From smart thermostats to personal fitness trackers, consumers are embracing IoT technology. While consumers have an array of IoT devices to choose from, the technology poses new risks.
“Many devices have sensitive data,” said Dr. Murat Kantarcioglu, associate professor of computer science and director of the Data Security and Privacy Lab at UT Dallas. “A motion detector records when someone is home. Some track medical data you wouldn’t want everyone to know.”
Kantarcioglu and his collaborator Dr. Alvaro Cárdenas, associate professor of computer science and Fellow, Eugene McDermott Professor, recently received funding from the National Science Foundation to create an instrument that can gather and secure data from multiple cyber-physical systems (CPS).
CPS HACKS, GREAT AND SMALL
CPS devices range in size and scope from household IoT devices to large-scale industrial and government systems with both computer and physical components.
CPS hacks can cause significant physical damage. For example, the recent Stuxnet attack successfully subverted Iran’s nuclear system. This system was not connected to the internet, yet was vulnerable to a covert attack that involved spinning and stopping centrifuges producing enriched uranium. While no state has claimed responsibility, the hack has raised concerns about CPS security in general.
“A lone hacker did not do this,” Kantarcioglu said. “This was a sophisticated actor — probably $2 million invested and a large team because someone needed to know how the centrifuges were programmed as well as how to control the device drivers.”
Smaller systems critical to infrastructure could also be vulnerable.
“A CPS operating a dam could be hacked by an individual,” Kantarcioglu said. “Someone could stop and start the flow of the dam remotely.”
Additionally, consumers may have reason to be concerned about home IoT security.
“Imagine a situation like divorce proceedings,” Kantarcioglu said. “How do you maintain privacy when your daily activity is tracked? As more people use these devices, I think we’ll see more related court cases.”
DATA MINIMIZATION AND SECURITY
One major concern about CPS devices is excess data collection. Whether the system is a household one or a health care or manufacturing control system, collecting more data than necessary increases risk.
“If a utility company only intends to collect data for billing purposes, then it shouldn’t collect more fine-granular data than what is necessary,” Cárdenas said. “Data minimization is a key principle in the new European Union’s General Data Protection Regulation (GDPR) and the Fair Information Practices from Canada. My research goal has been to use the minimal amount of data necessary to achieve the CPS’s objective.”
Kantarcioglu and Cárdenas are both members of the Cyber Security Research and Education Institute (CSI) at UT Dallas. For this project, they will collaborate with Dr. Bhavani Thuraisingham, Louis A. Beecherl Jr. Distinguished Professor of computer science and the executive director of CSI, as well as other researchers to develop a system that can consolidate data from multiple devices. The key, then, is regulating what is shared.
“Privacy is a major concern,” Kantarcioglu said. “While we are combining data, we also need to secure it using encryption and hardware. The vulnerability to attack depends upon the device.”
The team will work with graduate student developers to create open-source software that will secure multiple data streams while adjusting the frequency and granularity of data collection.
Dr. Jairo Giraldo, a postdoctoral research associate at UT Dallas, met Cárdenas while studying electrical engineering in Colombia. While Giraldo initially focused on control theory and power systems applications, he became increasingly interested in CPS cybersecurity.
“Many people can take advantage of broad, open-source instruments for security and privacy, even people from other research areas like control systems,” Giraldo said.
Cárdenas said: “Our collaboration exemplifies the importance of interdisciplinary dialogue. We are adapting cybersecurity to the unique characteristics of CPS applications.”
Researchers from other universities and institutions as well as industry and government are expected to continue the effort. The average person will likely not have the skills to implement the software at home just yet. However, Kantarcioglu foresees the instrument becoming widely accessible.
“Our software will require some technical background,” Kantarcioglu said. “Soon, however, I imagine a company will take this concept and market a product for the end-user.”
ABOUT THE UT DALLAS COMPUTER SCIENCE DEPARTMENT
The UT Dallas Computer Science program is one of the largest Computer Science departments in the United States with over 2,800 bachelor’s-degree students, more than 1,000 master’s students, 190 Ph.D. students, 52 tenure-track faculty members, and 41 full-time senior lecturers, as of Fall 2018. With The University of Texas at Dallas’ unique history of starting as a graduate institution first, the CS Department is built on a legacy of valuing innovative research and providing advanced training for software engineers and computer scientists.