Navigant Research Blog

IoT Cybersecurity Clouds

— May 4, 2017

The dark Internet of Things (IoT) cybersecurity clouds keep hanging around with the latest news about malware that can wipe data from infected devices. Researchers from Palo Alto Networks discovered malicious software called Amnesia that can infect digital video recorders. If Amnesia senses it is running in a virtual environment, it can wipe critical directories from the file system. The researchers say this is a new capability in malware aimed at Linux-based embedded devices—which include smart TVs, wireless routers, switches, set-top boxes, in-vehicle entertainment systems, navigation hardware, industrial automation equipment, and medical instruments. This potential threat goes beyond consumer devices and could affect the electrical grid. Several other threats against IoT devices have surfaced as well:

  • University of Michigan researchers demonstrated they could hack into sensors on smartphones, automobiles, and IoT devices using a $5 speaker. They targeted microelectromechanical systems (MEMS) accelerometers, which measure speed changes in three dimensions. Using acoustic tones, they deceived 15 different accelerometer models into registering movements that never happened.
  • Engineers at Israeli firm Argus Cyber Security remotely shut down a car engine using a smartphone app, a Bluetooth connection, and a $75 dongle, which insurance companies frequently install to monitor driving. The engineers triggered a signal that disabled a car’s fuel pump, something that would happen only after a collision, according to a Wall Street Journal report.
  • A doll named Cayla was investigated by regulators in Germany for being a security threat. The doll does not link directly to the Internet, but can connect via Bluetooth to any mobile device that has the doll’s dedicated app. Researchers found the dolls recorded voices and sent data to a third party specializing in voice recognition.

Security Is Top Concern for Developers

Among developers who write software for IoT devices, security concerns remain high. Nearly 47% of developers who responded say security is their top concern, and it has remained number one for 3 years, according to an annual survey (see slide 16) by the Eclipse Foundation. The situation does not seem to be getting much better in terms of the potential threats posed by IoT devices. However, beyond the negative headlines, there is some positive work taking place:

  • The prpl Foundation is making progress on efforts to reduce threats to IoT devices. Members of this open source and community-driven foundation are focused on enhancing the security and interoperability of embedded devices.
  • Two industry groups joined forces to improve Internet security. The Online Trust Alliance (OTA) has partnered with the Internet Society to improve security and data privacy. For several months, the OTA has promoted a new framework for securing the IoT, supporting multiple built-in security measures for devices from the beginning, and advocating strong security through the entire IoT product lifecycle.
  • The National Institute of Standards and Technology (NIST) continues to push a broad set of initiatives to create a safer marketplace through its Cybersecurity for IoT program.

Will the Clouds Part?

So where do we stand in this process to create a more secure IoT world? In short, there is progress taking place. One thing to keep in mind: the IoT security threat is not going away anytime soon. That said, key stakeholders need to stay focused on providing stronger security measures for IoT devices and services. Otherwise, IoT market opportunities (see Navigant Research’s Emerging IoT Business Models report) will be lost or needlessly delayed. We are in for cloudy skies for the next several years, so get used to a blend of bad news about breaches coupled with positive steps to thwart them.


IoT and Millennials

— March 24, 2017

The much studied Millennial generation has some issues with Internet of Things (IoT) devices. A new survey says this cohort of young American adults—ages 18 to 29—is the least likely to own an IoT product. This trend presents a challenge for utilities attempting to promote programs like demand response that can link to IoT products such as smart thermostats, air conditioners, or appliances.

According to the study conducted by the Association of Energy Services Professionals and strategic marketing firm Essense Partners, 85% of Millennial respondents do not own IoT devices. The percentage of non-IoT device owners in the other age groups is as follows: 79% for ages 30-44; 81% for ages 45-59; and 84% for the 60 and older group. The study was conducted among 2,700 consumers.

Among respondents who do own IoT devices, the Millennials also represent the least likely cohort to take part in utility programs. They participate at half the rate of those in the 30-44 and 45-59 age groups, and at almost a third of the rate of the 60 and older set.

Of course, the main reason for lower ownership of IoT devices among Millennials is that they are less likely to be homeowners. Therefore, they are not as likely to be in the market for IoT devices that can help manage energy usage.

But there is another reason lurking around the edges: they are the most worried about the devices being hacked. In a survey conducted by KPMG, 74% of Millennials say they would use more IoT devices if they had more confidence that the devices were secure. Among the other age groups, 63% of Generation Xers hold the same view about device security and nearly half of Baby Boomers (47%) say the same.

Part of the Solution: Device Security Standards

One way to boost confidence among consumers and drive adoption of IoT devices is for industry stakeholders to agree on security standards. An effort that has surfaced recently is being spearheaded by Consumer Reports (CR), which is promoting a digital consumer protection standard, along with its cyber expert partners (digital privacy tools provider Disconnect; privacy policy researcher Ranking Digital Rights; and Cyber Independent Testing Lab). The CR privacy standard has four key features: products should be built to be secure; products should preserve consumer privacy; products should protect the idea of ownership; and companies should act ethically. The full standard is in its first draft, and CR expects stakeholders to help shape and improve it going forward.

The need is evident for IoT device security standards such as CR’s and others like NIST’s Cybersecurity for IoT program and UL’s Cybersecurity Assurance Program. Navigant Research applauds these efforts to create standards, as noted in its report, Emerging IoT Business Models. Utilities would be wise to get behind these efforts as well to ensure that their customers, including skeptical Millennials, gain the confidence to adopt devices like smart thermostats and feel more willing to take part in demand-side management programs.


It Happened Again: Another Leak

— March 10, 2017

A major cybersecurity vulnerability has happened again. A bug in the code of Cloudflare, a provider of content delivery networks, Internet security services, and distributed domain name services, appears to have leaked encrypted, private data from some of the company’s 4 million clients.

According to security researcher Tavis Ormandy, “private messages from well-known services, [personally identifiable information] from major sites that use Cloudflare, and even plain text application program interface requests from a popular password manager” were included in website code generated by Cloudflare’s ScrapeShield feature.

Intelligent and Vulnerable Buildings

There is no reason to believe the bug in Cloudflare will present a vulnerability to any intelligent building. Cloudflare is used for websites, not buildings. But this incident is a reminder of how easily data can leak onto the Internet, even with the best of intentions. An increasing amount of building data is being collected and stored using the Internet. Indeed, large datasets have the potential to improve energy and operational efficiencies. In Navigant Research’s Data Integration for Intelligent Buildings report, the market for the incorporation of data from commercial buildings to develop analytics platforms is forecast to grow by an order of magnitude over the next decade.

With more gateways necessary for data collection, more points are available for cyber attacks to occur. Attackers seeking entry into corporate networks look for the path of least resistance. This could be an unpatched or improperly configured gateway for a building management system. But perhaps the more pervasive threat, as demonstrated by the Cloudflare vulnerability, is that data stored anywhere could be leaked. The very reasons why building data promises better business operations can turn sinister in the wrong hands.

Retailers, for instance, can analyze occupancy data to create consumer heat maps to optimize store layout. But that same data could be used to estimate financial performance based on customer footfall; this non-public information could be used to boost a trader’s position on the retailer’s stock. Moreover, the same occupancy tracking could be used to facilitate theft, stalking, or even terrorism in a variety of commercial facilities, including offices, healthcare, or education buildings. Despite these potential risks and the inherent difficulty in keeping data secret, the improved energy and operational efficiencies created by better connected buildings promise to change commercial buildings for the better.


Tech Companies Signal Important IoT Infrastructure Moves

— February 24, 2017

Several influential high technology companies have recently announced new strategies and partnerships as they build out the foundations for the expanding Internet of Things (IoT). These moves are likely to have important implications for the energy sector as utilities and their customers adapt to and adopt emerging IoT technologies.

The recent announcements cover a range of IoT areas, including smart grid, security issues, industrial use cases, and payment management. Oracle and Huawei extended their cooperative smart grid efforts by signing a memorandum of understanding dubbed a power IoT ecosystem partnership. The new deal calls for both parties to promote and sell an end-to-end advanced metering infrastructure solution aimed at helping utilities improve customer experience, increase operational efficiency, save energy, and reduce emissions. For its part, Huawei will provide tools for managing smart meters, communications networks, and headend systems; Oracle will leverage its meter data management software, smart grid gateway, and related solutions for utilities.

Cybersecurity and the Industrial IoT

AT&T, IBM, and Nokia have formed a new alliance to beef up IoT security. The new group, IoT Cybersecurity Alliance, will not set standards, but will instead focus efforts on conducting research, educating consumers and businesses, and influencing standards bodies or policymakers. Symantec, Palo Alto Networks, and mobile security company Trustonic are also founding members of the alliance.

Meanwhile, Nokia, Qualcomm, and GE Digital announced the successful demonstration of a private LTE network aimed at the industrial IoT market, specifically targeting companies operating in remote locations or sites where connectivity can be difficult. This would be a good fit for some utilities or companies engaged in energy exploration. Live field trials of the private network are expected to continue throughout this year.

Nokia separately introduced its worldwide IoT network grid (WING) in a bid to boost the IoT market. The IoT grid as a service offering is aimed at enterprises seeking a one-stop-shop for IoT needs across multiple geographies.

Visa and IBM have established a new partnership that will utilize IBM’s Watson IoT platform for extending digital payments to wearables, connected cars, and other devices. The idea is to enable commerce from any connected thing. From a connected car perspective, this could be useful for EV owners who need to charge their vehicles and pay for the electricity in a more seamless way and from a variety of suppliers.

Signs of a Wider Trend

On their own, these moves might not amount to much. However, when seen as part of a larger IoT trend, they represent another milestone along the road toward a much more connected and automated world. For utilities and other stakeholders in the energy industry, it pays to stay abreast of these IoT moves, as many are likely to have an impact on both sides of the meter.

