The Internet of Things plays an important role in today’s life, affecting plenty of businesses and changing the way we work, live, and entertain. With workflow automation, remote equipment monitoring, inventory tracking, and real-time data collection, IoT promises to bring innovation to various industries.
Understanding IoT's high potential, companies and corporations invest in IoT projects, startups, and initiatives. According to a new IDC Spending Guide, worldwide IoT spending is predicted to reach nearly $1.4 trillion in 2021. What’s more, Gartner research expects the number of IoT-enabled devices to be about 21 billion by 2020.
Though IoT provides many advantages and opportunities, there remain IoT security risks and challenges that are now of the highest concern. Since today almost everything can be hacked, businesses have to look for and integrate new security mechanisms that ensure data and device protection.
The main IoT security risks
1. Data Leaks
Smart devices collect and transmit various data that may involve such important information as credit card numbers, zip codes, customer locations, camera images, IP addresses, and much more. A leakage of private/personal/business/financial data can lead a company to money and reputation losses, and harm people’s lives.
2. User verification
Misconfiguration and the use of default passwords are common causes of device and data vulnerabilities. That’s why engineers should let customers create their own passwords, while enforcing a high level of password strength that all users have to follow.
3. Lack of regulations
Unfortunately, there are often no regulations for IoT devices. The creation of a standards-based approach to security should be a top-priority task for companies, organizations, and even governments.
4. Unknown surveillance
Unprotected IoT devices can often be accessed by any remote user, or at least can be easily hacked. The consequences can be serious: for instance, the streaming and selling of private videos and images (including those from stores, shopping centers, etc.).
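The requirement described under "User verification" above, sketched as an added example (not code from the original article): a device account that ships with no usable credential, keeps remote access closed until the owner sets a password, and rejects candidates that fail a minimum policy. The deny list, the thresholds, the serial number and all class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 12            # assumed policy threshold
PBKDF2_ROUNDS = 600_000    # work factor for PBKDF2-HMAC-SHA256

# Constructed deny list for the example; a real product would ship a larger one.
COMMON_PASSWORDS = {"admin", "password", "12345678", "123456789012",
                    "default", "changeme"}


def password_problems(username, serial, candidate):
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    if username.lower() in lowered:
        problems.append("contains the account name")
    if serial.lower() in lowered:
        problems.append("contains the device serial number")
    if len(set(candidate)) < 5:
        problems.append("too few distinct characters")
    return problems


class DeviceAccount:
    """Administrative account of a device that has no factory default password."""

    def __init__(self, username, serial):
        self.username = username
        self.serial = serial
        self._salt = None
        self._hash = None  # no usable credential until the owner sets one

    def remote_access_allowed(self):
        # Network-facing login stays disabled while the account is unprovisioned.
        return self._hash is not None

    def set_password(self, candidate):
        """Store the password if it passes the policy; return the list of problems."""
        problems = password_problems(self.username, self.serial, candidate)
        if problems:
            return problems
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(candidate, self._salt)
        return []

    @staticmethod
    def _derive(password, salt):
        # Only a salted, slow hash is stored, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ROUNDS)

    def verify(self, attempt):
        if self._hash is None:
            return False  # nothing to log in with before provisioning
        return hmac.compare_digest(self._derive(attempt, self._salt), self._hash)


if __name__ == "__main__":
    account = DeviceAccount("admin", "SN-EXAMPLE-0001")  # constructed values
    print("remote access at first boot:", account.remote_access_allowed())
    print("rejected:", account.set_password("admin"))
    print("accepted:", account.set_password("correct horse battery staple") == [])
    print("remote access after setup:", account.remote_access_allowed())
```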
IoT security recommendations
1. Focus on data traffic monitoring. Imagine a cloud IoT solution that monitors both inbound and outbound traffic, traces all suspicious activities, blocks unsafe communications, instantly alerts users and the central system about potential problems, and prevents data leaks.
2. Implement end-to-end encryption in your application, the most reliable way to protect user data. Famous mobile messengers WhatsApp and Viber added the support of e2e encryption long ago. If your project implies many data/user communications, you can use this approach too.
3. Use reliable tools that help ensure data confidentiality and privacy as well as build a secure and scalable data storage. Integrate a feature of suspicious activity and malicious code monitoring. For example, today we can see an increasing use of AI technology for real-time security monitoring.
4. Focus on testing activities. When developing an IoT solution, pay a lot of attention to the testing/QA process. It’s much better to prevent security issues at the pre-release stage than to waste time fixing bugs afterwards.
5. Integrate a Blockchain decentralized approach. Since Blockchain is based on cryptographic algorithms, it helps protect and manage data. Blockchain has all transactions (interactions) recorded, so the history of smart devices will also be recorded. At the moment, the use of Blockchain for securing the Internet of Things is one of the emerging and most promising trends.
As you see, there are really good ways to minimize IoT security vulnerabilities. Here I should note that one of the best recommendations for developing a successful IoT project is to turn to a reliable IT company that focuses on security and data privacy issues. Also, when choosing the company, pay attention to whether it meets the GDPR requirements, which will be especially important once the regulation is enforced on May 25, 2018.
Consider the normal hospital or home care scenario today. A patient—your patient—is receiving different therapy intravenously. That IV fluid is being administered using a pump known as an infusion pump.
Today those infusion pumps are connected to a network of devices on a hospital’s internet network.
Now consider the ramifications of an outsider hacking into the network and controlling all of the devices on that network, as well as being able to access all of the medical records on the network and to create a serious danger to the hospital and all of the connected patients. It’s a threat that is invisible and one that you don’t really think about but the potential is there.
It’s a scenario that is more than plausible; it has actually taken place. Insulin pumps have been hacked multiple times. Johnson & Johnson became the first company to warn its users about the potential for hacks in its insulin pumps.
Billy Rios wrote about it for Bloomberg and even the FDA has taken notice, very recently stating that they knew that there were problems with medical devices and that sufficient security in those devices was probably not in place. They said that the current regulations and the current controls were not enough.
Recently the FDA released a set of guidelines that were designed to assist in this conundrum. They are encouraging all medical device manufacturers to make their cyber-security stronger and to ensure that clients and patients could not be damaged by hacks to products.
This was in response to Executive Order 13636 and Presidential Policy Directive 21, but it was also a response to the many cyber-security experts who have written directives and voiced their concerns about the problems inherent in connected medical devices.
There are dozens of problems with IoT medical devices and their ability to be hacked, but it isn’t just medical devices that are used directly for patient treatment. Other problems have been found in devices such as x-ray machines and MRI machines that allow them to be breached and require a fix in order to ensure patient safety.
Despite actual white hat hacks and security concerns voiced by experts, many legal experts say that the harm caused or the potential to harm is pure speculation. Reed Smith partner Steven Bornian believes that no medical device will ever be completely secure and that no IoT or medical device risk may be completely eradicated. That means legislating security for them simply is not feasible, but that still seems to be the way that governments are heading.
The FDA has, for now, focused their approach to this problem on encouraging companies to offer workarounds for the user and temporary fixes if there is a breach. They believe this may be better than trying to regulate or legislate companies to prevent the breaches entirely, which many experts say may be impossible.
That isn’t going to be a long lasting solution because even as we discuss it, things are changing. Countries are seeking the right legislation for use in protecting the data and the patients who use medical devices. Having an on-board cybersecurity specialist is going to be imperative for any company offering connected devices in the near future. Is your company ready?
Here's Wishing you a Very Happy, Smart, and Innovative New Year!
Internet of Things (IoT) has been revolutionizing the world with its millions of innovations. In 2017 IoT reached its milestone by creating several break-throughs with significant technological advancements. All of these technologies, products, and solutions saw the limelight at the world's largest and the most powerful technology event, Consumer Electronics Show (CES) 2018 at Las Vegas, a Catalyst for Innovations.
The vision of the Internet of Things (IoT) is to transform the way individuals live, work and communicate with one another. These innovations are meant to simplify life by offering products and solutions that are simple, affordable, easy to use, efficient and productive for building a Smart, Safe and Connected world.
With these IoT goals in mind, I am personally impressed to highlight some of the mind-boggling innovative products and solutions that were unveiled last week at CES 2018.
1. Forever Batteries: The battery maker Ossia launched its AA-sized batteries that suck power out of the air using its IP technology called Cota. Ossia has developed a means of wireless power transmission which Ossia claims can keep the AA battery charged up or provide power to a smartphone that either incorporates Cota's technology natively or uses specific charging case. However, Ossia hasn't revealed much about the working of their Cota technology. This irreplaceable battery will eliminate the spending expenditure 'Forever'.
2. Byton's $45,000 Gadgeted Electric Smart Car: The Chinese start-up unveiled its first, futuristic, real smart electric car. The name refers to 'Bytes on Wheels.' Former BMW and Apple engineers created it. It has the hardware on board to enable full self-driving mode. The vision behind Byton is to be the company that brings to market the first real 'Smart' car. Inside the car, the drivers and passengers can interact with the huge display panel. Byton aims to merge an individual's life outside the car with the experience inside the vehicle. Everything will be controlled via touch, and certain aspects will be controlled via voice (voice recognition by Amazon's Alexa) and gesture control. The key is customisation. When the car is in drive mode, specific features will be disabled. It will not allow watching videos, for instance. Byton aims to build a platform where, when there is autonomous driving, all occupants of the car including the driver can interact. Some of the features of Byton will be fully disabled until we live in a world of fully autonomous driving. It is fierce competition for Tesla, and from my perspective it is redefining life. But the one challenge that might stump Byton is the lack of fast-charging stations. Another major competitor to watch will be Fisker's EMotion, a luxury smart autonomous sports sedan. Although Fisker does not compete on price, it is a competitor to watch for its technology and its new solid-state battery, for which it has filed a patent. The battery is expected to provide Electric Vehicles with a range of over 500 miles on a single charge and will take only one minute to recharge.
3. Razer's SmartPhone Laptop - Project Linda: Razer brings a disruption to the world of gaming with its Project Linda, a concept ultraportable laptop design powered by the Android-based Razer Phone. The docked phone serves as an intelligent touchpad, bridging the gap between handheld entertainment and laptop convenience. The Razer Phone's display, performance, and dual front-firing speakers combine seamlessly with Linda's keyboard, larger screen, and battery to provide the ultimate mobile hybrid setup for creativity, gaming, and productivity. Project Linda feels like a product from a sci-fi world, or a future that might not see daylight after CES 2018. However, a prototype like this, a concept car for gadgets, is both sensational and aspirational. Razer hasn't confirmed whether it plans to bring Project Linda to market next year.
4. Google Voice Assistant: Google created a whirlwind at CES 2018 with its Voice Assistant and predicts it will dominate future homes. Lilian Rincon, Google director of product management, reckons customers making their home “smart” by using the Assistant to turn on lights, boil the kettle and do other tasks could save 15 minutes from their morning routine. Google's Voice Assistant is eroding the well-established Amazon Alexa, a fierce competitor to its voice assistant. Google has already discussed partnerships with various industry verticals for integrating its Voice Assistant in realizing the goal of a "Smart and Connected World." In my opinion, I see this as the most significant breakthrough, as Google is not charging the end-user but is working with all its third-party vendors to integrate the voice assistant into their products and solutions. Google showed off a plethora of new Voice Assistant-enabled devices from companies like Lenovo, Sony and LG, featuring “smart displays” that display information like schedules, things-to-do, cooking recipes, and other bits of visual accoutrement whenever we ask the Assistant for something. Also, you'll find Assistant integration inside more televisions, headphones — even in new cars, thanks to Android Auto, which is already available in more than 400 car models. The Assistant integration eliminates the need for an independent device and allows you to manage everything from your one device - 'The SmartPhone.'
5. Smart Hearing-Aids EARGO Max: Technology for healthcare, and especially for the elderly, is something I am very much interested in, though tech for elderly care is still a growing area. The ageing population is a growing business opportunity, and EARGO Max might be the AirPods of hearing aids. The hearing aids have a collection of useful features, the most stand-out of which is a complete lack of need for expensive replaceable batteries. The set of hearing aids includes Dynamic Noise Reduction, with Eargo tech which allows the devices to vary noise reduction based on environment. When the environment gets louder, noise reduction ramps up. These devices also change based on user preference. The "Flexi Fibers" hold the hearing aids in place, while the domes “increase the amount of ambient bass sounds and eliminate feedback.” I understand very well how useful and life-changing these features are, since my mother suffers from major hearing loss and they will benefit her tremendously. However, the one road-block I see is the cost factor. Currently, Eargo Max is priced at $2,500, which I believe is too high and defeats the purpose of providing cost-effective and affordable products. I hope to see the industry ramping up to address this gap.
To summarize, CES 2018 was a curtain raiser for millions of products, solutions, and technologies which created hope for a future that is beyond imagination. In my opinion, there is still a long way for the Industry stakeholders to meet the primary objectives of IoT which will redefine this entire universe. The one vertical which has gone mainstream is the Autonomous Vehicles or the Self-driving cars. The major tech giants such as Cisco, Nvidia, Intel, Amazon, Google, Tesla, Apple, GM, Toyota, and many others made announcements focusing their investments in this sector.
The ‘digital oil field’ is growing dramatically. In 2011 the market was about 18.7 billion. By 2014 it had grown to 24.6 billion dollars, and at this rate of growth it is projected to be at 33 billion by 2022.
There are myriad benefits to the digital oil fields. Speed, efficiency and lower cost are but a few. Today, control rooms, devices used to manage the production plants, refineries, pipelines and even oil producing substations as well as the wells themselves are digital. They are using high speed data links, video technology and even digitally managed drilling rigs to bring us the energy that we need.
Still further upstream, we’re seeing drilling resources, computer assisted well fracturing and preventive maintenance seen on the wells. Each of these areas has the capacity to be hacked or breached in some way and untold damage done to our energy supply as well as many other things.
According to the Journal of Petroleum Technology, the offshore oil fields can create more than ¾ of a terabyte of data every single day. Oil fields and reserves are becoming much more rare. Companies are literally scrambling in order to keep ahead of their competition.
IHS CERA says that digital oilfield implementation means that companies may achieve more than 25 percent savings in the cost of operation using digital technology and they may see about 8-10 percent higher production. As oil fields become much rarer, the production boost will make the difference between having enough energy and an energy shortage.
The National Grid and the utilities that we depend on every day are dependent on computers. It’s a given that anything that is reliant upon computers can be vulnerable to very significant threats from hackers and other nefarious creatures.
The oil and gas companies around the world are increasingly dependent on computers and that means they are a big target. The oil and gas fields today are so reliant that it’s become a source of great concern for regulatory bodies as well as those who rely heavily on the production.
Multiple attacks against oil and gas have already taken place. In July of 2014, a Russian hacker group targeted energy companies with Energetic Bear Virus. Physical systems were disabled and energy consumption monitoring took place.
Other attacks include DDoS attacks and even ransomware. ABI Research did a study that predicted that by 2018, just a year from now, attacks against the oil and gas sector will drive nearly 2 billion dollars in security spending.
What other kinds of attacks could take place using the oil and gas sector? How can we halt this, and what will it take to prevent problems from taking place? It is imperative that gas and oil develop the capacity to protect against cyber attacks and to prevent major risks.
Do you believe legislating cybersecurity, forcing companies to secure their devices, is the right answer, or is there a better way to accomplish that?
A few days before Christmas holidays, I received an email from a customer that said “... I want to tell you that I have really appreciated your help, your professional approach and your “human touch”: they are as important as knowledge is …”.
The Christmas spirit that surrounds us these days moved me to change the priorities of my next articles, and I decided to dedicate a few lines to what I consider a very important issue: What is the human touch value of the CEOs in the IoT?
I do not intend to convert this article into an analysis of the types of CEOs, or a list of the best CEOs of IoT companies (for that there will be time).
My objective today is in making IoT´s CEOs aware, especially those of large multinationals, of their responsibility to print a human touch on their actions and decisions. Not only will the stability and quality of work of millions of people depend on them, but also the conservation of our planet in favourable conditions for future generations.
The Human touch of IoT´s CEOs to save the World
Global Warming is very real. Even if greenhouse gas concentrations stabilized today, the planet would continue to warm by about 0.6°C over the next century because of greenhouse gases already in the atmosphere. Its effects are already so visible that no one doubts its catastrophic consequences.
We know that the IoT can help in many ways to monitor and control Global Warming, and there are many great stories of how companies are making use of IoT technology to help save water, money … and the planet.
In the article “3 ways businesses can use the internet of things to save the environment”, Jayraj Nair (Global Head of IoT, Vice President, Wipro) suggests a few steps that business leaders could take to lessen the effects of these barriers and set their companies on the right path to become champions of a more sustainable and connected future.
1. Emphasize digital citizenship and individual responsibility
2. Share knowledge and resources across departments
3. Collaborate to create guidelines for tech development
We should reward those IoT´s CEOs who follow the slogan “We develop the IoT that Saves the World!”
The Human touch of IoT´s CEOs to build ethical AI
When I wrote “Internet of Things – Kings and Servants” I gave great importance to the visionary CEOs of the companies that were destined to change the world of the 21st century. CEOs like Sundar Pichai (Google) or Satya Nadella (Microsoft) have been responsible for the conceptual shift of their companies, moving from “mobile strategy” to “cloud and artificial intelligence”.
Could we avoid psychopath and sociopath robots? CEOs of the Tech Giants need to instil the human touch in developers of AI. We do not want to live in fear, surrounded by unethical AI machines and robots.
IoT´s CEOs involved in Artificial Intelligence must believe that machines and robots will help us to be better people. They need to boost the challenge in our future society and make sure that their Robots and Artificial Intelligence not only pursue productivity and profit but also other values eg justice, opportunity, freedom, compassion.
The Human touch of IoT´s CEOs to ensure democracy
We cannot conceive of democracy today without the free use of technology. Technology, on the other hand, is becoming more difficult for citizens to control. Is it possible to democratize technology, not only the Internet of Things? Could we prevent a handful of companies from coming to dominate technology, and therefore our democracies?
The temptation of the power is great in the IoT´s CEOs of the companies that manipulate huge amount of data of the people, of the intelligent devices at their whim.
I thought at some point that the Countries could prevent the creation of these monsters, but their powers already transcend the States. I fear that the fight of egos, in the heights in which these CEOs live, give priority to the Highlander philosophy "Only one can be left!" And drag the dormant democracies for their technology into the vacuum of complacency.
Today more than ever, we need CEOs with a human touch that ensures the health of our democracies.
The Human touch of IoT´s CEOs to ensure equality of job opportunities
Which IoT companies have a culture that allow dissent between the CEOs and the employees? IoT´s CEOs need to understand that people are not going to do what they want them to do unless I engender equal commitment and passion on their part.
I have worked for many years in different technology companies, and I have regrettably proved that their business cultures, far from differentiating themselves, are more and more similar.
We all know cases of companies, including those of IoT, that abuse salaries of interns or inexperienced employees, but the problem of overqualification when applying to a new job is no less true. Many of us have heard numerous times: Sorry, you are overqualified. Not sure I can manage you.
I am convinced that a human touch on the part of the CEOs would help to correct these endemic problems of the current business culture. What are you waiting for?
The Human touch of CEOs to ensure a dignified life for the elderly
A few years ago, with the Smart Cities hype, I was wondering: what will our life be like as retired workers in the Smart Cities we are building?
In light of what I'm seeing, there are currently not many IoT´s CEOs who are worrying about the elderly. Of course, because they consume less, they produce less, and they do not understand the technology created for millennials or digital natives, the generations that are going to change the world.
Considering that all IoT´s CEOs, or at least that's what I want, will also be older people, a human touch in the investment of technology for the elderly will now make their lives more dignified in a few years.
In a time where the digital takes precedence over the physical, where business results are required not every quarter but every day, in a time of robots, cryptocurrencies and virtual reality, it is not easy to be a CEO with human touch. But to save the World, to make sure we build ethical AI, to ensure democracy in the technology, to ensure equality of job opportunities, to ensure a dignified life for the elderly, we need their human touch.
It’s no secret that data breaches are on the rise. In fact, there have been more data breaches than ever before. Medical data breaches are proven to cost more than any other type of breach, costing about 400 dollars per record.
Data breaches are rising dramatically putting them on the agenda for most C-suite and corporate boards. Customer information is being lost, trade secrets are being sold and confidential assets being breached can significantly lower customer loyalty and trust as well as definitely lower the reputation of those companies which were breached. They can also give the competition a significant advantage.
These aren’t the only things that companies have at stake. The many different types of cyber-security risks make cyber-security a vastly complicated problem. In fact attempting to protect the many different frameworks and CMS and private networks is fraught with other complications to layer on top of the complexities.
Today, governments are seeking ways to stem the tide of breaches and break-ins by creating new legislation that provides for specific levels of security and best practices for companies.
This tidal wave of governments and new cybersecurity regs and recommendations make additional problems in and of themselves. The United States government alone has proposed more than 200 bills (actually 240 at last count.) This includes legislative proposals for ways to deal with cyber-security. This number of mandates and proposals have taken place in just the past three years alone and the number continues to rise.
The proposals fall into a wide range of categories. In some cases the proposals are that companies implement direct requirements for protection. One example of this is that companies in the critical infrastructure arena are going to be facing requirements for security in the US and in the UK and EU as well. They will have specific requirements for risk assessment, control and for personnel training. The question is how can a country legislate a level of security when that level cannot be guaranteed by any company. There are even “trade secret” protection laws in the works that require companies to take “reasonable steps” in order to keep information about the programs and devices safe from cyber threats—though what those steps are is another unknown.
In addition to the legislation on devices and services, shareholders are becoming more demanding that companies safeguard medical and technical information. That means that securities laws as they relate to new IoT devices and services are also being legislated. In the United States, some measure of shareholder litigation as well as SEC proposals and enforcement are already launched and seeing some effect.
With all of the changes and the advances in technology, it’s no surprise that legislation will follow. Is your company ready for the changes that are being made in IoT and internet services?
According to Brink News, “The rising tide of cybersecurity regulation and recommendations complicates the landscape for companies.”
The National Institute of Standards, or NIST, offers one of the most comprehensive tools for managing the risks involved in information security. Even the federal government agencies of the US are embracing it wholeheartedly. In a survey undertaken by Dell, more than 80 percent of professionals in the security arena are using the NIST framework for improving their own security, which makes it a great place to start for companies which are trying to come into line and ensure their compliance with the expected new regulations.
According to the experts, the NIST method and framework may well be the guideline that the courts and legislators will use to determine whether companies in the IoT and IT business are doing their best to secure devices and provide for data security.
There are other standards that are entering into play such as the ISO 27001 which is being used by many companies. The standard is different structurally than the NIST Framework though NIST makes reference to the ISO requirements in their own framework.
What is your company doing to secure their data and IoT devices? How are you set up to come into line with the regulations and legislation that is sure to be just around the corner?
Every company should be taking steps now to implement some type of protection to meet the ever changing threats as well as the ever changing cyber-security regulations.
A new strain of the famous Mirai IoT malware surfaced recently, with the discovery by Chinese researchers of exploit code targeting networking equipment. Previously, Mirai was known for having infected thousands of webcams, security cameras, and DVRs, and then using those devices to launch DDoS attacks. The exact aims of the new variant are still unknown, but it’s another reminder of the very serious security issues presented by the IoT.
Last month, a Gemalto survey took a closer look at those issues and people’s perceptions of them. An overwhelming 90 percent of consumers reported that they lack confidence in the security of IoT devices. Their most common fear (65 percent of respondents) is that a hacker could gain control of their devices, while 60 percent worry about their data being stolen via connected devices. In spite of such concerns, over 50 percent of consumers now own an IoT device (on average two) but only 14 percent believe that they are extremely knowledgeable when it comes to the security of these devices.
The survey also set out to discover how IoT companies are addressing these concerns. It found that IoT device manufacturers and service providers spend just 11 percent of their total IoT budget on securing their IoT devices. These companies do, however, appear to recognize the importance of protecting devices and the data they generate or transfer, with 50 percent of companies reportedly having adopted a “security-by-design” approach.
Two-thirds of organizations reported that encryption is their primary method of securing IoT assets, with 62 percent encrypting the data as soon as it reaches their IoT device, and 59 percent encrypting as it leaves the device. Encouragingly, 92 percent of companies said they see an increase in sales or product usage after IoT security measures have been implemented. Also encouraging: businesses are realizing that they need support in understanding IoT technology and are turning to partners to help, with cloud service providers (52 percent) and IoT service providers (50 percent) reported as the favored options.
While these partnerships may encourage adoption, most organizations (67 percent) admitted they don't have complete control over the data that IoT products or services collect as it moves from partner to partner, potentially leaving it unprotected.
Stakeholders on all sides are looking to the government for guidance. The survey found that almost every business organization (96 percent) and consumer (90 percent) is looking for government-enforced IoT security regulation.
As new malware continues to exploit gaps in the IoT ecosystem, both consumers and businesses are justified in their lack of confidence in service providers and device manufacturers. The EU is demonstrating with its GDPR law that it recognizes the importance of this issue and that effective legislation is possible. Here in the U.S., each of the groups involved in the IoT ecosystem – manufacturers and cloud service providers, not to mention the government – should adopt a 'security-by-design' philosophy.
There is a lot of talk, and, indeed, hype, these days about the internet of things. But what is often overlooked is that the internet of things is also an internet of shared services and shared data. What’s more, we are becoming too heavily reliant on public internet connectivity to underpin innovative new services.
Take this as an example. Back in April, Ford Motor Company, Starbucks and Amazon announced and demonstrated an alliance that would allow a consumer to use Alexa to order and pay for their usual coffee selection from their car. Simply saying, “Alexa: ask Starbucks to start my order,” would trigger the sequence of events required to enable you to drive to the pickup point and collect your already-paid-for coffee with no waiting in line.
Making that transaction happen behind the scenes involves a complex integration of the business processes of all the companies involved. Let’s be clear: this is about data protection. For this series of transactions to be successfully handled, they must be able to share customer payment data, manage identity and authentication, and match personal accounts to customer profiles.
Because all of that critical data can be manipulated, changed or stolen, cyberattacks pose significant data protection risks for nearly any entity anywhere. The ambition of some of these consumer innovations makes an assumption that the “secure” network underpinning this ecosystem for the transfer of all that valuable personal data is the public internet. And that’s the point – it’s not secure.
As we’ve talked about previously on Syniverse's blog Synergy, the public internet poses a systemic risk to businesses and to confidential data. In short, when we are dealing on a large scale with highly sensitive data, the level of protection available today for data that, at any point, touches the public internet is substantially inadequate.
And this alliance between Ford and Starbucks is just one example of the type of innovation, across many different industry and consumer sectors, that we can expect to see a lot of in the very near future. These services will connect organizations that are sharing data and information about businesses and about consumers – about their purchase history, their preferences and requirements, and also about their likely future needs. This is potentially a very convenient and desired service from a consumer’s point of view, but at what cost?
We need security of connectivity, security from outside interference and the security of encrypted transfer and protection for our personal and financial data. And we need to be able to verify the protection of that data at all times by ensuring attribution and identity – both concepts we’ll explore more deeply in an upcoming blog post. And that’s a level of security that the public internet simply cannot provide.
Last month, an internet-based global ransomware attack took down systems and services all over the world – affecting sensitive personal healthcare data in the U.K. in particular.
Whether it is personal health records, financial records, data about the movement of freight in a supply chain, or variations in energy production and consumption, these are digital assets. Businesses, institutions and government bodies all over the world have billions of digital assets that must be constantly sent to and from different parties. And those assets require the type of high-level data protection that is not currently possible because of the systemic risk posed by the insecure public internet.
As mentioned in my last blog post on Synergy, there is an alternative. Some companies using private IP networks were able to carry on regardless throughout the high-profile cyberattacks that have been capturing headlines in the last year. That’s because those companies were not reliant on the public internet. Instead, they were all using what we are beginning to term “Triple-A” networks on which you can specify the speed and capacity of your Access to the network while guaranteeing the Availability of your connection. What’s more, on a Triple-A network, Attribution is securely controlled, so you know who and what is accessing your network and the level of authority granted both to the device accessing the network and to its user.
The public internet cannot provide or compete with a Triple-A level of security, and nor should we expect it to. It cannot live up to the stringent data protection requirements necessary for today’s critical digital assets. We cannot remain content that so much infrastructure, from banking, to transport and to power supplies, relies on a network with so many known vulnerabilities. And we must consider whether we want to carry on developing an industrial internet of things and consumer services on a public network.
We will continue to explore these issues on this blog, to highlight different approaches, and examine the requirements of the secure networks of the future. And in the process, we’ll take a look at the work being done to build more networks with a Triple-A approach.
In an IoT ecosystem, gateway security is of prime importance since the gateway is the key piece of data collection in the connected system. But how do you ensure the security of IoT gateways? Read this blog to find different ways to secure IoT gateways.
Along with many technological, environmental, and economic benefits, the rapidly moving connected world also brings a growing array of attacks such as side-channel attacks, fault attacks, physical tampering, etc. Considering these risks, ensuring the security and robustness of IoT becomes essential, and IoT gateways play an important role in that.
IoT gateways are undoubtedly the heroes of the whole IoT paradigm, as they are the key piece of data collection in the connected system. Security is the key aspect of an IoT ecosystem, and gateway security is of prime importance because a secured gateway underpins the robustness of the entire IoT environment. Without sufficient security measures, the ecosystem is exposed to risks such as malicious threats, spoofing, man-in-the-middle (MITM) attacks, data snooping, etc. Losing a gateway in the middle of the communication chain jeopardizes the entire IoT ecosystem, as the gateway acts as a gate or bridge between the edge devices and the cloud.
So how do you know whether your IoT gateway is secure or not?
Listed below are some common questions related to the security of IoT gateways. If your concern matches any of the questions below, then you need to consider gateway security for your IoT ecosystem:
- How can an edge device detect and reject unsecured gateways, or vice versa?
- How can peripherals ensure their data are successfully relayed in the face of gateways?
- What happens if someone snoops the data from the gateway?
- What if the gateway is located in a remote location and is sending incorrect information to the cloud? In this case, how can gateways help in reverting information?
- Is it possible for gateways to build and demonstrate reputation-based trust?
The trustworthiness of the gateway is the key aspect of the IoT ecosystem. To address this security concern, let’s explore some of the key hardware security aspects that can be implemented to secure IoT gateways.
TPM (Trusted Platform Module)
What is TPM?
It is a microprocessor integrated with the system hardware on a gateway that performs crypto operations, such as key generation and key storage, and protects small amounts of sensitive information, such as passwords, measurement data for boot software and cryptographic keys, to provide hardware-based security.
How does it work?
TPM is often built into a system to provide hardware-based security. It is a combination of hardware and software to protect credentials when they are in unencrypted form. TPM is based on a trusted execution environment (hardware root of trust) that provides secure storage of credentials and protected execution of cryptographic operations. It is isolated from the main CPU and implemented either as a discrete chip, a security coprocessor or in firmware.
- The microprocessor scans the firmware and validates the key. If the key is valid, the processor begins executing the firmware; if not, the processor halts.
- The TPM is used to store platform measurements that help ensure that the platform remains trustworthy. It contains a set of registers that hold RTM measurements for the launch modules of the boot software.
- The computing platform must have a root of trust for measurement (RTM) that is implicitly trusted to provide an accurate validation of the boot code modules. The TPM provides the root of trust for reporting and a root of trust storage for the RTMs. The TPM stores a set of “known good” measurements of boot components that are securely generated and stored.
Hardware Root of Trust/Chain of Trust: It is the fundamental part of secured computing. The secure boot process is utilized to implement a chain of trust.
- Bootstrapping a secure system or device involves a chain of steps, where each step relies on the accuracy and security of the previous one. At the end of the chain, you assume or verify the correctness of the last step – this step becomes the Root of Trust (RoT). The Root of Trust is provided by hardware services, including cryptographic support, secure key storage, secure signature storage, and secure access to trusted functions. This allows the creation of a trusted module forming the basis, or root, for validating other components within the system. The chain of trust begins with the bootloader. From the bootloader, the OS is validated, and from the OS, the applications are validated, creating a chain of trusted elements.
TEE (Trusted Execution Environment)
What is TEE?
The TEE is an insulated and secure area of the main processor providing security functionality for application integrity and confidentiality. The TEE differentiates between security functionality and operational functionality.
How does it work?
- It mainly consists of three parts: a trusted OS, an internal micro-kernel, and APIs. It is used for security checks in parallel with the standard OS.
- Common security functions include isolated execution of security operations, the integrity of code loaded and data stored and confidentiality of data stored in the TEE. It protects data-at-rest and data-in-use within the TEE.
- It also provides higher performance and access to a large amount of memory.
Security properties that TEE can achieve
- Isolated execution
- Secure storage
- Device identification
- Device authentication
- Platform integrity
All the above security properties can be achieved using the measured boot, secured boot, and attestation.
- Secured Boot: It is a security standard verified by the trusted OEMs that ensures authenticity and integrity of a device’s boot. When the first boot happens, only the validated code from the device OEM is allowed to run to verify and validate the authenticity of software present in the gateway. This prevents attackers from replacing the firmware with versions created to perform malicious operations. It provides the APIs required for code signing, code validation, and secure firmware updates.
- Measured Boot: Measured boot is generally used for integrity protection. As anti-malware software has become better at detecting runtime malware, attackers are also becoming better at creating rootkits that can hide from detection. Detecting malware that starts early in the boot cycle is a challenge. At this time, measured boot measures each block, from firmware up through the boot start drivers, stores those measurements on the hardware, and then makes a log that can be tested remotely to verify the boot state of the client.
- Attestation: In a cloud computing scenario, attestation is an essential and interesting parameter, often rooted in having a trusted hardware component on which to build a trusted system. It is basically used to validate the integrity of software and information in order to secure embedded systems. Attestation uses cryptographic identity techniques that confirm the identity and authentication credentials of remote devices, without revealing the devices and their own identities.
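The measured boot and attestation flow described above, as an added example that is not part of the original article: a simulated PCR is extended with each boot stage, and a remote verifier replays the event log against known-good measurements. The SHA-256 register, component names and image bytes are assumptions constructed for illustration; no real TPM is used, and the signed quote that would carry the PCR value in a deployment is left out.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 PCR, reset to all zeros at power-on (assumed bank)


def measure(blob: bytes) -> bytes:
    """Digest of a boot component, taken before control is handed to it."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Gateway side: measure each stage in order, return (pcr, event_log)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, blob in components:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def verify_boot(reported_pcr, log, reference):
    """Verifier side: returns (trusted, reason)."""
    # 1. Replaying the log must reproduce the PCR, otherwise the log is
    #    not an honest record of what was extended into the register.
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if not hmac.compare_digest(pcr, reported_pcr):
        return False, "event log does not match PCR"
    # 2. Every logged stage must equal its known-good measurement.
    for name, digest in log:
        if not hmac.compare_digest(reference.get(name, b""), digest):
            return False, f"unexpected measurement: {name}"
    # 3. No expected stage may be absent from the log.
    missing = sorted(set(reference) - {name for name, _ in log})
    if missing:
        return False, f"missing measurement: {missing[0]}"
    return True, "boot state matches reference"


# Constructed sample images (placeholders, not real firmware).
GOOD_CHAIN = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
    ("gateway-app", b"constructed gateway application v1"),
]
REFERENCE = {name: measure(blob) for name, blob in GOOD_CHAIN}

if __name__ == "__main__":
    pcr, log = measured_boot(GOOD_CHAIN)
    print(verify_boot(pcr, log, REFERENCE))
    # A modified kernel changes its own digest and every PCR value after it.
    tampered = [GOOD_CHAIN[0], ("kernel", b"modified kernel"), GOOD_CHAIN[2]]
    bad_pcr, bad_log = measured_boot(tampered)
    print(verify_boot(bad_pcr, bad_log, REFERENCE))
    # Presenting the clean log alongside the tampered PCR fails the replay.
    print(verify_boot(bad_pcr, log, REFERENCE))
```

Because each extend hashes the previous register value, the order of the stages matters as much as their contents, which is why the verifier replays the whole log rather than checking digests in isolation.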
IoT gateways are crucial to addressing the inherent complexity. By using the pre-ensured hardware building blocks like TEE and TPM, you can secure the whole communication chain from the connectivity of legacy devices, data storage on a gateway, secure data transmission as well as the fast deployment of data on the cloud to perform intelligent analytics. There should be some programmable architecture that ensures confidentiality and integrity against specific attacks. So, layered IoT gateway security is essential.
Let’s just say it: The public internet is great, but it’s an unfit, wide-open place to try to conduct confidential business.
More and more, the public nature of the internet is causing business and government leaders to lose sleep. The global ransomware attacks this year that crippled infrastructure and businesses across Europe clearly show the concern is not only justified but also growing.
As a result, internet and privacy regulations, like GDPR and PSD2, are front and center as governments around the world increasingly look at the web and how it’s being used. This is creating competing and contradictory objectives.
On the one hand, governments want to protect consumer privacy and data; on the other, they want to be able to monitor what certain folks are up to on the internet. And in both cases, they can at least claim to be looking to protect people.
Regardless of the difficulty of the task, there is no doubt the big governments are circling and considering their options.
Speaking in Mexico in June, German Chancellor Angela Merkel touted the need for global digital rules, like those that exist for financial markets, and said that those rules need to be enforceable through bodies like the World Trade Organization.
From a business perspective, I can applaud the ambition, but it does seem a little like trying to control the uncontrollable. The truth is that the public internet has come to resemble the old Wild West. It is an increasingly dangerous place to do business, with more than its fair share of rustlers, hustlers, and bandits to keep at bay.
The public internet connects the world and nearly all its citizens. When it comes to connecting businesses, national infrastructures, and governments themselves, trying to regulate the Wild West of the public internet simply isn’t an option. Instead, it’s time to take a step back and look for something different.
We believe organizations that want to conduct business, transfer data, monitor equipment and control operations globally – with certainty, security and privacy – should not be relying on the public internet. The sheer number of access points and endpoints creates an attack surface that is simply too wide to protect, especially with the growing trend toward fog and edge networks that we’ve discussed in previous Syniverse blog posts.
Just last week, the online gaming store CEX was hacked. In an instant, around two million customers found their personal information and financial data had been exposed. Consumers in America, the U.K. and Australia are among those affected. As I said, the public internet presents an ever-widening attack surface.
Recently on the Syniverse blog, we’ve been talking about the need to develop private, closed networks where businesses, national utilities and governments can truly control not just access, but activity. Networks that are always on and ones where the owners always know who is on them and what they are doing. Networks that are private and built for an exact purpose, not public and adaptable.
Trying to apply or bolt on rules, regulations and security processes after the fact is never the best approach. Especially if you are trying to apply them to a service that is omnipresent and open to anybody 24/7.
When we look at the public internet, we see fake actors, state actors, hackers and fraudsters roaming relatively freely. We see an environment where the efforts to police that state might raise as many issues as they solve.
Instead, it’s time for global businesses to build a new world. It’s time to leave the old Wild West and settle somewhere safer. It’s time to circle the wagons around a network built for purpose. That is the future.
This infographic takes a look at the number of devices, incidents and vulnerabilities in medical devices.
In my recent interview with Sam Shawki, the founder and chief executive officer of MagicCube, I wrote about getting a new Ram Truck and noted that it was a beast not just in size and towing power, but a beast of electronics and connectivity. According to Intertrust Technologies, the percentage of new cars shipped with Internet connectivity will rise from 13% in 2015 to 75% in 2020, and that in 2020, connected cars will account for 22% of all vehicles on the road. That number is sure to grow. More stats in the infographic below.
Not far from San Francisco International Airport, San Bruno is a quaint middle-class residential suburb, yet underground in San Bruno was a gas pipeline controlled by SCADA software that used the Internet as its communications backbone. On Sept. 9, 2010, a short circuit caused the operations room to read a valve as open when it had actually closed, spiking the readings coming from pipeline pressure sensors in different parts of the system. Unbeknownst to the families returning home from ballet and soccer practice, technicians were frantically trying to isolate and fix the problem. At 6:11 pm, a corroded segment of pipe ruptured in a gas-fueled fireball.
The resulting explosion ripped apart the neighborhood. Eight people died. Seventeen homes burned down. The utility, PG&E, was hit with a $1.6 billion fine.
The accident investigation report blamed the disaster on a sub-standard segment of pipe and technical errors; there was no suggestion that the software error was intentional, no indication that malicious actors were involved. “But that’s just the point,” Joe Weiss argues. “The Internet of Things introduces new vulnerabilities even without malicious actors.”
Joe Weiss is a short, bespectacled engineer in his sixties. He has been involved in engineering and automation for four decades, including fifteen years at the respected Electric Power Research Institute. He has enough initials after his name to be a member of the House of Lords—PE, CISM, CRISC, IEEE Senior Fellow, ISA Fellow, etc., all of which speak to his expertise and qualifications as an engineer. For instance, he wrote the safety standards for the automated systems at nuclear power plants.
The problem, Weiss claims, is using the internet to control devices that it was never intended to control. Among these are industrial systems in power plants or factories, devices that manage the flow of electricity through the energy grid, medical devices in hospitals, smart-home systems, and many more.
Continue reading this article on Quartz.
Threat actors have weaponized the Internet of Things (IoT) and connected devices.
They’re using unsecured IoT devices and creating botnets to launch catastrophic distributed denial of service (DDoS) attacks. This has given rise to the DDoS of Things (DoT).
Blockchain is a form of technology that had over $1 billion invested in it in 2016 alone. While this technology is far from new, it is one that grew in popularity thanks to Bitcoin. With it, a digital ledger is created that allows online records to record transactions, and ensure that all information is verified by another source to confirm accuracy. The network created by blockchain scans a number of computers within the same network. With each transaction, the size of the database grows and the number of users that access and manage the transactions increases.
Unique software is required for a blockchain to be run. When it is created, it is near instantaneous, and that means there isn’t the ability to alter transactions before they become recorded. This cuts down on the risk of fraud in most sectors, which makes it appealing. It is also encoded and hashed in batches, so that the blocks of several bits of data create a chain. This allows for validation to occur at the same time, and protects the security of the system running it. Each time a transaction takes place, a unique transaction number is encrypted that shows everything that took place in the transaction. Since several computers make up the different portions of the blockchain, it is nearly impossible for fraudulent activity to occur.
While Bitcoin and virtual currency are still where the bulk of blockchain is used, many companies are searching for ways to add it to their own applications beyond currency. This would help to reduce conflicts that result from disputes; even things like land rights or legal items could be verified, and the accuracy and lack of fraud would give sensitive items such as these more authenticity and reduce many legal woes.
However, not everyone is on board yet. Some companies are still concerned that since this technology is still in its relative infancy, there is a need for proven transparency and someone to remain accountable for the data that is obtained. Since the process is also labor intensive, there would need to be dedicated users who solely work on the blockchain that is being handled. These would need to be people who have a basic understanding of IT and the way that it would be used for blockchains.
Another concern is the amount of resources it would take. There would need to be high-end machines to handle the resource-intensive nature of the software. Additionally, companies would need frequent online access to continue updating and building the information. With more countries blacking out sections of the internet, this could prove to be a problem.
Blockchains are destined to become a more significant part of our industry. It is important that the technology continues to be advanced, so more companies have a chance to benefit from it. After all, it is the technology that will help to boost security and ensure that there is something in place we can depend on. With Bitcoin showing it is already possible to succeed with this technology, there is little doubt that success will be had.
About Bill McCabe/ Internet of Things Recruiting - Executive Search/ Retained Search for the Internet of Things/ Machine 2 Machine/ Big Data Markets