CORDIS - EU research results

SECURITY BY DESIGN IOT DEVELOPMENT AND CERTIFICATE FRAMEWORK WITH FRONT-END ACCESS CONTROL

Periodic Reporting for period 2 - IOTAC (SECURITY BY DESIGN IOT DEVELOPMENT AND CERTIFICATE FRAMEWORK WITH FRONT-END ACCESS CONTROL)

Reporting period: 2022-03-01 to 2023-08-31

Security is foundational for the operation of IoT systems and devices. In IoT, physical things need protection, and securing them is much more challenging than has traditionally been the case with IT systems. The rapid adoption and sheer volume of connected IoT devices is the basis for a growing cybersecurity threat landscape. As the number of connected devices grows, so do attempts to compromise their security. IoT devices are often connected to the Internet without protection. Many IoT devices used in critical infrastructures have insufficient security measures and are attractive targets for malicious cyber attackers.
Profound changes were under way in society, partly induced by general technology evolution, partly by the Covid epidemic:
• Corporations are heavily outsourcing.
• Architectures are moving to the cloud.
• Employees are working from home.
• Employees are using their own devices.
• Consumers are purchasing online.
All these changes increase the vulnerability of businesses and open new attack surfaces.
To counter the known and emerging threats, the IoTAC (Security By Design IoT Development and Certificate Framework with Front-end Access Control) project set out to deliver a secure and privacy-friendly IoT architecture that facilitates the development of more resilient IoT service environments. Our approach focuses on adding security both at the IoT architecture level and at the level of the software applications that run on its various components.
The IoTAC project started its work with the assessment of various IoT architectures and the requirement elicitation of the pilot operators.
The project elaborated its Security Baseline. This document orients and defines the framework for all security-related aspects of the work.
Technical research and development in respect of the actual components of the IoTAC architecture followed two parallel tracks.
The design-time Secure Software Development (SSD) platform consists of three core modules: the Design and Requirements module, the Security Assurance module, and the Software Security Certification module. The first two modules provide mechanisms for monitoring and optimizing the security of IoT applications, and the third validates the overall security of the IoT software application.
The runtime modules include the Secure IoT Gateway, the Attack Detection module, the Honeypot, the Front-end Access Management system, and the Runtime Monitoring System. Combined, these components realize a multi-layer security concept. Implementation of the modules has been completed; after unit testing they were integrated into the IoTAC platform through a databus, and the results of their operation are presented on the IoTAC management dashboard. After security testing, the modules were integrated and used in the pilot operations.
Pilot-related work included the definition of the most important targets of the two phases of operation, the expected development cycles within and between the phases, the definition of KPIs, and the elaboration of the deployment plans. The actual pilots were conducted as one longer continuous activity with active collaboration between the technical teams and the pilot operators. As a result, all the modules and the integrated IoTAC platform met and exceeded all the established security KPIs and had no negative effect on the performance of the legacy operations.
The project also elaborated a security assessment program, which was first validated against the IoTAC security modules and pilot environments before being shared with the broader community.
IoTAC also contributed to standardisation by launching two action items with ETSI and submitting its security concept related to the ISO 30141 reference architecture.
An active dissemination and communication program complemented the work, covering both the scientific and research progress and the broader expected impact of the project. The dissemination tools and media include the project website, multiple social media platforms (LinkedIn, Facebook, Twitter and a YouTube channel), publication of academic papers, presentations at conferences, quarterly newsletters, 6 press releases and the project's own annual IoT Day Roundtable. The project has exceeded most related KPIs.
The IoTAC project produced a security architecture as well as multiple technologies and solutions that go beyond the state of the art.
The project extended the ISO/IEC 30141:2018 Internet of Things (IoT) - Reference Architecture (RA) with a particular focus on security. The recommended security extensions will be considered in the forthcoming revision of the standard.
IoTAC also started two action items with ETSI, which are due to be published within weeks.
IITIS and CERTH worked on the System-wide Vulnerability Assessment (SWVA) mechanism, which computes the likelihood that a software component is vulnerable at the system level of granularity.
IITIS developed attack detection methods for the traffic of individual IoT devices based on a Dense Random Neural Network with auto-associative and online learning. This method does not require the offline collection of any attack traffic data for the learning procedure.
IITIS also developed the Adversarial Random Neural Network. This machine learning method assesses an attack across the network by considering the communication between IoT devices.
TUB delivered advanced threat detection using a Honeypot Network, in which honeypots share their detections of minor incidents with the other honeypots in order to identify shared threats.
SafePay implemented a new Identity and Access Management concept. The underlying idea of the solution is to delegate the authorisation function to a secure element (chip card) held by the user. The solution is covered by an issued patent.
ATOS and SafePay implemented a card farm operation, which manages a large number of chip cards on a remote server through a special multi-reader device that handles the cards concurrently. The solution provides secure cloud-based storage for the access credentials. The system has a patent pending.
Intrasoft implemented a data collection and monitoring framework that is detached from the underlying infrastructure and can therefore be applied in various IoT environments.
KSP implemented a new type of secure internet gateway (KISG) whose secure core OS supports the operation of independent third-party applications.
All the work performed by the IoTAC project contributes to the improvement of IoT security and to a higher level of protection for many different services and operations. The advances will not only make future developments more secure, more reliable and less vulnerable; most results can also be applied to improve the cyber security of legacy architectures.
The IoTAC results will contribute to the improvement of IoT security. The simple and affordable modules will make consumer and SME operations more secure: where advanced cybersecurity expertise is not readily available, the configurable IoTAC gateway can still be deployed to provide a high level of protection for the environment.
Figures: deploy-architecture_en.jpg (deployment architecture), iso30141-extension_en.png (ISO 30141 extension), uj-iotac-kep_en.jpg