Interview with Sarb Sembhi, Co-chair of smart built environment group at the Internet Of Things Security Foundation (IoTSF) and CTO & CISO at Virtually Informed

The IoT Security Foundation (IoTSF) is a non-profit international membership association with a mission to help secure the Internet of Things and make it safe to connect. As an expert resource for sharing knowledge, best practice and advice, the IoTSF is led by an executive steering board and consists of a number of specialised working groups. The largest of these working groups is the smart built environment group, and co-chairing that group is Sarb Sembhi.

Sarb is a renowned expert in the security world and writes and speaks widely about security, privacy and strategic issues in smart environments. He is also passionate about digital safety education for non-technical people and championing innovators and start-ups to help solve some of the world’s most challenging problems.

Sarb was integral to the reviewing of IASME’s IoT Security Assured scheme, working with us to ensure the scheme aligned to the IoTSF guidance. It is an understatement to say that Sarb is a busy man. We were lucky enough to pin him down for an hour to chat about the increasingly connected world we live in and the paradox of incredible opportunity and potential, coupled with serious and complex risks and limitations.

You are involved in many projects. Can you talk us through what you have been doing over the last year?

Virtually Informed is a company that I set up in 2015, working with partners and supporters to provide education on the impact of rapidly changing technology. The motivation behind it was to provide useful and relevant information to individual groups of users. Over those six years, we’ve been fine-tuning our content, creating some training courses, as well as a platform to support start-ups and innovators. In the last year, we re-designed our website and developed loads of content, including three regular blogs.

The Security2live initiative was set up to provide cyber security awareness information for people in their home environment. We want to help enable the home worker to be the CTO of their home environment.

As co-chair of the smart built working group in the IoTSF, I feel we have been fortunate this year in having a fantastic group of volunteers to create several important guidance documents. One for building owners and occupiers, a second one for manufacturers, and a third one for facilities teams (these are your physical security teams within an enterprise environment). These documents can get incredibly long and detailed, and we are mindful that we don’t want to put people off to the point that they don’t start at all. So, the aim is to break the guidance down in such a way that people will be happy to take on the challenge. So, they are likely to be broken down further, providing about five guidance documents.

Within the newly formed UK Cyber Security Council I’ve been the work stream lead for thought leadership. We’ve held a series of online workshops, which were think-tank type workshops at a UK-wide level, and there was some great input from some expert leaders from around the UK. It’s been a very interesting experience trying to do this all virtually.

Your area of particular expertise is smart buildings and smart environments. What is a smart built environment and why is it significant?

Smart buildings use sensors and microchips to control operating systems such as heating, ventilation, air conditioning, lighting and security, and to collect data. A smart environment includes smart buildings but extends the definition to embedded systems and data analysis in manufacturing and out into the physical environment of a city. This might include transport management, street lighting, public transport, and rubbish collection.

About 15 years ago, I started to look at the vulnerabilities in network CCTV systems and I was amazed at how vulnerable these systems were. When I spoke to the vendors, they said that they left security to the network level. The fact is, security is not just one layer, it’s multiple layers, and you need to respond to security within all those layers. Then I looked at heating, lighting, air conditioning, fire alarms, and all of these things had exactly the same problems. This was in the days before these things were called IoT. A colleague of mine, James Willison, and I had been talking about converged security risk management, which is where you look at risk management from a single perspective. When the bad guys attack you, they don’t separate the physical security from the cyber security; they have a single view of attack and do whatever they need to do to break in. Cyber and physical security managers need to look at security with a single view of risk and security; it applies to buildings, but it applies to everything. This subject has become very current recently, particularly in how security impacts smart environments.

You have been known to say, “If it ain’t secure, it ain’t smart”. What are the greatest risks the average person at home faces from their smart devices?

The risks vary so much from environment to environment. To give you an example, a couple of years ago, we had some building work done on our house and I said to my family, ‘I’m going to install every smart device that we can in our home if it meets two conditions. One is that it mustn’t take data out of our house, because while the data is in our house, I can ensure it is secure. Secondly, there must be functionality built into the device and the system that actually helps secure it, as opposed to just leaving it open.’ After that, when we looked at trying to develop our smart home, we installed 0 devices.

Every device that you look at for your home wants to take data out of your house, and if it doesn’t try to take data out of your house, it hasn’t got all the security controls built into it that it should have. The average home, especially over the last year, has been installing smart devices around the house, everything from CCTV through to refrigerators. Many of those devices are just like the applications on our mobile phones that try to steal our contact list; the devices that we are putting into our houses are doing the same thing.

Many of the devices owned by the big tech companies are collecting lots and lots of data; they are the ones that are adding unnecessary hidden functionality to devices. For example, Google released a smart thermostat the other year that included a microphone, and when it was discovered, they said, ‘oh sorry, we forgot to document that functionality’. How can you forget to document a microphone? This is not unusual. It doesn’t matter whether it’s toys or whether it’s doorbells, all of these things are collecting personal information about us continuously and not giving us a choice of what happens with that data. Those that may offer us that choice build it in such a way that the functionality of the product is dependent on your acceptance of their collection of your data, so there is no way for you to refuse without the product becoming almost useless.

Can you tell us about some of the ways you promote innovative solutions?

We have also been filming a blog which has been 18 months in the making and which we plan to go live with; it is called Sarb on Innovators. This project is about promoting good innovation; we do that by getting these start-ups in front of CISOs or decision makers and actually bringing them into the limelight. This is free and is for any business that we think has got a good innovative solution. We want to help them in as many ways as we can.

The big challenge that start-ups have got is that many decision makers are reluctant to work with them; it is too risky. They might be worried that they will fail, that the solution might not be finished, that the funding might not be there, or be unsure how they will deal with data. What we try to do is help start-ups mature very quickly, to the point where they are able to give all the information that decision makers need, but at the same time provide a fresh idea. Decision makers are used to speaking to existing vendors, who get stuck in providing solutions that have been around for a while and looking at new threats with an old-world view. Start-ups understand the threat space in a new way because they are looking at it with a fresh perspective.

What was the journey that led you to where you are now?

My background was originally in the public sector. I started in social services as a project manager, worked for a while in mental health, and moved from there to being a management consultant. I then decided that I liked technology, so I re-trained and went into development projects, which I did for about 7-8 years. Then I accidentally fell into security, and I’ve been in security for over 20 years now. When I was a management consultant, one of my specialisms was diagnosing organisational culture, and that has been a big part of security, because one of the biggest inhibitors to good security awareness is not understanding the culture. So often, the security of an organisation is determined by its culture.

I see your name is used to brand your new blogs. Can you tell us about those?

I am lucky that my name SARB also stands for Security and Risk Blog. On the new improved website, we’ve got three new blogs:

SaRB for SMBs: We want to demystify risks and security for people with little or no security background, so in this blog we aim to provide Digital Safety Skills for Small and Medium sized Businesses. It is a subscription service, but we are making it available for some small business subscribers for free, and you can read the first 850 words of every blog for free.

SaRB on innovators: This is the blog we talked about that introduces innovative start-ups to enterprise decision makers. It will be freely accessible.

SaRB on smart environments: This is a weekly blog that talks about the security and risk in smart environments. This will also be freely accessible.