By Karen Rose, Senior Director of Strategy & Analysis at Internet Society and Scott D. Eldridge, Principal of Cam & Sprocket LLC
The Internet of Things promises new opportunities for innovating products and services, harnessing customer and business intelligence and optimizing internal operations. It also comes with challenges and risks that businesses must manage.
From wearable fitness monitors and building automation systems to self-driving cars and entire “smart city” concepts, products and services are being integrated with data communications features like never before. The Internet of Things (IoT) is promising to transform the way we live, work and play. The projected impact of this IoT revolution on our world and economy is nothing less than impressive. In fact, some analysts predict there will be as many as 100 billion connected devices online by 2025 with an economic impact of as much as $11 trillion globally.
Although connected consumer goods have received the lion’s share of attention, businesses and industries of all types are considering how the IoT can drive product and service innovation, harness business intelligence and optimize operations. But what really is the IoT? How does it create value? And what are some of the challenges and risks that businesses need to manage in adopting IoT technology?
At its heart, the term IoT refers to the extension of communications and computing capability to objects, sensors, devices and other items, allowing them to generate and exchange data that can be mined, analyzed and combined in powerful back-end systems. The key transformational power and value of IoT comes from the ability to gain intelligence and insights from this data and harness it to create new applications, services and operational efficiencies.
The buzz around IoT is relatively new, and yet, the basics of the technology have existed in commercial and business settings for decades. Precursor Radio-Frequency Identification (RFID), remote sensor technology and custom machine-to-machine (M2M) systems for applications such as inventory control, asset tracking and remote monitoring, laid the foundation for the modern IoT revolution. The widespread availability of wireless and Internet connectivity, the miniaturization of technology and advances in data analytics have simply made it cheaper and easier to connect smaller components to achieve more powerful capabilities.
Enabled by advancements in data analytics, low-cost data storage solutions and cloud computing, companies using IoT can gain insight into their own business operations as well as how customers use their products. For example, companies are looking to integrate IoT technology into products to garner more detailed information on how they are used by customers and perform in the field. This offers unprecedented knowledge and specificity of how the customer uses the product, providing data to guide future product designs, market new value-added services — such as predictive maintenance and remote service management — and create targeted advertising.
In terms of business efficiency, IoT-enabled systems promise to reduce cost and streamline operations. For example, IoT-enabled environmental control systems for commercial facilities are the norm for many new building developments and industrial construction projects. Similarly, IoT technology is being widely implemented in fleet vehicle management systems, production and warehousing operations and in optimizing capital asset use and tracking. Many future opportunities will come from transforming legacy systems by adding IoT capabilities and data analytics for deeper insight into operational efficiencies.
Managing IoT Challenges
Although IoT can create considerable opportunities, adoption of IoT comes with potential challenges that must be managed. Ensuring the security of IoT systems and the data they generate is at the top of the list and should not come as an afterthought.
Poorly secured IoT devices and services can be used as entry points for cyber attacks and can expose user data to theft if related data communications and storage are inadequately protected. By their nature, IoT systems establish connections between devices that are operating in their environment and the networks and data systems used to communicate, analyze and store data. That chain of systems, from the device itself through to back-end data systems, can be tantalizing targets for a wrongdoer seeking to exploit vulnerabilities. Businesses producing or adopting IoT should evaluate each system’s potential vulnerabilities along this chain.
When thinking about security in IoT or information technology more generally, it is important to recognize that there is no such thing as perfect security. Security will be a function of how businesses assess IoT security risks and the efforts taken to mitigate them.
A proactive security approach is needed to effectively minimize security risks while balancing the benefits of this technology. Corporate information security teams should consider a detailed assessment of the individual risks each IoT device and system exposes along with the likelihood and potential impact of possible security breaches. For example, systems with insecure and poorly protected data streams can expose corporate and customer data to Internet snoopers and can be entry points into other corporate systems. A compromised device on a network might also be programmed to do harm to itself or inflict damage on other devices across corporate data networks and even the broader Internet at large.
Overall, IoT security depends not only on how well companies manage their internal risks, but also how they manage security risks their systems may pose to others. For smaller companies short on internal IT expertise, it may be useful to engage IT security professionals to help evaluate systems and create IoT security plans.
Privacy concerns can be an especially challenging proposition for businesses looking to take advantage of IoT technology. By design, IoT devices frequently collect data about people. Devices and sensors could be monitoring and sending information about someone’s behavior, geolocation and movements, personal preferences or other sensitive information, and doing so without the knowledge or consent of the people being monitored.
These types of IoT applications can violate a person’s sense of privacy, resulting in upset customers and loss of business. Furthermore, indiscriminate data collection by IoT devices may run the risk of violating privacy laws or data protection regulations in certain jurisdictions. Companies operating overseas should be aware that many countries have strict data protections that apply to devices that collect personal data about their citizens as well as the transmission of such data across borders.
At a minimum, businesses developing and deploying IoT systems should ensure their data collection and use practices are open, transparent and understandable, and comply with applicable laws and regulations. IoT systems and services should also be selective about what data is collected, stored and transmitted about individuals and ensure that adequate security safeguards are in place to protect that information. Furthermore, ensuring privacy is not simply being careful about the data IoT devices are collecting. The use of data correlation techniques in conjunction with IoT data to characterize individual behavior and preferences may also violate expectations of privacy.
Overall, businesses should seek to develop IoT data strategies and practices that not only comply with laws and regulations, but also protect and respect privacy across a broad spectrum of expectations.
In addition to IoT security and privacy issues, businesses should be aware of potential interoperability and integration challenges. Products and services in the IoT market today are built to a diverse range of competing standards and proprietary technical solutions. As a result, many devices do not interoperate across platforms, which can significantly increase the cost and complexity of implementing and integrating IoT systems and lead to business continuity issues when vendors are not able to continue support for specific platforms. In fact, a recent report by the World Economic Forum indicates that lack of interoperability is one of the greatest barriers keeping businesses from adopting the technology.
Although a number of industry forums and standards organizations are working to rationalize the space, it will likely be some time before clear, market-leading solutions emerge. In the meantime, the market is starting to address this challenge in the consumer IoT market with the arrival of hub devices that bridge the different standards used by IoT products. However, the suitability of this bridge approach for business and industrial applications remains an open question.
When considering IoT deployments, businesses should assess the compatibility of products and services and the extent to which systems integration is a priority. Vendors should be asked about the technical solutions their products and services employ and the extent to which they use open, interoperable standards versus proprietary solutions.
Maximizing the Opportunities
The Internet of Things is happening now and promises to bring new opportunities for businesses to innovate, create new business models and service offerings, and optimize operations. Ultimately, the key to maximizing the value of IoT will depend on how companies capitalize on the opportunity for transformational change while managing the challenges associated with implementing new technology and business processes.
Businesses should keep these practical security points in mind with respect to IoT devices:
- Evaluate the extent to which the data streams from IoT devices are encrypted and authenticated. Strong encryption and authentication practices provide a first-order defense against theft of data, making IoT devices harder to penetrate.
- Consider partitioning IoT device data traffic onto networks separate from the ones that carry other corporate and customer information. This can help reduce the number of vulnerability points into corporate systems.
- Know the connection capabilities and features of the system. Certain IoT devices can automatically connect and communicate with other devices without the user’s knowledge. It is also possible for some IoT devices to be directly connected to the Internet without being shielded from intrusion behind a hub or firewall, which may increase their exposure to cyber attacks. Carefully consider how IoT devices with direct connections to the Internet are monitored and managed.
- IoT devices and services should be upgradable over the span of their lifetime. Devices that aren’t may become vulnerable and used as stepping-stones in attacks against the device itself, the local infrastructure or the Internet at large.
Questions Worth Asking
In order to be successful in deploying IoT products and services, companies need to invest time investigating them before integrating them into their business. Some critical questions to ask include:
- How much effort is required to integrate the devices together with your back-end data systems?
- Are the devices and related data streams sufficiently secure to protect your business interests, including corporate and customer information?
- Are the devices flexible enough to be reconfigured and updated as your business grows and needs change?
- Do the manufacturers or services providers collect device usage data about your business or your customers? If so, how do they use this data and do they share it with third parties?
- Do the IoT systems you are considering use interoperable standards or proprietary technical solutions? How does that impact reliance on single suppliers and business continuity?
More information about IoT can be found in the Internet Society’s recent paper: “The Internet of Things, An Overview: Understanding the Issues and Challenges of a More Connected World.” www.internetsociety.org/doc/iot-overview
Karen Rose is Senior Director, Strategy & Analysis at the Internet Society, a global non-profit organization dedicated to advancing the open development and evolution of the Internet around the world.
Scott D. Eldridge is Principal of Cam & Sprocket LLC, a technology and information privacy consultancy.