A key strategy for improving Internet of Things (IoT) cybersecurity is for device manufacturers to build more robust security into the design of their devices, so they come to market without security gaps that hackers can easily exploit.
A new cybersecurity project in Scotland aims to create a breakthrough, making it easier to test if interconnected devices and networks are secure against hacking attacks – not just consumer goods, but the embedded devices used in smart infrastructure and smart cities. This in turn could be translated into identifiable security standards for IoT devices.
Security concerns around smart devices
The project involves cybersecurity experts at Edinburgh Napier University and Keysight Technologies in Edinburgh. It’s supported by CENSIS, the Innovation Centre for Sensor and Imaging Systems which brings together academia and industry to work on industry challenges and opportunities around sensor systems and IoT.
Lead academic on the project is Edinburgh Napier University’s Professor Bill Buchanan, an expert on cybersecurity, threat analysis and cryptography. He explains: “The biggest thing holding back the development of the Internet of Things is security – specifically, concerns about the vulnerabilities of devices, the ease of hacking them, and the consequences of such hacks.
“In healthcare, for example, IoT could transform the way we monitor people’s health and manage conditions like asthma. But security concerns are holding back wider adoption of smart devices. Only if we can improve confidence in IoT security can we realise the potential of smart technology.”
Using testing to improve hardware design
With this new 12-month project, Edinburgh Napier University and Keysight are using data analytics to identify vulnerabilities that could put IoT devices at risk. The project will focus on ‘side channels’ – the tell-tale electromagnetic, power and acoustic signals that hackers can eavesdrop on, and use to crack encryption codes on the device.
The project team, led from the Edinburgh Napier side by Dr Owen Lo, will use the data they gather to put together a test framework that manufacturers and designers could use to evaluate the vulnerabilities of different devices. The development of automated vulnerability testing using Keysight’s PathWave platform will make it more feasible for manufacturers to rigorously test connected devices at every point in the design workflow from concept through production prototypes.
These tests could in turn be used to develop a formal industry framework for testing IoT devices for a range of risks and vulnerabilities, and even to develop minimum standards for different types of IoT devices and hardware.
It means that rather than vulnerabilities being exposed once devices are already on the market or in use, manufacturers would identify and deal with security issues at, for example, prototype stage.
Dr Stephen Milne of CENSIS says “Strong cybersecurity is a prerequisite for the successful integration of sensor and imaging systems and IoT technology. So CENSIS is supporting IoT security by design – whereby engineers and manufacturers build gold-standard IoT security into devices from the outset.
“By developing a reference model for IoT cybersecurity testing, this project could help to strengthen the security armoury of every connected device, whether it’s a consumer or business device, or part of the national infrastructure. It could also help to put Scotland at the forefront of IoT cybersecurity testing.”
Project background and detail
The collaboration between CENSIS, Keysight Technologies and Edinburgh Napier University builds on an earlier project supported by The DataLab (like CENSIS, one of Scotland’s eight Innovation Centres). That project developed algorithms to identify leakage of cryptographic keys; these were demonstrated successfully at international conferences.
This follow-on project develops that work further, putting together an IoT security ontology that defines the attack surface and tests that can be performed on it; defines measurements from the tests that should be recorded and how to interpret them; and packages those tests and analytics into an open test framework.
The testing package might encompass devices’ network connections, security of information stored on them, and their robustness in the face or cryptography cracking and denial of service attacks. For example, password and username security testing could run to different levels – from testing a device against 1 million commonly used passwords, to higher levels of tests involving every password ever used or every possible password iteration.
According to Doug Carson, Solutions Consultant at Keysight Technologies: “It’s in all of our interests that the Internet of Things is secure – it’s not just about someone hacking your smart TV, but about protecting our critical national infrastructure – transport networks, communications networks and manufacturing supply chains.
“Every device connected to these networks is a potential way in for hackers, so it’s essential we help every supplier to test their devices against rigorous standards before they are ever put into the field. Through this work with CENSIS and Edinburgh Napier University, we can put in place the foundations to do that.”