"Power-by-the-hour" may be a hot trend thanks to the Internet of Things, but the cybersecurity ramifications and data sharing provisions in such arrangements aren’t clear.

Brian Buntz

June 7, 2017


Imagine, if you will, a couple of grim scenarios.

In the first, a commercial airliner loaded with people is suddenly imperiled when a hacker breaks into its avionics system. The avionics goes dead, making it impossible for the plane to access engine telemetry or communicate with the airport control tower or the FAA.

In the next, an elevator ferrying several people to the top floor of a hotel suffers a similar fate: Bad actors take control over it, causing it to crash into the top of the shaftway.

While, statistically speaking, airplanes and elevators are incredibly safe, the question of liability in hypothetical cyberattacks like these could grow thornier thanks to IoT-fueled product-as-a-service business models. In such situations, industrial companies could rent out, say, avionics systems or jet engines to airlines, or elevator makers could charge building owners per ride rather than selling them a steel box.

The idea of a customer paying for an outcome rather than a means to that end sounds attractive. If you can forecast demand and predict mechanical problems before they happen, why not adopt the product-as-a-service business model? But what happens when the service suffers a catastrophic cyberattack and the relevant regulations aren’t worked out yet?

To make the leap to selling a product as a service, the vendor must first make that product more sophisticated, adding in connected sensors and layering in machine-learning tools. If you accept security expert Bruce Schneier’s decree that complexity is the worst enemy of security, such products masquerading as services would undoubtedly create new cyber risks, thanks to their expanded options, service offerings, connectivity, interfaces and functionalities. The conclusion may sound obvious, but it doesn’t seem to come up often in discussions surrounding IoT-enabled power-by-the-hour business models.

The Dead Sea Effect

Companies mulling the sale of their goods as services rather than as products are also likely to limit their liability. “Can you imagine if a vendor assumed 1,500 customers’ IT security risk? I don’t think any business would want to do that,” says Peter Tran, RSA’s Advanced Cyber Defense general manager and senior director.

Meanwhile, organizations that sign up for “as-a-service” products will likely want to minimize their own risk exposure. “If you are the owner of the Pleasant Stay Hotel and you sign up for an as-a-service contract with Acme Elevator Co., the reputation risk will be enormous if that elevator gets hacked,” says Don DeLoach, author of the recently published book “The Future of IoT: Leveraging the Shift to a Data Centric World.” “If you are the CEO or the CISO of the Pleasant Stay Hotel, you are going to push as much liability as you can onto [external vendors] while doing whatever you can to minimize your risk profile. Whether the Acme Elevator Company goes out of business, if they take you down with them, you are still out of business.”

It is more likely that both the OEM and its customers will take some responsibility for cybersecurity while attempting to shift a portion of that risk onto the other party. “I call this the ‘Dead Sea effect,’” Tran says. “You have this middle ground that is literally dead—uninhabitable. Nobody wants to cross over, but everyone knows about the threats of that environment. In the end, each business will creep towards it, but they will never bridge the Dead Sea. That’s a problem in many as-a-service arrangements.”

Data Sharing Questions

Another consideration with the product-as-a-service business model is data sharing. Vendors providing as-a-service offerings will have contractual agreements for data sharing. As businesses across the world become more data-driven, battle lines could be drawn over who owns the data. “Again, returning to our hotel example, let’s say that the elevator company is capturing a range of data—velocity of the elevators, occupancy information, estimated number of people on a given floor, temperature, and so on,” DeLoach says. “The elevator company might offer the hotel one-tenth of the data they capture. But if you are the hotel owner and you want a holistic picture of how your hotel operates, you’ll want access to all of the data that is relevant. You could tell them: ‘I am going to work with a different elevator company unless you give me access to it.’”

Meanwhile, businesses that wrest control of the data away from the vendor could face a demand for data coming from the opposite direction, DeLoach explains. “If a company is providing elevation as-a-service, they could optimize that service if they had access to relevant data from the hotel,” he says. “If they could enrich their own data, they could have a better signature and thus provide better service to the hotel. In the end, IoT data has the ability to be valuable to the organizations on both sides of the equation.”
