165 research outputs found

    External Verification of SCADA System Embedded Controller Firmware

    Critical infrastructures such as oil and gas pipelines, the electric power grid, and railways, rely on the proper operation of supervisory control and data acquisition (SCADA) systems. Current SCADA systems, however, do not have sufficient tailored electronic security solutions. Solutions available are developed primarily for information technology (IT) systems. Indeed, the toolkit for SCADA incident prevention and response is unavailing as the operating parameters associated with SCADA systems are different from IT systems. The unique environment necessitates tailored solutions. Consider the programmable logic controllers (PLCs) that directly connect to end physical systems for control and monitoring of operating parameters -- the compromise of a PLC could result in devastating physical consequences. Yet PLCs remain particularly vulnerable due to a lack of firmware auditing capabilities. This research presents a tool we developed specifically for the SCADA environment to verify PLC firmware. The tool does not require any modifications to the SCADA system and can be implemented on a variety of systems and platforms. The tool captures serial data during firmware uploads and then verifies them against a known good firmware baseline. Attempts to inject modified and/or malicious firmware are identified by the tool. Additionally, the tool can replay and analyze captured data by emulating a PLC during firmware upload. The emulation capability enables verification of the firmware upload from an interface computer without requiring modifications to or interactions with the operational SCADA system. The ability to isolate the tool from production systems and verify the validity of firmware makes the tool a viable application for SCADA incident response teams and security engineers

    Co-Creation of E-Services Enabled by the Digitalization of Physical Products

    With the advent of digitalization, e-services are now enabled by embedded digital technologies in physical products such as vehicles, elevators, construction equipment. In spite of numerous instances of e-services enabled by the digitalization of physical products, little research has been carried out to investigate the characteristics of co-creation of such e-services. This paper attempts to fill the gap by reporting from a three-year long research project with a vehicle manufacturing company. Using the translation phases from the Actor-Network theory (ANT) as a theoretical lens, this paper presents three propositions that characterize the co-creation of e-services enabled by the digitalization of physical products. The propositions highlight the role of physical products, establishment of trust and setting priorities about digitalization.

    FrameProv: Towards End-To-End Video Provenance

    Video feeds are often deliberately used as evidence, as in the case of CCTV footage; but more often than not, the existence of footage of a supposed event is perceived as proof of fact in the eyes of the public at large. This reliance represents a societal vulnerability given the existence of easy-to-use editing tools and means to fabricate entire video feeds using machine learning. And, as the recent barrage of fake news and fake porn videos has shown, this isn't merely an academic concern, it is actively being exploited. I posit that this exploitation is only going to get more insidious. In this position paper, I introduce a long term project that aims to mitigate some of the most egregious forms of manipulation by embedding trustworthy components in the video transmission chain. Unlike earlier works, I am not aiming to do tamper detection or other forms of forensics -- approaches I think are bound to fail in the face of the reality of necessary editing and compression -- instead, the aim here is to provide a way for the video publisher to prove the integrity of the video feed as well as make explicit any edits they may have performed. To do this, I present a novel data structure, a video-edit specification language and supporting infrastructure that provides end-to-end video provenance, from the camera sensor to the viewer. I have implemented a prototype of this system and am in talks with journalists and video editors to discuss the best ways forward with introducing this idea to the mainstream.

    Digital platform development: A service-oriented perspective

    The traditional view of value is largely rooted in the material properties of physical goods. However, service-dominant logic tells us that value is not imbued in goods, but derived in its judicious application. A contextually bounded nature of value is highly relevant for the study of digital platforms given the reprogrammable nature of digital technology coupled with a necessity to serve several different stake-holders and applications. This paper applies servitization as a theoretical framework for illustrating the subjective and transitory value propositions that influence platform development. Based on a case study of a firm that has transitioned from product supplier to provider of a platform for digital services, it is evident that value propositions are ambivalent, yet vital components in the evolution of platforms. Furthermore, we may discern that platform providers are faced with value propositions that are multidirectional, multidimensional, and offered from a variety of sources

    Confronting the digital: Doing ethnography in modern organizational settings

    Digital technologies pervade modern life. As a result, organizational ethnographers must contend with informants interacting in face-to-face and digitally mediated encounters (e.g., through email, Facebook Messenger, and Skype). This overlap of informants’ digital and physical interactions challenges ethnographers’ ability to demonstrate authenticity and multivocality in their accounts of contemporary organizing. Drawing on recent theorizing about the nature of digital artifacts and two cases of ethnographic fieldwork, we argue that digital artifacts afford ethnographers different modes of being co-present with research participants: digital as archive and digital as process. We offer guidelines to researchers on how to deploy these modes of co-presence in order to improve authenticity and multivocality in ethnographic studies of modern organizations. We also explore the implications for methodological concerns such as ethics, analytical choice, and reflexivity

    The role of digitalization in the internationalization process of a traditional SME

    The emergence of digital technologies and the on-going digital transformation accelerated by the Covid-19 pandemic have also presented traditional SMEs with opportunities to exploit the advantages of digitalization in their internationalization process. Although digitalization and its connection to entrepreneurship have been studied by various researchers, there are few studies examining the phenomenon from the perspective of an SME and even fewer focusing on traditional SMEs. The objective of the study is thus to fill the research gap and extend the research to examine the role of digitalization in the internationalization process of a traditional SME. The term traditional SME is used in this study to describe a small and medium-sized enterprise trading consumer goods and services that exist in the physical dimension. The research was conducted in the form of a qualitative case study consisting of three Finland-based companies. The study was further supported by a literature review focusing on theoretical research around digitalization, internationalization, and the relationship between those two topics. The study’s aim is to answer the research question “How can digitalization advance the internationalization process of a traditional SME?”. The study’s findings show that digitalization has an enabling role in the internationalization process of a traditional SME. According to the results, digitalization can advance the internationalization process in terms of decreased risks related to foreign market selection, increased reach of wide audiences in a cost-efficient manner, and possibilities to swiftly implement data-based marketing decisions to support revenue creation. Additionally, remote operations enabled by digitalization create new international business opportunities and allow traditional SMEs to generate direct international sales. Lastly, digitalization enables resource-efficient internal and external value creation. The findings further emphasize the significance of the companies’ entrepreneurial orientation towards digitalization, appropriate capabilities, and sufficient resources in order to benefit from the opportunities presented by digitalization.

    The development of digital technologies and the ongoing digital transformation accelerated by the Covid-19 pandemic have also created opportunities for traditional small and medium-sized enterprises (SMEs). One of these opportunities is the use of digitalization in the internationalization of SMEs. Numerous studies have been conducted on digitalization and its connection to entrepreneurship, but the phenomenon has hardly been examined from the perspective of an SME, let alone a traditional SME. The purpose of the thesis is to extend earlier research on digitalization and to examine the role of digitalization in the internationalization process of traditional SMEs. In this thesis, the term “traditional SME” refers to small and medium-sized enterprises that supply products and services in physical form. The thesis was carried out as a qualitative case study consisting of three Finnish companies. In addition, the thesis draws on theoretical research material dealing with digitalization, internationalization, and the relationship between these two topics. The aim of the thesis is to answer the question “How can digitalization benefit the internationalization process of a traditional SME?” The research results show that digitalization has an assisting role in the internationalization of the companies studied. According to the results, digitalization can benefit the internationalization process in several ways: by reducing the risks related to foreign market selection, by cost-efficiently increasing the reach of large audiences, and by enabling the implementation of rapid data-based marketing decisions to increase revenue. In addition, remote operations enabled by digitalization create new international business opportunities and give traditional SMEs the capability to generate direct international revenue streams. On top of all this, digitalization serves as a platform for resource-efficient internal and external value creation. The results further emphasize the importance of organizations’ entrepreneurial orientation towards digitalization, suitable capabilities, and sufficient resources in exploiting the opportunities brought by digitalization.

    Security Analysis of the Consumer Remote SIM Provisioning Protocol

    Remote SIM provisioning (RSP) for consumer devices is the protocol specified by the GSM Association for downloading SIM profiles into a secure element in a mobile device. The process is commonly known as eSIM, and it is expected to replace removable SIM cards. The security of the protocol is critical because the profile includes the credentials with which the mobile device will authenticate to the mobile network. In this paper, we present a formal security analysis of the consumer RSP protocol. We model the multi-party protocol in applied pi calculus, define formal security goals, and verify them in ProVerif. The analysis shows that the consumer RSP protocol protects against a network adversary when all the intended participants are honest. However, we also model the protocol in realistic partial compromise scenarios where the adversary controls a legitimate participant or communication channel. The security failures in the partial compromise scenarios reveal weaknesses in the protocol design. The most important observation is that the security of RSP depends unnecessarily on it being encapsulated in a TLS tunnel. Also, the lack of pre-established identifiers means that a compromised download server anywhere in the world or a compromised secure element can be used for attacks against RSP between honest participants. Additionally, the lack of reliable methods for verifying user intent can lead to serious security failures. Based on the findings, we recommend practical improvements to RSP implementations, to future versions of the specification, and to mobile operator processes to increase the robustness of eSIM security.
    Comment: 33 pages, 8 figures, Associated ProVerif model files located at https://github.com/peltona/rsp_mode

    Key technologies for safe and autonomous drones

    Drones/UAVs are able to perform air operations that are very difficult to be performed by manned aircraft. In addition, drones' usage brings significant economic savings and environmental benefits, while reducing risks to human life. In this paper, we present key technologies that enable development of drone systems. The technologies are identified based on the usages of drones (driven by COMP4DRONES project use cases). These technologies are grouped into four categories: U-space capabilities, system functions, payloads, and tools. Also, we present the contributions of the COMP4DRONES project to improve existing technologies. These contributions aim to ease drones’ customization, and enable their safe operation. This project has received funding from the ECSEL Joint Undertaking (JU) under grant agreement No 826610. The JU receives support from the European Union’s Horizon 2020 research and innovation programme and Spain, Austria, Belgium, Czech Republic, France, Italy, Latvia, Netherlands. The total project budget is 28,590,748.75 EUR (excluding ESIF partners), while the requested grant is 7,983,731.61 EUR to ECSEL JU, and 8,874,523.84 EUR of National and ESIF Funding. The project has been started on 1st October 2019.