A new project will make it easier to design and certify IoT systems

IoT devices are blending into the infrastructure of both society and our personal lives. Many of these devices run in uncontrolled, potentially hostile environments, which makes them vulnerable to security attacks. Moreover, with the increasing number of safety-critical IoT devices, such as medical and industrial IoT devices, IoT security is a public safety issue. The need for security in these systems has even been recognized at the governmental and legislative level, e.g. in the EU, US and UK, resulting in proposed legislation to enforce at least a minimum of security consideration in deployed IoT products.

Photo by Søren Kjeldgaard

Professor Jaco van de Pol will lead the DIREC project Secure IoT systems (SIoT), which aims to model security threats and countermeasures for IoT systems and services, to develop secure solutions, and to analyze residual security risks.

“Our goal with the SIoT project is to make it easier to design and certify secure IoT devices. Security and privacy are very important to many people and organizations that use IoT devices for measurements in smart cities, natural environments, logistics chains, and in their private homes. Engineering IoT devices is challenging, since they are physically small and must run on low power. Yet, they must perform accurate measurements and communicate with high efficiency. So how can one achieve security on top of that? We will provide new tools to model security threats, implement countermeasures, and analyze the final security risks.”

Jaco van de Pol continues: “I am happy to be able to work with a team that includes both academic researchers and industrial experts. This will ensure that the project addresses the right questions, and that we can find new solutions by combining the expertise from several disciplines. And we can evaluate the solutions in an industrial setting.”

The strategy is to use algorithms from automata theory and game theory to automate risk analysis and security strategy synthesis. The implementation of the security policies will consider both technical and social aspects, in particular usability in organizations and training of people.

TERMA A/S, which is part of the project, is motivated by the need to understand the landscape of IoT systems in order to make them more cyber-resilient. Samant Khajuria, Chief Specialist Cybersecurity at TERMA A/S, explains:

“When we integrate IoT systems in our line of business, our main purpose is to provide safety for critical systems. Our systems go both to the defense and civilian sector such as wind farms, airports or harbors. We know that IoT devices sooner or later become obvious pieces of the puzzle in providing good systems in the future. And before integrating in systems like this we need to understand the threats and risks. Secondly, we would like to collaborate with universities in Denmark, because the researchers are working with this every day. We are merely the users of the technology.”

Jørgen Hartig is Managing Director and Partner in SecuriOT, which is also part of the project. He hopes the project will help create the needed awareness on both sides of the “table” about the environment of Industry 4.0. They often hear customers saying: “Why would the hackers go for us? We do not produce anything interesting…” or “the production has been for 25 years, and we haven’t had an issue” or “there are no connections between IT systems and OT systems.”

“The last statement will be challenged dramatically in the next 5-10 years. IoT and OT vendors will come out with new technology solutions that will utilize cloud-enabled applications and 5G connections to the factory floor, so there will be no “air-gap” in the future. I am not saying it is wrong, I am just saying that the consumers and IoT vendors need to work with the cyber threats and risks in a structured way.”

According to Gert Læssøe Mikkelsen, Head of Security Lab at the Alexandra Institute, there is a need for improved cyber security in IoT, which is also the reason why they participate in the project:

“We see a need for academic research in close collaboration with industry to deal with this. We hope that the tools and methodologies developed in this project will be deployed and improve the cybersecurity of IoT so we are all ready for the future, where we both expect an increase in the threats from cybercriminals and, as a consequence, an increase in requirements and regulation in this area that the industry must be ready to handle.”

About DIREC – Digital Research Centre Denmark

The purpose of the national research centre DIREC is to bring Denmark to the forefront of the latest digital technologies through world-class digital research. To meet the great demand for highly educated IT specialists, DIREC also works to expand the capacity within both research and education of computer scientists. The centre has a total budget of DKK 275 million and is supported by the Innovation Fund Denmark with DKK 100 million. The partnership consists of a unique collaboration across the computer science departments at Denmark’s eight universities and the Alexandra Institute.

The activities in DIREC are based on societal needs, where research is continuously translated into value-creating solutions in collaboration with the business community and the public sector. The projects operate across industries with focus on artificial intelligence, Internet of Things, algorithms and cybersecurity among others.

Read more at direc.dk

SIoT

In SIoT, the following parties will participate as collaborators:

  • Aarhus University
  • Aalborg University
  • DTU
  • Copenhagen Business School
  • Alexandra Institute
  • Terma
  • Grundfos
  • Develco Products
  • Beumer Group
  • Micro Technic
  • SecuriOT
  • Seluxit

Contact
Jaco van de Pol
Department of Computer Science
Aarhus University
jaco@cs.au.dk