Today, the FCC voted 3-2 to roll back the previous administration’s net neutrality rulings. Most of the public conversations on this change to date have focused on consumer impacts — how will the changes affect how we consume Netflix and other streaming services, or what kind of media content will be free versus behind paywalls because the ISP and the media company are one and the same. These are valid concerns worth debating in the court of public comment. I hope all of you have made your opinions on the matter known to the FCC — even though that has proven to be really difficult lately.
We should also consider what IoT services look like in an environment where there isn’t a “neutral net” for bearing data from the more than 8.4 billion connected things that are in use today. I have my own opinions on the use of Title II to regulate net neutrality — you are welcome to read my post from 2015 to learn more about that. Regardless of the mechanics of net neutrality enforcement, we should explore the potential positives and negatives to the IoT market when there isn’t any.
Some potential impacts
First in my mind is the question regarding impact to critical and safety systems. Any lag introduced into services in smart cities, assembly lines or autonomous vehicles because of network re-prioritization could be serious and potentially life-threatening. Should we demand exceptions for these services the way we now have 911 call prioritization, etc.? What’s the cost of that, and who determines the going rate?
I expect another reaction might be the acceleration of edge service adoption and the resurgence of “on-premises” systems. These may help bypass concerns about cloud access becoming cost-prohibitive and subject to the whims of large public providers. I am sure companies will be considering ways to mitigate the problems with private enterprise networks that allow for more control of their critical traffic. Some may also attempt to negotiate “most favored nation” style guarantees at premium prices. In either case, that’s more of the IoT investment dollars going into network and infrastructure costs, which means fewer dollars for innovations and new services.
Finally, I think there will be an even greater acceleration of the adoption of blockchain technologies, in part to counter the negative impacts that a “non-neutral” network will have on security and reliability. Distributed, peer-to-peer connections to exchange data will soften the impacts of any potential network throttling or paid prioritization rules that the major carriers may choose to implement.
Doing it for ourselves?
Given that the next administration (assuming a political party change) may reverse today’s ruling, and frankly, that we could see this hot potato of an issue bounce back and forth over the coming decades, this decision to roll back net neutrality rules may not have any immediate direct effect on IoT. But I don’t suspect that the industry will wait to find out. I will be watching for changes in customer requirements and implementation plans as an indicator that the IoT market is solving for reliable, secure and unfettered data transmission on its own.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
As the IoT wave is taking over the globe, enterprises are keen to realize its power to stay competitive in this fast-paced digital marketplace. Gartner predicted that by 2020 there will be over 20 billion connected things. This is evident with the rapid transformation of our day-to-day lives with smart homes, connected cars, smart cities, manufacturing and farm facilities, and wearables. There are endless possibilities, and numerous companies have already started their IoT journey. However, many factors, like robust IoT platforms, data management and security, are of major concern while considering an IoT implementation. The aim of this article is to highlight some critical factors enterprises need to consider for a successful IoT implementation.
With IoT connecting things, enterprises should treat the security of the devices and communications as the top priority. Unauthorized intrusion or manipulation of devices through control logic or physical defects may result in serious damage. To avoid these issues, it is imperative to make the IoT system secure from the ground up, whether you are connecting simple pressure sensors or complex factory equipment with thousands of elements inside them. Microsoft developed a threat classification model called STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) that provides a mnemonic device for security threats.
According to IDC Research, 90% of organizations that implement IoT will go through an IoT-based breach at the back-end system before 2018. Keeping this in mind, enterprises should secure their IoT infrastructure, considering data security in the cloud, secure provisioning of devices, and protecting data integrity over the public internet before an IoT implementation, as it becomes difficult to add safety features to the system later.
2. Data sensitivity
When it comes to handling data, one needs to be sensitive to its acquisition and usage. Enterprises need to have answers to difficult questions, such as: What data do assets collect? Where do we store it? How does anyone access it? Do we need to add identity access and security management layers on top of it? How will the other integrated systems use the data?
Data sensitivity is a critical factor that needs to be considered carefully to make your IoT-based connected enterprise implementation successful.
As enterprises record growth, they will be adding in more machines, devices and data. Therefore, an IoT system has to be scalable to ensure that it can easily accommodate new machines/devices and handle the increasing data load without any glitches. Adding scalability capabilities after the entire IoT system is built would not be an efficient way to go about things. Many IoT platforms, like the Microsoft Azure IoT platform, provide auto-scalability capabilities to build a cost-efficient and robust IoT system, enabling enterprises to be ready to scale their machines and devices up or down as per the business need.
4. Intelligence capabilities
IoT implementation does not just mean connecting the devices and machines to the internet. Intelligence needs to be added to fully realize the true value of IoT. Enterprises should think of utilizing machine-generated data for actionable insights and to gain practical benefits. For instance, automatic shutdown of a smart water meter, once it exceeds a threshold value set for a day, would yield some real-world benefits. For a successful and powerful IoT implementation, connectivity alone isn’t enough; enterprises need to consider adding a few new capabilities and functionalities like artificial intelligence or predictive analytics.
The majority of IoT systems fail because of a major communication challenge. The communication protocol between machine-to-machine and machine-to-IoT platform, especially in the case of legacy assets, needs to be considered beforehand. Doing so reduces the chance of ending up with an IoT system that cannot bridge the communication gap. It is a necessity that the IoT system being implemented is capable of communicating over a wide range of file transfer protocols, as well as with various types of equipment.
The aforementioned points are critical for enterprises to avoid major pitfalls during the development and deployment of an IoT system. Companies are investing millions in IoT, but the majority of the revenue is resulting in no ROI due to persistent issues that plague the system for prolonged periods.
Azure IoT consulting partners can help enterprises successfully implement IoT, right from architecting the system to its deployment on Azure — with all these critical factors taken into consideration. For an example, read how a U.S.-based instrumentation giant adopted a scalable and cost-efficient IIoT platform to connect more than 100 enterprise gateways that handle more than 3,000 end devices and manage over 1 million data records per year to generate real-time analytics for end customers.
IoT and smart automation are often portrayed as having high costs of entry that are only accessible to upper-income households or individuals. This is largely a result of home automation technologies only being marketed to homeowners, as opposed to renters, and to date, installing disparate devices that don’t communicate with each other has required buying even more devices, increasing already high costs for adoption. These challenges have permeated the smart apartment market, where developers and property managers think of class A urban high-rises as the only place where they can implement smart technologies. Class B and C assets, however, are often seeing the biggest benefits.
Sixty percent of the rental population consists of low- to moderate-income residents. And the majority of multifamily housing stock is class B and C. By not tapping this market, property management companies are missing the majority of their audience. Additionally, these residents are apt to benefit most from smart apartment integration, since they’re less likely to make the investment into owning smart technologies, especially in a rental unit.
Mid-level income residents have time and budget constraints, and smart apartment technologies provide conveniences and savings that benefit them greatly. These benefits can include anything from turning off lights remotely to playing automated stories designed to conserve energy. Smart apartment technology is asset agnostic and for a value-add strategy, or a straight retrofit, residents are willing to pay more rent for the convenience, control and savings. Our partners are achieving rent premiums for their smart apartments as low as $25 and as high as $200 depending on the market and many of them are able to retain more residents because of the “stickiness” of the smart lifestyle experience. According to Jim Dobbie with Hunt Investment Group, “We are seeing $40 pop in our value-add assets that feature IOTAS in our Beaverton, Ore., property.”
Regardless of income or asset class, apartment dwellers expect this type of technology, but they don’t want to pay to set up the infrastructure. After all, it’s an apartment. They want to bring their own devices and have things work without any effort. And once residents experience the digital lifestyle, they don’t want to leave it. For a relatively small investment (less than $1,000), again, for B or C class assets, this is an incredible opportunity to bring home automation to a class that otherwise might find it inaccessible.
Property managers of luxury apartments will always see increased value with smart technologies. Residents are coming to expect it and are ready to spend a premium on these services. However, the class B and C properties shouldn’t ignore the smart apartment revolution. They’ll see the biggest impact on revenues and will be setting themselves apart from competitors who automatically write off the smart apartment potential.
At the end of the day, education is key to understanding apartment home automation. Smart apartments are about the infrastructure and the digital ecosystem that enables apartments to function, learn and anticipate what residents want and need, not expensive devices. What you want versus what you need versus what’s feasible are vastly different across income classes. For instance, class B or C renters may not need a flashy thermostat, but they’ll certainly see the benefit in a smart-enabled heating and cooling system that allows them to save on their monthly energy bills — even if it means a slightly higher monthly rent.
Every day, more and more objects that make up our everyday lives have some sort of network connection; from coffee makers to security cameras, from air quality sensors to connected cars, there isn’t a single area of our life that won’t be touched by IoT devices in the next decade. In fact, IHS predicts there will be 75.4 billion connected devices by 2025.
Beyond IoT’s impact on products, it is also helping organizations develop stronger relationships with their customers. With IoT in place, companies can build incredibly detailed profiles — not just of customer segments, but of individuals by learning their name, preferences and habits so they can make relevant recommendations. In return, customers are getting a far more personalized experience than ever before. This new level of personalization is a welcome experience for consumers as it allows them to live a more connected, informed and controlled life. Consequently, it also opens security concerns and troubleshooting issues, leaving customer support teams on the frontline for handling such problems.
IoT and security
The sheer amount of data that IoT devices can generate is staggering. A Federal Trade Commission report titled “Internet of Things: Privacy & Security in a Connected World” found that fewer than 10,000 households can generate 150 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.
As a result, there’s huge anxiety that comes with IoT, but most consumers won’t forgo using these connected devices. It’s up to the brands and support departments to help and reassure their customers that it can be done in a safe and private way, and in their full control.
Brands should inform their customers about the steps they are taking to keep them safe and the precautions they can take themselves. Simple things like making sure passwords are strong and patches are up to date can help establish trust between the brand and customer. Transparency is also essential. The more open companies are with their customers, the more customers will trust the brand to keep their information safe.
However, the expertise and time required to successfully train customer support teams can be immense, and often difficult to provide in-house. As a result, many fast-growing companies outsource trust and safety operations to a partner company, allowing them to focus on core competencies.
Too many choices
IoT products are getting incredibly powerful, with numerous features incorporated into a single product. As a result, there’s more interplay between how these products work together and the choices we make about what we can do with them.
Take a company like Nest Labs, for example. The cameras can be set to be off when people are in the house, and when they leave, their phone’s and system’s geofencing functions know to turn the cameras back on. These choices can get increasingly complicated because they need to program which family members can have control of these settings, who can see the cameras, who can change the parameters of the product, who can change the temperature and to what extent. Consumers want total control and all these choices, but it can also overwhelm them because it’s probably more choices than they want.
Because of this, they’ll experience challenges and issues, and they’ll call customer support to ask why this is happening or why it’s broken. Chances are it’s not broken; it’s just a toggle switch they had on or off and didn’t know they could change.
Companies need to get a better understanding of how their technology transforms customer expectations and develop a plan to either modify the product or help customers understand it. Customer service agents are typically the first point of contact for users, so they have unparalleled insight into the challenges they face. Brands should use their customer support teams to understand the challenges consumers are facing with their products and arm them with the right information to educate them about the products.
If companies don’t have the right infrastructure to support education and user feedback, retaining customers will become a problem. This is one reason why scale-up companies turn to an outsourcing partner to handle their product expertise and customer insights initiatives. The insights that feed back through product support teams are highly valuable to product design and build teams.
Using customer support for IoT success
As IoT continues to grow, it’s vital for companies to have a strong customer service team to support customers throughout this journey. Whether that’s helping them understand security measures and precautions or troubleshooting a toggle on/off switch, the companies that provide strong customer support and experience will be the ones who ultimately reap the most benefits out of the lucrative IoT market.
The impact of the internet of things is not yet as big as many market participants were expecting, at least if you take a recent study sponsored by IBM and ARM into consideration. One of the major obstacles executives are concerned with is the practical implementation. While high costs have proved a major hindrance, one might also ask if the way the IoT industry is selling its products and services could also be a problem.
If you’ve been to one of the many IoT conferences, you’ve probably heard the phrase that “data is the oil of the 21st century.” That is probably why manufacturers of IoT technologies think they should offer closed systems that rely on a cloud that nobody else can touch.
Let’s take a smart home system, for example. You’ll find many technologies for a “smart living” experience, ones for smart lighting, smart heating, smart gardening, smart kitchen, smart surveillance and so on.
Closed systems won’t be successful
Yet, while each solution provider might be an expert in his specific field with outstanding products, closed systems are not what customers want. They don’t want to install a new gateway for each system that talks to its own cloud and uses its own app. One for the lighting, one for the heating, the next for the robotic vacuum cleaner and probably another one for their home security system. That jungle of different systems makes IoT installations complex, inefficient and expensive.
One cloud to rule them all
Internet giants like Amazon and Google are now making use of that technological gap by combining these systems under another cloud: their own. By introducing smart voice assistants that have become so successful, vendors of IoT products and services can’t hide away anymore and must offer support for Amazon Echo, Google Home and even Apple’s Siri and Microsoft’s Cortana smart voice assistants.
Connected clouds are unsatisfying
However, with that one major cloud that connects all the other systems, smart home installations are still too complex to become a bestseller. And one major issue remains: If the network is down, the whole smart living experience is rendered dumb within a blink of an eye. Nobody seriously wants that.
Common standards that enable devices from different vendors to interact directly with each other on a local level are urgently needed. With or without an active online connection, windows need to be able to tell the heater if they are open or closed. Motion sensors still need to be able to contact the lights, shades or doors.
Devices need more ‘freedom of speech’
Making devices less dependent on their respective cloud won’t necessarily cost the solution providers a source of income in terms of information. Since smart home systems will always be used for monitoring and remote-controlling purposes, that business segment won’t die.
What needs to change is that too much unnecessary data is being sent around the globe. Devices need to be enabled to talk “more freely” with other systems. A common standard that enables direct interaction will not just make IoT systems less complex, it will make them cheaper to install, easier to maintain, more secure and, last but not least, better selling.
As IP-enabled technology for the home continues to increase, networks and security architectures are in dire need of change. Every IoT-enabled smart device inside the home needs to communicate with a server, which is typically located outside the home. The amount of data and frequency of communication between the device and the server varies, but even a single outbound connection increases vulnerability to security threats. The now infamous attack on Dyn, which was launched from compromised IP video security cameras, is a prime example of the vulnerabilities currently existing in these connections.
How should networking evolve to allow smart home data to transport securely? The answer, actually, is minimally. The security lies in the network’s most basic building block: the router. IoT providers need to replace their basic access switches on-premises with increasingly smarter, session-stateful routers that can subscribe to registries of certified and authorized IoT services. By only recognizing the certified components, they should provide a secure route between a home and the IoT service while preventing any non-conforming traffic from being passed to/from the IoT device. This technique would essentially create a virtual private network between each IoT device and its server. With this approach, both the service and homeowners win; the service owner is assured of the IoT device’s accuracy and location while the homeowner can now prevent any unauthorized outbound flows. Other benefits of this device-specific intelligent router would include clear end-to-end control, even through mid-network network address translations (NATs), such as NAT64 or carrier-grade NATs.
There are those in the industry that tout virtual customer premises equipment (vCPE) as a security technology for IoT. In actuality, vCPE just moves the security border from the customer edge to the service provider edge, meaning the same networking issues exist. However, by moving the problem from a customer edge to a provider edge, better systems for security and traffic analysis may be available in a cost-effective manner. Service function chaining of different types of deep packet inspection (DPI) or firewall technologies can also help. But sadly, the trend in IoT, as well as data exfiltration, is to use encryption. Encrypted packets that originate in a home and are intended for a service cannot be analyzed outside of their IP protocol headers. It seems unlikely that IoT devices can be forced to go through proxies, so this makes DPI and standard firewall technology less likely to work.
Intelligent IP routers that are service-aware, session-stateful and understand client/server directionality can have a huge impact on how we integrate smart home technology with larger networks in the future. These routers could add metadata to packets that are being routed between a home and a server to provide improved understanding of a customer’s identity, IoT device identity or service requirements.
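The per-device filtering described above, as an added sketch (not code from the original post or from any router product): a session-stateful filter that forwards only device-initiated flows to the endpoints a registry certifies for that device's service. The registry layout, service names, class and function names are hypothetical, and all addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass

# Constructed registry: certified service -> server endpoints (ip, port, proto).
REGISTRY = {
    "camera-cloud": {("198.51.100.10", 443, "tcp")},
    "thermostat-cloud": {("203.0.113.20", 8883, "tcp")},
}

# Constructed bindings: home device address -> the one service it is certified for.
DEVICE_BINDINGS = {
    "192.168.1.50": "camera-cloud",
    "192.168.1.51": "thermostat-cloud",
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ts: float  # arrival time in seconds


class IoTEgressRouter:
    """Hypothetical model of the service-aware, session-stateful router."""

    def __init__(self, registry, bindings, idle_seconds=300):
        self.registry = registry
        self.bindings = bindings
        self.idle_seconds = idle_seconds
        # (dev_ip, dev_port, srv_ip, srv_port, proto) -> time last seen
        self.sessions = {}

    def _expire(self, now):
        stale = [k for k, seen in self.sessions.items()
                 if now - seen > self.idle_seconds]
        for key in stale:
            del self.sessions[key]

    def handle(self, pkt):
        """Return (verdict, reason) for one packet."""
        self._expire(pkt.ts)
        if pkt.src in self.bindings:
            # Outbound: the device is the client and may open a session only
            # to an endpoint certified for its own service.
            service = self.bindings[pkt.src]
            allowed = self.registry.get(service, set())
            if (pkt.dst, pkt.dport, pkt.proto) not in allowed:
                return ("drop", "destination not certified for " + service)
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            self.sessions[key] = pkt.ts
            return ("forward", "device to certified service")
        if pkt.dst in self.bindings:
            # Inbound: forwarded only as the reverse direction of a live,
            # device-initiated session (client/server directionality).
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if key in self.sessions:
                self.sessions[key] = pkt.ts
                return ("forward", "reply on established session")
            return ("drop", "no device-initiated session")
        return ("pass", "not an IoT device flow; outside this policy")


def run_sample():
    """Run constructed packets through the filter and return the verdicts."""
    router = IoTEgressRouter(REGISTRY, DEVICE_BINDINGS)
    packets = [
        # Camera opens a session to its certified service.
        Packet("192.168.1.50", 40000, "198.51.100.10", 443, "tcp", 0.0),
        # Server reply on that session.
        Packet("198.51.100.10", 443, "192.168.1.50", 40000, "tcp", 1.0),
        # Camera tries an endpoint that is in no registry entry.
        Packet("192.168.1.50", 40001, "203.0.113.99", 53, "udp", 2.0),
        # Camera tries the thermostat's service: certified, but not for it.
        Packet("192.168.1.50", 40002, "203.0.113.20", 8883, "tcp", 3.0),
        # Unsolicited inbound to the thermostat.
        Packet("203.0.113.20", 8883, "192.168.1.51", 5000, "tcp", 4.0),
        # Reply arriving long after the camera session went idle.
        Packet("198.51.100.10", 443, "192.168.1.50", 40000, "tcp", 1000.0),
    ]
    return [router.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(verdict, "-", reason)
```

Because the decision uses only addresses, ports and session state, it still applies when the payload is encrypted, which is the case the DPI discussion above says header-only inspection is left with.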
Next time you get your annual physical, will the internet of things play a role in that checkup? Maybe. But what could that look like? IoT plays a role in a multitude of industries and verticals. We have heard how IoT will impact how John Deere helps farmers, how it impacts the way GE and Rolls-Royce manage their fleets of planes, and how ExxonMobil is using IoT to remotely monitor its facilities. The future of IoT has the potential for great influence on our personal well-being, but it will face some major hurdles.
First, let us look at where IoT holds the possibility to impact our daily well-being.
IoT is bringing greater insights into what we consume and how it impacts our lives. OK, this might be a little too Big Brother for you, but the reality is our homes are becoming even more connected to the grid than before. This connectivity is moving well beyond devices such as the Nest thermostat or connected doorbells, with the increased presence of digital assistants in the form of Amazon Alexa or Google Home and the ever-increasing connectivity for appliances, such as our refrigerators, washing machines and even connected toilets. What this translates to will be homes that will be able to monitor our activity on an hourly basis. Your doctor has you on a low-cholesterol diet? Soon enough your doctor will be able to read data from the pantry and monitor whether you are truly cutting down on the potato chips and steak.
As we connect our homes and ourselves, we can do a better job tracking healthy lifestyles. By some estimates, there will be four times as many mobile devices as there are actual humans on the planet within the next few years. We have already witnessed the breathtaking pace of smartphone adoption. Now we are seeing the rise of wearables such as the Fitbit and Apple Watch. Soon, connected clothing will become more mainstream, as we see brands such as Under Armour, Adidas, Nike and New Balance putting more investments in the space. Technology giants such as Apple and Google have integrated health applications into their mobile operating systems. Many of these connected devices have leaned on gamification to incentivize us to allow them to track how fast we ran our 10k or how many steps we have taken daily. Companies such as Athos are even providing connected clothing to monitor and coach us when we are lifting weights. All this activity information is creating massive personal profiles that our doctors will be able to tap into, getting a much more accurate insight into our activities — and by extension, our health. And it is not just our doctors who might use that data to judge us. Insurance providers are starting to offer perks, such as lower premiums to customers who share fitness tracker data to prove they are living healthy lifestyles.
A more connected medical network
One of the biggest issues with our medical industry is in the timely and accurate exchange of vital information. Will IoT solve this issue? No, but it could begin to shine more light on a process that is otherwise in the dark. As our persons, homes, cars and appliances become more connected, these nodes will become integrated into a wider network that is connected to our medical network. The information flowing between the nodes will continuously provide a much richer and fuller picture of our environment, our activities and possible issues. All this data could be tied back into a connected medical network, where your primary care provider would gain a much richer and in-depth view of you and your well-being. The network would be a first line of digital information, pulling data together for yourself or your healthcare partners, insurers or even personal trainers to provide a single view of your overall health. It could help eliminate all the paperwork and repetitive discussions that take place between an individual and their many different providers, leading to better conversations about healthcare and ultimately producing better, more personalized outcomes.
The pitfalls and potential of IoT
This all sounds great, right? But what are the possible pitfalls? Privacy is the main area of concern. When it comes to connectivity, the closer the sensors get to our person, the more sensitive we must be with regard to consumers’ privacy. The data becomes more personal. While having greater connectivity can bring great benefits, there is also the risk of consumers having a backlash against the greater sharing of private information. Society is struggling with the balance between having access to more data versus privacy. What is the line that we are not willing to cross when it comes to more data versus less privacy? This might be determined on an individual basis, but the network must be ready to handle this question.
While the possibilities inspire hope for a healthier, more digitally connected future, there is still some work to be done for it to become reality. Many companies working within the IoT space are focused on one specific product and its use case in the home or as a fitness tracker. But it creates a challenging ecosystem of disparate data and systems that do not necessarily connect. As with many business models, we may eventually see a network emerge that brings all of the data from these connected devices onto one platform, acting as a translator for our providers (and ourselves) and helping to draw a single version of the truth. At that point, we can begin to realize the potential for these connected devices to truly make a difference in our long-term well-being.
The internet of things continues to be one of the hottest trends in the technology world these days. The technology has impacted all facets of tech development and, of course, the way that websites are designed and developed.
Web design and the internet of everything
There’s no denying the buzz about the internet of things. It is the notion that pretty much everything, from automobiles and refrigerators to industrial machines and environmental sensors to baby monitors and surveillance cameras, can be equipped with circuitry, allowing them to connect to the internet, offering information continuously or on-demand. A lot of internet-connected devices are on the market already. In any case, each IoT device has to be accessed, managed, configured and manipulated at some point. Doing so requires a more familiar internet-connected device, like a smartphone or laptop. And this commonly means new web development and design techniques.
Design considerations for IoT interaction
A website design company should be aware and knowledgeable of the different considerations for design and IoT interactions. The following are some design considerations required to let users interact with IoT devices:
- Back end: To allow users to interact with IoT devices, a way of communicating with them must be established. Since each device has its own commands, capabilities and data that it can transmit and receive, exactly how to communicate varies from device to device.
- User interface: A web-based UI for an IoT app should be clean, fast and intuitive. All the standard usability best practices would be brought to bear when it comes to designing the interface, which include meaningful feedback, good user assistance and logical flow. Keep in mind that many, if not most, usage instances involve mobile devices.
- Security and privacy: The downside of IoT is that it presents more opportunities for hackers. If one could unlock a web-connected front door, a hacker potentially could do the same and help himself to the contents of the home. Part of the privacy and security responsibility lies on the device designers, but a third-party web designer has to make security the main design consideration.
- Power management: A lot of IoT devices are battery-powered and wireless; excessive back-and-forth communications would prematurely drain the battery. Communications should be designed to minimize power usage.
- Speed: Unlike traditional websites, where requests go to a web server that sends back data, there’s another communications leg involved between an IoT device and web server. This possibly means more latency and the perception of slow response by users. Thus, design strategies for slow connections must be adopted.
- Testing considerations: Testing an IoT website is a bit more complicated than it is for a traditional site.
Many opportunities to make lives easier
The advent of the internet of things presents a lot of opportunities to build innovative, new and useful apps to make people’s lives easier. It is good to know that the IoT development landscape is improving, but the present ecosystem is still rife with difficult-to-use and fragile devices, most of which come with disparate communication protocols and security flaws that prevent seamless integrations. Instead of squeezing embedded C into the web world, there are other web tools and technologies that could be used.
Impact of IoT on web design
The growth of IoT already is beginning to exert influence on web design. The following are some considerations for businesses when building websites, as well as web-based user interfaces:
- Business sites should develop an increasingly sophisticated ability to respond to personalized data from web-enabled devices.
- With a business site, activities should interact more directly with IoT devices. For example, a surge in search queries or uptick in online purchases for a certain product could impact a machine’s activities immediately for both those companies that manufacture products and those that prepare them for distribution. A third-party vendor message on the availability of a new product could automatically and quickly lead to its promotion on the website.
- Flexible, clean user interfaces are imperative, as are websites that look good on screens of various sizes. IoT places many demands on user interfaces and web design; people will not interact with various devices in the same manner. Rather, they will have different expectations for the information displayed on every device and how they could optimally engage with it. Intelligible icons and minimal text can make the most of small interfaces. There would also be an increase in the need for dashboards, which include apps that help people manage data from various devices.
The emergence of autonomous vehicles is radically changing the automotive business. This change is bringing in new revenue generation opportunities for the whole industry, but with it, also new risks — specifically cybersecurity. Since autonomous vehicles are completely dependent on connected software for all aspects of their operation, they are vulnerable to a broad spectrum of cybersecurity attacks. As we see in the news every day, even well-established sectors like the financial industry and government agencies are still struggling to deal with the same issues. Consequently, the automotive industry will actually have to leapfrog existing approaches to cybersecurity to ensure that not only are all existing threats mitigated, but also that future “unknown” threats are prevented. Automotive cybersecurity is much more than ransom, data breaches, stolen personal records, etc. — it is about the safety of our lives!
The recent sanction of an automotive-specific cybersecurity bill in the U.S. Congress, H.R. 3388, also known as the Self Drive Act, and the Senate’s advancements on the AV START Act have sent a clear signal that the automotive industry needs to get serious about cybersecurity. The immediate security risks to connected cars and long-term risks to autonomous vehicles must be addressed. The Self Drive Act outlines the cybersecurity plan for autonomous driving systems.
Traditionally, the automotive industry only adopts mature technology. Unfortunately, the rapid pace of software development requires the automotive industry to become more innovative with respect to how it views software. More importantly, the dramatic increase in cybersecurity attacks demands cooperation among OEMs, Tier-1 suppliers, software developers and cybersecurity firms at a scale that has never been reached before. Today’s automotive cybersecurity technologies in the marketplace are at best an afterthought. There are still many unanswered questions, including how to safeguard internal vehicle systems from attacks and ensure data integrity while also providing data privacy and secure vehicle-to-cloud communications in millions of vehicles that each support hundreds of ECUs, sensors, domain controllers, radars, LiDAR and ADAS. In order to deliver cybersecurity technologies to address these specific questions for connected and autonomous vehicles, a number of factors must be considered, such as scaling globally to a massive number of vehicles, detecting software tampering and malware, supporting an array of telematics, information and safety applications, enabling precision access control to vehicle software suppliers, and meeting regional safety, privacy and driving regulations.
Fortunately, there are two new emerging technologies, software-defined perimeter (SDP) and blockchain, that offer a path forward. SDP enables the provisioning of secure communications between the software process within the vehicle and cloud-hosted applications, while blockchain enables secure messaging. By combining the any-to-any connectivity of the SDP with the scale of the blockchain, an efficient cybersecurity model for connected and autonomous vehicles can be created.
In order to further provide secure connected and autonomous vehicles in a systematic manner and provide the required safety, a number of practices should be adopted:
- Incorporate an industry-wide automotive cybersecurity lifetime (from cradle to grave) compliance certification program. Make cybersecurity a mandatory part of a vehicle’s product development process;
- Establish a joint automotive cybersecurity taskforce that is responsible for proactive prevention, mitigation and correction of threats; and
- Provide regulatory agency access to vehicle metadata (non-personally identifiable information) for random cybersecurity compliance checks and validation.
What is a software-defined perimeter?
SDP is a new approach to cybersecurity that is designed to provide on-demand, dynamically provisioned secure network segmentation that mitigates network-based attacks by creating perimeter networks anywhere in the world, whether it is in a cloud or in a data center. The architecture comprises three main components:
- Virtual gateway: An SDP virtual gateway is deployed in a cloud, data center or a connected gateway in the vehicle depending on the use case. This SDP virtual gateway combines the functions of a firewall, VPN and application-layer gateway in a single virtual appliance by only allowing approved software on authorized devices to connect to protected applications inside the vehicle as well as to the cloud.
- Client: To allow vehicle software processes to connect to protected applications, they must utilize the SDP client which can be embedded inside, e.g., an over-the-air (OTA) software management and data client. This SDP/OTA client has three distinct purposes. Firstly, it allows the automotive policy engine to determine the vehicle identity. Secondly, it allows the remote analysis of software and system processes to detect the presence of malware. And lastly, it provides a secure application layer connection between a software process or ECU inside the vehicle to a software process on a cloud application server.
- Controller: Tying the SDP/OTA client and gateway together is a controller. The SDP controller functions as a hub between the client and the gateway as well as external policy systems.
The SDP’s interlocked security controls protect software systems within a vehicle and their data from cybersecurity attacks. All SDP transactions are cryptographically certified to mitigate real-time tampering while the architecture scales to millions of vehicles supporting billions of software modules and ECUs.
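The controller and gateway roles described above, reduced to a default-deny sketch. This is an added example, not code from the article or from any SDP product; the key, vehicle ID, process and application names are hypothetical, and an HMAC-signed grant stands in for whatever cryptographic certification a real deployment uses.

```python
import hashlib
import hmac
import json

# Constructed sample data: every identifier below is hypothetical.
CONTROLLER_KEY = b"demo-key-held-by-controller-and-gateway"
AUTHORIZED_VEHICLES = {"VIN-DEMO-0001"}
APPROVED_BUILDS = {  # process name -> SHA-256 measurement of the approved build
    "ota-client": hashlib.sha256(b"ota-client build 1.4").hexdigest(),
}
POLICY = {("ota-client", "update-server")}  # allowed (process, protected app) pairs


def _sign(body: str) -> str:
    """HMAC-SHA256 tag over the serialized grant (assumed signing scheme)."""
    return hmac.new(CONTROLLER_KEY, body.encode(), hashlib.sha256).hexdigest()


def controller_issue_grant(vehicle_id, process, measurement, app, now, ttl=60):
    """Controller: check identity, software measurement and policy, then sign a grant."""
    if vehicle_id not in AUTHORIZED_VEHICLES:
        return None  # unknown device
    expected = APPROVED_BUILDS.get(process, "")
    if not expected or not hmac.compare_digest(expected, measurement):
        return None  # unapproved or modified software
    if (process, app) not in POLICY:
        return None  # this process is not entitled to that application
    body = json.dumps({"vehicle": vehicle_id, "process": process,
                       "app": app, "expires": now + ttl}, sort_keys=True)
    return {"body": body, "tag": _sign(body)}


def gateway_admit(grant, vehicle_id, process, app, now):
    """Gateway: default deny; admit only a valid, unexpired grant for this exact flow."""
    if not grant or not hmac.compare_digest(_sign(grant["body"]), grant["tag"]):
        return False  # missing grant, or body altered after signing
    claims = json.loads(grant["body"])
    return (claims["vehicle"] == vehicle_id and claims["process"] == process
            and claims["app"] == app and now < claims["expires"])
```

A grant is bound to one vehicle, one measured process and one protected application, so a valid grant for the update server does not open any other service behind the gateway.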
What is blockchain?
Blockchain, also known as distributed ledger technology, is a decentralized database for ledgers and transactions. Bitcoin, a cryptocurrency, is one of the most famous and widely adopted global virtual currencies in the world and is based on blockchain. Users gain access to their Bitcoin balance using their private key.
Being immune to single-point-of-failure and security issues gives blockchain a lot of advantages compared to traditional databases. The main advantages of blockchain are its immutability, scalability with data security, high data integrity, super transparency (all nodes have visibility into every messaging/transaction metadata) and its ultra-low cost per message/transaction, making it very suitable for applications such as micropayments. Deployments of blockchain can be either public or private: in a public (permission-less) blockchain, any node on the internet can read from and write to the ledger with the appropriate application, whereas in a private blockchain, all the nodes in the network are known and have explicit permission to read and write the ledger.
The above-mentioned blockchain characteristics make it ideal for automotive use cases, and OEMs could use a private blockchain as a platform to enhance their overall cybersecurity for vehicles, validate software bills of materials, enable cost-effective micropayments, strengthen identity management and improve data validation. Examples include pooling of data from vehicles, fleet management, optimization of business processes, and enabling peer-to-peer mobility-sharing capabilities that can all disrupt existing business models and improve overall operations.
Combining software-defined perimeter and blockchain for automotive
Blockchain enables secure messages that can carry a wide variety of payloads from the status of sensors to the delivery of private encryption keys, while an SDP provides secure in-vehicle and internet links. Thus, blockchain messages can be used by ECUs to signal management systems on their status. If a situation requires a secure bidirectional link, an SDP connection can be provisioned from a vehicle-to-cloud resource and, once set up, blockchain can be used to transmit messages between internal vehicle systems. The combination of SDP and blockchain technology creates a system that is very lightweight and scalable, and yet has the ability to create secure enclaves when required. In addition to supporting telematics and safety applications, this blockchain/SDP platform can also support multiple cryptocurrencies, such as Bitcoin or Ethereum, and thereby be a critical digital payment foundation for the automotive ecosystem.
A simple but powerful example of how short blockchain messages and SDP connections complement each other is the challenge of driving an autonomous vehicle in the snow. As an autonomous vehicle drives through a snowstorm, it can continuously send blockchain status messages to cloud-based safety monitoring systems. However, if the vehicle gets stuck in the snow and is unable to dislodge itself, a secure SDP connection can be provisioned which will backhaul all the vehicle image sensors to a specialized cloud application for processing.
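The snowstorm scenario above as an added sketch, not code from the article: a single-writer hash chain of status messages (only the hash-linking part of a blockchain, with no consensus or signatures) and a monitoring rule that asks for an SDP link. The message fields, the three-report threshold and all values are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first block


def block_hash(index, prev_hash, payload):
    """Hash of a block's position, its link to the previous block and its payload."""
    data = json.dumps({"i": index, "prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


def append_status(chain, payload):
    """Append a status message, linking it to the current head; return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "payload": payload,
                  "hash": block_hash(index, prev, payload)})
    return chain[-1]["hash"]


def verify(chain, trusted_head=None):
    """Recompute every link; optionally compare the head with one held independently."""
    prev = GENESIS
    for i, blk in enumerate(chain):
        if blk["index"] != i or blk["prev"] != prev:
            return False
        if blk["hash"] != block_hash(i, prev, blk["payload"]):
            return False
        prev = blk["hash"]
    return trusted_head is None or prev == trusted_head


def needs_sdp_link(chain, threshold=3):
    """Assumed monitor rule: escalate after `threshold` consecutive 'stuck' reports."""
    recent = chain[-threshold:]
    return len(recent) == threshold and all(b["payload"]["state"] == "stuck" for b in recent)


def sample_ledger():
    """Constructed sample: a vehicle slows in snow, then reports 'stuck' three times."""
    chain, head = [], GENESIS
    for t, state, speed in [(0, "moving", 42), (10, "moving", 17),
                            (20, "stuck", 0), (30, "stuck", 0), (40, "stuck", 0)]:
        head = append_status(chain, {"t": t, "state": state, "speed_kmh": speed})
    return chain, head
```

Editing one stored message breaks the links after it, but a ledger rewritten from the first block onward is internally consistent; only the comparison with a head hash held by another party catches that case, which is the job replication across nodes does in a full blockchain.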
Both SDP and blockchain represent the cutting edge of technology. For example, Gartner listed SDP as one of the most important new technologies in 2017 to reshape the enterprise market. Similarly, blockchain is being adopted as a secure messaging protocol in a wide variety of applications due to its low cost and high scalability. The automotive industry could adopt both technologies as a foundation for secure OTA software/firmware/content updates, secure data exchange and autonomous driving communications. Both blockchain and SDP are open, license-free public domain standards, and both concepts are proven in large-scale critical deployments in areas such as finance and telecommunication. This restriction-free model means that there is no barrier for the automotive industry to adopt and innovate on top of them.
With attacks rising every year, cybersecurity has become one of the most important focal points for the automotive industry. A disruptive approach must be incorporated to battle the threat of cybersecurity attacks that are becoming more sophisticated each day. With a blockchain-based SDP, OEMs have a unique system that can empower the global automotive industry to secure connected cars and autonomous cars with confidence.
This article was co-written by Junaid Islam. Junaid is the CTO and founder of Vidder, which provides distributed access control solutions to Fortune 500 companies. Prior to Vidder, Junaid founded Bivio Networks, which developed the first Gigabit-speed software-based security platform in the industry. Earlier in his career, Junaid helped create networking standards such as Frame Relay, ATM and MPLS at StrataCom and Cisco.
In addition to his work in the technology industry, Junaid has served at community and national levels as the Human Relations Commissioner of the Santa Clara County (Silicon Valley) from 2002 to 2009. Currently, Junaid is the co-chair of the Software Defined Perimeter research group, which supports a number of U.S. national cybersecurity initiatives.
Taking a smarter approach to creating “smart everything”
Making physical objects or systems “smart” is all the rage today. Terms like smart houses, smart cars, smart cities, smart grids, smart refrigerators and even smart hairbrushes pop up everywhere. But there’s something not smart in the way this trend is progressing. Securing smart systems is often being overlooked.
Cyber-physical systems and the smartification of our world
Smartification of our world depends on cyber-physical systems (CPS) — technologies such as the internet of things and industrial control systems (ICS), whose primary purpose is to sense and actuate the physical world.
The benefit of this is enormous. Think of all the cyber-connected objects in your life: recent model year cars have cyber-enabled safety features that help prevent accidents. Home management devices let you turn lights on or off in your home, adjust heating or air conditioning and much more simply by giving a voice command. Apps let you adjust functions of your home or car from miles away. Some can even alert you that someone has rung your doorbell — even if you are half a world away — and can show you who that person is.
CPSes also make distribution of essential services, such as power and water, more efficient. Sensors embedded in distribution systems detect imminent failures before they happen and dispatch repair personnel to the location to fix the problem before consumers are inconvenienced. Traffic control systems monitor traffic patterns and adjust traffic light timing to optimize traffic flow. Many other city services are cyber-connected, too, to maximize efficiency. These, too, are run by IoT or ICS.
Sensors in factory equipment monitor and take action to enhance productivity. Sensors even enhance how our food is grown; sensor-connected systems in the dirt of many large agricultural operations administer proper balance of water and nutrients in the soil.
These technologies play a role in healthcare, too. No one who has seen the high-tech equipment used to diagnose and treat patients in a hospital would be surprised to hear how much of it is cyber-enabled. Perhaps more surprising, though, is how frequently cyber-enabled devices are being implanted in people’s bodies. Cyber-enabled pacemakers, heart monitors, defibrillators and insulin pumps enable doctors to remotely monitor patients’ conditions and make adjustments as necessary. That makes each patient part of a smart cyber-physical system!
Cyber-kinetic attacks: The unintended consequence of smart technologies
There’s no debate that IoT provides many benefits. Yet, a downside exists to cyber-connectedness: the growing threat of cyber-kinetic attacks. Even though IoT and ICS technologies are very different in their implementation, from a security perspective they share many similarities. The physical layer common to both allows for attacks in which manipulation of physical processes is the target. Cyber-kinetic attacks hijack ICSes or IoT devices and use them to control physical elements of our world in ways that can hurt people or damage the environment. We had better learn from ICS mistakes as we keep rapidly putting more and more of our physical processes under the control of IoT and keep opening ourselves up to increasingly devastating cyberattacks.
Consider the consequences of an attack that releases toxic chemicals into a region’s water distribution system or that disables the mechanism that prevents unsafe pressure buildup on a dam or that manipulates pressure in an oil pipeline so it explodes.
The attacks described above are real. Only the inexperience of the attackers and the quick work of responders prevented catastrophic damage.
Even in small-scale systems, the results of someone compromising the system are serious. A November 2016 attack on apartment buildings in Finland left residents without heat or water for days before technicians could undo the damage.
A bored teen took control of his city’s tram system and rerouted trains recklessly for his entertainment. His “game” of rerouting trains eventually caused a collision — with a dozen people injured.
A disgruntled former waste management contractor took revenge on the town that terminated him by manipulating the system to discharge more than 264,000 liters of raw sewage across town for months before he was caught. Environmental damage was massive, not to mention the nuisance experienced by those who lived near the discharge points.
Those attacks are only the tip of the iceberg as to what has been accomplished by attackers or demonstrated by researchers to be possible. Some researchers have demonstrated vulnerabilities that can allow a hacker to take partial control of cars that contain cyber-connected functions. Other researchers have demonstrated vulnerabilities in implanted medical devices that could allow an attacker to remotely kill the person in whom it is implanted. The list of vulnerabilities is endless. I have been tracking many key cyber-kinetic attacks and incidents. Other researchers track 1,000+ such incidents and attacks and claim to be able to link 1,000+ deaths to date to cyber-failures and vulnerabilities in cyber-physical systems.
Not-so-smart security practices and the vulnerabilities they cause
How did we reach this point where so many cyber-physical systems are poorly protected? It starts with benefits that people see in cyber-connecting our physical world.
In the rush to connect, security is placed in the realm of wishful thinking. This thinking goes, “Hackers are interested only in high-profile targets, like the Pentagon or government or major banks. With so many more attractive targets, why would they target us?” This rationalization leads to — at best — installing only basic security and trusting that their best defense is the obscurity of their system.
“Security by obscurity” is illusory, though. Ransomware attacks, one of the fastest-growing forms of cyberattacks, seek any system that has vulnerabilities rather than seeking predetermined targets. This makes the common argument of “who would want to target us?” not only irrelevant, but irresponsible. Vulnerabilities put any system that has them at risk.
The unique security challenges of IoT
Unfortunately, the nature and purpose of IoT complicates security further. Someone hacking a traditional information system generally wants to extract information. Someone attacking IoT devices generally wants to manipulate what they do. That expands the scope of attack vectors from protecting just data to protecting the myriad elements that an attacker could use to alter the underlying physical process. New approaches to IoT security need to be interdisciplinary and connect traditional engineering domains, wireless communications, systems engineering and cybersecurity.
In addition, not all traditional security testing processes can be used to test IoT devices. Penetration testing is designed to find system failure points. But with systems controlling critical physical processes that cannot afford interruption, such processes are worthless. Thus, security protocols and testing processes must be rethought and redesigned to meet the new reality.
Recognizing growing threats
The common approach of relying on the statistical improbability of a given IoT device being targeted is the same logic behind Russian roulette. And to make this approach even worse, the number of hackers is growing.
Nations are increasingly building armies of trained cyberwarfare specialists. Organized cybercrime groups are shifting their attention to IoT (and CPSes in general) for ransomware and other imaginative nefarious purposes. Terrorist organizations increasingly turn to cyberspace for targets that can disrupt the states they target. And many disaffected youths learn advanced hacking skills on the dark web.
Consider this sobering fact: When my research team assesses critical infrastructure systems in various countries for vulnerabilities, we rarely find one that hasn’t already been breached. We almost always remove some form of malware or backdoor that would let the hackers who placed them there return whenever they want to trigger them.
While the Russian roulette approach has worked for many vulnerable CPSes so far, the number of cylinders in the revolver is increasingly being filled with potential devastation. Ensuring that IoT is properly secured is essential.
Where do we go from here?
No one would suggest we go back to when our physical world and the cyberworld were separate entities. The benefits of connecting them are too great.
Cyber-kinetic attacks are real, though, and their numbers are growing. Wishful thinking is not a defense. Additionally, IoT technologies present new challenges that do not exist in traditional information systems.
To keep our increasingly smartified world safe, we must get serious about securing IoT technologies. Security must be addressed from the start of the IoT development — not left to chance, not patched on as an afterthought.
And security professionals must address the new challenges that IoT creates. Traditional security protocols and testing processes must be rethought and revised to catch up to current technologies. Only by securing the growing world of IoT can our smart technologies truly be as smart as they need to be.