The Internet of [Security] Things
How do you eat an elephant? It is an old joke, but when it comes to the Internet of Things — or the IoT — and its potential impact on security, it’s an apt analogy. The IoT is a concept so large and amorphous that even experts have trouble defining it, much less saying when it will arrive in the security space. Opinions range from the IoT being mostly hype right now to its already being here, as it has been for years under the integration umbrella. But there is one thing virtually everyone agrees on: No one can afford to ignore this growing trend in the consumer space.
Frost and Sullivan’s research on smart buildings predicts the sensor market alone will reach nearly $4 billion by 2018, eclipsing both software and controllers combined. (See chart, pg. 56) And a recent study by Juniper Research, “The Internet of Things: Consumer, Industrial & Public Services 2015-2020,” predicted connected devices will reach $38.5 billion in 2020, up from 13.4 billion in 2015: an increase of more than 285 percent!
Much of this growth is happening on the consumer side of the market, with everything from connected refrigerators to Internet-connected cooking sensors to connected home (including DIY) products that include both security and other lifestyle products like lighting controls. But on the commercial security side of the fence there is plenty to talk about regarding the IoT. As security systems age and new IP and mobile technologies continue to advance, along with the increasing use of cloud storage, the IoT will increasingly include the Io “S” T (Internet of Security Things) as well.
“What we have right now are new and old devices that once did not communicate that can now be accessed online and provide data,” says Jeremy Brecher, vice president of technology for electronic security, Diebold Security, Canton, Ohio, featured on this month’s cover. “There is more technology at the edge coming online. Anything from a car to a Fitbit, to smartphones and smart refrigerators are all part of the IoT. But the bigger piece for security is there are more and more devices coming online to provide information. We also have a combination of elements like cloud technology and APIs that allow us to take these devices and make them into something that can look at that data.”
In addition, data is cheaper than ever, cellular networks are more pervasive and the cost of the sensors themselves is coming down all the time, he adds.
“We are seeing an explosive implementation of devices that are Internet connected,” says consultant Shayne Bates, CPP, principal consultant, Stratum Knowledge LLC, Austin, Texas. “I have seen numbers between 25 and 50 billion devices by 2020. Fifty billion in the next five years is an enormous number.”
Rob Martens, futurist and director of connectivity platforms, Allegion, Carmel, Ind., says a combination of factors is contributing to the IoT push. “It is all speculation, but whether it is 30 or 100 billion, that is an unbelievable amount of data. In addition, since 2010 sensor costs have come down by 50 percent; the bandwidth or pipe needed to transmit that data is down by 40 percent; and processing is down 60 percent. What does that all mean? The cost of obtaining and transforming all this data into a useable, clean format is now a reality. Just two years ago this looked like chaos.”
All of these connected “things” will definitely be a market disrupter, no matter what market you are in. But for the security market in particular, there is an onus to “get it right,” particularly regarding the cyber security implications of all of these devices talking to each other.
“In the rush to bring cyber widgets to the [consumer] market, it would seem that the lessons from the early boom in the Internet would have already been learned, but the market demands innovation and there are people today who want to wade into the waters even though there may be some sharks,” says consultant Howard Belfor, president, Belfor and Associates LLC, Black Mountain, N.C. “Wait a minute. Your washing machine can now send emails but Gawker is driving Jeeps off the road? I love the IoT and am smitten by the changes; but I am also aware of the possibility that things can go sideways.”
The IoT is a new frontier, says Ron Lander, owner, Ultrasafe Security Specialists, a consulting and integration firm based in Riverside, Calif. “IoT is so new, even on the residential side. There are going to be bugs. ‘Wild West’ is how I would describe the IoT right now.”
What is happening in the commercial security space around IoT today is a lot of talk, planning and development of products and solutions, so now is the time to start learning about what it may mean for the security industry as a whole and the integrator’s business in particular, experts say.
“Anybody who doesn’t think this is coming is fooling themselves,” Martens says. “This is coming. It will absolutely be an expectation of the millennial generation; and it is important to start working on it now because we want the people who understand physical security to be the ones figuring out how to apply this technology to our industry. We need people with the real knowledge.”
IoT and the Security Industry
What is the potential impact of the IoT on the security industry overall and the integrator in particular? Is IoT a new and scary concept to get your mind around, or simply a name for the next step in the direction the industry was already going?
“Something we have been talking about is the idea that the security industry may actually be one of the first pioneers of the Internet of Things,” says Joe Gittens, director of standards for the Security Industry Association (SIA), Silver Spring, Md. “There are integrators doing this already, taking various devices and connecting them to a system, whether they are connected to the Internet or not. I think the increased urgency in the discussion is the fact that now they are being connected to outside networks for increased value and functionality. That is where it becomes dangerous and integrators need to understand how they can leverage that and still have a secure system.”
Shawn Welsh, vice president of marketing and business development, Telguard, Atlanta, sees IoT as a very natural extension of what many in the security industry are already doing. “I think IoT has been there all along. An individual lock may not have been separately monitored before, but people like us have been around for more than 25 years providing wireless technology. Sensors talking to networks triggering alerts is not new. Calling that chain of events IoT is just a recent term for doing that.
“Why this concept is getting more attention now is because costs have come down to embed sensors and communications technology into smaller and smaller things, so the cost curve has made it more ubiquitous. But it has always been there.”
Within the security space itself, many point to video as an example of an industry that is already doing IoT-type solutions, particularly with the emergence of analytics technology.
“I think we were an IoT company long before that terminology existed,” says James Marcella, director of technical services, Axis Communications Inc., Chelmsford, Mass. “For the physical security industry, the IoT to me is all about edge devices or sensors that provide specific information based on what those sensor types are. That information can then hopefully be used by security professionals to get a better situational awareness of what is happening.
“A lot of the technologies we are using today are repurposed from IT and consumer electronics. Trends in those spaces typically make their way into our industry in a short period of time. We did the same thing with cloud. I do think there is real value in what IoT stands for, but that value has always been there around edge devices and the proliferation of IP. We are just attaching a name to it now.”
Brecher agrees. “Some of the foundational concepts are already living in the security space. One of the pillars of the IoT is that you have all these devices sending information back and you are doing something with it. That is security. That hierarchy and concept have been ingrained in this space forever, so it is not a far stretch.”
One big difference between IoT security and what integrators are already doing, Brecher says, will be in the architecture. “Today we are all about connecting devices to a single point. You have motion detectors, access control devices, etc. all connected to a control panel. Nowhere around our space is there a peer-to-peer architecture. For the IoT to really work for the masses like everyone is talking about we will have to have a more distributed data model and way to talk.”
In fact, manufacturers of panels tend to agree that the IoT movement will come from the edge devices and peripherals like locks and switches. The IoT is essentially a very large concept made up of billions of very small things.
“At the end of the day what the IoT means for our industry is how it will impact all the little devices,” says Christopher Sincock, vice president, security business, DAQ Electronics, Piscataway, N.J. “If my magnetic door contacts and PIRs are all IP-enabled and can communicate directly to my software, that is great. It may eliminate some hardware requirements along the way and maybe you don’t even need the panel at some point.”
Security manufacturers of these peripheral products are indeed working on IoT products. In the access control arena, one of the main new developments that will directly tie in to the IoT in security is the IP lock that can be opened remotely or even at the door using a mobile phone. However, increasing intelligence is only half the equation. ASSA ABLOY, New Haven, Conn., has an IoT product called Hi-O (Highly Intelligent Opening), says Martin Huddart, president, Access and Egress Hardware Group, ASSA ABLOY.
“These are real products that we’ve engineered that are designed to look similar to their dumb cousins,” Huddart says. “But these guys went to university and they’re smart. These devices all have some level of awareness around their states and level of efficacy. For example, the mortise lock has temperature sensors to detect if it is overheating, which is a sign the lock is about to fail. It can send warnings out just like a car might do with an overheating engine.”
Allegion, too, is introducing IoT products in the form of their NDE locks that are Bluetooth-enabled. “We are one of the primary touchpoints for the IoT in security,” Martens agrees. “That process kicks off when you touch that door and we become a gateway for different stuff. But when you can put a little formula together and take that security and energy piece and inject a little convenience in, all of a sudden you are delivering a much better experience that can be tailored and holistic. We are very excited about it.”
Io ‘S’ T Opportunities
Because of the panel architecture approach to much of the security world, some think the first true commercial security IoT applications will actually be in those environments where the traditional systems haven’t been the best fit. Much like cloud, which lends itself well to the small and medium sized businesses that want a hosted or managed solution, IoT will be a logical fit for these markets.
“We see in the long run that everything will be connected to the network, but we also believe that maybe you will see more movement in the IoT for sites without traditional access control,” says Phil Montgomery, chief product officer, Identiv Inc., Fremont, Calif. “This is a trend there will be no stopping and the opportunity for the integrator is not just to replace what they are doing today but to offer something new to people they couldn’t sell to before because it was too expensive or not the right technology. For example, you don’t see electronic access in a national chain of coffee shops today because it is too expensive. But when you can do it over the network, using the cloud, include cameras and replace time and attendance as well, then allow employees to use an app on their phones, now you have value. You can let in the delivery guy at midnight using your phone remotely.”
Steve Turney, security program manager for Schneider Electric, Dallas (Pelco’s parent company), sees the same thing happening on the video side. “I don’t see the IoT applying to large enterprise corporate customers with tens of thousands of camera devices in the near future. The sheer bandwidth to store that video would be too expensive. But this will open up new markets for dealers, manufacturers and integrators. Those end users that have had to have independent systems because they couldn’t afford the massive front end equipment to bring them together will benefit.”
There are also those that feel the IoT will come to the security industry from the top down. Enterprise customers are already doing similar things using complicated integrations; they have the money and the business case to make it happen.
“They might have compliance or operational issues,” Brecher says. “They are trying to give their people in the field more access to information. But the other thing is, if you have more data to pull together, no loss prevention team is going to triple their size to handle that data. And they can’t leave all the decision making to the head end.”
Diebold is one integrator working on these types of solutions as well as ones that marry legacy systems with the new technology to bring them slowly into the IoT sphere.
“Three or four years ago when we were looking at the Machine-to-Machine (M2M) space we realized there will be new devices out there that will become part of the ecosystem, but at the same time there are a lot of legacy systems out there,” Brecher says. “No one is going to rip out their entire investment. We created a platform called SecureStat, based on IoT technology and APIs that will connect to legacy hardware. We can now combine old and new technology into a single platform for our customers. We went out and built this on our own. We are not a manufacturer. We are an added value integrator and we saw that as our role in this.”
SecureStat has been deployed since 2013 and Brecher sees it growing exponentially as more and more IoT sensors are brought on board in the security sphere.
“We have customers we have used SecureStat to integrate systems that are 10 years old and one week old to combine workflow functions,” he says. “We thought of a way to take old technology and IoT technology and normalize them so they can work together. We will really bear fruit as this starts to take hold with early adopters.”
Martens describes the IoT as a large symphony of players. The integrator has the opportunity to be the conductor.
“There are all these smart products that have sensors and they all play a note,” he says. “Everybody likes to play their note. We really like to play our note, too, but you need a conductor to put all those notes in the right order and make them perform something meaningful as well as personalized and beneficial for the people in a facility.”
While this analogy works on all levels of IoT, there are certain elements unique to security that need to be considered. “In my business the key term is intent,” Martens adds. “We need to understand that the person that has the permission for that door really wants that action to take place. What we need to understand is that the Star Trek piece where the door just opens as you walk up to it is a nightmare in the minds of security professionals.
“Integrators and consultants are in the eye of the hurricane right now,” he adds. “We are looking at real convergence on the commercial side of the security business, but it is only going to move as fast as architects and consultants demand it and as integrators can provide it.”
Io ‘S’ T Challenges
When will the Internet of Things truly become the Internet of Security Things for our industry, and how can the integrator prepare today for what is coming tomorrow (or in five years or even 10)?
If you are a dealer on the residential security side, the IoT is here now and growing fast with connected home products that are proliferating from both security manufacturers as well as the communications and Internet companies.
But if that experience is any indication there are definitely bumps to be expected for the integrator. On the residential side the DIY market is proving both a challenge and an opportunity as dealers strive to find ways to capitalize on a side of the industry that would seek to leave them out. Commercial integrators don’t face that problem, but they will have another one to contend with: the sheer numbers of sensors and products becoming available from outside the security industry will have to be integrated into what has historically been a closed environment and in a safe and secure way.
While the applications may be similar, they are on a different scale, Belfor says. “It is a personal castle versus an industrial castle. If you put a smart lock on the front door, that is not much different than cloud-based access for business in terms of functionality.”
But one area that has the potential to slow the adoption of IoT is the ongoing problem of cybercrimes and hacking. “I think we will see more and more of this in the news,” Belfor adds. “The weight of it all is now beginning to sink in and I think there may be a backlash in the consumer world and it will also happen in the commercial space if there is a lack of confidence in these products. That will slow down the acquisition of goods and services. When integrators go to sell IoT products, they will have to be able to demonstrate that this is not a risky device and it can be fixed or patched if there is an issue.” (See 10 Tips for Cyber Security, pg. 70)
Brecher points to three main issues that have the potential to impact IoT adoption: cyber security and making sure that is done right; interoperability or standards (see sidebar, pg. 64); and the fact that there is still not a clear way of being able to manage the massive volumes of data in real time, without a failure rate.
“The problem is in knowing what to do with that data,” Huddart says. “In the Internet of Things, the doors can already be smart. But who is listening? It is a chicken and egg problem. We have devices now that can say stuff, but we haven’t been able to find anybody willing to listen to that data and create something useful in North America.” But he acknowledges that even in Europe where the Hi-O product is currently available, it is in the “concept car” stage.
“With the IoT you have to keep in mind one important thing that is absolutely key,” agrees Konkana Khaund, principal consultant, energy and environment, Frost and Sullivan, Mountain View, Calif. “The IoT comes together with the connection of sensors and machines, but all that information that is gathered isn’t worth anything unless there is an infrastructure in place to analyze it. All this vast data needs processing and analytics. How they are doing it is still questionable to the users.”
Frank Gasztonyi, CTO, Mercury Security, Long Beach, Calif., says the infrastructure simply isn’t quite there yet. “The difficulty we will run into as IoT devices proliferate is the limitation of network bandwidth. When networks were designed they were intended to connect computers. Then we started to add other things and now we are at the peripheral and lower end devices. All of that will heavily tax the network and the infrastructure will have to adjust. That is one aspect of the IoT that is often overlooked. There is this expectation that the network is 100 percent reliable, available and free. Professional IT managers cringe when they hear that.”
However, Brecher points out that these issues are likely to be resolved quickly when they need to be. “People are consuming data at faster and faster rates. Our whole economy is being driven on a connected future. Anything like a problem with the Internet or bandwidth is going to be short-lived.”
Adding intelligence to sensors also increases the cost, Sincock says. “The challenge with sensors right now is that if they are going to be quasi-intelligent, that device has to have power, either battery or externally or through PoE. Now you are adding more cost.”
Huddart says the cost of sensors depends on their purpose. “In an old switch you have two metal leaves that come together. Our device has microprocessors and sensors that might cost three to five times what their dumb cousin costs, whereas the operator, which already has power may only be five percent more expensive.” Overall, the Hi-O solution is currently about 20 percent more per door than a non-intelligent opening, he says.
Preparing for the IoT
For integrators, the key takeaway from all of the talk around the Internet of Things is that it is coming and that if you aren’t prepared, you may get left out.
“It’s clear this momentum is not going away,” Bates says. “It is not a question of whether to embrace it. You need to understand how to play in this market. Right now there is nobody blazing that trail. There are a lot of people running the race, but no one has crossed the finish line. And the tape keeps moving as well.”
Identiv’s Montgomery compares the process to that of the phone industry 30 years ago. “That went to VoIP, network and ultimately it became part of IT. Security integrators working on traditional panels and readers need to start learning about the technologies that underlie the IoT if they haven’t already, especially networks.”
Those who can latch on to this concept have the potential to grow their business in new and exciting directions.
“It is very important for dealers and integrators to understand that the IoT is here, it is going to continue to come and they need to have a good, strategic plan to grow,” says Brad Paine, general manager of Lyric Connected Home platform, Honeywell Connected Home, Honeywell Security, Melville, N.Y.
“There is a business book that talks about blue oceans and red oceans,” Montgomery says. “A red ocean is very competitive, especially on price. Blue oceans are about creating new markets, untapped potential and creating business where there was none before. I think smart people will realize IoT is not about fighting each other over a small percentage of buildings we know will have access control; it is about figuring out how to appeal to the other 98 percent.”
Schneider’s Turney believes the IoT will have more impact on the security industry than even the transition from analog to IP technology. “That was about video. The IoT will impact and touch every aspect of the security industry. From an overall market perspective we see it as an enabler to bring in more business than most integrators have gotten today. It will grow their business, and ours. Don’t go into this kicking and screaming like a bunch of kids. Get training. Educate yourself and your teams on the jargon, nomenclature, terminology and the implications, even if it means hiring the right talent instead of doing it organically. If we don’t, as an industry we will have a black eye and we will watch that business go somewhere else.”
Because this concept is still not cemented in most users’ minds, many integrators may find that they are talking about solutions with their customers that are IoT, but not using that term.
“None of our commercial customers are asking about IoT,” Lander says. “We have to bring it to them by talking about capabilities.” In many cases he is preparing them, whether they know it or not, so they will be ready to expand when they want to.
Brecher agrees. “Very rarely does someone mention it to us directly. More than anything it is about us bringing them solutions coming out of that space rather than them asking for it by name. But they are asking about new, cheaper solutions from the residential space, about mobile phones. Or they say ‘I saw this on Amazon and it does that. Why can’t I do that?’
“People who are creating the solutions know it is IoT, but when it comes down to it, the conversation is about what it provides. The cloud has caught on, for example, but people even today aren’t really talking about cloud. They don’t necessarily realize they are using the cloud when they do their online banking.”
Even manufacturers are just beginning to sell solutions labeled IoT. For example, Axis has one product — a new sounder — that they are promoting as an IoT product and Honeywell has many products on both the residential and commercial side that most would call “IoT.” But they aren’t labeling them that way. Yet.
“We are still waiting on the market,” says Marcus Logan, senior manager, product marketing for Honeywell Security. “We have products that fit that need in a proprietary way, but we are not out there waving a flag that says ‘This is an IoT solution.’ We are saying that we have solutions that work together.”
Welsh advises not getting too hung up on letters. “The world hasn’t really gotten that much different. Don’t get lost in the letters ‘I’ ‘O’ ‘T.’ Know that you have a problem and if the solution involves networks, sensors and delivering data, when you deploy that solution, then you have deployed IoT. But the right solution may or may not involve IoT.”
And that is OK, Gittens says. “It would be foolhardy to go through an all or nothing approach,” he says. “Internet of Thing-izing one portion of the business may be the logical way to go. If that works, then you can use the data you are getting from those types of implementations to see where else you can leverage it.”
Martens adds, “Integrators have to decide, ‘what am I going to be an expert in? Everything? HVAC as well as security?’ They are going to find there is a great opportunity to carve out what their niche is, not unlike what they have already done today. Integrators will have to decide where they want to invest their time and money for education and the onus is on manufacturers like us who are those ‘first seat musicians’ in the IoT orchestra, to provide really good programs and a changed management path to people who historically might not be comfortable with connected devices.”
Or, to finally answer our first question, you eat an elephant one bite at a time. When it comes to the IoT, you don’t have to eat it all at once. Small bites are just as effective as large ones.
SIDEBAR: What Exactly Is the IoT?
Ask 50 people to describe the Internet of Things and you will get 50 different answers. If you are in the consumer world, it involves mobile devices and convenience. The residential security market centers the description on the connected home. Others say it is a “catch-all” term that can mean many things. In fact, Internet of Things is not the only term being floated out there right now. Some call it Machine-to-Machine (M2M) and others the Internet of Everything.
“I don’t like the term IoT,” says Phil Montgomery of Identiv. “The Cisco term is the Internet of Everything and it really is bringing the value of connected anything and having this connectivity to all devices. It means being able to scan a bottle of wine to check if it is genuine or fake — an Internet-enabled wine bottle that provides extra value.”
Diebold’s Jeremy Brecher defines the industrial IoT as a space that takes operational technology (OT) and tries to merge it with IT.
“I have been working in the IoT space for four years now,” Brecher says. “I have been tracking that space. Just like cloud, the Internet of Things is a catch-all term for everything. Five years ago we talked cloud and 10 years ago it was convergence. Both of these terms at the time meant 10 million things to 10 million people. IoT kind of falls into that realm right now. But there are clear examples everywhere you look of devices talking that wouldn’t have talked before. Coffee makers are shipping connected. But all of that is useless unless you can do something with it, and that requires a network connection to make it all work and meaningful. People are confused about what it all means. Personally I think IoT is impossible without cloud and APIs and Web services. There are strong dependencies.”
Joe Gittens of SIA explains the role of the cloud in IoT: “All these buzzwords like IoT, Big Data, cloud and mobile can all be connected and work on top of each other. Because we have all these separately connected devices that are sensing things and creating data, we have all this data that needs to be analyzed in order to help with situational awareness. More and more, the easiest way to store that is on a public or private cloud.”
Tom Kerber, director of research, Parks Associates, Dallas, says his firm has been tracking trends in several markets, including the residential security market. “The term Internet of Things has several interpretations, but for the purpose of [our reports], things are devices that are connected to the Internet and have an accompanying virtual object in the cloud. Synchronized with the real-world object, the virtual object represents the current state of the end device — whether it is on, the current settings, which mode of operation it is in, battery charge level, etc. The virtual object also retains historical information on the device’s operation. Devices may be static objects that simply report their properties, sensors that measure physical conditions or status, actuators that perform operations, or any combination of these. Consumers are able to manipulate this virtual object through an interface such as a smartphone, tablet, or computer that remotely operates the connected device. In addition, the data from smart devices can be integrated with external data to create value-added services.”
For a real world example, consultant Shayne Bates points to a project he did in his own life. He and his wife decided to go mobile — in every sense of the word. They purchased a top-of-the line RV and fitted it with sensors, security systems and gadgets worthy of the IoT label by any definition. “When I decided to get this high-end RV I wanted to do a good job on the integration and automation using smart IoT devices,” he says. He has a self-monitored alarm and home automation system along with an Internet portal that reports the status of all the devices.
He even has an Internet-enabled cooking sensor that allows him to try his hand at sous vide cooking, a method that requires immersing a piece of meat into 131-degree water for 72 hours. The key is precise temperature control. “I have this amazing little device that has a heating element, thermostat, Bluetooth interface and a smartphone app for cooking,” he says.
Allegion’s Rob Martens says people tend to overthink when it comes to defining the IoT. “The IoT is just a moniker that refers to a grouping of many devices that combine to provide us a better experience. That experience could be in the commercial, residential, car or city environment.” In fact, he says there are five main markets right now that are currently using the IoT and three required elements that make it IoT: It’s embedded; it’s anticipatory; and it’s personalized.
“Where people get wrapped around the axle is they want to compartmentalize it,” Martens says. “There are five categories that comprise the IoT today: The connected home, smart car, wearables, M2M (industrial) and smart cities. You can break it into those five categories today, but by its very nature it defies a bit of convention.”
And with the explosion of sensors predicted, it’s not likely to stay confined in these five realms for long.
One of the biggest benefits of IoT solutions is something that has been a traditional challenge for the security market: open architecture. While there are several standards bodies attempting to come up with consistency in the security industry, from PSIA’s PLAI to OSDP and ONVIF, it may be that none of these are what will be needed to make IoT solutions work.
“The [security] standards bodies tend to be more about interoperability at the syntax level,” says James Marcella of Axis Communications. “The Internet of Things is going to throw a lot of different sensor types out there that some integrators may want to put into their systems and I don’t see ONVIF or PSIA chomping at the bit to go after lighting controls or HVAC or other building automation type things.”
Other organizations, like the Consumer Electronics Association (CEA), are working on the language, processes and best practices needed specifically for the IoT.
“Our focus is residential and light commercial,” says Ian Hendler, director of business development, Leviton, Melville, N.Y., an active member of the working group tasked with this. “There is a lot of overlap between consumer, light commercial and enterprise markets. It may be the same device, but different purposes. We can learn from each other in many cases.”
When it comes to the security industry, standards have proved a challenge, but it is one they are going to have to meet if IoT is going to take hold. “The theory of ‘open’ and security are somewhat contradictory,” says Steven Turney of Schneider Electric. “Other than video with ONVIF, our industry has been reluctant to adopt any type of standardization for a protocol. But the concept of allowing sensors and devices to talk to each other implies some sort of open architecture that everybody adheres to.”
If the security industry doesn’t develop its own standards, it may find itself eclipsed, says Marcus Logan of Honeywell Security. “Right now what standards are out there are relatively weak. To get the full functionality and capability of a device you need to go beyond the standard and get into uncharted waters. Or you have to get back to proprietary protocol to get all the functionality. We are going to continue to have these few standards bodies try to set these standards, but ultimately it will follow the money. If someone comes out with something and it is successful, it will become a de facto standard. Google is trying to create a broader infrastructure, which is a bit of a play into the Internet of Things. It may turn some of our models on their ear in the security space.”
The security industry needs to look to their own “house” first, adds SIA Director of Standards Joe Gittens. “We have to clean up our own house before we get involved with the IoT. Most of the efforts now are happening with IP communications in mind. Then we can start more easily conforming to the IT standards in the lead that are governing the IoT. Most people are in favor of that because it makes the next step of engaging with IT and building standards that much easier.
“But there are areas where security is security and will always be security. Whether or not we use standards created in the security industry, we need to get out and speak to the leading IT standards that govern the way our technology is being used. There are nuances in security that elevate it, and it can’t be lumped in with things that are fun and cool for the consumer space. We need to make sure those types are clearly defined in anything we do, whether we are making the standards or informing those that are.”
At SIA, they have created a new subcommittee on cloud, mobility and the Internet of Things, which is currently being chaired by Diebold’s Jeremy Brecher.
“SIA Standards created the subcommittee out of a working group we established to discuss cloud and mobility,” Gittens says. “As those two technologies grew we realized that the Internet of Things is another term or buzzword in the business structure that fits nicely within this subcommittee.”
The subcommittee is currently working on two projects. First is a checklist of strong procedures for security devices that are meant to link to the IoT and the second is a collection of use cases or case studies. SIA hopes to have both complete by ASIS.
“We don’t believe we are in a position to generate these standards,” Brecher adds. “Clearly, the IoT is still a maturing space. There are all kinds of standards being created right now. If you think about it, today we [in security] do have standards, but as a whole we lag behind the rest of the technology world. These movements will drive new standards that we will need to look at. I think we in our space could tremendously benefit from standards and IoT because a lot of our standards are device driven. There is a huge effort from the Googles and Ciscos on how to create device standards.”
Brecher sees standards as a potential stumbling block for the security industry. “Today I believe in the security and IoT space our biggest challenges are getting people to see the value of standards and embrace them. It is a huge roadblock for growth not having standards and interoperability already. In our space we have standards, but even the most advanced only work to the bare minimum. They are very much ‘I have to play nice,’ versus ‘I believe in it.’”
SIDEBAR: Get Educated at ASIS
If you want to learn more about the impact of the IoT on commercial security, you might want to attend one or both of these educational sessions, being offered at ASIS this month in Anaheim, Calif.
1. What: The Researcher’s Guide to the IoT Galaxy
When: Wednesday, September 30, 2015 1:45 p.m.-2:45 p.m.
Why: Understand the threats posed by IoT devices in the corporate network; describe the behavior of IoT devices; effectively identify and analyze IoT communications within the network.
2. What: Internet of Things Security Assessment — Frameworks, Skills and Controversy
When: Wednesday, September 30, 2015 11:00 a.m.-12:00 p.m.
Why: Apply the top IoT security assessment frameworks to their organizations; understand which areas of IoT assessment are most in flux; prepare to retrain existing application security and network security resources to be more efficient.
3. What: Hacking the Internet of Things: Now Everything is Hackable
When: Wednesday, September 30, 2015 3:30 p.m.-4:30 p.m.
Why: Understand how malicious attacks may affect you personally and how to mitigate the associated risk; better communicate how hacking may affect your employers in the future and how to prepare.
10 Tips for Cyber Security
Even though many inside and outside of the security industry are still working on standards, checklists, procedures and best practices around IoT security and nothing is set in stone yet, there is still a lot of common sense advice you can follow. Here are some tips from industry experts.
- Don’t allow default passwords. The Internet or network border is generally pretty robust, but in the case of these hacks like Sony or Target, they all started by somebody clicking on something they shouldn’t have and getting the user name and password. They didn’t go over the moat, they basically walked in. If someone can walk into an IoT ecosystem, you are done. — Jeremy Brecher, Diebold.
- Choose your friends carefully. What your mom and dad always told you was that you are who you associate with. We are all part of the chain in IoT. If something gets hacked you will be involved. You have to evaluate each provider on the level of data security they are providing. Just because someone wants to connect doesn’t mean it is a mature and safe product. Being first isn’t everything or even always a good thing. — Rob Martens, Allegion.
- Be careful of incorporating legacy systems and products. The IoT is just a conduit powering things on the ground that have already been in existence for some time. Because they have the ability to make themselves more intelligent they are now part of the IoT world. But these are still traditional technologies that were never sold to market with cyber security in mind. There are no standards in the industry today that certify those as “cyber secure.” — Konkana Khaund, Frost and Sullivan.
- Pay close attention to your vulnerabilities. Try to measure how broadly the standard of any device you are about to specify is supported, since we don’t have any dominant IoT standards on the market yet. In the automotive industry with the Jeep hack, they didn’t pay close enough attention to guarding against hackers and the need for data security. That was a case where an industry didn’t pay enough attention to their vulnerabilities. Our industry cannot afford to make that mistake. — Frank Gasztonyi, Mercury Security.
- Make sure mobile security is super tight. With the increased convenience of data portability and accessibility from anywhere there comes tradeoffs. If you can get to it, so can the bad guys, from anywhere. — Christopher Sincock, DAQ Electronics.
- Understand the risks. Attacks happen all the time. This is where the new frontier is. All of these technologies are intended to have exciting capabilities, but at the end of the day they carry with them a risk. No one is doing things deliberately wrong, but no one is doing them deliberately right, either. We put ourselves at unintended risk by not having a stronger understanding of how things can be misused. — Howard Belfor, Belfor and Associates.
- Leave the client with a strong password. If a product does come with a default password, change it to a secure one. We have seen Wi-Fi programmable thermostats with guides that are 68 pages long. No one is going to read all that, especially the part about registering it properly and getting a good password. When you walk away from a job take a picture of the control panel and the setup screen on the computer. — Ron Lander, Ultrasafe Security Specialists.
- Follow simple security protocols. No one wants to be on the front page of the news for a breach in their network. Some simple security protocols such as strong passwords as well as not allowing source code to be embedded into the device so it can be changed or repurposed can help. — Joe Gittens, SIA.
- Focus on the network. Wireless networks are where much of the risk is. You want to make sure the wireless technology you are purchasing has gone through robust standards. Is it public or private? Is it well tested and vetted? Then if it is a standard and does have a security model as part of it, make sure the technology you are purchasing employs that security model and research the model itself to see if it has any known flaws you should be aware of. — Shawn Welsh, Telguard.
- Trust, but verify. When you are working with a reputable manufacturer you have a general acceptance that this thing is going to be secure, but that is not always the case. For example we offer four different levels of information security within our cameras. They range from a simple password to device level encryption. Very rarely do we have people asking us about authentication encryption. It is not a well-used feature set, even though we have it available. — James Marcella, Axis Communications.