The Rise research institute works with computer security, especially in the field of IoT. Sensors are often small devices with limitations in terms of, for example, battery life and computing power, so you want to keep down both what consumes battery and calculations, such as communication and security. This is, among other things, why you cannot use the kind of security that is used on the internet, but it must be a much more adapted solution.

“Sensors are small gadgets that are not capable of advanced security calculations,” Thomas Carnehult told an interview at the end of 2019. We want to make it safe anyway. Therefore, Rise applied for and received the support of Vinnova's computer security program and the project aimed to use one of the newest standards for IoT security.

“We heard about Future by Lund's SOM project and realized that it would be a perfect fit for us to use. That way we don't have to build our own infrastructure,” said Thomas Carnehult.

SOM project managers Anders Trana and Johan Lindén at Mobile Heights also saw advantages in connecting on a security project. When Vinnova also gave the green light, we just had to start.

In the project, sensor values were collected in electrical cabinets in central Lund via a box supplied by U-blox. The electrical cabinets communicate with each other via Bluetooth Mesh and the values were then collected and sent via NB-IoT. Finally, the data ended up on Sensative's platform Yggio. The sensor data passed many steps along the way.

The project started with a threat analysis on the existing infrastructure in SOM. The focus was on seeing what protocols were being used, what was wanted to protect and how it would be transported.

“Sensative and U-blox have security in their hardware at each end. Even in the communication between each node there is security. It is in the nodes that are passed on the road we are unsure whether safety can be maintained. Shortcomings can arise especially every time a protocol is changed, according to Thomas Carnehult.

Thomas explained with an allegory so that everyone can understand:

— Imagine that you are going to travel by car, train, subway and taxi. In every mode of transport you are quite safe — in the car you have a seat belt, the train is safe, etc. But when you change the mode of transport, you can, for example, get hit. Imagine if you could then encase yourself in Styrofoam and do the whole trip in the same Styrofoam. Then you as an object are protected all the way. That's what we do with sensor data. We also make sure that the protection is locked at the beginning of the trip and unlocked at the end. But the ticket can always be read so that you arrive at the right place.

The entire project was run in labs parallel to the SOM project and then moved over to the SOM setup.

“What's a little refined about this is that our work is really only needed when you pack the data and when you unpack it again,” said Thomas Carnehult. It is the payload, the load, that is encrypted. The other entities don't see that.

The project used a new standard that solved security all the way. The standard for IoT security was named RFC8613. The standard became an example of a possible security solution for other IoT Sweden projects.

Rise also works with, for example, Ericsson in the standards organization IETF to ensure that different IoT players work with the same secure standard so that there is no need to change the security solution along the way of data. The gadgets are supposed to be able to easily talk to each other without being from the same provider.

Does the project mean that whoever sends the values can be absolutely sure that no one can access them?

I would say that the values are very safe. Security is always a cat and mouse game and we are constantly trying to make the systems as safe as possible.

Many people are concerned about the security of IoT. Is it justified to be worried?

“I don't think there is reason to worry, but there is reason to do better all the time. Among other things, various legal issues must be related to the technical solutions. Sure there are things that hook up with a lack of security but worried I don't agree that one should be. Most of it works anyway. It's easy to get worried if you don't have enough facts. There is a lot of research and work going on how to manage all the data that is generated. The questions are about how to protect the data but also about who owns the data and who can share it and how to do it,” concluded Thomas Carnehult.

‍

What was the result?

The project led to a solution that can encrypt sensor data from start point to end point. The solution works for some protocols — such as BLE, Z-way and NB-IoT, but not for technologies such as LoRa and Sigfox. “A technology that should be used in the future,” says project partner Johan Lindén at Mobile Heights, but also a board member of the Swedish Cyber Security Node.

The project developed a demonstrator for IoT security intended for public environments and used one of the sub-projects from the SOM (Smart Public Environments) project. It used the latest achievements and standards in IoT security by demonstrating today's lab solutions in a real-world environment.

The project implemented completely new IETF standards (RFC 8613on Object Security for Constrained RESTful Environments (OSCORE)) end-to-end from sensors to back-end and on to data users.

The benefit of this project was primarily to increase the security of Sensative's Yggio and u-blox BLE IoT platforms and the services that collaborate in the SOM project. We mainly used the new IoT security standards from the IETF in which Sweden has participated and developed. u-blox's ambition is to use OSCORE in future IoT modules based on Wi-Fi, Bluetooth and/or mobile communications, all with low power. This is an important development step for Sensative's IoT platform Yggio, and we will bring this solution into other critical use cases and IoT applications.

‍

‍

How is the project taken forward?

The building blocks exist and can be taken further after the end of the project. Who will run such a project is being investigated at the time of writing.

‍

Facts IoT Security in Public Environment

Project Time: 2018-11-01 - 2019-12-31

Project Manager: Thomas Carnehult, RISE

Project partners: RISE, Sensative, U-blox, Mobile Heights, Ericsson, Power Ring

Total budget: SEK 2.7 million

Financier: Vinnova

‍Follow-up projects: Investigated IoT security using examples from Smart Public Environments II.

 Classification in the Future by Lund framework

Layer: ! 3

Zone: Green (B)

What do we mean by zone and layer?

Future by Lund works with a framework to create understanding and provide a basis for strategic decisions regarding the development of the innovation ecosystem where the partnership will be able to review the ecosystem together and conduct strategic dialogues about future development. Working with zones is a way to show what kind of innovation activity and development phase it is, while layers are a way of showing the amount of activities and partner involvement, where you can follow seed investments, project financing and the journey ahead as a result of a project.

Blue, green and yellow zone

To explain the possibilities of the organizational gap between the municipality, business and the university, a model with a blue, a green and a yellow zone is used.

In the blue zone the organization decides everything itself and has control and mandate. Here you control yourself and there is a structure for how you conduct your business. Outside there is Green Zone, located in the gap between organizations. There is a need for cooperation and dialogue with shared mandates. Organizations negotiate and create agreements about who does what, what can be done together, and how it should be done. For example, cities and construction companies often work together to build new areas or concrete projects with common goals and shared tasks and resources. If you go further into it yellow zone the mandate is rather unclear and organisations share challenges and opportunities. Who owns what and who will do what is not clear, presenting greater risks. It is necessary to co-create. In this zone, you need to stimulate, facilitate, test and monitor the outside world in order to create knowledge and understanding. The organizations share the risks surrounding the unknown and the unarticulated. Participant engagement and presence drives the opportunities. Many in Future by Lund's network work precisely with things that are located in the green and yellow zones in areas that you share with others. Activities carried out in the green or yellow zone can eventually become business opportunities and then end up in the blue zone where organizations take home results, use them, build business and scale.

Consequential effects through the layer model

To demonstrate the importance of innovation activities for a system of actors, Future by Lund's associate researcher Emily Wise works with the “layer model” — which is a reporting method used in Vinnova's Vinnprogram and captures dynamics and the “ripple effects” that the initiatives contribute to.

First layer är the support (or base funding) that comes directly to the innovation platform.

Second layer consists of project funding for projects that Future by Lund either leads or participates in.

Third layer is project funding that goes to partners in projects in which Future by Lund does not participate. This is called a spinoff project or follow-on project.

Fourth layer are the qualitative events in the system that are signs that change is taking place in the direction of the sustainable city. It can be new businesses, new products, an increase in the number of employees, new investment streams, new infrastructure and an increase in attention.

‍

‍