What does the invasion of Ukraine mean for IoT security?
By Stacey Higginbotham
With the Russian invasion of Ukraine, we've heard a lot about the threat of cyberattacks. In the lead-up to the war, which started on Feb. 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its Shields Up guidelines. Written for organizations of all sizes, they include recommendations for those who lead them. And this week, three tech companies joined forces to offer a free suite of products to help keep smaller enterprises safe, under the umbrella of the Critical Infrastructure Defense Project.
But in order to figure out the real risks associated with this conflict, it's worth distinguishing among the potential types of attack. As of this writing, for example, executives should worry less about Russians directly interfering with our water treatment plants and focus more on the potential that ransomware gangs will shut off access to IT networks. Yes, all this could change, but for now, IT networks are likely the weak link.
— The war in Ukraine is a wake-up call for protecting your network.
Bryson Bort, CEO of Scythe and an expert on cybersecurity for industrial control systems, told me on the podcast this week that he views concerns about Russia attacking U.S. infrastructure through operational technology (OT) attacks as unlikely. As he noted, OT attacks on actual infrastructure can have health and safety ramifications — they can cost lives. In that case, we'd likely see a physical response by the U.S., not just a U.S. cyberattack.
It's unlikely Russia is ready to take that step. What he does caution executives and government officials about is ransomware.
There are several known Russian ransomware gangs, and it's not hard to imagine them trying to amp up attacks to generate money for their country, which is being gradually cut off financially — an act that could also be seen as patriotic. While ransomware attacks can indeed impact the physical world — compromising a company's IT systems could lead it to shut down its operations — they are a different scale of attack compared to an attack on OT networks.
Ransomware attacks, such as the one that hit Colonial Pipeline, forcing the company to stop delivering oil to the East Coast, or those that hit hospitals and can lead to stalled surgeries or tests, can disrupt operations, but they can be managed. Instead of a catastrophic equipment failure that poisons the water supply or causes a chemical explosion, when ransomware affects operations it tends to lead to a somewhat controlled shutdown.
Businesses and governments that want to avoid such attacks have options to help protect themselves. This is where the CISA Shields Up recommendations come into play. They include a number of best practices, such as requiring users to have multi-factor authentication in place, ensuring that organizations don't leave open ports on their network, and making sure that if they use third-party services, those services practice good cyber hygiene.
In addition to hardening their infrastructure, businesses and governments need to monitor it. For those that have operations in Ukraine or are working with Ukrainian organizations, CISA recommends taking extra care to monitor, inspect, and isolate traffic from those organizations, and closely review access controls for that traffic.
All businesses and governments should have a plan in place to deal with an attack, including having a pre-selected team ready with the resources they need to respond to one. Such resources will be different for an IT attack than they would be for an OT attack. They will moreover need a resiliency plan to ensure that if there is an attack, their operations will be able to continue and their data will not be lost. And that plan should not just be created, but tested.
That means they should have data backups and isolated networks to which they can shift their operations. Businesses in industrial settings, meanwhile, should conduct manual tests of all controls to ensure critical functions stay stable.
Ideally, it wouldn't take one country invading another for organizations to create, implement, and test such plans. But here we are. And efforts like the Critical Infrastructure Defense Project can help. Under the umbrella of that project, Cloudflare, Ping Identity, and CrowdStrike have teamed up to offer many of these elements as part of a packaged suite of services. The services will be free for at least the next four months, which should help more organizations harden their cyber defenses.
Given how interconnected our digital society is today, it's important that everyone does what they can. It only takes one weak link to set off a cyberattack that can cause millions or even billions of dollars in damages.
Smart shading that plays well with others (Sponsored)
Homes all over the world are getting smarter, and that creates demand for cohesive, comprehensive, user-friendly smart home systems. Somfy powered smart shading works with a wide variety of smart home products like Amazon Alexa, Google Assistant, Samsung SmartThings, Brilliant, Philips Hue, IFTTT, Control4, Crestron, and more. This gives you the flexibility to create the fully automated smart home of your dreams.
Learn more about how smart shading by Somfy can help bring you a more convenient, connected life.
Everything Set tries to offer smart home security as a service
The average home now has 19 connected devices. This includes tablets, computers, printers, smart TVs, lightbulbs, smart speakers, and myriad other items that can range from the practical (cameras) to the ridiculous (egg-counting storage bins). But the more we bring into the home, the more we have to manage these devices and their security.
Ask most people what their video doorbell sends to the cloud or how much data their smart oven sends to its manufacturers, and they will have no idea. Most will probably wonder why their oven sends any data at all. But I'd argue that it's essential for consumers to understand what data their devices gather and where they send it, and a startup called Everything Set wants to provide a way to do so.
— Everything Set monitors your device traffic and provides a safety score to tell you how gadgets behave on your home network. Image courtesy of Everything Set.
David Knudsen, a co-founder of the company, is taking a page from products like Firewalla and the Circle Router, which monitor the traffic from devices on home networks. They can identify device behavior, see where device traffic gets sent, and even quarantine a device that's behaving strangely. They're useful both for people who want to ensure that their off-brand connected camera isn't sending data to random entities and for those simply wondering how devices behave on the network.
Everything Set seems fairly similar to the existing monitoring options such as Firewalla and Circle, except it has a different business model. When someone buys Everything Set, they'll end up paying for a monthly subscription that works out to $100 a year. The subscription gets consumers a device that sits on their home network to monitor traffic, and an app that helps the consumer track network activity.
Another product differentiator, according to Knudsen, is a greater focus on using AI to identify trends and bad behavior. Users of Everything Set will get an overall security score between 1 and 10 based on how all of the devices on their network behave.
Everything Set launched Thursday and has a program for early adopters that will let a few thousand users sign up and get a year of the service, and the box, for $10. I signed up to test it out, as I already have a Firewalla and think this is a space where the industry could use some innovation. My hunch is that most people don't want to pay extra or do anything different when it comes to managing their home networks. And yet, as those networks become more complex, consumers are being forced to become baby network engineers.
Roughly eight years ago, mesh routers started popping up on the scene in response to homes needing more comprehensive and consistent coverage throughout all of their nooks and crannies. And consumers were waking up to the risks that so many connected devices posed. More people were trying to see what was on their networks and began offering easy-to-access guest networks to keep kids and visitors off their primary networks.
Eero, Securifi, and others started adding mesh networking and easy-to-implement guest networks in response to the needs of home Wi-Fi devices. Now, as we continue adding products and security becomes more of a worry, it's clear that consumers will need even more features.
Knudsen believes that Everything Set is easier for consumers to implement as compared to some of the other options. He also said that the AI the company plans to implement around device behavior is where Everything Set will differentiate itself. He may be right, but I think Everything Set will evolve to become just a feature as part of an overarching Wi-Fi service provided by a router maker or an ISP. We already see companies like Comcast and Eero providing hardware and additional services on top of their routers.
Knudsen acknowledged that this is an option, but for now he's focused on getting early adopters to sign up. From there, it's possible the technology ends up as a feature or that companies pay for aggregate data from thousands of customers. I know from my chats with device makers that they are always looking for data on how their products perform in the field, especially in conjunction with specific routers or other smart home devices.
So there's an opportunity here. What I don't know is if it's something mainstream consumers will shell out for as they embrace the smart home. But I sure will.

Rapid software delivery for IoT (Sponsored)
Managing the rapid growth of applications and services at the edge in a world of connected IoT devices is still a stretch for many whose development processes have changed little over the years. Embedded devices need to be secure, they need to be up to date and must also continuously offer new and innovative functionality.
Learn how Pantacor helps manage IoT firmware and software with zero overhead on any embedded Linux distro. Simplify embedded Linux development with portable and modern technology like containers and automated CI/CD pipelines.
Download our whitepaper to learn more.

Episode 362: IoT security after Russia invaded Ukraine
This week’s show spends a lot of time on security in everything from an Amazon Echo to an infusion pump. But before we get to security stats, we offer a quick overview of Apple’s latest announcements. Then we pivot to discuss the Critical Infrastructure Defense Project, a series of free services enterprises can use to help protect their operations from attack. We also outline some vulnerabilities found in PTC’s Axeda remote management software and research showing that many infusion pumps have existing vulnerabilities. Finally, we discuss research showing that some popular consumer devices might be using vulnerable OpenSSL encryption technology. Then we talk about the end of another French unlicensed low-power wide area network and Space Force adding wearables to ensure the members of Space Force are fit. We also talk about a new predictive maintenance service from Xerox PARC called Novity.
— Space Force Guardians will wear wearable devices to track their physical fitness. Photo taken by Airman 1st Class Samuel Becker and provided by the U.S. Space Force.
Our guest this week is Bryson Bort, CEO and founder of Scythe, a cybersecurity firm. Bort is a former U.S. Army officer and a co-founder of the non-profit ICS Village, which addresses security issues in industrial control systems. He is on the show to discuss the risks that Russia’s invasion of Ukraine could pose for U.S. enterprises and industrial players. He tackles topics such as how much executives should worry about their OT or IT risks and how they should address any concerns. We also address the age-old divide between OT and IT security and explain why it’s so difficult to reconcile their differences. You’ll learn a lot.
This week on the IoT Podcast Hotline we answer a listener question about getting rid of your old IoT devices while respecting your friends and the environment.
The hotline this week is brought to you by The LoRaWAN® World Expo, this year’s can’t-miss IoT event! Taking place July 6-7 in Paris, the Expo is the only official LoRaWAN event and will bring together the entire ecosystem to showcase why LoRaWAN is the only LPWAN that is scaling massively.
Learn more about the expo and how to register today.

News of the Week
MWC was about the emergence of private 5G: Mobile World Congress (MWC) was held in person this year following a two-year slough caused by the pandemic. Attendance was about 60% of 2019 levels, but the trends were similar. The author of this article proposes that while there was a lot of talk about 5G and its impact on industrial and enterprise IoT, the real 5G adoption is still a couple of years out. He also stresses that the connectivity itself is just one small bit of the infrastructure story associated with 5G and digital transformation, and that the real fight will be around such infrastructure and software design for edge computing. I will say the story is a little hard to follow (it's clear the author is in a hurry), but it reads as a smart take on the show as well as on trends around edge computing, telcos, and digital transformations. (Enterprise IoT Insights) — Stacey Higginbotham
Cooksy is the next kitchen gadget to try: Look, y'all know I am a sucker for kitchen tech. One of the biggest areas where IoT and AI can assist the average person is by helping them quickly achieve expertise at a skill. In the enterprise, that might entail using sensors to monitor a complex process or AR glasses to learn how to repair equipment. In the home, it often means learning how to cook. Cooksy is a thermal sensor that sits above a stove to track the temperature of the food in a pan. It uses this information to help users better cook whatever is in the pan, ensuring things get to the appropriate temperature but also making sure they don't burn. I think I like this approach better than the heavy and finicky Hestan Cue pans I wrote about last week. The $299 device launched last month, and I can't wait to try it out. (Cooksy) — Stacey Higginbotham
A fresh perspective on designing connected products: The folks at Sonos have published a really great blog post detailing how they designed and tested the Swap feature of the company's speaker system. With Swap, a user can tell the Sonos app to move the audio playing on one speaker to a different speaker closer to the user. Basically, this is the start of the context-aware smart home that I am so eager to see come to fruition. The post describes how the company is using ultrasonic sensing to figure out what room someone is in so the app can move audio around. It also shows how much stuff needs to be developed in tandem when it comes to connected products. (Sonos does user testing while a feature is in development.) Best practices dictate that companies should also be putting security in by design, so suddenly we're talking about a development process that involves a lot of different teams. (Sonos) — Stacey Higginbotham
RF sensing gets another use case: I'm really stoked about the promise of using RF for sensing, whether it's radar for fall detection or Wi-Fi for motion detection. This article shows how companies can use radar as a mechanism to boost energy efficiency in a home or business. Yes, it's written by an Infineon staffer who is trying to sell Infineon's radar chips, but some of the use cases are pretty compelling. The least novel one is that of using radar chips inside common household devices to better manage sleep and wake cycles, as it's more power efficient to use radar to detect presence and then wake up the device. I'm more interested in cooler use cases such as using radar sensors to turn off lights in unoccupied rooms or lowering temperatures when no one is around. Other options, such as using radar to track where to send audio in a room, are also cool. (EETimes) — Stacey Higginbotham
Build your own whole-home energy monitor: Got a Raspberry Pi, around $30, and some time to spend on a DIY project? If so, you can build your own whole-home energy monitoring sensor. Even for non-electricians, this looks to be a safe project since you’re just using a sensor clamp around the wires in your electrical panel. A low-cost microcontroller reads the electrical data and sends it to the free Home Assistant software on your Pi, creating a nice energy dashboard. With it, you can see both real-time and historical energy usage over time. I may just tackle this one myself! (MakeUseOf) — Kevin C. Tofel
Apple Studio Display could become a better smart screen: We noted on the IoT Podcast that this week’s Apple event was a bust. But did we overlook something? Maybe. Our former employer, Om Malik, wrote a thought-provoking piece on this topic that’s worth reading. By including its own A13 Bionic silicon inside, Apple made a monitor that’s more than a monitor. That 12-megapixel ultrawide camera paired with a powerful processor enables Apple’s Center Stage feature, following you as you move around on a video call, for example. Add in the chipset’s neural capabilities and a three-microphone array and you get closer to a smart display of sorts. And that makes this product line worth watching to see what develops in the future. (On my Om) — Kevin C. Tofel
Nvidia invests $10M to back robots: Now that its multibillion-dollar ARM deal is kaput, Nvidia likely has money to burn. This week, the chip designer set its sights on robotics for the first time, investing $10 million in Serve Robotics, which was spun out of Uber. This isn’t a big money deal, of course, but it’s worth noting as it’s Nvidia’s first financial foray into the sidewalk delivery robotics market. Serve Robotics builds autonomous delivery bots that currently navigate neighborhoods in Los Angeles and San Francisco. The robots already rely on several Nvidia technologies to do this on their own, but now Nvidia could get more real-world data to improve its own neural net chips. I’d say the relatively low-cost investment is worth it. (TechCrunch) — Kevin C. Tofel
An early look at Magic Leap 2 AR glasses: You can’t buy them yet and we don’t know how much they’ll cost, but the next iteration of Magic Leap’s AR glasses got an early preview this week. I’m less intrigued by the hardware and more by the experiences of AR and VR — even for businesses, which is the target audience here, though that experience can be limited by the hardware. This time around, you’ll get a much wider field of view, automatic lens dimming (similar to photochromic sunglasses), spatial audio, and a new AMD processor that sounds more powerful than the phone-centric chips used in similar devices. The big downside? You can’t wear glasses under the Magic Leap 2, so prescription lenses will add to the cost for those who need them. Oh, and this time Magic Leap didn’t create its own proprietary software; this set of goggles runs the open source version of Android. (CNET) — Kevin C. Tofel
Want to support this newsletter and my podcast? We have some upcoming advertising opportunities. Request a media kit for more details. Thanks!