Scroll Top

INTERNET OF THINGS

At its core, the idea of the Internet of Things (IoT) can be defined in one simple sentence: “a worldwide network of interconnected entities.” Still, this core idea can be expanded in a multitude of ways. One of the cornerstone concepts of the IoT, the “things” themselves, actually encompasses multiple types of devices: from simple RFID tags and wireless sensor devices to complex systems like connected cars, consumer devices such as TVs and cameras, and even basic facilities like fridges and doors. The scope of the IoT can also be refined and/or extended, covering new areas such as in the Industrial Internet of Things (describing how IoT applies to the industrial and manufacturing sector) and in the Internet of Everything (which includes the things alongside people, processes, data, and their connections). Moreover, the IoT has become closely related to other paradigms, either because they have similar core values (as is the case with machine-to-machine systems and cyber-physical systems), or because they make use of one another (as is the case with Edge Computing). This heterogeneity, plus other factors, make the creation of fault-tolerant IoT infrastructures that are protected against failures and attacks a very complex task [1][2]. For this very reason, over the last few years NICS has been working on the development of novel IoT security and privacy mechanisms.

One example are the challenges that IoT security and privacy face in areas such as Industry 4.0 (SEGRES, SADCIP) and Industry 5.0 (SecTwin, DISS-IIoT), 5G (5G+TACTILE_4), and Edge Computing (SecureEDGE, SMOG). As IoT is one of the core concepts of the Industry 4.0, it is essential to assess how IoT-enabled cyberattacks can affect our critical infrastructures [3]. Precisely, NICS has developed a novel APTs (Advanced Persistent threats) traceability solution for industrial ecosystems [4][5] that can also integrate the output of industrial IoT devices, regardless of the technologies used [6]. As for 5G and Edge Computing, NICS mainly focuses on innovative deployment strategies of intrusion detection systems. These strategies include not only the deployment of passive detection mechanisms from a bottom-up perspective (crowdsourced IoT entities [7]) and from a top-down perspective (immune system-like agents deployed from the cloud [8]), but also the deployment of proactive agents (i.e. honeypots) that actively analyze the behavior of malicious IoT entities [9]. Besides, NICS has also explored other security and privacy aspects related to 5G and Edge computing, including the integration of security and privacy mechanisms in the Internet of Vehicles [10], the deployment of a distributed and user-friendly privacy platform [11], and even the security of the Edge itself [12][13]. Finally, we have studied the requirements related to the certification of IoT devices (CIES), and provided some solutions that allow human operators to reduce the time needed to analyze a device [14].

Research lines

Other mechanisms that are being actively studied by NICS researchers include trust and IoT forensics. On the subject of trust and the IoT, we are tackling several challenges, such as the inclusion of trust in the development of an IoT entity considering all the phases of its life-cycle [15][16][17][18][19], and the creation of trusted local IoT environments (e.g. smart homes) through segmentation and trust management [20]. Precisely, in this line of work we have analyzed the behavior of smart home devices, and defined trust models that aim to address their security risks [21]. Many of these developments have been carried out under the umbrella of several projects, such as IoT-Trust.

As for IoT forensics, our work focuses on two areas: the development of cybersecurity profiles, where we automate the process of gathering IoT data (extracted from devices [22] or the cloud [23]) and link it to human users, and the creation of ‘Digital Witnesses’, where IoT devices are capable of obtaining, safeguarding, and securely electronic evidence related to a (cyber)crime [24]. During the development of these concepts, carried out under the IoTest project, we carefully considered the privacy of users: our work allows citizens to share their data with some privacy guarantees [25].

There are other security challenges that have been studied by NICS in the last years, such as the security requirements and protocols that will be needed in a distributed IoT. Here, multiple entities located at the edge of the network can locally and remotely collaborate with each other without depending on a purely centralized infrastructure. In the context of various projects, such as SPRINTNESSoS, and IOT-SEC, we studied the security challenges [26] and secure engineering challenges [27] related to this particular deployment strategy, developed various security protocols such as key exchange between constrained clients and servers [28], and analyzed the feasibility of new deployment models where local IoT environments, such as smart homes, behave as interconnected islands [29].

Finally, in previous projects, NICS has developed several IoT security mechanisms in scenarios such as i) Smart homes, where we studied attacks and countermeasures related to wireless hacking [30]; ii) Smart Cities (ENVIA), where we studied how smart pavement and other local (e.g. mobile phones) and remote entities (e.g. Internet Services) could securely interact with each other; iii) Intelligent Transport systems (DEPHISIT, SAVE) where sensors located within a vehicle enabled value-added services such as traffic management and road safety, and iv) e-Health, where we analyzed the secure interaction of IoT building blocks (WSN, RFID) [31].

Wireless Sensor Networks

In addition to our work on the Internet of Things, NICS has also been involved in the security of sensor devices that are not directly connected to the Internet: Wireless Sensor Networks (WSN). Such networks must implement various lightweight underlying protocols, such as routing, aggregation, and time synchronization, to enable the provisioning of its services. Still, these protocols are not enough to adequately protect WSNs [32][33][34]. It is necessary to implement various security mechanisms that will provide support for the different protocols of the network. Moreover, such security mechanisms must be adapted to the specific requirements of the WSNs applications and environments, so as to optimally make use of the limited network resources.

At NICS, we have studied and designed many of these security mechanisms in the context of several projects, such as ARES and CRISIS. In particular, not only we have studied the different security primitives that can be used in a WSN [35][36], but also we have analyzed how keys can be transmitted using out-of-band channels [37], how public key infrastructures could be applied in this context [38], and how key management systems can be optimally selected to manage the cryptographic keys used by those primitives [39][40][41][42][43]. Beyond the creation of secure channels, we have also investigated how other supporting protocols, such as intrusion detection systems [44][45][46] and trust management systems [47][48][49][50], can benefit all the protocols of the network by giving a quasi-real-time map on the state of the network and the behavior of its elements. Finally, we also have investigated how all these mechanisms could be efficiently integrated into a software architecture, devising a transversal layer that retains the benefits of layered architectures while limiting the disadvantages of cross-layer architectures [51][52]. Precisely, some of the ideas of this transversal layer were applied to a peer-to-peer context in the SMEPP project [53] and in the Feel@Home project [54][55].

Another aspect related to the security of WSN is location privacy [56]. An adversary can obtain sensitive information about the network itself or the area/phenomenon being monitored. In particular, the location of the nodes reporting data [57], and consequently the location of events, is part of the information that could be leaked because of the nature of WSNs, more precisely due to the communications pattern. NICS considers that this contextual data must be carefully protected since the events can be directly related either to individuals or to important assets. The criticality of the location privacy problem is evident in many current WSNs scenarios, such as Critical Infrastructure monitoring, endangered animal species surveillance, and cargo tracking. On top of that, the communication pattern may also reveal the location of the base station, which may result in attackers being able to compromise the whole network. In this respect, we devised a solution which was capable of providing robust protect against traffic analysis attacks [58] as well as against node compromise attacks [59].

References

  1. Rodrigo Roman and Pablo Najera and Javier Lopez (2011): Securing the Internet of Things. In: IEEE Computer, vol. 44, no. 9, pp. 51 -58, 2011, ISSN: 0018-9162.
  2. Rodrigo Roman and Javier Lopez and Stefanos Gritzalis (2018): Evolution and Trends in the Security of the Internet of Things. In: IEEE Computer, vol. 51, pp. 16-25, 2018, ISSN: 0018-9162.
  3. Ioannis Stellios and Panayiotis Kotzanikolaou and Mihalis Psarakis and Cristina Alcaraz (2021): Risk Assessment for IoT-Enabled Cyber-Physical Systems. In: Advances in Core Computer Science-Based Technologies, pp. 157-173, Springer International Publishing, Cham, 2021, ISBN: 978-3-030-41196-1.
  4. Juan E. Rubio and Rodrigo Roman and Javier Lopez (2018): Analysis of cybersecurity threats in Industry 4.0: the case of intrusion detection. In: The 12th International Conference on Critical Information Infrastructures Security, pp. 119-130, Springer Springer, 2018.
  5. Ioannis Stellios and Panayiotis Kotzanikolaou and Mihalis Psarakis and Cristina Alcaraz and Javier Lopez (2018): Survey of IoT-enabled Cyberattacks: Assessing Attack Paths to Critical Infrastructures and Services. In: IEEE Communications Surveys and Tutorials, vol. 20, pp. 3453-3495, 2018, ISSN: 1553-877X.
  6. Juan E. Rubio and Rodrigo Roman and Javier Lopez (2020): Integration of a Threat Traceability Solution in the Industrial Internet of Things. In: IEEE Transactions on Industrial Informatics, vol. 16, no. 6575-6583, 2020, ISSN: 1551-3203.
  7. Ana Nieto and Antonio Acien and Gerardo Fernandez (2018): Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation. In: Mobile Networks and Applications (MONET), pp. 881-889, 2018, ISSN: 1383-469X.
  8. Rodrigo Roman and Ruben Rios and Jose A. Onieva and Javier Lopez (2019): Immune System for the Internet of Things using Edge Technologies. In: IEEE Internet of Things Journal, vol. 6, pp. 4774-4781, 2019, ISSN: 2327-4662.
  9. Antonio Acien and Ana Nieto and Gerardo Fernandez and Javier Lopez (2018): A comprehensive methodology for deploying IoT honeypots. In: 15th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2018), pp. 229–243, Springer Nature Switzerland AG Springer Nature Switzerland AG, Regensburg (Germany), 2018.
  10. Jose A. Onieva and Ruben Rios and Rodrigo Roman and Javier Lopez (2019): Edge-Assisted Vehicular Networks Security. In: IEEE Internet of Things Journal, vol. 6, pp. 8038-8045, 2019, ISSN: 2327-4662.
  11. Ruben Rios and Jose A. Onieva and Rodrigo Roman and Javier Lopez (2022): Personal IoT Privacy Control at the Edge. In: IEEE Security & Privacy, vol. 20, pp. 23 – 32, 2022, ISSN: 1540-7993.
  12. Ruben Rios and Rodrigo Roman and Jose A. Onieva and Javier Lopez (2017): From Smog to Fog: A Security Perspective. In: 2nd IEEE International Conference on Fog and Edge Mobile Computing (FMEC 2017), pp. 56-61, IEEE Computer Society IEEE Computer Society, Valencia, Spain. 8-11 May 2017, 2017, ISBN: 978-1-5386-2859-1.
  13. Rodrigo Roman and Javier Lopez and Masahiro Mambo (2018): Mobile edge computing, Fog et al.: A survey and analysis of security threats and challenges. In: Future Generation Computer Systems, vol. 78, pp. 680-698, 2018, ISSN: 0167-739X.
  14. Manuel Ruiz and Ruben Rios and Rodrigo Roman and Antonio Muñoz and Juan Manuel Martínez and Jorge Wallace (2022): AndroCIES: Automatización de la certificación de seguridad para aplicaciones Android. In: XVII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2022), pp. 192-197, Ediciones Universidad Cantabria Ediciones Universidad Cantabria, Santander, Spain, 2022.
  15. Davide Ferraris and Carmen Fernandez-Gago and Javier Lopez (2018): A Trust-by-Design Framework for the Internet of Things. In: 2018 9th IFIP International Conference on New Technologies Mobility and Security (NTMS), IEEE IEEE, Paris, 2018, ISSN: 2157-4960.
  16. Davide Ferraris and Carmen Fernandez-Gago (2019): TrUStAPIS: A Trust Requirements Elicitation Method for IoT. In: International Journal of Information Security, pp. 111-127, 2019, ISSN: 1615-5262.
  17. Martin Kolar and Carmen Fernandez-Gago and Javier Lopez (2020): A Model Specification Implementation for Trust Negotiation. In: The 14th International Conference on Network and System Security (NSS 2020), pp. 327-341, Springer Springer, Melbourne, Australia, 2020.
  18. Davide Ferraris and Carmen Fernandez-Gago and Javier Lopez (2022): Novel Approaches for the Development of Trusted IoT Entities. In: 37th International Conference on ICT Systems Security and Privacy Protection – IFIP SEC 2022, pp. 215-230, Springer Springer, Copenhagen, 2022, ISSN: 1868-4238.
  19. Davide Ferraris and Carmen Fernandez-Gago and Javier Lopez (2022): Verification and Validation Methods for a Trust-by-Design Framework for the IoT. In: 36th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec’22), pp. 183-194, Springer Springer, Newark, NJ, USA, 2022, ISBN: 978-3-031-10683-5.
  20. Davide Ferraris and Carmen Fernandez-Gago and Joshua Daniel and Javier Lopez (2019): A Segregated Architecture for a Trust-based Network of Internet of Things. In: IEEE Consumer Communications & Networking Conference 2019, IEEE IEEE, Las Vegas (USA), 2019.
  21. Davide Ferraris and Daniel Bastos and Carmen Fernandez-Gago and Fadi El-Moussa and Javier Lopez (2019): An Analysis of Trust in Smart Home Devices. In: The 20th World Conference on Information Security Applications: WISA-Workshop 2019, Springer Springer, Jeju Island, Korea, 2019.
  22. Ana Nieto and Ruben Rios (2019): Cybersecurity Profiles based on Human-Centric IoT Devices. In: Human-centric Computing and Information Sciences, vol. 9, no. 1, pp. 1-23, 2019, ISSN: 2192-1962.
  23. Ana Nieto (2020): Becoming JUDAS: Correlating Users and Devices during a Digital Investigation. In: IEEE Transactions on Information Forensics & Security, vol. 15, pp. 3325-3334, 2020, ISSN: 1556-6013.
  24. Ana Nieto and Rodrigo Roman and Javier Lopez (2016): Digital Witness: Safeguarding Digital Evidence by using Secure Architectures in Personal Devices. In: IEEE Network, pp. 12-19, 2016, ISSN: 0890-8044.
  25. Ana Nieto and Ruben Rios and Javier Lopez (2018): IoT-Forensics meets Privacy: Towards Cooperative Digital Investigations. In: Sensors, vol. 18, no. 492, 2018, ISSN: 1424-8220.
  26. Rodrigo Roman and Jianying Zhou and Javier Lopez (2013): On the features and challenges of security and privacy in distributed internet of things. In: Computer Networks, vol. 57, pp. 2266–2279, 2013, ISSN: 1389-1286.
  27. Francisco Moyano and Carmen Fernandez-Gago and Javier Lopez (2013): Towards Engineering Trust-aware Future Internet Systems. In: Franch, Xavier; Soffer, Pnina (Ed.): 3rd International Workshop on Information Systems Security Engineering (WISSE 2013), pp. 490-501, Springer-Verlag Springer-Verlag, Valencia, 2013, ISSN: 1865-1348.
  28. Rodrigo Roman and Cristina Alcaraz and Javier Lopez and Nicolas Sklavos (2011): Key management systems for sensor networks in the context of the Internet of Things. In: Computers & Electrical Engineering, vol. 37, pp. 147-159, 2011, ISSN: 0045-7906.
  29. Hiroshi Tsunoda and Rodrigo Roman and Javier Lopez and Glenn Mansfield Keeni (2018): Feasibility of Societal Model for Securing Internet of Things. In: KSII Transactions on Internet and Information Systems, vol. 12, no. 8, pp. 3567-3588, 2018, ISSN: 1976-7277.
  30. Antonio Muñoz and Carmen Fernandez-Gago and Roberto Lopez-Villa (2022): A Test Environment for Wireless Hacking in Domestic IoT Scenarios. In: Mobile Networks and Applications, 2022, ISSN: 1383-469X.
  31. Pablo Najera and Rodrigo Roman and Javier Lopez (2013): User-centric secure integration of personal RFID tags and sensor networks. In: Security and Communication Networks, vol. 6, pp. 1177–1197, 2013, ISSN: 1939-0114.
  32. Rodrigo Roman and Jianying Zhou and Javier Lopez (2005): On the Security of Wireless Sensor Networks. In: Computational Science and Its Applications (ICCSA’05), pp. 681-690, Springer Springer, Singapore, 2005, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  33. Javier Lopez and Rodrigo Roman and Cristina Alcaraz (2009): Analysis of Security Threats, Requirements, Technologies and Standards in Wireless Sensor Networks. In: Foundations of Security Analysis and Design 2009, pp. 289-338, Springer Berlin/Heidelberg Springer Berlin/Heidelberg, Bertinoro (Italy), 2009, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  34. Rodrigo Roman and Javier Lopez (2009): Integrating Wireless Sensor Networks and the Internet: A Security Analysis. In: Internet Research, vol. 19, no. 2, pp. 246-259, 2009, ISSN: 1066-2243.
  35. Rodrigo Roman and Cristina Alcaraz and Javier Lopez (2007): A Survey of Cryptographic Primitives and Implementations for Hardware-Constrained Sensor Network Nodes. In: Mobile Networks and Applications, vol. 12, no. 4, pp. 231-244, 2007, ISSN: 1383-469X.
  36. Rodrigo Roman and Cristina Alcaraz and Nicolas Sklavos (2008): On the Hardware Implementation Efficiency of Cryptographic Primitives. In: Lopez, Javier; Zhou, Jianying (Ed.): Wireless Sensor Network Security, IOS Press, 2008, ISBN: 978-1-58603-813-7.
  37. Rodrigo Roman and Javier Lopez (2008): KeyLED – Transmitting Sensitive Data over out-of-band Channels in Wireless Sensor Networks. In: 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS’08), pp. 796-801, IEEE IEEE, Atlanta (USA), 2008, ISBN: 978-1-4244-2574-7.
  38. Rodrigo Roman and Cristina Alcaraz (2007): Applicability of Public Key Infrastructures in Wireless Sensor Networks. In: European PKI Workshop: Theory and Practice (EuroPKI’07), pp. 313-320, Springer Springer, Mallorca (Spain), 2007, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  39. Cristina Alcaraz and Rodrigo Roman (2006): Applying Key Infrastructures for Sensor Networks in CIP/CIIP Scenarios. In: 1st International Workshop on Critical Information Infrastructures Security (CRITIS’06), pp. 166-178, Springer Berlin / Heidelberg Springer Berlin / Heidelberg, 2006, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  40. David Galindo and Rodrigo Roman and Javier Lopez (2008): A Killer Application for Pairings: Authenticated Key Establishment in Underwater Wireless Sensor Networks. In: Proceedings of the 7th International Conference on Cryptology and Network Security (CANS’08), pp. 120-132, Springer Springer, Hong Kong (China), 2008, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  41. David Galindo and Rodrigo Roman and Javier Lopez (2012): On the Energy Cost of Authenticated Key Agreement in Wireless Sensor Networks. In: Wireless Communications and Mobile Computing, vol. 12, pp. 133-143, 2012, ISSN: 1530-8669.
  42. Rodrigo Roman and Javier Lopez and Cristina Alcaraz and Hsiao-Hwa Chen (2011): SenseKey – Simplifying the Selection of Key Management Schemes for Sensor Networks. In: 5th International Symposium on Security and Multimodality in Pervasive Environments (SMPE’11), IEEE IEEE, Singapore, 2011.
  43. Cristina Alcaraz and Javier Lopez and Rodrigo Roman and Hsiao-Hwa Chen (2012): Selecting key management schemes for WSN applications. In: Computers & Security, vol. 31, no. 38, pp. 956–966, 2012, ISSN: 0167-4048.
  44. Rodrigo Roman and Jianying Zhou and Javier Lopez (2006): Applying Intrusion Detection Systems to Wireless Sensor Networks. In: IEEE Consumer Communications & Networking Conference (CCNC 2006), pp. 640-644, IEEE IEEE, Las Vegas (USA), 2006, ISBN: 1-4244-0085-6.
  45. Rodrigo Roman and Javier Lopez and Stefanos Gritzalis (2008): Situation Awareness Mechanisms for Wireless Sensor Networks. In: IEEE Communications Magazine, vol. 46, no. 4, pp. 102-107, 2008, ISSN: 0163-6804.
  46. Olga Leon and Rodrigo Roman and Juan Hernandez Serrano (2011): Towards a Cooperative Intrusion Detection System for Cognitive Radio Networks. In: Workshop on Wireless Cooperative Network Security (WCNS’11), Springer Springer, 2011.
  47. Carmen Fernandez-Gago and Rodrigo Roman and Javier Lopez (2007): A Survey on the Applicability of Trust Management Systems for Wireless Sensor Networks. In: 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU’07), pp. 25-30, IEEE Computer Society IEEE Computer Society, Istanbul (Turkey), 2007.
  48. Rodrigo Roman and Carmen Fernandez-Gago and Javier Lopez (2007): Featuring Trust and Reputation Management Systems for Constrained Hardware Devices. In: 1st International Conference on Autonomic Computing and Communication Systems (Autonomics’07), ICST ICST, Rome (Italy), 2007, ISBN: 978-963-9799-09-7.
  49. Rodrigo Roman and Carmen Fernandez-Gago and Javier Lopez and Hsiao-Hwa Chen (2009): Trust and Reputation Systems for Wireless Sensor Networks. In: Gritzalis, Stefanos; Karygiannis, Tom; Skianis, Charalabos (Ed.): Security and Privacy in Mobile and Wireless Networking, pp. 105-128, Troubador Publishing Ltd, 2009, ISBN: 978-1905886-906.
  50. Javier Lopez and Rodrigo Roman and Isaac Agudo and Carmen Fernandez-Gago (2010): Trust Management Systems for Wireless Sensor Networks: Best practices. In: Computer Communications, vol. 33, no. 9, pp. 0140-3664, 2010, ISSN: 0140-3664.
  51. Rodrigo Roman and Javier Lopez and Pablo Najera (2011): A Cross-layer Approach for Integrating Security Mechanisms in Sensor Networks Architectures. In: Wireless Communications and Mobile Computing, vol. 11, pp. 267-276, 2011, ISSN: 1530-8669.
  52. Pablo Najera and Rodrigo Roman and Javier Lopez (2012): Secure architecure for the integration of RFID and sensors in personal networks. In: 7th International Workshop on Security and Trust Management (STM’11), pp. 207-222, Springer Springer, Copenhagen, Denmark, 2012, ISBN: 978-3-642-29962-9.
  53. Rafael J. Caro and David Garrido and Pierre Plaza and Rodrigo Roman and Nuria Sanz and Jose L. Serrano (2009): SMEPP: A Secure Middleware for Embedded P2P. In: ICT Mobile and Wireless Communications Summit (ICT-MobileSummit’09), Santander (Spain), 2009, ISBN: 978-1-905824-12-0.
  54. Rodrigo Roman and Javier Lopez and Olivier Dugeon and Marc Lacoste and Pierre Plaza Tron and Marta Bel (2012): Advanced Secure Multimedia Services for Digital Homes. In: Information Systems Frontiers, vol. 14, pp. 527-540, 2012, ISSN: 1387-3326.
  55. Romain Carbou and Michel Diaz and Ernesto Exposito and Rodrigo Roman (2011): Digital Home Networking. Wiley-ISTE, 2011, ISSN: 1848213212.
  56. Ruben Rios and Javier Lopez and Jorge Cuellar (2016): Location Privacy in Wireless Sensor Networks. Taylor & Francis, 2016, ISBN: 9781498776332.
  57. Ruben Rios and Javier Lopez (2011): Exploiting Context-Awareness to Enhance Source-Location Privacy in Wireless Sensor Networks. In: The Computer Journal, vol. 54, pp. 1603-1615, 2011, ISSN: 0010-4620.
  58. Ruben Rios and Jorge Cuellar and Javier Lopez (2012): Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy in WSN. In: Foresti, Sara; Yung, Moti; Martinelli, Fabio (Ed.): 17th European Symposium on Research in Computer Security (ESORICS 2012), pp. 163-180, Springer Springer, Pisa, Italy, 2012, ISSN: 0302-9743.
  59. Ruben Rios and Jorge Cuellar and Javier Lopez (2015): Probabilistic receiver-location privacy protection in wireless sensor networks. In: Information Sciences, vol. 321, pp. 205 – 223, 2015, ISSN: 0020-0255.