If you missed this year’s IoT Solutions World Congress (IOTSWC) in Barcelona, there’s one throughline that no one in attendance should have missed — the stakes for IoT security have been raised, on many fronts and by no small margin. From a flood of fresh government regulations across the world to the sheer number and diversity of “things” now coming online, IoT’s risk profile is on the rise, and the field is in desperate need of some renewed zeal around matters of security.
From the Internet of Things to the Internet of Everything
During my stay in Barcelona for the 7th IoT Solutions World Congress (IOTSWC), I was struck by the fact that all the growth and excitement around IoT that had been happening inside the Fira Barcelona center all these years had finally spilled over into the city itself. Beyond the convention center doors, little clusters of IoT technology had sprung up across the Barcelona cityscape, transforming the centuries-old Catalonian capital into one of the world’s leading smart cities in just a few short years.
Today, there are well over 19,000 internet-connected sensors spread across Barcelona, intelligently monitoring and managing everything from parking and street lighting, to trash disposal services and air-quality. Barcelona has even rolled out smart sprinkler systems in some of their public parks, which actively monitor local weather forecasts to determine whether or not they should water the grass.
Barcelona is an exceptional city in many ways, but it’s far from alone in its pursuit of civic IoT. Cities around the world are bringing different elements of infrastructure and public services online — from bicycle shares to stormwater drainage systems — seemingly by the day. By doing so, they’ve been able to cut costs, improve quality of life for their inhabitants, and support public health initiatives. There’s practically no limit to the potential IoT has for improving civic life. However, there’s an often overlooked cost that comes with each new “thing” to come online — an expanding attack surface.
If there’s one thing I’ve learned in my years in cybersecurity, it’s to never underestimate the ingenuity of threat actors. If you’re asking yourself how anything from bicycle shares to critical municipal infrastructure could possibly pose a threat, then you aren’t using your imagination enough. Take the case of Oldsmar, Florida, for example. Last year, a hacker gained remote access to Oldsmar’s water treatment facility and began manipulating the concentration of sodium hydroxide (aka lye) in the city’s drinking water, raising the concentration of the harmful chemical to over 100 times its normal level. Thankfully, the treatment facility’s operator was able to regain control of the system before anyone was harmed. However, the incident illustrates in no uncertain terms just how serious the risks of an increasingly connected world can get.
Digital Twins Come of Age
When we think of digital twins, the first thing that comes to mind is jet engines and predictive maintenance schedules for multi-million-dollar machinery. While that brand of digital twin was still alive and well at this year’s IOTSWC, it was now sharing the floor with a whole host of applications we don’t typically associate with digital twin technology — some of which have seriously upped the ante in terms of IoT security.
Chief among the game-changing applications on display at this year’s IOTSWC was the use of digital twins in healthcare. In fact, digital twin technology is already being trialed for a wide range of applications across the medical landscape. Everything from planning surgical procedures to testing the effects of medications on vital organs is being explored in clinical trials. Digital twin technology is also being explored as a means of tracking and predicting cancer patients’ health trajectories in order to inform treatment decisions and recommend timely interventions.
Traditionally, we think of digital twin technologies as operating on a one-way street. Real-world systems are scanned and replicated as a digital simulation, and information about changes to the real-world system is tracked and recreated in the digital duplicate. Increasingly, however, applications are being developed in which that one-way informational model becomes a two-way street – in which changes to the digital twin either inform or directly trigger changes to the real-world subject. As we prepare to put a fundamentally new level of trust into digital twins, organizations relying on IoT devices to enable these technologies would be wise to give a great deal of consideration to questions of data provenance and integrity – can we trust the data being used to make decisions or automate controls? Concepts like digital birth certificates (a record of the first security certification issued to a given device), device identity, and device integrity will be critical for verifying provenance and tracing vulnerabilities, all the way back to manufacturing if necessary.
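To make the provenance-and-integrity question concrete, here is an added example (my own illustration, not code from the article or any vendor at IOTSWC) of the check a two-way digital twin should apply before a sensor reading is allowed to change its state. Each device is enrolled in a registry with an identity and a per-device key, which stands in for the birth-certificate and device-identity concepts above; the device IDs, keys and readings are constructed placeholders. A reading is accepted only if it comes from a known device, its authentication tag verifies, and its sequence number is fresh; anything else is logged and discarded rather than applied.

```python
import hashlib
import hmac
import json

# Constructed device registry: identity -> per-device secret and the last sequence
# number accepted from it. In practice this would be populated at enrollment from
# the device's manufacturing credentials; the keys here are placeholders.
DEVICE_REGISTRY = {
    "sensor-0001": {"key": b"constructed-secret-key-0001", "last_seq": 0},
    "sensor-0002": {"key": b"constructed-secret-key-0002", "last_seq": 0},
}


def canonical_bytes(device_id, seq, payload):
    """Deterministic encoding so device and twin authenticate exactly the same bytes."""
    body = {"device": device_id, "seq": seq, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, seq, payload, key):
    """Device side: attach an HMAC-SHA256 tag over identity, sequence and payload."""
    tag = hmac.new(key, canonical_bytes(device_id, seq, payload), hashlib.sha256).hexdigest()
    return {"device": device_id, "seq": seq, "payload": payload, "tag": tag}


def verify_reading(msg, registry):
    """Twin side: return (accepted, reason). Only accepted readings may update state."""
    entry = registry.get(msg.get("device"))
    if entry is None:
        return False, "unknown device identity"
    expected = hmac.new(
        entry["key"],
        canonical_bytes(msg["device"], msg["seq"], msg["payload"]),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return False, "integrity check failed"
    # A sequence number that does not advance means a stale or replayed reading.
    if msg["seq"] <= entry["last_seq"]:
        return False, "stale or replayed reading"
    entry["last_seq"] = msg["seq"]
    return True, "ok"


class DigitalTwin:
    """Minimal twin: holds last trusted reading per device plus an audit trail."""

    def __init__(self):
        self.state = {}
        self.audit = []

    def ingest(self, msg, registry):
        accepted, reason = verify_reading(msg, registry)
        self.audit.append((msg.get("device"), msg.get("seq"), reason))
        if accepted:
            self.state[msg["device"]] = msg["payload"]
        return accepted


def demo():
    """Feed a good reading, a tampered copy, a replay and a rogue device into the twin."""
    registry = {k: dict(v) for k, v in DEVICE_REGISTRY.items()}
    twin = DigitalTwin()
    key = registry["sensor-0001"]["key"]
    good = sign_reading("sensor-0001", 1, {"dosing_ppm": 100}, key)
    # Same tag, altered payload: the integrity check must reject it.
    tampered = {**good, "payload": {"dosing_ppm": 11100}}
    # A device the twin has never enrolled, signing with its own key.
    rogue = sign_reading("sensor-9999", 1, {"dosing_ppm": 100}, b"unenrolled-key")
    results = [twin.ingest(m, registry) for m in (good, tampered, good, rogue)]
    return results, twin.state, twin.audit


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The point of the example is where the trust boundary sits: the twin never applies a payload it has not tied to an enrolled identity and verified as untampered and fresh, and every rejection leaves an audit entry that can be traced back to the device. Swapping the per-device HMAC key for a per-device certificate and signature is the natural next step when the provenance chain needs to reach back to the manufacturer.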
The secure provisioning, operation, retirement and repurposing of data will likewise grow in importance as the role of digital twins expands in the coming years. While a jet engine may be a complex, big-ticket item, the value of a human life goes well beyond any dollar amount. Even before we weigh the implications for data security, we must acknowledge that the introduction of applications such as those in medicine has significantly raised the stakes of IoT security.
Regulations on the Rise
I like to think of regulations as a rite of passage for successful industries. If you make enough waves, you’re bound to attract the attention of legislators, and that isn’t necessarily a bad thing. Not all waves are entirely benign, and the more influence an industry has over a region and its population, the more likely legislators are to intervene on behalf of their constituents (in a perfect world, that is).
This rule of thumb has certainly held true in the world of IoT – and now that connected technologies have become more ubiquitous and more closely entwined with the real world than ever before, it should come as no surprise that governments are looking to ensure these disruptive technologies don’t adversely impact our digital security, or even some of our constitutional and human rights. It should also come as no surprise that the European Union is leading the charge in the regulation of IoT with proactive measures aimed at preventing many of the same concerns I’ve raised in this article.
The EU has long stood at the cutting edge of tech regulation, and IoT is no longer an exception. Among the most talked-about topics to emerge from the IOTSWC this year was the EU’s new NIS 2 Directive, which will apply to medium and large organizations operating in critical sectors, including digital services, wastewater management, and healthcare, among others. Under the new regulations, organizations will be required to flag all cybersecurity incidents to authorities within 24 hours, patch software vulnerabilities, and prepare risk management measures for attacks. Those who run afoul of the regulations will face fines of up to 2% of their annual revenues. If that isn’t high-stakes, I don’t know what is.
As I dodged foot traffic at this year’s IOTSWC, I couldn’t help but marvel at how far the field of IoT has come since even just a few years ago. Far behind us are the days when smart thermostats and connected kitchen appliances served as the standard bearers of IoT innovation in the public imagination. Since then, we’ve seen a steady stream of increasingly sophisticated IoT technologies propel the field into a widening range of industries, applications, and aspects of our daily lives.
As IoT’s reach expands and profile rises, we would be wise as an industry to ensure security always remains a step ahead.