The cybersecurity landscape is in a constant state of flux, advancing rapidly as cyberattackers and defenders engage in a digital arms race. Historically, cybersecurity threats were limited to computer viruses, with motivations ranging from geeks in the attic writing them simply because they could, to more malicious actors trying to take over other people’s PCs for monetary gain.
Today, however, the threat landscape is far more sinister, with highly targeted and socially engineered malware and phishing scams designed to trick, steal, ransom or simply destroy user data. What’s more, it’s all backed by increasingly tech-savvy organizations, from nation-state actors to highly organized crime syndicates, offering out-of-the-box, turn-key attack packages, supported by 24/7 customer service, enabling even the hardiest of Luddites to launch a cyberattack.
As if this wasn’t enough, the internet of things has greatly amplified the complexity of the cybersecurity threat landscape, leaving businesses around the world in a spin as they reevaluate the people and service skills, structures and approaches to security needed to shore up their defenses.
However, despite this apparent awareness of the potential risks IoT represents if not secured, the desire to innovate and compete seems to override much of this concern, with many businesses moving to adopt IoT technologies regardless of the risks.
In fact, a recent AT&T Cybersecurity Insights Report, which surveyed more than 5,000 enterprises around the world, found that although 85% of enterprises are in the process of deploying or intend to deploy IoT devices, only 10% of those surveyed felt confident that they could secure those devices against hackers.
The IoT security ecosystem
As with any industry, no single vendor can be solely responsible for IoT security. There are far too many technologies built to different standards and specifications by multiple vendors, making it impractical for one company to provide a holistic security solution alone.
This always-on, anywhere connected environment in which we live is no different. We rely on multiple technologies and services from multiple vendors that have access to some of the most personal aspects of people’s lives — from finance to healthcare information.
So how can businesses secure IoT?
Years past saw these vendors working in isolation, zealously protecting their IP in an effort to stay competitive. However, as it soon became clear how exposed this approach was leaving them and their end users to potential security threats, they understood that a more collaborative approach was required if they were going to secure IoT across the value chain, while safeguarding their technology, end users and brand reputations.
In short, they understood that delivering secure IoT services takes a village, and they need to work in closer cooperation with the other players in the security ecosystem. To do this, they had to break down traditional working barriers and silos, and move instead to a relationship of closer cooperation — enabling them to make connected experiences happen not just seamlessly, but securely.
This “village” took the form of an ecosystem of interdependent players — ranging from device manufacturers to network service providers — all working together to proactively collaborate on their security developments, baking security in and aligning it at the foundational level to deliver a robust end-to-end IoT security capability.
This IoT security ecosystem typically includes:
- Device manufacturers — They produce hardware equipped with communications modules, sensors and software for a specific purpose, which can be embedded into the “things” to be connected (e.g., cars, home objects, industrial robots, vending machines, point-of-sale terminals, municipal sprinkler systems, even livestock). Internet connectivity enables the transfer of data to and from the device, bringing the IoT services to life. Security at the device layer is mission critical as it impacts so many other parts of the overall solution.
- Application developers — In-house or third-party partners providing software for a device, through which IoT services are delivered.
- Enterprises — The organization deploying connected devices needs security protocols to protect not only the data transmitted to and from devices, but also to safeguard their IT infrastructure interacting with and managing the devices.
- Network providers — There are many ways to connect devices — Wi-Fi, Bluetooth, satellite, mobile (cellular), low-power wide-area networks (LPWAN), etc. Protocols and safeguard procedures, whether encryption standards, firewalls or SSL VPN, depend on the type of connectivity being used.
- Cloud providers — There are a range of IoT software platforms used in IoT deployments. There are those that collect and process data from an enterprise’s deployed connected devices, and those that remotely monitor and manage the connectivity of deployed devices. Depending on the platforms and their intended use, providers need to implement stringent security controls to protect both the data and the enterprise customer.
- Security companies — Device software, cloud platforms and enterprise IT may also benefit from a protective layer with industry-leading security software from companies like Kaspersky or Symantec. While these solutions are effective in local environments, they’re only a small part of the overall security ecosystem required for running an IoT business.
- Standards bodies — Numerous national and international councils help drive recommendations and requirements for security protocols related to each layer. A well-known example in the payments space is the PCI Security Standards Council (for point-of-sale devices), which monitors threats and advocates standards to help businesses protect sensitive payment card data.
It’s only by having a joined-up approach to security across the entire IoT technology and value chain that IoT can truly be secured.
Remove just one of these players from the ecosystem and the potential risks are enormous. One weak link potentially exposes players across the entire chain. Only a “united we stand, divided we fall” approach to IoT security will ensure that a robust IoT security policy succeeds.
Mastering IoT security strategy
While the promise of IoT is astronomical, enabling every company to become a connected service business, companies need to make sure they can walk before they start to run in the IoT world. Today’s increasingly competitive market means that now more than ever companies will look at ways to increase margins, drive down costs and create new, previously untapped revenue streams to help them make their quarterly numbers.
To this end, IoT represents the current golden goose of the IT world, and indeed it should, as the earning potential it offers businesses is unparalleled. For those who do not proceed with the caution required, however, it represents the siren’s call, mesmerizing unsuspecting businesses and luring them into perilous waters.
But all is not lost, and for those businesses that are serious about adopting a successful and secure IoT strategy, there is an IoT security checklist from Cisco Jasper that businesses can follow to help set them up for success when it comes to implementing an IoT strategy.
The IoT security checklist:
- Evaluate the end-to-end identification and authentication of all entities involved in the IoT service (i.e., gateways, endpoint devices, home network, roaming networks, service platforms)
- Ensure all user data shared between the endpoint device and back-end servers is encrypted
- Store and use all “personal” and regulated data according to local privacy and data protection legislation
- Utilize an IoT connectivity management platform and establish rules-based security policies so immediate action can be taken if anomalous behavior is detected from connected devices
- Take a holistic approach that takes into account digital measures (firewalls, VPNs, encryption, two-factor authentication, etc.) as well as non-digital measures that reflect organizational attributes such as role-based access and audit trails
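One way to realize the checklist item on rules-based security policies in code, as an added example that is not part of the original article or of any vendor's connectivity platform: a small Python policy engine that evaluates constructed connectivity events from a hypothetical management platform against a destination allowlist, an expected-region check and a trailing-hour data-volume ceiling, and suspends a device as soon as a quarantine rule fires. The event fields, rule names, thresholds, host names and the quarantine action are all assumptions made for the example.

```python
"""Rules-based security policy over IoT connectivity events.

Added example, not code from the original article or from any vendor's
platform. The event shape, rule names, thresholds and the 'quarantine'
action are constructed assumptions standing in for what a real
connectivity management platform would expose.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One connectivity record per data session (constructed format)."""
    device_id: str
    ts: datetime
    bytes_sent: int
    dest_host: str   # back-end host the device connected to
    country: str     # country of the network the device attached to


@dataclass
class Policy:
    allowed_dests: Set[str]       # the only hosts a device may talk to
    allowed_countries: Set[str]   # regions where attachment is expected
    max_bytes_per_hour: int       # uplink ceiling over any trailing hour


@dataclass(frozen=True)
class Verdict:
    device_id: str
    rule: str
    action: str     # "alert" (notify operator) or "quarantine" (suspend the device)
    detail: str


class PolicyEngine:
    """Evaluates events in time order and keeps per-device state."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.samples: Dict[str, List[Tuple[datetime, int]]] = {}
        self.quarantined: Set[str] = set()

    def _trailing_hour_bytes(self, ev: Event) -> int:
        window = self.samples.setdefault(ev.device_id, [])
        window.append((ev.ts, ev.bytes_sent))
        cutoff = ev.ts - timedelta(hours=1)
        window[:] = [(t, b) for t, b in window if t > cutoff]  # expire old samples
        return sum(b for _, b in window)

    def evaluate(self, ev: Event) -> List[Verdict]:
        if ev.device_id in self.quarantined:
            return []  # already suspended; nothing further to decide
        verdicts: List[Verdict] = []
        if ev.dest_host not in self.policy.allowed_dests:
            verdicts.append(Verdict(ev.device_id, "dest-allowlist", "quarantine",
                                    f"unexpected destination {ev.dest_host}"))
        if ev.country not in self.policy.allowed_countries:
            verdicts.append(Verdict(ev.device_id, "roaming-region", "alert",
                                    f"attached from {ev.country}"))
        total = self._trailing_hour_bytes(ev)
        if total > self.policy.max_bytes_per_hour:
            verdicts.append(Verdict(ev.device_id, "volume-ceiling", "quarantine",
                                    f"{total} bytes sent in trailing hour"))
        if any(v.action == "quarantine" for v in verdicts):
            self.quarantined.add(ev.device_id)
        return verdicts


def run(events: List[Event], policy: Policy) -> List[Verdict]:
    """Feed events to a fresh engine in timestamp order; return all verdicts."""
    engine = PolicyEngine(policy)
    out: List[Verdict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(engine.evaluate(ev))
    return out


# Constructed policy and sample events (not real devices, hosts or traffic).
POLICY = Policy(allowed_dests={"telemetry.example.net"},
                allowed_countries={"US"},
                max_bytes_per_hour=200_000)
T0 = datetime(2017, 6, 1, 8, 0)
M = timedelta(minutes=1)
SAMPLE_EVENTS = [
    Event("meter-001", T0, 50_000, "telemetry.example.net", "US"),
    Event("meter-009", T0, 150_000, "telemetry.example.net", "US"),
    Event("tracker-007", T0 + 5 * M, 10_000, "telemetry.example.net", "MX"),
    Event("meter-001", T0 + 10 * M, 60_000, "telemetry.example.net", "US"),
    Event("pos-042", T0 + 15 * M, 4_000, "203.0.113.9", "US"),
    Event("meter-001", T0 + 20 * M, 120_000, "telemetry.example.net", "US"),   # 230 kB in 20 min
    Event("meter-001", T0 + 30 * M, 5_000, "telemetry.example.net", "US"),     # ignored: quarantined
    Event("meter-009", T0 + 120 * M, 100_000, "telemetry.example.net", "US"),  # first sample expired
]

if __name__ == "__main__":
    for v in run(SAMPLE_EVENTS, POLICY):
        print(f"{v.device_id:12} {v.rule:15} {v.action:10} {v.detail}")
```

The volume rule keeps a per-device sliding window so a device that sends a burst, then goes quiet for over an hour, is not penalized for old traffic, while a device that keeps talking after it has been quarantined is simply ignored by the engine, since suspending it is the platform's job once the verdict is issued.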
For true end-to-end IoT security to take effect, all players in the ecosystem need to step up and take responsibility for their piece of the IoT pie. Only by ensuring they have a solid IoT security strategy and checklist in place can businesses set themselves up for success when it comes to deploying IoT initiatives.
But as enticing and innovative an opportunity as IoT represents to businesses, if not treated with the respect it warrants it could prove costly. The security threats posed by IoT today are very real and present issues that if left unresolved will dent the industry’s confidence. This could hold the value of IoT back from achieving its full potential.
Only by understanding and accepting that security concerns affect every player and every layer of the IoT ecosystem can IoT truly be an effective, innovative and secure revenue generating force that businesses need it to be.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Over a million new IoT devices are being connected to the internet daily. Experts predict that as many as 25 to 50 billion IoT devices and sensors will be deployed by 2020, for an average of 4.3 internet-connected devices for every man, woman and child on the planet.
Consumer IoT devices such as smart cars, phones, entertainment systems, appliances, watches and clothing are now available. Commercial IoT provides new inventory controls, device trackers and supply chain management. Medical IoT includes medicinal pumps, infusers and health monitors. And industrial IoT is delivering connected meters, flow gauges, pipeline monitors, sanitation systems, manufacturing robots and other types of connected industrial controls.
These devices aren’t isolated. They are being woven into our local, national and global infrastructures, creating a highly meshed and hyper-connected world that collects and shares data to allow devices to make semi-autonomous and autonomous decisions. Combined with cloud computing, ubiquitous broadband and data analytics, IoT has created a new digital economy, and its rapid innovation, new business models and emerging markets are driving explosive productivity gains and economic growth.
In smart cities, IoT solutions are being used to create hyper-connected environments of transportation systems, water, energy, emergency systems and communications, to improve public sector engagement and better, more efficient service delivery and resource allocation. Smart cars monitor road conditions, share positioning and traffic information, monitor internal functions and make split-second autonomous and semi-autonomous decisions. And healthcare, refineries, agriculture, manufacturers, chemical plants, defense, and local and national government agencies have integrated IoT devices to track, monitor, coordinate and respond to events, often without human intervention. Across these industries, data is being used to optimize processes for greater efficiency, safety and quality.
Redesigning the network
To keep up with the volume of data, transactions and orchestrated interactivity, network ecosystems are being redesigned. Software-defined networks automate the physical network to reduce configuration errors and management overhead, allowing data and resources to be accessed, moved and orchestrated on demand. And as the focus of IT becomes more outcome-based, new intent-based networks will automatically recognize and respond to changing business needs and user requirements, and translate business language into automated policy configurations. Infrastructure is becoming both highly flexible and temporary, allowing connectivity to be created on demand using owned, rented and even borrowed network resources, while innovation and automation are being accelerated by advanced data analytics and correlation.
It’s all very exciting. But how do you secure something like this?
Where does the firewall go? How do you protect dynamically provisioned workflows, temporary infrastructures, and data that are automatically shuffled between cloud domains? How do you span security across such a wide-ranging and constantly changing threat landscape? And how do you secure IoT devices that were never designed with security in mind?
IoT security challenges include weak authentication and authorization protocols, insecure software, firmware with hard-coded backdoors, poorly designed connectivity and communications, and little to no configurability. Many devices were developed around chunks of commonly available and largely untested code, compounding security vulnerabilities across thousands of devices sold through dozens of manufacturers. And to make matters worse, IoT devices are often “headless,” with limited power and processing capabilities. This not only means they can’t have security clients installed on them, but most can’t even be patched or updated.
One solution is to buy IoT-focused security. Security vendors have begun promoting authentication, key and credential management, access, posture assessment and monitors, trackers and orchestration tools to help organizations see and secure their IoT.
Unfortunately, the IT teams being asked to consume and integrate these new security tools already have dozens of devices from a variety of manufacturers deployed in their networks. New security tools need to be tested, integrated with the network architecture, updated, managed and monitored. Visibility and control are hampered by such challenges as separate management consoles and having to manually correlate threat intelligence between devices.
Like the networks being protected, security needs to be redesigned. It needs broad visibility to see what is happening across IT, OT and IoT networks, remote and mobile devices, and public and private cloud networks. And this needs to happen through a single console, in real time, so devices can be identified, risk levels assessed, traffic segmented and policies assigned.
Security also needs to operate at machine speed. By 2020, each of us will generate from one to three terabytes of data per day. When decisions involving such massive amounts of data need to be made instantly, security cannot get in the way. And soon, organizations will need intent-based network security that can automatically recognize network changes, anticipate threats, interpret and implement business language commands and respond to threats.
To do this, IoT has to be viewed in the context of your organization’s total digital transformation and risk management strategy. As IoT devices and data are woven into your hyper-connected network, isolating your IoT security strategy will increase your security overhead and complexity, and reduce visibility and control.
Weaving the fabric of security
A security fabric framework approach, however, enables a layered and collaborative defense for your distributed ecosystem. It provides visibility, detection and automated response to sophisticated threats and complex compliance requirements, adapts to distributed and changing networks, and provides the power needed to keep up with growing data and user demands. Open API integration standards combine next-generation detection and response systems, enable intelligent network segmentation and weave single-pane-of-glass management into a unified framework to synchronize threat intelligence and automate responses to security events in real time.
Such an approach also ensures that you are properly securing access, authenticating devices, assigning risk profiles, moving traffic to appropriate network segments or cloud environments and effectively monitoring traffic as a single, seamless stream of events.
And more importantly, a holistic risk management approach integrates with your larger IT and OT infrastructures to provide complete visibility and unprecedented span of control, allowing you to develop and deploy a critical, hyper-connected IoT infrastructure without compromising the security or integrity of your extended network.
When it comes to IoT adoption in the industrial space, I’ve often found that operators worry about how they’re going to run before they can even walk. What this means is industrial operators let certain barriers to entry — primarily security and availability — keep them from even starting on their path to IIoT. In reality, there are certain key steps that industrial companies need to take well before they even attempt that transition. By getting this right, industrial operators can prepare their companies for a successful IIoT transition down the road.
So what is step one? It is guaranteeing serviceability above all else. And this is for a few reasons:
- Legacy systems can be inherently unsafe and insecure. This is because they were built for a different era and not designed for the more complex uses needed for IIoT;
- Most industrial operators are running a patchwork of old desktop hardware and software that is no longer supported or maintained with patches and updates. Integrating them into an IIoT-type ecosystem would introduce unnecessary vulnerabilities; and
- Assets that are easy to service and manage remotely need to become a priority. This is because as the networks of automated and connected systems expand outward, they will reach areas that likely will not have the same level of on-site IT support as more centralized locations.
So how can operations and IT managers overcome these infrastructure challenges to ensure serviceability? And once they do, how do they prepare for what lies ahead? Below are three critical steps they must consider as they make their IIoT investment decisions:
1. Modernizing legacy systems
Truly minimizing vulnerabilities and moving away from a “set it and forget it” mentality requires removing legacy equipment. Infrastructure must be updated for connectivity, reliability and simplicity and layered with virtualization of OT systems. IIoT implementations need to be built on properly serviceable pieces of equipment or an operation will be opening itself up to complications down the line as legacy technologies eventually meet their end of life.
2. Connecting devices and systems
Legacy environments often consist of isolated system “islands.” When implementing IIoT, however, data feeds become its lifeblood and connectivity becomes core to what industrial operators hope to achieve with IIoT. And beyond allowing data to flow uninterrupted throughout an entire operation, it becomes key to implement systems that support secure connectivity between industrial control systems and IT resources, including data warehouses, analytics engines and ERP systems.
3. Getting IT and OT on the same page
With true connectivity, industrial operators then need to look at the personnel resources they have at their disposal (or need to hire) and make definitive decisions about who owns, manages and polices these various new sets of data and information. This trove of resources needs ownership, by either or both of IT and OT, and managers must continually evaluate whether they have personnel with the right skill sets to manage an optimized IIoT operation. This is absolutely essential, as the next major leap is leveraging this information to make real-time decisions as operators begin implementing more advanced IIoT technologies using the assets and infrastructure they’ve just modernized and connected.
A long-term view of the goals of your industrial operation is certainly a necessity for strategic planning. However, operators should catch themselves before they allow that to keep them from taking steps today that can set them up for an IIoT future. Many operators may feel more comfortable making IIoT investments once various industry standards and security protocols have been finalized, but that could take years. It would be a mistake to allow that to keep them from taking initial steps now to prepare their company for an IIoT future. Serviceability needs to be this first step. This ensures that as infrastructure becomes more connected, industrial companies will know that they’re building on simple, reliable equipment that’s designed for these next-generation industrial environments.
As businesses seek internet of things adoption to enhance the information supply chain for customer solutions, many security woes emerge. With increased devices and connections in the IoT and cloud ecosystem, chief officers (CXOs) must contend with internal and external transactions of information. As a result, business IoT networks are vast, interconnected, unplanned and driving many interdependencies for organizations, services and customers.
Investing in organizational security certifications such as ISO/IEC 27001:2012, FedRAMP and Controlled Unclassified Information (CUI) compliance is a good first step to create structure and security around IoT. However, CEOs may need to shift their mindset from focusing on the business insurance perspective to thinking about compliance as an enabler of their competitive advantage positioning.
With the CUI mandate for Federal Contractors looming in December 2017, IoT pilots or integration projects should begin quickly examining how IoT drives the data flow of their entity. IoT information and data will be collected, produced and shared in a variety of internal and third-party transactions including gateway devices, artificial intelligence engines, and other server and human supply chain links.
CXOs building and managing IoT ecosystems must map and address new obligations including all aspects of sensitive data compliance including the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), personally identifiable information (PII) and CUI/CTI data of the federal marketplace and any associated supply chain.
Organizations actively looking to reap the numerous benefits that come with IoT adoption need to incorporate near, mid-term and long-term strategies into their operational security practices today. Suggestions for CXOs and their staff preparing for IoT success include:
- Consider the volume and movement of data — Deploying IoT devices and gateways increases the volume of data that the business collects, stores or destroys. Meshed network and geo-fenced capabilities may have data and services functioning in unanticipated ways. Organizations that use on-premises technologies and data centers may need to address scaling capacity. On the flip side, organizations using cloud to scale efficiently may need to address costs and computational capabilities at the fog edge to be customer responsive. Small and mid-sized businesses are likely to benefit most from an IoT + cloud strategy to establish solution and sales proof points prior to incurring on-site IT storage costs or system overload.
- Know the responsibilities of incident response and data leakage — If you are looking to do business with the government or are currently holding prime contracts or subcontracts, you need to be compliant with Federal Acquisition Requirements (FAR) 52.204.21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012 clauses and NIST 800-171, Revision 1 by the end of December 2017. The mandate outlines an extensive list of basic and derived requirements. Even the usage of traditional devices like security cameras or sensors will require adequate provisioning for authentication, encryption, and labelling and marking for use and dissemination. Hand-in-hand with understanding data leakage, organizations will need to think about their overall risk, responsibility and liability related to compliance with CUI, PII and EU GDPR.
- Prepare to pivot — As IoT and IoT + cloud strategies are piloted and integrated into the current business practices, leaders and employees should be prepared to pivot security and IoT strategies toward newly learned efficiencies. Prior to adopting new compliance and security operation practices, CXOs should use initial implementations and periodic risk assessments to communicate what best practices bring the right balance of security, liability and opportunities to your organization. Understanding and performing risk-based impact assessments and crisis readiness for data protection and information leakage scenarios will help better prepare your organization to gain value from IoT.
Despite the hype, IoT is still in its infancy as enterprises incorporate cloud, compliance and new technologies like artificial intelligence, blockchain and virtual reality into growing sectors of the economy.
Think big! Begin to identify how you would change or evolve your technology infrastructure to support more external information transactions. Consider how and what information would help you compete and collaborate with your best partners as well as those you envy.
Whatever pilot or strategy you choose, compliance and security operations must drive your capabilities.
This year we will see more and more experiments where internet of things devices enter the human body for diagnosis and for treatment. With advancements in IoT in healthcare and miniaturization, along with leaps in IoT innovation, we are embarking on a journey of personal uber-connectivity that will spark many debates: tech implants in the human body.
I have always been fascinated with movies that show humans shrinking to microscopic size, like the 1966 sci-fi movie Fantastic Voyage. In the film, a submarine with a small crew is shrunken and injected into the bloodstream of a dying man. While this might have been seen at the time more like a psychedelic dream, nowadays it is closer to reality.
We are seeing more experimentation with IoT entering the body. Medical IoT implants can detect disease, manage pain, or even decode signals from the brain and relay them to other parts of the body to possibly cure paralysis.
Here are three other trends I see for IoT in healthcare and the connected body:
1. Implant communication
Medical devices with embedded IoT make direct communication with the implants possible. Pacemakers already have that capability, but ongoing advancements now allow for direct interaction with the neural network, opening up a whole world of possibilities. There was an experiment in which a paralyzed monkey received a brain implant that communicates with a computer, which decodes the brain signals to move and sends the proper instructions to its lumbar spine. This type of experiment is now at the animal stage, but my gut feeling is that this will quickly evolve to human experiments.
2. IoT vs. Alzheimer’s
Another interesting area is the idea of fighting Alzheimer’s, where the loss of memory would be compensated for by uploading your thoughts to a computer.
Where will this leave us? Well for one the security debate will flame up, like in Homeland where someone was assassinated by hacking his pacemaker. And once we start fiddling with our brains, we will see serious debates popping up suggesting that we are creating something like the cybernetic Borgs in Star Trek (“Resistance is futile.” “You will be assimilated.”).
This trend will continue to spark debate, as some people are putting technology into their bodies for other than medical reasons. This has already been done for years with animals — dogs and cats get RFID chips for tracking. For humans, this is more a convenience (or personal style statement) than anything else. Near field communication digital wallet chips inserted into the body make it so you don’t have to carry credit cards around anymore. Other recent experiments include people embedding LED lights under the skin to light up their tattoos.
Although some of the medical innovations for IoT in healthcare are still decades away from mass adoption, I do see the potential of a new divide in society. Starting from a division of “haves and have nots,” we may be evolving into a society that is divided by something that I would call the “enabled versus the unaltered.”
The internet of things has become a dominant topic in both technology and consumer circles, and nothing manifests that trend better than the smart home. And for good reason — home automation technology is convenient, efficient and is being developed by many of the largest technology companies in the world. Not to mention, smart home technology is perceived as a major trend and there is some cachet to be derived from being ahead of the curve.
Smart home — and its more complex analog in the professional world, smart facility — is seeing incredible growth, with many vendors creating both devices and software, and a thriving maker community that is taking a DIY approach. Through our own personal experience, we’ve discovered that the type of person who is building their own smart home tools is also the type that oftentimes works in IT or a related field. Not surprising that technical professionals would also be DIY whiz kids, but in the case of smart home, there’s a number of reasons why it makes sense:
- Many providers are offering point solutions or partial solutions, not complete services
- Costs can run high for many devices
- Data generated by devices is often stored in a vendor’s cloud, which raises privacy and security concerns
- Data is also stored for a short time only and is inaccessible, leaving those who want to track and analyze data in the cold
The alternative approach involves makers utilizing many of the skills they have developed during their careers. Most smart home components can be built by someone with basic labor and electrical skills, and the commodity parts used to make them are often available for pennies. There is also a worldwide support community online that offers guidance and instruction on projects such as gesture-controlled light dimmers. Add in an inexpensive 3D printer, either purchased or used at a “maker space,” and one can build professional-looking housings for sensors, switches and control devices.
Devices are one part of the equation — the second is control. This is where IT and the nascent smart home world collide — many systems administrators have a deep understanding of monitoring. They may have experience monitoring a smart facility in their work environment, but even if they don’t, they have still used monitoring tools to collect and analyze data on an IT environment. The smart home is the same, and in a DIY environment, makers can monitor everything without having to cut through proprietary hardware or software.
By taking advantage of freely available network monitoring software at home, DIY smart home users will be able to collect data on all devices, evaluate it, publish and share it on maker websites, and be alerted to any problems. For example, a user can collect and analyze data on electricity usage over time and set up an alert that sends a notification if usage exceeds certain thresholds. There are numerous possibilities, but when the entire system is built by the home owner, they can control and manipulate all of the data.
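As an added example, not code from the original post or from any monitoring product: a Python monitor that implements the electricity-usage alert described above and goes one step further by also comparing each reading against a rolling baseline of the previous readings, so an unexplained draw is flagged without the static threshold having to be set above every normal peak. The readings, the window size, the z-score threshold and the `notify` callback are constructed assumptions.

```python
"""Home electricity usage alerting with a hard limit and a rolling baseline.

Added example, not part of the original post or of any monitoring product.
The readings are constructed; a real setup would feed them from a smart
meter or a network monitoring tool. Beyond the fixed threshold the post
describes, a reading that deviates sharply from the recent baseline is
also flagged, which catches an unexplained draw without tripping on an
ordinary evening peak that a static limit would have to be set above.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Deque, List, Optional


@dataclass(frozen=True)
class Alert:
    index: int      # position of the reading in the stream
    watts: float
    reason: str     # "hard-limit" or "baseline-deviation"


class UsageMonitor:
    def __init__(self, hard_limit_w: float, window: int = 6,
                 z_threshold: float = 3.0,
                 notify: Optional[Callable[[Alert], None]] = None) -> None:
        self.hard_limit_w = hard_limit_w
        self.z_threshold = z_threshold
        self.notify = notify or (lambda a: None)   # e.g. send an email or push message
        self.recent: Deque[float] = deque(maxlen=window)
        self.count = 0

    def observe(self, watts: float) -> Optional[Alert]:
        """Check one reading; return an Alert if it should be reported."""
        idx = self.count
        self.count += 1
        alert: Optional[Alert] = None
        if watts > self.hard_limit_w:
            alert = Alert(idx, watts, "hard-limit")
        elif len(self.recent) == self.recent.maxlen:
            baseline = list(self.recent)
            base = mean(baseline)
            spread = max(pstdev(baseline), 1.0)  # floor avoids divide-by-zero on a flat baseline
            if (watts - base) / spread > self.z_threshold:
                alert = Alert(idx, watts, "baseline-deviation")
        if alert is None:
            self.recent.append(watts)  # only normal readings feed the baseline
            return None
        self.notify(alert)
        return alert


def scan(readings: List[float], monitor: UsageMonitor) -> List[Alert]:
    """Run a whole series through the monitor and collect the alerts raised."""
    return [a for a in (monitor.observe(w) for w in readings) if a is not None]


# Constructed readings, one every ten minutes, in watts.
SAMPLE_WATTS = [300, 320, 310, 330, 300, 320, 330, 900, 330, 3500]

if __name__ == "__main__":
    mon = UsageMonitor(hard_limit_w=3000, notify=lambda a: print("ALERT", a))
    scan(SAMPLE_WATTS, mon)
```

Readings that trigger an alert are deliberately kept out of the rolling window, so a single spike does not widen the baseline and mask the next one; the hard limit applies from the first reading, before the window has filled.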
With some technical skill, free monitoring tools and a small amount of money in parts and equipment, almost anyone can make their home “intelligent.” The DIY method is tempting in both price and control, but it also represents an opportunity for technical workers to hone skills and perhaps even develop new skills that they will bring into the work environment. And, of course, as with any other venture, there is always a sense of accomplishment that comes with doing it yourself.
IoT is the ability to connect everyday objects directly to the internet or a smartphone, thereby enabling these objects to send and receive data and interact with the user. Now, as often happens with hyped-up new technologies, current products and innovations that aren’t playing within this space seem simply irrelevant. The natural progression has been to move from smart products for industrial, office, home and now car usage scenarios, to more humanized smart products for the individual.
Most wearable products so far have taken the form of IoT bracelets and watches. These solutions need to be more accurate, wearable, personalized, actionable on an individual basis, and more meaningful than step counting. This allows for a more specific and interesting approach to reaching our own health and fitness goals. According to a study recently published by JAMA Cardiology, people should care about the accuracy of their wearable devices, specifically heart rate (HR) monitors. This is especially important when people rely on these monitors to stay within physician-recommended safe HR thresholds during rehabilitation or when exercising. Therefore, electrode-containing chest monitors should be used when accurate HR measurement is imperative.
The new study states, “While the accuracy of chest strap, electrode-based HR monitors has been confirmed, the accuracy of wrist-worn, optically based HR monitors is uncertain.” Some of the individual wrist-worn devices used in the treadmill study overestimated or underestimated heart rate by 50 bpm or more when, according to the electrocardiograph, heart rate was in the 120-130 bpm range. The objective of this study was to assess the accuracy of four popular HR wrist-worn devices: Apple Watch (Apple), Mio Alpha (Mio Global), Fitbit Charge HR (Fitbit) and Basis Peak (Intel). After recording 1,773 HR values across all four devices, the investigators found, when compared with an electrocardiogram, the HR monitors had variable accuracy. While the Basis Peak overestimated HR during moderate exercise, the Fitbit Charge HR underestimated HR during more-vigorous exercise. Broad variability was recorded across the spectrum of midrange HRs during exercise. The Apple Watch and Mio Fuse had 95% of values within -27 bpm and +29 bpm of the electrocardiogram, whereas Fitbit Charge HR had 95% of values within -34 bpm and +39 bpm, and the corresponding values for Intel’s Basis Peak were within -39 bpm and +33 bpm.
The authors of the JAMA Cardiology study found variable accuracy among wrist-worn HR monitors and determined that no wrist-based monitor achieved the accuracy of a chest strap-based monitor. This is one of the key reasons why some companies, including Sensoria where I work, have decided to embed quality electrodes directly into your t-shirt and sports bra and pair it with a high-quality Bluetooth Smart heart rate monitoring module. We have coined a term for this more-direct connection of body to network: “the internet of me,” or IoMe.
IoMe for sports and fitness
IoMe is about wearing biometric sensing garments that are comfortable and washable, and measure specific metrics that are important to the individual. These garments or accessories use embedded sensor technologies that provide health and fitness metrics to the end consumer in real time. They will replace the plastic of wrist-worn wearable devices by becoming an ultra-personal, transparent wearable computer. Over time these sensors will become so small that they will be invisible to the human eye and ubiquitous to the user/wearer. These new form factors will also make it easier to provide contextually relevant data and turn that data into wisdom for the user. As an example, if I am wearing a pair of ski boots or a pair of soccer shoes it is quite clear what activity I am embarking upon, making it easier to provide a more profound and meaningful user experience to the wearer and potentially user feedback to the brand that created that product.
The IoMe transformation
This is the level of personalization that is needed to truly transform the wearable industry. It begins with the notion that every single garment has the capability to become a computer. It is a big assumption, but it is happening today. It’s possible to couple a smart sock with an app that provides a graphical trend analysis on key metrics that are most important to a runner.
IoMe for healthcare
In terms of this sector, sensor technology is being utilized in a vast number of scenarios from cardiology to neurological disease progression and early detection.
As an example, it is estimated that at least one in 100,000 athletes is struck by exercise-related sudden cardiac arrest during a year. If there are no CPR-trained bystanders and nobody knows the person is in real trouble, nobody can come and help, and definitely not within a few minutes. Ultimately, cardiac arrest makes the subject unconscious within a few seconds.
Nicola Gaibazzi, MD and Cardiologist at University of Parma Hospital in Italy, worked with a team of cardiologists and Sensoria to develop a patent-pending algorithm called Heart Sentinel™. This new technology constantly monitors the user’s probability of cardiac irregularities during exercise, offers a real-time alert countdown to confirm that he or she is still conscious, and alerts selected family or friends through text message, urging them to seek help or forwarding their GPS coordinates to the rescue team.
Sophisticated, differentiated wearables will also enable the monitoring of patients remotely, reducing costs and readmissions. There are many synergies between wearable solutions companies and pharmaceutical companies, research institutions and academia to mention a few. I am confident that we will see ground-breaking, cutting-edge collaborations between these different entities in the near future.
Cisco Jasper is solidifying its position in the LPWAN landscape with the addition of Narrowband IoT, making it one of the first IoT platforms to support the 3GPP standard, according to the company.
The company is no stranger to the LPWAN space — Sanjay Khatri, global head of platform product marketing at Cisco Jasper, said the company has been working with key operators in North America in particular deploying LTE-M. Now it has set its sights on NB-IoT.
The company announced at Mobile World Congress Tuesday it has completed live Narrowband IoT trials on its Cisco Jasper Control Center platform with Australian-based telecom Optus.
“Optus sees the evolution of LTE technology, to support dedicated IoT networks, as a critical step towards mass adoption of IoT solutions by both enterprise and consumers, and is excited to be part of this emerging market trend,” said Allan Burdekin, head of NCSi incorporating safe and smart cities at Optus, in a press release. “Incorporating Cisco Jasper into our NB-IoT plans allows us to provide a consistent user experience to our customers across both traditional cellular and NB-IoT, all on a single platform.”
A major difference between traditional cellular and what Khatri and Cisco Jasper call “massive IoT” is obviously deployment scale. “We’re going from 10s of millions to 100s of millions very soon — and we expect to end 2017 crossing the 100 million threshold,” Khatri said. According to ABI Research, Narrowband IoT is expected to increase the number of connected devices by more than 3 billion in the next six years.
Khatri also noted the changing monetization and business models with the growing IoT landscape.
“We know user-centric business models for operators are not going to be viable when you have devices that are consuming 10s of bytes, or at most 100s of bytes of data, as opposed to megabytes or even gigabytes in the case of connected cars,” Khatri said. “It’s got to be more of a value-centric model — what’s the value of connecting the trash can rather than how much data it’s actually using.”
Speaking of trash cans, one of the mass enablers of NB-IoT is expected to be the connected city. Smart cities are looking at how to connect things such as trash cans, connected lighting and smart sensors, Khatri said, and Narrowband IoT can help smart cities gain value while lowering overhead.
Robb Henshaw, head of global communications at Cisco Jasper, said adding Narrowband IoT into the Cisco Jasper platform will also help organizations deploy hybrid developments that include both cellular and LPWAN options.
Cisco Jasper partners with Honda, Korea Telecom, Jupl
Cisco Jasper also at Mobile World Congress Tuesday announced a partnership with Honda and telematics service provider Bright Box to extend the power of connected cars beyond just new vehicles purchased off the lot.
“A lot of OEMs do a lot of interesting things with embedded connectivity,” Khatri said. “It’s become part of their DNA now to build cars with connectivity. But this is a slight deviation in that Honda has taken the initiative to create a MyHonda service that is applicable to their installed base of cars, not just necessarily the new set of cars that are coming out with embedded connectivity.”
With Bright Box and Jasper, the MyHonda service allows consumers to get vehicle access from an app on their smartphone, allowing them to look at vehicle diagnostics, perform predictive maintenance, schedule maintenance when needed, and get insights and tips around their driving patterns among other features.
“This is something automotive OEMs have talked about in terms of wanting to address the larger scale of brownfield applications versus just greenfield,” Khatri said. “And we’re starting to see that take shape a little more concretely.”
Khatri expects the trend to take off.
“We’re introducing this in one of our first partner operator networks,” he said, “But clearly this is a model that can be replicated across many.”
Also at Mobile World Congress, Cisco Jasper announced the addition of Korea Telecom to its list of more than 50 service providers worldwide, as well as a collaboration with software creator Jupl to create a wearable mobile personal emergency response system and biometric and location monitoring services for the Samsung Gear S3 smartwatch.
“Smart edge” is Booz Allen’s term for an emerging trend in the internet of things — the shift to imbue sensors and devices in a contested environment with the ability to make smart, autonomous and coordinated decisions in a low-bandwidth or on an unreliable network. Smart edge operations depend upon data local to devices and from other coordinating devices and sensors in close proximity, and can work independently with no connection to the internet. Independently operating computing resources, such as cloudlets, are important enablers of the smart edge paradigm. A cloudlet is a mobility-enhanced small-scale data center that is located at the edge of the enterprise and is available for use by nearby devices. In this blog, we will cover cloudlets and their relevance as a smart edge enabler.
The half-life of IT has compressed, accelerating many technical evolutions. The abstraction evolution came in as we transitioned from mainframes to client-server, and from multitiered systems to web-based systems where infrastructure, business logic and user interface are decoupled. The commoditization of services and infrastructure has enabled the creation of the cloud, mobile computing and the internet of things, which has allowed for processing at the edge and the ability to do distributed computing. This will in turn enable the next wave of evolution — “chip as a platform” — which will unleash an era of explosive growth in the IT industry as it moves more and more to the edge. “Chip as platform” will bring both benefits and challenges. For example, in the DoD it will mean:
- Increasingly sophisticated sensors on UAVs and other platforms. This will drive the need for intelligent ISR and processing at the edge to short circuit the FPED cycle.
- Greater attack surface. The rapidly increasing number of sensors will continue to drive the importance of cyberdefense and resilience.
- Exponential collection of raw data. This will increase the need to shorten the cycle from “data to action.”
Edge computing will also be disruptive as we move from “dumb sensors” to connected sensors that are smart, self-aware and ubiquitous. Different integration and processing platforms will be required to enable the smart edge. Hub-and-spoke models allow devices to communicate with a tactically deployed central node, while mesh networks are based on a decentralized model where all devices are peers. Cloudlets support both of these models and can be key enablers of IoT and edge computing.
What is a cloudlet and how does it enable smart edge?
A cloudlet is a trusted, resource-rich computer or cluster of computers that may or may not be connected to the internet and available for use by nearby devices. A cloudlet supports resource-intensive and interactive applications and provides powerful computing resources to devices with lower latency. The term cloudlets originated in the mobile-edge computing industry initiative created by the European Telecommunications Standards Institute.
There are two main architectural approaches to cloudlets. The first is the transient cloudlet (Figure 1), based on a standard hub-and-spoke model, where mobile users access a nearby cloudlet over a wireless LAN/RAN. The transient cloudlet relies on a resource-rich computer infrastructure, providing data storage and computing service accessible to mobile devices through wireless networks, mainly cellular and WLAN.
The second type is the mobile cloudlet, where a set of resource-rich mobile devices, referred to as cloudlet nodes, connect to each other on a mesh network and both provide and consume services. The mobile cloudlet relies on peer-to-peer mesh communication, whereby a group of nearby mobile devices can connect via secured Wi-Fi or Bluetooth. In this model, each mobile device shares computing service as a node on the mesh, leveraging distributed computing principles.
Challenges and lessons learned
As part of our research into cloudlets, we encountered a number of challenges that each cloudlet implementation approach faces.
Transient cloudlet: This implementation model faces three main challenges: rapid (agile) provisioning, to reduce delay and cope with user mobility; VM handoff, to seamlessly migrate the offloaded services from one cloudlet to the next; and cloudlet discovery, to enable distributed mobile devices to discover, select and associate with the appropriate cloudlet among multiple candidates before provisioning starts.
Mobile cloudlet: Today, each virtualized system gets its own set of resources allocated to it and does minimal sharing. The majority of the resources required for VMs are taken up by the hypervisor and each guest OS, requiring a much larger footprint.
In addition, transient cloudlet implementations struggle with cluster management (distributed mesh), scaling, desired state reconciliation, multihost networking, service discovery, load balancing, security and rolling updates. Container technologies, such as Docker Swarm, provide many of these capabilities out of the box, as well as VM-like isolation, and share resources as reusable images (OS, database, application services, etc.), allowing them to be more efficient, faster and more lightweight. This is done in a distributed manner, where the platform enables “self-discovery” through a mesh network (Swarm). A container wraps a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools and system libraries. Containers start instantly and use less RAM. Images are constructed from layered filesystems and share common files, making disk usage and image downloads much more efficient. Some of the challenges this approach still faces include cloudlet node discovery. Multicast DNS or Wi-Fi P2P can be used for remote provisioning, and a secure REST service could be deployed on each cloudlet manager node.
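The discovery-and-selection step named in both the transient-cloudlet challenges and the node-discovery remark above, as an added example that is not Booz Allen's code: a device learns of several candidate cloudlets (here constructed records standing in for what an mDNS or Wi-Fi P2P announcement would carry), accepts only those whose identity matches a locally provisioned trust list, discards candidates that cannot meet the request's resource and latency needs, and ranks the survivors. The node names, addresses, fingerprints and scoring weights are all assumptions for illustration.

```python
"""Cloudlet discovery and selection among multiple candidates.

Added example (not from the original article). The advertisement records,
trust list and scoring weights are constructed; nothing here touches a
real network. The point is that a cloudlet is only "trusted, resource-rich"
if the device checks both properties before associating with it.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CloudletAd:
    """What a device learns about one candidate from a discovery announcement."""
    node_id: str
    addr: str
    rtt_ms: float      # measured round-trip time to the candidate
    free_cpu: float    # fraction (0..1) of CPU currently idle
    free_mem_mb: int
    cert_fp: str       # hex SHA-256 fingerprint of the node's TLS certificate


# Constructed: node identities the device was provisioned to trust.
TRUSTED_FINGERPRINTS: Dict[str, str] = {
    "cloudlet-a": "aa" * 32,
    "cloudlet-b": "bb" * 32,
}

# Constructed discovery results, including two that must be rejected.
DISCOVERED: List[CloudletAd] = [
    CloudletAd("cloudlet-a", "10.0.0.10", 8.0, 0.20, 1024, "aa" * 32),
    CloudletAd("cloudlet-b", "10.0.0.11", 15.0, 0.70, 4096, "bb" * 32),
    CloudletAd("cloudlet-c", "10.0.0.12", 3.0, 0.90, 8192, "cc" * 32),  # unknown node
    CloudletAd("cloudlet-a", "10.0.0.13", 2.0, 0.95, 8192, "dd" * 32),  # known name, wrong cert
]


def is_trusted(ad: CloudletAd, trust: Dict[str, str]) -> bool:
    """A candidate is trusted only if its name is pinned AND the pinned
    fingerprint matches; a familiar name with a different cert is rejected."""
    expected = trust.get(ad.node_id)
    return expected is not None and hmac.compare_digest(expected, ad.cert_fp)


def score(ad: CloudletAd, need_mem_mb: int, max_rtt_ms: float) -> Optional[float]:
    """Lower is better. None means the candidate cannot serve this request."""
    if ad.free_mem_mb < need_mem_mb or ad.rtt_ms > max_rtt_ms:
        return None
    # Both terms are dimensionless and roughly in [0, 1]: normalised latency
    # plus CPU contention. Weights are an assumption for illustration.
    return ad.rtt_ms / max_rtt_ms + (1.0 - ad.free_cpu)


def select_cloudlet(ads: List[CloudletAd], trust: Dict[str, str],
                    need_mem_mb: int = 2048,
                    max_rtt_ms: float = 50.0) -> Optional[CloudletAd]:
    """Return the best trusted, capable candidate, or None if there is none
    (the caller then falls back to local processing or a remote cloud)."""
    best: Optional[CloudletAd] = None
    best_score: Optional[float] = None
    for ad in ads:
        if not is_trusted(ad, trust):
            continue
        s = score(ad, need_mem_mb, max_rtt_ms)
        if s is None:
            continue
        if best_score is None or s < best_score:
            best, best_score = ad, s
    return best


if __name__ == "__main__":
    chosen = select_cloudlet(DISCOVERED, TRUSTED_FINGERPRINTS)
    print("selected:", chosen.node_id if chosen else "none (fall back)")
```

Note that the fastest, richest candidates in the constructed list are exactly the two that fail the trust check; ranking before verifying would have associated with an unknown node, which is why the trust filter runs first and the resource score only orders what survives it.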
Cloudlets are a key element to be considered as part of an IoT smart edge computing strategy, especially where the solution needs to provide:
- Low end-to-end application latency (real-time)
- Maximum transaction rate between device and local “cloudlet” for optimal compute results (interactive)
- Local communications to private networks for performance, privacy and security (secure)
- Real-time insights from data at the point of capture, minimum cloud ingress bandwidth (analytical)
- Rapid introduction of network and other functions in a radio access network (RAN) with dynamic filtering rules (distributed)
Careful analysis of these types of requirements will determine the best architectural approach (transient versus mobile cloudlet) to support smart edge solutions.
This article was co-written by Ki Lee, principal at Booz Allen Hamilton.
The United States Food and Drug Administration (FDA), which oversees approval of medical devices for the healthcare industry, recently published “post-market” guidelines for development of medical devices. These guidelines are merely “non-binding recommendations,” and are certainly not requirements, which has led some experts to ponder the usefulness of such guidance without an enforcement clause. Here at Independent Security Evaluators, we recently published security research that demonstrated how hackers could hurt or kill patients, and we also run an event series focused on hacking connected devices; so this is a topic we both care about and know a great deal about. So here is my analysis of the situation.
Fundamentally this debate comes down to the merits of regulation, and enforcing compliance with it. I am not a proponent of regulation as a security measure; it takes too long to develop, is outdated by the time it becomes enacted, is too riddled with compromise, and attempts to apply a uniform security model to organizations that are innovating and thus — by definition — are not uniform. Developing regulation and then requiring compliance to it would force device manufacturers to focus on satisfying compliance, rather than focusing on thwarting attackers.
Compliance only works if your enemy is the compliance auditor. Compliance has proven time and time again to be an ineffective approach to security. Consider an analogy from elsewhere in the healthcare industry: HIPAA has become the de facto security standard in the industry, yet it misses the mark, focusing only on patient privacy and not adequately considering patient health. Yet, because healthcare organizations must comply, they allocate most or all of their security resources to ensuring they are not in violation of HIPAA, and can’t or won’t allocate additional resources to focus on the much more important mission: protecting patient health.
Given all of that, guidance documents could still be simply ignored. However, even if some organizations ignore it, such guidance nevertheless continues to be useful for the industry overall, in that it helps align the various stakeholders — including device manufacturers, hospitals, patients and the government — as to what is important. It provides a common language around which the discussion of security can be centered. This fosters productive dialogue that empowers the purchasers of medical devices to ask the right questions and make well-informed purchasing decisions accordingly.
However, this only works if the guidance itself is useful, practical and valid. The importance of this condition cannot be overstated, and warrants a follow-up analysis of the effectiveness of the guidance itself. Although that analysis is beyond the scope of this article, a crucial takeaway is that the FDA post-market guidance is not inherently revolutionary; much of it focuses on already well-established security paradigms, now framed in a medical device context. It is from this perspective that it is critical to note that in many cases, the security challenges inherent with connected medical devices do not pertain to a new defense paradigm, but rather to the (in)effective implementation of an existing, well-documented, well-understood paradigm. Better adherence to secure design principles — the collection of well-established, universally accepted truths about how to build systems resilient against attack — would be very effective in reducing risk associated with connected medical devices. The primary challenge in the status quo is in fact attributable to the success or failure of adherence to those principles, and not to the lack of existence of an effective paradigm.
There is a common misperception in healthcare overall and in the medical device community in particular that the software elements of a medical device cannot be modified without going through a new, lengthy and expensive FDA approval process, often cited as over 7-10 years. That is not true. The FDA allows for updates to the software elements for the very use case of patching for security updates. This empowers medical device manufacturers and the healthcare systems that deploy them to adapt over time as adversary techniques evolve, new attack techniques are invented, and previously unknown flaws with operating systems are discovered.
Overall, the publication of the FDA’s guidance is a good thing. It is getting the industry talking about a very real problem that is going to require a substantial amount of effort and time to address. However, the industry is very far away from a point where end users can be fully relaxed and confident in the security posture of medical devices.
I am optimistic that this will improve over time, but only with the continual commitment to pursuing this mission by all stakeholders across the industry. Device makers should build security into their own devices, perform regular security assessments, and should ensure they are utilizing a sufficiently rigorous methodology in the pursuit of those assessments. Device makers must consider their devices with the same mindset as malicious adversaries do. Hospitals also have a role in this, as medical device security is a shared problem. Hospitals need to invest resources, understand their own threat model, properly segment networks, have a firm inventory of devices they manage, and must be vigilant in managing user provisioning while also implementing least privilege. The FDA’s role should be to require device manufacturers to build security into the solution and ensure that they can articulate how they’ve done so and that it is sufficiently adequate; but the FDA’s role should not be to prescribe the specific controls manufacturers should deploy, nor develop regulation that manufacturers must comply with.
If medical device manufacturers and healthcare systems can together tackle this shared security challenge, they will be well on the way to creating a safer environment for patients, with or without guidance from the FDA. Which is to say, whether or not FDA guidelines are enforceable should be immaterial; if the root problem is proactively addressed in the design, implementation and ongoing maintenance phases of medical device rollout, patients will be well safeguarded, and both medical device manufacturers and hospitals will be well positioned to pursue their respective security missions.
PS — For further reading, CSO Magazine recently wrote a compelling analysis on this topic, for which I provided one of the expert opinions. Read the article here.