2015 International Conference on Recent Advances in Internet of Things (RioT)

Singapore, 7-9 April 2015

SMARTIE Project: Secure loT Data Management

for Smart Cities

lens-Matthias Bohli
NEC Laboratories Europe
Heidelberg, Germany
lens-Matthias.Bohli@neclab.eu

Antonio Skarmeta, M.Victoria Moreno, Dan Garda

Universidad de Murcia
Murcia, Spain
{skarmeta,mvmoreno,dan.garcia} @um.es

Peter Langendbrfer
Innovations for High Performance Microelectronics Leibniz-Institut
Frankfurt-Oder, Germany
langendoerfer@ihp-microelectronics.com

Security and trust are essential for the success of smart city
Abstract-The VISIOn of SMARTIE (Secure and sMARter solutions and for their acceptance by the citizens. Data
ciTIEs data management) is to create a distributed framework collected in a smart city platform must be protected in order to
for loT-based applications storing, sharing and processing large reduce the risk of data theft that can lead to identity fraud and
volumes of heterogeneous information. This framework is
financial damage. Access to critical components needs to be
envisioned to enable end-to-end security and trust in information
protected in order to avoid disruption of the operation of the
delivery for decision-making purposes following the data owner's
privacy requirements. SMARTIE follows a data-centric
public infrastructure. In particular actuators will allow hackers
paradigm, which will offer highly scalable and secure to extend the outreach of their attacks beyond IT systems into
information for smart city applications. The heart of this the real world. The actual damages caused by possible threats
paradigm will be the "information management and services" can range from small interferences within the system to
plane as a unifying umbrella, which will operate above exposure of private information or significant financial losses.
heterogeneous network devices and data sources, and will With more information and control of smart city assets being
provide advanced secure information services enabling powerful available over ICT networks, the risk and impact of security or
higher-layer applications.
privacy threats is foreseen to be increasing and can have
profound and serious consequences for the community.
Keywords-Smart Cities, loT, Security
Research on solutions that ensure secure operations and
I. INTRODUCTION protect the data and information involved is essential. The EC­
funded project SMARTIE (Secure and sMARter ciTIEs data
There is a strong trend among cities to become smarter in
management) addresses exactly this problem. The project
order to solve the upcoming challenges: in developing regions
develops a secure platform to protect sensors and devices,
the number of mega cities with more than 10 million
enable access control for resources, and to provide secure data
inhabitants will substantially grow in the next decades. In
storage and processing capabilities.
more developed regions, the urban population is growing as
well and the aging society brings challenges to cities. The following Section II presents a data platform for
Furthermore, the global need for energy savings and cost management of a smart city and points out the main security
effectiveness of the city are of paramount importance. Smart and privacy threats. The section also presents use cases
technologies, the availability of fine-grain data about the city showing the benefits of such a platform for realizing typical
and its residents, as well as the possibility to remotely control smart city application. Section III presents a short overview of
the city's infrastructures will have a great social benefit if used innovations that will be developed in the SMARTIE project.
correctly-consider for instance, energy savings or traffic
congestion avoidance. It is an inevitable fact that cities need to II. SMART CITY DATA PLATFORM
become smarter and we are witnessing the beginning of this
move already today. Figure I shows a smart city infrastructure as it is envisioned
by SMARTIE. Various sensors provide data into a data
This work has been partially funded by the European Commission within
the EU FP7 Project SMARTIE, contract number 609062.

978-1-4799-8325-4/15/$31.00 ©2015 IEEE

platform and actuators in the city receive actuation commands
from the platform. The platform offers interfaces for various
kinds of services, such as metering and control of energy
consumption, transportation links, or traffic in the city.
A. Security & privacy threats
A smart city platform monitoring and controlling huge parts of
the city infrastructure introduces several new security and
privacy threats to the city's infrastructure and citizens. The
fundamental principles of information security are
confidentiality, integrity and availability. This needs also to
be protected for many aspects of a smart city
• Confidentiality is needed to protect the privacy of
citizens and valuable information of stakeholders in the
city.
• Integrity protects data against modifications that can
lead to harmful decisions. In actuation requests, it
Unique API (developmrnt imd Integr.ltion)
Inle.ence
.
DlltaMllnipulllliofl
��
Figure 1: Visualization of a Smart City Infrastructure with
Sensors, Smart Data Platform and Applications.
confirms the authenticity of the request to avoid
unauthorized changes in the city's physical
infrastructure.
• Availability of data and control functionality is essential
for managing the city. It is in particular required in
difficult situations and under attack, when e.g. rescue
operations for public safety need to be coordinated.
A critical city infrastructure must be protected against
malicious attacks with security mechanisms in the loT
platform. Furthermore, the platform must control the access to
private information of users and subsystems. In general,
attacks can target the loT infrastructure at any point from
devices in the field, to communication channels, or servers.
The attack might try to sabotage or compromise subsystems to
take over control of certain aspects of the city. Another target
2
is the information data in the loT platform, which is
compromising the privacy of the stakeholders and citizens.
We take in the following a closer look at the threats
differencing between external and internal threats.
1) External threats
As a smart city loT platform grants access to critical
infrastructure and confidential data, it is likely a target of
external attacks. The smart city information platform will have
to be resistant against external attackers. External attackers
can attack devices or communication channels. In particular
the following issues need to be taken into account:
Unauthorized external data access: External attackers may try
to access private data from users, components or subsystems
of the loT environment. For example the energy consumption
of city areas or even single houses is potentially interesting for
unwanted commercial use cases. The platform stores the
information sent by the sensors, so there is the risk that an
attacker tries to access or corrupt private data.
Unauthorized device control: Several actors integrated in the
smart city environment that are controlled automatically or via
remote control. This could be display units, traffic lights,
heating systems or even fire doors. Misapplication of these
devices by external attackers must be prevented by the
platform under all circumstances.
Hacking and Sabotage: There are several scenarios
conceivable where the city infrastructure is sabotaged by
external attackers. The smart city platform will have to fend
denial of service or man-in-the-middle attacks. The platform
must offer suitable mechanisms for intrusion prevention and
data encryption to prohibit failure of subsystems provoked by
unauthorized outsiders. Once parts of the system are
compromised by the attacker, the attacker may use this
compromised subsystem to attack the full smart city
infrastructure, now acting as an internal attacker.
2) Internal threats
Caused by the complexity and multiplicity of the components,
actors and users of the smart city environment there are
several internal security issues which have to be considered.
Internal adversaries are in particular dangerous. They have
detailed knowledge about the infrastructure, direct access to or
control of systems in the city infrastructure or the loT
platform. They also hold or have stolen several keys in the
system. Insider attackers are
• Users or administrators of subsystems.
• Hackers who have compromised already parts of the
system.
Recent reports on malware and backdoors in various systems
show that hackers can easily manage to compromise at least
parts of a system. In an loT system, in particular the restricted
nodes cannot be physically protected and are often the weakest
link.
Once a part or a subsystem is compromised, hackers can act as
internal attackers to the rest of the infrastructure. The defense
in depth principle must be followed to avoid that the
compromise of subsystems poses a major threat to the full
infrastructure. Defense in depth mandates that multiple layers
of security controls are placed in the system, such that
overcoming one security control does not yet compromise the
system. Security-by-design is important when building a
complex infrastructure with multiple layers of security.
Unauthorized internal data access: Internal adversaries might
have the possibility to bypass certain access control
mechanisms and therefore can have access to the raw data. If
the data itself is protected by cryptographic means, the access
to meaningful plaintext is still difficult for internal adversaries.
Violation of data and device integrity: The integration of
several subsystems into one platform threatens data integrity
of components with unexpected side effects from other
components. Software errors or hardware failures should not
influence data or communication of other components.
B. Use Cases
1) Smart Energy Management
Over six billion people are expected to live in cities and
surrounding regions by 2050. Consequently, the autonomic and
smart operation of cities will be a critical requirement in the
near future. Challenges related to the ability of city
infrastructures to cover every citizen's needs in terms of water
supply, transportation, healthcare, education, safety, and, most
importantly, energy usage must be addressed to save and
improve the economic, social and environmental well-being of
citizens.
The goal of this use case is to provide a reference system
able to manage intelligently the energy use of the most relevant
contributor to the energy use at city level-buildings. At the
same time it will allow full control over the data access and the
security of the communications.
Achieving energy efficiency in buildings requires the
interaction between a number of actors and entities providing
energy monitoring and consumption feedback, using
automation systems, sensors and actuators, and carrying out
economic strategies to save energy. In order to cover such
requirements at city level, it is necessary to provide a common
platform that informs users about energy usage as well as gives
user the possibility to interact with the system in order to
define specific strategies for energy saving or to control their
own devices integrated in the platform.
Due to the platform including devices and data whose
owners can be external agents to the platform owner, security
requirements must be satisfied to ensure user privacy, trusted
data sources, confidentiality or secured commu nication, among
others.
For all these reasons energy management is well suitable to
demonstrate the SMARTIE platform. We propose to cover the
use case of smart energy management of buildings where it is
envisioned to enable end-to-end security and trust in
3
information delivery for decision-making purposes addressing
energy efficiency issues and following data owner's privacy
requirements.
The pilot will be set in the Region of Murcia, where different
city facilities will be monitored and managed by the
SMARTIE platform to deal with energy efficiency at city
level. Murcia already has several target facilities in which
energy consumption aspects have been identified as relevant
due to their contribution to the energy consumption at city
level. Among others, public facilities such as schools,
hospitals and public buildings are being monitored in terms of
their energy usage behavior. Therefore, energy consumption
levels associated to different city subsystems can be provided
to become citizen and government aware about this aspect.
Besides, strategies to save energy in such facilities can be
defined as well as future plans for more energy efficient
performances of cities.
2) Smart Traffic
One of the main future challenges for urban administrations
will be the management of the constantly increasing amount of
urban traffic, especially in the metropolitan areas. In nearly
every larger town in the world, congestions situations affecting
large areas of the inner city are a daily occurrence. This is not
only problematic because of the higher amount of noise and
pollution caused by the traffic. It also causes higher transport
costs to the communities and decreases traffic safety
considerably.
The aim of this use case is to use the SMARTIE platform
and solutions to improve the traffic situation, information level
of the road user and traffic safety. Therefore the existing traffic
infrastructure in a region must be combined with the
SMARTIE platform. This will enable the traffic management
authorities to join different traffic data sources and actuators to
improve traffic flow and traffic safety in the relevant area.
Parts of this use case will flow into a pilot system in the city
of Frankfurt (Oder), Germany. The pilot will show the
possibilities of the SMARTIE platform in Smart City Traffic
Scenarios with a special attention to emergency situations.
Therefore the existing traffic infrastructure of Frankfurt (Oder)
will be especially considered in this use case description.
The Traffic Green system, that allows switching traffic
lights whenever an emergency car approaches, is in operation
in Frankfurt (Oder) for over 10 years now. Today about 20
emergency vehicles (mostly fire trucks and ambulances) and
over 30 traffic lights in the city are equipped with the system.
So the most important goal of this use case is to connect
different independent systems, like the ones mentioned here via
the SMARTIE platform to avoid abnormal traffic situations or
resolve them as quick as possible if they have emerged.
This can be supported by:
• Traffic Detection: Real time detection and processing of
relevant traffic information. Abnormal situations or
congestions can be detected immediately and
counteractions can be initiated.
 • Information Displays: The variable message signs offer
a direct return channel to road. So the road users can be
shown every kind of useful content depending on the
situation. This can be information like travel times or
detour information, warnings like congestion warnings
or even traffic signs such as a speed limit.
• Integrated system communication: The integration of
nowadays separated systems to an Internet of Things
back-end offers opportunities that these systems can
cooperate with each other.
• Floating car data: Vehicles are equipped with a GPS
receiver and a direct or indirect data connection to the
SMARTIE network. This might be emergency or public
transport vehicles or even pedestrians with a smart
phone.
• Monitoring: Local city authorities will be enabled to
have a permanent overview of the traffic situation and
the possibility to intervene manually through Graphical
User Interface.
3) Smart Transport
The system proposed in this Use Case aims to improve the
management of the public transportation network in the city of
Novi Sad starting from the Public City Bus Transport Network
with the intention to extend it to other transport means and
networks and thus promote and encourage the greater use of
sustainable transport modes and to provide time and cost
benefits to travelers.
The pilot to be set in Novi Sad, Serbia will be based on
enabling smart transport options for users of a public transport
focusing initially on 2 routes within a city public bus transport
network operated by a local transport company JGSP.
Bus stops covering the 2 routes will be equipped with
Augmented Reality (AR) markers in the form of an image
(e.g. logo or QR code). Furthermore, fleet management
devices will be placed on the appropriate busses in order to
track their location in real-time.
Users (travelers) will be able using their smart phones,
dedicated applications and the AR marker at the bus stop to
find out the bus arrival time and also request the information
on the best route to the specified destination depending on the
user selected criteria.
The data generated by the fleet management devices are
owned by the public transportation company and the access to
this data should be highly restricted to authorized users only.
Furthermore, citizens will be generating private data such as
their GPS location as well as their travel plans. This data
stored within the cloud infrastructure should also be treated
sensitive and access to this data should not be made publicly
available. Furthermore, it should be prevented that any
unauthorized fleet management devices are connected to the
system. Therefore, it is necessary to establish access control
policies for both end users (or citizens) and loT devices (i.e.
4
fleet management devices) connecting to the back-end cloud
platform.
Any communication within the system must be made secure
using the appropriate methods taking into the account different
layers within the system's architectural stack. In particular,
security mechanisms should be able to address this issue
whether operating on the powerful cloud back-end
infrastructure, less powerful mobile phone platforms or
resource restricted loT devices with limited memory, CPU
processing power and low communication bandwidth.
The system infrastructure will address and prevent any
potential threats at different levels of the system utilizing the
SMARTIE platform and solutions. This will be demonstrated
through the following aspects:
• Fleet management (GPS/GPRS) devices mounted on
the busses utilize secure data transfer between the
device and back-end infrastructure. Information related
to location of public vehicles should be accessible to
system users according to the access policy and privacy
rules.
• Users' routing information stored on the cloud utilizes
security and privacy on the server side and secure
storage within the database.
• Preventing and disabling other users that wish to
eavesdrop on other's travel plans which rely on the data
privacy aspects implemented within the SMARTIE
platform.
• Lightweight encryption pnmltlves on devices and
encryption level-dependent strength which
demonstrates dynamic adaptation of security method
available within the SMARTIE platform.
• Power consumption of loT devices is not increased and
thus demonstrates low-complexity security algorithm
executing on device (important when battery operated).
• Web portals secured by appropriate privacy rules are
implemented to support the system by providing access
to real time information on transport requirements and
traffic status which can be used by:
o JGSP to monitor the system and user's
requirements and provide efficient and
convenient transport service
o Police to identify potential transport/traffic
problems causing big delays etc. and thus
ensure a safer transport system
III. SMARTIE CONTRIBUTIONS
Standard network security tools such as firewalls, monitoring
systems or typical access control will not suffice to prevent
sophisticated attacks due to the distributed nature of the loT
and the problem of finding mutually trusted parties. It is
essential that security is directly designed into the
infrastructure rather than being added as an extra plug-in. An
effective protection approach is security in depth, where data
and services are protected by several independent systems.
The challenge will be to design solutions where no single
server has significant power to control the infrastructure or to
access significant amounts of data. This approach is taken by
the project. Several components have been identified to be an
important step in realizing a secure platform and are
developed within the scope of the project.
The following list provides an overview on the innovations
that are developed within SMARTIE. The list is structured
according functional groups that are identified by to the
architecture reference model of 10T-A [1] . This set of
functional groups can be considered common to loT systems
as it gathers the essentials functionality of an loT system.
While the description given here is only intended for giving a
brief overview, the interested reader will find more details in
the recent deliverables of the SMARTIE project.
A. Security Functional Group
DCapBAC[4] is an authorization scheme that takes access
control decisions before the actual service is accessed. It does
this by giving a signed authorization token to a user who is
asking for any particular service or functionality offered by a
thing. The authorization token is sent along with a request to
the thing that verifies the validity of the request and the
authorization token, delivering the requested data, if
successful.
The CP-ABE library links access control and encryption. This
is useful in data distribution, when multiple receivers are
involved. With CP-ABE the information does not need to be
encrypted individually for each receiver, but makes it possible
to encrypt it once according to an access policy, ensuring that
all authorized recipients can decrypt messages.
XACML with ISDN allows to give detailed policies for
authorization, e.g. to be used together with CP-ABE.
The shortECC library provides security mechanisms, i.e.
encryption and digital signature for highly constrained
devices. One approach uses elliptic curves with key length
between 32 and 64 bits while utilizing secret curve
parameters, but the library can also be used with standard ECC
key lengths.
The ImRNG library provides a lightweight approach for the
generation of the cryptographically secure pseudorandom
numbers on computationally constrained devices. This is a
fundamental library, as most security mechanisms require
strong random numbers.
IMASC is an integrity measurement framework that makes use
of a cheap and common secure hardware, the Smartcard, in
order to provide a trusted running environment. Since the
Smartcard is a secure microcontroller that is very difficult for
the attacker to hack, it is used as a trust anchor in the
architecture of the device node to maintain the integrity of its
software stack. The firmware of the device will be tailored to a
measure-before launch execution scheme, so that tampered
code or unknown libraries will be detected and audited before
5
the device decides to execute it. Meanwhile, the Smartcard
protects the integrity of the measurement results so that a
Trusted Third Party can attest each node remotely.
Distributed Kerberos is a component to compute Kerberos­
like authentication tokens. The service can be enriched with
authorization, e.g. with capabilities based on the DCapBAC
module to obtain lightweight capability tokens for
authentication and authorization. The main design guideline
for this component is to prevent that any single compromised
entity is able to compute a capability token. Thus a distributed
design is necessary.
The intrusion detection system (IDS) for loT[7] is used to scan
the network traffic for intrusions to the network and to report
unknown or unwanted traffic to the network operator.
Therefor it gathers and stores data to build a knowledge base
for detection.
B. Communication Functional Group
The light weight Secure CoAP (lwsCoAP) component is used
to provide a secure data channel between the loT devices and
the backend cloud platform employing light-weight encryption
schemes. It is building on CoAP [6] which is an application
layer protocol designed to lower the complexity for the
constrained networks but, also, to enable communication over
the existing internet infrastructure. The core of the security
system is the cryptographic primitive based on elliptic curve
cryptography (ECC), which can be successfully scaled up and
down to provide variable level of protection at the expense of
using more or less resources (i.e. processing power, memory,
generated overhead). The solution is based on ISO/IEC 29192
standards, which aim to provide lightweight cryptography for
constrained devices, including, block and stream ciphers and
asymmetric mechanisms. This method is further optimized in
order to reduce the key size and make the algorithm more
efficient in terms of computational requirements and still
provide the satisfactory level of the security.
C. loT Service Functional Group
Privacy-preserving event detection and correlation enables
analysis of encrypted data. This protects the privacy of people
whose information is sensed or the confidentiality of data
owned by an entity that does not want to disclose the
information. It makes it still possible to use services that are
based on limited features of the data stream by encrypting or
encoding the information so that only the events required for
the service can be detected.
Digcovery is a framework that enables scalable and automated
registration of devices for loT environments using well-known
protocols such as CoAP and CoAP-RD. Other features offered
by Digcovery are search and the use geospatial information to
enhance the search capabilities of the framework.
The tinyDSM middleware provides a shared data storage for
the nodes in a wireless sensor network. The data pieces are
defined as variables, each with a specified type and policy
controlling the behavior of the middleware regarding handling
of the variable. The sharing of the variables is based on
replication and the policies specify its details in terms of the
replication area and consistency parameters. The replication
helps to assure the data availability in case of node failure and
provides a consistent view of the replicas. The configuration is
application specific, static and common for all the nodes in the
network. Exchanging the policy-file allows creating different
versions based on the same application code. Reliable shared
data storage with data monitoring makes it possible for the
nodes to cooperate more autonomic and independent from a
central station by injecting more intelligence into the network.
PrivLoc [5] offers secure location-based services, in particular
a secure geo-fencing service that alerts users if objects enter or
leave a defined area. Location-based services are increasingly
gaining importance. Not only end users but also companies
can make use of location data to track assets (e.g. public
transport services, users looking for transportation or logistics
companies). PrivLoc scrambles location information in a way
that allows computation on intersections of scrambled
geometric objects, which is the main operation behind a
geofencing service.
D. Virtual Entity Functional Group
The Configuration Management allows the look-up and
discovery of information sources, e.g. sensing services that
provide certain information, e.g. the indoor temperature of a
room or the speed of a bus. For the discovery, a geographic
scope can be specified using geographic coordinates, e. g.
discover all services providing information about busses that
are currently within a geographic area given by a geographic
segment specified by the geographic coordinates of two
opposite corners
E. Service Organization Functional Group
The Processing Flow Optimization creates processing flows
according to an optimization criterion, taking into account
constraints. In a processing flow, sources (e.g. sensing
services on sensor nodes) provide information that is
processed by one or more information processing services on
computing nodes. The information then "flows" from the
sources through the information processing services, providing
the required information to the requester. The selection of
sources and the placement of information processing services
on computing nodes are optimized according to an
optimization criterion, e. g. required bandwidth or required
processing power. Computing nodes can, e.g., be sensor
nodes, gateways, dedicated servers or cloud nodes. Constraints
like trust or availability of security keys are taken into
account.
The loT Broker provides applications with one single access
point for accessing loT related information from a possibly
large set of loT sources like sensors, but also information
processors. The loT Broker accesses the information from the
different sources, aggregates it and returns it to the requesting
application.
The Federation of Systems allows temporary cooperation of
independent systems in order to provide a given service,
which cannot be provided by the involved sub-systems
separately.
IV. CONCLUSIONS
The idea of the loT brings new challenges regarding security
and in consequence also for privacy, trust and reliability. The
major issues are:
• Many devices are no longer protected by well-known
mechanisms such as firewalls and can be attacked via
the wireless channel directly. In addition devices can
be stolen and analysed by attackers to reveal their key
material.
• Combining data from different sources is the other
major issue since there is no trust relationship
between data providers and data consumers at least
not from the very beginning.
• Secure exchange of data is required between loT
devices and consumers of their information.
This paper presented the approach taken by the SMARTIE
project. SMARTIE envisions a city data platform that allows
data processing and sharing while protecting the security and
privacy. The described use cases show where such a platform
can make a difference. A set of innovations and enhancements
are being developed within the project to address the
challenges imposed by the application domains.
REFERENCES
[I] loT-A Deliverable D1.5, "Final Architectural Reference Model for the
loT".
[2] SMARTIE Deliverable D3.1, "Components for secure information
gathering and storage", see http://www.smartie-project.eu/publication
deli.html
[3] SMARTIE Deliverable D4.1, "loT information Access and Privacy
Preservation.",see http://www.smartie-project.eu/publication_deli.html
[4] Jose L. Hernandez, Antonio J. Jara, Leandro Marinc and Antonio F.
Skarmeta G6meza. DCapBAC: Embedding Authorization logic into
Smart Things through ECC optimizations. International Journal of
Computer Mathematics, 1-22,2014.
[5] Jens-Matthias Bohli, Dan Dobre, Ghassan O. Karame, Wenting Li:
PrivLoc: Preventing Location Tracking in Geofencing Services. TRUST
2014,143-160
[6] The Constrained Application Protocol (CoAP), RFC 7252,
hUps:l/ datatracker.ietf.org/ doc/rfc7252/
[7] Jana Krimmling and Steffen Peter. Integration and Evaluation of
Intrusion Detection for CoAP in Smart City Applications, M2MSec'/4 -
Workshop on Security and Privacy in Machine-to-Machine
Communications; 2014