A variety of technical issues must be solved soon if the Internet of Things is to evolve as futurists envision, a group of government and commercial experts warned during a forum Thursday.
As wireless sensors and other devices become cheaper, more powerful and more universally deployed, that ubiquity will soon place overwhelming demands on the internet and put the nation’s infrastructure at risk if new technical new measures aren’t put in place, they said.
At the same time, government and industry must move faster to ensure that stronger security safeguards are baked into billions of devices expected to be added to the internet by 2020, along with systems capable of identifying and disconnecting devices that have been compromised.
“The basic problem is we’re going to put 20 billion more devices on the internet between now and 2020,” Stephen DiFranco, principal at the IoT Advisory Group, said during the forum, hosted by ImmixGroup, in McLean, Virginia.
To put the challenge in a larger context, DiFranco said, there are about 5 billion smartphones currently connected to the internet globally, about 3 billion PCs and about 2 billion tablets. “So there are going to be more IoT devices then there are everything else we’ve ever touched before and which we’ve done a lousy job securing.”
One of the primary problems in the IoT space is “the profit margins on those devices are designed, by their nature, to be very, very small … and you’re dealing with very, very small real estate on the device,” says Michael Mestrovich, a director of technical services within the federal intelligence community. “Probably the last thing you’re thinking of is, how do I ensure the security and integrity of that device.”
Another factor is that IoT devices are typically installed to monitor things, like lighting controls in buildings that are designed to last 10 or more years without anyone laying a hand on it, he said. “How do you maintain that going forward in this connected world where … any hacker could potentially take down a building?”
If IoT is to take off in government, “the manageability and the understanding of how do we deal with the security [of devices] from the long term perspective is something we need to focus on,” Mestrovich said.
DiFranco laid out a deeper problem facing the technology community: “We try to secure things at the network level, because that’s how we think, but the problem we have to solve is to start to do security at the metal, meaning the little radio inside the device. And that’s not going to come from any of the companies we currently have [working on network security],” but rather from companies “we need to reach out to and become part of this” and that understand how to develop security in these tiny spaces, he said.
Industry also needs to develop systems that recognize when devices aren’t behaving normally, similar to the way credit card companies can now quickly tell when activity on a credit card doesn’t match a predictable pattern, DiFranco said.
He argued that the federal government has a role to play working with IoT manufactures to develop security standards, “because this is a national security issue as much as a commercial issue.”
David Wollman, deputy director at the National Institute of Standards and Technology’s Smart Grid and Cyber-Physical Systems Program Office, said during the discussion that NIST is currently working to establish a “cyber-physical systems analysis framework” that reflects the “holistic concerns that stakeholders have and address them through the systems engineering process.”
Federal and state agencies, of course, have been actively using IoT technologies for many years, primarily for defense logistics, energy, health care, transportation, law enforcement and public safety applications. ImmixGroup senior analysts Mark Wisinger and Kevin Shaker estimate the federal government spent $2.5 billion on IoT sensors and related devices in fiscal year 2016, and it’s on track to spend $3 billion in fiscal 2018. Those figures do not include the network infrastructure that enables IoT. They noted, however, that investments in IoT are often rolled up into larger government IT projects and actual spending is probably higher.
Among them is the Department of Veterans Affairs, which has taken a leading role in working with industry, the Federal Drug Administration and others to bring greater security and interoperable security designs to a wide range of devices used in VA hospitals, according to Marc Wine, program lead, for an R&D team working within VA’s Office of Information and Technology.
DiFranco, however, outlined what needs to change if government and industry are to make meaningful headway if the long term benefits of IoT are to be realized.
“We’ve worked in a world where we have a phone, it talks to a router, or switch, and that goes up to a network, and there’s been some security at each of those layers. But it works really well because there’s been processing power at each of those places,” he said.
“Now we’re talking about a controller, or a medical device … that’s not going to have a lot of processing power, plus you don’t want it to be on very often; we want it to use very little power,” especially in remote locations,” DiFranco added.
“The other problem is, we can’t have 20 billion things messaging the internet all at the same time,” he said. That will mean developing new layers of technology, or gateways, will have to be added to the architecture of networks and which operate closer to the nodes used to gather signals and data from the devices.
“This kind of fourth layer is going to be the key to making 20 billion things be able to talk on the network without us having to completely rebuild the network,” he said.
He also warned that, “If we get to 20 billion things and don’t do the gateways, we will not have enough power generated in the United States to do the internet of things,” because of the immense amount of remote data processing that would be required to handle the data from all those devices. DiFranco said “we’ll have to build 4,000 new data centers a year, with 100,000 servers in each data center, each one pulling 40 megawatts of power,” to handle it all.