WMG’s Secure Cyber Systems Research Group has been shortlisted for a TechWorks R&D Excellence Award.

The R&D Excellence Award celebrates innovative R&D activity involving strong Industry and Academic collaboration. This category showcases world-class technology development that has the very high potential of being adopted by industry.

Professor Carsten Maple explained: “I am extremely grateful to all of the team for their huge effort and fantastic outputs. I am so pleased that their efforts have been recognised by a national awards panel.

“The awards recognise outstanding collaboration, and we have certainly made our case based upon the many successful projects, including BeARCAT, IoT-Tram, Capri and S-CAV, that we have delivered with multinational partners and SMEs.

“Being recognised as a finalist is a fantastic achievement and testimony to the hard work of everyone here at WMG.”

Winners will be announced at the TechWorks Gala Dinner and Awards Ceremony on Thursday 9th December, at the Leonardo Royal Hotel London St Paul’s.

Read more about WMG’s cyber security research here: Cyber Security (warwick.ac.uk)

Professor Tim Watson, Director of WMG’s Cyber Security Centre, has shared his expertise in a key parliamentary POSTnote focusing on Smart Cities.

A POSTnote helps members of the House of Commons and the House of Lords, and UK parliament staff navigate complex topics and research in science, technology and social sciences.

This POSTnote looks at smart city innovation in the UK and technologies involved. It considers the factors driving adoption of smart city technologies, and the potential benefits, barriers and risks associated with their implementation.

Professor Tim Watson explains: “Smart cities use data and digital technology to make better decisions and improve the quality of life of people in the community. Local councils and governments can get more comprehensive, real-time data to understand how demand patterns are changing. This data can then be analysed to help with better decision making.”

Throughout the UK cities are, using this data, adopting strategies to boost their economy following the pandemic, allowing them to ‘build back better.’

Read more about Smart Cities here: https://post.parliament.uk/research-briefings/post-pn-0656/

WMG’s cyber security research team, led by Professor Carsten Maple and Associate Professor Dr Gregory Epiphaniou, have been advising the Department for Digital, Culture, Media and Sport (DCMS) on new regulations designed to make ‘smart’ products – like televisions, cameras and household appliances that connect to the Internet – more secure for consumers to use.

The consumer sector is highlighted as being of immediate concern due to users’ security knowledge gaps, overwhelming evidence provided by researchers and media headlines highlighting industry poor practices.

The DCMS’s new regulation will include three major requirements:

1. Customers must be informed at the point of sale the duration of time for which a smart device will receive security software updates

• 2. A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often pre-set in a device’s factory settings and are easily guessable
• 3. Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.

Carsten Maple, Professor of Cyber Systems Engineering explains: “As a member of the IoT Security Foundation (IoTSF) Executive Strategy Board, I welcome the announcement as a significant step towards ‘making it safe to connect’ to the Internet of Things. WMG are proud and active members of the IoTSF, and we have long championed the need for fit-for-purpose security across all market segments.”

Digital Infrastructure Minister Matt Warman said: “From the offset, we have been proud to offer industry a major role in the development of the government’s approach to boosting the security of smart devices. With IoTSF ‘s support, I am confident that both the wider industry and consumers will continue to welcome our proposals that will help the UK build back safer. I look forward to our further collaboration on this important issue.”

Read more about the regulation here:
https://www.iotsecurityfoundation.org/uk-government-update-on-plans-for-consumer-iot-security-regulation/

Smart infrastructure company Costain have just announced that they are joining I-Trace, a part-government funded project led by Cisco and involving a consortium of partners including WMG at the University of Warwick, BT and Senseon to conduct cybersecurity trials in real-world infrastructure settings.

WMG have already been working closely with Costain on an IoT (internet of things)-enabled Data across the Supply Chain (SIDS) project, which is funded by the WMG Centre High Value Manufacturing (HVM) Catapult. That project aims to develop a set of principles of cyber secure data sharing in a networking infrastructure, such as a manufacturing supply chain. The research team, led by WMG’s Professor Carsten Maple, hoped to allow businesses to take a risk-based approach to data sharing, encouraging industries to be more connected.

Professor Maple explains:

“The SIDS project is an integral component of our work in designing secure and resilient supply chains. Within a smart factory, you are in control of your own data. But if you start to add other parties into that, you need to understand what the risks are and how to mitigate them. For example, if you can turn your production system on via a mobile phone, you need to know the cyber security credentials of the network provider, the phone manufacturer, the app developer and so on.”

Professor Maple and his team at WMG at the University of Warwick have had a long-standing research partnership with Costain, to explore and apply the principles of secure data sharing.

Kevin Reeves, Director of IoT & Digital Twin at Costain, is an Honorary Research Fellow at WMG and he has been working with us to understand how digital manufacturing and production-based approaches can be applied to design and build activities in infrastructure projects as part of a digital transformation programme at Costain. Kevin explains:

“In production, it is all about repeatability. At Costain, we wanted to introduce a greater degree of standardisation into infrastructure projects. This will mean quicker mobilisation, fewer training costs, standard digital tools and services across the business. Doing this means integrating systems with suppliers and clients, which brings new challenges and the need for tighter security.”

Using the principles of secure data sharing developed in the SIDS project, Kevin has worked with WMG to create a digital blueprint of their enterprise system, so that they could assess their vulnerability to cyber-attacks, and shore-up their system, giving assurance to the entire supply chain.

This partnership with WMG has supported Costain in achieving the Cyber Essential Plus Scheme accreditation via the National Cyber Security Centre (NCSC), as well as the globally recognised cyber security international standard, ISO 27001. Costain have now created a specialist cyber security team to continue learning about new cyber threats as they emerge.

Kevin also noted that:

“Our clients increasingly require cyber security credentials before being willing to integrate their systems with ours. While this is a huge opportunity, data sharing and privacy is a massive challenge for industry, and it’s been exacerbated by the increase in remote working due to Covid-19.”

Professor Maple and his team believe one of the challenges for the future will be ensuring the right skills to support integration of supply chains in the future. While these practices offer huge opportunities for businesses to grow and increase competitiveness in the global market, the challenges are increasing in line. The threat landscape is always evolving, with remote working and increasing digitisation of infrastructure all becoming targets for hackers.

The new I-Trace project builds on this work. Tim Embley, research and innovation director at Costain said:

“The IoT is central to the fourth industrial revolution, which is seeing infrastructure delivery and operations become more data-driven, using insights gathered from connected devices, sensors, and telematics to inform long and short-term decision-making,” said “IoT security is a critical issue as cyber-attacks increase in both frequency and potency. There is a world of unseen potential when it comes to AI and blockchain in terms of increasing the resilience of IoT networks and better securing the integrity of IoT data that is so critical to driving safer, faster, greener and more efficient delivery and operations of infrastructure.”

I-Trace is a part-government funded, co-innovation project led by Cisco and involving a consortium of partners including BT, Senseon and the Warwick Manufacturing Group (WMG) at the University of Warwick. Costain has joined the i-Trace consortium to conduct cybersecurity trials in real-world infrastructure settings.

Using real-world data from live Costain project sites, the project will demonstrate how the unique i-Trace solution brings together two complementary technologies to secure critical data. Firstly, using machine learning systems to detect security threats on IoT devices via the network. Secondly, using distributed ledger technology (DLT) to guarantee that the data generated by these IoT devices is tamperproof and immutable, wherever it is in the network. These technologies will be deployed across Costain’s networks to secure M2M telematics, connected IoT sensors and monitoring equipment.

Peter Shearman, Head of Innovation, Emerging Technology and Incubation at Cisco UK and Ireland said:

“Securing IoT networks is a considerable challenge due to its scale and complexity, which has prevented organisations from maximising its use and taking their deployments to the next level,” added Peter Shearman, Head of Innovation, Emerging Technology and Incubation at Cisco UK and Ireland. “Our aim is to successfully trial a solution that offers end-to-end security of real-world IoT networks, which delivers the immutability and scalability required by commercial deployments, as well as being manageable and cost-effective. This has the potential to pave the way for IoT innovation that has never been seen before in the construction industry and beyond.”

The project will tap into the capabilities of the leading technology, security, and academic partners to prove the commercial viability of using these emerging technologies to secure the integrity of IoT data. i-Trace is part-government funded through Innovate UK and the UKRI’s Strategic Priorities Fund.

Read more about de-risking data sharing in the supply chain here.

The University of Warwick is one of eight trailblazing universities to have become the first in the UK to gain recognition for their commitment to cyber security education in a new initiative from the National Cyber Security Centre (NCSC) – a part of GCHQ.

Pioneering institutions in the UK have been recognised as the country’s first Academic Centres of Excellence in Cyber Security Education (ACEs-CSE) for delivering first-rate cyber security education on campus and promoting cyber skills in their community.

The ACE-CSE programme, led by the NCSC – a part of GCHQ – and the Department for Digital, Culture, Media and Sport, has recognised eight universities with gold and silver awards – with the next round of applications opening early next year.

Professor Tim Watson from WMG, University of Warwick comments:

"We are delighted to be recognised by the National Cyber Security Centre as an academic centre of excellence and to have been awarded a Gold Award for our cyber security education."

Chris Ensor, NCSC Deputy Director for Cyber Growth, said:

“I am delighted we can now recognise the first tranche of universities as Academic Centres of Excellence in Cyber Security Education, complementing our existing programmes which recognise high quality cyber security research and degree courses.”

“It is a testament to the continual efforts of academics, support staff and senior management that cyber security remains high on their agenda.

“We very much look forward to working with them over the coming years and strongly encourage other universities to work towards achieving similar recognition in the future.”

Seven universities received Gold awards in this first round of applications for demonstrating impressive approaches to promoting cyber security excellence. They are:

· Abertay University

· Lancaster University

· University of Southampton

· University of South Wales

· University of Surrey

· University of Warwick

· University of the West of England

Each of the successful Gold centres demonstrated they offer at least one NCSC-certified degree, deliver top cyber security training to staff and students from other specialisms within the university, work to improve the institution’s cyber resilience and carry out local outreach activities.

Digital Infrastructure Minister Matt Warman said:

“The UK has some of the brightest minds in the world working in tech and it's right we celebrate universities where so many people develop relevant and cutting-edge skills.

"We continue to work closely with academia to nurture the next generation of cyber security talent and I urge interested education institutions to apply for this recognition.”

Offering a NCSC-certified degree is necessary for receiving ACE-CSE recognition, as it demonstrates that an institution is already providing a high standard of education to students enrolled in cyber security disciplines.

However, successful ACE-CSE institutions go beyond this, offering cyber security education opportunities across the whole campus and to those in their wider community.

In the first tranche of award winners this included giving cyber security classes to those studying subjects such as Politics, Law, and Psychology and setting up work experience placements for local schoolchildren.

The next round of applications for ACE-CSE recognition will open in early 2021 to higher education institutions in the UK. More information about the initiative can be found on the NCSC website.

ENDS

15 DECEMBER 2020

NOTES TO EDITORS

The ACE-CSE programme plays an importance part in the NCSC’s ambition to create a regional cyber security eco-system which nurtures cyber security talent in local communities. In September, the NCSC announced 13 secondary schools in Gloucestershire and Wales had achieved CyberFirst Schools status for their excellence in cyber security education.

On the NCSC

§ The UK government is fully committed to defending against cyber threats and set up the National Cyber Security Centre (NCSC) as part of GCHQ.

§ The NCSC was created as part of the five-year National Cyber Security Strategy in 2016, supported through £1.9 billion transformative investment

§ The NCSC is the UK’s lead technical authority on cyber security and offers unrivalled real-time threat analysis, defence against national cyber attacks and tailored advice to victims when incidents do happen

§ If you have any additional questions, please contact pressoffice@ncsc.gov.uk.

FOR FURTHER INFORMATION PLEASE CONTACT:

Alice Scott
Media Relations Manager – Science
University of Warwick
Tel: +44 (0) 7920 531 221
E-mail: alice.j.scott@warwick.ac.uk

Smart home technologies are marketed to enhance your home and make life easier. However, UK consumers are not convinced that they can trust the privacy and security of these technologies, a study by WMG, University of Warwick has shown.

The ‘smart home’ can be defined as the integration of Internet-enabled, digital devices with sensors and machine learning in the home. The aim of smart home devices is to provide enhanced entertainment services, easier management of the home, domestic chores and protection from domestic risks. They can be found in devices such as smart speakers and hubs, lighting, sensors, door locks and cameras, central heating thermostats and domestic appliances.

To better understand consumer's perceptions of the desirability of the smart home, researchers from WMG and Computer Science, University of Warwick have carried out a nationally representative survey of UK consumers designed to measure adoption and acceptability, focusing on awareness, ownership, experience, trust, satisfaction and intention to use.

The article ‘Trust in the smart home: Findings from a nationally representative survey in the UK’ published in the top journal PlosOne reveals their results, with the main finding that the the business proposal of added meaning and value has not yet achieved closure from consumers, as they have highlighted concern for risks to privacy and security.

Researchers sent 2101 participants a survey, with questions to assess:

- Awareness of the Internet of Things (IoT)

- Current ownership of smart home devices

- Experiences of their use of smart home devices

- Trust in the reliability and competence of the devices

- Trust in privacy

- Trust in security

- Satisfaction and intention to use the devices in the future, and intention to recommend it to others

The findings suggest consumers had anxiety about the likelihood of a security incident, as overall people tend to mildly agree that they are likely to risk privacy as well as security breach when using smart home devices, in other words they are unconvinced that their privacy and security will not be at risk when they use smart home devices.

It also emerged that when asked to evaluate the impact of a privacy breach people tend to disagree that its impact will be low, suggesting they expect the impact of a privacy breach to be significant. This emerges as a prominent factor influencing whether or not they would adopt smart home technology, furthermore making it less likely.

Other interesting results highlight:

- More females than males have adopted smart home devices over the last year, possibly as they tend to run the house and find the technology helpful

- Young people ages 18-24) were the earliest adopters of smart home technology, however older people (ages 65+) also adopted it early, possibly as they have more disposable income and less responsibilities – e.g. no mortgage, no dependent children

- People aged 65 and over are less willing to use smart home devices in case of unauthorised data collection compared to younger people, indicating younger people are less aware of privacy breaches

- Less well-educated people are the least interested in using smart home devices in the future, and that these might constitute market segments that will be lost to smart home adoption, unless their concerns are specifically addressed and targeted by policymakers and businesses.

Dr Sara Cannizzaro, from WMG, University of Warwick comments:

“Our study underlines how businesses and policymakers will need to work together to act on the sociotechnical affordances of smart home technology in order to increase consumers’ trust. This intervention is necessary if barriers to adoption and acceptability of the smart home are to be addressed now and in the future.

“Proof of cybersecurity and low risk to privacy breaches will be key in smart home technology companies persuading a number of consumers to invest in their technology.”

Professor Rob Procter, from Computer Science, University of Warwick, adds:

“Businesses are still actively promoting positive visions of what the smart home means for consumers (e.g., convenience, economy, home security). However, at the same time, as we see from our survey results, consumers are actively comparing their interactional experiences against these visions and are coming up with different interpretations and meanings from those that business is trying to promote.”

The UK Government has announced that it will switch its contact-tracing app to a model based on technology by Apple and Google. Professor Carsten Maple, of WMG at the University of Warwick, discusses the impact that this might make to public confidence in the app.

Professor Maple is Professor of Cyber Systems Engineering and recently led research that showed that the UK public wants the NHS to be the controlling body in the Covid-19 contact-tracing app.

Professor Maple said: “The Government changing their stance on the architecture is a significant development. It is worrying that the Government feel they cannot create an app which could, by its own assessment, have a significant impact on controlling the pandemic, without relying on the support of the major tech companies. We should recall that the early versions of apps in other countries could not avail themselves of this Apple and Google capability, but were still effective in controlling the virus. It will be interesting to see how the Government will now attempt to gather the data that they said was so important to control the pandemic, and worth the privacy intrusions that arose in their abandoned version, now that they are taking this new route. This, in itself, could erode confidence in any app that is released."

Dashcams are vital for helping police investigate car incidents, however the way the footage is submitted to police, managed and processed can cause problems. A researcher at WMG, University of Warwick has assessed seven different types of dashcams’ SD storage systems to see how they help and hinder digital forensics.

Many cars now have dashcams, an in-vehicle mountable camera which records video and audio footage of journeys. They have significant evidential value in digital forensics as they provide GPS data, temporal data, vehicular speed data, audio, video and photographic images.

In the paper, ‘Dashcam forensic: A preliminary analysis of 7 dashcam devices’, published in the paper Forensic Science International: Digital Investigation, Dr Harjinder Lallie, from WMG, University of Warwick explores two aspects of dashcam evidence: the problems related to the management and processing of dashcam evidence, and an analysis of artefacts generated by dashcams.

The public have massive trust in the NHS, who should have control and access to data in the Covid-19 contact-tracing app, according to new research by researchers in WMG at the University of Warwick, and at the University of Birmingham.

Carsten Maple, Principal Investigator of the NCSC-EPSRC Academic Centre of Excellence in Cyber Security Research and lead for the Cyber Security Global Research Priority said:

"With all of the possible design choices for a contact-tracing app, many commentators and experts have argued which approach is in the best interests of the public. For example, some have argued that centralised apps create privacy invasions that are unacceptable; others have argued that to be effective the apps should be centralised. However, as yet, the opinions of the public have not been gathered and so we have undertaken a significant survey to elicit their thoughts. We have examined how important privacy is to them and how willing they are to engage and share information."

Dr Rebecca McDonald, lecturer in experimental economics from the University of Birmingham said:

"The first encouraging results of our study are that only 9.6% of the public always chose to opt out of using the contact tracing apps we described to them. We asked people to express a direct preference between controlling the pandemic or preserving privacy, and we found that over half (57.4%) of participants favoured prioritising controlling the pandemic over privacy, contrasting with around a fifth (20.1%) favouring protecting privacy over controlling the pandemic."

However the most powerful and important result from the survey was the contrasting degrees to which participants trust different agencies or individuals with their data, even when anonymised. The group least trusted to be given access to this data was other app users but by far the most trusted group or organisation was the NHS.

Professor Carsten Maple in WMG at the University of Warwick said:

"It is clear that the NHS enjoyed overwhelming trust in terms of access to personal data collected by such apps, even when anonymised. Surprisingly, respondents’ choices suggest they would be most concerned about the decentralised approach that protects from Government access to information and instead shares information among other app users. The results indicate that users want a centralised approach, like the one currently being adopted by NHSX.

"Our research clearly shows that the public is broadly supportive of the use of a COVID-19 contact tracing app and would download it in significant numbers, providing the app providers listen to their wishes on who should have access to their data. The NHS is by far the most trusted gatekeeper for that data."

The table below shows in percentage terms how much more willing people are to use an app when their data is shared with different organisations (as in a centralised approach), compared to when it is shared with other app users (as in a decentralised approach).

 The research highlights that people have a strong desire to understand the way a contact tracing app would work, and many respondents said they would need control over what data is shared about them, and who it is shared with, before they would be willing to download the app. Since widespread uptake is needed for the app to be effective, addressing these potential barriers has to be at the heart of any large-scale roll out of the contact tracing app. The appetite is there, but the public need transparency in order to trust, download, and use the app.

The research also found that public would also have concerns about linking proximity data to other data sources. (They were particularly concerned about the linkage of their shopping location from credit/debit cards data. Some also had concerns about practical things like the impact on their phone’s battery life, or the amount of data the app might need to use.

The researchers surveyed 2,171 members of the UK general population in a nationally representative sample and have published that research in a paper entitled “Speak for Yourself! Attitudes to contact tracing applications in the context of COVID 19: results from a nationally representative survey of the UK population” at: https://github.com/carstenmaple/SpeakForYourself.
NB the paper has not been peer reviewed but has been published now due to the urgency of the issues it examines.

ENDS

The Cyber Security for Connected and Autonomous Mobility (CAM) has been investigated in a series of projects funded by the Centre for Connected and Autonomous Vehicles (CCAV) and supported by Zenzic and InnovateUK (part of UKRI).

Out of seven projects, WMG, at the University of Warwick was involved in three:

1. Positioning, Navigation and Timing (PNT) Cyber Resilience: a Lab2Live Observer Based Approach

2. ResiCAV

3.BeARCAT

Each project was tasked with exploring innovative methods for measuring and monitoring cyber security, defining a set of requirements for a future Cyber Security facility/capability and understanding the commercial landscape for such a facility.

These 3 objectives were addressed across a number of different themes with Cyber for CAM: Monitoring, Threats to connected vehicle, networks, Threats to automated vehicles or Countermeasure and risk mitigation.

Dr Elijah Adegoke, from WMG, University of Warwick was involved in the PNT Cyber Resilience project. In collaboration with Spirent, key recommendations made to Government include that spoofing and jamming attacks on GNSS signals are capable of leading to severe loss of functionality and safety in CAVs; thus there is an urgent need to invest in independent facilities capable of seamlessly testing attacks on CAM PNT systems in both controlled laboratory and live environments.

Zenzic, the University of Warwick and Spirent now aim to work with standardisation bodies to guide the development of GNSS attack detection and GNSS resiliency assessment standards, and the responsible disclosure of information on threat actors and attack events.

Dr Adegoke commented: “To investigate jamming and spoofing in CAM PNT systems, a test facility needs to be able to quantify the resilience of a CAV against both radio frequency based and software attacks for diverse receiver operating systems and hardware architectures. Access to a drive-in anechoic chamber, such as WMG’s Communications and Sensors Lab in the Professor Lord Bhattacharyya Building, to allow the legal testing of over-the-air attacks is highly beneficial.”

Professor Carsten Maple, of WMG, University of Warwick, was involved in ResiCAV and BeARCAT.

ResiCAV was led by Horiba Mira, and highlighted how connected and autonomous vehicles (CAVs) and their associated infrastructure can develop real-time responsiveness to cybersecurity threats, and highlighted the ‘urgent need’ for a national road transport cybersecurity programme in order for the UK to safely support CAV adoption across the transport network. Professor Carsten Maple comments:

“The ResiCAV project has proven that the UK could become a world-leader in automotive cybersecurity and vehicle resilience, however this can only be done if there is a collaboration between industry and the shared use of testbeds. The project has shown that cyber resilience can only be effectively achieved by developing a new engineering methodology. We have, with partners, started the journey to formalising the methodology, and provide the tools and techniques for achieving resilience through manufacture and operation.

“I hope this next step after this project is to see funding for the development of the ‘UK Centre of Excellence for Road Transport Cybersecurity Resilience’ to thrust the UK to the forefront of automotive cybersecurity.”

Professor Maple was also involved in BeARCAT, led by Cisco the BeARCAT project highlights that with the high infrastructure set-up costs and extensive overheads in the management of a test facility for automotive cyber security, the most cost-effective course of action is for a UK CTF (Cyber Test Facility) to be collocate with the existing testbeds. He comments:

“We are pleased to have developed a Security Framework for cyber security testing in the CAV ecosystem, including coverage of security threat modelling and risk assessment. Working with our partners we have defined mechanisms for communications resilience and provide a blueprint, based on the security framework, for testing certification. We hope these contributions will be helpful to the Government as it seeks to establish a world-leading capability in developing and assessing cyber security for automotive systems.”

All three projects prove the UK could be pioneering Cyber Security in Connected and Autonomous Mobility if companies within the industry work together to share resources and testbeds, which could bring autonomous vehicles one step closer to our roads.

DOWNLOAD NOW: Cyber Resilience in CAM – Cyber Feasibility Report: http://zenzic.io/cybersecurity/

ENDS