Matthew Margetts, a director at leading IoT company Smarter Technologies, explains the importance of IoT risk assessments. While cyber security needs round-the-clock consideration, the process of mitigating risk should not be onerous, but rather positive. These risk assessments, as Matthew tells in his opinion piece, are about being prepared to meet the challenges as they happen, rather than having to take remedial action later down the line.
The Internet of Things (IoT) is a wonderful phrase that communicates the positive power of technology in the home or workplace, and the ability to take control to direct an outcome remotely. No ambiguity—you ask for it to happen, and *puff*, it is done. From switching heating controls to flushing toilets and replenishing items, the IoT automates, optimises and controls both simple and complex day-to-day tasks.
But what if the control is hijacked by someone unknown, operating at a distance with a dark motive? Impossible to imagine… or is it? I recently heard of white supremacists in the United States seeking to take control of the automated chlorine (Cl) release valves at a municipal water treatment works. Their intention was purportedly to increase the levels of Cl in the water. Why? Did they want to bleach everyone, to lighten the population in some misguided interpretation of the Aryan Herrenvolk manifesto? Ultimately, the “purification purge” failed, but it did act to spread fear even terror of simple technology being turned against the community.
As a manufacturer of remote monitoring and control equipment, I was recently asked about security to prevent third-party attacks along with the security audits we support and sponsor. At this point, it must be noted that we use radio spectrum that is not truly “Internet of Things”, but we are lumped into that category (perhaps because Radio of Things is not a good acronym?). But the principle of security is the same: one must undertake a risk assessment on any equipment being introduced.
At a minimum, the risk assessment should cover:
- What are you monitoring?
- How is this being done?
- What would happen if the data were lost, tampered with etc?
In 99% of cases, the risk is minimal as the data flow is linear, heavily encrypted, backed up, and the monitors do not affect the operation of the underlying equipment.
Where a device can take control—such as in an auto flush system or entry door control mechanism—clearly, the operational software and device firmware need to be understood, and, at minimum, meet UK standards. Further, the operational protocols need to include provisions for if the equipment malfunctions, how that is captured and remedied. If people get locked in a revolving door, for example, you need definitive, easily accessible information on how to get them out.
IoT risk assessments are not onerous. I believe that conducting a risk assessment allows the client to look at the operations of a property or unit independently of the IT piece. This presents an opportunity to consider separate systems and outcomes. Importantly, the client considers how they act on the data they are capturing, ensuring that the patterns that are revealed are understood and that the associated benefits can be harnessed across the organisation.
Cyber security is a 24/7 consideration, but the process of mitigating risk should be a positive experience. It is about being prepared and ready to meet the challenges rather than having to take remedial action.