As a university-based competence centre, KASTEL's main objective is to develop methods and concepts for secure IT systems of the future. The holistic approach and the application reference are in the foreground. This is achieved by bundling the outstanding capabilities of twelve working groups in the field of IT security in one centre.
In order to ensure the practical relevance of the developed solutions and to ensure technology transfer, an exchange with companies from the Karlsruhe Technology Region takes place. Technology transfer in the security sector is intended to strengthen the region economically.
The work of KASTEL pursues two major goals:
The first major objective is to investigate the impact of increasing networking on IT security of systems. To this end, various aspects of smart environments are first of all examined, which are characterised by a variety of networked sensors and actuators. Networked production (Industry 4.0) is also regarded as an application in the economy. Furthermore, the security of networked critical infrastructures, such as decentralized power grids (Smart Grid), will be investigated.
The second major objective is to link theory and practice. Inspired by the experiences of the first funding period, methods and tools will be further adapted and extended by functions that allow an approximation to the requirements and complexity of real systems.
Security and Privacy for Future Energy Grids
Our energy systems will be fundamentally rebuilt in the future. Renewable energies, such as solar and wind energy, are produced locally and decentralized. This makes reliable planning difficult. Only through the intensive use of IT it is possible to reconcile production and demand.
This widespread use of IT systems simultaneously brings new threats to the economy and society: the power consumption data collected for network control allow conclusions to be drawn both on private habits and production processes in industry. At the same time, additional IT systems increase the attack area; manipulation can lead to disruptions, damage and long-term, large-scale power outages. This makes IT security an important prerequisite for the Energiewende (energy transition). The power grid must be considered as a whole in order to be able to integrate the concepts and methods of computer science and electrical engineering in a suitable way. In particular, data protection and the legal framework of regulation also require a close involvement of jurisprudence. KASTEL develops interdisciplinary solutions for the security and privacy of the power grids of the future. A particular challenge is to reconcile the seemingly contradictory requirements for functionality, real-time capability, privacy protection and robustness against attacks and disruptions. Distributed energy systems should not only have a secure IT infrastructure, but also be robust as a whole, since attacks cannot be completely avoided. KASTEL researches the security and robustness of real systems in the Energy Lab 2.0 of the Helmholtz Association and in the IT Security Laboratory for the Production of the Fraunhofer IOSB.
Security and Data Protection for the Future Living- and Working-Environment
The far-reaching integration of IT technology into the world of life and work enables a multitude of innovative applications and services. In so-called Smart Environments, networked sensors and actuators form the basis for automating everyday processes, providing greater convenience and making efficient use of resources such as energy or water. However, the ubiquitous collection, storage and processing of data that goes hand in hand with this also affects the core area of personal life. The collected data can be used to identify activities, interests and preferences of individuals or processes in organisations. One of the major challenges for Smart Environments is therefore the protection of the privacy of individuals and the business secrets of organisations.
Security in Smart Environments encompasses various interlinked aspects, which as such are also investigated together in KASTEL. On the one hand, the protection of privacy in the collection, storage, processing and visualisation of data. On the other hand, the protection of this data from unauthorized third parties during each of these steps. Secure procedures and communication protocols form the basis for this. In addition, it also deals with related legal issues, such as data protection, in each of these areas.
Security and Data Protection for Future Production Systems
Modern production facilities are highly networked. Embedded systems communicate with each other independently, planning systems from the cloud calculate order steps and machine occupancy, plant operators monitor and control from a distance, maintenance personnel access resources worldwide and perform configuration changes. In the networked world, the protection of production facilities no longer ends at the factory building or the company grounds. The network connections allow adversaries to intrude and manipulate the systems, malware infections can completely paralyze large areas of the system, causing immense physical damage to the system and danger to the population. Not only since news about Stuxnet, Duqu, Flame and Havex has it been clear that production facilities are easy targets for cyber attacks.
Industry 4.0 is increasingly dissolving the previous separation of traditional IT networks and production networks in order to be able to operate communication and data exchange across all network hierarchies. Network components in production are clearly different from the components used in traditional IT. In its development, which is designed for a service life of several decades, networking and the associated data security have so far played little role. Historically, production lines are separated from each other and from other IT systems. This separation was enforced physically, by separate communication networks and also logically, by different protocols. In the course of Industry 4.0, these systems will now be connected to the network systems of traditional IT. The industry hopes that this will result in more flexible and efficient production processes. However, the production systems are also exposed to many hazard scenarios of traditional IT systems, which makes IT security an important aspect of industrial systems. In order not to jeopardise the success of industry 4.0, the use of new technologies must not become a security risk.
Provable Security for Complex IT-Systems
Security in modern and complex systems can only be reliably guaranteed if the requirements placed on a system are consistent from design to implementation and quality assurance of the system. Practically observable attacks on systems are usually due to a lack of security concepts or to errors that only arose during implementation, since the security design was not consistently implemented. That's why we at KASTEL are researching a system theory for the continuous adaptation to strategic, evolving adversaries, as well as tools and methods that take a holistic view of security from design to the last line of code, making it possible to implement and verify it throughout. Experts from the most diverse disciplines of computer science therefore work closely with experts from the legal sciences in order to further develop familiar methods for the documentation and analysis of systems and programs and to make them usable for use in the security-critical environment.