IoT Security Summit: Adopt, Adapt, Develop

By Lorna Garey

IoT SECURITY SUMMIT — After opening remarks by moderator Chris Rezendes of Inex Advisors, the keynote lineup took the stage at this week's IoT Security Summit in Boston: Dr. Reginald Brothers, undersecretary for science and technology at the U.S. Department of Homeland Security; Christopher Larkin, CTO at GE Healthcare; Esmond Kane, deputy CISO at Partners Healthcare; and Tom Stumpek, former CISO, CIO and CTO at General Electric.

Brothers highlighted the need for public/private partnerships to keep up with the pace of change in IoT. His team is actively reaching out to find, and fund, innovative ideas for agencies including FEMA and U.S. Customs and Border Protection.

“Most applied research is not funded by the government; it’s funded by industry,” he said. “How do we find those great ideas?”

Brothers cited a $3.5 million investment and collaboration among DHS, FEMA and the Lower Colorado River Authority to use IoT in the Flood Apex program. The idea is to deploy low-cost sensors that share real-time data with first responders and local officials, so they can facilitate evacuations, monitor flooding and respond rapidly when a flood strikes. Beyond that, DHS is seeking to use the data to make preventive investments in flood-prone areas.

Brothers said his office now has a presence in Silicon Valley and is looking to expand to cities including Boston, Austin and Chicago. The goal: Teach smart startups how to work with the federal government, which is not an easy task.

"We want to adopt, adapt, develop," said Brothers, describing his mantra for doing IoT innovation without big R&D budgets. "We have a real affordability challenge."

Longtime government contractors won't recognize the funding process: Startups fill out a 10-page application, one person at DHS vets the submission, and selected firms are invited to give a 15-minute presentation. They get a thumbs up or down within 30 days; the team's record is providing funding in just 10 days.

"We're trying to meet the tempo that small business needs," said Brothers.

The initiative has been active since 2014. So far, three of the 18 participating startups are selling products and half have secured funding.

Brothers reflected on the intersection of physical and cybersecurity in IoT.

"We have a framework for actively extending the Safety Act framework," he said. The relationship between "security" and "safety" is one addressed recently by Atif Ghauri, CTO of cybersecurity provider Herjavec Group. Ghauri predicts that in the next couple of years there will be fatalities from malware, and that this will change the IoT game completely.

“‘Security’ will become ‘safety,’” he says. “And once ‘safety’ happens … you better have the budget; you better have the will.”

Health Care: IoT Security Proving Ground

GE Healthcare CTO Larkin said he was inspired to get into health-care IoT by an unfortunate incident with sea-urchin spines. He is now looking to encourage use of the GE Predix IIoT platform for applications including smart hospitals, and sees health care as an $18.2 billion business for GE. Johns Hopkins is an early adopter and has found that it can not only track current bed occupancy but also predict patient load six hours out and adjust staffing accordingly.

GE recently moved its corporate headquarters to Boston.

“The data is getting bigger, and it’s getting more varied,” said Larkin. “Trying to move a genome to an analytic is actually harder than moving an analytic to a genome.”

Right now, GE Healthcare's security efforts center on de-identifying data so it can be shared with partners such as pharmaceutical companies. But as the data gets richer and more specific, securing it is getting harder.

“This keeps us up at night,” said Larkin.

The payoff is worthwhile, though. Precision medicine, a multi-enterprise endeavor that requires data to be hosted in the cloud and accessed by many parties, is a major focus for GE Healthcare and, Larkin said, has already yielded cures.

Larkin said the basics of good cybersecurity extend to IoT. GE's program includes risk assessments, embedded controls, a secure SDLC, and robust incident response and escalation.

A few security challenges are universal. A key concern is how to keep security from bogging down innovation. GE's answer is to embed security pros in business units and put accountability at the top.

“Business managers are wholly responsible for the security of their products,” said Larkin. It’s a simple but highly effective concept.

Next up, Partners Healthcare's Kane asked the crowd of about 150 who would trust their health-care data to the current IoT security landscape.

Not a hand went up.

"I have to be the wet blanket," said Kane, citing the recent IoT-botnet DDoS attack on Brian Krebs's site as proof that IoT security is far from fully baked.

Kane zeroed in on IoT-enabled medical devices, including implanted systems such as pacemakers and an implant to treat depression.

Partners is mining "literally centuries" of data to provide clinicians with predictive insight based on readings from health-care IoT devices such as insulin monitors, and is training them on how to use and secure that data.

“A well-educated doctor is your first line of defense,” said Kane.

GE's Stumpek closed the Day 1 keynote lineup with insights on enterprise risk management as it relates to IoT. He reiterated the need to stick with the security basics and offered some actionable advice:

  • Weight people, process and technology equally when it comes to security.
  • Adopt proven frameworks such as the NIST Cybersecurity Framework or ISO 27001/27002, and hold partners to the same standards.
  • Enforce data classification: Know what data you possess, and ensure policies define classification levels, ownership, access controls, encryption and handling rules for each.
  • Know your supply chain. It's not just about your partners; it's about your partners' partners. The attack surface expands as the supply chain gets more complex, and Stumpek pointed out that the specialization in the IoT space resembles the traditional supply-chain model.
  • Manage vendor relationships by subscribing to third-party security rating services and making them part of your vendor evaluation process. Tier vendors by risk and compliance, and write security SLAs into contracts.
  • Automate wherever possible, train all employees, run internal audits, establish cross-functional cyber-incident response teams, and conduct tabletop exercises at least once a year.
  • For IoT specifically, ensure that sensors and systems have embedded security that can be updated in the field.
  • Know the "security cost of doing business." Where will the IoT budget sit? Do you know your infosec spend by subcategory, benchmarked against peers, and, more importantly, can you communicate it to stakeholders and decision-makers?

Follow editor in chief Lorna Garey on Twitter.
