Smart supply chains: Data challenges to IoT adoption

US companies such as Apple and Tesla are required by Chinese data localization law to store the data of their Chinese customers in China.

Data security

As businesses increasingly look to adopt IoT technologies, devices and equipment become more connected, and IoT applications become more sophisticated, companies will also need to increasingly manage cybersecurity threats. In fact, a 2020 survey by Trend Micro found that over 60% of manufacturers (surveyed across the US, Germany and Japan) have experienced cybersecurity incidents in their smart factories, with such incidents causing a production outage for three quarters of these businesses.

Cyber threats to industrial IoT could take various forms (e.g. phishing, brute force attack, unauthorised use of credentials) and could disrupt operations through the supply chain. For example, Maersk’s operations were significantly affected in 2017 by the NotPetya malware, which impacted its ability to process shipping orders for several days and was estimated to have cost the shipping company up to USD300m in losses.

According to Tiempo, there are five key factors that make industrial IoT difficult to secure and that businesses could focus on to reduce the risk of future cyber threats: (1) legacy equipment and software (i.e. backdoors left open from previous breaches often go unnoticed leaving systems vulnerable to future threats); (2) incorrect authentication practices (i.e. poorly configured user authentication could allow attackers to steal credentials); (3) interoperability (i.e. industrial IoT systems are made up of various sensors, software and equipment that could make it difficult to secure end points); (4) vulnerable communication protocols (i.e. operational technologies such as sensor and controllers have not typically been designed to detect cyber threats); (5) disconnect between operational technology and IT (i.e. IT and operations teams operate separately in many organisations which could affect a business’s ability to implement and monitor security controls).

Restrictions to cross-border data flows

In addition to cybersecurity threats, restrictions that impede the free flow of data across borders could also impact the adoption of IoT technologies. For instance, some economies implement data localisation restrictions that require certain data to be stored domestically rather than abroad, which can restrict the cross-border flow of data.

According to the Information Technology and Innovation Foundation, the number of economies that implement data localisation requirements has nearly doubled from 35 in 2017 to 62 in 2021, with China, India, Russia and Turkey implementing the most number of data localisation measures globally. This means, for instance, that US companies such as Apple and Tesla are required by Chinese law to store the data of their Chinese customers in China.

Although data localisation restrictions generally serve to restrict the free flow of personal data, such requirements could have implications for industrial adoption of IoT. For example, it could impede the ability of manufacturers to receive data from their customers that could be used to conduct predictive maintenance and further enhance their products. Restrictions to cross-border data flows could also restrict secure logistics and tracking.

In agriculture, for instance, farm data captured by sensors (e.g. around farming conditions) are transferred between countries to feed into other parts of the value chain (e.g. to food processors and retailers) for traceability, quality assurance, food safety and/or animal welfare reasons – something that will only grow in importance as consumers become more sustainability-minded.

Therefore, data localisation requirements could have the effect of diverting trade and production to national suppliers. But even though some domestic businesses may see their activity increase as a result of such measures, others may face efficiency losses as foreign-sourcing might be more costeffective. Adhering to data localisation requirements could also lead to added costs for businesses
that have to relocate or replicate certain functions (e.g. after-sales services).
There have been some efforts to tackle barriers to cross-border data flows via modern trade deals. For example, the United States-Canada-Mexico Agreement (USMCA) prohibits data localisation for all sectors including for financial services – a sector that is typically carved out of such provisions in trade agreements.

The recent Australia-Singapore Digital Economy Agreement (DEA) also prohibits data localisation requirements for all sectors and includes commitments around not forcing businesses to build data storage centres or use local computing centres as a condition of doing business. This deal entered into force on 8 December 2020.