
Internet of Things Security: What To Know


IoT For All

- Last Updated: June 1, 2023

IoT For All

- Last Updated: January 1st, 2020


https://youtu.be/yzm9lV2ciOI

With 15 billion connected devices, Internet of Things (IoT) security isn't easy. Gil Dror, CTO at SmartSense by Digi, joins Ryan Chacon on the IoT For All Podcast to discuss what you need to know about Internet of Things security. They cover IoT security vulnerabilities, how companies can prioritize IoT security, how IoT security differs across industries, the impact of LLMs on IoT, edge computing incorporating AI, and neuromorphic computing.

Episode 293's Sponsor: Avnet Silica

The We Talk IoT Business Podcast is back! Explore best practices, IoT use cases, and formulas for success on your preferred streaming provider. Or visit avnet-silica.com/podcast.

About Gil

Gil Dror serves as the Chief Technology Officer for SmartSense and is responsible for leveraging advanced technology to propel business growth and expansion for customers. Dror has a demonstrated history of working with customers in the pharmaceutical industry and was previously the CTO for Human Care Systems, Inc. and CareMetx, LLC. For nearly two decades, Dror has been delivering business value through top-tier technology strategies and is skilled in IT Strategy, Cloud Computing, and Software as a Service (SaaS).

Interested in connecting with Gil? Reach out on LinkedIn!

About SmartSense by Digi

SmartSense by Digi, a business unit of Digi International (NASDAQ: DGII), is a leading global provider of Internet of Things (IoT) Sensing as a Service solutions that deliver dynamic and personalized asset monitoring, process digitization, and digital decisioning across key verticals. The company enables organizations to leverage the power of IoT automation, prescriptive workflows, and insightful analytics to ensure compliance, workforce productivity, brand loyalty, loss prevention, and reduction of waste and energy consumption. Combining new and innovative data-driven approaches with world-class IoT tools, SmartSense partners with enterprises to elevate their business outcomes and asset protection to new heights.

Key Questions and Topics from this Episode:

(01:06) Introduction to Gil and SmartSense by Digi

(02:27) Internet of Things security overview

(03:35) IoT security vulnerabilities

(06:33) How can companies prioritize IoT security?

(10:26) How does IoT security differ across industries?

(14:00) Impact of LLMs on IoT

(16:39) How will edge computing incorporate AI?

(19:13) What is neuromorphic computing?

(21:19) Learn more and follow up


Transcript:

- [Ryan] Hello everyone and welcome to another episode of the IoT For All Podcast, I'm Ryan Chacon. And on today's episode, we have Gil Dror, the Chief Technology Officer at SmartSense by Digi. They are a leading global provider of Internet of Things sensing as a service solution. In our conversation today, we're going to talk a good bit about IoT security, where the biggest vulnerabilities are in this space, how companies can prioritize IoT security.

We're also going to dive into LLMs and their effect on IoT, edge computing, and AI. A lot of good topics, I think you'll get a lot of value out of. Hope you enjoy this episode, but before we get into it, we have a quick word from our sponsor. The We Talk IoT Business Podcast is back. Explore best practices, IoT use cases, and formulas for success on your preferred streaming provider, or visit avnet-silica.com/podcast.

That's the We Talk IoT Internet of Things Business Podcast. If you want to check it out on the website, it's www dot avnet a v n e t dash silica s i l i c a dot com slash podcast.

Welcome Gil to the IoT For All Podcast. Thanks for being here this week.

- [Gil] Thanks for having me, Ryan.

- [Ryan] Yeah, it's great to have you. Let's kick this off by having you give a quick introduction and overview about your background, experience, who you are, and the company you're with.

- [Gil] Sounds good. So I'm Gil Dror. I'm the CTO for SmartSense. Been in the tech industry for probably over two decades primarily in healthcare. My background is actually in electronics. Started my career way back when in the Israeli Air Force. And I spent some time with IoT and some robotics, but mostly focused on enterprise software throughout my career.

So now with SmartSense, I'm back to a familiar place with hardware and software together, which is great. SmartSense is an IoT sensing as a service platform. Now I know when you say those two words together, people leave the room these days, IoT and platform. But we're more of a vertical platform than a horizontal one.

We start with really deep domain expertise. We focus on very specific verticals and we provide an end-to-end solution. So literally hardware to insight and everything in between. But we are also opening up our platform. So if the clients have their own sensors, their own investments, so it's bring your own device, we can connect it to our platform and deliver more value.

- [Ryan] So for our conversation today, we have some interesting topics. I know we wanted to talk about, and the first one is just around IoT security and just from your perspective, give our audience an overview of your current view of IoT security as a whole.

- [Gil] So it's funny as we think about IoT security, there are estimated over 15 billion connected devices. Just for reference, there are only like 1.4 billion cars, so we're talking a significantly higher number which is expected to double by 2030. So significant footprint. But overall I would say that the security attention to IoT is lagging, right?

There's not enough attention put into it. There's definitely not regulation. NIST is working towards a regulation for that, but very early stage. They haven't even agreed on what an IoT device is at this point. So a lot to be desired considering A, the capability of IoT these days and the scope.

- [Ryan] Yeah, it's a very interesting space to just follow in general when it comes to IoT security. What do you think or where do you think, I guess I should ask, along kind of, we take the whole IoT solution, where do you think the biggest vulnerabilities are or the biggest areas that really people should be paying attention to when it comes to thinking about how to protect their solution?

- [Gil] Yeah, it's a great question. I'd say before I answer this, I want to just put a little bit of definition on IoT just for the sake of this conversation. So in my mind, IoT really is any sensor that has good communication skills, right? So very broad, but it's a device that actually captures telemetry data and sends it somewhere.

And for the sake of this conversation, we will focus mostly on IoT for enterprise, right? We're not gonna be talking about some clock that's downloading the time from the internet. So in that context, first and foremost, as an enterprise solution, you're gonna be inheriting all the vulnerabilities from a typical cloud infrastructure.

So I'm not gonna go into that, but everything related to API, cloud access, port scanning, all of those vulnerabilities exist in the IoT world. In addition, you're gonna inherit a bunch- a few others as well. I'd say the biggest one is physical access to devices. IoT by definition needs to be where we are and where clients are.

So if you think about a typical hospital room, you go in, you have a sensor on the bed to measure the temperature of the bed. Then you have a CO2 sensor in the room. You have a wristband on the patient that tracks where they are and also tracks their temperature. So there's a variety of devices.

They're all accessible, and people can just reach out and grab 'em. And if it's a malicious actor, then they have full access to that device. They could take 'em home and take 'em apart. So I would say that's number one. Second is the communication from that device to a gateway, right? So typically in enterprise applications, you're gonna have some sort of short range protocol, Z-Wave, Zigbee, BLE and newer ones, LoRa, right? But you're gonna have some protocol that's taking the data from your local devices into some sort of gateway or router, and then that uploads it to the cloud. So the communication from the device to the gateway obviously is a big vulnerability space for jamming, for interception, if I'm sitting there with a sniffer, what can I do with that data? Can I change the data on the fly? Tons of vulnerabilities around that. The gateway itself is a vulnerability point. If you're using a gateway that's actually connected to your network through Wi-Fi or Ethernet, well now you may be exposing your own network to providing privileged access to your own network, right?

If you're using maybe a gateway that's cellular, that's a little bit safer, because now you're going directly through a carrier. But again, still, that device is sitting on site. Everybody has access to it. And all the communication both through IoT and through the cloud is a vulnerability area.

- [Ryan] And when you talk to companies or you interact with others or maybe for our audience who's listening to this and curious how do, or how can they prioritize IoT security amid all the increasing threats from cyberattacks, data breaches, insider, just lots of different areas that attacks can come from.

How should people be prioritizing their IoT security and thinking about that?

- [Gil] Yeah, great question. I think it's some- there's a lot of misinformation and I think- people think IoT is some new invention and maybe we don't have the right protocols or the right approach to actually deal with its security. But the reality is that we've known what needs to be done for a long time, and it's really the same basic security principles that you're applying to your backend.

You just have to apply it to security there. So I would say there's really three levels. At the basic level, start with secure, first of all, secure protocols, right? How are these devices communicating with each other? Simple things. Update the firmware. Make sure that you have regular updates of the firmware with security patches.

That means you need some mechanism for updating the firmware, preferably over the air. You need to know what operating system it's running, what the capabilities are, what's the risk surface, surface of attack there. Follow a zero trust methodology. Just assume that the devices are malicious and then work back from there.

Don't assume the opposite. Use encryption. It's simple things like that. Just implementing those little things will get you very far. And probably beyond the capabilities of most common hackers. But if you think about taking it a step further, some of the devices now, especially ones that have better computing, could offer other things.

So there's some new technologies out there where you're actually running some secure memory space and it's actually running an agent that's observing how your device is operating. So as an example, if you have a sensor that's supposed to send a reading every 15 minutes, but somebody hacked it to use it as a DDoS attack and is all of a sudden sending a reading every five seconds, well that agent is gonna pick it up, and it's gonna shut down that sensor. Things like that, that's the next level I'd say, and probably not applicable to every device, but more common- it's becoming more common now with the computational power that's available.

- [Ryan] I think it's fair to also say when it comes to thinking about future threats, that's always something that scares people is how much time and money am I having to invest into this at the beginning. Is it too late if I'm already deployed and really didn't put that much emphasis on security or what happens in the future as my deployment's out in the field and there's problems or there's new threats that are attacking something that makes a vulnerability in my solution.

It's definitely a challenge, but something that I feel like from discussions I've had in the past and what you're saying is the earlier you can think about it, the earlier you can invest time in it, the more protection you're going to basically probably afford yourself as long as you do it correctly.

But it's definitely a unique space for sure to have to really keep your finger on the pulse to understand what to do and when to do it.

- [Gil] Absolutely. And I would say, even if you're already deployed, I would highly recommend they do some sort of risk assessment and basically try to identify the highest risk within that infrastructure and try to resolve that. And then there's multiple ways that you can still impact IoT even if they're already deployed.

And so I would highly encourage companies to explore that and not just immediately give up and say, okay, next version. There might be simple things that they can do right now.

- [Ryan] And when it comes to the approach companies take for IoT security, do you ever see it varying dependent upon, or I guess varying by industry? Do certain industries need to be paying more attention versus less attention? Is there different approaches that industries should take if they're, let's say the most, the common use cases are in one environment versus multiple environments, traveling in different environments?

Like how do you feel like it- I would assume it changes depending on use case, industry, that kind of stuff.

- [Gil] Yeah, no, that's a great question. I think, so I think there's certain things that all industries are gonna be looking at. Reliability, uptime, how are- how is the security gonna impact that, right? What kind of attack vectors are going to impact the reliability and uptime of the system?

Can somebody take off the system by pulling the power plug, which by the way happens a lot, right? If somebody sees a power outlet says, Hey, I need to charge my phone, boom, they disconnect. And what happens then? Okay, is your system going to have a redundancy to stay there? So security doesn't always necessarily have to be, Hey, I'm attacking your server and I'm gonna steal data. Security could also be loss of productivity or loss of system capacity. So I'd say definitely that's across the board. There probably are specifics. So if we're talking about healthcare, for example, there's always the big question, okay, what kind of device is this? Is this a medical device?

Is this a device that's handling PHI or PII? Is HIPAA going to be involved here? So that's a big question. There's a question on integration with existing systems, right? If I'm integrating with an EHR system, can I compromise that system now by allowing this connection for this foreign IoT network?

Another big thing that healthcare looks at specifically is the accuracy of your data and audit trail, right? So how likely is it that someone can compromise the integrity of your data? Because six months from now when the FDA comes in and says, Hey, pull all the logs for this log number, which happened six months ago, they have to be confident that that report is accurate, and it's actually presenting what the telemetry was at that time.

And anything that's gonna impact that is gonna be a big problem in this space. And of course, data privacy. Hey, you're collecting data. Are you broadcasting it? Who's getting the data? Where is it saved? Is it saved on the device? How? So there's a lot of those questions. When it comes to retail, I'd say- or warehousing or things like that.

They care probably more around the connectivity and coverage because there's just a lot more square footage that needs to be covered. They also have a much bigger staff slash customer access issue, right? So there are a lot more people that are walking next to your devices, touching the devices.

If you're a device in a fridge in a grocery store, you can literally pick up the milk and the device at the same time. Nobody will know. You're just walking out with it. So things like that, they're gonna be more concerned about from a security perspective. And I would say they also care about integration.

In their case, they're gonna be integrating maybe with task management systems or inventory systems. So again, we wanna make sure that connecting to this IoT platform isn't gonna compromise their existing system.

- [Ryan] So this is unrelated to the security side, but as we get into, and we see a lot of what's happening in the AI space right now and these large language models like ChatGPT and stuff, how do you feel like those LLMs are going to be affecting IoT or benefiting IoT or just playing a role in the space?

- [Gil] Great question. So, I know in general talking about this seems, in a lot of places I hear, oh, it's the next buzzword. I actually disagree with that. I do think it fundamentally represents a revolution in interacting with data. I would say it's equivalent in my mind to the jump we've had from Google, from Yahoo to Google, where we've taken a list of, a map of the internet and just expose a text box and say, Hey, just ask the question and we'll give you the list of pages.

Well, this is the next step after that that says forget the pages. I'll understand the context, and I'll actually give you an answer. What's more surprising to me about this technology is the adoption and how it's adopted by really common users. But if you think about something like blockchain, which was introduced 10 years ago, still today, if you ask someone on the street, Hey, what's blockchain, they're not gonna be able to explain it. They may tell you it's, oh, it's something with money. Hackers use it. But they don't really, they won't be able to explain it. When you ask them about ChatGPT, they'll tell you an example from their real life where they used it to actually gain value. Oh, I wrote a paper through it, or I wanted to read a book and it recommended the right book for me to read.

So tangible use cases. I guess what I'm getting at is this is a perfect partner to IoT. If you think about typical IoT interface, it's always driven by the vendor. We understand the domain. We build a UI or we build reports to try to visualize the data and expose the data to the users.

The users never had this raw access to the data through an intelligent interface where they can really ask contextual questions and get answers. So I think these models with IoT are a perfect match because it's gonna connect that interface to the physical world. So instead of just querying a list of articles online, I'm actually querying the area around me.

I can ask a question about the business, I can ask questions about the telemetry within my organization in a very intelligent way.

- [Ryan] Fantastic. Yeah, something we haven't touched on yet, so I appreciate you jumping into that. And one of the areas that is popular right now is obviously edge computing in IoT, but when we incorporate or when we think about incorporating AI, where do you see that going? What do you see the potential there for?

How's that gonna be done? Or what needs to be done to make those advancements? I feel like it's already being started. I know machine learning is happening at the edge a decent amount. But on the AI side, where do you see or how do you see that being done to benefit the IoT space and solutions that are utilizing edge computing?

- [Gil] Yeah. Great, great question. A great topic in general. So it's interesting. We can probably divide the world of edge computing into two. One is executing machine learning models and the other one is actually training a machine learning model on the edge. So I'd say for the first one, for the execution one, we're pretty far down into it, right?

There's plenty of devices out there specifically around image recognition, process control, security, there's plenty of them. Typically they're in IoT devices that have no problem with computing power or energy consumption. They have plenty of RAM and they can execute that.

We've also seen some innovation with things like TinyML where they're trying to take that concept and actually bring it down to battery powered devices, which I think is great because we're gonna basically be extending that possibility and making these small devices even more intelligent. But that- but still that's still limited to the execution of the model.

It's not really taking data and training a model on the spot. That's where I think the next jump is gonna be, where we get to the point where edge devices can take input and train models directly on the spot without having to send the data anywhere, just doing that computation on the spot. Think about the potential of that.

Not just the time to action that you have from being able to absorb new information added to the model and actually take action immediately almost in the blink of an eye for a user. But also think about the computing capability that you have. Now, if you have a network of IoT devices, instead of trying to centralize all the processing on the backend, the processing is gonna happen where the data is.

And then be sent to the cloud after that. So it is just- it is a different paradigm. I don't think we could do it necessarily with the current chip architecture that we have. But that's a different story.

- [Ryan] One thing that came up in prior to us chatting was the term neuromorphic computing and that was something new to me. Can you just as to wrap this up just tell our audience what that is?

- [Gil] Yeah, absolutely. If you think about your typical chipset, it hasn't changed in eons. It's still the same binary, one, zero. And if you think about machine learning and their capabilities, they're basically relying on GPUs, right? So graphic processing, which can process a lot of things at the same time.

Lots of RAM, lots of power. The problem with these ingredients is they don't scale down very easily. They scale up very easily, but they don't really scale down very easily. So it's very difficult to take that and put it on a battery powered device that's sitting in the middle of a desert.

What neuromorphic chip design is trying to do, and by no means, I'm not an expert in that, more of a hobbyist, but what they're trying to do is really mimic how the brain works and try to convert that into a chip that can execute commands. If you think about the brain as a computing unit, it's actually very effective.

Because it uses a network, almost like a graph database to execute very complex computations, with very little battery, very little calorie consumption. So neuromorphic chips are basically trying to take that same concept and apply it to IoT. Now there are already companies in that space, like BrainChip, that have proven that this is more than just a theory.

You could basically take that and execute it.

- [Ryan] Yeah, we actually spoke to somebody from BrainChip a number of weeks ago, yeah, it's a very interesting space for sure. But yeah, thank you for coming on and talking about a lot of these different topics, the security side, the LLMs, AI, all that kind of stuff that's going on.

Very exciting stuff to think about. Considering a lot of people out there that have their solutions out there, the security is something that I think everyone- would highly recommend you think about as early as possible and as frequently as possible. Glad you came on and shed some light onto that.

For our audience who wants to learn more, follow up, engage after this with you, the company, and so forth, what's the best way they can do that?

- [Gil] Sure, they can go to smartsense.co or follow us on LinkedIn. Also feel free to reach out to me with any questions or comments. We'd love to hear from you. And thanks for having me, I really appreciate being here today. Thank you.

- [Ryan] Yeah, thank you Gil. It was great to have you and look forward to getting this out to our audience, and we'll be sure to get this out pretty quickly so our audience can benefit from this conversation. So thanks again.

- [Gil] Awesome. Thank you so much, Ryan.
