State regulation of the IoT in the Russian Federation: Fundamentals and challenges

The purpose of this section is to study the problems with implementing technical and legal regulations for the development of public administration functions in the Russian Federation when using the internet of things (IoT). The introduction is based on an analysis of regulatory legal acts and presents the main strategic directions for the development of public administration functions in the Russian federation when using IoT. State reports, scientific literature, a system of technical and legal regulation are analyzed, and the main problems of implementing the IoT that impede the achievement of effective public administration are studied. The Russian practice of using IoT in various economic areas is investigated. Based on an analysis of the mechanisms for ensuring data safety of information technology users in the Russian federation, problems were investigated, such as the collecting data through IoT, including publicly available personal data in order to profile human activities, and creating of a digital twin of a person. The social constraints for introducing distributed registry technologies are users' distrust in the field of data privacy protection and mathematical algorithms that are used to establish trust in a digital environment instead of trusted centralized intermediaries; these problems were also analyzed. The Russian approach was analyzed in comparison to European experience in this field. To ensure information security and the possibility of its distribution, the IoT is revealed.


INTRODUCTION
In Russia, the use of the Internet of things (IoT) is typical for many sectors of the economy. Despite the fact that IoT technologies are still being tested, a commercially attractive number of IoT devices will appear on the market by 2023-2025. However, some devices for pilot projects were available as early as 2020.
Testing IoT technologies is carried out in the sphere, which includes cars with varying degrees of automation (in the future, autonomous cars), in medicine, logistics, and the entertainment industry based on augmented reality, as well as in certain types of state supervision [1], including in profiling human activities [2]. In Russia, as in the world, IoT is used to create a smart home and smart energy [3]. The development of this economic industry was confirmed by contracts concluded between IT leaders. For example, in 2018, mobile  [4]. The massive use of information technology to solve problems at the household and government levels pose challenges for developing a system of legal and technical regulation that reduces barriers to the use of these technologies, information security of information technologies, protecting privacy, compatibility, and protecting competition. Scientists believe that the use of new technologies will create serious problems and new risks to public safety and national security since they have a dual purpose and are inherently vulnerable to exploitation [5]. Achieving this result is possible by applying an integrated approach at the level of interdisciplinary knowledge. This requires, on the one hand, the joint work of state bodies, international and national organizations, and commercial structures. On the other hand, it is necessary to form a system of views on the complex problems regarding IoT security [6].
The digitalization of the economy and public administration requires a definition of a strategy for the creation and use of information technology, including introducing the IoT as a technology in which the state and business are interested. The Government of the Russian Federation defines as the main activity the need for "the formation and maintenance of state information resources, the definition of rules for the systematization of information in these resources, as well as the harmonization of information between various information resources of authorities" [7].
Between 2017 and 2019, a number of legal documents have been developed that introduced the IoT in the Russian federation [1], [8], [9]. By 2020, the structure of the Russian information technology market has increased the hardware and services market while reducing the software market [10].
Currently, the Russian federation is actively implementing and using the IoT in various areas of economic activity, which allows them to qualitatively strengthen the forecasting capabilities in various fields and to improve the quality of the services provided in the information sphere. Last year, the Government of the Russian Federation launched an experiment to create a digital profile of the infrastructure based on the unified identification and authentication system federal state information system. Since July 1, 2020, an experiment has been conducted to establish special regulations for implementing artificial intelligence technologies in Moscow.
One of the problems in the development of the Russian data market is the lack of clear legal regulation for the interaction of participants in this market. This paper presents an analysis of the threats and risks of the IoT, analyzes the regulatory and technical regulation of the IoT, a number of organizational and legal aspects of ensuring the security of the IoT was revealed. The problems that impede the creation of an effective system for regulating the Russian IoT market were analyzed. This paper presents an analysis of the threats and risks of the IoT, analyzes the regulatory and technical regulation of the IoT, a number of organizational and legal aspects of ensuring the security of the IoT was revealed. The problems that impede the creation of an effective system for regulating the Russian IoT market were analyzed..

RESEARCH METHOD
This research is based on a number of research methods-general scientific methods: deduction and induction and special research methods (comparative research, complex legal regulation, tabular method, and other methods of theoretical research). The use of these research methods seems to the authors to be the most justified for understanding both the objective laws of the field of research and the directions for further use of the results in practice. These methods are widely used when it is necessary to conduct a complex of interdisciplinary research [11].
The transition from general to specific in the process of reasoning allowed the authors to reveal the features of technological solutions used in the IoT. The analysis of the above definitions of IoT led the authors to the conclusion that information is involved in a continuous cycle of reception and transmission, decision making, and interaction of devices in the Internet of things. Accordingly, this allowed the authors to describe the technological methods of information protection. The IoT reference model made it possible to represent the "points" of the organizational and legal impact that require information security. International standards ISO 27000 and ISO-13335 and national standards of Russia were considered as instruments of technical regulation. An analysis of the existing system of division of competences between Russian federal agencies allowed the authors to describe the area of responsibility, identify priorities, and competencies.
The induction method, which includes the movement of cognition from facts to general statements, made it possible to present the structure of IoT security objects, clusters of the basic threat model, a number of specific threats related to the functioning of embedded interconnected IoT devices. In the conclusion, the general conclusion of the study is made. ConsultantPlus, Scopus, Elsevier, SpringerLink, GoogleScholar were used to collect data and analyze the regulatory and scientific base related to data security in general and in the context of IoT.

TECHNOLOGICAL REGULATION: RISKS AND THREATS OF THE IOT 3.1. Different approaches to representing the IoT architecture
The features of the technological solutions used in the IoT determine the specificity of the technological solutions in IoT security. For example, it is proposed to use the splunk SIEM solution to identify and block traffic from compromised IoT devices [12]. To ensure secure aggregation of data, it is proposed to use the efficient-CSDA algorithm [13], and various methods to ensure the security of storing, receiving and transmitting data are being studied [5]- [15].
The concept of building the IoT belongs to Kevin Ashton, who in 1999 expressed the idea that comprehensively implementing RFID tags could modify the logistics chain management system. He proposed combining physical objects ("things") equipped with built-in technologies for interacting with each other or with the external environment into a single computer network (served by Internet protocols). There are currently a number of IoT definitions. For example, the European Union Agency for Cybersecurity ENISA defines IoT as "a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making" [14].
Stemming from the definition is the fact that information lies at the heart of IoT, feeding into a continuous cycle of sensing, decision-making, and actions. The IoT is tightly bound to cyber-physical systems and, in this respect, is an enabler of smart infrastructures (e.g., Industry 4.0, smart grid, smart transport) by enabling services of higher quality and facilitating the provision of advanced functionalities [15].
The IoT technologies are based on a set of requirements for measuring instruments that ensure the conversion of information into machine-readable data (sensors, devices, home systems, and measuring systems), means of automatic identification of objects of the physical world (RFID technologies, barcodes, data matrix, QR codes, means for determining location in real-time, and MAC address of a network adapter), and data communications using wireless and wired networks. The IoT requires the presence of basic components; their interconnection is carried out in the presence of its own IoT architecture and includes:  The totality of the presence on the devices or systems of sensors or identification tags that allow for unique identification;  Fully automatic execution of processes and functionality by devices or systems;  Interaction between devices or systems through communication networks (infrared, wireless, power and low-current networks);  The ability to transfer data in two directions over TCP/IP protocols via Internet channels without human intervention. Of course, there are different approaches to representing the IoT architecture. For example, the National Institute of Standards and Technology (NIST) proposed dividing the IoT into five functional areas [16]: connected devices, consumer-grade IoT medical equipment, and devices used in healthcare, smart buildings, and "Smart" production (including industrial control system). The disadvantages of this approach include the need to develop standards that consider the specifics of the activity.
In this work, the reference architecture of the IoT, developed by the standardization sector of the International Telecommunication Union (ITU-T) Y.2060, details the physical components of the IoT ecosystem used. The IoT reference model is shown in Figure 1 and includes four levels (applications, service support, application support, and network devices), as well as management capabilities and security capabilities. Architecture layers must be connected, integrated, managed, and made available to applications [17]. Since Russia is a member of the ITU, the proposed IoT architecture is used by Russian developers.

Correlation of Russian and international approaches to information security of the IT sector
The problems of ensuring the safety of IoT are actively discussed in the scientific literature, various solutions are proposed. For example, ensuring safety by reducing the response time of data transfer protocols in IoT is proposed [18], [19]. To ensure the safety of IoT switching, new algorithms for optimizing things are proposed [20]. In addition to considering the threats and risks traditional for the IT sector, a number of specific problems, IoT has its own problems:  Device management, remote activation and deactivation of devices, diagnostics, firmware and software updates, device operating state management;  LAN topology management;  Traffic and congestion management detection of network congestion and the implementation of resource reservation for urgent and/or vital traffic flow. Technical regulations for the IoT has been carried out by the Institute of Electrical and Electronics Engineers (IEEE) and the International Electrotechnical Commission (IEC) since 2014 when the IEEE working group began the development of an "architectural framework for the IoT, which focused on the problem of ensuring the reliability and safety of devices. In December 2015, the Interagency Working Group International Cybersecurity Standardization for the IoT was created to describe the goals, risks and threats, and coordinate issues in the field of cybersecurity at the international level [17]. A number of international organizations (e.g., The European Union Agency for Network and information security and the industrial internet consortium) also deal with the issue of ensuring IoT security through the use of an integrated (organizational and legal) approach.

Figure 1. The IoT reference model
Russia takes part in the activities of these organizations both at the level of interstate cooperation and at the level of individual participation; Russian companies use the results from scientists in practice. To ensure information security in general, as well as to solve IoT security problems in the Russian Federation, both international standards ISO 27000 and ISO-13335, and national standards of legal and technical regulation are applied. The state standardization system of Russia allows various versions of the rules for applying international ISO standards by adopting an authentic text of an international standard as a state Russian regulatory document (GOST R) without any additions or with additions reflecting the peculiarities of Russian requirements for standardization. At the same time, the Russian federation is developing its own national standards. The relationship between international and national standards is shown in Table 1.
At the national level, IoT security is provided by the Federal Service for Technical and Export Control (FSTEC of Russia); they organize interdepartmental coordination and interaction and exercise special and control functions in the sphere of information security (applying non-cryptographic methods) in information and telecommunication infrastructure systems. The FSTEC cooperates with government agencies and companies in the field of cybersecurity and countering hacker attacks. The FSTEC created and updated a consolidated vulnerability database for information processing and transmission systems. Currently, the database contains 217 threats and more than 27 thousand vulnerabilities. These data are especially relevant for the protection of state information systems, personal data processing systems, and automated control systems for critical facilities.
The proposed threats can be divided into large clusters, as defined for the basic threat model [21]: an internal attacker, external attacker, built-in hardware bookmark, standalone hardware bookmark, software bookmark, program (e.g., a Trojan horse), software virus; Network malware (e.g., password guessing, remote access) [22]. Within the framework of the IoT, FSTEC has been identified a number of specific threats to the functioning of embedded interconnected devices: theft and use of confidential information and user credentials, ransomware and ransomware attacks, installation of unauthorized firmware, remote access and attacks via mobile devices, data interception, man-in-the-middle attacks, and exploitation of vulnerabilities in applications [22].
The most important role in ensuring wireless data transmission in the IoT is played by factors such as bandwidth resiliency, adaptability and compatibility, efficient data transmission at low speed, reconfiguration, and scalability when using and organizing a network [23]. At the same time, a number of problems have been identified for the IoT: Protection against the use of built-in backdoors and known vulnerabilities in firmware and the detection and blocking of attempts of unauthorized change of firmware. Embedded devices must provide protection that works effectively in isolated networks without an Internet connection, with minimal impact on performance, and complies with legal and industry standards [24], [25].
Testing methods for smart devices relate to the functioning of the devices themselves, interaction with networks, and security. Testing issues go beyond the devices and sensors themselves, and other issues arise related to the processing of large amounts of data. To ensure information security, the Russian Federation since 2015 has defined a strategy for the development of its own economic industry in the development of domestic software and domestic technical standards.
FSTEC offers a set of organizational and technical measures aimed to counter threats to the IoT and ensure information security. A set of measures by the FSTEC was proposed to address information security [22]: identification and authentication of access subjects and access objects, access control of access subjects to access objects, limitation of the software environment, protection of machine media, check the security event, antivirus protection, intrusion detection (prevention), control (analysis) of data security, ensure the integrity of the information system and data, ensure the availability of data, protect the virtualization environment, protect technical means, protect the information system (i.e., its means, communication, and data transmission systems), identify incidents, and configuration management for the information s and data protection systems. Scientists and practitioners offer solutions to the above problems [10]- [18], [21], [26].

RUSSIA'S PARTICIPATION IN THE DEVELOPMENT OF INTERNATIONAL SOLUTIONS TO ENSURE THE SAFETY OF IOT
Currently, the scientific community is discussing the issue of conflict resolution when data analytics and confidentiality conflict with each other. It is believed that overcoming this contradiction is possible as a result of applying a wide range of methods that satisfy different degrees of confidentiality and still allow researchers to use different methods of data analysis [27]. As a practical result, one can imagine the activities of a number of Russian companies to ensure IoT security, such as: Kaspersky Lab, Entrust Datacard, Praetorian, Fujitsu, and Microsoft, in 2019, they prepared the practitioner's guide for IoT Security maturity model [28]. This guide identifies gaps in specific configurations, products, scenarios, and technologies and prioritizes countermeasures accordingly. This practice aims at both revealing known and specific factors that may place the functioning of a given system at risk and accurately describes these factors. Practical activities to ensure the safety of the IoT in Russia is related to a number of factors and are presented in Table 1. In Russia, as in a number of other countries, a public-private partnership (PPP) can act as a coordination platform for pooling financial resources of public authorities and the private sector. This approach is used for the implementation of expensive projects with long payback periods, has a high potential for attracting investments and a set of conditions necessary for the implementation of the project [29], [30]. An example of a public-private partnership is a project of the IoT launched on July 23, 2020, by MegaFon, which will allow public and private medical institutions to offer patients a health monitoring service. At the moment, one solution has been launched for remote monitoring of the health status of patients with hypertension, in the future other solutions will be connected to the system, including the maintenance of measuring devices [31].
For its part, the Government of the Russian Federation must ensure regulatory of the safety of both devices and users. In this regard, the Government of Russia made a strategic decision to ensure information security through the priority use of domestic technological solutions using in various information infrastructures. So, for example, in 2019 the Ministry of Telecom and Mass Communications of Russia approved the Roadmap for the development of "end-to-end" digital technology "Wireless Communication Technologies", which provides for the development of terminal access equipment, collecting parameters by sensors/controlling actuators in communication networks of NB IoT/LTE-MTC using domestic cryptographic algorithms by 2021.
In addition, when creating and developing 5G/IMT-2020 networks on the territory of the Russian Federation, the use of domestic cryptographic algorithms, trusted software, and the electronic component base is also provided, and the introduction of Russian crypto algorithms in the specification of international standards is also proposed [32]. Despite the high security, cryptography has the disadvantage that it is a slower speed. This is noted by scientists and this is confirmed by mathematics [33]. This approach will allow to some extent eliminate the internal uncertainty associated with a large number of data sources, the anonymity of participants, and uncertainty of responsibilities [34], [35].

CONCLUSION
Thus, in ensuring the safety of the IoT, an integrated approach should ensure public-private partnerships at the national and international levels and use leading practices and techniques to ensure protection against threats and risks. IoT security is possible with the practical compatibility of legal and technical regulations. Coordination of legal and practical activities should take into account the autonomy and independence of the norms and the subjects of their application.
An additional problem is the lack of reliable standards, which is associated with the practical interaction of virtual and physical environments in the context of cyber-physical systems. Over a short period of time, the amount of information collected (including about users) has grown significantly, and the number and quality of heterogeneous devices have exponentially increased. This problem is relevant not only for the Russian Federation but also for other developed countries. At the same time, a characteristic threat to IoT security in Russia is the use of technologies, a significant part of which belongs to foreign developers. In the Russian Federation, information security is ensured by the development of domestic software and standards. Of course, one can agree with this position of the state, since the control and supervision of technologies that are created in accordance with domestic regulatory documents are easier to implement.