Ready or not, you need to be planning how to deal with the internet of things (IoT); simply ignoring it is not an option. You may be able to delay its infiltration of your lab, but that will rapidly become an unfeasible option as more manufacturers incorporate the IoT into their instruments. A much wiser course is to embrace the IoT, but in a controlled process to reduce the risk of security breaches.
So, what is the IoT? One of the characteristics commonly cited is that it is focused on machine-to-machine (M2M) communication. Beyond that, it generally refers to any device, virtual or physical, that can be connected, either directly or indirectly, to the internet. Gartner projected that by 2020 the IoT would consist of approximately 2.08 × 10^10 (about 20.8 billion) discrete devices, far outnumbering the internet's human users.
Unfortunately, while the big picture of the IoT can be presented fairly simply, when you are in the middle of deciding how to implement and configure it, things can get messy, at least during this "frontier" period of its development. I recommend you check out some of the online glossaries for descriptions of IoT-related terms. These are available in both nontechnical [1] and more detailed [2] versions.
Approaches to the IoT
There are several approaches to implementing IoT devices. Currently, the most commonly used one is to implement a standard TCP/IP stack in the IoT unit and have it communicate like any other network device. The advantage is that it uses a technology familiar to most IT groups, and TCP acknowledges delivery, so the sender can confirm that a message was received. The drawback is that the cost of integrating the hardware and software to make this possible drives up the cost of the individual sensor devices. A full TCP/IP stack also gives the sensor the same attack surface as any other host on your network (listening services, a management interface, a software stack that needs patching), so it has to be hardened and maintained like one.
An alternative approach is to deploy many inexpensive sensors that use a much simpler, lightweight message format. One such design, which daCosta and Henderson call "chirps" [3], is an extensible open-source structure of private data fields validated with a simple checksum. For devices reporting small amounts of data, chirps significantly reduce the protocol overhead carried by each packet. The trade-off is that no acknowledgement of receipt is ever sent. The philosophy is that, because the sensors are so cheap, several redundant sensors can be distributed, so that if one reading is lost it has no impact on operations.
Whichever approach is taken, you still need to receive the data. This requirement can be addressed in two ways. The classic approach would be to incorporate code into your applications, such as a laboratory information management system (LIMS) for an analytical laboratory or a supervisory control and data acquisition (SCADA) system for a process control system. However, this approach requires custom modifications of the system for each sensor that you add. In most situations, it is much more pragmatic to use a Web of Things gateway, which could be a middleware software layer in your network or a physical hardware module. The purpose of this gateway is to aggregate the data from IoT devices, filter out the unneeded information, transform it into a format that your laboratory's instruments and applications can understand, and deliver it to them. A number of proprietary gateways are being developed by vendors, but the basic operation of such a gateway can be illustrated by the open gateway for the internet of things being developed by Mozilla [4].
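The two ideas above, a minimal checksummed "chirp" and a gateway that aggregates, filters and transforms chirps for a LIMS, are easier to judge with a concrete implementation in hand. The following is an added example written for this page; it is not code from the article, from daCosta and Henderson, or from Mozilla's gateway. The frame layout (a 12-byte chirp with a one-byte XOR checksum), the sensor IDs, the readings, the location limits and the output record format are all assumptions constructed for illustration.

```python
"""A lightweight checksummed sensor chirp and a minimal Web of Things gateway."""
import struct
from collections import defaultdict

# Constructed chirp layout (an assumption for this example, not daCosta's
# wire format): big-endian sensor id (4 bytes), reading kind (1 byte),
# reading as float32 (4 bytes), sequence number (2 bytes), XOR checksum (1 byte).
FRAME_FMT = ">IBfH"
BODY_LEN = struct.calcsize(FRAME_FMT)   # 11 bytes before the checksum
KIND_TEMP = 1        # temperature reading, degrees C
KIND_HEARTBEAT = 2   # "I am alive", carries no reading of interest


def checksum(body: bytes) -> int:
    """One-byte XOR over the body: catches corruption, but anyone can recompute it."""
    c = 0
    for b in body:
        c ^= b
    return c


def encode_chirp(sensor_id: int, kind: int, value: float, seq: int) -> bytes:
    body = struct.pack(FRAME_FMT, sensor_id, kind, value, seq)
    return body + bytes([checksum(body)])


def decode_chirp(frame: bytes):
    """Return the chirp as a dict, or None if it is malformed or fails its checksum."""
    if len(frame) != BODY_LEN + 1:
        return None
    body, chk = frame[:-1], frame[-1]
    if checksum(body) != chk:
        return None
    sensor_id, kind, value, seq = struct.unpack(FRAME_FMT, body)
    return {"sensor": sensor_id, "kind": kind, "value": value, "seq": seq}


class Gateway:
    """Aggregate, filter and transform chirps into records a LIMS could ingest."""

    def __init__(self, placement, limits):
        self.placement = placement    # sensor id -> location name
        self.limits = limits          # location -> (low, high) acceptable temperature
        self.seen = defaultdict(set)  # sensor id -> sequence numbers already accepted
        self.dropped = 0              # malformed or corrupted frames

    def ingest(self, frames):
        per_location = defaultdict(list)
        for frame in frames:
            chirp = decode_chirp(frame)
            if chirp is None:                        # corrupted: drop it, count it
                self.dropped += 1
                continue
            if chirp["kind"] != KIND_TEMP:           # filter: heartbeats carry no data
                continue
            if chirp["seq"] in self.seen[chirp["sensor"]]:   # duplicate retransmission
                continue
            self.seen[chirp["sensor"]].add(chirp["seq"])
            location = self.placement.get(chirp["sensor"])
            if location is None:                     # sensor nobody registered: ignore
                continue
            per_location[location].append(chirp["value"])
        records = []
        for location, values in sorted(per_location.items()):
            mean = sum(values) / len(values)         # redundant sensors, one figure
            low, high = self.limits[location]
            records.append({
                "location": location,
                "sensors_reporting": len(values),
                "mean_c": round(mean, 2),
                "excursion": not (low <= mean <= high),
            })
        return records


def demo():
    """Constructed traffic: three fridge sensors, two freezer sensors, some noise."""
    gw = Gateway(
        placement={0x1001: "reagent-fridge", 0x1002: "reagent-fridge",
                   0x1003: "reagent-fridge", 0x2001: "sample-freezer",
                   0x2002: "sample-freezer"},
        limits={"reagent-fridge": (2.0, 8.0), "sample-freezer": (-90.0, -70.0)},
    )
    good = encode_chirp(0x1001, KIND_TEMP, 4.1, 7)
    corrupted = good[:6] + bytes([good[6] ^ 0xFF]) + good[7:]   # one damaged byte
    frames = [
        good,
        good,                                          # retransmission of the same chirp
        corrupted,
        encode_chirp(0x1002, KIND_TEMP, 4.3, 7),
        encode_chirp(0x1003, KIND_TEMP, 4.2, 7),
        encode_chirp(0x1003, KIND_HEARTBEAT, 0.0, 8),
        encode_chirp(0x2001, KIND_TEMP, -79.5, 3),
        encode_chirp(0x2002, KIND_TEMP, -58.0, 3),     # this freezer is warming up
        encode_chirp(0x9999, KIND_TEMP, 21.0, 1),      # unregistered sensor
    ]
    return gw.ingest(frames), gw.dropped


if __name__ == "__main__":
    print(demo())
```

The checksum does exactly what the article says and no more: a damaged frame is detected and dropped, but the checksum is computed from public data, so any device that can reach the gateway can fabricate a chirp that validates perfectly. Integrity against corruption and authenticity against an attacker are different properties, which is why the per-device key item in the checklist later in this article matters.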
Benefits of the IoT
The IoT promises a major paradigm shift in the way we work and think about our equipment. The magnitude of this change is suggested by these devices being referred to as "Enchanted Objects." The implication is that they are more intuitive to use, not requiring you to learn a new set of commands and procedures for each device. While many benefits will be common to all labs, some may be particular to the specific type of laboratory you manage.
Consider the range of analytical, process control, clinical/hospital, and other laboratories. Applications common to most of them include:
- Monitoring chemical/reagent inventories, and automatically reordering.
- Monitoring controlled environments, such as server rooms or reagent storage areas, for over/under temp conditions.
- Monitoring equipment for regulatory or operational compliance, for example monitoring incubators or freezers to ensure that they remain within their specified temperature range.
- Safety tracking and remote communication with employees.
- Monitoring sample temperatures, whether collected internally or externally, to ensure that there are no excursions outside of the regulatory temperature storage range. Possibly even capturing the actual sample collection point.
Other laboratories will have more specialized requirements, with highly variable degrees of overlap. These are illustrated by:
- Monitoring the identity, location, and condition of patients.
- Allowing notes and observation entries, as well as treatment orders via smart pens.
- Capture of data from freestanding instruments.
- Monitoring the status and location of employees in lone operator situations via wearable devices.
At this point in time, we’ve only scratched the surface regarding the impact of IoT-enabled devices. In the future, there will be an ever-expanding range of uses, limited only by our imagination.
The dark side of the IoT
As with most technologies, there is a potential dark side to IoT devices. Some issues stem from flaws in device design or firmware. Others concern the privacy and confidentiality of the data collected.
However, the above is minor in comparison to active attacks on the IoT. So far, the main objective has been to subvert the IoT for criminal purposes. Some of the largest denial-of-service attacks encountered so far have been launched from compromised internet-connected security cameras and other IoT devices. In some instances the devices were taken over by brute-forcing their credentials, but in the majority of cases the attackers simply logged in with the factory-default password, which the owners had never changed.
This is not the only risk. Once a single device has been compromised, it can be used as a foothold for attacks against other components on the network. Depending on the intentions of the perpetrator, they can use this foothold to capture internal data, inject erroneous data, or actively sabotage equipment, as the Stuxnet worm did. With some IoT devices there might be little physical risk, but if the devices in question control valves and heaters in a production chemical process, they could be used to cause a massive explosion.
Unfortunately, as we are basically on the frontier of the IoT, many of the current crop of IoT devices were not designed with security in mind. Many devices already installed can be subverted easily, and the resulting problems can be hard to trace to their cause. For instance, if an attacker has compromised one device and used it to launch attacks on another, the only obvious misbehavior may be on the second device being attacked.
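The credential brute-forcing described above is noisy from the device's side, and a lab that forwards its devices' login logs to a collector can spot it before the camera joins a botnet. The following is an added example written for this page, not code from the article. The log format (syslog-style lines from a hypothetical camera's telnet daemon), the host name, the addresses, the five-failures-in-two-minutes threshold and the sample log itself are all constructed for illustration.

```python
"""Detect a credential brute-force against an IoT device from its login log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption): one syslog-style line per attempt.
LOGIN_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample: 10.0.5.77 hammers the camera and eventually gets in,
# 10.0.5.78 makes one typo, and the lab's management host logs in normally.
SAMPLE_LOG = """\
2018-01-24T03:12:01 cam-lab3 telnetd: FAILED login user=root from=10.0.5.77
2018-01-24T03:12:02 cam-lab3 telnetd: FAILED login user=root from=10.0.5.77
2018-01-24T03:12:02 cam-lab3 telnetd: FAILED login user=admin from=10.0.5.77
2018-01-24T03:12:03 cam-lab3 telnetd: FAILED login user=admin from=10.0.5.77
2018-01-24T03:12:04 cam-lab3 telnetd: FAILED login user=support from=10.0.5.77
2018-01-24T03:12:04 cam-lab3 telnetd: FAILED login user=admin from=10.0.5.78
2018-01-24T03:12:05 cam-lab3 telnetd: ACCEPTED login user=admin from=10.0.5.78
2018-01-24T03:12:06 cam-lab3 telnetd: FAILED login user=admin from=10.0.5.77
2018-01-24T03:12:07 cam-lab3 telnetd: ACCEPTED login user=admin from=10.0.5.77
2018-01-24T09:00:11 cam-lab3 telnetd: ACCEPTED login user=admin from=10.0.1.10
"""


def parse_events(text):
    """Turn raw log text into a list of login events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source once it has `threshold` failures inside a sliding `window`,
    and escalate the finding if that source then logs in successfully."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    findings = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        src, q = e["src"], recent[e["src"]]
        if e["result"] == "FAILED":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # expire old failures
                q.popleft()
            if src in findings:
                findings[src]["failures"] += 1
            elif len(q) >= threshold:
                findings[src] = {"first_seen": q[0], "failures": len(q),
                                 "succeeded": False, "user": None}
        elif src in findings:                       # success after a burst of failures
            findings[src]["succeeded"] = True
            findings[src]["user"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, f in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, f)
```

A source that is flagged and then succeeds is the case to treat as a compromise, not a nuisance: the device should be isolated and its credentials replaced. Many cheap devices log nothing at all; for those, the same detection has to be done at the network boundary from flow or IDS data, which is one more reason to keep IoT devices on their own segment.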
Part of the reason for this is that manufacturers, whose engineers are not used to thinking in terms of security, rush products to market without realizing how they have increased the potential attack surface of the overall network. To some extent, this is understandable, as the design requirements for safety are not the same as those for security. In some instances, it is impossible to optimize both, so you have to determine the best balance to minimize overall risk.
Things are not hopeless though; new security best practices for both the design and implementation of IoT devices are being pursued by a number of different groups. There are a number of steps that you, as the laboratory manager, can take to minimize this risk, ideally working closely with your organization's IT group. Some of these steps are relatively simple, but someone needs to take responsibility for ensuring that they are done.
- Change the default password on all IoT devices before installation, and give each device its own password. If the manufacturer has a fixed password that cannot be changed, go with a different vendor.
- Ensure that any unused ports, services, and protocols on the device are disabled.
- Ideally, all data transfers should be encrypted, with each device using a different key, even if IT must set up a public key infrastructure (PKI) from scratch. A single key shared by every device of a given model means that one compromised device exposes the traffic of all the others.
- Where possible, purchase equipment that supports over-the-air (OTA) firmware updates, and confirm that those updates are signed, so that the update channel cannot itself be used to push malicious firmware.
- Don't purchase equipment with known security issues, even if you must forfeit some features. Money talks and can drive security development.
- Security practices are different for IoT systems and traditional networks, so IT personnel will potentially be unfamiliar with the differences. While probably not in a position to ensure that proper procedures are followed, you can strongly suggest that your IT support personnel read through a good book on the subject, such as the one by Russell and Van Duren [5].
- Set up a compliance monitoring program for your IoT devices, so that the configuration you locked down stays locked down after firmware updates, factory resets, and device replacements.
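The warning earlier in this article that a compromised device can be used to inject erroneous data, and the checklist item above about giving each device its own key, are two sides of the same design decision. The following added example, written for this page and not taken from the article or from any vendor's gateway, shows a gateway that accepts a reading only if it carries a valid authentication tag under that device's own key and a sequence number it has not seen before. The frame layout, the device IDs, the readings and the use of HMAC-SHA256 with a per-device symmetric key are assumptions chosen for illustration.

```python
"""Per-device message authentication: no forgery across devices, no replay."""
import hashlib
import hmac
import secrets
import struct

# Constructed frame (an assumption): big-endian device id (4 bytes), monotonic
# sequence number (4 bytes), reading as float32 (4 bytes), then a 16-byte
# HMAC-SHA256 tag over those 12 bytes keyed with that device's own key.
MSG_FMT = ">IIf"
MSG_LEN = struct.calcsize(MSG_FMT)   # 12
TAG_LEN = 16


def provision_key() -> bytes:
    """A fresh random key per device; never derive it from the serial number."""
    return secrets.token_bytes(32)


def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Device:
    def __init__(self, device_id: int, key: bytes):
        self.device_id, self.key, self.seq = device_id, key, 0

    def send(self, value: float) -> bytes:
        self.seq += 1                               # counter must survive reboots
        msg = struct.pack(MSG_FMT, self.device_id, self.seq, value)
        return msg + tag(self.key, msg)


class Gateway:
    def __init__(self, keys):
        self.keys = dict(keys)      # device id -> that device's key
        self.last_seq = {}          # device id -> highest sequence number accepted

    def receive(self, frame: bytes):
        """Return (device_id, value) if authentic and fresh, else the reason for rejection."""
        if len(frame) != MSG_LEN + TAG_LEN:
            return "malformed"
        msg, t = frame[:MSG_LEN], frame[MSG_LEN:]
        device_id, seq, value = struct.unpack(MSG_FMT, msg)
        key = self.keys.get(device_id)
        if key is None:
            return "unknown device"
        if not hmac.compare_digest(tag(key, msg), t):   # constant-time comparison
            return "bad tag"
        if seq <= self.last_seq.get(device_id, 0):
            return "replay"
        self.last_seq[device_id] = seq
        return (device_id, value)


def demo():
    """Constructed scenario: a genuine reading, a replay, a tampered value,
    a forgery using another device's key, and a second genuine device."""
    keys = {0x1001: provision_key(), 0x1002: provision_key()}
    gw = Gateway(keys)
    fridge = Device(0x1001, keys[0x1001])
    freezer = Device(0x1002, keys[0x1002])
    outcomes = {}
    frame = fridge.send(4.1)
    outcomes["genuine"] = gw.receive(frame)
    outcomes["replay"] = gw.receive(frame)            # same frame delivered again
    tampered = frame[:MSG_LEN - 4] + struct.pack(">f", 40.0) + frame[MSG_LEN:]
    outcomes["tampered"] = gw.receive(tampered)       # reading changed, tag now wrong
    rogue = Device(0x1002, keys[0x1001])              # fridge's key, freezer's identity
    outcomes["forged"] = gw.receive(rogue.send(-20.0))
    outcomes["freezer"] = gw.receive(freezer.send(-79.5))
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

Two caveats belong with this. First, the scheme authenticates readings but does not hide them; confidentiality needs a separate encryption layer such as TLS or DTLS, which is what the checklist's encryption item is about. Second, with symmetric keys the gateway's key store holds every device's secret, so a gateway compromise lets an attacker forge any device; a PKI, as the checklist suggests, leaves each device with a private key the gateway never holds and the gateway with only public certificates, which is why it is worth the setup effort.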
We have seen how an IoT implementation can revolutionize your laboratory operations, but also that it carries risks. Particularly as manufacturers and IT support teams explore this new paradigm, it is quite possible that at least some of the IoT devices already inside your organization have been compromised, so you need to coordinate with IT to ensure that all devices have been locked down, both to secure your operations and to remove potential legal liability. Approached proactively, the IoT allows you to reengineer many processes, improving both data quality and productivity.
1. Gates M. IoT Glossary: 55 Terms You Need to Know. dzone.com. 2017; published online Nov 9. https://dzone.com/articles/iot-glossary-terms-you-need-to-know (accessed Jan 24, 2018).
2. Poynder R. Glossary of terms and expressions used in connection with The Internet of Things with a final section of related “Standards.” Haverhill: The Internet of Things Association (IoTA), 2016.
3. daCosta F, Henderson B. Rethinking the Internet of things: a scalable approach to connecting everything. Berkeley, CA: Apress Open, 2013 http://www.apress.com/us/book/9781430257400.
4. Dillet R. Mozilla announces an open gateway for the internet of things. TechCrunch. 2018; published online Feb 6. https://techcrunch.com/2018/02/06/mozilla-announces-an-open-framework-for-the-internet-of-things/ (accessed Feb 20, 2018).
5. Russell B, Van Duren D. Practical Internet of Things Security: A practical, indispensable security guide that will navigate you through the complex realm of securely building and deploying systems in our IoT-connected world. 1st ed. Birmingham, UK: Packt Publishing, 2016. https://www.packtpub.com/hardware-and-creative/practical-internet-things-security (accessed Jan 23, 2018).