The business case for IoT

The range of commercial and industrial IoT use cases is broad and growing by the day. In the factory, sensors embedded in machines inform operations management when parts will need to be replaced. This helps to reduce unplanned downtime. On the farm, sensors relay information on the temperature and humidity level of the soil. The farmer will know the optimal time to plant crops and to deploy labour and equipment to the task. In the office environment, IoT can automate processes such as controlling access to floors, ordering new stationery and identifying the daily availability of hot desks.

IoT also enables companies to create new revenue streams or entirely new business models. Take the example of a provider of industrial batteries for remote mobile base stations. In the past, this company’s mobile operator customer had to send out engineers each year to assess the condition of the battery and decide whether it needed to be replaced.

Then, the industrial battery provider created a new type of battery with embedded connectivity that sent data to the cloud, from where it could be accessed by the mobile operator through a web-based interface.

This enabled the mobile operator to save time and costs on unnecessary visits by its engineers to its remote base stations. For the battery provider, the innovation was transformational. Its development of a connected battery enabled it to become not just a provider of products (industrial batteries), but also one of recurring services - that of access to the data about the condition of the battery. The same company was also able to diversify further by developing retrofit connectivity modules and sell them and recurring services to companies using its competitors’ batteries.

There are three common aspects to the above use cases. First, the integration of connectivity into devices, machines or assets. Second, the creation of valuable data about these devices, machines or assets that would not exist if they were not connected. Third, the analysis of this data to create efficiencies or new sources of revenue.

Increasingly, IoT is being used to drive entire processes or supply chains. Connectivity used to track the status of incoming components to a factory will trigger machines to be fired up and packaging for the final product to be made available. As such, IoT creates huge opportunities for innovation and digital transformation for all companies.

Specific vulnerabilities
Corporate awareness of the potential benefits of IoT is growing. But due to the spate of high-profile hacks involving IoT devices, businesses are also increasingly concerned about the cybersecurity risks around IoT. Three attacks over the past two years illustrate the damage that might be caused by the hacking of IoT devices.

On 21 October 2016, the servers of Dyn, a Domain Name System (DNS) provider, were bombarded with millions of DNS lookup requests. These were generated by around 100,000 connected devices that had been infected by the Mirai malware. Hackers created a botnet of these contaminated devices to launch three DDoS attacks on Dyn’s servers. These attacks resulted in millions of internet users across North America and Europe being unable to access over 60 leading websites, among which those of Amazon, BBC, Netflix, Spotify and Visa, for several hours during the day.

In July 2015 security researchers at Wired demonstrated that the Uconnect dashboard computer in a Jeep Cherokee could be hacked. The hack gave them remote control of the vehicle’s dashboard functions, steering, brakes and transmission. Chrysler, the maker of Jeep Cherokee, identified some 1.4 million vehicles (not only Jeep Cherokees) that could be vulnerable to a similar attack and provided owners with a USB to install a software update via a port located on their dashboard. Chrysler also worked with Sprint, which provides connectivity to its vehicles, to detect and block attacks within the mobile network.

Most recently, in November 2016, a group of university researchers gained remote access to Philipps Hue lightbulbs located in a house and office. A van driving 70 meters outside of the house and a drone flying around 350 meters above the office building were used to wirelessly penetrate the buildings. The researchers were able to access the lightbulbs by extracting the AES-CCM key, which manufacturers use to encrypt and authenticate new firmware in connected devices. They were then able to install malicious firmware in the form of a worm to enable them to control the lights and spread the infection to other devices. Following the staged hack, Philipps issued a firmware update or “patch” for owners of its Hue lightbulbs.

Not all breaches involve exploiting specific vulnerabilities of IoT devices. In 2014, hackers embarked on an email phishing campaign targeted at specific individuals working for a German steel mill company. Individuals were tricked into opening up the malicious email, which exposed log-in credentials. The hackers were then able to access to the steel’s control systems and according to a German Federal Office for Information Security (BSI) cause “massive damage” to the mill.

These and many other types of attacks can cause inconvenience or temporary disruption at one end of the scale and major physical damage to assets or people at the other. For businesses selling internet-enabled devices such as video cameras or smart thermostats to homes, security breaches can result in heavy costs related to product recall, harm to their reputation and lower future revenues. Businesses that have implemented IoT to monitor and control machines or manage supply chains are as exposed. Cybersecurity breaches can result in damage to machines and failure to meet contractual obligations to customers.

Impossible objective
Hacking is undertaken by a wide range of individuals and groups for a variety of reasons. Criminals are typically seeking financial gain, foreign states look for confidential information and individuals either want to cause disruption or, if benign, help organisations identify and fix vulnerabilities. For the foreseeable future, none of these motivations will disappear. Indeed the opportunity for disruption will grow as billions more devices get connected over the next few years.

Businesses should not seek to achieve the impossible objective of eradicating the potential for their devices or internal systems to be hacked. Instead, they should focus on policies and practices designed to reduce the risk of a successful attack and minimise the impact of any actual breach.

Companies that sell IoT devices to the household must ensure that security is entrenched in the lifecycle of each device. Security should begin at the chipset level. The sharing of keys used to programme and update device firmware as it moves from the silicon vendor, through to the OEM and contract manufacturer, should be tightly controlled. Secure, over-the-air updates or “patches” to the devices firmware should be enabled to address new threats. Consumers should be educated on the need to change default passwords to access devices.

Businesses that integrate connectivity into their internal devices and systems must be as diligent. They should train employees throughout their companies on how to identify and respond to phishing. Corporate IT and OT (operational technology) teams must work closely together to design and continually monitor cybersecurity policies and practices. They must also embed the issue of security into their relationships with their external providers of connectivity, hardware and software.

Central governments, in response to growing threats, are developing cybersecurity strategies and putting more funds into research. But developing legislation that can address the rapidly evolving, amorphous nature of the threat is a tough ask. Businesses considering implementing IoT for the first time should instead seek to learn about best practices from partners who have already deployed IoT and umbrella organisations like the Internet of Things Security Foundation (IoTSF).