Research

Our research combines power systems and control system knowledge with emerging network security techniques. Our envisaged solutions provide threat management, threat detection and threat avoidance, therefore covering the breadth and width of cybersecurity. They include:

  • Stateful firewalls to impose traffic restrictions in mission-critical networks (like smart grid).
  • Intrusion detection and prevention systems (IDPS) for wired and wireless networks (e.g. NIPS and WIPS) based on protocol verification, stateful analysis, correlation of temporal data, packet payload inspection and network behaviour analysis.
  • IDPS for encrypted networks.
  • Host-based intrusion prevention systems (HIPS).
  • Honeypots / Honeynets for M2M networks.
  • PKI-based authentication protocols for secure end-to-end device communication.
  • X.509 compliant and compressed device certificates for memory-constrained embedded devices.
  • FIPS 140-2 compliant PKI as SaaS for IP and non-IP based networks with fully customer-integrated RA and VA.
  • Cryptographic libraries (with particular focus on ECC) for resource-constrained hardware.
  • Security information and event management systems (SIEM).
  • Consultancy in all aspects of cybersecurity for control systems.

To date we have the following deliverables:

  1. A compressed device certificate architecture suitable for resource-constrained devices or bandwidth-restricted M2M communication. Among other things these OSNA certificates contain (industry- or deployment-specific) device attributes and can be linked back to X.509 certificates.
  2. A CA hierarchy that provides manufacturer autonomy (e.g. in-house generation of certificates on-the-fly) and that controls  inter-vendor compatibility (e.g. enables communication restrictions between devices from different vendors).
  3. A CA backend software (prototype) based on 2. to create / manage the above certificates.
  4. A complementary bandwidth-optimised and stack-independent end-to-end authentication protocol (similar to TLS) for OSNA certificates. The protocol has already been deployed on top of a 802.15.4 stack (e.g. on layer 2 / 3), but can likewise operate on transport or application layer.

All the above offerings provide a self-contained PKI suitable for isolated M2M communication networks. The cryptographic components are based on ECC and uses standard curves as defined by NIST.