IoT is just another network
TechFire hears that while IoT needs careful consideration, its potential value far outweighs cost, security and complexity concerns
12 November 2019
Despite their challenges, Internet of Things (IoT) technologies represent an unprecedented business opportunity.
This was the overarching theme from the recent TechFire event, where security, integration and business value were discussed by a panel of experts, with the reassuring attitude of one experienced professional being “it’s just another network”.
Emphasising the need for device and sensor security, Gerhard Niederfeld, head of advanced development, ISTA AG, said that when devices are deployed in people’s homes, accessibility is an issue, but so is potential interference.
ISTA AG provides energy usage and monitoring services to homes and businesses in Germany, heavily leveraging IoT networks, which have transformed how this can be accomplished. As many of ISTA’s sensors contribute to billing information, they are liable to interference from certain quarters. According to Niederfeld, the combination of a lack of physical access and potential tampering represents a significant challenge for IoT deployment and management.
One of the most challenging things in IoT, said Niederfeld, in contrast to the human factors, is that the machines will not complain, and it will not necessarily show up if an issue occurs. Class-breaking attacks in this field can be very harmful, too.
“We put a lot of effort into the devices to detect this kind of activity [tampering] and react in an appropriate way,” said Niederfeld.
Also, the devices are always very constrained, so carrying out updates is not very easy, if possible at all, he said. It is not an option to run firewalls or virus scans on those kinds of devices.
However, Niederfeld advised that these devices should never be connected directly to the Internet, as they will be lost in hours or minutes. He warned against the approach of having IoT devices that were what he termed ‘mini servers’, as this would make them particularly vulnerable to hacking and hijacking.
Security can be a threat to IoT project implementation, said Adrian Burns, president, IoT Solutions Division, Taoglas. A manufacturer of IoT equipment and infrastructure, Taoglas has worked with a broad spectrum of companies, from instrumented animal wear with Horsewear Ireland, to Glen Dimplex home appliances and healthcare vendors. Burns said that he was aware of major pilots where the security issues identified actually scuppered implementation.
However, Burns said that a rational approach to implementation and integration would, supported by a strong business case, usually allay security fears. It is complex, but he said that leveraging existing implementations such as databases, networks, enterprise resource planning (ERP) and customer relationship management (CRM) systems would allow organisations to achieve the benefits of IoT, without introducing unnecessary risk.
Alan O’Brien, director of Global Technology Services, Glanbia, opined that “IoT is just another network”.
From that perspective, he said, while there are unique elements to IoT systems, they require just the same protections, and can be integrated into enterprise systems without introducing unmanageable risk.
Speaking from long experience in IoT usage in Glanbia, O’Brien said that its trucks used hardware encryption on sensors and gateways, with VPN connections over the Three cloud, to encrypted API gateways, through a firewall and into the data centre, where encrypted databases received data, to supply an analytics engine.
“You need to look at that implementation piece, if you don’t have your own team, get independent help,” said O’Brien.
ISTA’s Niederfeld emphasised that all aspects of the security chain are already here.
The good news is that the technology is there, he said. “It is not a miracle, it is not a secret, it is doable, but it is just about doing it correctly.”
Hackers are not looking to break encryption or hack devices; what they are looking for is improper implementation, Niederfeld argued. It is all about quality, taking all the measures together, and doing it properly.
Proper key management is important for encryption protections, he added.
Burns echoed this, adding that security starts with the sensor manufacturers.
“It all starts in the manufacturing plant,” said Burns, “where the devices are made, putting a secure authenticator on the actual hardware, allows you to do not just encryption — the level one of security for the Internet — but also putting mutual authentication on it, so it knows it’s talking to the right cloud and the cloud knows it’s talking to the right device.”
“Beyond that, it transfers into various backend systems, such as CRM, databases and data lakes. But without that edge security from hardware up, the cloud will never know if it is an authenticated device that is talking to it, even if it is encrypted.”
Niederfeld pointed out that when it comes to cloud, it is the back end that is the really dangerous part.
“Typically, a cloud is connected to many IT systems, so the exposure and risk goes up,” he said. “Often, the greatest risk is from internal attack, which can then go out onto the cloud and out to other devices.”
“It is always a good idea to keep those device clouds separate, not to expose them to exploration attacks,” said Niederfeld.
When it comes to making a business case for IoT, Myles Gardiner, IoT sales manager, Three, said the simple approach was key, by clearly identifying the business problem that needs to be tackled.
“It is also about understanding needs, whether you are looking to cut costs, or drive revenues,” he said. “An IoT project will not fly if there isn’t a strong business case. You’ve got to identify the financial benefits.”
Responding to a question from the floor, Gardiner said that project size can be anything, from ‘mom and pop’ retailers, to enabling store chains and anything in between. Referencing Three’s Arranmore Island Project, Gardiner said that they had been able to provide a variety of implementations, from assisted living to commercial considerations in fisheries, demonstrating the breadth of capability possible, but also the scale, from single devices to networks of thousands.
Burns echoed this, with respect to cost of entry in particular. He said that pilots and projects can be tailored to meet specific needs, but that tens of devices and sensors made sense in some cases. He discussed cost structures too, illustrating that in certain aspects of implementation, such as sensors and supporting infrastructure, there were capital costs, but that in other areas, there were subscription costs, such as asset management solutions and cloud platforms. He said it was important to have an end-to-end view of such cost structures to be able to properly assess the real cost of IoT, especially when it comes to expressing business value and return on investment.
Glanbia’s O’Brien said that a current pilot included just a few instances where a trial was being carried out with a new type of sensor for feed bin level monitoring on farms.
A show of hands from the audience indicated that about a third of organisations represented were already using IoT technologies, but less than 10% were in active evaluation before implementation.
The panel concluded on a more or less unanimous note that IoT can be successfully integrated with enterprise infrastructure, in a secure manner, to provide a data flow to solve real business issues, based on current knowledge, experience and technology.