Nieke Roos
8 October

With billions, and in the near future potentially trillions, of connected devices, the internet of things is a growing security and privacy threat. Bringing together over 40 partners from academia, industry, government and civil society, the Intersect project is laying the groundwork for an internet of secure things. On 14 and 15 October, the consortium is organizing its first annual conference.

The internet of things is turning out to be one of the weakest spots in our infrastructure. With billions, and in the near future potentially trillions, of devices, the security risks are growing at great rates. While this pervasive network of IoT devices will oversee our lives and economy, it will be completely unmanageable from a security perspective. To compound the risk, IoT systems are often devised and engineered in places beyond our control, and unless we want to surrender our digital sovereignty by only relying on foreign solutions for our national cybersecurity, we need to find a way to secure them regardless.

“We are at a watershed moment in history and if we don’t take action now, we run the risk of being overcome by technology that will fundamentally and irreversibly undermine our cybersecurity and safety. This is not just another issue of data theft – this is about products that can be abused to attack and even destabilize critical infrastructures,” says Harold Weffers, coordinator of the Intersect public-private partnership. “Run in the context of the Dutch National Research Agenda, the Intersect project has the ambition to start a societal transition towards an internet of secure things. In the next eight years, we want to take concrete steps to deliver new approaches to making IoT devices more secure.”

Zombies

“Securing the internet of things is not like securing regular IT,” Sandro Etalle points out. Etalle is the Security group leader at Eindhoven University of Technology and Intersect’s scientific coordinator. “We have some methods and tools to secure IT, at least to some extent, but they take too much time and money to scale from thousands of computers to billions. If they scale at all – we simply cannot put an intrusion detection system on a very small IoT device. We need new ways to design these devices. With Intersect, we want to lay down the foundations for that.”

Etalle gives an example, focusing on monitorability – “one of the key aspects of security,” according to him. “Most of the systems around us are simply not monitorable. Take a smartphone. While developed with security in mind, it wasn’t developed with the idea that someone would need to be able to monitor it. They put a wall around it, making it difficult to get in but also almost impossible to see if the device is hacked. Generalizing, one of the reasons why we can’t secure systems is that we can’t monitor them. And one of the reasons why we can’t monitor them, strangely enough, is that security specialists have made them as non-monitorable as possible. Now, a smartphone is powerful enough to implement elaborate methods of self-protection, but when we move to IoT, we enter a world where we can’t build these walls anymore, where devices are mostly unsuitable to implement high-level defenses and where the number of systems requiring security is so high that we can’t apply our traditional security toolbox. In Intersect, we aim to lay down good-design principles for monitorable systems, such that we can monitor not tens of devices but tens of thousands.”

Device management is another important issue. “It’s difficult enough to do that for a few hundred computers, imagine having to update the firmware of a few million,” illustrates Etalle. “Then imagine losing a few thousand. We’re going to see more and more of these so-called zombie devices, also from vendors that have gone bankrupt. Having a high chance of running an outdated operating system or containing known bugs, they’re ideal targets for attackers. Intersect aims to provide ways to incorporate management functionality from the very beginning.”

Similarly, Etalle calls for governance by design. “Next to security, safety and privacy, there’s also the compliance with the law to consider,” he explains. “Policies and regulations change. The only way to deal with that is to design devices in such a way that governance isn’t an afterthought but something built-in. We want to provide the tools for solving these challenges.”

Call to action

In less than a year, Intersect has already borne fruit. “A big achievement is that we’ve gotten everyone to talk to everyone,” notes TUE professor Etalle. “From Dutch academia, next to my university, we have Amsterdam for the attack, Delft for the governance, Nijmegen for the design and development, Tilburg for the law and Twente for the defense. We’ve also got several knowledge institutes and universities of applied sciences on board. The participation of key companies ensures a solid landing in industry. This gives us the cross-fertilization we need to tackle this huge problem.”

“There’s a strong basis for laying the scientific foundations, supplemented with broad support from industrial partners who have the ambition to build platforms and other solutions on top of that,” Weffers adds. “It will most likely take more than the eight-year duration of this project, but eventually, our joint efforts will result in a host of technologies and supporting systems to enable the internet of secure things.”

In the immediate future, on 14 and 15 October, the consortium is organizing its first annual conference on cybersecurity for the IoT. During this virtual get-together, accessible free of charge to registered participants, they’re going to address the problems, possible (directions for) solutions and the related R&D and innovation performed in the context of the project. Etalle: “The program will touch on the technical aspects, as well as the challenges for society at large, so it will be interesting not only for techies, for those developing IoT devices, but also for those keen on learning what the future will bring – good or bad.”

“It’s a call to action,” concludes Weffers. “Now is the time to create awareness for the problem, to inform people and to get them to start acting accordingly. The Intersect project is also intended to be a seed for a more durable virtual research institute. We want other interested parties, not yet in the consortium, to connect to us so that we can extend our footprint and further the take-up and scale-up of the project results. For these parties, whether from academia, industry, government or civil society, the conference is a showcase of the ‘latest and greatest’ in IoT security and an ideal opportunity to come into contact with us.”