As cyber security expert Bruce Schneier has said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

Usually understated in discussions about IoT security: a system only needs to be breached once to wreak havoc on it, or worse, weaponize it. There is no telling what loopholes will soon exist alongside the ones we already face. Likewise, there is also no reason to suspect that AI or other new countermeasures will be enough. Cybercrime evolves with the technology, often outpacing security efforts. “Smart” cars, appliances, and even pacemakers have been hacked, many overridden and controlled remotely. People now talk very enthusiastically about “smart grids”, assuming the cyber defense will be robust enough by then. It won’t be.

Siemens has every practical and PR reason to push for the utmost in cyber security measures, though this is in the high hope that they have already learned to effectively secure existing software. Recall that the Iranian nuclear program, run on Siemens centrifuges, was decimated due to the Struxnet malware in 2010. Though the immediate Struxnet effect proved favorable for national security efforts, it still demonstrates that outside actors can compromise machinery by commandeering the software.

There is no threshold for cyber security; there is only better and worse risk management. For every optimistic IoT development, it is most realistic to multiply the associated risk factor by ten, maybe more. In practice, interconnecting all of our most sensitive and powerful systems means that “smart” hardware at a water treatment facility supplying water to a hundred thousand people can be compromised by malware in the phishing email the receptionist opens. Siemens must choose the path of lowest risk in lieu of the most “innovative” one. There is too much on the line.