How Disruptive secures its sensors against hackers

Tarjei Vassbotn, product lead at Disruptive Technologies, one of the most advanced manufacturers of sensors to monitor building condition, explains the firm’s approach to avoiding attack from cyber criminals.

“Security has been top of my mind for the last seven years,” he explains, referring to five years he spent at Google leading IoT relationships with Intel and other partners, developing Google Home and Google Assistant.

Vassbotn, whose formal job title is VP of engineering, likens an IoT attack to having your house broken into. “The big difference is the magnitude of impact – a criminal online can get into thousands and millions of houses at once and the attack can be automated and remote. It is hard to know who is doing it and how to stop them.”

Disruptive has shipped 20,000 units since mass production of its award-winning products – named best property innovation at MIPIM 2018 – began in autumn last year. Prior to that, its sensors were handmade at the company’s base in Norway. The one production line now turning out units, at a secret location in Germany, has capacity to make 20,000 a month. The lines can be replicated as many times as the firm wants, says Vassbotn, meaning potential capacity to supply could be endless.

Temperature sensor on a heating and ventilation system

Uses range from monitoring whether windows and doors are open or closed to temperature monitoring, helping asset managers in critical predictive maintenance.

It is early days for managing buildings by sensor but the first Disruptive clients, such as Integral, a JLL company, and Prescriptive Data, an affiliate of New York developer Rudin Management, are seeing “massive savings…profound” from running their buildings in a smarter way, says Vassbotn.

He said: “My hunch is we are only just getting started and we will see a steady acceleration of sales in the next year.”

Indeed, IoT is moving into our homes through Alexa and smart light switches, energy controls; public authorities are testing city-scale IoT in smart traffic lights; and industries such as hospitality are fitting sensors for food safety in restaurant kitchens.

As take-up of innovation in real estate grows, so too is the discussion around security. And Disruptive has been preparing for this from the outset. “It’s a constant battle. Disruptive has so far not suffered an attack but,” says Vassbotn, “We expect to be attacked.” He continues: “Most companies we surveyed at Google used unencrypted security, leaving themselves vulnerable.

“We think about security as not something you do once. Building security into our products is fundamental – it is not something we could bolt on afterwards.”

On Disruptive’s production line, robots in the factory touch sensors sending an encrypted message about the state of the chips and make-up of the sensor to the cloud for testing and get a test value before being approved or rejected. This happens three times. The firm offers clients free transport of content over cellular on a private network.

Need to know which windows and doors are open? Sorted

Every layer of the Disruptive sensing solution is secure, end to end, from the individual sensors to the applications processing the data. Measurement and sensor identity data is encrypted within the sensors themselves. The data stays encrypted through radio transmission, cellular or Ethernet forwarding over the Internet until it reaches Disruptive’s secure cloud. The data is then passed to customers’ applications via encrypted protocols. When it is manufactured, each sensor is assigned a unique asymmetric encryption key. Key generation is managed by a tamper-proof certified hardware security module. The public part of the asymmetric encryption keys is exchanged with Disruptive’s cloud via encrypted channels. Encryption keys allow sensors to communicate securely with the cloud, regardless of how communication packages are routed through different cloud connectors or how they are connected to the internet.

Disruptive has completed two independent security reviews, conducted by global safety company UL and security expert Lars Lydersen. Customers control access to projects and their organisation by granting roles to users and service accounts.

Vassbotn believes proptech is now leaving the “honeymoon” or “hype period” in the ‘Gartner hype cycle’ and entering the productivity phase; companies are waking up to what’s actually possible and how it could actually work.

For property companies wanting to guard their systems as they begin installing sensors in their assets, Vassbotn advises against standard off-the-shelf security checks. “Old certification such as ISO are from a previous age and not relevant. Do your own interviews [with product suppliers], hire ethical hackers to penetrate test – try and break in to your systems and buildings – it will work out cheaper than an off-the-shelf certificate that goes wrong.”

IoT industry certificates are emerging but there is no consensus yet on the industry standard, he adds.

“There’s a strength in not knowing everything. It is quite cheap, and you will get more out of it if you get a safety consultant to test your assets for you.”

• Read Disruptive’s white paper on security in IoT