

iot use case (3)

IoT Cyber-Security Puzzle


I recently attended a significant Cyber-security @ Internet of Things event which featured keynotes, speeches and presentations from CTOs, SVPs-Tech and VPs of major IT firms. Attending these presentations sometimes gives you the feeling of being in a literature or rhetoric club where, instead of hearing context-oriented speeches, you get to listen to a bunch of fairy tales in which almost every sentence includes overused adjectives like “trust”, “motivation”, “responsibility” and so on. An SVP of a major IT player was asked about the (technical) measures her company takes to ensure data integrity and prevent cyber-attacks. Interestingly, her answer was the statement that “they maintain a culture of trust in and around the company”. To me, that is like standing in front of a hungry lion and telling him that you believe in non-violence. Today, in the age of the internet and IoT, we have to deal with thousands of cyber criminals (hungry lions) who are waiting to penetrate the system and make the most of it. To keep them out you need a lot more than just “trust”.

At the same event, I had the opportunity to talk to many cybersecurity experts and companies, and I asked them to name at least one relevant cybersecurity norm, standard or certificate for each major component in an IoT stack. Unfortunately, most of these discussions turned into sales pitches. The question one can raise at this point: is it really so challenging to name at least one “state of the art” cybersecurity measure for every IoT component? Or is the topic simply underestimated?

This blog is just an attempt to name a relevant security standard, certificate or measure for every major element in the IoT stack (see below) without going deep into the details of each and every standard, norm or certification.

For this purpose, we will assume a simple IoT stack as illustrated below:

 

Fig.1: IoT stack of a simple use case

In this use case, an industrial sensor collects physical parameters (temperature, pressure, humidity etc.) and transmits the values via a Bluetooth, Wifi or wired connection to the gateway or edge device. The gateway device, depending on its type (simple or edge), performs a certain minimal calculation on the received data and pushes it into the cloud via a Wifi/4G connection. The cloud collects the data and uses it to feed the desired micro-services such as analytics, anomaly detection etc. The cloud also offers an interface to the existing enterprise resource planning (ERP) system to synchronize the running process with the current one, as well as to provide product/service-related information over the IoT platform to the end user. What the user sees on his screen is then the dashboard of the IoT use case, which is a graphical representation of the micro-services running in the background.

As we can see, there are four to five main stages and at least three interfaces (sensor-gateway, gateway-cloud, cloud-user) in a typical IoT use case. These stages and interfaces are targets for cybercriminals who try to hack into the system with the intention of either manipulating or hijacking it. Safeguarding just the components is not adequate. The underlying IoT communication layer (Bluetooth/Wifi/4G etc.) needs to be secured as well. Also, organisations running or involved in such IoT use cases must ensure the safety and integrity of the process, of technical data and of user data by having an information security management system (ISMS) in place.

To sum up, we need security measures at the component, communication-interface and organisational levels. Now, if I have to write a state of the art or “best in class” security measure (excluding cryptography) next to each stage, communication type and interface in the diagram above, then the resulting picture might look like the one below.

 

Fig.2: IoT stack with relevant cyber-security measure

 

What, in your opinion, could be included/excluded or replaced in this diagram? Feel free to share your opinion.

 

Read more…


 

Bitcoin topics are on the front page of finance or tech newspapers almost every day, and they do not necessarily deal with investment. With bitcoin transactions getting expensive and taking longer to get approved, investors are now sceptical about bitcoin and its future. One can argue that there is trouble wherever money is in play. But is it really the money (in our case bitcoin) or the underlying technology which is the root cause of these problems?

There are lots of reports mentioning the use cases of blockchain in various industries and sectors. However, none of them hints at how exactly it works in terms of architecture, division of roles and responsibilities etc. If we still assume that the whole thing would work more or less the way it works for bitcoin, then there are certain questions which need to be addressed before one decides on blockchain. We should keep in mind not only the implementation but also the long-term application and maintenance of blockchain in, let's say, a manufacturing environment.

Let’s assume we have an OEM (X) who purchases equipment parts from suppliers A, B through E, which in turn depend on their raw material suppliers A1, B1..E1 respectively. X decides one day to implement blockchain in order to achieve transparency and better control over processes. To achieve this, he asks A..E and their respective suppliers to join the network. Moreover, X would like to invite his logistics partner, service partner, bank and end customer to join the blockchain. The issues which he might face later within his blockchain environment are as follows:

 

 

Example of a blockchain in manufacturing

 

Available IT infrastructure: Blockchain demands a decentralized ledger/transaction record that is made available to all of the nodes/parties involved. The size of this ledger will grow over time as the number of transactions increases. The kind of information influx we are talking about can be understood from the fact that every new purchase order will trigger hundreds of manufacturing and supply-chain-related events, and all of this information needs to be tracked in the blockchain. Here, for example, A requests stock availability and shipment status from A1 and would like to update his block accordingly. This block will then be made available to X, who will, in turn, provide the updated information to his logistics partner and the customer. In real life, it is more a one-to-many or many-to-many kind of communication. Moreover, when we talk about data, it does not only mean Excel sheets or PDF files; it can be anything from an image to a video. The question here is: are all of the parties involved capable of dealing with this volume of information/data in terms of IT infrastructure? Just to give an idea, the size of the bitcoin blockchain increased from merely 620 MB in 2012 to 150 GB in 2018 (ref. blockchain.info). That is 150 GB of just transaction lists, user profiles and hashtag info. There is no way we can compare it to the data (design, CAD files, photos, videos, manuals etc.) generated or needing to be stored in a manufacturing environment.

Consensus: Every transaction made needs to be approved, thus creating a new block in the chain. The approval process is quite tedious and requires checks, calculations and the creation of hashes (a unique ID per block). In the case of bitcoin, this task is taken over by miners, who select transactions to approve based on the fee offered to them. The logic here is simple: a miner chooses to approve the transaction which offers a better fee. The whole idea is to encourage a party, by means of an incentive, to approve a transaction. How will this work in our scenario, and who will take over the role of a miner? With no incentive involved, it will be difficult to convince any single party to take over this role, especially if creating a block (approving a transaction) comes at the cost of high resource consumption.

Transaction approval rate: The other issue with block creation is that the blockchain algorithm limits the creation of new blocks to 1 block per 10 minutes. Moreover, more transactions will demand more miners to approve them. How will a logistics company shipping hundreds or thousands of packets per hour cope with this rate?

Openness: In a distributed ledger technology, the digital ledger/database is shared and synchronized across the network and is made public to all the parties. This prevents data or record manipulation, since each party owns a copy of this ledger and any change or attempted change will be reflected within seconds. This is a very powerful feature of a blockchain for avoiding fraud and cyber-attacks, but it comes with a flaw. What if, in our scenario, A does not want to share his shipping details with the rest of X's suppliers, or what if X does not want to disclose his dealings with the bank to his customer? Again, considering one-to-many or many-to-many kinds of transactions, one has to define a lot of exceptional cases in which one party can satisfy its need of dealing with a certain number of partners.
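
The tamper-evidence property described under Openness, as an added example that is not part of the original post: a minimal hash-chained ledger replicated to X, A and A1, where an edit to one copy is caught either by re-verifying that copy or by comparing chain heads across parties. The record fields, the function names and the majority-head comparison are assumptions made for illustration, not the consensus protocol of any real blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first block

def block_hash(prev_hash, record):
    """SHA-256 over the previous block's hash and the canonical JSON record."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_ledger(records):
    """Chain records so that each block commits to everything before it."""
    ledger, prev = [], GENESIS
    for record in records:
        digest = block_hash(prev, record)
        ledger.append({"prev": prev, "record": dict(record), "hash": digest})
        prev = digest
    return ledger

def first_invalid_block(ledger):
    """Index of the first block whose link or hash fails to verify, else None."""
    prev = GENESIS
    for index, block in enumerate(ledger):
        if block["prev"] != prev or block_hash(prev, block["record"]) != block["hash"]:
            return index
        prev = block["hash"]
    return None

def divergent_parties(copies):
    """Parties whose chain head differs from the head most parties hold."""
    heads = {party: ledger[-1]["hash"] for party, ledger in copies.items()}
    majority = max(set(heads.values()), key=list(heads.values()).count)
    return sorted(party for party, head in heads.items() if head != majority)

# Constructed sample events: OEM X, supplier A, raw-material supplier A1.
EVENTS = [
    {"from": "X", "to": "A", "event": "purchase_order", "qty": 100},
    {"from": "A", "to": "A1", "event": "stock_request", "qty": 100},
    {"from": "A1", "to": "A", "event": "shipment", "qty": 100},
]

def demo():
    copies = {party: build_ledger(EVENTS) for party in ("X", "A", "A1")}
    # A1 edits one record in place without recomputing hashes.
    copies["A1"][2]["record"]["qty"] = 80
    edited_at = first_invalid_block(copies["A1"])
    # A1 rebuilds its chain so it verifies internally; its head still differs.
    copies["A1"] = build_ledger(EVENTS[:2] + [{**EVENTS[2], "qty": 80}])
    return edited_at, first_invalid_block(copies["A1"]), divergent_parties(copies)
```

`demo()` returns `(2, None, ['A1'])`: the in-place edit fails verification at block 2, and the rebuilt chain verifies on its own but no longer matches the head that X and A hold. Every replica also carries the A1-to-A shipment record in clear, which is the disclosure concern raised above.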

There is no doubt about the capability of blockchain to revolutionize the digital world. It has worked (at least until now) quite well in the case of bitcoin, but maybe because there was an idea of incentive behind it. Each party involved wanted to make the most of it (profit for an investor, an incentive for miners), which kept them involved in the system. Will there be the same degree of involvement in the business world, and what would be the gain here?

This certainly does not mean that blockchain technology is questionable in every case. Blockchain is the best available solution for sectors where data security, avoiding data mishandling or manipulation, availability and transparency are the utmost goals. Examples here could be government sectors, NGOs, hospitals, banks or financial institutes, certification services and so on. There are use cases where certain banks and government institutes have implemented blockchain within their network in order to achieve the above-mentioned goals along with ease of business. Again, the information influx in these sectors cannot be compared to that in a manufacturing environment. Sooner or later there will be a solution overcoming the mentioned issues. Or do we already have one?

Read more…
You’re sold on the Internet of Things (IoT) and its benefits for your organization. But how do you get in the IoT “game”? Where do you start? While there is a lot of information on the technology behind IoT, case studies, and visions of what it can do, there is not a lot of practical content on what you need to get started today. This post discusses five options that managers have for executing pilot IoT projects.