Hybrid IoT Cyber Range.

The use of IoT devices has increased rapidly in recent times. While the development of new devices is moving quickly, and as prices are being forced down, the costs of developing such devices also needs to be reduced. IoT devices are now trusted with more critical tasks, and it is important that they behave as intended and that the information they process is protected. It is not always the IoT device itself that is the target of a cyber attack, but rather, it can be a tool for another attack. Home consumers, in particular, expect these devices to be easy to use and set up. However, to reduce costs, complexity, and time, security measures are often cut down. To increase awareness and knowledge in IoT security, education, awareness, demonstrations, and training are necessary. Small changes may result in significant security benefits. With increased awareness and knowledge among developers, manufacturers, and users, they can make choices that can improve security. To increase knowledge and awareness in IoT security, a proposed solution is a training ground for IoT security, an IoT cyber range. Cyber ranges have received more attention lately, but not as much in the IoT field, at least not what is publicly available. As the diversity in IoT devices is large with different vendors, architectures, and components and peripherals, it is difficult to find one solution that fits all IoT devices. To some extent, IoT devices can be emulated, but it is not feasible to create emulators for all types of devices. To cover all needs, it is necessary to combine digital emulation with real hardware. A cyber range with this combination is called a hybrid cyber range. This work surveys the requirements for a hybrid IoT cyber range and proposes a design and implementation of a range that fulfills those requirements.

Automatic Verification and Execution of Cyber Attack on IoT Devices.

Internet of Things (IoT) devices are becoming a part of our daily life; from health monitors to critical infrastructure, they are used everywhere. This makes them ideal targets for malicious actors to exploit for nefarious purposes. Recent attacks like the Mirai botnet are just examples in which default credentials were used to exploit thousands of devices. This raises major concerns about IoT device security. In this work, we aimed to investigate security of IoT devices through performing automatic penetration test on IoT devices. A penetration test is a way of detecting security problems, but manually testing billions of IoT devices is infeasible. This work has therefore examined autonomous penetration testing on IoT devices. In recent studies, automated attack execution models were developed for modeling automated attacks in cyber ranges. We have (1) investigated how such models can be applied for performing autonomous IoT penetration testing. Furthermore, we have (2) investigated if some well known and severe Wi-Fi related vulnerabilities still exist in IoT devices. Through a case study, we have shown that the such models can be used to model and design autonomous penetration testing agents for IoT devices. In addition, we have demonstrated that well-known vulnerabilities are present in deployed and currently sold products used in IoT devices, and that they can be both autonomously revealed through our developed system.

UIOT-FMT: A Universal Format for Collection and Aggregation of Data from Smart Devices.

Information Technology (IT) has become an essential part of our lives and due to the emergence of the Internet-of-Things (IoT), technology has encompassed a majority of things that humans rely on in their daily lives. Furthermore, as IT becomes more relevant in daily lives, the need for IT to serve public emergency services has become more important. However, due to the infancy status of IoT, there is a need for a data consortium that would prove to be best used in servicing policing in a technological driven society. This paper will discuss the plausibility of creating a universal format for use in carrying out public services, such as emergency response by the police and regular law maintenance. In this research we will discuss what the police requires in their line-of-duty and how smart devices can be used to satisfy those needs. A data formatting framework is developed and demonstrated, with the goal of showing what can be done to unifying data from smart city sensors.

Implementation of a secure and interoperable generic e-Health infrastructure for shared electronic health records based on IHE integration profiles.

INTRODUCTION: The ubiquitous availability of medical or care data for authorized clinicians and nurses is expected to increase quality while reducing costs in the health care sector. The standardized, distributed provision of medical or care data is capable to support the vision of patient centered shared electronic health records (SEHRs). A main contribution to cross-institutional data exchange is provided by Integrating the Healthcare Enterprise (IHE). However, holistic implementations of IHE based eHealth infrastructures for SEHRs are currently rare and security and privacy regulations are not fully covered by existing IHE Integration Profiles. This work aims to point out our experiences and lessons learned from five years of development and the implementation of IHE compliant products. METHODS: Cross-Enterprise Document Sharing (XDS) describes the base components for exchanging medical or care data. A unique patient Identification is described by the Patient Identifier Cross-referencing (PIX) and the Patient Demographics Query (PDQ) Integration Profile. All interactions are logged in an "Audit Record Repository" deployed once per Affinity Domain and defined in the Audit Trail and Node Authentication (ATNA) Integration Profile. RESULTS: Based on the IHE Integration Profile XDS and other Integration Profiles high-level components for eHealth infrastructures and applications, supporting a holistic, secure concept and, based on these concepts, software products for a technical cooperative care infrastructure, has been developed. The products are practically evaluated in a project for setting up an IHE XDS Affinity Domain in the Austrian district of Tyrol and a number of lessons have been learned.

Meeting EHR security requirements: SeAAS approach.

In the last few years, Electronic Health Record (EHR) systems have received a great attention in the literature, as well as in the industry. They are expected to lead to health care savings, increase health care quality and reduce medical errors. This interest has been accompanied by the development of different standards and frameworks to meet EHR challenges. One of the most important initiatives that was developed to solve problems of EHR is IHE (Integrating the Healthcare Enterprise), which adapts the distributed approach to store and manage healthcare data. IHE aims at standardizing the way healthcare systems exchange information in distributed environments. For this purpose it defines several so called Integration Profiles that specify the interactions and the interfaces (Transactions) between various healthcare systems (Actors) or entities. Security was considered also in few profiles that tackled the main security requirements, mainly authentication and audit trails. The security profiles of IHE currently suffer two drawbacks. First, they apply end point security methodology, which has been proven recently to be insufficient and cumbersome in distributed and heterogeneous environment. Second, the current security profiles for more complex security requirements are oversimplified, vague and do not consider architectural design. This recently changed to some extend e.g., with the introduction of newly published white papers regarding privacy [5] and access control [9]. In order to solve the first problem we utilize results of previous studies conducted in the area of security-aware IHE-based systems and the state-of-the-art Security-as-a-Service approach as a convenient methodology to group domain-wide security needs and overcome the end point security shortcomings.