Periodic Reporting for period 2 - ARMOUR (Large-Scale Experiments of IoT Security Trust)
Reporting period: 2017-02-01 to 2018-01-31
The project’s grand objective is to provide duly tested, benchmarked methods and tools to support the Security & Trust certification of large-scale IoT solutions using upgraded FIRE large-scale IoT/Cloud testbeds properly-equipped for Security & Trust experimentations.
3 objectives were defined to make the realization of the abovementioned grand objective possible:
#1 Upgrade FIRE testbeds for supporting large-scale IoT Security & Trust experiments, which are world-class Internet-of-Things testbeds, provided by the European Commission FIRE initiative that make possible large-scale experimentally-driven research. To do so, The ARMOUR project using feedback from all seven experiments, contributed to evolve its FIRE testbeds: IoT Lab and FIESTA-IoT. More specifically, on one hand, the IoT Lab testbed proposed new communication services for interaction between the testing tool, the experiment and the testbed (IoT Lab). This evolution specifically addressed the needs for large-scale executions and as a service that facilitates the labelling and certification process, set as the main objective of the toolbox. On the other hand, an instance of FIESTA-IoT platform was deployed and modified to be able to semantically model the datasets generated by the ARMOUR experiments. During the 2-years project duration, it was developed a set of tools to support a data-driven integration of ARMOUR datasets and benchmarks into FIESTA-IoT platform, allowing to generate experiment reports using the data being stored in the FIESTA-IoT platform.
#2 Provide experimented solutions for Secure & Trusted large-scale IoT environments. It has been done delivering a set of duly experimented and properly validated methods and technologies to enable Security & Trust in large-scale Internet-of-Things conditions. This is the reason why, ARMOUR addressed six IoT experiment contexts, leading to seven experiments:
A. Bootstrapping and group sharing procedures (EXP1)
B. Sensor node code hashing (EXP2)
C. Secured OS:
• Secured bootstrapping/join for the IoT (EXP3)
• Secured OS/ Over the air updates (EXP4)
D. Trust aware and wireless sensors networks routing (EXP5)
E. Secure IoT Service Discovery (EXP6)
F. Secure IoT Platforms (EXP7)
All over the project duration, each experiment applied the testing and certification methodology. The consortium managed to apply the methodology and the tools for the identified IoT levels: devices and data, connectivity, applications, services and platforms. Summarising, these different security technologies were evaluated using the ARMOUR systematic approach and ARMOUR toolbox.
#3 Benchmarks, framework and novel certification scheme for Secure & trusted large-scale IoT, which support the development of Security and Trusted IoT applications and setting confidence in their deployment. At the end of the project, ARMOUR project provided a certification methodology and set of tools to support the IoT security certification. It is based on an instantiation of the approach proposed by ETSI (European Telecommunications Standards Institute), using a risk assessment and the ARMOUR testing methodology. The methodology is the result of the study of the different schemes and their comparison to market needs for suitable strategy for the IoT environment. It considered the characteristics of the IoT environments, notably its high dynamics and the large-scale aspect. A proof of concept has been applied to the 7 experiments defined in ARMOUR, thus assessing the experiments identified: security aspects, on one hand, and the large-scale aspects of the tooling, on the other hand."
The seven experiments cover different IoT segments. Towards reaching the Objective #2, each experiment identified a set of security requirements (for instance vulnerabilities of interest) and experiment requirements related to the FIRE infrastructures to deliver reproducible experiments by the community. The IoT toolbox provided facilities for integration and reproduction of the experiments within the testbeds, which allowed the deployment of the experiments.
With respect to the project’s Objective #3, a methodology has been delivered connecting the benchmarking and the labelling to the testing framework, providing thus an end-to-end formal methodology based on security test patterns and models. An initial definition of the benchmarking methodology and labelling scheme, based on the Common criteria.
Regarding the exploitation of the project results, the consortium has clearly refined the assets they intend to exploit and have been already engaged in several actions for exploitation activities. The partners were active on individual basis but also on collective exploitation such as on important parts of standardisation or support to policies. As “IoT trust and security” is a hot topic discussed within many different environments, and partners have promoted ARMOUR potential values within various important discussion groups such as on Cyber Security PPP, AIOTI, oneM2M just to mention few ones.
Based on this new ARMOUR security framework, the project proposes a new general ARMOUR security testing methodology, which in a unique way integrates three different Model-Based Testing (MBT) approaches to ensure security & trust of IoT systems and services: standard/compliance testing, pattern driven and behavioural fuzzing. This highly impacts the existing state of the market and state of the art in the world research community, as IoT testing solutions are limited to providing test management and execution tools, and very little concentrated on automated security test cases conception.
The ARMOUR MBT approach has made a proof on concept for its scalability in large IoT dimensions and has shown its benefices on the conception on functional and security test suites in TPLan and respectively TTCN-3 based on MBT models for the oneM2 standard. This paves the way towards the European innovation and competitiveness expected impact, which will directly and indirectly lead to an environmental and social impact.