All of these positions are focused on fundamental research in privacy and security and applications of advances in these areas to health information systems. The following, which are drawn from the recent HealthSec call for papers, provide a partial list of privacy and security fundamentals that are of interest for application to health information systems:

• Access control and consent management systems
• Techniques for analyzing and securing audit logs
• Architectures for large-scale health information systems and health information exchange
• Medical devices and body area networks
• Mobile devices and their use with health and fitness devices
• Home and assisted living monitoring systems
• Threat models: formal descriptions and analysis
• Privacy enhancing technologies such as de-identification and differential privacy for electronic health records generally or specific types of data such as images or genomic data
• Usability and human factors
• Regulatory and policy issues
• Authentication and identification techniques
• Cryptographic protocols.

The available positions are associated with the Strategic Healthcare IT Advanced Research Projects on Security (SHARPS). See http://sharps.org for an overview of the project. Illinois Security Lab supports research and teaching in security at UIUC and manages the SHARPS project. See http://seclab.illinois.edu/ for more details.

PhD and MS Students: Please apply to the appropriate programs in the Department of Computer Science of the University of Illinois at Urbana-Champaign. Financial support is available through research assistantships and teaching assistantships. Both foreign and domestic applicants are welcome. See http://cs.illinois.edu/graduate for details on how to apply. The deadline for applications is December 15, 2011.

MD/PhD Students: Students should apply to The Medical Scholars Program. This demands simultaneous admission to three competitive programs (MD, PhD, and the MD/PhD program itself), but offers significant benefits like a waiver of medical school tuition and opportunities for research assistant support in the PhD program. This program is only available to US citizens. Send send email to Tony Michalos (michalos@illinois.edu) to learn more.

Postdoctoral researcher: This is a position for people completing their PhD in a relevant area of expertise. The position requires relocation to the Urbana-Champaign area and pursuing a research program that contributes to SHARPS.  Please send email to Carl A. Gunter (cgunter@illinois.edu) to learn more.

Research programmer: This is a position for a college graduate with demonstrated programming skills to work on technologies emerging from the SHARPS. The position is an academic hourly and is available for full time or part time work. We are looking for someone living in the Champaign-Urbana area. Please send email to mailinfo@sharps.org to learn how to apply.

Technologies like the Trusted Platform Module (TPM) enable remote attestation, but rely on a dedicated co-processor to perform the necessary integrity assumptions. Applications like Advanced Meter Infrastructure (AMI) in which electric power meters contain computers, communicate over digital networks, and are able to accept remote software updates, cannot easily provide remote attestation based on TPMs because of constraints like the cost of having a co-processor, which are considered excessive for this type of embedded processor application. However, advances in the design of security kernels and processors can address these challenges effectively.

Michael LeMay, a PhD student at the University of Illinois, has demonstrated a series of strategies for providing integrity guarantees based on technologies ranging from mote-sized coprocessors to compact software kernels to new hardware that supports integrity functions directly. The first work along these lines showed, for the first time, how to use security technologies to address the challenge of privacy for AMI. The idea was to use a TPM to assure integrity of the calculations on the meter so that demand response calculations could be done there as opposed to sending potentially sensitive data back to the meter data management agency. Utility companies that saw this work were generally accepting of the basic idea of giving them an integrity assurance for the software while keeping the data on the meter for privacy protections, but were skeptical of the use of the TPM. A second generation of work showed how similar assurances could be obtained with an inexpensive co-processor, and then, in a third generation of effort, how it could be done by implementing an integrity kernel on processors with a basic memory protection unit. A fourth generation of effort, embodied in LeMay’s dissertation, showed how features like the architectural support for the integrity aware kernel could be generalized to an integrity aware architecture in which the hardware is designed to explicitly support integrity functions in a compact set of extensions.

Dr. LeMay defended his dissertation in June of 2011. Here is a link to his home page.

• Compact Integrity-Aware Architectures, Michael LeMay. Doctoral Thesis, University of Illinois at Urbana-Champaign, August 2011.
• Enforcing Executing-Implies-Verified with the Integrity-Aware Processor, Michael LeMay and Carl A. Gunter. 4th International Conference on Trust and Trustworthy Computing (TRUST ’11), Pittsburgh, PA, June 2011.
• Cumulative Attestation Kernels for Embedded Systems, Michael LeMay and Carl A. Gunter. European Symposium on Research in Computer Security (ESORICS ’09), Saint Malo, France, September 2009.
• Unified Architecture for Large-Scale Attested Metering, Michael LeMay, George Gross, Carl A. Gunter and Sanjam Garg. IEEE Hawaii International Conference On System Sciences (HICSS ’07), Waikola, HI, January 2007.

• PCAST Workgroup Letter to the National Coordinator, Paul Egerman (Chair), Bill Stead (Vice Chair) and the PCAST Workgroup Members, Office of the National Coordinator for Health and Human Services Health Information Policy Committee, April 2011.

Recently the FCC has authorized the use of unused “white spaces” in the radio spectrum.  There are two primary strategies for determining whether spectrum is unused.  One of these is to produce a map of the geographic locations and frequencies that are claimed to be in use; the other is to use sensing technology in cognitive radios to collect reports dynamically.  The latter has some notable advantages, including the ability to do crowdsourcing of radio telemetry in which all willing sensors contribute data.  However, this type of data collection must be robust against malicious nodes that might vandalize spectrum by falsely reporting that it is not in use or exploit spectrum by falsely reporting that it is in use.

A University of Illinois PhD student, Omid Fatemieh, working with myself, Ranveer Chandra from Microsoft Research, and other PhD students, has demonstrated a range of techniques to limit the damage that can be caused by malicious misreporting of radio spectrum telemetry.  This work demonstrated the effectiveness of three primary strategies.  First, when sensing is done in small geographic cells it is possible to compare results from neighboring cells to corroborate reports and detect cells in which a majority of reports come from malicious sources.  Second, with suitable experimental data it is possible to use machine learning based on Support Vector Machines (SVMs) to create a classifier that can detect anomalies without the need for a specific radio propagation model.  Third, there are systematic ways to incorporate data from nodes that builds confidence in their trustworthiness such as remote attestation.  Fatemieh’s project included evaluations using TV transmitter data from the FCC, terrain data from NASA, and house density data from the US Census Bureau for areas of central  Illinois and southwestern Pennsylvania.  He conducted studies that demonstrated applications of the technology for advanced meter infrastructure in rural areas and for providing Internet access for public schools.

Dr. Fatemieh defended his dissertation in February 2011.  Here is a link to his home page.

1. Reliable Telemetry in White Spaces using Remote Attestation, Omid Fatemieh, Michael LeMay, and Carl A. Gunter, ACSAC ’11.
2. Assuring Robustness of Ratio Spectrum Telemetry Against Vandalism and Exploitation, Omid Fatemieh. Doctoral Thesis, University of Illinois at Urbana-Champaign, February 2011.
3. Using Classification to Protect the Integrity of Spectrum Measurements in White Space Networks, Omid Fatemieh, Ali Farhadi, Ranveer Chandra and Carl A. Gunter, NDSS ’11.
4. Low Cost and Secure Smart Meter Communications using the TV White Spaces, Omid Fatemieh, Ranveer Chandra and Carl A. Gunter, ISRCS ’10.
5. Secure Collaborative Sensing for Crowdsourcing Spectrum Data in White Space Networks, Omid Fatemieh, Ranveer Chandra and Carl A. Gunter, DySPAN ’10.

Smart grid technologies have introduced a variety of capabilities to electric power substations to link Intelligent Electric Devices (IEDs) through digital substation Local Area Networks (LANs) based on Ethernet. Such substations use multicast to send data and control commands between IEDs. At the same time, these substations have become increasingly connected to external systems and hence to threats of malicious attacks. This make it desirable to provide for secure multicast communications in which messages are authenticated and possibly even encrypted. Ideally one could use off-the-shelf security technologies such as the Internet Security Protocol (IPsec) to address this need, but there are two problems: (1) increasing complexity of substation configurations and the complexity of IPsec configuration make automated support of security configuration critical and (2) the latency requirements of substation communications must be respected by security protocols.

Research by Jianqing Zhang, a PhD student at the University of Illinois, and I has shown how to address these problems through the use of an extension of the Substation Configuration Language (SCL) called SecureSCL and a proper application of IPsec Group Domain of Interpretation (IPsec GDOI). Zhang’s technique adds annotations to SCL configurations and uses them to generate IPsec configurations. We produced a mathematical model of the configuration that supports basic tests of correct configuration. One of the most interesting aspects of the project was the discovery that a naïve application of point-to-point IPsec using a hub-and-spokes model is not efficient enough to maintain substation latencies. We did a experiments with various sizes of emulated substations on the DETER test bed and found that scalability depends on effective use of the underlying parallelism of the switches. Zhang used the TVA Bradley substation as a guiding test case for the studies.

The work is described conference and journal articles as well as his thesis. Doctor Zhang is now a research scientist at Intel Labs in Santa Clara where he works on the security of smart grid technologies for home appliances. Here is a link to his home page.

1. Application-Aware Secure Multicast for Power Grid Communications, Jianqing Zhang and Carl A. Gunter. International Journal of Security and Networks (IJSN), volume 6, number 1, 2011.
2. Application-Aware Secure Multicast for Power Grid Communications, Jianqing Zhang and Carl A. Gunter. IEEE International Conference on Smart Grid Communications (SmartGridComm ’10), Gaithersburg, MD, October 2010.
3. Secure Multicast for Power Grid Communications, Jianqing Zhang, Doctoral Thesis, University of Illinois, September 2010.

The following illustrations depict the typical architecture of an advanced electric substation LAN and the SecureSCL system respectively.

One strategy for getting load reductions during periods of peak demand is for Energy Service Providers (ESPs) to maintain direct control over a class of consumer loads.  This has tradeoffs against allowing indirect control by a consumer through means like variable pricing.  Direct control has the advantage that the ESP has better knowledge of how and when to shed loads, but direct control assumes the existence of appliances that can be relied upon to receive, and act on, load shed commands from the ESP.  This introduces a problem with the trust the ESP can place in consumer appliances.  Approaches that place trust in appliances, like relying on special chips that enable ESP access, make direct controls more expensive and difficult to deploy.  On the other hand, consumer “free riders”, who accept discount programs for direct control but fail to respond to load shed signals, make enforcement problematic if there is no ESP technical control.

I worked with a team that includes students from the TCIPG project and Andrew Wright from N-Dimension to develop a technique for direct control that is based on a “trust but verify” technique called Non-Intrusive Load Shed Verification (NILSV).  The idea is to use Non-Intrusive Load Monitoring (NILM) on smart meters to monitor power usage and from this to form an estimate of whether load shed instructions are being respected by consumers.  The main novelty required by the technique was a form of distributed NILM (dNILM) which does heavy-weight NILM calculations at the ESP backend while doing light-weight monitoring on the smart meter.  We did some preliminary tests of the technique to show general feasibility using monitoring of appliances in homes.

The over-all approach for NILSV is described in an article in an IEEE Pervasive special issue on smart energy systems [1], and details of the dNILM algorithms were presented at ISGT [2].

1. Non-Intrusive Load Shed Verification, David C. Bergman, Dong Jin, Joshua P. Juen, Naoki Tanaka, Carl A. Gunter and Andrew K. Wright. IEEE Pervasive Computing, Special Issue on Smart Energy Systems, volume 10, number 1, pages 49-57, 2011.
2. Distributed Non-Intrusive Load Monitoring, David C. Bergman, Dong Jin, Joshua P. Juen, Naoki Tanaka, Carl A. Gunter and Andrew Wright. IEEE/PES Conference on Innovative Smart Grid Technologies (ISGT ’11), Anaheim, CA, January 2011.