The Internet of Things has taken over our lives at home, even though we barely realise it. Connected devices such as ‘personal assistants’ / talking speakers, Smart TVs, video doorbells, internet-enabled refrigerators, light bulbs, thermostats and coffee machines, to name but a few, are now present in a large number of homes.
And these things are great. I am a complete gadget geek and have a fair number of these items at home: a video doorbell that allows me to see and talk to anyone at my door if no one is at home (great for unexpected deliveries); a talking tube in my kitchen (which is mainly used for humour and settling family disagreements via internet fact checks); and a coffee machine whose app starts grinding beans and making me a fresh pot of coffee as soon as I get within 10 minutes of home. We also have a couple of Smart TVs and a varied collection of streaming boxes or sticks that mean I don’t have to go out to buy movies or TV box sets, or store DVDs like a chump anymore.
If I want to watch something I don’t own yet, I can normally get to it in less than a minute. The digital storage space is infinite and thankfully, not taking up any room in my house, and the content is available on demand on any device with an internet connection.
It’s the 21st century dream. Aside from the fact that I don’t live in a floating dome in the sky, I am living the life of George Jetson.
The one thing we never saw on ‘The Jetsons’ was how they dealt with cyber attacks. Given our current experience with internet-connected devices like these, it should have been present in every episode.
The Yang to these devices, that counters the Yin of enablement and automation, is that our current crop of Internet of Things devices represents a massive security vulnerability. All of the devices I have at home have NO hardware security or passwords; if you can connect to them, you can own them. All of their credentials are hard-coded, so you can’t change their identity or obfuscate them in any way. Last but not least, every one of these also has an App that only requires a username and a password (see any of our blogs on IDAM as to why this is a problem) to access their cloud-based control panel, make changes to settings and/or assume control of the device.
Not good.
More worryingly, they all also present a potential entry point to my home network, where I have lots of other devices that are more secure but also have much more valuable information on them that I don’t want to put at risk.
While not being able to see the courier stick my delivery in my ‘safe place’ or not having a pot of fresh coffee waiting for me when I get home are minor inconveniences, some of these IoT devices have purchasing power for media or anything from a well-known online store, which means they have access to payment credentials, and need to be kept as secure as possible.
Mitigating these risks at home took some careful planning; the devices that have to connect by Wi-Fi have their own dedicated network, firewalled off from everything else. The devices that can connect via a LAN cable do, and their Wi-Fi is switched off; these are safely on my secure network with firewalls and intrusion detection that only trusted devices get to connect to. There are still a couple of minor vulnerabilities here but overall, I am pretty happy with the level of hardening.
So, why am I writing a business blog about ‘My Connected Life’? Mainly because it’s the easiest way to frame the problem for Enterprise.
Sadly, for the most part, Enterprise IoT devices are exactly the same as the consumer devices I have highlighted above, with one main difference - very few of them (by volume) will connect via a LAN cable.
The vast majority of IoT devices out in Enterprise are sensors. These sensors could be reading temperature, speed, vibration, water levels, windspeed, flow or a number of other metrics. They could be on buildings, in fields, rivers, on boats or planes, in cars or at the side of a road.
For these devices to be effective, they need to be reliable, robust and power-efficient. This means keeping the tech to the bare minimum to get the job done, with no extra circuitry, because having to go out and repair or replace these things is a major cost factor in the delivery of the service. The more complicated they are, the more prone they are to failure.
The lack of security in our consumer IoT devices is actually a throwback from the Enterprise IoT devices which came along first, and the decision to not worry too much about security on the devices was partly a conscious one.
This conversation comes up in a number of settings, but it is easiest to explain in an IoT scenario. What is the point of securing the device when the data it transmits is not secret and we aren’t controlling the network it is transmitting on?
We could spend a lot of time or money securing the devices themselves, only to find that the remote sensor that is transmitting wind direction and speed from a field via 3G is then intercepted by a fake cell tower. We can’t control that, so is there any point in encrypting or securing this data? In reality, probably not. If you are in the ‘Selling Wind Data’ business, you probably need the input of thousands of sensors but your real money will be spent on the data lake where all this data goes, the predictive analytics which enable you to model what we can expect tomorrow based on current readings and the graphical interface that delivers smart diagrams or visualisations to your customers. The sensors themselves are a small piece of the pie. A potential competitor could benefit from your sensor data if they intercepted it, if they could invest and replicate the rest of your environment, but as this is where the main money is spent, it’s unlikely to give them much of a cost advantage, and they have a massive risk of you finding a way to cut them off from your sensors. Huge risk to the bad actor, not much of a risk to the rightful owner, not worth spending a lot of money to protect yourself against.
However, one unintended consequence of that is the ability for these sensors to be compromised by a threat actor and used to infect the eventual data source with malware. Inject a bit of malware in the data-stream via a compromised device and, left unchecked, it could infect the entire data lake. They could then hold your data to ransom or just drive your business to a halt for financial gain, competitive edge, or just for fun.
This is the presenting business challenge with a lot of the current IoT offerings in the marketplace today, specifically ‘Smart Building / Smart City’ type solutions. Typically, these are made up of a company that makes, configures, installs and services sensors in the field, coupled with a business that has datacentres and great BI skills. Transmitting the data sits at the edge of each of their offerings, so it ends up being a secondary thought. The requirement becomes about getting them to talk rather than getting them to communicate safely and securely. Sure, the solution works to start with, but it’s not secure, and that risks its long-term efficacy.
Core’s Connectivity Hub solution is designed to help customers manage IoT devices and mitigate the inherent risks of sensors and data transmission into your data repositories.
Devices are connected to the hub via your mobile data provider’s network (or via an appropriate connection if the sensors are all connected to another service), and the data is passed through multiple firewalls where deep packet inspection ensures that the data stream is as expected and no potential threats are identified.
Data streams that are potentially dangerous are quarantined for further inspection, while the rest of the data is allowed to pass to ensure that the majority of data is populated as and when required.
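To make the "as expected, otherwise quarantine" idea concrete, here is an added example (not Core's product code and not from the original post) of ingest-side checking that holds back anything a sensor should never send before it reaches the data lake. The JSON message layout, device IDs, metric names, ranges and size limit are all assumptions made for the illustration.

```python
import json
# Assumed contract for this example: metric name -> plausible (min, max) range.
EXPECTED = {"wind_speed_ms": (0.0, 120.0), "wind_dir_deg": (0.0, 360.0)}
KNOWN_DEVICES = {"fld-0001", "fld-0002"}  # hypothetical enrolled sensor IDs
FIELDS = {"device_id", "metric", "value", "ts"}
MAX_BYTES = 256  # a single reading is small; anything larger is unexpected

def inspect(raw: bytes):
    """Return (record, None) for an expected reading, else (None, reason)."""
    if len(raw) > MAX_BYTES:
        return None, "oversized"
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None, "not valid UTF-8 JSON"
    if not isinstance(msg, dict) or set(msg) != FIELDS:
        return None, "unexpected field set"
    dev, metric, value, ts = (msg[k] for k in ("device_id", "metric", "value", "ts"))
    if not isinstance(dev, str) or dev not in KNOWN_DEVICES:
        return None, "unknown device"
    if not isinstance(metric, str) or metric not in EXPECTED:
        return None, "unknown metric"
    # bool is a subclass of int in Python, so it is rejected explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None, "value is not a number"
    lo, hi = EXPECTED[metric]
    if not lo <= value <= hi:  # also rejects NaN and Infinity
        return None, "value out of range"
    if isinstance(ts, bool) or not isinstance(ts, int) or ts < 0:
        return None, "bad timestamp"
    return {"device_id": dev, "metric": metric, "value": float(value), "ts": ts}, None

def triage(stream):
    """Split a batch into records to forward and quarantined (raw, reason) pairs."""
    passed, quarantined = [], []
    for raw in stream:
        record, reason = inspect(raw)
        if record is None:
            quarantined.append((raw, reason))
        else:
            passed.append(record)
    return passed, quarantined

# Constructed sample traffic: two good readings, two that must be held back.
SAMPLE = [
    b'{"device_id":"fld-0001","metric":"wind_speed_ms","value":7.4,"ts":1700000000}',
    b'{"device_id":"fld-0002","metric":"wind_dir_deg","value":212,"ts":1700000005}',
    b'{"device_id":"fld-0001","metric":"wind_speed_ms","value":"not-a-number","ts":1700000010}',
    b'{"device_id":"fld-9999","metric":"wind_dir_deg","value":90,"ts":1700000015}',
]
```

Calling `triage(SAMPLE)` forwards the two well-formed readings and returns the other two with a reason attached, so the good data keeps flowing while the held messages wait for review.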
The Hub has the ability to intelligently route the data to the most appropriate repository based on rules set about the source, data stream length, type and time. For customers using solutions where a geographical or other segregation of data is required, this is important.
The hub can also check that all of the IoT devices are alive periodically and provide a notification to the IoT Sensor Service provider if any device fails to respond on schedule, allowing almost pre-emptive service. You can take this one step further and use the log data to predict when devices will need a service event (this could be replacement, new batteries, cleaning of a solar panel) by collating data on average lifespans and local variances. Some very clever stuff.
This ultimately loops back to where we started with this blog; the Internet of Things is making automation of tasks and data available to us all and providing capabilities we never had before. The ‘cost’ of this is a potential security issue if you don’t plan your deployment right. There is an industrial version of my home ‘burner’ network for IoT devices that will protect your infrastructure and data, while also providing all the operational benefits and structural cost savings we identified in the last blog on Connectivity Hub. In this case, though, we aren’t worried about protecting your payment information. This time, we are protecting your data, the lifeblood of your business.
There are some truly exceptional case studies from the effective use of IoT sensors. One of the best ones I have seen is Rolls-Royce’s use of sensors in airline engines that monitor a range of metrics and predict the peak time to replace consumable components. Through aggregated data over time, they have become able to very accurately predict the early signs of failure or reduced performance. They can then use their other digital services to assess where they have the parts, skills and time to service the aircraft based on its current schedule. This is helping them save a great deal of money in fuel costs and missed departure slots, but also in improving safety for passengers and reducing the environmental impact of air travel by ensuring all of their engines are always operating as efficiently as possible.
If you are looking at IoT solutions, or if you provide Internet of Things solutions to customers, and you want to learn more about how Core can help secure and connect your data streams, please get in touch with us. We will be delighted to tell you about our experiences in this field and how we can help you.