Autonomous Trust, Security and Privacy Management Framework for IoT

The increasing adoption of Internet of Things (IoT) has had a profound impact in society and its different sectors (e.g. eHealth, utilities). As the number of adopted IoT devices worldwide increases, so do the reports of associated vulnerabilities. This leads into proportionally higher concerns, as existing IoT security- and privacy-related issues remain unaddressed.
To ensure that the transformation brought by IoT will benefit all citizens in a way that warrants security and privacy, the research of innovative and advanced security management mechanisms and technologies that can seamlessly be integrated in a variety of contexts and applications (across different vertical market segments/applications/use cases) is needed. ARCADIAN-IoT aims at enabling a holistic framework, which establishes vertical planes to manage identity, trust and recovery in IoT systems considering its distinct entities (persons, IoT objects or devices and apps/services), while being complemented by horizontal planes enabling advanced privacy, security and encryption in a decentralized manner. The framework aims to enable a Chain of Trust (CoT) between the diverse entities participating in IoT systems, including persons, IoT objects and related apps/services.

The project requirements and KPIs, IoT use cases, technical, legal and ethical challenges, and architecture were established in WP2 (M1-M12).
The research and development of the horizontal (Privacy, Security and Common) planes, as well as vertical (Identity, Trust and Recovery) planes was performed in WP3 and WP4, respectively. The results from the horizontal planes include:
-Dependable and privacy-preserving Federated Learning capabilities supporting ML models
-APIs for specification of anonymization and encryption policies
-Cognitive loop for automated IoT network monitoring, healing and protection
-Device Behaviour Monitoring supported by federated training and central model aggregator
-Policy-based and event-driven IoT Device Self-Protection
-Extended MISP supporting CTI in IoT
-ABE-based library and decentralized Multi-Party Computation (MPC) protocol for key management
-Hardened Encryption (HE) System with cryptochip as RoT for industrial IoT (Key Exploitable Result - KER#3, IPR protection ongoing)
-SIM security applet for enabling a SIM-based Root of Trust (KER#5)
-Smart Contract for publishing ARCADIAN-IoT data on Hyperledger Fabric.
The results from the vertical planes include:
-Public DIDs supported via Sidetree node integrated with the ARCADIAN-IoT SSI Agent (contributing to KER#2)
-MFA for persons and devices orchestrating 3 authentication factors, issuing protected and signed ID tokens, and informing security components of authentication events
-Network-based Authentication leveraging SIM credentials for IoT authentication to Cloud services (KER#4)
-Drone-collected facial dataset from various people, facial orientation, illumination and distances, solution for face detection & verification from drone-collected stream
-SSI solution & IdP for issuing and verification of Person Verifiable Credentials
-3 Reputation models for persons, devices and services
-Automated Network-based Authorization based on devices trustworthiness
-Remote Attestation with SIM-based hybrid Root of Trust for claim’s HE
-Self-recovery integrating HE and a scalable storage backend
-Credential Recovery supporting encrypted SSI Wallet backup & restore, and DID recovery for IoT devices
Both an intermediate (P1) and final Prototype (P2) of the integrated ARCADIAN-IoT framework (KER#1) and its progressive incorporation by the 3 IoT services (grid, medical, security sectors) were performed. The prototypes were subject to different validation scenarios for assessing ARCADIAN-IoT features and KPIs.
Additionally, the project performed:
-6 training sessions for both ICT and non-ICT end users
-a Communication Task Force with several projects funded under the same call, later evolving to the SecureCyber Cluster communication hub
-5 thematic webinars, 1 Summer School, published 12 newsletters, participated in 15 external events
-3 organized/co-organized workshops
-21 scientific journals and 13 conference/workshop papers published
-6 KERs
-17 relevant contributions to standardization activities (IETF, GSMA)

The project introduced a decentralized framework for managing identity, privacy, trust, security and recovery management for IoT in an integrated way, resulting in the following innovations:
-Permissioned blockchain framework enabling distributed data management by security-related components
-Flexible and decentralized system for encryption hardened with eSIM as RoT implementing Attribute Based Encryption, including a decentralized key management system
-HE with Cryptochip technology for highly constrained industrial IoT devices
-Enhanced data privacy management via user-enabled policy decision engine and flexible policy enforcement
-Novel techniques for data rebalancing and robust and efficient aggregation for FL settings
-Enable IoC sharing by resource-constrained devices (tinySTIX) and enhanced CTI analysis with ML tasks.
-Federated Learning-baswed anomaly detection to detect cyber attacks and policy-based self-protection for IoT devices
-Full automated security self-protection cognitive loop for DDoS attacks mitigation
-New DID:PRIV method for IoT Devices and DID Authentication for constrained devices over an IoT GW
-Notarizer as Protocol Translator reducing the number of flows executed by any IoT device
-Face verification on UAVs from further distances (>2m) with low inference time, achieving a fast, safe and accurate system
-MFA supported via novel combination of authentication factors
-Remote Attestation integrating eSIM as RoT for evidence integrity and ABE for evidence confidentiality, with attestation results contributing to IoT devices and services reputation modelling.
-Support of 3 models for entities' reputation calculation and Integration of reputation information with authorization & attestation policies
-Full SSI Support for IoT Devices in M2M flows with GO Agent for devices with limited resources.
-Network-based authorization ready to enforce communication authorization uplink and downlink bitrates separately
-Self-recovery enabling server-side or client-side triggering for different devices (server, edge, mobile)
-Credentials recovery supporting key rotation on the permissioned blockchain & re-issuing of Verifiable Credential based on the device fingerprint.
The innovations were validated in TRL5-6 settings in different IoT services led by SMEs, directly impacting both the involved business stakeholders roadmap, as well as paving the path for new collaboration and research opportunities for academic and RTOs partners.
The project expects to contribute to the overall EU industry preparation against threats to IoT, such as via early detection and mitigation of IoT cybersecurity incidents, thus reducing the associated economical and societal impact; the facilitated information sharing between / within private and public organisations through the availability of advanced tools for entities such as CERTs or CSIRTs; - the wider adoption of distributed, enhanced trust management schemes for IoT entities; or the availability of trustworthy on-line products, services and business, contributing to a more competitive offering of secure products and services by European providers in the Digital Single Market.