Key aspects of the IoTAC project

August 30, 2023 | Insights

The H2020 IoTAC (Security by Design IoT Development and Certificate Framework with Front-end Access Control) project was launched on the 1st of September 2020 with the objective of designing, implementing, and validating a complex security architecture for the protection of IoT service environments. The relevance of this objective has not diminished at all over the past years, as cybercrime is constantly increasing, inflicting heavy financial and societal damage on businesses and citizens alike.

The project started with the elaboration of the security baseline, listing and prioritizing all potential threats that the planned security architecture needs to fend off and the related protection measures it needs to implement.

The architecture design work resulted in a service platform comprising a secure IoT router and several loosely coupled configurable components – access management system, attack detector, honeypot, runtime monitoring system, and a common data repository with a dashboard – which provide comprehensive protection against a wide range of the most common attacks. The design principle was to establish a system that is flexible, simple to deploy and operate, and able to provide high-level protection without needing highly skilled security professionals, who are in short supply, for its management. The target audience for the platform is SMEs and private operators who have started to realize the need for high-level security but lack the necessary expertise for the operation of complex systems.

The IoTAC platform

Implementation of the modules took over a year and was assisted by a sophisticated DevSecOps environment as well as a security-by-design monitoring tool. The purpose of this environment is to ensure high-level code quality, the early detection of potential vulnerabilities, and a seamless continuous development and deployment process.

The completed platform has been validated in four different IoT domains to demonstrate its versatility and adaptability to the various service requirements. The Prosumer cell operation, the Connected car, and Drone operation pilots represented industrial IoT requirements, and the Smart home operation is a consumer environment. At each of these pilots, a different configuration of the platform was deployed and integrated. Each pilot operator defined performance and security targets (KPIs) that the IoTAC system needed to meet or exceed. The objective was to increase the security level of the protected environments without interfering with their operation or degrading the quality of service. After a tedious iterative process, by the end of the project, it can be claimed that the deployed architecture at every pilot location not only met but exceeded the initial expectations.

This was the result we aimed for, but it was not something that could be guaranteed, as much of the technology used was truly novel and the integration of the security functions may have carried unanticipated challenges.

Besides improving the security posture of the pilot operations, the technology developers also greatly benefitted from this exercise. These partners not only developed new tools but also gained first-hand experience from the deployment, integration, and operation of the platform and their individual modules. They could remove previously undetected errors and make improvements both to the operating capabilities of the modules and to the service setup and provisioning procedures.

The IoTAC project has also actively supported standardisation, by working with ISO and ETSI.
The project used the ISO/IEC 30141 architecture reference model as the underlying guide for the IoTAC architecture and eventually prepared a security extension for the document. The recommendations relate to WG3 IoT Foundational Standards and have been submitted to the working group. If accepted, they would result in a contribution to the newly planned ISO/IEC 30149 document instead of the ISO/IEC 30141 Ed. 2. The publication of the second edition of ISO/IEC 30141 and ISO/IEC 30149 is expected in 2024 at the earliest.
The IoTAC project has actively participated in the work of the ETSI Technical Committee to contribute to the development of ETSI deliverables. Specifically, the project has been involved in the Working Group TST. As part of the project’s engagement, two work items have been initiated. The first document is a Technical Specification (TS) titled “IoT security module testing”. The second document is a Technical Report (TR) titled “IoT security architecture conformity”. Publication of both documents, TS 103 942 and TR 103 946, is expected in a few weeks, and they will be publicly available.

IoTAC has actively communicated and disseminated project results via various channels. Project partners published 10 scientific journal papers and one book, presented 20+ papers at academic conferences, and made presentations at several industry events. We published 55 insight posts on the IoTAC homepage. The project exhibited together with sister projects from the same call at the 2023 Barcelona Cybersecurity Congress, where the results of our work were presented to a broader industry audience.

Barcelona Cybersecurity Congress

The project organized the EuroCyberSec 2021 Workshop, publishing the proceedings in a book published by Springer. The organisation of the annual online IoT Day workshops in April has been the most relevant communication achievement of the IoTAC project. Starting in 2021 with presentations from 3 H2020 IoT projects, by 2023 it had grown into a large international event with over 140 participants, including multiple standards developing organisations, multinational companies, and the US NIST, and focusing on the impact of the new European Cyber Resilience Act.

The project has been completed, but the work does not stop here. The IoTAC partners have established the IoTAC Association with the purpose of supporting and coordinating the forthcoming exploitation activities of the project results. It is expected that in a couple of years, the IoTAC platform will become a sought-after niche technology.
