Cybersecurity Threat Detection for Internet of Things Connected Devices

The problem detected that the project aims to solve is that lack of effective security provision in software engineering impedes development speed, driven by the following factors:
- One bad design choice can lead to hundreds of security bugs,
- 80% of software flaws are introduced during the requirements and design phases (source: McConnell “Code Complete”),
- Insecure libraries, frameworks and 3rd party components introduce problems and vulnerabilities,
- Developers often do not understand how what they are NOT doing is putting their application/service at risk.
These factors lead to re-work and vulnerability remediation time (sunk costs) becoming increasingly expensive the later that security flaws are addressed.

These factors are particularly pertinent in the Internet of Things domain, a fast growing but still fragmented sector of industry and technology. Consumers' privacy is being affected by the surge in devices reaching the market with sub-standard safety provisions, meaning a negative impact on individuals and wider society.

Over the last two decades, the Internet and more broadly cyberspace has had a tremendous impact on all aspects of society. Our daily lives, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly. Information and communications technology has become the backbone of our economic growth and is a critical resource that all economic sectors rely on. Cybersecurity incidents, be it intentional or accidental, are increasing at an alarming pace and could disrupt the supply of essential services to citizens, such as water, healthcare, electricity or telecommunication services. Furthermore, if we follow the emerging markets in the short-medium term it will be characterised by a combination of IoT with Cloud Computing and Big Data creating “smart environments”.

The overall objectives of the project:
- Deep analysis of the potential idea and its global market opportunity: The innovation strategy needs to be truly inspiring and should describe a desirable future state for the company.
- Development of a technological research and innovation roadmap & IPR plan: The innovation strategy is an open process that will be empowered by the effort and expertise of the innovation associate. Secure Secure aims to bring the outside in and raise the bar in terms of ambition and to more quickly get to more mature plans. The innovation strategy will be set up taking under account the available capabilities, technologies and gaps that may need to be filled.
- Development of an innovation strategy: Secure Secure’s main objective within this recruitment is to boost the development of an open and adaptive innovation programme for the company to enter in the IoT market sector.

The project was broken down into four work packages.

WP1: Project Management
Completion of the recruitment process of the Innovation Associate and the creation and observation of management, communication, implementation and monitoring plans for the project

WP2: Deep analysis of the potential idea
- The company induction
- Requirements setting and workplan creation
- Technical and functional requirement setting
- Training (tailored trainings for IoT security specific accreditations and EC provisioned trainings)

WP3: Technological research and innovation roadmap
- Research to identify appropriate vulnerability identification tools and frameworks
- Research and identity most appropriate and efficient processes for deploying tools and frameworks
- Delivery of threat identification functionality for specified technical criteria and devices/chipsets
- Technological research and innovation roadmap with IPR plan

WP4: Innovation programme
- Analysis of all the previous results of the project
- Development of the Innovation Programme

The main exploitable results from the project are as follows:
- Training certifications gained during the grant: mean that the AI is able to perform certain cybersecurity industry standard tests and award compliance certificates. This will be exploited by allowing Secure Secure to go to market with new consulting and compliance services that leverage the gained skills and certifications (for instance, awarding ISO27001 compliance).
- Technical feasibility proven with prototype of a functional, simplistic API: exploitable to inform the next stage of design and development. This will be exploited through the development of IPR assets that are based on the functional results of the developed API.
- Technological Roadmap and IPR Plan: the plan represents an important segment of the future business plan for Secure Secure and will be exploited further to seek funding for continued development of the solution, IPR, product positioning in the market and market replication.
- Innovation Programme: the innovation programme forms an additional part of the business and innovation plan for Secure Secure. It will be exploited by informing the future R&D programme as well as applications for funding, partnership strategy and business development.

The following events were attended as part of dissemination activities to discover prospective partners:
- Mobile World Congress, Barcelona, February 2018 (MWC 2018)
- P&G and Partners Event, Brussels, June 2018
- ETSI Security Week, Future-Proof IoT Security and Privacy, Sophia Antipolis, France, June 2018

The SecIoT project goes beyond the state of the art and the novelty of the project lies in its holistic approach to the detection and diagnosis of vulnerabilities in IoT. The key market is composed mainly of consulting firms who offer scanning services as a sideline to their main business. The current commercial approach to these problems have focussed on providing services to security experts. While there is a gradual shift towards providing tools that are more appropriate for developers, all lack the full suite of functionality that would enable a developer, particularly within an SME, to utilise just one main tool. The focus of the services is to democratise security to SMEs and individual developers.

Alternative solutions only offer limited spectrum scanning at prices comparable to Secure Secure’s offering. Full spectrum scanning costs at least 4x more, and requires the intervention of a security expert to interpret results.

A summary of alternative solutions’ downfalls when compared to what users require:
- Mostly irregular or scheduled scanning frequency which leaves assets vulnerable,
- Tools better suited to security professionals and not developers due to highly technical jargon,
- Results and scan depth that are usually just good-enough for passing audits or being compliant, not for being truly secure,
- No facilities for scanning containers, upon which many developers now rely,
- Solutions that focus on servers or SDKs from a single provider, or limited operating systems.

As an impact on wider society, we see that the SecIoT innovation democratises access to a SaaS solution integrated with software development frameworks that provides continuous and consistent scanning. Users benefit in terms of reduced costs, saved time and increased expertise as the solution provides assistance to resolve vulnerabilities in “developer language”, removing the need to call upon security experts to configure multiple tools un-pick jargon.