Hardening the Industrial Internet of Things

Privacy Plus+

Privacy, Technology and Perspective

This week, we consider privacy and security broadly across the consumer and industrial Internet of Things.

The Internet of Things (IoT): The IoT is a network of connected devices that share data and communicate through a cloud platform.  Well-known consumer IoT devices include thermostats (e.g., Nest), smart TVs (e.g., Samsung), and voice assistants (e.g., Alexa). These devices usually work independently of each other, but there is an even more advanced version of IoT known as the Industrial IoT.

The Industrial Internet of Things (IIoT) refers to industrial devices networked together with industrial applications.  These are increasingly common in the energy, healthcare, manufacturing, commercial real estate, and other industries. Sensors – temperature, pressure, proximity, capacitive, ultrasonic, infrared, image, motion, optical, and more – are good examples of capabilities used through IIoT networks.  When coordinated together, IIoT can become a distributed control system that can help optimize lighting based on workday activities across an office, be used for advanced agricultural applications (such as automated vertical farming), and much more.

The IoT/IIoT Technology Stack: While we typically only see the physical devices themselves, hardware is only one layer of the IoT/IIoT “technology stack,” which must also collect data, push it to a network, and share it with an array of other connected devices. The IoT stack includes the device hardware, device software (known as firmware), network communications (to communicate with local networks), a central platform (either hosted locally or in the cloud), and the software that runs the central platform. The IIoT technology stack extends this with more advanced platform software.

Take just one example from the consumer IoT environment. A Nest doorbell camera collects audio and video streams that are sent through your local network to the Nest cloud network where the data is recorded, analyzed, and transmitted back through the Internet to your phone or other connected devices. Nest’s cloud network includes artificial intelligence that alerts you when someone comes to your door, recognizes faces, and even makes predictions about things such as package delivery. It also allows you to communicate through your phone to speak to someone who is at your front door.

The “layers” that underlie IoT and IIoT products make them more complex than average products, which also means that they have a much higher risk of security breaches.  Privacy and security risks infuse each layer, any of which can represent a vulnerable entry point.  (In fact, it is widely thought that some of the worst data breaches have resulted not from direct penetration into a network’s data, but rather indirectly from initial penetration of a building’s HVAC or other IIoT system. This vulnerability exists because these devices are often misconfigured on local networks, providing an insecure entry point.) Further, the IIoT technology stack, because its goal is to inject decision controls and “intelligence,” often includes data analytics and artificial intelligence (AI) tools that derive “insights” from the data that flows through it. These tools, and the service providers that collect and process data from them, represent an additional layer of privacy and security risk.
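The parenthetical above describes the classic failure mode: a building device that can reach the corporate network, or reach the Internet anywhere it likes, becomes the entry point. The defender's counterpart is a segmentation policy that is written down and audited against real traffic. The following is an added example, not code from the original post or from any vendor named in it: a small Python audit that reads constructed flow records (source, destination, port, protocol) and flags building devices that talk to corporate hosts, to other internal ranges, or to anything other than the sanctioned cloud platform. The subnets, the platform address range (a documentation range), the allowed ports, and the sample flows are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): audit IIoT device traffic
against a simple segmentation policy.

Assumptions (constructed for illustration, not from the original post):
- Building devices (HVAC controllers, sensors) live in 10.20.0.0/16.
- Corporate hosts live in 10.10.0.0/16.
- The only sanctioned egress for building devices is the vendor's cloud
  platform at 203.0.113.0/24 (an RFC 5737 documentation range standing in
  for a real one), on HTTPS (443) or MQTT over TLS (8883).
- Flow records are "src,dst,dst_port,proto" lines such as a firewall or
  NetFlow export might produce.
"""
import ipaddress
from dataclasses import dataclass

IIOT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
CORP_SUBNET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_EGRESS = ipaddress.ip_network("203.0.113.0/24")
ALLOWED_EGRESS_PORTS = {443, 8883}

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also counts the
# documentation ranges as private, which would misclassify the platform).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int
    proto: str


def is_internal(addr):
    return any(addr in net for net in RFC1918)


def parse_flows(text):
    """Parse 'src,dst,dst_port,proto' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = [field.strip() for field in line.split(",")]
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(port), proto.lower()))
    return flows


def classify(flow):
    """Return a finding label for a policy violation, or None if the flow is allowed."""
    if flow.src not in IIOT_SUBNET:
        return None  # only traffic initiated by building devices is audited here
    if flow.dst in CORP_SUBNET:
        return "iiot-to-corporate"  # the entry point the post warns about
    if flow.dst in IIOT_SUBNET:
        return None  # device-to-controller traffic inside the building segment
    if flow.dst in ALLOWED_EGRESS:
        return None if flow.dst_port in ALLOWED_EGRESS_PORTS else "unsanctioned-egress"
    if is_internal(flow.dst):
        return "iiot-to-other-internal"
    return "unsanctioned-egress"  # Internet destination other than the platform


def audit(text):
    """Group violating flows by finding label."""
    findings = {}
    for flow in parse_flows(text):
        label = classify(flow)
        if label:
            findings.setdefault(label, []).append(flow)
    return findings


# Constructed sample records: one sanctioned platform session, one local
# controller session, two reaches into the corporate segment, one unknown
# Internet host, one other internal range, and one corporate-initiated flow.
SAMPLE_FLOWS = """
# src,dst,dst_port,proto
10.20.4.7,203.0.113.10,8883,tcp
10.20.4.7,10.20.1.1,502,tcp
10.20.4.9,10.10.3.25,445,tcp
10.20.4.9,10.10.3.25,3389,tcp
10.20.5.2,198.51.100.77,443,tcp
10.20.5.2,192.168.77.5,80,tcp
10.10.8.3,10.20.4.7,443,tcp
"""

if __name__ == "__main__":
    for label, flows in sorted(audit(SAMPLE_FLOWS).items()):
        print(label)
        for flow in flows:
            print(f"  {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}")
```

Run against the constructed sample, the audit reports two `iiot-to-corporate` flows from one device, one `iiot-to-other-internal` flow, and one `unsanctioned-egress` flow; the platform session and the local controller session pass. The same policy expressed as firewall rules on the building segment is the preventive control; the audit is the check that the rules are actually in place.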

Recognizing the IoT/IIoT Privacy and Security Issues: IoT/IIoT is becoming pervasive, yet many organizations seeking IIoT solutions focus narrowly on the data analytics and AI tools that are often packaged with the IIoT solution.  For example, an organization may be drawn to a cloud-based platform that offers a data-visualization tool to analyze trends gleaned from data flowing through sensors on a pipeline or transportation grid. Often, we find that organizations do not adequately consider the privacy and security issues associated with the underlying IIoT stack that provides the data harnessed by those tools.  But when connected to the Internet, that IIoT stack can create backdoors into an organization’s network, siphon the organization’s data, or worse.

This means that adoption of an IIoT-based solution requires careful attention to the entire IIoT stack, and especially privacy-and-security-by-design. IIoT users must develop procedures to bake in privacy and cybersecurity from the beginning of a project, devoting thought, time, staffing, and funding to data governance, data privacy, cybersecurity standards and policies, device and system interconnectivity, vulnerability testing and patching, employee training, and due diligence related to the entire IIoT stack.  They should never willy-nilly contract for any IIoT technologies, even when they doubt that the use of an IIoT device or sensor really has the potential to compromise critical networks or infrastructure.

Back to our example of the Nest doorbell – what privacy implications arise from facial recognition of anyone who approaches your home? What about the considerations for audio recording someone without their consent, or without your participation in a conversation with them? And, of course, without adequate security, could someone use this technology to gain entry to your home by accessing automatic door locks or merely by monitoring your Internet traffic?

Where data analytics and AI are also involved, organizations should understand exactly how data flows to, through, and even beyond every data analytics provider.  They should also ensure that their contracts adequately protect their data from being used by the provider to gain a competitive edge or otherwise commoditize that data without any benefit to the organization or at the expense of others’ privacy.

We have seen this happen and are now telling everyone who will listen:

It is time to harden your organization’s IIoT stack.

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
