by JD Capuano

As exciting as smart cities and buildings sound, and as big as the market is projected to grow, the path towards and through this promising future will be bumpy.

Before we dive into the risks, if you haven’t seen my post about the upside of IoT, please read it first. And, given the importance of data privacy, I’m dedicating a 3rd post to it in this series.

During the IoT panels I participated in this summer, my peers and I started off describing the upside potential of IoT applications for cities and buildings centralized and remote control, thermal comfort, predictive maintenance, fewer car crashes, data for better decisions. Of course, the conversation inevitably turned to the downside risks. Cybersecurity vulnerabilities are by far the biggest, and they are way trickier to identify than IoT benefits.

Afterthoughts and unintended consequences
Tim Frick, fellow panelist and digital expert, explained that in his 20 years of working on websites and building applications that clients think of security as an afterthought.

Frick cited a 2017 study from Northeastern University that found 37% of websites have a known security vulnerability. There is a quick fix (download the latest version), but that gets ignored all too often. Lack of maintenance was the culprit in this study, but Frick was quick to point out that the big problem is design.

The warning bell has been rung for years and some product manufacturers will prioritize security at the start of product development. But for those that get cybersecurity wrong (even if they’re trying to get it right), damage from IoT security breaches will be physical and immediate compared to website breaches like Equifax. More on that later.

Despite how scary this topic can sound, I am a practical optimist. Many of the examples in this post are unintended consequences that could affect our physical, not just our virtual world. I hope it helps you ask new questions of your colleagues, partners, and suppliers.

The devil you don’t know
Data breaches are a good proxy to understand IoT vulnerabilities. The Target breach of 2013 happened because hackers infiltrated the system of an HVAC vendor for a Target store and were able to tunnel all the way to the company’s point of sale system to plant malware that swiped credit card details. It was a huge, poorly secured system with many points of entry and only a matter of time before a hacker found a vulnerability.

Sadly, companies of all sizes experience regular data breaches. The question isn’t IF you’ll be hacked, it’s WHEN. Data breaches are the devil we know, like the recent Equifax debacle or the Target fiasco. Having our identity stolen because of a breach is a nightmare. So is having your computer ransomed, but neither pose immediate physical danger.

What happens when your car gets hacked while you’re zooming down a highway at 70 mph or your office building systems get shut down when you’re on an upper floor on a sweltering day?

Immediate physical and psychological threats of IoT attacks create a different kind of risk including injury, illness, or even death. Then there’s the business consequences of skyrocketing insurance rates, legal liabilities, downtime, and lost economic activity. This is the devil we don’t know. At least not well.

Dude, who hacked my car?
You’ve probably heard news reports for a couple of years about people being able to hack moving cars. There are even competitions for car hacking to help improve security (perhaps because it was an afterthought in the original design). Car-makers have instituted fixes and learned from such vulnerabilities, but that doesn’t guarantee hackers won’t find a new way.

Imagine if your car gets hacked in the middle of nowhere and someone is not only messing with you, but demands ransom to give you back control of your car? I’ll leave movie-plot scenarios like attempted assassinations to authors such as Benjamin Wittes and Gabriella Blum.

The real answer on AVs depends on how seriously automakers take security as they design and test these cars. How demanding will they be with suppliers of equipment for navigation, machine vision, communications, etc.? How thoroughly are all of these companies searching beyond the hacks mentioned above to identify and fix vulnerabilities in the entire system?

Other smart city vulnerabilities
The smarter public transit gets, the bigger a target it will become. The San Francisco Muni was hacked last year, forcing the city to shut down payment machines and run the system free for a couple of days. This is more akin to a traditional data breach than the threat facing cars on the road today or the AVs of tomorrow.

Public transit infrastructure and system vulnerabilities are still possible. A teenager wreaked havoc on the tram system in Lodz, Poland in 2008 by tripping rail switches and redirecting trains. His stunt derailed four trains, injuring dozens. It’s systems like that we need to think through rail switches, signals, brakes, doors, the list goes on.

Similar vulnerabilities are possible for systems controlling vehicular, cyclist and pedestrian traffic. What happens when traffic signals, street lights or digital highway signs are hacked? We’ll have to ask similar questions as we upgrade and expand our electric grid, and gas, water and wastewater systems. Hopefully the consequences will be mere inconveniences, not injuries, illness or worse.

Smart building blindspots
Cybersecurity frameworks have largely ignored building management systems or building automation systems (BAS). BAS centrally control all the systems in one building or across multiple campuses through a distributed network of electronic devices.

The tradeoff for all the upsides for companies using a BAS (savings, convenience, comfort, predictive maintenance, etc.) is when an issue arises due to a device malfunction or attack, vulnerable systems include mechanical, security, fire suppression, lighting, HVAC and humidity control and ventilation.

What it comes down to in any system is that devices are hackable. More devices means more points of entry to attack (and more to maintain). They key with BAS cybersecurity is to look at vulnerabilities posed by the entire system, not just by single devices. This requires increasingly complicated testing to check for vulnerabilities.

My toaster broke the internet
Smart homes also have vulnerabilities, but until we have widespread adoption of home operating systems, the risks will be lesser than commercial BAS.

Most “smart” devices in the home aren’t yet connected to each other, just your router. Once a home OS is widely available, think about all the internet-connected devices that could serve as points of attack in a home (TVs, thermostats, smart assistants like Amazon Echo or Google Home, appliances like refrigerators and dishwashers, security cameras, etc.).

In addition to being attacked, your devices can be used in an IoT distributed denial-of-service (DDoS) attack. That’s right, we’re in the age of bottoasters.

Who is going to pay?
The short answer is we all are in some form or another. Hopefully IoT security will improve and hacks will be limited, falling more into the category of an inconvenience than immediate physical danger.

That said, hoping is never a good strategy. Preparation is. You don’t want to be the infamous CEO (or IT worker blamed by said CEO) responsible for a flawed design or unpatched vulnerability that results in illness, injuries or fatalities.

We don’t know how damage from IoT attacks will play out and how far the blame will stretch up the supply chain. What we can safely assume is the damages will be broad and expensive. Insurance rates will rise. Litigation will ensue. PR departments will run on overdrive.

I predict that after one or two high-profile IoT hacks, we are likely to see three things: 1. The insurance industry will hedge its bets (and boost revenue) by creating new products to protect as many parties as possible from the risks (customers, manufacturers, suppliers, etc.), 2. Legal teams will fight over new contract structures between companies supplying and buying IoT equipment with the aim of shifting potential future blame to the other party, and 3. Government bodies will push regulations to protect consumers (perhaps later on or only after a serious consumer product mishap).

What can we do?
Listen to Tim Frick’s cautionary tale of the U.S. being 25+ years into the commercial internet and yet 37% of web pages have known, patchable security vulnerabilities. Where are we headed with IoT? We have to do better.

Doing better is a tall order with the accelerating pace of change.

Some solutions are simple. Start engaging manufacturers about their product security so they hear how important it is to customers. Request security protocols of relevant service vendors. Map out and test your system of connected devices. It you’re working on IoT projects, push for security to be included as a driver of project success from design to meticulous testing.

New technical solutions may emerge. Blockchain may be one such solution. It offers promise, but is also hyped up. Blockchain isn’t guaranteed to be secure its security depends on several factors, especially network architecture. If you haven’t heard, it’s currently terrible for the climate. Machine learning and behavioral analysis is another combo to watch.

For now, stay tuned. If you haven’t started seriously questioning what’s happening with the security of the things around you at home, at work, and when you’re out and about, it’s probably time to start.

IoT is a gold rush. These products are coming whether we’re ready or not. It’s incumbent upon all of us to work within our organizations to look up and down our value chains and get the right people involved to consider implications of a more connected car, office, warehouse or transit system.

JD Capuano leads sustainability strategy projects for Third Partners. He has 18 years of experience in strategy consulting and data analytics across industries and sectors. He has broad experience with sustainability, data and technology, and marketing. JD teaches about data at Bard College’s MBA in Sustainability.