Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

The Internet of (Secure) Things – Embedding Security in the IoT

We’re seeing a glimmer of the future – the Internet of Things (IoT) – where anything and everything is or contains a sensor that can communicate over the network/Internet. The underlying technology enabling IoT is Machine-to-Machine (M2M) communications. Your running shoe tracks your workouts, sending the data to a mobile app. Your wristband tracks your daily activities, including sleep patterns. Your smartphone controls your television. Your tablet displays recorded videos from your home DVR, anywhere in the world. Your refrigerator tracks your food consumption and contacts a nearby grocery store to restock (someday delivered by drones!). Your car self-tunes and in the future may self-drive and be aware of your schedule (so it will self-start and adjust the environment when it’s time to go to work). These are examples of consumer-oriented sensors and devices, but the same development has occurred in parallel in business, professional, infrastructure, government and military applications. Here are some examples…

 

Healthcare: Think of medical devices and how they’ve progressed – from pin pricks for testing blood sugar, to diabetes pumps, to contact lenses that can monitor your blood sugar. Pacemakers can report statistics on your heart to doctors and hospitals.

 

Homes/Offices: Companies and utilities are building sensors into major appliances and HVAC systems. You can opt-in to smart metering so that a utility can load balance energy distribution. That capability is starting to reach into the home, with NEST thermostats and smoke detectors for example. Security alarm systems have communicated with operations centers and police for a long time, but now allow monitoring and control from your smartphone. These smart home technologies are also being applied to smart office buildings. Sensors throughout a building monitor power demand, air temperature and moisture, light levels and external factors (e.g. weather reports). That data is integrated with the building control system and room schedules to optimize energy consumption.

 

Transportation: For automotive vehicles, there are speed and red-light cameras, EZ Pass toll payments, bridge stress sensors, and traffic management systems outside the vehicle. Inside, there are diagnostic monitors, heads-up displays, adaptive cruise control, and integration with smartphone or in-vehicle GPS/mapping systems. Similar sensor systems exist for rail, sea and air transportation.

 

Agriculture: GPS-directed combines and sensors on everything from sprinkler/irrigation systems to soil/fertilizer quality are connected via a mesh network to optimize production and quality (thanks Ray Van Houtte for your graduate work in the 1970s!).

 

Military: Sensor systems are being used to improve operations from logistics to the battlespace. By tracking the details of every item, the supply chain can be dynamic and more easily optimized. Sensors on drones and robots – air, land and sea – communicate to human operators, analysts and soldiers in the field to improve situational awareness and tactics. There’s even an Android app that leverages M2M communication to a scope to enable a sniper rifle to hit the target every time, regardless of the shooter’s expertise.

 

 

Last year, there were over 10 billion connected devices, and estimates predict this number to climb to anywhere from 30 to 50 billion by 2020. In terms of sensors, HP Labs estimates that we’ll hit 1 trillion before too long. To leverage the data and information across a number of these areas, HP Labs is working on a project called CeNSE (Central Nervous System for the Earth):

  http://www8.hp.com/us/en/hp-information/environment/cense.html#.UuQmw00o7IU

 

CeNSE intends to deploy billions of nanoscale sensors that detect and communicate information across all five human senses. The goal is to better understand our world in order to improve resource management and predict dangers to safety and security in the physical world.


 

 

With these burgeoning capabilities, there needs to be some focus on cyber security. In my previous blogs, I wrote about continuous monitoring. In today’s environments, attempts to continuously monitor enterprise security already struggle to track current assets, which for large organizations number in the hundreds of thousands. The IoT will multiply those assets by a million or more. Today those assets are built on a variety of platforms and operating systems; the software is rarely patched and their communications are not secured. We’ve already seen examples of exploits of these systems – automobile telematics, pacemakers, smart TVs, and more. Science fiction depicts the worst of these scenarios in movies like “Terminator” or “The Matrix”, with machines taking over the world. In the latest of these, Ray Kurzweil’s idea of the singularity moves to the dark side, with a human intelligence taking control of the IoT in “Transcendence”:

http://www.transcendencemovie.com/

 

Things aren’t necessarily so dire. The need to embed security in the IoT, from sensors to mobile apps to back-end infrastructure, is recognized, and a number of efforts are working to address the issue.

 

In private industry, there are companies using their expertise in cybersecurity to provide solutions in this space – QNX, acquired by BlackBerry, and Mocana. QNX is a mature Unix operating system, and over the years its developers have built the most secure real-time operating system (RTOS) for embedded systems, Neutrino. It’s being used in automobile systems, home appliances, and to secure M2M communications.

http://www.qnx.com/products/neutrino-rtos/index.html

 

Mocana is working on a new type of product code called AtoM (App-to-Machine) that will allow different users to manage and control devices securely, depending on their authority. In addition, they have built a Device Security Framework that provides end-to-end security for any device, based on US Government standards and regulations.

https://www.mocana.com/for-device-manufacturers/device-security-framework/

 

On the open source side, there is an effort called AllJoyn to build common communication platforms and interfaces for the IoT. It simplifies device information and configuration, onboarding, notification, control, and audio streaming.

https://www.alljoyn.org/

 

Similarly, the AllSeen Alliance expands AllJoyn’s framework to multiple manufacturers and communication fabrics.

https://allseenalliance.org/

 

By enabling a variety of devices to integrate, communicate and connect, these initiatives will provide a common framework to secure and monitor the IoT. It's something we have to build into the IoT ecosystem now. If we wait, we'll be playing catch-up, just like we are in Internet security, but at a much larger scale. Of course, with billions and trillions of devices and sensors, the accumulation of this information leads to a discussion of big data and big security data, which I will address next time.

Comments
Lukas Hatala(anon) | ‎03-10-2014 08:05 AM

Hello,

 

I have already been working on this initiative for a long time. I have already evaluated the best technology platform for connecting sensors and machines into M2M/IoT (IEC 62541) and identified the best way to integrate it into HP infrastructure.

The possibilities are many times bigger than you described here, IMHO.

 

You can see a little bit in the innovation that I logged for this topic:

https://garage.brightidea.com/D18908

 

In case you are interested in how to connect the shop floor (ISA-95 model levels 0-3) to the top floor (ISA-95 model level 4) in a relatively simple way, do not hesitate to contact me.

 

Best Regards,

 

Lukas

Michael Holdmann(anon) | ‎06-07-2014 04:43 PM

This is already done. The protocol is XMPP; it is mandated by DoD for real-time communication: Voice, Video, Chat, Messaging and Presence. Coversant has been certified by DISA and placed on UC APL.

 

Coversant, Inc. IoT-SB (an HP partner) uses TLS, SCRAM SHA-1 PLUS SASL EXTERNAL with channel binding, mitigating man-in-the-middle attacks; close all incoming ports on firewall, whitelist/blacklist directly on server. The platform does 240,000 concurrent at 60,000 1k messages/second on HP servers with 2x4core 16gh and 2x10gb NICS, tested in HP labs.

 

Currently used for RDM for HVAC in a 200,000-building network with 125-1500 devices per building, and RDM for a 1,000,000 set-top box cable network with 100% real-time anonymous user activity delivered to a ratings agency securely. Publisher authorizes who gets data, not subscriber, as well as what data they get based on clearance level.

Everyone needs to stop trying to reinvent XMPP and start to use the GW-Cloud secure bidirectional event-driven protocol.

 

mholdmann.wordpress.com

About the Author
Manage cyber engineering & architecture team developing security services, security reference architectures, big data security, mobility, cl...
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.