IoT, FM and security
With the IoT set to reshape business, there are significant benefits and challenges for the FM sector, writes Richard Newell.
The Internet of Things (IoT) is basically a network of wireless connected devices, communicating via a central management hub. Researchers believe that the total number of such devices will reach 40 to 50 billion by 2020. That’s a huge leap ahead from the perhaps 10 billion we have today.
The dramatic rise of IoT devices over the last few years can be directly related to a set of enabling technologies that have allowed the concept to become reality. Business adviser EY, in a cybersecurity report, singles out these factors:
- the size and cost of wireless radios has dropped tremendously
- IPv6 (Internet Protocol version 6) makes it possible to assign a communications address to billions of devices
- electronics companies are building Wi-Fi and cellular wireless connectivity into a wide range of devices (e.g. billions of wireless chips)
- mobile data coverage has improved significantly with many networks offering broadband speeds, and
- battery technology has improved significantly, and solar recharging has been built into numerous devices.
The relevance and power of IoT technology to the FM sector is becoming clear. Being able to manage every aspect of a building by using smart devices has obvious advantages. Smart buildings research company Memoori, in its report ‘The Internet of Things in Smart Buildings 2014 to 2020’, describes a variety of areas where smart devices can add value in the built environment, including HVAC (heating, ventilation and air-conditioning), security, energy utilisation, occupancy, asset performance and fault management.
A sensor placed next to an asset can continuously collect performance data and monitor asset condition, sending out an
alert to the IWMS (integrated workplace management system) when any changes are identified. If the change requires immediate action, an engineer can automatically be alerted to attend to the asset. But in any case the IWMS system will retain the information in its history files, providing a basis for ongoing assessment of performance as well as input to predictive maintenance regimes.
This, combined with data gathered from other sensors, on doors, lighting and desks, for example, provides opportunities for new, more efficient customer service, greater cost savings and a more people-focused workplace – especially where the IoT links into the facility’s powerful IWMS database.
But whatever the application, these devices are increasingly dependent on cloud technology to communicate with each other, as well as the variety of applications that support them. This is predominately done without the need for any human involvement – and, as such, there can be an inherent security risk.
THE BIG ISSUE OF IOT SECURITY
A McKinsey report in 2015 on the total impact IoT will have on the world economy by 2025 highlighted a variety of key industries where smart connected devices would add huge value. These range from human health and fitness (via wearables and ingestibles, for example) through to autonomous vehicles, and from smart manufacturing to improve operational efficiencies on to the management of our cities’ infrastructure. A potential economic impact of $3.9 trillion to $11.1 trillion per year in 2025 easily masks the ongoing outstanding risk and security questions that still need to be addressed.
It is hard to miss the press coverage around the lack of security – from headlines such as ‘Hackers can hijack Wi-Fi Hello Barbie to spy on your children’ to ‘Hotel pays bitcoin ransom after guests are locked out of rooms by ransomware infection’.
At the 2016 Structure Security conference in San Francisco, Scott Montgomery from Intel Security presented a talk aptly titled ‘Preparing for the Security Tsunami of the Internet of Things’. He described an “enormous tug of war between convenience and privacy” in IoT with device manufacturers clearly not doing enough to pull on the privacy end of the rope.
Cars being hacked and taken over is a far less likely scenario than the potential proliferation of the already common ransomware attacks.
In 2015 technology consultancy Beecham Research published an IoT Threat Map to highlight the key areas where problems are likely to originate. This points to a number of specific internal and external threats inherent in the IoT ecosystem.
When it comes to sensors and devices, the challenge is largely around identification, authentication and authorisation to ensure a level of trust and avoid risks such as application hijacking. There is also the threat of physical intrusion. “Using Differential Power Analysis (DPA), it is well-known that by ‘listening to’ very small changes in power consumption when different calculations are performed in a chip, it is possible to work out an encryption key,” explains Professor John Howes, technology director at Beecham.
The risk is widely recognised, of course. Earlier this year, big technology companies including AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic announced the formation of an IoT Cybersecurity Alliance. The group plans to research and raise awareness of ways to better secure the IoT ecosystem. At this stage, however, they are not looking to try and impose standards.
But standards may be coming. In January, the OTA (Online Trust Alliance) released an update to its IoT Trust Framework. The IoT Trust Framework includes 37 principles, segmented into four key categories: security; user access and credentials;
privacy, disclosures and transparency; and notifications and related best practices. The OTA, supported by over 100 organisations, see this framework as the foundation for future IoT certification programs.
While it is clear that IoT security is still immature, AT&T says that in the past three years there has been a 3198 percent increase in attackers scanning for vulnerabilities in IoT devices. However, there are best practices that can be applied today to help protect systems. These include:
- device authentication – both the device software and hardware should be authenticated when accessing a network app access controls – restrict which applications access a device and monitor data transmitted via standard mechanisms such as firewalls and IPS (internet provided security)
- life cycle management – devices should ship with current software versions and be able to receive timely updates to both software and firmware via automated safe and secure methods
- user access controls and credentials – apply access controls and password policies to limit user access; include strong authentication with unique generated passwords or use secure certificate credentials, and
- data – all personal identifiable data in transit and in storage should be encrypted using up-to-date security and cryptography protocols and standards.
The reality today is that the majority of connected devices are still unsecured – and that number is growing daily. So, for FM, the prospect of introducing IoT systems to enhance data collection and service delivery holds great appeal, but the advice for the moment should be: proceed but with safety and security in mind.
Richard Newell is CIO at IWMS provider, Service Works Global.
This article also appears in the October/November issue of Facility Management magazine.
Lead image: prykhodov © 123RF.com