Thomas Fischer, global security advocate at Digital Guardian, assesses the role security will play in the IoT and argues that manufacturers must return to the drawing board to find a sustainable, long-term solution.
For a while now, the issue of IoT security has been a growing problem that few want to face up to. The technology industry is renowned for its fast pace and the advantages of being first to market can often be significant, so it’s no surprise to see new IoT products being released at a furious rate. Unfortunately, this rush to market can often result in products and devices that are vulnerable to cyberattacks.
For manufacturers, the IoT is a particularly difficult nut to crack. In addition to time pressures, the demand for user friendliness – combined with highly stringent cost controls – means that, even if the will is there, finding a fast, cost-efficient security solution can be a challenge.
One major problem is that many IoT devices still use extremely cheap processing units akin to something that would have been used several decades ago, only on a much smaller scale. These kinds of processors lack both the memory capacity and input mechanisms required to conduct the regular security updates and patches that would normally take place on PCs and mobile phones.
With the lifespan of some IoT devices now expected to exceed ten years, the security issue this presents is a growing cause for alarm. The threat landscape is a highly dynamic environment and devices that can’t be patched are vulnerable not only to the threats that are out there today but also to all threats that emerge after the device has gone to market.
A new approach to IoT security is needed
Fortunately, organisations are starting to take note. The IoT Security Foundation is driving the creation of new standards and enlisting companies to work together to improve the overall security of IoT devices from the ground up. Elsewhere, the GSM Association (GSMA) has recently produced a set of major guidelines around IoT security best practice.
But in order for businesses to make meaningful security improvements, changes must take place at the design phase, not as an afterthought prior to launch. Security must also be considered from a variety of different angles including software, hardware and the network if it is to be effective.
1) Secure software: Building new devices on a foundation of robust and secure software is critical. Best practice encompasses a variety of design considerations including:
- Proper and secure authentication for each individual device, so organisations can quickly confirm that any individual device is the one it claims to be
- The use of secure coding practices, focusing on QA and vulnerability identification as part of the development lifecycle in order to streamline security and mitigate risks
- Industry standard encryption of all data flowing between the IoT device and backend servers, meaning that even if the data is intercepted, it is meaningless without the correct encryption key
- Making provision for the deployment of new firmware on the device over time. Moving to more advanced and versatile processing units will allow device software to be […]
No leader wants his or her team to fail. But, in many digital transformation efforts, creating the conditions in which failure is an acceptable outcome might be key to success. As with Pixar Animation Studios, a subsidiary of The Walt Disney Co., which credits its blockbuster successes to all the storyboards that don’t actually make it onto film, effective digital initiatives often depend on a mix of experimentation, prototyping, and failure.
Creating a culture in which risk-taking is acceptable and giving employees a wide berth to learn from failure (and success) can be difficult challenges for leaders managing change. If the following behaviors aren’t part of your leadership repertoire, you may not be ready to lead a digital transformation.
The importance of these leadership behaviors appeared in a year-long study of a 450-person financial services function within Deloitte Services LP that was implementing a large-scale technology project to streamline reporting, budgeting, and analysis for the entire organization. If successful, many employees in the function would have more time to become trusted advisers to the business, rather than simply focusing on compiling and reporting numbers. The financial services function, however, was risk averse: The entire group was accustomed to complying with fairly stringent regulations and policies but was unaccustomed to voicing their opinions. Becoming advisers by effectively communicating a new way to do business would be a hurdle for much of the staff.
At the end of one year, the research had identified several distinctive characteristics of executives who were most effective at implementing the project: They fostered a culture tolerant of failure and embraced the following four behaviors.
1. Be clear about priorities. Leaders who were clear on shifting priorities and how success would be measured seemed to have much more engaged employees throughout the transition. Goal-setting was an important factor that enabled employees to track their progress and growth. Leaders also frequently reassessed goals and ensured that employees were well aware when priorities and needs shifted. Balancing clear communication of priorities with a willingness to adapt goals when circumstances dictated was important to engaging the workforce during a time of digital transformation.
Before launching the project, executives traveled to local offices to express their vision for the future and set the overarching mission for the finance function. They offered compelling reasons for the technology transformation and gave permission to local site leaders to shift priorities as needed throughout the change. This in-person executive visit was intended to empower local office leaders to tailor the implementation, while also connecting them back to a broader vision of the future.
2. Provide effective two-way feedback. The research findings appear to support the importance of creating psychological safety during check-ins with employees. It may not be enough simply to engage in project report-outs — leaders must also create a culture of psychological safety, giving employees freedom to express concern when things aren’t going right and feel they have the ability to take risks. Doing so allows employees to share new ideas and to believe they are being heard. Leaders in the study who engaged in these types of feedback sessions seemed to be able to get ahead of employee issues before they became a roadblock to the project’s ultimate success.
During the project, frequent pulse surveys were conducted to identify emerging employee pain points. Rather than keep information confidential, pulse survey results were shared broadly across local offices during monthly leadership feedback forums. Leadership teams would also invite team members to participate and provide further feedback on how the project was going. These transparent feedback forums allowed managers and employees to begin collaborating in newfound ways as they focused on overcoming shared challenges, while also identifying shared opportunities for success.
3. Recognize staff and support risk-taking. While extrinsic motivators have their place, we know from behavioral science that intrinsic motivators drive longer-term behavior change. Simply recognizing and acknowledging people for their hard work during times of change can go a long way. However, recognition also typically means sharing the success of a project. Our research found that one way to kill the momentum of a project was for leaders to take all the credit for its success. Leaders who shared responsibility for a project’s success with all levels of staff seemed to achieve much higher levels of employee engagement throughout the project.
One leader brought team members to a high-profile client meeting, allowing employees to see firsthand the impact they were making. Another leader brought their staff to a baseball game and invited the partner of the project to attend as well. As one manager remarked, “I have not only seen changes in my employees’ ability to interact and engage with senior leaders more comfortably, but also in identifying opportunities where they can gain more exposure. And, when they need my help with that exposure, they now ask me for that help.”
4. Engage in frank development conversations. The more effective leaders communicated how change would benefit staff, including how continuous education and training opportunities would help strengthen an employee’s skill set. In addition, these managers did not shy away from transparent conversations on where employees’ efforts were needed in order to move forward. An effective conversation card was developed to help leaders engage in these conversations on a monthly basis with their teams.
Additionally, the more successful project leaders worked with staff to identify development opportunities and engage in conversations beyond the project itself. One manager said, “I used to think if someone made a mistake, it was because they weren’t very strong. I now realize that is part of the learning process and people can change if I am willing to devote the time and attention needed to help their development.” In this manager’s region, employee engagement nearly doubled after leadership instituted monthly development conversations with staff.
Leaders who displayed these four behaviors reaped not only better performance, but greater engagement from their employees throughout the change. Employees were much more likely to report back higher levels of learning and growth, and greater meaning from their work. These four behaviors, which allowed employees to share ideas more freely and embrace taking risks, appeared to lead to higher-performing teams during this digital transformation. This was further evidenced by year-over-year manager effectiveness increases of over 10% once these behaviors became commonplace throughout the regions. Regions that once lagged the organizational average in managerial effectiveness now led in many of the managerial effectiveness metrics.
Digital transformation may not be easy, but effective leadership can help bolster the chance of success. There is typically so much emphasis on the technology itself, establishing implementation road maps marked with important milestones, that the people part can easily be overlooked. Yet, we know from research that people are the lynchpin to a digital transformation’s success. Leaders who are able to actively engage their people are much more likely to experience not just success — but greater satisfaction throughout the change.
The UK Government is facing a ‘trilemma’: a struggle to provide secure, affordable and clean energy, all while preventing blackouts. This is a unique situation where the technology available to the sector is much more advanced than the infrastructure the industry is built on. But what can engineers do to modernise the infrastructure and ensure reliability?
Keep it location-independent
Many of the 400,000 substations scattered around the UK were not designed for today’s advancing energy industry, especially with the push from fossil fuels to renewable sources. To ensure the infrastructure is fit for purpose, we need to bring these run-down facilities back up to speed, says Martyn Williams, managing director of COPA-DATA UK.
Many substations are remote and unmanned. Despite this, some are yet to acquire a connected infrastructure, and instead rely on an energy control operator to manually visit the substation to monitor the condition and obtain the energy distribution data.
The disadvantage of this method is that data cannot be collected, monitored and analysed in real time. Essentially, this means that data collected is not up-to-date and the information gleaned from that data is redundant. When the data is eventually analysed, it could be almost impossible for the operator to pinpoint the root cause of any problems.
A connected intelligent substation allows for a much more efficient asset that can be monitored and maintained in real-time. This also enables predictive analytics and maintenance, which greatly reduce the risk of downtime and vastly increase the lifetime value of the asset.
Intelligent software can even be integrated into existing equipment. For example, by using an industrial automation package like COPA-DATA’s zenon, the substation can become a part of an Internet of Things (IoT) led architecture. Substation data is stored in a centralised network, with real-time and historical insight, regardless of age or location.
Make use of data
There’s no advantage in collecting data if you are failing to analyse the information and make informed decisions. The right intelligent automation software should analyse the data and combine real-time information with historical reports.
This generates a comprehensive overview of each substation’s performance, enabling cross-site benchmarking for energy distribution. What’s more, using intelligent automation software, the data can provide insights into the lifespan forecast of the substation’s machinery and deliver predictive analytics to inform preventative maintenance.
With such widespread geographical locations for substations, an obvious solution is to store this data in the cloud. COPA-DATA’s zenon can be used in combination with Microsoft Azure for fast and easy access to the control centre.
Intelligent automation software gives operators an overview of the complete network at all times, meaning that any unusual or unplanned activity can be detected instantly. This method ensures information isn’t confined to one server, but is instead accessible from any location. This allows for rapid updates and real-time alerts.
Encrypt your data
Storing data in the cloud heightens concerns for cyber security, and energy companies must now consider the risk of cyber attack. Cyber security standards such as IEC62443 ensure that intelligent software providers help minimise these threats.
Continuous vigilance provides one level of security, but COPA-DATA’s zenon […]
HM Power, a system integrator based in Sweden, provides smart metering and smart grid solutions to virtually all Swedish utilities. The company has an established customer base of approximately 650,000 smart meters and now has approximately 30% of the Ring Main Unit and advanced fault indication equipment market in Sweden. Following a Parliamentary Bill mandating hourly energy metering, the company needed to upgrade its communications capability in its smart meters to enable and manage the increased functionality required.
In 2012, a Bill was passed in the Swedish Parliament enforcing hourly metering – which would not be possible to achieve without the functionality of an Advanced Metering Infrastructure (AMI) smart metering solution.
Sweden was one of the first countries in the world to install smart meters and since 2009 customers have received monthly bills based on their actual consumption rather than an estimated annual bill. This early adoption strategy gave the country’s utilities the lead in delivering accurate customer billing and more information about actual consumption. Since the rollout, smart meters have enabled both financial benefits as well as improvements in service quality and customer satisfaction. However, in recent years Sweden’s infrastructure focus has switched to looking for next generation smart metering to support plans for smart grid technologies and IoT capabilities, leading to the requirement to upgrade its AMR infrastructure to AMI, to enable these facilities.
Omni IoT technology
HM Power selected CyanConnode’s Omni IoT technology because it is a robust, scalable and future-proof platform that offers flexibility as the Swedish market continues to evolve. CyanConnode’s communication platform enables machine-to-machine (M2M) communication from single applications, such as smart metering, to multi-application IoT networks. HM Power saw a major advantage in CyanConnode’s use of narrowband technology, as applications using narrowband consume considerably less power and are less spectrum-intensive than those using higher frequencies. In addition, narrowband RF networks enable significant growth in the number of connected devices which will allow HM Power’s customers to grow their networks economically and sustainably.
Based on IPv6 and using licence-free, regulated narrowband technology, CyanConnode provides HM Power with a flexible, cost effective communication platform that supports rapid innovation and integration with third party technology. The platform enabled by CyanConnode’s IPv6 LowPAN OmniMesh network is plug and play, self-configuring and self-healing and is designed to deliver a versatile solution with a low cost of ownership. Each device uses the most efficient route to its gateway every time, maximising the use of bandwidth whilst minimising power consumption and continually optimising and adapting the network.
In addition, CyanConnode’s partner ecosystem provides expertise for seamless integration of the end-to-end communication technology with HM Power’s preferred smart meter vendor and the utility’s Meter Data Management system, at every stage of the contractual implementation and milestones.
As the market evolves, HM Power is now well positioned to provide next generation smart meters and smart grid equipment in a comprehensive, end-to-end system. CyanConnode’s technology will support HM Power as its IoT network develops, enabling interoperability between any third-party device or technology, and alternative HM Power customer networks. HM Power will be able […]
In a contributed article for Internet of Business, Robin Kent, director of European operations at telco software company Adax, discusses how mobile network operators need to get their packet transport layers in order.
While IoT device manufacturers are bullish about the future of connected devices, those who must lay the infrastructure for these to work are more reserved. A recent industry report from Telecoms.com finds that the vast majority of telcos (more than eight out of ten, in fact) admit that they are not ready for IoT and only a few show signs of actual progress beyond this general state of unreadiness.
Despite its slow progress, IoT still promises to fundamentally reshape the telecoms industry. The reliability of connections, after all, is vital for the growth and success of the IoT revolution. And while many predict that 5G will go some way to supporting the vast number of connections needed, there are still likely to be problems with performance and reliability if the right solutions and network infrastructure aren’t implemented.
The huge scale of IoT adoption is a major challenge for network operators. Experts believe that network operators have the power to unlock the true capabilities of IoT, but speed is of the essence and the industry is frantically trying to keep up with end-user demands and expectations. In light of this, a key problem that needs to be addressed is the protocols needed to run IoT applications.
If IoT is to truly take off and its full capabilities are to be realized, operators must be prepared to maintain enough capacity in the core network and, more importantly, manage the connections to keep an IoT-associated packet moving along without creating bottlenecks.
Typically, GPRS Tunnelling Protocol (GTP) solutions have been able to handle up to 25,000 to 30,000 Packet Data Protocol (PDP) contexts per application, but operators now need to be looking towards coping with millions. By anticipating this huge surge, operators should prepare appropriately, rather than waiting for huge numbers of packets to turn up unexpectedly at their door.
Operators need to consider a GTP solution that enables traffic capacity to be increased by accelerating data paths and removing bottlenecks, which in turn, accelerates the GTP tunnels and packet filtering. This results in higher performance and vastly improves quality of service (QoS) and quality of experience (QoE) for the end user. Bandwidth throttling or rate-limiting is performed to guarantee QoS return on investment (ROI) via the efficient use of bandwidth.
Operators should also be prepared for the varying levels of service requirements across different applications. This will be vital when device numbers are massive; both the signaling and data plane throughput will be dependent upon good performance from GTP-U tunnels. The effective solution to low-latency tolerance is a control plane issue and requires good GTP-C tunnels and, most importantly, effective SCTP [Stream Control Transmission Protocol]. In other words, it’s basically an issue of using transport layer protocols to keep a packet moving to where it needs to be.
Another potential headache for mobile operators is that IoT applications have many additional security requirements, because of the nature of the endpoint devices and the potential high level of service criticality. In serving a high volume of devices, networks are exposed to signaling storms, and intentionally malicious denial of service attacks. Such attacks can have a serious detrimental impact on devices, and the quality of experience the end user expects and demands. In a bid to tackle such issues, operators should adhere to the GSMA’s IoT Security Guidelines for Network Operators.
These guidelines have been designed with the entire IoT ecosystem in mind, including device manufacturers, service providers, developers, and, where this topic of discussion is concerned, network operators. The GSMA describes the most fundamental security mechanisms as: identification and authentication of entities involved in the IoT service; access control to the different entities that need to be connected to create the service; data protection to guarantee the security and privacy of the information carried by the network for the IoT service; and the processes and mechanisms to ensure availability of network resources and protect them against attack.
It’s clear that IoT is only set to grow in adoption, so capacity and security must be an issue that operators address now or face falling behind competitors in delivering the high level of service customers have come to expect in the connected world. To ensure the capabilities of IoT can be embraced and implemented, network operators must take the lead and apply their own measures and protocols.
An effective packet core needs to be dimensioned for cost-effective deployment and operations, but it should also be able to expand rapidly to maintain reliable performance as the number of users, devices and packets keeps growing.