TEK5530 - Measurable Security for the Internet of Things

From its-wiki.no
Revision as of 16:11, 3 March 2021 by Gyorgyk (Talk | contribs)

Jump to: navigation, search

TEK5530 - Measurable Security for the Internet of Things


TEK5530
News Lectures on Thursdays 0900-1600h, starting from . The course is given through Zoom https://uio.zoom.us/j/2313898139 or https://uio.zoom.us/my/basicinternet
Organisation UiO
by György Kálmán, Josef Noll
Course.png
Keywords


Abstract The course provides a methodology for measurable security, privacy, and dependability of industrial systems. Based on e.g. a smart grid example we will establish and develop the methodology to perform a multi-metrics analysis from components to sub-systems to systems. The course will allow you to compare security-related application goals with the results from the system analysis.
Objective (max 350 words) After completing the course you will be able to:
  • Describe application-driven security and establish challenges of sensor-driven systems
  • Provide industrial examples, e.g. Smart Grid and automatic meter readings
  • Have an overview of security features and continuous compliance in Amazon Web Services (cloud security)
  • Establish application-driven security goals as well as the semantics of your system
  • Generate matrices to describe the security impact of components and sub-systems, and perform a multi-metrics analysis to establish the system security
  • Analyse application goal versus system security and suggest improvements
Keywords Security, Network Security, Sensor Security, Sensor networks, Energy monitoring, Energy, Resillient Energy Networks
Research Area(s) Security
Type of course Master

Upload TEK5530.png to see a course picture instead of the banner picture. Edit the page by Special:FormEdit/Course/TEK5530.


To add new lectures, use: Add a lecture

Info-2021

Timeline

Zoom: https://uio.zoom.us/j/2313898139 or https://uio.zoom.us/my/basicinternet

  • 21Jan L1 & L2 - Intro and IoT (Josef)
  • 28.01 L3 & L4
  • 04.02 L5 & L6
  • 11.02 L7 & L8
  • 18.02 L9 & L10 Paper analysis
  • 25.02 L11 & L12, with intro do Security Classification tool
  • 04.03 L13 & L14
  • 11.03 L15 & Rehearsal
  • EXAM: 25Mar2021


Note: Please remind us to take Zoom video recording.
Upload: https://kursopplasting.uio.no/opplasting

Lectures in TEK5530 - 2021

Video recording will be available at https://www.uio.no/studier/emner/matnat/its/TEK5530/v21/forelesningsvideoer/

21Jan L1 & L2 (Josef Noll) 09:15-16:00h

L1: Introduction (Josef Noll) Media:TEK5530-L1_v21.pdf
Tesla battery with high earnings when balancing the Australian grid
Tesla battery paid back third of investment in a year
eHealth predictions for 2019
L2: Internet of Things (Josef Noll) Media:TEK5530-L2_v21.pdf
Paper used for the group work on the lecture: Atzori et al. Survey Internet of Things
Video introduction: IBM introduction to IoT, TED talk of John Barrett Introduction to Amazon AWS IoT

28.01 L3 & L4 György Kálmán

L3: Security of the Internet of Things Media:TEK5530-L3_v21.pdf
L4: Smart Grid and AMS Media:TEK5530-L4_v21.pdf

04.02 L5 Semantic Technologies & L6 Multi-Metrics Method

L5: Semantic Technologies - Ontologies Media:TEK5530-L5.pdf
see: intro to semantics https://www.youtube.com/watch?v=4x_xzT5eF5Q
enjoy: ordering a piza https://www.youtube.com/watch?v=RNJl9EEcsoE
details on Ontologies: https://www.slideshare.net/marinasantini1/09-semantic-webontologies?qid=8b178746-ea3c-48db-b4f6-6bc9b0923d9b
IoT Life-Cycle Security, see: IoTSec:Security_and_Privacy_Functionality with document IoT Security and Privacy Functionality Life Map (.pdf)
L6: Multi-Metrics Method for measurable Security Media:TEK5530-L6_Multi-Metrics.pdf
Security threats/attacks on IoT by Tom Gaffney, F-Secure https://eyenetworks.no/wp-content/uploads/2019-shared-insights-tom-gaffney-f-secure-1.pdf
Mirai attack capabilities IoTSec:The_Denial_of_Service_Attack_from_IoT_devices
Privacy label, see Privacy_Label

11.02 L7 Multi-Metrics on an AMR sub-system & L8 System Security and Privacy analysis

Multi-Metrics Analyis, link to owncloud folder: https://owncloud.basicinternet.org/index.php/s/8vgAusswDepivTn
containing three files: MultiMetrics_CarPrivacy.xlsx & SPD_SmartGrid_Multi-Metrics.xlsx & combined SPD_Multi-Metrics.numbers (apple numbers with combined analysis)
L7: Multi-Metrics Weighting of an AMR sub-system Media:TEK5530-L7.pdf
AMS topology: Media:AMI_topology.pdf
L8: System Security and Privacy analysis Media:TEK5530-L8.pdf

18.02

L9 Paper presentations
L10: Security Controls Media:TEK5530-L10.pdf
  • 25.02
L11 Communication in Smart Grid and MS Threat Management tool Media:TEK5530-L11.pdf
L12 Intrusion Detection Media:TEK5530-L12.pdf
  • 04.03
L13 & L14 Cloud basics, security and IoT Media:TEK5530-L13-14.pdf
  • 11.03 L15 & Rehearsal
  • EXAM: 25Mar2021

Papers & Group work

Exam 2021

Exam on 25Mar2021 will most probably be performed electronically, We'll use https://uio.zoom.us/u/ceyOp6k2wu or call +4723960588,,2313898139# - please use camera and headset

As discussed, the exam will consist of 3 parts:

  • Part 1: Present your group-work (8 min) - assessment of Security Classes for IoT or Applying Multi-metrics Method
  • Part 2: Questions to group work (7 min)
  • Part 3: Random questions from the lectures (10 min). Please download questions from https://owncloud.basicinternet.org/index.php/s/tyFTcxO2Bp8YO9e (you will pick 3-5 questions)

Sensorveiledning - Assessor Guidance - TEK5530 (.pdf)

Lectures in TEK5530 - 2020

  • 16Jan (Gyorgy Kalman & Josef Noll) 09:15-16:00h
L1: Introduction (Josef Noll) Media:TEK5530-L1.pdf
Tesla battery with high earnings when balancing the Australian grid
Tesla battery paid back third of investment in a year
eHealth predictions for 2019
L2: Internet of Things (Gyorgy Kalman) Media:TEK5530-L2.pdf Media:TEK5530-L2-notes.pdf
Paper used for the group work on the lecture: Atzori et al. Survey Internet of Things
Video introduction: IBM introduction to IoT, TED talk of John Barrett Introduction to Amazon AWS IoT
  • 23.01 (Gyorgy Kalman)
L3: Security of IoT + Paper list Media:TEK5530-L3.pdf
Advantech Internet Gateway Vulnerability
ICS-CERT alerts
OWASP IoT Project
Data leakage from fitness tracker app reveals base locations
L4: Smart Grid, Automatic Meter Readings Media:TEK5530-L4.pdf
  • 06.02 (Josef Noll)
L5: Semantic Technologies - Ontologies Media:TEK5530-L5.pdf - Whiteboard Notes: Media:TEK5530-L5-L6-Notes.pdf
see: intro to semantics https://www.youtube.com/watch?v=4x_xzT5eF5Q
enjoy: ordering a piza https://www.youtube.com/watch?v=RNJl9EEcsoE
details on Ontologies: https://www.slideshare.net/marinasantini1/09-semantic-webontologies?qid=8b178746-ea3c-48db-b4f6-6bc9b0923d9b
IoT Life-Cycle Security, see: IoTSec:Security_and_Privacy_Functionality with document IoT Security and Privacy Functionality Life Map (.pdf)
L6: Multi-Metrics Method for measurable Security Media:TEK5530-L6_Multi-Metrics.pdf
Security threats/attacks on IoT by Tom Gaffney, F-Secure https://eyenetworks.no/wp-content/uploads/2019-shared-insights-tom-gaffney-f-secure-1.pdf
Mirai attack capabilities IoTSec:The_Denial_of_Service_Attack_from_IoT_devices
Privacy label, see Privacy_Label
  • 13.02 (Josef Noll)
L7: Multi-Metrics Weighting of an AMR sub-system Media:TEK5530-L7.pdf - Handouts L7 & L8 Media:TEK5530-L7-L8.pdf
L8: System Security and Privacy analysis Media:TEK5530-L8.pdf
Security Classification for Smart Grid: Media:Security_Classification_for_Smart_Grid.pdf
Paper by Manish Shrestha on Security Classification for Home Automation
Enhanced security classification methodology (Maunya)
Tool for Security Class evaluationfor SCOTT WP21
  • 27.02 no lecture
  • 05.03 (Gyorgy Kalman)
L11: Service implications on functional requirements Media:TEK5530-L11.pdf
L12: Intrusion Detection Media:TEK5530-L12.pdf
  • 12.03.2020 no lecture due to Corona regulations
  • 19.03 (Gyorgy Kalman)
L15: Cloud basics and cloud architecture
L16: Cloud security, IoT and service examples from AWS Media:TEK5530-L15-L16.pdf
  • 26.03 (Gyorgy Kalman)

gotomeeting, ID 725-796-213

L13: Technology mapping Media:TEK5530-L13.pdf
L14: Communication and security in current industrial automation Media:TEK5530-L14.pdf
  • Exam on 22Apr2020 starting from 09:30h

Course info and lectures in previous years

Course info

  • This course is a combined masters and Phd course (UNIK9750), in 2018 all the lectures will be presented by Gyorgy Kalman.
  • The course takes place on Thursdays, 0900-1600ish at ITS (UNIK) in Kjeller. This year double lectures will be given, so that we are using the day efficiently, and everybody is requested to take the tour to Kjeller. Video conferencing is available. Double lectures allows us to have the exam early in the semester so that the students can focus on their other duties in the exam period. A recording of all lectures will be provided and in addition personal follow-up is offered for students, who cannot attend some of the lectures.
  • We'll have video streaming: mms://lux.unik.no/401
  • Evaluation is based on a presentation of topics and the implementation of your scenario.


  • Group work

Please see the description from 2016: TEK5530 presentation of your Group Work - (suggestions and criteria) I recommend you to form 4 (3-5) person groups. I'm open for any suggestion in selecting the IT infrastructure you would like to analyse. There are not that many groups this year, so you are allowed to use longer time for your presentation.

Examples:

  • AMS
  • Smart home, home automation
  • Implications of GDPR on a specific IoT system
  • GDPR on medical IoT
  • smart car, vehicle-to-vehicle communication, autopilot
  • train control from timetables on tablet to predicting power consumption to order power supply for next month
  • ship control, from predictive maintenance to offering cloud storage for pictures taken on the cruise

and so on. A good delivery from 2018: Media:good_example_group_work.pdf

It should be composed from several "traditional" IT systems interconnected with some communication solution with one end being quite far from the other one. This is to enable you to decompose it to systems of systems relatively easily. Again, no single right answer, I would like to see your way of thinking.


Introduction into Internet of Things (IoT)

This first part will provide the introduction into the Internet of Things (Lecture 1 - 2), with industrial examples

  • Smart Grid and automatic meter system (AMS)
  • Smart Homes with sensors
  • Autonomous cars
  • Cloud technologies

The part will further address potential security threats (L3), through the example of the smart grid. The challenges related to attack surface, legal aspects and relation to office IT security will be presented.

SmartGrid future.png

The distributed nature of the future (smart) electric grid has its operational, financial, technological and social aspects. In the course we will try to cover all the aspects, with focus on the technological - more precisely: on the communication and security challenges. We expect from the operational viewpont the grid to get more unstable if no compensatory action is done to be the counterweight of renewables and consumers becoming dual role consumer/producers. We will use an example of an automatic meter reading (AMR) and -system (AMS) in L4 to address the security and privacy challenges.

The final part of this first block is addressed through lectures L5 and L6, and will create the mapping from functional requirements towards mapping into technology. Examples of such mapping are the translation of privacy requirements - can somebody see from my meter reading if I'm at home - towards technology parameters like how often are values read and published.

Machine-readable Descriptions

The next block deals with the machine-readable description of security and privacy, security functionality and system of systems through ontologies.

  • Establish system description examples of systems,
  • Describing Security and Security Functionality in a semantic way

Security, privacy and dependability functionality (Orig:Owncloud)

Operations Security.png

Dev Maint Audit Security.png

see all SPF.IoTSec.no

Application-driven security goals

This block will develop the security goals resulting from applications.

  • From industrial examples, establish the functional requirements. Example: switch-off time of power circuits less than 10 ms
  • From the functional requirements, select the security and privacy relations
  • Establish application-driven security goals as well as the semantics of your system

Perform Multi-Metrics Analysis

This last block will analyse industrial examples based on the multi-metrics analysis.

  • Generate matrices to describe the security impact of components and sub-systems, and perform a multi-metrics analysis to establish the system security
  • Analyze application goal versus system security and suggest improvements