Navigant Research Blog

US Government Struggles with IoT Vision, but Opportunity Exists to Get It Right

— December 21, 2016

The US government needs to up its Internet of Things (IoT) game, according to a new report that calls efforts so far uncoordinated and lacking a strategic vision. I tend to agree. The report, produced by the Center for Data Innovation, does, however, credit the government for having initiated an array of activities in support of IoT action in the private sector.

Report authors Daniel Castro and Joshua New note the many potential benefits of IoT technology across a variety of economic sectors, such as manufacturing, agriculture, transportation, and healthcare. Noticeably absent, however, is energy (which could be a mere oversight). Nonetheless, the authors characterize current government IoT projects as relatively small scale and one-off.

The report joins a growing number of voices opining about what should be done by government in the wake of the October 2016 Mirai botnet attack. A letter from Senator Mark Warner (D-Va.) to outgoing Federal Communications Commission Chairman Tom Wheeler raised legitimate concerns surrounding wirelessly connected consumer devices. (Warner is a cofounder of the Senate Cybersecurity Caucus.) Wheeler’s response points out the need for postponing next steps until the Trump administration is in place.

Security experts like Bruce Schneier have also told Congress of the imminent need for oversight of the IoT because of the potential for serious dangers if left unchecked. Schneier said the recent botnet attack illustrated the catastrophic risks involved, and he has urged action now while there is time to make smart decisions.

Blockchain to the Rescue?

Others are suggesting Trump and his advisors consider blockchain technology. The idea would be to leverage the consensus mechanism inherent to blockchain that enables all of the computers in a system to agree on which new data is valid and which is a threat. My colleague Stuart Ravens explored the blockchain concept for distributed energy in a recent report, and the technology could be useful for multiple industries.

While there is ample evidence to be concerned about the federal government’s role in regard to the IoT, officials are at least struggling with the issues and are not clueless about its significance at this point. They see the economic value of IoT technologies and the opportunity to get it right with regulations, especially with a new team in place come January. There is reason to believe the IoT will get the attention it deserves in the coming years, though officials could still blow it. But at least they are on notice to seize the chance to provide a framework for success, from both a security and an economic perspective.


Automakers Will Have To Adjust to Lifetime Software Support

— February 16, 2016

Over the past several years, as automakers have rolled out new infotainment and connectivity features, they have frequently referred to new cars as smartphones on wheels. Unfortunately for those marketers, that concept is becoming more true than they may have ever hoped. Heading into an era of ever more connected and automated vehicles, automakers are coming to terms with having to maintain and update the software in those vehicles for as long as they are on the road.

Prior to the 2007 introduction of the Apple iPhone, when consumers bought a cell phone, updates to the software that the phone shipped with were almost nonexistent. Wireless companies would sell customers a phone and then (aside from billing) forget about it until it was time to offer them a replacement when the contract was up.

The auto industry hasn’t been much different. Typically, the only time automakers update vehicle software is if something is found to be out of compliance with a regulation or if there is a substantial functional problem. Apple overturned that paradigm by issuing major annual software updates and periodic smaller updates to correct bugs and add major functionality to any of its phones with the hardware capable of supporting the features.

Lifetime Support

Until today, if car buyers wanted to add functionality that did not come from the factory, they would either have to look to the aftermarket or buy a newer model. To date, the only automaker to follow the smartphone model on a large scale is Tesla, which has delivered regular updates to the Model S since it went on sale in 2012. In 2015, Tesla even delivered an over-the-air software update that enabled semi-autonomous autopilot capability. Ford has done this on a smaller scale with updates to its SYNC infotainment system, but these changes have been much more limited in scope.

Navigant Research’s Autonomous Vehicles report projects that 85 million vehicles with some degree of autonomous capability will be on the road by 2035. The Navigant Research Connected Vehicles report projects 80 million vehicles with some degree of vehicle-to-external (V2X) communications by 2025.

With the creation of many new vehicles that can communicate with the outside world and take on some or all of the driving functionality, a ship-it-and-forget-it attitude is no longer viable. These new capabilities can provide increased convenience and (potentially) major safety and efficiency improvements to customers. However, they also significantly increase the potential of cyber-attack vectors. This may open the door for bad actors to track people, steal information, or—in the worst case scenario—take remote control of the vehicle, causing injury or death.

Importance of Security

Fortunately, manufacturers have recognized the importance of cyber security and are moving aggressively with new design, development, and validation processes in order to improve the resilience of in-vehicle electronics. However, doing a better job out the door is only the beginning of the process. In addition to developing new vehicles, engineers will now need to track information coming in through responsible disclosure programs and the Automotive Information Sharing and Analysis Center (Auto-ISAC), and also provide security updates potentially for years after a vehicle is no longer in production.

With the current average age of vehicles at 11.4 years in the United States and many staying in service for 20 years or more, this will put a major new strain on engineering resources. Remote cyber-attacks against vehicles are still a non-trivial problem, but a major incursion is probably not imminent. However, the window of opportunity to find solutions is closing fast.


Physical Security Threats to the Transmission and Distribution Grid, Part 1

— February 8, 2016

While popular media continues to feature the ongoing cyber security threats to the electric utility transmission and distribution (T&D) grid across the globe, with recent cyber attacks in Eastern Europe, another T&D grid threat is looming on the horizon. Over the past 6 months, there have been repeated physical security attacks on utility T&D infrastructure in Eastern Europe and Southeast Asia. The unfortunate truth is that substations and power lines on the electric transmission system are particularly vulnerable to physical attacks, where large, high-voltage transformers are typically located in exposed outdoor conditions, and transmission towers can be seen stretching to the horizon.

Incidents such as the Metcalf Transmission Substation gunshot attack in 2014 and the recent transmission tower attacks in Eastern Europe have received significantly less attention in the media. However, they have been serious enough that the North American Electric Reliability Corporation (NERC) in 2014 released and revised Critical Infrastructure Protection-14 (CIP-014) regulations that require utilities to secure their infrastructure from physical and cyber security threats, as well as to identify and strengthen weaknesses in key substations.

Equipment Initiatives

In 2015, a group of eight U.S. transmission system operators (TSOs) announced a new initiative to speed their response to major physical attacks or other equipment failures on the transmission grid by establishing regional warehouses and inventories of long lead-time critical replacement technologies. Participants include American Electric Power, Berkshire Hathaway Energy, Duke Energy, Edison International, Eversource Energy, Exelon, Great Plains Energy, and Southern Company. These companies have committed to a memorandum of understanding to develop Grid Assurance, a limited liability company that will stockpile the critical equipment necessary to shield utility customers from prolonged transmission outages in multiple locations across the nation. Grid Assurance will own and provide participants and subscribers with timely access to an inventory of emergency spare transmission equipment that could otherwise take months to acquire.

Since the release of the NERC CIP-014 regulations in 2014, utilities are significantly more aware of potential threats and vulnerabilities in the grid. Aging infrastructure, natural disasters, and coordinated attacks on key substations are all major issues. Unfortunately, on the transmission grid, a single major attack or breakdown can have long-term regional or national effects on the United States. A recent 2015 industry survey looked at initiatives that over 200 TSOs have taken since the NERC ruling. Findings included:

  • 49% of utilities have identified threats and vulnerabilities to critical assets, though 28% haven’t taken further action
  • 42% of utilities surveyed have already developed physical security plans to address potential threats
  • 40% have not taken any hardening measures to limit or prevent damage to critical assets in the last 2 years

While it is clear that TSOs are vulnerable to both physical and cyber security threats, the obstacles they face in terms of timely service restoration are daunting, to say the least. I’ll discuss these obstacles in Part 2 of this blog series on physical security.


Automotive Cyber Security Is Finally Progressing

— February 1, 2016

When I first joined Navigant Research as an analyst in August 2014, the very first entry I wrote for this blog came on the heels of the annual Black Hat and DEF CON security conferences in Las Vegas. Up to that time, automakers had been conspicuously quiet on the subject of security. Fortunately, in the past 18 months the industry has awoken to the very real problem of automotive cyber security and is taking steps to ensure that increasingly connected and automated vehicles will remain safe.

Over the past several years, security researchers have demonstrated a series of increasingly sophisticated hacks of vehicles. Back in 2010, we were seeing hackers connect to vehicle internal networks by way of wireless tire pressure sensors or from a back seat via a thick bundle of wires connected to a diagnostic port. In the first half of 2015, we saw cars from two different automakers remotely controlled after researchers were able to wirelessly connect to the telematics modules from a safe distance and take control of the brakes, acceleration, and steering.

White Hat Help

In that first blog I wrote, I called on automakers to embrace white hat hackers and security researchers who were trying to invade automotive electronic systems. Today, both Tesla and General Motors (GM) have official responsible disclosure programs where researchers can submit any vulnerabilities they discover. The automakers review those submissions and work to remediate the flaws to help keep customers safe. Tesla launched its program in mid-2015; GM followed suit in January 2016.

Unlike Tesla (and many technology companies including Google, Facebook, and Microsoft), GM is not currently offering any rewards in its program—though it has not ruled out doing so in the future. The GM program is administered through an online portal run by a San Francisco startup called HackerOne. HackerOne provides the disclosure portal free of charge and makes money by taking a percentage of any rewards paid out for verified vulnerabilities.

Industry Response

Another important step forward for the industry was the establishment of the Automotive Information Sharing and Analysis Center (Auto-ISAC). ISACs are now increasingly common in a wide range of industry verticals including utilities, healthcare, financial services, and more. The Auto-ISAC currently includes most major automakers from North America, Europe, Japan, and South Korea; its goal is to provide a platform to share information about cyber security threats and vulnerabilities that put both the general population and the auto industry at risk. The Auto-ISAC began operations in late 2015 and is likely to become a very important tool in the effort to prevent malicious attacks on the transportation ecosystem.

The mobility business is changing. Navigant Research’s Autonomous Vehicles report projects that there will be almost 85 million autonomous-capable vehicles on the world’s roads in the next 20 years and far more vehicles that will have some level of connectivity. Road safety is already a difficult issue to tackle without the problem of malicious attackers intruding from a distance. Fortunately, the industry is now tackling the issue head-on on numerous fronts via improved system architecture, more robust software development processes, and collaboration with anyone willing to step up and help.

