Data Security and Cyber-Physical SystemsFfrom smart thermostats to personal fitness trackers, consumers are embracing IoT technology. While consumers have an array of IoT devices to choose from, the technology poses new risks.
“Many devices have sensitive data,” said Dr. Murat Kantarcioglu, associate professor of computer science and director of the Data Security and Privacy Lab at UT Dallas. “A motion detector records when someone is home. Some track medical data you wouldn’t want everyone to know.”
Postdoctoral researcher Jairo Giraldo (left) and Dr. Murat Kantarcioglu are combining their expertise in cyber-physical systems, control theory and cybersecurity to develop an IoT security instrument.
Kantarcioglu and his collaborator Dr. Alvaro Cárdenas, associate professor of computer science and Fellow, Eugene McDermott Professor, recently received funding from the National Science Foundation to create an instrument that can gather and secure data from multiple cyber-physical systems (CPS).
CPS HACKS, GREAT AND SMALL
CPS devices range in size and scope from household IoT devices to large-scale industrial and government systems with both computer and physical components.
CPS hacks can cause significant physical damage. For example, the recent Stuxnet attack successfully subverted Iran’s nuclear system. This system was not connected to the internet, yet was vulnerable to a covert attack that involved spinning and stopping centrifuges producing enriched uranium. While no state has claimed responsibility, the hack has raised concerns about CPS security in general.
Kantarcioglu (left) and Dr. Alvaro Cárdenas will secure and compile data from multiple IoT devices using both hardware and open-source software.
“A lone hacker did not do this,” Kantarcioglu said. “This was a sophisticated actor — probably $2 million invested and a large team, because someone needed to know how the centrifuges were programmed as well as how to control the device drivers.”
Smaller systems critical to infrastructure could also be vulnerable.
“A CPS operating a dam could be hacked by an individual,” Kantarcioglu said. “Someone could stop and start the flow of the dam remotely.”
Additionally, consumers may have reason to be concerned about home IoT security.
“Imagine a situation like divorce proceedings,” Kantarcioglu said. “How do you maintain privacy when your daily activity is tracked? As more people use these devices, I think we’ll see more related court cases.”
DATA MINIMIZATION AND SECURITY
One major concern about CPS devices is excess data collection. From a household system to health care or manufacturing control systems, risk increases.
“If a utility company only intends to collect data for billing purposes, then it shouldn’t collect more fi ne-granular data than what is necessary,” Cárdenas said. “Data minimization is a key principle in the new European Union’s General Data Protection Regulation (GDPR) and the Fair Information Practices from Canada. My research goal has been to use the minimal amount of data necessary to achieve the CPS’s objective.”
Kantarcioglu and Cárdenas are both members of the Cyber Security Research and Education Institute (CSI) at UT Dallas. For this project, they will collaborate with Dr. Bhavani Thuraisingham, Louis A. Beecherl Jr. Distinguished Professor of computer science and the executive director of CSI, as well as other researchers to develop a system that can consolidate data from multiple devices. The key, then, is regulating what is shared.
“Privacy is a major concern,” Kantarcioglu said. “While we are combining data, we also need to secure it using encryption and hardware. The vulnerability to attack depends upon the device.”
The team will work with graduate student developers to create open-source soft ware that will secure multiple data streams while adjusting the frequency and granularity of data collection.
Dr. Jairo Giraldo, a postdoctoral research associate at UT Dallas, met Cárdenas while studying electrical engineering in Colombia. While Giraldo initially focused on control theory and power systems applications, he became increasingly interested in CPS cybersecurity.
“Many people can take advantage of broad, open-source instruments for security and privacy, even people from other research areas like control systems,” Giraldo said.
Cárdenas said: “Our collaboration exemplifies the importance of interdisciplinary dialogue. We are adapting cybersecurity to the unique characteristics of CPS applications.”
Researchers from other universities and institutions as well as industry and government are expected to continue the effort. The average person will likely not have the skills to implement the soft ware at home just yet. However, Kantarcioglu foresees the instrument becoming widely accessible.
“Our soft ware will require some technical background,” Kantarcioglu said. “Soon, however, I imagine a company will take this concept and market a product for the end user.”