Scanning the field for threats: Is the environment sector ready for the IoT?

Is the environmental arena ready for the Internet-of-Things? asks Envirotec

Cyber-security should be more of a consideration during the installation of home appliances like smart meters

It does feel like the Internet-of-Things is becoming a real thing – a phenomenon you might encounter in everyday life. The release of the new Samsung Family Hub fridge appears a decisive moment: Having a camera in your fridge seems unnecessary, but it sounds undeniably handy for those supermarket moments when you can’t remember if you’ve already bought milk. And if it doesn’t add noticeably to the cost of a fridge then why not?

This, more or less, is the rationale offered by Kevin Curran, Professor of Cybersecurity at Ulster University, and senior IEEE member, when explaining why the IoT is now really happening – and why we need to prepare ourselves.

The environmental arena presents many situations where it would be helpful if remote sensors or monitoring devices could be internet-connected, and this has already led to some memorable projects.

Wood from the trees

One of Curran’s favourites is Invisible Tracck, the name of a cellular communications device fitted to trees in the Amazon rainforest to help prevent illegal logging, in a 2013 project of the same name. An accelerometer in the device detects any substantial movement of the tree and alerts officials at the Brazilian environmental protection agency (IBAMA).

And then there are the BigBelly solar trash cans, which have saved expense for waste management firms in Boston in the US by keeping a central office alerted to the fullness status of networked trash cans, eliminating unnecessary pick-ups.

Networked sensors and machine-to-machine communication look likely to have an impact in addressing a huge range of environmental challenges, from managing water resources to the fight against urban air pollution. But at a time when the cyber-threat to national infrastructure and utilities seems particularly acute, are we ready to embrace the IoT?

On that score, Curran believes there is work to be done.

DoS upsurge

He gives the example of one common form of disruptive cyber intrusion, the denial-of-service (DoS) attack, where a website is bombarded with so many digital packets that it stops functioning. Up until around two years ago, he said, there was little or no financial incentive to undertake this form of crime. Most of the big incidents were purely for show – for demonstration purposes, you might say – or were politically motivated.

With Bitcoin and the rise of cryptocurrency, he says, DoS attacks became “suddenly lucrative”. And this is evident from an apparent upsurge in their popularity. Many of the victims are financial firms with little attendant publicity, for understandable reasons. But all kinds of firms and systems are vulnerable.

It’s not so bad for big companies, which can afford to pay a lot of money to the likes of Google or Cloudflare for the DoS protection they provide to paying clients. But for small firms, he says, “there’s almost nothing you can do.”

Perhaps one reason for DoS’s popularity is the ease with which one can be set up. It requires very little tech ability and “there’s no kudos in it”, says Curran.

In computer networks, IoT devices present the outside world with a particularly vulnerable point at which to mount an attack. And this is something that the tech industry needs to urgently address – and about which users need to become informed.

The Invisible Tracck project uses sensors and cellular communications to monitor illegal logging activity

IoT devices have become increasingly easy to locate using online resources like the SHODAN search engine.

These kinds of devices usually have restricted memory resources, so can’t run lots of encryption, for example. And very often they are installed by people without technical ability – Curran cites the examples of webcam or baby-cam devices now appearing in many homes.

The manufacturers of these devices have had little incentive to issue frequent security patches and updates. At best, some manufacturers will issue patches intermittently, but not with anything like the timeliness and responsiveness that has become the norm in the computer arena. This is becoming an urgent matter, says Curran, because these devices are an easy target for attackers looking to penetrate a network. Rather than trying to get into your computer, an intruder will go for one of these devices, from which it’s easy to get the IP addresses of computers on the network. “I know how to get in from there,” says Curran.

So manufacturers of networked devices need to become more accountable and responsible for ensuring a healthy life cycle for security patches. There needs to be something like GDPR or the equivalent for the wider variety of networked “things”, he suggests.

Where home networks are concerned, one important ingredient might be a requirement that plumbers, electricians and the like – the people who install devices like smart meters – have some kind of cyber-security training.

The UK Government appears to be alive to the problem, says Curran, and in March released a policy paper, Secure By Design, advocating a shift in approach with IoT products, moving the burden of security away from consumers and users.

In the environmental sphere there are also signs that sector-specific guidelines are starting to appear, to address cyber threats, such as those issued by Water UK last year. Watch this space.