When it comes to the security of the IoT, it makes sense to look for allies and, just as Bletchley Park did during WW2 to crack the Enigma code, where better to go than academia, writes IoT Now’s editor, Alun Lewis. Cooperation between industry and academia might not always go smoothly, but when it does, the results can change society, and many of the high-tech tools we take for granted today started life in a university laboratory. What’s more, academic research can prove invaluable to business, providing what one industry-academia liaison manager once described to me as “a rear-view mirror into the future”.
While improving links between academia and industry is something that we at IoT Now are keen to cover in the future, we thought that we’d take this opportunity to do a quick and very superficial snapshot of some security-related IoT research currently underway in the UK.
For Kenny Paterson, Professor of Information Security, Royal Holloway, University of London and on the board of the IoT Security Foundation (IoT SF), “The IoT has great promise, but also great potential for tragedy if it isn’t appropriately secured. The IoT SF is taking a leading role in promoting awareness of the security issues that IoT throws up, bringing together the leading players, and setting the agenda for how the industry should approach security for IoT – and academia has a key role to play in this endeavour.”
Paterson adds, “Academia’s viewpoint is by nature longer-term than that of manufacturers and service providers. While universities today do face market pressures, they are not of the same magnitude as those felt by companies in the IoT rush to market. Academia is also, in principle, vendor-neutral. This means that academics can – and do – act as critical voices, will take apart IoT systems, and, subject to a process of responsible disclosure, publish their results. Additionally academia is a reservoir of experience and deep knowledge that can be applied to help tackle the fearsome security problems that IoT systems will bring.”
He concludes, “Academia – and UK academia especially – is well placed to respond. The UK’s main research funding body, RCUK, in combination with several other partners, is putting around £40 million into the area over the next three years. The intention is to bring about a step-change in the broad research areas of cyber security, designing in trust, privacy, security and resilience associated with the IoT. A £9.8 million “Research Hub” in the area of privacy and trust for the IoT is one of the major initiatives in this programme. The IoT SF will seek to partner with the winning consortium of universities, as part of fulfilling its mission of making the IoT secure, aiding its adoption and maximising its benefits.”
Philip Mills, business development manager at the Centre for Secure Information Technologies (CSIT) at Queen’s University, Belfast, comments, “The connection of a vast range of devices and people introduces some serious security questions. How can I be sure of the identity of the person or device I am communicating with? How can I be sure that the communication channel is secure? How can I be assured that the data I share will only be accessed by those who have the right to access it? CSIT is at the forefront of technology research to find answers to those questions, employing more than 50 researchers – academics, research assistants and PhD candidates – across three complementary research strands. These three research programmes are also supported by an engineering and commercial team of over 20 people who provide market engagement with companies like Thales, BAE Systems and Roke Manor Research to ensure the research addresses real-world problems, and that the results have impact in the marketplace.”
Mills explains, “Firstly, the Device Authentication programme looks at technologies for the secure authentication of hardware components, including PicoPUF, a tiny semiconductor IP core that can provide a secure, unique digital fingerprint for even the cheapest microchips. This group also leads SAFECRYPTO, a project funded under the EU Horizon 2020 programme, which investigates technologies which will guarantee the long-term security of ICT systems through advanced encryption techniques. The Secure Ubiquitous Networking programme looks at the security issues presented by large, complex and diverse communications networks, including the challenge of real-time threat detection, countermeasures and rapid recovery. The Security Analytics and Informatics group examines the application of machine learning, real-time graph analysis and artificial intelligence techniques to the huge data sets that exist within the IoT and uncovers technologies for creating actionable intelligence from such data. These three programmes come together in pursuit of a vision of making the Internet – and the IoT – a safe, secure and dependable place for everyone.”
Dr Kevin Curran is a Reader in Computer Science at the University of Ulster, group leader for the Ambient Intelligence Research Group and IEEE Technical Expert for Internet/Security matters since 2008. He advises, “Academics can continue to work on consultancy, joint funded projects and sit on task boards. Of course the research papers help enormously. Many of the flaws in modern devices and systems are found by academics who, for the most part, publish responsibly by first allowing the people who own the device/system or algorithm to fix it before they release the details of the flaw to the world.
“Recently a Russian website provided links to 73K+ devices,” he adds. “We are all aware of the excellent Shodan HQ search engine which focuses on compromised IoT devices. We’ll start to see more threats with the arrival of smart locks, driverless cars, car GPS, car dashboards, car diagnostics etc. In the medical arena, we could see compromised IoT medical devices such as insulin pumps, heart rate monitors, ventilators and blood chemistry analysis machines. There is a CSI episode where someone gets killed through hacking a heart pacemaker. I wonder has this ever happened – and how would we know?”
Curran also flags the commercial pressures that vendors and developers are under: “Of course, the main problem is the worry about getting product to market. Manufacturers are taking products designed for private networks and placing them online for a quick sale. Often these devices have no way to be upgraded. That is the cardinal sin of security! Updates are the only weapon we have. Those in the industry know that many IoT devices have neglected the end-to-end security aspect. The main reason is that many of the embedded devices do not simply have enough computing power to implement all the relevant security layers and functionality necessary. There is then the actual heterogeneity of devices and the lack of industry or de facto standards for connecting the IoT.”
For Professor Carsten Maple, director for Cyber Security research at the WMG Cyber Security Centre, University of Warwick, UK, it’s the sheer size and complexity of the IoT world that also poses problems: “Such complex interconnected and interdependent business systems create challenges for assuring security and resilience. When I co-authored the SOCA (Serious Organised Crime Agency)-supported UK Security Breach Investigations Report in 2010, I found that 18% of all breaches occurred through a business partner. Subsequent reports have found much higher percentages. In systems where many different components and infrastructure are connected, the attack surface becomes difficult to manage.”
Professor Maple adds, “A further challenge for the successful adoption of IoT requires recognition that there are a great number of competing objectives to balance. Businesses wish to be quick to market, but ensuring product and system security takes time. When is a product or service secure enough? The data accumulated in an IoT environment can be useful for maintaining a persistent identity, thereby enhancing service, but this comes at a cost to consumer privacy. We will have very powerful systems that can benefit consumers greatly but, as the complexity grows, can we really ensure that there is informed consent for usage of data generated by a consumer?”
And of the role that universities can play, Maple says: “Academia is working hard with industry to find solutions to these pressing issues. It is expected that there will be a new research hub announced in the next 12 months that will unite government, industry and academia in this effort. Academics are keen to lead the charge in developing multi-disciplinary, multi-stakeholder and multi-lateral approaches to understanding and tackling the problem. The WMG Cyber Security Centre at the University of Warwick is just one example of a group working with leading industrial and academic partners in areas such as defence, transport, construction and smart cities to make a significant impact in ensuring the security and resilience of IoT systems.”