It is always the goal of this column to keep up with the times and the changes that follow, applying SABSA thinking to new situations and evolving new Business Attributes. In this issue we shall examine a recent concept that is about to be launched into reality – the Internet of Things (IoT). These ‘things’ are of course ‘smart things’ that the home of the future will embrace. Here is a short list of examples: smart home security and fire protection systems; smart domestic appliances; smart heating, lighting and energy management systems; smart technology integrated into cars; and, just to show the extensiveness of this concept, smart children’s toys.
The technology architecture to realise this concept is fairly straightforward. Each ‘smart thing’ will have an embedded processing and memory chip, a power source (battery or mains) and a communications interface (probably wireless). Each home will have a local server to communicate internally with the ‘smart things’ and a communications hub connected to the server and to the Internet. Users will then have apps on their smart mobile devices that allow them to control their ‘smart things’ remotely. Each smart mobile device becomes a remote control for almost everything in the house or car (and probably the boat too if you own one). There are essentially two modes of operation – ‘home’ and ‘away’. Maybe one day there will be robots to take stuff out of the smart fridge and put it into the smart oven, but not in the first wave. However, the smart fridge will probably soon be able to influence the online food shopping to re-stock items that are running low.
As with all new digital technology applications, there needs to be a business-driven approach to risk and security. The application of these technologies in this context brings with it a whole new range of operational risks – opportunities to improve the quality of life at home, but also a number of threats to the stability and comfort of that newly controlled, highly integrated, hi-tech lifestyle.
One commentator talks of the ‘malicious teddy bear’ as an attack vector, bought perhaps at a market stall, the provenance of the internal software untrusted, manufactured in a foreign country, and potentially containing malware that could be used to steal family bank account details, private health records and other sensitive private information. Another attack scenario might not be aimed at the family, but at the critical national infrastructure. Malware that could increase domestic demand for electricity in every smart home at exactly the same moment would threaten the stability of the national energy grid and perhaps cause power outages. There are many such attack scenarios that need some modelling tools to explore fully the potential risks.
Huge opportunities exist for industry and commerce too, with many new business applications of the IoT being developed in the future. Take for instance the ability to link incubators protecting premature babies to powerful analytics engines to monitor baby health in real time and recognise patterns that suggest a baby may be in distress. There will be many other patient monitoring possibilities too, which will transform health care efficiency. Security will be needed to protect the lives of people at risk.
There has been talk of the need for a new security standard to protect these new smart applications from a wide variety of threats, but as usual the talk is being led from the technology viewpoint, taking only a technical view. There are also commentators warning of too much focus on safety and security being a block to innovation. This is an area where SABSA can bring a lot of value to the table. It is essential that the threat scenarios be properly modelled so that the potential attack vectors and motivations can be identified. It is also essential that the true risk/reward balance be achieved through innovative risk management models. Only then will the industry be able to develop appropriate technology controls and enablers that fit with the actual risk profile of this smart landscape.