South Africa is no less reliant on technology and data than other countries of the global community. This technology brings added efficiency and ease, but it also adds risk. In the past week, Liberty has been the latest corporate entity to have its digital assets compromised, and with this, the data of millions of clients. Due to its influence on the world and our interaction with it, technology has been described by the World Economic Forum (WEF) as a “language [which] must [be mastered] … if they are to thrive in the modern workplace and society.”
Our increased reliance on technology has given rise to the Internet of Things (IoT), which generally refers to networks of devices that communicate with each other, most often via wireless protocols, and enable functionality ranging from remote user interaction to full autonomy. This transformational connectivity is revolutionising nearly every aspect of our lives, accelerating technological advancement, improving efficiency and influencing the way we live, work, and play.
With seemingly unlimited possibilities, the technology can build connections in ways unimaginable even a decade ago. Key challenges for the international safety community, however, are to anticipate and manage the new and emerging risks and opportunities associated with this innovation, and to help smooth the way for its safe adoption.
IoT devices already pervade the marketplace. What they all increasingly have in common is functionality that is specific to a particular use environment and the potential to add new or different functionality beyond what has been programmed during production. There has already been much attention paid to the subject in consumer product standards.
But while we have correctly focused on mitigating emerging hazards and risks, we must challenge ourselves to also consider the opportunity that IoT devices may present to us to improve safety outcomes. Is it possible that smart devices, in some cases, might alert users to changing conditions that could become hazardous? Might interconnected smart devices be capable of taking direct action to prevent hazards from manifesting? Enhanced safety outcomes in the connected world will be realized through the application of safety science, collaborative research, and consensus standards development.
As the number of smart and connected devices continues to proliferate at an astounding rate, the international safety community will encounter new challenges in managing associated safety and software security risks. This, undoubtedly, will be complicated by the need to balance safety and software security with other desired attributes such as interoperability and privacy, all while not stifling innovation. Safety standards examine and seek to mitigate the safety risks inherent in the intended function.
If IoT is incorporated into a product, existing assumptions must be challenged with respect to functionality and hazards. Can the product be reprogrammed? Would lack of software security controls be considered a hazard-in-itself that the standard should address? These types of considerations are the starting point for addressing the safety of IoT. Voluntary safety standards consensus bodies are taking strides to address some of this already. For example, they have considered that embedded functions that are possible, and not just those of the initial factory configuration, may be altered via an IoT connection. Where that could lead to a safety consequence, the hardware and software must reliably minimize that risk.
Similarly, the ability to locally override a remote setting or control has been addressed. It is important that any contemplated requirements or standards revalidate the underlying assumptions for the product in question when employing IoT technology. To the greatest extent practical, any resulting requirements should take into account the individual end-use applications to fully appreciate these assumptions. We must appreciate the degree of complexity and potential risks that a world of interconnected technologies brings. Related cybersecurity breaches across the globe illustrate that such risks apply to all.
There are more than 13 billion interconnected digital and electronic devices in operation globally – the equivalent of nearly 2 devices for every person on earth. Breaches can compromise the physical safety of individuals – for example, interfering with the performance of such life safety critical devices as pacemakers. Breaches can compromise the personal data and financial security of individuals. Breaches can compromise the physical infrastructure of cities. And breaches can compromise governments’ efforts to protect their people.
The far-reaching impact of cyber threats means that we need to understand that data privacy and security are intertwined. And the attacks’ occurrence across borders means that we need to evolve our governance models to drive greater cross-border cooperation and collaboration. And our experiences to date underscore the need to build a framework grounded both in protection/prevention and in the resiliency of systems.
This is an area of active safety standards work. It is highly desirable to enable the download of firmware that could “fix” a problem that emerges after the product is in the field. The act of downloading, however, can be a source of risk, as is an insecure connection to a public network. Media reports of hacking incidents demonstrate that insecure technology products are discoverable; there may be motivation to alter the product such that its safety is no longer assured. This would be of particular concern in high-risk products, such as indoor space heaters.
We strongly believe that establishing effective and appropriate safety and software security requirements for connected technologies can best be accomplished through a comprehensive consensus process which is informed by the ability to access timely and comprehensive data, varied subject matter expertise, and shared resources. International collaboration between governments and the private sector is critical here.
Cybersecurity is more than just the latest buzzword. It has a far-reaching impact on the security, privacy and prosperity of any nation. The stakes are high. The risks challenge existing governance frameworks, therefore requiring a shift in our mindsets and how we organize. We must think and act globally. Connectivity brings risk, but it also brings great opportunity. We must work together and form partnerships to mitigate the risks and to seize the opportunities.
Dan Ryan is an International Standards Manager with Underwriters Laboratories Inc. and is responsible for UL’s standards collaboration relationships with national and regional standards bodies and other key standards-focused organizations around the world.