CSO Roadshow 2018: How do we build a secure IoT?

The Internet of Things (IoT) poses a significant challenge to IT security teams. Suddenly, instead of having users in control of the majority of end-point devices, the devices will out-number people by a factor of seven to one if analyst predictions are accurate. That means we need to think about how we secure our networks and these devices in new ways.

Dr Hugh Bradlow is the President of the Australian Academy of Technology and Engineering, having spent over two decades in senior roles at Telstra including CTO, Head of Innovation and Chief Scientist. He gave the keynote address at the 2018 CSO Roadshow where I spoke to him.

We explored how the IoT works and how it could be secured. His model looks at the interaction between devices, networks and applications. These are underpinned by a fourth element, the cloud which binds the all.

“The way I characterise it, rather network is about moving the data from A to B. The cloud are all those software systems that are common to all applications that collect the data, and then the APIs that you use to connect to devices and the APIs that applications use to get information from devices and the cloud platform,” explained Bradlow.

For example, a security camera might detect motion and send that via an API to a cloud service. That service will then tell an application, via another API to send a text message notifying someone about the motion.

“The opportunities, in a generic sense, are to measure the physical world and use that measurement to analyse and act and to control the physical world with actuators. It’s sensors, analysis, intelligence, actuate,” he said.

This will allow us to do health intervention such as quickly acting on an acute episode such as the cardiac condition atrial fibrillation, or conducting ongoing monitoring rather than episodic review so we can better execute preventative medicine.

There are some challenges though. Bradlow noted that we have to know if a device is reliable. This starts from when a device is first procured and commissioned and throughout its working life. And there’s a need to confirm ongoing service assurance. So devices will need to self-monitor or support some other method to ensure operations are normal.

There’s also the question of power. Devices will need to work for extended periods while consuming very little energy. In his keynote presentation, Bradlow discussed a contact lens that could monitor blood sugar levels. It was powered by collecting ambient RF radiation.

Looking ahead, the challenge will be to identify where the best opportunities are available for using IoT systems and then developing a solution that securely delivers on the business outcomes. It’s likely that while many different network systems are in development, cellular data networks will be favoured as they are ubiquitous and understood.

Different industry verticals will look for specific solutions that work for them – there won’t be a “one size fits all” application. Rather, different companies will look for low hanging fruit and sue IoT where it’s the most effective solution in those situations before engaging in wide-spread deployments.

Bradlow noted that it is still early days. There are many competing standards on the network, application and platform fronts. In time, there will be a consolidation as specific platforms that address the balance between function, security and cost will win out over others. That’s land grab is still in progress. And while Apple, Amazon and Google are at the forefront, particularly in the consumer space, Bradlow said Microsoft shouldn’t be discounted as it has shown in the past that it is able to adapt and thrive even though it doesn’t always enjoy the first mover advantage.

There are still some threats to deal with. Much of the IoT benefit is tied in with the efficacy of AI which is still an evolving area. Driverless vehicles can be thrown off-course by graffiti on street signs. And many devices are still being released with security added as a afterthought, if at all, rather than by design.

What’s clear from listening to Bradlow is that we are still in the early days and exciting, but challenging, times lie ahead.