Critical Infrastructures Protection
The protection of Critical Information Infrastructures (CII) has become one of the most cutting-edge research areas in recent years. In fact, nowadays, diverse private and public entities are joining efforts to offer innovator solutions that help to protect and control, at real-time, the business continuity and its sensitive-information, in addition to ensuring well-being social and economy. Precisely, one of the CIIs with a high-relevance within Critical Information Infrastructure Protection (CIIP) is Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems are specialized systems of critical nature in charge of constantly monitoring the general performance of critical systems as well as their services, such as transportation, communication or energy. Currently, such a control is mainly based on current Information and Communication Technologies, where wireless communication systems and the Internet play a significant role in the local and remote control, respectively. However, not all are advantage and benefit, it is very important to highlight that this new way of controlling brings new security challenges, with new vulnerabilities, faults, failures and, of course, threats.
Given that SCADA systems are as the main kernel of protection for the most of our Critical Infrastructures deployed in our society, NICS has dedicated part of its effort to understand how the use of the current ICTs, standards, wireless communication systems and the Internet could increase performance levels (ATENEA Project). Thanks to this work, NICS has addressed its researches to the protection and prevention topics of critical environments that includes incident management, and design and development of preventive tools (such as for example, Early Warning Systems) and response tools. Some of these tools have been designed under the context of the PROTECT-IC project.
As part of the protection, NICS is also very interested on researching security problems, challenges and solutions relative to complex and dynamic critical networks. Particularly, these researches are focused on addressing aspects related to: (i) secure interconnection between several control systems (i.e., SCADA1 system - SCADA2 system; PISCIS Project); (ii) virtualization of threats and failures in complex critical networks (SACO Project); and security of communication networks and their elements (e.g. RTUs or smart meters) which belong to dynamic critical networks (SECRET Project), such as Smart Grids. Lastly, and taking into account that NICS is one of the groups most specialized in the Wireless Sensor Networks area (more detail below), part of the studies have been focused on such a technology, its application for the prevention and protection at remote substations (CRISIS Project), and the security of the available communication protocols for industrial environments, such as ZigBee PRO, WirelessHART or ISA100.11a (ARES Project).
List of publications More information
Identity Management
It is hard to find a globally accepted definition of the term Identity and even harder to precisely define what is understood by Identity Management. User Authentication, Access Control and Privilege Management form the core three aspects of Identity Management that have been the focus of NICS research from the very beginning. With the emergence of the Internet of Services, more and more complex aspects regarding identity have arisen, most of them related with its interoperability. There have been many developments in this field that have derived in the specification of standards for Identity Federation services. Those developments have motivated further research on related areas such as Trust Management and User Privacy.
At NICS we have covered most of the research areas that fall under Identity Management, some of them as a primary focus and some others transversally in the context of another research area. PRIVILEGE is a national project where we concentrated all our efforts in the definition of a common framework not only for privilege management but for all its related technologies. We have participated in two European projects, SPIKE and PICOS, were Identity management was a specific security target. In SPIKE we have develop mechanisms for rapid setup of identity federations whereas in PICOS the focus were more on users’ privacy.
List of publications More information
Non-repudiation
The network communication grounds (and among them, distance and lack of trust) makes translation of paper-based procedures to networked digital ones not a trivial task. Thus, in order to realise security in Internet (or any other networked including mobile) applications, special protocols are needed to ensure that any dispute could be solved between users if the network fails or an entity misbehaves. In the computer security field, these protocols are known as non-repudiation protocols, a key element for the provision of the non-repudiation service as standardised by the ITU-T X.813.
Research oriented to non-repudiation protocols has been active since the beginning of this millennium; considering in most occasions only two parties as the players of the protocol design scenario. The work in NICS has been focused in multi-party non-repudiation protocols analysis, design, simulation and implementation. This work covers from general designs and analysis to application-driven design and implementation (as the non-repudiation supported OMA-DRM framework developed in the UBISEC project). At the same time, multi-party non repudiation protocols serve as the basis for other value-added services like Certified Electronic Mail and Contract Signing protocols. In this direction NICS has designed optimal multi-party protocols and studied their properties compatibility.
List of publications More information
RFID
Radio Frequency IDentification (RFID) technology provides a seamless link between the items of the physical world and the information system including identification, information and computation capabilities. Due to this, it is being adopted in several sectors and is expected to be a key technology in the upcoming Internet of Things. However, its features turn it into a double-edge sword which arise several privacy and anonymity threats which combined with its extremely constrained computation and communication capabilities has turned RFID security into a relevant and complex research field.
From our group, we have and are working on the secure integration of RFID technology in a variety of scenarios. Up to now, our research has focused in two main scenarios: personal documentation and healthcare environments, both supported by research projects. In the context of the IDENTICA project, we focused on the secure integration of RFID technology in personal documentation. We introduced our concept of secure hybrid documentation and provided suitable mechanisms to improve their security properties. Part of this work included a fully functional prototype implementation of a robust and reliable key management infrastructure to manage the keys required for access the tag and establish a secure communication channel in RFID-based documents.
In the context of the CIES project, we devised the integration of RFID technology in healthcare environments in order ro improve reliability and safety of involved processes with the provision of two lab-tested solutions. First, we proposed a secure RFID-based medical equipment tracking system for healthcare facilities enabling both real-time locations and theft prevention which lab testing showed up relevant limitations of RFID technology. Moreover, we analyzed and provided a solution for care and control of patients in a hospital. Our prototype provides a secure backup data source from personnel and patients' tags, as well as an offline working mode which increase application reliability and patient's safety.
List of publications More information
Trust & Reputation Management
Since their origins trust management systems have been used in order to assist entities that have to interact with others in a system. It has been a very important tool for the decision-making process. Sometimes, the information available about the other entities is not enough for establishing a secure exchange of information, but still the interaction must take place. Trust management systems try to supply this lack of information. In the last years, due to the growth of electronic communications and transactions, reputation systems have been developed to aid trust management systems for assisting the trust decision process.
In order to establish the trust relationship a trust management system is usually composed of a symbolic language for representing trust and a way of measuring trust (trust metrics), that derives the trust assessment. At NICS we have mainly concentrated on designing different trust models. In particular, we designed a trust model based on graph theory and characterized the most suitable trust metrics to be used in each case depending on its properties or the nature of the system. Sometimes, the application case is dynamic and therefore the inclusion of time as a parameter for measuring trust is very convenient. We designed a trust model where besides trust and reliability as parameters time was also considered. Other trust models designed at NICS include delegation privileges for access control or a scale-based model. We also investigated how in the context of federated identity management trust perception can be exported by using a federated reputation system.
As an application of trust and reputation management to a specific field we considered the field Wireless Sensor Networks. We identified which are the main features that a trust and reputation management system should include for its application to WSN and which are the best practices that should govern their design. As an extension to the application of trust and reputation management to WSN we have developed a reputation-based early warning system for critical infrastructures.
List of publications More information
Wireless Sensor Networks
Wireless Sensor Networks, or WSN, have evolved in the past years from a promising research field to a useful technology applicable to numerous scenarios, such as home and industrial environments. Security is a key factor for the successful deployment of this type of networks, as there are multiple issues (e.g. the capabilities of the nodes and the existence of multiple attack points) that must be carefully considered in order to assure a fault tolerant provisioning of protected services. The importance of security is acknowledged by current WSN specifications, such as Zigbee or ISA100.11a, which define their own security mechanisms and protocols.
Moreover, there are also incoming standards strictly focused on WSN security, such as ISO/IEC 29180 and ITU-IT X.1312. Nevertheless, as security is highly related to the needs of an application and its environment, NICS has been working on the analysis and development of security mechanisms specially adapted for the requirements of WSN applications. Not only NICS has studied different areas such as the use of cryptographic algorithms, the distribution of keying material, and the existence of network status systems, but also has provided some guidelines to integrate those mechanisms in middleware architectures (project SMEPP). Moreover, although WSN is a strategic component of the future Internet of Things, there are a considerable number of security challenges that might hinder their complete integration, and those also are currently being studied by NICS (project ARES, SPRINT).