Posted by j.laird on 11 August 2021 - 10:00am

By 2021 RSE Fellow Domhnall Carlin.

Cross-posted from the RSE website.

I'm Dr Domhnall Carlin and I had the privilege of being one of the successful 2021 RSE Fellows. This is a huge achievement for Queen’s University Belfast (QUB), as it is the first time this Fellowship has been awarded not only to the university, but in Northern Ireland, and I was one of two recipients from QUB.  

I’m based at QUB’s Centre for Secure Information Technologies (CSIT), which was established in 2009 as an InnovateUK/EPSRC-funded Innovation and Knowledge Centre for Cyber Security. It holds a prestigious Regius Professorship, is currently an EPSRC/NCSC Academic Centre of Excellence in both Cyber Security Research and Education and was awarded a Queen’s Anniversary Prize for Higher and Further Education in 2015. CSIT is home to a Cybersecurity Lab and Cyber Range, which provide the infrastructure for large-scale cybersecurity experiments. This fellowship will enhance this provision with additional functionality, allowing a greater range of training and investigation by researchers, students and industry.

My Fellowship is entitled “CyReSE: Cybersecurity Research Software Engineering” and has three key aims:

1. promote a sustainable approach to research software development within the field of cyber security, by building and supporting robust research software for critical cyber security projects;
2. develop both hard and soft Software Engineering (SE) skills in researchers who write code, but have no formal SE training and; 
3. promote RSE as a career path within CSIT, QUB, and the UK and Ireland as a whole. 

This will be achieved through four key objectives, mapping to the aims of CSIT and the four pillars of RSE [1].

• Improve the maintainability, sustainability and robustness of key research software artefacts by applying core software development expertise to cutting-edge research. The key research focus of this Fellowship is the rapid and accurate mitigation of Internet of Things (IoT) threats.
• Create and promote an RSE community not only within QUB, but also establishing an RSE Chapter in NI encompassing public and private organisations, to further develop the benefits of the RSE discipline.
• Improve overall software standards in research groups in QUB by delivering dedicated SE skills training across faculties to PhDs, researchers and academics.
• Advocate for the RSE career path through outreach and policy initiatives in QUB and NI.

Computers are no longer noisy white boxes. They are light bulbs, door locks and security cameras, all connected as part of the Internet of Things. IoT is a broad definition of inexpensive embedded devices that are connected to a network. However, the evolution of a global network of internet-connected consumer devices, previously the preserve of computers, has rapidly outpaced security considerations. The IoT ecosystem allows low-powered mini-computers, such as kettles and doorbells, to become hyperfunctional, for the end user and prospective hacker. As networks are only as secure as their weakest links, insecure IoT devices are low-hanging fruit for attackers trying to gain a foothold into a network, whether in the home, enterprise or industry. 

The key project within CyReSE will support urgent research into the cybersecurity of the IoT ecosystem, which allows consumer products to become connected. A key question from the National Cyber Security Centre (NCSC) Open Problem Book is ‘how vulnerable is the UK to 'zero day' software exploits against the commodity technology platforms in use across the country, in a wide variety of applications?’ This Fellowship seeks to support research to address this question, by providing a dedicated RSE attached to key cyber security research fields. The cornerstone project directly tackles the question of commodity technology by taking a device security approach to IoT consumerware. 

The global IoT market, worth $250.72 billion in 2019, is projected to grow to $1,463.19 billion by 2027 [2], with leading silicon manufacturer Arm expecting over a trillion devices to be using its processors. Security of these devices is still an immense challenge. Symantec reported an average of 5,400 monthly attacks targeting IoT devices in 2019 [3]. In the same year, Avast demonstrated a honeynet of 500 fake IoT devices over four days, with 23.2 million potential attacks attempted [4]. This trend is escalating, with IoT devices now responsible for 32.72% of all infections observed in mobile networks, up 100% from 2019 [5].There is an urgent need for novel research on increasing the security posture of such devices, and in providing solutions capable of being implemented in light-weight contexts against future and emerging attacks. As Panasonic state: “Even with security activities that cover the product lifecycle from threat analysis to incident response, these challenges remain” [6].

This Fellowship will support a key research project into software-based approaches for IoT attack mitigation. It will establish a novel IoT testbed, including a set of intentionally vulnerable honeypots (a honeynet) to attract the latest attacks for analysis, and consumer devices to test processor-level software-based mitigations to threats. 

This testbed will also be employed for multi-disciplinary collaboration with Dr Leonie Maria Tanczer from University College London into IoT-based tech-abuse. This will extend CyReSE by employing the testbed to replicate known attack scenarios deployed by Intimate PArtner Violence (IPV) perpetrators, which are typically UI-bound. This will increase the meaningful impact of the research facilities developed as part of CyReSE by investigating new risk vectors and possible mitigation strategies, suitable for non-technical end-users, but especially for high-risk individuals. 

A final key aim of this Fellowship is to establish an RSE presence within the university, promoting RSE as a career pathway to attract and retain high level engineers. This has the potential to be the nucleus of the first RSE Chapter in Northern Ireland and significant time will be committed to outreach and citizenship activities, both within the university and externally, meeting aims of the Society of Research Software Engineers, and of the Fellowship.

References

[1] J. Cohen, D. S. Katz, M. Barker, N. P. Chue Hong, R. Haines and C. Jay. (2020) "The Four Pillars of Research Software Engineering," in IEEE Software, doi: 10.1109/MS.2020.2973362.

[2] Fortune Business Insights (2020) IoT Market Size, Share & Covid-19 Impact Analysis. https://www.fortunebusinessinsights.com/industry-reports/internet-of-things-iot-market-100307

[3] Symantec (2019) Internet Security Threat Report 2019. 

[4] A. T. Intelligence, “When big fish get caught with big bait,” (2019) [Online]. ’https://blog.avast.com/millions-of-attacks-on-fake-iot-devices’ 

[5] Nokia (2020) Threat Intelligence Report Oct 2020. Available: https://onestore.nokia.com/asset/210088

[6] H. Y. Lin and Y. Osawa, (2019) “Understanding the IoT threat landscape and a home appliance manufacturer’s approach to counter threats to iot".