Large Companies Lack Clear Vision on Industrial IoT
4.5.2017 securityweek IoT
Interest in the internet of things (IoT) and the industrial internet of things (IIoT) continues to grow; but actual activity lags behind interest. Security remains industry's biggest concern.
A recent survey and report from the Business Performance Innovation (BPI) network and the CMO Council, sponsored by The Nerdery, indicates that 55% of all executives say IIoT is gaining adoption within their industries, including both pilots and larger-scale adoption. But only 1.5% of executives at large companies say they have a "clear vision with implementation well underway".
Cyber security and data privacy are the top concerns, with cost and complexity and staff issues following. Although security and privacy are separate issues, the report places greater emphasis on privacy than security -- which is perhaps not surprising given the CMO Council's involvement.
Patrick Theimer, Director of Marketing Technologies at Kennametal, sees the IoT revolutionizing both productivity and sales. But he also sees a conflict between the demands of IT and marketing.
"You need to design to prevent data breaches because the customer now has much more access to your organization, but you also need to ensure it is done in such a way that they don't keep you from having the response levels you need," Theimer said. "I think we will see a lot of struggles over this balance between the CIO and the CMO, with CMOs rightly focused on the need to respond quicker and be more agile and with CIOs focused more on security and protection. In larger organizations, this is a significant challenge."
Arjan de Jong, a senior business developer at Nuon, the Dutch subsidiary of Vattenfall (which works with renewable energy and smart homes) doesn't see security as the biggest problem. His concern is over standards. "We have an example of a smart lighting producer that wants to do business with us, but we have been unable to partner with them because of different standards; their products do not really integrate with popular solutions, such as Apple Home."
Nevertheless, he does see privacy as an issue. In the Netherlands, he believes that the privacy issue is hyped by activists who 'leverage fear'. "We did some testing, and we found that about a third of the Dutch population is deeply concerned or even paranoid about privacy -- they do not want to share anything. Another third wants to share data, especially if it makes their life easier. The other third is prepared to share their data if they profit from it, so they want to sell us their data. Data security is the same as regular security. There will always be a risk, but also potentially a great opportunity."
CMO and head of strategy at Philips Lighting, Bill Bien, suggests that customers are not yet aware of the advantages that can accrue from IoT. "I think the biggest issue for us is to educate customers about the benefits and opportunities of connectivity and how lighting technology has changed by developing use cases that demonstrate significant value gains," he explains.
For security professionals and researchers, a big concern with this report will be the relative lack of interest in cyber security and data privacy. It is discussed as a concern, but with no solutions beyond educating customers to the benefits of data sharing.
Despite this, both security and privacy are likely to play major parts in the evolution of the IoT. The General Data Protection Regulation (GDPR) will force vendors to be more open about the data collected and how it is used, and to protect that data from cyber criminals.
In the US, recent months have seen increased activity from lawmakers who now seem to accept the need to impose security by legislation. Two developments in particular are designed to force cyber security responsibility into the boardroom: the New York State Department of Financial Services regulation and the Cybersecurity Disclosure Act of 2017.
There is even a new bill aimed specifically at the IoT: the California SB 327 Information privacy: connected devices. It proposes: "A manufacturer that sells or offers to sell a connected device in this state shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
It also proposes, "A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device."
While industry might be viewing the IoT in terms of competitiveness and commercial opportunity, it simply cannot and must not ignore cyber security and data privacy.