IOT AND CURRENT TECHNOLOGY TRENDS IN RESEARCH
Helmut Leopold, Head of Center for Digital Safety & Security, AIT Austrian Institute of Technology. Dornbirn, FH Vorarlberg, 27 April 2017
Technikforum IoT
New Sensor Technologies
Intelligent Cameras & Video Analytics
CENTER FOR DIGITAL SAFETY & SECURITY
Dependable Systems Engineering
Visual Surveillance & Insight
Digital Identity Management
Verification & Validation of Complex Systems
Modelling & Automated Test Case Generation
Runtime Verification
Predictive System Health Monitoring
Safety & Security Co-Engineering
Security for Industrial Control Systems
Risk Management
Security by Design
Cloud Security
Cryptography
Cyber Attack Information System (CAIS)
Cyber Incident Information Sharing (CIIS)
Cyber Range
Data Science
Machine Learning
Scalable Data Analytics
Blockchain Technologies
Physical Layer Security
Wireless M2M Communication
5G & Broadband Technologies
Optical Quantum Technologies
Crisis and Disaster Management
IoT Sensor Networks
Command & Control Systems
Community Engagement
Environmental Management
Smart Sensor Solutions
Signal Processing & Pattern Analysis
Situational Awareness & Decision Support
Cyber Security
Highest System Reliability
Surveillance and Protection of Critical Cyber Infrastructures
• 180+ experts (Master, 1/3 with PhD): 51% scientists, 39% engineers
• 50% of new employees with international education
• 30+ running EU projects
• Community involvements:
• Strategic partnerships:
Digital Market Austria
CRITICAL IOT INFRASTRUCTURES …
(figure: application domains of critical IoT infrastructures: Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Communication, Finance, Supply chain, Energy, IoT Communication)
… are complex networks
… are built on virtual IT
… we need new methods and new tools to build resilient systems
… are tightly coupled with the real world
Reliable Wireless Communication (5G)
Data Science
IoT Cyber Security
DATA SCIENCE
DATA SCIENCE
Data Science: computer science, large data volumes, mathematics & statistics, domain knowledge
Data Science is a hypothesis-based method for recognising patterns in very large data volumes
Large data volumes, e.g. the Bitcoin blockchain: • hundreds of millions of nodes • billions of relationships
DATA SCIENCE METHODOLOGY
Data Processing at Scale
Data Interoperability
Statistical Modelling
Machine Learning
Deep Neural Networks
User Interface Design
Linked Open Data
Metadata
Blockchain Digital Insight Platform @ AIT
“Overall, Bitcoin is beginning to feature heavily in many EU law enforcement investigations, accounting for over 40% of all identified criminal-to-criminal payments.” (Source: Europol report 2016)
Data Science for the “fintech” market - Blockchain: leading analysis technology @ AIT
Data Science for Smart Cities
• Web crawling and scraping
• Large-scale network and server infrastructure
• Automatic navigation through linked web sites
• Structured data extracted from HTML pages
• Simultaneous monitoring of multiple platforms
• Data Insight: visualisations, trend analyses, reports
• What is the influence of the new “share economy” on a city?
• AIT's Digital Insight Team analyses public internet data and turns data into information and knowledge!
IoT Industry 4.0 - Data-driven intelligent maintenance processes
reduced availability
unplanned outages
longer service life of system components
inefficient maintenance processes
ineffective maintenance work
missing linkage of machine, product and process data
insufficient data basis
missing automated prediction of failures
prediction of system risks
Industry 4.0 - IoT “Predictive Maintenance” @ AIT
Problem definition; selection of machine, process and product data; installation of sensors; visualisation, key figures, analyses; feedback loops into planning
RELIABLE WIRELESS COMMUNICATION (5G)
Reliable IoT Communication - Connected Vehicles
(figure: vehicles communicating over 5G nodes 1, 2 and 3 acting as relays)
Design of reliable communication systems needs an understanding of the underlying radio channel (e.g. V2X):
• Radio waves interact with surrounding objects
• Missing line-of-sight (LOS) between Tx and Rx
• Multipath propagation leading to delay dispersion and Doppler dispersion that change with time due to mobility
(figure: node 1, node 2, node 3 (relay), controller, 5G gateway)
Reliable IoT Communication - Industry 4.0 5G
Small amount of information, highest reliability, minimum delay (usec)
IOT CYBER SECURITY
The attack surface for cyber attacks is growing, e.g. the DDoS attack of October 2016 by the “Mirai IoT botnet”
900 Gbit/s
Sources: http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforscher-krebs-vom-netz-1609-123419.html http://www.golem.de/news/hilfe-von-google-brian-krebs-blog-ist-nach-ddos-angriff-wieder-erreichbar-1609-123453.html
Password: 12345, password
Journalist Krebs
Google Project Shield
IOT SAFETY & SECURITY CHALLENGES
IoT Characteristics:
• Low-budget devices
• Low processing capabilities on devices
• Huge number of devices
• Sensor communication (M2M)
• Sensor-actuator control systems (feedback loops)
• Cyber Physical Systems (CPS)
IoT Device Consequences:
• Limited system resources
• Low processing capabilities
• Not part of the value-added assets of a system
• Limited Operation and Maintenance (OAM), life-cycle management
• No or infrequent SW updates
• Trust in sensor data
System Consequences:
• Devices are connected to critical infrastructure
• Complex system behavior
• Large amount of data: Data Science
• Highly reliable wireless communications (5G)
• Communication protocols and platforms
• Standards
• Virtual IT (cloud)
Security: CIA (Confidentiality, Integrity, Availability); Reliability; System resilience; Safety; Privacy
AIT'S PORTFOLIO FOR CRITICAL IOT INFRASTRUCTURES
• Safe and Secure Data in the Cloud
• Safe & Secure IoT Systems
• Smart Encryption for IoT and Cloud Systems
• Safety and Security by Design for IoT systems
• CAIS Cyber Attack Information Systems
• Skill & Capacity Building by Cyber Ranges
Smart Encryption for Privacy & Security in Cloud based IoT Systems
(figure: Internet development from the state of the art to the future IoT Internet with a safe & secure public cloud)
Research @ AIT: Develop novel cryptographic solutions which protect the authenticity and security of data in a very agile way. Enable the next-generation trustworthy smart manufacturing services with provably authentic data in all system stages and levels of the hierarchy.
Challenge: Protect data in cyber-physical systems to ensure authenticity and security from the source (i.e., sensor) to the consumer (i.e., closed-loop controls, business intelligence). Enable sharing of authentic data over cloud-based infrastructures between multiple stakeholders.
AUTHENTICITY AND E2E SECURITY IN IOT SYSTEMS
• Strong (public-key) cryptography is needed to protect IoT systems.
• Established encryption and authentication protocols from today's Internet, e.g. the TLS protocol, cannot be adapted easily to the diversity of the IoT:
  asymmetry of resources (gateways vs. sensors/actuators)
  established cryptographic protocols are not lightweight (e.g. they need heavy computations)
• Crypto research @ AIT:
  • Improve and adapt lightweight cryptography to enable real-time applications for authentic data provisioning
  • Develop methods for data aggregation over time and keys, and study potential privacy benefits
  • Research to which extent data could stay encrypted
Distributed Storage, state of the art: simple replication (figure: the same plaintext record, Name / Acc. / PIN, is stored in full on each of the storage nodes #1 to #5)
Smart Encryption @ AIT: Secure Distributed Storage by Shamir's Secret Sharing (figure: the record is split into shares stored on nodes #1 to #5; each share on its own looks like random data, and the record is reassembled from a sufficient subset of the shares)
Decompose message m into shares (σ_1, ..., σ_n). Every subset of at least t shares allows recovery of m; t − 1 shares do not contain any information about m.
Increased data reliability
Support of data sharing in the cloud
No insecure key distribution
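A worked example of the (t, n) threshold scheme described above, added here as an illustration; it is not AIT's Smart Encryption code. It shares a short constructed record of the Name / Acc. / PIN kind shown on the slides over a prime field, recovers it from any t of the n shares, and checks that t − 1 shares do not yield the record (the field size, record length limit and sample record are assumptions of this example).

```python
import secrets
from itertools import combinations

# Field modulus for this example: the Mersenne prime 2^127 - 1 (a constructed
# choice that fits records of up to 15 bytes; production code uses a vetted library).
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation at x of the polynomial with coefficients c0..c(t-1)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y

def split_secret(m, t, n):
    """Split integer m into n shares (x_i, sigma_i); any t of them recover m."""
    if not (1 <= t <= n < PRIME and 0 <= m < PRIME):
        raise ValueError("need 1 <= t <= n and 0 <= m < PRIME")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [m] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0; correct only with >= t distinct shares."""
    m = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        m = (m + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return m

def split_record(record, t, n):
    """Share a short byte string, e.g. a customer record (<= 15 bytes here)."""
    if len(record) > 15:
        raise ValueError("record too long for this field size")
    return split_secret(int.from_bytes(record, "big"), t, n)

def recover_record(shares, length):
    return recover_secret(shares).to_bytes(length, "big")

def demo(record=b"Acc:1234 PIN:99", t=3, n=5):
    """True if every t-subset recovers the record and no (t-1)-subset does."""
    shares = split_record(record, t, n)
    m = int.from_bytes(record, "big")
    full = all(recover_secret(list(s)) == m for s in combinations(shares, t))
    partial = any(recover_secret(list(s)) == m for s in combinations(shares, t - 1))
    return full and not partial
```

Because the polynomial coefficients are drawn uniformly at random, an undersized subset of shares evaluates to a value that is itself uniform over the field, which is why it carries no information about m.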
AIT'S PORTFOLIO FOR CRITICAL IOT INFRASTRUCTURES (overview slide repeated)
Secure System Design of ICS
From IT device protection to resilient IoT Systems
The Future Internet is a complex IoT network intertwined with the real world: Cyber Physical Systems (CPS)
Internet development, state of the art: protection of devices
Future Internet: complex IoT network with sensors and actuators; resilient network infrastructures (architecture, redundancy, validation, etc.)
CYBER PHYSICAL SYSTEMS (CPS) COMPLEX SECURITY REQUIREMENTS
Energy network / Industry 4.0 and ICT network
NISTIR 7628 Interface Categories and Security Requirements: responsibilities, interfaces, logical actors
Threat catalogues: BSI threat catalogue, other threat catalogues, AIT Smart Grid threat catalogue
Logical actors / responsibilities: • Manufacturer • System integrator • Network operator • Service operator • Network planning • Security management • Business management
MODEL DRIVEN SECURE NETWORK DESIGN
A defined cyber security context has to be placed in its wider context:
– national security – economic – technical feasibility – …
A common model (common language)
Tools: model-driven design & analyses, reporting, verification, etc.
Dedicated implementations will happen based on different backgrounds and business strategies (architecture, processes, different manufacturers, etc.)
We need … support to manage the complexity:
Systematic approach: method for scenario management, ensuring open standards, recommendations
Scenario evaluation
Definition of security requirements
Support of risk management
Verification of security levels
Reports
Open standards (IEC, IEEE, NIST, CEN-CENELEC-ETSI, ENTSO-E, etc.)
Safety & Security Co-Engineering: Failure Modes, Vulnerabilities and Effects Analysis (FMVEA)
Attack / failure (cause) analysis: failure / threat mode(s)
Impact (effect) analysis
Failure; attack step: attack surface, vulnerability, attacker
Security and safety measures: • Resilience measures • Incident response procedures • System architectural measures • Monitoring measures
Impact evaluation: safety requirements, security requirements
Identify safety failure modes; identify security vulnerabilities, attack surfaces, potential attackers
FMVEA tool support @ AIT
Combined failure and threat modes
Assess: fault/threat detection, effects, impact
Derive: safety requirements, security requirements
AIT'S PORTFOLIO FOR CRITICAL IOT INFRASTRUCTURES (overview slide repeated)
CAIS Cyber Attack Information Systems: protection from unknown threats
Self-learning systems: CAIS Cyber Attack Information System @ AIT. Artificial intelligence for defending against cyber attacks
Distributed Anomaly Detection Engine: self-learning and flexible anomaly detection using data collected across different machines, systems and organizational units.
Inputs: firewall logs, IDS/IPS logs, application server logs, performance logs
Unknown attack anatomy: signature-based detection does not work; no specification: self-learning of “normal behavior”
Multiple attack vectors: looking at isolated systems or single points in a network is not sufficient
Possibility to see stealthy attacks by looking for “related” events
AIT'S SOLUTION PORTFOLIO FOR CRITICAL IOT INFRASTRUCTURES (overview slide repeated)
Cyber Range for Skill & Capacity Building
CASTLE CYBER SECURITY RANGE @ AIT
Environments: enterprise ICT environments, simulation-specific systems, physical environment
Scenarios (virtual and simulated physical): Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Social media
Uses: Cyber Security R&D, Security Technology Validation, Training, Ethical Hacking, Modelling & Simulation, Test Data Generation, Architecture, Scenario Planning, Threat Emulation, Cyber Exercises, Cyber Training
CYBER INCIDENT INFORMATION SHARING (CIIS)
1. Competences of the attackers
2. Competences and processes of the CIO and his team
3. CIIS-1: communication processes among companies
4. CIIS-2: communication processes between organizations and (sector-specific) CERTs
5. CIIS-3: communication between organizations and cyber security centers
6. National security level
COLLABORATIVE INFORMATION EXCHANGE TO OBTAIN A BETTER SITUATIONAL PICTURE OF CYBER ATTACKS
• Integrated Cyber Threat Intelligence (TI) framework to enable organizations to manage and effectively apply TI:
  • efficient use of information about vulnerabilities, attacks, weaknesses, exploits etc. to steer internal security management
• AIT framework offering a TI toolchain utilizing effective approaches for the management of TI information: selection, interpretation, application
• Increased effectiveness through usability of human-computer interaction (HCI)
INNOVATION @ AIT DSS
Science Creativity
Technology
Implementation capability
System competence
Mobile identity management
Protection of critical infrastructures
Augmented reality
Innovation @ AIT
International Competence Center for Airport Security, Border Control & Mobile Identity
Image processing
Camera networks
Biometrics
Networked IT systems
Cyber Security
Secure processes
Secure government processes
ASAP FBC
https://youtu.be/nEOoDY2wxpc (17.11.2016)
ZiB1 19.4.2017: 28 million € programme budget
Mobile ID Smartphone 2.0
Contactless fingerprints
Face recognition
Passport (optical MRZ, RFID chip)
Number plate recognition
Mobile Identity: AIT Security Technologies
3D Queue-Length Detection
3D Vision based Access Control
ID capture
Traffic control
Case recording
Application x
UNMANNED AERIAL VEHICLE BASED SITUATION AWARENESS: Real-time situation awareness for first responders
Intelligent Vision Systems
3D, high-speed
autonomous systems
Industry 4.0 optical inspection
High-performance 3D dental scanner @ AIT
The world's smallest intelligent optical 3D scan sensor
Facts: 10 times smaller than existing systems on the market; significantly cheaper for mass production; higher resolution than silicone impressions
3D driver assistance system for intelligent trams
Bombardier Transportation and AIT set new standards for safety in trams
Science award
ZiB 1 report 05/2014
Safe construction machinery through autonomous systems
Liebherr relies on AIT technology for intelligent construction machinery
ORF report in ZiB Flash, broadcast 28.11.2016 (17:57)
SEEING AND UNDERSTANDING – CYBER SECURITY, 30 May 2017, Sky Stage, Tech Gate Vienna
Programme and registration: www.ikt.wien
Helmut Leopold Head of Center for Digital Safety & Security AIT Austrian Institute of Technology GmbH Donau-City-Straße 1 |1220 Wien, Austria [email protected] | www.ait.ac.at
http://www.fhv.at/veranstaltungen/detail/calendar/2017/04/27/event/tx_cal_phpicalendar/technikforum-iot/?no_cache=1&tx_cal_controller%5Bstart_day%5D=18.04.2017&tx_cal_controller%5Bend_day%5D=18.05.2017