Liveblogging from Internet of Things Global Summit

Critical Infrastructure and IoT

Robert Metzger, Shareholder, Rogers Joseph O’Donnell 

  • a variety of constraints to direct government involvement in IoT
  • regulators: doesn’t trust private sector to do enough, but regulation tends to be prescriptive.
  • NIST can play critical role: standards and best practices, esp. on privacy and security.
  • Comparatively, any company knows more about potential and liabilities of IoT than any government body. Can lead to bewildering array of IoT regulations that can hamper the problem.
  • Business model problem: security expensive, may require more power, add less functionality, all of which run against incentive to get the service out at lowest price. Need selective regulation and minimum standards. Government should require minimum standards as part of its procurement. Government rarely willing to pay for this.
  • Pending US regulation shows constant tension between regulation and innovation.

             2017 IoT Summit

Gary Butler, CEO, Camgian 

  • Utah cities network embedding sensors.
  • Scalability and flexibility needed. Must be able to interface with constantly improving sensors.
  • Expensive to retrofit sensors on infrastructure.
  • From physical security perspective: cameras, etc. to provide real-time situational awareness. Beyond human surveillance. Add AI to augment human surveillance.
  • “Dealing with ‘data deluge.'”  Example of proliferation of drones. NIST might help with developing standards for this.
  • Battery systems: reducing power consumption & creating energy-dense batteries. Government could help. Government could also be a leader in adoption.

 

Cyber-Criminality, Security and Risk in an IoT World

John Carlin, Chair, Cybersecurity & Technology Program, Aspen Institute

  • Social media involved in most cyberwar attacks & most perps under 21.  They become linked solely by social media.
  • offensive threats far outstrip defenses when it comes to data
  • now we’re connecting billions of things, very vulnerable. Add in driverless cars & threat even greater. Examples: non-encrypted data from pacemakers, and the WIRED Jeep demo.

Belisario Contreras, Cyber Security Program Manager, Organization of American States

  • must think globally.
  • criminals have all the time to prepare, we must respond within minutes.
  • comprehensive approach: broad policy framework in 6 Latin American countries.

Samia Melhem, Global Lead, Digital Development, World Bank

  • projects: she works on telecommunications and transportation investing in government infrastructure in these areas. Most of these governments have been handicapped by lack of funding. Need expert data integrators. Integrating cybersecurity.

Stephen Pattison, VP Public Affairs, ARM

  • (yikes, never thought about this!) cyberterrorist hacks self-driving car & drives it into a crowds.
  • many cyber-engineers who might go to dark side — why hasn’t this been studied?
  • could we get to point where IoT-devices are certified secure (but threats continually evolve. Upgradeability is critical.
  • do we need a whistleblower protection?
  • “big data starts with little data”

Session 4: Key Policy Considerations for Building the Cars of Tomorrow – What do Industry Stakeholders Want from Policymakers?

Ken DiPrima, AVP New Product Development, IoT Solutions, AT&T

  • 4-level security approach: emphasis on end-point, locked-down connectivity through SIM, application level …
  • deep in 5-G: how do you leverage it, esp. for cars?
  • connecting 25+ of auto OEMs. Lot of trials.

Rob Yates, Co-President, Lemay Yates Associates

  • massive increase in connectivity. What do you do with all the data? Will require massive infrastructure increase.

Michelle Avary, Executive Board, FASTR, VP Automotive, Aeris

  • about 1 Gig of data per car with present cars. Up to 30 with a lot of streaming.
  • don’t need connectivity for self-driving car: but why not have connectivity? Also important f0r the vehicle to know and communicate its physical state. Machine learning needs data to progress.
  • people won’t buy vehicles when they are really autonomous — economics won’t support it, will move to mobility as a service.

Paul Scullion, Senior Manager, Vehicle Safety and Connected Automation, Global Automakers

  • emphasis on connected cars, how it might affect ownership patterns.
  • regulatory process slow, but a lot of action on state level. “fear and uncertainty” on state level. Balance of safety and innovation.

Steven Bayless, Regulatory Affairs & Public Policy, Intelligent Transportation Society of America

  • issues: for example, can you get traffic signals to change based on data from cars?
  • car industry doesn’t have lot of experience with collaborative issues.

How Are Smart Cities Being Developed and Leveraged for the Citizen?

Sokwoo Rhee, Associate Director of Cyber-Physical Systems Program, National Institute of Standards and Technology (NIST)

  • NIST GCTC Approach: Smart and Secure Cities. Partnered with Homeland Security to bring in cybersecurity & privacy at the basis of smart city efforts “Smart and Secure Cities and Communities Challenge”

Bob Bennett, Chief Innovation Officer, City of Kansas, MO

  • fusing “silos of awesomeness.”
  • 85% of data you need for smart cities already available.
  • “don’t blow up silos, just put windows on them.”
  • downtown is 53 smartest blocks in US
  • can now do predictive maintenance on roads
  • Prospect Ave.: neighborhood with worst problems. Major priority.
  • great program involving multiple data sources, to predict and take care of potholes — not only predictive maintenance but also use a new pothole mix that can last 12 years 
  • 122 common factors all cities doing smart cities look at!
  • cities have money for all sorts of previously allocated issues — need to get the city manager, not mayor, to deal with it
  • privacy and security: their private-sector partner has great resoures, complemented by the city’s own staff.

Mike Zeto, AVP General Manager, IoT Solutions, AT&T

  • THE AT&T Smart Cities guy. 
  • creating services to facilitate smart cities.
  • energy and utilities are major focus in scaling smart cities, including capital funding. AT&T Digital Infrastructure (done with GE) “iPhone for cities.”
  • work in Miami-Dade that improved public safety, especially in public housing. Similar project in Atlanta.
  • privacy and security: their resources in both have been one of their strengths from the beginning.

Greg Toth, Founder, Internet of Things DC

  • security issues as big as ever
  • smart city collaboration booming
  • smart home stagnating because early adopter boom over, value not sure
  • Quantified-Self devices not really taking hold (yours truly was one of very few attendees who said they were still using their devices — you’d have to tear my Apple Watch off).
  • community involvement greater than ever
  • looming problem of maintaining network of sensors as they age
  • privacy & security: privacy and security aren’t top priorities for most startups.

DAY TWO:

IoT TECH TALKS

  • Dominik Schiener, Co-Founder , IOTA speaking on blockchain
    • working with IoT version of blockchain for IoT — big feature is it is scaleable
    • why do we need it?  Data sets shared among all parties. Each can verify the datasets of other participants. Datasets that have been tampered are excluded.
    • Creates immutable single source of truth.
    • It also facilitates payments, esp. micropayments (even machine to machine)
    • Allows smart contracts. Fully transparent. Smart and trustless escrow.
    • Facilitates “machine economy”
    • Toward “smart decentralization”
    • Use cases:
      • secure car data — VW. Can’t be faked.
      • Pan-European charging stations for EVs. “Give machines wallets”
      • Supply chain tracking — probably 1st area to really adopt blockchain
      • Data marketplace — buy and sell data securely (consumers can become pro-sumers, selling their personal data).
      • audit trail. https://audit-trail.tangle.works
  • DJ Saul, CMO & Managing Director, iStrategyLabs IoT, AI and Augmented Reality
    • focusing on marketing uses.

Raising the bar for federal IoT Security – ‘The Internet of Things Cybersecurity Improvement Act’

  • Jim Langevin, Congressman, US House of Representatives
    • very real threat with IoT
    • technology outpacing the law
    • far too many manufacturers don’t make security a priority. Are customers aware?
    • consumers have right to know about protections (or lack thereof)
    • “failure is not an option”
    • need rigorous testing
  • Beau Woods, Deputy Director, Cyber Statecraft Initiative, Atlantic Council
    • intersection of cybersecurity & human condition
    • dependence on connected devices growing faster than our ability to regulate it
    • UL developing certification for medical devices
    • traceability for car parts
  • John Marinho, Vice President Cybersecurity and Technology, CTIA
    • industry constantly evolving global standards — US can’t be isolated.
    • cybersecurity with IoT must be 24/7. CTIA created an IoT working group, meets every two weeks online.
    • believe in public/private partnerships, rather than just regulatory.

Session 9: Meeting the Short and Long-Term Connectivity Requirements of IoT – Approaches and Technologies

  •  Andreas Geiss, Head of Unit ‘Spectrum Policy’, DG CONNECT, European Commission
    • freeing up a lot of spectrum, service neutral
    • unlicensed spectrum, esp. for short-range devices. New frequency bands. New medical device bands. 
    • trying to work with regulators globally to allow for globally-usable devices.
  • Geoff Mulligan, Chairman, LoRa Alliance; Former Presidential Innovation Fellow, The White House
    • wireless tradeoffs: choose two — low power/long distance/high speed.
    • not licensed vs. unlicensed spectrum. Mix of many options, based on open standards, all based on TCP/IP
    • LPWANs:
      • low power wide area networks
      • battery operated
      • long range
      • low cost
      • couple well with satellite networks
    • LoRaWAN
      • LPWAN based on LoRa Radio
      • unlicensed band
      • open standards base
      • openly available
      • open business model
      • low capex and opex could covered entire country for $120M in South Korea
      • IoT is evolutionary, not revolutionary — don’t want to separate it from other aspects of Internet
  • Jeffrey Yan, Director, Technology Policy, Microsoft
    • at Microsoft they see it as critical for a wide range of global issues, including agriculture.
  • Charity Weeden, Senior Director of Policy, Satellite Industry Association
    • IoT critical during disasters
    • total architecture needs to be seamless, everywhere.
  • Andrew Hudson, Head of Technology Policy, GSMA
    • must have secure, scalable networks

Session 10: IoT Data-Ownership and Licencing – Who Owns the Data?

  • Stacey Gray, Policy Lead IoT, Future Privacy Forum 
    • consumer privacy right place to begin.
    • need “rights based” approach to IoT data
    • at this point, have to show y0u have been actually harmed by release of data before you can sue.
  • Patrick Parodi, Founder, The Wireless Registry
    • focus on identity
    • who owns SSID identities? How do you create an identity for things?
  • Mark Eichorn, Assistant Director, Division of Privacy and Identity Protection, Federal Trade Commission 
    • cases involving lead generators for payday loan. Reselling personal financial info.
  • Susan Allen, Attorney-Advisor, Office of Policy and International Affairs, United States Patent & Trademark Office 
    • focusing on copyright.
    • stakeholders have different rights based on roles
  • Vince Jesaitis, Director, US Public Affairs, ARM
    • who owns data depends on what it is. Health data very tough standards. Financial data much more loose.
    • data shouldn’t be treated differently if it comes from a phone or a browser.
    • industrial side: autonomous vehicle data pretty well regulated.  Pending legislation dealing with smart cities emphasis open data.

Give It Up, People: Government Regulation of IoT Is Vital

Could this be the incident that finally gets everyone in the IoT industry to — as I’ve said repeatedly in the past — make privacy and security Job 1 — and to drop the lobbying groups’ argument that government regulation isn’t needed? 

I hope so, because the IoT’s future is at stake, and, frankly, not enough companies get it.

I’m referring to the Chrysler recall last week of 1.4 million Jeeps for a security patch after WIRED reported on an experiment in which two white-hat hackers remotely disabled a Jeep on an Interstate from miles away, exploiting a vulnerable link between its entertainment and control systems.  Put yourself in the place of reporter Andy Greenberg, then tell me with a straight face that you wouldn’t be out of your mind if this happened to you:

“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek [one of the hackers] shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.”

OK: calm down, get a cool drink, and, when your Apple Watch says your heart beat has returned to normal, read on….

But, dear reader, our industry’s leaders, assumedly knowing the well-publicized specifics of the Chrysler attack, had the hubris to still speak at a hearing of the Internet Subcommittee of the House of Representatives Judiciary Committee last week and claim (according to CIO) that that government regulation of the IoT industry wasn’t needed.

CEA CEO Gary Shapiro said in calling for government “restraint”:

“It’s up to manufacturers and service providers to make good decisions about privacy and security, or they will fail in the marketplace….. Industry-driven solutions are best to promote innovation while protecting consumers.”

Sorry, Gary: if someone dies because their Jeep got spoofed, the survivors’ attorneys won’t be content with the company’s failure in the marketplace.

There are some important collaborative efforts to create privacy and security standards for the IoT, such as the AllSeen Alliance. However, as I’ve written before, there are also too many startups who defer building in privacy and security protections until they’ve solved their technology needs, and others, most famously TRENDnet, who don’t do anything at all, resulting in a big FTC fine.  There are simply too many examples of hackers using the Shodan site to hack into devices, not to mention academics and others who’ve showed security flaws that might even kill you if exploited.

One local IoT leader, Paddy Srinivasan of LoMein, gets it, as reported today by the Boston Globe‘s Hiawatha Bray:

“‘I think it is a seminal moment…. These new devices need a fresh approach and a new way of thinking about security, and that is the missing piece.'”

But it’s too late to just talk about self-policing.

Massachusetts’ own Ed Markey and his Connecticut counterpart, Richard Blumenthal, have called the associations’ bluff, and filed legislation, The Security and Privacy in Your Car Act (AKA SPY Car, LOL)  that would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy. It would also create a rating system — or “cyber dashboard”— telling drivers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. This comes in the wake of the Markey study I reported on last Winter documenting car companies’ failure to build in adequate cyber-hacking protections.

Guess what, folks?  This is only the beginning.  Probably the only thing I’ve ever agreed with Dick Cheney on (ok, we agree it’s cool to have been born in Wyoming and that Lynne Cheney is a great writer), is that it wouldn’t be cool for the Veep to have his pacemaker hacked, so you can bet there will be legislation and regulations soon governing privacy and security for wearables as well.

As I’ve said before, I come at this issue differently from a lot of engineers, having earned my keep for many years doing crisis management for Fortune 100 companies that bet the farm by doing dumb things that could destroy public trust in them overnight. Once lost, that trust is difficult, if not impossible, to regain.  Even worse, in this case, cavalier attitudes by even one IoT company, if the shock value of the results is great enough, could make everyone in the industry suffer.

So, if you’re arguing for no regulation of the IoT industry, I have just one suggestion: shut up,clean up your act and take a positive role in shaping regulations that would be performance-based, not prescriptive: the horse has already left the barn.

Now I have to check my Apple Watch to see when my heart rate will get back to normal.

 

FTC report provides good checklist to design in IoT security and privacy

FTC report on IoT

FTC report on IoT

SEC Chair Edith Ramirez has been pretty clear that the FTC plans to look closely at the IoT and takes IoT security and privacy seriously: most famously by fining IoT marketer TrendNet for non-existent security with its nanny cam.

Companies that want to avoid such actions — and avoid undermining fragile public trust in their products and the IoT as a whole — would do well to clip and refer to this checklist that I’ve prepared based on the recent FTC Report, Privacy and Security in a Connected World, compiled based on a workshop they held in 2013, and highlighting best practices that were shared at the workshop.

  1. Most important, “companies should build security into their devices at the outset, rather than as an afterthought.” I’ve referred before to the bright young things at the Wearables + Things conference who used their startup status as an excuse for deferring security and privacy until a later date. WRONG: both must be a priority from Day One.

  2. Conduct a privacy or security risk assessment during design phase.

  3. Minimize the data you collect and retain.  This is a tough one, because there’s always that chance that some retained data may be mashed up with some other data in future, yielding a dazzling insight that could help company and customer alike, BUT the more data just floating out there in “data lake” the more chance it will be misused.

  4. Test your security measures before launching your products. … then test them again…

  5. “..train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.” This one is sooo important and so often overlooked: how many times have we found that someone far down the corporate ladder has been at fault in a data breach because s/he wasn’t adequately trained and/or empowered?  Privacy and security are everyone’s job.

  6. “.. retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.”

  7. ‘… when companies identify significant risks within their systems, they should implement a defense-in -depth approach, in which they consider implementing security measures at several levels.”

  8. “… consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.” Don’t forget: with the Target data breach, the bad guys got access to the corporate data through a local HVAC dealer. Everything’s linked — for better or worse!

  9. “.. companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.”  Privacy and security are moving targets, and require constant vigilance.

  10. Avoid enabling unauthorized access and misuse of personal information.

  11. Don’t facilitate attacks on other systems. The very strength of the IoT in creating linkages and synergies between various data sources can also allow backdoor attacks if one source has poor security.

  12. Don’t create risks to personal safety. If you doubt that’s an issue, look at Ed Markey’s recent report on connected car safety.

  13. Avoid creating a situation where companies might use this data to make credit, insurance, and employment decisions.  That’s the downside of cool tools like Progressive’s “Snapshot,” which can save us safe drivers on premiums: the same data on your actual driving behavior might some day be used become compulsory, and might be used to deny you coverage or increase your premium).

  14. Realize that FTC Fair Information Practice Principles will be extended to IoT. These “FIPPs, ” including “notice, choice, access, accuracy, data minimization, security, and accountability,” have been around for a long time, so it’s understandable the FTC will apply them to the IoT.  Most important ones?  Security, data minimization, notice, and choice.

Not all of these issues will apply to all companies, but it’s better to keep all of them in mind, because your situation may change. I hope you’ll share these guidelines with your entire workforce: they’re all part of the solution — or the problem.