Nigeria-born Edewede Oriwoh Engr, MSc, PhD, but now in UK, is an eminent cyber-physical security engineer with responsibilities to secure important digital infrastructures in some UK institutions. She is an enthusiast and evangelist in the world of cybersecurity covering cyber-physical security, the Internet of Things, Smart Homes and related areas. She spoke with Forensics Focus on this interview. Connect with Dr Edewede on LinkedIn.
Edewede, you spent some time as a post-doctoral researcher at the University of Bedfordshire. What was your area of study, and what first sparked your interest in it?
My research involved investigating security threats in Smart Homes (SH) and developing an anomaly detection framework and a presence detection model for Smart Homes. It was clear in the early stages of my research that security was (and this is sometimes the case with major technological developments) not quite prominent in discussions and developments around the IoT. In recognition of the importance of the security within SH, I developed the concept of a Cyber-physically secure “Happy Home” which is a baseline security model in which all the elements in a SH are at their most secure state. These elements are a set of attributes (or features) which can be used to build a “Happy Home” – or the equivalent for any other Cyber-physical environment. Deviations from this baseline can be used to identify anomalies in the overall SH system.
I also investigated the applicability of the Digital Forensics (DF) frameworks which were in existence during the period of my research into the Internet of Things (IoT) and analysed DF challenges for and within the IoT. I observed that a Digital Forensics (DF) framework which fully considered the atypical nature and features of smart, Cyber-physical – and in certain cases, autonomous – environments (such as Smart Homes) had not been developed. I decided to work on a DF framework for the IoT because I recognised that it was important to have a system which can be followed during investigations within such environments. A first draft of that framework (the Internet of Things Digital Forensics Framework) was developed. Alongside my work, there has since been some progress in this area from other DF researchers.
What does a typical day in your life look like?
A typical day involves working as a member of an E-Commerce Security Engineering Team at the office. I also try to keep abreast of goings-on in the Cyber-physical security world by researching, writing, holding security discussions with contacts both face-to-face and online and attending seminars/webinars.
I almost always end each day working on one or another of my hobbies.
Our lives are increasingly being lived online – what kinds of items are commonly included in Internet of Things forensics?
Within the IoT, devices which do not typically collect, store, analyse or disseminate data or information are being enabled to perform one or more of these functions through the use of sensors, actuators, networking and communications technologies, and local (onboard) or remote (e.g. cloud) storage, among other enablers. The IoT includes the Internet, all social media, apps and systems such as If This Then That (IFTTT), protocols such as Bluetooth and MQ Telemetry Transport (MQTT) and any interconnecting systems which link and enable communications between machines to machines, people to machines and people to people.
DF in the IoT is still in the very early stages however the items which can be expected to be found in IoT DF scenarios will include traditional, typical nodes such as Personal Computers, printers, laptops, mobile phones as well as atypical nodes such as kettles, cars, fridges, thermostats, pace makers, human and animal identification (ID) chips, and autonomous care assistants or systems including smart robots.
A recent paper of yours focuses on the need for responsibility modelling in the Internet of Things. Why is this so necessary, and what are some of the current challenges in this area?
Responsibility according to Ian Sommerville can be of a causal or a consequential nature. Causal responsibility relates to the actions which lead to an outcome or a set of outcomes and consequential responsibility applies to the effects of the actions and their outcome. In recognition of the inevitable transfer of duties to non-human nodes such as carers and self-driving (also widely referred to in literature as autonomous or driverless) cars, it is important to critically and explicitly identify the different players in the IoT ecosystem and the offload dynamics at play when tasks are handed over to non-independent and fully autonomous, self-deciding, non-human nodes and the party responsible for the actions and the consequences of the actions of these nodes.
It is risky to leave as an open-ended question the potential for accidents to occur with no method of clearly identifying a “subject” to attribute both causal and consequential responsibility to for the accidents. It also stands to reason that, in these early days of developing smart, autonomous systems to support humans with their day to day tasks, it is important to avoid a state of affairs where non-human nodes are expected to bear overall responsibility for their actions and, where this applies, any detrimental consequences for these actions.
It is now widely known that some self-driven vehicles are being programmed to seek to protect their occupants in the event of an impending accident with external parties to the vehicle not taking primary place in the car’s safety priority ranking. In the human-driven scenario, there is a possibility that the human might make an on-the-spot decision and decide to drive into a river, for example, in order to avoid running over pedestrians in their way.
There must be a framework to analyse the different factors which lead up to an “event” involving an autonomous system and the eventual decision taken by the system, even where the decision is hard coded. The option of saving a life and risking one’s own in the process is widely applied by humans. Is this done by instinct? If we will employ non-human nodes to support us with critical tasks such as transportation or hospital operations, we will need to be clear on why and how that previously described sacrificial humanity is being considered by, for instance, car manufacturers or AI developers or non-human agents.
The Trojan horse excuse is a well-known one in the field of cybersecurity. Within the IoT, it is imperative that through responsibility attribution models or frameworks, such excuses are avoided: “It was the car’s decision to run the victim over”; “I had nothing to do with the carer running her a bath that was too hot” are example scenarios which should spur the community towards a responsibility framework. The direct impact on human life in certain cases is very important and this subject should be part of the discourse around the IoT in all its manifestations. A non-human node may be the cause but cannot be allowed to be ultimately solely responsible for its decisions and actions.
In your opinion, where should the responsibility lie for connected items that are owned by members of the public?
Is this question about the responsibility for the actions of smart, autonomous items (Things) or the responsibility for the decisions which lead to the actions? Or both? Are decisions and actions the same things? Do these Things which you refer to make their decisions based on commands and instructions from their owners or independently of their owners based on their ability to consider the factors of different situations and their priorities, perhaps, as defined within their algorithms – or not – and/or based on previous and new knowledge/learning? Lastly, are these nodes free to choose between what their owners want and what is right? Or is right always equal to what the owners want?
Whether connected or not, some smart Things are designed to learn, act and improve (autonomous), some are designed to just act by following a set of explicit instructions (non-autonomous) and some are a cross between these two with some pre-configuration followed by independent learning and activity taking place in this third set. In some countries, a dog owner is responsible for keeping the dog and responsible for the actions and even the consequences of the actions of their dog. If it attacks a person or an animal, they are challenged for owning a dangerous breed or for not training it properly or for not keeping properly under control. In this scenario, the dog makes independent decisions but it is not dealt with independently of its owner. Consider a case where the owner unknowingly bought a dangerous dog: who then is responsible for its actions? Is it the owner, for not being knowledgeable enough to be able to identify a dangerous dog? The seller? The dog for doing what comes naturally?
In any case, with or without a responsibility model or framework (preferably with), humans who own autonomous smart Things and those who design and sell them will be responsible at different levels for the existence, the capacity and the actions of the Things. Regulatory bodies that do not set and monitor standards for their operations and acceptable conducts and degrees of operation may also be responsible.
What are some of the most common challenges facing those who investigate the Internet of Things, and how can these be addressed?
In preparing for forensic investigations, the following are some of the challenges.
The number of devices: The number of end nodes expected to be connected within the IoT varies, however whichever figure you look at, the potential for investigators to encounter PCs, laptops, phones, fridges, lighting systems, cameras and other typical and atypical nodes within domestic as well as commercial Cyber-physical environments exists.
The atypical nature: This refers to the variety of data, communication protocols and port types of some of the nodes in the IoT. The amount of information stored on them and the usefulness of that information also need to be considered.
Jurisdiction: A Body Area Network (BAN) with a pacemaker and an internal ID chip can present certain challenges and perhaps even deemed off limits by the person involved when compared with their Personal Area Network (PAN) which can consist of devices such as a mobile phone, a smart wristwatch and a laptop. In this case alternative sources of the required information may have to be considered; these can be network or remote storage containers. A not unreasonable alternative can be to ask the person involved.
Identifying the best sources of evidence.
Quantity of evidence: Due to the limited storage on some IoT nodes the data on these nodes may be too little to be useful (think sensors dispersed on farmlands and perhaps consider sink nodes as targets) or even too great to acquire (think Big Data and perhaps consider selective acquisition).
Access to cloud-stored evidence: In some cases, even end users are not given access to their own data by the smart system providers so a method of acquiring this data will need to be identified.
Encryption is a challenge which may hinder access to clear information.
Ownership. Permission and access to data stored locally, for instance, on a smart meter and data stored remotely with an energy provider will have to be acquired differently and these different approaches should be well defined. Ownership also applies to physical nodes and the algorithms which control them.
Privacy. This challenge is especially crucial to consider in environments such as Smart homes, hospitals, schools and BANs.
These challenges can be managed using a well-thought out, tested, hybrid, Cyber-physical forensics framework.
How far do you think the Internet of Things will grow? In the future, will there be any aspect of life that isn’t connected in some way?
There will be aspects of our lives which will not be connected: some aspects will remain unconnected be because we would not want to connect them. There are people today who live completely offline. In addition, I have met people who have asked me: “Why would I want to connect my fridge and communicate with it over the Internet”? These are not people who have no idea about the potential benefits of having a connected fridge. Some of them are either connection-fatigued or paranoid enough to think only about the potential pitfalls. Just to press home that last point: all the people who have asked me this question in fact are highly Cyber-physically security conscious!
Another reason why aspects of human life will remain unconnected is the same reason why many of us are still unconnected today: the absence of the infrastructure in certain countries, towns and villages as well as the cost of making the necessary infrastructure available. The traditional Internet has not penetrated certain parts of the world and without the baseline infrastructure of the Internet, the Internet of Things will either not develop in those countries or areas or will develop ineffectively as siloed environments e.g. a Smart home in which everything is interconnected but which the owner cannot control remotely because of the absence of an always-on Internet connection.
I think the IoT will continue to grow and expand especially within developed and rapidly developing nations. The benefits of the IoT in these countries will begin to be reaped especially in the areas of healthcare, services (hotel), retail (using fridges to order goods), transportation and smart cities enabling space management among other things.
The recent cyber attacks which have involved cameras, baby monitors, fridges etc. may be a cause for pause for some end users but I do not think it will slow down the uptake significantly. The onus is on Cyber-physical security professionals to educate end users on the precautions they can and must take when they consider buying smart IoT-connected nodes such as smart cars and thermostats. It would be unfair and unreasonable at this early stage of the IoT’s development to expect everyday end users to be highly security savvy and knowledgeable about what to avoid with their smart Things, without any prior information or support.
One of the most common concerns we hear about is the need for academia, law enforcement and corporations to work together to further the digital forensic field. In your opinion, how important is this, and how can we as practitioners help to make it happen?
In any field, a cooperative, joined-up approach between different parties and stakeholders is always important because it provides different perspectives on a subject matter and hopefully helps the different groups together reach as all-encompassing a solution as possible. With respect to DF, academia will be crucial in providing the tested theoretical background discussions as well as hands-on training and preparation for future DF investigators. Academia also researches relevant current and anticipated problem areas and tries to find solutions to these – they have the most important resources to do this: the human resource and the dedicated research programmes which can run into months or even years. It is important to highlight here however that these roles are not exclusively played by academic institutions.
The role of law enforcement will be invaluable to employing the services of DF graduates, being at the forefront of supporting the response effort and coordinating with legal frameworks and stakeholders to ensure successful preservation and presentation of evidence in court cases to enable acquittals or convictions as applies. Law enforcement can also serve as a channel for the input and interest of governments in supporting DF, especially where budgets and spending are concerned
In addition to employing the graduates and otherwise-trained DF professionals, corporations will also be employed in developing and marketing DF tools and solutions. Their services are equally crucial to DF: internal incident response and DF teams are not unheard of and as the first responders they are crucial to the overall process.
Practitioners can and should explore ways of bringing these different groups together by organising DF and Cyber-physical forensic events such as talks and workshops. It is crucial that students and Forensic enthusiasts be included in invitations to these events. At these events, the realities of requirements in the DF field can be addressed so that the theory is made to match the reality, and the policy recognises the challenges and the requirements for successful DF investigations to be carried out.
It is important to add here that a discussion must begin around how DF, forensic science and bio-technology professionals, autonomous system designers, etc. can work together to support an overall approach to forensics especially as the lines between these different fields begin to blur: if control of a prosthetic limb is taken over by a malicious party and no longer supports the owner, or a pacemaker malfunctions, different stakeholders will have to involved in the investigation and crucially the consequent discussion on how to improve the system for the owner. Security and forensics must now be part of different conferences which discuss bio-technology, forensic science, autonomous systems, sensors, etc.
I was at MEDICON 2016 last year and while it was an excellently organised and highly informative conference which presented ground-breaking research in medicine and technology, based on the programme and the presentations I attended, I believe I was the only speaker who was there to talk about Cyber-physical security. It is time to adjust this trend.
Are you working on any other pieces of research at the moment? What can we expect to see from you over the next year or so?
I am currently using different avenues to encourage end users to take ownership of and responsibility for their Cyber-physical security – online and in physical smart environments. I am especially concerned for those who are not well-informed about the threats that apply in these different spaces and for those who may not be able to help themselves e.g. the elderly who find themselves living alone in highly-interconnected Smart Homes and other such environments.
Finally, when you’re not researching, what do you like to do in your spare time?
When I am not researching the trends in Cyber-physical security and anticipating future Cyber-physical attacks and the methods that will be employed I try to take a few minutes a day to compose some new music or work on some of my unfinished compositions.
One of my compositions is going to be performed by the Vox Collective at Royal Festival Hall, Southbank Centre London, England on July 2nd 2017.