Security and privacy need to be core to IoT design, say industry leaders

The best way of tackling security and privacy concerns around the internet of things is to focus on both from the design phase, say industry leaders

Large companies such as Bosch and General Electric (GE) are exploring the huge potential benefits of technologies enabling an internet of things (IoT), but they agree that security and privacy are important elements.

“We are convinced we need security and privacy by design, and that we must do this from end to end,” said Rainer Kallenbach, chairman of the executive board at Bosch Software Innovations.

“Back-end security is no good if your devices are not protected and vice versa, so you must do this in an integrated chain, which is something my company is pursuing intensively,” he told Computer Weekly at PTC LiveWorx Europe 2015 in Stuttgart, Germany.

As the number of intelligent systems in people’s lives increases, there will be more data available that criminals will want to access.

“We need to prepare for that and build privacy into the design to ensure people can make choices about what is happening with their data,” said Kallenbach.

Paul Boris, CIO of advanced engineering at GE, said that while building security in from the design phase is essential, it also provides an opportunity to raise the level of security.

“If we design systems to track data so we can understand how data is consumed, we can compare it against a standard profile to detect anomalous behaviour,” he said.

Jim Heppelmann, president and chief executive of PTC, said that because security is always a function of a particular deployment, the way it is handled will differ from case to case.

However, he views IoT security as being analogous to datacentre security, where the same principles and technologies apply.

“Security is an issue, but the difficulty for IoT is simply a continuation of the security problem for the datacentre – it is not fundamentally different. Just as you can make a datacentre secure to differing levels depending on how much money you want to invest, you can make connected products secure to varying levels,” he said.

Intranet offers first level of security

Computing systems can be made very secure, but it takes resources, money, talent and know-how, according to Heppelmann.

“It is like insurance. You gauge the risk, and the more risk there is, the more you insure yourself against that risk,” he said.  

In some cases, said Heppelmann, organisations seeking to tap into the benefits of IoT are solving many security challenges by connecting only to the intranet rather than the internet.

“Most factory automation projects are not connected to the public internet, they are connected only inside a virtual private network and that is the first, most important level of security because the network is protected,” he said.

As far as PTC is concerned, Heppelmann said the company runs many security projects on an ongoing basis to ensure that the software it provides is as secure as possible.

Security partners

The company also partners with other organisations, typically system integrators, who specialise in security in the context of a specific deployment.

“If a business wants to purchase our software to manage a fleet of trucks, and connect it to the cloud, we would bring in a system integrator with the appropriate technology and expertise,” he said.

PTC is also a member of the Industrial Internet Consortium, which was set up in 2014 to bring together the organisations and technologies necessary to accelerate the growth of the industrial internet by identifying, assembling and promoting best practices.

“This includes security and interoperability, and we are working with other companies such as GE and Bosch, which will deploy our technology in the context of their end-to-end systems, which they want to ensure is secure, and similarly with GE, mostly in the factory setting,” said Heppelmann.

“The problem is very diverse – we have many partners who are using our technology in many different types of systems in many different infrastructures. There is no single answer for how everybody is solving the security challenges,” he said.

While standards are useful and good, Heppelmann said that, as with security for datacentres, security technologies and attack types typically change faster than standards, so there is no single standard or set of standards that will meet all the challenges of securing IoT-enabled operations.

“We’ll have to be careful. We’ll have to fight the good fight, and we will have to continue to evolve our tactics as the tactics of the attackers continue to evolve as well,” said Heppelmann.
