Live Blogging from the IoT Global Summit

Keynotes:
Came in on the end of a presentation by Rep. Suzan DelBene, D-WA, co-chair of the House IoT Caucus and an IT industry vet. Her litany of federal inaction in the face of rapidly-evolving tech — especially regarding privacy protections, where the key law was enacted in 1986 — was really dispiriting, although it’s good to know there are some members of Congress who are aware of the issue and working on it.

EU Ambassador to the US, David O’Sullivan: the IoT is a “quantum leap” because of combining digital and physical world, and will have huge implications.  Europe has created single digital market. Major investments in IoT & funding research on it.  Very open research projects.  Key is breaking down barriers within the economy. They’re doing research on every aspect of IoT. Priority must be overcoming vertical silos, such as cars and health care. Must balance regulation and innovation. Security and privacy: working on a new set of protections.

Dean Brenner, SVP for Gov. Affairs, Qualcomm: everything will need some form of connectivity. Will need new connectivity paradigm. 4G LTE gives solid foundation for cellular IoT growth.  5G will be fully-deployed by 2020.

Dr. Rakesh Kushwaha, Mformation (hmmm?) Business Leader, Alcatel-Lucent: securing IoT devices. Tech & standards that are already in place to secure mobile devices can be the model for IoT devices: they worked with a whole range of devices. Fundamental principle of the security: securely update through a device/firmware update package. Only about 40% of IoT will be cellular-based. Alcatel is securing vehicle-mounted devices using FW/SW updates. They will launch a project called IoT Connect.

Session 2: Security for the IoT

Dean Garfield, president & CEO, Information Technology Industry Council: think of security as a design feature, not afterthought. Have to think of it in global sense (including between vertical silos). Chinese government security demands are actually counterproductive. Security can be a differentiating feature.

Joseph Lorenzo Hall, chief technologist, Center for Democracy and Technology: “IoT Spectrum of Insanity” — such as #IoT door locks, require protections be built in. Security by design. He thinks privacy is a bigger factor than security.

Stephen Pattison, vp of Public Affairs, ARM. Hacker only has to get it right once. You have to get it right every time!  Sensors will have to be very cheap ($5 or less), which will require real creativity.  Security will drive acceptability of IoT. Security breaches will be a major risk for IoT companies.

Chris Boyer, asst. vp, Global Public Policy, AT&T: different security concerns in each vertical domain. Functional classification determines the risk (for example, some affect interruption of critical infrastructure, or pose a risk to life). Virtualize security around the end device. Industry activities: application layers, service layer, network layer, access technologies. Looking for acceptable risk management levels.

Rory Gray, global head of sales, Intercede: “need world of trusted digital identities.” “Identity is the new currency.”

Government procurement standards may drive privacy and security by design.

Adam Thierer: are we overestimating how much people really care about IoT security (vs. the “cool” factor??).

Afternoon Privacy Panel:

Gary Shapiro, president & CEO, CEA: he disagrees that you should HAVE to give permission to have your info shared: cites all the benefits of sharing data. Thinks we went overboard with HIPAA & privacy. Announcing agreement on guiding principles for sharing health info from #QS devices. A sense that products will be unwelcome if they create privacy or security issues: example of an Intel engineer who has vision problems. On a personal basis, his mother had a terrible time with Alzheimer’s: he’s upset he won’t have access to a Google face recognition technology.

Rob Atkinson, president, Information Technology and Innovation Foundation: “privacy fundamentalists” argue really heavy regulation is way to protect privacy.  BUT, no empirical studies underlying that. Pew survey showed few people believe their landline or credit card data will be private, YET almost everyone uses credit cards or phones: i.e., no correlation between people’s belief in privacy of various technologies and their actual use of the technology.  Overly stringent privacy regulations will reduce their availability. Much of real value of IoT data is from secondary use of the data, which would be undermined by tough regulation. Way too early to put regulatory regime into place for IoT: too early.

Maneesha Mithal, assoc. director, Division of Privacy & Identity Protection, Bureau of Consumer Protection, FTC: two fairly controversial aspects of their 2013 workshop. First, the data minimization debate — said you shouldn’t collect all sorts of data forever, BUT, perhaps collect less sensitive data if they could still derive value. Second issue was “notice and choice.” Tried a middle ground: there is room for notice and choice. On regulation, also a middle ground: shouldn’t have specific IoT regulation, but should have general, baseline privacy and security protections. We don’t bring “gotcha cases.” Could have a program that would provide incentives for self-regulation.

Gilad Rosner, Founder, Internet of Things Privacy Forum:  “notice & choice” has been the default privacy & security approach for Internet, but it “fundamentally places the burden of privacy protection on the individual.” A presidential group said the responsibility should rest with the provider, not the user.  Hallmark of a civil society is being regulated.

Day Two:

smart health panel:

You can access my “Smart Aging” presentation on SlideShare.

Peter Ohnemus of dacadoo, a Swiss company, gave an overview of IoT and healthcare and talked briefly about his company’s Health Score, a 0-1000 score assigned to participating individuals based on their real-time scores on factors including movement, nutrition, sleep and stress.

Chantal Worzala of the American Hospital Association gave an overview of issues such as information interoperability and new wellness incentives.

Robert Jarrin, senior director of gov. affairs for Qualcomm, talked about some of the policy issues. FDA now has dedicated staff for electronic devices, and they are now not requiring regulatory compliance for some basic devices.

Smart Home panel:

Hmm. Little actual focus on smart homes in this one…

Cees Links, ceo, Green Peak Technologies: they are a chip manufacturer, “wireless plumbers.” Shipped 1M Zigbee chips. “IoT is not about things, it’s about services.” “Smart Home should be called a butler.” Confusion about IoT standards: thinks ZigBee & Bluetooth will survive, proprietary standards won’t.

Ilkka Lakaniemi, chair, European Commission’s Future Internet Public-Private Partnership Program: working on smart cities strategies, esp. ones that are scalable. Working with NIST on common standards for the demo grants in US & EU. 61 cities involved.

Tobin Richardson, president & ceo, ZigBee Alliance. ZigBee, wi-fi & Bluetooth will form basis of a stable ecosystem. Dollar chip is the goal, getting there quickly.

Paul Feenstra, sr. vp of government & external affairs, The Intelligent Transport Society of America: evolution over last 5 years from car focus to a really varied multi-modal transportation industry. Shocking how we accept the high death rate & congestion on highways. 80% of crashes could be avoided by connected cars.

Business Models for the IoT:

Ana Sancho, Libelium: they manufacture sensor networks for the IoT. Solve problems from smart cities to agriculture & water resources. More than 90 different sensors. They see their clients only testing the water with the IoT at a very early stage: not widescale implementation.


I’ll Speak Twice at Internet of Things Global Summit Next Week

I always love the Internet of Things Global Summit in DC because it’s the only IoT conference I know of that places equal emphasis on both IoT technology and public policy, especially on issues such as security and privacy.

At this year’s conference, on the 26th and 27th, I’ll speak twice, on “Smart Aging” and on the IoT in retailing.

In the past, the event was used to launch major IoT regulatory initiatives by the FTC, the only branch of the federal government that seems to really take the IoT seriously and understand the need to protect personal privacy and security. My other fav component of last year’s summit was Camgian’s introduction of its Egburt, which combines “fog computing,” to analyze IoT data at “the edge,” and low power consumption. Camgian’s Gary Butler will be on the retail panel with me and with Rob van Kranenburg, one of the IoT’s real thought leaders.

This year’s program again combines a heady mix of IoT innovations and regulatory concerns. Some of the topics are:

  • The Internet of Things in Financial Services and the Insurance sector (panel includes my buddy Chris Rezendes of INEX).
  • Monetizing the Internet of Things and a look at what the new business models will be
  • The Connected Car
  • Connected living – at home and in the city
  • IoT as an enabler for industrial growth and competition
  • Privacy in a Connected World – a continuing balancing act

The speakers are a great cross-section of technology and policy leaders.

There’s still time to register. Hope to see you there!

Share It (Data) and They Will Come: Crowdsourced Citywide IoT Network

I haven’t been as excited about anything for a long time as I am about a global revolution that began last week in Amsterdam!

Cities are rapidly becoming the very visible and innovative laboratories for IoT innovation, which is logical, because they’ve been in the forefront of open data — as I saw first-hand when I was consulting for Vivek Kundra when he opened up vast amounts of real-time data as CTO for the District of Columbia as part of its Apps for Democracy initiative in 2008 that was part of the larger democratizing data movement.

Now there’s an exciting new development in Amsterdam that really is bringing power to the people: The Things Network, the first crowdsourced, free, citywide IoT data network. Astonishingly, volunteers brought the whole system to launch in only four weeks!

So far, the creators are visualizing a wide range of uses, but I particularly liked a very local one for a city synonymous with canals:

“A pilot project to demonstrate the Things Network’s potential will see boat owners in the city (there are many, thanks to its network of canals) able to place a small bowl in the base of their vessel. If the boat develops a leak and starts taking on water, the bowl will use the network to send an SMS alert to a boat maintenance company that will come along and fix the problem.”

How cool is that?  It also illustrates what I think is one of the key intangibles about the IoT: when you empower everyone (and I mean that literally!) by opening up data, people will find more and more innovative IoT devices and services, stimulated by their own particular needs, desires — and sometimes, even pain (that’s why I think even the most optimistic views of the IoT’s impact will be dwarfed as it becomes ubiquitous!).

Even more exciting, the group’s goal is to bring the technology to every city in the world! That, my friends, will be an incredible global game-changer. Think of it: EVERY city will become an open laboratory for change.

The Things Network uses low-power, low-bandwidth LoRaWAN technology to create the network: ten $1,200 gateways covered the whole city! Having been hiding under a rock, I must admit I’d never heard of LoRaWAN. Here are the benefits:

  • don’t need 3G or WiFi to connect with the Internet — no WiFi passwords, mobile subscriptions
  • no setup costs
  • low battery usage
  • long range
  • low bandwidth.

The whole scheme reminds me of the old Andy-Hardy-it’s-crazy-enough-it-might-work thinking:

“Dutch entrepreneur Wienke Giezeman came up with the idea for the Things Network just six weeks ago when he came across a €1,000 ($1,100) LoRaWAN gateway device and realized that with 10 such devices, the whole of Amsterdam could be covered. He pitched his idea at an Internet of Things meetup in the city and received a positive response.

“Work then began to create a community-owned data network that developers could build on top of without any proprietary restrictions. Companies including The Next Web and accountancy giant KPMG have agreed to host gateway devices at their premises, and the City of Amsterdam local authority is enthusiastic about the idea.”

How’s this for a vision?

“Because the costs are very low, we do not have to rely on large telco corporations to build such a network. Instead, we can crowdsource the network and make it public without any form of subscription. Our mission is to enable a network by the users for the users.” (my emphasis)

Most important from a democratizing data standpoint, it will all be open source:

“Our goal is to make the network architecture as decentralized as possible. And avoid any points of failure or control. We already have a community of 10 developers writing network software and equipment firmware.”

Giezeman wants to cut the cost before launching his plan of making the concept worldwide. He will soon launch a Kickstarter campaign to fund production of a smaller, €200 ($220) LoRaWAN gateway (vs. the $1,200 current ones). He may offer consulting services to capitalize on the idea, but that’s not the current priority.

That kind of openness and lack of strings attached, IMHO, is going to really lead to incredible innovation!  We’re holding a Boston IoT MeetUp hackathon next month to try to bring similar innovation to The Hub, and wouldn’t it be wonderful if cities everywhere launched a virtuous competition to speed smart cities’ adoption (and, don’t forget: this has huge implications for companies as well: there’s nothing to stop smart companies from creating new products and services to capitalize on the shared data!).

I note Amsterdam is 84 square miles, and The Hub of the Universe is 89 sq. miles, so I suspect the costs would be similar here.  I’m throwing down the gauntlet: let’s make Boston the second IoT city!

Let a thousand neighborhoods bloom!

Give It Up, People: Government Regulation of IoT Is Vital

Could this be the incident that finally gets everyone in the IoT industry to — as I’ve said repeatedly in the past — make privacy and security Job 1, and to drop the lobbying groups’ argument that government regulation isn’t needed?

I hope so, because the IoT’s future is at stake, and, frankly, not enough companies get it.

I’m referring to the Chrysler recall last week of 1.4 million Jeeps for a security patch after WIRED reported on an experiment in which two white-hat hackers remotely disabled a Jeep on an Interstate from miles away, exploiting a vulnerable link between its entertainment and control systems.  Put yourself in the place of reporter Andy Greenberg, then tell me with a straight face that you wouldn’t be out of your mind if this happened to you:

“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek [one of the hackers] shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.”

OK: calm down, get a cool drink, and, when your Apple Watch says your heart beat has returned to normal, read on….

But, dear reader, our industry’s leaders, presumably knowing the well-publicized specifics of the Chrysler attack, had the hubris to still speak at a hearing of the Internet Subcommittee of the House of Representatives Judiciary Committee last week and claim (according to CIO) that government regulation of the IoT industry wasn’t needed.

CEA CEO Gary Shapiro said in calling for government “restraint”:

“It’s up to manufacturers and service providers to make good decisions about privacy and security, or they will fail in the marketplace… Industry-driven solutions are best to promote innovation while protecting consumers.”

Sorry, Gary: if someone dies because their Jeep got spoofed, the survivors’ attorneys won’t be content with the company’s failure in the marketplace.

There are some important collaborative efforts to create privacy and security standards for the IoT, such as the AllSeen Alliance. However, as I’ve written before, there are also too many startups who defer building in privacy and security protections until they’ve solved their technology needs, and others, most famously TRENDnet, who don’t do anything at all, resulting in a big FTC fine. There are simply too many examples of hackers using the Shodan site to hack into devices, not to mention academics and others who’ve shown security flaws that might even kill you if exploited.

One local IoT leader, Paddy Srinivasan of LogMeIn, gets it, as reported today by the Boston Globe‘s Hiawatha Bray:

“‘I think it is a seminal moment…. These new devices need a fresh approach and a new way of thinking about security, and that is the missing piece.'”

But it’s too late to just talk about self-policing.

Massachusetts’ own Ed Markey and his Connecticut counterpart, Richard Blumenthal, have called the associations’ bluff and filed legislation, the Security and Privacy in Your Car Act (AKA SPY Car, LOL), that would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy. It would also create a rating system — or “cyber dashboard” — telling drivers how well the vehicle protects their security and privacy beyond those minimum standards. This comes in the wake of the Markey study I reported on last winter documenting car companies’ failure to build in adequate cyber-hacking protections.

Guess what, folks?  This is only the beginning.  Probably the only thing I’ve ever agreed with Dick Cheney on (ok, we agree it’s cool to have been born in Wyoming and that Lynne Cheney is a great writer), is that it wouldn’t be cool for the Veep to have his pacemaker hacked, so you can bet there will be legislation and regulations soon governing privacy and security for wearables as well.

As I’ve said before, I come at this issue differently from a lot of engineers, having earned my keep for many years doing crisis management for Fortune 100 companies that bet the farm by doing dumb things that could destroy public trust in them overnight. Once lost, that trust is difficult, if not impossible, to regain.  Even worse, in this case, cavalier attitudes by even one IoT company, if the shock value of the results is great enough, could make everyone in the industry suffer.

So, if you’re arguing for no regulation of the IoT industry, I have just one suggestion: shut up, clean up your act and take a positive role in shaping regulations that would be performance-based, not prescriptive: the horse has already left the barn.

Now I have to check my Apple Watch to see when my heart rate will get back to normal.

Smart Cities: opportunity … and danger if security isn’t a priority

Smart cities are one of the Internet of Things’ most promising areas — as well as one of the most potentially dangerous.

As this list of smart city initiatives shows, the IoT can reduce energy consumption, cut operating costs, and improve the quality of life. However, if hacked, it could also potentially paralyze an entire city, plunge it into darkness and/or create traffic gridlock.

As in so many other IoT areas, which scenario wins out will rest increasingly on making security and privacy in smart cities an absolute priority from Day 1, not an afterthought.

A recent New York Times article brings the issue to the foreground again, through the work of Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, who showed what happens when idiots (so sue me…) decide not to make security a priority:

“(he) demonstrated how 200,000 traffic control sensors installed in major hubs like Washington; New York; New Jersey; San Francisco; Seattle; Lyon, France; and Melbourne, Australia, were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — because one company had failed to encrypt its traffic.

“Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.”

Even worse, Cerrudo found the same failure to bake in obvious security measures such as encryption in a wide range of other smart city devices and software.

The article goes on to cite a variety of very real cybersecurity threats to cities and critical infrastructure (don’t forget that about 85% of the nation’s critical infrastructure is in private ownership), including a break-in at a utility’s control network by a “sophisticated threat actor” that simply guessed a password.

Among the measures Cerrudo suggests that cities take to reduce their vulnerability:

  • think of cities “as vast attack surfaces that require security protection just as a corporate network might.”
  • encrypt data, use strong passwords, and patch security holes
  • create computer emergency response teams (CERTs), for rapid response
  • restrict data access and monitor who does have it.
  • “Finally, he suggests that cities prepare for the worst, as they would for a natural disaster.”

He concluded:

“When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated — that the systems can be easily hacked and there are security problems everywhere — that is when smart cities become dumb cities.” (my emphasis)

Let me be blunt about it: whether in smart cities or any other aspect of the Internet of Things, if your attitude is “we’ll get around to security” after concentrating on product development, you’re irresponsible and deserve to fail — before your irresponsibility harms others.


BTW, here’s a great way for you to have a role in shaping tomorrow’s smart cities. IBM (who would have thunk it? I suspect this reflects Ginni Rometty’s change in direction and attitude at the top) has created People for Smarter Cities, a new site to crowdsource ideas for how to make cities smarter. It’s a great example of democratizing innovation, one of my IoT Essential Truths. I plan to contribute and hope you will as well!

FTC report provides good checklist to design in IoT security and privacy

FTC report on IoT

FTC Chair Edith Ramirez has been pretty clear that the FTC plans to look closely at the IoT and takes IoT security and privacy seriously: most famously by fining IoT marketer TRENDnet for non-existent security in its nanny cam.

Companies that want to avoid such actions — and avoid undermining fragile public trust in their products and the IoT as a whole — would do well to clip and refer to this checklist that I’ve prepared based on the recent FTC report, Privacy and Security in a Connected World, which was compiled from a workshop the FTC held in 2013 and highlights the best practices shared there.

  1. Most important, “companies should build security into their devices at the outset, rather than as an afterthought.” I’ve referred before to the bright young things at the Wearables + Things conference who used their startup status as an excuse for deferring security and privacy until a later date. WRONG: both must be a priority from Day One.

  2. Conduct a privacy or security risk assessment during design phase.

  3. Minimize the data you collect and retain. This is a tough one, because there’s always that chance that some retained data may be mashed up with some other data in future, yielding a dazzling insight that could help company and customer alike, BUT the more data just floating out there in a “data lake,” the more chance it will be misused.

  4. Test your security measures before launching your products. … then test them again…

  5. “… train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.” This one is sooo important and so often overlooked: how many times have we found that someone far down the corporate ladder has been at fault in a data breach because s/he wasn’t adequately trained and/or empowered? Privacy and security are everyone’s job.

  6. “… retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.”

  7. “… when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.”

  8. “… consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.” Don’t forget: with the Target data breach, the bad guys got access to the corporate data through a local HVAC dealer. Everything’s linked — for better or worse!

  9. “… companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.” Privacy and security are moving targets, and require constant vigilance.

  10. Avoid enabling unauthorized access and misuse of personal information.

  11. Don’t facilitate attacks on other systems. The very strength of the IoT in creating linkages and synergies between various data sources can also allow backdoor attacks if one source has poor security.

  12. Don’t create risks to personal safety. If you doubt that’s an issue, look at Ed Markey’s recent report on connected car safety.

  13. Avoid creating a situation where companies might use this data to make credit, insurance, and employment decisions. That’s the downside of cool tools like Progressive’s “Snapshot,” which can save us safe drivers on premiums: the same data on your actual driving behavior might some day become compulsory, and might be used to deny you coverage or increase your premium.

  14. Realize that the FTC’s Fair Information Practice Principles will be extended to the IoT. These “FIPPs,” including “notice, choice, access, accuracy, data minimization, security, and accountability,” have been around for a long time, so it’s understandable the FTC will apply them to the IoT. Most important ones? Security, data minimization, notice, and choice.

Not all of these issues will apply to all companies, but it’s better to keep all of them in mind, because your situation may change. I hope you’ll share these guidelines with your entire workforce: they’re all part of the solution — or the problem.

The #IoT Can Kill You! Got Your Attention? Car Security a Must

The Internet of Things can kill you.

Got your attention? OK, maybe this is the wake-up call the IoT world needs to make certain that privacy and security are baked in, not just afterthoughts.

I’ve blogged before about how privacy and security must be Job 1, but now it’s in the headlines because of a new report by our Mass. Senator, Ed Markey (Political aside: thanks, Ed, for more than 30 years of leadership — frequently as a voice crying in the wilderness — on the policy implications of telecom!), “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” about the dangers of not taking the issues seriously when it comes to smart cars.

I first became concerned about this issue when reading “Look Out, He’s Got a Phone!” (my personal nominee for all-time most wry IoT headline…), a litany of all sorts of horrific things, such as spoofing the low tire-pressure light on your car so you’ll pull over and the Bad Guys can get at you, or making the car stop dead at 70 mph, that are proven risks of un-encrypted automotive data. All too typical was the reaction of Schrader Electronics, which makes the tire sensors:

“Schrader Electronics, the biggest T.P.M.S. manufacturer, publicly scoffed at the Rutgers–South Carolina report. Tracking cars by tire, it said, is ‘not only impractical but nearly impossible.’ T.P.M.S. systems, it maintained, are reliable and safe.

“This is the kind of statement that security analysts regard as an invitation. A year after Schrader’s sneering response, researchers from the University of Washington and the University of California–San Diego were able to ‘spoof’ (fake) the signals from a tire-pressure E.C.U. by hacking an adjacent but entirely different system—the OnStar-type network that monitors the T.P.M.S. for roadside assistance. In a scenario from a techno-thriller, the researchers called the cell phone built into the car network with a message supposedly sent from the tires. ‘It told the car that the tires had 10 p.s.i. when they in fact had 30 p.s.i.,’ team co-leader Tadayoshi Kohno told me—a message equivalent to ‘Stop the car immediately.’ He added, ‘In theory, you could reprogram the car while it is parked, then initiate the program with a transmitter by the freeway. The car drives by, you call the transmitter with your smartphone, it sends the initiation code—bang! The car locks up at 70 miles per hour. You’ve crashed their car without touching it.’”

Hubris: it’ll get you every time….

So now Senator Markey lays out the full scope of this issue, and it should scare the daylights out of you — and, hopefully, Detroit! The report is compiled from responses by 16 car companies (BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo — hmm: one that didn’t respond was Tesla, which I suspect [just a hunch] really has paid attention to this issue because of its techno leadership) to letters Markey sent in late 2013. Here are the damning highlights from his report:

“1. Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.

2. Most automobile manufacturers were unaware of or unable to report on past hacking incidents.

3. Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.

4. Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all. (my emphasis)

5. Automobile manufacturers collect large amounts of data on driving history and vehicle performance.

6. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.

7. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.

8. Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.”

In short, the auto industry collects a lot of information about us, and doesn’t have a clue how to manage or protect it.

I’ve repeatedly warned before that one of the issues technologists don’t really understand, and/or scoff at, is public fears about privacy and security. Based on my prior work in crisis management, that can be costly — or fatal.

This report should serve as a bit of electroshock therapy to get them to realize that it’s not OK, as one of the speakers at the Wearables + Things conference said, that “we’ll get to privacy and security later.” (By “them” I mean not just auto makers but all IoT technologists: it’s called guilt by association, and most people tend to conflate fears rather than discriminate between them. Unless everyone in IoT takes privacy and security seriously, everyone may suffer the result [see below].) It’s got to be a priority from the get-go (more about this in a forthcoming post, where I’ll discuss the recent FTC report on the issue).

I’ve got enough to worry about behind the wheel, since the North American Deer Alliance is out to get me. Don’t make me worry about false tire pressure readings.


PS: there’s another important issue here that may be obscured: the very connectedness that is such an important aspect of the IoT. Remember that the researchers spoofed the T.P.M.S. system not through a frontal assault, but by attacking the roadside assistance system? The tire-pressure system acted on a message it had no way to authenticate, delivered over a telematics link that was never meant to be a path into it. It’s like the way Target’s computers were hacked via a small company doing HVAC maintenance. Moral of the story? No IoT system is safe unless all the ones linking to it are safe. For want of a nail … the kingdom was lost!
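The practitioner’s takeaway from the spoofed tire readings is that a receiver should never act on a single message it cannot authenticate. What follows is an added illustration in Python (my own example code, not from the original post or from the University of Washington / UC San Diego research) of a plausibility gate: it rejects readings that are out of range, replayed, or physically implausible relative to the last accepted reading, and it demands several consistent low readings before raising an alert. The psi range, the maximum believable drop rate and the confirmation count are assumed values for illustration, not manufacturer figures.

```python
"""Plausibility gate for tire-pressure readings arriving over an untrusted link.

Added example code; not from the original post or the UW/UCSD research.
The limits below are assumptions for illustration, not manufacturer values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PSI_RANGE = (0.0, 100.0)     # assumed: anything outside is not a real tire reading
MAX_DROP_PSI_PER_S = 2.0     # assumed: faster loss than this is a blowout, not a leak
LOW_PSI = 20.0               # assumed warning threshold
CONFIRMATIONS = 3            # consecutive low readings needed before acting


@dataclass
class TpmsGate:
    """Accepts readings one at a time and decides whether to act on them."""
    last: Optional[Tuple[float, float]] = None   # (timestamp_s, psi) of last accepted reading
    low_count: int = 0                           # consecutive accepted low readings
    rejected: List[str] = field(default_factory=list)

    def feed(self, ts: float, psi: float) -> str:
        """Return 'ok', 'rejected', 'pending' or 'alert' for one reading."""
        lo, hi = PSI_RANGE
        if not (lo <= psi <= hi):
            self.rejected.append(f"t={ts}: out-of-range value {psi}")
            return "rejected"
        if self.last is not None:
            last_ts, last_psi = self.last
            if ts <= last_ts:
                # Stale or replayed message: never let it overwrite newer state.
                self.rejected.append(f"t={ts}: timestamp not after {last_ts}")
                return "rejected"
            drop_rate = (last_psi - psi) / (ts - last_ts)
            if drop_rate > MAX_DROP_PSI_PER_S:
                # A 30 -> 10 psi change in one second is not a leak; treat as bad data.
                self.rejected.append(f"t={ts}: implausible drop {last_psi} -> {psi}")
                return "rejected"
        self.last = (ts, psi)
        if psi < LOW_PSI:
            self.low_count += 1
            return "alert" if self.low_count >= CONFIRMATIONS else "pending"
        self.low_count = 0
        return "ok"


def run(readings: List[Tuple[float, float]]) -> List[str]:
    """Feed a whole sequence through a fresh gate and return the decisions."""
    gate = TpmsGate()
    return [gate.feed(ts, psi) for ts, psi in readings]


if __name__ == "__main__":
    # Constructed input: steady tire, one spoofed "10 psi" message, a replayed
    # earlier timestamp, then genuine readings resume.
    spoofed = [(0.0, 30.0), (1.0, 30.0), (2.0, 10.0), (1.0, 10.0), (3.0, 30.0)]
    print(run(spoofed))            # ['ok', 'ok', 'rejected', 'rejected', 'ok']
    # Constructed input: a real slow leak is accepted and eventually alerts.
    leak = [(0.0, 30.0), (10.0, 25.0), (20.0, 19.0), (30.0, 17.0), (40.0, 15.0)]
    print(run(leak))               # ['ok', 'ok', 'pending', 'pending', 'alert']
```

A gate like this raises the bar against the crude “tell the car the tires are at 10 p.s.i.” message, but it is not authentication: an attacker who ramps the fake reading down slowly stays under the rate limit. It belongs alongside message authentication on the link between subsystems, not in place of it.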

IoT Security After “The Interview”

Posted on 22nd December 2014 in defense, Internet of Things, M2M, management, privacy, security, US government

Call me an alarmist, but in the wake of the “Interview” catastrophe (that’s how I see it in terms of both the First Amendment AND asymmetrical cyberwarfare), I see this as a clarion call to the #IoT industry to redouble efforts to make both security AND privacy Job #1.

Here’s the deal: if we want to enhance more and more parts of governmental, commercial, and private lives by clever IoT devices and apps to control them, then there’s an undeniable quid pro quo: we MUST make these devices and apps as secure as possible.

I remember some bright young entrepreneurs speaking at a recent wearables conference, where they apologized for not having put attention on privacy and security yet, saying they’d get to it early next year.

Nope.

Unacceptable.

Security must be built in from the beginning, and constantly upgraded as new threats emerge.  I used to be a corporate crisis manager, and one of the things that was so hard to convince left-brained, extremely rational engineers about was that just because fears were irrational didn’t mean they weren’t real — even the perception of insecure IoT devices and apps has the potential to kill the whole industry, or, as Vanity Fair‘s apocalyptic “Look Out, He’s Got a Phone” article documented, it could literally kill us. As in deader than a doornail.

This incident should have convinced us all that there are some truly evil people out there fixated on bringing us to our collective knees, and they have the tech savvy to do it, using tools such as Shodan. ‘Nuff said?

PS: Here’s what Mr. Cybersecurity, Bruce Schneier, has to say on the subject. Read carefully.

Global Warming: The IoT Can Help Fill Some of the Gap Due to Government Inaction

I won’t dwell on politics here, but 97% of scientists agree that global warming is real, and, according to the latest United Nations report this month, it is worse than ever. As the NYTimes summarized it:

“The gathering risks of climate change are so profound that they could stall or even reverse generations of progress against poverty and hunger if greenhouse emissions continue at a runaway pace, according to a major new United Nations report.” (my emphasis)

It should also be noted that the chances of significant government action to curb global warming during the next two years have vanished now that Senator James Inhofe will chair the Senate Environment and Public Works Committee (I won’t repeat any of the clap-trap he has said to deny global warming: look it up…).

While probably not enough to combat such a serious challenge, the Internet of Things will help fill the gap, by helping bring about an era of unprecedented precision in use of energy and materials.

Most important, the IoT is a critical component of “smart grid” electrical strategies, which are essential to reducing CO2 emissions.

According to the Environmental Defense Fund, “Because a smart grid can adjust demand to match intermittent wind and solar supplies, it will enable the United States to rely far more heavily on clean, renewable, home-grown energy: cutting foreign oil imports, mitigating the environmental damage done by domestic oil drilling and coal mining, and reducing harmful air pollution. A smart grid will also facilitate the switch to clean electric vehicles, making it possible to “smart charge” them at night when wind power is abundant and cheap, cutting another huge source of damaging air pollution.”

And then there’s generating electricity from conventional resources: GE, as part of its “industrial internet” IoT strategy, says that it will be able to increase its gas turbines’ operating efficiency (which it says generate 25% of the world’s electricity) by at least 1%.

Equally important, as I’ve written before, “precision manufacturing” through the IoT will also reduce not only use of materials, but also energy consumption in manufacturing.

In other important areas, the IoT can also help reduce global warming:

  • Agriculture: conventional farming is also a major contributor to global warming. “Climate-smart” agriculture, by contrast, reduces the inputs, including energy, needed while maximizing yield (Freight Farms, which converts old intermodal shipping containers into self-contained “Leafy Green Machine” urban farming systems, is a great example!).
  • IoT-based schemes to cut traffic congestion. As The Motley Fool (BTW, they’re big fans of the IoT as a smart investment opportunity) documents, “1.9 billion gallons of fuel is consumed every year from drivers sitting in traffic. That’s 186 million tons of unnecessary CO2 emissions each year just in the U.S.”

The Motley Fool concludes that, combined, a wide range of IoT initiatives can reduce carbon emissions significantly while increasing the economy’s efficiency:

“A recent report by the Carbon War Room estimates that the incorporation of machine-to-machine communication in the energy, transportation, built environment (its fancy term for buildings), and agriculture sectors could reduce global greenhouse gas emissions by 9.1 gigatons of CO2 equivalent annually. That’s 18.2 trillion pounds, or equivalent to eliminating all of the United States’ and India’s total greenhouse gas emissions combined, and more than triple the reductions we can expect with an extremely ambitious alternative energy conversion program.

“Increased communication between everything — engines, appliances, generators, automobiles — allows for instant feedback for more efficient travel routes, optimized fertilizer and water consumption to reduce deforestation, real-time monitoring of electricity consumption and instant feedback to generators, and fully integrated heating, cooling, and lighting systems that can adjust for human occupancy.”

It always amuses me that self-styled political conservatives are frequently the ones who are least concerned with conserving resources. Perhaps the IoT, by making businesses more efficient, and therefore more profitable, may be able to bring political conservatives into the energy efficiency fold!

It’s Time for IoT-enabled “Real-Time” Regulation

Pardon me, but I still take the increasingly-unfashionable view that we need strong, activist government, to protect the weak and foster the public interest.

That’s why I’m really passionate about the concept (for what it’s worth, I believe I’m the first to propose this approach)  that we need Internet of Things enabled “real-time regulation” that wouldn’t rely on scaring companies into good behavior through the indirect means of threatening big fines for violations, but could actually minimize, or even avoid, incidents from ever happening, while simultaneously improving companies’ operating efficiency and reducing costly repairs. I wrote about the concept in today’s O’Reilly SOLID blog — and I’m going to crusade to make the concept a reality!

I first wrote about “real-time” regulation before I was really involved in the IoT: right after the BP Gulf blow-out, when I suggested that:

“The … approach would allow officials to monitor in real time every part of an oil rig’s safety system. Such surveillance could have revealed the faulty battery in the BP rig’s blowout preventer and other problems that contributed to the rig’s failure. A procedure could have been in place to allow regulators to automatically shut down the rig when it failed the pressure test rather than leaving that decision to BP.”

Since then I’ve modified my position about regulators necessarily having first-hand access to the real-time data, realizing that any company with half a brain, as soon as it saw data indicating that a problem might be developing (as opposed to having already happened, which was too often the case in the past), would take the initiative to shut down the operation ASAP to make a repair, saving itself the higher cost of dealing with a catastrophic failure.

As far as I’m concerned, “real-time regulation” is a win-win:

  • by installing the sensors and monitoring them all the time (typically, only the exceptions to the norm would be reported, to reduce data processing and the attention the data requires) the company would be able to optimize production and distribution all the time (see my piece on “precision manufacturing”).
  • repair costs would be lower: “predictive maintenance” based on real-time information on equipment’s status is cheaper than emergency repairs.
  • the public interest would be protected, because many situations that have resulted in disasters in the past would instead be avoided, or at least minimized.
  • the cost of regulation would be reduced while its effectiveness would be increased: at present, we must rely on insufficient numbers of inspectors who make infrequent visits: catching a violation is largely a matter of luck. Instead, the inspectors could monitor the real-time data and intervene instantly– hopefully in time to avoid an incident.
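To make the “only the exceptions are reported” idea above, and the automatic shutdown on a failed pressure test from the BP quote, concrete, here is an added example in Python (my own illustration, not code from the original post or from the O’Reilly SOLID piece). A reporter keeps an exponentially weighted running baseline of a sensor and emits a report only when a reading departs from it; a separate hold-test rule turns a pressure trace into a continue/shutdown decision. The sampling, smoothing weight, warm-up length, deviation limit and hold-test tolerance are all assumed values chosen for illustration.

```python
"""Exception-only reporting over a sensor stream, plus a hold-test shutdown rule.

Added example code; not from the original post or the O'Reilly SOLID piece.
Readings are assumed to be evenly sampled; the smoothing weight, warm-up
length, deviation limit and hold-test tolerance are illustrative values.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExceptionReporter:
    """Tracks an EWMA baseline and reports only readings that depart from it."""
    alpha: float = 0.2          # EWMA weight for new samples (assumed)
    warmup: int = 5             # samples to learn the baseline before judging
    sigma_limit: float = 3.0    # report when |x - mean| exceeds this many std devs
    min_std: float = 0.5        # floor so a perfectly flat baseline does not flag noise
    mean: Optional[float] = None
    var: float = 0.0
    n: int = 0
    reports: List[str] = field(default_factory=list)

    def observe(self, x: float) -> bool:
        """Fold one sample into the baseline; return True if it was reported."""
        self.n += 1
        if self.mean is None:
            self.mean = x
            return False
        dev = x - self.mean
        std = max(self.var ** 0.5, self.min_std)
        if self.n > self.warmup and abs(dev) > self.sigma_limit * std:
            self.reports.append(f"sample {self.n}: {x:.2f} vs baseline {self.mean:.2f}")
            return True        # excursions are reported, not folded into the baseline
        self.mean += self.alpha * dev
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * dev * dev)
        return False


def exceptional_indices(readings: List[float]) -> List[int]:
    """Run a stream through a fresh reporter; return indices that were reported."""
    rep = ExceptionReporter()
    return [i for i, x in enumerate(readings) if rep.observe(x)]


def hold_test(pressures: List[float], max_drop: float) -> str:
    """Automatic decision for a pressure hold test: 'continue' or 'shutdown'.

    The test passes only if pressure never falls more than max_drop below
    its starting value; a failing test trips shutdown instead of waiting
    for a human to interpret the chart.
    """
    start = pressures[0]
    return "continue" if all(start - p <= max_drop for p in pressures) else "shutdown"


if __name__ == "__main__":
    # Constructed stream: a steady reading with small noise and one spike.
    stream = [100.0, 100.4, 99.6, 100.2, 99.8, 100.1, 99.9, 130.0, 100.0]
    print(exceptional_indices(stream))                 # [7]
    print(hold_test([5000.0, 4995.0, 4990.0], 50.0))   # continue
    print(hold_test([5000.0, 4900.0, 4700.0], 50.0))   # shutdown
```

Two design choices matter here. The excursion is reported but not folded into the baseline, so a sustained fault keeps being reported rather than quietly becoming the new normal; and the hold test is a rule the plant can apply on its own, which is exactly the “shut down before the inspector arrives” behaviour the regulation argument depends on. Whether the operator or the regulator sees the resulting reports is a policy question the code does not settle.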

Even though the IoT is not fully realized (Cisco says only 4% of “things” are linked at present), that’s not true of the kind of high-stakes operation we’re most concerned with. GE now builds about 60 sensors into every jet engine, realizing new revenues by providing the real-time data to customers, while being able to improve design and maintenance by knowing exactly what’s happening right now to the engines. Union Pacific has cut dangerous and costly derailments due to bearing failures by 75% by placing sensors along the trackbed.

As I said in the SOLID post, it’s time that government begin exploring the “real-time regulation” alternative.  I’m contacting the tech-savvy Mass. delegation, esp. Senators Markey and Warren, and will report back on my progress toward making it a reality!