It seems I hear about a new security breach every day. Hackers stealing credit cards, breaking into building automation systems, compromising data centers, phone records - the list is endless. I also find myself in an elevator nearly every day. What if hackers chose to go after the company that creates or supports those elevators? What if they maliciously attacked an elevator I was riding in?
These thoughts occurred to me while attending Embedded World 2015 in Nuremberg, Germany, this week. Embedded World showcased the growing maturity of the Internet of Things (IoT). However, this conference also provided an interesting glimpse into some of the persistent challenges faced by those in the embedded marketplace.
On Tuesday morning, Silica - an AVNET company - presented one of the conference break-out sessions. The presentation centered on ThyssenKrupp – a global supplier of elevator systems. During the presentation, AVNET documented how ThyssenKrupp uses Microsoft’s Azure Cloud along with Power BI for Office 365 and HDInsight to predict when elevators around the world will need maintenance and service.
In a video, a ThyssenKrupp employee told us that 3 billion people live in cities. Those cities need skyscrapers. Those skyscrapers need elevators. Apparently, those elevators are connected over the Internet to technicians in a ThyssenKrupp call center thousands of miles away. All of this is done with Microsoft products. The presentation was great. Microsoft’s products looked good and their new slogan “The Internet of Your Things” is compelling. ThyssenKrupp seemed cutting edge and cool.
Then, on Tuesday evening, I stepped into an elevator. What if hackers chose to go after the ThyssenKrupp call center? What if their preventive maintenance data is intercepted and my elevator is stuck between floors or is tricked into plummeting to the basement?
The next day at the conference, I noticed that very few of the vendors were promoting “security” in their booths. I began asking conference attendees about security and how they achieved secure, remote access to their embedded devices. The responses fell into one of two approaches, and frankly, both are inadequate.
The first approach is simply hoping for the best. Vendors and end users want good security. They each assume - they hope - the other party is providing what they need. Vendors hope users are putting security precautions in place. Users hope the solutions they purchased are secured by the vendor. Leaving your security up to someone else and then hoping it’s good enough is a bad idea. Security is a shared responsibility. The more connected our devices are, the more reliant on each other we become. If you aren’t actively working to improve security, the vendors, users and service providers you connect with are at risk.
The second approach to security is isolation. Many organizations believe by completely isolating their devices they are safe. It’s hard to disagree with them. If the device has no connectivity to the outside world, compromising that device is difficult. However, by completely isolating devices, these organizations also isolate themselves from the value IoT provides. Embedded devices are more intelligent, efficient and valuable when they can communicate outside of their local area network.
Thinking of elevators again, predictive maintenance powered by cloud-enabled machine learning sounds great; but it can only work with internet-connected devices. Of course, plunging into the basement because a hacker breached someone's network may be an extreme example, but we've certainly seen more troublesome scenarios presented by insufficiently secured remote access.
Secure remote access into networked devices needs to be a priority. Embedded World 2015 has convinced me that IoT is not a futurist's dream, but is happening now. My hope for Embedded World 2016 is that remote access security becomes a bigger topic of conversation.
Given the frequency of cyber security breaches – and the frequency of my elevator rides – I don’t think that is asking too much.