https://www.excelacom.com/resources/blog/securing-the-future-how-communications-providers-can-master-iot-technology/

Feb 24, 2015

Securing the Future: How Communications Providers Can Master IoT Technology

By David Krhut

In the words of acclaimed speculative fiction author William Gibson: "The future is already here – it's just not very evenly distributed." The highlights of this year's CES certainly prove him right.

If some of the proposed and less crazy schemes work out, we will be in for the age of IT-induced "magic." In the reasonably near future, you could be able to remotely control a squadron of gardening drones through a VR helmet and eat a custom-made 3D-printed granola bar, all while being a passenger in a self-driving car. You could live in a house that adjusts the living room temperature and prepares fresh orange juice right before you step through the door.

This brief extrapolation of things that are already possible, though mostly separately, portrays the latest gains in the IT sphere. This progress would be impossible without the slowly simmering, gradual evolution and convergence of the main cornerstones of the IT world: computing power, miniaturization, mobility and ever-present (Internet) inter-connectivity.

All of these elements combined are finally bearing fruit in the form of the next major iteration of the IT revolution, and we can only expect that our daily lives will become more interesting and more influenced by ever-present, interconnected and "cyborgized" things.

This Internet of Things will be the lifeblood of today's mobile and cable companies. Let's try to evaluate what kind of impact the IoT phenomenon might have on communications and media providers and others, now and in the near future.

The IoT is a trend to empower previously "dumb" things with computing abilities using chips, memory, and sensors. Although we are still far away from the "Nutrimatic Drinks Dispenser" mentioned in a great book by D. Adams, more and more "digitized" home appliances, cars and other equipment are already a reality; some lucky people are already living in those proclaimed intelligent houses.

The most classic example of the IoT could be the touchscreen refrigerator connected to the Internet. This smart fridge is able to track whether your eggs are still fresh or not (and would not open its door between 11pm – 5am ;-)). For example, you should be able to connect to it directly from your Walmart and see what is missing or what is close to the final date of consumption.

More complex devices are composed of interlinked sensors – hubs connecting sensors together or with other devices. Aggregation gateways connect all of this to the Internet, and subsequently to private, public, or embedded clouds that provide additional computing and analytical power.

Generally, from the IT point of view, most of the technical/SW pieces of this grand IoT puzzle are already available. We are able to manufacture all kinds of tiny sensors, and there is no problem putting miniaturized IT technology into something as commonplace as a shoe.

From the network point of view, the general trend is pointing towards an all-IP approach for system control. There are already several groups working on IoT-specific protocols (6LoWPAN, CoRE) that unfortunately still do not always see eye-to-eye with the TCP/IP Internet protocols, usually because of IoT specialization. With recent progress in fielding LTE and related pico-cell technology, the capacity of mobile networks should be generally ready for the flood of small but numerous (and very important!) messages being produced by our juicers.

But the winner of this IoT race will not be the company that has the best Big Data analysis or the tiniest or most sensitive sensors, but the company that is able to orchestrate all of this into one smoothly working and secure end-to-end package – generally the same way Apple did for the smartphone industry.

And that might be the biggest challenge of the IoT.

The makers of IoT appliances should probably get themselves into the mindset of a military-grade UAV manufacturer. While I understand that some of the actual usage of UAVs is highly questionable from the moral point of view, these devices still represent a great technological achievement from the IT point of view.

During every UAV sortie over enemy territory, the manufacturer must expect that the device might be completely lost or fall into enemy hands, along with not only all the gathered data but also all the hi-tech technology that is powering the UAV.

The UAVs must also be able to operate independently if the control signal is lost or under harsh weather conditions – generally speaking, the UAV team must plan for the worst.

But when I recently asked some sales representatives who were offering me remotely controlled home appliances and furnishings about the security of their IoT ware, I was met with blank stares or, in the "better" case, very hollow assurances of how good the security of their devices really is.

This lack of explanation means two things – customers are probably unaware of even the basic level of IoT security, and the companies did not sufficiently consider the security angle in their IoT devices (or at least in the first batch of those). For example, if the military didn't encrypt the video feed broadcast from their early generation drones, where would that leave the non-military sector?

As customers, we should make our voices heard. We should insist that the producers of IoTs disclose more detailed information about the security of their products, how they manage the gathered data and what the procedures are if something goes wrong.

Also, whereas the car manufacturers are probably able to tightly control what will be in and what can be connected to their smart cars, the very heterogeneous world of home appliances is much more difficult to guard.

Anecdotal evidence still proves that it is not easy to pair even some of the pure IT devices on the first try, as anyone who owns something with Bluetooth can attest. Homes that try to connect IoT devices from various non-IT companies may face similar problems (but with much graver consequences).

Due to the rapid expansion of IoT and the rising threat of security breaches, IoT companies must focus a large portion of their energy on ensuring network safety and fostering a transparent relationship with their customers. Information about the applied framework, encryption and protocols should also be freely available, and preferably part of the device's leaflet manual.

One thing that all the recent hacking scandals proved is that once something is connected to the great informational superhighway, it might get hacked, hijacked or just completely obliterated for whatever reason – to obtain sensitive information, to add another bot to a botnet for a DDoS attack, or just for simpleminded fun. One of the not so distant examples is the case of network switches apparently hijacked in order to facilitate an attack on the Xbox and PSN networks during this past Christmas holidays.

This hack might not be such a tragic situation in the case of your PC/gaming console. In the worst case scenario, you would take it to your IT shop next door where they would check/clean/reformat it. However, if your IoT-enabled home heating pump unit were to get hacked – assuming you would be able to recognize that it was hacked – then you cannot simply disconnect it and take it somewhere for maintenance; it might get severely damaged before any technician would have time to arrive.

An important factor in this debate is also surely the cost/security/paranoia ratio. With enough funds, expertise and anxiety, you could turn any coupling of sensors and devices into an almost impenetrable IT fortress. Unfortunately, in most cases, the cost of running and maintaining such a solution would be exorbitant.

In the old traditional "analog" times it was somehow "easy" to avoid most of the criminality and its negative impacts. If you followed the basics of personal security and avoided certain areas, people, or questionable activities, then you would be reasonably safe. The security features of your physical doors and windows were clearly visible and available for tactile inspection.

However, with all of these IoT "black boxes" from unknown manufacturers with unknown security implementations, you are practically inviting the crime (in the form of possibly easy-to-compromise devices) into the heart of your living room.

So what can we as consumers and also as companies do about it?

As the IoT has a possible impact on almost every sphere of the human world, managing the evolving IoT ecosystems will not be a simple matter. It should also be noted that state-approved legislation always reacts too late to this kind of "disruptive" technology, so it takes even longer for the bureaucratic apparatus to formalize this domain and establish some basic legislative ground rules.

Going bottom-up – even the simplest and most generic IoT device should be able to operate in full capacity in the following technical/lifecycle areas:

  • Booting/bootstrapping – for example, the imprinted digital signatures must be checked.
  • Access control and device authentication – even the IoT-enabled washer should have login credentials. Its device-based access should carry as few privileges as possible, to limit the potential damage.
  • Network security and encryption – the network over which data is transmitted between the sensors, devices, hubs and clouds needs to be secure.
  • Patches/updates – IoT devices have very limited bandwidth and connectivity; a multi-GB patch would simply kill/incapacitate most of the IoT sensors or devices.
  • OS – the soul of all the devices.

Each of these points is crucial for every IoT device if it wants to survive in the current, not very evolved environment.

To facilitate the evolution, there are already established IoT workgroups that will tremendously help to fulfill all of these technical requirements. The workgroups will provide the certifications and frameworks covering the rules, processes, protocols and APIs so that smaller companies do not have to re-invent the IoT wheel (well, many will surely try anyway).

Another aspect that should be considered is the push for strong communication encryption and the possibility of "dumbing down" most of the fielded IoTs. There will probably be no huge discussion about the implementation of strong encryption algorithms in this domain. Of course, some low-key devices will not have enough logic power to implement it at this time, but future advances in miniaturization should close this gap.

"Dumbing down" IoT is one of the possible ways to approach the hacking/hijacking problem. If the sensors/devices/hubs contain mostly minimal/no logic, and all of the decision logic is performed in Cloud-based control centers, then the impact of some security breaches, sensor losses, or hijacks could be fairly limited and mitigated. However, all of the brain-logic in the cloud could represent a single point of failure, so the overall approach should be multilayered and consider all possible scenarios.

Interestingly – the IT companies and the communications and media providers already have at their disposal powerful tools that can address some of the threats/challenges that are (re-)introduced with the IoTs.

For example, while mobile operators and IT companies cannot do much about certain aspects such as booting or access control, some tools already fielded for many years in their OSS/BSS stack might be useful in tackling other IoT challenges: network tools, over-the-air (OTA) facilities for patching/updating of devices, mediation/ETL systems for processing the IoT-originated messages, complex CRM systems to keep track of all the customers, inventory systems for registering the multi-level hierarchy of their myriad IoT devices, Revenue Assurance and Business Intelligence tools for advanced analytics, and the processing power of Cloud and Big Data facilities – to name a few.

Additionally – the IoT might also create new billing schemes, but current telco billing platforms (including Excelacom's Billing for Cloud Services) should be more than powerful enough to handle this part.

We at Excelacom are ready to help you with all these newly arising ferocious challenges. We have deep knowledge of current and future communications and media providers and IT technologies (whether through our architecture consultancies or direct implementation cooperation with our customers), and our numerous ranks of skilled business athletes always strive to prepare for our customers' smooth passage through the vicious and dark IT jungle! For more information, email us at marketing@excelacom.com.

 