Competition document: security for the internet of things

Updated 13 October 2015

1. Security for the internet of things

This Centre for Defence Enterprise (CDE) themed competition is on behalf of the UK intelligence agencies: The Security Service (MI5), Government Communications Headquarters (GCHQ) and the Secret Intelligence Service (SIS) (MI6).

This CDE themed competition is looking for proof-of-concept research proposals for innovative technologies to address security challenges presented by the internet of things (IoT).

Your proposal must be received by CDE by 5pm on Thursday 29 October 2015. Submit your proposal using the CDE online portal.

2. Background

The Security Intelligence Agencies (SIA) are responsible for protecting the United Kingdom against threats to national security. Much of their work is about ensuring that technology is ‘Secure by Default’.

In a democratic society, it’s vital that SIA are well regulated by law and subject to rigorous oversight. There should be as much transparency as possible without compromising their operations.

The SIA operate within a well-defined framework of governance that regulates how they may counter threats to national security. Any proposal accepted under this competition will be subject to the SIA’s high standards as dictated by their legal and policy frameworks. These can be found using the organisational links above.

The IoT describes a world in which everyday objects are connected to a network so that data can be shared. This brings a new set of challenges due to the diverse range of technologies involved and where and how these are used.

In 2014, the Government Chief Scientific Adviser produced a cross-government report known as the ‘Blackett Review’. This report highlights some of the opportunities and challenges for the IoT.

We recognise that it may not be possible for you to provide a complete solution so we’re interested in proposals that address one or more aspects of the challenges below.

3. Technology challenges

For the security of the UK, the SIA must understand the threats from, and explore countermeasures to, networked technologies. The IoT includes a diverse set of technologies, use cases and sectors eg national, medical, home user, enterprise, automotive etc.

Looking ahead over the next 5 years the SIA are considering:

  • what are the most likely technologies that will affect everyday life; where and how will they be used?
  • what security and privacy concerns matter most with each type of use? eg availability and integrity may be more important in medical devices but privacy may be more important than availability with a microphone-enabled light
  • what technologies, protocols and standards look most promising to support those sectors and what gaps exist that may need future investment?
  • what security and privacy principles should IoT devices and the vendors meet?
  • what alternative architectures might there be to the virtual and physical hub-based concepts that are currently emerging?

To help the SIA mitigate these issues, they’re looking for proof-of-concept proposals that provide solutions against the following 2 challenges.

3.1 Challenge 1: security of IoT devices

The SIA want to improve the security of devices and sensors that connect to one or more physical and/or virtual hubs in either a critical infrastructure or consumer environment. They also want to know when this security has been threatened and the impact this may have on the authenticity, integrity and availability of data.

The SIA want solutions that demonstrate:

  • how to manage the security of IoT devices
  • how to manage the privacy of data collected by devices

While enabling the management of systems and the protection of privacy of the data shared beyond the network, you should consider protocols that provide:

  • authentication
  • integrity
  • availability
  • supervisory control

Solutions should only collect data for the purpose of protecting the device, not for gathering intelligence.

3.2 Challenge 2: linking and understanding IoT data

In a world of connected devices, the SIA want to understand what’s happening based on observations from apparently unrelated data. They want solutions to pull together and visualise data from a diverse, sensor-rich, loosely connected environment that operates across different protocols and standards.

Your solutions should demonstrate how, based on the data gathered, 2 or more events/users/devices could be linked and how to indicate a level of confidence in that connection.

You should demonstrate how you might identify malicious activities from the behaviour and/or performance of the network nodes themselves. Where wireless is used, you should demonstrate the vulnerabilities it presents and how this can be made more secure at the physical layer.

You should consider:

  • gaps in dissecting and analysing protocols
  • how value can be brought from auditing IoT devices
  • how data from IoT devices could be used to enhance existing security, eg the presence of an IoT device as an additional authentication factor, using sensor monitoring to build patterns of life to inform security decisions
  • how vulnerable to attack the IoT devices are in different markets, eg medical, financial, automotive etc
  • what value could be gained by attackers from IoT devices, eg payment details, location

To demonstrate your technologies you should use representative data that you have permission to use.

4. What we want

The SIA are looking for innovative proof-of-concept technology developments, at technology readiness level (TRL) 3 to 4 (for a description of TRLs, see the Acquisition System Guidance), that demonstrate the highest quality and align with the challenges stated above.

Phase-1 project deliverables must be completed by 31 March 2016.

A successful proposal will clearly demonstrate how the new techniques and methods could provide a more comprehensive solution.

Proposals should be for novel research and innovation that result in a demonstration and have a realistic exploitation route. Solutions can either be software or hardware.

5. What we don’t want

The SIA don’t want paper-based studies, consultancy work, proposals that aren’t innovative, or demonstrations of mature technologies, ie TRL 6 and above.

The SIA don’t want technologies that can only be used for gathering intelligence.

6. Exploitation

The SIA aim to take forward a number of the most successful outputs from phase-1 projects for phase-2 funding. Only bidders funded at phase 1 qualify for entry into the competition for phase-2 funding, where up to an additional £1 million will be available.

Phase-2 funding will be awarded on a per-project basis and may be contracted through Dstl (Defence Science and Technology Laboratory) or directly with the SIA, where the terms and conditions could be different from CDE standard terms and conditions for phase 1.

Proposals successful at phase 1 will be supported by technical partners from the SIA.

If you’re funded at phase 1 you shouldn’t discuss the project outside your business. If your work is successful at phase 1 and you progress to phase 2 you may be required to sign the Official Secrets Act and you may later be asked to go through security clearances.

7. Important information

This competition will be supported by presentations given at the CDE Innovation Network event on 1 October 2015 and at the webinar on 8 October 2015.

Proposals for funding must be received by CDE by 5pm on Thursday 29 October 2015 using the CDE online portal. You should submit in plenty of time as there can be a delay between when you submit and when CDE receives your proposal, especially when the portal is busy.

You must mark all proposals for this themed competition with ‘Security for the internet of things + challenge 1 or 2’ as appropriate as a prefix in your title.

It’s more likely that at phase 1 a larger number of lower-value proposals (ie around £60,000) will be funded than a small number of higher-value proposals.

The total funding available for phase 1 of this competition is £1 million.

Proposals should focus on a short, sharp, proof-of-concept phase and deliverables must be completed by 31 March 2016. Any proposals for phase-1 projects that complete after this date will be rejected and won’t be assessed.

Suppliers should note that the SIA won’t provide data or infrastructure to support the development, testing or refinement of proposed projects.

As a deliverable of the phase-1 project, successful bidders will be expected to produce a costed plan of recommended future work to be carried out.

Proposals can include a descriptive scoping for a longer programme of any duration but the proposal should be clearly partitioned with a costed proof-of-concept stage, which is the focus of phase 1 of this CDE themed competition. Proposals for further work beyond the proof-of-concept stage will only be considered after the proof-of-concept stage has delivered, using the understanding gained to make an informed decision.

Read important information on what all proposals must include. Proposals that don’t include the required information are unlikely to be successful.

Proposals may be assessed by subject matter experts from MOD and SIA (including contractors under non-disclosure agreements), using the MOD Performance Assessment Framework.

Deliverables from contracts will be made available to technical partners and subject to review by MOD and SIA. Proposals must sit within the legal framework for the SIA.

Advice and/or guidance will be available throughout the project via the appointed technical partner, who will also provide the interface with MOD and the wider government stakeholder community.

8. Dates

  • 1 October 2015: Competition briefing at Innovation Network event
  • 8 October 2015: Webinar
  • 29 October 2015: Competition closes at 5pm
  • Early December 2015: Contract placement initiated
  • By mid-January 2016: Feedback provided
  • 31 March 2016: Latest date for the delivery of phase-1 proof-of-concept research

9. Queries and help

As part of the proposal preparation process, queries and clarifications are welcomed:

Technical queries about this specific competition should be sent to:

General queries (including how to use the portal) should be sent directly to CDE:

Capacity to answer these queries is limited in terms of volume and scope. Queries should be limited to a few simple questions. Alternatively, if provided with a short (few paragraphs) description of your proposal, the technical team will provide, without commitment or prejudice, broad yes/no answers. This query facility is not to be used for extensive technical discussions, detailed review of proposals or supporting the iterative development of ideas. While all reasonable efforts will be made to answer queries, CDE and MOD reserve the right to impose management controls when higher-than-average volumes of queries or resource demands restrict fair access to all potential proposers.