Safeguarding COVID-19 Vaccines with SSI - Part 1

DEFINING THE FUTURE OF IOT WITH DISTRIBUTED IDENTITY MANAGEMENT

Frank Kottler

Analyst @CHAINSTEP GmbH

IoT systems come in many colors and facets. From a seemingly simple smart home, where light sensors control your window blinds and your fridge places a one-hour grocery delivery order based on its contents and a recipe suggestion it pushed to your phone, to autonomous warehouses, to high-fidelity adaptive production systems, where lot size 1 and production-on-demand require constant modification of the production plan and input replenishment, all while the production process is being monitored by the customer – IoT will affect almost every industry. The widespread application of IoT devices makes them an attractive target for cyber-attacks, and IT network architects will quickly face operational challenges in securing their IoT networks due to the devices’ intrinsic properties.

In many cases, the problem underpinning IoT network security resembles the classic blockchain business case: to create trust – in this case, trustworthy data and message exchange – in a trustless environment. While the self-sovereign identity (SSI) concept resolves this problem in a specifically distributed manner, we want to explore current solutions and compare their properties to distributed architectures, including SSI. Many desirable network properties (throughput, simplicity, confidentiality, to name a few) are much easier to implement in conventional solutions – it will be exciting to understand how each approach can deliver value for IoT network security depending on the specific application.
For illustration purposes, we consider the fictitious logistics company VirGo, which has won a government contract to deliver COVID-19 vaccines. VirGo is a modern company, and the promise of 100% transparency, last-minute flexibility and zero faults is compelling to the government. Both parties are open to intensifying their partnership if the rollout is successful. VirGo relies on smart temperature and location sensors to safeguard the cooling chain, and operates various regional secure warehouses with granular and temporary access privileges. Can their IoT system support this challenge? Let’s take a look…

Known and unknown challenges for IoT networks

Compared to the conventional corporate IT infrastructure of the past decades, IoT networks exhibit three remarkable differences: they connect (1) many distinctly different devices that might all speak a different language (i.e., use different APIs), (2) almost exclusively wirelessly (which makes the connection easier to intercept), and (3) the devices are technologically constrained and not easily upgradeable to host more computing power or memory.

In VirGo’s concept, warehouse access is geofenced based on a truck’s location, and a cooling chain violation should automatically stop the transport and block any handover of the cargo. The thermometer must suddenly share information with the handheld scanner, and the location sensor, trucker badge and warehouse gate all need to find a common ground. False or falsified data, correct data from the wrong device, or incomplete data could immediately endanger vaccine safety. Moreover, devices come from different manufacturers and were designed for a variety of use cases: the temperature sensor might just as well be used on a production shop floor, and location sensors are equally useful in military applications. Keeping their firmware current and ensuring device interoperability become ever more complex tasks with each additional device. Granular access control to the different device data and functions increases complexity even more and aggravates the risk of outdated or orphaned access policies, while overly broad access policies invite fraud, “vaccine inside jobs”, or simply create another attack vector for (cyber-)crime of arbitrary motivation. The same is true when data streams can easily be overheard. In addition, existing devices are maintained and replaced and new devices are onboarded, all while the network needs to be shielded from unknown and/or potentially malicious participants.

Attack model for VirGo’s IoT network

Attacks on sender and receiver

Sybil attack. The attacker spawns multiple fake devices in order to alter network voting power, message routing, resource allocation, or distributed data stores (51% attack).

Identity spoofing. The attacker pretends to be a known device in order to obtain its privileges. The attack can result in falsified data, injection of non-existent data and information loss.

(Distributed) Denial of Service. The attacker causes node outage by jamming its interface with useless packets.

Attacks on the message

Message alteration. The attacker intercepts and changes the transmitted messages, resulting in falsified data.

Message replay. The attacker retransmits a previous, valid message, causing falsified data and unaccountability.

Attacks on the route

Sinkhole attack. The attacker intercepts the communication (man-in-the-middle attack) and refuses to forward messages. This causes information loss and renders device communication unreliable.

Sniffing. The attacker eavesdrops on device communication and gains unauthorized access to restricted data, causing data leakage.

Jamming. Instead of a (D)DoS attack on a node, the attacker jams the network with useless traffic, causing packet collisions, forcing data retransmission, and occupying network bandwidth. This results in energy drain on the sensor side and network unavailability.

Exhibit 1. Attack model for VirGo’s network.

Despite all these challenges, this kind of IoT magic is already up and running as of today, but for VirGo’s network administrator, Dylan, considering the properties of their application, it becomes evident that a secure IoT system must be capable of:

  • Ensuring access control (only permissioned users/devices may access sensor data),
  • Ensuring system availability,
  • Protecting from message alteration,
  • Protecting from identity spoofing (pretending to be a different device),
  • Protecting from eavesdropping,
  • Creating an audit trail: who did what in the system and when?
  • Simplifying device management,
  • Facilitating device interoperability.

While the latter exposes the system to exciting new applications (more about this in a future post), it is also a security requirement in the sense that the system must support enhancements as IoT technology progresses.
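Several of the capabilities above (access control with granular, temporary privileges, a cooling chain violation that blocks the handover, geofenced warehouse access, and an audit trail of who did what and when) come together in a single authorization decision at the warehouse gate. The following Go program is an added example, not VirGo’s or CHAINSTEP’s code; every value in it (the badge and lot identifiers, the WH-N gate coordinates and 1 km geofence, the -60 °C cold-chain limit, the grant window) is a constructed assumption for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// Added illustration only, not VirGo's or CHAINSTEP's code. Identifiers,
// coordinates and thresholds below are constructed for the example.

type Coord struct{ Lat, Lon float64 } // WGS-84 degrees
// Grant: a time-bounded permission; the explicit expiry makes orphaned grants fail closed.
type Grant struct {
	Badge, Shipment, Warehouse string
	NotBefore, NotAfter        time.Time
}

type Warehouse struct {
	Gate     Coord
	RadiusKm float64 // geofence around the gate
}

type Handover struct {
	Badge, Shipment, Warehouse string
	TruckPos                   Coord
	ColdChainC                 []float64 // temperature readings (Celsius) collected on the way
	Now                        time.Time
}

// AuditEntry answers "who did what in the system and when".
type AuditEntry struct {
	At                        time.Time
	Badge, Shipment, Decision string
}

type Policy struct {
	Grants     []Grant
	Warehouses map[string]Warehouse
	MaxTempC   float64 // cold-chain limit
	Audit      []AuditEntry
}

var (
	ErrOutsideFence   = errors.New("truck outside the geofence of a known warehouse")
	ErrColdChainBreak = errors.New("cold chain violation: handover blocked")
	ErrNoGrant        = errors.New("no valid grant for badge, shipment and warehouse")
)

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(a, b Coord) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(b.Lat-a.Lat), rad(b.Lon-a.Lon)
	h := math.Pow(math.Sin(dLat/2), 2) + math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(h))
}

// Authorize decides a handover and records the outcome in the audit trail either way.
func (p *Policy) Authorize(h Handover) error {
	err := p.check(h)
	decision := "allowed"
	if err != nil {
		decision = "denied: " + err.Error()
	}
	p.Audit = append(p.Audit, AuditEntry{h.Now, h.Badge, h.Shipment, decision})
	return err
}

func (p *Policy) check(h Handover) error {
	wh, known := p.Warehouses[h.Warehouse]
	if !known || haversineKm(h.TruckPos, wh.Gate) > wh.RadiusKm {
		return ErrOutsideFence
	}
	for _, t := range h.ColdChainC { // any excursion blocks the handover
		if t > p.MaxTempC {
			return ErrColdChainBreak
		}
	}
	for _, g := range p.Grants { // need a matching grant that is valid right now
		if g.Badge == h.Badge && g.Shipment == h.Shipment && g.Warehouse == h.Warehouse &&
			!h.Now.Before(g.NotBefore) && !h.Now.After(g.NotAfter) {
			return nil
		}
	}
	return ErrNoGrant
}

// SamplePolicy is a constructed policy: one site and one ten-hour grant.
func SamplePolicy() *Policy {
	day := time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC)
	return &Policy{
		Grants:     []Grant{{"badge-17", "lot-42", "WH-N", day.Add(8 * time.Hour), day.Add(18 * time.Hour)}},
		Warehouses: map[string]Warehouse{"WH-N": {Coord{53.550, 9.990}, 1.0}},
		MaxTempC:   -60,
	}
}

func main() {
	p := SamplePolicy()
	req := Handover{"badge-17", "lot-42", "WH-N", Coord{53.551, 9.993}, []float64{-70.1, -69.8},
		time.Date(2021, 3, 1, 10, 0, 0, 0, time.UTC)}
	fmt.Println("error:", p.Authorize(req), "audit:", p.Audit)
}
```

The order of checks is deliberate: geofence and cold chain are evaluated before any grant, so a badge holder cannot hand over a compromised shipment even with a valid grant, and every decision, allowed or denied, lands in the audit trail. Grants carry their own expiry, which is the simplest defence against the outdated or orphaned access policies mentioned above.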

Network design requirements

Given the high profile of the vaccine delivery contract, Dylan the network administrator decides to revisit VirGo’s network architecture – perhaps they can even identify new service opportunities based on their security concept. Needless to say, the general topic of cybersecurity is much more complex than what we are discussing here. The not-for-profit technological consulting organization MITRE has released the industry-recognized ATT&CK framework of over 150 cyber-attack techniques, and its complementary D3FEND framework of cybersecurity countermeasures. In VirGo’s current production system, the network administrator has limited control over many potential attack vectors, especially device hardware and firmware security. This is why Dylan needs to focus all the more on securing device communication. For this reason, he focuses on potential attacks around Credential Access, Network Discovery, Data Collection and Impact as referenced in the ATT&CK framework. In this context, we also want to focus solely on preventive countermeasures, to be found in the Hardening section of the D3FEND framework.

A “communication event” in VirGo’s network consists of sender, receiver, the actual message/data (which includes a timestamp), and the route the message packet takes from sender to receiver. Consequently, Dylan analyzes these elements for possible threats based on their previous considerations, resulting in the attack model[1] in Exhibit 1.

To defend against these attacks, Dylan derives mitigating network design principles. These combine the implications of the attack model with the required capabilities identified in the previous step: VirGo’s IoT network needs to provide availability, scalability, message integrity, identity, mutual authentication, and confidentiality (see Exhibit 2). The design principle of identity requires that a device be able to acquire system-specific attributes and a history of its actions. For VirGo, this means their location and temperature sensors must be individually distinguishable in the network, so that a data stream can be allocated to the correct sensor in the correct truck (history of actions). It also ensures that VirGo can admit only those sensors and controllers to the network that have been configured and commissioned by Dylan and their colleagues (system-specific attributes).

Mutual authentication goes a step further and requires devices to prove their identity to their communication partners. In plain words, devices must securely prove they are who they claim to be. Identity without authentication does not make sense, as this state would render attribute and data allocation unreliable. Still, it deserves an extra mention, as authentication is also a basic building block for properties such as non-repudiation and confidentiality (see below). It is equally important for the sending device to verify the identity of the receiving device (mutual authentication), so as to prevent information leakage.

Exhibit 2. How security considerations inform design principles, and their interplay.

Message integrity requires that message alterations or damages can be detected (in “blockchain speak”: messages are tamper-evident). For VirGo’s purposes, integrity also includes non-repudiation (the sender cannot deny having sent a certain message) and data freshness (the messages received are current within an acceptable delay and not outdated).

Availability means all functions of the system are available to the devices when they need them, while confidentiality ensures that transmitted messages cannot be overheard by unauthorized devices. Finally, a scalable system can be easily expanded and devices can be securely added, managed and removed even when the number of managed devices is large. Also, the system throughput should support dynamic growth of the network.
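Identity, authentication, integrity, non-repudiation and data freshness all meet at the moment a receiving device decides whether to accept a message. The Go program below is an added example, not VirGo’s or CHAINSTEP’s code, showing one way to implement that decision with Ed25519 signatures from Go’s standard library; the device identifiers, the 30-second freshness window and the temperature readings are constructed assumptions. It covers the sender- and message-side entries of the attack model in Exhibit 1 (identity spoofing, message alteration, message replay) together with the design principles of this section:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"time"
)

// Added illustration only, not VirGo's or CHAINSTEP's code. Device IDs, the
// 30-second freshness window and the readings are constructed.
type Reading struct { // the signed content of one communication event
	Sender, Receiver string
	Seq              uint64    // per-sender monotonic counter, for replay detection
	SentAt           time.Time // for freshness
	TempC            float64
}

// canonical is the exact byte string signed and verified; strings are length-prefixed so field boundaries cannot shift.
func canonical(r Reading) []byte {
	var b bytes.Buffer
	for _, s := range []string{r.Sender, r.Receiver} {
		binary.Write(&b, binary.BigEndian, uint32(len(s)))
		b.WriteString(s)
	}
	binary.Write(&b, binary.BigEndian, r.Seq)
	binary.Write(&b, binary.BigEndian, r.SentAt.UnixNano())
	binary.Write(&b, binary.BigEndian, math.Float64bits(r.TempC))
	return b.Bytes()
}

type Signed struct{ Reading Reading; Sig []byte } // what travels over the route

// Sign runs on the sensor; only that device holds the key, so the signature also gives non-repudiation.
func Sign(priv ed25519.PrivateKey, r Reading) Signed {
	return Signed{r, ed25519.Sign(priv, canonical(r))}
}

var (
	ErrUnknownSender = errors.New("sender not commissioned (possible identity spoofing)")
	ErrWrongReceiver = errors.New("message addressed to another device")
	ErrBadSignature  = errors.New("signature invalid (message altered or forged)")
	ErrStale         = errors.New("message outside freshness window")
	ErrReplay        = errors.New("sequence number already accepted (replay)")
)

// Receiver knows commissioned devices' public keys and the last accepted sequence number per sender.
type Receiver struct {
	ID       string
	MaxDelay time.Duration
	trusted  map[string]ed25519.PublicKey
	lastSeq  map[string]uint64
}

func NewReceiver(id string, maxDelay time.Duration) *Receiver {
	return &Receiver{id, maxDelay, map[string]ed25519.PublicKey{}, map[string]uint64{}}
}

// Commission registers a new device's public key; the private key stays on the device.
func Commission(rx *Receiver, deviceID string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rx.trusted[deviceID] = pub
	return priv
}

// Accept checks identity, addressing, integrity, freshness and replay, in that order.
func (rx *Receiver) Accept(m Signed, now time.Time) error {
	pub, ok := rx.trusted[m.Reading.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if m.Reading.Receiver != rx.ID {
		return ErrWrongReceiver
	}
	if !ed25519.Verify(pub, canonical(m.Reading), m.Sig) {
		return ErrBadSignature
	}
	if age := now.Sub(m.Reading.SentAt); age > rx.MaxDelay || age < -rx.MaxDelay {
		return ErrStale
	}
	if last, seen := rx.lastSeq[m.Reading.Sender]; seen && m.Reading.Seq <= last {
		return ErrReplay
	}
	rx.lastSeq[m.Reading.Sender] = m.Reading.Seq // only a fully valid message advances replay state
	return nil
}

func main() {
	gate := NewReceiver("gate-north", 30*time.Second)
	key := Commission(gate, "temp-sensor-7")
	m := Sign(key, Reading{"temp-sensor-7", "gate-north", 1, time.Now(), -70.2})
	fmt.Println("first:", gate.Accept(m, time.Now()), "replay:", gate.Accept(m, time.Now()))
}
```

A commissioned device is one whose public key the receiver knows (identity and system-specific attributes); the per-sender sequence number provides the history of actions and catches replays; the timestamp window enforces freshness; and because each sensor signs with its own private key, a reading can later be attributed to exactly that sensor (non-repudiation). The receiver-ID check only ensures the message was meant for this device; full mutual authentication would additionally require the receiver to prove its identity to the sender, which a one-way message cannot show. Confidentiality is likewise out of scope here: a signature does not hide the payload, so an encrypted transport is still needed against sniffing.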

Join us in the next post as Dylan discovers the available architectures to tackle their IoT security problem – do they deliver what they promise?

[1] Sakiz, F., & Sen, S. (2017). A survey of attacks and detection mechanisms on intelligent transportation systems: VANETs and IoV. Ad Hoc Networks, 61, 33-50. https://doi.org/10.1016/j.adhoc.2017.03.006

Walters, J. P., Liang, Z., Shi, W., & Chaudhary, V. (2007). Wireless Sensor Network Security: A Survey. In Y. Xiao (Ed.), Security in Distributed, Grid, Mobile, and Pervasive Computing (pp. 367-409). Auerbach Publishing. https://doi.org/10.1201/9780849379253-20
