Predictive Security for IoT Platforms and Networks of Smart Objects

The IoT market is currently undergoing transformation from applications involving semi-passive devices operating within a single platform, to applications involving smart objects with embedded intelligence while spanning multiple platforms. Unfortunately, state-of-the-art security mechanisms are not sufficient for protecting end-to-end this wave of IoT applications as they offer limited support for end-to-end security, lack interoperability and scalability and are also not able to deal with very volatile and dynamic environments comprising networks of smart objects.

The main goal of the SecureIoT project is to introduce, validate and promote a novel approach to the security of IoT applications, which emphasizes a timely, predictive and intelligent approach to the identification and mitigation of security threats and incidents. One of the main characteristics of this approach is its ability to deal with smart objects, while at same time supporting security interoperability in scenarios that involve multiple IoT systems and platforms with diverse security capabilities. In order to achieve this ambitious target, the SecureIoT project has identified and has been working towards the following objectives:

• Architect an Open End-To-End Security Framework for IoT Services Involving Multiple IoT Platforms and Smart Objects with Embedded Intelligence and (Semi)Autonomous Behaviour
• Provide Adaptive Data Collection Services for Security Monitoring of IoT Entities at Multiple Levels (Devices, Edge Nodes, Cloud)
• Provide Data Driven Mechanisms for Predicting and Anticipating the Security Behaviour of IoT components - Enable proactive vulnerabilities identification through analysis across All levels of an IoT system
• Analyse & Harmonize trust relationships and security Policies of Diverse IoT Platforms and Ecosystems (Including Smart Objects) - Enable enhanced situational-awareness and correlation of data sets across domains
• Implement and Provide Open SECaaS (Security-as-a-Service) services over the SecureIoT framework, including Security Risk Assessment, Security Compliance Audits and Developers’ Support
• Challenge and showcase SecureIoT innovations through various Use cases and Usage Scenarios in High Impact Applications with Clear Market Relevance
• Introduce and Validate Business Models for Security-as-a-Service for IoT services Spanning Multiple Platforms and Ecosystems
• Establish and Sustain a Market Platform of Threat models and IoT Security policies for different Use Cases in Various Application Domains

During the second period of the project, significant work has taken place to deliver the integrated version of the SecureIoT platform which aims at providing security support to IoT systems and applications. Towards this end, a set of 3 diverse use cases were put executed and validated, not only matching the interests and daily business of project partners, but also calling inherently for substantial security features. These use cases covered also a broad range of diverse areas in the IoT domain, ranging from the industry environment (including the supply chain) to the connected vehicles environment and socially assistive robots for autism and elderly rehabilitation environment; all critical ecosystems with different characteristics and needs (e.g. types of IoT devices and data) to also prevent the SecureIoT approach from being locked to a specific vertical domain, rendering it of limited usefulness.

Based on these use cases, more detailed scenarios deemed very susceptible to and impacted heavily by security attacks were elaborated and a set of requirements with respect to security, privacy and trust were derived and were eventually mapped to components, functionalities and interfaces in the SecureIoT platform. These covered the whole lifecycle of security support from the collection, sharing and processing of security information at various levels of IoT systems, to the reasoning and early identification/prediction of security incidents, their assessment and mitigation. In addition, to support the ever-increasing need for compliance against regulations and directives, components to support this have been developed. To further foster the “by design” security of IoT applications, components to help developers design secure applications have been accounted for, while a wealth of security information that can help taking well-reasoned and effective decisions is also imported and leveraged. Acknowledging that IoT systems cannot be viewed in isolation but in many cases need to interact, cross-platform security support has also been put in place through security and privacy policies definition and alignment.

These identified components and supported functionalities were developed, tested and evaluated during the three use cases. On a side-track to ensure long-term viability of the project’s solutions, the project continuously audited its architecture and solutions to ensure that there were not any legal or regulatory issues that would prevent them from reaching the market; also a market platform has been implemented that will be used as an exploitation catalyst beyond the project duration by creating and maintaining an active community evolving around the project’s and other third-party security solutions.

As an outcome of the project, SecureIoT first established and extended a strong and solid “know-how”, which then started being leveraged for development and implementation of platform components that support the objectives set out by the project. In addition to the use case validation, this has also led to a number of publications, which together with the participation in numerous events has ensured that the work of SecureIoT has been made very visible to relevant communities and stakeholders and useful feedback from this exposure has also been taken on board to guide further research directions.

SecureIoT provided a toolbox of security solutions fit for use in the IoT domain and tailor-made to address the particularities of IoT devices and smart objects which act not only as data sources but have embedded decision making and actuation capabilities. The use cases and scenarios tested within the project act as success stories and the SecureIoT solutions portfolio was thoroughly checked from a legal and regulatory compliance point of view and were made available through the project’s marketplace to ensure the long-term viability and legacy of the project, while at the same time providing revenue streams for the developing partners. This was on top of the exploitation potential and impact that the project partners have achieved by applying the developed solutions in their every-day business (use cases) and extending them when needed to be applicable in different domains that are part -or may in the future constitute part- of their core business.

By achieving its objectives and offering its developed solutions and know-how through the market platform, SecureIoT will lower the security, privacy and data protection barriers to IoT adoption, through alleviating relevant concerns for applications involving smart objects. In this way, it will facilitate their acceptance by end-users and subsequently their wider uptake and use.