IoT Security Summit: Adopt, Adapt, Develop

IoT SECURITY SUMMIT — After opening remarks by moderator Chris Rezendes of Inex Advisors, a keynote lineup led by Dr. Reginald Brothers, undersecretary for science and technology at the U.S. Department of Homeland Security, and including Christopher Larkin, CTO at GE Healthcare; Esmond Kane, deputy CISO with Partners Healthcare; and Tom Stumpek, former CISO, CIO and CTO at General Electric; took the stage at this week’s IoT Security Summit in Boston.

Brothers highlighted the need for public/private partnerships to keep up with the pace of change in IoT. His team is actively reaching out to find – and fund – innovative ideas for agencies including FEMA and U.S. Border Protection.

“Most applied research is not funded by the government; it’s funded by industry,” he said. “How do we find those great ideas?”

Brothers cited a $3.5 million investment and collaboration between DHS, FEMA and the Lower Colorado River Authority to use IoT in a Flood Apex Program. The idea is to deploy low-cost sensor technologies to facilitate evacuations and flood monitoring by sharing real-time data with first responders and local officials so they can respond rapidly when a flood strikes. But beyond that, DHS is seeking to use data to make preventive investments in flood-prone areas.{ad}

Brothers says his office has a presence in Silicon Valley now and is looking to expand to cities including Boston, Austin and Chicago. The goal: Teach smart startups how to work with the federal government — not an easy task.

“We want to adopt, adapt, develop,” says Brothers, referring to a mantra on how to do IoT innovation without big R&D budgets. “We have a real affordability challenge,” he said.

Longtime government contractors won’t recognize the funding process: Startups fill out a 10-page application, one person at DHS vets the submission, and selected firms are invited to give a 15-minute presentation. They get a thumbs up or down within 30 days. The team’s record is providing funding in just 10 days.

“We’re trying to meet the tempo that small business needs,” says Brothers.

The initiative has been active since 2014. As of now, three of 18 participating startups are selling products and half have funding.

Brothers reflected on the intersection of physical and cybersecurity in IoT.

“We have a framework for actively extending the Safety Act framework,” he said. The concept of “security” versus “safety” is one addressed recently by Atif Ghauri, CTO of cybersecurity provider Herjavec Group. Ghauri predicts that in the next couple of years, there will be fatalities …

{vpipagebreak}

… from malware, and that will change the IoT game completely.

“‘Security’ will become ‘safety,’” he says. “And once ‘safety’ happens … you better have the budget; you better have the will.”

Health Care: IoT Security Proving Ground

GE Healthcare CTO Larkin (pictured, above) says he was inspired to get into health-care IoT by an unfortunate incident with sea-urchin spines. He’s now looking to encourage use of the GE Predix IIoT platform for applications including smart hospitals and sees health care as an $18.2 billion business for GE. Johns Hopkins is an early adopter and has found that it cannot only track current beds but predict patient load in six hours and adjust staffing accordingly.

GE recently moved its corporate headquarters to Boston.

“The data is getting bigger, and it’s getting more varied,” said Larkin. “Trying to move a genome to an analytic is actually harder than moving an analytic to a genome.”

Right now GE Healthcare’s security efforts are largely around de-identification of data so it can be used by partners, like pharma. But as data gets richer and more specific, securing it is getting more challenging.

“This keeps us up at night,” said Larkin.

The payoff is worthwhile, though. Precision medicine – a multi-enterprise endeavor that requires data be hosted in the cloud and accessed by many parties – is a major focus for GE Healthcare and has already yielded cures.

Larkin says the basics of good cybersecurity extend to IoT. GE’s program includes risk assessments, embedded controls, a secure SDLC and robust incident response and escalation.

A few security challenges are universal. A key concern: How to keep security from bogging down innovation. GE’s solution is to embed security pros in business units and put accountability right at the top.

“Business managers are wholly responsible for the security of their products,” said Larkin. It’s a simple but highly effective concept.

Next up, Partners Healthcare’s Kane asked the crowd of about 150 who would trust their HC data to the current IoT security landscape.

Not a hand went up.

“I have to be the wet blanket,” said Kane, citing …

{vpipagebreak}

… the recent IoT-based DDoS attack on Brian Krebs as proof that security is far from fully baked.

Kane zeroed in on IoT-enabled medical devices, including implanted systems such as pacemakers and an implant to treat depression.

Partners are mining “literally centuries” of data to provide clinicians with predictive data based on readings from health-care IoT devices such as insulin monitors — and training them on how to use and secure it.

“A well-educated doctor is your first line of defense,” said Kane.

GE’s Stumpek closed the Day 1 keynote lineup with insights on enterprise risk management as it relates to IoT. He reiterated the need to stick with security basics and provided some actionable advice:

Follow editor in chief Lorna Garey on Twitter.