issa-uk - securing the internet of things - cio seminar 13 may 2014

Adrian Wright VP Research & Board - ISSA-UK CEO - Secoda Risk Management The Internet of Things What should we start thinking about & planning now?

Upload: adrian-wright

Post on 26-Jun-2015


DESCRIPTION

Embracing & Securing the Internet of Things. A briefing for CIOs at the CIO Dialogue 9, Oxford, May 2014. Presenter: Adrian Wright, VP of Research, Information Systems Security Association; CEO of Secoda Risk Management.

TRANSCRIPT

Page 1: ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014

Adrian Wright, VP Research & Board - ISSA-UK, CEO - Secoda Risk Management

The Internet of Things: What should we start thinking about & planning now?

Page 2:

Enterprise & The Internet of Things

1. Hitchhiker's Guide to the Thingiverse

2. New World? Or just Hype?

3. Technology Drivers, Enablers, Challenges

4. Security & Privacy Issues

5. Summary & Questions

Page 3:

Start with a good quote:

And some cynical humour for good measure:

Page 4:

Talk is everywhere - even if IoT isn’t yet

Page 5:

1. Anatomy of M2M

"The Internet of Things is not a concept; it is a network. The true technology-enabled Network of all networks". Edewede Oriwoh (bio: http://www.researchgate.net/profile/Edewede_Oriwoh/ )

Page 6:

More devices than people

Page 7:

Implications

• IoT = Future where everyday physical objects will be connected to the Internet and will be able to identify themselves to other devices

• IoT = Integration of the physical and virtual world

• IoT = Significant, as when a physical object is represented in the virtual world it can be connected to other virtually represented objects & data

• IoT = Object can be monitored & managed based on preset parameters

• IoT = Huge revenue opportunity for mobile operators: $1.2 trillion by 2020*. Most profit coming from app development rather than delivering connectivity

* GSMA report Oct 2011 with AT&T, Deutsche Bank, KT, Telenor Connexion, Vodafone & Machina Research. Link to Report here: http://machinaresearch.com/report-m2m-communications-service-provider-benchmarking-report-2013/

Page 8:

Projected growth

Page 9:

On the road to somewhere

Page 10:

When will it all happen?

Link to original paper: http://www.booz.com/media/file/Rise_Of_Generation_C.pdf

Page 11:

Gartner Hype Cycle

Link to image source: http://joemurphylibraryfuture.com/gartner-2012-hype-cycle-for-emerging-technologies/

Page 12:

M2M Your Life

Page 13:

It's already here… in places

However:

• Existing M2M solutions highly fragmented & typically dedicated to a single application (e.g. fleet management, meter reading, vending machines).

• Multitude of technical solutions & dispersed standardisation activities result in slow development of global M2M market.

• Standardisation is key enabler to remove technical barriers & ensure interoperable M2M services & networks

• M2M / IoT has huge potential but currently comprises a heterogeneous collection of established & emerging (often competing) technologies & standards (although moves are afoot here). This is because the concept applies to, and has grown from, a wide range of market sectors.

Page 14:

Market example – smart parking

Page 15:

What is it?

• Once upon a time the Internet was about connecting people via their computers

• Then mobile allowed people to connect while on the move

• As simpler devices come equipped with IP connections, people have largely left the room leaving all sorts of devices talking directly to each other and to higher systems via the web, without human intervention or supervision

• By 2020 30-50 billion ‘things’ will be connected to the internet, from simple widgets like temperature sensors & domestic water meters to more critical devices like medical monitors, power plant telemetry & ATMs

• This is called M2M (Machine to Machine) communication, as distinct from H2H (Human to Human) & dubbed “The Internet of Things”* (IoT)

• Today 12 bn devices connected to the internet, incl 8 bn mobile devices

* Term initially used by Kevin Ashton in 1999 (About Kevin Ashton: http://kevinjashton.com/ )

Page 16:

Will it actually happen in Enterprises?

No:

• No interoperability standard(s):
– We create an "Internet of Silos"
• Privacy & security fears
• Slow transition to IPv6
• Big data analytics not evolved
• Battery technology doesn't outstrip Moore's Law
• No clear business benefits
• We can't manage it

Yes:

• Interoperability & connectivity sorted
• Standard(s) adopted
• Security & privacy issues contained
• Large IP address ranges available
• Data analytics scale to meet challenges
• Battery & solar technologies keep pace
• Clear business benefits identified
• Management supervisory systems & standards emerge

Partially:

• Fragmented
• Slower uptake

Page 17:

IoT Plans

Page 18:

Why bother now?

• Forrester say there’s low ‘connected world’ adoption among enterprise customers.

• 2013 networks & telecoms survey says “50% of companies have no interest and/or no plans to implement M2M or IoT capabilities, while just 8% tell us they have implemented”

• Lack of interest causes:
– security concerns (37%);
– costs (32%);
– technology immaturity (25%);
– integration challenges;
– migration and/or installation risks;
– regulatory issues.

• More pressing priorities

• Your strategy might simply be to say, "let's wait and see."

• Historically, when we try to play catch up – we never actually do

• Retrofitting costly & ineffective

• Like early PCs, dot com, mobile adopters – early pioneers were winners

• If it takes off: you snooze – you lose!

Page 19:

CIO Viewpoint

(Diagram) Enterprise viewpoints: Business / Customer Opportunity; Employees IoT (BYOD); Internal IoT

Page 20:

Implications for CIOs

• IoT in workplace will be another BYOD – IoT enabled personal devices
• Bring-your-own-Cloud: already here but IoT brings tighter integration
• Low-end infrastructure devices will start to appear IoT enabled
• Privacy issues: blurring the line between private & business data
• Liability questions: employee personal banking etc.
• ISACA recommends five steps enterprises can take to be agile in the Internet of Things era:
– 1. Act quickly; enterprises cannot afford to be reactive
– 2. Govern the initiative to ensure that data remain secure and risks are managed
– 3. Identify expected benefits and how to measure them
– 4. Leverage internal technology steering committee to communicate benefits to the board.
– 5. Embrace creativity and encourage innovation.

Page 21:

CIO Challenges / Opportunities

• Technical debt (aka code quality) exposing creaking architecture to big data, customers, salespeople
– Might want to start technical debt reversal sooner than later

• User driven and they'll expect to just do things when the time comes
– Connectivity is key

• In many cases IoT systems are using firmware that's hard or impossible to patch

• Building automation is absolutely ripe for exploitation.

• The trick is to resolutely deploy the hype shield & look out for information content that will deliver real value to the organisation.

“Much of the value from the Internet of Things will come from the data, making Big Data analysis a cornerstone of the success of the Internet of Things and a clear reason for CIOs to be involved.”

Page 22:

Concepts & Jargon

• Things: Physical entities whose identity, state (or surroundings) are capable of being relayed to an internet-connected IT infrastructure.
– Anything to which you can attach a sensor — a cow in a field, a container on a cargo vessel, the air-conditioning unit in your office, a lamppost in the street — can become a node in the Internet of Things.

• Sensors: Components of 'things' that gather and/or disseminate data
– e.g. location, altitude, velocity, temperature, illumination, motion, power, humidity, blood sugar, air quality, soil moisture - you name it.
– Not 'computers' as such but have CPU, memory, storage, I/O, OS, app s/w
– Key point is increasingly cheap, plentiful, can communicate via internet & other internet-connected devices

• Comms (local-area): All IoT sensors require some means of relaying data to the outside world.
– Plethora of short-range or local area wireless technologies available incl RFID, NFC, Wi-Fi, Bluetooth, Wireless M-Bus + wired Ethernet

Page 23:

Concepts & Jargon (cont.)

Libelium's customisable Waspmote sensor/comms board (left) and the Waspmote Plug & Sense enclosure (right), with connections for sensors, antennas, a solar panel and USB PC connectivity

• Comms (wide-area): links via existing mobile networks GSM, GPRS, 3G, LTE or WiMAX & satellite connections.
– New wireless networks: ultra-narrowband SIGFOX & TV white-space NeulNET emerging specifically for M2M connectivity.
– Fixed 'things' in convenient locations could use wired Ethernet or phone lines for wide-area connections

• Server (on premise):
– Some M2M installations use a local server to collect & analyse data - both real time and episodically - from assets on the local area network.
– On-premise servers or simpler gateways usually also connect to cloud-based storage & services.

Page 24:

Concepts & Jargon (cont.)

• Local scanning device: 'Things' with short-range sensors located in a restricted area but not permanently connected to a local area network
– (RFID-tagged livestock on a farm, or credit-card-toting shoppers in a mall, for example). In this case, local scanning devices extract data and transmit it onwards for processing

• Storage & analytics: IoT will require massive, scalable storage & processing capacity
– Will almost invariably reside in the cloud, except for specific localised or security-sensitive cases.
– Service providers will need access here to curate the data & tweak analytics, but also for LoB processes such as customer relations, billing, technical support

• User-facing services:
– Subsets of data & analyses from the IoT available to users or subscribers, presented (hopefully) via easily accessible, navigable interfaces on the full spectrum of secure client devices

Page 25:

Network-level shift & challenges

• IoT data transfer patterns differ fundamentally from classic 'human-to-human'.

• M2M communications: orders of magnitude more nodes than H2H
– mostly low-bandwidth, upload-biased traffic.

• Many M2M applications need to deliver & process information in real time, or near-real-time.
– Many nodes will have to be extremely low-power or self-powered (e.g. solar powered) devices.

• Requires billions of new IP addresses we currently don't have.
– IPv4 restricted to c. 4.3 billion addresses.
– IPv6 required but it will have to be lightweight (likely with trimmed-down security attributes)
– APNIC has already run out of addresses. Reclamation of unused IPv4 address space. Markets in IP addresses - to buy back space.
– Urgency on transition mechanisms IPv4 to 6

Page 26:

2. Big Security Questions

"The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking." Albert Einstein

Page 27:

Privacy anyone?

Page 28:

What’s changed security-wise?

• Underlying principle of M2M communications isn't particularly new.
– Similar technology has been used for decades at power stations, water utilities, building control and management systems, usually in the more recognisable form of supervisory control and data acquisition (SCADA) systems.

• However these systems are typically custom implementations
– Often running proprietary operating systems, and without any particular standard to follow. Assumption is usually that they're behind a firewall

• CT scanners, MRI scanners, dialysis machines - they're on an internet.
– They talk IP, and they have massively vulnerable operating systems. They're running embedded versions of Windows

• Smart meters, ATMs, SCADA systems: rollout of patches and updates
– Tends to be slower than you would normally have compared with your home PC, where you get a normal update every week or so or every month
– There's a lightweight version of IPv6 you can use on M2M type of communications, but it's not full IPv6

• Sheer scale and numbers of things to secure…

Page 29:

Control Maturity

Unconsciously Uncontrolled
• Unaware of what IoT is
• No strategy / policy
• No definition
• No deployment visibility or control

Consciously Uncontrolled
• Some strategy & policy
• Some definition & insight
• Maybe some standards
• No education & awareness
• No process for identifying, controlling & managing deployments

Unconsciously Controlled
• No strategy & policy
• No definition & insight
• But no deployments due to other reasons: culture / fixed mindset / rigid command & control; technical, economic or other inhibitors

Consciously Controlled
• It's known & understood
• Well communicated strategy, policy, stds
• Governs appropriate use
• Good awareness
• Visibility & control of all deployment programmes

Page 30:

Security FUD corner

• The security implications are obvious, where hackers might be able to do anything from running up people's electricity bills to shutting down an oil pipeline.
– We've already had a preview of this with the Stuxnet SCADA story and M2M / The Internet of Things will take us infinitely deeper into that territory…

• Denial of service (DoS) could have new consequences.
– Many field-based devices will be powered from batteries. Hit them with long bursts of spurious requests and you'll kill their power.

• Encrypting information tends to be a processor-intensive task
– Meaning devices need to be selective as to what to encrypt, as opposed to the web's trend toward full end-to-end encryption.
– Unless nanotechnology and battery manufacturing increases as per Moore's Law, it's going to be a huge issue.

• You don't want to have devices with any kind of identification left lying around
– Need effective disposal or self-disposal processes built into protocols. Once decommissioned they'll need to 'Mission Impossible'-style self destruct remotely

• Slow transition from IPv4 networks to IPv6 could harm M2M uptake.
– With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6

Page 31:

No security standard…anytime soon

• "It's either going to take a standard for the industry to agree on, or a very powerful vendor to make things work, so that everyone kind of says, 'Well, that works, so I'm just going to use that for the pure ease of use.' It might be completely proprietary, but all we really care about is that stuff works and stuff's secure, in that order, unfortunately."

• “It's entirely possible that despite the work by research groups, standards and possibly security could be circumvented entirely if a powerful enough company stepped up”

• "We can be sure of one thing: The lion’s share of IoT growth over the next 3-5 years is going to occur in market segments where the value is tangible – and these are almost wholly seen in the business-centric marketplace". Alex Brisbourne

Page 32:

Security forecast

• Information Security is often an afterthought for nascent technology & nearly always in catch-up mode, retrofitting, patching, firefighting.

• IoT presents a unique opportunity to build in security from the off

• If IoT takes off as predicted, there won't be opportunities to retrofit security after the fact, due to sheer scale & technical issues

• Whoever achieves market dominance over IoT could ultimately hold the keys to securing civilisation – and might not do a good job of it!

• Market fragmentation and resulting lack of standards a major problem

• Low-cost, mass-market devices from China or ?? What's in them?

• Western civilisation will be hugely more vulnerable than those who might attack us. Critical infrastructure, privacy et al

• In this future gold rush, will security be sacrificed for other gains?

• PRISM, NSA, Orwell, 1984 & Big Brother. When everything and everyone can be tracked & monitored – who will police the police?

Page 33:

CIO Priorities - Gartner

Gartner analysts advise CIOs to do 3 things now:

• Start taking a lead figuring out the information needs the organisation has from its own Internet of Things.
– Information analysis drives the business case, re efficiency, reduced costs & increased revenue.

• Create a team to become the experts on Internet of Things.
– Build knowledge, skills & partnerships.

• Ensure big data efforts are aligned with your IoT strategies
– Data analysis is the driving force behind IoT, and should include the information you intend to get from your network of "things"

Page 34:

Things to ponder

1. Is this a new problem, or just a new take on an existing one?

2. Are there enough IP addresses available for these billions of 'things'? Or will we be forced into IPv6, carrier-grade NAT, or end up putting large numbers of devices behind each public IP address, and what are the security implications of those choices?

3. The dumber the connected device, the more basic the security attributes of the device are likely to be. So how will the billions of such devices be security-monitored and updated to maintain security in the face of emerging threats?

4. What are the implications for protecting critical infrastructure and cyber-warfare/espionage? Could hackers shut off all our water, drain our bank accounts, melt our ice cream and turn all the traffic lights to red?

5. Flooding market with low-cost, mass-market devices usually means buying from economies like China or Vietnam. With the Huawei debate escalating, how can we be certain of no hidden trapdoors inside these widgets?

6. Big Data: do we have the technologies to analyse massive amounts of data?

7. With the PRISM scandal, will Privacy become an obsolete concept?

Page 35:

Help!

Link to original work: http://farm2.staticflickr.com/1419/5159177886_1276e96f54_b.jpg

Page 36:

Get Involved!

Page 37:

We need to look ahead this time!

Page 38:

[email protected]@secoda.com t. 44 (0)8456 4 27001 m.44 (0)780 363 9704