Building secure and trusted digital urban twins
Digital urban twins must handle large amounts of information transmitted to them from the physical world. The challenge is to ensure that this information is secure and trusted throughout the whole process.
Legacy systems, insecure communications, unpatched vulnerabilities in software and hardware all jeopardise information security. Add to this mix the ever increasing number of low-cost sensor devices and you get a pretty big surface area susceptible to a wide range of attacks.
Threats relevant to IoT infrastructures include
Information interception by means of network reconnaissance, session or protocol hijacking
Network outages leading to a loss of support services, failures of devices or an entire system
Abuse in the form of malware, DDoS attacks, identity theft, privacy violations
Damage and malfunctions caused by exploits, information leaks, data disclosures, third party failures
Unintentional damage caused by erroneous use of devices and systems, or modification of source code and data
Legal consequences resulting from the violation of rules and regulations, as well as breach of contract obligations
Figure 1. DUET threat taxonomy
Many of these threats are relevant to DUET. To protect our ecosystem, we’re going to implement specific measures, or Technical Controls (TCs), in five key areas: run-time authentication, authorisation and monitoring; communications; and the software development lifecycle.
Run-time authentication is required to connect to a DUET backend service, visualisation system or sensor. There are many ways to ensure secure authentication. For example, through standardised and effective cryptography and security protocols, such as TLS that helps protect the confidentiality, authenticity and/or integrity of data and information (including control messages) in transit. Measures such as rate limiting can be applied to control requests to backend service, which can minimise the risk of automated attacks, while specific methods such as two-factor authentication should be enabled by default for critical DUET subsystems and actions.
For run-time authorisation it’s important to implement access control whereby the system verifies that users and applications have the right permissions. Security roles and privileges should be established for both systems or users and fine-grained authorisation mechanisms should be in place for limiting the actions allowed. Furthermore, applications and users shall follow the principle of least privilege and operate at the lowest privilege level possible.
The implementation of run-time monitoring and auditing requires regular checks to verify device behaviour, detect malware and discover integrity errors. For example, anomaly-based methods compare the observed network traffic with normal traffic and attacks such as DoS are detected when irregular activities are spotted. In addition, a logging system is needed to record events relating to user authentication, management of accounts and access rights, modifications of security rules, and the functioning of the system.
From using modern cryptographic hash algorithms, to implementing a DDoS-resistant and Load-Balancing infrastructure, to accepting devices and APIs only via secure protocols (https), there are many ways to ensure that communications are secure and trusted. We also want to stress that all errors should be handled correctly, that all input/output data is validated before it is accepted, and that queries use parameterisation (or other equivalent security measure) to avoid code injections e.g. XSS, CSRF, SQL.
Under data protection and compliance we want to reiterate principles that most people working in the GDPR environment are probably familiar with: personal data must be collected and processed fairly, lawfully and in a transparent manner; it should never be collected and processed without the data subject’s consent; personal data should be used only for those purposes for which it was originally collected (data minimisation principle), and that any further processing of personal data is compatible and that the data subjects are well informed. To make our digital twins compliant with the GDPR, we will link a data stream within the system with its owner. Such dynamic consent management will enable citizens to give or revoke consent from any service that uses their data.
Finally, security measures for the software development lifecycle will vary from stage to stage. For example, under planning we foresee mechanisms for self-diagnosis and healing to expedite recovery from failure, malfunction or a compromised state; under authentication and authorisation - a separation of duties to enable collusion-resistant processes that minimise risk exposure; under development - libraries and third-party components that are patched for latest known vulnerabilities; under monitoring and auditing - protections against privilege abuse and software logs registering all relevant security events. All TCs for this and other areas are shown in the diagram below.
Figure 2. Taxonomy of DUET security measures
The foregoing security measures will cover every underlying asset in the DUET ecosystem, including sensor devices used to collect information on traffic, weather and noise pollution; external systems and network elements (routers, gateways, virtual machines); middleware; computing infrastructure; and information in different states (at rest, in transit, in use), as well as metadata.
The ultimate goal is to provide a digital twin solution that can be trusted by end-users who are becoming increasingly conscious of both cybersecurity risks and their rights as data subjects.
If you would like further details on DUET’s security architecture, feel free to drop us a line or check this report.