If a smart home is hacked and residents wake up at night to blaring music, it’s extremely annoying. However, hacking and attacking IoT systems can cause much more damage. It is worth thinking about where it could lead, for example, if unauthorized people gain access to the control of self-driving cars, or if the network of household power plants is attacked.
How secure are systems in which a large number of simple devices, such as sensors, are connected to a network? There are IoT systems where basic-level protection such as username/password protection is sufficient, but there are also those where personal and other sensitive data must be protected at the highest level. An international consortium led by Hungary wants to create an IoT architecture for the latter that enables the development and operation of flexible and resilient IoT service environments. In the IOTAC project, funded by the European Union, 13 industrial players, research centers and universities from seven European countries work together. The domestic participants of the consortium are Atos Magyarország Kft. (coordinator), Budapest University of Technology and Economics (BME) and SafePay Systems Kft. The duration of the project is 36 months, and completion is expected in August 2023. Did the development start from scratch, or were there already basic solutions that could be built on? We put the question to András Vilmos, project manager, and László Vajta, honorary university professor at BME.
András Vilmos: Before we submitted the application, we mainly had concepts and basic solutions. We undertook to develop the modules that implement our ideas during the project.
László Vajta: It is a clear trend that the number of protected, in some cases very simple, elements whose capacity is not suitable for receiving expensive, sophisticated protection will increase drastically in IoT systems. In such circumstances, it became necessary to approach the protection of IoT systems with a large number of endpoints in a new way.
Computerworld: How new is the approach?
András Vilmos: It is a flexible system in which protection modules are connected to a central gateway, namely front-end authorization control, as well as various runtime security functions: artificial intelligence-based detection models, honeypots, rollback points, and a real-time monitoring system. These technologies provide adequate protection at both hardware and software levels. Since the system can be flexibly configured, it can be used not only in large industrial environments, but also in small and medium-sized companies or even household environments where the appropriate expertise and security support for the creation of protection are lacking. The basis of the system is the paradigm of planned security. The recommended policies and procedures cover the entire lifecycle of secure software development, from design, development and testing, to evaluation and certification. It is very important that not only certain technological elements are developed during the project, but that they are also implemented through practice-oriented pilot projects with a sense of life.
CW: In which IoT service environment are the results of the developments tested?
László Vajta: With the cooperation of the consortium members, we have pilot projects in industrial (prosumer system), residential (intelligent home), automotive (autonomous vehicle) and aerial (drone operation) IoT service environments. With the participation of the BME, we will form a household-sized, independent energy management unit that produces and consumes energy from the combination of renewable energy and energy storage. On this so-called prosumer unit, we test the applicability of the technologies, as well as investigate safety issues. It is noteworthy that the proliferation of household power plants entails serious security risks. If, for example, many household power plants are attacked simultaneously, the energy supply of even larger areas can be seriously threatened. The IOTAC project therefore also has a kind of mission: to draw attention to the special challenges of IoT systems, to reveal potential dangers, and to draw attention to the possibilities of reducing risks. Fortunately, more and more decision-makers recognize the problem and are looking for a solution.
András Vilmos: BME also participates in other pilot projects: our partner is a French company for drone operation, a Spanish company for autonomous vehicles, and a Greek company for smart homes. Atos is creating an interesting, brand new solution for the chip card access control system that provides the highest level of protection for everyone. The point is that the physical chip cards are stored in the cloud, so that every cardholder can access them anywhere and at any time, without a separate device.
CW: Are the tests conducted in a real or simulated environment?
András Vilmos: There are real, simulated and mixed pilots. Prosumer and smart home tests, for example, take place in a real environment, in Athens. We have created a half-real, half-emulated environment for self-driving cars. This means that the partly real, partly computer-simulated cars drive on a real, closed test track. The drone pilot is completely a simulation.
CW: There is roughly half a year left in the project. Where are you in the work?
András Vilmos: Developments are more or less complete. We are currently deploying and testing the pilots. The results of the tests are fed back to the developers, who fine-tune the systems based on the signals and satisfy any new needs that may arise along the way. We are progressing fully according to the plans and schedule.
CW: Does BME involve students in the research and development work?
László Vajta: Yes, master’s students and doctoral students. Their activities are always managed by tutors. Typically, we entrust them with smaller tasks. Since the tasks are of a rather high level and complicated, we were able to involve relatively few students in the work.
CW: The IOTAC consortium recently participated as an exhibitor at the Cyber Security Congress in Barcelona, which was organized together with the IoT Solutions World Congress (IOTSWC). What were your experiences?
András Vilmos: More and more people are becoming aware that something needs to be done, as the number of devices connected to the network is increasing rapidly, and consequently the danger is increasing. IoT security is in focus, and the demand for protection solutions is increasing. By the way, we did not only participate in the IOTSWC with the IOTAC project, but our partners also presented other EU projects closely or tangentially related to IoT technologies.
CW: Do other forums promote the importance of protecting IoT systems?
András Vilmos: We are organizing the IoT Day Roundtable for the third year, where we choose a special topic each time. Last year it was usually about standardization, this year a new European Union law, the EU Cyber Resilience Act, will be the main topic. The essence is how to prepare the various consumer IoT devices in such a way that security is included by default. Naturally, we will also present the IOTAC project at this year’s event. We also invite representatives of the European Commission, ENISA (European Union Agency for Cybersecurity) and various industry organizations to the IoT Day Roundtable (April 17). In addition to the domestic players, there will be speakers from several European countries, and even an expert from the NIST (National Institute of Standards and Technology) will present from the United States. The virtual event can be followed online anywhere in the world.
CW: After the completion of the IOTAC project, what will be the fate of the results of the developments?
András Vilmos: During the project, we created the IOTAC Association, whose task is to coordinate the utilization of the results. The association does not carry out business activities, but supports appearances in industry organizations, communication with partners, and commercial activities of project members. It is therefore a clear goal that the participants make a business out of the results of the project. The business model was developed and the IOTAC framework is built in such a way that it can be sold uniformly as a single system. We strived for flexibility, i.e. individual modules can be activated separately, but most of them can also be used independently. The IOTAC Association also has tasks in the field of standardization. Together with ETSI, we are working on creating standards that describe how IoT environments should be protected, what conditions should be met, and how the tools for this should be made. Our tasks include spreading this knowledge and expectations.
CW: Who and what kind of organizations are expected to be the customers, the main users?
László Vajta: Let’s take an example! Nowadays, every household or small power plant sends the data generated during its operation – partly for security reasons – to the cloud of the inverter manufacturer. After that, all data access (which we perceive as communication with our own power plant) takes place with the knowledge and permission of the foreign manufacturer. One of the results of the IOTAC project is that it enables the separation of small power plants from the manufacturer’s cloud while ensuring the necessary data protection and data access. This is a good example of how a research and development project can bring usable, tangible results.
András Vilmos: We see great potential in smart homes. We will have to contact the manufacturers, service providers, and integrators that install smart homes. We need to achieve that our solution is treated as an option or a default option. In general, our direct partners are not the end users, but the system integrators who install the IoT system. The result created in the IOTAC project is therefore not directly a B2C, but rather a B2B2C solution.