Article

The term “Internet of Things” (IoT) has been around for a while. It was coined in 1999 by Kevin Ashton, who used it in a presentation at Proctor & Gamble to describe how physical objects in the company’s supply chain can be accurately tracked by integrating two technologies: Radio Frequency Identification (RFID) and the Internet (Ashton, 2009).

Today, IoT is used to describe the myriad Internet-connected devices, such as home security monitors, utility management systems, kitchen appliances, smart televisions, baby monitors, fitness trackers, personal health monitors at home and in hospitals, and smart sensors on the roads and connected automobiles.

An IoT system that monitors energy usage in a home, for example, will allow the home owner to change the thermostat setting, turn the lights on or off, and transform windows from transparent to opaque, all from a distance using a smart phone. An IoT home security system that connects to the Internet will likely be able call the police and alert the homeowner, when it detects an intruder. Recently, Samsung Electronics demonstrated a refrigerator that sends pictures of the food inside and then orders groceries automatically with input from family members (Mawad, & Nichola, 2016).

In industry, connected devices, employed in diverse areas such as manufacturing, mining, agriculture and utilities, are often included under the IoT umbrella (Accenture, 2015).

The military, with its use of Network Centric Warfare (NCW) (Alberts, et al., 1999), has been employing the concept of IoT well before that term was invented. As with IoT, in NCW, military personnel and various war and intelligence machineries (“things”), such as ground sensors, reconnaissance planes and drones, and aircrafts, are fitted with communication and networking capabilities.[1] A battle can be fought more successfully with the information superiority that results from connecting these machineries and soldiers. NCW enables shared awareness among all participants, increased speed of command, and thus greater lethality and increased survivability.

The “How” of IoT

The very basic concept of the Internet of Things is that physical objects (things) have a way to communicate with other physical objects and humans and receive instructions dynamically to change their behavior using the Internet. For this to work, the following must be embedded in a physical object:

• A mechanism to communicate through the Internet or to a hub that, in turn, communicates through the Internet
• One or more sensors to understand a specific environment, such as a smart thermostat in a power management system or a motion detector in autonomous vehicles
• A computer with software to process data from its specific environment, integrate and consolidate data from other units, and process user commands[2]
• One or more actuators to control the object

An IoT device or object, in short, is an embedded computer device. Because IoT devices are connected among themselves and with human operators, they can share information and make dynamic decisions on their own or assist humans to make the decision. This Internet connectivity better allows for decision making that is more integrated and symbiotic than decision making by individual devices or objects that lacks such coordination.

One can view IoT devices working together as real-time, distributed computing. We have devices with small computers embedded in them with software running on them that sense the environment, exchange data and status with other devices, and react to the data they sense and receive from other devices to control their own devices. We have been doing distributed and embedded real-time computing for quite some time.

So, what is the big deal about IoT?

Quite simply, the pervasiveness and scale of IoT resulting in major structural changes in a variety of industries should be a cause of concern from a labor/workforce perspective. The host of security, safety and privacy challenges it gives rise to should also be a cause for concern. Let’s look more closely at them to understand the challenges better and how to address them.

Pervasiveness and Scale

IoT devices, by their very definition, can be any physical object embedded with sensors, actuators and computers that shares information using the Internet. That includes ranges, refrigerators, washing machines, HVAC equipment, TVs, medical devices at home and hospital such as blood pressure monitors, insulin pumps, and MRI machines.

A 2015 Gartner, Inc. report forecasted there would be 6.4 billion IoT devices worldwide in 2016, up 30 percent from 2015, with the total projected to reach 20.8 billion by 2020 (See Table 1). The 2016 growth would have required more than 4 million new devices be connected to the Internet each day.

Internet of Things Units Installed Base by Category (Millions of Units)

Source: Gartner, Inc., 2015

The revenue estimated by Gartner, according to the same report, is even more astounding, with 2016 projections reaching $235 billion for IoT services, for design and operation of the devices. IoT equipment purchases for consumer applications were projected at $546 billion for 2016, while the use of connected things in the enterprise were projected to reach $868 billion.

This massive and rapid upscaling is bound to produce a lot of new players and even stronger existing players. For example, Nest, in the smart sensor arena, which was bought by Google for $3.2 billion; Wi-Next in edge computing; big data giants Amazon and Microsoft; and integration specialists NTT Data and Wipro. It is also going to be massively disruptive to existing businesses. There will be less need for assisted living homes, for example (Kavis, 2016). This pervasiveness, moreover, has profound implication for developing trustworthy, secure software.

Safety and Security

“Give the Internet hands and feet, and it will have the ability to punch and kick.”

— Bruce Schneier, Security Technologist (2017)

Software and integration of IoT devices are no longer in the hands of a few large computer, device, software and integration vendors such as IBM, GE, Hitachi and Microsoft that all know how to develop secure software and software for embedded systems. Many of these devices lack standardized operating systems, middleware, data store, and so forth to facilitate dependable, reliable computing on them. Architecture, middleware and standard components and services for IoT systems are at best evolving, and many tools and platforms for IoT software development are currently proprietary.

An embedded system, by its very nature of being embedded in the device it is trying to control, is resource-constrained. CPU, memory and other computing resources are at a premium, and the market incentive is to devote resources to functionality to keep the cost low. Other considerations such as weight, power consumption and heat dissipation weigh heavily. The bottom line is that giving due importance to information security will be a challenge for many of today’s IoT vendors.

Many of today’s embedded systems are not Internet-enabled; so, compared with IoT devices, information security is of less concern. Critical embedded systems, such as avionics software, are developed by well-trained software engineers with assurance and verification techniques supporting the development process. Scarce, well-trained software engineering resources were expended to develop such systems. Can we scale that type of application of assurance techniques in the development of millions of IoT devices? This is a question that begs an answer.

The most notorious attack on IoT so far was a massive denial of service (DoS) attack on the Internet in October 2016 using the devices as cheap bots. This distributed DoS attack exploited a vulnerability in a stripped-down version of Linux used in IP-enabled video cameras, WiFi routers and other IoT devices, and it was targeted at a Domain Name Service that, in turn, caused outages in Twitter, Reddit, Netflix and PlayStation Networks.

It’s no exaggeration that IoT safety and security could be a matter of life and death. The software in IoT devices controls the functioning of physical devices. If the software is hacked, then the safety of the device can be compromised. For example, an insulin pump may be hacked so that it fails to inject insulin at the right time, or a braking system in a car could be disabled. Recently, a cybersecurity vulnerability was shown to exist in a St. Jude’s implantable cardiac device. No longer are viruses on your laptop deleting your files or Trojan horses monitoring your web browsing activities. A hack into a device can be a matter of life and death.

Privacy

As IoT devices invade our home and healthcare, privacy could become a major issue. Device vendors, such as Samsung, and service providers, such as Pepco, in the pretense of making their devices more efficient or making our lives more comfortable or our operations more efficient, are in a position to collect information about our health and lifestyle and share that information with third parties.

Vizio, a smart TV maker, was recently fined $2.2 million for snooping on our TV watching habits. Potentially they could sell that data to advertisers or show producers (Wired, 2017). As discussed earlier, Samsung Electronics Company demonstrated a refrigerator that sends statistics and pictures of the food inside the refrigerator so you may order groceries remotely, say from work. The contents of your refrigerator—perhaps only beer and cured meat and no vegetables—can certainly be of value to your health insurance provider in determining your premium!

In general, IoT vendors and service providers may mine the information they collect and may share the raw and mined information with third parties, such as advertisers and health insurance providers. We may need government organization, such as the FTC, to help set industry-specific (e.g., health monitoring, energy usage) privacy standards for vendors on their disclosure and notice to owners on the following items:

• What functionality they intend to support through their data collection
• What data and data types they need to collect to support those functions
• The third parties they will be sharing the data with
• Mechanisms available for the owner to correct erroneous information in the vendor’s records
• How the vendors will protect the information collected
• Dispute resolution mechanisms for the data being collected, stored and shared
• Opt-in and opt-out choices on the information collected (FTC, 2015) (Truste, 2004)

Where do we go from here?

The biggest impact of IoT will be on changing the computing paradigm. Currently, IoT is mostly viewed as a convenience or efficiency-improving technology. Humans can make decisions from a distance and more holistically by integrating information from multiple devices whether at home, in an automobile, or on a battlefield. Instead of thinking of IoT as objects with sensing, computing and sharing information capabilities, why not think of IoT as many distributed computers with connections to physical objects with sensing and actuating capabilities?[3]

To quote Bruce Schneier (2017), with this mindset, “a car is no longer a mechanical system with embedded computers inside it, the car is a distributed system with hundreds of computers with wheels and an engine.” Instead of computers assisting fuel injection, traction control and braking with humans still in control, we now see the emergence of self-driving cars where a human may intervene. So, the IoT technology is leading to very powerful automation with artificial intelligence as the “driving force” for sensing, fusing intelligence and coordinating the behavior of various types of physical entities.

In these cyber-physical systems, “cyber” has started playing a more important role than the “physical” aspects of the systems. Machine learning and artificial intelligence is becoming the sought-after skill. This paradigm shift is changing the dynamics and players in various industries. Apple and Google are now in the automotive industry!

How well this paradigm takes off or how well IoT deployment continues to grow will ultimately hinge on answering the following fundamental questions to the satisfaction of consumers and other users: Are IoT devices safe? Are they secure? Are they trustworthy? Are they watching me? Are they tracking me?”

The number of IoT security breaches will only increase. To successfully address the current challenges we face with the proliferation of IoT, we will need to train a generation of experts who can develop secure real-time software and implement secure and trustworthy machine learning and other artificial intelligence techniques that will allow the above paradigm shift to take hold. Information security needs to be baked into IoT life-cycle, from requirements to design to implementation to testing to deployment and configuration. Consumers and home owners need to be educated on the data being collected about them and they need to be vocal about their concerns through groups such as patient rights advocacy groups.

Balakrishnan Dasarathy is collegiate professor and program chair for Information Assurance at the Graduate School of the University of Maryland University College.

References

Accenture (2015). Driving Unconventional Growth through the Industrial Internet of Things. Retrieved from: https://www.accenture.com/us-en/_acnmedia/Accenture/next-gen/reassembling-industry/pdf/Accenture-Driving-Unconventional-Growth-through-IIoT.pdf.

Alberts, D.S., Garstka, J.J. and Stein, F.P. (1999). Network Centric Warfare: Developing and Leveraging Information Superiority, 2^nd Edition, Retrieved from: http://www.dodccrp.org/files/Alberts_NCW.pdf.

Ars Technica. (2016). Double-dip Internet-of-Things botnet attack felt across the Internet. Retrieved from: https://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/ & https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/.

Ashton, K. (2009). That 'Internet of Things' Thing. RFID Journal, Retrieved from: http://www.rfidjournal.com/articles/view?4986.

Federal Trade Commission (FTC). (2015). Internet of Things: Privacy & Security in a Connected World. Retrieved from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

Gartner. (2015). Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015 [Press release]. Retrieved from http://www.gartner.com/newsroom/id/3165317.

IBM. (n.d.). Watson Internet of Things. Retrieved from: https://www.ibm.com/internet-of-things/platform/watson-iot-platform/.

ISO. (2016). IoT Reference Architecture. Retrieved from: https://www.w3.org/WoT/IG/wiki/images/9/9a/10N0536_CD_text_of_ISO_IEC_30141.pdf.

Kavis, M. (2016). Forbes. Investor's Guide to IOT Part 2 - Understanding The IOT. Retrieved from: https://www.forbes.com/sites/mikekavis/2016/02/investors-guide-to-iot-part-2-understanding-the-iot-vendor-landscape/2/?ss=cio-network#61df4409373.

Mawad, M. & Nichola, S. (2016). Your Kitchen Appliances Are Watching You, Security Expert Warns. Retrieved from: https://www.bloomberg.com/news/articles/2016-09-01/your-kitchen-appliances-are-watching-you-security-expert-warns.

Microsoft.(2016). Microsoft Azure IoTReference Architecture. Retrieved from: http://download.microsoft.com/download/A/4/D/A4DAD253-BC21-41D3-B9D9-87D2AE6F0719/Microsoft_Azure_IoT_Reference_Architecture.pdf.

RT Insights.com. (n.d.). Solving IoT Integration: Vendor Landscape. Retrieved from: https://www.rtinsights.com/industrial-iot-companies-integration-platforms/.

Schneier, Bruce (2017) Schneier on Security. Retrieved from: https://www.schneier.com/blog/archives/2017/02/security_and_th.html, Feb. 1, 2017.

Sethi, P. & Sarngi, S.R. (2017). Internet of Things: Architectures, Protocols, and Applications. Volume 2017 (2017), Article ID 9324035, 25 pages. Retrieved from: https://www.hindawi.com/journals/jece/2017/9324035/.

TRUSTe. (2004). Your Online Privacy Policy.  Retrieved from: https://learn.umuc.edu/content/enforced/190519-M_013959-01-2168/Session%203/Truste_WriteAGreatPrivacyPolicy.pdf?_&d2lSessionVal=LDP2imSs3UtKWHJtNkvxFusZ3&ou=190519.

U.S. Food and Drug Administration (FDA). (2017). Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication. Retrieved from: https://wayback.archive-it.org/7993/20201222110135/https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-identified-st-jude-medicals-implantable-cardiac-devices-and-merlinhome.

Wired. (2017). How To Stop Your Smart TV From Spying on You. Retrieved from: https://www.wired.com/2017/02/smart-tv-spying-vizio-settlement. Feb. 7, 2017.

[1] The networking is not using the public Internet, and using a technology known as mobile ad hoc networking that does not require fixed networking infrastructure such as routers.

[2] Although the term, Internet of Things, is really the physical objects, the sensors and actuators are known as the IOT of things, whereas the objects are known as physical entities in IoT reference architecture documents (ISO, 2016). However, we will use the term IoT to refer to the physical objects themselves that have connectivity to the Internet, since we assume sensors, actuators and computing elements are embedded in them in our nomenclature.

[3] An extension to this concept is that the computing power does not have to be all embedded. Some or even all processing and storage capabilities can exist in a remote cloud.