2020-10-12

Gartner has started to postulate that, within a few years, laws could be made and enforced under which CEOs are held personally liable for the (mis)operation of the IoT systems their company produces.

This is an interesting statement. A parallel can be drawn with the impact on CEOs and Chief Financial Officers of the Sarbanes-Oxley Act of 2002, which established financial regulation and auditing of public companies and, in part, requires those leaders to personally certify the accuracy of their financial statements and disclosures.

In the case of IIoT networks, a compromise of a platform's functionality can result in the loss of human life. While many people's minds will immediately leap to the (infamous) self-driving vehicle, the reality is that humans are increasingly in close proximity to, and sometimes actively collaborating with, connected systems deployed in warehouses, factories, hospitals, drones and aircraft.

What the Mirai attack taught us was that it is not only the connected system itself that is at risk. I originally dismissed the need for security on a toaster, but Mirai showed that devices like this (okay, in actuality, it was CCTV cameras and DVRs) could be recruited into a botnet and turned against other connected platforms anywhere in the world.

While the Gartner statement is easy to make, the challenge is that IIoT systems are extremely complex. They consist of multiple subsystems, often delivered by a myriad of companies and often at different times. In short, cybersecurity is a team sport: there is no single throat to choke. What does need to happen is for these systems to be audited digitally, so that an operator can know whether a platform has been updated with the latest patches.

Europe adopted rules a few years ago that give member states the power to audit operators of critical infrastructure and impose punitive fines if that infrastructure is found to be lagging behind on security updates. The UK (okay, yes, no longer under the jurisdiction of Europe, but I digress) has created sector security and resilience plans covering its recommendations for thirteen sectors, including health, water, transport, energy and food. It is good to have specifications and guidelines, and for the industry to know that they will be enforced.

The reality, though, is that industry needs to police itself. Governments will never be able to keep pace with the progress of technology. The pieces are coming together, and I believe that the auditing of IIoT needs to be done digitally, using technology such as distributed ledgers (no one uses the word "Blockchain" anymore). Digital twins that mirror the real world, and that can be securely connected to the other IIoT components which together form a mission-critical connected system, have to be the way to go in the long term.

Nearer term, across a number of vertical markets, we are seeing OEMs and cloud companies investing in hardware and low-level software building blocks: