The promise is utopian. The Internet of Things (IoT) will free us from mundane jobs and automate processes in a wide range of industries, from manufacturing and mining to homecare and healthcare. It will transform lives, change the face of industry and lead us to the next global economic revolution — generally called Economy 4.0 — thereby raising productivity exponentially.

But what is the flip side? What are the risks? Are we opening a Pandora’s Box without mitigating the risks? Before we get to that, let’s look at some numbers first:

Research house Gartner Inc forecasts that 8.4 billion connected “things” will be in use worldwide this year, up 31% from last year, and that the number will reach 20.4 billion units by 2020. Total spending on endpoints and services will touch US$2 trillion this year. China, North America and Western Europe, which are driving the use of IoT, will represent 67% of the overall IoT installed base this year.

Bain & Co predicts that by 2020, the global market for IoT (including devices, software, hardware and services) will cross US$470 billion.

McKinsey put the global IoT market size in 2015 at US$900 million. It estimates that it will reach US$3.7 billion by 2020, growing at a 32.6% annual clip between 2015 and 2020.

Industrial giant General Electric Corp has the biggest number so far. It says investment in the Industrial Internet of Things, or IIoT, will reach US$60 trillion in the next 15 years.

What about Malaysia, a key manufacturing and industrial hub in Asia-Pacific? The country’s IoT market is worth US$700 million, says research company International Data Corp (IDC). By next year, connected vehicles, insurance telematics, personal wellness and smart buildings will be the four key IoT use cases in the national spotlight.

“These use cases will take centre stage in 2018 as heralded by the high concentration of players from sectors such as manufacturing, IT and utilities,” says Nikhil Batra, IDC research manager for telecoms in Asia-Pacific. “By comparison, insurance telematics, which gives insurance companies the possibility to monitor driver behaviour and adjust premium calculation accordingly, will continue its growth, slowly becoming the new normal for players in the sector.”

Pranabesh Nath, IDC research director for Malaysia, says local companies understand that they need to transform to be globally competitive, despite economic pressures at home. “Enterprises across diverse industries, such as retail, manufacturing, construction, finance and oil and gas, are at various stages of exploration and adoption of new technologies.

“Some enterprises are focused on internal transformation, where technologies such as enterprise mobility, data warehousing and security technologies remain highly relevant. Others, however, want to focus more on building new external applications and services, using tools such as augmented reality, virtual reality and IoT.”


DX nirvana

The aim? Get to a state of enterprise nirvana, now called DX or digital transformation. That is a loose term that roughly means using digital tools to transform your enterprise.

Early this year, McKinsey reported that on average, industries are less than 40% digitalised, despite the relatively deep penetration of these technologies in media, retail and high-tech.

In July, Dynatrace, which specialises in digital performance metrics, released the results of a survey of 1,240 business and IT professionals. The study noted that up to half of the respondents stated that digital performance challenges were directly hindering the success of digital transformation strategies in their companies. Up to 75% of the respondents reported low levels of confidence in their ability to resolve digital performance problems.

As for Malaysia, IDC says local companies are seriously considering DX technologies to attain macro-economic scale over the next three to four years. “This is changing the way organisations operate and is reshaping the Malaysian economy. This could lead to the dawn of the DX Economy,” says Nath.

Are companies focusing too closely on industrial applications and ignoring the consumer? Another research house points out that consumer applications represent 63% of the total IoT applications spend.

“The consumer segment is the largest user of connected things with 5.2 billion units to be installed this year, representing 63% of the overall number of applications in use,” says Gartner research director Peter Middleton.

“Businesses are on pace to employ 3.1 billion connected things this year. Apart from automotive systems, the apps that will be most used by consumers will be smart TVs and digital set-top boxes, while smart electric meters and commercial security cameras will be most used by businesses.”


Security scare

Consumer apps are exactly what worries governments and regulators. The fear? Increased risk of hacking, given that there are no strong security standards defined or implemented for IoT devices yet.

The US Food and Drug Administration (FDA) recently warned users about a serious hacking possibility in pacemakers that regulate the heart rhythms of affected patients. On Jan 9, the FDA issued a public notice mentioning cybersecurity vulnerabilities that were identified in implantable cardiac devices, specifically the Merlin@home Transmitter made by St Jude Medical Inc.

“Many medical devices, including St Jude Medical’s implantable cardiac devices, contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the internet to hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” says the FDA.

It adds that it had reviewed information concerning potential cybersecurity vulnerabilities associated with St Jude Medical’s Merlin@home Transmitter and had confirmed that these vulnerabilities, if exploited, could allow an unauthorised user to remotely access a patient’s radio frequency-enabled implanted cardiac device by altering the transmitter. The altered software could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.

That, in fact, could be fatal. If that were to happen, it would be the world’s first murder by IoT hacking.

To be sure, the FDA explicitly states that “there have been no reports of patient harm related to these cybersecurity vulnerabilities.” So far.

St Jude Medical, meanwhile, has developed and validated a software patch for the transmitter, which cuts the risk of specific cybersecurity vulnerabilities. The patch, available since Jan 9, will be applied automatically to the transmitter. Patients and caregivers only need to make sure that their Merlin@home Transmitter remains plugged in and connected to the network to receive the patch.

What is the prognosis? The FDA warns users that any medical device connected to a communications network (WiFi or public or home internet) may have cybersecurity vulnerabilities that could be exploited by unauthorised users. “The increased use of wireless technology and software in medical devices, however, can also offer safer, more efficient, convenient and timely healthcare delivery,” it adds.

“We will continue to work with manufacturers and healthcare delivery organisations — as well as security researchers and other government agencies — to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.”

The biggest bottleneck to IoT adoption would be security, or lack of it. Research company Forrester Inc says many such devices lack basic security requirements. “There is a plethora of IoT standards and protocols, which create security blind spots. The scale and scope of IoT deployments hinder visibility into security incidents. There is a lack of clarity of responsibility regarding privacy and security.”

As the leader in IoT software and usage, the US has to show the way. On Aug 1, the Senate introduced a bill that would set baseline security standards for the US government’s purchase and use of a broad range of IoT devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyberattacks last year that were fuelled for the most part by poorly secured IoT devices.

The IoT Cybersecurity Improvement Act of 2017 seeks to use the US government’s buying power to signal the basic level of security that IoT devices sold to government agencies need to have. For example, the bill would require the vendors of IoT devices purchased by the federal government to ensure that the devices can be patched when security updates are available. The devices should not use hard-coded (unchangeable) passwords and vendors should ensure that the devices are free from known vulnerabilities when sold.

IoT has great potential and can transform the industrial face of a country. It can also be a great competitive advantage. This is especially true for Malaysia. Manufacturing accounted for 81.5% of the country’s total exports last year, according to Malaysia External Trade Development Corp. The manufacturing sector directly employs 1.03 million people, out of a total labour force of 14.65 million.

The bottom line: Malaysian companies should embrace IoT, but keep a cautious eye on vulnerabilities and security patches.