The Internet of Things (IoT) ecosystem has radically evolved in the last two decades, facilitated by the evolution of distributed network technologies. McKinsey estimates that by 2025, the world will own 50 billion networked devices, a 400 per cent increase on 2010, creating $11 trillion in economic value. While this proliferation of networked technology over the last 20 years has created a myriad of opportunities for businesses, governments and developers to explore, it has also created new challenges to overcome.
With such rapid development of IoT devices and technologies, threats and attacks are a clear and present danger for individuals as well as organisations all over the world.
In a case of more haste, less speed, we have seen that security has been a secondary concern for IoT technology manufacturers, exposing networks to potential cyber-threats. Below, Andrea Gaglione, IoT expert and Technology Lead at Brit Insurance, examines the potential risks of IoT and the steps that users, developers and insurers can take to help mitigate them.
Who uses IoT?
Put simply, IoT is a system of physical objects that can be discovered, monitored, controlled, or interacted with by electronic devices that communicate over various networking interfaces (usually wirelessly) and eventually can be connected to the wider Internet. In fact, these physical objects can be digitally augmented with: (i) sensors to measure physical parameters (e.g., temperature, light, motion); (ii) actuators to control alarms, displays, machinery; (iii) communication interfaces to interact with the objects remotely; (iv) computing devices to run programs that access sensors, actuators, and communication interfaces. The IoT landscape ranges from smart tags and near-field devices, to sensing and monitoring (wearable) devices, to more complex objects such as appliances, machines, and cars. These smart objects constitute the building blocks of smart environments such as smart homes, buildings, factories, and cities.
IoT solutions are already playing an important role in the development of next-generation applications across several vertical markets. Besides popular smart home and consumer applications, IoT has brought a massive transformation in various businesses and industries. For example, in the manufacturing sector, IoT is considered the backbone of the fourth industrial revolution (Industry 4.0), enabling the creation of new data-driven services to improve operational efficiency, optimise the supply chain, and implement predictive maintenance strategies. In agriculture, IoT-enabled devices are being used to monitor soil and environment parameters and drive irrigation cycles. Local authorities and city councils around the world are developing long-term plans to make their cities ‘smart’ by deploying IoT infrastructures, fostering the creation of new citizen-centric services, and enabling agile policy making and evidence-based procurement practice.
What are the risks?
With the wide scale of IoT systems, security risks and cyber-threats are magnified by virtue of the sheer size of the ‘attack surface’ and the number of potential entry points. According to recent data, 26.66 billion IoT devices were active in 2019 and 127 new devices are being connected to the Internet every second. The key challenge is the management and protection of all the data that IoT captures and uses – there are a number of ways to address this for developers of devices, users and insurance providers.
A primary concern, as with most cyber-risks, is the loss or compromise of data, especially customer and personal data. As a result, privacy should be a crucial component of IoT, especially with regard to data transmission. In one incident, a casino had high-profile customer data stolen via the WiFi-connected temperature monitor in their smart aquarium.
As supply chains and business processes become more reliant on networked devices, businesses are more at risk of attack. Significant business interruption, through devices being taken offline by a hack, can result in a significant loss of revenue or, even worse, of reputation and trust.
And finally, an emerging risk of IoT is the cyber-physical one – take the example of medical devices such as pacemakers, self-driving cars or expensive industrial processes controlled by a connected device. A malicious hack of these devices that takes control of these activities could lead to costly and potentially dangerous physical damage or accidents.
Stuxnet was one of the first instances of a computer worm destroying real-world devices, as opposed to just hacking them to perform software damage. Stuxnet targeted programmable logic controllers (PLCs) used to control uranium centrifuges (machines used to isolate isotopes of uranium) and reprogrammed them to perform varying cycles that resulted in the centrifuges disintegrating. Although Stuxnet was not a typical IoT attack, because it relied on the PLCs being connected to a Windows machine, it represents a clear example of the damage caused by hacking mission-critical devices.
How can we mitigate the risk?
So far, for IoT manufacturers, there has been a perceived trade-off between the speed of bringing a product to market and the robustness of the system. As we have seen with the first wave of IoT, security wasn’t considered a priority requirement, but it increasingly is, due to high-profile data breaches and new privacy regulation.
Users themselves, whether individuals, companies, councils or governments, have a responsibility to adopt best practice with their devices. Designated individuals should play an active role in shaping company policy on IoT and be responsible for, and up to date on, the threats facing their businesses. Many of these measures have become second nature in traditional IT but are only slowly being adopted and considered in regard to IoT. Measures users can take to limit risk (and indeed liability in the event of a cyber-incident) include: considering security requirements from the initial stage of system design; using strong passwords and security keys, updated regularly; monitoring devices and systems to detect and swiftly respond to security events; continuously updating the security of devices by downloading patches from the manufacturers.
Insurers have a crucial role in mitigating these risks through varying degrees of cover which address risks including compromised networks, business interruption of IoT devices (if they are taken offline) and the theft of data.
What role does insurance play?
When discussing insurance and IoT, the focus tends to be on its application within the insurance industry along with the various opportunities that may arise from it. In fact, the increasing availability of IoT data will allow insurers to better assess and price risk as well as to develop value-added services leading to a closer, more proactive relationship with policyholders. Also, IoT will provide unprecedented insights into customer behaviour and support claims management.
On the other hand, when it comes to insuring IoT devices and networks, insurers should apply the same writing approach to IoT cover as is applied in traditional cyber-products. In addition to providing cover, an increasing number of insurers have introduced cyber-guides to help clients better understand the risks and importance of ensuring that systems are updated regularly and embedded with security.
Cyber and Technology E&O, alongside General Liability and Product Recall, are insurance products that all IoT companies should be considering, especially when software and hardware are combined.
As a concluding thought, it is clear that the IoT is becoming increasingly central to both our way of life and how businesses and infrastructure operate. As the opportunities for innovation grow, it is paramount that we remain conscious of the risks at play and how we mitigate these.
Andrea Gaglione, Technology Lead, BritX