With TfL proposing widespread IoT sensor deployment for relieving congestion, the prpl Foundation comments on the need for device security at the hardware level.
The Internet of Things has been thrust back into the spotlight this month, with reports surfacing that Transport for London is looking to solve London’s congestion issues with the help of IoT sensors. TfL’s Chief Information Officer Steve Townsend has said they are currently looking at data from IoT and how they could use it to work differently in London. This would include the possibility of solving congestion problems, maintaining their fleet of vehicles better, using digital monitoring for maintenance in a more efficient way, and how they can utilise their internal data from IoT.
TfL is also looking at how it could deploy sensors to capture data on passenger behaviour, including lifts and escalators. Townsend believes that by adding sensors they will have the ability to predict when the lifts and escalators are going to malfunction and use them for proactive maintenance.
Although it is commendable that TfL is looking into alternative ways to help with congestion within London, Cesare Garlati, chief security strategist for the prpl Foundation is concerned about the greater safety and security issues that may arise.
“While it is exciting that TfL is looking to IoT sensors and the data they provide to help improve congestion for commuters, it must not overlook wider security and privacy implications this will have on the City of London. IoT, although growing at an enormous pace, is still very much in its infancy – with people eager to get their hands on the latest and greatest connected devices and manufacturers rushing to get them to market – security is often an afterthought,“ Garlati said.
“If we don’t take steps now to improve security within devices at the development level, the results could be catastrophic, especially when used to capture data on passengers and whole cities as suggested by TfL’s CIO, Steve Townsend. At best, people’s privacy and civil liberties are affected and at worst, poor security controls will mean terrorists will have access to a whole host of information they can use for surveillance or other nefarious purposes when security controls aren’t properly addressed.”
Created on the principle of portability, the prpl Foundation is an open-source, community-driven, collaborative, non-profit foundation that targets and support MIPS architecture. Focusing on enabling next-generation datacentre-to-device portable software and virtualised architectures, prpl represents those in the technology industry investing in innovation in efficiency, interoperability and compatibility for the good of the community.
“The Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken,” Garlati continued. “But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualisation.”
For this reason, the prpl Foundation has provided guidance on how to create a more secure Internet of Things that advises manufacturers and developers to adopt an open source, hardware-led approach that sees security embedded from the ground up. The guidance focuses on a new hardware-led approach to create stronger security for embedded systems, with three general areas of guidance: Addressing fundamental controls for securing devices, using a security by separation approach and enforcing secure development and testing.
By embracing these initial areas of focus, developers can create a secure foundation for IoT which companies like TfL can then put in place to benefit the greater community – but security has to be at the core.