IoT and Cybersecurity in Barcelona

Barcelona, the enchanting city on the Mediterranean, attracts visitors not only with its historical highlights such as the Sagrada Família and the lively Ramblas, but also with its modern flair and technological advances. As Product Manager for Digitalization at Kontron AIS, I was excited to attend this year's combined event of the IoT Solutions World Congress (IOTSWC) and the Barcelona Cybersecurity Congress (BCC). The conference promised in-depth insights into the latest developments and challenges in IoT and cybersecurity. With many questions and a notebook in my luggage, I made my way to the exhibition centre, ready to immerse myself in the world of cybersecurity.

The IOTSWC is one of the world's leading events for innovative technology solutions and digital transformation. It focuses on technologies that are revolutionizing industries, such as artificial intelligence, the Internet of Things, robotic automation, and augmented and virtual reality. In 2023, 330 exhibitors from over 100 countries and 15,600 visitors took part.

At the same time, the fourth round of BCC will focus on cybersecurity issues that are important for the connected and digitalized industry. Both conferences offer opportunities to network with industry experts, showcase the latest technology solutions, and discuss the impact of new technologies on various industry sectors. They are important platforms for companies to showcase their products to a global audience and essential meeting places for professionals who want to be at the forefront of technological innovation and industrial change.

Why the IOTSWC and BCC are a must

Attending the ISC and BCC is a must for me, because as a software company it is important to stay on top of the growing threat of cyber-attacks. The combination of cutting-edge presentations, hands-on workshops and the opportunity to network with IoT, cybersecurity and compliance experts makes this conference a valuable platform. Not only will the latest security strategies and technologies be presented, but important discussions on future challenges and solutions will also take place.

As the provider of the EquipmentCloud® digital transformation solution and the KontronGrid device management solution with the secure KontronOS operating system, our customers' security is our top priority. We can learn from the best in the industry and adapt our own security strategies to provide our customers with the most secure and efficient solutions. By working directly with the experts and gaining valuable insights, we ensure that our products always meet the highest security standards while delivering innovative features that meet the demands of today's industry.

3 days of exciting presentations, exhibitions, live demos, networking events and workshops: There were plenty of opportunities to learn about the latest trends in IoT and cybersecurity. Here are my personal highlights:

Adversaries are Getting Smarter in the Cloud – Joan García Sánchez, CrowdStrike

Joan García Sánchez's presentation addressed the growing threat of cloud-based attacks. García Sánchez reported that the average breakout time of an attack is only 62 minutes, with the fastest being only 2 minutes. Speed, automation, and precision are critical to thwarting these attacks. Collaboration between cloud and IT security teams is essential because protecting individual endpoints is no longer enough. Of particular concern is the diversity of attack vectors: Endpoints, cloud services, and identities provide many opportunities for cybercriminals. The use of malware is declining, while cloud-based attack techniques are increasing. There are 235 active attack groups worldwide, including scattered spiders that are familiar with cloud technologies and generative AI. These groups take advantage of silos and noncommunicating systems. Serverless applications also need to be protected. This presentation emphasized the urgency of accelerating and automating security processes. For us at Kontron AIS, this means continuously developing our solutions such as EquipmentCloud® and KontronGrid to ensure the highest security standards. Of particular importance is the KontronOS operating system, whose development and deployment process takes security into account from the outset to provide our customers with the best possible protection as the basis for their applications.

NIS2-Compliance: the key to the cyber security of the future

Compliance with the NIS2 directive was a key topic and one that was important to me. Two presentations highlighted the challenges and requirements of this new directive. The first presentation, 'Keep Operations Running with OT Security Native Technologies: NIS2 Compliance' emphasized the need to integrate legacy OT (Operational Technology) systems with modern IT solutions. Many OT devices are siloed and not always up to date, creating security gaps. The speakers, including Rafael Saorín Adán of Naturgy Renewables and Joan Saltó Segura of Deloitte, emphasized that network security in critical environments is critical and requires an understanding of the applications running. They emphasized that comprehensive, country-specific cybersecurity strategies are essential for all sites and countries to ensure security from the outset (security by design). They also pointed out the new risks posed by the OT cloud and emphasized the importance of local experts (cybersecurity champions) at the enterprise level.

In the second presentation 'NIS2 Directive Panel: Network Information System', experts such as Emil Bisgaard and David Andres Hurtado discussed the new direction of the NIS2 directive, which makes CEOs and managers more accountable. CEOs must now develop a deep understanding of cybersecurity themselves, as they can be held directly accountable. Ideally, the implementation of NIS2 will be driven by CISOs (Chief Information Security Officers), who are responsible for developing and implementing cyber security strategies. A key issue has been the complexity of national implementation and the associated costs. Compliance with supply chain risk management requirements is particularly important, as suppliers must also be integrated into the security strategy. The presentations made it clear that NIS2 can be seen as a milestone on the way to the Cyber Resilience Act, which is due to be implemented by 2027. In addition, NIS2 means that asset owners and providers are finally speaking the same language, which should be seen as an opportunity. The experts emphasized that physical security is the foundation of cybersecurity and that complete documentation is essential. Organizations need to ensure that security is built into their projects from the outset to build customer confidence and ensure business continuity.

Data-driven Outcomes: How IoT Powers Generative AI Innovation – Yasser Alsaied, AWS

Yasser Alsaied from AWS presented how IoT data is driving the innovative power of Generative AI (Gen AI). He emphasized that machines use the language on which our communication is based to work efficiently. IoT data is the difference maker because it not only knows the business, but also knows the customer, adding significant value. Amazon AWS focuses on three levels of security: encryption, integrity, and longevity. Solutions must protect privacy and be secure now and in the future. An example of a Gen AI application based on multiple modeling learning is the use of sensors in trees that determine their need for nutrients, water, and sunlight, and provide accurate data on oxygen and CO2 levels. Correlations can then be queried in real time: How much oxygen is available right now? How much CO2 has been reduced by photosynthesis in the last x months? 

This can be extended to other application areas as needed, and also offers the opportunity to reduce maintenance costs by 60% because GenAI knows not only the business, but also the customers. This has been achieved by AWS building a comprehensive AI stack through long-term investment. Alsaied emphasized that only 1% of the oil and gas industry is connected to the cloud, which opens up new opportunities. He concluded with an outlook on the future of Gen AI, showing promising developments at the edge and with multi-model approaches. Safety remains the most important factor, with regular safety checks at various levels. Algorithms recognize scenarios and immediately isolate threats.

Applying IEC 62443 – Panel Fortinet / Schneider Electric / Yogagawa / Eurocat

The panel on the application of IEC 62443 focused primarily on the different sectors, such as mechanical and plant engineering, shipping and transportation. It became clear that the standard has a far-reaching impact on corporate culture. It also highlighted the need to involve the entire supply chain in safety strategies. Added value is created when availability and protection against cyber-attacks are taken into account from the outset in the development of electrical systems. Subsequent changes to finished systems are neither sustainable nor in the interest of the IEC. These requirements are increasingly being placed on suppliers, regardless of the sector in which they operate. The objective is to minimize risk. Different levels of risk have to be considered and measures have to be adapted to the industry. Incident reporting and business continuity are important issues. 

The new rules are necessary because many companies do not yet have cybersecurity under control. These standards will ensure that everyone has the same requirements and follows them. Harmonization of global standards will enable more efficient collaboration. This applies to governance as well as process-oriented and technical requirements. The diversity of guidelines is expected to decrease, which should lead to more clarity and less duplication of effort. A cultural change is needed to fulfill the IEC 62443 standard and facilitate further regulation. The IEC standard is seen as best practice and embedded safety features are essential.

Digitalization in Standards & Regulations – David Nix, Digital Transformation Officer, IEC

David Nix from the IEC presented the importance of digitization in standards and regulations. He emphasized the partnership with ISO and explained that it is easier to introduce new standards in the industry, but it is often difficult to enter new markets. A key topic was the use of requirements systems to help companies implement new regulations. Nix posed the question: "What is stopping us from applying these new regulations? The answer often lies in the complexity of the processes. LLMs (Large Language Models) could help, but we are not yet able to use them effectively. 

The first step towards implementation is the concept of ‘Smart Standards’: Build, Consume, Tailor. The standards should be made accessible via APIs and apps. An important point is how users are informed about changes to the standards, as they are constantly evolving. Continuous information would make it easier for users to work with the standards. The main goals are to increase efficiency, improve performance and create added value. In the past, the focus was on the protection of data, now the focus should be on the reuse and application of standards - a necessary mindshift. The point is not that standards exist, but that they are practical and useful. Nix presented a timetable: 50% of the standards should be available via apps in Sweden and Norway by the end of 2024, with a business model to follow by the first quarter of 2025. One of the current challenges is the language of the standards. Will this continue to be English or another language of the future? And how will the application of the standards change if the consumer is not a human but an AI? We are curious.  

What I'm taking away from the IoT Solutions World Congress and Cybersecurity Congress 2024

This year's merger of the IoT Solutions World Congress and the Barcelona Cybersecurity Congress was an enriching platform for the exchange of innovative ideas and technological developments. These are my key takeaways and highlights from the event:

Innovation through AI and ML

A dominant theme was the broad application of machine learning (ML) and artificial intelligence. These technologies, which were integrated into products six to twelve years ago, have laid the foundation for many innovative solutions. The presence of many new and unknown companies presenting fresh ideas and technologies was notable.

Focus on devices and data

Discussions focussed heavily on the different types of devices and the underlying data, rather than marketplaces and dashboards. However, the full integration of IT and OT remains a challenge that many companies still have to face.

Regulatory requirements in focus

More than 25% of the presentations focused on regulatory issues, particularly the NIS2 directive. These new requirements raise complex legal issues that are almost impossible to resolve without legal advice. Responsibility for compliance is increasingly being passed down the value chain, meaning that companies, including suppliers, must act proactively before they are legally required to do so.

Security as a fundamental principle

Security was emphasized as an essential part of any function that must be considered from the beginning and throughout. Although cybersecurity is currently seen as a competitive advantage, it will soon become the new normal.