material gains
The IoT is Fantastic but Flawed. We Need to Fix the Vulnerabilities – and Fast
Plus, how AI can help deal with the threats.
Forget enterprise digital transformation. For better or worse, we are digitizing the world, and it’s changing everything. The opportunities to make things better are tremendous; we can save wasted energy and natural resources, democratize access to all kinds of services, improve standards of healthcare, prevent avoidable accidents, and accelerate our transition to renewable energy. By connecting everything, and introducing AI into the mix, we can gain insights we would otherwise never detect. Moreover, we can see the effects of our own behavior and use the analysis to identify ways to improve. Earlier technologies could never have done all this for us.

But there is always an “on the other hand,” and in this case the issues relate mostly to privacy and cybersecurity. We are putting more information about ourselves than ever before into the hands of data scientists. While we can expect better shopping experiences, we are at the same time disclosing insights into ourselves, our activities, and our preferences as individuals. And if we are not giving away information directly, everything we do online (and we are almost permanently online) reinforces the accuracy of any and every inference made by the AIs that constantly watch from the cloud.

We may not be too bothered about giving organizations information to help them offer us more of the things we like, but manipulation can take many forms, and power in the hands of rogue agents can enable abuse on any level – from rogue blackmailers threatening to expose details of our personal lives, to organized groups seeking to gain control of essential infrastructures, damage our economies, even destroy our democracies. The potential for damage through hacking IoT assets is limitless, both in scope and extent. Yet the technical standards surrounding IoT cybersecurity are underdeveloped, and legislation is inconsistent and fragmented. There are signs the situation will improve. The US IoT Cybersecurity Improvement Act, signed into law in December 2020, places obligations on bodies such as the National Institute of Standards and Technology (NIST) specifically related to securing IoT devices. In Europe, the European Telecom Standards Institute (ETSI) Technical Committee on Cybersecurity has published a standard, ETSI EN 303 645, for consumer IoT devices that could aid the development of future IoT certification schemes. Neither of these can yet be considered a global standard.

As a result, today’s IoT and IIoT practitioners have only limited tools at their disposal to make “things” secure. Even so, given the scale of the risks, it’s surprising many projects still fail to implement even the most basic security measures, such as changing the factory-set default password when installing a new IoT device. There is an urgent education challenge here, and there can only be more to learn as the future unfolds, so organizations that are installing and managing IoT applications must keep pace with developments. This is a battle of arms versus armor that will become increasingly complicated.

AI’s ability to identify patterns, both normal and anomalous, buried within vast quantities of data, can help deal with these threats. Although AI can be a bit scary – it can get to know us better than we know ourselves and risk exposing the insights to others who have no business knowing them – it could become the most powerful tool we have to protect our safety and privacy against the most serious cyber evils. AI-based threat detection can work by spotting known patterns associated with attacks that have happened in the past. AI can spot previously unseen attacks, too, by looking for unusual patterns in otherwise normal data flows. We may draw some comfort from this: It means getting any kind of trick past an AI, whether recognized or unrecognized, is extremely difficult.

The development of laws for prosecuting hackers is, arguably, more seriously lacking than the technical standards situation. Existing laws on computer misuse are way behind the pervasively connected world of today. There has been no justice for the Stuxnet gang, or those responsible for Mirai or BlackEnergy. In any case, there is much speculation they may be backed by various state security services, so prosecution would be difficult or impossible, even if they are positively identified.

We know IoT devices are vulnerable, and it’s partly due to the tight constraints usually imposed on factors like power consumption, computing performance, and cost. They simply cannot execute heavy security protocols. Security for edge devices needs to be strong yet lightweight and unobstructive for legitimate users.

With the continued expansion of the IoT, we are seeing a growing diversity of connected devices in use, spanning a widening performance spectrum. We can get more and more computing done for each dollar spent on the silicon and for each watt dissipated. Tougher security standards, as they evolve, should consume some of this extra capability. On the other hand, device makers will inevitably face pressure to increase features and performance. We can expect future generations of edge devices to become more capable, bigger, more power-hungry, with performance-oriented design evident at every level from the application software to low-loss and thermally enhanced substrates. Expect more focus on highly optimized board designs, even for relatively simple devices.

Leveraging AI in the cloud, as well as embedded in edge devices, the IoT – for all its vulnerabilities – is the most pervasive and empowering influence in the modern world, a critical enabler for handling challenges like the climate crisis and complex of cross-border trading arrangements like that between the UK and EU. The benefits are too good to ignore, despite the obvious security dangers.

Alun Morgan smiling
Alun Morgan
is technology ambassador at Ventec International Group (ventec-group.com); alun.morgan@ventec-europe.com.