IoT has become such a part of the vernacular that for many it’s become a catch-all acronym for every and any digital device on the market today. It’s easy to understand how that could happen. After all, in industries as far-reaching as consumer electronics, healthcare, energy and more data collection and analysis are delivering unprecedented business intelligence, driving operations, performance, and profitability. Solution providers are delivering network-based sensors and embedded systems across multiple sectors. In addition, users are relying on fixed and mobile devices to communicate with increasing trust that they will provide a safer, smarter world.
But before we go too far down that path, it’s important to discern what is truly IoT and what’s not. The newly released guidelines on IoT from the United States Department of Homeland Security’s Science and Technology (DHS S+T) Directorate are both significant and opportunistic for both IT and security professionals alike. They caution data-driven organizations rushing to capitalize on these data collection marvels to first distinguish between components that adhere to strict security standards and those that do not. Otherwise, they might be opening their networks to unexpected – and possibly devastating – vulnerabilities.
Primary functions of an IoT device
What actually defines an IoT device? There is a simple three-step test:
- Is the device capable of being remotely detected; is there the ability to know what IoT devices and components are connected to a given network or system?
- Can the device become trusted and authenticated on a network?
- Is the device able to be updated and upgraded to enhance features, deliver data and improve device security?
Let us see how two common devices fare against these criteria:
- Is a smartphone an IoT device? It can certainly be detected through location-based services as well as authenticated on a cellular or WiFi network. However, can it become a trusted device? Yes, it can with the right IT policies in place and use of the smartphone’s application management of digital certificates and multi-factor authentication methods. Can the device be updated and upgraded? Yes, it can, which can be both fortunate and, all too often, unfortunate as well!
- Is a network video camera an IoT device? It certainly can be detected on a network. Can it become a trusted device? That is only possible if the camera has the capability of handling digital certificates and authentication. Can the camera be updated and remotely upgraded with features, such as embedded video analytic processes? This is where a network camera with an embedded platform capable of running third-party applications securely, safely and without compromising performance wins the IoT classification. Those network devices in “closed” systems would not.
IoT Co-existence with Legacy Devices and System Architectures
So how will industry and DHS S+T work together in the future to secure the Internet of Things and yet co-exist with legacy devices? The introduction of small devices that meet IoT functionality for detection, authentication and updating are already occurring in many business sectors. These “bridge” devices can be low-cost, miniature computers no larger than a deck of cards that include embedded operating systems that meet IoT guidelines.
There are just two architectures to consider mobile and centralized. In both designs, theDetection and monitoring/management systems would need to map specific information about every device on the network: its location, its status and even whether it has
Detection and monitoring/management systems would need to map specific information about every device on the network: its location, its status and even whether it has important alarm or visual information to deliver. Both designs would need to be able to perform upgrades to the IoT devices to improve security and deliver features and valuable data.
Whether mobile or centralized, the network needs to be capable of differentiating between previously known and unknown devices, trusted and authenticated devices, as well as potentially “infected” or malfunctioning ones.
Imagine if light fixtures in a room were IoT devices, capable of running applications, being upgraded and able to transmit data. On entering the room, knowing if all devices were part of a tested and trusted network and free of rogue processes and malware would be a priority considering the loss of data from your own computing device. The network might look something like the illustration at the top of this story:
The gray “bulbs” have yet to be verified, the green ones are trusted, the yellow ones are in process and the red one has a rogue process running in it or is somehow malfunctioning. Although hypothetical, this illustration is very close to reality as LiFi devices currently use the visible light portion of the electromagnetic spectrum to transmit information at very high speeds, and manufacturers are in production with lighting fixtures that also deliver data, video, and audio.
The difference in architectures – mobile versus centralized – is simply the difference between a “human-portable” or wearable device and a centralized management solution. The mobile device is able to quickly detect and report on all IoT components connected to its specific infrastructure on demand and within proximity of the local IoT device network.
This distinction is also significant given the recent announcement of a new WiFi-IoT connectivity at CES in January 2016. The Wi-Fi Alliance, a global non-profit industry association, revealed the new Wi-Fi HaLow designation for products incorporating IEEE 802.11ah technology. With Wi-Fi HaLow offering low power while maintaining significantly longer ranges than previous networks, devices will be able to connect much more easily while conserving power. This will not only enable power-efficiency in smart homes but also crash prevention in connected vehicles and enhanced mobile-to-mobile communication between first responders working in industrial, retail, agriculture and Smart City environments. The new connectivity is all part of the IoT ecosystem supporting the Homeland Security Environment.
The world according to IoT
Our world is becoming ever more digital-centric with the convergence of mobile devices, information technology networks and connected sensors, appliances, and devices. Data is becoming more available and thus more transparent for decision-making. More transparency, in turn, leads to more informed decisions. More informed decisions based on accurate forensic video surveillance, for example, can generally result in a shorter path for investigations.
The number of possibilities for IoT to improve the outcome of life-threatening situations, in particular, are staggering. For instance:
According to AccuWeather, this winter’s El Niño will be one of the strongest over the past 50 years for North America, potentially bringing flooding and mudslides, especially problematic where rampant wildfires have charred millions of acres last year. First responders will be relying more heavily on connected devices than ever.
In Peachland, British Columbia, a fire-fighting sprinkler trailer capable of being monitored, controlled and updated remotely was recently deployed to protect a 1,200-home development. With the area near the fire’s front line fully evacuated, firefighters were able to leave the dangerous area and operate the system via mobile devices. Regulating continuous water flow helped prevent mudslides. Low power satellite/cellular transmitters, 360-degree communications and video surveillance combined to battle a fire that approached within 100 meters of the properties. As a result, not a single home was lost.
The importance of the aforementioned sectors to the nation’s economy, security and public health means that solutions to IoT device performance and security vulnerabilities are critically needed.
Over 150,000 attendees gathered this month at CES 2016, being noted that this is the year IoT “takes over.” For both consumer and industrial device deployment, there are new opportunities and vulnerabilities for service providers, infrastructure owners, and operators, enabling and potentially hindering intelligence, border and transportation security, law enforcement and disaster relief and recovery programs.
The Detect-Authenticate-Update guidelines from the DHS S+T Directorate will further our ability to differentiate between secure and untrusted, efficient and malfunctioning, updated and legacy and – most importantly – identify the IoT devices capable of providing valuable, often life-saving data and operations.
About the author:
Steve Surfaro is the Industry Liaison at Axis Communications. He is also Chairman of the Security Applied Sciences committee for ASIS International. He can be reached at [email protected].
