Internet-of-Things Security

Funded by NSW Government
Partners:
Duration: 2017 – 2018

Industrial Control Systems (ICS) used in the management of critical infrastructure were designed to function as isolated systems (first generation). Later, they became distributed (second generation) and networked (third generation) to support larger deployments. Today, with emergence of the Internet of Things (IoT) and cloud computing, ICS environments are transforming once again where old legacy systems and the new IoT technology are deployed together to deliver enhanced understanding and predictive capability (fourth generation). This new environment reveals new security vulnerabilities.

IoT has already started to transform legacy ICT systems that are essential for the operation of transport, energy, water and other infrastructure systems. Devices capable of sending data and receiving commands to/from cloud/fog/edge computers have emerged, and they will soon flood the market with vast varieties. Hence, the major challenge that NSW agencies will face in this inevitable transition is to decide on the inherent security and security management capabilities that they should require from vendors so that agencies can always assure the right information can get to the right thing/person at the right time.

This project aims to develop a guideline document and demonstrate security capabilities essential for IoT to help agencies to complete this transition successfully. The project will start by investigating authentication along with its inherent identity management, key management and integrity problems. While authentication is a challenging issue in legacy ICS, IoT enabled ICS will increase the scale and complexity of the problem due to resource constraints (i.e the level of different activities that a single device can cost-effectively capture, evaluate and send) on IoT devices such as a humidity sensor. New authentication solutions should be dynamically adaptive to situations, as non-intrusive as possible and usable along with the legacy authentication schemes (e.g., DNP3-SA) to be able to tackle these challenges.

It is proposed that there be two Stages to this project:

  1. Stage 1 will investigate and demonstrate the new multi-level authentication solutions that can address the above mentioned challenges, with the aim of ensuring secure operations of new IoT enabled ICS systems. Major findings and literature on IoT enabled ICS scenarios will be collected under the first chapter of the guideline on authentication.
  2. Stage 2 will investigate further security capabilities, and demonstrate and document them in the guideline. Stage Two investigation will consider scenarios, in consultation with NSW agencies, for integrating secure IoT devices into legacy Industrial Control Systems (ICS).

At the end of two stages, this project will deliver Guidelines for Security for IoT Enabled ICS which agencies can ensure only authorised personnel can access and/or operate essential system elements at the most current situation (e.g., standard operation, system maintenance and emergency due to failures or targeted attacks, etc.).