717 research outputs found

    Cyber security of smart building ecosystems

    Get PDF
    Abstract. Building automation systems are used to create energy-efficient and customisable commercial and residential buildings. During the last two decades, these systems have become more and more interconnected to reduce expenses and expand their capabilities by allowing vendors to perform maintenance and by letting building users to control the machines remotely. This interconnectivity has brought new opportunities on how building data can be collected and put to use, but it has also increased the attack surface of smart buildings by introducing security challenges that need to be addressed. Traditional building automation systems with their proprietary communication protocols and interfaces are giving way to interoperable systems utilising open technologies. This interoperability is an important aspect in streamlining the data collection process by ensuring that different components of the environment are able to exchange information and operate in a coordinated manner. Turning these opportunities into actual products and platforms requires multi-sector collaboration and joint research projects, so that the buildings of tomorrow can become reality with as few compromises as possible. This work examines one of these experimental project platforms, KEKO ecosystem, with the focus on assessing the cyber security challenges faced by the platform by using the well-recognised MITRE ATT&CK knowledge base of adversary tactics and techniques. The assessment provides a detailed categorisation of identified challenges and recommendations on how they should be addressed. This work also presents one possible solution for improving the detection of offensive techniques targeting building automation by implementing a monitoring pipeline within the experimental platform, and a security event API that can be integrated to a remote SIEM system to increase visibility on the platform’s data processing operations

    Strategies for Implementing Successful IT Security Systems in Small Businesses

    Get PDF
    Owners of small businesses who do not adequately protect business data are at high risk for a cyber attack. As data breaches against small businesses have increased, it has become a growing source of concern for consumers who rely on owners of small businesses to protect their data from data breaches. Grounded in general systems theory and routine activity approach, the focus of this qualitative multiple case study was to explore strategies used by owners of small businesses to protect confidential company data from cyber attacks. The process used for collecting data involved semistructured face-to-face interviews with 5 owners of small businesses in Florida, as well as a review of company documents that were relevant to strategies used by owners of small businesses to protect confidential company data from cyber attacks. The thematic analysis of the interview transcripts revealed 4 themes for protecting business data against cyber attacks, which are security information management strategy, organizational strategy, consistent security policy, and cybersecurity risk management strategy. A key finding is that owners of small businesses could develop an organizational strategy by incorporating procedures used to protect from and respond to cyber attacks. The implications for positive social change include the potential to increase customers’ confidence and businesses’ economic growth, as well as stimulate the socioeconomic lifecycle, resulting in potential employment gains for residents within the communities

    PERSONAL DATA PROTECTION RULES! GUIDELINES FOR PRIVACY-FRIENDLY SMART ENERGY SERVICES

    Get PDF
    Privacy-friendly processing of personal data is proving to be increasingly challenging in today’s energy systems as the amount of data grows. Smart energy services provide value creation and co-creation by processing sensible user data collected from smart meters, smart home devices, storage systems, and renewable energy plants. To address this challenge, we analyze key topics and develop design requirements and design principles for privacy-friendly personal data processing in smart energy services. We identify these key topics through expert interviews, text-mining, and topic modelling techniques based on 149 publications. Following this, we derive our design requirements and principles and evaluate these with experts and an applicability check with three real-world smart energy services. Based on our results and findings, we establish a further research agenda consisting of five specific research directions

    Nation-State Attackers and their Effects on Computer Security

    Full text link
    Nation-state intelligence agencies have long attempted to operate in secret, but recent revelations have drawn the attention of security researchers as well as the general public to their operations. The scale, aggressiveness, and untargeted nature of many of these now public operations were not only alarming, but also baffling as many were thought impossible or at best infeasible at scale. The security community has since made many efforts to protect end-users by identifying, analyzing, and mitigating these now known operations. While much-needed, the security community's response has largely been reactionary to the oracled existence of vulnerabilities and the disclosure of specific operations. Nation-State Attackers, however, are dynamic, forward-thinking, and surprisingly agile adversaries who do not rest on their laurels and are continually advancing their efforts to obtain information. Without the ability to conceptualize their actions, understand their perspective, or account for their presence, the security community's advances will become antiquated and unable to defend against the progress of Nation-State Attackers. In this work, we present and discuss a model of Nation-State Attackers that can be used to represent their attributes, behavior patterns, and world view. We use this representation of Nation-State Attackers to show that real-world threat models do not account for such highly privileged attackers, to identify and support technical explanations of known but ambiguous operations, and to identify and analyze vulnerabilities in current systems that are favorable to Nation-State Attackers.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/143907/1/aaspring_1.pd

    "Surveillance vs. Privacy: Assessing the Implications of CCTV Cameras for Crime Prevention on the Right to Privacy in the UK"

    Get PDF
    openThe right to privacy is recognized as a fundamental human right in international human rights law, and is crucial to the protection of personal autonomy and dignity. The concept of privacy has been a long-standing issue in society, and its importance has increased with the advent of new technologies that allow for the collection and analysis of personal data on an unprecedented scale. Technological advancements have led to significant changes in the way privacy is perceived and protected. AI-powered surveillance systems have made it possible to monitor people's movements, activities, and behavior. While these technologies considerably help public and private agencies identify criminals and safeguard public order, they may violate people's privacy in relation to their communications, actions, and other elements. This research study examines the impact of using CCTV cameras for the purpose of crime prevention on the right to privacy in the United Kingdom. With the growing implementation of surveillance technologies, such as CCTV cameras, there is a need to critically assess their implications on individual privacy rights. This research focuses on understanding the balance between enhanced security measures and the potential infringement on privacy rights

    Katz and Covid-19 How a Pandemic Changed the Reasonable Expectation of Privacy

    Get PDF
    COVID-19 spread to 189 countries and infected tens of millions of people in the matter of months. Organizations, including governments and employers, turned to health surveillance technologies to slow the spread and combat the disease. Protected health information and personal information are required for the proper and effective functioning of the health surveillance technologies. The collection, use, and dissemination of protected health and personal information raised data privacy and security concerns. But under the current data privacy and security regime—based on the reasonable expectation of privacy standard—protected health and personal information is not protected to the extent that it needs to be. Unlike other scholarly work, this article presents deeper analysis into the technologies, the data that powers them, and the applicable legal standards. The objective is to provide a better understanding of (i) the data privacy and security risks, and (ii) whether the current data privacy and security regime in the United States provides sufficient protections for individuals. This article explores two health surveillance technologies (contact tracing applications and health monitoring platforms), presents three categories of data (user-inputted, queried, and autogenerated data), and describes the data supply chains that power technology and organizations. I discuss the benefits and risks of collecting the protected health and personal information in response to the pandemic. I explore the current legal standards and jurisprudence, and I propose the Privacy Continuum to explain how the pandemic shifted the reasonable expectation of privacy. I present a case study to synthesize the foregoing, and I conclude by proposing a new legal standard—the right to control—and other reforms to effectuate true data privacy and security protections. Only then can we reclaim our right to privacy

    Privacy, Mass Intrusion and the Modern Data Breach

    Get PDF
    Massive data breaches have practically become a daily occurrence. These breaches reveal intrusive private information about individuals, as well as priceless corporate secrets. Ashley Madison’s breach ruined lives and resulted in suicides. The HSBC breach, accomplished by one of their own, revealed valuable commercial information about the bank and personal information about HSBC customers. The employee responsible for the breach has since been convicted of aggravated personal espionage, while third-party news outlets have been free to republish the hacked information. Some information disclosed in data breaches can serve a public purpose. The Snowden disclosures, for example, revealed sensitive government information and were also crucial to public policy debate, a significant amount of disclosed information is destructive to individuals and companies alike, and often has little, if any, public value. The conflict between publicly important disclosures and disturbing private intrusions creates a direct confrontation between freedom of expression and privacy. A full analysis of this confrontation requires assessment of the specific circumstances of breach—from the vulnerabilities present beforehand to the aftermath when the media, companies, and individuals all must cope with the information exposed. This analysis begins by evaluating the importance of information in modern society. Big data is now an inescapable part of our culture. A data breach may contain intimate details about medical conditions or national security secrets. The disclosure of either has its own kind of devastating effect. Examples of the impact of a mass data breach include the hacking of Target Corporation, Yahoo! Inc., Home Depot, Inc., Sony Corporation, Anthem Inc., HSBC Private Bank (Suisse), SA, and AshleyMadison.com. A dissection of these breaches reveals a common theme—the ineffectual legal system, which provides little protection or remedy for any party involved. Several factors—including the anonymity of hackers, outdated legal remedies, and free speech protections for third-party publishers—together create an uncertain and uncharted legal landscape. After evaluating the available statutory and common law remedies, this Article posits that reinvigorated private causes of action can be a starting point for developing stronger legal remedies for those damaged in a breach. The right facts and legal arguments can create new remedies out of existing legal doctrines. Further, public values on protecting privacy are in flux. More protective policies in the European Union demonstrate that privacy and free expression can coexist. Some EU policies may provide examples of legislative options. Corporate entities and individuals are at risk and are suffering real harm in a world with daily data breaches and ineffective laws. The need for new perspectives is urgent

    The Future of HIPAA in the Cloud

    Get PDF
    This white paper examines how cloud computing generates new privacy challenges for both healthcare providers and patients, and how American health privacy laws may be interpreted or amended to address these challenges. Given the current implementation of Meaningful Use rules for health information technology and the Omnibus HIPAA Rule in health care generally, the stage is now set for a distinctive law of “health information” to emerge. HIPAA has come of age of late, with more aggressive enforcement efforts targeting wayward healthcare providers and entities. Nevertheless, more needs to be done to assure that health privacy and all the values it is meant to protect are actually vindicated in an era of ever faster and more pervasive data transfer and analysis. After describing how cloud computing is now used in healthcare, this white paper examines nascent and emerging cloud applications. Current regulation addresses many of these scenarios, but also leaves some important decision points ahead. Business associate agreements between cloud service providers and covered entities will need to address new risks. To meaningfully consent to new uses of protected health information, patients will need access to more sophisticated and granular methods of monitoring data collection, analysis, and use. Policymakers should be concerned not only about medical records, but also about medical reputations used to deny opportunities. In order to implement these and other recommendations, more funding for technical assistance for health privacy regulators is essential

    Digitising the Industry Internet of Things Connecting the Physical, Digital and VirtualWorlds

    Get PDF
    This book provides an overview of the current Internet of Things (IoT) landscape, ranging from the research, innovation and development priorities to enabling technologies in a global context. A successful deployment of IoT technologies requires integration on all layers, be it cognitive and semantic aspects, middleware components, services, edge devices/machines and infrastructures. It is intended to be a standalone book in a series that covers the Internet of Things activities of the IERC - Internet of Things European Research Cluster from research to technological innovation, validation and deployment. The book builds on the ideas put forward by the European Research Cluster and the IoT European Platform Initiative (IoT-EPI) and presents global views and state of the art results on the challenges facing the research, innovation, development and deployment of IoT in the next years. The IoT is bridging the physical world with virtual world and requires sound information processing capabilities for the "digital shadows" of these real things. The research and innovation in nanoelectronics, semiconductor, sensors/actuators, communication, analytics technologies, cyber-physical systems, software, swarm intelligent and deep learning systems are essential for the successful deployment of IoT applications. The emergence of IoT platforms with multiple functionalities enables rapid development and lower costs by offering standardised components that can be shared across multiple solutions in many industry verticals. The IoT applications will gradually move from vertical, single purpose solutions to multi-purpose and collaborative applications interacting across industry verticals, organisations and people, being one of the essential paradigms of the digital economy. Many of those applications still have to be identified and involvement of end-users including the creative sector in this innovation is crucial. The IoT applications and deployments as integrated building blocks of the new digital economy are part of the accompanying IoT policy framework to address issues of horizontal nature and common interest (i.e. privacy, end-to-end security, user acceptance, societal, ethical aspects and legal issues) for providing trusted IoT solutions in a coordinated and consolidated manner across the IoT activities and pilots. In this, context IoT ecosystems offer solutions beyond a platform and solve important technical challenges in the different verticals and across verticals. These IoT technology ecosystems are instrumental for the deployment of large pilots and can easily be connected to or build upon the core IoT solutions for different applications in order to expand the system of use and allow new and even unanticipated IoT end uses. Technical topics discussed in the book include: • Introduction• Digitising industry and IoT as key enabler in the new era of Digital Economy• IoT Strategic Research and Innovation Agenda• IoT in the digital industrial context: Digital Single Market• Integration of heterogeneous systems and bridging the virtual, digital and physical worlds• Federated IoT platforms and interoperability• Evolution from intelligent devices to connected systems of systems by adding new layers of cognitive behaviour, artificial intelligence and user interfaces.• Innovation through IoT ecosystems• Trust-based IoT end-to-end security, privacy framework• User acceptance, societal, ethical aspects and legal issues• Internet of Things Application
    • …
    corecore