top of page


IoTSec Australia held the third of it's Cyber Forum series on December 2th themed on Connected Transport/Autonomous vehicles at BDO in Brisbane. IoTSec Australia Director Mike Younger introduced proceedings and the first keynote was delivered by Dr Miranda Blogg, Director of Co-operative Transport/Autonomous Vehicles at Department of Transport & Main Roads Queensland.

Dr Blogg gave an update on the departments strategy for Queensland's transport system "Creating a single integrated transport network accessible to everyone" in light of the movement to a connected transport infrastructure (Co-operative Intelligent Transport System or C-ITS) globally. Congestion, road and pedestrian safety were the key themes covered by Dr Blogg assisted by both infrastructure to vehicle and vehicle to vehicle intelligence. A C-ITS is currently being conducted with Ipswich City Council with feedback used to plan a larger pilot. Not surprisingly the global trends lead by the US and EU are being mirrored in Australia with both NSW and Queensland fairly advanced in strategy and planning with pilot's moving ahead.

Dr Andry Rakotonirainy, Deputy Director Centre for Accident Research & Road Safety at the Queensland University of Technology delivered the second keynote, focusing on the safety aspect of infrastructure to infrastructure and vehicle to infrastructure applications of C-ITS. Dr Rakotonirainy spoke on the security issues with autonomous vehicles but believes that currently, software failure presents more of a security challenge than hacking of vehicles.

Lastly IoTSec Australia Executive Director, Lani Refiti facilitated an expert panel consisting of Jamie Smith, Connected Transport Lead from Telstra, Stuart Allen-Keeling, Principal Security Specialist from Department of Transport & Main Roads Queensland and Dr Andry Rakotonirainy. The panel was more focused on the security aspects of autonomous vehicles with a lively discussion around current PKI based measures for infrastructure to vehicle security being deployed internally to secure CAN traffic to ECU. Possible applications using blockchain to ensure validity and authenticity of CAN traffic was encouraging but needed further testing and development.

Thank you to all our speakers and participants and in particular our sponsors BDO and Cisco Systems for contributing to a successful event.

IoTSec Australia is excited to announce an initiative in collaboration with IoT Alliance Australia to co-author an executive guide titled Cybersecurity for Cities 4.0 - An executive guide. The guide is intended to advocate for a secure by design approach and security as a founding and guiding principle when initiating a Smart City project.

Cybersecurity for Cities 4.0 will be launched at the Cities 4.0 conference in 2017.

This article was submitted for IoTWorldNews publication

“The same intelligence that enables devices to perform their tasks, must also enable them to recognise and counteract threats.” - WindRiver

IoT adoption is growing at pace as organisations discover more efficiencies, develop new revenue streams and business models as the number of connected things grow. A recent Gartner research note showed that 29% respondents were currently using IoT with an additional 14% planning to deploy projects in 2016 and 21% planning to implement post 2016. In 2016 alone we will see a 50% growth in adoption rates globally according to Gartner. This is juxtaposed against a recent Microsoft study showing that security is the biggest hurdle for enterprise IoT adoption in 2016 and will remain so in 2017.

In the previous two articles I covered off security as a guiding principle for the IoT ecosystem and the need for a holistic, architecture based approach encompassing people, process and technology. In this article we delve deeper into three crucial capabilities that will underpin a secure approach to IoT security. These capabilities are by no means exhaustive but for organisations looking to deploy IoT projects they are simple and achievable pillars as part of their overall security architecture strategy.

1. Visibility

There is an old adage in security and that is “you can’t protect what you can’t see”. Visibility is crucial in any cybersecurity ecosystem, to know what assets you have and the ability to manage those assets is a prerequisite for securing those assets and the data that is either stored, processed or transmitted. But when we deploying IoT at a rate of 3 million things per day, reaching 100 billion by 2025, exactly how is this achievable? To complicate matters there are multiple competing communications protocols for both short distance (6LowPAN, Zigbee, Z-wave, Bluetooth LE) and wide area (Symphony, SigFox, LoraWAN, NB-IoT) and an estimated 300 IoT platforms currently deployed.

The ability to discover devices and if applicable the user entity associated will be key and this is where the network and IoT platform layers will assist greatly. As devices are provisioned, the entity (user mapping to device) needs to be shared to a common repository which is dynamically updated as devices respond to heartbeat/keep alive requests from the gateway/platform. Due to the size and dynamic nature of the data, this repository will need to be distributed across the IoT ecosystem encompassing both datacenter and edge analytics. This IoT data lake can then be mined and correlated for threats and/or malicious or suspicious activity. Has there been a spike in CPU on the sensor? Has there been irregular amounts of keep alive packets? Has the device exceeded it’s baseline of data? IoT analytics is in early adoption with IBM’s Watson IoT, SAP Hana and Cisco Fog computing just some of the options from the mainstream technology vendors. In the near future, the developing field of Artificial General Intelligence applied to IoT will help to analyse and identify threats from the massive amounts of data that the IoT will generate.

2. Automation

In an ideal scenario sensors are deployed, switched on and self-provision usually by having a certificate pre-installed and “calling home” to an update server to download it’s configuration. This process is automated else we could not scale effectively. An example is a sensor which tracks telemetry for fleet vehicles in the field. As the sensor is powered on it would update it’s factory settings by collecting the VIN, license plate and unique identifier for the vehicle it’s tracking. Ideally, in the same manner as the device has automated the provisioning process, it should also then ensure the key exchange process is secure, have the ability to boot into a secure known good state and be updated over the wire with new firmware and security updates as they become available.

We can build upon this scenario by building whitelisting capability into the sensor. During boot phase it checks it’s known good state against a defined whitelist of processes it can execute and if there is suspicious activity have the ability to fail gracefully and reset itself to a known good state. If our analytics platform detects anomalous or suspicious activity then the device is quarantined into an unroutable VLAN or a dynamic ACL pushed to the gateway the device is connected to. Other options could be traffic from the device(s) routed differently through the network to another inspection device where machine based learning or sandboxing technology is implemented. Unfortunately what I’ve just described is mere hypothesis at this stage of IoT maturity. The emerging field of Blockchain within IoT is a promising development to deliver a de-centralised and resilient IoT ecosystem.

3. Orchestration

If Visibility and Automation are the two key pillars of a secure IoT ecosystem then Orchestration is the glue that holds it together. If we explore best practice in terms of a device being provisioned into an IoT ecosystem;

  • Provisioning & authentication

  • Configuration & control

  • Monitoring & analytics

  • Firmware & security updates

Overlaying a secure architecture over this best practice approach;

Figure 1 - Proposed security architecture, Cisco Systems

We can quickly ascertain that in a secure ecosystem there are a lot of moving parts from secure provisioning and authentication through to post installation firmware and security updates. The only effective means to ensure coherence in this secure IoT ecosystem is having the capability to orchestrate components in an automated fashion. Using the example in Automation, Orchestration enables the device to self-provision, self-authenticate and ensure it has a known good state when it connects. From the edge network (Fog network) orchestration enables the device to be assigned the relevant resources in the data centre/cloud layer and also revokes this if suspicious or anomalous activity is detected by the analytics platform. This revocation can be in the form of certificate or network access using Network Access Control. Organisations who have the ability to orchestrate these functions also maintain Visibility into their IoT ecosystem and are able to automate security at scale.


VAO (Visibility, Automation and Orchestration) are three crucial capabilities organisations need to develop to ensure secure practices within the IoT ecosystem. These capabilities are largely people and process focused with technology as an enabler. VAO does not operate in isolation either and is only effective as part of a holistic, architecture based approach to security in the IoT ecosystem.

bottom of page