Navigant Research Blog

Businesses Say Bring On IoT Regulations

— November 28, 2017

Most businesses do not seek new regulations from governments or regulatory agencies. They already have enough rules to play by. But when it comes to the Internet of Things (IoT), many take a different tack and are quite open to strong regulations since they are acutely aware of the many reported hacks or known vulnerabilities in things like webcams, baby monitors, and cardiac devices.

A new survey underscores this sentiment: 96% of business respondents say there should be IoT security regulation, according to the study of 1,050 global IT and business decision makers conducted by Gemalto, a global digital security vendor based in the Netherlands.

Not only do business people see the need for enhanced IoT security, consumers do as well. The same Gemalto survey finds that 90% of consumer respondents (out of 10,500) believe there should be IoT security regulation. 65% of the same consumers are concerned about a hacker controlling their IoT devices.

Challenges Businesses Face

The leading challenge for companies trying to secure IoT products or services is the high cost of implementation (44%), according to the survey. That means companies either bite the bullet and invest in greater security for products or services or cut corners. The latter is obviously not a wise approach. It leaves customers too vulnerable to shoddy security in the IoT products or services they purchase. If spending remains a barrier, it could spell trouble for the emerging IoT market as a whole. With no baseline of security, IoT technology buyers will remain leery and unlikely to make purchases.

Another concern the study revealed is that only 6 out of 10 businesses encrypt all the data they capture or store via IoT devices. That means 4 out of 10 (or 40%) businesses do not, a major red flag. Not all data flowing from IoT devices is that valuable; the number of times someone turns on or off a connected light bulb is minor. But health records or personal financial details are another matter altogether.

Energy Sector Relatively Secure, So Far

So far, the energy sector has a fairly good record of thwarting attacks against devices, with some exceptions. Things like smart meters, substations, and other grid assets have remained safe for the most part. But there are many attempts to penetrate the grid, like earlier this year when nuclear facilities came under attack. Those attempts are likely to increase as more things connect to the grid through distributed energy resources and behind-the-meter devices like smart thermostats or EV chargers. Without stronger rules and incentives, the risks will rise significantly.

One can understand the desire for more stringent regulations for the IoT. The number of things connecting to the grid and other systems is growing exponentially, and so too the number of potential threats. A strong set of standards throughout the IoT value chain is needed to keep data, systems, and people safe. Strong rules will force vendors to devote the needed resources and money to make it happen sooner rather than later.

 

Cybersecurity Threats Mount, but Overall Picture Not So Bleak

— November 16, 2017

Cybersecurity threats keep mounting against the grid, corporations, and individuals. The known attacks and security holes revealed in the past year are real and cause for serious concern. The whole picture, however, might not be as bleak as it first appears if utilities focus on getting ahead of cybersecurity threats. The good guys are in this fight and they have solid tools to keep us safe. Among grid-related threats, at least three incidents stand out as examples of how grim the situation could become if utilities do not proactively address cyber attacks.

It was revealed in August that a foreign power had compromised the state-owned Irish power grid company EirGrid, according to a report by Ireland’s Independent newspaper. When the hack was first discovered, experts said the breach occurred more than 2 months beforehand. At the time, the newspaper’s sources said it was still unknown if any malicious software had made its way into EirGrid’s control systems. Though it is unclear which foreign power was involved, the hackers used Internet Protocol (IP) addresses sourced from Ghana and Bulgaria.

In July, US officials revealed that hackers had penetrated computer networks of companies operating nuclear power stations, other energy facilities, and manufacturing plants. Wolf Creek Nuclear Operating Corp.’s power plant near Burlington, Kansas is one of the nuclear facilities specifically named. The nefarious activity caused the US Department of Homeland Security and the US Federal Bureau of Investigation to issue an amber warning, which is the second-highest rating level. It turns out the hackers were unable to hop from victims’ computers into control systems, and officials said there was no sign of a threat to public safety.

In mid-October, millions of people found out that nearly all Wi-Fi devices were at risk of hijack and eavesdropping because of a bug known as KRACK that exposes a flaw in the common security protocol WPA2. If the flaw is exploited, a hacker could use a skeleton key to access any WPA2 network without a password. Patches for thwarting the threat have been made available from some vendors, while others are still pending.

Grid Cybersecurity

So, how high are the overall risks? Potentially rather high, but perhaps not as high as one might think for the grid in particular. According to Philip Propes, chief security information officer for the Tennessee Valley Authority (TVA), the situation is not doom and gloom in the electric utility sector. During a recent webinar, he said officials in the utility industry are well aware of cybersecurity issues and many have taken appropriate steps. In TVA’s own case, he says his team is moving from a reactive approach to a proactive approach around security and getting ahead of attacks before an event occurs.

Furthermore, private experts and researchers at the US Department of Energy’s national labs are working on new methods to reduce the threat from cyber attacks. One project at Oak Ridge National Laboratory would set up a private communications and control system for the grid, called darknet, that would operate separately from the public internet. Also, the use of quantum encryption capabilities could add enhanced security for the grid.

Cybersecurity risks should not be taken lightly, but there is no reason to panic. There is a growing sense of urgency among experts and officials to collaborate on robust solutions and progress is being made quietly, despite the mounting threats. For a more in-depth look at how utilities are responding to these threats, check out Navigant Research’s Cybersecurity for the Digital Utility report, written by my colleague Michael Kelly.

 

Dell, Others Make Bold Moves in IoT Market

— November 10, 2017

Dell made a splash in the Internet of Things (IoT) market recently, announcing a $1 billion investment over 3 years to set up a new IoT division of the company and to fund new IoT-specific products, labs, and a partner program. The goal is to prod customers into speeding up the deployment of its IoT projects. This move follows a quiet 2-year period during which Dell honed its strategy. Dell’s new IoT division will be helmed by Ray O’Farrell, executive vice president and CTO at VMware.

Dell Is Not Alone

Others are also pushing hard to drive IoT adoption across multiple sectors, including energy, mining, manufacturing, and smart cities, to name but a few. Some of the other recent IoT-related moves include:

  • Apple and General Electric (GE) announced a partnership in mid-October to produce “powerful industrial apps designed to bring predictive data and analytics from Predix, GE’s industrial IoT platform, to iPhone and iPad.” The companies also released a new Predix software development kit for iOS, which developers can use to make their own industrial IoT apps.
  • Germany’s Dialog Semiconductor announced its plans to acquire California-based Silego Technology for as much as $306 million in a move to help Dialog fortify its position in the IoT market.
  • Also in Germany, business software provider Software AG recently said it would form a new IoT cloud unit in January 2018. It also set up a new strategic alliance with a group of manufacturers that will focus on new industrial applications for IoT and Germany’s Industrie 4.0 digitization initiative.
  • In Dubai, Sheikh Mohammed bin Rashid, the vice president of the United Arab Emirates and ruler of Dubai, launched an IoT strategy aimed at preserving the emirate’s digital wealth and setting the foundation for a smart lifestyle transformation process for its people.

More of these investments and strategic moves related to IoT are expected as competition heats up among vendors trying to seize early market momentum and as the trend moves well beyond the hype phase. This should be good news for those companies seeking to leverage IoT technologies for their business processes. Customers should derive benefits as IoT solutions vendors invest more in their products, channeling engineering horsepower into solving complex industrial problems. For a window into what the industrial IoT market could look like over the next decade, see Navigant Research’s report, Industrial Internet of Things.

 

As Security Threats to IoT Grow, So Do New Solutions and Regulations

— October 10, 2017

Good reasons abound for concerns about the vulnerability of the electric grid to cyber attacks. Likewise, enterprises must confront serious security risks as a growing number of firms adopt industrial IoT (IIoT) technologies. Consumers risk potential hacks as they install IoT gadgets such as smart thermostats or voice-activated devices like Amazon’s Echo in their homes.

Scary Stories

Recent stories paint a dark picture of these risks. A story about Industroyer—a modular malware likened to the notorious Stuxnet worm—sends a sobering message. The story’s author, Robert Lipovsky, says, “Industroyer poses a big threat to industrial systems because it doesn’t exploit any vulnerabilities,” and that its four payload components “are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.” Also, the malware can be reconfigured to attack other energy infrastructures and other industries like manufacturing or transportation.

In the broader realm of well-known Bluetooth technology, the story is much the same. An IoT security firm called Armis has uncovered critical flaws in Bluetooth implementations that could affect up to 5.3 billion devices. The Armis researchers have named this threat vector BlueBorne. So far, nothing untoward has been reported in terms of hacks, and Armis is working with Apple, Microsoft, Google, and Linux developers to quietly coordinate the release of patches to stop potential attacks. But left unchecked, attackers could theoretically take over Bluetooth devices or commandeer their Internet traffic.

Products to Protect against Threats

Despite these ominous stories, technology vendors have new products aimed at reducing security threats. Intel, for example, has a new process called Secure Device Onboarding to ensure a more secure deployment of connected devices for enterprises. The idea is to help industrial customers safely and quickly install IoT devices, such as lighting, sensors, and gateways. The company is working across the ecosystem to help push this new level of security and boost IoT adoption.

Similarly, Cisco is touting enhanced routers for utility customers with security at their core. Executives from Cisco report that security is top of mind for utility and other enterprise customers in the face of the latest cyber threats, and the company is responding to this demand.

Policy Adaptation

Elected officials in the United States also see the threat to IoT devices, and are pushing new legislation. A bipartisan group of senators has proposed a new IoT Cybersecurity Improvement Act of 2017, which is still working its way toward approval. The law, if enacted, could be one more key driver toward a safer IoT and IIoT world.

In the face of potential IoT-related threats, it might be easy to see only the dark side. To be sure, connected devices are more vulnerable than non-connected ones. Nonetheless, leading IoT vendors, their customers, and even legislators are taking real steps to hinder harmful attacks. This means that the situation has a bright side, too.

 
