As industry experts project a continued explosion in the number of IoT devices connected globally, security remains a hot topic — at least partly because of the significant challenges it brings. Despite IoT being a relatively new industry, there have already been many high-profile security breaches. Perhaps the biggest example to date is the Mirai botnet in 2016, where thousands of devices, such as cameras and DVR players, were infected and a massive denial-of-service attack was launched. The attack affected major services on the internet, including many leading brands like Twitter, The Guardian, Netflix, Reddit and CNN.
Given the severity of this and other breaches, unsurprisingly security remains one of the top technical barriers to IoT implementation success according to a survey published by Gartner in 2018. Undoubtedly, insecure devices and related breaches can result in lost revenue, brand impact and liability for manufacturers and distributors. And, for some IoT applications in areas like healthcare, critical infrastructure and automotive, even human safety can be at risk.
Identity is key to security
IoT brings a new and intricate scale to securing devices as deployments can be large and distributed, and often include mobile devices. Although security remains at the forefront, the industry is still largely grappling with how best to secure IoT deployments. Deployments often undergo a complex manufacturing process with multiple steps and potentially many production lines. Because of these complexities, security is perceived to be difficult, often falling low on the agenda. And as manufacturers are driven to get products to market quickly to maintain a competitive edge, security is often deprioritized instead of ideally being built in from the start.
As a result, the IoT security discussion takes many forms, involves many possible components and still includes a fair amount of confusion. However, underpinning all IoT security schemes is one fundamental requirement: the essential ability to identify devices and services and ensure that they are, in fact, who or what they say they are. This seems simple, but can be detrimental to the protection and governance of an IoT ecosystem if overlooked.
A device identity can take a number of forms; sometimes developers use a piece of information that already resides in one of the existing components, for example, a network MAC address or serial number burned into a microprocessor, or even worse, a hardcoded password compiled into the firmware. These sorts of identities aren’t very secure, are easy to spoof and can’t be used to either guarantee the identity of a device or to secure communications between the device and a service.
Managing IoT complexity with a PKI
To enable a truly trusted ecosystem, each device must be authenticated with an embedded and cryptographically provable identity. If you can’t trust the identity of the device, then you can’t trust the data you receive from the device. This is where public key infrastructure (PKI) comes in. The main purpose of a PKI is to manage keys and certificates that are used to enable trusted infrastructures by enabling parties to mutually authenticate, to transmit data securely between each other and to prove that specific data genuinely came from the party that it claims to have come from. The same elements of trust are required to secure IoT. We need to trust that each device is the one it claims to be and that the device is talking to the appropriate service — both components want to know the communications between them are secure and that there has been no data tampering.
Once a device has a trusted identity, then all the other services and communications from it can be protected. For example, on a medical device, the personal health data being transmitted is sensitive, so it is important to encrypt the communications such that only the authorized healthcare provider can decrypt it. Those encryption keys can be delivered as part of the device’s identity.
Options for implementing a PKI
Fortunately, there are several options for including this critical element of the IoT security puzzle. Many traditional PKI services are available or you may decide to build your own.
Many traditional PKIs were designed to support the delivery of certificates for websites to secure SSL or to deliver employee credentials enabling access to certain services — for example, only managers can access payroll data — to enable VPNs providing secured communications or managing building access control. PKI providers typically haven’t needed to design their infrastructure to scale to the levels required for delivery into IoT. IoT deployments can scale to tens or hundreds of thousands of devices at a time, such as CCTV cameras covering a large metropolitan area. Traditional PKIs also may not support the delivery of custom secured payloads, like secure applications, XML files or other data structures as per your security model. To be sure to choose the right provider, look for one that specializes in delivering device identities.
What about running it yourself? It’s possible, but it’s hard to get right and you are better off leaving it to the experts. There are complexities around running a PKI that require careful consideration. It not only requires a lot of infrastructure, including servers and hardware security modules, but also physically secure data centers with access control and policies. People need to be vetted and processes need to be put in place to ensure no single person can gain access to the keys.
So, now that you know the secret, the most important aspect of any IoT security scheme is that it’s built on the concept of a trusted identity. As identity underpins everything else, it needs to be included in the design from the start, and it should be built on proven trusted technology.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Amazon Prime devotees may not pay much attention to the by-the-minute, step-by-step updates to shipping statuses they can access about their purchases, but this is proof of the triumph of IoT writ large in everyday life. IoT has changed how goods are brought to market, and it has the potential to change the future of mobility even further.
A central component to economic growth is the movement of goods and people. As demographic shifts change where people live and work and the world’s population become more urban, strong transportation networks will be key to continued growth and prosperity for all nations and will have a blunting effect on inequality. IoT can help bolster the resilience of these transportation systems by offering real-time monitoring, adjustments to optimize the flow of goods and people, automation of some services and predictive analytics that can anticipate future needs. These efficiency gains will be all the more important because simply building more infrastructure will not solve the problems posed by rapid urbanization, lack of hierarchical roadway systems, increased motorization, poorly maintained or inadequately built infrastructure and a lack of overall resources. The future of mobility must include IoT capabilities that allow for the monitoring, regulation and logistical support to make a transportation network truly resilient.
Recent research by my colleague, Mariyam Hasham, shows some of the best uses of IoT can already be seen in transportation and logistics companies, where IoT applications are used to track and trace, for network efficiency and to reduce idle time. Real-time monitoring allows for better asset maintenance, and the use of predictive analytics can speed up turnover in supply and demand chains. For transport and logistics companies that have supermarkets and other retailers with a high turnover of goods, the benefits of just-in-time deliveries made possible by IoT reduces overheads and ensures optimum freshness of products. For customers who order a product online, 88% expect to have the ability to track their order from time of purchase throughout the shipping chain until final delivery.
Organizations that manage a fleet can take advantage of IoT capabilities such as intelligent dispatching, real-time incident response and asset monitoring. The logistical complexity of managing vast fleets across multiple countries and supply chains can be simplified by combining IoT applications that provide wide real-time monitoring. This leads to fluidly interconnected business systems, but that allow for customization to meet specific fleet and customer needs. For example, transportation and logistics companies that transport perishable or fragile goods can use IoT technologies to continuously monitor and adjust temperatures without human intervention. This reduces costs through spoilage or contractual failure.
By implementing IoT technologies, transport and logistics companies make their supply chains more resilient, improve their customer interactions, reduce costs and improve their efficacies. Additionally, these initial IoT systems will create the groundwork for city-wide systems that enable driverless cars, improved public transportation systems and a coming revolution in mobility services.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Concerns about security continue to hinder the adoption of IoT devices. Enterprise customers indeed are interested in buying more IoT devices, but only if vendors can provide better security for them.
Bain & Company conducted research into the attitudes of enterprise buyers about cybersecurity and the internet of things, and we found that executives would buy, on average, 70% more IoT devices for their systems if cybersecurity concerns were addressed, compared with what they would buy if the status quo remains. Additionally, 93% of the executives we surveyed said they would pay an average of 22% more for devices with better security. Bain estimates that improving security for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion in 2020.
For IoT device vendors — companies that make IoT devices as well as those that provide related solutions — the message is clear: Improve security to gain a competitive edge and expand your market.
Most executives we surveyed (60%) said they are very concerned about the risks IoT devices pose to their companies — not surprising, given the damage that an IoT security breach can cause to operations, revenue and safety. When poorly protected, IoT devices can allow access to enterprise systems, resulting in large data breaches. For example, in January 2018, a Mirai malware variant called Okiru targeted ARC processors embedded in billions of IoT products.
Executives who manage security say they want technologies that are highly effective, easy to integrate and flexible to deploy. Companies take a range of approaches to meet their security needs based on their capabilities and the availability of marketplace mechanisms from vendors. Only about a third of IoT cybersecurity systems used today are from IoT device vendors, indicating that vendors either are not offering holistic, high-quality technologies that meet consumer needs or are not promoting them well enough. Our research found that companies with the most advanced cybersecurity capabilities rely more on internally developed security mechanisms, not only because they may have more complex needs, but also because they are more likely to have the resources to develop their own technologies. As might be expected, companies with ad-hoc security capabilities have the most gaps across all IoT layers that we tested, including access interface, applications, data, hardware and operating system, network and operations.
We also looked at how companies deploy technologies by layer of security, and found ample opportunity for IoT device vendors at every layer of the stack. Our survey shows that the access interface layer has the greatest level of protection, whether internally developed or provided by a manufacturer or third party. Other layers of the stack are protected by more internal systems — or, in some cases, none at all.
IoT device vendors and ecosystem players that move quickly to improve the security around IoT devices are likely to reap rewards, both from their ability to earn a premium and from an expanded market.
First, manufacturers need to understand how customers are using their devices. Refreshing their understanding of customer use cases every 12 to 18 months will allow them to stay on top of evolving security requirements and identify unmet needs. Ascertaining the average cybersecurity maturity level of their customers will help manufacturers invest in the appropriate out-of-the-box and add-on systems.
Second, manufacturers should provide cybersecurity capabilities on the device and, when possible, partner with trusted cybersecurity vendors to offer additional systems. Engineering teams should embed secure development practices into the software and hardware components of the device, and provide inherent technologies for the access interface, apps, data and device layers.
Third, manufacturers also need to meet quality assurance thresholds and be able to certify that their IoT devices are free from known vulnerabilities. This would mitigate a major pain point for customers, who sometimes install new devices without realizing they contain vulnerabilities. Deploying a more methodical process to identify and remove vulnerabilities across layers, or engaging third-party vulnerability scanning and penetration test firms, can help manufacturers meet this bar.
Finally, manufacturers can fulfill their obligations during the warranty period by continuously testing for new vulnerabilities and by providing software and firmware updates, as well as feature and functionality upgrades for out-of-the-box and aftermarket systems. Delivering updates to firmware, operating systems and applications in response to newly discovered security vulnerabilities should remain a top priority throughout the warranty period.
These four steps are a start, though by no means all it will take to begin addressing the security concerns that are holding back IoT device adoption. While growth in IoT markets seems destined to continue its inexorable march, many enterprise customers will continue to move cautiously until they can gain some reasonable assurance of security — not only of their data, but also of the operations that increasingly rely on devices, sensors and IoT.
This article was co-written by Ann Bosche, a partner with Bain’s Global Technology practice, and Frank Ford, a partner with Bain’s IT practice. Ann is based in San Francisco and Frank is based in London.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
A mere buzzword a few years ago, IoT has come to define modern technology: digital, smart, connected. From watches to vehicles and from homes to entire cities, our world is becoming smarter and more connected by the day.
However, IoT’s promise of a more convenient, more efficient future comes with drawbacks. Smart devices don’t always live up to their name. While they are smart at doing what they were designed to do, most are lacking when it comes to peripheral areas — security in particular.
In recent years, the IoT ecosystem has become a hot target for bad actors, affecting everyone from consumers to critical infrastructure. The healthcare sector in particular has become a lucrative target, not only because it’s one of the most IoT-centric industries, but also because it handles the most sensitive data: personally identifiable information and health data. Protecting medical IoT gear is tough, because embedded devices don’t support individual security agents. So how, then, can we protect medical IoT products?
Lack of security puts lives at risk
Frost & Sullivan estimated IoMT devices will number between 20 and 30 billion by 2020, and will be used for anything from remote patient care to hospital operations to interoperability and data management.
These devices have embedded operating systems, which means they usually don’t allow third-party software into the OS or, even worse, can’t be patched. As IoMT devices proliferate beyond hospital grounds, connected medical equipment used in homes and even in human bodies has become vulnerable to attacks.
Medical IoT security incidents are on the rise, according to the 2018 HIMSS Cybersecurity Survey. A study by Netherlands-based Irdeto goes even further, showing how organizations in transportation, manufacturing and healthcare have suffered substantial losses due to IoT-related incidents. According to the report, such incidents cost on average more than $330,000. Of the 700 enterprises surveyed across China, Germany, Japan, UK and the U.S., 80% admitted to suffering an IoT-related cyberattack in the past year. And almost half of respondents said they need additional expertise within the organization to address all aspects of cybersecurity. More worrying is the fact that 82% of organizations that manufacture IoT devices are themselves concerned that what they put on the market is not adequately secured against potential cyberattacks.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently issued an urgent notice that researchers found a potentially deadly flaw in cardio defibrillators equipped with wireless functions.
Patient data is a hot commodity
The dangers don’t stop at the hardware level. IoMT devices frequently access healthcare networks, expanding the attack surface for criminals to steal electronic medical records and other patient data. Cybercriminals then use the data for monetizing because it is especially lucrative in fraud and extortion campaigns.
As IoMT devices continue to proliferate, and with it the potential for attacks and network breaches, healthcare organizations must be prepared to monitor and detect threats for thousands of endpoints. This means an additional challenge of ensuring the best security posture along with meeting stringent compliance measures.
Catching attackers in transit
The inability to install security reporting agents on individual IoT devices has brought to light a serious issue: Attacks are typically detected when it’s too late. This challenge has given birth to a new category of security mechanisms expressly designed for individual and networked IoT devices. These systems use network traffic analytics (NTA), a technology that lets IT admins detect anomalous network traffic behavior they would normally have missed without the need to install an agent.
The technology is well suited to healthcare environments where IT staff is limited and the specialized skill set of a cybersecurity analyst may not be among the ranks.
The value of NTA is two-fold. First, it identifies and reports what looks like anomalous network traffic without any agents installed by non-intrusively taking a copy of the network traffic for analysis. Second, it focuses on the network traffic metadata without the need for deep packet inspection, thus providing insights into all traffic — regardless if it’s encrypted or not. This also means NTA meets the compliance requirements of GDPR, HIPAA and the like, allowing logs to be stored for future forensics analysis.
Perhaps most importantly, NTA automates the process of security incident triage to accelerate investigations and reduce the number of trivial alerts, addressing the ongoing issues associated with alert fatigue that so many IT personnel face. It uses machine learning models trained in complex scenarios to correlate thousands of events and report anomalous traffic with high accuracy. Additionally, NTA provides detailed explanations for the incident severity score and recommends remedial actions to speed up incident response.
Whether you’re a small medical practice or a state-level healthcare institution, an NTA-based security tool dramatically reduces the risk of exposure to your IT infrastructure, sensitive medical equipment, patient data and even patient lives from the increasingly sophisticated online threats.
IoT is the Rubik’s Cube of business technology. Every company’s playing with it, a few are starting to nail it and many are stuck rotating through possible solutions that aren’t really panning out.
As with the confounding cube, learning the experts’ secret tricks will increase your chances of succeeding time after time.
The foundation of solving the IoT puzzle is this: Both the starting point and ultimate objective are the use case. A use case is a list of actions spelling out how a person and system(s) accomplish a particular goal.
At the outset of any IoT assignment, we invest ample time working through the use case with clients using this tripartite focus: people, systems and goals. Then we dig into our bag of tricks:
First, convene all the players. One of the biggest mistakes businesses make when they launch IoT initiatives is focusing too little on the people part of the use case. Every initiative should start with people. When you’ve identified the broad outlines of a use case — say, your company wants to better manage its truck fleet — get everyone involved in the room and ask them to share their dream scenarios for connectivity, insights and actions.
The fleet manager will want to know where the trucks are at a moment’s notice. The CEO will want to be able to tell how much money the fleet is making or losing. Maintenance will want to know what trucks need to be fixed when and where the parts are. Customers will want to know where their delivery is and when it will arrive. Drivers will want to know their schedule, performance versus their peers and how they’re faring on incentives. The CFO will want to know about extra capacity in the fleet. Customer service will want to know about breakdowns and ETAs for getting back on the road. The list gets long, which is a good thing: Potential uses equal potential business gains. You can prioritize later.
Second, create personas. The brainstorm is just the start. As you refine your IoT plan with your core team, create personas — fictional identities — for all the stakeholders, including those outside your organization, who would conceivably touch the things, data and insights in your IoT system, and who will take or feel the actions. Visually map personas to every use case you put on the drawing board. In the corporate truck fleet, that group would probably be the people mentioned above plus truck manufacturers, insurers, lawyers and logistics experts, for starters.
Third, be sure to span departments. Let’s say the truck fleet is owned by a city, and its fire department needs a big vehicle to block Elm Avenue commuter traffic during a fire. The best-placed available truck with an on-shift driver might be in public works, sanitation or parks and rec, or it might even be a school bus. Make sure your IoT use case spans all the departments, because an asset is an asset no matter whose name is on it.
Fourth, think of your IoT endeavors in terms of a platform first. You may not see it yet, but your business will have as many use cases as it has roles and functions inside the organization. That means you’re better off with an approach that is inclusive and flexible instead of narrow and tech-specific. Ideally, the goal is to create platforms for your things that can consume data in any form and share it via any device. Too often, companies handcuff themselves by building a project around one use case and one proprietary technology. The organization can’t extend, scale, modify or sustain the app, and not surprisingly, there’s negligible return on their investment.
Fifth, keep your eye on the KPI and the ROI. The ideal first IoT project is one with a high potential return on investment, but that’s simple enough to get done. Once you ace a simple project, you can go bolder and more complex. When you do choose a concept, apply numbers to everything, including expected cost, savings, revenue, operating efficiency, customer experience value and so forth. Every use case implies a set of quantifiable key performance indicators that will yield actionable insights. It’s critical to identify those KPIs.
Finally, plow your insights back into the business. In your early planning stages, your concept must show the data you capture being re-ingested by people inside the organization, either to drive the actions of a user or do something on the back end, for example, initiate a repair ticket. If you’re capturing data and not using it to make your people smarter and better at what they do, then it’s not a viable IoT use case.
These tricks — which admittedly smack of common sense — will help anyone more quickly solve the puzzle of IoT, whether you’re managing a smart truck fleet, factory, store chain, health care operation, workforce, energy grid or city.
And soon, as with the multicolored cube that used to be so perplexing, everyone will be getting it right.
All entrepreneurs dream of the moment when their startup becomes a unicorn. Every startup craves the unexplainable valuation that is gifted to companies that burn through cash but continue to attract and retain investors. Every employee imagines the moment his company rings the bell at the New York Stock Exchange and his equity stake triples in value in a single day.
The climb to unicorn valuation is shrouded in mystery — and some would say covered in clouds. But one component of unicorn valuation that should be the obsession of every leadership team is the contribution from one of the financial world’s most underreported intangible assets.
The growth of intangible assets on corporate balance sheets
Intangible assets are those that are nonphysical, but identifiable. Examples include patents, copyrights, licensing agreements and even website domains. Intangible assets, with the exception of goodwill, can be bought and sold independently of core business revenue products. Historically, tangible assets, including cash, inventory, investments and even real estate, were the majority of the components of any company’s balance sheet. But I recently discovered a Forbes article that made a dramatic claim: “Intangibles have grown from filling 20% of corporate balance sheets to 80%.” This is a trend that will continue because most companies do not yet include what should be, and what already is for many, one of the most highly valued intangible assets: data.
Warning! Data swamps ahead
In every industry, the value of data is skyrocketing, and it will soon become a common practice to include the value of this intangible asset on every company’s balance sheet. The path to unicorn valuation gets a lot shorter if this invaluable intangible asset is monetized correctly. Collecting massive volumes of data spanning customer information, operations and supply chain, product development and delivery, and financial and industry trends is a key first step. But when that first step leads to a data swamp, that asset becomes a liability, especially in the face of data privacy and regulatory expectations. Architecting a unified and executable strategy — that word executable is very important when companies get distracted by “free” open source software — is the fork in the road between a highly valued intangible asset and high-risk liability. Analyzing the data without limitations on volume, without compromises on speed, and without well-built bridges between data repositories is not easy, but it’s mandatory.
Short-sighted data brokers miss out on major windfalls
Given the challenges of an executable unified analytics strategy, the first thought that many enterprises have when they seek to monetize their data is to sell it. Data brokering is a relatively straightforward way to add a revenue stream and monetize data. But truly data-savvy companies know that selling their most valuable asset is short-term thinking at best. Consider a company like Netflix, which knows so much about what each of us watches, our interests, the timing of our watching, the keywords and genres we search for and so much more. That data is obviously valuable to many other companies, but Netflix knows that using that data to better engage us all as customers, including algorithmic-driven analytics to create personalized recommendations, as well as providing guidance for its own content creation and development decisions, is the most effective way to capitalize on its data.
New revenue-generating services for auto manufacturers
Automobile manufacturers are following the same path. Tesla is leading the way, but companies like GM, Chevrolet, Ford and BMW are not far behind. The volume of data that these manufacturers are collecting today spans every component of their vehicles and every aspect of how and where and when those vehicles are used by customers. This data is easily classified as one of the most highly valued intangible assets when you consider the new services that could — and will! — be created based on this highly personalized data. Imagine a service offered by your automobile manufacturer that provides you, not your insurance provider, with data that shows your safe driving actions, including following speed limits, blinker usage and no heavy braking due to tailgating. This service is now a benefit to customers, not a threat, and it is also a net-new revenue opportunity for the manufacturer.
Increasing shareholder value by monetizing and protecting data
The balance sheet is a very simple concept. Assets minus liabilities equals shareholder value. The bigger the total asset value is, the better — unless the liability is growing as well. Big data can make a big difference on both sides of the balance sheet, but the true industry disruptors know that building the intangible asset valuation of their data puts money in their pockets and drives the greatest market differentiation.
Everyone has patents, licenses, goodwill and the standard intangible assets. But not everyone is taking action to build up what is soon to be the most valuable intangible asset: data. When I consider my own personal investment strategy, I carefully consider the indications that the company whose shares I am evaluating is focusing on both monetizing and protecting their most valuable intangible asset. Smart investors like Warren Buffett, Jeff Bezos and Peter Thiel did exactly that over the last couple of decades and their strategy clearly paid off — and paid out.
A senior executive from Ericsson recently started a discussion about horizontal IoT platforms. Horizontal IoT platforms are general-purpose platforms. They include reusable functions to support applications in many different industry verticals. Horizontal platforms look appealing in concept. However, a common criticism is that they are a distraction from immediate needs. They might also compromise on the specific needs for vertical use cases. Somehow, this implies a suboptimal solution.
The advice to solution providers from Ericsson’s Rob Tiffany was to start solving specific problems related to connected intelligence that are customer pain points. Customer pain points are an appealing way to tackle IoT applications: They capture management’s attention. They provide organizational focus. Their boundaries are cleaner, making for a straightforward business case. And, successful implementation yields immediate and visible results.
But should that be the end of the debate? No, not in a market where industrial organizations are still learning about IoT.
Keep in mind that IoT technologies cover topics that are outside the core competencies of many industrial organizations. Moreover, while near-term solutions are good, their knowledge deficit means that longer-term considerations are not even on the radar. Think of the typical IoT pilot project or the IoT solution team working on a well-defined use case. How many of them are planning ahead for second-generation requirements? How many are thinking about the need to scale up and support multiple applications? What about interoperability for cross-silo applications or opening solution stacks to partners in an extended value chain? And how about secondary uses and business models for IoT data?
Strategy is more important than IoT technology
A growing school of thought argues that organizations need to take a strategic approach to their IoT deployments, one that emphasizes horizontal capabilities. Rami Avidan, now of Deutsche Telekom’s T-Systems business unit, talked about strategy rather than technology as the critical challenge of enterprise IoT adoption. He explained the choices that businesses face. An organization will have fast results if it is selling a service that gains uptake rapidly. Conversely, if an organization is digitizing a factory, that’s not a quick fix. The work involved in deploying sensors, linking them, optimizing the data and changing the behavior of machines is a long-term process.
He also pointed out that partners, ecosystems and standardization are three critical elements in delivering viable solutions. Partners are essential because there are so many elements in delivering an IoT application; no single organization has mastery over all of the solution elements. Ecosystems represent environments where partners have laid the groundwork to collaborate. This eliminates many of the technical pitfalls. Ecosystems also provide workable commercial models and solution templates. Standardization addresses longer-term benefits by providing clear rules of engagement on technologies, notably in the area of security.
There is a broader recognition about the value of IoT standardization. Here is a recent viewpoint from Enrico Scarrone, who works for Telecom Italia Mobile and is the Steering Committee Chair of the oneM2M standardization initiative. His observations describe the impact of fragmentation and integration costs on the viability of IoT solutions. This may not matter to some companies — they will focus on commercial imperatives and use a quick, off-the-shelf solution that meets their application needs. Others companies will decide that product sustainability is more important. In this case, they will opt for a standards-based system. As Scarrone observed, there is not a default decision that works for all companies and differing product timeframes.
The consequences for purely vertical thinking, however, are to build downstream switching or systems integration costs into IoT applications. With horizontal thinking, some of those costs are brought forward in time. That probably implies a financial and time-to-market penalty. On the flip side, it encourages designers, operators and mangers to consider sustainability issues. This covers the potential to extend their IoT applications and to look for expansion opportunities arising out of cross-silo possibilities.
For companies adopting IoT concepts into their business operations, the question is whether they are in it for the short of the long haul.
In April, I wrote about the IoT-specific challenges in the government vertical. Today, I’d like to put a spotlight on the energy industry.
In the past, we didn’t really have to worry about attacks targeting our electric grids or utility plants because they weren’t connected to the internet and garden-variety cybercriminals had no way to infiltrate operations technology (OT) environments. OT networks and the devices deployed on them — industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, programmable controllers, etc. — were isolated from IT networks and, thus, the associated array of cyber-risks. Today, however, the energy industry is operating in a very different environment.
The Industry 4.0 movement, combined with the increased adoption of IP-enabled infrastructure to overcome the North American electric power grid challenges, has resulted in the convergence of OT and IT networks. No matter the form — transmission and distribution, electric or water — the energy sector relies on a vast supply chain of IT and OT from third-party providers. ICS, SCADA, controllers and other OT devices are now part of the network ecosystem. This fact alone can undermine the security posture of any environment.
While digital technologies and other network modernization initiatives can have a positive impact on the business side of the house — increased efficiency, enhanced product quality, better decision-making and an improved bottom line — it also introduces new security and compliance risks.
For starters, the convergence of IT and OT networks has dramatically expanded the attack surfaces of energy organizations; each connected device now represents a potential entry point for cybercriminals. There’s also the challenge of securing OT devices and environments that weren’t designed to support conventional security technology — because, as mentioned earlier, cybersecurity never used to be an issue. And then there’s compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements.
In response to the 1965 blackout in which 30 million customers were impacted across the northeastern U.S. and southeastern portion of Ontario, NERC was formed to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America. NERC’s CIP plan includes standards and requirements to ensure the bulk electric system is protected from unwanted and destructive effects caused by cyberterrorism and other cyberattacks that could lead to instability or power failure.
Achieving continuous NERC-CIP compliance
The U.S. Department of Energy released an August 2017 report that found seven “capability gaps” in the power sector’s ability to respond to a cyberattack on the electric grid. One of the seven identified gaps was “cyber-situational awareness and incident impact analysis.” This is still an issue today, thanks to increased network complexity and the proliferation of connected OT endpoints.
OT and IT environments are now interconnected, and devices and systems must interoperate for full functionality and value creation. This means that an energy manufacturer may be more inclined to prioritize devices that enable a smart grid, for example, based on interoperability rather than their security profile. So, the process to achieve continuous compliance starts with conducting a gap analysis of compliance management to determine what IT and OT assets it needs to protect, and the likely impact(s) that could result from compromised compliance.
In short, successful security and compliance programs require complete cyber-situational awareness — which is why it’s not surprising that this was raised as a point of concern in the DOE’s report. Achieving cyber-situational awareness can seem like an impossible task with today’s dynamic, hybrid infrastructures. But, the time and energy — no pun intended — spent on making cyber-situational awareness a reality is well worth the effort. Especially when you consider penalties for noncompliance with NERC-CIP requirements can include fines up to $1 million per day.
Avoiding these fines through continuous NERC-CIP compliance requires four key capabilities:
- Comprehensive visibility into all endpoints, assets and connections across all environments — including on-premises, virtual, cloud, OT, ICS and so forth — for an accurate understanding of the state of network infrastructure.
- Continuous monitoring of security controls to pinpoint baseline deviations, ensure that system changes do not have a significant negative impact on security, that security plans remain effective following changes and that security controls continue to perform as intended.
- Identification of critical and sensitive infrastructure components.
- Detection of events or configurations linked to adversarial or anomalous conditions for faster threat detection and incident response.
These capabilities give energy companies the agility they need to keep pace with changing NERC-CIP requirements, not to mention the ever-changing threat landscape.
Consistency is key
The benefit of comprehensive cyber-situational awareness can be summarized in one word: consistency. Energy organizations can benefit from consistent real-time network visibility, consistent change monitoring, consistent intelligence on how changes affect security and compliance, and consistent policy controls across environments.
Consistency of this nature helps energy companies maintain continuous security and NERC-CIP compliance, regardless of how endpoints move and environments change. And with these results, energy organizations can move beyond operating with a metaphorical and tactical “keep the lights on” approach to security, to a truly strategic security approach that actually does keep the lights on for millions of customers!
Today’s IT professionals must have it all: knowledge of scripting, networks, application development, artificial intelligence, architecture and more. But it wasn’t always this way, as we’re seeing the role of IT shift significantly with the proliferation of the latest technological advancements, such as cloud computing, the integration of IoT, incorporation of physical security and an increased emphasis on cybersecurity and privacy.
Incorporating physical security
Though once seen as a siloed department within the enterprise, the IT team has now become a crucial component and resource when it comes to the implementation of physical security infrastructure. With the latest technology developments in this market, including networked devices and remote monitoring, they can also bring complex technical challenges that can be mitigated with the help of IT specialists. As such, the role of the IT pro must include a working knowledge of security best practices and how technology is used to protect people and assets.
IT comes into consideration when you think about the various devices and sensors that must be integrated through an organization’s single, unified platform. A wide array of knowledge is required of today’s IT professionals as they work to achieve this in a secure fashion. The role of IT has shifted to where this level of collaboration now focuses more on data integration, with the goal of extracting the most relevant information for intelligent decision-making. IT teams help identify the right methods for achieving this convergence in an efficient and cost-effective manner.
Security and cybersecurity
Because today’s networked services are about more than just physical devices, they’ve become susceptible to cybervulnerabilities that can be best understood by the IT team. From the beginning to the end of implementation, IT personnel are tasked with identifying any holes or gaps that may leave a system open to vulnerabilities. IT leaders must ensure that the proper techniques are followed when it comes to strengthening cybersecurity, such as updating passwords, encrypting data to the cloud, automatically installing software patches and more.
Collaborating across departments requires a new level of communication for organizations, indicating a transformation in the requirement of certain soft skills. More specifically, communication skills are paramount to anyone in IT, as these individuals are required to not only work across many teams and groups, but also outside departments and contacts to integrate systems across an organization. Collaboration between physical security and IT, alongside additional outside contractors, requires strong leadership and communication skills.
The introduction of the cloud into today’s modern organization has encouraged IT professionals to evolve their knowledge and skill set to incorporate cloud-based functionality. IT professionals benefit from cloud-based services, as they reduce overhead costs, as well as physical hardware they would otherwise have to maintain — this minimizes their security footprint. The IT department must be well-versed in the efficient implementation and use of cloud-based technologies to ensure an organization’s survival with respect to ever-reducing margins.
The inherent value of an IT team is that these professionals are well-versed in the ins and outs of their companies’ current computer and technology setup. The changing nature of their role within an organization requires them to understand emerging technology and tailor it to their duties and goals while remaining up to date in the latest innovations. As these advancements change the needs of organizations, so too should the knowledge base that IT professionals possess and implement across departments.
One of the pioneering applications fueling the exponential growth of IoT in the digital era has been the rise of predictive maintenance as the poster child of IoT applications. Estimates from analysts vary widely, but the overall predictive maintenance market will grow at a rapid clip compared to any other IoT use case. With global assets under operation amounting to roughly 2.5 times the world GDP, the economic impact from effective maintenance practices can be truly transformative and extend to trillions of dollars.
In the past, maintenance was traditionally relegated the status of a support function within the realm of manufacturing and was treated as a pure-play cost center. Predictive maintenance flips this status over and elevates the maintenance function from a cost-centric role to a prime strategic role within the organization.
With the potential that predictive maintenance promises, there is an excessive hype surrounding the topic and enough content peddling the power of algorithms as a magic wand to realize maintenance nirvana.
The reality, unfortunately, is more nuanced. Predictive maintenance is not a pure-play technology gig. Predictive maintenance can be a distinct competitive differentiator — whether you are competing on cost, customer service or innovation — and can truly bring immense business value to your organization. It’s imperative, however, to peep under the hood to gain perspective on the practical application of predictive maintenance and resolve the conundrum:
- It’s all about the metrics.
- Busting the lone ranger attitude.
- There is no “one size fits all.”
- You may have a hammer, but everything is not a nail.
- The great horizontal versus vertical divide.
- It’s not just in the asset.
- Predictive is not the end-all.
- Measurement is key.
- Deployment and sustainability is the end game.
- The future beckons, so embrace it
1. It’s all about the metrics
The risk that the technology works just fine but fails to deliver the goods is quite high in the case of a predictive maintenance application. It’s easy to get enamored by a new shiny toy and dive straight in. Instead, it is imperative to begin with a clear understanding of the business goals. It is imperative to have a clear understanding of the specific KPIs that you wish to impact and more specifically by how much — for example, overall equipment effectiveness, mean time to repair, mean time between failures, on time in full, maintenance effectiveness and so forth. An overall maintenance function audit is a wise strategy in this startup phase.
2. Busting the Lone Ranger attitude
Functional maintenance specialists have a tendency to be enamored with the fruits of their toil and believe that they can alone deliver the results. This induces a siloed mentality that is counterproductive. It is imperative to bust the silos and have integrated thinking when considering a predictive maintenance initiative. Predictive maintenance is a team sport. Maintenance should work as an interdependent function and balance considerations related to other functions including production, inventory, human capital and customer service to optimize overall performance.
3. There is no “one size fits all”
Do not paint all your assets and asset classes with the same brush. Before diving deep, it is imperative to classify your assets into distinct classes, each with its own maintenance strategy suited to maximize business value. Some situations need reliability-centered maintenance for critical high-value assets, but a reactive approach may be sufficient for some simple noncritical assets. The segmentation should enable classifying assets into distinct classes, each with its own strategy but ultimately delivering the best business outcomes.
4. You may have a hammer but everything is not a nail
It is important to have an in-depth understanding of the physics of each asset and its potential failure modes and root causes. Vibration monitoring may be a great technique, but it may not be the right strategy for what you are trying to monitor, for example loose electrical connections. An effective understanding of failure modes and how to proactively preempt them through measuring what characteristics is essential. Knowing where to apply what sensing technique — thermal imaging, ultrasound, infrared, spectral analysis, vibration analysis and so forth — needs good domain expertise.
5. The great horizontal versus vertical divide
One school of thought contends that maintenance is a horizontal function and given enough historic data — hopefully labeled — smart algorithms can figure out all underlying patterns and correlations, delivering near-perfect insights without an iota of understanding on the vertical or asset class. The other school believes that an in-depth understanding of the asset, its constituent components and its functioning modes is essential to a good maintenance strategy. The reality lies somewhere in between. Having domain expertise on the pertinent asset classes and the contextual environment is definitely useful, but there is truly a bit of magic behind the data science algorithms. While they do uncover interesting and often counterintuitive insights that are humanly impossible in the end, the objective should be to balance the two perspectives to derive the most optimal value from your implementation.
6. It’s not just in the asset
Birds of the same feather may flock together, but assets of the same make and model don’t always perform similarly. An inordinate focus on just the asset data — based on sensors — can trip us up. The sensor data needs to blend with the context data — such as ambient conditions, operational environment, asset operation mode, general asset upkeep, etc. — to deliver the right insights. Context is really the king.
7. Predictive is not the end-all
According to Gartner, predictive maintenance is a strategy on a continuum from reactive to financially optimized. In that sense, predictive maintenance is a cog in the wheel that powers higher end objectives. The insights gleaned through predictive maintenance should be actionable in a sustainable way for translating them into real tangible value for the organization. The end goal is clearly either financial optimization or driving new innovative business models. Maintenance should work as an interdependent function and balance considerations related to other functions including production, inventory and human capital to optimize overall financial performance.
8. Measurement is key
Very often, strategic transformation initiatives like predictive maintenance get a bad rap for not delivering the goods. A major issue is often the lack of effective communications on the benefits achieved — e.g., by averting major breakdowns through predictive maintenance, avoiding truck-rolls, etc. — and quantifying the financial impacts. An effective baselining and measurement strategy is key to ensure that the benefits realized through predictive maintenance are adequately measured. Communicating the positive results to gain a wider traction within the organization and keep the momentum going is an imperative.
9. Deployment and sustainability is the end game
Creating standalone algorithmic models and proving their efficacy may get all the attention, but is not the end game. The real value is derived once those models have been deployed in a production context and are integrated into the business applications landscape. It is imperative to refresh models periodically to avoid model fatigue and ensure that the model incorporates new contextual information to sustain high levels of accuracy.
10. The future beckons so embrace it
Predictive maintenance is a fast-evolving function and greatly benefits from its confluence with technologies like AI and augmented reality. McKinsey forecasted productivity increases of up to 20% and reduction of maintenance costs greater than 10% through application of AI in predictive maintenance. Computer vision advancements will further enhance traditional predictive maintenance applications. Augmented reality applications will enhance maintenance worker productivity through wearables for applications like guided repairs. The era of self-healing machines is also not too distant. The field will continue to make rapid strides and it is imperative to stay plugged in and start piloting with new emerging technologies on an experimental basis.
Delivering true benefits from the implementation of a predictive maintenance program calls for a holistic perspective and requires the right blend of domain, consulting, technology and analytic skills. In summary, it’s the recipe that matters more than any one of the above single ingredients.