Behovet for sikkerhed i IoT-systemer er enormt, men det er svært at opnå på grund af systemernes karakteristika.
Sammen med en række virksomheder har dette projekt til formål at identificere sikkerheds- og sikkerhedskrav til IoT-systemer og udvikle algoritmer til kvantitativ risikovurdering og beslutningstagning, samt skabe værktøjer til at designe og certificere IoT-sikkerhedstræningsprogram, der vil sætte danske virksomheder i stand til at opnå sikkerhedcertificering af deres IoT-enheder, hvilket kan give dem et forspring på et marked, der sandsynligvis vil kræve en sådan certificering i den nærmeste fremtid..
Projektperiode: 2022-2025
Budget: 25,10 millioner kr.
When developing novel IoT services or products today, it is essential to consider the potential security implications of the system and to take those into account before deployment. Due to the criticality and widespread deployment of many IoT systems, the need for security in these systems has even been recognised at the government and legislative level, e.g., in the US and the UK, resulting in proposed legislation to enforce at least a minimum of security consideration in deployed IoT products.
However, developing secure IoT systems is notoriously difficult, not least due to the characteristics of many such systems: they often operate in unknown and frequently in privacy‐sensitive environments, engage in communication using a wide variety of protocols and technologies, and must perform essential tasks such as monitoring and controlling (physical) entities. In addition, IoT systems must often perform within real‐ time bounds on limited computing platforms and at times even with a limited energy budget. Moreover, with the increasing number of safety‐critical IoT devices (such as medical devices and industrial IoT devices), IoT security has become a public safety issue. To develop a secure IoT system, one should take into account all of the factors and characteristics mentioned above, and balance them against functionality and performance requirements. Such a risk analysis must be performed not only at the design stage, but also throughout the lifetime of the product. Besides technical aspects, the analysis should also take into account the human and organizational aspects. This type of analysis will form an essential activity for standardization and certification purposes.
In this project, we will develop a modelling formalism with automated tool support, for performing such risk assessments and allowing for extensive “what‐if” scenario analysis. The starting point will be the well‐ known and widely used formalism of attack‐defense trees extended to include various quantities, e.g., cost or energy consumption, as well as game features, for modelling collaboration and competition between systems and between a system and its environment.
In summary, the project will deliever:
The main research problems are:
Throughout the project, we focus on the challenges and needs of the partner companies. The concrete results and outcomes of the project will also be evaluated in the contexts of these companies. The project will combine the expertise of five partners of DIREC (AAU, AU, Alexandra, CBS and DTU) and four Work Streams from DIREC (WS7: Verification, WS6: CPS and IoT systems, WS8: Cybersecurity and WS5: HCI, CSCW and InfoVis) in a synergistic and collaborative way.
Business value
While it is difficult to make a precise estimate of the number of IoT devices, most estimates are in the range 7‐15 billion connected devices and expected to increase dramatically over the next 5‐10 years. The impact of a successful attack on IoT systems can range from nuisance, e.g., when baby monitors or thermostats are hacked, over potentially expensive DDoS attacks, e.g., when the Mirai malware turned many IoT devices into a DDoS botnet, to life‐threatening, e.g., when pacemakers are not secure. Gartner predicted that the worldwide spending on IoT security will increase from roughly USD 900M to USD 3.1B in 2021 out of a total IoT market up to USD 745B.
The SIOT project will concretely contribute to the agility of the Danish IoT industry. By applying the risk analysis and secure design technologies developed in the project, these companies get a fast path to certification of secure IoT devices. Hence, this project will give Danish companies a head‐start for the near future where the US and UK markets will demand security certification for IoT devices. Also, EU is already working on security regulation for IoT devices. Furthermore, it is well known that the earlier in the development process a security vulnerability or programming error is found, the cheaper it is to fix it. This is even more important for IoT products that may not be updatable “over‐the‐air” and thus require a product recall or physical update process. The methods and technologies developed in this project will help companies find and fix security vulnerabilities already from the design phase and exploration phase, thus reducing long‐term cost of maintenance.
Societal value
It is an academic duty to contribute to safer and more secure IoT systems, since they are permeating the society. Security issues quickly become safety incidents, for instance since IoT systems are monitoring against dangerous physical conditions. In addition, compromised IoT devices can be detrimental for our privacy, since they are measuring all aspects of human life. DTU and Alexandra Institute will disseminate the knowledge and expertise through the network built in the joint CIDI project (Cybersecure IoT in Danish Industry, ending in 2021), in particular a network of Danish IoT companies interested in security, with a clear understanding of companies’ needs for security concerns.
We will strengthen the cybersecurity level of Danish companies in relation to Industry 4.0 and Internet of Things (IoT) security, which are key technological pillars of digital transformation. We will do this by means of research and lectures on several aspects of IoT security, with emphasis on security‐by‐design, risk analysis, and remote attestation techniques as a counter measure.
Capacity building
The education of PhD students itself already contributes to “capacity building”. We will organize a PhD Summer school towards the end of the project, to disseminate the results, across the PhD students from DIREC and students abroad.
We will also prepare learning materials to be integrated in existing course offerings (e.g., existing university courses, and the PhD and Master training networks of DIREC) to ensure that the findings of the project are injected into the current capacity building processes.
Through this education, we will also attract more students for the Danish labor market. The lack of skilled people is even larger in the security area than in other parts of computer science and engineering.
Projektet vil give danske virksomheder et forspring i den nærmeste fremtid, når både EU, USA og det britiske marked vil kræve sikkerhedscertificering af IoT-enheder.
Ved at anvende risikoanalyse og sikre designteknologier udviklet i projektet får danske virksomheder en hurtig vej til certificering af sikre IoT-enheder.
Copenhagen Business School
Department of Digitalization
Copenhagen Business School
Department of Digitalization
Aalborg University
Department of Computer Science
Aalborg University
Department of Computer Science
Technical University of Denmark
DTU Compute
Technical University of Denmark
DTU Compute
Technical University of Denmark
DTU Compute
Aalborg University
Aarhus University
Department of Computer Science
Technical University of Denmark
DTU Compute
The Alexandra Institute
The Alexandra Institute
The Alexandra Institute
Copenhagen Business School
Department of Digitalization
Micro Technic
SecuriOT
Beumer Group
Beumer Group
Grundfos
Develco Products
Seluxit
Terma
Aalborg University