The Internet of Things is a fast-growing phenomenon in which formerly dumb devices get chips and sensors to become smart gadgets, connected to a network as part of various cyber-physical systems. Sokwoo Rhee, associate director of the Cyber-Physical Systems Program at the National Institute of Standards and Technology, is one of the government’s chief overseers of this rising trend.

Rhee spoke at a recent Wharton conference titled “Strategies for Success in the New Era of Connected Ecosystems,” sponsored by the Mack Institute for Innovation Management. Separately, he spoke with Knowledge@Wharton about some of the less obvious trends in the Internet of Things, how companies are adapting their business models, the government’s role in this cyber world, and how we should secure new smart devices coming online from potential hackers and cybercriminals.

An edited transcript of the conversation appears below.

Knowledge@Wharton: You’re the associate director of the Cyber-Physical Systems Program, which is part of the National Institute of Standards and Technology. What is that?

Sokwoo Rhee: Cyber-Physical Systems is pretty simple, actually. Cyber means connectivity, Internet and software. Physical means sensors, actuators, anything you can touch — cars, chips, radios, etc. So when you combine anything with a networking software component with anything that is physical — those are cyber-physical systems. That’s really what the Internet of things is about. There’s a slight difference between CPS, that’s what it’s called, cyber-physical systems, and IoT. CPS puts a little more emphasis on security issues, and risk management issues and robustness and reliability issues. That’s really the only difference — generally, it proves the same.

Knowledge@Wharton: And the National Institute of Standards and Technology?

Rhee: The National Institute of Standards and Technology is actually part of the Department of Commerce. A lot of people think that it’s an independent lab, but that’s not the case. We are part of Commerce, and we do a lot of standards and measurement science, research in all the different areas, including chemistry, physics, all the way down to food science, color measurements and optics — anything you can think about.

“A lot of manufacturers think that it means they are going to sell more chips. … The real value comes from establishment of services on top of the connectivity.”

Knowledge@Wharton: What is the state of cyber-physical systems’ implementation in the U.S. today? Where are we? What more needs to be done?

Rhee: I’m going to talk in the context of IoT because it’s what a lot of people understand. The U.S. and Europe and Asia are on three different paths right now in terms of implementing IoT in general. The U.S. is leading in terms of technology, but in terms of investment, probably the Europeans are ahead. They’ve been investing in IoT and CPS for more than 10 years. So the U.S. is lagging in terms of that. But in the end, I believe the U.S. industry has a lot more potential to invest a lot more funding to this, so I believe it’s going to catch on pretty soon.

Knowledge@Wharton: How can cyber-physical systems help the U.S. become more competitive and how can they spark growth in more mature industries, in particular?

Rhee: A lot of people think that IoT is all about sensors and chips and radios, and a lot of manufacturers think that it means they are going to sell more chips. But that’s probably a very small piece of the whole IoT value. The real value comes from establishment of services on top of the connectivity; that’s where the value is going to be. The manufacturers in the industry will have to think about how they can transform themselves to [adopt] a completely different business model.

Knowledge@Wharton: Could you give an example of that?

Rhee: Sure. What GE is doing right now is a great example. GE, traditionally, has been selling jet engines, for example … they are big in jet engines. And the traditional model is, they sell a jet engine at a unique price. There’s typically a warranty for a few years, and after that, they offer a maintenance agreement. So if something goes wrong, they come and fix it. They’re now changing to more of a subscription model. They practically give the jet engines away for free. However, they charge a monthly or annual subscription, and it comes with a guarantee. They don’t necessarily guarantee the product, but they guarantee the trust. Meaning that if you have this subscription, then you don’t have to worry about the repairs or anything like that. If anything goes wrong, GE is going to come in and replace the engine. So whenever you turn the switch, you can have a certain trust that it’s ready and the engines will turn on. That’s the model.

Knowledge@Wharton: So it’s a rental or leasing model, in a way.

Rhee: Yes. However, here’s the interesting play. To make the model work, GE has to know exactly when its engines are going to fail. Here’s why: If you replace an engine too early, you are leaving money on the table, because the engine could have gone even longer. And if you wait too late and a disastrous situation happens, planes are going to fall. So you have to know exactly when it’s going to fail.

“If your PC gets hacked, you’re going to lose your credit card number. OK, that’s not good. But in CPS and IoT, if something gets hacked, somebody may die because of it.”

To determine that, GE started putting many, many hundreds of sensors around the engines for several years, and then they monitored the status and health of the engines in real time. They have 100 year’s worth of experience in the diagnostics model; they have tons of data. They can combine these IoT sensors with their big data analytics, and it tells them exactly when each engine is going to fail — and that’s how they make money.

Knowledge@Wharton: How receptive has the private sector been to developing cyber-physical systems? Does it require a big investment? What’s the ROI?

Rhee: The ROI question is tightly connected to the business model question. Again, there are still companies who think they are going to sell more chips and more radios, and they will make more money that way. But really, they have to think about how they can create a real ecosystem around their existing products, and then create more services that they can charge for, instead of thinking about each piece of hardware as a unique prize that they’ll sell once.

That’s where the GE model is a very interesting model. The companies that are trying to embrace that model are embracing a new reality. Now, they’ll have to go to the next step, not just to manufacture through the factory. The problem is, that takes a lot of creativity. These are not the kinds of changes where you can copy somebody else’s model and implant it on yours — because, for example, not many companies make jet engines. You have to devise your own creative model for your own company, and that is the hard part of this for most of the companies out there. Getting there, it’s tough.

Knowledge@Wharton: Can you give us a couple examples of that — maybe one company that has failed at this, and another one that has succeeded?

Rhee: Well, I wouldn’t say anybody has “failed” yet. It’s still an early stage and everybody’s putting in a lot of time and effort. It’s an ongoing process. There are certain companies that have made more headway — usually, those that have said, “Well, we’re going to do it this way, and whether we fail or not, we’re going to go this way.” That’s the case with GE, and also with Bosch, the Germany industrial company, which is actually taking a similar type of approach.

Knowledge@Wharton: People say — especially with innovation — that you need failures to learn — that failure is not a bad word. You just can’t have too many of them.

Rhee: Absolutely. Without failure, you don’t learn. And if failure itself does not generate revenue, it is going to generate tons of data, so when you have your next challenge, you’ll be able to look at the data you accumulated and make adjustments faster than others.

Knowledge@Wharton: How do you regulate cyber-physical systems? And how do you secure them, especially given the increasing levels of cyber-attacks and hacking?

Rhee: Regulation and security are two different things, actually. Regulation is really the policy issue that government or other bodies should think about. Security comes down to more of a technology issue. In terms of regulation, there are a lot of discussions going on right now inside of the government, but they’re still a fairly early stage. We are probably in the first inning of the ball game at this point. And some would say, “We haven’t even started the game yet, so how are we going to regulate when you don’t even know the game that we’re going to play out?” There are a lot of discussions, and I think government is ready to jump in when it needs to jump in, but at this point, we are just looking into what’s going on and trying to decide.

Knowledge@Wharton: And what about security, in terms of guarding against cyber attacks?

Rhee: One thing that we have to think about in cyber-physical systems and IoT is that the security issues are different than conventional cybersecurity issues.

In conventional cyber security issues, if your PC gets hacked, you’re going to lose your credit card number. OK, that’s not good. But in CPS and IoT, if something gets hacked, somebody may die because of it. Having said that, conventional cybersecurity is always thinking about, how are you going to actually look at the network, and how we can actually use either firewall technologies or something to block any kind of intrusion?

However, if you look at it from the IoT perspective, now there are physical systems involved, so there are different dimensions that you can deal with regarding the cybersecurity. For example, even if somebody breaks into the system, if the system itself is designed so it’s physically protected from doing any harm, then that cyber-intrusion doesn’t really mean much, because the hackers cannot really do anything.

“The requests coming from the end users are not exactly aligned with the problems that these companies are solving today.”

To give an example: If there’s a car running and it’s connected to the Internet, somebody could hack into the car and take control — if the steering system and brake system are somehow connected to that Internet link. But that’s not exactly the best design in the world. As an engineer, if I were the designer, I probably could design a complete decouple between the Internet and those live, safety-critical components of the car’s network. You can design a car that way, so that you can still watch movies through the Internet, but you don’t connect that directly to the steering wheel.

Knowledge@Wharton: What haven’t I asked you that would be important to understand about your world?

Rhee: One thing that is extremely important is the issue of collaboration. IoT by definition is about connectivity, so if you do not work together, the value is not going to be realized, because if you do not connect to each other, that’s not good, that doesn’t really generate any kind of value. But that’s now understood very widely.

A lot of companies do their own thing, a lot of academic institutions do their own thing, but when you go out to talk to the actual end users, their needs are different. Let’s take the case of smart city technology, which is one great example of IoT deployment. When companies try to sell to the cities, city authorities say, “I don’t really need this, because you’re telling me that your product is going to have a better battery life, or something like that. I don’t need to worry those things. I need to have fewer traffic jams. I need to have a better emergency-response scheme, for example. How can you help me with those things?”

The requests coming from the end users are not exactly aligned with the problems that these companies are solving today. So the important thing is to have an end user and a company communicating, and include government from the beginning of the product design and deployment process. That way, whatever effort they put in is not wasted.