Cyber Continuum; towards a security engineering framework incorporating legacy systems
Lead Research Organisation:
University of Oxford
Department Name: Computer Science
Abstract
Mark is looking into privacy and security of Internet of Things devices, and their wider infrastructural landscape. Current work includes a privacy and security analysis of connected cars through the examination of the data- gathering systems of a production vehicle, to ascertain some of the privacy-related threats to which such systems give rise.
Future work: With the lifecycle of an average car being approximately nine years, a connected car has a longer lifespan than the typical IoT device. In addition, it is significantly more likely to be re-sold over its lifetime. When looking at embedded devices across the IoT spectrum, more and more devices are falling outside traditional consumer devices such as speakers and home security, increasingly being used within city infrastructure, and in private and commercial transportation such as cars, the need for security management over longer lifecycles becomes more apparent.
The high-level research objectives are as follows;
1. What is the current state of the literature on the management of legacy embedded systems, and their associated infrastructure?
2. What is the current state of manufacturers providing security updates to their products?
3. What would a theoretical framework incorporating the long-term management of legacy IoT devices look like?
This research project is linked to the EPSRC Cyber Security Research theme
Future work: With the lifecycle of an average car being approximately nine years, a connected car has a longer lifespan than the typical IoT device. In addition, it is significantly more likely to be re-sold over its lifetime. When looking at embedded devices across the IoT spectrum, more and more devices are falling outside traditional consumer devices such as speakers and home security, increasingly being used within city infrastructure, and in private and commercial transportation such as cars, the need for security management over longer lifecycles becomes more apparent.
The high-level research objectives are as follows;
1. What is the current state of the literature on the management of legacy embedded systems, and their associated infrastructure?
2. What is the current state of manufacturers providing security updates to their products?
3. What would a theoretical framework incorporating the long-term management of legacy IoT devices look like?
This research project is linked to the EPSRC Cyber Security Research theme
Planned Impact
It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:
* The IT industry; vendors of hardware and software, and within this the IT Security industry;
* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;
* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;
* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;
* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;
* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.
Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
* The IT industry; vendors of hardware and software, and within this the IT Security industry;
* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;
* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;
* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;
* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;
* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.
Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
Organisations
Studentship Projects
| Project Reference | Relationship | Related To | Start | End | Student Name |
|---|---|---|---|---|---|
| EP/P00881X/1 | 01/10/2016 | 31/03/2023 | |||
| 1939093 | Studentship | EP/P00881X/1 | 02/10/2017 | 30/09/2021 | Mark Quinlan |