When they came to market, fitness trackers and other wearables were the darlings of the IoT future, but they have since lost much of their sheen.
While the wearable market is growing according to IDC, even market-leader Fitbit faces decline in shipments, and there is little improvement in the abandonment rate — many users stop wearing their device after six months of use. The ability to wear a device is what sparked interest in the category, but has also become the barrier for IoT growth and adoption.
While wearables need to be worn to be useful, another technology can provide comparable activity data without suffering from the high abandonment rates. Interaction with devices in the home can be connected to healthcare and other business and government verticals. This collected data can be analyzed by healthcare professionals, family members, insurers, neighborhoods, cities and states for societal and homeowner benefit.
The human body has four to six clinically accepted vital signs which indicate overall condition, four of which are quantified regularly by today’s wearables: blood pressure, pulse, respiratory rate and temperature. The fifth and sixth vital signs aren’t as frequently used because they are subjective or discipline-dependent, such as pain or glucose level for diabetics. These metrics and others about bodily functions, such as sleep and menstruation, may one day be clinically considered among the others, but have limited application outside of healthcare, offering little insight for population-sized, big data analytics for IoT.
By contrast, the average smart home has many vital signs which, when quantified, produce remarkably rich data depictions — not only of human activities, but also habits, preferences, risks and changes to living patterns. This domotic data — the biometrics of the home — can be gleaned from smart home devices such as environmental sensors, locks and lights, whose metrics apply to more than just healthcare. Verticals such as security, energy, insurance, senior living, consumer products and public safety can collect smart home data, or are beginning to explore its opportunities.
There are two primary obstacles for domotic data use in IoT analytics. For one, the global smart home market is still in its growth period, with an estimated 21.8 million of U.S. households owning a smart device of some sort. As homes take on more devices, domotic data will become a de facto metric in assessing market-relevant activities and behaviors.
The second obstacle is a limited understanding of how to use domotic data, and of how it can translate into usable, scalable IoT data. The uses and benefits of this data analysis are being developed by third parties, such as businesses and government agencies, rather than by consumers themselves.
The next step for deeper IoT domotic data adoption would be a standardized lexicon, categorized into intelligent inferences scalable by time and population sizes to be customized for specific verticals. The smart home industry is still at the early stage of development, where the medium is the message. The information of door status from a smart lock has been typically understood as the data at this point, but to be useful to IoT, analysis needs to move beyond isolated events and device status. It needs to begin to interpret how events over the course of time become behavioral information, and then how they can be used for beneficial purposes.
Consider the ordinary smart lock, and the related devices that comprise a home security system — the most common smart home scenario. The device status of an open or closed door or window can signal departures and arrivals in the home, which is useful only to the homeowner. This simple, static information is currently only useful to residents in home monitoring and safety; but when analyzed on a larger scale, this data can play a part in larger impacts.
When examining these same conditions through industry-specific lenses, the domotic data can be used by home insurers. For example, if a family has digital codes as electronic keys for a smart lock, the assignment of additional new keys can indicate when a relative visits or a new caregiver gets access to the house. Other conditions, like habitual visitors, and other renting scenarios, such as Airbnb, can affect home security and its insurance equation.
Additional inferences can be made using the same domotic data to identify a morale hazard — a habitual inattention that incurs risk, indicated by a garage door that’s often left open. Homeowners who frequently forget to lock doors or shut off the backyard water valve during the winter fit this profile, which naturally impacts an insurance premium.
If the same data is scaled to a local region to recognize a pattern, inferences can be made about neighborhood safety, where leaving windows and garage doors open isn’t seen as risky behavior. This finding could impact insurance premiums and local policing; and at the state level, above the municipal level, this data could help allocate public safety budgets more effectively. In this way, simple status notifications seen at scale have the potential to impact larger populations.
Other domotic data could yield similar external insights and commensurate responses for local and regional energy usage patterns, water consumption, residential safety risks, structural vulnerabilities in streets and buildings, senior activity and services, and more. Since its market entry more than a decade ago, Z-Wave technology has been dedicated to making these possibilities mainstream, through an interoperable, brand-agnostic approach, which creates the world’s largest ecosystem of smart home devices, functions and data generation. By providing a platform for consumers to build up their smart home with devices of their choosing, the interoperability can push smart home adoption and bring the market closer to these IoT data applications.
As the smart home market matures and both residential and commercial dwellings are outfitted with sensors, cameras and other monitoring and automation technologies, the biometrics of the home can start to make an impact.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
In 2015, Gartner’s Earl Perkins discussed using an “identity of things” to manage interactions among the different components of an IoT environment. Yet, today’s IoT strategies are often device-centric, where individual products are deployed without a clear plan of who, how, when and where they’ll interact with other entities.
To understand how identity and IoT correlate, first consider the value of identity in the enterprise. Identity management, as a discipline, has been around for a very long time, initially focused on simply provisioning access to software and services. Over the past few years, however, attention has shifted to behavior monitoring in order to quickly identify when a device, or person, starts to do something “bad.” This has enabled enterprises to keep information under control and stay secure by focusing on presenting the identity context of interactions and activity.
We can use these proven strategies for IoT management. From a security perspective, simply protecting and hardening IoT devices themselves is not realistic for the scale at which IoT environments will evolve. It’s like stopping car crashes by making safer roads; focusing on the infrastructure can only make so much of a difference. The workload of keeping patches up to date is clearly already exceeding our collective ability to get the job done, even with today’s enterprise non-IoT environment. However, applying the principles of identity management will enable organizations to form the foundation upon which to build a workable security strategy. Understanding what each device is, how it normally behaves and what other devices (and people) it interacts with arms organizations with a baseline to measure against.
Once this baseline identity is established, enterprises will be much more prepared to get ahead of potential security issues. When normal interactions change, when the level of data exchange shifts, when the hours of activity become unusual or when something looks odd, then we have the best chance of spotting an attack before the real damage is done.
For example, imagine an office building filled with smart lights. If those lights suddenly start chatting with each other in an unusual way — yes, smart lightbulbs are hackable — then maybe they are under attack by someone with an IoT worm. If we don’t know the devices are lights and can’t tell who or what they are talking to, the traffic alone may not trigger an alarm until it’s far too late.
Understanding the identities of those lights may, on the other hand, give us the warning we need. We already know that attackers are looking at poorly secured IoT devices as both a pool of untapped compute resources for truly massive distributed denial-of-service attacks and the quickest way to breach corporate networks. And when potentially dealing with billions of devices, many of them of questionable heritage and security status, it’s clear that using an identity framework may not only be the best choice, but the only choice.
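The baseline-and-deviation idea described above, as an added example that is not part of the original article: it learns how each type of device normally behaves from an observation window, then flags flows that depart from that baseline. The inventory, flow records, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: device id -> what the device is (its identity).
INVENTORY = {
    "light-01": "smart-light", "light-02": "smart-light", "light-03": "smart-light",
    "ctrl-01": "lighting-controller",
    "badge-01": "badge-reader", "door-srv": "access-server",
}

# Constructed flow records: (hour_of_day, source, destination, bytes).
BASELINE_FLOWS = [
    (8, "light-01", "ctrl-01", 220), (9, "light-02", "ctrl-01", 240),
    (13, "light-03", "ctrl-01", 200), (18, "light-01", "ctrl-01", 260),
    (8, "badge-01", "door-srv", 900), (17, "badge-01", "door-srv", 1100),
]
NEW_FLOWS = [
    (10, "light-02", "ctrl-01", 230),      # matches the baseline
    (2, "light-01", "light-02", 48000),    # light to light, at night, large
    (2, "light-02", "light-03", 47000),
    (11, "cam-99", "door-srv", 500),       # device with no identity on record
    (9, "badge-01", "door-srv", 1000),     # matches the baseline
]


def learn_baseline(flows, inventory):
    """Per device kind: peer kinds seen, hours seen, largest flow seen."""
    base = defaultdict(lambda: {"peers": set(), "hours": set(), "max_bytes": 0})
    for hour, src, dst, nbytes in flows:
        entry = base[inventory[src]]
        entry["peers"].add(inventory.get(dst, "unknown"))
        entry["hours"].add(hour)
        entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return dict(base)


def _hour_gap(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def evaluate(flows, inventory, baseline, volume_factor=5, hour_slack=1):
    """Return (src, dst, reasons) for every flow that departs from the baseline."""
    alerts = []
    for hour, src, dst, nbytes in flows:
        kind = inventory.get(src)
        if kind is None or kind not in baseline:
            # Without an identity there is nothing to compare the traffic against.
            alerts.append((src, dst, ["no-identity"]))
            continue
        entry = baseline[kind]
        reasons = []
        peer_kind = inventory.get(dst, "unknown")
        if peer_kind not in entry["peers"]:
            reasons.append(f"new-peer-kind:{peer_kind}")
        if not any(_hour_gap(hour, h) <= hour_slack for h in entry["hours"]):
            reasons.append("unusual-hour")
        if nbytes > volume_factor * entry["max_bytes"]:
            reasons.append("volume-shift")
        if reasons:
            alerts.append((src, dst, reasons))
    return alerts


def same_kind_chatter(alerts, inventory):
    """Sources flagged for talking to a peer of their own kind (light to light)."""
    return sorted({src for src, dst, _ in alerts
                   if src in inventory and inventory[src] == inventory.get(dst)})


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS, INVENTORY)
    for alert in evaluate(NEW_FLOWS, INVENTORY, baseline):
        print(alert)
```
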
We should be under no illusions: the internet of things will be chaotic and potentially a security nightmare. Identity management — or identity of things — alone will not solve all security issues with the growing world of IoT, but it will significantly influence the IoT worldview. The best hope to keep that chaos to manageable levels is to at least understand the interactions of the identities involved, whether those are devices, services or regular old human beings like you and me.
As the internet of things continues to shake up different industries, businesses are being forced to interrogate and evaluate their recruitment strategies to make sure they have strong teams in place that can develop and maximize IoT technologies. The sheer scale and scope of IoT means that there are a whole range of skills that could be required depending on the nature of a project. This makes recruitment a real challenge, particularly as the skills required today may not be the same ones that businesses need in a couple of years’ time.
This challenge means that organizations need teams that are multifunctional and thus generalists by nature. However, they also need employees to cover a number of specialisms across the entire software stack from low-level embedded code to machine learning capabilities both at the edge and in the cloud. Inevitably some of these will be commonplace already, but IoT will also increase the need for skills that weren’t previously required.
To this point, our research has revealed that 68% of IoT professionals are struggling to hire employees with IoT skills, with the hardest one being data analytics and big data (according to 35% of IoT professionals). This skill is critical to gathering, analyzing and potentially monetizing the vast amounts of data produced by IoT devices.
It’s not just cloud development talents that are required. When asked what skills they deemed necessary to be an IoT expert, after data analytics (at 75%), software development skills were found to be the most needed skill, according to 71% of IoT professionals. In one sense this is surprising, as embedded development is by no means a new discipline. But when considering the fact that hardware is rapidly commoditizing, with monetization and differentiation increasingly coming from software, it is natural that businesses invest in building up their embedded software development capabilities. Unfortunately, 33% are struggling to hire employees with this particular skillset.
The IoT jobs of the future range from CIoTOs and IoT business designers, to an increase in demand for chief data officers, IoT architects and security consultants. However, in an industry as demanding and fast-changing as IoT, most companies are not in a position to hire at scale. Fixed costs become too prohibitive, especially for those in the early adoption stage of IoT where the value and ROI to be derived is still questionable or has not had a chance to prove its full worth.
Therefore, once an organization has identified the skills they require, consideration needs to be given as to whether some or all of these skills are better outsourced at least in the short term. In addition to overhead advantages, there is also the benefit of bringing in expertise from individuals, consultancies or system integrators who have significantly more IoT experience to aid the implementation while sharing knowledge throughout the business.
Above all, though, businesses must adopt an iterative and agile approach when it comes to deciding on the right people, skills and team to take them forward into their internet of things world. It is unlikely that what is decided upon today will remain the same in even one or two years, so constantly being in a position to evaluate what requires changing and being able to execute this quickly is a must if businesses are to thrive in the IoT gold rush.
In the 13th century, Marco Polo set out with his father and uncle on a great voyage across uncharted territories. They traveled across the vast continent of Asia and became the first Europeans to visit the Chinese capital. For 17 years, Marco Polo explored many parts of the world before finally returning to Venice. He later wrote about and mapped out his experiences, inspiring a host of new adventurers and explorers to travel to the exotic lands of the East.
We are all on a voyage similar to Marco Polo’s, navigating the uncharted ocean of IoT big data — seeking those elusive use cases. As we navigate this complex ocean of industrial IoT data, we need two things:
- Maps (industry-specific use cases)
- Meta patterns (common across industries)
These would help other “Data Marco Polos” avoid the potential minefields we have encountered.
We have abstracted and distilled common big data use cases in industrial IoT that pass the business case test. These are based on real-world projects executed across energy and heavy engineering industries in the U.S. and Japanese markets. Here are the seven core IoT big data use cases that we mapped out:
1. Creating new IoT business models
We worked with a customer that used our IIoT big data technology to restructure the pricing model of field assets based on ultra-specific usage behavior. Before adopting the IIoT analytics product, the customer had a uniform price point for each asset. Deploying the IoT analytics technology helped them transition from a uniform pricing model to executing usage-based dynamic pricing that resulted in improved profitability.
2. Minimize defects in connected plants
The client was a process manufacturing plant located in the Midwest, manufacturing electrical safety products. The quality of its electrical safety product could mean life or death for folks working in the power grid. This customer had sufficiently digitized the manufacturing process to get a continuous real-time stream of humidity, fluid viscosity and ambient temperature conditions. We used this new, rich sensor data pool to identify drivers of defect density and minimize them.
3. Data-driven field recalibration
Many assets come with default factory settings which are not recalibrated, resulting in suboptimal performance. We worked with an industrial giant charged with shipping a crucial engineering asset to stabilize the power grid. These assets were constantly inserted into the network ecosystem with default parameter settings. One powerful question we asked was, “Which specific parameter settings discriminate the failed assets from the assets performing well?” Discriminant analysis revealed the parameter settings that needed to be recalibrated along with the optimal band setting. By putting this simple intervention in place, we were able to dramatically impact the number of failure events in the system.
4. Real-time visual intelligence
This is probably the most widely adopted use case, where the platform answers the simple question of “How are my assets doing right now?” This could be transformers in a power grid, oil field assets in a digital oil field context or boilers deployed in the connected plants context. The ability to have real-time “eyes” on industrial field assets streaming in timely state information is crucial. The reduced latency combined with the visual processing of out-of-condition events using geospatial and time-series constructs can be liberating for hardcore engineering industries not used to experiencing the power of real-time field intelligence.
5. Optimizing energy and fuel consumption
For many moving assets like aircraft, fleet trucks and ships, fuel cost is a significant line item in operations. Cost sensor data mashed with location data collected from mobile assets can help optimize fuel efficiency. We worked with a major fleet owner to reduce fuel consumption by 2%, which led to millions of dollars being shaved off the company’s operational expenses. The customer was able to reallocate the funds to a major project it had been putting off due to budget constraints.
6. Asset forensics
As assets become increasingly digitized, businesses can get a granular, 360-degree view of their health spanning sensor data pools, ambient conditions, maintenance events and connected assets. One can confirm an asset failure hypothesis and detect correlations from these new rich data pools. This would be much richer intelligence than the current existing processes would provide today to diagnose asset health.
7. Predicting failure
Once there is a critical mass of signals, multivariate models can be built for scoring an asset on failure probability. Once this predictive failure probability crosses a certain threshold, it can automatically trigger a proactive ticket in the maintenance system (like Maximo or other systems) for an intervention, such as replacing a part, recalibration of a machine or an examination of a machine for closer inspection. Many companies are looking towards predictive maintenance models versus time-series-based maintenance programs to be more efficient in their operations. We have a customer that was able to restructure its entire maintenance program based around real-time streaming signals from its machines. This company has been able to provide a more efficient maintenance program for its customers based on the actual performance of the equipment.
As Marcel Proust said, “The voyage of discovery is not in seeking new landscapes, but in having new eyes.”
Good luck with your IoT big data voyage!
The U.S. federal government is proving increasingly vulnerable to cyberattacks, and seemingly every week we learn of more stolen federal employee identities, Russian election digital meddling and Pentagon hacks.
These attacks can cripple the U.S. government if systems remain unsecure, according to the “2017 Internet Security Threat Report.” Desperate to secure government systems, the new “Internet of Things (IoT) Cybersecurity Improvement Act” legislation will require connected devices purchased by government agencies to be patchable, and would ban devices that are shipped with hard-coded passwords.
Could there be other solutions to this problem that have been overlooked?
Since IoT requires connectivity, it is this area in the solution stack which presents the most vulnerabilities. Connectivity comes in two basic flavors: wired and wireless. Wired is most common on the factory floor, often using proprietary industrial protocols, such as Profinet and Modbus. These systems were never really designed to be exposed to the internet, and it is for these types of systems that Industry 4.0 promises to create huge advancements in productivity, predictive maintenance being one of the most popular discussion points today.
Due to the volume of devices to be connected in coming years, wireless IoT connectivity will be the most advantageous and where cybersecurity experts are most concerned.
With the industry promoting a raft of different IoT connectivity options, some are appropriate for federal government applications, whereas others are not.
For example, in a recent article, the Business of Federal Technology introduced the IoT Cybersecurity Improvement Act, which will require vendors of internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords and do not contain any known security vulnerabilities.
For devices to be patchable, a worthy two-way communication link between a device and an IoT platform is required. Some wireless connectivity options aren’t developed for two-way communication, certainly not for updating firmware.
LTE (Cat-1M and NB IoT) and LoRa are the frontrunners in the emerging wireless connectivity area, the key word being “emerging.” Networks are being deployed, devices are on their way and bandwidth will be plentiful, however:
- The average price for a connected device subscription will be around $2.00
- New LTE/LPWAN hardware will be expensive in early years
If the federal government requires a few hundred million (or more) connected things, the bill is going to be high, the rollout slow and the security no better than most of today’s wireless connectivity options. The new cybersecurity bill points out that the Office of Management and Budget will develop alternative network-level security requirements for devices with limited data processing and software functionality. Considering this point, no real benefit will be derived from adopting emerging tech. If anything, it will slow things down as developing alternative network-level security requirements on new technologies — which aren’t yet ubiquitous — will take time.
One practical alternative is to use existing ubiquitous secure wireless protocols such as MQTT-SN over USSD. The USSD messaging protocol, baked into GSM networks, requires no TCP/IP. If you remove the internet from IoT, the paradigm shifts completely and you guarantee the quality of service between device and IoT platform to create a very secure and reliable bidirectional communication protocol which is available not only across the U.S., but the world — today!
We enjoy a connected world with a fascinating array of devices and applications at our fingertips, if not on our wrists or before our eyes. In just a few years, home networks have gone from supporting a few smartphones, tablets and laptops to scores of devices. Tomorrow’s average home could soon have more online connections than today’s small to medium-sized business. It seems everyone is now in the “IoT tech” business.
On the one hand, creating a hyperconnected, wonderfully ubiquitous internet offers extraordinary convenience and productivity; on the other, this expansion breeds complexity and broader security vulnerabilities that can impact ourselves and infrastructures.
To meet this challenge, we must pursue two parallel but related paths:
- Standards and policy: Tech industry leaders and government policymakers must collaborate to set security standards and policy roadmaps that advance and not inhibit innovation; and
- Consumer awareness: Often the weakest link, consumers need to be aware of their responsibilities, while technology innovators should be aware not to shoulder too much responsibility on consumers.
Today’s connected consumer has to do more than just install antivirus software and a firewall to reduce security risks. A connected lightbulb, toaster or washing machine could be an online fugitive’s weapon to commit a cybercrime that can disrupt or bring down networks. A home network is only as secure as the gadget with the weakest security connected to it.
The same can be said for enterprise networks. Company and government networks employ sophisticated security capabilities. Yet, it can take just one unknowing employee to click a hyperlink or open a document and subject an entire enterprise to a spear-phishing attack, which remains the major source of breaches inside enterprise networks. Here too, the weakest link rests with a consumer-level user.
Yes, we have met the enemy — and it’s often us.
New technologies may be a game changer
The fragmented yet vast IoT landscape and lack of consumer understanding are already causing communication issues as brands attempt to lock users into their ecosystem. But the problems are much bigger than an LG toaster not talking to a Samsung smart refrigerator. When purchasing a smart TV, have you ever read the fine print in the instruction manual to understand how the software inside the TV is updated or how security patches will be applied? What’s the security risk to you when the manufacturer abandons software updates four years from now?
Cyberattacks on IoT devices and networks will continue to expand and evolve. If 1930s bank robber Willie Sutton were alive in 2017, he might be asked, “Willie, why do you hack the internet instead of robbing banks?” Willie would almost certainly reply, “Because that’s where the money (or information) is.”
There is an explicit need for industry guidelines and standards to drive better compatibility and use of security around the devices used at home and at work. As a major user of IT, the federal government should facilitate dialogue and collaboration within industry to drive at better cyberstandards, particularly those that reduce complexity, if not responsibility, for the individual consumer. Adopting “secure by design” principles and increasing breach prevention capabilities, for example, can help close the risk aperture, but we need more to not only defend but apprehend.
Artificial intelligence and the machine learning that comes along with it offer much promise to advance a more preventive posture. On the inside, for example, we can more rapidly detect potential incursions through user and entity behavioral analytic capabilities and perhaps pattern of life analysis. By employing these and other big and dynamic analytics outward into the OS and dark web, we can identify threats before they hit our turf.
The way forward
As a kid who grew up with transistor AM radios, analog black-and-white TVs and rotary phones, I’m quite amazed by the fascinating technology we use at work and at home. My generation survived with four TV channels, and “Amazon” to us was a river with dangerous fish in Brazil. And as we watched Walter Cronkite, the most precious asset of the 21st century — the internet — was being designed.
Just as we have not fully grasped the internet’s potential, so too have we not grasped its security implications. Yes, we’ve become more aware, but lately, I fear we’re becoming desensitized to cyberattacks around us at a time when we as individual users hold more responsibility for preventing them. Most of us have experienced the inconvenience of a breach, yet most people don’t believe cyberthreats are their problem. Yes, technology can and should reduce the cyber-risk factor of the individual consumer, but there will always be risks that remain our problem … and it starts with education and awareness as part of a personal and enterprise mosaic of security.
In the time I was turning the analog dial on our family TV, the federal government led a comprehensive public awareness campaign to reduce litter and pollution, which included a famous ad featuring a crying 17th century Native American in the foreground. It worked. We cleaned up our country immeasurably. Industry also responded with more recyclable products. We took a similar course to the hazards of cigarette smoking.
A similar approach is needed to “clean up” our “cyber streets and cities,” beginning with focused campaigns to increase awareness and improve personal and organizational hygiene in our nation. At the same time, industry and government need to do their part with public policy and standards that result in innovations that help us meet the threats and mitigate them substantially.
If we don’t deal with this effectively, we may never have to confront the tokenized “Cyber Pearl Harbor,” but we might feel a “cyber-erosion of confidence” that could be every bit as paralyzing to our lives, businesses and governments.
Security has always been everybody’s business. Just now, more so than ever.
The volume of highly sensitive personal and IP data is growing exponentially with the rapid adoption of the internet of things. In a recent survey of enterprise IT development and architecture professionals by Database Trends and Applications, 44% of respondents report adoption of IoT, ranging from proof-of-concept stage, to use in one or more lines of business, to IoT being “part of our ongoing business strategy.”1
The IoT trend in turn is a major driver of the exploding growth of the Hadoop data lake where most IoT data lands. According to a TDWI report2 on a survey of 252 enterprise respondents worldwide, 53% have deployed a data lake on Hadoop and 24% have deployed on Hadoop in combination with a relational database management system. Top use cases include advanced analytics (data mining, statistics, complex SQL, machine learning), and data exploration and discovery. While the data lake is becoming more common, barriers to adoption include lack of security for Hadoop, lack of governance and risks of breach and data privacy compliance posed by exposure of personal data in analytics.
On first glance, the requirement to protect data privacy might seem in conflict with objectives to enable big data analytics that could increase data exposure risk, which often involve digging into user behavior, customer transactions, detailed consumer demographics and processing in untrusted environments such as Hadoop. Data privacy regulations mandate specific guidelines on the classes of data to be protected including personal data, protected health information and financial data. IoT sensor data, geolocation codes, vehicle identification numbers (VINs) and IP addresses, along with many other data elements, qualify as sensitive personal data under the General Data Protection Regulation (GDPR).
GDPR: A game changer for usable protected data
The GDPR establishes the most stringent regulations to date to protect EU citizens and residents from privacy and data breaches. Multinational firms around the world, whether they have operations in the EU or not, are realizing that they process EU personal data and this regulation therefore applies to them. The GDPR recommends pseudonymization and encryption as two mechanisms that can be used to protect personal data, but it must support two requirements: 1) the ability to decrypt the data when necessary, and 2) the ability to continue to run business processes on the encrypted data.
Format-preserving encryption (FPE), an innovation pioneered by HPE to protect data while maintaining its structure and context for application usability and which persists with the data, is a trustworthy and comprehensive data-centric approach to address the risk of inappropriate data exposure to users and applications. FPE is able to protect data independent of the underlying platforms that rely on a “system-centric” security controls approach which doesn’t extend or scale outside of that IT system. As a result, FPE enables analytics in the data lake while, at the same time, data privacy is maintained for compliance with the GDPR.
Case in point: A top automotive manufacturer
To address data privacy compliance for its customers, while enabling safe analytics on IoT-generated data in its Hadoop data lake, a major auto manufacturer is using FPE at a field level to protect in-car sensor data, VINs and geolocation data streaming from customers’ cars. The data is used for multiple purposes, including vehicle quality control. Engineers look at sensor data to identify potential problems in specific components or groups of vehicles, while data scientists run thousands of reports against vehicle data for internal research purposes. The company’s volumes of real-time data are predicted to grow to around 20 petabytes within just a couple of years. Data is protected by FPE prior to ingestion into the data lake (Hadoop and Teradata EDW). With FPE, this leading auto manufacturer is enabling analytics on vast amounts of data in its protected form, thus safely providing broader access for analytics, not only to its data scientists, but also to engineers, developers and other employees as BI objectives dictate.
The benefits of using the field-level encryption technology deployed by this manufacturer include:
- Referential integrity, with encrypted data which retains its characteristics such as length and data type, requiring no changes to applications and systems for use;
- The ability to perform almost all analytics on encrypted data with no requirement to re-identify data to its original form, mitigating exposure of personal data and the triggering of breach notification requirements; and as a result,
- Enabling compliance with multiple data privacy regulations, including GDPR, but also within other systems and platforms.
All of this is achieved with a single enterprise-grade, scalable platform to protect sensitive personal and IoT data not only in the Hadoop data lake, but also across other systems and platforms.
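The properties listed above (same length and character set, a consistent mapping so joins and group-bys still work, reversibility with the key) can be seen in a small Feistel-based format-preserving cipher. This is an added illustration, not the vendor's product and not NIST FF1; the VINs, field names, tweak and function names are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# VIN character set: digits plus capital letters, excluding I, O and Q.
VIN_ALPHABET = "0123456789ABCDEFGHJKLMNPRSTUVWXYZ"
ROUNDS = 10


def _num(text, alphabet):
    """Read text as a number in base len(alphabet); rejects foreign characters."""
    value = 0
    for ch in text:
        value = value * len(alphabet) + alphabet.index(ch)
    return value


def _text(value, length, alphabet):
    """Inverse of _num, left-padded to a fixed length."""
    chars = []
    for _ in range(length):
        value, digit = divmod(value, len(alphabet))
        chars.append(alphabet[digit])
    return "".join(reversed(chars))


def _prf(key, tweak, rnd, length, half, modulus):
    """Keyed round function: HMAC-SHA256 reduced into the other half's domain."""
    msg = b"|".join([tweak, str(rnd).encode(), str(length).encode(), half.encode()])
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus


def _feistel(key, tweak, text, alphabet, decrypt):
    n, radix = len(text), len(alphabet)
    if n < 2 or radix ** n < 1_000_000:
        raise ValueError("domain too small for format-preserving encryption")
    u = n // 2
    v = n - u
    a, b = text[:u], text[u:]
    for i in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v           # length of the half being rewritten
        modulus = radix ** m
        if decrypt:
            c = (_num(b, alphabet) - _prf(key, tweak, i, n, a, modulus)) % modulus
            a, b = _text(c, m, alphabet), a
        else:
            c = (_num(a, alphabet) + _prf(key, tweak, i, n, b, modulus)) % modulus
            a, b = b, _text(c, m, alphabet)
    return a + b


def fpe_encrypt(key, text, alphabet=VIN_ALPHABET, tweak=b""):
    return _feistel(key, tweak, text, alphabet, decrypt=False)


def fpe_decrypt(key, text, alphabet=VIN_ALPHABET, tweak=b""):
    return _feistel(key, tweak, text, alphabet, decrypt=True)


# Constructed telemetry rows; the VINs are made up and match no real vehicle.
ROWS = [
    {"vin": "TESTVN0000000001A", "sensor": "brake_temp", "fault": True},
    {"vin": "TESTVN0000000002B", "sensor": "brake_temp", "fault": False},
    {"vin": "TESTVN0000000001A", "sensor": "oil_pressure", "fault": True},
    {"vin": "TESTVN0000000003C", "sensor": "brake_temp", "fault": True},
]


def protect_rows(key, rows):
    """Field-level protection before ingestion: only the VIN column changes."""
    return [{**row, "vin": fpe_encrypt(key, row["vin"], tweak=b"vin")} for row in rows]


def faults_per_vehicle(rows):
    """An analytic that never needs the clear VIN: fault count per vehicle."""
    return Counter(row["vin"] for row in rows if row["fault"])


if __name__ == "__main__":
    demo_key = hashlib.sha256(b"constructed demo key").digest()
    protected = protect_rows(demo_key, ROWS)
    for row in protected:
        print(row)
    print(faults_per_vehicle(protected))
```

Because the mapping is deterministic, equal VINs stay equal after protection, which is what keeps joins working and is also why an observer can still tell that two rows belong to the same vehicle.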
The best of both worlds with usable security
The need to comply with data privacy regulations worldwide is driving organizations to adopt FPE to protect customer personal data at the field level, using a data-centric approach so that analytics can be performed on the data in its protected form, with context maintained, in order to extract value from the data in the form of analytic insights. Recent advances in FPE enable enterprises to deploy highly scalable data protection for environments such as the Hadoop data lake, as well as their other vulnerable systems and applications deployed across cloud. This technology provides an organization with a template to roll out data protection across other applications, platforms and systems, enabling a framework that adapts to rapidly changing hybrid IT environments.
1 “Internet of Things Market Survey” by John O’Brien, CEO Radiant Advisors, with Database Trends and Applications
2 “Data Lakes: Purposes, Practices, Patterns, and Platforms” by Philip Russom, Senior Research Director for Data Management, TDWI, The Data Warehousing Institute
In part one of this article, Anthony Giandomenico described how cybercrime has become not only a business, but a big business, designed to generate revenue with predesigned attacks focused on attack vectors that are easy to exploit: IoT devices.
Opportunity is also the land of innovation
Because cybercriminals are focusing more on attacks that target critical infrastructure based on new, interconnected technologies, they don’t have to spend enormous resources and development cycles on figuring out how to break into these systems using complex zero-day attacks. Instead, they can spend more of their resources on making their exploits more difficult to detect, more effective by introducing things like worm capabilities to spread infections further and faster, adding multivector capabilities in order to run exploits on a wider range of vulnerable systems, and developing intelligent, multilayered malware that provides a lot of options for stealing data or compromising systems.
The recent WannaCry and NotPetya ransomworm exploits were remarkable not only for how fast they spread, but also for their ability to target a wide range of infrastructures and industries. But the dirty little secret about these attacks is that they could have been entirely prevented if IT folks simply practiced good network hygiene. That’s because these attacks targeted a vulnerability for which a critical patch had already been issued months earlier. Most organizations that were spared from these attacks had one thing in common: They had simply applied the security patch from Microsoft when it was released.
Here at Fortinet, we refer to these sorts of attacks as “hot exploits.” Cybercriminals know from experience that many organizations simply don’t have the time, resources or initiative to patch vulnerable systems. So they build effective exploits and they wait. WannaCry proved that. And NotPetya proved that even after a large attack managed to exploit a well-known vulnerability, far too many organizations were still unlikely to patch their systems. Catch me once, shame on you. Catch me twice…
Our FortiGuard threat analysis team sees this all the time. Nearly every week we record several attacks successfully targeting vulnerabilities for which patches have been available for months — and often, even years. In fact, our latest quarterly threat report showed that the average age of a known vulnerability that is successfully targeted by an exploit because it wasn’t patched is five years. Seriously.
Everything is connected to everything
And now, as infrastructures become more interconnected and begin to adopt new, cutting-edge technologies, the risk is being compounded. Windmills and unpatched operating systems are just the tip of the iceberg. Smart cities are beginning to interconnect energy grids, traffic control, emergency response systems and other critical infrastructure resources and services into a giant, integrated web. Smart cars are run using onboard computers that are increasingly able to make split-second, autonomous decisions. But they are also soon going to connect your car to your financial system in order to automatically pay for things like fuel, tolls, onboard Wi-Fi and streaming entertainment. Smart buildings managed by huge property management conglomerates are being designed with automated heating and cooling systems, lighting, secure access doors and smart elevators that can recognize tenants and deliver them to the appropriate floor. And building supervisors will manage all of this remotely.
The list goes on and on: smart homes, smart appliances, interactive gaming and entertainment systems, online security systems and monitors, interactive and intelligent mall kiosks, online medical consultation and even surgery using remotely controlled tools are all either here now or just over the horizon.
Security isn’t just a good idea — it may soon be the law
Because many of these manufacturers have failed to implement necessary security into their devices, it’s like we have handed the cybercriminal community our ATM cards and PINs because they don’t have to figure out how to bypass security or crack open a hardened operating system. Instead, in the rush to push out new technologies to enterprises and consumers — and even critical infrastructure systems — with little to no security attached, that job has been done for them.
While security devices and strategies can go a long way towards protecting organizations and individuals, security developers can’t solve this problem alone. IoT manufacturers have a role to play, and unfortunately, many have traded responsibility for expediency. The clock is ticking, however. The next step will be to hold manufacturers accountable for selling solutions that can be easily exploited.
Recently, U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, introduced a new bipartisan bill known as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” This bill prescribes that devices purchased by the U.S. government must meet minimum security requirements, and that vendors who supply the U.S. government with IoT devices have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed and are free of known security vulnerabilities, as well as other basic security requirements.
California’s recent Senate Bill 327 would go much further by codifying the State of California’s ability to bring enforcement complaints against companies that do not build adequate security safeguards into their devices. This law has teeth, and because California is such a massive economy, its passage could significantly impact the entire IoT industry.
Such regulatory scrutiny and legislative action targeting the data security of IoT devices is likely to continue to grow, because the alternative is to continue to feed the growing cybercriminal economy. IoT device manufacturers need to prepare now to either develop security standards or conform to legislation in order to avoid massive market disruptions and consumer mutinies. Because the digital economy will continue to move forward, with or without them.
For centuries, humankind regarded the wild as something to be tamed and conquered. Not so much these days. In recent decades, society has changed course and turned its attention to protecting the environment rather than trying to beat it into submission and bend it to better suit our narrow purposes.
This shift in thinking is nothing short of a revolution. With the biosphere in a precarious state thanks to generations of careless disregard, we’re now enlisting the same mighty force that devastated nature to come to its defense. Of course, that force is human technology.
Historically, technological advancements have been driven by industry and fed by the increased dominion over and exploitation of nature. For thousands of years, “progress” for the human enterprise meant more culling of wildlife, more land to clear, more domestication of the “wild,” and more poorly disposed waste. Indeed, for most of human history, nature was regarded as something crude — as something to be battled, overcome and refined in the service of man.
This view can be traced all the way back to the ancient Greeks (circa 400 BCE) who saw nature, to a large extent, as an obstacle on the path to human greatness. This perspective dominated Western thinking until Jean-Jacques Rousseau (circa 1750 CE) popularized his view of civilization as a corrupting factor and nature as the symbol of raw innocence and good. (This theory gave rise to his conception of the “noble savage” as an idealized, though derivative, version of man who is one with nature and not ruined by human society.) Since then, momentum has slowly built in favor of a more Rousseauian view. This has been a long but steady journey that has only in the last decade culminated with the wide-scale adoption of a kinder and more stewardly approach to nature.
In this article, I will look at some of the ways in which technology today — specifically, the internet of things — is working to preserve and revitalize our planet.
A relationship redefined: Prophecies of human evolution
At the current rates of global consumption, even without allowing for any growth to the population, we would need 1.6 Earths to achieve a sustainable carrying capacity. Holding aside the issues of climate change, this fact alone is enough to place sustainability among the foremost concerns for human society. Given the extent of the damage done, and how close we currently stand to the red line, it’s not enough for civilization to simply reform — we must find some way to turn back the clock and undo at least some of the damage we’ve done. And that’s where advanced technology comes in.
As sustainability takes center stage, new and emerging technologies are being put to work to save nature, becoming an integral part of the battle to reduce dependence on non-renewable energy sources, stop pollution and clean up the mess left behind from generations of exploitation.
It’s a fascinating development and in some ways it’s the realization of biblical prophecy — or perhaps more accurately, biblical paradox. In the first chapter of Genesis, Adam and Eve are placed on Earth and told to both “conquer” the land and “assert dominion” over the animals. (It is worth noting that Adam in the original Hebrew is “אדם,” which literally means “man” and is derived from the word “earth.”) In the second chapter of Genesis, a slightly different version of the story is recounted. In this version, Adam was commanded to “tend to and protect” the Garden of Eden. The Bible seems to capture an internal conflict in the archetypical human’s relationship with nature. And it’s a conflict that we’ve seen play out over the course of human history.
I mention this because this dichotomous relationship with nature seems somehow inherent to the human condition and it’s that same dichotomy that makes the idea of engineered inventions as the best hope for environmental salvation simultaneously absurd, wonderful and romantic.
Putting IoT to work saving nature
As we enter chapter two of the human story, we’ll require more than a change in attitude to fulfill our mandate. We’ll require breakthroughs. The internet of things is one of the most promising technologies we have at our disposal. A self-communicating and largely self-managing system of interconnected devices, IoT is in many ways the technological embodiment of sustainability.
This smart network can collect an incredible amount of information from the real world, information that can be used to make existing processes profoundly more efficient or do the legwork and lay the foundations for entirely new operational models. But it’s not just about the data collected by these IP addressable devices, it’s about how that data is instantly communicated up and down a chain of purpose-specific terminals, ensuring that relevant information is always in the right place to be intelligently acted on.
In many ways, IoT represents a blank slate for companies, scientists and inventors seeking solutions to open up new frontiers or begin tackling hard-to-isolate problems entrenched deeply within normal processes.
From conservation efforts and cleantech to tracking environmental conditions and reducing electricity usage, every imaginable angle in the quest to save nature is being explored anew through the lens of IoT. While I cannot cover each and every instance of IoT being used to better the environment, I’d like to turn your attention to three such examples that I believe demonstrate the potential of such applications.
1. IoT ushers in a more circular manufacturing economy
In the circular economy, waste is reduced, repurposed and eliminated entirely from the manufacturing cycle. IoT technologies are central to evolving the economy from the “make, take, throw away” model that’s created environmental headaches and heartaches around the world. The idea here is to keep as much as possible out of landfills by extending the life of both the items being manufactured and the equipment used to make those items. (There is also a lot of great work being done, it should be noted, to transition from a material discard model to a component retrieval model once products outlive their usefulness.)
IoT’s role in the circular economy manifests through improved operational insight. This insight comes through IoT sensors that empower manufacturers to better manage people, processes and assets. The tighter the feedback loop, the more “leaks” are caught and the more quickly they can be “patched.” This applies to supply chain management, human resources, digital systems and really anything that contributes to production.
Consider, for example, the effect that IoT sensors are having on the realm of asset performance management. These sensors are empowering managers to more intelligently maintain equipment, leading to substantially extended asset lifecycles (preventing unnecessary and wasteful asset requisitions) and improving the efficiency of performance over the course of that lifecycle (preventing wasted input).
2. Managing traffic in real time, IoT technologies reduce carbon emissions
While the popularity of electric cars is increasing, non-electric cars (and even electric cars powered by non-renewable energy forms) still impose massive environmental costs.
Close to 30% of carbon dioxide emissions are caused by cars, with up to 45% of those emissions occurring around intersections managed by traffic lights. City planners have set their sights on tackling the problem right at the intersections where it occurs by installing IoT-enabled traffic controls that respond to real-time conditions instead of preprogrammed timers.
With IoT technology, traffic lights can detect asymmetric strains on the transportation infrastructure and intelligently adapt to optimally manage traffic flow. Instead of cars idling at lights for one, two or even three minutes when there’s no traffic coming in the opposite direction, traffic lights can safely change from red to green according to the number of cars at an intersection and the traffic flow occurring at that exact moment.
Estimates claim that this technology can cut the equivalent of 35 million vehicles’ worth of carbon emissions over the next five years.
3. IoT-enabled sensors monitor water and air quality from afar
Normally, water and air quality are monitored by collecting and analyzing specimens, a laborious task made more difficult in far-flung places. Imagine if scientists and environmental officials could monitor polluted rivers, contaminated soil and brownfields in remediation without having to waste time and resources visiting the site.
Thanks to IoT technologies, that entire monitoring process could be done remotely. IoT-enabled devices collect data about the environment around them and push that information to a server where officials can review and parse the information as needed.
Air quality monitoring devices use a laser light in conjunction with sensors to detect particles in the air, while water quality sensors could be attached to a buoy and deployed into whichever body of water needs monitoring. However it’s set up and collected, the central goal is the same: to quickly assess changes in the environment so officials can act faster when a pollutant or other unwanted chemical is on the rise.
Technology and nature working towards a symbiotic tomorrow
Nature is a powerful force. And so, it seems, is humankind. Earlier generations might have believed these two forces at odds, but the fact is that we’re destined to coexist or to co-perish.
The original humans sought to conquer nature and took of it without a second thought. For this, they were driven from their Earthly paradise. We must not repeat the same mistake. We know better. We’ve come to realize that it is our duty to tend to and protect nature with everything we have. And what we have is human creativity, human innovation and human technology. The internet of things is just one aspect of that technology, but it’ll be an important one as we move towards a more sustainable, more symbiotic tomorrow.
When people think about the internet of things, they often think about the common “things” they use in their day-to-day lives such as laptops, smartphones and fitness trackers. These things can also include devices that are part of the connected home — for example, a smart thermostat, baby monitor or even a connected egg tray (OK, maybe that last one is less common). However, what most don’t realize is the prevalence of IoT in the enterprise — and, in tandem, the risks it presents.
The internet of things brings enterprise organizations strategic economic value and innovation. Yet as we’ve recently seen with the Mirai IoT botnet that “took down” many businesses, enterprise IoT is becoming a popular doorway for hacking. For example, a cybercriminal could manipulate a smart camera by hijacking the device’s credentials to obtain full privilege into the device. From there, they can use the device as a proxy to connect to the network and cause greater harm.
More things, more enterprise risk
Daily, new smart devices are unknowingly being connected to corporate networks with little regard to their level of risk. Although these IoT devices are intended to improve productivity, security considerations are usually an afterthought.
According to industry analysts, by 2020, there will be over 20 billion devices connected to enterprise networks. Each device has the potential to serve as an enterprise entry point. That’s 20 billion open doors for a hacker to perform any number of nefarious acts. The ubiquity of these devices, their inability to run sophisticated security software and, of course, the network access available through them make them a perfect target for hackers who want an easy entry point into a company’s systems.
What’s more, when employees connect a device to their enterprise network, they are unknowingly surrendering private data to these devices. If a hacker were to find just one device that was not properly secured on the network, injecting a few lines of malicious code could grant access to the data on that particular device as well as all data stored on the network.
What devices make your network vulnerable?
The short answer: Everything. Your trusted employee badge scanner, conference room scheduling system, connected printers, smart lighting, security cameras, smart TVs, voice over IP, video teleconferencing system, Wi-Fi and even big power generators. Anything that is connected to your network is vulnerable.
Attackers are naturally going to target the weakest link in a network, which is increasingly IoT. On average, we find at least four connected devices for every enterprise employee. And, we expect that number to double over the next three to four years. That equates to an incredible number of vulnerable entry points for a hacker to gain network access to steal and expose private data.
How to reduce your IoT risk
Security begins with knowing what’s on your network. In the age of IoT, visibility and control of devices is a must-have, not a nice-to-have. Businesses need a technology that can discover network infrastructure, physical and virtual systems, managed and unmanaged endpoints as well as IoT and rogue devices.
Once businesses have full visibility of what’s on their network, the next step is to control the devices. A viable security product must provide continuous monitoring, be able to immediately determine device behavior, automatically set policies, and understand the context of the network environment and device posture. Equally important is a scalable technology that can work across heterogeneous platforms (on-premises, cloud, data center, etc.) without compromising security as the number of connected devices continues to grow. Only then can an organization achieve a truly comprehensive security stance and keep stealthy hackers at bay.