Towards a safe and secure smart world (conference)

A summary of my key takeaways from January's conference.

I kicked off 2020 with a conference in Canterbury, organised by the Cyber Innovation Hub of Canterbury Christ Church University.  Unlike previous years I was able to attend the whole conference, while also being invited to speak.

The conference looked at the Internet of Things, smart homes and cities and medical technology.  I had the honour of chairing the final session, including the panel Q&A which made up the last activity of the day.

Drone usage (forensics and medical transport)

I found this talk, by Dr Yijun Yu, really interesting and Dr Yu covered a number of points.  The most harrowing one was that the aeroplane wreckage from Malaysia Airlines flight MH370 has still not been found almost six years on.  The problem of traditional "black box" flight recorders is that you need to actually find the device in order to access the data.  Dr Yu discussed the possibility of continually streaming this data, albeit costly as satellite uplinks would sometimes be needed.  By streaming the data it's possible to conduct some flight incident forensics before the craft is found, aiding in the rescue effort.

Drone usage then came into the presentation, particularly when it comes to the use of drones for medical transport.  Considering London traffic, having an organ at one hospital that's needed for transplant in another hospital presents challenges as journey time can be long, even over a short distance.  London is generally a drone no fly zone although it is possible to obtain exemptions from the Metropolitan Police, granting the pilot a specific corridor to fly in.  Drones are being investigated as a means to fly organs between hospitals.

The problem is, some (I wasn't sure if it was "all") drones have a hard-set instruction that when the battery reaches 10% remaining charge, the drone must attempt to land.  In the right conditions (wind, distance) it would be possible to complete the journey, but under current configuration the drone would be forced to land.  If the drone lands in the Thames then the organ is lost.  Dr Yu's research looked at how reducing the location reporting when the drone is at certain locations (over the Thames vs over buildings) can assist in preserving battery charge.

Running secure workloads in insecure environments (Enarx)

This presentation was really engaging.  In summary, Enarx is a container running inside a Trusted Execution Environment (more details here).  By compiling your code into WebAssembly, the Enarx runtime will then execute your code in an Enarx Keep environment.

Keep is set up in the Trusted Execution Environment and is then interacted with via the Enarx Agent.  The agent itself is not a trusted component, but the interactions between the Keep environment and your management workstation are encrypted in such a way that the agent acts merely as a broker, unable to tamper with the application you're deploying.

Traditional stack showing what you need to trust in order to trust where your application runs. [1]

Looking at the traditional stack (above), Enarx ("middleware") sits below your application meaning that you only need to trust your application, Enarx and the CPU / management engine.  Traditionally you would need to trust the remaining items shown in the white box on the diagram above, meaning your hardware / cloud provider had a lot of control - with Enarx they cannot see inside your environment, so cannot tamper with it.

Importantly, the project is open source and hosted on GitHub.  I know the team would really appreciate assistance, either with the Enarx code itself, the documentation or just in discussion.  They're a friendly bunch.

Internet of Medical Things

Andy Bridden, an Internet of Things expert at PA Consulting, took the audience through our last keynote of the afternoon, looking at the IoT in the medical industry.  The ability to log data through lower cost equipment (e.g. heart rate monitoring) that can provide information to medical professionals can be invaluable in determining a diagnosis.  That said, there's clearly a challenge to protect that data while also making it accessible to the right people.  Further, network connected medication pumps, implants and pacemakers present risks that could directly impact the physical wellbeing of an individual.

Medical devices are historically well regulated, due to the risk of injury or death, and this regulation needs to apply to the Internet of Medical Things too.  The difficulty for the manufacturer comes in ensuring the equipment does the job, whilst being developed at a low enough cost to make profit, while not endangering life.  Andy supported a multidisciplinary approach to achieving this goal.

IoT: Are you safe after a breakup?

I spoke on the human aspect of the Internet of Things, and how IoT, like all technologies, is dual purpose.  While IoT can be used for good, the sad fact is that IoT is also being used for domestic abuse.  Feedback on my talk was positive, which is always nice, and the topic certainly prompted people to think if the conversations I had afterwards were anything to go by.

Me presenting at the conference (photo by Tim J, with thanks).

A slight technical issue (the "blank" button on my presenter remote) did cause a momentary blip in the presentation, as the screen went black.  I'm pleased that, besides commenting "what happened there then?", I was able to continue my presentation while I fixed the issue - as seamless as I could make it.  A few years back I'm not sure I'd have dealt with that situation as well.  I might unsolder that blank button!

My slides are published here.

IoT in smart buildings

The final talk before the panel Q&A was presented by Roberto Papara and discussed IoT advances in smart buildings.  By connecting devices together it's possible to manage the building better, leading to cost savings.  For example, only heating the shared spaces at times that historical data shows they're likely to be in use.  Additionally, by being able to contact residents it would be possible to notify them all that a fault with the lift, for example, had been reported and was being reviewed.  This reduces the need for multiple contacts with the organisation, keeping customer services costs down.

This concept can be extended to include sensors that detect leaks, reporting them automatically, or integration with larger systems such as boilers.  Roberto commented that while the additional data from people's apartments would be useful in reducing costs further, both for the tenant and the building owner, such data would also begin to infringe on an individual's privacy.  Careful handling of such a scenario could mitigate concerns but the benefit should be to the individual.

Conclusion

This was an interesting conference to attend, and certainly provided food for thought.  I've not covered all of the talks in this post but have touched upon those that gave me the most to think about.

It was clear from the conference that there are talented people keeping an eye on the IoT and security spaces; all that's needed now is strong vendor adoption to protect everyone's interests.


Banner image: The conference graphic.

[1] Modified graphic showing the layers in a traditional environment.  Original by Mike Bursell, taken from https://aliceevebob.com/2019/05/07/announcing-enarx/