
2015 International Conference on Recent Advances in Internet of Things (RioT)
Singapore, 7-9 April 2015
978-1-4799-8325-4/15/$31.00 ©2015 IEEE

SMARTIE Project: Secure IoT Data Management for Smart Cities

Jens-Matthias Bohli
NEC Laboratories Europe
Heidelberg, Germany
Jens-Matthias.Bohli@neclab.eu

Antonio Skarmeta, M. Victoria Moreno, Dan García
Universidad de Murcia
Murcia, Spain
{skarmeta,mvmoreno,dan.garcia}@um.es

Peter Langendörfer
Innovations for High Performance Microelectronics, Leibniz-Institut
Frankfurt (Oder), Germany
langendoerfer@ihp-microelectronics.com

Abstract: The vision of SMARTIE (Secure and sMARter ciTIEs data management) is to create a distributed framework for IoT-based applications storing, sharing and processing large volumes of heterogeneous information. This framework is envisioned to enable end-to-end security and trust in information delivery for decision-making purposes following the data owner's privacy requirements. SMARTIE follows a data-centric paradigm, which will offer highly scalable and secure information for smart city applications. The heart of this paradigm will be the "information management and services" plane as a unifying umbrella, which will operate above heterogeneous network devices and data sources, and will provide advanced secure information services enabling powerful higher-layer applications.

Keywords: Smart Cities, IoT, Security

I. INTRODUCTION

There is a strong trend among cities to become smarter in order to solve the upcoming challenges: in developing regions the number of mega cities with more than 10 million inhabitants will substantially grow in the next decades. In more developed regions, the urban population is growing as well and the aging society brings challenges to cities. Furthermore, the global need for energy savings and the cost effectiveness of the city are of paramount importance. Smart technologies, the availability of fine-grain data about the city and its residents, as well as the possibility to remotely control the city's infrastructures will have a great social benefit if used correctly; consider, for instance, energy savings or traffic congestion avoidance. It is an inevitable fact that cities need to become smarter, and we are witnessing the beginning of this move already today.

This work has been partially funded by the European Commission within the EU FP7 Project SMARTIE, contract number 609062.

Security and trust are essential for the success of smart city solutions and for their acceptance by the citizens. Data collected in a smart city platform must be protected in order to reduce the risk of data theft that can lead to identity fraud and financial damage. Access to critical components needs to be protected in order to avoid disruption of the operation of the public infrastructure. In particular, actuators will allow hackers to extend the reach of their attacks beyond IT systems into the real world. The actual damages caused by possible threats can range from small interferences within the system to exposure of private information or significant financial losses. With more information and control of smart city assets being available over ICT networks, the risk and impact of security or privacy threats is foreseen to increase and can have profound and serious consequences for the community.

Research on solutions that ensure secure operations and protect the data and information involved is essential. The EC-funded project SMARTIE (Secure and sMARter ciTIEs data management) addresses exactly this problem. The project develops a secure platform to protect sensors and devices, enable access control for resources, and provide secure data storage and processing capabilities.

The following Section II presents a data platform for the management of a smart city and points out the main security and privacy threats. The section also presents use cases showing the benefits of such a platform for realizing typical smart city applications. Section III presents a short overview of innovations that will be developed in the SMARTIE project.

II. SMART CITY DATA PLATFORM

Figure 1 shows a smart city infrastructure as it is envisioned by SMARTIE. Various sensors provide data into a data


platform and actuators in the city receive actuation commands from the platform. The platform offers interfaces for various kinds of services, such as metering and control of energy consumption, transportation links, or traffic in the city.

[Figure 1: Visualization of a Smart City Infrastructure with Sensors, Smart Data Platform and Applications.]

A. Security & privacy threats

A smart city platform monitoring and controlling huge parts of the city infrastructure introduces several new security and privacy threats to the city's infrastructure and citizens. The fundamental principles of information security are confidentiality, integrity and availability. Each of these needs to be protected for many aspects of a smart city:
• Confidentiality is needed to protect the privacy of citizens and valuable information of stakeholders in the city.
• Integrity protects data against modifications that can lead to harmful decisions. In actuation requests, it confirms the authenticity of the request to avoid unauthorized changes in the city's physical infrastructure.
• Availability of data and control functionality is essential for managing the city. It is in particular required in difficult situations and under attack, when e.g. rescue operations for public safety need to be coordinated.

A critical city infrastructure must be protected against malicious attacks with security mechanisms in the IoT platform. Furthermore, the platform must control the access to private information of users and subsystems. In general, attacks can target the IoT infrastructure at any point, from devices in the field to communication channels or servers. The attack might try to sabotage or compromise subsystems to take over control of certain aspects of the city. Another target is the information data in the IoT platform, which compromises the privacy of the stakeholders and citizens.

In the following we take a closer look at the threats, distinguishing between external and internal threats.

1) External threats

As a smart city IoT platform grants access to critical infrastructure and confidential data, it is likely a target of external attacks. The smart city information platform will have to be resistant against external attackers. External attackers can attack devices or communication channels. In particular, the following issues need to be taken into account:

Unauthorized external data access: External attackers may try to access private data from users, components or subsystems of the IoT environment. For example, the energy consumption of city areas or even single houses is potentially interesting for unwanted commercial use cases. The platform stores the information sent by the sensors, so there is the risk that an attacker tries to access or corrupt private data.

Unauthorized device control: Several actors integrated in the smart city environment are controlled automatically or via remote control. These could be display units, traffic lights, heating systems or even fire doors. Misapplication of these devices by external attackers must be prevented by the platform under all circumstances.

Hacking and Sabotage: There are several conceivable scenarios where the city infrastructure is sabotaged by external attackers. The smart city platform will have to fend off denial of service or man-in-the-middle attacks. The platform must offer suitable mechanisms for intrusion prevention and data encryption to prevent failure of subsystems provoked by unauthorized outsiders. Once parts of the system are compromised by the attacker, the attacker may use this compromised subsystem to attack the full smart city infrastructure, now acting as an internal attacker.

2) Internal threats

Caused by the complexity and multiplicity of the components, actors and users of the smart city environment, there are several internal security issues which have to be considered. Internal adversaries are particularly dangerous. They have detailed knowledge about the infrastructure, direct access to or control of systems in the city infrastructure or the IoT platform. They also hold or have stolen several keys in the system. Insider attackers are:
• Users or administrators of subsystems.
• Hackers who have already compromised parts of the system.

Recent reports on malware and backdoors in various systems show that hackers can easily manage to compromise at least parts of a system. In an IoT system, in particular the restricted nodes cannot be physically protected and are often the weakest link.
Once a part or a subsystem is compromised, hackers can act as internal attackers to the rest of the infrastructure. The defense in depth principle must be followed to avoid that the compromise of subsystems poses a major threat to the full infrastructure. Defense in depth mandates that multiple layers of security controls are placed in the system, such that overcoming one security control does not yet compromise the system. Security-by-design is important when building a complex infrastructure with multiple layers of security.

Unauthorized internal data access: Internal adversaries might have the possibility to bypass certain access control mechanisms and therefore can have access to the raw data. If the data itself is protected by cryptographic means, access to meaningful plaintext is still difficult for internal adversaries.

Violation of data and device integrity: The integration of several subsystems into one platform threatens the data integrity of components with unexpected side effects from other components. Software errors or hardware failures should not influence data or communication of other components.

B. Use Cases

1) Smart Energy Management

Over six billion people are expected to live in cities and surrounding regions by 2050. Consequently, the autonomic and smart operation of cities will be a critical requirement in the near future. Challenges related to the ability of city infrastructures to cover every citizen's needs in terms of water supply, transportation, healthcare, education, safety, and, most importantly, energy usage must be addressed to save and improve the economic, social and environmental well-being of citizens.

The goal of this use case is to provide a reference system able to intelligently manage the energy use of the most relevant contributor to the energy use at city level: buildings. At the same time it will allow full control over the data access and the security of the communications.

Achieving energy efficiency in buildings requires the interaction between a number of actors and entities providing energy monitoring and consumption feedback, using automation systems, sensors and actuators, and carrying out economic strategies to save energy. In order to cover such requirements at city level, it is necessary to provide a common platform that informs users about energy usage as well as gives users the possibility to interact with the system in order to define specific strategies for energy saving or to control their own devices integrated in the platform.

Since the platform includes devices and data whose owners can be external agents to the platform owner, security requirements must be satisfied to ensure user privacy, trusted data sources, confidentiality or secured communication, among others.

For all these reasons energy management is well suited to demonstrate the SMARTIE platform. We propose to cover the use case of smart energy management of buildings, where it is envisioned to enable end-to-end security and trust in information delivery for decision-making purposes addressing energy efficiency issues and following the data owner's privacy requirements.

The pilot will be set in the Region of Murcia, where different city facilities will be monitored and managed by the SMARTIE platform to deal with energy efficiency at city level. Murcia already has several target facilities in which energy consumption aspects have been identified as relevant due to their contribution to the energy consumption at city level. Among others, public facilities such as schools, hospitals and public buildings are being monitored in terms of their energy usage behavior. Therefore, energy consumption levels associated with different city subsystems can be provided to make citizens and the government aware of this aspect. Besides, strategies to save energy in such facilities can be defined, as well as future plans for more energy-efficient performance of cities.

2) Smart Traffic

One of the main future challenges for urban administrations will be the management of the constantly increasing amount of urban traffic, especially in the metropolitan areas. In nearly every larger town in the world, congestion situations affecting large areas of the inner city are a daily occurrence. This is not only problematic because of the higher amount of noise and pollution caused by the traffic. It also causes higher transport costs to the communities and decreases traffic safety considerably.

The aim of this use case is to use the SMARTIE platform and solutions to improve the traffic situation, the information level of the road user and traffic safety. Therefore the existing traffic infrastructure in a region must be combined with the SMARTIE platform. This will enable the traffic management authorities to join different traffic data sources and actuators to improve traffic flow and traffic safety in the relevant area.

Parts of this use case will flow into a pilot system in the city of Frankfurt (Oder), Germany. The pilot will show the possibilities of the SMARTIE platform in Smart City Traffic Scenarios with special attention to emergency situations. Therefore the existing traffic infrastructure of Frankfurt (Oder) will be especially considered in this use case description.

The Traffic Green system, which allows switching traffic lights whenever an emergency vehicle approaches, has been in operation in Frankfurt (Oder) for over 10 years now. Today about 20 emergency vehicles (mostly fire trucks and ambulances) and over 30 traffic lights in the city are equipped with the system.

So the most important goal of this use case is to connect different independent systems, like the ones mentioned here, via the SMARTIE platform to avoid abnormal traffic situations or resolve them as quickly as possible if they have emerged. This can be supported by:

• Traffic Detection: Real-time detection and processing of relevant traffic information. Abnormal situations or congestions can be detected immediately and counteractions can be initiated.
• Information Displays: The variable message signs offer a direct return channel to the road, so the road users can be shown every kind of useful content depending on the situation. This can be information like travel times or detour information, warnings like congestion warnings, or even traffic signs such as a speed limit.
• Integrated system communication: The integration of nowadays separated systems into an Internet of Things back-end offers opportunities for these systems to cooperate with each other.
• Floating car data: Vehicles are equipped with a GPS receiver and a direct or indirect data connection to the SMARTIE network. These might be emergency or public transport vehicles or even pedestrians with a smart phone.
• Monitoring: Local city authorities will be enabled to have a permanent overview of the traffic situation and the possibility to intervene manually through a Graphical User Interface.

3) Smart Transport

The system proposed in this use case aims to improve the management of the public transportation network in the city of Novi Sad, starting from the Public City Bus Transport Network with the intention to extend it to other transport means and networks, and thus promote and encourage the greater use of sustainable transport modes and provide time and cost benefits to travelers.

The pilot to be set in Novi Sad, Serbia will be based on enabling smart transport options for users of public transport, focusing initially on 2 routes within a city public bus transport network operated by a local transport company, JGSP.

Bus stops covering the 2 routes will be equipped with Augmented Reality (AR) markers in the form of an image (e.g. logo or QR code). Furthermore, fleet management devices will be placed on the appropriate buses in order to track their location in real time.

Users (travelers) will be able, using their smart phones, dedicated applications and the AR marker at the bus stop, to find out the bus arrival time and also request information on the best route to the specified destination depending on the user-selected criteria.

The data generated by the fleet management devices are owned by the public transportation company, and access to this data should be highly restricted to authorized users only. Furthermore, citizens will be generating private data such as their GPS location as well as their travel plans. This data stored within the cloud infrastructure should also be treated as sensitive, and access to this data should not be made publicly available. Furthermore, it should be prevented that any unauthorized fleet management devices are connected to the system. Therefore, it is necessary to establish access control policies for both end users (or citizens) and IoT devices (i.e. fleet management devices) connecting to the back-end cloud platform.

Any communication within the system must be made secure using the appropriate methods, taking into account the different layers within the system's architectural stack. In particular, security mechanisms should be able to address this issue whether operating on the powerful cloud back-end infrastructure, less powerful mobile phone platforms, or resource-restricted IoT devices with limited memory, CPU processing power and low communication bandwidth.

The system infrastructure will address and prevent potential threats at different levels of the system utilizing the SMARTIE platform and solutions. This will be demonstrated through the following aspects:
• Fleet management (GPS/GPRS) devices mounted on the buses utilize secure data transfer between the device and the back-end infrastructure. Information related to the location of public vehicles should be accessible to system users according to the access policy and privacy rules.
• Users' routing information stored in the cloud utilizes security and privacy on the server side and secure storage within the database.
• Preventing and disabling other users that wish to eavesdrop on others' travel plans, which relies on the data privacy aspects implemented within the SMARTIE platform.
• Lightweight encryption primitives on devices and encryption level-dependent strength, which demonstrates the dynamic adaptation of security methods available within the SMARTIE platform.
• Power consumption of IoT devices is not increased, which demonstrates a low-complexity security algorithm executing on the device (important when battery operated).
• Web portals secured by appropriate privacy rules are implemented to support the system by providing access to real-time information on transport requirements and traffic status, which can be used by:
  o JGSP to monitor the system and users' requirements and provide an efficient and convenient transport service
  o Police to identify potential transport/traffic problems causing big delays etc. and thus ensure a safer transport system

III. SMARTIE CONTRIBUTIONS

Standard network security tools such as firewalls, monitoring systems or typical access control will not suffice to prevent sophisticated attacks due to the distributed nature of the IoT and the problem of finding mutually trusted parties. It is essential that security is directly designed into the infrastructure rather than being added as an extra plug-in. An effective protection approach is security in depth, where data
and services are protected by several independent systems. The challenge will be to design solutions where no single server has significant power to control the infrastructure or to access significant amounts of data. This approach is taken by the project. Several components have been identified as an important step in realizing a secure platform and are developed within the scope of the project.

The following list provides an overview of the innovations that are developed within SMARTIE. The list is structured according to the functional groups identified by the architectural reference model of IoT-A [1]. This set of functional groups can be considered common to IoT systems, as it gathers the essential functionality of an IoT system. While the description given here is only intended to give a brief overview, the interested reader will find more details in the recent deliverables of the SMARTIE project.

A. Security Functional Group

DCapBAC [4] is an authorization scheme that takes access control decisions before the actual service is accessed. It does this by giving a signed authorization token to a user who is asking for any particular service or functionality offered by a thing. The authorization token is sent along with a request to the thing, which verifies the validity of the request and the authorization token, delivering the requested data if successful.

The CP-ABE library links access control and encryption. This is useful in data distribution, when multiple receivers are involved. With CP-ABE the information does not need to be encrypted individually for each receiver; it is encrypted once according to an access policy, ensuring that all authorized recipients can decrypt messages.

XACML with ISDN allows detailed policies for authorization to be given, e.g. to be used together with CP-ABE.

The shortECC library provides security mechanisms, i.e. encryption and digital signature, for highly constrained devices. One approach uses elliptic curves with a key length between 32 and 64 bits while utilizing secret curve parameters, but the library can also be used with standard ECC key lengths.

The ImRNG library provides a lightweight approach for the generation of cryptographically secure pseudorandom numbers on computationally constrained devices. This is a fundamental library, as most security mechanisms require strong random numbers.

IMASC is an integrity measurement framework that makes use of cheap and common secure hardware, the Smartcard, in order to provide a trusted running environment. Since the Smartcard is a secure microcontroller that is very difficult for the attacker to hack, it is used as a trust anchor in the architecture of the device node to maintain the integrity of its software stack. The firmware of the device will be tailored to a measure-before-launch execution scheme, so that tampered code or unknown libraries will be detected and audited before the device decides to execute it. Meanwhile, the Smartcard protects the integrity of the measurement results so that a Trusted Third Party can attest each node remotely.

Distributed Kerberos is a component to compute Kerberos-like authentication tokens. The service can be enriched with authorization, e.g. with capabilities based on the DCapBAC module to obtain lightweight capability tokens for authentication and authorization. The main design guideline for this component is to prevent any single compromised entity from being able to compute a capability token. Thus a distributed design is necessary.

The intrusion detection system (IDS) for IoT [7] is used to scan the network traffic for intrusions into the network and to report unknown or unwanted traffic to the network operator. Therefore it gathers and stores data to build a knowledge base for detection.

B. Communication Functional Group

The lightweight Secure CoAP (lwsCoAP) component is used to provide a secure data channel between the IoT devices and the back-end cloud platform employing lightweight encryption schemes. It builds on CoAP [6], which is an application layer protocol designed to lower the complexity for constrained networks but also to enable communication over the existing internet infrastructure. The core of the security system is the cryptographic primitive based on elliptic curve cryptography (ECC), which can be scaled up and down to provide a variable level of protection at the expense of using more or fewer resources (i.e. processing power, memory, generated overhead). The solution is based on the ISO/IEC 29192 standards, which aim to provide lightweight cryptography for constrained devices, including block and stream ciphers and asymmetric mechanisms. This method is further optimized in order to reduce the key size and make the algorithm more efficient in terms of computational requirements while still providing a satisfactory level of security.

C. IoT Service Functional Group

Privacy-preserving event detection and correlation enables analysis of encrypted data. This protects the privacy of people whose information is sensed, or the confidentiality of data owned by an entity that does not want to disclose the information. It still makes it possible to use services that are based on limited features of the data stream, by encrypting or encoding the information so that only the events required for the service can be detected.

Digcovery is a framework that enables scalable and automated registration of devices for IoT environments using well-known protocols such as CoAP and CoAP-RD. Other features offered by Digcovery are search and the use of geospatial information to enhance the search capabilities of the framework.

The tinyDSM middleware provides a shared data storage for the nodes in a wireless sensor network. The data pieces are defined as variables, each with a specified type and policy controlling the behavior of the middleware regarding handling
of the variable. The sharing of the variables is based on replication, and the policies specify its details in terms of the replication area and consistency parameters. The replication helps to assure data availability in case of node failure and provides a consistent view of the replicas. The configuration is application specific, static and common for all the nodes in the network. Exchanging the policy file allows creating different versions based on the same application code. Reliable shared data storage with data monitoring makes it possible for the nodes to cooperate more autonomously and independently from a central station by injecting more intelligence into the network.

PrivLoc [5] offers secure location-based services, in particular a secure geo-fencing service that alerts users if objects enter or leave a defined area. Location-based services are increasingly gaining importance. Not only end users but also companies can make use of location data to track assets (e.g. public transport services, users looking for transportation, or logistics companies). PrivLoc scrambles location information in a way that allows computation on intersections of scrambled geometric objects, which is the main operation behind a geofencing service.

D. Virtual Entity Functional Group

The Configuration Management allows the look-up and discovery of information sources, e.g. sensing services that provide certain information, such as the indoor temperature of a room or the speed of a bus. For the discovery, a geographic scope can be specified using geographic coordinates, e.g. discover all services providing information about buses that are currently within a geographic area given by a geographic segment specified by the geographic coordinates of two opposite corners.

E. Service Organization Functional Group

The Processing Flow Optimization creates processing flows according to an optimization criterion, taking constraints into account. In a processing flow, sources (e.g. sensing services on sensor nodes) provide information that is processed by one or more information processing services on computing nodes. The information then "flows" from the sources through the information processing services, providing the required information to the requester. The selection of sources and the placement of information processing services on computing nodes are optimized according to an optimization criterion, e.g. required bandwidth or required processing power. Computing nodes can, e.g., be sensor nodes, gateways, dedicated servers or cloud nodes. Constraints like trust or availability of security keys are taken into account.

The IoT Broker provides applications with one single access point for accessing IoT-related information from a possibly large set of IoT sources like sensors, but also information processors. The IoT Broker accesses the information from the different sources, aggregates it and returns it to the requesting application.

The Federation of Systems allows temporary cooperation of independent systems in order to provide a given service which cannot be provided by the involved sub-systems separately.

IV. CONCLUSIONS

The idea of the IoT brings new challenges regarding security and in consequence also for privacy, trust and reliability. The major issues are:
• Many devices are no longer protected by well-known mechanisms such as firewalls and can be attacked via the wireless channel directly. In addition, devices can be stolen and analysed by attackers to reveal their key material.
• Combining data from different sources is the other major issue, since there is no trust relationship between data providers and data consumers, at least not from the very beginning.
• Secure exchange of data is required between IoT devices and the consumers of their information.

This paper presented the approach taken by the SMARTIE project. SMARTIE envisions a city data platform that allows data processing and sharing while protecting security and privacy. The described use cases show where such a platform can make a difference. A set of innovations and enhancements are being developed within the project to address the challenges imposed by the application domains.

REFERENCES
[1] IoT-A Deliverable D1.5, "Final Architectural Reference Model for the IoT".
[2] SMARTIE Deliverable D3.1, "Components for secure information gathering and storage", see http://www.smartie-project.eu/publication_deli.html
[3] SMARTIE Deliverable D4.1, "IoT information Access and Privacy Preservation", see http://www.smartie-project.eu/publication_deli.html
[4] Jose L. Hernandez, Antonio J. Jara, Leandro Marin and Antonio F. Skarmeta Gómez. DCapBAC: Embedding Authorization logic into Smart Things through ECC optimizations. International Journal of Computer Mathematics, 1-22, 2014.
[5] Jens-Matthias Bohli, Dan Dobre, Ghassan O. Karame, Wenting Li: PrivLoc: Preventing Location Tracking in Geofencing Services. TRUST 2014, 143-160.
[6] The Constrained Application Protocol (CoAP), RFC 7252, https://datatracker.ietf.org/doc/rfc7252/
[7] Jana Krimmling and Steffen Peter. Integration and Evaluation of Intrusion Detection for CoAP in Smart City Applications, M2MSec'14 - Workshop on Security and Privacy in Machine-to-Machine Communications, 2014.
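The capability-token flow that Section III.A describes for DCapBAC (a token granting actions on a thing is sent with the request, and the thing verifies both before serving it), combined with the Distributed Kerberos guideline that no single compromised entity may compute a token, as an added example written for this page; it is not code from the SMARTIE project or its libraries. It assumes a two-issuer split in which both issuers must tag a token, and it substitutes an HMAC per issuer for the ECC signature DCapBAC uses so that it runs with the Python standard library alone; keys, resource names and subjects are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo keys for two independent token issuers. DCapBAC tokens
# carry an ECC signature; this example substitutes one HMAC per issuer
# (an assumption made to keep the example standard-library only).
ISSUER_KEYS = {
    "issuer-a": bytes.fromhex("a1" * 32),  # constructed, not a real key
    "issuer-b": bytes.fromhex("b2" * 32),  # constructed, not a real key
}
REQUIRED_ISSUERS = ("issuer-a", "issuer-b")


def _canonical(claims):
    """Deterministic byte encoding so issuers and the thing MAC the same data."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _tag(issuer, claims):
    return hmac.new(ISSUER_KEYS[issuer], _canonical(claims), hashlib.sha256).hexdigest()


def issue_token(subject, resource, actions, ttl, now, issuers=REQUIRED_ISSUERS):
    """Build a capability token granting `actions` on `resource` to `subject`.

    Each issuer in `issuers` contributes its own tag over the same claims, so
    (following the Distributed Kerberos guideline) one compromised issuer
    alone cannot produce a token the thing will accept.
    """
    claims = {
        "sub": subject,
        "res": resource,
        "act": sorted(actions),
        "exp": int(now) + int(ttl),
    }
    return {"claims": claims, "tags": {name: _tag(name, claims) for name in issuers}}


def verify_request(token, request, now, required=REQUIRED_ISSUERS):
    """The thing's check before serving a request: every required issuer's
    tag must verify, the token must not be expired, and the request's method
    and resource must be covered by the capability. Returns (accepted, reason).
    """
    claims = token.get("claims", {})
    tags = token.get("tags", {})
    for name in required:
        presented = tags.get(name, "")
        if not hmac.compare_digest(presented, _tag(name, claims)):
            return False, "missing or invalid tag from " + name
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if request.get("resource") != claims.get("res"):
        return False, "resource not covered by token"
    if request.get("method") not in claims.get("act", []):
        return False, "action not permitted by token"
    return True, "ok"


def demo():
    """Walk through accept and reject cases on a constructed CoAP resource."""
    resource = "coap://lamp-17.example/state"  # constructed resource name
    token = issue_token("app-42", resource, ["GET", "PUT"], ttl=300, now=1000)
    get_req = {"method": "GET", "resource": resource}
    results = {
        "get_ok": verify_request(token, get_req, 1010),
        "delete": verify_request(token, {"method": "DELETE", "resource": resource}, 1010),
        "expired": verify_request(token, get_req, 1300),
    }
    # Token computed by a single issuer: rejected because issuer-b's tag is absent.
    partial = issue_token("app-42", resource, ["GET"], 300, 1000, issuers=("issuer-a",))
    results["partial"] = verify_request(partial, get_req, 1010)
    # Widening the claims after issuance invalidates every issuer's tag.
    forged = {"claims": dict(token["claims"], act=["DELETE", "GET", "PUT"]),
              "tags": token["tags"]}
    results["forged"] = verify_request(forged, {"method": "DELETE", "resource": resource}, 1010)
    return results


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:8} accepted={accepted} ({reason})")
```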
