This article was originally published in Hungarian in Computerworld.
If a smart home is hacked and the residents wake up to blaring music at night, it is extremely annoying. However, hacking and attacking IoT systems can cause a lot more damage. It is worth considering where this can lead if, for example, unauthorized persons gain access to self-driving cars, or if the network of household power plants is attacked.
How secure are systems in which a large number of simple devices, such as sensors, are connected to a network? There are IoT systems where basic-level protection such as a username and password is sufficient, but there are also those where personal and other sensitive data must be protected at the highest level. An international consortium led by Atos Hungary intends to create an IoT architecture for the latter that enables the development and operation of flexible and resilient IoT service environments. In the IoTAC project, funded by the European Union, 13 industrial players, research centers, and universities from seven European countries collaborate. The project runs for 36 months, and completion is expected in August 2023.
Did the development start from scratch or were there already basic solutions that could be built on? – we asked project manager András Vilmos and László Vajta, professor of BME, Budapest University of Technology and Economics.
András Vilmos: When submitting the project proposal, we had the concepts and basic solutions. During the project, we develop the modules that implement these ideas.
László Vajta: It is a clear trend in IoT systems that the number of protected components is drastically increasing, and in some cases these are very simple, with low capacity, and are not suitable for receiving expensive, sophisticated protection. In such circumstances, it became necessary to have a new approach for the protection of IoT systems with a large number of endpoints.
Computerworld: How novel is the approach?
András Vilmos: It is a flexible system in which protection modules are connected to a central gateway. These modules are the front-end access management, as well as various runtime security functions: artificial intelligence-based attack detection models, honeypots, rollback points, and the real-time monitoring system. These technologies provide adequate protection at both hardware and software levels. Since the system can be flexibly configured, it can be used both in large industrial environments, as well as in small and medium-sized companies or even in household environments where the appropriate expertise and cyber-security background are missing for the protection. The basis of the system is the security-by-design paradigm. The recommended policies and procedures cover the entire lifecycle of secure software development, from design through development and testing, to evaluation and certification. It is very important that not only certain technological components are implemented during the project, but that they are also validated in pilot operations.
CW: In which IoT service environments will the results of the development work be validated?
László Vajta: With the cooperation of the consortium members, pilots will be running in industrial (prosumer system), residential (intelligent home), automotive (autonomous vehicle), and aerial (drone operation) IoT service environments. BME will set up a household-sized, independent energy management unit that produces and consumes energy from the combination of renewable energy and energy storage. In this so-called prosumer unit, we test the applicability of the technologies, as well as analyse security issues. It must be noted that the proliferation of household power plants entails serious security risks. If, for example, many household power plants are attacked simultaneously, the energy supply of even larger areas can be seriously threatened. The IoTAC project therefore also has the mission to draw attention to the special challenges of IoT systems, to reveal potential dangers, and to draw attention to the possibilities of reducing risks. Fortunately, more and more decision-makers recognize the problem and are looking for a solution.
András Vilmos: IoTAC also participates in other pilots: with Airbus in drone operation, with Tecnalia using autonomous vehicles, and with CERTH, in smart home management. Atos is creating a new solution for chip card-based access control that provides the highest level of protection. The point is that the physical chip cards are stored in the cloud, so that every cardholder can access them anywhere, anytime, without the need for a separate device.
CW: Are the tests conducted in real or simulated environments?
András Vilmos: There are real, simulated, and mixed pilots. The prosumer and smart home pilots, for example, take place in real environments, in Balatonfüred in Hungary and in Thessaloniki, Greece. We have created a half-real, half-emulated environment for self-driving cars. This means that real and computer-simulated cars drive on a real, closed test track in Spain. The drone pilot is completely simulated.
CW: There is roughly half a year left in the project. How far have you come?
András Vilmos: The development work is more or less completed. We are currently deploying and testing the pilots. The results of the tests are fed back to the developers, who fine-tune the systems based on the feedback and satisfy any new needs that may arise along the way. We are progressing fully according to the plans and schedule.
CW: Does BME involve students in the research and development work?
László Vajta: Yes, master's students and doctoral students. Their activities are always managed by tutors. Typically, we entrust them with smaller tasks. Since the tasks are of a rather high level and complicated, we were able to involve only a few students in the work.
CW: The IoTAC consortium recently participated as an exhibitor at the Cyber Security Congress in Barcelona, which was organized together with the IoT Solutions World Congress (IOTSWC). What experiences did you gain there?
András Vilmos: More and more people are becoming aware that something needs to be done, as the number of devices connected to networks is rapidly increasing, and consequently risks are increasing. IoT security is in focus, and demand for security solutions is on the rise. By the way, we did not only participate in the IOTSWC with the IoTAC project but together with 6 EU sister projects, also related to IoT technologies.
CW: Do you promote the importance of protecting IoT systems at other forums as well?
András Vilmos: This April, we are organizing the IoT Day Roundtable for the third year, where we choose a special topic each time. Last year it was about standardization, this year the EU Cyber Resilience Act is the main topic. The Act regulates how to implement consumer IoT devices with security being integrated by default. The event obviously will also introduce the IoTAC project. We invited representatives of the European Commission, and various industry organizations, with speakers from several European countries, as well as an expert from NIST (National Institute of Standards and Technology) from the United States. The virtual event can be followed online from anywhere in the world and the recording is available on the IoTAC website.
CW: After completion of the IoTAC project, how will the project results be used?
András Vilmos: During the project, we created the IoTAC Association, whose task is to coordinate the utilization of the results. The association does not carry out business activities but supports presence in industry organizations, communication with partners, and commercial activities of project members. The goal of the partners is to commercially exploit the project results. The business model was developed and the IoTAC framework is built in such a way that it can be marketed as one platform. We strived for flexibility; the individual modules can be activated separately, and most of them can also be used as standalone products. The IoTAC Association also has its tasks in standardization. In collaboration with ETSI, we are working on creating standards that describe how IoT environments should be protected, what requirements should be met, and how the tools to accomplish these should be developed. Disseminating this knowledge and these requirements also belongs to our tasks.
CW: Who and what kind of organizations are expected to be the customers, the main users?
László Vajta: Let’s take an example! Nowadays, every household or small power plant sends the data generated during its operation – partly for security reasons – to the cloud of the inverter manufacturer. Thereafter, all data access (which we perceive as communication with our own power plant) takes place with the knowledge and permission of the foreign manufacturer. One of the results of the IoTAC project is that it enables the separation of small power plants from the manufacturer’s cloud while ensuring the necessary data protection and data access. This is a good example of how a research and development project can bring usable, tangible results.
András Vilmos: We see great potential in smart homes. We will have to contact the manufacturers, service providers, and integrators that install smart homes. We need to ensure that our solution is treated as an option or a default option. In general, our direct partners are not the end users, but the system integrators who install the IoT system. The results created in the IoTAC project are therefore not directly B2C, but rather B2B2C solutions.