The Internet of Things (IoT) provides extensive opportunities for cities to improve their infrastructure, but IoT also presents security and privacy challenges, according to Carl Piva, VP of strategic programs for the TM Forum .
Bad actors can hack into networks, and data privacy can be put at risk by the use of inexpensive, vulnerable IoT sensors. In part one of this Q&A, Piva explained TM Forum's program to create "a recipe, cookbook-style model" detailing how communities can manage their growth into smart cities. In part two, Piva, who leads the TM Forum's Smart City Forum, told Telco Transformation that there may be some security challenges ahead as IoT-based smart city networks go through an aggressive development cycle. (See TM Forum's Piva on Creating a Common Smart City Framework.)
Telco Transformation: How has the explosion of IoT research and development changed the smart city vision?
Carl Piva: I think it opens up a number of possibilities, along with a new number of challenges that weren't really seen before. In terms of the IoT, it enables a much more granular view of what is going on in the city and a much more connected way of understanding how people, assets and technology are really connected in a city context.
When you get that additional level of detail, then it almost automatically leads to new levels of possibilities when it comes to doing things like analytics, or profiling, or any other kind of commercial or social endeavor. So I think the IoT as a whole has certainly opened up a number of possibilities, but it also poses a number of quite serious privacy concerns that really are still unaddressed.
TT: IoT sensors have to be very low power and are in places that are impossible or very difficult to reach. On top of that, security is not a revenue-generator, so it can be bypassed. What's your perspective on these two big challenges for IoT?
CP: Many of these IoT sensors are quite rudimentary. They are designed to consume very little energy, have a very small footprint. They therefore can't have the most elaborate trigger points to actually be completely secure. They need to be connected in a simple way to other things.
It's probably not the one sensor network that poses the largest threat, I would say. It is when you start combining data sources from different parts. If you get the piece of the puzzle from a one-sensor network, then you get another piece of the puzzle from a social network, and a third piece of the puzzle from another open data source. At some point, somebody's going to pull these pieces together and figure out how these pieces of the puzzle fit together. And then there's going to be an image appearing that will tell a much broader, much more serious story about the user that is going to cross several privacy boundaries.
My perspective is that perhaps it's not the individual network that will create the problem, or the individual sensor. It is when you get this combined effect of having many of these things pulled together that in the end will create a number of scenarios where, I think, we are going to be exposed to a number of challenges. Those challenges will turn into disasters that will force us to reevaluate how we view security. And I think this will drive toward a much more rigorous view on privacy.
TT: It sounds like you wouldn't be surprised if there were some security threats to occur in the near term.
CP: I'm convinced we're going to see a number of those things. And it might not be seen as too difficult in the beginning. It might not be that there is death or injury involved, but it could simply be that we are targeted for various commercial reasons. It could be that our insurance premiums rise for reasons we don't understand. But it will be because somebody managed to get a better understanding of who we are, what we do, and how we act simply by pulling together [information from] sensors that are all around us.
TT: Are you more concerned with bad actors amassing profiles of people and creating a threat to data privacy than with the possibility of hackers taking control of the network?
CP: It probably is going to happen at some place, at some point. You can hack anything if you throw enough resources at it. Nothing is foolproof. Should we be worried on a more societal scale? Perhaps we should be worried that somebody could actually do something quite serious. I certainly think that risk is not decreasing over time.
TT: Why aren't the security issues being addressed in developing these IoT sensors, for example, if the industry is aware of these issues?
CP: I think it's partly because you have to compete in this world, and if you want to compete you have to be fast, and when you're fast, you're bound to make some mistakes. When things mature, when technology matures, then usually the errors are being rooted out, and you can actually address some of the problems you had.
[Working] a bit behind-the-scenes, maybe you could fix things that weren't that great from the beginning. But since the IoT revolution is such a multi-parallel activity, people don't have time to stop and engineer things perfectly from the beginning, nor do they necessarily know exactly how to do that, considering the amount of integration points that are required. It is a challenge we are going to have to learn to live with. I think, personally, that it might actually start with personal privacy issues.
— Carl Weinschenk, Contributing Writer, Telco Transformation