Securing the machines

29 April 2015

The UK’s first IoT network is nearing completion and uses Arqiva’s nationwide sites and hardware from French IoT specialist SigFox. It also connects to the international IoT network that SigFox has created in other countries such as Spain and the Netherlands.

The UK’s first IoT network is nearing completion and uses Arqiva’s nationwide sites and hardware from French IoT specialist SigFox. It also connects to the international IoT network that SigFox has created in other countries such as Spain and the Netherlands.

People are throwing around the term ‘Internet of Things’ these days, but what do they really mean? In case you’ve been meaning to ask, here’s what you need to know: The Internet of Things (IoT, also known as machine-to-machine or M2M) includes everything that connects to the internet, encompassing an ever-expanding variety of devices such as fitbits, home security systems, biochip transponders on animals, heart monitoring implants, RFID tags on inventory items, automobiles with built-in sensors, and more. 

The connection of these devices with the internet and their interconnection with each other is likely to enable advanced applications and unforeseen advances in virtually every industry. The IoT can offer new levels of adaptability, new top line revenue, and unprecedented velocity. 

The market predictions are huge. According to Gartner, there will be nearly 26 billion devices on the IoT by 2020; analysts at IDC expect IoT spending will be $7.3 trillion by 2017, while Cisco’s John Chambers recently blogged that he believes it could be as large as $19 trillion by 2020. 

But this opportunity comes wrapped in a huge challenge: the number of identities you need to manage quickly proliferates beyond anything that most identity platforms can handle. 

Back in the day, a company might have had an identity access management platform (IAM) that could manage 10,000 identities, totally covering every employee and up to 2,000 partners (one device each, remember). But now that each employee or partner uses three or more devices (their PCs, tablets, and smartphones) that IAM isn’t performing so well. And it becomes completely obsolete when you consider today’s digital transformation in the age of the customer.

To manage millions of identities and dynamically engage users while protecting their privacy and your business, you need something radically different.

So while all the speculation of the IoT’s economic promise means it’s too good an opportunity for businesses to pass up, it’s time to temper the information-everywhere enthusiasm with the privacy protection that organisations and individuals demand. Without it, the IoT will only be a shadow of its potential. 

Even more importantly, the technology that provides user privacy is also the technology that unleashes the possibility of transformative, personalised IoT services. 

Delivering transformative IoT services

It’s no surprise that the IoT is resulting in a new category of cybercrime. A recent example is the smart LED light bulbs that leaked Wi-Fi passwords. You may recall a report last year about how experts from Context Security showed how easy it was to hack into the Wi-Fi network of LIFX brand bulbs and control the lights remotely via a smartphone. The manufacturer has since fixed the flaw, but what does a hack of such a device mean? We haven’t seen one with devastating consequences – yet. But even relatively minor hacks can cause inconvenience for the user. Worse, these vulnerabilities break the customers’ trust and tarnishes a company’s reputation which can irreparably damage a business. 

Digital identity that factors in context, is modular, highly scalable and flexible, is the key to protecting organisations and users while at the same time delivering transformative services in the era of the IoT. Identifying who’s who and what’s what has never been so complex, and without the right identity model in place, your organisation could be at risk of making your data – and your customers’ – openly available to the bad guys. 

But identity that factors in context and scalability for the proliferation of users, devices and the IoT are beyond what traditional IAM products can deliver. They were designed for a much more restricted environment, and their perimeter approach, with data behind a firewall, is obsolete. Plus, they were designed to handle multiple thousands of identities – in the era of the IoT you need to manage millions. Static and portable devices need to communicate with each other and there’s also human-to-machine and machine-to-machine identification and interaction to take into account.

To embrace the IoT and leverage it for a competitive edge, approach the challenge of identity services from a new angle. 

First, with so many external users, you’ll need to drop the classic ‘castle defence’ mentality. Instead of sitting behind the firewall, identity systems need to manage information beyond the wall at internet scale. And they need to do more than toggle simple ‘yes/no’ authorisation or denial of access. Start looking for identity systems that are business enablers, facilitating relationships between each ‘thing’ and its user. Such systems should provide agility, flexibility and scalability to adjust the services offered in response to context such as geographical location, time of day, and multiple other factors.

Recognising the inadequacy of IAM, organisations of all sizes are abandoning it for Identity Relationship Management solutions. IRM is designed to help businesses manage user and thing identities and keep services secure and readily available. It does so by delivering dynamic identity management that is based on the following four key attributes: 

Modularity: IRM platforms need to be modular, and preferably designed as an integrated, cohesive stack that is purpose-built to handle the complexity of multiple users, devices, access points, and privileges. At the same time, they need to be able to encompass legacy applications and services. Modular, open platform solutions are well suited to connecting with virtually any device or service while supporting old and new versions of each device or application. 

Internet scalability: digital businesses work at internet scale which means that the number of users can expand exponentially from thousands to millions worldwide. The identity system needs to be scalable and dynamic enough to deal with these changes and serve content regardless of location – while being aware of the difference location might make in the type of services available and the way they are delivered.

Borderless services: the IoT is connecting everywhere, all the time. IRM needs to provide ‘borderless’ and secure access to applications wherever they are stored – on premises, in the cloud or both – from any internet-connected device, anywhere.

Context awareness: context was barely a consideration with traditional IAM but it is a critical differentiator for companies delivering digital services. IRM can help you better engage with stakeholders based on context and behaviour. As such, it needs to be intelligent enough to evaluate different circumstances and make the best judgment, for example, by using adaptive and multi-factor authentication when a user logs in from a typical device or region.

The IoT will be everywhere, including your home. For example, the Nest learning thermostat shown here programmes itself, turns itself down when the house is empty, and can be controlled from anywhere via a smartphone, tablet, or laptop.

The IoT will be everywhere, including your home. For example, the Nest learning thermostat shown here programmes itself, turns itself down when the house is empty, and can be controlled from anywhere via a smartphone, tablet, or laptop.

Connecting your mindset

IRM provides open, evolving and confidently secure identity solutions for customers, partners, and other important stakeholders both inside and outside of a company. The ideal platform should include all aspects of identity lifecycle management, encompassing identity administration, access management and identity data stores, and should also be capable of defining and establishing relationships between all those identities. 

In this way, attributes, context, and behaviour can all be analysed – both for security purposes and to improve customer engagement, as well as to create new revenue-generating opportunities. As a recent Gartner survey found, CEOs have “growth” among their top three business priorities and are heavily investing in their digital business to achieve this goal, and IRM is playing an increasingly significant role. Yes, it’s a new way of thinking and acting, but is one that will protect your business and help it grow. To ensure security in the era of the IoT, the following should be considered:

Think external, not internal: it’s not just about keeping a close eye on what devices employees are connecting to the network. You need to authenticate external contacts and clients. Each user could potentially want to access your systems with multiple devices and expect an experience that is tailored to how, when, and where they are accessing your services. 

Use a unified identity platform: this will provide a simple, repeatable way to protect a growing number of devices. Trying to duct-tape architectures or protect access on a device-by-device basis is not going to work effectively (if at all).

Use open standards and technologies: the identity platform needs to be reachable in a standardised way, whether the communication comes via a human or a machine. If your platform supports open standards and technologies, use them.

Analyse real-time behaviour and context: ensure data is being encrypted and authenticated when it’s communicated between IoT devices. Check the location, time and device to ensure requests to connect are valid, warranted by legitimate business need, and consistent with past behaviour.

Savvy organisations will make it a priority to lay the technical foundation to accommodate the rapid growth of the IoT and exploit it for business advantage. IRM should be a key part of that foundation,
especially as more organisations are exploring ways to address digital transformation. 

With IRM in place, you can readily identify and authenticate the exploding number of devices connecting to your networks – and as a result, ensure user security, improve user experience, protect valuable data, and learn more about how users interact with your services to identify new opportunities.


Arqiva powers ahead with UK’s first IoT network

The IoT looks set to become an inevitable part of the UK landscape, as ABDUL MONTAQIM discovers.

Arqiva has almost completed the creation of the UK’s first nationwide IoT network. The company began the project in May 2014 after signing a deal with French IoT specialist SigFox, which already has several M2M networks in other countries. (Also see News, Dec 2012).

While Arqiva has the sites and the infrastructure in the UK, SigFox provides the equipment – such as base stations and antennas – as well as the radio transmission technology needed to securely transport data. SigFox also connects the UK IoT network to its IoT infrastructure in France and beyond.  

Arqiva’s plan was to initially connect 10 of the country’s largest cities to the IoT. The cities it has been stitching together include Birmingham, Bristol, Edinburgh, Glasgow, Leeds, Leicester, Liverpool, London, Manchester and Sheffield. 

“We’re making excellent progress in deploying the network across the 10 major cities in the UK,” says Sean Weir, business development manager at Arqiva. “Work is ongoing to cover around 90 per cent of every one of those cities. That’s the first phase of implementation of the network and we’ll complete that over the next couple of months.” 

While Arqiva has now decided which cities it will hook up next, it refused to name them. However, Weir did point out that “Wales could do with an IoT network”. 

The firm was also reluctant to reveal how much the network has so far cost to build. Weir says it will take six months to a year to determine whether some of the projections in the company’s business plan are realistic or not. 

He believes the IoT will become an inevitable part of the UK landscape, and will expand quickly in the next few years once businesses realise there are billions to be saved by using it. 

Arqiva is currently looking at using the network with large facilities management companies to monitor industrial premises and turn them into “intelligent buildings”. 

“There’s a range of applications that we are discovering now for putting simple devices into buildings that don’t have more sophisticated building management systems. At the moment, they employ a manual workforce. At night, for example, security people go around to see if all the lights are off, check the car park to see if the cars are there or not there, and they’re under obligation to check the hot water coming out of the taps to see that it’s the correct temperature,” says Weir. 

Again, he declines to be specific about which companies Arqiva is talking to because of various non-disclosure agreements. But he does say that the devices the firm is developing include ones that can not only monitor the conditions inside buildings, but can also be used to change and maintain them. 

Can cyber criminals hack the IoT network and even control the machines? While it’s impossible to stop the most determined, tech-savvy and well-financed criminals, the IoT could possibly prove a tougher nut to crack. Thomas Nicholls, SigFox’s head of marketing and communications, says: “The main point to note about the security aspect of [our] network is that we do not understand the data that we transport. Someone who wants to get access to data being sent to and from devices running on the SigFox network would never, in no way, be able to get that sort of information. 

“Each individual customer will do their own encryption, their own data format, and they do not share that with us. We give each customer a ‘container’, if you like, and they put their encrypted data in that container. We then take that container and put it in our own container (the SigFox protocol) on our network, and these are secured by us using encryption.” 

Weir is also keen to point out the security strengths of Arqiva’s IoT network. “One of the key things about security on an ultra-narrowband network is that when you’re only sending 12 bytes of data over our network, it’s a small packet of data, and it’s extremely difficult to intercept that data. 

“The network also has additional security features. There’s authentication, it doesn’t replay messages, and it does what’s called ‘frequency hopping’. So one message is sent on one frequency and then hops to another frequency, which means it’s very difficult to keep on finding which frequency you should be on in order to intercept the messages. That also makes it extremely difficult to jam the network.”