The biggest hurdle in embracing the Internet of Things is likely to be making the most of the operational data while maintaining robust privacy and security measures, explains Martin Lee.
14 July 2014
Three forces are bringing the Internet of Things (IoT) to your environment: Improved chip design means that processors are becoming smaller and using less power; improved chip production techniques mean that these chips are costing less to produce; and wireless internet connectivity is ubiquitous and low cost.
Together, these forces are providing cheap computing devices as powerful as the desktop computers of the past 10 years. These devices can be connected to sensors to take measurements of the environment- data that can be sent through wireless networks to an operations centre where it can be collected and analysed.
On the basis of this analysis, instructions can be fed back to more computing devices, which are connected to actuators and can make changes to the environment.
This pattern of measurement, data analysis and instruction to change the environment can make a real difference to the issue of energy consumption.Buildings account for the majority of electricity consumption and energy costs are certain to keep rising. Connected devices can reduce power consumption by sensing their environment and selectively operating facilities based on a wider context. For example, facilities can be provided depending on the expected number of people in a building, the time of day or the local weather forecast.
Devices can be powered off when not required, vending machines can be switched off when no one will be around to use them, and all but one lift can be powered off when lift use can be anticipated to be light. The IoT can assist with ensuring that facilities are fully operational in advance of when they will be required, but provided at minimum levels - or not at all - when not needed.
All of this means that the operating costs of a building can be optimised and lowered. And if something can make a building more profitable, then you can be sure that landlords will install it. However, deploying IoT is not without risk. Devices that run software may contain bugs that can be remotely and maliciously manipulated and exploited to run attackers' software instead of - or in addition to - authorised software.
This is not science fiction. In April, a series of security cameras were found to have been compromised to run bitcoin mining software to make money for an attacker. This attack illustrates how hackers, who are able to run their own software on a device, can substitute fake information for genuine data and interfere with data sent by a device to control centres.
Indeed, this was the case for a traffic-jam alerting system. Concerned that traffic would impede them on a scenic coastal route to their destination, a group of students created fake user reports to simulate heavy traffic on their preferred route. The traffic reporting system reported the existence of the fictitious traffic jam, causing drivers to reroute their journeys. The students successfully reduced traffic on their chosen coastal route and avoided encountering any genuine jams.
The ability to poison IoT sensor data with fake readings, such as the students did, could mean new classes of denial of service attacks. For example, attackers may be able to switch off cooling and raise heating to a maximum by sending falsified low temperature readings. In environments such as data centres, where maintaining a controlled temperature is vital, this could cause serious damage to equipment and even corruption of data.
Protecting the IoT will require secure encryption to prevent data and instructions from being altered in transit, and to verify data as genuine. The recent Heartbleed bug demonstrated that software initially considered as being reasonably secure could contain vulnerabilities that provide attackers with a means of unauthorised access to devices. To remedy such issues, vulnerable software will need to be patched. But this will require devices to be actively managed and maintained. In a cost-conscious environment this is something that may be neglected.
The continued march of technology and the profit motive attached to increasing operational efficiency and reduction in energy consumption means that smart devices capable of sensing and altering the environment are almost certainly going to be deployed in buildings. If we have learned one thing from the past 15 years of cyber security, it is that computer devices need to be secured against attack.Computer devices will contain vulnerabilities that need to be patched. As these smart devices are installed in the buildings in which we live, work and operate, we will need to ensure that the security and management of these devices is considered long in advance of such problems becoming apparent.
The IoT will bring benefits to buildings and our environment. But we cannot overlook the risks and must expect attackers to find new ways to subvert devices for their own ends. By planning for attacks now and designing resistant network architectures, we can ensure that the Internet of Things is an Internet of Secure Things.
Martin Lee is technical lead, threat intelligence at Cisco