Pervasive sensing: How it affects enterprise and IoT security
Pervasive sensing is a relatively new concept, but its security risks are well-developed. Expert Ernie Hayden explains this new trend and its associated security implications.
Imagine walking into a movie theater. Have you ever wondered how many sensors are in that space? Well, everyone with a smartphone essentially has a sensor in their possession. What about those with Fitbits and other sports monitors? Those are sensors, too. What about the sensors used for heating/ventilation and air conditioning controls for the movie theater? What about fire protection sensors?
We are progressively engulfed with sensor technology, and it is something a security professional may want to pay attention to.
What is pervasive sensing technology?
So, what is "pervasive sensing?" It is not a common term-of-art in security. However, it is beginning to gain traction -- especially in the industrial controls area. David Nagel of George Washington University wrote the first technical paper on the subject. In his seminal work in 2000 Nagel observed: "Pervasive sensing is taken here to mean the widespread, and possibly dense, deployment, and the continuous, either latent or real-time, employment of diverse sensors, networked to systems or people, for the gathering of information of practical use or mere interest…"
Nagel added that the "pervasive" use of sensors comes from the "rapidly increasing connectivity" of devices and the prevalence of sensors that offer low costs, low power requirements, and a small physical footprint.
In 2006 the RAND Corporation highlighted pervasive sensing in a report on the technologies expected by 2020. Its definition was more along the lines of an Orwellian 1984 perspective, stating that "Pervasive sensing is the presence of sensors in most public areas and the ability to network sensor data to accomplish real-time surveillance."
A more prevalent contemporary commentary on the subject of pervasive sensing comes from Emerson Process Management, a division of Emerson Electric Company that specializes in automation technology. Emerson's definition of pervasive sensing, according to this company blog post, is:
"Pervasive sensing is simply the use of sensors to capture data on anything in a plant that could affect its operation. It is driven to a large extent by the increasing availability of inexpensive sensors -- many of them wireless. Pervasive sensing comes down to use of multiple sensors everywhere, often (but not always) wireless."
The Emerson definition of pervasive sensing represents today's practice of adding sensors and rather than connecting them via wire and cables, using wireless sensor networks to take advantage of lower costs, ease of installation and added data about processes, systems and in some cases, even people.
This may seem like new science, but it is really another term for the Internet of Things (IoT), or the Industrial Internet of Things (IIoT) when applying this approach in an industrial environment like a factory relying on automation.
Why does pervasive sensing matter to security?
IoT security concerns have been highlighted by security researcher Bruce Schneier and even the U.S. Federal Trade Commission. But there seems to be more interest in the convenience of IoT and pervasive sensing rather than skepticism towards these new "lick and stick" sensor applications that literally can expand sensor arrays on thousands of devices.
In one of its marketing articles, Emerson Process Management reported that an Eastern European oil processing plant is deploying a fully wireless infrastructure to allow the addition of 12,000 pervasive sensing instruments -- up from 7,000 -- in order to improve energy efficiency, more closely monitor equipment and pipe corrosion, and reduce unplanned environmental releases. Consider how much larger the attack surface has become for this plant. The risk posture has increased substantially, but what security controls are being included or implemented to protect the systems, processes and data?
IoT security risks and pervasive sensing
Every sensor added to a plant process can be either a benign data point strictly used for indication, or it can be connected to a control system and ultimately operate an actuator like a valve positioner or a circuit breaker. It really depends on how it is attached to the plant systems and how configuration management is assured with all these devices. And, with new sensors being procured with corporate credit cards rather than a more disciplined purchase-order process, this can lead to some interesting unintended consequences.
So what are the risk implications with all these sensor arrays? The next part of this series will examine the primary implications of pervasive sensing that security professionals should keep in mind before deploying sensors throughout their enterprises.
About the Author:
Ernie is a highly experienced and seasoned technical consultant, author, speaker, strategist, instructor and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime and cyber warfare areas. His primary work emphasis involves cyber and physical security of industrial controls, smart grid, energy supply, and oil/gas/electric systems and facilities with special expertise on industrial controls. Hayden holds certifications as a SANS Global Industrial Cyber Security Professional (GICSP Gold), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). Hayden is an Executive Consultant at Securicon, LLC and has held roles as Global Managing Principal – Critical Infrastructure/Industrial Controls Security at Verizon, held information security officer/manager positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light. In 2012 Ernie was named a "Smart Grid Pioneer" by Smart Grid Today. Ernie is a frequent author of blogs, opinion pieces and white papers. He has been cited in the Financial Times, Boston Globe, Energy Biz Magazine, and Puget Sound Business Journal. Many of his articles have been posted to such forums as SearchSecurity, Energy Central, Public Utility Fortnightly "SPARK," and his own blog on Infrastructure Security.
Hayden has completed his Masters in Infrastructure Planning and Management at the University of Washington and this article is based on his Masters Capstone work on pervasive sensing.
Learn why IoT security concerns remain even as the technology evolves and how best to approach IoT security challenges
How to plan for IoT security
Manufacturers look to IoT gateways for innovation