We enjoy a connected world with a fascinating array of devices and applications at our fingertips, if not on our wrists or before our eyes. In just a few years, home networks have gone from supporting a few smartphones, tablets and laptops to scores of devices. Tomorrow’s average home could soon have more online connections than today’s small to medium-sized business. It seems everyone is now in the “IoT tech” business.
On the one hand, creating a hyperconnected, wonderfully ubiquitous internet offers extraordinary convenience and productivity; on the other, this expansion breeds complexity and broader security vulnerabilities that can impact both us and our infrastructure.
To meet this challenge, we must pursue two parallel but related paths:
- Standards and policy: Tech industry leaders and government policymakers must collaborate to set security standards and policy roadmaps that advance and not inhibit innovation; and
- Consumer awareness: Often the weakest link, consumers need to be aware of their responsibilities, while technology innovators should take care not to place too much responsibility on consumers.
Today’s connected consumer has to do more than just install antivirus software and a firewall to reduce security risks. A connected lightbulb, toaster or washing machine could be an online fugitive’s weapon to commit a cybercrime that can disrupt or bring down networks. Home networks are only as secure as the gadget with the weakest security connected to it.
The same can be said for enterprise networks. Company and government networks employ sophisticated security capabilities. Yet, it can take just one unknowing employee to click a hyperlink or open a document and subject an entire enterprise to a spear-phishing attack, which remains the major source of breaches inside enterprise networks. Here too, the weakest link rests with a consumer-level user.
Yes, we have met the enemy — and it’s often us.
New technologies may be a game changer
The fragmented yet vast IoT landscape and lack of consumer understanding are already causing communication issues as brands attempt to lock users into their ecosystem. But the problems are much bigger than an LG toaster not talking to a Samsung smart refrigerator. When purchasing a smart TV, have you ever read the fine print in the instruction manual to understand how the software inside the TV is updated or how security patches will be applied? What’s the security risk to you when the manufacturer abandons software updates four years from now?
Cyberattacks on IoT devices and networks will continue to expand and evolve. If 1930s bank robber Willie Sutton were alive in 2017, he might be asked, “Willie, why do you hack the internet instead of robbing banks?” Willie would almost certainly reply, “Because that’s where the money (or information) is.”
There is an explicit need for industry guidelines and standards to drive better compatibility and use of security around the devices used at home and at work. As a major user of IT, the federal government should facilitate dialogue and collaboration within industry to drive at better cyberstandards, particularly those that reduce complexity, if not responsibility, for the individual consumer. Adopting “secure by design” principles and increasing breach prevention capabilities, for example, can help close the risk aperture, but we need more to not only defend but apprehend.
Artificial intelligence and the machine learning that comes along with it offer much promise to advance a more preventive posture. On the inside, for example, we can more rapidly detect potential incursions through user and entity behavioral analytic capabilities and perhaps pattern of life analysis. By employing these and other big and dynamic analytics outward into the OS and dark web, we can identify threats before they hit our turf.
The way forward
As a kid who grew up with transistor AM radios, analog black-and-white TVs and rotary phones, I’m quite amazed by the fascinating technology we use at work and at home. My generation survived with four TV channels, and “Amazon” to us was a river with dangerous fish in Brazil. And as we watched Walter Cronkite, the most precious asset of the 21st century — the internet — was being designed.
Just as we have not fully grasped the internet’s potential, so too have we not grasped its security implications. Yes, we’ve become more aware, but lately, I fear we’re becoming desensitized to cyberattacks around us at a time when we as individual users hold more responsibility for preventing them. Most of us have experienced the inconvenience of a breach, yet most people don’t believe cyberthreats are their problem. Yes, technology can and should reduce the cyber-risk factor of the individual consumer, but there will always be risks that remain our problem … and it starts with education and awareness as part of a personal and enterprise mosaic of security.
In the time I was turning the analog dial on our family TV, the federal government led a comprehensive public awareness campaign to reduce litter and pollution, which included a famous ad featuring a crying 17th century Native American in the foreground. It worked. We cleaned up our country immeasurably. Industry also responded with more recyclable products. We took a similar course to the hazards of cigarette smoking.
A similar approach is needed to “clean up” our “cyber streets and cities,” beginning with focused campaigns to increase awareness and improve personal and organizational hygiene in our nation. At the same time, industry and government need to do their part with public policy and standards that result in innovations that help us meet the threats and mitigate them substantially.
If we don’t deal with this effectively, we may never have to confront the tokenized “Cyber Pearl Harbor,” but we might feel a “cyber-erosion of confidence” that could be every bit as paralyzing to our lives, businesses and governments.
Security has always been everybody’s business. Just now, more so than ever.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
The volume of highly sensitive personal and IP data is growing exponentially with the rapid adoption of the internet of things. In a recent survey of enterprise IT development and architecture professionals by Database Trends and Applications, 44% of respondents report adoption of IoT, ranging from proof-of-concept stage, to use in one or more lines of business, to IoT being “part of our ongoing business strategy.”1
The IoT trend in turn is a major driver of the exploding growth of the Hadoop data lake where most IoT data lands. According to a TDWI report2 on a survey of 252 enterprise respondents worldwide, 53% have deployed a data lake on Hadoop and 24% have deployed on Hadoop in combination with a relational database management system. Top use cases include advanced analytics (data mining, statistics, complex SQL, machine learning), and data exploration and discovery. While the data lake is becoming more common, barriers to adoption include lack of security for Hadoop, lack of governance and risks of breach and data privacy compliance posed by exposure of personal data in analytics.
At first glance, the requirement to protect data privacy might seem to conflict with the objective of enabling big data analytics, which often involves digging into user behavior, customer transactions and detailed consumer demographics, and processing in untrusted environments such as Hadoop, all of which could increase data exposure risk. Data privacy regulations mandate specific guidelines on the classes of data to be protected including personal data, protected health information and financial data. IoT sensor data, geolocation codes, vehicle identification numbers (VINs) and IP addresses, along with many other data elements, qualify as sensitive personal data under the General Data Protection Regulation (GDPR).
GDPR: A game changer for usable protected data
The GDPR establishes the most stringent regulations to date to protect EU citizens and residents from privacy and data breaches. Multinational firms around the world, whether they have operations in the EU or not, are realizing that they process EU personal data and this regulation therefore applies to them. The GDPR recommends pseudonymization and encryption as two mechanisms that can be used to protect personal data, but whichever mechanism is used must support two requirements: 1) the ability to decrypt the data when necessary, and 2) the ability to continue to run business processes on the encrypted data.
Format-preserving encryption (FPE), an innovation pioneered by HPE, protects data while maintaining its structure and context for application usability, and the protection persists with the data. It is a trustworthy and comprehensive data-centric approach to address the risk of inappropriate data exposure to users and applications. FPE is able to protect data independent of the underlying platforms, which rely on a “system-centric” security controls approach that doesn’t extend or scale outside of that IT system. As a result, FPE enables analytics in the data lake while data privacy is maintained for compliance with the GDPR.
Case in point: A top automotive manufacturer
To address data privacy compliance for its customers, while enabling safe analytics on IoT-generated data in its Hadoop data lake, a major auto manufacturer is using FPE at a field level to protect in-car sensor data, VINs and geolocation data streaming from customers’ cars. The data is used for multiple purposes, including vehicle quality control. Engineers look at sensor data to identify potential problems in specific components or groups of vehicles, while data scientists run thousands of reports against vehicle data for internal research purposes. The company’s volumes of real-time data are predicted to grow to around 20 petabytes within just a couple of years. Data is protected by FPE prior to ingestion into the data lake (Hadoop and Teradata EDW). With FPE, this leading auto manufacturer is enabling analytics on vast amounts of data in its protected form, thus safely providing broader access for analytics, not only to its data scientists, but also to engineers, developers and other employees as BI objectives dictate.
The benefits of using the field-level encryption technology deployed by this manufacturer include:
- Referential integrity, with encrypted data which retains its characteristics such as length and data type, requiring no changes to applications and systems for use;
- The ability to perform almost all analytics on encrypted data with no requirements to re-identify data to its original form, mitigating exposure of personal data and breach trigger notification requirements; and as a result,
- Enabling compliance with multiple data privacy regulations, including GDPR, but also within other systems and platforms.
All of this is achieved with a single enterprise-grade, scalable platform to protect sensitive personal and IoT data not only in the Hadoop data lake, but also across other systems and platforms.
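The properties listed above (same length and data type, consistent values for joins, and decryption with the key when necessary) are shown here in an added example that is not HPE's product or code from the article. It assumes a simplified Feistel construction keyed with HMAC-SHA256 as a stand-in for a standardized FPE mode such as NIST SP 800-38G FF1; the key, VINs, rows and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# VINs use digits and capital letters except I, O and Q.
VIN_ALPHABET = "0123456789ABCDEFGHJKLMNPRSTUVWXYZ"
ROUNDS = 10  # even, so both halves return to their original widths
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample telemetry rows: (VIN, sensor, reading).
SAMPLE_ROWS = [
    ("TESTVN00000000001", "brake_temp_c", 412),
    ("TESTVN00000000001", "brake_temp_c", 431),
    ("TESTVN00000000002", "brake_temp_c", 188),
    ("TESTVN00000000001", "oil_pressure_kpa", 96),
]


def _num(s, alphabet):
    """Interpret s as a number in base len(alphabet)."""
    n = 0
    for ch in s:
        n = n * len(alphabet) + alphabet.index(ch)
    return n


def _text(n, width, alphabet):
    """Inverse of _num, left-padded to exactly `width` symbols."""
    out = []
    for _ in range(width):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))


def _round(key, tweak, i, half, modulus):
    """Keyed pseudo-random value in [0, modulus) derived from one half."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([i]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _check(value, alphabet):
    if len(value) < 2:
        raise ValueError("need at least two symbols to split into halves")
    bad = set(value) - set(alphabet)
    if bad:
        raise ValueError(f"symbols outside the field alphabet: {sorted(bad)}")


def fpe_encrypt(key, value, alphabet, tweak=b""):
    """Map value to another string of the same length and alphabet."""
    _check(value, alphabet)
    u = len(value) // 2
    a, b = value[:u], value[u:]
    for i in range(ROUNDS):
        width = len(a)
        modulus = len(alphabet) ** width
        c = (_num(a, alphabet) + _round(key, tweak, i, b, modulus)) % modulus
        a, b = b, _text(c, width, alphabet)
    return a + b


def fpe_decrypt(key, value, alphabet, tweak=b""):
    """Undo fpe_encrypt by running the rounds in reverse order."""
    _check(value, alphabet)
    u = len(value) // 2
    a, b = value[:u], value[u:]
    for i in reversed(range(ROUNDS)):
        width = len(b)
        modulus = len(alphabet) ** width
        c = (_num(b, alphabet) - _round(key, tweak, i, a, modulus)) % modulus
        a, b = _text(c, width, alphabet), a
    return a + b


def protect_rows(key, rows):
    """Encrypt the VIN column before ingestion; other columns pass through."""
    return [(fpe_encrypt(key, vin, VIN_ALPHABET, b"vin"), sensor, reading)
            for vin, sensor, reading in rows]


def readings_per_vehicle(rows):
    """An analytic that needs VINs to be consistent, not readable."""
    return sorted(Counter(vin for vin, _, _ in rows).values())


if __name__ == "__main__":
    for row in protect_rows(DEMO_KEY, SAMPLE_ROWS):
        print(row)
    print(readings_per_vehicle(protect_rows(DEMO_KEY, SAMPLE_ROWS)))
```

Because the mapping is deterministic for a given key and tweak, anyone who can submit chosen values for encryption can build a lookup table, so access to the encrypt operation needs the same control as access to the key.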
The best of both worlds with usable security
The need to comply with data privacy regulations worldwide is driving organizations to adopt FPE to protect customer personal data at the field level, using a data-centric approach so that analytics can be performed on the data in its protected form, with context maintained, in order to extract value from the data in the form of analytic insights. Recent advances in FPE enable enterprises to deploy highly scalable data protection for environments such as the Hadoop data lake, as well as their other vulnerable systems and applications deployed across cloud. This technology provides an organization with a template to roll out data protection across other applications, platforms and systems, enabling a framework that adapts to rapidly hybrid IT environments.
1 “Internet of Things Market Survey” by John O’Brien, CEO Radiant Advisors, with Database Trends and Applications
2 “Data Lakes: Purposes, Practices, Patterns, and Platforms” by Philip Russom, Senior Research Director for Data Management, TDWI, The Data Warehousing Institute
In part one of this article, Anthony Giandomenico described how cybercrime has become not only a business, but a big business, designed to generate revenue with predesigned attacks focused on attack vectors that are easy to exploit: IoT devices.
Opportunity is also the land of innovation
Because cybercriminals are focusing more on attacks that target critical infrastructure based on new, interconnected technologies, they don’t have to spend enormous resources and development cycles on figuring out how to break into these systems using complex zero-day attacks. Instead, they can spend more of their resources on making their exploits more difficult to detect, more effective by introducing things like worm capabilities to spread infections further and faster, adding multivector capabilities in order to run exploits on a wider range of vulnerable systems, and developing intelligent, multilayered malware that provides a lot of options for stealing data or compromising systems.
The recent WannaCry and NotPetya ransomworm exploits were remarkable not only for how fast they spread, but also for their ability to target a wide range of infrastructures and industries. But the dirty little secret about these attacks is that they could have been entirely prevented if IT folks simply practiced good network hygiene. That’s because these attacks targeted a vulnerability for which a critical patch had already been issued months earlier. Most organizations that were spared from these attacks had one thing in common: They had simply applied the security patch from Microsoft when it was released.
Here at Fortinet, we refer to these sorts of attacks as “hot exploits.” Cybercriminals know from experience that many organizations simply don’t have the time, resources or initiative to patch vulnerable systems. So they build effective exploits and they wait. WannaCry proved that. And NotPetya proved that even after a large attack managed to exploit a well-known vulnerability, far too many organizations were still unlikely to patch their systems. Catch me once, shame on you. Catch me twice…
Our FortiGuard threat analysis team sees this all the time. Nearly every week we record several attacks successfully targeting vulnerabilities for which patches have been available for months — and often, even years. In fact, our latest quarterly threat report showed that the average age of a known vulnerability that is successfully targeted by an exploit because it wasn’t patched is five years. Seriously.
Everything is connected to everything
And now, as infrastructures become more interconnected and begin to adopt new, cutting-edge technologies, the risk is being compounded. Windmills and unpatched operating systems are just the tip of the iceberg. Smart cities are beginning to interconnect energy grids, traffic control, emergency response systems and other critical infrastructure resources and services into a giant, integrated web. Smart cars are run using onboard computers that are increasingly able to make split-second, autonomous decisions. But they are also soon going to connect your car to your financial system in order to automatically pay for things like fuel, tolls, onboard Wi-Fi and streaming entertainment. Smart buildings managed by huge property management conglomerates are being designed with automated heating and cooling systems, lighting, secure access doors and smart elevators that can recognize tenants and deliver them to the appropriate floor. And building supervisors will manage all of this remotely.
The list goes on and on: smart homes, smart appliances, interactive gaming and entertainment systems, online security systems and monitors, interactive and intelligent mall kiosks, online medical consultation and even surgery using remotely controlled tools are all either here now or just over the horizon.
Security isn’t just a good idea — it may soon be the law
Because many of these manufacturers have failed to implement necessary security into their devices, it’s like we have handed the cybercriminal community our ATM cards and PINs because they don’t have to figure out how to bypass security or crack open a hardened operating system. Instead, in the rush to push out new technologies to enterprises and consumers — and even critical infrastructure systems — with little to no security attached, that job has been done for them.
While security devices and strategies can go a long way towards protecting organizations and individuals, security developers can’t solve this problem alone. IoT manufacturers have a role to play, and unfortunately, many have traded responsibility for expediency. The clock is ticking, however. The next step will be to hold manufacturers accountable for selling solutions that can be easily exploited.
Recently, U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, introduced a new bipartisan bill known as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” This bill prescribes that devices purchased by the U.S. government must meet minimum security requirements, and that vendors who supply the U.S. government with IoT devices have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed and are free of known security vulnerabilities, as well as other basic security requirements.
California’s recent Senate Bill 327 would go much further by codifying the State of California’s ability to bring enforcement complaints against companies that do not build adequate security safeguards into their devices. This law has teeth, and because California is such a massive economy, its passage could significantly impact the entire IoT industry.
Such regulatory scrutiny and legislative action targeting the data security of IoT devices is likely to continue to grow, because the alternative is to continue to feed the growing cybercriminal economy. IoT device manufacturers need to prepare now to either develop security standards or conform to legislation in order to avoid massive market disruptions and consumer mutinies. Because the digital economy will continue to move forward, with or without them.
For centuries, humankind regarded the wild as something to be tamed and conquered. Not so much these days. In recent decades, society has changed course and turned its attention to protecting the environment rather than trying to beat it into submission and bend it to better suit our narrow purposes.
This shift in thinking is nothing short of a revolution. With the biosphere in a precarious state thanks to generations of careless disregard, we’re now enlisting the same mighty force that devastated nature to come to its defense. Of course, that force is human technology.
Historically, technological advancements have been driven by industry and fed by the increased dominion over and exploitation of nature. For thousands of years, “progress” for the human enterprise meant more culling of wildlife, more land to clear, more domestication of the “wild,” and more poorly disposed waste. Indeed, for most of human history, nature was regarded as something crude — as something to be battled, overcome and refined in the service of man.
This view can be traced all the way back to the ancient Greeks (circa 400 BCE) who saw nature, to a large extent, as an obstacle on the path to human greatness. This perspective dominated Western thinking until Jean-Jacques Rousseau (circa 1750 CE) popularized his view of civilization as a corrupting factor and nature as the symbol of raw innocence and good. (This theory gave rise to his conception of the “noble savage” as an idealized, though derivative, version of man who is one with nature and not ruined by human society.) Since then, momentum has slowly built in favor of a more Rousseauian view. This has been a long but steady journey that has only in the last decade culminated with the wide-scale adoption of a kinder and more stewardly approach to nature.
In this article, I will look at some of the ways in which technology today — specifically, the internet of things — is working to preserve and revitalize our planet.
A relationship redefined: Prophecies of human evolution
At the current rates of global consumption, even without allowing for any growth to the population, we would need 1.6 Earths to achieve a sustainable carrying capacity. Holding aside the issues of climate change, this fact alone is enough to place sustainability among the foremost concerns for human society. Given the extent of the damage done, and how close we currently stand to the red line, it’s not enough for civilization to simply reform — we must find some way to turn back the clock and undo at least some of the damage we’ve done. And that’s where advanced technology comes in.
As sustainability takes center stage, new and emerging technologies are being put to work to save nature, becoming an integral part of the battle to reduce dependence on non-renewable energy sources, stop pollution and clean up the mess left behind from generations of exploitation.
It’s a fascinating development and in some ways it’s the realization of biblical prophecy — or perhaps more accurately, biblical paradox. In the first chapter of Genesis, Adam and Eve are placed on Earth and told to both “conquer” the land and “assert dominion” over the animals. (It is worth noting that Adam in the original Hebrew is “אדם,” which literally means “man” and is derived from the word “earth.”) In the second chapter of Genesis, a slightly different version of the story is recounted. In this version, Adam was commanded to “tend to and protect” the Garden of Eden. The Bible seems to capture an internal conflict in the archetypical human’s relationship with nature. And it’s a conflict that we’ve seen play out over the course of human history.
I mention this because this dichotomous relationship with nature seems somehow inherent to the human condition and it’s that same dichotomy that makes the idea of engineered inventions as the best hope for environmental salvation simultaneously absurd, wonderful and romantic.
Putting IoT to work saving nature
As we enter chapter two of the human story, we’ll require more than a change in attitude to fulfill our mandate. We’ll require breakthroughs. The internet of things is one of the most promising technologies we have at our disposal. A self-communicating and largely self-managing system of interconnected devices, IoT is in many ways the technological embodiment of sustainability.
This smart network can collect an incredible amount of information from the real world, information that can be used to make existing processes profoundly more efficient or do the legwork and lay the foundations for entirely new operational models. But it’s not just about the data collected by these IP addressable devices, it’s about how that data is instantly communicated up and down a chain of purpose-specific terminals, ensuring that relevant information is always in the right place to be intelligently acted on.
In many ways, IoT represents a blank slate for companies, scientists and inventors seeking solutions to open up new frontiers or begin tackling hard-to-isolate problems entrenched deeply within normal processes.
From conservation efforts and cleantech to tracking environmental conditions and reducing electricity usage, every imaginable angle in the quest to save nature is being explored anew through the lens of IoT. While I cannot cover each and every instance of IoT being used to better the environment, I’d like to turn your attention to three such examples that I believe demonstrate the potential of such applications.
1. IoT ushers in a more circular manufacturing economy
In the circular economy, waste is reduced, repurposed and eliminated entirely from the manufacturing cycle. IoT technologies are central to evolving the economy from the “make, take, throw away” model that’s created environmental headaches and heartaches around the world. The idea here is to keep as much as possible out of landfills by extending the life of both the items being manufactured and the equipment used to make those items. (There is also a lot of great work being done, it should be noted, to transition from a material discard model to a component retrieval model once products outlive their usefulness.)
IoT’s role in the circular economy manifests through improved operational insight. This insight comes through IoT sensors that empower manufacturers to better manage people, processes and assets. The tighter the feedback loop, the more “leaks” are caught and the more quickly they can be “patched.” This applies to supply chain management, human resources, digital systems and really anything that contributes to production.
Consider, for example, the effect that IoT sensors are having on the realm of asset performance management. These sensors are empowering managers to more intelligently maintain equipment, leading to substantially extended asset lifecycles (preventing unnecessary and wasteful asset requisitions) and improving the efficiency of performance over the course of that lifecycle (preventing wasted input).
2. Managing traffic in real time, IoT technologies reduce carbon emissions
While the popularity of electric cars is increasing, non-electric (and even electric cars powered by non-renewable energy forms) still impose massive environmental costs.
Close to 30% of carbon dioxide emissions are caused by cars, with up to 45% of those emissions occurring around intersections managed by traffic lights. City planners have set their sights on tackling the problem right at the intersections where it occurs by installing IoT-enabled traffic controls that respond to real-time conditions instead of preprogrammed timers.
With IoT technology, traffic lights can detect asymmetric strains on the transportation infrastructure and intelligently adapt to optimally manage traffic flow. Instead of cars idling at lights for one, two or even three minutes when there’s no traffic coming in the opposite direction, traffic lights can safely change from red to green according to the number of cars at an intersection and the traffic flow occurring at that exact moment.
Estimates claim that this technology can cut the equivalent of 35 million vehicles’ worth of carbon emissions over the next five years.
3. IoT-enabled sensors monitor water and air quality from afar
Normally, water and air quality are monitored by collecting and analyzing specimens, a laborious task made more difficult in far-flung places. Imagine if scientists and environmental officials could monitor polluted rivers, contaminated soil and brownfields in remediation without having to waste time and resources visiting the site.
Thanks to IoT technologies, that entire monitoring process could be done remotely. IoT-enabled devices collect data about the environment around them and push that information to a server where officials can review and parse the information as needed.
Air quality monitoring devices use a laser light in conjunction with sensors to detect particles in the air, while water quality sensors could be attached to a buoy and deployed into whichever body of water needs monitoring. However it’s set up and collected, the central goal is the same: to quickly assess changes in the environment so officials can act faster when a pollutant or other unwanted chemical is on the rise.
Technology and nature working towards a symbiotic tomorrow
Nature is a powerful force. And so it seems is humankind. Earlier generations might have believed these two forces at odds, but the fact is that we’re destined to coexist or to co-perish.
The original humans sought to conquer nature and took of it without a second thought. For this, they were driven from their Earthly paradise. We must not repeat the same mistake. We know better. We’ve come to realize that it is our duty to tend to and protect nature with everything we have. And what we have is human creativity, human innovation and human technology. The internet of things is just one aspect of that technology, but it’ll be an important one as we move towards a more sustainable, more symbiotic tomorrow.
When people think about the internet of things, they often think about the common “things” they use in their day-to-day lives such as laptops, smartphones and fitness trackers. These things can also include devices that are part of the connected home — for example, a smart thermostat, baby monitor or even a connected egg tray (OK, maybe that last one is less common). However, what most don’t realize is the prevalence of IoT in the enterprise — and, in tandem, the risks it presents.
The internet of things brings enterprise organizations strategic economic value and innovation. Yet as we’ve recently seen with the Mirai IoT botnet that “took down” many businesses, enterprise IoT is becoming a popular doorway for hacking. For example, a cybercriminal could manipulate a smart camera by hijacking the device’s credentials to obtain full privilege into the device. From there, they can use the device as a proxy to connect to the network and cause greater harm.
More things, more enterprise risk
Daily, new smart devices are unknowingly being connected to corporate networks with little regard to their level of risk. Although these IoT devices are intended to improve productivity, security considerations are usually an afterthought.
According to industry analysts, by 2020, there will be over 20 billion devices connected to enterprise networks. Each device has the potential to serve as an enterprise entry point. That’s 20 billion open doors for a hacker to perform any number of nefarious acts. The ubiquity of these devices, their inability to run sophisticated security software and, of course, the network access they provide make them a perfect target for hackers who want an easy entry point into a company’s systems.
What’s more, when employees connect a device to their enterprise network, they are unknowingly surrendering private data to these devices. If a hacker were to find just one device that was not properly secured on the network, injecting a few lines of malicious code could grant access to the data on that particular device as well as all data stored on the network.
What devices make your network vulnerable?
The short answer: Everything. Your trusted employee badge scanner, conference room scheduling system, connected printers, smart lighting, security cameras, smart TVs, voice over IP, video teleconferencing system, Wi-Fi and even big power generators. Anything that is connected to your network is vulnerable.
Attackers are naturally going to target the weakest link in a network, which is increasingly IoT. On average, we find at least four connected devices for every enterprise employee. And, we expect that number to double over the next three to four years. That equates to an incredible number of vulnerable entry points for a hacker to gain network access to steal and expose private data.
How to reduce your IoT risk
Security begins with knowing what’s on your network. In the age of IoT, visibility and control of devices is a must-have, not a nice-to-have. Businesses need a technology that can discover network infrastructure, physical and virtual systems, managed and unmanaged endpoints as well as IoT and rogue devices.
Once businesses have full visibility of what’s on their network, the next step is to control the devices. A viable security product must provide continuous monitoring, be able to immediately determine device behavior, automatically set policies, and understand the context of the network environment and device posture. Equally important is a scalable technology that can work across heterogeneous platforms (on-premises, cloud, data center, etc.) without compromising security as the number of connected devices continues to grow. Only then can an organization achieve a truly comprehensive security stance and keep stealthy hackers at bay.
Imagine a city where a person in a wheelchair can chart a route to the local park using curb cuts and avoiding barriers. She can then connect to the park’s Wi-Fi, receive upcoming events notifications and take e-lessons about the trees and flowers in bloom.
These aren’t pipe dreams. They are smart city products and services in action — aspiring to use technology to put people first. And the sooner we can realize these aspirations, the better. In the top 100 metropolitan areas of the United States, nearly 25% of citizens are over the age of 65 or living with disabilities.[1] The internet of things can help advance more inclusive, accessible cities so our aging population can enjoy a better quality of life.
There are four keys to unlocking smart cities to advance more equitable and positive outcomes for people who are aging and people living with disabilities:
- Engage partners and stakeholders: It goes back to the old adage of walking a mile in someone else’s shoes. We must listen first to learn from our aging communities and those living with disabilities. Incorporating their perspectives and expectations into smart city planning will help ensure solutions align with their needs.
- Design for inclusion: We need to consider the citizen experience at every touch point within the city. For example, how will people with disabilities and aging citizens interact with websites, mobile apps, self-service kiosks, smart meters and other emerging devices? Designing smart city technologies for equitable, flexible and intuitive use will help ensure inclusion for these communities.
- Promote adoption of technology: Providing technology access alone isn’t enough. We must also look at ways to help encourage, educate and expand technology adoption. Without adoption, we’ll fail — and there is a real risk that the benefits of smart city technologies will be limited because of adoption barriers. By offering training programs — both online and in person — we can start breaking down the digital divide that often prevents those who are aging or living with disabilities from realizing the benefits of this technology.
- Foster the entrepreneur ecosystem: The next big smart cities breakthrough is still on the horizon, and entrepreneurs and innovators are our city’s new heroes. Beyond enhancing the accessibility of city infrastructure and services, there are opportunities for city governments to directly support innovation and entrepreneurship to benefit these communities. Publicly funded incubators and open data portals are just two examples of how city governments are already doing this.
From the private and public sectors to civil organizations, community groups and social entrepreneurs, we all play a vital role in advancing an inclusive vision for smart cities. By integrating aging and accessibility considerations from the ground up, we can build more inclusive cities that allow us all to connect to good.
To learn more about the keys to unlocking inclusive smart cities, download AT&T’s “Smart cities for all: A vision for an inclusive, accessible urban future.”
[1] BSR Calculation based on U.S. Census Bureau, 2014 American Community Survey: One year estimates of metropolitan areas in the U.S. https://www.census.gov/
Why protecting ‘secrets’ is fundamental for good security
Today’s IT manager is responsible for a vast amount of data, and keeping it secure needs to be one of his highest priorities. Financial records, customer details and sensitive documents must be kept safe while also accessible to those who need them.
Often the best approach involves encryption. Even if stolen or compromised, encrypted data is of no use to a criminal without the key that unlocks it. But therein lies another challenge for the IT manager: The encryption key itself then becomes a “secret” that needs to be kept from unauthorized eyes.
Another type of security secret is the certificate used by a web server for authentication. These ensure visitors to a site can be confident that the site is legitimate and not a fake designed to trick them into parting with passwords or credit card details. Keeping these certificates secure is also a priority.
A long-term task
Proper management of security secrets is no small task, with many remaining in use for extended periods. Management revolves around sharing them with authorized people and protecting them from everyone else.
It’s also important to ensure people’s access to them is revoked if their circumstances change. A staff member may shift to a different role in the company or leave altogether. Their access to security secrets needs to be carefully reviewed and changed as required. Regular audits of access are vital.
Maintaining security around the storage of security secrets is also important. There’s little point in locking up your house if you then leave the key on the front doormat.
A classic example occurred in a U.S.-based business called Sally Beauty. Back in 2014, the company was approached by law enforcement officials who told management that credit cards used by customers had appeared on the black market. On investigation, it was found that the laptop used as the entry point to the company’s network was adorned with a sticky note showing the username and password to the account. This had given an unauthorized person access to every single point-of-sale system in the business. This made it easy to scrape details of credit cards as they were used.
A growing challenge
Today, organizations are taking wildly different approaches when it comes to secret management. For some, it’s almost a case of head in the sand. For others, it’s the deployment of sophisticated protection mechanisms which can reduce the likelihood that secrets will fall into the wrong hands.
The importance of effective secret management is going to grow as trends such as the internet of things evolve in the business world. As more and more devices are connected to the internet, the need to ensure their credentials are secure at all times becomes paramount.
Industry commentator Jack Singleton, software developer at ThoughtWorks, explained, “It all means more keys and more things to manage, which will vastly increase the overhead and the strategies that we need to employ in order to manage all of this. IoT devices are often in the hands of customers, not sitting in a safe data center somewhere. It also complicates the management of the strategies that you have in place to provision new software; to roll out new deployments become really key.”
Examples of ineffective management of IoT devices are already appearing. One involved a flaw in internet-connected lightbulbs which allowed hackers to take over their operation. It seems every bulb was using the same key for authentication so, if one is compromised, hackers can access them all.
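The shared-key weakness described above, set beside a per-device alternative, as an added example that is not from the original article or any vendor's firmware. Each device key is derived from a backend master key and the device ID with HMAC-SHA256, so a key recovered from one bulb does not authenticate commands to any other. The message format, device IDs, key values and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed values for illustration only; not taken from any real product.
FLEET_SHARED_KEY = b"identical-key-in-every-bulb"
# Assumption: the master key lives only in the vendor's backend, never on a device.
MASTER_KEY = secrets.token_bytes(32)


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Per-device key = HMAC-SHA256(master_key, label || device_id)."""
    return hmac.new(master_key, b"device-auth-v1:" + device_id.encode(),
                    hashlib.sha256).digest()


def _encode(device_id: str, counter: int, command: str) -> bytes:
    """Length-prefix the ID so field boundaries are unambiguous."""
    did = device_id.encode()
    return struct.pack(">H", len(did)) + did + struct.pack(">Q", counter) + command.encode()


def sign_command(key: bytes, device_id: str, counter: int, command: str) -> bytes:
    """The tag binds a command to one device ID and one counter value."""
    return hmac.new(key, _encode(device_id, counter, command), hashlib.sha256).digest()


class Bulb:
    """Device side: accepts a command only with a valid tag and a fresh counter."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key
        self._last_counter = 0

    def handle(self, counter: int, command: str, tag: bytes) -> bool:
        expected = sign_command(self._key, self.device_id, counter, command)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        if counter <= self._last_counter:
            return False  # replayed or stale message
        self._last_counter = counter
        return True


def build_shared_fleet(device_ids):
    """Weak design: every device is provisioned with the same key."""
    return [Bulb(d, FLEET_SHARED_KEY) for d in device_ids]


def build_derived_fleet(master_key, device_ids):
    """Hardened design: every device gets its own derived key."""
    return [Bulb(d, derive_device_key(master_key, d)) for d in device_ids]


def devices_accepting(fleet, key, command="on"):
    """Return the IDs of devices that accept a command signed with `key`."""
    accepted = []
    for bulb in fleet:
        tag = sign_command(key, bulb.device_id, 1, command)
        if bulb.handle(1, command, tag):
            accepted.append(bulb.device_id)
    return accepted


if __name__ == "__main__":
    ids = ["bulb-001", "bulb-002", "bulb-003"]
    # One key exposed from any bulb is valid for the whole shared-key fleet.
    print("shared key :", devices_accepting(build_shared_fleet(ids), FLEET_SHARED_KEY))
    # With derived keys, the exposure is confined to the one device.
    exposed = derive_device_key(MASTER_KEY, "bulb-001")
    print("derived key:", devices_accepting(build_derived_fleet(MASTER_KEY, ids), exposed))
```

Derivation moves the problem rather than removing it: the master key becomes the secret to protect, which is why it is kept off the devices.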
Awareness is the key
IT managers need to be mindful that their infrastructures are now perimeterless. The old days of protection by firewall are long gone.
It’s critical to have in place the tools and techniques needed to keep security secrets safe. For these to be effective, they must be simple to deploy and, often, automated to reduce the need for ongoing maintenance.
As Singleton explained, “Usability in general, will be critical. People don’t use tools that make them go out of their way in order to use them. They will work around them. We do this all the time. We need to get things done and we work around things that stop us from getting things done. We’re going to need to start seeing tools that enable people rather than making them jump through hoops and hoops and hoops. If they have to jump through seven different hoops every time they have to access a secret, what’s going to happen is they’re going to ignore that tool and they’re going to write it on a sticky note, or they’re going to keep it in a spreadsheet. At the same time, better support for end-to-end encryption in regular applications will lessen the importance of secrets that administrators need to track in order to protect that data.”
Security secrets will remain at the very heart of IT infrastructures, and their effective protection and management is critical to an organization’s ongoing operations.
How secure are your secrets?
According to Accenture, the industrial internet of things could add $14.2 trillion to the global economy by 2030. There is a disconnect, however, between the availability of these technologies and capitalizing on their full potential by applying them effectively within organizations. For many executives within the manufacturing industry, IoT, smart factories and intelligence in the cloud are little more than fancy buzzwords proclaiming to one day transform the way your industry will work.
Unfortunately, when you’re in the thick of it, it’s hard to think in context of what’s real and achievable in your existing manufacturing environment. After all, automation associations have a 30+ year history of relentlessly pursuing interoperability standards. However, thanks to the OPC Foundation’s Unified Architecture, suppliers are finally able to realize the promise of IIoT for manufacturing applications.
The future of manufacturing is here
Although technology is quickly changing, your goals as a manufacturer likely haven’t. You still aim to please your customers by delivering quality products, while increasing productivity and profitability. Yet, new and unprecedented innovations will potentially impact all aspects of the execution of those goals at the operational level. Smarter connected devices that use open IoT protocols are rapidly penetrating factories. At the same time, the Industry 4.0 trend is showing how people, connected devices and artificial intelligence can work together to make factory automation more efficient and effective. To remain competitive, you must quickly adapt.
Upgrading your legacy systems
A survey of more than 1,400 C-suite decision-makers revealed that while 84% believe their organizations have the capability to create new income streams from IIoT, 73% confess that their companies have yet to make any concrete progress. While your current manufacturing environment is likely driven by legacy technologies that have been around since the late ’90s, such as SCADA, PLCs and OPC, you’re keenly aware that the rapidly evolving technological landscape will require you to understand the impact of new technologies and be ready to embrace those that can deliver measurable advantages. But technological progress always comes at a cost. Be careful not to rush into throwing out all your legacy automation infrastructure, as entirely upgrading your factory to the latest IIoT sensor technologies may be both impractical and unnecessary. Instead, manufacturers should consider technologies that provide a graceful transitional path to the smart factory of the future.
Transitioning to IIoT
While Industry 4.0 is the grand IIoT nirvana manufacturers dream about reaching, many find themselves stuck within the limitations of OPC/SCADA technologies. OPC Classic presented quite a few limitations, including being exclusive to the Microsoft Windows platform, being notoriously unfriendly to modern enterprise security architectures, offering limited scalability and being plagued by frequent configuration issues. On the other hand, OPC Unified Architecture (UA) — a modern standardized communication protocol that enables secure industrial IoT and Industry 4.0 technologies — solves all those problems. OPC UA can be used with any software platform, can scale from small embedded controllers to huge cloud infrastructures, offers robust native security and provides connectivity without context. As a result, OPC UA serves as an ideal bridge between the legacy and next-generation factory automation capabilities. It is the glue that allows you to seamlessly take your existing factory automation infrastructure and tie it into a cloud-connected, artificial-intelligence-powered world. With OPC UA, you can go into an existing factory and enable it for IIoT without buying a bunch of new PLCs. You can experiment immediately with developing cyber-physical systems, realizing the benefits incrementally one production line or factory at a time.
At the end of the day, the goal of evolving your factory toward an Industry 4.0 model is to deliver meaningful improvements in your operational performance. Whether it is by providing more interoperability and decentralized intelligence associated with your machines, or a better contextual control and an understanding of how the data generated by those machines can inform the people who make your business decisions, manufacturers can now focus more on optimizing outcomes and less on the technologies or operational obstacles that have, so far, hindered their progress. Advanced business and operational analytics (including machine learning and predictive intelligence) is the next frontier. Manufacturers are beginning to employ the power and intelligence of AI algorithms in the cloud to detect anomalies, predict failures and advise on the optimal remedial actions that will deliver value to business. Self-service advanced analytics toolkits are now capable of delivering unparalleled insight (using the data from both legacy and IIoT devices) and placing control directly in the hands of domain experts within the business. The latest IIoT human machine interfaces allow real-time visualization of factory systems — using virtual representations often called “digital twins” — to dramatically improve information transparency. These technologies can place the smart factory of the future well within the reach of even midsize or small manufacturers.
Ultimately, there is no right path toward Industry 4.0; it varies for every manufacturer. For those that have the means to jump headfirst into the world of IIoT, by all means go for it. However, for those manufacturers who don’t have the resources to make the leap overnight, not to worry, you don’t have to replace everything you own. You can simply upgrade to an OPC UA IIoT architecture, tie it into your existing factory automation infrastructure, feed your factory data to the latest cloud-based advanced analytic tools, and immediately begin taking advantage of all Industry 4.0 has to offer.
The electronics manufacturing services provider designing and assembling IoT printed circuit boards must have a comprehensive understanding of today’s electronics that contribute to an IoT device’s security.
Certainly, a great number of software vendors are supporting the IoT products businesses with their versions of security software. However, from a hardware point of view, chipmakers are going down that same road and also providing software support. Many name-brand microcontroller (µC), microprocessor (µP), system-on-a-chip (SoC) and field-programmable gate array (FPGA) vendors have embedded security circuitry in their chips.
In both cases — software and hardware — it’s important for the electronics manufacturing services (EMS) provider to keep up to date on the latest security technologies so it can work together with the IoT product customer to assure that the final product has top-notch security embedded in it. It’s equally important that OEM IoT product customers collaborate with EMS providers to closely investigate and analyze the many design and assembly tradeoffs involved in producing that product.
From a hardware point of view, in a lot of cases, the µP and its vast processing power may be overkill in an IoT device application. Here’s where a µC with the right level of processing power at a cost-effective price comes in handy.
An example of today’s offerings is the ARM Cortex-M µC. It’s supported by the company’s mbed operating system, software specifically designed for IoT devices. According to ARM literature, it “brings a comprehensive suite of security elements and connectivity making creation and deployment of IoT solutions possible at scale.”
This ARM µC is just one of many similar products on the market today for IoT applications. Therefore, it’s important for both OEMs and partner EMS providers to fully understand all the specifications and, most importantly, the nuances a specific IoT µC presents.
From a broad perspective, there are several key IoT design considerations to take into account, too many to detail in this small space. However, suffice it to say that the first question you have to ask yourself is: Does your IoT application require the more powerful µP with embedded security, a security co-processor linked up with a conventional µP, a less powerful µC, a SoC or an FPGA, each with embedded security?
This question is especially apropos simply due to the limited IoT rigid board real estate. And, by the way, the rigid portion of an IoT’s circuitry is where this heavier device or devices must be placed for stability. In some cases, auxiliary components — including through-hole devices — associated with the µC can be placed on the flex circuit side. However, given a choice, it is best to have it placed on the rigid section of the rigid-flex board.
As for device packaging, the types most often used for these devices include micro BGAs, CSPs and QFNs. Micro BGAs, for example, range from 13 x 13 millimeters (33/64 x 33/64 inches, or basically ½ x ½ inch) to a larger 35 x 35 mm (1 3/8 x 1 3/8 inches). CSP and QFN packaging have similarly small measurements. You have to consider how much area you have on the rigid circuitry to properly place it along with associated devices.
The µC’s processing power generates a certain amount of heat that must be dissipated from a small area of real estate in IoT devices. The µC also draws a certain amount of current. To save battery power in an IoT product, it’s best to select a µC that requires the smallest amount of current possible to run the application’s required electrical functionality.
Protocols also have to be part of the consideration mix for both the IoT product OEM and the EMS provider. Protocols like Zigbee, Bluetooth, USB, LoRa and others have different hardware devices and different security requirements.
If it’s Bluetooth, embedding security will require a different architecture type versus Zigbee versus LoRa. If it’s a military IoT application, slight compromises may need to be made on the power side to make the IoT product more robust since it will be used in harsh conditions.
Here I’ve touched on several important IoT PCB design and assembly points associated with embedded security. There are numerous other considerations that can best be answered once IoT product customers collaborate in depth with their EMS providers.
Hardware goods fall victim to the slim margins of commoditization. Fortunately for IoT providers, value-added software enhancements can significantly extend the use of devices and increase monetization options. The rise of the subscription economy means that revenue streams shift from customers’ capital expenses (Capex) to their operating expenses (Opex). In the next few years, IoT product monetization will change fundamentally and provide producers and their customers with more flexibility. Producers will profit from increased recurring revenue, while customers will benefit from paying only for what they need and want.
Capex dominates, while Opex offers greater long-term opportunity
Innovative IoT providers are experimenting with subscription or value-and-outcome-based monetization models. But traditional Capex monetization models — revenue based on one-time sales of devices or software — still prevail in industrial IoT applications, such as medical and manufacturing devices. Before considering subscriptions and Opex monetization streams, providers prioritize achieving operational efficiencies, such as reducing physical product lines, changing software capacity and capability from an IoT gateway, and providing new value through updates. However, the greatest revenue opportunity lies in flexible monetization models, like subscription or pay-per-use, that offer more flexibility as well as upsell and cross-sell opportunities with feature sets that are tailored to customers’ needs.
Early adopters are achieving a competitive advantage by moving to subscription and service-based models that trigger recurring revenue. Software-driven connectivity and security features are driving Opex monetization models for companies developing IoT devices for networking, industrial automation, medical devices, and smart home and building technologies. Subscription- and usage-based revenue streams require business systems that can securely track and manage the install base, while delivering a stellar customer experience that drives renewals rates. Software IoT components enforce the terms of the subscription — including enabling/disabling features — and log usage events often with corresponding data points.
What does feature monetization look like?
Offering features on demand and connecting them to tangible business value generates significant upselling and cross-selling opportunities during the lifecycle of the IoT devices and software applications. Consider the many features that a home gateway — such as the wildly popular Amazon Echo and Google Home — can offer. Software subscriptions can control connected devices such as window shutters, alarms, entertainment and other services. Complementary mobile applications can extend even more service and flexibility to customers. Cloud-based monetization offerings can govern entitlements and usage rights for IoT software services and mobile apps.
Feature management enables producers to offer unprecedented product agility and significant operational efficiencies through producing fewer physical parts and rebalancing features between devices. Instead of manufacturing dozens of different models of a product — a significant manufacturing cost — an IoT company can use secure digital monetization capabilities to reduce the number of physical product lines and use software to create different versions.
Data collection reveals new value streams
Massive amounts of data are now available thanks to increased connectivity, coupled with low-cost powerful computing and storage capabilities. This data opens monetization opportunities for:
- Usage-based revenue models, like pay-per-use or pay-for-overage
- Product usage analytics that can help producers optimize product packing, future direction and business models
- Instrumentation data that can support more complex contracts or sharing of devices
- Performance data that can drive services, like predictive and preventive maintenance
Data services will be a critical element to selling technologies. Medical device makers, for example, can use big data to provide better diagnostics based on segmenting national, socio-economic or ethnic characteristics of an overall population pool. Auto manufacturers can equip their cars with every feature and upgrade available — and simply turn the feature on or off via software and licensing, based on what the customer has purchased. In addition, industrial automation companies can monitor systems for preventive and proactive maintenance. In these scenarios, device makers can make strategic decisions about offering complimentary features as a competitive advantage or delivering features via a subscription or usage-based operating expense.
The future is in Opex revenue models
In last-generation IoT devices, providers were fairly limited in terms of monetization options. Their primary revenues derived from the sale of hardware devices and, perhaps, maintenance revenue associated with the purchase. The next big IoT revenue opportunity shifts this capital expenditure to an operating expense by using IoT software to deliver coveted and customizable features as a subscription or pay-per-use revenue model. Examples like Amazon Echo and Google Home only scratch the surface of the new possibilities for adding customer value.
But this trend doesn’t stop with consumer IoT. Manufacturers of industrial IoT devices are quickly adopting new business models that are based on subscription models for devices and data-driven services that create added value, like product-usage insight or new opportunities to bill customers based on their actual consumption. Moreover, data collection and analytics capabilities pave the way for radically new and important services for scientific advancement and preventive maintenance. Strategic IoT companies are building these options into their devices with cloud-based feature management applications, in order to create sustainable new Opex revenue streams.