Q: What are the challenges in implementing the IoT on a large scale?
A: Technical challenges include government regulations with regard to spectrum allocation, security, battery issues, cost and privacy. Security, standards and overburdening the network are three requirements that need to be focused on before implementing for mass adoption in the modern business place.
Q: What are the little things that we easily overlook when dealing with the IoT scenario?
A: Good throughput is important for the IoT, but there will be trade-off between data speed and battery life. Although it is still a concept, 5G has some wonderful attributes – not the least of which – conservation of battery life, which may transform the IoT in the future. Multiple-input multiple-output (MIMO) technology is set to be a key part of these efficiency measures. Existing IoT sensors, however, are not equipped to take advantage of 5G technology. Samsung, LG Uplus and Huwaei are already playing with new 5G technologies. New devices may need to have multiple antennae for fewer dropouts. Current devices can house no more than two antennae.
Q: With everything connected to everything, how do we tackle privacy issues?
A: The challenge, especially in the United Kingdom (UK), with the ubiquity of closed-circuit television (CCTV) cameras, is the need to be aware that privacy issues can arise due to data collection mechanisms that may lead to user profiling and identification of individuals in unforeseen use case scenarios. Utmost care needs to be taken when deploying data collection devices with regard to their lifecycle, data collection mechanisms and overall security protocols.
It is crucial that information security, privacy and data protection be addressed comprehensively at the design phase. We need to start training our graduates in best practice aggregation and anonymity of data. Yes, by all means, collect data that benefits the society but we need those who do so to know how to first scrub individual identifying information that might invade privacy. One of the next steps now is for governments to engage more with the public through workshops on privacy and data collection. If we leave it for too long, it may be too late to put the genie back in the bottle.
Q: The availability of actuators connected to the IoT could result in virtual and coding attacks having real world effects. What are your comments on this?
A: Security must be a priority. Take for example, an early success of the IoT in some countries like the UK – the introduction of ‘smart meters’. These are network-connected meters that ‘broadcast’ our power usage to the power company. There is, however, a real possibility that unscrupulous individuals can commit a crime by manipulating the data captured by the meter. A hacker, for instance, could compromise a smart meter to find out about a home owner’s peak usage times to learn when they are likely to be out. On a larger scale, however, there is a threat whereby smart meters that are connected to smart grids could be attacked, leading to complete failure of the system. In fact, it is an ideal attack from rogue nations or terrorist organisations as once the electricity is cut-off, pretty much every aspect of life in that region is affected.
The installation of smart meters controlled from a single head-end is one of the most critical deployments to be properly designed in a secure manner. If an attacker was to compromise on such critical infrastructure and send commands to multiple meters to stop or modify the charging, then the public backlash will be significant. It is serious because people can simply die when power gets cut off. This is not a threat scenario dreamed up by futurists. We actually know that Chinese authorities have done extensive reconnaissance of western energy networks. So, it is a real possibility that a nation state might launch such an attack during a time of international tension. Of course, indigenous terrorist groups can also launch similar attacks. Attacks can be conducted in ransom-like manners as
Q: Are we equipped to handle this?
A: Many industrial IoT roll-outhave neglected the end-to-end security aspect. We know that a core reason for this is that many of the embedded devices do not simply have enough computing power to implement all the relevant security layers and functionality necessary. There is then the actual heterogeneity of devices and the lack of industry or de facto standards for connecting the IoT. A large number of smart objects are battery-operated; thus, a critical aspect in this case is the power consumption. IoT deployments can be impeded for physical reasons (e.g., lack of network connectivity), technical reasons (e.g., lack of technical standards) or legal reasons (e.g., lack of intellectual property rights to share data).
Q: What is the present scenario when it comes to standardisation?
A: We are still a long way from creating scalable solutions where products from different vendors can communicate with each other. Industrial verticals might be the first to achieve some form of integrated IoT solutions because business value (e.g., costs, preventative maintenance, better equipment efficiencies etc) can be measured and quantified.
Q: Are there any leading standards presently?
A: One attempt to standardise is the AllSeen Alliance (www.allseenalliance.org). They are an IoT industry group to encourage interoperability among connected devices, regardless of their manufacturer. Its members include the Linux Foundation, LG, Panasonic, Qualcomm, Sharp and HTC. The group’s software will be based on AllJoyn, which is Qualcomm’s open source IoT software. AllJoyn allows app developers to decide what level of security to build into a product and whether or not to encrypt data transferred from say, a smart toothbrush, to a corresponding smartphone app.
Newcomers to this alliance include Automatic, which connects to your car’s computer and sends its data to your smartphone, to give you a picture of how efficiently you are driving. Nest and its smart thermostat with a smoke and carbon monoxide detector called Nest Protect are members. Microsoft Research’s Lab of Things software also attempts to simplify the monitoring, automating and controlling of all kinds of smart devices in homes. There are many other smaller players such as OpenRemote’s open source software that can connect and automate all kinds of devices. You can use its software to design a custom device controller. The iPad app controls multiple lights, ceiling fans, television and stereo. Pressing a single button within the app can shut off all the lights and gadgets. They eventually hope to establish a common platform that manufacturers can use to make all kinds of home-automation products simpler to set up and use and to allow devices from different makers to work together smoothly.
Device-making tips, skill sets and big data…
Q: What is your advice to IoT device manufacturers?
A: Manufacturers of devices that will contribute to the IoT need to consider the correct forms of cryptographic algorithms and modes needed for IoT devices. There is an international organisation for standardisation/ international electrotechnical commission (ISO/IEC) 29192 standard that was devised to implement lightweight cryptography on constrained devices. There was a need for this as many IoT devices have a limited memory size and battery life, along with restricted processors. Traditional ‘heavy’ cryptography is difficult to deploy on a typical sensor, hence the deployment of many insecure IoT devices. Regulations for the IoT need to address issues of ‘minimum specifications’ for IoT devices.
Q: What about the skill-set needed for handling these devices?
A: It will be difficult to hire the skills required to manage IoT deployments as the actual devices, communications infrastructure and back-end platforms grow in complexity. Even now, it is difficult to recruit staff with good experience in some of these areas. Imagine when the IoT takes over the recording of most parts of the society. New challenges will arise. For instance, engineers need to be able to predict loads on their infrastructure accurately. They need to estimate proper wireless coverage; over-provide and they waste an organisation’s money. Specialist jobs in this area will become high-paying. Related is the challenging area of testing performance. Application performance needs testing. There will also be a need to be able to work out if sensor data spikes are being dealt with effectively. In general, network performance monitoring will often be the primary source of highlighting problems.
Q: How does one handle big data?
A: An IoT scenario deals with big volumes of data due to the large number of sensors involved. There
are three main problems that must be solved: resolution, sensitivity and reliability. Compressed sensing refers to the method used to reduce the number of samples collected in an IoT wireless sensor network. Thus, it is possible to create standalone applications that require fewer resources. While the demand for higher capacity storage has always been there, the IoT accelerates this by producing ever-increasing volumes of data, both on the consumer and enterprise ends.
Handling security and classifying risks
Q: What is your advice for IoT companies?
A: Companies will have to pay more attention to the secure storage of data collected via the IoT as legal repercussions creep in and the data being collected increases. This data is generally stored in the cloud. Therefore, all recommended practices applicable to securing data in the cloud equally apply here. Companies, in particular those with large data sets, should pay extra attention to the data lifecycle phases and ensure that aspects such as data destruction are provided and auditable as part of the service, due to the multi-tenant nature of a cloud platform. The fact that any company is allowing confidential datasets to reside outside the company network should lead them to examine how they can robustly protect that data and the answer can be simply a layered security strategy. The core principle to be followed here is the encryption of data.
Ultimately, it is critical that they implement a layered security strategy regarding cloud services, as their data is more exposed than previously. It is critical to get buy-in from upper-management. More so than ever, security breaches can greatly affect their reputation. There are numerous examples in the last 12 months, e.g., Skype, Adobe and Sony. Cybercrime is on the rise. Therefore, we should think about security in terms of process, people and technology. This will involve creating security policies with internal departments, performing audits, implementing physical security control and classifying.
Q: What are the risks involved from an organisation’s perspective?
A: The implementation of Internet-based services and rapid connectivity to external parties has led to increased risks to an organisation’s internal assets. Information that is more valuable than ever before is more accessible and easier to divert. Organisations that fail to address the broader security issues that accompany this change will have insufficient controls in place to minimise risks. These risks could lead to significant financial, legal difficulties and reputation risk for these organisations. Appropriate preventive, detective and corrective controls in the form of policies, standards, procedures, organisational structures or software/technology functions and monitoring mechanisms are therefore required to minimise the risks associated with the confidentiality, integrity and availability of information assets within an organisation. These aspects of security should be the underpinnings of any IoT regulation policy.