Six Questions for IoT Security Expert Dan Lohrmann

Whether you're instrumenting your factory with sensor networks or designing a consumer product that leverages Internet of Things technology, Security Mentor's chief security officer says you need to set your security strategy early.
By Mary Catherine O'Connor
Jul 08, 2015

Dan Lohrmann has nearly 30 years of experience in cyber security, including stints at the National Security Agency and as the first chief security officer for the state of Michigan. Lohrmann currently serves as chief strategist and chief security officer at Security Mentor, which provides companies with security awareness training. We asked him a few questions about data security and privacy issues that end users (or potential end users) of IoT technologies might want to think about regarding their upcoming projects.

IOT Journal: The IoT has such a massive range of applications, including consumer-facing exercise and health-care aids, predictive maintenance systems embedded in factory equipment, intelligent lighting and safety systems that are part of smart city projects. From a security point of view, what applications or sectors do you feel require the most attention?

Dan Lohrmann: I recommend approaching this from a data-centric viewpoint. If sensitive data—and just a note that some prefer using the term personally identifiable information (PII) over sensitive data—is being collected, stored or transmitted in an application, those IoT apps and devices require the most attention.

The difficulty comes if IoT devices that process less-sensitive data can become "back-doors" into networks that contain more sensitive data. For example, could a Wi-Fi-connected kitchen appliance provide a trusted connection to a PC with tax information on it?

Another tricky topic is geolocation, especially when it comes to consumer devices. While some people may not care if their heart rate or number of steps is revealed via a smart wristband app, does that wristband also report where you are jogging? That data can cause privacy concerns that affect safety issues. The question becomes: Who can legitimately see this data?

IOT Journal: The government is an important player in the emerging IoT ecosystem, and we've reported on a number of smart city deployments around the world. In the United States, the public-private partnership U.S. Ignite held a major summit this summer and is really pushing to instrument city infrastructure with sensor networks in order to improve transportation, utility services and environmental health. In smart city deployments, what are the top security issues and vulnerabilities? What safeguards should cities and vendors—and even citizens—take?

Lohrmann: I like to use the simple categories of people, process and technology to describe smart city deployment issues and security solutions. I would start with a series of questions to complete project plans. The difference in new smart cities technologies is that they often lack the access controls, logs and other security features built into more traditional infrastructure platforms.

On the people side, determine what data you are collecting and storing. Why? What are you using the data for? Who has access? Is your staff trained? What is the privacy policy? Can citizens see their data, or "cleanse it," if needed?

On the process side, do you have a clear concept of operations? How are IoT devices and capabilities integrated into your wider government operation centers? What do you do if something goes wrong? Is there an incident-management plan? Are different scenarios tested, and are the actions required of staff clear and repeatable in an ongoing way? For example, what do you do if sensors fail or an emergency situation occurs? Even if everything is working correctly, what actions are required to ensure proper ongoing functions are maintained, such as monitoring logs and responding when appropriate?

The technology issues revolve around the platforms being deployed and the security controls that are available and are in place by the vendor. Ask if you are running the highest or appropriate level of security controls available. Where is your data stored? Is the data encrypted at rest and in transit? What about patches and upgrades? Does an ongoing operational and budget plan address using the technology in the long-term, and not just for a few months or a year? In government budgeting, "one-time money" is sometimes used to purchase the latest innovative devices, but when the funds run out, equipment can quickly become out of date or no longer be covered under warranty for needed software or firmware upgrades, etc.
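The process and technology answers above both come back to the same operational loop: watch the logs, notice when a sensor goes silent or reports an out-of-range value, and hand the event to a predefined response. The following is an added illustration of that loop, not code from the article or from Security Mentor. The log format, the sensor names, the thresholds and the response playbook are all constructed for the example; a real deployment would substitute the vendor's actual log fields and the operations center's own escalation steps.

```python
"""Staleness and threshold monitor over constructed IoT sensor log lines.

Demonstrates the 'monitor logs and respond' step from an incident-management
plan: sensors that stop reporting are flagged as stale, and readings above a
limit are flagged for escalation. Everything here is illustrative.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real deployment):
# ISO timestamp, sensor id, metric name, numeric value.
SAMPLE_LOG = """\
2015-07-08T10:00:00Z sensor=air-01 metric=pm25 value=12.4
2015-07-08T10:00:00Z sensor=air-02 metric=pm25 value=15.1
2015-07-08T10:00:00Z sensor=water-07 metric=chlorine value=0.9
2015-07-08T10:05:00Z sensor=air-01 metric=pm25 value=13.0
2015-07-08T10:05:00Z sensor=water-07 metric=chlorine value=4.8
2015-07-08T10:10:00Z sensor=air-01 metric=pm25 value=12.8
2015-07-08T10:10:00Z sensor=water-07 metric=chlorine value=5.2
"""

# Hypothetical alert limits per metric; a real plan would take these from the
# operating concept agreed with the responsible department.
THRESHOLDS = {"pm25": 35.0, "chlorine": 4.0}

# Hypothetical playbook: which predefined action each alert kind triggers.
RESPONSE_PLAYBOOK = {
    "stale": "open maintenance ticket; verify power and network path to sensor",
    "threshold": "notify operations center duty officer; confirm reading with adjacent sensor",
}


def parse_line(line):
    """Turn one log line into (timestamp, sensor, metric, value)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["sensor"], fields["metric"], float(fields["value"])


def parse_log(text):
    """Parse all non-empty lines of a log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def evaluate(events, now, stale_after):
    """Return a list of (kind, sensor, detail, response) alerts.

    A sensor is stale when its newest event is older than `stale_after`
    relative to `now`; a reading is a threshold alert when it exceeds the
    limit for its metric. Both checks run independently, so a stale sensor
    whose last reading was also out of range produces two alerts.
    """
    latest = {}
    for ts, sensor, metric, value in events:
        if sensor not in latest or ts > latest[sensor][0]:
            latest[sensor] = (ts, metric, value)

    alerts = []
    for sensor, (ts, metric, value) in sorted(latest.items()):
        if now - ts > stale_after:
            alerts.append(("stale", sensor, f"last seen {ts.isoformat()}Z",
                           RESPONSE_PLAYBOOK["stale"]))
        limit = THRESHOLDS.get(metric)
        if limit is not None and value > limit:
            alerts.append(("threshold", sensor, f"{metric}={value} exceeds {limit}",
                           RESPONSE_PLAYBOOK["threshold"]))
    return alerts


def run_check(log_text=SAMPLE_LOG, now=None, stale_after=timedelta(minutes=7)):
    """Convenience wrapper: parse the log and evaluate it at a fixed 'now'."""
    if now is None:
        now = datetime(2015, 7, 8, 10, 10)  # matches the newest sample line
    return evaluate(parse_log(log_text), now, stale_after)


if __name__ == "__main__":
    for kind, sensor, detail, response in run_check():
        print(f"[{kind}] {sensor}: {detail} -> {response}")
```

Run as written, the check flags air-02 as stale (silent for ten minutes against a seven-minute window) and water-07 for a chlorine reading above the limit, each paired with the playbook action staff are expected to take. The point of wiring the response into the alert, rather than leaving it to memory, is the repeatability Lohrmann asks for: the same event produces the same documented action every shift.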
