This blog post outlines asvin's research project, selected and funded under the NGIatlantic.eu 3rd Open Call. It is a short project with a duration of 3 months.

Introduction

Bootstrapping and maintaining fleets of IoT devices requires automated and secure procedures to process device identities, add devices to domain controllers and define their trust level in operations. New concepts for bootstrapping IoT devices are needed because existing procedures are weak in large-scale deployments and under the industry-specific constraints of edge operations. Centralized legacy systems and internet protocols often fail on security, trust and scalability when they are applied to IoT bootstrapping problems. These failures open the door to multiple attack vectors and expose a broad attack surface, ranging from spoofing IoT device identities, to compromising device authentication protocols, to weakening zero trust domain management control systems. For IoT to meet its true potential, new methodologies, architectures and protocols are needed for managing IoT device fleets on secure, trustworthy and scalable edge infrastructure and services.

In line with the NGI scope, this experiment will test new decentralized architectures and protocols on large-scale distributed networks to address the challenges of secure bootstrapping, identification and management of IoT devices at the edge. The experiment uses the US/EU BRIDGES and Fed4FIRE+ Virtual Wall testbed infrastructure and addresses the call topic on Discovery and Identification technologies in the area of industrial IoT cybersecurity solutions developed by the SME asvin.

The experiment will set up and stress test new IoT bootstrapping procedures based on decentralized network topologies and protocols:

  • Securely identifying IoT devices by using physical unclonable functions (PUF) to determine a unique identity, even for IoT devices with identical hardware construction and software properties
  • Generating a unique identifier (ID) for an IoT device based on PUF characteristics and binding the ID to cryptographic hash properties
  • Storing the ID and hash properties in a decentralized manner to provide a distributed identity ledger that can be operated in edge scenarios
  • Bootstrapping IoT devices, adding them to device management systems and assigning trust levels based on the ledger identity in automated processes.
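
The four steps listed above can be sketched end to end as follows. This is an added illustration, not asvin's code or protocol: the use of SHA-256, the hash-chained in-memory ledger, the property fields and the trust level names are all assumptions, and the PUF response is assumed to be already stabilised (real PUF readouts are noisy and need error correction before they can be hashed).

```python
import hashlib, json

def _h(obj) -> str:
    """SHA-256 over a canonical JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def device_id(puf_response: bytes) -> str:
    # Assumption: the ID is a hash of an already-stabilised PUF response.
    return hashlib.sha256(b"puf-id:" + puf_response).hexdigest()

def binding_hash(dev_id: str, props: dict) -> str:
    # Binds the PUF-derived ID to the device properties recorded at enrolment.
    return _h({"id": dev_id, "props": props})

class Ledger:
    """Toy append-only ledger: every entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def enrol(self, puf_response: bytes, props: dict) -> None:
        dev_id = device_id(puf_response)
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"id": dev_id, "binding": binding_hash(dev_id, props), "prev": prev}
        self.entries.append({**body, "entry_hash": _h(body)})

    def chain_ok(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("id", "binding", "prev")}
            if e["prev"] != prev or e["entry_hash"] != _h(body):
                return False
            prev = e["entry_hash"]
        return True

def bootstrap(ledger: Ledger, puf_response: bytes, props: dict) -> str:
    """Return a trust level for a joining device (level names are hypothetical)."""
    if not ledger.chain_ok():
        return "reject"        # ledger copy was altered: do not trust any entry
    dev_id = device_id(puf_response)
    entry = next((e for e in ledger.entries if e["id"] == dev_id), None)
    if entry is None:
        return "reject"        # identity was never enrolled
    if entry["binding"] != binding_hash(dev_id, props):
        return "quarantine"    # enrolled device, but properties differ from enrolment
    return "trusted"

# Constructed sample data: two devices with identical properties, different PUF responses.
PROPS = {"model": "sensor-x", "firmware": "1.0.0"}
PUF_A, PUF_B = bytes.fromhex("a1" * 16), bytes.fromhex("b2" * 16)
```

Enrolling both sample devices and then calling `bootstrap` with a changed firmware string returns `quarantine`, while an unknown PUF response or a modified ledger entry returns `reject`.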

In the experiment, this process will be tested under real transatlantic conditions, using the US BRIDGES testbed to stress the architectures and protocols with variable network connections (bandwidth, connectivity, packet loss rate) and variable conditions for IoT endpoints and nodes. The BRIDGES testbed, funded by the Office of Advanced Cyberinfrastructure (OAC), International Research and Education Network Connections (IRNC) (Grants: 202922, 202918), is a particularly good fit for this test because it is intrinsically meant to facilitate transatlantic research collaboration, it provides both transport and edge-computing resources, and it offers the flexibility to dynamically adjust the testbed based on needs.

The experiment will be executed in 3 stages to validate the novel IoT bootstrapping process through a scaling stress test:

  • Initial setup with 100 IoT devices and 2 ledger nodes. Devices will be emulated by digital twins of IoT devices via Docker containers on asvin cloud infrastructure.
  • Mid-scale experiment with automated bootstrapping of 1,000 IoT devices on a network
  • Large-scale experiment with 100,000 IoT devices

Results will be used for iterative optimization of node and device settings to improve scalability, reduce latencies and remove points of failure in the automated IoT bootstrapping process based on PUF identification and distributed processing. asvin will publish the results under an open science (CC) licence and as open source.