In 2017, more than two dozen companies, governments, organizations and universities collaborated with the Centre to co-design the Industrial IoT (IIoT) Safety and Security Protocol. The protocol was published in April 2018. This first-of-its-kind policy framework generates an understanding of how risk and insurance can facilitate the improvement of IIoT security design, implementation and maintenance practices. It also puts forth a universal set of risk management best practices that should be incorporated in all IIoT deployments.
The next step of this project is to develop and pilot an incentive framework with insurance companies, capital risk and insurance brokers, and industry stakeholders. The World Economic Forum has convened a multistakeholder community that will collaborate to design and implement the pilot project.
IIoT is expected to transform manufacturing, energy, agriculture, transport and other industrial sectors of the economy, which together account for nearly two-thirds of the global gross domestic product. The opportunities emanating from cyber capabilities are unprecedented. Unfortunately, many of these industries are unprepared for the potential risk and liability that may be brought on by these new technologies, including new threats to public safety, physical harm and catastrophic systemic attacks on shared public infrastructure.
Rapid breakthroughs of cyber capability make cyberthreats and attacks difficult to detect and control. Cyberattacks on critical infrastructure may generate cascading effects resulting in economic loss, industrial disruption and, in some cases, human casualties. When applied to critical infrastructure such as airports, the impact can be catastrophic.
Moreover, cybersecurity poses a unique challenge for government regulation of businesses, as the process for certifying and enforcing good security practices can be too labour-intensive and costly for governments to address on their own.
Market forces could play a critical role in helping establish and catalyse new norms and best practices for the security of industrial IoT devices and systems. Lower insurance premiums, for example, prompted millions of business and consumers to install fire and security systems. Similarly, good driver discount programmes have created tangible financial incentives for safer and more careful behaviour.
Public and private sectors are finding ways to increase collaboration and to support the drafting of an effective strategy and build the required levels of cyber-resilience understanding and governance. Through this project, key stakeholders in the aviation industry are aligning to develop a method to quantify risk exposure against a defined baseline of “common duty of care” for the aviation sector. It is intended that this measurable baseline would become the reference for risk owners and managers, capital investors and the insurance industry, where the lower the position the higher the indicative cost of transferring risk.
This framework to quantify risk exposure will be piloted through the airport structure and its operational community. The airport ecosystem provides immediate access to the critical capabilities and infrastructure of the aviation industry. Airports also provide an important reference to the interdependencies associated with cyber incidents and the impacts across such a broad ecosystem. Furthermore, the framework will serve as a foundation that will be adapted to a series of industry use cases.
The importance of airports
The International Data Corporation forecasts worldwide spending on IoT to reach $745 billion in 2019. Transport is ranked third among the industries that will spend the most on IoT solutions, after manufacturing and consumer. Furthermore, airport facility automation is one of the IoT use cases that is expected to deliver the fastest worldwide spending growth over the 2017-2022 period. While this rapid modernization introduces new efficiencies, it also creates new vectors of a potential attack. Researchers have identified cyber-risk among the top three risks facing the transport industry globally.
Given airports’ essential role in the maintenance of critical societal and economic activities, a cyber incident would significantly disrupt service provision; hence the need to safeguard the economy, society and people’s well-being. The framework being piloted in the airport ecosystem aims to address the challenges faced by the aviation industry.
The pilot project will consist of three stages: control guidance design; risk quantification and assessment; and industry insights and value generation for the global market. Throughout these phases, the project will:
Inform: Enable conversations on and increase awareness of cyber issues across stakeholder groups, including public-private constituents, academia and civil societies and geographies, particularly on risk exposure and operational systems.
Assess: Develop a framework to quantify the risks that form part of the cyber operational technology and enterprise internet technology landscape for the aviation eco-system to be referenced as an industry baseline; and generate insight for board/executive members to prioritize and make informed decisions on cyber-risk investments, for cyber insurance providers to design tailored cyber insurance premiums based on benchmarking information of agents’ risk exposure, and for capital investors to make informed decisions of investment allocation and asset management.
Incentivize: Help the aviation industry become more cyber-resilient by incentivizing the adoption of appropriate security and risk mitigation strategies that enable the safe, secure and continuous digital transformation of the sector
How to engage
Project Community: Nominate experts, policy-makers or senior executives to provide regular input as the project develops
Fellow: Nominate an individual from your company to work full- or part-time at the Centre(s) with an integral role in shaping this initiative
For more information please contact:
Lead for IoT, Robotics and Smart Cities
Centre for the Fourth Industrial Revolution
Georges De Moura
Head of Industry Solutions
Centre for Cybersecurity