It is a cliché to declare how fast Moore's law is changing our technology-rich world and how connected our devices, social networks, even bodies, cars, and other objects are becoming.
A useful way to think of IoT technological progression is what happens when the network extends not to the last mile or last inch endpoint but to the last micron, where virtual and digital become physical. Whether the network extends to a motor servo controller, temperature sensor, accelerometer, light bulb, stepper motor, washing machine monitor, or pacemaker battery voltage monitor, the effect is the same: the information sources and sinks facilitate monitoring and control functions between our physical and virtual worlds. In the case of the IoT, the physical world is a direct component of the digital information, whether acting as subject or object.
IoT technology is being rolled out across many industries today. In Europe, for example, the Alliance for Internet of Things Innovation(AIOTI) (see https://aioti.eu ) has designed a set of pilot projects that focus on demonstrating real-world use cases of the IoT in action. These pilots are described in the following table and show the reach and potential impact of the IoT on our daily lives. The IoT is much more than consumer toys connected to the internet. IoT systems are progressing towards making a real difference in the well-being of the population and increased productivity in the business environment:
The impact that the IoT is having on the transformation of industry capabilities is significant. It becomes clear that, as we begin to rely on these technological improvements, the impact of denying or tampering with these services becomes substantial. Each of these systems must be developed with security and resilience in mind. Next, we discuss additional IoT ecosystems that are beginning to add value to our everyday lives.
Fast disappearing are the days of utility companies sending workers out in vans to read electric and gas meters mounted to the exterior of your house. Homes today include an array of Distributed Energy Resources (DER) that can communicate demand and load data with the distribution grid. Within the distribution grid, smart devices are able to collect and analyze data to identify anomalies and instabilities. These devices are then able work together to identify measures for correcting the instabilities and avoiding costly brownouts and blackouts.
Additional IoT technology insertions are modernizing business processes across energy operations. For example, after a natural disaster, operators might deploy Unmanned Aerial Systems (UAS) to survey damage to power lines. As aviation authorities begin to evolve regulations on the use of UAS platforms around the world, autonomous flight operations will begin to allow for rapid fault identification and service restoration.
As EV charging begins to strain the electrical grid, new approaches to distributed energy generation must also be considered. Clean energy solutions, such as solar, allow individual consumers to become energy generators and participate in energy transactions with their peers and the utility. Consider the concept of a microgrid. Microgrids are self-contained energy generation and distribution systems that allow owner-operators to be heavily self-sufficient. Microgrid control systems not only rely on data captured from edge devices such as solar panels and wind turbines, but also require data collected from other internet-based services. The control system may capture real-time energy pricing data from a web service, enabling the system to determine the optimal time to generate, buy, or sell back energy from the utility.
The same control system may incorporate weather forecast feeds to predict how much energy their solar panel installations will generate during a certain period of time. Maturing microgrid models are allowing innovative neighborhood microgrids to emerge such as the LO3 implemented in Brooklyn, New York. The LO3 implements a blockchain-based neighborhood microgrid (https://lo3energy.com/) that allows neighbors to sell excess solar energy directly to each other, connecting each neighbor as an IoT node in a larger IoT system.
IoT connectivity has already transformed the transportation industry and promises continued innovations. Companies such as Bosch and Continental have invested heavily in building semi-autonomous driver assistance tools while other companies such as Mercedes Benz and Audi are working on Level 4 and 5 fully autonomous vehicles. These vehicles and tools rely upon sensors that collect and feed data back to Electronic Control Units (ECUs) within the vehicle. Connected Vehicle (CV) technology is rapidly maturing through multiple CV pilots around the world, the largest being the 8,000+ vehicle New York City Connected Vehicle Pilot Deployment (note: the author, Drew Van Duren, is a security consultant to this deployment). General Motors has also fitted some vehicles with CV technology. The 2017 Cadillac CTS, for example, operates Vehicle-to-Vehicle (V2V) technology on the 5.9 GHz spectrum to share vehicle location, speed, and traffic conditions with peer vehicles on the road. V2V technology supports sharing of vehicle data including latitude, longitude, heading angle, speed, lateral and longitudinal acceleration, throttle position, brake status, steering angle, headlight status, wiper status, turn signal status, and vehicle length and width.
Intelligent Transportation Systems (ITS) promise to optimize traffic across smart cities. For example, queue warnings will let vehicles and drivers know whether a backup is forming. Vehicle navigation systems can then quickly route around the backup, easing traffic congestion. Applications such as these are aided by connected roadside equipment, known as Roadside Units (RSUs). RSUs communicate using protocols including Dedicated Short Range Communications (DSRC) to collect, proxy, and transmit data across the vehicle ecosystem, including with the local roadside (traffic signal controllers, dynamic message signs, and so on) and Traffic Management Centers (TMCs).
The term Industry 4.0 is used to describe CPSes that enable smart factories through automation and data exchange. Sensor data is fused and processed by data analytic systems, and machine learning algorithms are trained on smart manufacturing use cases such as remote monitoring and control, smart energy consumption, predictive maintenance, and human-robotic collaboration. These capabilities provide business value through the minimization of downtime or the optimization of processes and reduction of costs. For example, a Jeep Wrangler production facility in Toledo, Ohio, introduced connectivity for over 60,000 IoT endpoints and 259 robots on the assembly line (source: https://customers.microsoft.com/en-us/story/the-internet-of-things-transforms-a-jeep-factory). This implementation provides flexibility to modify manufacturing plans on demand, based on real-time data collected from sensors. The result is cost reduction and profit increase.
Industry 4.0 is also leading the way toward the adoption of robotics within manufacturing. There are many types of robotic platforms, including vision-capable robots, that can capture and analyze video streams in real time, and collaborative robots that can be guided by humans toward accomplishing a task. Robotic systems rely on many types of sensors, including motion sensors, accelerometers, temperature sensors, pressure sensors, and proximity sensors. These platforms can incorporate computer vision capabilities and make use of complex algorithms that support guidance and path planning.
According to the Smart City Tracker 2018 report by Navigant Research (https://www.navigantresearch.com/news-and-views/navigant-research-identifies-355-smart-city-projects-in-221-cities-around-the-world) over 221 cities worldwide implemented at least one smart city project in 2018. The city of Chicago, for instance, implemented the Array of Things project that resulted in the installation of over 500 multifunctional sensors on lampposts within the city. Sensors measure temperature, barometric pressure, light, vibration, carbon monoxide, nitrogen dioxide, sulfur dioxide, ozone, ambient sound intensity, pedestrian and vehicle traffic, and surface temperature (source: https://arrayofthings.github.io/faq.html). Smart cities are also now embracing the concept of open data, providing citizens with access to data collected through IoT sensors. Amsterdam, for example, provides citizens with the ability to look up all open data projects across the city.
Other examples of smart city innovations include networked LED street lights and clean and efficient buildings. The city of San Diego, for example, created the Smart City Open Urban Platform (SCOUP) to track and reduce greenhouse gas emissions across the city's real-estate portfolio (https://www.sandiego.gov/sustainability/smart-city).
Smart Cities represent a complex IoT example as they bring together systems of systems to meet numerous goals. Organizations such as Securing Smart Cities (https://securingsmartcities.org/) have sprouted up to provide guidance to city officials on how to choose and securely implement technologies.
While the majority of this book is devoted to IoT security, the aforementioned IoT use cases clearly emphasize the increasing world demand for cross-disciplined security engineers. We struggle to find it covered in academic curricula outside of a few university computer science programs, network engineering, or dedicated security programs such as SANS. Most security practitioners have strong computer science and networking skills but are less versed in the physical and safety engineering disciplines covered by core engineering curricula. So, the cyber-physical aspects of the IoT face a safety versus security clash of cultures and conundrums:
- Everyone is responsible for security
- The IoT and CPS expose huge security problems crisscrossing information computing and the physical world
- Most traditional core engineering disciplines rarely address security engineering (though some address safety)
- Many security engineers are unaware of core engineering disciplines (for example, mechanical, chemical, and electrical engineering), including fault-tolerant safety design
Because the IoT is concerned with connecting physically engineered and manufactured objects, this conundrum more than any other comes into play. The IoT device engineer may be well versed in safety issues, but does not fully understand the security implications of design decisions. Likewise, skilled security engineers may not understand the physical engineering nuances of a device to ascertain and characterize its physical-world interactions and fix them for security deficiencies. In other words, core engineering disciplines typically focus on functional design, creating things to do what we want them to do. Security engineering shifts the view to consider what the thing can do and how one might misuse it in ways the original designer never considered. Malicious hackers depend on this. The refrigeration system engineer never had to consider a cryptographic access control scheme in what was historically a basic thermodynamic system design. Now, designers of connected refrigerators do, because malicious hackers will look for unauthenticated data originating from the refrigerator or attempt to exploit it and pivot to additional nodes in a home network.
Security engineering is maturing as a cross-discipline, fortunately. We can argue that it is more efficient to enlighten a broad range of engineering professionals in baseline security principles than it is to train existing security engineers in all physical engineering subjects. Improving IoT security requires that security engineering tenets and principles be learned and promulgated by the core engineering disciplines (originating in their academic curricula) throughout their respective industries. If not, industries will never succeed in responding well to emergent threats. Such a response requires appropriating the right security mitigation techniques at the right time when they are the least expensive to implement (that is, the original design as well as its flexibility and accommodation of future-proofing principles). For example, a thermodynamic process and control engineer designing a power-plant will have tremendous knowledge concerning the physical processes of the control system, safety redundancies, and so on. If they understand security engineering principles, they will be in a much better position to dictate additional sensors, redundant state estimation logic, or redundant actuators, based on certain exposures to other networks. In addition, they will be in a much better position to ascertain the sensitivity of certain state variables and timing information that the network, host, application, sensor, and actuator security controls should help protect. They can better characterize the cyber attack and control system interactions that might cause gas pressure and temperature tolerances to be exceeded with a resultant explosion. The traditional network cybersecurity engineer will not have the physical engineering background on which to orchestrate these design decisions.
Medical device and biomedical companies, automotive and aircraft manufacturers, the energy industry, even video game makers and broad consumer markets are involved in the IoT. These industries, historically isolated from each other, must learn to collaborate better when it comes to securing their devices and infrastructure. Unfortunately, there are some in these industries who believe that most security mitigations need to be developed and deployed uniquely in each industry. Standards organizations frequently promote this thinking as well. This isolated, turf-protecting approach is ill-advised and short-sighted. It has the potential of stifling valuable cross-industry security collaboration, learning, and development of common countermeasures.
IoT security is an equal-opportunity threat environment; the same threats against one industry exist against the others. An attack and compromise of one device today may represent a threat to devices in almost all other industries. A smart light bulb installed in a hospital may be compromised and used to perform various privacy attacks on medical devices. In some cases, the cross-industry link is due to intersections in the supply chain or the fact that one industry's IoT implementations were adopted into another industry's systems. Real-time intelligence as well as lessons learned from attacks against industrial control systems should be leveraged by all industries and tailored to suit. The discovery, analysis, understanding, and sharing of how real-world threats are compromising ever-present vulnerabilities need to be improved for the IoT. No single industry, government organization, standards body or other entity can assume to be in control of threat intelligence and information sharing. Security is an ecosystem.