Security in IoT for Smart Grids

The leading goal of «Security for the Internet of Things - IoTSec» is to develop, extend and apply security and privacy models for IoT, and apply them to the Smart Grids and Smart Home as a part. Though the potential of digital services is overwhelming, we see security and privacy challenges that hinder wider adoption of IoT, and as such in need to be addressed. Applications related to Smart Grid operations include automated meter reading (s.a. currently widely deployed in Norway), remote control of home devices (known as Smart Home Energy Management Systems), alarm services, or virtual fall detection service, to name a few. Given the successful attacks on electricity networks seen internationally, protecting the Norwegian grid with all its components is of fundamental interest. The power supply grid is vulnerable, both due to varying load, but also due to natural forces like water, ice and storms. Intelligent decisions in the network and at the edge of the network can reduce the vulnerability of the network and help that basic services like energy provision are still available. IoTSec works on two directions: (A) building a robust research team with academic experts in the area and (B) creating an industrial ecosystem of actors interested or in need for security in Smart Grids. As such, IoTSec started with 11 Norwegian partners, and has grown to more than 20 partners nationally and internationally, as well as attracted considerable new funding including the European Horizon 2020 project FLEXGRID and established physical lab environments for this purposes including the CPS Lab at the University of Oslo and the Cyber Security Lab in Halden. The project has attracted renewed interest both from inside Norway (e.g. joint MSc supervisions with NVE on Smart Meter security) as well as from abroad (e.g. several summer internship projects done within the IoTSec by French students associated to industry actors like Bosch or RTE the French Electricity Transmission Operator). Besides the academic work on enhancing security, three new methodologies have been developed: (A) The Smart Grid Security Methodology based on the French government's ANSSI methodology for helping designers of critical infrastructures to make correct decisions regarding security functionalities for their systems, (B) Privacy Labeling methodology that enhances the European EuroPriSe methodology with measurability of the usability of privacy, thus offering both regulators and users a way to go beyond GDPR compliance seal into a scaled and layered visualization of the degrees of privacy achieved by an IoT product or service, and (C) A method based on psychology techniques for doing predictions of stakeholder behavior regarding security, given limited access to subjects people s.a. CEOs or CSOs, thus enhancing the classical CIRA method of risk analysis. The project has also developed low-level techniques for programming and modeling in a secure manner and in a GDPR compliant manner with respect to some aspects of privacy. We have used these techniques in several use case including the modelling of IoT systems in: (i) Smart Homes, (ii) Smart Meters, and (iii) Advanced Metering Infrastructures.

IoTSec outcomes and results highlighted: 1) Developed a framework for modelling security and privacy of IoT systems, with tools for analysing properties s.a. GDPR compliance. (See UiO papers at https://IoTSec.no) 2) Established Smart Grid Security Centre to advise about the risks and vulnerabilities of smart grid systems. Established the Cyber Security Lab in Halden on smart-home/building/grid, and their security. (Available through partner Smart Innovation Norway) 3) Launched the new Cluster for Applied AI, receiving Arena status, promoting advanced AI technologies and IoT Devices in the Norwegian industry and society. 4) Developed SGAM-H: Smart Grid Architecture Model Extended with the Human Layer for construction of human motivational profiles for risk analysis. (See NTNU papers) 5) Developed the LightSC security classification tool for DevSecOps, available open-source at https://lightsc.azurewebsites.net 6) Multiple H2020 grants, 8 obtained by Smart Innovation Norway alone.

IoTSec aims at creating a robust research team being a top international player for security in the Internet of Things with special focus on Smart Grid infrastructures. Academic partners being UiO, Simula Research, UNIK, NR, HiG have established a close collaboration with Smart Innovation Østfold, eSmartSystems, Fredrikstad Energi, EB Nett, and Movation to extend the IoTSec project into an outstanding cluster of projects for impact driven research. The expected outcome is foreseen along four axes being (i) the robustness of the research cluster with a total of 14 Professors/senior researchers and 15 PhDs, (ii) the scientific outcome with more than 12 journal articles, 25 conference papers and 9 workshops, (iii) a cluster of at least 12 national and international projects, and (iv) the industrial impact with the creation of the industrial security centre for Smart Grid, based on the framework and the security models developed through the cluster. The envisaged focus areas for the research address system description, security modelling, evaluation and industrial applicability. The system description is driven by the requirements of applications, the measurability of security, and the threat modelling based on anomaly and attack detection. The expected outcome is a semantic description of the infrastructure, services, privacy and security functionality as well as attack surface. Components of IoT security models focus on adaptive security models being privacy-aware. Through semantic modelling we will address formal methods for semantic provability of system of systems. The application-driven system versus goal analysis will be driven by a Multi-Metrics approach, taking into account security usability and the human/technology interface. Applicability of the security models and modules will be implemented in the security lab hosted by NCE Smart and drives the development of the framework components.