Industry is failing to secure connected products over the mid and long term. Furthermore, we see the influence of lobbying trying to lower the barriers and liabilities for providing security for connected products. There is no doubt: if vendors do not care about future support for the connected products they build, they will trap themselves and their customers in uncertain future cybersecurity risks.
These risks do not only affect the user of a single insecure product. As everything becomes connected, they multiply into risks for our infrastructure, our society and our freedom.
Paradigm shift in product lifecycles
The average lifecycle of a car in Germany is 19 years. Machines for industrial production are often built for lifetimes of 25 years and more. Residential homes are built for a lifespan of 70 to 100 years. This is manageable in terms of maintenance as long as the product is not connected: keeping such products secure was limited to caring for physical parts, replacing worn-out elements as long as the replacement is economically feasible. The mindset of all stakeholders, from industry to customers, is shaped by this experience.
But the connected era has changed everything. The product lifecycles of digital products have accelerated. The first iPhone was sold in 2007. Can you imagine using a Nokia 3310 mobile phone instead of your smartphone today? In 2018 we are used to the comfort of our iPhone X or Samsung Galaxy S9. We are also used to replacing our smartphone with the next new model every two years. We get continuous update support for iOS and Android, which provides rather stable protection from cybersecurity risks. But there are no more software updates for the operating system of a year 2000 Nokia 3310. Well, even Nokia's mobile phone business does not exist anymore.
Smart things are only smart on short-term lifecycles
The struggle starts when we turn our "classical" products into "smart" products without challenging the product lifecycle paradigm. Let me explain this with two examples.
First, autonomous driving:
There is this brilliant vision of autonomous car fleets with a fully digital user experience. Cars optimize mobility in intelligent swarms and provide their users with digital service platforms. Keeping such systems safe and secure needs permanent service and support: keeping apps up to date and providing patches for vulnerabilities in their operating systems. This service and support with software updates is necessary for quality of service. Without it, autonomous mobility is not possible.
But providing continuous services is not possible in the current business model of selling cars, where car ownership leads to product lifecycles of 19 years. It is impossible to keep the digital hardware components and software up to date over such a product lifespan. Outdated hardware and software components, certification schemes and the drain of knowledge will push vendor support to its economic limits.
If you want to step into the autonomous smart vehicle area, you have to change the entire business model from car ownership to mobility on demand. In mobility on demand, the connected vehicles are owned and managed by fleet operators. The vehicle lifecycle is at most the 5 years of long-term operating system software support. In these 5 years the vehicle's usage is optimized by the mobility operator to match that of the 19-year "owned" car model.
But currently the automotive industry is trapped in the old 19-year business model. And that is where they start to doom us all. Turning current car models into "smart" connected vehicles will create a tsunami of out-of-maintenance cars within the next 5 years: cars with old hardware and software, whose owners become potential targets for cybercriminals or cyber weapons. Owning a connected car is a bad idea if you intend to keep it longer than 5 years. Selling such products to consumers is a ticking time bomb.
Second, the smart home:
Turning buildings into energy-optimized and assisted living areas. No doubt, smart homes have high potential, for example in supporting elderly or disabled people. With assisted living they can live in their familiar household instead of being moved into stationary care. Extending self-determined living will have an enormous positive effect on individuals and on the overall economy. But domiciles are also highly sensitive areas with regard to privacy. This status is a human right and is protected by our constitution. Defending this extraordinary status from cyberattacks on privacy and security is a must. In the age of smart homes this basic human right is tied to the support of smart products during their lifetime. Only a continuously updated smart home system is a secure and safe habitat.
But at this point industry and policymakers are failing. In Germany, the liability period for physical building construction elements is usually 4 years, but only 2 years for the electronic devices installed inside a building. There is no perception that an insecure electronic device can harm inhabitants as badly as a botched roof.
Keep in mind that houses are built for 70 to 100 years and home ownership is the envisaged model. There must be an answer to how we keep smart homes up to date in the future; otherwise we are running into real trouble for inhabitants and for our critical infrastructures in smart cities. Smart homes will become primary targets for cybercriminals and cyber weapons. To face this challenge, we need common efforts of politics and industry to create incentives for keeping the hardware and software of smart buildings up to date during their lifetime.
We need to stop stepping into the smart connected future with our mindset from the analog age. This is a challenge for consumers, industry and politics.
Would you like to listen to my talks on cybersecurity in the Internet of Things? Visit my next session at:
11.12.2018 in Frankfurt