Insecure and open to attack: holding up the "black mirror" to the Internet of Things

The emergence of the Internet of Things has great similarities with the electrification of industrial countries. Beginning in the 1880s with the construction of power generation and distribution systems, the effect of electrification on the manufacturing base, productivity, quality of life and technological progress was nothing short of miraculous.

Yet with electrification came dire unintended consequences. Electrical safety was not well understood at the time, and with the advent of electrically-operated appliances came a new hazard in homes and businesses – the risk of electrocution.

In tandem with a rise in deaths due to electrical shocks came rising life insurance payouts. To address this growing expense, Underwriters Laboratories (UL) was formed in 1894 to draft safety standards for electrical machines. Unlike typical standards organizations which can only advise and recommend, insurance underwriters that espoused UL standards provided an enforcement mechanism with teeth: complaint behaviour resulted in lower insurance premiums, while non-compliance would significantly increase the cost of insurance.

Many municipalities adopted UL standards as part of their building codes. Coupled with a consumer awareness outreach programme, UL changed both product design and consumer buying behaviour.

The digital world has a parallel to electrification and its unintended consequences. In 1959 the first industrial computer control system was deployed at a refinery in Texas and the worlds of automation and machine control were forever changed. Digital controls spread across industries, aided by the introduction of the programmable logic controller in 1968, and low-cost CPUs like the 8080 and Z80.

Parallel advancements in data networking – including X.25, Ethernet and dial-up in the 1970s – paved the way for connecting control systems to one another over wide area networks. Reductions in the cost of semiconductors, coupled with the advent of wide-area networks and the internet, expedited the implementation and interconnection of control systems, which we refer to as the Internet of Things (IoT). Today the IoT powers the industrial base of the world’s economies, the infrastructure that underpins modern societies and the military forces that protect them.

As with electrification, the Internet of Things also has unintended consequences – its own “black mirror”. But these consequences are even more ominous because they’re far more difficult to detect.

Security is the “insulation” that protects the Internet of Things from the shock of manipulation, deception and denial. As more companies develop and deploy IoT devices, the opportunities for attacks have grown exponentially, as have the consequences of security breaches. In the rush to build IoT products, the focus has too often been on the function of the end product and not the security of the infrastructure. The integration of IoT security, much less awareness of the need for it, has been sorely lacking. In the 1950s the breach of an industrial control system would have only affected a single plant; today it can affect millions of users. Our world economies are built on a foundation of untrustworthy IoT devices and systems.

Who is left to pay for the liabilities of an IoT security breach? Once again, it’s the insurance underwriters. They are the ones who issue liability insurance to the IoT manufacturers who build the products, the system integrators who deploy them, the companies that use them, and the consumers affected.

The issue of IoT security is almost as old as the technology itself, and while vendors like Aruba, a Hewlett Packard Enterprise company, are among suppliers that design IoT security into the fabric of its solutions, the broader market has not self-corrected or self-policed. We need to break the black mirror by creating an IoT underwriters laboratory to establish best practices for IoT security and the teeth of insurance underwriting to force compliance. As with electrical safety, the underwriters can do what the market hasn’t: put in place the financial incentives and disincentives to change behaviour.

The protocol for such a solution is currently being drafted by partners to the World Economic Forum’s Industrial IoT Safety Network and underwriter interest is growing. We have proof from the electrical safety world that such a programme can profoundly change industry and consumer behaviour and there’s no reason why it won’t also work for IoT.