Mikko Kiviharju's research delves into the cybersecurity of critical infrastructure

What is your research about?

My research is focused on applied cybersecurity for logistics and critical infrastructure. This covers cybersecurity as life cycle thinking, the vulnerabilities in the internet of things and machine learning in cybersecurity.

How would you describe the impact of your research?

My main focus is on systems that are already in use, or directly available for use to protect critical infrastructure. Hence, societal impact is largely built-in to my line of research. I hope it will also be channeled into practical impact through collaborations with our partner organisations. From a scientific perspective, I think machine learning in our field is still in its infancy and there’s plenty of ground to cover with new research.

How has the information security of critical infrastructure evolved over the past two decades?

Stuxnet was a wake-up call for cybersecurity awareness in critical infrastructure. It was also a turning point. It’s been 13 years since its discovery, and I’d argue that situational awareness about security in different parts of critical infrastructure has improved dramatically. Yet, the questions of how we improve the security of these various parts, and when, are very different. Operational technology (OT) systems – the technology that helps to run and manage machines, plants, and equipment in various industries – are usually detached from the regular cycle of information systems, so there’s plenty of work to do. On the other hand, the security of critical information infrastructure has made some very positive strides in the past decade.

What are the highlights of your career, so far?

Regardless of its serious real-world effects, cybersecurity engineering is like a game. One party tries to protect systems and information while the other party attempts to break them or gain access to them. The attacker’s role is often more rewarding because success often feeds big and fast rewards. Personally I’ve engaged in some reverse engineering in, for example, figuring out the workings of an undocumented program. For example, revealing vulnerabilities in a highly protected protocol is rewarding – one such experience is when I managed to reverse engineer a security protocol in Microsoft’s fingerprint reader.

What are you excited about in your field currently?

Machine learning is entering real-world systems real fast, including logistics. They’re very different in technical terms, although security practices and security goals will stay more or less the same. It’s interesting to study how technical information security which has been tailored for machine learning technologies can fulfill traditional security goals.

What are common misconceptions about information security?

Information and cybersecurity are often seen only through products, although they are an integral part of organisational strategy and risk analysis. Integrity has many dimensions – hacking is a good measurement of systems integrity, while the integrity of function and processes is built on various parts.

Where do you find beauty in information security?

Information security theory is mostly applied mathematics. In mathematics, simple principles and inferences that have far-reaching implications have meaning and are considered beautiful. In this vein, the Shannon entropy – meaning theoretical uncertainty in information – is a concept and theory I find beautiful.

Who is your worst and best critic?

My worst critic is me, of course. Who else would know better if I actually tried my hardest! My best critic is a tough one – what makes someone a good critic? Perhaps someone who can provide a relevant context for your work, who has an idea of where you’re at and where you’re going an someone who can enable you to exceed yourself. My PhD supervisor, emerita professor Kaisa Nyberg was very good at this.

What do you do on your spare time and how do you relax?

I have my hands full with maintaining my 30-year-old house and garden! I also do carpentry and woodcraft – I build shelves, tables and ornaments. For sports, I've found that cross-country skiing, running and rollerblading work best for me.

Mikko Kiviharju has worked with information and cybersecurity at the Finnish Defence Research Agency, most recently as a research manager in cryptographic systems. His main areas of competence are information security and applied cryptography in access control and network security. Kiviharju has started as a professor of practice at Aalto University’s Department of Computer Science in May 2023.