IoT vulnerabilities continue to surface, causing confidence in the ability of manufacturers to deliver products that are secured by design to continue to erode. Already this year, several vulnerabilities have been exposed, including:
- Security flaws in smart cameras — Researchers discovered vulnerabilities with Hanwha Techwin surveillance cameras. The flaws existed not only in Hanwha Techwin cameras, but all smart cameras manufactured by Hanwha Techwin.
- Vulnerable medical devices — Medical imaging devices, such as MRI or CT systems, are becoming increasingly vulnerable to cyberattacks, according to researchers from Ben-Gurion University.
- Hackable smart home hubs — Security flaws were discovered in a smart hub used to manage all the connected modules and sensors installed in the home, putting smart home owners at risk.
IoT vulnerabilities are being discovered and exposed across all industries, and hackers are certainly not discriminatory when it comes to who they will target. Throughout countless examples, security flaws are regularly being found in IoT devices, putting sensitive data and even personal safety at risk.
The fundamental issue is that IoT devices are not being built with security in mind. As adoption of these technologies continues to rise, this has created a growing attack surface that does not take a particularly high level of expertise to exploit. Everyone is eager to jump on the IoT innovation train, but in doing so, the critical element of securing these devices is often neglected.
However, despite the risks, organizations are continuing to gather sensitive data from IoT devices. The “2018 Global Data Threat Report” found that nearly three-fourths (71%) of organizations are aggregating data from the millions of IoT devices already in use.
While IoT security as a whole remains lacking, we are nonetheless seeing more organizations starting to apply measures to protect IoT data. The “2018 Ponemon Global Encryption Trends Report” found that 49% of enterprises are either partially or extensively deploying encryption of IoT data on IoT devices.
Organizations are taking a step in the right direction by recognizing that encryption of IoT device data — done correctly — can effectively protect privacy and confidentiality, but challenges remain. At the end of the day, it comes down to trust. If trust is not established regarding the identity and overall integrity of the device, then encrypting untrusted data is not accomplishing the desired goal. And if the device and the data it collects cannot be trusted, there’s no point in going to all the trouble of collecting it, analyzing it and, worst of all, making business decisions based on it.
How to build trust in IoT
Here is what is required to enable trust:
1. A root of trust to enable device authentication
To securely participate in the internet of things, every connected device needs a unique identification. There are various methods used today to prove an identity, from passwords to biometrics to digital certificates and more. However, when it comes to proving the identity of an IoT device, the choices available for authentication depend on the capabilities of the device.
In environments where security and safety are paramount, a hardware-based root of trust provides the strongest means to establish and maintain an authenticated device identity. Digital certificates issued from a trusted public key infrastructure provide a proven mechanism for this, however the storage and processing demands of traditional RSA keys have driven some to favor elliptic curve cryptography (ECC). ECC provides equivalent protection to RSA with much smaller key sizes, and its operations require significantly less processing, making it appropriate for devices with less storage space, processing power and battery life.
Unfortunately, many IoT devices aren’t being designed with even the most basic of security protections, such as requiring default administrative credentials to be changed upon installation. A reasonable level of trust cannot be established in a device until there is a solid means of device authentication in place, and that that the integrity of the device can be assured over time through mechanisms such as secure boot protection and code signing. These are important to prevent introduction of malware especially during firmware updates.
2. Encryption to protect data
With a proper root of trust in place, it is increasingly important to have means in place to protect IoT data which is sensitive, personally identifiable or proprietary. In IoT, this means protection on the device itself, when the data is being transmitted to intermediate points, such as IoT gateways, and when it is en route to final destinations, such as the cloud or a data center for storage and analysis.
This requires not only process steps to identify the specific data to be encrypted, but also a key management scheme to distribute and manage the keys that are used to encrypt the data. Secure storage and access control for keys requires planning — they must be available to permissioned people/entities to enable data access, but properly segregated from the data and stored securely. It might sound easy, but IoT scale and speed is a game changer. Keys have a finite lifetime based on their length and the algorithm being used, and therefore must be rotated at regular intervals. Lose a key that is used to encrypt data and you lose the data. Key management is a crucial capability for IoT deployments with sensitive data.
The adoption of IoT technology is not expected to slow down anytime soon. In fact, Gartner predicts the number of connected devices will rise to 20.4 billion by 2020. Trust is recognized as a key enabler for IoT to deliver the intended results, and authentication and encryption are two critical capabilities in the IoT trust playbook.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Security has been the subtitle for all discussions about the internet of things. But a lot of that discussion has been based on some bad assumptions and misinterpretations. IoT can be secured, but just not in a lot of the ways that are being discussed. Here are six of the most common IoT security myths and the reality behind each of them.
1. Lightbulbs and industrial robots are secured the same way
IoT is really a superset of two very different technologies. The first part is what we think of most with consumer-grade tech: think lightbulbs, TVs and vacuum cleaners. The second part is operational technology, or OT: industrial robots, water turbines, elevators and power plant relay actuators. The essential difference is that OT is serviced and maintained by a dedicated team, usually closely backed by the vendor, whereas IoT, as consumer-grade tech, is not. This difference is significant to how they are secured, and to the impact of being insecure. OT vendors, however, are typically less experienced than IT vendors in the ways of security. This is a rough differentiation though. Cars, for example, although a consumer technology, are in the OT classification because of manufacturer involvement.
2. Standards will secure IoT
This is a common myth. I hosted an OT/IoT roundtable in the UAE, and the majority voted that they believed standards would fix the IoT security problem. This is certainly how things should work when viewed through the lens of safety: safety standards work well in OT and IoT, with established national standards bodies and labs. However, the reality is much different.
There is hope, but no time soon will standards play a role of any impact. Standards play almost no role in IT security today, so our hope for them in IoT is aspirational.
3. IoT vendors will start patching their devices
Product makers don’t want insecure stuff. All IoT is patching-challenged, but for different reasons. This short description won’t completely do the topic justice, as this is a very nuanced and complex discussion.
OT teams do have a strong desire to patch, however their software update cycles are often magnitudes slower than IT patching. Many OT devices will never see a patch, so the development and delivery of time-critical security patches is not part of their corporate DNA. Similarly, patch management is not traditionally part of the OT group’s DNA — there is no “Turbine & Water Filtration System Monday” equivalent to Microsoft Patch Tuesday, nor are patch management tools often in use in OT environments. Much of the patching must be done locally and manually.
IoT has different issues with patching. Most IoT devices were designed without any prospect of patching. Some IoT vendors do not keep a software team in house, making patching problematic. A portion of IoT software is embedded in firmware — chips containing the flaws that can require a replacement — meaning usually the whole device must be replaced. I spoke with one IoT component manufacturer that told me it would add about $0.02 per chip for them to extensively test code and provide patches for security vulnerabilities, whereas the price of their nearest competitor was $0.01per chip, and the manufacturer said the company had never had a buyer factor security into a purchasing decision.
4. OT will make it all better
What is not a myth is that there is usually tension between enterprise IT departments, and the OT staff is responsible for the technology of the shop floor or production environments. The OT teams certainly know their environments best, however they come less equipped and experienced than IT staff concerning modern threats and patch management techniques. OT teams usually lean on their familiar vendors — the manufacturers of the equipment. However, these vendors reflect the OT teams in that they are slow to adapt to the new and incredibly hostile environment. Most of these vendors do not even have any kind of bug bounty or vulnerability research interface. Think about it — OT and their vendor-scape are required to go from 0-100 overnight; from an air-gapped low-threat world to an IP-enabled one attacked by nation states and custom-crafted malware. OT teams do understand their environments the best, so they are rightly skeptical of IT teams. Which leads us to …
5. IT will make it all better
Early on in IoT and OT security, it was assumed that the current IT techniques would be the fix. Just do what we do on the corporate network and everything will be alright. Unfortunately, it was immediately evident that things weren’t business as usual. Not everything is IP-enabled, we cannot risk connecting critical infrastructure to the corporate environment, the service-level agreements for outage or downtime was several magnitudes less forgiving than IT, strange protocols were involved, and there was little if no coverage of these devices by vulnerability research. IT security has the triad of CIA as its foundation: confidentiality, integrity and availability. Suddenly, a new leg was added to that: safety. IT security and ops departments were not equipped to perform their current tasks with that level of impact.
IoT under IT is a bit better than OT, but still requires flexing which IT departments may not be willing to undertake. Most studies predict that IoT devices are growing at magnitudes greater than IT devices. Most IT security products are not equipped to deal with the scale of IoT, even if the teams are willing. For example, most security information and event products are already being challenged to handle the alert load, as well as firewalls handling connections per second. IoT adds an approximate 10x load in most enterprises, with IT departments again often unwilling to take on the load of managing and securing what doesn’t appear to be devices in their realm of responsibility. IT does not have the IoT security answer today. But that doesn’t stop the threat landscape from using IoT as an attack surface in the interim.
6. Special IoT security products will fix it all
Early on, there were IoT-specific security products that emerged. They tended to be either wireless focused — a good thing, since so much of IoT connectivity is wireless based — or from the OT device manufacturers. However, the impact has been limited. OT manufacturers have been slow to bring effective products, and the slow release of real dollars for OT and IoT has alienated vendors. The critical issue is that most IoT and OT security technologies are not linked to corporate IT security groups that are already organizationally decoupled, making the job of a security operations center response almost a manual task of calling coworkers to find out information.
The answer will most likely be via partnerships between OT vendors and IT security vendors, taking the already advanced security technologies and hardening them to work in the organizational, cultural and technical OT environments. IoT is a more difficult issue in that these “unpatchables” must be segmented and surrounded by intrusion prevention systems and antimalware. Instead of a pre-patch shield, this becomes a never-can-patch shield. Segmentation and shielding, especially via wireless connectivity, become the future state.
The bottom line is that not all IoT is created equally, and can’t be secured equally. But IoT is here and the baddies know it to be a soft underbelly. The “two solitudes” of the organizations representing IT and OT can together secure OT, but it is up to mostly IT to embrace and secure consumer-grade IoT technologies. Don’t fall into the traps set by these myths — be informed and get to work now on fixing these … things.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
When it comes to the internet of things, perhaps the key enabling technology is wireless networking technologies. Without the two primary wireless data networking technologies — cellular and Wi-Fi — almost every IoT device would require a wired connection to the internet, dramatically limiting the ability of developers to create IoT applications that deliver value to businesses and consumers.
However, thanks to these two wireless networking technologies, IoT is big and getting bigger — research firm Gartner forecasted that in 2017, 8.4 billion connected things will be in use worldwide, with this number reaching 20.4 billion by 2020. With as many as 10 billion additional connected devices forecast to be deployed over the next three years, IoT application developers face an important question as the market continues to mature — given each technology’s bandwidth, cost, coverage and security characteristics, should they design their IoT applications to use cellular, Wi-Fi or both?
While the differences between Wi-Fi and cellular in terms of bandwidth and cost have been narrowing or disappearing, cellular is expanding on its coverage advantages. By definition, Wi-Fi is a local area network (LAN) which provides great coverage in a very limited area. Yet, the moment a connected device leaves that area, coverage is lost, which results in significant design limitations for IoT application developers. On the other hand, cellular data coverage today is extensive and growing, as wireless network operators compete with each other to offer better coverage to their customers. In addition, standard low-power wide-area (LPWA) cellular IoT technologies (LTE-M and NB-IoT) provide deeper coverage than traditional cellular technologies, expanding cellular connectivity to underground spaces, buildings and rural environments. While LPWA is new, it is rapidly being embraced by network operators, as upgrading 4G LTE infrastructure to support LPWA only requires a simple software update. For developers who want to deploy IoT applications around the world or to remote, underground or similar hard-to-reach locations, cellular provides clear advantages — advantages that will only grow over the coming years.
When evaluating the security differences between Wi-Fi and cellular, one must always remember that no network can ever be made 100% secure. Nonetheless, cellular does possess several security advantages over Wi-Fi. First, all cellular data is encrypted by default. Wi-Fi data can be encrypted, but this encryption has to be turned on. This introduces human error into the Wi-Fi security equation, and as seen in recent cybersecurity attacks, such human-error related vulnerabilities can and will be exploited by cybercriminals. In addition, cellular security updates are made by network operators who have dedicated cybersecurity staff in place and very strong financial and reputational incentives to ensure such updates are made as quickly as possible. However, Wi-Fi depends on individual Wi-Fi network owners to make security updates, and it is easy for individual Wi-Fi network owners to delay or overlook these updates. The problem with overlooking such updates was recently demonstrated by the Key Reinstallation AttaCK, aka KRACK, on the key exchange handshakes used in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) security protocols. Another security issue with Wi-Fi is cybercriminals can create “fake” Wi-Fi networks that unsuspected device owners connect to, allowing these criminals to hack into these owners’ devices. While creating fake cellular networks is theoretically possible, cellular’s built-in security advantages, as well as size and scale of network operators, make the creation of similar fake cellular networks much more difficult. As cyberattacks continue to increase, cellular’s security advantages give it a leg up on Wi-Fi for developers building applications where security is a key design consideration.
For years, Wi-Fi had a significant advantage in bandwidth over cellular, with older 802.11b/g/n Wi-Fi technologies offering speeds up to 450 megabits per second and the newer 802.11ac Wi-Fi technology offering speed up to 1.3 gigabits per second (Gbps). However, cellular technologies based on the 4G LTE standard are now as fast as 1 Gbps, making cellular bandwidth comparable with Wi-Fi. In addition, while new Wi-Fi technologies based on the 802.11ax standard promise speeds of up to 10 Gbps, new cellular technologies using the 5G standard will offer similar speeds. With cellular now able to come close, if not match, Wi-Fi in regard to bandwidth, when it comes to video and other high-bandwidth IoT applications, there is little to no difference between the two technologies on speed.
Security, bandwidth and coverage are not the only capabilities developers need to consider when deciding whether they their IoT applications should use cellular, Wi-Fi or both, but they might be the most important. In terms of cost and bandwidth, cellular has in recent years caught up to Wi-Fi, and today Wi-Fi’s advantages in these areas are minimal or non-existent. However, when it comes to coverage and security, cellular has significant advantages over Wi-Fi, advantages that it will build on over the coming years.
Despite these advantages, Wi-Fi is not going away anytime soon. Wi-Fi has a strong established base in most households, and the fact there are no additional costs to connect multiple devices to a Wi-Fi network means that Wi-Fi will likely continue to be used for many consumer and smart home IoT applications over the coming years. In addition, with costs coming down for both technologies, building IoT applications that support both Wi-Fi and cellular connectivity is an increasingly attractive option for developers looking to cover all their bases and differentiate their consumer versus enterprise-level services. However, with cellular increasingly equal to or better than Wi-Fi in terms of bandwidth, cost, coverage and security, many developers who previously might have only considered Wi-Fi for their IoT applications are likely to be looking at, if not switching to, cellular over the coming years.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
In 2016, ISACA conducted a survey about how consumers today perceive augmented reality. About 60 to 70% of consumers saw clear benefits in using augmented reality, with about 69% believing that AR could help them learn new skills at work.
Its application in real-world scenarios is rapidly making it an integral tool in every sphere. Mega construction sites are usually a congregation of heavy machines and equipment. A single machine breaking down can hamper the workflow of the entire site, which can take hours or even days to repair. However, AR is reducing this downtime by completely changing the manner in which troubleshooting is done. With AR-enabled devices, technicians can now simply scan the machine with their mobile devices and view the technical issues of the equipment on their tablet or smart glasses — feature by feature — to investigate. AR enables them to see the insides of the machine as a 3D overlay, share the visuals with other teams and determine the solution — all at once.
This is the power of augmented reality that has opened up new realms of possibilities for business owners across the world. This paradigm shift is helping business owners save precious time and thousands of dollars, thereby enhancing their ROI significantly.
Almost every industry is poised to transform with AR. However, there are some prominent verticals that have already integrated AR in their daily workflow processes:
- Healthcare: Healthcare is among the leading industries undergoing a radical transformation as more and more healthcare professionals are using AR tools and technologies to solve complex healthcare problems. Augmented reality is helping doctors examine patients across geographical divides. Doctors can even resort to less-invasive surgeries with the help of AR devices and provide substitutes that can help with diagnosis and treatment.
- Real estate: Realty and construction is another industry where AR is making serious headway. Instead of showcasing 3D models on 2D screens, architects, designers and engineers can now present their work to clients as an enhanced holographic. This helps visualize every little nuance of a new space. Instead of poring over cramped floor plans that provide little detail about the value of the space, AR is helping give a more immersive walkthrough to clients and help them in their decision-making.
- Retail: In the retail sector, AR-powered glasses or virtual mirrors are helping customers virtually try on different apparel, makeup and accessories. This method has immense potential, especially in e-commerce, and is already being adopted by several online shopping portals.
- After-sales/customer service: When buying or servicing home or industrial appliances or complex machines, field service representatives often need to resort to printed installation guides that can be tedious. They may even need to consult experts at the office or service center in case of major issues or breakdowns, which can be time-consuming. With augmented reality, field reps can access interactive installation guides where they can see the machine broken apart, making it easier for them to figure out the process. It can also help in connecting with remote experts and following guidelines by overlaying information on a video that both parties can see. This can make field technicians quick and efficient at servicing, thereby saving time and resources for the company.
- Logistics: DHL, the leading global logistics company, has been one of the early adopters of AR. AR-enabled smart glasses help workers by guiding them through the warehouse to pick items for order fulfilment. According to DHL, this has helped the company reduce shipment errors and has allowed for a 25% increase in efficiency. This kind of impact in a modern business can emerge as the key distinguishing factor between close competitors. On-field workers can now access a plethora of information, including schematics, videos, workflows, instructions, charts, lists and so on, enabling them to make quick decisions and actions.
- Travel: This is one of the primary consumer-centric segments for using AR devices and systems. Travelers often need information quickly, whether it be about a particular destination, routes, ordering transportation, or restaurant and accommodation recommendations. AR apps are helping travelers access this information. AR apps can bring printed materials to life and even filter and personalize information depending on the current location and requirements of the user. AR can help hotel owners and travel agencies to better engage with their customers by offering special offers, discounts and reward points which can be accessed by scanning their brochures, and ensuring better brand recall and higher ROI on advertising expenditure.
Augmented reality is changing the way we live, work, play and entertain. The next few years will see the rise and rise of AR applications that will make our interactions with the virtual world more stimulating.
From immersive virtual reality training to interactive augmented reality product experiences, mixed reality experiments are making their way from pockets of innovation within corporations to full-fledged programs — –that is, if they don’t fall prey to “innovation cannibalism” first.
Companies are under increasing pressure to constantly innovate, often guided by a digital transformation or corporate innovation charter that is mandated by the C-suite, supported by middle management guidance and executed by grassroots “intra-preneurs.” This mounting pressure can serve as both a blessing and a curse for survival. Change agents strive to not only brainstorm the next big idea that will push the company into a new era of technology revolution, but also simultaneously hide their efforts from colleagues and other departments in order to get the glory of being the smartest person in the room.
Hence, innovation cannibalism is born, and virtual and augmented reality (VR/AR, or “XR” as a catchall term for “extended reality”) pilots are its latest victim. Rather than moving the company forward, these competing technology proofs of concept (POCs) ultimately compete for executive budgets and attention, rather than operating toward a common goal. Preceded by myriad other bright, shiny technologies under the innovator’s microscope, XR serves as the next tool primed for real market testing and even companywide rollout, if it can make it out of the corporate innovation vacuum.
ARtillry Intelligence projects enterprise mixed reality alone to grow from $554 million in 2016 to $39 billion by 2021. Growth is dependent on both perceived and proven value as organizations look to competitors and other industry best practices in order to gauge potential success. XR is sitting in the sweet spot for corporate innovators looking to reference existing case examples from early adopting enterprises in order to make their case, while still offering plenty of open water to brainstorm that next big idea to differentiate. And the sea of opportunity is indeed wide, spanning both industry and departments in potential use cases to increase efficiencies, improve employee experience and positively impact the bottom line.
In our latest Kaleido Insights report, “Prepare for the New Reality of Super Employees: How VR and AR Technologies Enhance Workforces to Transform the Enterprise,” my co-author Jeremiah Owyang and I detail the top six use cases for enterprise mixed reality (see Fig. 1 infographic below), as well as the challenges encountered along the road to fruition and a checklist of considerations for implementation. From training employees on dangerous tasks in a completely virtual (and safe) environment, to cutting theft of high-ticket item merchandise in-store, organizations are experimenting with reinvention of legacy procedures and methods to future-proof their businesses.
Though these mixed reality experimentations are typically driven straight from a corporate innovation charter and brought to life by innovation teams, labs and outposts, these change agents aren’t the only catalysts of XR testing. Other sparks that set POCs ablaze include:
Middle management pursues efficiencies
In tandem to XR charters led by innovation groups, other typical leaders of mixed reality initiatives rise from useful, real-world applications. When management in more technical roles — like field service, warehouse logistics or engineering production — come across use cases where XR could make their lives easier, they reach out to internal or external resources to begin experimentation. “Our customers are those who are dealing with challenges upfront and see VR as a way to solve a problem,” shared Jakub Korczyński, CEO of VR solution provider Giant Lazer. “These people get VR’s potential the quickest as they envision immediate benefit.”
HR and marketing strive to impress
In an effort to impress current employees and higher-ups, as well as attract new talent, human resources leaders look toward new technologies like mixed reality. The right application will not only draw positive internal buzz, but also help to retain and inspire the existing workforce (while ideally improving their job experience). Similarly, marketing and digital leaders are often enticed by what they see as interesting XR applications on YouTube — even if these applications are not entirely feasible or applicable to the company.
Desire to compete with automation
Augmented and virtual reality enable employees to become “superhumans” in their own right, using these technologies to augment and support their bionic brains. With artificial intelligence and automation posing increasing threats to industrial manufacturing and low-wage employment, many companies are turning to XR to bring employees closer to their robotic counterparts in capabilities. Scope AR’s Co-founder and President David Nedohin explained, “AR is arming employees to compete with AI by putting them in the position to know exactly what to do to complete a task through real-time data and imagery display. Industrial IoT data can initiate the proper workflow, combined with machine learning analysis and AI, to transform employees and help them stay competitive in the workforce.”
Need for increased collaboration
During many internal processes — from product development to training to sales and service — it can be difficult to get multiple busy leaders in the same room for collaboration, especially across departments and geographies of decentralized organizations. The need for easier, more efficient and more frequent collaboration is a common driver of exploring XR’s engaging and immersive environment, where corporations see a valuable investment.
Though many XR pilots are born from corporate innovation programs, among other aforementioned catalysts, these POCs cannot achieve critical mass until supported by the company at large. Executive support is essential in spreading an innovation imperative culturally, as well as greenlighting budgetary allocation and employees toward mixed reality initiatives. Without top-down alignment and goal-oriented prioritization, grassroots XR efforts cannibalize one another in a battle for resources and attention. It takes a comprehensive strategy that examines the impacts and opportunities of all relevant emerging technologies to move mixed reality from catalyzing to testing to fruition.
Download the full research report (note: registration required), “Prepare for the New Reality of Super Employees: How VR and AR Technologies Enhance Workforces to Transform the Enterprise,” from Kaleido Insights’ website.
The benefits of deploying IoT are becoming clearer for many organizations, especially when the use case is identified for a business problem solved with IoT (see my other article for more on that). However, once an IoT technology “sticks,” additional security considerations prior to deployment may not be top of mind — but they should be.
Device security should be incorporated into any design, and IoT deployments are not exempt. The general approach is to use the CIA triad: ensure the confidentiality, integrity and availability of the technology. While there are many debatable concerns around the security of devices, such as smart locks, there also are concrete examples of internet-connected devices posing a security risk with default passwords. The viral video demonstrating how an internet-connected carwash using default passwords can be exploited helps put the urgency of securing IoT devices into perspective. Weak and default passwords on IoT devices and platforms can even put personal safety at risk. When securing IoT devices, seek integration with existing certificate frameworks.
From a reliability perspective, cascading failure is a consideration as well. Consider a smart refrigerator that could run the risk of being “bricked” due to an IoT device failure, misconfiguration, malicious use or bad firmware. If in a hospital use case, unreliable devices could risk ruining a very expensive inventory of medicines that require climate control or even put lives in danger. Device reliability may also be a consideration over time as conditions may change. Temperature and other atmospheric factors, quality of network connection, changes in network equipment and changes in logical configuration (such as routing to the internet) may all introduce small and seemingly irrelevant changes to an environment, but IoT devices may respond unexpectedly to these changes.
From a cost perspective, consider a fixed device removal (and replacement) date or cycle. Just as capital expenditures like PCs and desktops have a three- to four-year life span, IoT assets should have their own asset management cycle. The details of that cycle will depend on factors such as the device, cost and use case, but also consider the process for spare part management, both from a supplier and, possibly, from a private inventory within the organization. A fixed removal date also provides a possible remediation for vulnerabilities that emerge in the future for IoT devices, because updating them may be daunting. Additionally, we should expect that capabilities will increase and costs will decrease for individual devices over time.
While this view on IoT may seem alarmist, a single catastrophic failure or breach could wipe out any IoT benefit. The challenge today is to design with these considerations in place to avoid an unforeseen challenge that wasn’t addressed ahead of time.
When traveling to many different parts of the globe, the local public transportation can give individuals a real feel for a culture. Much like eating where the locals eat, it gives a taste of what everyday life is like in those locations. Public transit provides a greater perspective on people and places and makes the experience of visiting a new city that much more intimate. And, it is almost always a cheaper and more efficient way of getting around (although the Tokyo subway at rush hour might make you rethink how you commute altogether). Visiting countries where public transportation is a way of life can also give an idea of what the future may bring for this industry. In many locations, it can be surprising how smart the local transportation is.
Trying to catch the No. 43 bus in Paris to get to Gare du Nord? Get on the RATP app, and it will provide you detailed ETA for your stop. You no longer have to guess when the bus will arrive. In the world of supply chain, predictive ETAs can identify down to the hour — or to the minute — when a cargo vessel, train, truck or item is going to reach a destination. In the past, this would entail using models to predict, within a window of time, when something would arrive or when an action might happen.
Today, with smart IoT-enabled tags, we can actually “see” where and when these activities are taking place. We can follow the production of a product from supplier to factory floor and track an item all the way down to an individual container — wherever it is on the planet. Now apply that same thinking to mass transit. How can the way we commute and connect with our cities become smarter?
Predictive maintenance means more uptime
One area where IoT has empowered transformative changes is by providing greater insights into how assets are used and when they might fail. We have all seen the advertisements where the building tells the maintenance crew to repair the elevator before it breaks down; the same applies to our transportation assets. If a switch on the subway is not acting just right, smart sensors can identify where and why, and send a signal to the enterprise asset management software to request maintenance. Since the switch is smart, it can ensure that the crew has the appropriate spare parts and qualifications to fix the problem. Once you have a more robust, self-diagnosing and repairing network, what else could you imagine with your transportation network? Sounds like science fiction, but some of this technology is in use today.
Better traffic flow, and not simply for the machines
Whether it is trains, buses or infrastructure, as more assets become smarter, they will be able to better communicate among themselves. As this information becomes richer and available in real time, the network will allow for more optimal flow of vehicles and traffic. We have been exposed to the promise of smarter cars for our personal driving, but as our buses and trains follow the same concept we may start to experience more optimal flows. What about a better-connected passenger? If there are too many passengers on the platform, the IoT-enabled grid will prioritize traffic, maybe even assign a pop-up express train to reduce some of the strain. When the grid notices a surge in traffic, could it push out a message to those entering the train station, giving them a fare reduction if they take the subway an hour later? The smarter grid might even send suggestions to travelers to walk to another, less congested station.
Creating new opportunities with existing assets
Could public transit buses also deliver packages to the customer’s nearest bus stop? This is possible if the bus had sensors that could ensure the proper loading, handling and transport of the package. As its sensors are tied to the network, consumers could monitor when that bus would arrive at a certain stop. As the bus draws closer, the IoT sensors would send a message to recipients’ phones telling them when to get to the stop. The IoT-powered storage unit would then open and allow for scanning of the NFC-enabled phone over a reader. The sensors on the bus could also monitor passengers getting on or off and predict traffic flow to determine if delivering the package at that time would not cause disruptions.
IoT holds much promise for many aspects of our lives. Bringing greater efficiencies to our public transportation is one of them. As we get a more connected transportation grid, not only could we expect the incremental benefits of increased time with our assets, but it could open new business models as well. These new models have the potential to be transformative in nature. Exciting times indeed.
The IoT landscape shows no signs of slowing down, especially as IDC predicted that IoT spend will reach $772.5 billion in 2018. But with this exponential growth, one crucial thing is being overlooked: cybersecurity. A recent study found almost half the organizations with an IoT network have had a security breach, with larger organizations estimating one breach can cost over $20 million. How we secure and react to cybersecurity concerns today will seriously impact the future vulnerability and reliance of IoT.
More data, more risks
The methods and means to capture data in industrial and commercial IoT are currently booming and will continue to rise dramatically as connectivity and networking technology continue to improve. While this increase in data improves operational decisions, reduces manual reporting and increases safety, how can these operators be ensured their data is secure and that increased threat surfaces are protected?
With more data being transported than ever before, it’s important not only to secure assets, but to secure the communication link itself. Traditionally, supervisory control and data acquisition (SCADA) systems have been on the outside of a firewall from the corporate IT network. And with a host of legacy systems still using SCADA, this means those systems are often unprotected.
Smarter equals better
As the use of IoT technologies increases, field operators must utilize the intelligent network connecting the technologies along with intelligent data collectors, sensors and transport to provide additional value. IIoT sensors allow for more functionality, such as edge analytics and predictive maintenance, and increased connectivity to the devices using secure IPv6 standards. And for systems and networks using only remote terminal units and programmable logic controller to connect to the device, that functionality and cybersecurity might be underutilized or unavailable. Long-promised benefits, like assessing predictive failure, become possible only when the device can be accessed directly.
Operators in IIoT environments need to be concerned with everything that could be introduced to the network at every single connection point. This IoT data can be extremely useful, but safely enabling it requires a network that can meet the necessary cybersecurity requirements. Using TLS/SSL and basic AES-128 data encryption standards establishes secure connections, even where data moves across an open network, such as in an IIoT environment like manufacturing floors and oil fields. When data is properly encrypted, an unauthorized party cannot access it even if they can see it, as often is the case in IIoT. In wireless connections, standards-based connections allow relatively easy access to the moving data, leaving encryption as the only line of defense against unauthorized eyes.
Power and pain of IT/OT convergence
Traditionally, IT and operational technology (OT) environments have been divided by a firewall. However, IoT networks have reduced this wall to merely a low fence, meaning the sensors and applications in OT need to be protected to reduce the security threat to the entire network. As the convergence of IT and OT continues with the adoption of intelligent edge devices, industrial organizations are seeing security success with a connected infrastructure utilizing IP-enabled sensors or IP/IIoT-enabled access gateways. This also enables data to be shared with more than just the central control system, including direct communication between machines and multiple systems bringing in real-time sensor data.
IP technology makes it easier to deploy and talk to sensors, but it also makes it easier for intruders to infiltrate valuable data streams. Security through protocol obscurity is not a solution. There are many common attack vectors for industrial devices that become even more relevant when considering IIoT infrastructures and fully networked, geographically dispersed projects.
Knowledge is key
As companies deploy and expand their IIoT networks and technologies, they need to keep their security goals top of mind. A few questions to consider during deployment and adoption include:
- What data is being collected and/or transmitted with this technology? Is it time sensitive and/or mission critical?
- Do we need this technology to be fail-safe to prevent or eliminate catastrophic damage from occurring?
- What external factors might impact the reliable transmission and receipt of critical data from one point to another?
- What is the right tradeoff between features, ease of use and security for my installation?
Whether IT/OT convergence is a factor for an organization, both sides of the fence must put an emphasis on cybersecurity, with alignment between both parties. There are many benefits to the concept of a completely connected IoT system, but this also implies more crossover between IT and OT systems and greater cybersecurity risks. Companies need to prioritize cybersecurity in their quest to create endpoints for all their field assets.
Few industries will see as big an impact from the internet of things as the insurance sector. Indeed, IoT has the potential to touch nearly every facet of insurance, with the promises of both benefits and risks for carriers as well as their customers.
IoT will impact how insurance underwriting and pricing are done for markets including transportation, home, life, healthcare, workers’ compensation and commercial. And it will transform the way insurers gather information about customers and their environments to process claims, determine risks and calculate costs.
Primed for growth
The industry is primed for a big move into IoT. Recent industry research sheds some light on how insurance will be impacted by IoT. Research firm IDC, in a 2017 report that estimated global spending on IoT would grow 17% in 2017 to reach just over $800 billion and rise to nearly $1.4 trillion by 2021, said insurance would see the fastest spending growth of any industry.
During this period, the sector will experience a spending increase at a compound annual growth rate (CAGR) of 20%. A more recent research report predicted even more optimistic growth of 33% CAGR and reaching $9 billion by 2022.
The keys to this growth are the integration of real-time IoT data with AI-powered operational intelligence algorithms. Underwriters will no longer simply rely on actuarial data to insulate their company’s book of business from unacceptable exposure. Real-time operational IoT data will allow insurance companies to proactively prevent loss, ensure contractual compliance and detect fraud.
For example, in the area of auto insurance, vehicles equipped with sensors will provide data back to the carriers about the driving habits of insured individuals and the condition of automobiles and parts. This will help insurers correlate safe or unsafe driving patterns with unacceptable risk of accidents and injury. Unsafe drivers can be alerted before their behavior results in a loss, and premium incentives can be provided to safe drivers.
Automobile insurance pricing will become personalized and dynamic, shifting from being partly based on geographical zones and a forecast of miles driven to observed driving behavior, driving distance, commute route patterns and risks associated with those routes. As an increasingly large number of vehicles are connected to the cloud, more drivers will opt for this type of real-time, usage-based coverage.
Smart homes and buildings
The use of IoT technologies is beginning to transform homeowners’, renters’, workers’ compensation, commercial and general liability insurance.
In the home, connected, smart smoke detectors already help alert security monitoring firms to potential risk of fire. Insurers can offer discounted premiums in exchange for access to IoT home monitoring capabilities (such as smoke and leak-detection sensors) that can reduce the risk and scope of preventable loss. The sooner the homeowner is alerted to an event, the greater the likelihood of keeping damage to a minimum. That results in fewer costly claims for insurers.
Home security monitoring using cloud-connected video cameras and IoT perimeter sensors not only provides a sense of safety and security for the homeowner or renter, but also reduces the risk of burglary and improves the odds of recovering stolen assets.
Of course, the use of IoT sensors to protect assets extends beyond homeowners’ insurance to commercial use cases. Smart commercial facilities, such as office buildings, factories, stores and warehouses, will do more than just controlling lighting and building temperature. These facilities can utilize sensors to monitor valuable assets, detect fire, smoke, earthquakes and hazardous environmental conditions. When integrated with real-time worker notifications, such IoT connected sensors will be able to provide proactive alerts on a variety of dangerous conditions, protecting people as well as property from potential harm and loss. Companies that employ such technologies and are willing to share data with insurers will benefit from a safer operational environment and lower insurance premiums.
Health and fitness
Healthcare insurance providers are starting to gather health and fitness data — with the permission of their customers — to offer promotional programs that encourage good health maintenance practices. The emergence of connected wearable devices that provide personal health-related telemetry promises to usher in a new era of proactive health monitoring and maintenance.
These wearable technologies will have an impact not only on health insurance, but on disability, life and workers’ compensation lines as well. Individuals, employers and carriers all stand to benefit from gaining a better understanding of health-related risks in order to improve premium pricing and reduce costs of claims.
Just as nonsmokers receive preferentially priced health insurance premiums, active individuals may soon be able to receive such benefits. IoT devices will also be able to assist physicians with improving drug regimen compliance. Emerging smart pills contain ingestible sensors that can report when the pill has actually been taken by the patient. Patients who comply with their drug regimen may be at lower risk for adverse healthcare outcomes.
These are just a few examples of IoT’s potential beneficial impact on the insurance industry. But these benefits are not without their challenges. For insurers, one of the biggest challenges will be ensuring robust data security and privacy. Highly personalized insurance will require gathering, storing, processing and analyzing personally identifiable customer information. That data must not fall into the hands of cybercriminals. The costs of such a breach can be significant, including regulatory fines, lawsuits, damaged reputation and loss of trust.
Acquisition and analytic processing of the IoT data are additional significant challenges. Insurers will not simply be collecting and analyzing more data than they ever have; they must also collect and analyze that data in near real time to insure that the operational insights generated can be used to prevent or reduce loss. Traditional insurance companies will require a major upgrade of their IT capabilities to add real-time operational intelligence to their arsenal. Such operational intelligence will require acquiring advanced skills in technology areas such as IoT networking, cybersecurity, cloud computing, big data analytics and artificial intelligence. Finally, it will take time to blend the insurance domain knowledge of traditional underwriting professionals with the knowledge of professionals who are experts in emerging IoT-related technologies.
The good news is that most insurance companies are actively preparing to transform how they do business. The IoT-connected world will change the way both insurers and insured think about preventing loss and managing risk — largely for the better.
Security and privacy are at the root of serious fears about personal information, especially in the IoT space, where remote system hacks become cyberinvasions that impact the physical world. Just look at what happened with Jeep and the Krebs on Security blog. These fears spell trouble for IoT if companies don’t address security concerns and build out a secure IoT infrastructure quickly — indeed, 90% of consumers already express a lack of confidence in the security of IoT devices.
As IoT-related technology is integrated deeper into daily life in the form of fitness wearables, smart home devices, autonomous vehicles and even tracking chips for household pets, it’s up to industry leaders and policymakers to ensure the well-being of the consumer in this smart future. To do this, we must prioritize an aligned IoT framework by keeping the ethics around algorithms and access; values around privacy, security and ownership; and the common reference architectures that protect and build trust with consumers in mind.
IoT ethics: Algorithms and access
By 2021, 40% of new enterprise applications from service providers will include AI. As a result, IoT is set to grow rapidly as scaling costs decrease, and IT and operational technology become more connected. In developing the algorithms that fuel these proliferating IoT devices, enterprises must be cautious of algorithmic flaws and distribution of IoT access.
Industry leaders must be attentive to the reactions and outputs produced when programming IoT algorithms. As the IoT ecosystem becomes increasingly complex, algorithms will be more prone to flaws like exposed biased logic, inaccurate judgments — even security weaknesses allowing manipulated inputs to produce false outputs. If algorithms produce prejudice results that affect consumers, IoT technology will not be trusted.
If IoT progresses according to plan, society will experience tremendous benefits – 61% of consumers predict that increased automation and AI will prompt reduced motor accidents and deaths, safer workplaces, better patient monitoring and more. With these great benefits, industry leaders and policymakers must work together to ensure that all members of society receive these benefits, not just people and areas who can afford to implement IoT into their daily lives.
A strong ethical standard will motivate companies to design smarter and more inclusively to avoid algorithmic issues and ensure global connectivity. When it comes down to it, every company is responsible for maintaining an ethical IoT foundation or else consumers will deny access to their information — resulting in a data deficit for companies. To get this right, leaders must consider the capacity of their IoT technology and how they can expedite access worldwide.
IoT values: Privacy, security and ownership
In addition to developing a code of ethics, IoT should be built on three core values: privacy, security and ownership. IoT devices must retain a certain amount of privacy when processing data and have security measures built in. Ownership of data must also be established clearly for consumers to feel comfortable with integrating IoT into their daily lives.
More precise and extensive data is being recorded through IoT, but customers don’t want their private information scrutinized, monetized or shared without their knowledge. When it comes to storing information and content, 67% of consumers choose to save locally on their device over the cloud. To gain IoT trust and mitigate hesitations, blockchain technology should record and protect the exchanges that contain data. Through these exchanges, consumers could track and maintain ownership over data they want to keep private or secure.
With data ownership, policymakers must be able to determine who holds the rights to IoT data. Wearable manufacturers could sell consumers’ information and impact insurance, credit scores or jobs. By devising policies on data collected within their districts around privacy, security and ownership, policymakers would have those policies travel and expire conjointly with data. Consequently, quantity will be maintained, and concerns will be alleviated.
IoT common reference architectures
After addressing ethics and values around IoT, a clear next step is to discuss and agree on common reference architectures for building out IoT technology. A reference architecture establishes all of the components which are required to implement a complete IoT service. Several organizations, including the Industrial Internet Consortium and the Plattform Industrie 4.0, are making efforts to align the industry. Establishing common reference architectures comes with many benefits for governments, enterprises and consumers to build trust, security and experience. Without common reference architectures, large-scale IoT adoption will take longer and expose businesses and consumers to greater risks.
Of businesses surveyed, 61% think that enterprises should be responsible for securing data at each stage of their journey, and currently, private and public enterprises and policymakers are collaborating on a secure IoT infrastructure. Together, they have explored decoupling data, blockchain technology, securing end-to-end layers from the edge to the cloud and more. By securing IoT frameworks, future developments will have protocols to reference. Subsequently, all socioeconomic levels will benefit from IoT much faster, creating a digitally connected world.
These ethics, values and common reference architectures will set the tone for enterprises creating a smart future. This is already happening at the Center for the Fourth Industrial Revolution, where numerous tech leaders have partnered to use IoT technology to create a safe, connected and sustainable future. Protecting workers from potentially dangerous work environments, providing society with advanced health monitoring devices, and simplifying daily tasks with smart home technology are all great contributions — but these advances should not be made at the expense of security and privacy.