Research and Security Innovation Lab for IoT at SUTD’s iTrust
(Photo credit: iTrust)
In February this year, OpenGov reported on iTrust’s ( Centre for Research in Cyber Security) water testbed -the Secure Water Treatment (SWaT)- at the Singapore University of Technology and Design (SUTD). During a recent visit in October to iTrust, OpenGov learned about a new ‘Automatic Security Analysis Testbed for IoTs’ for automatically detecting and analysing Internet-of-Things (IoT) devices in a network. It is the first testbed of its kind in the world.
iTrust Research Director Prof. Yuval Elovici, who leads the research into IoT security and previously shared his expert opinions on the field, gave us an exclusive tour of the laboratory.
He explained that at iTrust they are building full-fledged testbeds, which incorporate all the physical and computational components, replicating real world systems. This allows them to test both attack and very advanced mitigation methods. Having such high quality and one-of-a-kind testbeds in a single location helps iTrust attract researchers and collaborators from all over the world.
Prof. Elovici also talked about knowledge transfer from research to government and industry and the shortage of trained professionals in the area of cyber security.
Can you please explain the purpose of the Automatic Security Analysis Testbed for IoTs?
Automatically identifying the existence of IoTs in your network is a challenge. Many organisations do not know what IoT devices they have in their networks.
If somebody is wearing smart glasses, it is a mobile camera inside the organisation. Usually the organisation would know about where all the IP cameras are on the campus. But do they know where all the smart glasses are? No.
We have developed an amazing technology in the automatic IoT security testbed here for automatically identifying IoT devices in an organisation’s network. This technology is the first one in the world, as far as I know. We are filing a patent for it. You can bring an IoT device here and have it investigated and analysed.
It’s a moving target. We are constantly improving it. When you bring in an IoT device, I am going to understand what is the type of IoT.
What are the functions of the testbed?
Firstly, we analyse what operating system the IoT is using. Then we go online and check for vulnerabilities that are still open for this operating system. This also means that an attacker can likewise do a search online to find these same vulnerabilities and get instructions on how to exploit them.
We give the user an analysis report, telling them how easy it is to attack this IoT, and the potential impact of every known vulnerability on this IoT device.
In addition, we want to develop technologies that are able to determine whether a specific IoT that is brought in is already compromised and under the control of an attacker.
We also want to be able to determine what information is the IoT collecting from its owner. The amount of information collected by IoT devices is staggering. If you put any such device in the testbed, we can tell you if it is collecting information about you that it is not supposed to, and what is the connection between the usage and sending of information to the manufacturer. However, the risk of potential hackers is a bigger concern than the manufacturer collecting the data.
We are also investigating the privacy aspects of IoT devices. For example, you open the fridge and it sends that information to the manufacturer that somebody has just opened the fridge. This is very valuable information, and divulging this may compromise your privacy. You might want to hide the fact that you are at home, yet because of this information someone at the manufacturer knows that you are at home.
How does the process work from research to adoption in the outside world?
It varies. Our research is funded by various governmental agencies. Usually the transfer of knowledge is to the government agencies. Later on, we hope that companies are going to adopt the research results.
The corporate lab with STE has a mechanism which aids in a smoother and faster transfer of results from universities to the company. STE also brings to us the specific users who can take the outcome of whatever we are developing in the laboratory to the industry.
On the other hand, open-ended research is also very important. It is important to have some flexibility for academia because sometimes the industry focuses on immediate problems that are hampering their operations. We sometimes need to think a little bit further, for the long term. At iTrust, we have the freedom to think about things for the future. Then we can transfer the knowledge to either start-up companies or companies who want to commercialise the technologies we develop.
Are there any other areas of focus for iTrust?
The role of iTrust and the corporate lab is not only in developing and transferring concrete technologies. It is also to train people and create the required skill set within the domain of cyber security. That in my opinion is the most important KPI (Key Performance Indicator) for the university.
That's why we are launching a Master of Science in Security by Design programme. The programme will equip students to deal with cybersecurity for critical networks and infrastructure such as water, electrical grids, transportation, manufacturing, banking, telco networks and IoT devices.
There is a huge lack of manpower in the domain of cybersecurity in Singapore and globally. There is a shortage of faculty across levels.
The Cyber Security Agency of Singapore (CSA) wants to open an operational unit with cybersecurity professionals. Companies also want people. The main task we have to focus on is training and creating experts in cybersecurity.
In many domains, rapid changes render today’s technologies irrelevant tomorrow. That is not the case in cybersecurity. Not a single problem that ever emerged has disappeared. The first malware that surfaced is still here today. The number of years you are working in this area is a huge asset, as opposed to other domains where some of working experience is not relevant anymore. In cybersecurity, every year of experience spent honing expertise is relevant.
There are not enough experienced people in the market. If there are, the banks and other financial institutions will be the first in line to take them. As banks move more and more towards e-banking, they need more cybersecurity experts. They are also sought after for defending critical cyber-physical infrastructure, as they are getting more and more computerised and connected.
In fact, every domain that is becoming computerised needs cyber security professionals. If you are going to have autonomous driving, you are going to need cybersecurity people. We are not keeping pace in generating these graduates. There is a shortage of experts working in research too. That is the challenge we must surmount.
Press release announcing the programme: SUTD Launches Singapore’s One-of-a-Kind Master of Science in Security by Design