By Bernd-Ludwig Wenning*
Today’s increasingly connected world sees the introduction of Internet of Things (IoT) systems in a huge variety of areas. In industrial settings such as smart manufacturing facilities as well as in personal residential settings where smart home applications are growing in popularity, IoT systems and devices are becoming increasingly ubiquitous. However, this comes with cybersecurity challenges as these systems often comprise resource-limited devices with known or unknown vulnerabilities, making them an attractive target for attackers. Hence, cybersecurity testing and monitoring is required in these systems to make them robust and resilient against attacks.
The TELEMETRY project aims to develop a suite of tools for cybersecurity testing and monitoring in use cases covering the areas of aerospace, smart manufacturing and telecommunications. This suite includes tools for monitoring of network traffic, sensor data and device behaviour, tools for offline testing of software and firmware, and tools that process the test and monitoring results to identify risks and assess trustworthiness within the IoT system.
To facilitate this, there has to be a common data infrastructure that is to be used in the IoT system, as the testing and monitoring tools need to share their findings and make them available for those that perform the risk analysis and trust assessment. Further, the findings should be recorded in a reliable and tamper-proof way so that they are available for cybersecurity audits as well as for incident analysis.
Distributed Ledger Technology
This is where Distributed Ledger Technology (DLT) comes into play: DLT is a technology for distributed data storage. A distributed ledger is essentially a database that is distributed across multiple computers, so-called nodes. Blockchain is one of the best-known types of DLT.
DLT provides key features that enable data sharing among the TELEMETRY tools and auditable record-keeping:
- Decentralised: There is no single database in a single location, but a ledger that is shared among several nodes, avoiding a single point of failure and reducing the risk of manipulation as multiple nodes maintain synchronised copies of the ledger.
- Immutable and append-only: Any data that is committed to the ledger cannot be altered or deleted. New data does not overwrite previous data but is appended to the ledger. This is a critical feature for auditability, as it ensures that whatever is recorded is being kept on the record and cannot be tampered with.
- Consensus-based: As multiple nodes maintain copies of the ledger, any addition to the ledger must be based on a consensus among the participating nodes, preventing single rogue actors from inserting false information.
- Transparent: Every participating node can see all transactions, when they occur and by whom they are made. This ensures that a reliable history is being kept for auditing purposes.
API
Does every tool in TELEMETRY have to become a DLT node? No. While DLT provides the key features mentioned above, having all testing and monitoring tools interact directly with the ledger adds significant complexity and overhead to the tools.
Therefore, the TELEMETRY approach is to have gateways that operate between the tools and the ledger. Such a gateway can serve multiple tools and offers a RESTful API which abstracts from the underlying DLT, providing the tools with an interface that is independent from the actual DLT implementation that is used underneath. Anything sent via this interface is formatted in JSON.
The gateway also facilitates user management and access control to ensure only authorised users have access to the ledger, which is essential as cybersecurity testing and monitoring results may contain sensitive information about the system’s current security posture. Further, it implements a context driven data model that ensures all data transactions adhere to predefined formats.
Context driven data model
What is a context driven data model? A context is a JSON format which defines the structure and meaning of a use-case specific data transaction, similar to a database schema in a conventional database. This includes structures for data as well as metadata. In addition, it defines permissions related to this context, i.e. which users can write or read data transactions for this context.
Any data transaction has to include a context id, indicating the context it relates to. It is then validated against that context, ensuring that the user is permitted to submit this data transaction and that the transaction complies with the structure that is given in the context.
In TELEMETRY, several contexts are defined to accommodate the different data transaction contents from various tools, e.g., a context for network anomaly reports or a context for vulnerabilities that have been identified based on offline software testing. Each tool that sends data will format its transactions in compliance with the context that is meant for this type of transactions. This also allows the consumers of those data, such as the risk or trust assessment tools, to query based on context to receive all transactions that have been seen for that specific context. This query functionality also enables operator dashboards to fetch information for an overview of the system’s current health. Last but not least, it provides the interface to retrieve all transactions for auditing purposes.
Conclusion
DLT is an enabling technology that comes with key features for reliable sharing and auditable recording of cybersecurity testing and monitoring results. It enables the TELEMETRY project to collect and record the outputs of various tools and store them on a trustworthy ledger that satisfies auditability requirements. Further, it allows the sharing of these data among the tools for further analysis. Hence, DLT is a key element in the overall TELEMETRY architecture, facilitating interoperation within the suite of TELEMETRY tools.
* Bernd-Ludwig Wenning is a Research Fellow at Munster Technological University (MTU) in Cork, Ireland. He holds Dipl.-Ing. and Dr.-Ing. degrees in electrical engineering and information technology from the University of Bremen, Germany.
In 2012, he joined the Nimbus Centre at MTU. Since then, he has worked on several national and EU funded projects. His research interests include mobile and wireless networks and protocols, IoT and cyber physical systems. Throughout his research career, he has authored or co-authored more than 50 publications.