The Internet of Things (IoT) Opportunities and Risks

Session No. 744

The ‘Internet of Things’ (IoT) – Opportunities and Risks

David Loomis, CSP

Risk Specialist

Chubb Group of Insurance Companies

Brian Wohnsiedler, CSP

Risk Specialist

Chubb Group of Insurance Companies

Introduction

Recent developments in connectivity technologies have spurred the adoption of internet-connected “smart” devices for remote sensing, actuating, and intelligent monitoring using advanced analytics and real-time data processing, a trend often referred to as the ‘Internet of Things’ (IoT). The Internet of Things has the power to streamline our jobs and our lives and, ultimately, to save companies and society money, but it also brings with it new operational exposures ranging from privacy to property protection. Gartner, Inc. estimates that the IoT, which excludes PCs, tablets and smartphones, will grow to 26 billion units installed in 2020, representing an almost 30-fold increase from 0.9 billion in 2009.1

Stuxnet, a 500-kilobyte computer worm that infected at least 14 industrial sites in Iran, was the wakeup call for many on the potential vulnerabilities associated with connected technologies. However, recent incidents have demonstrated that vulnerabilities still exist, in a world that is more connected than it was in 2010. A German steel factory in 2014 experienced a cyber-attack initiated after system information was obtained as a result of spear phishing, resulting in numerous systems failures that led to the improper shutdown of a blast furnace, causing extensive property damage. Google’s Sydney, Australia office building management system was successfully attacked by security firm Cylance, giving Cylance the ability to control all building systems. Consumer products, such as baby monitors, have frequently been the target of attacks, providing access to both voice and video to the cyber attacker.

Risk management is a core business activity of all enterprises, large and small. Safety professionals are often directly responsible for operational risk management or are consulted on operational issues by senior management. Therefore, the modern safety professional must be educated on emerging hazards, the ‘Internet of Things’ being foremost among them. The safety professional must be able to work with “the business” and IT to understand, assess, and manage the risks associated with the Internet of Things.


Internet of Things – Breadth and Depth

The Internet of Things is more than just a buzz word; it is a transformative blending of technology, systems, sensors, connectivity and users. A common technical definition of the IoT is the networking of physical objects through the use of embedded sensors, actuators, and other devices that can collect or transmit information about the objects. The IoT system has the ability to amass data from these devices that can be analyzed to optimize products, services, and operations.

One of the earliest and best-known applications of connected technology has occurred in energy optimization, with sensors deployed across the electricity grid to help utilities remotely monitor energy usage and adjust generation and distribution flows to account for peak times and downtimes. Today, the list of devices and systems that leverage the IoT is substantial and growing, to include:

Connected Homes: Smart thermostats, Smart appliances, HVAC systems, Smart lighting, Security systems

Wearables: Fitness bands, Smart watches, Smart glasses, Action cameras

Industrial Systems: Real time analytics, Factory automation, Robotics, Supply Chain Efficiency

Municipalities: Smart meter technology, Smart traffic lights, Smart parking meters, Electric vehicle charging

Transportation: Collision avoidance systems, Vehicle diagnostics, Information and navigation, Fleet management

Medical: Pill shaped micro-cameras, Connected implantable devices, Vital signs monitoring

From consumers to industry to municipalities, connected devices and systems have become a necessity of modern society.

A very useful way to further refine our thinking about IoT applications is to break them down into two broad categories, ‘Information and Analysis’ and ‘Automation and Control’.2 Under those broad categories, there are three subcategories that further refine the understanding of the application.

2 McKinsey Quarterly, The Internet of Things, March 2010.

[Figure: IoT application categories – Information and Analysis; Automation and Control. Source: http://www.mckinsey.com]

The IoT holds great promise, and appears poised to transform our society, but caution is warranted as there are many potential security, legal and societal pitfalls to consider.

Internet of Things – Risks

A report recently released by HP Research found substantial security and privacy concerns with IoT sensors and other devices. The findings included:

• Privacy concerns: Eight of the 10 devices tested collected and retained some personal data.

• Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing passwords such as “1234.”

• Lack of transport encryption: 70 percent of IoT devices analyzed did not encrypt communications to the internet and local network.

• Insecure web interface: Six of the 10 devices evaluated raised security concerns.

• Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates.

System Security

By definition, products and systems that leverage the IoT are connected, not just to their various components, but to the networks and IT infrastructure of their users. This connectivity very often provides a possible connection pathway that is outside the control of the user, either through the internet or through a vulnerable means of transmission such as wireless. Recent security failures, such as the German steel factory incident in 2010, highlight the complexity and urgency of security in an IoT world, as this incident combined social engineering with security exploits.

Security, regardless of the complexity of the systems, comes down to the same basic fundamentals:

Culture of Security – You should expect imperfect users, but the user base can be improved and ‘hardened’ through training and enforced security procedures.

Assess the Risk – Understand what sensitive data and systems are vulnerable and the consequences if the security of those systems is compromised. Evaluate the vulnerabilities in your system and the potential breach pathways.

Defense in Depth – Security measures should be implemented at multiple levels.

Audit – Utilize both internal and external resources to evaluate the adequacy of your system security. This could include intrusion detection systems, patch management systems, data flow analysis and external penetration testing.

Product Design

The Federal Trade Commission (FTC) recently released a booklet directed at manufacturers of connected consumer products, titled ‘Careful Connections: Building Security in the Internet of Things’. The fact that a federal government agency released this booklet should be considered a clear indication that there are widespread security problems with IoT devices, that the federal government is looking at regulations to address these problems, and that the legal community is also aware of the issues. There have been numerous documented ‘IoT’ consumer product security failures, from BMW’s remote entry system to Foscam’s baby monitor. The FTC booklet provides solid general guidance worth repeating:

• Start with security fundamentals

• Design your product with authentication in mind

• Protect the interfaces between your product and other devices or services

• Consider how to limit permissions

• Test the security measures before launching your product

• Select the secure choice as your default setting

• Use your initial communications with customers to educate them about the safest use of your product

• Establish an effective approach for updating your security procedures

• Keep current on the changing security environment.

Privacy

As the IoT exponentially expands the number of devices gathering, storing, transmitting and analyzing information about us, there is a predictable increased interest in the privacy issues surrounding the security, use and misuse of this data. Smart meters store information on electricity usage, smart watches store and transmit personal health and fitness information, and smart retail surveillance systems incorporate facial recognition to recognize and track shoppers, all creating data streams that could be used to violate someone’s privacy if not secured. The ubiquitous data collection and the unexpected use of consumer data have drawn the attention of the FTC, with the FTC suggesting the following:

• Security by Design – Incorporate the security measures suggested in the FTC booklet ‘Careful Connections: Building Security in the Internet of Things’.


• Data Minimization – Collect only the data that is needed, and maintain strict protocols for deletion after use. In the era of big data and cheap data storage, it is likely that the opposite will occur.

• Notice and Choice for Unexpected Uses – Provide the consumer the opportunity to limit the unexpected use of their data, for example selling smart meter information to a marketing firm.

Privacy in the workplace can also present a challenge, as employees either wear smart devices by choice (Google glasses recording other employees) or are required to wear smart devices (badges with wireless sensors) for the purpose of improving efficiency and production. Human Resources and IT will need to develop new policies and procedures, in conjunction with legal, to properly address the privacy concerns.

Conclusion

The Internet of Things (IoT) is impacting every aspect of our society, bringing with it improvements in lifestyle, productivity, efficiency and situational awareness. The IoT also introduces new risks as connected systems and products are exposed to a host of cyber security threats. The safety professional, armed with a basic understanding of the IoT, is in a unique position to assist their company in understanding and evaluating the risks.

Bibliography

Federal Trade Commission (FTC), 2015. “Careful Connections: Building Security in the Internet of Things” (http://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf)
