ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when...

18
88 www.elevatorworld.com October 2019 FOCUS ON EMERGING TECHNOLOGY ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation by Guneet Bedi e benefits of undertaking a digital transformation for building-transportation professionals are well-known and cannot be overstated. From enhancing operational efficiency and predictive maintenance, to creating new revenue streams, implementing technologies like the Industrial Internet of ings (IIoT) has the power to significantly improve the way one does business. By now, most people know what the IIoT is in the abstract, and many companies are moving to implement it. While building-transportation suppliers and maintenance organizations can see real benefits from these technologies, it’s not as simple as setting up some sensors and pushing a button. In fact, deciding to undertake a digital transformation is just the first step of the process. Before any sensors or technologies are in place, one must first define the desired business outcomes for their organization, as well as identify return on investment (ROI) expectations. To Buy or Build? One of the first questions a business should reflect on is if it should buy or build the solution. In other words, does the business have the time and resources to build it in-house, or should it work with an experienced third-party partner? According to a Forbes “Insights” report, it took businesses, on average, 1.25 years longer to develop and deploy IIoT platforms than those that worked with expert partners. And, unfortunately, many companies realize they require additional expertise during the development phase, when it’s more difficult to pivot. To fully understand the elements needed for successful implementation, there are four key areas to evaluate during the decision-making process: 1) Do I have the time to undertake the project internally? Regardless of the size, any IIoT implementation takes time and planning for how it will impact your business in the short and long term. Beyond the orchestration of the technologies, there will also be ongoing support and maintenance of systems. Be sure to take all of this into account, along with how you would manage staff-training expenses and possible glitches or setbacks along the way. 2) Does my team have the necessary skills and expertise? From pilot programs to full transformations, you’ll need a dedicated team from the start to ensure functionality and stability of your technology. is includes solution architects and soſtware and hardware teams, all the way to the technicians installing technologies in shaſts or buildings. Aſter installation, you’ll also need a team to ensure the security of your infrastructure and

Transcript of ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when...

Page 1: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

88 www.elevatorworld.com • October 2019

FOCUS ON EMERGING TECHNOLOGY

ENSURING LONG-TERM IIOT SUCCESSWhat to know and ask when considering digital transformation

by Guneet Bedi

The benefits of undertaking a digital transformation for building-transportation professionals are well-known and cannot be overstated. From enhancing operational efficiency and predictive maintenance, to creating new revenue streams, implementing technologies like the Industrial Internet of Things (IIoT) has the power to significantly improve the way one does business.

By now, most people know what the IIoT is in the abstract, and many companies are moving to implement it. While building-transportation suppliers and maintenance organizations can see real benefits from these technologies, it’s not as simple as setting up some sensors and pushing a button. In fact, deciding to undertake a digital transformation is just the first step of the process. Before any sensors or technologies are in place, one must first define the desired business outcomes for their organization, as well as identify return on investment (ROI) expectations.

To Buy or Build?One of the first questions a business should reflect on is if it should buy or build the solution. In other words,

does the business have the time and resources to build it in-house, or should it work with an experienced third-party partner? According to a Forbes “Insights” report, it took businesses, on average, 1.25 years longer to develop and deploy IIoT platforms than those that worked with expert partners. And, unfortunately, many companies realize they require additional expertise during the development phase, when it’s more difficult to pivot.

To fully understand the elements needed for successful implementation, there are four key areas to evaluate during the decision-making process:1) Do I have the time to undertake the project internally? Regardless of the size, any IIoT implementation takes

time and planning for how it will impact your business in the short and long term. Beyond the orchestration of the technologies, there will also be ongoing support and maintenance of systems. Be sure to take all of this into account, along with how you would manage staff-training expenses and possible glitches or setbacks along the way.

2) Does my team have the necessary skills and expertise? From pilot programs to full transformations, you’ll need a dedicated team from the start to ensure functionality and stability of your technology. This includes solution architects and software and hardware teams, all the way to the technicians installing technologies in shafts or buildings. After installation, you’ll also need a team to ensure the security of your infrastructure and

Page 2: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 89

that the cloud connectivity and edge solutions are functioning correctly.

3) Do I have the resources on staff to conduct the project (and can I afford to take those resources off current initiatives driving business results)? While the IIoT can have transformative results, many companies underestimate its complexity. Even if your team has the technical skills to build, install and maintain your IIoT infrastructure, be sure to consider if you have the bandwidth to pull them away from their regular responsibilities at the core of your business.

4) Can my IIoT solution scale and keep up with ever-evolving technology? IIoT solutions are never truly finished. It’s crucial to build your solution so you can adapt it to new advancements over time, as well as scale it throughout your organization. This is especially true for elevator management and service providers; implementations typically involve retrofitting elevator cars and shafts with highly technical sensors intended to detect even the slightest anomalies in noises, vibrations, luminosity, temperature and power supply. As new buildings are erected, and technology advances, it’s vital your solution is flexible enough to keep up.For companies that specialize in inspections and long-term

management of elevators across hundreds — if not thousands — of locations, it can be difficult for an IIoT infrastructure computing on the edge to continue supporting one protocol as the number of connected lifts increases. In addition to ensuring compatibility, middleware sustainability and network limits, unless one has the required resources, most do-it-yourself solutions can’t accommodate the sheer amount of data produced and the resulting complexity.

How Long Should Digitization Take?One of the biggest concerns for businesses on the

cusp of implementing the IIoT is the risk factor. Not only does the IIoT involve significant time and financial investments, but for many in the building transportation industry, it also represents uncharted waters. Some companies are OK with a total transformation and completely switching their business models; others prefer to mitigate presumed risks by taking smaller, more incremental steps.

While there are insurance-backed solutions and warranties that act as a safety net to guarantee your desired business outcomes, the IIoT isn’t “one-size-fits-all” and takes into account many variables specific to a company. Whether you press the reset button and shift quickly, or roll out changes in phases, consider breaking down your business objectives into micro-goals. This offers a case-by-case basis to reassess, measure progress and make any adjustments, if needed. It also allows companies to show success to internal stakeholders.

To establish the most practical micro-goals for implementation, one must start by determining the critical elements needed to help them reach their business objectives. This will be a roadmap, which can be used to plot out specific milestones.

For example, let’s say a business maintains a variety of elevator models and units that are all in different conditions and across several locations. The desired business outcomes are to increase revenue by predicting maintenance needs so the business can deploy service teams as needed. When deployment starts, however, what works in one location, or with a different type of unit, may not have the same results in another building. By including micro-goals in a timeline, one can account and pivot for these types of hiccups.

Starting the JourneyThe benefits for building transportation companies to connect

existing units to be able to identify problems and necessary maintenance issues in advance are clear. But it’s important to remember that this is not just bringing on a tool or a quick fix; this is the beginning of a journey. Implementing IIoT can be a complex and time-intensive process that requires many resources. Therefore, it’s essential to approach any IIoT implementation from all angles and be sure to ask the right questions from the beginning.

Guneet Bedi is vice president global sales, general manager – Americas at relayr, which supplies complete solutions for risk-free digital transformations. He oversees the company’s sales, business-development and revenue-generation efforts. Bedi can be reached at [email protected].

Not only does the IIoT involve significant time and financial investments, but for many in the building-transportation industry, it also represents uncharted waters.

Page 3: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

90 www.elevatorworld.com • October 2019

FOCUS ON EMERGING TECHNOLOGY

INSIDE THE MIND OF A HACKERThese days, computer misdeeds are most often

perpetrated in a businesslike manner.

by Mark Hearn

This article was first presented at the 2018 International Elevator & Escalator Symposium in Istanbul. For more information on December 3-4, 2019’s event in Las Vegas and to participate, visit www.elevatorsymposium.org.

“Inside the Mind of a Hacker” sounds a bit like the title of a psychological thriller. You can picture the main character as a lone wolf, up in the early hours of the morning, crafting the perfect hack to wreak havoc across the world. Reality, however, is very different. Criminal hackers work like any other business, as part of commercial — albeit illegal — networks, with clear business models. We have come a long way from the lone hacker stereotype.

The hacker business is booming. It seems there is not a day that goes by without reports of private data leakages, botnets, ransomware attacks and zero-day vulnerabilities being discovered. There are many factors at play, which together form the perfect storm:1) Increased connectivity between a multitude of devices, ranging from cars to pacemakers, is creating more

opportunities for hackers to get in. In many cases, internet connectivity was simply added to these devices without much thought for the security risks — either to the device or ecosystem in which it operates.

2) Along with this increased connectivity is the proliferation of devices outside a traditional information technology (IT) security infrastructure. These devices make up the edges of the Internet of Things (IoT) networks but are easy for hackers to gain access to. Once in the hands of the attacker, they have lots of time to apply their tools and techniques and find a scalable attack into the device.

3) Networks such as the dark web, or even just the internet, have become a platform for hackers’ businesses, because they remove the complexity of mounting an end-to-end attack. Instead, cybercriminals can specialize in a part of the value chain, such as creating a botnet and selling it to the highest bidder.

4) Standardization of common chipsets or platforms, such as Linux and Android, allows hackers to use their tools against many products, often against targets in vastly different markets. This makes their hacks scalable and transferable between countries, industries, devices and cloud platforms.Given all these changes, it’s surprising that we’re still approaching software security the same way we did 20

years ago: ♦ There is still a heavy focus on network or perimeter security, aimed at preventing access to software from

outsiders. But, this is directly at odds with the unstoppable push to have everything connected; at a certain point, there will be no such thing as an “outsider.”

Page 4: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 91

♦ There is still a goal of making something “fully secure” from the outset with little thought to evolving that security. But this model misses one of the greatest advantages of software: it is easily updatable.In today’s connected world, you need a different approach, one

that focuses more on what criminal hackers are trying to accomplish, one that starts from the premise that our software runs in an accessible, and, therefore, hostile environment. You need to identify your most valuable assets, explore why they are of interest to someone else, figure out how they could be attacked by someone with privileged access, then apply defenses that will make those attacks unprofitable. You need to start thinking like a hacker.

The Business of HackingOnce we recognize that criminal hackers are operating like a

business, we see they are driven by the same goals as any other business — maximize revenue and minimize costs.

RevenueA hacker will go after targets that have the most value for

them. Is there intellectual property (IP) or a proprietary algorithm that could be obtained? Personal data that can be sold on the dark web? A safety system that can be compromised? Is there a way to paralyze a system or damage a company or brand to extort a ransom? Or, more directly, are there money streams that can be manipulated? The more valuable the asset, the bigger the payoff. Also, the more common the weakness, the more revenue that can be made.

CostThe quicker an attack can be set up, the lower its cost, so

hackers tend to go for the path of least resistance. Imagine a burglar — he will not try to break the robust security of the front door or get through the ground floor windows that have sensors installed. He will spot the shed with the cheap padlock to access a ladder and then break into the floor above. As with a house, software will never be completely impenetrable, but anything that makes hacking too time-consuming or a one-shot attack — and, therefore, too costly — will encourage the hacker to move on to an easier target.

Asset and Threat IdentificationThinking like a hacker starts with asking yourself a basic

question: “What do I have that a hacker wants?” These are the assets that must be protected. As above, this could include IP, digital content, personal data and more.

For each asset, you then ask, “What can a hacker do with this?” More specifically, “How will they leverage the asset to drive revenue?” These are the threats, and they are ever-present. For example, a criminal hacker may lift valuable IP from your application and use it to make a competing product without repeating your significant R&D investment. This threat — theft of IP — will exist for as long as your product is active.

One way of categorizing threats is the STRIDE model, developed by Microsoft. STRIDE stands for a way of classifying threats into six categories:

1) Spoofing — impersonation of a person or process2) Tampering — modification of an asset3) Repudiation — denying an action took place4) Information Disclosure — revelation of a secret5) Denial of Service — affecting the availability of a system6) Elevation of Privilege — unauthorized access

Such a model is useful for encouraging a more holistic consideration of threats. What if, instead of stealing IP to sell a competing product (Information Disclosure), criminals offered a service to disable license checks in your software (Tampering), allowing it to be freely pirated? What if the criminal is looking to embarrass your company to profit from shorting your stock price? Or, what if the criminal is not actually interested in attacking your company, but rather sees your product as a large-scale attack vector against all of your customers? Each of these is a completely different business model for the hacker, but all are equally damaging for your business.

Attack IdentificationNow that you’ve identified what hackers want and what they

want to do with it, you move on to the next part of thinking like a hacker: “How will they get to my assets?” These are the attacks against your software. It’s very important to be thorough when identifying attacks, because this is a hacker’s main advantage: they only need to find one attack, whereas you have to defend against all attacks.

This article focuses on software attacks, because this avenue is so often overlooked, but attack identification must also consider hardware attacks, protocol attacks, database attacks, network attacks, cloud attacks and more.

Attack PhasesIt’s very important to understand that almost all attack

development goes through predictable phases:1) Reverse Engineering — analysis of code and data, looking for

assets and vulnerabilities (paths to an attack)2) Modification — static or dynamic tampering of code or data to

realize a threat3) Automation — allowing the exploit to be done automatically

and repeatedlyFor certain attacks (e.g., IP theft), step 2 might not be

necessary. But, step 1 is critical, and step 3 is what allows criminals to turn an isolated attack into a scalable business.

Why is this so important? Because this is your main advantage. Criminal hackers must execute all phases of an attack to realize their business objectives. You can put up defenses at every phase and thereby increase the hacker’s costs. With enough barriers, the attack is no longer cost-effective, and the hacker looks elsewhere. We will return to this idea of “defense in depth,” employing multiple techniques to make every phase of the attack more difficult.

Attack TechniquesFollowing, we describe several attack techniques for each

phase. A successful attack generally combines one or more techniques from each category.

Continued

Page 5: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

92 www.elevatorworld.com • October 2019

1) Reverse Engineering

Attack Technique DefinitionRuntime memory inspection The act of copying the contents stored in volatile random-access memory onto a

hard disk so it can be analyzed later. Attackers can also analyze the memory contents after power off. Targets include secret data, such as unprotected cryptographic keys.

Disassembly The act of translating from binary code into assembly language, making it more readable to attackers

Differential attack The act of comparing two variations of the same software and/or data. By detecting binary differences, attackers can identify and target code to which security enhancements have been applied.

Collusion An attack tactic whereby two or more attackers work together in an agreed-upon fashion to improve the chance of a successful attack.

Reverse control flow The act of tracing a program’s execution on an instruction level to identify locations of function calls, loops and conditional branches

Interactive debugging The act of using an interactive debugger to execute targeted software in a controlled manner to breach the software’s security

Process snooping All of the reverse engineering that can be performed without interrupting an existing process. During startup, possible targets include “call home” functionality, unexpected licenses and user data checking.

2) Modification

Attack Technique DefinitionData lifting The act of extracting data from a static section of an application and linking it or

loading it in a different application

Code lifting The act of extracting code from a static section of an application, either by explicitly pointing to a section of memory where specific code resides (in-place code lifting), or by decompiling one section of binary and recompiling it into another binary (out-of-place code lifting)

Modifying control flow The act of changing the original behavior of a computer program. This involves altering the computer instructions by composing alternate instructions to gain access to functionality not originally intended.

Data file replacement The act of replacing original data files that correspond to limited access or execution privileges with new data, allowing an attacker to gain privileges that were not originally accessible.

Program file replacement The act of replacing a dynamically loadable executable, which was intended to be used by the author, with a file that may have malicious side effects. Potential attack goals include extracting premium protected media content or bypassing a license check.

Instruction replacement The act of adding, modifying or removing binary instructions

Branch jamming The act of changing the Boolean result of a condition so that the branch target of the condition taken at runtime is reversed

Page 6: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 93

Attack AnalysisThe attack analysis process involves working backward from an

identified threat against an asset, which can be seen as an attacker’s end goal, and determining all the attacks that could take the attacker to that end goal. This is repeated for every threat against every asset to build out a full view of where attacks might occur and, thus, where defenses need to be applied. This will give the owner of the targeted system a set of security requirements to build into its products’ architecture and design.

Frustrating HackersNow that you’ve thought like a hacker and identified which

attacks can be launched and how they will proceed, you are ready to systematically deploy defenses to frustrate the hacker’s efforts. There’s no perfect solution that will shut out an attacker for all time; instead, there’s a multilayered and dynamic approach that raises costs and lowers revenue for the hacker. By hitting criminal hackers where it hurts — their business model — you make yourself a far less attractive target.

An analogy we sometimes use is this: if you are trying to reach a destination, are you going to choose the straight path with clear visibility or the treacherous path in the fog? Most people will choose the easy path, and so do most hackers. By applying the right layering of defenses in the right way, your software becomes the treacherous path for hackers trying to reach a destination of revenue, and they will go elsewhere.

The SPIDER ModelA good defense in depth approach should act like a web — the

different parts should be mutually strengthening with no single point of failure. We call our particular approach the SPIDER model to reinforce this image of a web of protection. SPIDER stands for Software Protection: Integrity, Diversity, Entanglement and Renewability. Let’s look at each of these properties in turn:

♦ Integrity: Integrity verification will ensure your software hasn’t been tampered with. Like silk, it gives the web of software protection its strength. It is useful at loading time but is enhanced when it is dynamic: checking software integrity throughout the execution of the software. A reliable and robust/tamper-resistant integrity verification capability is an important element to establishing a software root of trust, especially when hardware anchors are not available. Philosophically, integrity verification can happen throughout each component of software protection; for example, see “Entanglement,” below.

♦ Diversity: It has been understood for quite some time that a security solution needs to be renewable and diverse to support a proper security lifecycle. In software protection, diverse instances of software can frustrate a hacker’s efforts to understand what is going on, especially when a simple change to a random seed can create diversity in the algorithmic code and data cloaking such that the instances have very good separation between each other. In the world of the spider, the web will vary over time, as well, typically due to an attack, capture of a bug or other external events. Also, spider webs are very diverse but are built in a repeatable algorithmic way — just like good software protection.

♦ Entanglement: Entangling code and data as part of software hardening is an effective technique that can help reinforce the software’s protection. Entanglement can be applied algorithmically at the source level such that nothing can be modified without affecting the control flow of the program. This is another good example of how software protection is like a spider web — the web is very sensitive to disturbances of bugs landing on the silk.

♦ Renewability: Since effective software protection has a measurable impact on hacker productivity, it is feasible to anticipate the “time to hack” and use renewal of the software protection to deliberately frustrate the hacker’s progress midstream. When a breach in security is detected, new, diverse instances can be created in combination with the application of a different set of protections for an effective renewal cycle. This latter point is very similar to a spider web in that, once breached, it remains mostly intact and is easily repaired.

Software Protection: It’s More Than Just Software

We believe a complete software protection strategy must have a significant component that is software-based. There is an obvious reason for this: if the software itself has been modified to make it harder to attack, there is no layer that can be peeled away to get at the original software. The other major reason to have software-based defenses is renewability. As argued above, renewability is an essential of software protection, and a pure hardware solution is just too slow and too costly to renew regularly. This is why the defenses enumerated here are software-based.

That said, when the goal is preserving your business, you can and should use every tool at your disposal. If your platform has a trusted execution environment, using it will significantly raise the

Attack Technique DefinitionAutomatic exploits The act of automatically modifying the application to cause the changed behavior

Redeployed data files The act of redistributing an entire system to decrypt content once an attacker understands what is required to decrypt the content

Dynamic library exploits The act of taking advantage of vulnerabilities in a dynamic library

Unauthorized invocation The act of launching or executing software by an unlicensed party

3) Automation

Continued

Page 7: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

94 www.elevatorworld.com • October 2019

bar against reverse engineering. If you have access to a true random-number generator, this closes the door against attacks that tamper with random data. Cryptographic co-processors can improve both the security and performance of your critical cryptographic operations. A hardware-anchored secure boot can be leveraged to provide ongoing integrity verification.

The best software protection comes from a combination of software- and hardware-based defenses working in tandem. Again, defense in depth is the name of the game.

Components of the SPIDER model

Our SPIDER web has three anchors:1) Code Transformation and Obfuscation is performed by the

Transcoder, a source-to-source tool that makes software harder to reverse engineer and tamper with without altering functionality.

2) Whitebox Cryptography provides white-box attack-resistant implementations of standard cryptographic algorithms, providing specialized protection to one of your most critical assets, cryptographic keys and data.

3) Integrity Verification and related technologies use application programming interfaces (APIs) to create links between program functionality and ongoing security checks, ensuring your software resists both static and dynamic attacks.Importantly, all these pieces work together, both to protect

each other and provide defense in depth. Moreover, each technology is highly data-driven, allowing for considerable diversity and renewability, controlled simply with two random seeds.

Code and Data Entanglement

Data and Data Flow Transformations

Data transformations are recommended against runtime memory inspection, interactive debugging, process snooping, data lifting and automatic exploits. They work by encoding atomic pieces of data using mathematical formulae, thus protecting the original values. This process can be iterated to protect complex data structures such as files and arrays, dynamically allocated memory and linked structures with potential aliasing.

Data flow refers to the ordinary movements and computations involving data in a program. It includes arithmetic operations, Boolean operations, assignments and more. The objective of data flow transformations is to keep the data in a protected state throughout the data flow by hiding basic operations behind complex mathematical transformations and a high degree of additional uncertainty or entropy. Variables, constants and operations are all diffused into the program flow, making the original computations and data extremely hard to determine.

Even simple encoding provides a degree of protection. For example, consider an original variable x transformed to x’ = sx + d, and an original variable y transformed to y’ = ty + d. To transform the computation z = x + y, we perform a transformed addition of x’ to y’, giving z’, as z’ = vx’ + wy’ + b, where v, w and b are constants computed based on the underlying data transformations. Even in this simple example, the combined transform space for the computation is over 100 bits. Data flow transformations available in practice go well beyond the above simple linear transformation and may combine multiple mathematical domains.

Page 8: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 95

Control Flow TransformationsControl flow is recommended against disassembly, reverse

control flow, interactive debugging, modifying control flow and branch jamming. It refers to the execution path followed as programs run and transfer control to various blocks of statements. Control flow transformations aim to make it extremely difficult to recover the original control flow of the program, which vastly increases the cost to the attacker attempting to reverse engineer the application.

The most fundamental control flow transformation employed is “control flow flattening.” Control flow flattening changes all control flow in a function (“if ” statements, loops, jumps, etc.) into a single switch statement, which allows the value of a variable or expression to change the control flow of program execution via search and map. This alone significantly reduces the program flow information available to an attacker.

Additional transformations build on top of control flow flattening, adding dummy branches (paths based on values the switch variable will never take) and history-dependent coding, which makes the switch variable dependent on the history of the application control flow and requires correct navigation through conditionals for proper execution of the application. This capability inhibits both analysis and tampering attacks, because any attempt to bypass a branch will have an unpredictable impact on the rest of the control flow.

Branch ProtectionBranch protection is recommended against modifying control

flow and branch jamming and a targeted anti-tamper defense for conditional statements (ifs, loops, etc.). Attackers typically try to jam or bypass important branches in the code to sidestep security checking, or to modify the original flow of the program. Branch protection prevents branch jamming by adding code that causes the program to behave incorrectly if the branch is jammed. By analyzing the condition in the branch, certain properties are derived that hold if the condition is true but do not hold if it is false. Based on these properties, branch protection creates mathematical dependencies between the conditions and existing code. This ensures the program will be in an incorrect state if an attacker jumps to a specific branch.

String TransformationsString transformations are recommended against data lifting

and automated exploits. This special type of data transformation works on string literals. Their goal is to render all literal strings in the application meaningless. Special handling is needed, because there is no “string flow” analogous to data flow in an application. Thus, extra code is generated to properly decode literals when needed, so they can be properly rendered in error messages and the like.

API ProtectionAPI Protection is recommended against code lifting and

dynamic library exploits.

Function Signature TransformationsFunction calls represent a clear boundary that can be exploited

by an attacker to get considerable insight into your program. In

particular, looking at the parameters passed to a function can provide information about that function’s purpose. Function signature transformations disguise function parameters by inserting them into a type-masking array intermixed with dummy parameters. The result is that all function calls look similarly ambiguous.

Function MergingFunction merging takes advantage of the uniform signatures

described above to create new functions by merging the bodies of two or more functions together. This creates a false dependency between disparate parts of the program, thereby frustrating an attacker’s attempt to understand functionality.

Function IndirectionFunction indirection exploits the simple fact that function

pointers are harder to trace than function calls. It works by creating function pointers and replacing standard calls with indirect calls through pointers.

Secure InliningThe secure inlining function allows you to merge separate

logical sections of code within a file before transforms are applied. It is like standard function inlining, but its purpose is to remove function boundaries and combine operations to obscure program logic. Secure inlining may increase code size, yet it often improves performance.

Secure inlining is most powerful when used in conjunction with function signature transformations, function merging and function indirection. The overall result is a significant manipulation to a program’s function boundaries.

Whitebox CryptographyAlmost every application related to security will use

cryptography, whether for authentication, confidentiality, integrity, non-repudiation, or a combination thereof. The strength of a cryptographic implementation is directly related to the secrecy of critical security parameters, most notably cryptographic keys. These keys can be protected in storage and in transit, but in a software environment, under the control of an attacker, the keys are especially vulnerable in use. In this so-called “white-box attack context,” attackers can observe execution and lift keys, completely negating the security of the system.

Our “whitebox cryptography” libraries are designed specifically for the whitebox attack context, keeping keys protected even when in use. It is recommended against data lifting and unauthorized invocation. With a full set of cryptographic primitives, including AES encryption, RSA encryption and signing, ECC encryption and signing, SHA2 hash, HMAC message authentication code, and cryptographic strength PRNG, these implementations can be used as a secure alternative to standard libraries like OpenSSL.

Since producing the first practical whitebox-attack-resistant AES implementation in 2002, Irdeto has continued to advance its technology to stay ahead of the latest threats. Today, its whitebox implementations are protecting keys in well over a billion devices.

Continued

Page 9: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

96 www.elevatorworld.com • October 2019

File Encryption and Secure StorageAs well as protecting data in transit, whitebox cryptography is

also useful for protection of local data at rest. This can be done with file encryption, providing static protection of other files that form part of the application. It, with Irdeto’s Secure Storage library, is recommended against data file replacement and unauthorized invocation. The library provides a straightforward interface for the persistent storage of arbitrary data. In both cases, whitebox cryptography ensures the keys will never be exposed.

Integrity VerificationIntegrity verification is recommended against code lifting, data

file replacement, program file replacement, instruction replacement, redeployed data files and dynamic library exploits. It is a secure method of validating the integrity of an application, and it can also ensure the integrity of external modules interacting with that application. Integrity verification ensures that software cannot be tampered with, either statically or dynamically, without detection. This significantly raises the bar in tamper resistance, because an attacker must not only reverse engineer a program and make modifications to the binary; he must also defeat the integrity checking, as well. Irdeto offers two variations of integrity verification.

The company’s Buildtime IV component is a more secure variation of code signing that ensures trust on an untrusted host. The customer signs modules at build time, storing an encrypted hash of the target module with the final application. At runtime, we compare a runtime hash of the target module with the encrypted hash from build time. Also, because the Buildtime IV library is statically linked into the application and signed, it continually monitors its own integrity.

Irdeto’s Runtime IV component is appropriate for environments where the application binary is not finalized at build time, such as iOS bit code. Runtime IV uses defense in depth to create a window of trust where application signatures can be computed at runtime; thereafter, it is functionally equivalent to Buildtime IV.

Both Buildtime IV and Runtime IV are integrated into the application using callbacks. Each IV call takes a function pointer called the success callback. If the check passes, the success callback is invoked, and execution continues normally. If the check fails, the callback is not invoked, meaning tampered programs do not follow the correct program flow.

Anti-DebugDebuggers are an invaluable tool in the hacker’s arsenal,

allowing them to execute a program step by step and to watch data as it flows through the application. As such, anti-debug technologies are an excellent way to frustrate reverse engineering attacks. Recommended against interactive debugging, they have three variants:1) Timing-based anti-debug (TBAD) works by comparing the

actual time taken to execute a series of instructions with a predetermined expected time. Because stepping through instructions using a debugger is orders of magnitude slower than executing them at full speed, these timing checks will fail in a debugger environment. Negative timing checks (ones that

are expected to fail) can also be used to prevent the attacker tampering with the system clock.

2) Signal-based anti-debug is available in user mode for Android and embedded Linux environments. It works by intercepting all signals from the application and invoking special handlers to process those signals. An attached debugger will process the signals differently and will thus modify application behavior.

3) Ptrace-based anti-debug is available for iOS systems only. As soon as the application starts up, the ptrace system function is called to attach a monitoring process. This prevents any other process, including a debugger, from attaching to the application, so the debugging session cannot even start.

Anti-HookMany of the modification attacks listed above are facilitated

using “hooking.” Generically, hooking is an attack technique that instruments and modifies program flow by modifying APIs. We offer specialized techniques to frustrate hooking. They are recommended against program file replacement, instruction replacement, automatic exploits and dynamic library exploits.

Jailbreak and Root DetectionAttackers wishing to gain full control over mobile devices as a

precursor to application analysis and tampering will take advantage of one of several public tools for jailbreaking (iOS) or rooting (Android) the device. (For simplicity, we will use “rooting” as a blanket term in the following.) With each new operating system release, some tools are defeated, others are updated, and new tools appear.

Irdeto thus employs an ever-evolving suite of techniques for detecting that a device has been rooted. This includes looking for binaries that are part of popular rootkits, checking the behavior of certain system functions and more. As with anti-debug and integrity verification, callbacks are used to make sure these checks are done as part of correct program flow.

Hooking DetectionOn mobile devices, hooking is accomplished using a hooking

framework such as Cydia Substrate. Irdeto’s hooking detection technology looks for the presence of these frameworks, with callbacks used to determine the appropriate application response.

FingerprintingRecommended against redeployed data files and unauthorized

invocation, fingerprinting is the process of collecting attributes from a given device to uniquely identify that device. The attribute values are coalesced into a value called the fingerprint; the intention is that any other device would have a different fingerprint. Irdeto provides a library that allows users to choose which system and application attributes they want to gather. It combines that data to produce application-specific fingerprints. Moreover, using a variation on secret sharing to protect the fingerprint computation, Irdeto can support advanced m of n schemes, where some of the queried attributes can change without affecting the computation of the fingerprint.

Fingerprinting on its own is an identity feature that can be very useful in frustrating automation attacks. When combined

FOCUS ON EMERGING

TECHNOLOGY

Page 10: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 97

with other program data, it can be used for “node locking,” ensuring that data is usable only on the given device and cannot be shared with others.

Diversity and RenewabilityImagine your defenses as a maze you are making the attacker

navigate to reach the prize (a successful attack) at the center. A maze can be fiendishly complex (defense in depth), but, with enough time and effort, the attacker will be successful — that is, unless the maze keeps changing. This is renewability — the option to change the specific defenses with each software update, forcing the attacker to start their efforts from scratch. What’s more, all the time spent navigating one maze does not make navigating a second maze easier. This is diversity — the option to have multiple variants of your software, vastly increasing the effort required to launch a widespread attack. Along with renewability, it is recommended against differential attack, collusion and automatic exploits.

With Irdeto’s technology, creating diverse protected instances of your program is easy: simply decide how many copies of the software you want, and the tools do the rest. Renewability between updates can be achieved by providing different seeds to the internal PRNG; the result will be different data transformations, control-flow transformations, function transformations and key protections. Where necessary, transformation information can also be ported from one version to the next to facilitate backward compatibility.

Overlapping and Interacting ProtectionsWhile each of the techniques above is effective on its own, the

full threat mitigation comes when they are used together. Some examples:♦ All of Irdeto’s library code is protected using the Transcoder,

making it harder to reverse engineer the security techniqueitself.

♦ Buildtime and Runtime IV make use of whitebox cryptographyto protect the verification operations.

♦ Hook detection increases the difficulty of working around anti-debug.

♦ Anti-debug makes it harder to manipulate callbacks to defeatintegrity verification.

♦ Integrity verification thwarts attempts to modify the binaryand strip out root detection checks.

ConclusionCybercrime is a hot business in which hackers have the

advantage. To combat the rising trend, all companies

participating in the ecosystem must be on top of their game. If you develop connected devices or software, you need to choose wisely where to spend your time and budget. “Thinking like a hacker” will help shift your focus from trying to defend the perimeter (since it doesn’t exist) and from trying to make software impenetrable (not possible), to a strategy that targets cybercriminals where it hurts them most: by breaking their business models.

Multilayered software protection makes hacking your applications too time-consuming and expensive and can therefore be an incredibly valuable part of your cybersecurity arsenal. The Cloakware suite of tools, as characterized by the SPIDER model, gives you a powerful, robust and renewable way of making your software unattractive to hackers.

Mark Hearn is director of IoT security at Irdeto. He is responsible for leading Business Development strategies to secure organizations’ IoT applications and connected devices. Hearn has been with Irdeto since 2003, through Irdeto’s acquisition of Cloakware. Hearn is a product-management executive with 20 years’ experience bringing technology and business requirements together to solve market problems, particularly within the media entertainment and security markets. In addition to being a product leader in the private sector, Hearn has also provided business analysis security consulting to the Canadian government and has spoken at security conferences. He holds a Bachelor of Computer Science from Acadia University in Wolfville, Canada, and has received certifications in product management, technical marketing and strategic marketing.

Cybercrime is a hot business in which hackers have the advantage. To com-bat the rising trend, all companies participating in the ecosystem must be on top of their game.

Page 11: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

98 www.elevatorworld.com • October 2019

FOCUS ON EMERGING TECHNOLOGY

THE FUTURE IS NOWThis Product Spotlight describes passenger conveyance

management systems with IoT from IDS/Lift-Net.

by Winslow Soule and Ricky Williams

Modern building management requires real-time information collection (and, sometimes, emergency control) of passenger conveyance systems. This data is essential for passenger safety, building security and equipment reliability. Not only do we need to know the position and current real-time status of all equipment, in many instances management also needs to have certain controls. These data-access and control functions are often provided on workstations local to a particular building and, increasingly, over a wider area. With networked Internet of Things (IoT) devices, this capability extends to an entire campus, or even an entire portfolio, encompassing a large geographical region. Management is also expecting conveyance systems to integrate with other building automation and management systems (BAMS), such as Maximo, to document operations and automate work-order generation and other management functions. This technology has been previously available in certain systems, though typically only to large manufacturers. Emerging systems are now making its features available even to smaller contractors.

Traffic and Fault Analysis and ReportsInteractive management systems can provide a traffic-predictive environment by monitoring and controlling

functions such as parking, zoning and other similar functions. These can be adjusted manually or automated in a timer-based schedule to accommodate anticipated traffic patterns.

Interactive management systems can provide a fault-and-maintenance-predictive environment by monitoring, recording and analyzing fault occurrence and duration. This data can provide timeframes for more efficient maintenance schedules by anticipating the need for maintenance before a breakdown requires it.

The modern monitoring and management system will track, record and report on up-to-the-minute movement, status changes and faults. This data is stored and can be recalled, exported and replayed as desired for any arbitrary time and date. Specific events can be analyzed, even well after the fact. The system will provide immediate and historical statistics on traffic, car/group service, handling/carrying capacity, wait times, distribution and traffic summaries. Customizable report types, including graph and spreadsheet formats, allow system overview and performance at a glance.

Page 12: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 99

Control FeaturesBuilding management is now requesting standard control

features and customized functions, such as flood/hurricane service, jail service, judge’s car, baby abduction, secured lobby, riot control, active shooter and secured hall and car calls. These features allow management to customize operation and predetermine how the equipment reacts under various conditions, sometimes simply for convenience, but also for emergency operation and response.

Integration With Building Automation and Security

Conveyance management systems are expected to send a subset of the conveyance equipment real-time data to external third-party BAMS and other automated work-order systems. In addition, conveyance systems must have increasingly complex integrations with security-control systems, often using emerging biometric authorization and cameras.

Integrated Display Systems (IDS)/Lift-Net™ strives to rapidly make IoT technologies available to the passenger conveyance industry. This information can be local to a building, networked around a campus or made available on secured connections anywhere over the internet.

Lift-Net communicates with most manufacturers’ elevators, escalators or moving walks using prearranged serial data communication protocols. The Lift-Net serial protocol, which was developed and published by IDS specifically for this purpose, is used most frequently. Other data protocols as desired by the OEM are sometimes used. The communications may be implemented over a variety of physical media, including rs232, rs422/485 over twisted pair, and Ethernet or Token-Ring via TCP/IP or UDP connections. Lift-Net hardware-interface panels may also be used to connect older relay-based equipment on a point-to-point basis. Lift-Net communicates with various third-party building automation and security systems using OPC, BACNet TCP, Modbus and other standard BMS protocols. Custom database integrations are often required, as well.

Because such a wide variety of information and features is available from the system to all users with the correct authority,

even at remote locations, the return on investment of a Lift-Net system should be realized faster.

Figures 1 and 2 are display images available from standard Lift-Net workstation screens.

Lift-Net Web ServicesMany Lift-Net installations are implemented over very high

security — so-called “air gap” networks. In these installations, such as in airports and military, transit and government facilities, no chance of outside infiltration can be tolerated, and internet

Continued

Figure 1: Workstation screens in lobbies, management offices and security rooms in a multiple-high-rise building complex

Figure 2: Typical airport or transit installation sectional screen showing elevators, escalators and moving walks: workstations are in the elevator service office and operations command and security rooms

Page 13: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

100 www.elevatorworld.com • October 2019

connection to the outside is prohibited. As we move forward, however, with better tools and more robust protocols, more of our customers are recognizing the very real benefits of having the appropriate personnel be in touch with their conveyance systems, regardless of their physical location.

Those using Lift-Net web and IoT services are provided a special login on our secure HTTPS website. The Lift-Net computer on a web customer’s site will open a secure outbound connection using a special encrypted tunnel developed by IDS to our leased servers on the internet. The secure leased server will then send the real-time, service-mode and fault data to the

customer’s individual pages on the Lift-Net website to be viewed using their secure login.

The web-services information is displayed on standard web browsers and is implemented with provisions for smartphone and tablet screen sizes, as well. Java and other plugins are not required to view the information. Data obtained from a wide variety of equipment is “normalized,” so all equipment appears standard to the user. Modern web tools (such as a Structured Query Language database) and display devices (such as dashboards and other drill-down devices [Figures 4 and 5]) are provided. Complete scalable Global Positioning System mapping display (Figure 6), including fault indication, is also provided.

Figure 3: Simplified schematic of a LiftNet web and IoT services installation

Figure 4: The dashboard menu structure allows easy fault indication of each building.

Continued

Our name is Otis and service is our signature

In 1861, Charles Otis signed his name to our first maintenance contract and we’ve been committed to personalized service ever since. Today, we’re amplifying our commitment with the Internet of Things to continue to set the standard for service.

33300324_Otis 2018 Print Ads_ElevatorAD_R2_V2.indd 1 4/2/18 3:26 PM

Page 14: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

102 www.elevatorworld.com • October 2019

Figure 5: Drill-down to view real-time operational status of all units

Figure 6: Geographic location display of units allows instant notice of faults and statuses of both groups and individual units.

With its mouse-over feature, Lift-Net will identify each device and operating and fault status simply by moving the mouse over the specific device. Finally, all levels of interaction to the system are controlled by password access. Specific profiles allow various levels of access and control. This allows user tracking to specific time and date, while limiting access to features to authorized personnel.

www.liftnet.com

Winslow Soule founded IDS/Lift-Net to “bring the IoT revolution to vertical and horizontal conveyance systems.” A VT engineer, he has many years’ experience in the Chicago-area high-rise elevator market.

Ricky Williams is vice president of Business Development at IDS/Lift-Net. Based in the New York City area, he is skilled in negotiation, budgeting, operations management, technical sales and engineering support. He holds a BS from the New York Institute of Technology, with a focus on Electrical and Electronics Engineering.

Page 15: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

104 www.elevatorworld.com • October 2019

FOCUS ON EMERGING TECHNOLOGY

THE BIG PICTUREThis Product Spotlight highlights a lifelike virtual elevator window

system designed to transform the passenger experience.

by Aleksey Gorilovsky and Kirill Knyazev

The elevator cars we’ve been using are more like closed transportation boxes than elements of architectural experience. With their lack of visual stimulation, a ride in a conventional elevator is often an awkward interruption of an otherwise enriching experience offered by the architecture of public and residential buildings. A glass-walled elevator car provides an ideal solution to that disruption but is not feasible in most instances and often entails extra costs. As a result, the floor indicator, supplemented in some advanced cases with cartoons, has become the typical feature used to inform passengers of their current position.

A lifelike virtual elevator window system, designed to transform the passenger experience, was released six years ago at Interlift and gradually found a niche in sophisticated elevators for upscale buildings. The technology relies on the precise calculation of every pixel and offers a real-time picture of the outside view, combined with augmented reality and contextual information. Modern trends of visualization employed in elevator cars, including virtual windows, vary in degrees of image quality, positioning accuracy and lag. The LiftEye, Ltd. Real Time Virtual Window provides user-friendly elevator design with promising advertising potential and an almost universal navigation tool for visitors of public buildings. It offers real-time picture technology in a recently emerged and rapidly growing family of virtual windows and video walls in elevators all over the world.

New Typology and the Virtual Windows BoxThe dramatic progress in design, feasibility and

availability of widescreen displays in recent years led the industry to widespread implementation of monitors in elevator cars. Let us refer to these large flat screens in elevator cars as “virtual windows.” This type of installation enables visual stimulation of passengers by offering entertainment content, advertisement videos, emergency announcements, news feeds and, last but not least, navigation cues. Well-known showcase boxes, which may still be found in some hotel elevators, became the early predecessors of virtual windows, while small displays built into the operating panels were their immediate precursors. Figure 1: The Virtual Windows Box

Page 16: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

October 2019 • ELEVATOR WORLD 105

Numerous examples of virtual-window-equipped elevator cars constitute an original elevator typology in which the visual stimulation of passengers is a primary distinction. To compare known cases of virtual windows, the LiftEye team introduced a 3D diagram called the “Virtual Window Box”[1] (Figure 1). The cases are aligned in space with axes X, “Actual Environment Reflection Degree”; Y, “Adjustment to the Height Position” (i.e., adjustment of the viewer in the elevator car to the actual height position to the performed perspective); and Z, “Time Lag 1/τ” (inverted scale of time lag, τ). You may come across various cases, from still patterns/pictures on elevator car walls (or just painted ones), to animated cartoons depicting fictional environments displayed on walls (or the ceiling), all the way up to real-time virtual windows mounted on car walls or doors.

The location of the conventional car with non-transparent walls (“still pattern”) and the panoramic “glassy car” are in Figure 1 marked as yellow ovals. The glassy car represents a case in which an elevator passenger can view the actual environment with an accurate perspective and in real time (τ = 0). The visual stimulation in the glassy car seems almost perfect.

The obvious disadvantage of panoramic elevators is their limited feasibility due to building structural issues and, thus, relatively high associated costs. Those limitations force the developers to opt for video walls (One World Trade Center (WTC) in NYC) and ceilings (The Shard in London) in lift cars paired with non-real-time content.

The majority of known virtual windows offer little to no reflection of the outside reality. On the chart, those installations

remain a horizontal surface at bottom (τ = ∞). In most cases, the performance of those virtual windows depends on the actual position of the car (Y-axis): “The Ceilings of London” (The Shard); “The History of New York” (One WTC, NYC); and, the multiscreen show (Lotte Tower, in Seoul, South Korea). The content of those virtual windows (or ceilings) does not reflect the outside world “as it is.” We believe those virtual windows are fitting for one-time visitors but not for residents. It is hard to believe someone would enjoy the same content over and over again.

A real-time picture (τ ≥ 0) offers the solution to overcome the one-time visitor experience as described in U.S. Patent No. 9,571,798 (Figure 2). The proposed device renders a live image with the correct height perspective. A working prototype of that

device, with one wide high-definition (HD) display, was introduced in October 2013 in Augsburg, Germany (Figure 3).[2 &

3] Only two HD cameras were utilized to provide the real-time feed. They were mounted on the outer wall of the building with the elevator as shown.

When a real-time feed becomes available from cameras set in other locations, elevator users may switch the image to that feed. This feature might be attractive for such businesses as hotel chains and office buildings.

At the “Virtual Windows Box” (Figure 1), a real-time virtual window is presented as case A, placed very close to the “glassy car” point at the rear, right-hand top corner. The proximity of “A” to “glassy car” is limited by the time it takes to process the real-time image feed and may be further affected by a lag in the communication channel between the main building and the source.

The basic requirement for the software is to exclude delays in computing the vertical position, especially during acceleration and deceleration, to prevent motion sickness. The ability to render virtual window pictures in high resolution is paramount. The feedback from the 2013 Augsburg LiftEye installation confirmed that passengers, being close to the walls, didn’t find full HD/1080p (1920 X 1080) displays comfortable due to the relatively large size of the pixels.

Ultra-high-definition, or UHD-1/2160p (3840 X 2160, also known as 4K), displays are preferable in this case. The overall cost of the system is higher because of the higher price of UHD cameras and higher computational requirements (both hardware and software).

Continued

Figure 2: U.S. Patent No. 9,571,798

Figure 3: (l-r) Cameras used in 2013 introduction of a real-time feed; visitors watch a demonstration of the system.

Figure 4

Page 17: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

106 www.elevatorworld.com • October 2019

The temporary installation of a UHD real-time virtual window (Figure 4) in London (May 2015) became a trial of UHD cameras, software and display as a set.[4]

LiftEye introduced elevator car doors with real-time virtual windows in 2015. (Figure 5). This system is equipped with four wide UHD displays.[5] The door is compatible with EN 81-20 and suitable for new lifts, as well as for the replacement of car doors of any brand. A detailed comparison of LiftEye (Figure 1, Case A) and the installation in One WTC (Figure 1, Case C) is provided in Figure 6.

Both LiftEye car-wall and door installations received positive feedback from the international press, with such comments as it “makes it look like the walls are made of glass”[6] and “You can get a view of the . . . New York skyline in Berlin.”[7 & 8] LiftEye was also nominated for the Council on Tall Buildings and Urban Habitat Best Tall Buildings Innovation Award.[3]

Wawelberg Bank Building ProjectA recent LiftEye real-time virtual window project is designed

for one of the new elevators in the Wawelberg Bank Building in downtown St. Petersburg, Russia. This historic building is now under renovation and is scheduled to open next year as a luxury hotel. The scheme, shown in Figure 7, illustrates the allocation of LiftEye hardware in the building. The system is equipped with two sets of UHD cameras. Each set of three cameras looks in opposite directions along the main city avenue, Nevsky Prospect.

The UHD video feed collected from the cameras is transmitted via a video hub to the video-processing unit for calculation of a 3D, real-time panorama. The information is transmitted via an elevator traveling cable into the final processing unit on the elevator car roof, where the picture is finally modified by actual-height position data and displayed on three UHD monitors on the car walls.

At the special request of the building owner, outdoor cameras are utilized for this particular project, instead of the typical LiftEye indoor units. Their cases are individually manufactured to meet strict requirements of the City Committee for Preservation of Historical and Cultural Monuments (Figure 8).

The outstanding location of the building (upper right, Figure 9), right around the corner from the Winter Palace, a former residence of the Russian royal family and today home of a world-class art collection of The Hermitage museum, is the perfect place to engage LiftEye’s featured augmented reality, smart advertising and news feed. This includes not only the weather report and forecast (essential for anyone about to walk outside with the often-unpredictable heavy rains), but a

Figure 5: LiftEye’s elevator car door with a real-time virtual window.

Figure 6: Real-time versus time-lapse feed

Figure 7: The allocation of LiftEye hardware in the Wawelberg Bank Building

Continued

Figure 8

Page 18: ENSURING LONG-TERM IIOT SUCCESS · ENSURING LONG-TERM IIOT SUCCESS What to know and ask when considering digital transformation ... financial investments, but for many in the building

108 www.elevatorworld.com • October 2019

connection to the city itself. The elevator is equipped with three UHD monitors, and the design of the car provides protection for monitors, effective heat emission and easy maintenance and cleaning.

LimitationsPrivacy issues in many countries may prevent installation of

real-time virtual windows in any form, so specific measures, such as blurring of human faces and car license plates, should be taken. Data channel capacity limitations between the lift and a distant location, from where the real-time feed must be transmitted, may dramatically reduce the overall performance of real-time virtual windows. Some quasi-real-time solutions are known and may be employed.

ConclusionWe believe virtual windows and real-time image feeds will also

prove to be a prime navigational tool for future lifts with linear motors, which move people vertically and horizontally.

The lifelike real-time virtual elevator window system is designed to transform the passenger experience by providing user-friendly elevator design with visual stimulation — the

“big picture” of what is currently available in the recently emerged and rapidly growing family of virtual windows and video walls in elevators all over the world. Your authors hope readers will repeat the phrase from the U.K. band London Grammar: “Now I see the big picture.”

References[1] Gorilovsky, Aleksey and Gorilovsky, Dmitry: “Elevators: Continuity &

Enrichment of Architectural Experience in Times of Fictional Architecture,” Connecting the City. People, Density & Infrastructure. Abstracts of the CTBUH 2017 International Conference 29 October-3 November, 2017 Sydney, Melbourne & Brisbane. Editors: Antony Wood, Helen Lochhead, Philip Oldfield & Jason Gabel, Chicago: Council on Tall Buildings and Urban Habitat, p.223, ISBN 978-0-939493-58-6.

[2] Gorilovsky, A., Gorilovsky, D., and Langley, P.: “Elevators: Continuity and Enrichment of Architectural Experience.” CTBUH Shanghai Conference, p. 864-870 (2014).

[3] CTBUH. “Innovation Award Nominee: LiftEye,” Best Tall Buildings: A Global Overview of 2014 Skyscrapers. Editors: Antony Wood, Steven Henry and Daniel Safarik, IIT, Tongji University and Routledge/Taylor & Francis, Chicago, p. 224-225 (2014).

[4] Giving Lifts a Live Virtual Window: BBC Click’s Dave Lee Reports, bbc.in/1S0eKK9, (May 18, 2015); last accessed August 15, 2019.

[5] www.youtube.com/watch?v=0awDzIZyUT4; last accessed August 14, 2019

[6] en.wikipedia.org/wiki/Elevator; last accessed August 14, 2019.[7] www.ribaj.com/products/multi-national-multi-storey; last accessed August

14, 2019.[8] www.fastcoexist.com/3028539/this-elevator-might-make-you-forget-

youre-stuck-in-a-metal-death-trap-with-strangers; last accessed August 14, 2019.

lifteye.com

Aleksey Gorilovsky has been CEO of LiftEye, Ltd. since 2013. He is an electromechanical engineer and specializes in precise torque drives. He also has extensive experience in the academic field. He studied at London School of Economics and received his Executive Master of Business Administration from Stockholm School of Economics. He entered the elevator business in 1993 and set up his own lift company in 1997. It grew to have a leading position in the upscale segment, providing full service for world-famous hotel-chain, retail and office buildings. He has received patents for tall-building elevators.

Kirill Knyazev joined Stein, Ltd. in 2009 as an engineer, and soon took charge of the sales team. An electronic communications engineer by training, he has more than 10 years’ experience in the elevator industry, in which he has performed a variety of tasks on a daily basis. He has successfully managed a list of the company’s key projects; the first St. Petersburg project in collaboration with the LiftEye team became a part of this article’s topic.

Figure 9: An aerial view of the Winter Palace and Palace Square in St. Petersburg, Russia; photo by Andrew Shiva via Wikipedia

Figure 10: The car interior with the LiftEye system is shown with the system (l-r) off and on.