SP2I

Recent years have seen the proliferation of Intelligent Infrastructures (IIs) in domains such as the Internet of Vehicles, Industrial IoT, Cyber Manufacturing, e-Healthcare, Smart City services, Smart Grids and Smart Home applications. Intelligent Infrastructure services consist of layers that capture, exchange and analyze data as well as invoke autonomic responses sometimes supported by emerging Artificial Intelligence (AI) systems. The goal of Intelligent Infrastructures is a higher level of convenience for mankind, but with those promises have come privacy and security issues and concerns. Therefore, increasing security and privacy in Intelligent Infrastructures by designing new efficient solutions is an important research direction. Moreover, quantum-resistant security and connecting privacy with the law are also important research topics nowadays. The SP2I 2024 workshop1 aims to collect the most relevant ongoing research efforts in the field of privacy and security in Intelligent Infrastructures. This workshop also welcomes submissions that deal with interdisciplinary research connecting privacy to law, formal modeling, policy, and data privacy management. The SP2I also serves as a forum for relevant research projects to disseminate their privacy and security-related results and boost future cooperation.

The workshop is supported by the European Union under Grant Agreement No. 101087529 CHESS a nd the Ministry of the Interior of the Czech Republic under grant VJ03030014 under program IMPAKT 1. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.

Keynotes:
On value of large-scale blackbox analysis of software and hardware cryptographic implementations
Assoc. Prof. Petr Svenda, Ph.D., Masaryk University, Czech Republic

Abstract: The security analysis of cryptographic implementations is vital for building secure systems atop core hardware components. Yet, it is also frequently more challenging to assess due to the general closeness of the hardware industry. The resulting black box analysis is typically more complicated to set up, execute, and interpret the observed results. If analyzing only a single device, the likelihood of ending empty-handed is high -- the situation not favorable for academic researchers, further decreasing the pool of people motivated to perform independent security analysis. The talk will present lessons learned from large-scale analysis of cryptographic smartcards, Trusted Platform Modules, cryptographic libraries, and cryptocurrency hardware wallets performed over the past decade, which resulted in several high-profile, responsibly disclosed vulnerabilities against RSA and ECC implementations. Such an analysis approach increases the likelihood of a successful attack being found and provides realistic inputs for designing new attack methods. Additionally, the results obtained from all devices can be used to reason about the situation and weaknesses of the whole ecosystem instead of just reporting a single vulnerable device.

Petr Svenda is an associate professor at Masaryk University, Czech Republic. He first touched the domain of cryptographic implementations in 2002 while working on side-channel analysis and has kept his passion for cryptographic smartcards ever since. His team systematic analyses of (mostly) black box implementations resulted in the discovery of a range of real-world vulnerabilities like ROCA or Minerva, as well as a suite of tools to support developers of more secure cryptographic implementations.

IoT Discovery as the fundamental basis for AI guided penetration testing
Heribert Vallant, JOANNEUM RESEARCH, Graz, Austria

Abstract : Industrial IoT (IIoT) is an essential element in the context of Industry 4.0, with the aim of making the best possible use of machine operating times for a wide range of production batch sizes along the entire product engineering process. The cyber threat landscape associated with IoT is diverse, rapidly evolving, and has an enormous impact on the security of production facilities and the protection of corporate know-how. A major challenge for the definition of effective security measures in the IoT environment is the high level of complexity, which results from the variety of application areas for IoT. Identifying the assets to be secured in a complex system can be performed manually, using e.g. threat modeling, which aims to identify potential threats and vulnerabilities based on the architecture of the IT/OT system in question. Nevertheless, the dynamic and agile development in the manufacturing domain makes it challenging to secure industrial automation and control systems throughout their lifecycle. Penetration testing, a key mechanism for improving resilience preparedness usually involves manual procedures in the process. In order to answer to new challenges, automated testing using machine learning methods have become a rapidly emerging field, which puts this kind of testing to the next level. This talk focuses on the challenges related to complex and dynamic IIoT environments and automated solutions for new devices discovery and AI guided pen testing in such an environment, based on the current status of system at a given time - just a snapshot - not all (IoT) components of the CPS may be up and running.