A strong resources sector, challenging geography, and high internet penetration in the consumer market mean Australia is becoming a hotbed for the Internet of Things. But new questions about the regulatory and legal frameworks join long-standing privacy, security and complexity concerns as potential blockers to the emerging technology.
One of Malcolm Turnbull’s first post-politics moves was to invest in a company called Myriota. The Adelaide-based startup provides low cost, long battery life IoT connectivity via nano-satellites.
The former PM joins a host of venture capital investors in betting on the potential of Myriota’s proprietary technology and network of satellites being able to save customers 100’s of millions of dollars in asset maintenance and other industrial use cases for IoT.
According to the company’s co-founder and CEO, Dr Alex Grant, Australia is the ideal place for such applications where IoT technology can gather and share data and information at a fraction of the cost of traditional methods.
“Australia is the perfect location for IoT disruption to take place because of our unique geography, and the nature of some of our largest industries such as resources and agriculture, which operate across remote locations,” Grant tells Which-50.
“This means there is both a willingness to invest in IoT technologies, and a large economic imperative. Because of this, IoT technology is likely to have a transformational impact across multiple sectors and in many Australian industries.”
Grant says while ambitious concepts with the prefix “smart” – cities, agriculture and supply chains – garner much of the attention, Myriota is focused on providing the underlying infrastructure of “an IoT enabled future”.
“Our focus has been on products and services that the market is ready to adopt today, and that serve as stepping stones to that future. Connected sensors that support applications like predictive maintenance, logistics optimisation, operational efficiency, and risk reduction.”
For example, the company claims it is saving a wind turbine company half a billion dollars a year in maintenance costs by partnering with Ping Services, an IoT company which uses IoT devices to monitor damage to the enormous wind blades based on their acoustic signal. Myriota says the technology has the potential to save turbine companies 25 per cent in blade maintenance.
Indeed, local Gartner analyst Kristian Steenstrup says predictive maintenance is now the “killer application” for IoT, a point belied by the attention placed on consumer applications.
“IoT originally did have a lot of airtime and play in the consumer world, so that you could have more intelligent products: your fridge could talk to your washing machine and your TV set will tell you when to wake up and make coffee and all sorts of cool connected things.
“All of those have no intrinsic value,” Steenstrup tells Which-50. “They are fashion items. They are things to impress your neighbours.”
According to the Gartner analyst, a consequence of that early IoT hype in the consumer market was it pulled in a lot of interest from business and developers, and eventually led to more adoption and innovation in industrial use cases.
“What happened was the industrial area is where you get real ROI, you’ll get a financial demonstrable benefit. Somebody will pay for it. So what we’ve seen in the last few years is a real shift in the emphasis that industrial IoT is, if you like, the killer app for IoT.”
Put simply, industrial IoT extends the reach of data capture, allowing businesses to be more informed about their plant. Relatively cheap sensors can be retrofitted to old equipment, helping extend an asset’s lifespan.
That information is especially critical for natural resource giants which operate their equipment all day, everyday.
“If you’re in a factory and you have an hour [long] outage, you tell everybody to work an hour later tonight and you catch it up,” Steenstrup says. “But if you’re producing iron ore or gas 24 hours a day and you lose an hour, you’ve lost that hour forever.
“It’s unrecoverable lost production.”
What’s holding back IoT
Despite the value and a demonstrable ROI businesses aren’t yet flocking to the technology because there are still considerable challenges around complexity, standards and cost, according to Steenstrup.
“People aren’t doing it because you’ve got to work out how to do it. And there’s no universal plug and play capability across all this range of [industrial IoT].”
While IoT hardware can be relatively simple, integrating the data and actually leveraging the information can be complex, a challenge amplified by a lack of industry standards, multiple vendors, and, for most, the need to bring in consultants, Steenstrup says.
“How do you solve complexity and a lack of standards? You get somebody tell you how to do it. Some of the larger organisations are self learning because they’re larger scale organisations and they’ve got the R&D capacity with really big development shops in them already. But apart from those top tier organisations, if you’re trying to put something together that doesn’t have standards, there’s not one single vendor – there’s multiple parties, it’s a complex project. And yes, there is going to be a need for an external party and external parties will want that piece of the pie.
“The ROI case is strong. But working it all out and proving it and getting multiple trusted vendors to participate in that puts it a little bit further out of reach from some companies.”
But Steenstrup remains confident that IoT will become a relatively standard way of companies monitoring and operating their equipment in Australia.
Organisations are also concerned about the well known security risks of introducing more connected devices to a network.
“Any device that you add to your network is going to have some impact on that network and will increase your threat surface,” says Dick Bussiere, principal architect, APAC, for Tenable, a company which monitors networks and devices for vulnerabilities and exposures.
“There’s an old saying from a long time ago: ‘the only way to secure a computer is to fill it full of concrete and toss it in the ocean.’ Every machine is going to have some kind of vulnerability that is exploitable by a determined adversary. Some are worse than others.”
According to Bussiere, the volume of IoT devices means organisations can quickly lose track of those risks.
“One of the problems a lot of our customers have is not having a complete understanding, a complete knowledge of all of the assets that are present within their organisations. And something you don’t know about is risk because it’s an unknown unknown. It could be no risk, it could be infinite risk. But one of the more important things that we do is help our customers find everything that’s present on their networks, including the IoT devices.”
The security threat is one of the reasons Australia’s approach to IoT regulation will be critical, according to Bussiere.
In November last year the Australian government released its first ever IoT code of practice. The draft document focused on consumer devices and is totally voluntary but its 13 principles give an insight into how Australia may approach broader regulation and how it expects IoT devices to include “security by design”.
The voluntary code of practice, which borrows heavily from the UK code, follows an agreement with “Five Eyes” countries last year on IoT security. The code emphasises three principles in particular: strong passwords, a vulnerability disclosure policy and regular software updates.
The code is a good “starting point” for the industry, says Myriota’s Grant, but it remains to be seen if a voluntary code will have a real impact.
“IoT security and privacy is a collective responsibility, one that to date has been poorly delivered by IoT equipment and service providers, rightfully earning IoT an incredibly poor reputation in the market.
“The consequences are high, with hackers potentially gaining access and control of incredibly sensitive personal, commercial or national information, or control of key infrastructure, and this could have devastating consequences.
Tenable’s Bussiere agrees the code is welcome but argues it is important that Australia’s IoT regulation has some real consequences.
“I’m of the opinion that there needs to be some teeth in regulations [and] a minimum level of compliance that you need to meet in order to be sold or in order to have a label says ‘I’m secure on the technology.’”
According to Bussiere, a variance in the maturity of device manufacturers and the resources they have to dedicate to security, as well as the expected explosion in the number of connected devices, means it’s critical for regulators to act now on IoT standards and legislation. And it may be naive to expect end users to have the capability to properly assess device security.
Currently, there is no legislation in Australia regarding IoT specifically, and where privacy and security laws do exist, critics argue they may not be effective.
Dr Kayleen Manwaring, a senior lecturer at UNSW and former solicitor of the federal and high courts of Australia says IoT privacy and security protections still lag well behind what is needed for the technology.
Manwaring, whose research includes the privacy and security risks of consumer IoT, says Australia’s privacy regulators are still focused on the data collection and processing of tech giants online and are yet to address IoT technology.
“One of the things that concerns me a lot is that there does seem to be a reasonable amount happening in the industry space but none of the regulators really want to tackle [IoT] now because they’re still catching up with stuff they should have done before.”
The government’s IoT code of practice is welcome but is limited by being high level and non-binding, according to Manwaring. She points to the leading IoT industry association which has already released more detailed privacy and security guidelines, including for non-consumer goods, as a potential model which the government could adapt into enforceable standards.
“I think that what we’d seen in the last few years, particularly in relation to privacy, is very soft regulation doesn’t work … You’ve got to have security standards that people are mandated to comply with. And there’s a reasonable amount of work done by industry that could be used to support those standards.”
Manwaring also argues the problem could be addressed with better education of the people creating and using IoT technology, starting with students in engineering and computer science courses by arming them with more than the skills to “just get a job”.
“[Technology professionals] are not innately evil people. They just don’t necessarily think about these things because it’s not part of their education,” she says.
“You get a really good technical education in Australia. But there’s often very little in the way of ethical humanities education in our technical degrees.”