PORTSMOUTH — As the internet of things, known as IoT, becomes more a part of our daily lives, bringing security and privacy issues with it, a local expert says a balance is needed between how much the industry polices itself and how much government regulates it.
“I think there’s a balance in those interests,” said Dave Kjendal, chief technology officer at Senet (https://www.senetco.com/), a Portsmouth company specializing in connectivity solutions and software for IoT networks. “I think there are certain things the industry can do very well by itself, and one of those things is to develop technologies that are secure.”
IoT is a broad term applied to a network of connected objects – or things. These things are embedded with sensors, software and other technologies in order to connect and exchange data with other devices and systems over the Internet or some other kind of network.
IoT is being used these days for home appliances – washing machines and refrigerators, for example, to tell you through an alert on your smartphone that the load of clothes is done or that you need more eggs. IoT is also used for home security systems, wearable health monitors, smart factory machines, autonomous farm equipment, and a host of other uses.
Among Senet’s products and services is providing the technology for smart meters, such as a device attached to a home’s underground propane fuel tank that monitors fuel consumption and sends an alert not only when fuel is getting low, but if there might be a leak.
IoT devices need a network over which to connect. In the case of a lot of home-related devices, that network is WiFi.
For Senet, the network is something called the Low-Power Wide-Area Network (LPWAN) using LoRaWAN, a networking protocol designed to wirelessly connect battery-operated “things” to the internet in regional, national or global networks. Senet has a device that is the shape of a small Rubik’s cube with enough battery power to last up to 10 years, according to Kjendal, with transmission capability of some eight miles or more.
WiFi-connected IoT devices can become a target of mischief. Personal information collected and stored with these devices — your name, age, health data, address, etc. — can aid criminals in stealing your identity. Devices might be hacked to, say, disable a security system to abet a break-in.
It’s more the WiFi devices, and less the LPWAN devices, that need the security and privacy attention, according to Kjendal.
“Part of that is actually understanding what a device is capable of doing,” he said. The cube device that Senet uses, for example, “is not capable of doing all that much, frankly, which is a good thing,” he added. “It’s designed specifically for a specific purpose. It doesn’t have extra baggage that comes along that opens it up to additional security problems.”
On the other hand, a home security camera attached to a home WiFi network is open to a security breach.
“The weak link is almost always not the WiFi network; it’s actually the software running on the security camera and the way that it connects to the Internet, and that opens it up to attack,” said Kjendal. “That attack then can make that device do things that you don’t want it to do and its manufacturer didn’t want it to do, and that can include things like spying on you, taking those video feeds and sending them someplace else. But it can also take that device and it can turn it into an agent of destruction on other networks, on your WiFi network, on the Internet at large.”
IoT security has the attention of U.S. Sen. Maggie Hassan, D-NH.
A bill she co-sponsored, which passed during last year’s session of Congress and was signed by then-President Donald Trump, sets baseline security requirements for IoT devices purchased by the federal government.
“So many of our day-to-day devices are connected to the internet, which is why I am glad that the President signed our bipartisan bill to help better secure these devices,” Senator Hassan said of the Internet of Things (IoT) Cybersecurity Improvement Act.
“This bipartisan law will require that the federal government only purchase devices that meet a minimum cybersecurity standard, which will go a long way to prevent hackers from stealing sensitive information that could undermine public safety, and also in pushing manufacturers to improve the safety of internet-connected devices in our homes,” she added.
Among its provisions is a requirement that the National Institute of Standards and Technology (NIST) make recommendations that address secure development, identity management, patching and configuration management for IoT devices.
“That’s a good initial first step,” said Kjendal. “I would call it hygiene, describing what good practices are.”
Kjendal last year was named to the LoRa Alliance board of directors. The alliance is a global association of companies backing the open LoRaWAN standard for low-power wide-area networks. Kjendal joined Senet in 2014 and, besides currently serving as CTO, is also its chief operating officer.
Security of these networks, according to Kjendal, is a priority of the alliance. “It’s one of the critical vectors that we’re always paying attention to,” he said. “We have a dedicated working group that focuses on nothing but security. At the board of directors level, security of the solution, how we market the security of the solution, how we address attacks – that’s always been a big part of what it is that we’re focused on.”
And this is where the balance between industry self-policing and government regulations comes into play.
As an industry that has the support of the alliance, he said, “We have to make a secure protocol, and we believe that we’ve already done that. The second step is that we need to provide recommendations and guidance to the developer community. We’re building solutions on top of those specifications on how to make sure that they remain secure.”
Governments, both here in the U.S. and elsewhere in the world, can help on a couple of levels, according to Kjendal.
“I think the federal government and the multinational government bodies can help with education of the consumers of all different kinds, both in industry and government as well as individuals about what is important about security,” he said.
Additionally, he noted that IoT devices used by the federal government – with the protocols prescribed in the Hassan legislation – might serve as a testing ground before introduction into the civilian market.
“They may play a role in terms of potentially testing, verifying, providing guidance about products that are known to be secure. Maybe those are ones that have passed the requirements to be used by the federal government,” he said.
He doesn’t believe that regulation should get down into the nitty-gritty of how a device should be specifically built in order to make sure it’s secure.
“One of the things that’s really important in the IoT space – particularly this part of it that we’re focused in – cost is critical,” he said, noting that Senet’s device is low cost and can last up to 10 years. “We can’t lay on top of that a huge amount of regulatory burden for testing and for certifications and things like that. There needs to be a balance.”