26.05.2012




Mit Sicherheit innovativ! (Innovative with Security!)

Claudia Eckert
TU München, Fraunhofer Institut AISEC

40 Jahre Informatik Hamburg
18.11.2011, Universität Hamburg




Outline

1. Motivation: Computer science shapes the future
2. Future Internet
     Computer science as a driver of innovation
3. Security Threats
     Innovations need security
4. Research Topics
     Security needs research
5. Selected Examples @AISEC/TUM
     Innovative with security!
6. Summary




 1. Motivation


Mainframes, Embedded, Smart Environments & CPS

[Figure: evolution of computing over time. Labels on the slide: 1) Mainframes (1 computer, multiple users); 1 computer, 1 user; 1 user, multiple computers; 4) RFID tags, embedded (M2M); 5) Smart Environments & CPS (Smart Grid, Factory of the Future). Callouts: 90% of all CPUs are embedded; 8.5% growth; 17 billion total revenue.]




1. Motivation
   Trends in ICT

  Cyber Physical Systems (CPS)
  • Integration of physical environments  and ICT systems (of systems)
  Characteristics: 
  • Lots of autonomous devices/sensors (e.g. Smart Grid)
  • Embedded systems
  • Heterogeneous networks
  • M2M-communication

  Main tasks:
  • Controlling & monitoring complex systems, often in real-time
  • Collecting data, exchanging data, triggering actions, …




 1. Motivation
    Trends in ICT

Cloud Computing
New style of computing where massively scalable  IT‐enabled 
capabilities are delivered ‘as a service’ to external customers 
using Internet technologies  (Gartner 2008)








  1. Motivation
     Trends in ICT

1.     Internet of Things = 
       Embedded Systems + Cyber Physical + Internet
2.    Internet of Services/Cloud Computing =
       Business Software + new Business Models + Internet
3.    Future Internet =
       Internet of Things + Internet of Services + Mobility + 
       Improved Core‐Network + Internet of Knowledge & Content

New Business Opportunities: e.g. 
• Smart Grid, Smart Mobility, Smart Health, Smart Cities, Factory of 
   the Future, Smart Logistics, …
• Challenge:  Handling of “Big Data”: 
   Data Acquisition, Analytics, Provisioning, …




 2. Future Internet
    Business Opportunities
Mobile Application: Convergence private/business
Consumerized IT!

[Figure: mobile use cases shown on the slide: Loyalty, Identity Management, Payment, Communicate, Physical Access, Pay, Content Download, Transact, Identify, DRM, Ticketing, Device Configuration.]




  2. Future Internet
     Business Opportunities

Consumerized IT
An increasing number of organizations take a strategic
approach to Consumerization by providing IT support
for personal devices
Source: bringyourownit.com/2011/09/26/trend-micro-consumerization-report-2011/

Increased Efficiency:
Recent studies have shown that allowing employees to
use innovative, state-of-the-art devices and services
of their own choosing can increase their efficiency.
Reduced Costs:
Reduced capital expenditures are likely as employees turn to their
own personal devices to perform work, with the added benefit of
lower device management and maintenance costs.
Source: Booz & Company, Consumerization of IT, 2010




  2. Future Internet
     Business Opportunities

Automotive Industry: Connected Drive, Web-Services in Cars

[Figure: connected-car services shown on the slide: Road Billing, Intelligent Car Routing and Navigation, Traffic info and web cams, Fleet Management, (Location based) web information, GPS Street Parking, Inter Car Communication, Parking Slots Reservation, Contactless Gas Station, Mobile TV.]

Use of Web Services will be common in the car
Importance of protection against attacks from the internet will increase




 2. Future Internet
    Business Opportunities

Smart Mobility: Internet within the vehicle
• IP-based communication: few and more complex control units
• Value-added services, Business Apps, cloud-based services
  e.g. on-board diagnostics, entertainment, e-mobility




 2. Future Internet
    Business Opportunities

Smart Energy: from e-Energy to eMobility
ICT to manage and control energy grids
• New pricing, billing models
• New services, e.g. AAI

[Figure: smart grid overview. Labels on the slide: eMobility; Dynamic Management: power consumption when price is low; Solar cells; Private Households; Office facilities; Outage; Processors: Controls; Sensors: Detection of Disruptions; Storage; Isolated Grid; Wind-Farm; Generators: Local energy producer; Industrial plant; Power plant.]




 2. Future Internet
    Business Opportunities

It's all about Data, Information & Knowledge!

It is all about Security of Data:
• Correctly identified person, service, device? → Authenticity
• Correct data, not manipulated? → Integrity
• No data leakages to unauthorized parties? → Confidentiality
• Is authorized access to data possible? → Availability

             Security is essential




 2. Future Internet
    Business Opportunities

And .....

      Appropriate Security Measures  are urgently required

Because .... 

• Attack surfaces grow
• Lots of attacks that jeopardize the Security 








3. Security Threats
   Hardware Attacks

Malicious Hardware
•     Physical access to hardware like sensors (e.g. in cars):
      • Generate manipulated data,
      • Delete data,
      • Data leakages
      [Figure: Manipulated Smart Meter in AISEC Lab]

•     Product counterfeiting:
      • Forged hardware with low quality
      • Safety problems
      • Liability problems
      [Figure: Forged brake disc (left: original)]




3. Security Threats
   Software Manipulation Attacks

Malicious Software
• Vulnerable Software (Operating System, Web-Application, Server)
   • Code Injection
   • Data access: manipulation, deletion
   • Session Hijacking
   • ID Spoofing
   • Denial of Service:
      Safety-critical applications can be influenced as well!

'Everyday' attacks




3. Security Threats
   Network based Attacks

Vulnerable Networks
• Heterogeneous Technologies (e.g. GSM/LTE, WLAN, SCADA)
   • Injection of false messages
   • Message replay, sniffing, spoofing
   • Drop messages
   • DDoS

Example: Stuxnet Attack 2010

Hacking of critical infrastructures




 3. Security Threats
    Example:Smart Grids




Current Look & Feel ….
          Future Internet will be a Security Nightmare

Any Hope? What is required?
       Security Technology:  Scalable, adaptable, seamless
       Built-in Security:    New Architectures, Secure by Design
       Health-Monitoring:    New Services, Security as a Service, Secure during operation
       Security Culture:     Education, Training, Awareness








4. Research Topics
   Security Technology

e.g. Scalable Hardware‐Security
   • Attack‐resistant Hardware modules
   • Reconfigurable hardware cores 
   • Secure Object Ids for  M2M authentication
   • Lightweight cryptography to support resource‐poor sensors








  4. Research Topics
     Secure by Design

   e.g. Trustworthy Software‐Architectures: 
   • Secure Programming: 
       • Input Filtering etc.

   •    Isolated execution environments
         • Controlled isolation of applications
         • Trusted Input/Output , trusted path

   •    Security & integrity checks
         • Security check-points, metrics
         • Detection of invalid system states
         • Rollback




  4. Research Topics
     Secure by Design

       Example: next Generation Mobile Phones

[Figure: labels on the slide: Mobile Payment, Mobile Banking, Mobile Ticketing, Mobile Visa, Mobile Health Services, Mobile Public Services; Trusted Applications; Trusted Execution Environment.]




 4. Research Topics
    Secure during Operation

e.g. Security as a Service
• Identity Management
     e.g. with nPA
          mobile nPA (not yet)

•    Health monitoring & Malware detection
     e.g. Improve detection and reaction methods
          Learn from observed attacker behavior




5. Selected Examples @ AISEC/TUM
   Lightweight Cryptography
Secure Remote Key-less Entry, RKE

Problem:
• Many vehicle access systems possess intrinsic security weaknesses
• Symmetric cryptography for authentication often used
• Easy to crack!

Solution:
• Lightweight implementation of ECC and PKI: strong cryptography
• Secure access protocols




5. Selected Examples @ AISEC/TUM
   New Concepts for Component Identification

'Fingerprints' for Objects: Unclonable Material-Based Security
Problem
• Secrets can be extracted: spoofed component ID, insecure keys

Solution
• Physical unclonable function (PUF)
• Object fingerprints depend on variations of the manufacturing process
• M2M Authentication: physical structure generates Challenge-Response-Pairs in an unpredictable way
• Secure generation of cryptographic keys for standard protocols
• No protected memory necessary
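
An added example, not part of the original slides: a minimal sketch of PUF-based M2M authentication with challenge-response pairs (CRPs). The PUF is simulated in software (a keyed hash plus random bit flips stands in for the physical structure and its measurement noise); the class names, the device ID, the 3% noise rate and the Hamming-distance threshold are assumptions for illustration.

```python
import hashlib
import hmac
import random

RESPONSE_BITS = 128


class SimulatedPUF:
    """Software stand-in for a physical PUF (constructed for this example).

    A real PUF derives its response from manufacturing variation in the
    material itself, so no secret sits in memory. Here that variation is
    modelled by `variation`, and measurement noise by random bit flips.
    """

    def __init__(self, variation: bytes, noise_rate: float = 0.03, rng=None):
        self._variation = variation
        self._noise_rate = noise_rate
        self._rng = rng or random.Random()

    def respond(self, challenge: bytes) -> int:
        digest = hmac.new(self._variation, challenge, hashlib.sha256).digest()
        ideal = int.from_bytes(digest[: RESPONSE_BITS // 8], "big")
        noise = 0
        for bit in range(RESPONSE_BITS):
            if self._rng.random() < self._noise_rate:
                noise |= 1 << bit  # this response bit was measured wrongly
        return ideal ^ noise


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two responses differ."""
    return bin(a ^ b).count("1")


class Verifier:
    """Holds CRPs recorded at enrolment and checks later responses."""

    def __init__(self, threshold: int = 24, rng=None):
        # Two noisy reads of the same PUF differ in a few bits; a different
        # PUF differs in about half of the 128 bits. The threshold lies
        # between the two (assumed value).
        self._threshold = threshold
        self._rng = rng or random.SystemRandom()
        self._crps = {}  # device_id -> list of (challenge, expected response)

    def enroll(self, device_id: str, puf: SimulatedPUF, count: int = 4) -> None:
        """Record CRPs while the device is in a trusted environment."""
        pairs = []
        for _ in range(count):
            challenge = self._rng.getrandbits(128).to_bytes(16, "big")
            pairs.append((challenge, puf.respond(challenge)))
        self._crps[device_id] = pairs

    def remaining(self, device_id: str) -> int:
        return len(self._crps.get(device_id, []))

    def authenticate(self, device_id: str, puf: SimulatedPUF) -> bool:
        """Challenge the device once; each CRP is consumed when used."""
        pairs = self._crps.get(device_id)
        if not pairs:
            return False  # unknown device or CRP store exhausted: fail closed
        # A used challenge is never issued again, so an observed response
        # cannot be replayed against a later challenge.
        challenge, expected = pairs.pop()
        response = puf.respond(challenge)
        return hamming_distance(expected, response) <= self._threshold


def demo() -> dict:
    # Seeded generators only so the demonstration is repeatable.
    verifier = Verifier(rng=random.Random(7))
    genuine = SimulatedPUF(b"constructed-variation-A", rng=random.Random(1))
    clone = SimulatedPUF(b"constructed-variation-B", rng=random.Random(2))
    verifier.enroll("ecu-01", genuine, count=3)
    return {
        "genuine": verifier.authenticate("ecu-01", genuine),
        "clone": verifier.authenticate("ecu-01", clone),
        "genuine_again": verifier.authenticate("ecu-01", genuine),
        "exhausted": verifier.authenticate("ecu-01", genuine),
        "remaining": verifier.remaining("ecu-01"),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier has to re-enrol the device before its CRP store runs out, since each challenge is single-use.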




 5. Selected Examples @ AISEC/TUM
    Scalable Hardware Security Modules

Automotive Environment
Problem
• Flash storage is insecure: not appropriate for keys and sensitive data
• Secure storage within each ECU is very expensive
Solution
• Central key management using a dedicated Secure Hardware Element

Benefit
• Secure M2M authentication of components
• Manipulation-resistant storage and cryptographic services
• Basis for secure In-Car and Car2X communication




 5. Selected Examples @ AISEC/TUM
    Secure by Design

Smart Meter/Gateway
Problem:
• Data leakages, privacy issues

Solution
• Secure Smart Meter compliant to BSI Protection Profile
• Based on Hardware Security Module (HSM)
• Secure handling of metering data: authentication, access control, data confidentiality (encryption)
• Privacy by design: data aggregation, filtering

[Figure: smart meter; labels on the slide: Display, HSM]




5. Selected Examples @ AISEC/TUM
   Secure by Design

Product Piracy Protection
Problem
• Copy, Re-Engineering High-Tech Components

Solution
• Secure Element used as trust anchor for firmware
• Authentication between firmware and hardware
• Software obfuscation for firmware
• Tight coupling of firmware & hardware




 5. Selected Examples @ AISEC/TUM
    Secure during Operation

Monitoring of Cloud-Services

Problem
• Cloud users lose control over their data: where is the data (leakages?), who has access

Solution
• KPIs to measure security status of outsourced Appl.
• Dynamic controls to detect misbehaviour, deviations
• Monitoring: e.g.
    Data flows (where is my data),
    Log files (who had access),
    Events (IDS, …)

[Figure: monitoring framework architecture. Labels on the slide: Workflow Manager, GRC Manager, Policy Manager, Metrics Manager, Plugins, Models, Templates, Event Bus, DSL Interpreter, Complex Event Processing; Application, Application Server, App Controller, Java VM, Virtual Machine, Xen / KVM Hypervisor, Operating System.]




5. Selected Examples @ AISEC/TUM
   Secure during Operation

New Approaches for Malware Analytics: Topic Models

• Latent topics in system call traces

E.g. Expert view:
• Tr1: graphics program
• Tr2: read and transmit file content
• Tr3: receive and display a picture
• Expert reveals latent structures: clustering/classifying using semantic expert know-how




5. Secure during Operation
   Some AISEC/TUM Examples

Improved Malware analytics: SST Supervised Topic Transition
• Using Machine Learning Techniques and Topic Modeling for clustering
• Improved 'semantic' Clustering and Classification of malware




5. Secure during Operation
   Some AISEC/TUM Examples

SST Supervised Topic Transition
• >70 topics: High accuracy, low false alarm rate, low missing rate!

Putting it all together:
Example: Secure Smart Grids




Summary & Take Home Message


ICT driver of Innovations: 
• Huge amounts of data are collected, processed, distributed
Innovation needs Security: 
• Data security, integrity, confidentiality is a MUST have
Security needs Research:
• Security Technologies: Scalable, adaptable
• Built‐in Security & Health Monitoring: Architectures, Services
Security needs Multidisciplinarity
• Informatics, Engineering, Math: Architecture, SE, HMI, Networks  
• Business Administration, Law, Ethics,...
Security needs Education: Security Culture

40 Years of Computer Science at
Universität Hamburg

Congratulations!

•    Computer science shapes the future
•    Computer science is a driver of innovation
•    Computer science at Universität Hamburg:
    Technology & Society
    Innovative with security!
All the best for the next 40 years!

Thank you for your Attention




                        Claudia Eckert
                        Fraunhofer AISEC
                        TU München, Chair for IT Security


                        E-Mail:      claudia.eckert@aisec.fraunhofer.de
                        Internet:    http://www.aisec.fraunhofer.de




Claudia Eckert                                                            41




                                                                                      21

40 Jahre Informatik Hamburg

  • 1.
    26.05.2012 Mit Sicherheit innovativ! Claudia Eckert TU München, Fraunhofer Institut AISEC 1 40 Jahre Informatik Hamburg 18.11. 2011 Universität Hamburg Outline 1. Motivation:  Informatik formt Zukunft  2. Future Internet   Informatik als Innovationsmotor  3. Security Threats Innovationen benötigen Sicherheit 4.   Research Topics 2 Sicherheit benötigt Forschung Si h h it b öti t F h 5. Selected Examples @AISEC/TUM Mit Sicherheit innovativ! 6.   Summary Claudia Eckert 2 1
  • 2.
    26.05.2012 1. Motivation Mainframes,Embedded, Smart Environments & CPS 5) Smart Environments & CPS 4) RFID-Tags Smart Grid Factory of Embedded the Future 90% of all 1) Mainframes CPUs are embedded 1User 8.5% growth 1 Computer 1 Computer Multiple Computers 17 Billion total Multiple Users 1 User M2M revenue Time Claudia Eckert 3 1. Motivation Trends in ICT Cyber Physical Systems (CPS) • Integration of physical environments  and ICT systems (of systems) Characteristics:  • Lots of Autonomous devices/sensors e.g. Smart Grid • Embedded systems • Heterogeneous networks  • M2M‐communication Main tasks:  • Controlling & monitoring complex systems often in real‐time • Collecting data, exchange data, trigger actions, …. Claudia Eckert 4 2
  • 3.
    26.05.2012 1. Motivation Trends in ICT Cloud Computing New style of computing where massively scalable  IT‐enabled  capabilities are delivered ‘as a service’ to external customers  using Internet technologies  (Gartner 2008) Claudia Eckert 5 1. Motivation Trends in ICT 1.     Internet of Things =  Embedded Systems + Cyber Physical + Internet 2.    Internet of Services/Cloud Computing = Business Software + new Business Models + Internet 3.    Future Internet = Internet of Things + Internet of Services + Mobility +  Improved Core‐Network + Internet of Knowledge & Content New Business Opportunities: e.g.  • Smart Grid, Smart Mobility, Smart Health, Smart Cities, Factory of  the Future, Smart Logistics, … • Challenge:  Handling of “Big Data”:  Data Acquisition, Analytics, Provisioning, … Claudia Eckert 6 3
  • 4.
    26.05.2012 Outline 1. Motivation:  Informatik formt Zukunft  2. Future Internet   Informatik als Innovationsmotor  3. Security Threats Innovationen benötigen Sicherheit 4.   Research Topics 7 Sicherheit benötigt Forschung Si h h it b öti t F h 5. Selected Examples @AISEC/TUM Mit Sicherheit innovativ! 6.   Summary Claudia Eckert 7 2. Future Internet Business Opportunities Mobile Application: Convergence private/business Consumerized IT!  Loyalty Identity Payment Management Communicate Physical Pay Content Access Download Transact Identify y DRM Ticketing Device Configuration Claudia Eckert 8 4
  • 5.
    26.05.2012 2.Future Internet Business Opportunities Consumerized IT  An increasing number of organizations take a strategic approach to Consumerization by providing IT support IT support for personal devices Quelle: bringyourownit.com/2011/09/26/ trend‐micro‐consumerization‐report‐2011/ Increased Efficency: Recent studies have shown that allowing employees to use innovative, state‐of‐the‐art devices and services of their own choosing can increase their efficiency.  f th i h i i th i ffi i Reduced Costs: Reduced capital expenditures are likely as employees turn to their  own personal devices to perform work, with the added benefit of  lower device management and maintenance costs. Quelle: Booz & Company, Comsumerization of IT, 2010 2. Future Internet Business Opportunities Automotive Industry: Connected Drive, Web‐Services in Cars  Intelligent Car Routing and Traffic info and Road Billing g Navigation N i ti web cams (Location based) Fleet Management web information GPS Street Inter Car Parking Communication Parking Slots Reservation Contactless Gas Mobile TV Station Use of Web Services will be common in the car Importance of protection against attacks from the internet will increase Claudia Eckert 10 5
  • 6.
    26.05.2012 2. FutureInternet Business Opportunities Smart Mobility:  Internet within the vehicle • IP‐based communication: few and more complex control units • Value‐added services Business Apps cloud‐based services Value‐added services, Business Apps , cloud‐based services  e.g. on‐board diagnostics,  entertainment,  e‐mobility Claudia Eckert 11 2. Future Internet Business Opportunities Smart Energy: from e‐Energy to eMobility eMobility ICT to manage and control  energy‐grids • New pricing  billing models New pricing, billing models Dynamic Management Power Consumption • New services, Solar cells when price is low e.g. AAI Private Households Office-facilities Outage Processors: Sensors: Controls Detection of Disruptions Storage Isolated Grid Wind-Farm Generators: Power plant Local energy Industrial producer plant 12 6
  • 7.
    26.05.2012 2. FutureInternet Business Opportunities Its all about Data, Information & Knowledge! Its is all about Security of Data: • Correctly identified person, service, device?       Authenticity • Correct  data, not manipulated?                               Integrity • No data leakages to unauthorized parties?         Confidentiality • Is authorized access to data possible?                    Availability  Security is essential Claudia Eckert 13 2. Future Internet Business Opportunities And ..... Appropriate Security Measures  are urgently required Because ....  • Attack surfaces grow • Lots of attacks that jeopardize the Security  Claudia Eckert 14 7
  • 8.
    26.05.2012 Outline 1. Motivation:  Informatik formt Zukunft  2. Future Internet   Informatik als Innovationsmotor  3. Security Threats Innovationen benötigen Sicherheit 4.   Research Topics 15 Sicherheit benötigt Forschung Si h h it b öti t F h 5. Selected Examples @AISEC/TUM Mit Sicherheit innovativ! 6.   Summary Claudia Eckert 15 3. Security Threats Hardware Attacks Malicious Hardware • Physical Access to Hardware like  Physical Access to Hardware like Sensors (e.g in cars): • Generate manipulated data,  • Delete data,  • Data leakages Manipulated Smart Meter in AISEC Lab • Product counterfeiting: • Forged hardware with low quality • Safety problems • Liability problems Forged break disc (left original) Claudia Eckert 16 8
  • 9.
    26.05.2012 3. Security Threats Software Manipulation Attacks Malicious Software • Vulnerable Software (Operating System, Web‐ ( p g y Application, Server) • Code Injection • Data access: manipulation, deletion • Session Hijacking • ID Spoofing • Denial of Service:  Safety‐critical applications can be influenced as well! Claudia Eckert 17 ‚alltägliche‘ Angriffe 18 9
  • 10.
    26.05.2012 3. Security Threats Network based Attacks Vulnerable Networks  • Heterogeneous Technologies (e.g. GSM/LTE, WLAN, SCADA) • Injection of false messages,   • Message Replay , Sniffing, Spoofing • Drop messages • DDoS Example:  Example: Stuxnet Attack 2010 Claudia Eckert 19 Hacken kritischer Infrastrukturen 10
  • 11.
    26.05.2012 3. SecurityThreats Example:Smart Grids Claudia Eckert 21 Current Look & Feel …. Future Internet will be a Security Nightmare Any Hope? What is required?  Security Technology:  Scalable, adaptable,  seamless Built‐in Security:          New Architectures  Secure by Design Health‐Monitoring:     New Services, Security as Service Secure during operation Security Culture: Education, Training, Awareness Claudia Eckert 22 11
  • 12.
    26.05.2012 Outline 1. Motivation:  Informatik formt Zukunft  2. Future Internet   Informatik als Innovationsmotor  3. Security Threats Innovationen benötigen Sicherheit 4.   Research Topics 23 Sicherheit benötigt Forschung Si h h it b öti t F h 5. Selected Examples @AISEC/TUM Mit Sicherheit innovativ! 6.   Summary Claudia Eckert 23 4. Research Topics Security Technology e.g. Scalable Hardware‐Security • Attack‐resistant Hardware modules • Reconfigurable hardware cores  • Secure Object Ids for  M2M authentication • Lightweight cryptography to support resource‐poor sensors Claudia Eckert 24 12
  • 13.
    4. Research Topics: Secure by Design
    e.g. Trustworthy Software Architectures:
    • Secure programming:
      • Input filtering etc.
    • Isolated execution environments
      • Controlled isolation of applications
      • Trusted input/output, trusted path
    • Security & integrity checks
      • Security check-points, metrics
      • Detection of invalid system states
      • Rollback

    4. Research Topics: Secure by Design
    Example: Next Generation Mobile Phones
    [Diagram: services (Mobile Payment, Mobile Banking, Mobile Ticketing, Mobile Visa, Mobile Health, Mobile Public Services); Trusted Applications; Trusted Execution Environment]
  • 14.
    4. Research Topics: Secure during Operation
    e.g. Security as a Service
    • Identity management, e.g. with nPA; mobile nPA (not yet)
    • Health monitoring & malware detection, e.g.
      • Improve detection and reaction methods
      • Learn from observed attacker behavior
  • 15.
    5. Selected Examples @ AISEC/TUM: Lightweight Cryptography
    Secure Remote Keyless Entry (RKE)
    Problem:
    • Many vehicle access systems possess intrinsic security weaknesses
    • Symmetric cryptography is often used for authentication
    • Easy to crack!
    Solution:
    • Lightweight implementation of ECC and PKI: strong cryptography
    • Secure access protocols

    5. Selected Examples @ AISEC/TUM: New Concepts for Component Identification
    'Fingerprints' for Objects: Unclonable Material-Based Security
    Problem:
    • Secrets can be extracted: spoofed component ID, insecure keys
    Solution:
    • Physical unclonable function (PUF)
    • Object fingerprints depend on variations of the manufacturing process
    • M2M authentication: the physical structure generates challenge-response pairs in an unpredictable way
    • Secure generation of cryptographic keys for standard protocols
    • No protected memory necessary
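The challenge-response authentication named on the PUF slide, as an added sketch that is not part of the original slides: a verifier enrolls challenge-response pairs (CRPs) once, later sends unused challenges, tolerates a few noisy bits, and never reuses a pair. The PUF is simulated with the additive-delay arbiter model; all names, seeds and thresholds are assumptions chosen for illustration.

```python
import random

N_STAGES = 64      # challenge length in bits (assumed)
ROUND_BITS = 128   # response bits compared per authentication (assumed)
MAX_ERR = 0.10     # tolerated fraction of noisy response bits (assumed)

class SimulatedPUF:
    """Additive-delay arbiter-PUF model; weights stand in for manufacturing variation."""
    def __init__(self, chip_seed, sigma=0.05):
        rng = random.Random(chip_seed)            # constructed "silicon" for the demo
        self._w = [rng.gauss(0, 1) for _ in range(N_STAGES + 1)]
        self._noise, self._sigma = random.Random(chip_seed + 1000), sigma

    def respond(self, challenge):
        # Parity features: phi_i = product of (1 - 2*c_j) over j >= i, phi_N = 1.
        phi, acc = [1.0], 1.0
        for bit in reversed(challenge):
            acc *= 1 - 2 * bit
            phi.append(acc)
        delay = sum(w * p for w, p in zip(self._w, reversed(phi)))
        return int(delay + self._noise.gauss(0, self._sigma) > 0)

class Verifier:
    def __init__(self):
        self._crps = {}  # device id -> unused (challenge, response) pairs

    def enroll(self, dev_id, puf, rounds, rng):
        cs = [tuple(rng.getrandbits(1) for _ in range(N_STAGES))
              for _ in range(rounds * ROUND_BITS)]
        self._crps[dev_id] = [(c, puf.respond(c)) for c in cs]

    def remaining_rounds(self, dev_id):
        return len(self._crps.get(dev_id, [])) // ROUND_BITS

    def authenticate(self, dev_id, device):
        if self.remaining_rounds(dev_id) == 0:
            return False  # no fresh challenges left: re-enroll, never reuse
        batch = [self._crps[dev_id].pop() for _ in range(ROUND_BITS)]  # used once
        errors = sum(device.respond(c) != r for c, r in batch)
        return errors <= MAX_ERR * ROUND_BITS

def demo():
    verifier, rng = Verifier(), random.Random(2011)
    genuine, clone = SimulatedPUF(chip_seed=1), SimulatedPUF(chip_seed=2)
    verifier.enroll("ecu-1", genuine, rounds=3, rng=rng)
    return (verifier.authenticate("ecu-1", genuine),   # same chip, noisy readout
            verifier.authenticate("ecu-1", clone),     # same design, other silicon
            verifier.remaining_rounds("ecu-1"))
```

The device side holds no stored secret in this model; the verifier's CRP database is the asset that needs protection, and each authentication consumes part of it.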
  • 16.
    5. Selected Examples @ AISEC/TUM: Scalable Hardware Security Modules
    Automotive Environment
    Problem:
    • Flash storage is insecure: not appropriate for keys and sensitive data
    • Secure storage within each ECU is very expensive
    Solution:
    • Central key management using a dedicated Secure Hardware Element
    Benefit:
    • Secure M2M authentication of components
    • Manipulation-resistant storage and cryptographic services
    • Basis for secure in-car and Car2X communication

    5. Selected Examples @ AISEC/TUM: Secure by Design
    Smart Meter/Gateway
    Problem:
    • Data leakages, privacy issues
    Solution:
    • Secure smart meter compliant with the BSI Protection Profile
    • Based on a Hardware Security Module
    • Secure handling of metering data: authentication, access control, data confidentiality (encryption)
    • Privacy by design: data aggregation, filtering
    [Diagram labels: Display, HSM]
  • 17.
    5. Selected Examples @ AISEC/TUM: Secure by Design
    Product Piracy Protection
    Problem:
    • Copy, re-engineering of high-tech components
    Solution:
    • Secure Element used as trust anchor for firmware
    • Authentication between firmware and hardware
    • Software obfuscation for firmware
    • Tight coupling of firmware & hardware

    5. Selected Examples @ AISEC/TUM: Secure during Operation
    Monitoring of Cloud Services
    Problem:
    • Cloud users lose control over their data: where is the data (leakages?), who has access, …
    Solution:
    • KPIs to measure the security status of outsourced applications
    • Dynamic controls to detect misbehaviour, deviations
    • Monitoring: e.g. data flows (where is my data), log files (who had access), events (IDS, …)
    [Diagram labels: Workflow Manager, GRC Manager, Policy Manager, Metrics Manager, Plugins, Application, Models, Templates, Event Bus, Application Server, DSL Interpreter, App Controller, Complex Event Processing, Java VM, Monitoring Framework, Virtual Machine, Xen / KVM Hypervisor, Operating System]
  • 18.
    5. Selected Examples @ AISEC/TUM: Secure during Operation
    New Approaches for Malware Analytics: Topic Models
    • Latent topics in system call traces
    • E.g. expert view:
      • Tr1: graphics program
      • Tr2: read and transmit file content
      • Tr3: receive and display a picture
    • Expert reveals latent structures: clustering/classifying using semantic expert know-how

    5. Secure during Operation: Some AISEC/TUM Examples
    Improved Malware Analytics: SST (Supervised Topic Transition)
    • Using machine learning techniques and topic modeling for clustering
    • Improved 'semantic' clustering and classification of malware
  • 19.
    5. Secure during Operation: Some AISEC/TUM Examples
    SST (Supervised Topic Transition)
    • >70 topics: high accuracy, low false alarm rate, low missing rate!

    Putting it all together:
    Example: Secure Smart Grids
  • 20.
    Summary & Take-Home Message
    ICT driver of innovations:
    • Huge amounts of data are collected, processed, distributed
    Innovation needs security:
    • Data security, integrity, confidentiality is a MUST have
    Security needs research:
    • Security technologies: scalable, adaptable
    • Built-in security & health monitoring: architectures, services
    Security needs multidisciplinarity:
    • Informatics, engineering, math: architecture, SE, HMI, networks
    • Business administration, law, ethics, ...
    Security needs education: security culture

    40 Years of Computer Science at the University of Hamburg
    Congratulations!
    • Computer science shapes the future
    • Computer science is an engine of innovation
    • Computer science at the University of Hamburg: technology & society
    Innovative with security!
    All the best for the next 40 years!
  • 21.
    Thank you for your attention
    Claudia Eckert
    Fraunhofer AISEC
    TU München, Chair for IT Security
    E-Mail: claudia.eckert@aisec.fraunhofer.de
    Internet: http://www.aisec.fraunhofer.de