Monthly Archives: December 2017

Fixing the IoT problem

Being worried that my new fridge would unilaterally put me on a diet, having read about criminals compromising cars’ keyless entry systems, and having seen the video of that Jeep being run off the road after its engine management system had been remotely compromised, I asked my vehicle’s manufacturer whether my car was firewalled.

The answer was no, but I need not worry because everything was encrypted. Ditto with the fridge, washing machine, central heating and my burglar alarm system. Well, if encryption were the answer, then we would not have suffered fridges being compromised to send spam, or cars being driven off the road. Before fixing a problem, you need to understand it!
Anything to do with IT security tends to be based around the CIA triad of confidentiality, integrity and availability. The internet of things (IoT) is no different. My house is effectively firewalled through my router and any internal devices connected to my private home network are behind this firewall.
Because it is a software firewall, it is not the best protection in the world and any weaknesses will be known to the hackers, but much like a burglar alarm, it may send them elsewhere where the pickings are easier. Likewise, my attached computing devices have their own firewalls, so access to them now requires the hacker to circumvent two firewalls. Nothing like a bit of protection in depth.
But what about my other devices, such as the central heating, fridge, coffee machine and burglar alarm? Here the protection is weaker in that they are totally reliant on the firewall in my router, plus the standard one-factor authentication at log-in. So, confidentiality is undoubtedly a problem, but what about integrity and availability? The compromised fridge sending spam emails illustrates the integrity problem.

Altered state
If code can be so easily amended or overwritten, then almost any connected device can be altered to do whatever the hacker wants it to do. It is, after all, based on a general-purpose chip. The final part of the triad, availability, is a key factor for my central heating and burglar alarm. I can probably manage with the fridge or coffee machine being disconnected from the internet, but not these.

Management techniques
Now that we know what the problems are, let us examine what the solutions may be. Basically, we need to apply risk management techniques, but with a skew towards the consequence part of the equation, rather than the likelihood.

Keeping it confidential
Having dealt with availability and integrity, I now come to the problem of confidentiality, which is all about identification, authentication and privilege allocation. Most devices will be using a chip containing an operating system and an application. Control of the OS will provide control over the application, so protection here is paramount.

Future of speech tech

Systems like Siri and Cortana are now everyday helpers. But the apparent popularity of speech based interfaces belies the fact that comparatively few languages can be processed using current natural language processing technologies.

English, because of its popularity and the fact that it’s spoken by many academics, has been the focus of most machine learning research. Millions of people, Dr Sharon Goldwater says, are missing out on the advantages speech tech offers and she hopes her research will redress this imbalance.

The 2016 Needham Lecture
Dr Goldwater is a Reader at the University of Edinburgh’s School of Informatics and the winner of the 2016 Roger Needham award – an award made annually for distinguished research contributions in computer science by a UK based researcher. Along with the award, the winner is given the opportunity to give a public lecture.
Dr Goldwater’s talk was called ‘Language learning in humans and machines: making connections to make progress.’ Explaining where she hopes her research will lead, she says: ‘There are languages in Africa that have millions of speakers, yet there’s zero language technology. Especially in areas with low literacy, developing speech technology would be very useful – users could call up on their mobile phone, ask a question and get a spoken response. Using current technology, that’s not possible.’

Fascinated by how words work
‘I’m interested in how computational systems can learn language,’ says Goldwater as she begins to explain her work. ‘And when I say computational system, it could be an actual computer or it could be the human mind – which I think of as a computational system too. It receives input, does some sort of computation and produces output.’
‘When you say you’re interested in language,’ she observes, ‘people always say “oh, so you want to be a writer or you’re interested in literature”. That’s not what I’m interested in. I’ve always been fascinated by the structural nature of language. What is it that makes Russian different from English? That’s what linguists are interested in – the scientific study of language.’

An everyday revolution
Natural language processing is something of a hot topic in the tech industry. With the arrival of Siri, Cortana and their cousins, people are becoming increasingly comfortable talking to their devices – in much the same way they became accustomed to touch based interfaces a few years ago. Of course, that’s not always been the case. ‘Not so long ago NLP was a very niche subject,’ Dr Goldwater says. ‘If I tried to tell anybody what I was involved in – even if they worked in computer science – they had no idea what I was talking about,’ she laughs. ‘Now the number of people turning up to conferences has increased massively.’

Make IT work

Business need drives software development; that’s why concepts like agile and extreme programming have become so popular; they allow development effort to be targeted towards what will really deliver business benefit.

And that’s great if you’re working on powerful servers, with mature platforms, using frameworks that have been developed and refined over years – you know that the security is already there from all that prior experience, even if the product is only at the ‘make it work’ stage.

But when we’re looking at IoT devices, with their small processing footprint, and myriad operating systems, there’s not always a lot of room for security, and the development focus tends to go on what customers pay for – functionality. At the moment, it’s enough that you can switch the light on with your phone.

The software running on many IoT devices right now certainly ‘works’, but is it ‘right’? What if others can switch your light on with their phones? As enterprise IT professionals implementing new technologies, these are the kinds of questions we’re more interested in. What risks are introduced by installing these devices in our infrastructure? And how do we handle those risks?

There are many different technologies in use in the world of IoT right now and in some cases IT departments may find they are simply not involved in an IoT implementation in their business. Hence, we need to arm ourselves with a practical, constructive approach to deal with common risk factors.

Are there standards we can make use of?
While international standards for an organisational approach to information security, such as ISO 27001, have been around for a good number of years now, a similar software-level standard has been more difficult to get in place. ISO 27034 (application security) may go some way to meeting this need but is currently incomplete.

Looking specifically at IoT devices, there are numerous frameworks and platforms to assist with interoperability – Apple’s HomeKit is probably the most well-known but this is targeted at the consumer market rather than business; all the usual players like Amazon, Google, IBM and Microsoft provide IoT integration frameworks; there are also many open source options.

Managing the risks
Many of us in IT won’t come near to the internal workings of IoT devices. But we’ve all got a duty to ensure we manage the risks facing our businesses, and make sure we, the manufacturers and vendors, don’t just ‘make it work’, we all ‘make it secure’.

Monetising the IoT

The internet of things (IoT) is exciting but simply adding sensors to every piece of equipment or every location, from shop floors to petrol pumps, is not going to change the world. While a predicted 20 billion connected devices will be in place by 2020, how many businesses yet truly understand how this connected world will drive new value and create new revenue streams?

The IoT conundrum
It is hard to find any piece of equipment that can’t be hooked up to the all-consuming IoT. The problem is that while these devices are low cost, they are also low value unless organisations find a way to capture and leverage the created data. And these devices, by their sheer number, are generating huge volumes of data.
How many organisations will have the required in house infrastructure to store or analyse this information? Or the people with the skills to determine how best to leverage this data to drive real business value? This IoT-enabled data revolution is not just about finding ways to drive business efficiency or improve customer service; it is about creating data streams that underpin new collaborative business models and can be actionably monetised.

Data driven experience
Of course, many organisations have been capturing machine data for years. Petrol stations, for example, have pump event logs that track every time a pump is picked up and how much fuel is used. Fuel, however, is just one part of the overall customer basket and represents a fraction of profitable revenue. It is the complete customer journey that is key – and linking pump activity to the rest of the customer basket can provide a chance to gain far more customer understanding and hence drive incremental sales.

Understanding value
Of course, with so much potential IoT-driven information and so many different areas to explore, it is tough for companies to prioritise and understand how best to derive value from this data. IoT is not a magic bullet; nor is big data analytics. And only a tiny minority of the very largest companies can justify a multi-million pound investment in the infrastructure, tools and analytics skills required to understand and prioritise the new business opportunities.

New data driven revenue streams
IoT is revolutionary, but not in the way perceived by many organisations today. According to Gartner, growing numbers of businesses will be able to use IoT analytics to drive significant revenue streams. Organisations that have never considered the chance to monetise their data now have the opportunity to mine these rich new data seams. Indeed, many of what have traditionally been core business processes could soon be superseded in value by the monetisation of IoT provided information.