The role of academia in IoT security – a rear view mirror into the future?

Kenny Paterson, Professor of Information Security,
Royal Holloway, University of London

When it comes to the security of the IoT, it makes sense to look for allies and, just as Bletchley Park did during WW2 to crack the Enigma code, where better to go than academia, writes IoT Now’s editor, Alun Lewis. Cooperation between industry and academia might not always go smoothly, but when it does, the results can change society and many of the high-tech tools we take for granted today started life in a university laboratory. What’s more, academic research can prove invaluable to business, providing what one industry-academia liaison manager once described to me as “a rear-view mirror into the future”.

While improving links between academia and industry is something that we at IoT Now are keen to cover in the future, we thought that we’d take this opportunity to do a quick and very superficial snapshot of some security-related IoT research currently underway in the UK.

For Kenny Paterson, Professor of Information Security, Royal Holloway, University of London and on the board of the IoT Security Foundation (IoT SF), “The IoT has great promise, but also great potential for tragedy if it isn’t appropriately secured. The IoTSF is taking a leading role in promoting awareness of the security issues that IoT throws up, bringing together the leading players, and setting the agenda for how the industry should approach security for IoT – and academia has a key role to play in this endeavour.

Paterson adds, “Academia’s viewpoint is by nature longer-term than that of manufacturers and service providers. While universities today do face market pressures, they are not of the same magnitude as those felt by companies in the IoT rush to market. Academia is also, in principle, vendor-neutral. This means that academics can – and do – act as critical voices, will take apart IoT systems, and, subject to a process of responsible disclosure, publish their results. Additionally academia is a reservoir of experience and deep knowledge that can be applied to help tackle the fearsome security problems that IoT systems will bring.”

He concludes, “Academia – and UK academia especially – is well placed to respond. The UK’s main research funding body, RCUK, in combination with several other partners, is putting around £40 million into the area over the next three years. The intention is to bring about a step-change in the broad research areas of cyber security, designing in trust, privacy, security and resilience associated with the IoT. A £9.8 million “Research Hub” in the area of privacy and trust for the IoT is one of the major initiatives in this programme. The IoT SF will seek to partner with the winning consortium of universities, as part of fulfilling its mission of making the IoT secure, aiding its adoption and maximising its benefits.”

Philip Mills, business development manager, Centre for Secure Information Technologies (CSIT), Queen’s University, Belfast
Philip Mills, business development manager, Centre for Secure Information Technologies (CSIT), Queen’s University, Belfast

Philip Mills, business development manager at the Centre for Secure Information Technologies (CSIT) at Queen’s University, Belfast, comments, “The connection of a vast range of devices and people introduces some serious security questions. How can I be sure of the identity of the person or device I am communicating with? How can I be sure that the communication channel is secure? How can I be assured that the data I share will only be accessed by those who have the right to access it? CSIT is at the forefront of technology research to find answers to those questions, employing more than 50 researchers – academics, research assistants and PhD candidates – across three complementary research strands. These three research programmes are also supported by an engineering and commercial team of over 20 people who provide market engagement with companies like Thales, BAE Systems and Roke Manor Research to ensure the research addresses real-world problems, and that the results have impact in the marketplace.

Mills explains, “Firstly, The Device Authentication programme looks at technologies for the secure authentication of hardware components, including PicoPUF, a tiny semiconductor IP core that can provide a secure, unique digital fingerprint for even the cheapest microchips. This group also leads SAFECRYPTO, a project funded under the EU Horizon 2020 programme, which investigates technologies which will guarantee the long term security of ICT systems through advanced encryption techniques. The Secure Ubiquitous Networking programme looks at the security issues presented by large, complex and diverse communications networks, including the challenge of real-time threat detection, countermeasures and rapid recovery. The Security Analytics and Informatics group examines the application of machine learning, real-time graph analysis and artificial intelligence techniques to the huge data sets that exist within the IoT and uncovers technologies for creating actionable intelligence from such data. These three programmes come together in pursuit of a vision of making the Internet – and the IoT – a safe, secure and dependable place for everyone.”

Dr Kevin Curran, Reader, Computer Science, University of Ulster
Dr Kevin Curran, Reader, Computer Science, University of Ulster

Dr Kevin Curran is a Reader in Computer Science at the University of Ulster, group leader for the Ambient Intelligence Research Group and IEEE Technical Expert for Internet/Security matters since 2008. He advises, “Academics can continue to work on consultancy, joint funded projects and sit on task boards. Of course the research papers help enormously. Many of the flaws in modern devices and systems are found by academics who, for the most part, publish responsibly by first allowing the people who own the device/system or algorithm to fix it before they release the details of the flaw to the world.

“Recently a Russian website provided links to 73K+ devices,” he adds. “We are all aware of the excellent Shodan HQ search engine which focuses on compromised IoT devices. We’ll start to see more threats with the arrival of smart locks, driverless cars, car GPS, car dashboards, car diagnostics etc. In the medical arena, we could see compromised IoT medical devices such as insulin pumps, heart rate monitors, ventilators and blood chemistry analysis machines. There is a CSI episode where someone gets killed through hacking a heart pacemaker. I wonder has this ever happened – and how would we know?”

Curran also flags the commercial pressures that vendors and developers are under: “Of course, the main problem is the worry about getting product to market. Manufacturers are taking products designed for private networks and placing them online for a quick sale. Often these devices have no way to be upgraded. That is the cardinal sin of security! Updates are the only weapon we have. Those in the industry know that many IoT devices have neglected the end-to-end security aspect. The main reason is that many of the embedded devices do not simply have enough computing power to implement all the relevant security layers and functionality necessary. There is then the actual heterogeneity of devices and the lack of industry or de facto standards for connecting the IoT.”

Professor Carsten Maple, director, Cyber Security research, WMG Cyber Security Centre, University of Warwick
Professor Carsten Maple, director, Cyber Security research, WMG Cyber Security Centre, University of Warwick

For Professor Carsten Maple, director for Cyber Security research at the WMG Cyber Security Centre, University of Warwick, UK, it’s the sheer size and complexity of the IoT world that also poses problems: “Such complex interconnected and interdependent business systems create challenges for assuring security and resilience. When I co-authored the SOCA (Serious Organised Crime Agency) -supported UK Security Breach Investigations Report in 2010, I found that 18% of all breaches occurred through a business partner.  Subsequent reports have found much higher percentages. In systems where many different components and infrastructure are connected, the attack surface becomes difficult to manage.”

Professor Maple adds, “A further challenge for the successful adoption of IoT requires recognition that there are a great number of competing objectives to balance.  Business wish to be quick to market, but ensuring product and system security takes time.  When is a product or service secure enough? The data accumulated in an IoT environment can be useful for maintaining a persistent identity, thereby enhancing service, but this comes at a cost to consumer privacy.  We will have very powerful systems that can benefit consumers greatly but, as the complexity grows, can we really ensure that there is informed consent for usage of data generated by a consumer?”

And of the role that universities can play, Maple says: “Academia is working hard with industry to find solutions to these pressing issues.  It is expected that there will be a new research hub announced in the next 12 months that will unite government, industry and academia in this effort.  Academics are keen to lead the charge in developing multi-disciplinary, multi-stakeholder and multi-lateral approaches to understanding and tackling the problem. The WMG Cyber Security Centre at the University of Warwick is just one example of a group working with leading industrial and academic partners in areas such as defence, transport, construction and smart cities to make a significant impact in ensuring the security and resilience of IoT systems.”

RECENT ARTICLES

Army’s new next generation squad weapon programme to launch ARC’s weapons intelligence platform

Posted on: August 12, 2022

Washington – Armaments Research Company, Inc, a technology and data company serving national security and public safety customers, announced their Internet-of-Things (IoT) full-stack technology will be introduced in the Next Generation Squad Weapon (NGSW) programme of record, in partnership with Sig Sauer. For the first time in 65 years, the U.S. Army’s initiative will replace

Read more

Connected logistics market to hit $47.6bn valuation by 2029 backed by MaaS for fleet management

Posted on: August 12, 2022

The global connected logistics market stands at a valuation of US$22.2 billion (€21.61 billion) in 2022 and is projected to reach $47.6 billion (€46.34 billion) by the end of 2029. Demand for connected logistics is estimated to increase at a compound annual growth rate (CAGR) of 11.5% over the forecast period (2022-2029).

Read more
FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox