The global community is becoming increasingly reliant on technology and data, which affects, among other things, competitiveness and relevance. The digital revolution also affects how South Africa’s private and public sectors do business.
Due to its influence on the world and our interaction with it, the World Economic Forum (WEF) has described technology as a “language [which] must [be mastered] … if we are to thrive in the modern workplace and society.”
Our increased reliance on technology has given rise to the Internet of Things (IoT), which generally refers to networks of devices that communicate with each other, most often via wireless protocols, and enable functionality ranging from remote user interaction to full autonomy.
Key challenges for the international safety community, however, are to anticipate and manage the new and emerging risks and opportunities associated with this innovation, and to help smooth the way for its safe adoption.
While we have correctly focused on mitigating emerging hazards and risks, we must challenge ourselves to also consider the opportunity that IoT devices may present to us to improve safety outcomes. Is it possible that smart devices, in some cases, might alert users to changing conditions that could become hazardous? Might interconnected smart devices be capable of taking direct action to prevent hazards from manifesting? Enhanced safety outcomes in the connected world will be realised through the application of safety science, collaborative research, and consensus standards development.
As the number of smart and connected devices continues to proliferate at an astounding rate, the international safety community will encounter new challenges in managing associated safety and software security risks. This, undoubtedly, will be complicated by the need to balance safety and software security with other desired attributes such as interoperability and privacy, all while not stifling innovation. If IoT is incorporated into a product, existing assumptions must be challenged with respect to functionality and hazards. Can the product be reprogrammed? Would a lack of software security controls be considered a hazard in itself that the standards should address? These types of considerations are the starting point for addressing the safety of IoT.
Voluntary safety standards consensus bodies are taking strides to address some of this already. For example, they have considered that embedded functions that are possible, and not just those of the initial factory configuration, may be altered via an IoT connection. Where that could lead to a safety consequence, the hardware and software must reliably minimise that risk. Similarly, the ability to locally override a remote setting or control has been addressed.
It is important that any contemplated requirements or standards revalidate the underlying assumptions for the product in question when employing IoT technology. To the greatest extent practical, any resulting requirements should take into account the individual end-use applications to fully appreciate these assumptions.
We must appreciate the degree of complexity and potential risks that a world of interconnected technologies brings. Related cybersecurity breaches across the globe illustrate that such risks apply to all. Breaches can compromise the physical safety of individuals, personal data and financial security as well as the physical infrastructure of cities. And breaches can compromise governments’ efforts to protect their people.
The far-reaching impact of cyber threats means that we need to understand that data privacy and security are intertwined. And the attacks’ occurrence across borders means that we need to evolve our governance models to drive greater cross-border cooperation and collaboration. And our experiences to date underscore the need to build a framework grounded both in protection/prevention and in the resiliency of systems.
This is an area for active safety standards. It is highly desirable to enable the download of firmware that could ‘fix’ a problem that emerges after the product is in the field. The act of downloading, however, can be a source of risk, as is an insecure connection to a public network. Media reports of hacking incidents demonstrate that insecure technology products are discoverable; there may be motivation to alter the product such that its safety is no longer assured. This would be of particular concern in high-risk products, such as indoor space heaters.
We strongly believe that establishing effective and appropriate safety and software security requirements for connected technologies can best be accomplished through a comprehensive consensus process, which is informed by the ability to access timely and comprehensive data, varied subject matter expertise, and shared resources. International collaboration between governments and the private sector is crucial here.
About the author
Dan Ryan is an International Standards Manager with Underwriters Laboratories Inc. (UL) and is responsible for UL’s standards collaboration relationships with national and regional standards bodies and other key standards-focused organisations around the world. www.ul.co.za