With billions, and within the close to future probably trillions, of related units, the web of issues is a rising safety and privateness risk. Bringing collectively over 40 companions from academia, business, authorities and civil society, the Intersect mission is laying the groundwork for an web of safe issues. On 14 and 15 October, the consortium is organizing its first annual convention.
The web of issues is popping out to be one of many weakest spots in our infrastructure. With billions, and within the close to future probably trillions, of units, the safety dangers are rising at nice charges. While this pervasive community of IoT units will oversee our lives and financial system, it will likely be fully unmanageable from a safety perspective. To compound the chance, IoT techniques are sometimes devised and engineered in locations past our management, and until we wish to give up our digital sovereignty by solely counting on overseas options for our nationwide cybersecurity, we have to discover a option to safe them regardless.
“We are at a watershed moment in history and if we don’t take action now, we run the risk of being overcome by technology that will fundamentally and irreversibly undermine our cybersecurity and safety. This is not just another issue of data theft – this is about products that can be abused to attack and even destabilize critical infrastructures,” says Harold Weffers, coordinator of the Intersect public-private partnership. “Run in the context of the Dutch National Research Agenda, the Intersect project has the ambition to start a societal transition towards an internet of secure things. In the next eight years, we want to take concrete steps to deliver new approaches to making IoT devices more secure.”
“Securing the internet of things is not like securing regular IT,” Sandro Etalle factors out. Etalle is the Security group chief at Eindhoven University of Technology and Intersect’s scientific coordinator. “We have some methods and tools to secure IT, at least to some extent, but they take too much time and money to scale from thousands of computers to billions. If they scale at all – we simply cannot put an intrusion detection system on a very small IoT device. We need new ways to design these devices. With Intersect, we want to lay down the foundations for that.”
Etalle provides an instance, specializing in monitorability – “one of the key aspects of security,” in accordance with him. “Most of the systems around us are simply not monitorable. Take a smartphone. While developed with security in mind, it wasn’t developed with the idea that someone would need to be able to monitor it. They put a wall around it, making it difficult to get in but also almost impossible to see if the device is hacked. Generalizing, one of the reasons why we can’t secure systems is that we can’t monitor them. And one of the reasons why we can’t monitor them, strangely enough, is that security specialists have made them as non-monitorable as possible. Now, a smartphone is powerful enough to implement elaborate methods of self-protection, but when we move to IoT, we enter a world where we can’t build these walls anymore, where devices are mostly unsuitable to implement high-level defenses and where the number of systems requiring security is so high that we can’t apply our traditional security toolbox. In Intersect, we aim to lay down good-design principles for monitorable systems, such that we can monitor not tens of devices but tens of thousands.”
Device administration is one other vital concern. “It’s difficult enough to do that for a few hundred computers, imagine having to update the firmware of a few million,” illustrates Etalle. “Then imagine losing a few thousand. We’re going to see more and more of these so-called zombie devices, also from vendors that have gone bankrupt. Having a high chance of running an outdated operating system or containing known bugs, they’re ideal targets for attackers. Intersect aims to provide ways to incorporate management functionality from the very beginning.”
Similarly, Etalle requires governance by design. “Next to security, safety and privacy, there’s also the compliance with the law to consider,” he explains. “Policies and regulations change. The only way to deal with that is to design devices in such a way that governance isn’t an afterthought but something built-in. We want to provide the tools for solving these challenges.”
Call to motion
In lower than a yr, Intersect has already borne fruit. “A big achievement is that we’ve gotten everyone to talk to everyone,” notes TUE professor Etalle. “From Dutch academia, next to my university, we have Amsterdam for the attack, Delft for the governance, Nijmegen for the design and development, Tilburg for the law and Twente for the defense. We’ve also got several knowledge institutes and universities of applied sciences on board. The participation of key companies ensures a solid landing in industry. This gives us the cross-fertilization we need to tackle this huge problem.”
“There’s a strong basis for laying the scientific foundations, supplemented with broad support from industrial partners who have the ambition to build platforms and other solutions on top of that,” Weffers provides. “It will most likely take more than the eight-year duration of this project, but eventually, our joint efforts will result in a host of technologies and supporting systems to enable the internet of secure things.”
In the rapid future, on 14 and 15 October, the consortium is organizing its first annual conference on cybersecurity for the IoT. During this digital get-together, accessible freed from cost to registered participants, they’re going to deal with the issues, attainable (instructions for) options and the associated R&D and innovation carried out within the context of the mission. Etalle: “The program will touch on the technical aspects, as well as the challenges for society at large, so it will be interesting not only for techies, for those developing IoT devices, but also for those keen on learning what the future will bring – good or bad.”
“It’s a call to action,” concludes Weffers. “Now is the time to create awareness for the problem, to inform people and to get them to start acting accordingly. The Intersect project is also intended to be a seed for a more durable virtual research institute. We want other interested parties, not yet in the consortium, to connect to us so that we can extend our footprint and further the take-up and scale-up of the project results. For these parties, whether from academia, industry, government or civil society, the conference is a showcase of the ‘latest and greatest’ in IoT security and an ideal opportunity to come into contact with us.”