Smart lamps, a smart doorbell, thermostat, smoke alarm or smart toothbrush. More and more devices are being linked to the internet - also known as the Internet of Things (IoT) - so you can operate them with your smartphone.
How convenient to be at work yet able to tell the delivery person standing on your doorstop where the package can be left, or to have a toothbrush that changes its brushing program to suit you, based on facial recognition. They promise to make your life easier but smart devices also involve very real risks. What happens to all that data they are generating and sharing? And what is the manufacturer doing with all your personal information?
Last summer it was announced that TU/e will be leading a national research project designed to make the Internet of Things more secure. Taking part in this project ‘An Internet of Secure Things - INTERSECT’ are forty-five bodies - universities, companies, civic organizations and government agencies.
Together with Harold Weffers, coordinator of external partnerships, TU/e professor of Cybersecurity Sandro Etalle is the driving force behind INTERSECT. “It's a very good thing that we will soon be starting work with a highly multidisciplinary team,” says Weffers. “We depend entirely on services on the internet these days. But this convenience has a downside. Imagine that a hacker gains access via the solar panels on your roofs to other devices on the network. While this is certainly damaging, it's a problem that as an individual user you could shrug off. But what if this were to happen to a large group of users at the same time, making it a Distributed Denial of Services (DDos) attack?”
The huge increase in smart devices and the lightning fast developments related to the IoT are forcing us to look at cybersecurity in a different way, Etalle explains. “This isn't a problem we can lay wholly at the consumer's door. There are already some twenty billion smart devices coupled to the IoT and this number is increasing rapidly. A system like this is very complex and dynamic; and we are now seeing that little control is being exercised over how it develops. This has consequences for security and privacy issues. With the INTERSECT project, we want to keep the IoT manageable and secure, and this requires a systematic approach.”
Whole chain approach
For a couple of years now, Etalle has been one of the authors of the National Security Research Agenda (NSRA), an agenda for national research on digital security. The NSRA is divided into five pillars: design, defense, attacks, organization and privacy. The meetings to develop the NSRA gave rise to a new partnership between various cybersecurity experts, and the realization that for the IoT the ‘pillar approach’ is not efficient.
Etalle says, “To ensure security, we must address the whole chain and we are taking a broad approach; involved in our project we have technicians as well as business owners, criminologists and lawyers. It starts right back at the product design stage. A product must be high quality not just in terms of functionality but also regarding the processes related to security. Just stop and think what happens after a manufacturer goes bankrupt: the company's devices remain in use and they still need security, to be monitored and patched. Unfortunately, the importance of this is often underestimated. We hope to make companies more aware of the need to market secure products.”
In view of this, the fact that the Netherlands has both a strong manufacturing industry and many important suppliers to the international market is a big plus for the project.
As well as awareness-raising among trade and industry, INTERSECT hopes to bring about a change in society, says Weffers. “It would be nice if people who are currently inclined to buy a cheap device of some kind imported from who knows where - to name no names - were to stop and think about their own security and pick a different product instead. As an individual, use your common sense. The government should also be paying more attention to this change of behavior.”
With a Dutch slogan akin to ‘Don't get hacked, check your updates’ the Ministry of Economic Affairs last week kicked off its campaign to keep smart devices secure not just in theory but also in practice. For although the majority of users know that their devices can be hacked, only half carry out an update in good time, one of the easiest ways to increase security. “So there is still considerable room for improvement here,” Weffers concludes.
As became evident when INTERSECT was set up, ever more companies are recognizing the importance of cybersecurity. It was not hard to find partners in industry who were keen to cooperate. At the various universities, twenty-seven doctoral candidates have been recruited, and universities of applied sciences and TNO are also providing staff who will contribute to the project. Together, over the next eight years, they will develop building blocks for the design, security and administration of IoT systems, with Etalle in the role of scientific leader. “We'll be setting up a IoT lab here, where we want to foster cross-fertilization. It is important that knowledge is used. We have plenty of experience in this area, thanks in part to our digital security company Security Matters (cofounded by Etalle and acquired by US company ForeScout in 2018, ed.). With the affiliation of parties like Brainport, not only do companies in the consortium benefit from existing knowledge, but the project will be rolled out further in the region. And in this way we all hope to take major steps towards making the IoT secure, in a sustainable, long-term way.”
The INTERSECT kick-off will be held at TU/e on Monday April 6th. Information about the program, which will include a symposium, and enrollment will follow.
As a cybersecurity expert, Etalle is already involved, together with his team, in TU/e's ICT security. Cutting-edge research can be applied immediately to protect the university network against cyber attacks, such as the ransomware attack at the end of 2019 at Maastricht University.
Watertight protection is impossible, says Etalle. “We must be prepared for attacks like these. On this occasion they penetrated the UM network, but it could have been any other university. Of course, we have a very good team of security experts here, and since the Maastricht attack security measures have been tightened up, but we are and will continue to be a relatively open structure that is difficult to keep secure.”
What makes the situation particularly worrying, says Etalle, is that until now such targeted attacks have only ever been part of industrial and political espionage. “Here, we saw criminals trying to disable not individual users but the entire infrastructure. Something on this scale requires major investment on the part of the criminal. That such an attack has now happened at a public institution is a sign that this kind of cybercrime is becoming commercialized. The events in Maastricht emphasize the need to improve the universities' security. Cooperation between researchers and security staff is therefore crucial.”
The field of education is also adapting to these new developments. For example, TU/e offers the master's track in Information Security Technology, with a focus on computer security. As part of this, Etalle and his colleague Luca Allodi are running the new master's course ‘Cyberattacks, Crime and Defences’. Etalle is keen to teach students early on all they need to know about the cybercriminals' modus operandi.
“An endless race is going on between academics and criminals. By giving students an insight into how criminals think and how attacks are carried out in practice, we hope to be able to intercept ever more attacks in future and to be able to prevent attacks, so that eventually we can guarantee increasing network security.”