A research team at Purdue University has received a grant for $6 million from the Office of Naval Research, a division of the U.S. Department of the Navy, to improve security of electronic devices in physical environments or industrial control systems.
Electronic devices are increasingly being produced with communication capability - everything from sensors to controllers. These devices communicate with each other, forming a network known as the Internet of Things (IoT). These "things" have their own localized communication patterns and use standard communication protocols to understand each other.
"It's like a standard language that needs to be spoken by all the communicating devices," said Dongyan Xu, a professor of computer science at Purdue and interim director of the Center for Education and Research in Information Assurance and Security (CERIAS). "There has been a lot of effort to standardize these protocols so that devices can communicate freely, but a side effect is that adversaries can also understand and speak the same language."
Hackers can eavesdrop on or disrupt communications between devices by intercepting messages between endpoints. Electronic control units of a car, for example, need to communicate with each other for the vehicle to function properly. If a hacker was able to send malicious messages to the brakes, cruise control system or fuel sensors, the car could malfunction.
In collaboration with computer science professors Xiangyu Zhang, Mathias Payer and Byoungyoung Lee, and researchers at Intelligent Automation Inc., Xu hopes their research will make such attacks significantly harder to launch by creating dialects for "islands" of communicating devices. "For example, an 'island' could be a vehicle or a power plant - some independent physical system - where its embedded devices communicate routinely amongst themselves, but less frequently to the outside world," Xu said. "We want to create different dialects for each island, meaning that only the nodes or devices legitimately within the island could speak and understand that dialect."
These dialects would still be based on the same universally defined protocols that have supported IoT communications until now, but with sufficient variation to make them difficult for adversaries to understand, learn and speak. The team hopes to strike a balance between efficiency, interoperability and security.
The research will also address the "bloat" in communication protocols. Protocols are sometimes implemented as a large and comprehensive program in order to accommodate a wide range of devices and functions.
"For a specific device, only a small portion of the protocol code will be used," Xu said. "The rest, ironically, might be exploited by attackers." The team aims to customize and minimize the portion of a protocol needed for a specific device. Not only would the protocol code be safer, but it would take up less space on devices with scarce memory.
"This work is addressing a problem that we've seen play out several times over the last two decades - new technologies are introduced by product designers who focus on building easy-to-use, feature-laden products, but overlook security principles. We often end up with useful products, but ones that leave us dealing with privacy gaps and security vulnerabilities in the future," said Tomás Díaz de la Rubia, chief scientist and executive director of Purdue's Discovery Park. "This IoT dialect research is showing that products do not have to lose capabilities or efficiency to uphold security for both the individual device as well as its interconnected system or network."
The five-year project, entitled "IoT-D: Towards Internets of Dialect-Speaking Things," was awarded through the Total Platform Cyber Protection program in the Office of Naval Research.
CERIAS is one of the nation's largest and foremost interdisciplinary academic institutes addressing cyber and cyber-physical assurance, security, privacy and resiliency. CERIAS is a domain "cross-cutting" center and part of Purdue University's Discovery Park.