most common threats are the following:
• Phishing Attacks: most IoT solutions use websites to control IoT devices, collect data, or visualize them. In this attack, the intruder tries to obtain sensitive data from users, such as the name and password. The intruder uses an email with a link to a fake website to lure private user data. The counterfeit website looks similar to the original, so the user submits his login details freely. Suitable antiphishing software [37,38] is a good countermeasure. It can detect suspicious emails and also has a database of suspected websites.
• Virus, Worm, Trojan horse, Spyware, and Adware: the attacker tries to cause damage to the victim through the attacker's malicious code. Typically, an attacker exploits the vulnerabilities of the IoT device and takes control of it. They can then use the device for another type of attack (e.g., phishing, DDoS, and cyber spying) and spread the malware to other devices. More powerful IoT devices can have a full operating system loaded. Attackers often exploit unsecured default settings (e.g., open service ports, a default admin password, etc.). The diversity of operating systems, communication protocols, and installed software is constantly creating new security threats. As the number of IoT devices connected to the network grows, the risk of malware infection specifically directed against IoT devices and their infrastructure increases [9,39]. A specific problem is ransomware, where IoT is an ideal target for attackers [40]. This is growing more serious as the quality of ransomware implementations has improved in recent years [41]. According to publication [17], there are several countermeasures. Depending on the IoT architecture and capabilities, it is advisable to have a strong antivirus system, use a firewall, or use a honeypot to detect dangerous software signatures.
Note that these countermeasures are typically applied on devices with full OS support, and parts of IoT infrastructure, such as servers, gateways, edge devices, or cloud infrastructure.
• Malicious Scripts: an attacker can run a malicious script through a website visited on the Internet and gain control over devices in the entire LAN network of the victim [42]. An attacker could gain access to devices that are hidden behind NATs. The suggested countermeasures from [42] are based on the correct configuration of the webserver.
• Denial of Service: it is also possible to attack the application layer of the IoT device. This attack is primarily an attack on a web server that usually has some more powerful IoT devices. An attacker could also target a web server (or cloud) to which IoT devices send messages.

Encryption Attacks
The goal of this group of attacks is to obtain a private key from an IoT device. An attacker can gain the necessary data through the various techniques mentioned below.
• Side-channel Attacks: measuring the power consumption of the device during cryptographic operations associated with the private key is the most common way to gain a secret parameter. Simple power analysis or differential power analysis is an example of such attacks. There are other techniques: for example, measuring the EM spectrum emitted by the device; acoustic attacks, where the sound generated by the various components of the IoT device is measured; and timing attacks, where the running time of the program is measured at specially selected values on the input. A more detailed description of previous attacks and countermeasures can be found in publications [43-45].
• Man-in-the-Middle Attacks: an attacker eavesdrops on a user's communication by exchanging the public key. The attacker is in the function of an intermediary. They can inadvertently throw their public key and can read and modify encrypted messages between users [46].

How to Improve Security
To improve security, IoT devices that need to be directly accessible over the Internet should be segmented into their network segment and have other network access restricted. The network segment should then be monitored to identify potential anomalous traffic, and action should be taken if there is a problem.
In [47], the authors mainly focus on the security threats for cloud-based IoT, especially in the aspects of secure packet forwarding with outsourced aggregated transmission evidence generation and efficient privacy-preserving authentication with outsourced message filtering. Besides the traditional data confidentiality and unforgeability, the unique security and privacy requirements in cloud-based IoT are presented:
• Identity Privacy: the mobile IoT user's real identity should be well protected from the public; on the other hand, when some dispute occurs in emergency cases, it can also be effectively traced by the authority.
• Location Privacy: if the adversary knows that the target node with pseudonym PID occasionally visits n locations, sets of nodes' real identities passing by these n locations can be observed. The intersection would reveal the target node's real identity and its private activities in other regions.
• Node Compromise Attack: the adversary extracts from the resource-constrained IoT devices all the private information including the secret key used to encrypt the packets, the private key to generate signatures, and so on, and then reprograms or replaces the IoT devices with malicious ones under the control of the adversary.
• Layer Removing/Adding Attack: the attack occurs when a group of selfish IoT users removes all the forwarding layers between them to maximize their rewarded credits by reducing the number of intermediate transmitters sharing the reward.
• Forward and Backward Security: due to the mobility and dynamic social group formulation in IoT, newly joined IoT users can only decipher the encrypted messages received after but not before they join and revoked IoT users can only decipher the encrypted messages before but not after leaving the cluster.
• Semitrusted and/or Malicious Cloud Security: for the convergence of the cloud with IoT, the security and privacy requirements for the cloud should be specially considered.
For outsourced computation, the following three security targets should be achieved:
- Input privacy: The data owner's inputs should be well protected even from collusion between the cloud and authorized data receivers.
- Output privacy: The computation result should only be successfully deciphered by authorized data receivers.
- Function privacy: The underlying function must be well protected even from the collusion of the cloud and malicious IoT users.
In [47], a focus is given on providing security mechanisms for complete cloud systems by implementing encryption and intrusion detection systems. They applied hybrid encryption on data at the cloud client level. This means that both data in the medium as well as stored in the cloud server are secured. Security can be improved by implementing an intrusion detection system that detects the anomaly traffic toward the server and blocks unauthorized and unauthenticated traffic. Specific cipher types might be more suitable for IoT applications [48].
The authors in [49] discuss risks if cloud security is not handled properly:
• Privacy and Legal Compliance Risks: such as identity theft resulting in a privacy breach.
• Common Threats and Vulnerabilities: Common threats to both cloud and traditional computing include eavesdropping, fraud, theft, denial of service, logon, abuse, and network intrusion.
According to them, the principal requirement of a secure cloud-based system is to mitigate any known vulnerabilities in the system and make sure that system performance is not compromised when it is under external malicious attack. The key factors that they recommend for the secure cloud system are: They suggest a way to ensure that requirements of a secure cloud system are captured unambiguously using the S.M.A.R.T.E.R. method (Specific, Measurable, Achievable, Relevant, Time-Oriented, Evaluate, and Revise). They recommend NIST 33 Security principles as guidance for developing any cloud applications. They highlight that the design principles should also be used as a guideline for cloud application security testing to ensure that the cloud applications are built in the right (secured) way to achieve their goals.
IoT and cloud provide a large attack surface and need a significant effort to achieve optimal security. Different authors suggest several core challenges for the security of IoT and cloud systems. The authors in [47] identify these important challenges:
1. Fine-grained ciphertext access control in cloud-based IoT.
2. Besides data confidentiality, location privacy and query privacy for cloud-based IoT users in location-based service (LBS) should also be protected.
3. Increasing batches of data to be processed securely.
4. Privacy-preserving outsourced data mining in cloud-based IoT.
Authors of [49] consider security policy implementation as the most challenging task in cloud computing for service providers. The key challenges include also: Denial of Service.
In [50], the main challenge is that the attacks are becoming more intelligent and diverse as time passes. Conventional security intrusion incident detection and response technologies typically use pattern-based and behavior-based statistical methods. However, an effective intelligent response method is required. An access control technique based on ontology reasoning was suggested as a solution. This can be achieved by adopting a variety of intelligent reasoning technologies for security intrusion incidents. Various reasoning technologies based on ontology and semantic web technology are being actively studied in intelligent systems. Malicious code detection technologies based on an intelligent access control model, text mining, and natural language processing technologies were proposed in [51].

Cloud and Blockchain in IoT Security
In recent years, there have been a lot of proposals for using blockchain technologies as a replacement for cloud storage. According to [52]: "Utilizing blockchain can bring increased security and efficiency of network maintenance. The key feature of blockchain, immutability, brings resistance to unauthorized modifications." There is a large number of papers that focus on blockchain and IoT integration. A comprehensive recent survey of blockchain and IoT integration is provided by [53]. In our work, we focus on security issues related to blockchains, which apply to IoT applications.
First, we need to analyze the differences between blockchain and standard cloud solutions for IoT (see e.g., [54] for a recent survey of the topic). In the core of the Internet of Things is the network of physical objects connecting and exchanging data with other objects over the Internet [55]. These objects can potentially be fully autonomous. However, a typical IoT solution requires a management layer, to provide basic configuration, software updates, monitoring, and other noncore functionality. When creating a complex IoT solution, we have three principal options for creating the management layer:
• Solution hosted by IoT owner (or manufacturer). This solution does not scale well and has additional costs associated with maintenance. It is also prone to a single point of failure security problems: any successful attack on the management node can compromise the whole network. We can also use this category for integration platforms such as [56,57].
• Solution hosted in the cloud. There is a large number of examples, surveyed e.g., in [58]. We can include new trends in this, such as serverless computing [59]. Cloud provider provides scalability of the solution and cares for security. Costs of the cloud solution can be lower than maintenance of own servers, depending on the required services and the infrastructure and personnel costs of the IoT solution owner. The security of the solution depends on the quality of the cloud service, and its costs are typically included in the service cost. This requires trust in the cloud provider and does not remove the single point of failure property. However, we can use multiple providers to provide redundancy and attack resiliency (for an increase in operating costs). A recent study focused on security of cloud based solutions is [60].
• Solution based on peer-to-peer decentralized technology, typically a blockchain solution.
There are many recent examples, including [61-66], and the number of solutions is growing quickly. Decentralization removes the requirement of trusting the cloud provider. Costs of the decentralized solution, however, can be significant and depend on the technology chosen and the current transaction fees in the blockchain network. The core question is, does the blockchain-based solution avoid a single point of failure property, and does it provide required scalability?
The main confusion comes from the fact, that the term blockchain joins multiple technologies under the same name. In the previous paragraph, we have used the term "blockchain" as an antonym to centralized hosting, either owned or rented on a cloud. However, some blockchain technologies (a private blockchain) can be characterized as centralized hosting. Blockchain is sometimes used to denote distributed databases, distributed ledger, or even a distributed virtual machine (such as Ethereum, see e.g., [67] for its security overview).
Proper scientific blockchain taxonomy is still evolving, see e.g., [68] for current definitions. We define a blockchain as a sequence of blocks joined by cryptographic hashes, typically shared by many peers (in the network). Once the hash of the final block is known, then the history of the chain is immutable. It is computationally infeasible to change previous blocks in such a way that the final hash stays the same. However, any peer can append anything to the chain as a new valid block. The extension of the chain requires a consensus protocol, which provides some security guarantees that all members of the network share the same final block and by extent the whole chain. Examples are Nakamoto consensus based on proof of work [69], proof-of-Stake protocols [70], and others [71], with different degrees of resilience against compromised peers in the network. Once the consensus protocol is correctly specified, the blockchain can provide a public bulletin board: peers can append data to the end (and never remove them), and everyone in the network can read the data, with a guaranteed common history. Such a public bulletin board then can be a base for many other solutions, such as transaction ledger for (crypto-)currencies, publicly shared virtual machine (such as Ethereum), and many others.
What the IoT implementer needs to understand is that blockchain, in general, does not equal cryptocurrencies, or a distributed solution. Here, the important part is also the definition of who the network peers are. We can run a blockchain on a single node (e.g., to build an immutable log file). We can build a blockchain for a closed network (private blockchain). If those nodes are fully trusted, a simple first-come-first-appends consensus might be sufficient. A simple voting consensus can be sufficient if no more than 50% of the peers are compromised. For open blockchains (such as Bitcoin), a potential peer is every device connected to the Internet. Nakamoto proof of work [69] requires that no untrusted peer or group of peers can control more than 50% of the computational resources of the whole network. Thus, the cost of the consensus is extremely high. In a private blockchain (such as [72]), e.g., a chain with defined peers and restricted access, the cost of consensus agreement can be much lower than on public blockchains. However, private blockchain requires additional security solutions to guarantee correct access control. See, e.g., [73] for an overview of these issues.

Public Blockchains and IoT Security
By public blockchain, we understand a distributed open peer-to-peer blockchain with a consensus mechanism without central trust. There are many examples of public blockchains and their applications, see, e.g., [74]. In the security sense, a public blockchain is a secure public bulletin board: append-only list of items, which everyone can read, and no one can modify. Note that the history of the chain is immutable only if the security prerequisites of the used technology hold, e.g., there is a trusted majority of nodes in PoS types of protocols, or no attacker can obtain more computing power than other nodes combined in PoW protocols.
Note that open public blockchain does not guarantee legal protection or trust. The main principle of blockchain is replacing the trust in some legal entity (e.g., a cloud provider) with trust in technology (blockchain itself, and the software running the blockchain). Blockchain operations might face various regulatory restrictions, see, e.g., [75]. IoT providers should only select public blockchains that fulfill regulatory mandates. A lack of global standards is a significant problem in this area.
While blockchain technology provides some level of integrity protection, in principle, every operation on a public blockchain is public. Confidential data must be encrypted before submitting them to the blockchain. However, blockchain can reveal important metadata, such as who posted which data when. Hiding techniques (see, e.g., [76]) involve additional costs and might not be sufficient for some use cases.
The availability of blockchain access can be a significant problem. Blockchain operations are costly; thus, posting any information on the blockchain is much more expensive than using standard distributed data storage solutions. Blockchain does not solve the problem of denial of service attacks (see, e.g., [77]), which target the network infrastructure of the IoT clients or command centers. A significant risk related to a public blockchain is that the security of blockchain access is typically fully dependent on the blockchain peer. Access to a blockchain is based on public-key cryptography, and the blockchain peer must secure their private key on their own. Any security breach that leaks this key means a complete takeover of the blockchain-based infrastructure, and the loss of the key means complete loss of any further access to the infrastructure.
Despite security problems of the public blockchain technologies, there are some use cases when public blockchains might be useful in providing security solutions for IoT platforms [78]. Inherent integrity protection and public nonrepudiation make public blockchain suitable as a timestamping mechanism: Block hashes in a public blockchain can be used as a control value of a private blockchain in IoT nodes, e.g., for logging and monitoring. Examples include [79][80][81]. Public blockchain can also be used to publish checksums (hash values) for patches, manuals, and similar public materials, as a replacement for PKI signatures. Examples include [52,82,83]. Note however that the problem of revocation remains: if the private key for blockchain access is compromised, the attacker can push untrusted updates to IoT devices.

Private Blockchains and IoT Security
When designing a security solution for IoT, we can consider a private blockchain. A private blockchain does not require a complex consensus mechanism; various protocols are resilient even when some IoT nodes are compromised. Note that mechanisms of public blockchains, such as proof of work, are not suitable for private solutions, due to their high costs that reflect the lack of trust in the network. Blockchain storage is not suitable for temporary data, as the data structure of a blockchain is append-only. To limit the overall data storage for the blockchain, careful consideration is required of what should be stored in the chain. We can save data storage and verification time by using Merkle trees [84] and only storing final hashes in the main chain.
Private blockchain requires security mechanisms similar to standard cloud solutions, including access control, administration, backups, etc. Even private blockchain data structure incurs additional operation costs compared to a standard database solution [85]. As such, we recommend using blockchains only as a partial technological solution for the storage of permanent data items, where keeping an immutable linear ordering is required.
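The hash-chain definition and the Merkle-tree batching described above can be seen together in the following added example (it is not code from this article or from any cited system): a single-node chain whose blocks hold only the Merkle root of a batch of log records, plus an optional public-chain hash as control value. The function names, the block layout, and the sample records are assumptions made for illustration.

```python
import hashlib
import json

ZERO = "00" * 32  # "previous hash" field of the first block

# Constructed sample batches of sensor log records (not real device output).
BATCHES = [
    [b"t=0 node=7 temp=21.4", b"t=1 node=7 temp=21.5"],
    [b"t=2 node=7 temp=21.7", b"t=3 node=9 door=open", b"t=4 node=7 temp=35.0"],
    [b"t=5 node=9 door=closed"],
]
ANCHOR = "PUBLIC-BLOCK-HASH-PLACEHOLDER"  # stands in for a public-chain block hash


def sha256(data):
    return hashlib.sha256(data).digest()


def merkle_levels(records):
    """All tree levels, leaves first. Leaf and inner hashes use different prefixes."""
    if not records:
        raise ValueError("empty batch")
    levels = [[sha256(b"\x00" + r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [sha256(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # an unpaired node is promoted unchanged
        levels.append(nxt)
    return levels


def merkle_root(records):
    return merkle_levels(records)[-1][0]


def merkle_proof(records, index):
    """Sibling path for records[index] as (sibling_hash, sibling_is_left) pairs."""
    if not 0 <= index < len(records):
        raise IndexError(index)
    path = []
    for level in merkle_levels(records)[:-1]:
        sib = index ^ 1
        if sib < len(level):  # no sibling means the node was promoted
            path.append((level[sib], sib < index))
        index //= 2
    return path


def verify_proof(record, path, root):
    """Check one record against a stored root without seeing the other records."""
    node = sha256(b"\x00" + record)
    for sibling, sibling_is_left in path:
        node = sha256(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root


def block_hash(block):
    body = {k: block[k] for k in ("index", "prev", "root", "anchor")}
    return sha256(json.dumps(body, sort_keys=True).encode()).hex()


def append_batch(chain, records, anchor=""):
    """Append one block that stores only the batch's Merkle root."""
    block = {"index": len(chain), "prev": chain[-1]["hash"] if chain else ZERO,
             "root": merkle_root(records).hex(), "anchor": anchor}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_bad_block(chain):
    """Index of the first block that breaks the hash links, or None if consistent."""
    prev = ZERO
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None


if __name__ == "__main__":
    chain = []
    for batch in BATCHES:
        append_batch(chain, batch, anchor=ANCHOR)
    proof = merkle_proof(BATCHES[1], 2)
    root = bytes.fromhex(chain[1]["root"])
    print("chain consistent:", first_bad_block(chain) is None)
    print("record proven in block 1:", verify_proof(BATCHES[1][2], proof, root))
    print("pinned head hash:", chain[-1]["hash"])
```

A chain rewritten from the tampered block onward passes `first_bad_block`, so the verifier must also compare the final hash with a copy pinned outside the node, which is the role of the control value.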

Postquantum Cryptography Applications
Cybersecurity is now on the edge of a new era. New results in the development of quantum computers [86] lead to serious consequences. The adversaries have more computing power, and new threats appear. Algorithms currently used in IoT device security, especially for key exchange and digital signatures, are vulnerable to new types of attacks, created by the development of quantum computers. In comparison to classical computers (desktops and laptops), we have another factor to consider. The computing power of attackers is increasing, but we have very limited resources on IoT devices.

Algorithms Used in IoT Security
There are many protocols used to secure IoT communication. However, as we go deeper, and we look at specific cryptographic algorithms they use, we can see that there is only a limited number of ciphers used in these protocols.
The authors of [87] mentioned the most important protocols used in IoT. For each layer, we show the protocol and the interesting cryptographic algorithms it uses:
• Physical layer: As we see in [88], most of the protocols of the physical layer (DASH7, LoRa) use AES-128 for providing confidentiality of the data.
• Data Link layer: The security is provided by IEEE 802.15.4 [89], which specifies several cryptographic options, but all are based on AES (AES-32-AES-128).
• Network layer: The IPsec protocol is a requirement for IPv6, allowing for Diffie-Hellman, ECDH, RSA, AES. Another protocol of the network layer, the 6LoWPAN protocol, relies only on the security of the transport layer [90].
• Transport layer: In the transport layer, we can mainly use two types of protocols, TCP or UDP.
  - For TCP, security is provided by TLS, which in version 1.3 allows AES and ephemeral Diffie-Hellman.
  - UDP is secured by DTLS or QUIC. These protocols allow the use of ephemeral Diffie-Hellman for key exchange and AES for data confidentiality.
• Application layer: The CoAP protocol proposes to use DTLS to provide security, and the AMQP protocol uses TLS. Therefore, the same algorithms are used as in the transport layer.
In all protocols mentioned above, we can see these algorithms: AES, RSA, or Diffie-Hellman (or ECDH). The question here is: are these algorithms secure against the quantum computer?

Quantum Algorithms That Threaten Our Cryptography
When we talk about a quantum computer as a threat to modern cryptography, we talk mainly about two algorithms:

1. Shor's algorithm is a quantum computer algorithm for finding prime factors of a given number (integer factorization) in polynomial time. This is enough to break modern asymmetric cryptography since it is based on integer factorization or similar problems.

2. In 1996, Lov Grover published a database search algorithm. One interesting consequence is that Grover's algorithm is able to find the n-bit key with time complexity √n. As Grover's algorithm can brute force more or less any black-box function, we need to reconsider the security of symmetric cryptography used in IoT.

Vulnerable Public Key Crypto-Algorithms
All public-key algorithms currently used for key exchange or digital signatures are broken. The RSA cipher, which is based on the integer factorization problem, is the obvious victim of Shor's algorithm. Other commonly used ciphers are based on the discrete logarithm problem, such as Diffie-Hellman or its variant based on elliptic curves over finite fields (ECDH). As mentioned in [91], Shor's algorithm can also be used for computing discrete logarithms. Proos and Zalka [92] have shown that breaking cryptography based on elliptic curves is even easier than breaking RSA.

Vulnerable Symmetric Crypto-Algorithms
Symmetric ciphers are not completely broken by Grover's algorithm. The square root speedup of brute-force attacks requires a change in what is considered to be "secure". As we have shown in Section 4.1, the Advanced Encryption Standard (AES) is widely used for providing data confidentiality in IoT. With Grover's algorithm in mind, the security level of AES-128 is lowered to 64 bits. This means that AES settings with a key length of 128 bits or lower are no longer secure, and AES needs to be used with key sizes of 192 or 256 bits.

Postquantum Cryptography in IoT
In recent years, the topic of postquantum security has become more and more discussed. In 2016, NIST began a standardization process to replace the algorithms mentioned above. A new standard is required for two categories: Public-key Encryption and Key-Establishment Algorithms and Digital Signature Algorithms.

Specifics of IoT Postquantum Security
As we have shown in Section 4.1, the IoT world uses the same mechanisms that are used in other applications. The security of IoT devices requires us to keep in mind another, very important factor: the limits of these small devices, namely power, processing, and memory limitations. These limits should be considered when choosing suitable postquantum mechanisms, as well as when creating postquantum protocols. For example, in many proposals, there is a significant disparity in the difficulty of encryption/decryption or signing/verifying. Ephemeral key generation is considerably slower, and key sizes can grow significantly in comparison to currently used keys. The protocols employed in IoT should reflect the properties of these new underlying algorithms and delegate computationally harder tasks to the server side. A correct selection of a suitable postquantum cryptographic algorithm can lower the price of client devices and provide a competitive advantage to the IoT vendor.

Data Confidentiality in Postquantum World
As mentioned in the previous chapters, AES is considered resistant to quantum computers but with a key size of 192 bits or more. In most cases, this is a simple solution to quantum-resistant symmetric encryption. In some cases, however, the limits of the devices force us to search for alternatives. Along with AES, Singh et al. in [93] advise TWINE, HIGHT, and PRESENT for use in IoT, but for postquantum security, the key sizes are too small. We can increase the key size to meet the postquantum requirements or look for ciphers that are quantum-resistant by design. Li et al. in [94] presented a stream encryption scheme with variable plaintext. In addition, interesting solutions are the lightweight cipher families SIMON and SPECK, published by the National Security Agency (NSA) in 2013 [95], which are developed for limited devices. In [96], Jang et al. evaluated and compared SPECK and SIMON in terms of quantum resources. In PQCRYPTO's recommendations of long-term secure postquantum systems [97], AES-256, Salsa20 with a 256-bit key length, and Serpent-256 are advised for postquantum security, if the limits of the device allow it.

Key Establishment in Postquantum World
Things are more complicated when we discuss public-key algorithms. Here, we need to replace current algorithms and choose new ones. Good replacement algorithms can be found in the third round of the NIST competition. There are four candidates for the new standard, but not all are suitable for all IoT applications. It is important to choose the right algorithm according to the limits of the device. Some of the postquantum algorithms are memory intensive, others are computationally intensive, etc.
The first candidate, Classic McEliece [98], is a cryptosystem that takes all the best from classical code-based systems. The first public key system based on a decoding problem was introduced by Robert J. McEliece in 1978 [99]. A random error vector is added to the codeword (ciphertext), and these errors are removed during decryption. The advantage of this method is a relatively high level of security. In the more than 40 years since this system was published, several papers examined its security, and the cipher is still strong. An overview of some of the attacks was written by Zajac and Repka in [100].
McEliece cipher can be also used with symmetric cipher in the dual scheme to provide complete encapsulation of data. In the work of Zajac [101], the symmetric key is embedded into the error vector of the McEliece. If the sender does not want to store the whole message in the memory due to some limitations, the encryption can also be streamed.
The NIST candidate brings a quantum-resistant KEM (key exchange mechanism), based on Niederreiter's dual version of the cipher, and uses the same family of codes as the original design, Goppa codes. The disadvantage of this approach is the quite large size of the public keys, which are larger than one megabyte at 128 bits of security. In addition, key generation is relatively slow. The advantage is the small size of the ciphertext and the rate of encapsulation and decapsulation.
A better option for IoT devices in terms of saving memory and battery life is a lattice-based cryptosystem. In the third round of the NIST competition, we can find three candidates: NTRU [102], based on the shortest vector problem, and CRYSTALS-KYBER [103] and SABER [104], based on the learning with errors problem (LWE). The memory consumption for NTRU is less than 50 kilobytes. Similarly, the CRYSTALS-KYBER and SABER ciphers have public keys with less than 20 kilobytes. All three lattice-based cryptosystems are a bit slower than Classic McEliece but also range from 10 to 15 ns [105] for both encryption and decryption. Hao et al. [106] also published an implementation of NTRU Prime for IoT devices. An interesting comparison of LWE and Error Correction algorithms focused on lightweight devices can be found in Saarinen's work [107].

Quantum-Resistant Lightweight Digital Signatures
The vulnerability of asymmetric cryptography has also resulted in the need for the updating of algorithms for digital signatures. The NIST [108] competition also includes the standardization of a new digital signature. Two candidates in the third round, CRYSTALS-Dilithium [109] and Falcon [110] are lattice based. The underlying hard problem of CRYSTALS-Dilithium is learning with errors (LWE), and Falcon relies on short integer solution problems (SIS). The third candidate for the new standard is Rainbow [111]. It is based on the problem of solving systems of multivariate polynomial equations.
For a comparison and help with choosing the right algorithm for an IoT application, we can find information about energy consumption in the work of Roma et al. [112]. When generating a key pair, CRYSTALS-Dilithium consumes the least amount of energy and can complete the process in less than 1 ms. Falcon is also good: it can generate key pairs in 22 ms. Signing and signature verification are similar, and all three algorithms did an excellent job. By a small difference, Falcon wins, because it creates a signature in 0.69 ms and verifies it in 0.11 ms. Signature sizes are less than 6 kB in all three cases, as well as the key size for Falcon and CRYSTALS-Dilithium. However, the size of the keys can reach almost 2 MB with the Rainbow algorithm.
All three algorithms are good for IoT applications; the choice depends on the needs of a specific device or application.

Group Communication Using Limited Devices
There are many more challenges in securing IoT communication in the postquantum world. In the work of Colombo et al. [113], the authors proposed a new scheme for group communication in the Quantum Era. Ongoing experiments focus on the implementation of this scheme on a small device with a low-power ARM Cortex-M4 processor (seCube).

Evolutionary Techniques for Security
Evolutionary algorithms are used to solve optimization problems, where the solution search space is too large for a simple brute-force approach. They take inspiration from biology, where a set of organisms (representing solutions) is evolved through various techniques, while the laws of evolution (such as natural selection) apply. The goal is to find the global optimum of a fitness function that evaluates the quality of a solution.
The most popular evolutionary algorithm used is genetic programming, mostly because it is not difficult to implement and it can provide good results for complex problems.
Evolutionary algorithms may not always find the best global solution. The starting population and definitions of evolution operations (such as crossover and mutation) can greatly influence the ability of the algorithm to find a global optimum.
Artificial intelligence and machine learning are promising solutions to IoT security. They can detect abnormal activities on the network, intrusion, and various malware activities. However, these algorithms have to be trained to successfully detect attacks. This is where genetic algorithms (GA) come in. Current research focuses on using GA for the optimization of neural network parameters or feature selection. For example, Zhang et al. [114] used a specially modified GA to set the parameters of a deep belief network.
Another example where GA is used to optimize the performance of a classification algorithm was presented by Alqahtani et al. [115]. They created a botnet attack classifier using an optimized extreme gradient boosting (GXBoost). GA was used to optimize the parameters of the GXBoost model. Current solutions using GA achieve very good results. GA allows classifiers to be more efficient and effective. However, GA is still sensitive to the initial population, and the global optimum may not always be found. Future research may show how to choose the initial population and how to evolve it so that global optimum may be found with a very high probability.
IoT devices generate a large amount of data containing numerous data points. Even for an expert, it can be difficult to determine which parameters are important for the detection of harmful activity. GA can be used to select features from this data that can be later used in a classifier. Zhang et al. [116] combined ordinary GA with the GWO algorithm, thus eliminating the shortcomings of both algorithms. The selected features were used to train an SVM model. Intrusion detection using this model performed better than previously available methods. In the future, we can expect machine learning to play a major role in malware and intrusion detection. Therefore, it is important to increase the accuracy of these algorithms. Since combining GA with GWO offered better performance, other combinations of various evolutionary algorithms have to be researched to find out which offers the best results.
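A minimal version of GA-based feature selection, added here as an illustration and not taken from [116]: a plain GA (no GWO hybrid) evolves a feature bitmask that is scored by a nearest-centroid classifier instead of an SVM. The flows, the informative feature indices, and the penalty weight are constructed assumptions; an exhaustive search is included so the GA result can be compared with the global optimum.

```python
import itertools
import random

N_FEATURES = 8
INFORMATIVE = (1, 4)   # assumed: e.g. packet rate and distinct destination ports
PENALTY = 0.01         # assumed cost per selected feature


def make_flows(rng, n):
    """Constructed flows (not real traffic): label 1 shifts the informative features."""
    flows = []
    for k in range(n):
        label = k % 2
        row = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        for i in INFORMATIVE:
            row[i] += 3.0 * label
        flows.append((row, label))
    return flows


def accuracy(mask, train, val):
    """Nearest-centroid accuracy on val using only the features selected by mask."""
    idx = [i for i, bit in enumerate(mask) if bit]
    if not idx:
        return 0.0
    cents = {}
    for lab in (0, 1):
        rows = [x for x, y in train if y == lab]
        cents[lab] = [sum(r[i] for r in rows) / len(rows) for i in idx]
    hits = 0
    for x, y in val:
        dist = {lab: sum((x[i] - c) ** 2 for i, c in zip(idx, cents[lab])) for lab in (0, 1)}
        hits += min(dist, key=dist.get) == y
    return hits / len(val)


def fitness(mask, train, val):
    return accuracy(mask, train, val) - PENALTY * sum(mask)


def evolve(train, val, rng, pop_size=20, generations=25, p_mut=0.1):
    """Elitist GA over bitmasks; returns (best mask, best fitness per generation)."""
    cache = {}

    def score(mask):
        if mask not in cache:
            cache[mask] = fitness(mask, train, val)
        return cache[mask]

    # The all-features mask is seeded so the result is never worse than no selection.
    pop = [(1,) * N_FEATURES]
    pop += [tuple(rng.randint(0, 1) for _ in range(N_FEATURES)) for _ in range(pop_size - 1)]
    history = []
    for _ in range(generations):
        elite = max(pop, key=score)
        history.append(score(elite))
        nxt = [elite]                                   # elitism
        while len(nxt) < pop_size:
            a = max(rng.sample(pop, 3), key=score)      # tournament selection
            b = max(rng.sample(pop, 3), key=score)
            cut = rng.randrange(1, N_FEATURES)          # one-point crossover
            child = a[:cut] + b[cut:]
            nxt.append(tuple(bit ^ (rng.random() < p_mut) for bit in child))
        pop = nxt
    best = max(pop, key=score)
    history.append(score(best))
    return best, history


def global_optimum(train, val):
    """Exhaustive search; feasible only because the mask has 8 bits."""
    masks = itertools.product((0, 1), repeat=N_FEATURES)
    return max(masks, key=lambda m: fitness(m, train, val))


def run(seed=1):
    rng = random.Random(seed)
    train, val = make_flows(rng, 60), make_flows(rng, 60)
    best, history = evolve(train, val, rng)
    return best, history, train, val


if __name__ == "__main__":
    best, history, train, val = run()
    print("GA mask:", best, "fitness:", round(history[-1], 3))
    opt = global_optimum(train, val)
    print("optimum:", opt, "fitness:", round(fitness(opt, train, val), 3))
```

Running it with different seeds shows the sensitivity to the initial population that the text mentions: the GA never scores above the exhaustive optimum and may settle below it.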
The advent of 5G networks will further expand the use of new IoT devices. Such a large number of devices requires careful management of spectrum resources so they can maintain a good level of connectivity. One of the management techniques is cooperative spectrum sensing, where devices share sensing information and one control node decides on spectrum assignment. In this configuration, malicious devices sending false information can cause the severe degradation of the performance of the network. Khan et al. [117] proposed the mitigation to these attacks using GA-based soft decision fusion. This scheme achieved better performance and a lower probability of errors than conventional schemes.
One of the important operations in IoT security is the collection of events for the purpose of detecting security incidents and their subsequent mitigation. The technology to process this large collection of data is called complex event processing. This processing consists of filtering, normalization, and subsequent aggregation of information. Since IoT devices do not have large persistent storage space, data are not stored, and these operations are executed on the fly. The parallelization and distribution of these operations between network nodes is a complex problem. Kotenko and Saenko [118] used GA to optimize the scheme of aggregation functions. The results were again favorable: the network reached higher throughput, and the CPU load was lower than with the scheme without GA.
Intrusion detection systems based on machine learning classifiers use previously recorded data to differentiate between normal traffic and an attack. The obvious disadvantage is that the attackers sooner or later develop an attack that is not classified as an attack and allows them to penetrate the network. Mrugula et al. [119] used the principle of coevolution, where two populations of linked organisms are evolved: predator and prey. In this case, GA is used to evolve new attackers (as predators), and these are then used to train an artificial immune system that detects them. They focused on only one type of attack (interest cache poisoning) with good results. This work has shown that exploring the attack space may uncover vulnerabilities sooner than they are exploited by attackers. In the future, we can expect more similar systems that automatically generate new attackers to improve the detection of IDS and other security systems.
Another disadvantage of classifiers based on machine learning is adversarial learning samples. These samples are created from a malicious sample by a careful small modification. The purpose of this modification is to flip the detector result from positive to negative, so that the harmful sample enters the system. Liu et al. [120] have created a system that uses GA to create new adversarial samples of Android malware. They chose to add various application permissions as the modification. With their adversarial samples, they managed to evade malware detection with almost 100% success. A similar result was obtained in [121], where adversarial samples of network traffic were created. Artificial intelligence and machine learning are being deployed in an increasing number of security areas, including IoT. Thus, we can expect more research in the field of adversarial samples and on refining machine learning algorithms so that such samples are correctly identified.
Many vulnerabilities in IoT devices are caused by software bugs such as buffer overflow, etc. Source code of IoT terminals is usually closed and therefore not available for independent review. It is therefore necessary to use a different method to detect vulnerabilities in such code. Zhu et al. [122] presented a method in which firmware instructions from an IoT terminal are extracted in a form of genes. Subsequently, these genes may be compared to other genes representing the instructions that are known to contain vulnerabilities. The authors used a manually constructed distance function that computed a similarity between genes. We think that GA can be useful in providing ways to find an optimum distance function that may provide even better detection rates.
Deep learning, a successor of machine learning, is also showing good results, often exceeding previous techniques with better accuracy of prediction and classification [123]. Interesting results were achieved by the authors in [124]. The researchers noticed similarities between the layered architecture of deep neural networks and that of IoT networks. They suggested a decentralized classifier scheme that took advantage of the IoT network architecture. As a result, their framework used just 4% of the original transmission capacity while providing results with just a 2.5% deterioration in inference.
Deep learning techniques can also provide better protection against adversarial attacks and transferability attacks, in which an attacker simulates a model with their own deep learning network [125]. The solution proposed by the author is to use adversarial training that generates adversarial examples during the training procedure.
Other aspects of IoT security can utilize deep learning, including those we already mentioned in this section. This includes intrusion detection [126][127][128][129] and other types of anomaly detection [130]. A full coverage of these areas would require a separate article.
At present, IoT security research is mainly conducted in simulated environments, because such experiments are convenient and simple. The choice of the environment has a great influence on the results of experiments: a seemingly perfect detector in a simulated environment may not work well on a real IoT network. Zhang et al. [116] mentioned a few problems and mistakes that researchers in this field often make. One of them is the use of an old data set from the KDD Cup 1999 competition. As this data set is more than 20 years old, it is outdated and not suitable for use as IoT network traffic simulation data. Research in this area could be accelerated and improved by creating high-quality and extensive data sets containing real (not simulated) IoT traffic. GA and machine learning can be trained on these data sets with better results that would allow these technologies to transfer into the real world more smoothly. Furthermore, the developed algorithms have to be optimized, so that they can run on the modest hardware that IoT devices offer.

Discussion
The security of IoT applications is becoming a critical factor. Due to the widespread adoption of IoT, attacks in the cybernetic domain can now have significant real-world consequences. IoT devices, especially those connected to cloud providers, can also pose privacy problems by leaking real-world private data unintentionally.
There are many security options we can consider in future trends in IoT security. Significant challenges are connected to the interaction between IoT devices and the cloud, with an extra layer added by the emerging integration with blockchain technologies. Careful design and consideration need to be given to basic security properties such as confidentiality, integrity, and availability. However, we must keep in mind the emerging threats that cross cyber and physical boundaries.
A new asymmetry in potential threat assessment comes from the area of quantum computing. With the rapid development of quantum computing, some of the most used cryptographic algorithms, such as RSA, will become obsolete. When considering physical IoT devices that should stay secure during a longer lifetime, we should consider a way to prepare for migration to quantum-safe algorithms.
We consider the security of IoT as a scope for a cybernetic evolution: attackers evolve new techniques, which are then mitigated by new defense mechanisms. Evolutionary techniques and machine learning have many security applications, especially in processing the large volumes of network traffic and logs produced by IoT devices. It is an interesting question whether this type of cybernetic evolution, which resembles the natural prey-predator relationship, can lead to the emergence of new artificial intelligence techniques.
Funding: This research was sponsored in part by the NATO Science for Peace and Security Programme under grant G5448. This work was supported in part by the Slovak Research and Development Agency under the Contract no. APVV-19-0220.

Conflicts of Interest:
The authors declare no conflict of interest.