As homes fill with smart TVs, lights, kettles and even smart toys, concerns are rising about the security of internet-connected devices. From talking teddy bears to car security systems to healthcare devices such as pacemakers, there is concern that hackers may too easily access and exploit our private data.
A key strategy for improving IoT cybersecurity is for device manufacturers to build more robust security into the design of their devices, so they come to market without security gaps that hackers can easily exploit.
A project between Edinburgh Napier University and Keysight Technologies in Edinburgh, and supported by CENSIS aims to make it easier to test if interconnected devices and networks are secure against hacking attacks – not just consumer goods, but the embedded devices used in smart infrastructure and smart cities. This in turn could be translated into identifiable security standards for IoT devices.
Prof Bill Buchanan, cybersecurity expert at Edinburgh Napier University said: “The biggest thing holding back the development of IoT security – specifically, concerns about the vulnerabilities of devices, the ease of hacking them, and the consequences of such hacks.
“In healthcare, for example, IoT could transform the way we monitor people’s health and manage conditions like asthma. But security concerns are holding back wider adoption of smart devices. Only if we can improve confidence in IoT security can we realise the potential of smart technology.”
The project partners are using data analytics to identify vulnerabilities that could put IoT devices at risk. The project will focus on ‘side channels’ – the tell-tale electromagnetic, power and acoustic signals that hackers can eavesdrop on, and use to crack encryption codes on the device.
The project team will use the data they gather to put together a test framework that manufacturers and designers could use to evaluate the vulnerabilities of different devices. The development of automated vulnerability testing using Keysight’s PathWave platform will make it more feasible for manufacturers to rigorously test connected devices at every point in the design workflow from concept through production prototypes.
These tests could in turn be used to develop a formal industry framework for testing IoT devices for a range of risks and vulnerabilities, and even to develop minimum standards for different types of IoT devices and hardware.
It means that rather than vulnerabilities being exposed once devices are already on the market or in use, manufacturers would identify and deal with security issues at, for example, prototype stage.
Stephen Milne, CENSIS Business Development Manager said “Strong cybersecurity is a prerequisite for the successful integration of sensor and imaging systems and IoT technology. So CENSIS is supporting IoT security by design – whereby engineers and manufacturers build gold-standard IoT security into devices from the outset.
“By developing a reference model for IoT cybersecurity testing, this project could help to strengthen the security armoury of every connected device, whether it’s a consumer or business device, or part of the national infrastructure. It could also help to put Scotland at the forefront of IoT cybersecurity testing.”
Doug Carson, Solutions Consultant at Keysight Technologies commented: “It’s in all of our interests that the Internet of Things is secure – it’s not just about someone hacking your smart TV, but about protecting our critical national infrastructure – transport networks, communications networks and manufacturing supply chains.
“Every device connected to these networks is a potential way in for hackers, so it’s essential we help every supplier to test their devices against rigorous standards before they are ever put into the field. Through this work with CENSIS and Edinburgh Napier University, we can put in place the foundations to do that.”
Dr Owen Lo of Edinburgh Napier University presented the IoT Hardware Security Test Framework project at the International Conference on Big Data in Cyber Security, Edinburgh, 31 May 2018.