The Internet of Things (IoT) is evolving rapidly, with a wide array of “smart” systems, mobile apps, personal communication devices and other platforms already networked together. Research firm IDC projects that there will be 30 billion connected things by 2020. And to paraphrase Forbes in defining the IoT, if something can be connected to the internet, it’s only a matter of time before it will be.
In an increasingly digital world, senior executives and boards of directors need to be keen observers of all technological change that could potentially impact the business and its risk profile. The IoT is exactly that type of disruptive change. Management and boards therefore must understand how to recognize the signs of IoT change and any related implications to the business model or strategic objectives of the organization.
As the IoT expands and the world becomes more interconnected — and devices in the IoT collect more and richer data from objects, machines and people — organizations across industries will face new opportunities and risks. Privacy issues, hacking and other cybercrime, and the potential for catastrophic business failure due to heavy reliance on the internet are examples of risks that businesses will need to monitor closely in the IoT landscape.
This white paper discusses the emerging IoT and provides an overview of IoT opportunities and risks for businesses, including how the IoT potentially could help them to mitigate risk. More important, it presents several questions that management and boards should consider — and work together to answer — so that the business is well-positioned to take advantage of IoT technologies and capabilities and operate in a future “Internet of Everything” world.
What Is the IoT?
The IoT is an environment in which “things” — objects, animals or people — are provided with unique identifiers on the internet and the ability to transfer data over a network without the need for human-to-human or human-to-computer interaction. The IoT has evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet.
A major enabler of the IoT is IPv6, a communications protocol that provides an identification and location system for computers on networks and routes traffic across the internet. IPv6 was developed in 1999 to replace IPv4, as the more than 4 billion IPv4 addresses had essentially been exhausted.
IPv6 allows for 340 undecillion addresses. To put that massive number in context, it means every single atom on the surface of the Earth could be assigned an IP address — and, according to some, there would still be enough addresses remaining for another 100 Earths.
In short, IPv6 presents an opportunity to make everything connectable. However, the IoT isn’t just about connecting and gathering data from things like wireless smart devices and systems — a category that today includes everything from mobile phones and personal fitness trackers to home appliances, buildings and cars. The IoT is a critical technology transition that is essential to the development of a much bigger and deeply interconnected network, the Internet of Everything, or IoE, and to advancing and supporting digital business.
The key components of the IoT are:
- Data collection: At the core of the IoT are sensors and actuators that collect, transmit, store and act on data at the source. These devices range in size and capability. Some have minimal operating systems (OS). Others have robust embedded OS, including Microsoft Windows and Google Android.
- Connectivity: The IoT cannot exist without the interconnection of devices and sensors. Bluetooth, near-field communication (NFC), Wi-Fi and cellular are familiar technologies for enabling connectivity. On the horizon is NB-IoT, a narrowband IoT protocol based on current cellular technology. It will support quality of service (QoS), as well as the critical success factor for any IoT implementation: a low-power wide area network (WAN). NB-IoT will also offer security — something that many platforms and protocols for connectivity lack.
- People and processes: As the number of connected devices grows, so, too, will the need for new methods of managing, interpreting and acting on the massive volumes of data being generated and collected by those devices. The type and amount of data being collected holds potentially powerful insights. The value proposition behind the IoT is based on the idea that action will be taken based on this data. In some cases, the action may be immediate; in others, data may accumulate over time to provide trending, metrics across populations or predictive analytics. This is where people, processes and risk management come into play. Processes must be designed to ensure data-driven actions are well-thought-out, consistent, and aligned with strategic objectives and risk management protocols. The real promise of the IoT lies in this third component. The integration of people and processes in the IoT is required to help the IoE evolve.
What Opportunities Does the IoT Present for Businesses?
IDC projects revenue of $1.7 trillion for the IoT ecosystem in 2020. So, in addition to understanding key IoT-related risks, discussed later in this paper, management and boards must recognize the opportunities the IoT presents to the business, remembering that failure to take advantage of the IoT opportunity is a risk in and of itself. These opportunities may be unexpected and previously unimagined. The example of the “connected cow,” discussed below, shows how the IoT can bring positive disruption and innovation to a very traditional and non-digital industry — one that was not an obvious candidate to employ IoT technology in its processes.
Here is a sampling of IoT applications for various industries:
- Consumer technology: Smartphones and tablets, personal activity trackers and other wearables, smart home appliances, and smart thermostats are already widely available and in use. Amazon Dash, the Wi-Fi-connected device that lets users reorder their favorite product through Amazon with the press of a button, was not only adopted literally overnight, but was also soon hacked by users to enable it to do other things, such as order a pizza or call an Uber. Through risk exposure came an opportunity to adapt and improve. Amazon is now offering a configurable Dash Button that consumers can use to link to a host of IoT-enabled services. This is just one example of how consumers themselves are driving the market for IoT-enabled technology, and the untapped potential there.
- Electricity and utilities: Smart grid technology is enabling distribution intelligence and providing a two-way opportunity to send electricity back to the grid, particularly during peak usage periods. Automatic detection of outages by smart meters can lead to faster repairs. Other IoT advancements, such as the ability to schedule smart home appliances to run during lower usage periods, are helping to reduce consumers’ energy consumption.
- Oil and gas: IoT technology is helping businesses in this sector to increase efficiency through advancements in pressure, temperature and flow rate monitoring, as well as in the measurement of handoffs, volume and pipeline integrity. Sensors in the field can enable smart forecasting and help companies optimize well production. By becoming “digital technology companies,” oil and gas companies can further improve rig uptime and oil recovery rates, reduce oil spillage, boost employee productivity, shrink costs, and more. For example, a U.S. oilfield services company that employs advanced drilling techniques and sophisticated machinery that is service-intensive and requires specific expertise to operate and maintain is now using collaborative technologies, such as unified communications, to provide on-demand expert guidance and faster problem resolution, leading to reduced costs and downtime for the business.
- Insurance: Geospatial applications can alert drivers to potential severe weather events (e.g., hailstorms), helping them to avoid vehicle damage and the need to file an insurance claim. Environmental sensors in workplaces and other buildings and facilities are already being used to detect temperature, smoke, toxic fumes, mold, earthquake motion and more.
- Automotive: Autonomous cars can help reduce traffic and increase road safety. Road sensors can alert drivers of sensor-equipped cars to rain, frost and ice. Some road sensors also can measure the thickness of ice, analyze the makeup of chemicals on the road surface that have been used for deicing and then report back to departments of transportation so they can improve their application of those chemicals.
- Medical: Patient care is an obvious application for IoT technologies — from scheduling appointments to monitoring conditions like diabetes to ensuring the proper dosage of medicine has been administered. Medical device downtime also can be reduced through remote monitoring and support. IoT technology is already helping hospitals optimize the supply chain while reducing risk: Supply cabinets with built-in RFID readers with antennas can record which staff members have accessed the inventory and what they took and when.
Real-World Example: The Connected Cow
There are already compelling examples of how the use of internet-connected sensors by businesses and industries can generate insights that create real value. One is the “connected cow.”
To help cattle ranchers increase the success rate of artificial insemination in cows, Japanese electronics firm Fujitsu developed a system of internet-connected pedometers that count the cows’ steps. Cattle breeders know that when cows significantly increase their walking activity, it’s a sign that they are fertile. This helps to pinpoint the very short window of time when the cow is fertile — a period that often occurs at night, so breeders miss it.
Fujitsu reports that the success rate for a single artificial insemination attempt for a cow wearing its pedometer is nearly double the rate for cows that aren’t connected. The “connected cow and farm” market, which includes other “cow applications” like automated milking & feeding, is expected to grow to a $10.1 billion industry in 2021, from $1.2 billion today.
The Risks of the IoT
Considering the potential opportunities that the IoT presents, perhaps the most significant IoT-related risk for businesses is not moving fast enough, or at all, to develop and leverage new IoT technologies and applications. However, to succeed in the IoT world, organizations must also be aware of and closely monitor their risk exposure in areas such as privacy, interruption of service and distributed denial of service attacks.
Data is already being collected in more ways than ever before, from more devices and apps, and at an accelerating rate. Much of this data can be associated with specific groups of users and, often, tied to unique individuals or objects. In a more interconnected environment like the IoT, it stands to reason that many more devices will be capturing user data for analysis — and that data will be much richer.
The richer the data, the more valuable it will be to businesses — and to the hacker economy. Malicious actors look to steal more than just users’ financial data; they also want email addresses, dates of birth, telephone numbers, account passwords, security questions and more so they can commit fraud and other crimes. This is exactly the type of personal data that was compromised in a major hacking campaign launched in 2014 that targeted more than half a billion active users of Yahoo.
Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy. They must understand the full data lifecycle and where all the risks exist throughout it. They also must implement appropriate safeguards — administrative, physical and technical — to reduce known risks to acceptable levels. The following aspects of data should all be considered:
- Data collection: Understand the data that is being collected — some data is clearly more sensitive than other data. Unique identifiers, such as uniquely personal information, increase the risk profile.
- Data ownership: Understand who owns the data once it is gathered. Determining data ownership is often not straightforward; a starting point might be with the question, “Who is the entity/individual who would answer to ramifications of data disclosure, were it to occur?”
- Custodial responsibility: In many cases, the data owner is not directly responsible for safeguarding the data, but is ultimately responsible for any exposures. Programs to identify and monitor third-party providers that manage sensitive data are critical on several fronts, including the IoT.
- Data retention and disclosure: Retention standards for IoT-type data may not be considered, or may be considered differently than for other types of data. Processes around the disclosure of data — even, or especially, to law enforcement — are a hot topic. Mobile phones often serve as a hub for interconnected devices, and contain a treasure trove of data, including locations, call logs and search results. Clear policies in that regard can help avoid ambiguity and lawsuits.
Interruption of Service
With wide adoption, the IoT can create new, often unexpected vulnerabilities where there were none before. Businesses or industries with heavy reliance on information produced by IoT devices will need to pay more attention than others to IoT availability. These businesses can suffer an interruption of service if the connected devices they have come to rely on malfunction, or become disconnected or damaged, whether intentionally or not. This is especially critical for industries where the safety of consumers, employees or patients is at stake, such as oil and gas or healthcare.
Risk Mitigation: Identity Management
In an IoT world, the use of biometrics can transform identity management. It’s already happening. For instance, financial institutions are providing users the ability to log in through fingerprint, voice or facial recognition. Software company Nymi has developed a new wristband that can verify a user’s identity through an EKG. Touch ID, introduced by Apple, adds biometric capabilities to its mobile devices. Several large banks are already using the technology to identify users of their mobile apps.
Distributed Denial of Service (DDoS) Attacks
DDoS attacks, in which attackers flood the bandwidth or resources of a targeted system such as a web server in order to “take down” an online service (that is, make it unavailable to users), are a risk that is increased significantly by the IoT. In fact, IoT-related DDoS attacks are already making headlines. For example, malware-infected components used by a Chinese electronics manufacturer played a role in a massive DDoS attack that slowed or completely shut down major websites in the U.S.
Prior to that, in September 2016, French web hosting firm OVH was hit with two concurrent DDoS attacks due to “botnets made up of compromised IoT devices capable of launching [DDoS] attacks of unprecedented scale.” These DDoS attacks followed a massive campaign that targeted KrebsOnSecurity.com, the website of cybersecurity journalist Brian Krebs, earlier that same month.
Top 10 IoT Risks
The Open Web Application Security Project (OWASP) helps manufacturers, developers and consumers to better understand IoT security issues so that they can make better security decisions when building, deploying or assessing IoT technology. Below is OWASP’s list of the top 10 IoT risks, which organizations can use to assess their specific IoT risks:
- Insecure web interface
- Insufficient authentication/authorization
- Insecure network services
- Lack of transport encryption/integrity verification
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configurability
- Insecure software/firmware
- Poor physical security
Facing the Future
The IoT is not just a “What if?” scenario for the future; it’s already here, and growing every day. Management and boards need to help prepare their organizations to meet new challenges and risks resulting from this wave of disruptive technological change. The good news is that many of the strategies for managing the challenge of the IoT already exist and are deployed in managing other security and operational activities of the organization.
With that in mind, senior management and boards should seek to answer, in collaboration with internal audit and technology leadership in the organization, the questions below. Doing so will lead to a better understanding of the IoT and the potential opportunities and risks it presents to the business:
- How is the IoT deployed in our organization today? Who owns it, or its components? What is the potential IoT inventory in our organization? For example, is IoT technology part of the products that we sell, is it installed internally to manage processes or are third-party vendors deploying IoT technology within our solutions?
- Have we considered the risks associated with our IoT presence? Have those risks been quantified or controlled? Are we actively including our IoT inventory in broader risk assessments? Do we consider the IoT when applying data and privacy policies and practices and evaluating security?
- Do we know what data is collected, stored and analyzed? Have we assessed related potential legal, privacy and security implications? For example, if IoT technology is within our solution offerings, are we certain that it is in compliance with our customers’ agreements about disclosing the potential capture and sharing of information?
- Do we have contingency plans for internet-connected things that are hijacked or modified for unintended purposes? Have we evaluated the use of IoT technology in our processes, and what the potential impact would be if something was, or had to be, taken offline? Is the IoT considered in our business continuity management plans? And if the IoT is that important to our business, what procedures are in place for recovery in the event of a catastrophic failure?
- To what extent are third parties acting on our behalf with regard to IoT technology? Do we have appropriate processes and service-level agreements (SLAs) in place to monitor them? As we continue to push out our business processes to other service providers, are those providers using IoT technologies on our behalf? If so, are we monitoring their usage? Are we aware of any components from an IoT perspective that they may have added? Also, are we monitoring the data that we are capturing and delivering through our third-party service providers?
- What role does the IoT play in our current strategy as an organization? How are we measuring achievement related to any goals associated with our strategic objectives? Do we actually have an IoT strategy? Have we evaluated the potential impact of the IoT on our business? What about our competitors? Where do they stand?
- What is the risk of not considering or leveraging IoT possibilities? What is the risk if we ignore the IoT? What if we don’t take full advantage of data analytics capabilities in the IoT? Do we risk not meeting our strategic objectives simply because we failed to recognize the evolution of a disrupted landscape?
That last question is particularly important for management and boards to answer. Different organizations use, benefit from or are affected by the IoT in different ways. Their leaders therefore must evaluate not only the risks to the business posed by the IoT, but also the risk of failing to act to take advantage of the IoT in the context of the company, its competitors and its industry.
 “Connecting the IoT: The Road to Success,” IDC.
 “A Simple Explanation of ‘The Internet of Things’,” by Jacob Morgan, Forbes, May 2014.
 Cisco defines the IoE as “the intelligent connection of people, data, process and things.” For more information, see the “Internet of Everything FAQ,” Cisco.
 “Are there enough IPv6 addresses for every atom on the surface of the Earth?” StackExchange.
 “Connecting the IoT: The Road to Success,” IDC.
 “Amazon Expands Dash Button Lineup With Programmable IoT Button,” by Megan Crouse, Manufacturing Net, May 13, 2016.
 “A New Reality for Oil & Gas: Complex Market Dynamics Create Urgent Need for Digital Transformation,” by Robert Moriarty, Kathy O’Connell, Nicolaas Smit, Andy Noronha and Joel Barbier, Cisco, April 2015.
 “5 Ways the IoT Will Transform the Insurance Industry,” by Robert Reiss, Forbes, Feb. 1, 2016.
 “The Smart Home Is a Fantasy, but ‘Smart Cows’ Are Already Real,” by Arik Hesseldahl, Recode, April 2016.
 “Connected Cow and Farm Market (2016–2021),” Arcluster, 2016.
 “Yahoo Security Head Discusses Worst Hack in History,” by Jeff John Roberts, Fortune, Sept. 2016.
 “Chinese Firm Admits Its Hacked Products Were Behind Friday’s DDoS Attack,” by Michael Kan, Computerworld, Oct. 23, 2016.
 “Armies of Hacked IoT Devices Launch Unprecedented DDoS Attacks,” by Lucian Constantin, InfoWorld, Sept. 2016.
 “KrebsOnSecurity Hit With Record DDoS,” KrebsOnSecurity blog, Sept. 2016.
 For more details on OWASP’s IoT Project, visit www.owasp.org/index.php/OWASP_Internet_of_Things_Project.