IoT in Utilities and Service Monitoring—Smart Meters and Other Stuff
Introduction
It is difficult to name every possible industry where IoT is involved. The easiest thing to say is that it either is or potentially can be involved in any type of business. The concept of IoT can be involved in many different ways in the steps of a value chain enhancing a product, improving the delivery of a service, the user experience, and efficiency, among many other variables. Remember that Industry 4.0 is also about a new way of thinking and the creation of new possibilities. IoT not only serves as a means to make processes that are more efficient in business and industrial environments but also allows the creation of brand-new types of business. This chapter will look at how IoT has contributed to the reinvention of existing services, as well as creating new ones. Again, we will find that there is a trade-off between innovation and efficiency and security.
According to Forbes, there is a high expectation that IoT will allow creating better business models (Insights Team 2018). Technology is allowing the possibility of customizing offers based on the customer’s needs at a low cost. This has become possible by monitoring the behavior of an individual and using artificial intelligence to develop personalized offers. Many users are already familiar with this concept since social networks and other software platforms display different types of content and advertisement based on your recent searches, current location, and places you have been. This has already been a subject of criticism because of privacy. Companies such as Facebook have been under watch for potentially violating the user’s right to privacy. The European Union General Data Protection Regulations (GDPR) impose high economic penalties on companies that prove to have inappropriate use of or insecure practices in handling data of their customers. However, in many cases the same customers might unknowingly accept use of their data by companies by consenting to the terms and conditions of a service.
A typical case of the use of IoT in service industries is utility monitoring and billing. Smart meters are already being installed in many homes across the world to measure and monitor electricity and water consumption. In countries where this technology has not been adopted yet there are plans to do so soon. Although it is still not in most households, smart meters are expected to be the norm at some point. However, this is not the only example of IoT-supported services. The Internet of Things can also support planning and logistics by providing real-time data on the status of complex operations. It can also provide real-time data on external factors that can affect decision making, such as traffic conditions, weather conditions, pollution rates, and building occupation levels.
The authors of the IoT-A architecture reference model cite an interesting example of a service based on IoT, namely, a transport monitoring service with smart load carriers (Bauer et al. 2013) This consists of a carrier equipped with smart sensors that communicate with other devices to prevent the transported goods from being damaged. In the case of an event that can potentially compromise the quality of the goods, such as a temperature change, an alert is sent to the users’ mobile phones that can allow decisions to be taken on logistics such as redirecting the load to a different distribution center or rescheduling plans in order to reduce waste. For example, imagine that three different drivers are transporting food through the same highway and have to reach destinations A, B, and C. If the sensors indicate that the goods transported by one of the drivers are at risk of becoming spoiled sooner, this driver could be redirected to distribution center A, which is the closest.
Services created using IoT can be as innovative as the Zozosuit, which consists of a full body suit that has sensors that take measurements of the user’s body. This allows online shoppers to be sure that the clothes they order will fit. The technology captures 15,000 measurements to ensure that material is tailored according to the unique body characteristics of each individual. Other current examples are health and fitness monitoring devices, which allow the user to personalize sport routines, diets, and medical treatments.
Examples of other new services that can be developed using IoT are many and are limited only by the imagination. Probably the most emblematic case is smart cities since they are based on connected sensors distributed in a wide area. These sensors can provide different sorts of information, such as traffic conditions, weather conditions, levels of pollution, nearest available parking spots, busiest areas and stores, geolocation of buses, and monitor different types of activities going on in the city. This information facilitates planning, as well as reacting promptly to unforeseen events such as traffic accidents.
Having reviewed the different uses of IoT in services, it is not hard to conceive of possible misuses. Imagine a hacker changing the parameters of the smart load carriers that can cause the goods to spoil before getting to their destination, or a terrorist turning all the traffic lights of a city to green at the same time or selectively changing traffic lights and producing fake data to divert traffic to specific areas. How much distress that can cause in a city in an emergency environmental alert because the air quality sensors are falsely alerting about high levels of pollution, or, in the opposite case, how many health issues can arise if those sensors are hacked to show pollution at falsely lower levels! Actually, there is already a known case about fitness apps exposing sensitive data of users in North America, including important business executives.
The security considerations to be taken care of are, in general, the same as those discussed in the previous two chapters, with some additional challenges. In Chapters 5 and 6, IoT systems in business and industrial environments were reviewed on the assumption that the organization that owns the system is mainly responsible for security. In the case of services, this responsibility might be shared between different actors. Factors such as the complexity of the supply chain, variety of stakeholders, ubiquity, and complex interdependencies between systems can make security in smart services more difficult. If your company, instead of implementing an IoT system, is hiring a service based on one or several IoT or IIoT systems, you can apply security only from your end. However, you will also pay for the consequences of a cyberbreach if a third party involved on your supply chain does not have sufficient IoT security. You cannot, therefore, just presume that the supplier of the service is doing its part. Instead, you need to do a risk assessment on your own to see how much a security incident can affect your business and what you can do about it.
Areas to Link into to Improve Security
In addition to the recommendations provided in Chapters 5 and 6, some important areas of concern with regard to IoT-based services will be mentioned here. These aspects are key to understanding how well your company is dealing with cybersecurity.
Look into Critical Dependencies and Impacts on Your Business
Identify which business processes interact with or are influenced by services based on IoT systems. A practical way to look at it would be to establish which important business decisions are made on the basis of information provided by these services and the consequences that can ensue if this information is inaccurate or unavailable.
Supply Chain Management
Here, I will mostly repeat what I have already said in the previous chapters. First, IoT can introduce cyberrisks; second, suppliers can introduce cyberrisks, and a service that depends on IoT systems managed by suppliers . . . guess what? Ask suppliers about their cybersecurity program and what controls they have in place to prevent, detect, stop, and recover from cyberattacks. Ask about their capacity to respond to security incidents and fix vulnerabilities. Check if this service has suffered attacks before and how they handled them. Check what communication protocols and types of devices they use and whether they are known to be secure or not. Be sure to sign satisfactory agreements relating to liability in case of a security incident. Define responsibilities and obligations, as well as compensation in case of damage.
Consider Third-Party Services in Your Cybersecurity Program
Services based on IoT systems, as much as any other IT service provided by a third party, should be part of the scope of your cybersecurity program. One important reason is to be able to identify the security controls that can be applied from your end, for example, managing user accounts and passwords, monitoring event logs, or detecting any abnormal behavior in the data. Whether security measures are under your control or not, it would be advisable to keep track of as many security indicators as possible to give your company a view of the risks.
Business Continuity Planning and Resilience
Even if the service supplier assures you that they have the best security controls in place, you need to know what to do “if”. . . since, finally, your business too would be affected by the consequences of a cyberincident. Ideally, your supplier should have a business continuity plan as well, but this does not spare you the need to have one of your own. Remember that you also have to think about how an attack can affect your customers.
Ownership of Systems and of the Data
A complex supply chain also involves sharing of data among many parties. It is important to keep track of who owns the data and identify the responsibilities with regard to its confidentiality, integrity, and availability. Remember that if either you or your customers are located within the European Union, you must comply with their GDPR.
Consider Getting Insurance
Remember that you can control only what you know and what you can measure. If a critical part of your business depends on third parties and you cannot be sure about how well they handle cybersecurity, the best way to handle the risk may be to transfer it to somebody else.
Summary
IoT systems can be very simple or highly complex and can comprise a heterogeneous ecosystem where different sorts of “things” and services interact. This concept is not restricted to products but includes services, and often enough it is a combination of both: a product that enables a service to be delivered.
We have made enough progress through the book by now, so you may already have acquired a good idea of what IoT is and what it is used for. The next chapter will give you some insight about different types of cyberattacks that can target IoT and IIoT systems. This is also known as “systems of systems.” Sensors and actuators can be concentrated in a perimeter or distributed in a wide area, and different parts of the system are likely to be developed, owned, and administrated by different parties. In many cases, knowledge about the system will be distributed among different actors. It is crucial to provide the mechanisms for different stakeholders to interact and develop a holistic and integrated security strategy aimed at reducing the probabilities of an attack.