This article is broadly based on a panel discussion on security threats in the IoT paradigm, conducted during IEW 2018.
Just as tech entrepreneurs jumped onto the app-development bandwagon a couple of years ago, Internet of Things (IoT) device development became the new startup mantra. Yet, with all the frenetic activity in this domain, has the cart overtaken the horse? Of what use are thousands of innovative devices if these are not secure? In fact, IoT adoption itself is severely hampered by people’s concerns about security.
The words that keep cropping up in every discussion on the IoT are heterogeneous and exponential. A smart city best illustrates the heterogeneity of the IoT. It requires service providers from diverse industries offering electricity supply, sanitation, waste management, healthcare, transportation and the all-pervasive Wi-Fi to interact with each other. Typically, these industries work in isolation, but now they need smart and secure interfaces to communicate with each other.
At India Electronics Week (IEW) 2018, during a panel discussion on IoT security, Binoy C.S., director of digital transformation practice (ICT) at Frost and Sullivan (F&S), gave the audience a sense of the exponential growth in IoT devices. F&S has been tracking the IoT for over eight years. Currently, the firm believes that there are 12.5 billion connected devices globally. By 2020, the figure is expected to go up to 20 billion and by 2024, to 80 billion—adding up to 10 devices per human.
At this point, it is important for us to remember that a smart city is very much a work in progress. And its eventual realisation hinges on a number of factors—the most important being security.
In 2017, Forbes reported that, in an IoT-related survey it conducted in the US, 98 per cent of respondents believed that security breaches would go up as devices proliferated. But monitoring devices and interfaces is only possible with globally-accepted standards. At the moment, those standards do not exist.
Just how daunting this task of standardisation is was pointed out by Sunil David, regional director, AT&T, in the following comparison. After the PC market matured, it was driven by about five major manufacturers.
The same is the case with telecom. A few big players like Vodafone, AT&T and Airtel operate across the globe. Therefore, arriving at standardisation involves working with fewer players. Forming consortiums for standards and security is relatively simple. But in the IoT universe, we already have over 10,000 companies jostling for space. And these are all operating in diverse industries.
Where does one begin with standards?
So who should take the lead? Is it governments or firms like Intel, ARM and AMD, whose components go into the billions of electronic products churned out every day, along with telecom giants like AT&T, Vodafone and Airtel?
This is an important consideration because there are two aspects of security, often in conflict with each other. On the one hand is personal privacy and security. These concerns were brought into focus when several private parties moved Indian courts because of their worries about how safe citizen data is with Aadhaar.
Then, there is the issue of national security. In 2017, Wikileaks leaked documents purportedly demonstrating how the CIA (US’ Central Intelligence Agency) hacks smartphones, computer operating systems, messaging apps and Internet-linked televisions to spy on people—its own citizens as well as those from other countries. So how do governments that spy on each other collaborate on standards for the IoT ecosystem?
At the IEW panel discussion on IoT security, David lauded the Indian government’s efforts in trying to bring about standardisation within the IoT space. In 2017, the Telecom Regulatory Authority of India (TRAI) presented the Department of Telecommunications (DOT) with its recommendations on Security by Design principles to be followed by IoT device makers.
Another panellist at the IEW talk, Tulika Pandey, director, Computer Emergency Response Team-India (CERT-In), MeitY, spoke of another government initiative—the opening of four centres of excellence for the IoT. The first one came up in Bengaluru and has spawned over 22 IoT startups, four of which are fully operational.
Talking about the importance of standards to support security, she also highlighted CERT-In’s Reference Architecture for Smart Cities that IoT firms and independent designers should follow. She went on to invite stakeholders to interact with the government on the upcoming Data Protection Act.
Are standards being developed in silos?
The world is now a village, particularly when it comes to tech. The latest smartphone launched in, say, South Korea, is available in the remote corners of India, and operates seamlessly on Indian telecom networks. So IoT security standards being developed need to be global to ensure security at every level. Yet, it seems that there is no single concerted global effort—something that ought to be driven by the UN, IEEE or the EU, or a combination of the three.
There is the IoT Security Foundation, a UK-driven body with representatives from British Telecom, Vodafone, Cisco and others. This body has worked closely with the UK government on developing standards and best practices focussing on security. But it is still evolving and, at the moment, inviting participation from senior management in big telecom and component manufacturing firms, particularly from the US and Far East, which are under-represented in this forum.
Meanwhile, the National Institute of Standards and Technology (US Department of Commerce) is working separately on IoT standards, with members from the US telecom and manufacturing sector. With all these disparate, disconnected efforts, are we heading from a proliferation of devices to a proliferation of standards?
In his talk, Binoy mentioned that, according to F&S’ analysis, for IoT revenues of, say, US$ 200 billion, the actual value that the IoT would deliver could be pegged at US$ 7.2 trillion. This would accrue from higher efficiencies, improved productivity, quicker time-to-market, improved logistics and so on. But this computation is again based on assuming a level of seamlessness and assured security levels.
The flip side to this calculation is trillions of dollars in losses, if IoT devices result in data breaches, car accidents (vehicles will soon have over 200 sensors), flight delays, mistimed deliveries and the like.
Starry-eyed projections on how big the IoT market can grow also depend on factors that have not been resolved yet. Globetrotters know that airport shops sell chargers and converters—a necessary evil because devices manufactured for India, most parts of Asia and all of Europe cannot be plugged into US sockets, and US devices can only work in other parts of the world with the help of converters.
So economies of scale, possible when manufacturing for a truly global market, are negated by the need for the same device to be manufactured differently, to meet different countries’ electricity specs.
Sivakumar Natarajan, global practice head – digital, manufacturing and technology business unit, Wipro, highlighted the fact that companies have moved beyond delivering products or devices. Rather, they now offer platforms. Taxi aggregators like Ola and Uber do not own cabs but make money on their platforms. Swiggy does not own restaurants but monetises others’ assets via a smart service offered over a platform. Airbnb owns no hotel rooms but offers accommodation across the world from its site.
Hence, with the arrival of platforms, seamless and secure integration of devices, interfaces and networks is even more important. Natarajan referred to this as the ecosystem economy. In such an economy, interoperability depends entirely on widely-accepted standards. And the more globally accepted the standards are, the closer the ecosystem economy will get to realising the true value of the IoT, which F&S has pegged at US$ 7.2 trillion (on revenues of US$ 200 billion).
Reasons for optimism
A healthy note of optimism was struck by Deepu Chandran, technology manager, LDRA Tech, another IEW speaker. He reminded the audience about how the aerospace industry evolved. In this high-stakes, mission-critical domain, standards evolved in the early 1990s. These standards, which mandatorily get implemented at the planning and requirement stages, have led to security becoming intrinsic to design and manufacturing in aerospace. This is in contrast to the extrinsic security widely practised in the IoT space—security being addressed at the final stage of the product development cycle, rather than earlier.
Standards also enabled a brand like Airbus to evolve, in competition with Boeing. Airbus began as a consortium of European firms in the 1970s, before evolving into its present form, wholly owned by the European Aeronautic Defence and Space organisation. Currently, it manufactures across locations in Europe, China and the US.
Chandran also highlighted how standardisation has worked across the auto industry and, hence, can act as a blueprint for IoT evangelists.