Cyber Security of Connected Places

By Simon Arnell:  The UK’s National Cyber Security Centre recently released its “Connected Places: Cyber Security Principles” guidance document to advance the state of security in connected places.

Increasingly, systems that would have previously been considered SCADA systems are now starting to appear in all sorts of new applications using commodity hardware of unknown origin and risk; little to no air gapping exists between these new forms of critical systems allowing potential attacks to spread. Additionally, security cannot be assumed to be inherent in the acquired devices unless care is taken during procurement or the cost of system design accommodates a great deal of focus on security. Therefore it is critical to understand your connected place and the risks associated with it in the event of it being compromised. 

The SYNERGIA project was formed to investigate the challenge of how to provide “secure and energy-efficient IoT systems in resource-constrained environments.” So you may ask, what is a “resource-constrained environment” and why do they require special security consideration? We characterise these as systems that rely on battery power and low-power wireless networking technologies. Resource-constrained devices may not have the compute capabilities to perform otherwise standard cryptography or full networking stacks – instead relying on lightweight alternatives.  

A connected place should be designed to be secure – not allowed to grow organically with ill-fitting security bolted on. A data-centric end-to-end approach is needed to protect data throughout its lifecycle across every part of the network. 

The sorts of applications we would see resource-constrained systems being applied to are ones with multi-year lifetimes such as precision agriculture, smart buildings, smart logistics, smart cities and smart countryside. By their very nature, devices and the network are exposed to the public and therefore have to be assumed to be in hostile environments and potentially compromised. 

Therefore these systems must be designed and implemented to be cyber resilient, the reverse engineering of any one device should not lead to the entire system being compromised. Data should also be protected at rest and in motion – despite operating on a compromised network the data should not be readable or subject to undetectable changes and replays. Likewise the system should be able to detect and respond to attacks, with strong recovery properties that enable it to return to a secure default state.

The SYNERGIA project is now in its ninth month and we are into our full collective swing of design work, we look forward to sharing the outputs of which once we move into development and testing stages of the project where we will operationalise the security of the connected place.  The project will have the first of two demonstration events on 31 January 2022.