As 5G becomes a reality, it’s signaling the dawn of a new age of cellular technology transforming not only the speed, but also the responsiveness of wireless networks. It will enable increased connectivity and flexibility, allowing far more devices to access the mobile internet at the same time. By significantly increasing the available bandwidth, 5G will improve end-to-end performance, delivering a much better user experience.
5G will open up a world of possibilities — from drones acting as the fourth emergency service to allowing autonomous vehicles to communicate with each other and read live map and traffic data. IoT will be transformed from mobile virtual reality to the many touted benefits of smart cities finally coming to fruition.
However, with the rollout of 5G, a new framework for software development is required to cope with the sheer scale and speed of the network. This will necessitate that testing strategies focus on the entire ecosystem rather than a component-driven approach. Companies that have traditionally been competitors will now need to find a way to work together to deliver and maintain the new digital experiences that users expect.
The changing face of testing with 5G: Four factors to include
- Testing the use case, not the code. It needs to work, but the most important question is: Does the experience meet user expectations? With the introduction of the ultra-reliability aspect of 5G, this will become standard.
- Testing energy consumption will now be important. Keeping track of the energy consumption of use cases rather than components will be necessary.
- Testing security. With increased connectivity and speed, security concerns will magnify.
- Testing across companies and ecosystems. Monitor the digital experience on a continuous basis to assure the quality both in pre- and post-production.
For companies that are still burying their heads in the sand and only testing code or component compliance, the advent of 5G will shatter that illusion once and for all. Businesses that want to reap the innovation and monetary rewards from 5G must expand the scope of their testing efforts now or risk being left behind.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Summer is one of the most exciting times of the year. School is out, the weather is great and the countdown to vacation begins. But while the summer brings with it a lot of fun activities, it also brings the potential for higher energy and water consumption, which equals higher bills for personal, business and commercial real estate uses. It’s inevitable that commercial businesses will consume more energy and water during June, July and August with increased usage of cooling systems, lighting and water, but technology can help. The smallest changes can make a huge difference in lowering energy costs and, thanks to smart building technologies offering remote real-time monitoring and control of buildings, it’s possible.
Let’s talk more about how this works.
LoRaWAN is a low-power, wide-area networking protocol based on LoRa technology that enables remote and real-time monitoring and control of buildings. There are hundreds of low-cost sensors always collecting data that is passed through a gateway to a cloud-based server. From there, the data is analyzed by third-party applications putting out real-time metrics which are assessed and generate output responses, such as an alert or action.
LoRaWAN devices and LoRa wireless radio frequency technology enable a number of smart building management systems, such as smart thermostats, sprinklers, locks and outlets, as well as humidity and temperature sensors for water leakage detection. The latter, for example, enables building maintenance professionals to control indoor climates and conserve water and power through predictive analytics, allowing damage to be detected early, thus reducing the cost and potential harm that could come to other sensitive equipment. LoRa technology’s long-range, low-power capabilities also enable a reduction in network infrastructure costs, allowing for easy adaption and implementation.
Outfitting a commercial building with smart devices can lead to significant cost-savings and higher efficiency. This summer, as the heat rises, smart thermostats can be used to auto-adjust indoor temperatures according to preset preferences to ensure employees are comfortable in the work environment and the building is not subject to fluctuating temperatures. Smart outlets reduce electricity consumption by remotely controlling lights, water heaters, humidifiers and anything with a plug, enabling building managers to turn them off and on with a mobile phone. Streamlining this process enables building managers, owners and service providers to view smart devices remotely and ensure all the things within the smart building are continuously connected. LoRa-enabled humidity and temperature sensors are another effective way to monitor water usage and prevent damage due to leaks, as they share real-time alerts allowing businesses and homeowners to act fast and address any issues that arise.
With the right technology in place, commercial building managers can make sure employees are working in a comfortable, safe environment all while reducing cost and increasing connectivity. These devices are an economical way to take on the task of conserving energy, showcasing yet another example of the benefits IoT has for smart building maintenance during the peak of summer.
Picking the right cellular low-power wide area technology for an IoT deployment can be a challenge. While you are looking for the right fit for your use case, you must bypass the technology push. If you know what to look for, you’ll see the subtle differences and their advantages to your case.
LTE-M and Narrowband-IoT (NB-IoT) are types of cellular connectivity intended to save power consumption. Both technologies tweak various network parameters in favor of power consumption, but both come with a sacrifice in latency and speed.
This concept remains when comparing LTE-M and NB-IoT among themselves. In the Narrowband-IoT standard, parameters are tweaked even further in favor of power consumption. But this comes at a disadvantage for power-efficient communication when the cellular modem moves.
Devices on the move? No NB-IoT
There are two major reasons why NB-IoT is not right for mobile IoT use cases:
- It does not support roaming
- It does not support handovers between cells
Roaming might not be an issue for every use case. If you deploy your assets in the U.S., for example, the lack of roaming functionalities is generally not an issue. But if you deploy GPS trackers in Europe, chances are that a vehicle will cross a geographical border many times a day.
Deutsche Telekom and Vodafone completed successful roaming tests on both networks. Although this is a promising accomplishment, we are far from publicly available roaming. The NB-IoT standard requires a small radio band of 200 kHz. Operators can choose from three implementing approaches for its core network — this brings flexibility on the network operator’s side. The NB-IoT modem needs to handle these different approaches — a fact that is irreconcilable with the aim to be cheap, simple and energy-efficient.
The absence of handover support in the standard brings similar problems. When a cell becomes out of reach of an NB-IoT device, it has to go through a full registration cycle again. This can take up to 30 seconds, making it a power-hungry and slow procedure. This contradicts the big advantage for NB-IoT: battery life.
So, is NB-IoT less useful than LTE-M?
No, that’s not the case. When used on a fixed location use case, NB-IoT can be efficient. The simple, cost-efficient hardware combined with deep indoor penetration brings great value. But to unlock its full potential, prepare to go all-in on the technology. There are several ways to use its protocols. Finding the perfect setup with NB-IoT can lead into a deep dive of application layer protocols.
The other answer of the 3GPP to non-cellular LPWAN is LTE-M. It focuses on saving power with two functionalities. The first is its deep-sleep mode, called power savings mode. The second technique wakes up the device only periodically while connected, a mode called extended discontinuous reception. Since LTE-M follows a similar access scheme to 4G LTE, it has a head start with operators already having deployed an LTE-M network.
These two features make LTE-M an attractive option when looking for power efficiency alongside performance. The ubiquity of already-deployed LTE networks acts as a big plus.
Cellular modules tell the story
Both technologies have their own advantages, making them suitable for different use cases, but they are hardly interchangeable. One of the leading providers, u-blox, offers both technologies on the same cellular module — this already tells you that the market hasn’t decided which is winning yet.
To make a well-considered decision, knowing whether your devices will often move is an important factor. Just like power-saving, it is crucial to know what you are trying to achieve. Knowing the true purpose of your systems will help you decide if low-power cellular is an appropriate option.
For those who don’t know Goya’s “Saturn Devouring a Son,” it belongs to his series of Black Paintings — and also serves as the best comparison I can make after IoT World Europe Summit, part of TechXLR8, in London last week.
In the painting, the god Cronos, who immutably governs the course of time, is devouring a son. The act of eating your child has been seen, from the point of view of psychoanalysis, as a figuration of impotence.
To relate this to the conference I attended, Saturn is AI and his impotent son is IoT. Sure, there are other brothers waiting their turn to be devoured by their hungry father — augmented reality, virtual reality, blockchain, digital twins... not even 5G will be spared.
If you’re still waiting for the IoT boom, this event confirmed the fact that IoT is badly wounded — at least in Europe. The few IoT companies that exhibited their products and services showed nothing that could overshadow the big winner: the ubiquitous father AI. Although augmented reality and virtual reality present themselves as great rivals, they have yet to beat their competitors.
The speaker lineup this year included a mix of vendor presentations and client success stories, but neither was able to raise the event. The few large IT firms present, including Microsoft, SAP and Oracle, were on the side of the father AI.
Discussions of the first years of the IoT boom revolved around connectivity, security, IoT platforms and even business models. Today, nobody is interested in these topics. I am sorry for those advising in these areas, but it seems that all the fish has been sold in Western Europe.
It was also apparent that the great integrators weren’t present either. Those that should have implemented IoT for years but never risked investing continue to squeeze clients with digitization projects, cloud migration projects, products updates and customized developments. And I believe most of them have done a disservice to the acceleration of IoT.
Also, there was no great IoT news during the event. Perhaps the most important announcement was given by Marc Overton, who took advantage of his presentation to announce the recent collaboration agreement between Sierra Wireless and Microsoft as the industry’s first full-stack IoT offering — something that happened far from the event.
As for my session, it mixed IoT and blockchain, something that would have guaranteed success for attendees over the past two years, but did not arouse enthusiasm this year. It’s evident it is becoming a commodity — something that’s not bad, since we can finally stop speculating about use cases and start using it in our lives and business.
Don’t worry, the life of IoT events will continue; this week alone there are three more:
- Living bits and things in Bled, Slovenia
- IoT Tech Expo Europe in Amsterdam
- IoT Week in Aarhus, Denmark
Organizers and exhibitors need to reinvent IoT events to make them more attractive to visitors and generate qualified leads. We need IoT events where IoT is present in every corner of the floor, on every stage and in every service, including the cafeteria, restrooms, transportation and so forth. We need to breathe IoT every minute. Otherwise, IoT events will continue driving away visitors and exhibitors, and Saturn — AI — devouring a son — IoT — will become a reality.
There is no shortage of practical commercialized applications around machine learning, AI and blockchain for IoT throughout enterprise and government organizations. Where we have seen the most value across enterprise and government is within prescriptive maintenance. The science of prescriptive maintenance is finally on the cusp of a major transformation with IoT, edge computing and machine learning all poised to accelerate in an era of 5G, quantum computing and innovation in low-power, high-performance processing applications.
It’s critical for companies and government entities to understand the maturity curve of maintenance so they can determine where their operations currently are, where they want to be and where they will get the most return for their investments in technology and processes. They need to explore how to evolve their maintenance programs with future-proof technologies or at least technologies that are not suddenly outdated in the next few years. Prescriptive maintenance is emerging as the next generation of maintenance strategies and will most certainly be a major part of the fourth Industrial Revolution.
What is meant by prescriptive maintenance? The term prescriptive maintenance is derived from the principle of prescriptive analytics. This concept is a step past prescriptive maintenance and it not only supplies the possible outcomes in a situation, but it also gives the best way to approach the maintenance requirements based on analysis of those outcomes. Prescriptive maintenance techniques are designed to help determine the condition of in-service equipment in order to estimate when maintenance should be performed.
Most prescriptive maintenance is performed while equipment is operating normally to minimize disruption of everyday operations. This maintenance strategy uses the principles of statistical process control to determine when maintenance tasks will be needed in the future. The aim of prescriptive maintenance is first to predict when equipment failure might occur, and second to prevent the occurrence of the failure by performing maintenance. Monitoring for future failure allows maintenance to be planned before the failure occurs.
In prescriptive maintenance, a number of tools and techniques monitor the condition of machines and equipment to predict when problems are going to occur by identifying the symptoms of wear and other failures. Prescriptive maintenance is also a philosophy that uses the equipment’s operating condition to make data-driven decisions to improve quality, productivity and profitability. The difference between preventive and prescriptive maintenance is that preventive maintenance tasks are completed when the machines are shut down and prescriptive maintenance activities are carried out as the machines are running in their normal production modes.
Prescriptive maintenance allows government or commercial entities to lower maintenance costs, extend equipment life, reduce downtime and improve production quality by addressing problems before they cause equipment failures. The more high-quality data fed into the prescriptive model, the better its accuracy. Some examples where prescriptive maintenance can be implemented for enterprise and government include the tying together of live monitoring equipment with historical failures and maintenance logs, along with the spare parts refurbishment inventory and maintenance ticketing systems that automate the process of understanding signals that lead up to failure. Algorithmically, it can then have the system check if there is a spare part in inventory and then process the work order for the maintenance event to happen all in a fluid process.
Anyone can advertise these tools. But note that artificial intelligence, machine learning and blockchain services are only part of the process of building, training and deploying coherent models into production systems. When bringing an AI and deep learning solution to a problem, ensure that experience is represented in all aspects of the technology stack.
Any individual can operate the machine; it requires additional knowledge to manage the system. It is critical to determine ways data can be used to configure and trigger machines, prove authenticity or produce any type of output intended to get a business closer to its goals. Also, work to define a problem well before its solution to ensure that the right data gets to the right person or system at the right time.
Amid eye-popping investment figures, hype and claims from both established and emerging automation vendors, gaining clarity on robotic process automation is now a major issue. As the pioneers of RPA technology — which has fueled a rapidly expanding, yet confused market — we feel that it’s more important than ever to redefine what the technology is and what it isn’t.
Forrester Research identified nearly 40 companies offering some sort of RPA or intelligent automation capabilities. This has led to a lot of hype and disappointment on the part of users for what the technology can actually deliver. RPA assertions are important, and not every vendor can back up its automation claims. True RPA is complex and relatively misunderstood, so without a definitive reference point, organizations risk choosing either the wrong options or bad, poorly designed automation options.
Delivering true RPA
True RPA was designed from the start to successfully operate in large-scale, demanding enterprise deployments to enable tactical, business-led change. Since we began developing and evolving RPA software back in 2001, the technology has played an increasingly significant role in transforming the efficiency and productivity of workplace operations of over a thousand large organizations.
We’re now entering a new era of collaborative technology innovation being enabled by ever-greater, more intelligent business automation: connected-RPA. Connected-RPA enables organizations to increasingly release the combined creativity of digitally savvy business users who really understand their business. By giving them the ability to access and exploit leading-edge cloud, AI, cognitive and other capabilities, they can innovate and swiftly develop new, compelling offerings to keep pace with ever-changing market demand.
The origins of connected-RPA go back to when we started solving the “human middleware” issue in banking environments, where human workers perform mission-critical, repetitive tasks requiring interoperability and integration between enterprise-wide IT systems. RPA was the breakthrough software that carried out tasks in the same way humans do — via an easy-to-control, automated digital worker — or intelligent software robot.
Digital workers have also progressed from not only reading any third-party application like humans, but also conducting work like humans. They are interconnected, communicate with one another to collaborate, share workloads and operate as a highly productive digital team. Digital workers make adjustments according to obstacles — whether different screens, layouts or fonts, application versions, system settings, permissions or even languages.
It’s the unique, universal enterprise connectivity capabilities of digital workers, coupled with the increasingly intelligent way that they operate, that’s now being harnessed by business users to integrate with and orchestrate any new or existing technology application. Business users simply create automated processes by drawing and designing process flowcharts, which are then used by the digital worker to automate a task.
Having both human and digital workers working together, while seamlessly interacting with existing and new applications, creates a powerful, intelligent, collaborative digital ecosystem, which is the essence of connected-RPA. This also provides the foundation for ongoing digital transformation, and leading industry academics expect connected-RPA to emerge as the execution platform of choice for best-of-breed AI and cognitive technologies across the enterprise.
Although connected-RPA is business-led, to maintain long-term success it must operate in an IT-endorsed and controlled environment. Therefore, to ensure that they’re trusted by demanding enterprises, digital workers are designed to be scalable, robust, secure, controllable and intelligent. Business users train digital workers without coding, so the system infrastructure remains intact and IT development isn’t needed. If code is used to build automations outside the technology department, unwelcome shadow IT is introduced, along with unaudited process models that represent threats such as backdoors, security flaws and audit failures.
The process models run by the digital worker are made explicit in the process flow chart for each process automated, which is subject to audit and change control and security with dual-key authentication. This approach is highly secure and compliant, as all documentation is securely managed within a connected-RPA platform and protects the business from rogue employees, rogue robots and shadow IT.
Beware of imitators
The majority of newer RPA-labelled offerings, such as robotic desktop automation (RDA), desktop robot, or attended RPA, have been designed to deliver multiple, short record-and-replay tactical automations for navigating systems on desktops. Let’s be very clear: These automation technologies offer limited scaling capabilities and are masquerading as real RPA technology.
Desktop automation’s big promise is that business users working in front and back offices and across different departments can record a process and have software robots deployed within hours. Where processes are complex and require more technical skills, users can automate just some parts of the process that can be recorded and leave the rest. Organizations are being assured that their business users don’t need to involve the IT department, so by bypassing the IT work queue, they can experience both business benefits and ROI faster than other RPA approaches.
The problem with desktop recording and the notion of a personal software robot is that a single human user is given autonomy over a part of the technology estate — their desktop — which introduces a lack of control and by extension creates multiple security and compliance issues. Desktop recording spells trouble for the enterprise as it captures choices based on an individual’s interpretation of a process versus a central consensus for the best path. This obscures a robot’s transparency and hides process steps, which when duplicated over time becomes a potential security threat and limit to scale.
There are two other major drawbacks of the desktop approach to automation. First, if a robot and a human share a login, no one knows who’s responsible for the process; this creates a massive security and audit hole. Secondly, if a robot and a human share a PC, there’s zero productivity gain as humans can use corporate systems as fast as robots. So, this approach doesn’t save any time or make the process any slicker for a user.
By restricting automation to a multidesktop environment outside of the IT department or any central control, RDA vendors are effectively sanctioning and using shadow IT as part of their deployment methodology. This is potentially damaging for an organization as shadow IT, in the context of RDA, means unstructured, undocumented and uncontrolled technologies become part of business process flows.
For example, consider the creator of a desktop-automated process leaves the company or an organization changes. This can lead to audit failure due to an unknown fulfillment activity taking place or security holes, such as passwords embedded in these lost processes, fraud and denial of service. If your business allows departments to build these recorded desktop RDA scripts, then over time you will eventually create a shadow IT nightmare.
Ultimately, as the core architecture of desktop automation isn’t built on strong foundations, it may not be fit for the long-term demands of an enterprise environment. Many of these deployments never get beyond simple subtasks which have been executed using an agent’s login and run on their own desktop. Although they may help that particular task, they deliver limited capabilities and are not transformative at all.
Ultimately, false RPA limits the scale and potential of the technology to the confines of the desktop and introduces a variety of risks, too. True connected-RPA provides a platform for collaboration, securely and at scale, across more than 1,300 large organizations where human workers, systems and applications are already creating a powerful, intelligent, safe ecosystem of partners that enable a real digital transformation.
As industry experts project a continued explosion in the number of IoT devices connected globally, security remains a hot topic — at least partly because of the significant challenges it brings. Despite IoT being a relatively new industry, there have already been many high-profile security breaches. Perhaps the biggest example to date is the Mirai botnet in 2016, where thousands of devices, such as cameras and DVR players, were infected and a massive denial-of-service attack was launched. The attack affected major services on the internet, including many leading brands like Twitter, The Guardian, Netflix, Reddit and CNN.
Given the severity of this and other breaches, unsurprisingly security remains one of the top technical barriers to IoT implementation success according to a survey published by Gartner in 2018. Undoubtedly, insecure devices and related breaches can result in lost revenue, brand impact and liability for manufacturers and distributors. And, for some IoT applications in areas like healthcare, critical infrastructure and automotive, even human safety can be at risk.
Identity is key to security
IoT brings a new and intricate scale to securing devices as deployments can be large and distributed, and often include mobile devices. Although security remains at the forefront, the industry is still largely grappling with how best to secure IoT deployments. Deployments often undergo a complex manufacturing process with multiple steps and potentially many production lines. Because of these complexities, security is perceived to be difficult, often falling low on the agenda. And as manufacturers are driven to get products to market quickly to maintain a competitive edge, security is often deprioritized instead of ideally being built in from the start.
As a result, the IoT security discussion takes many forms, involves many possible components and still includes a fair amount of confusion. However, underpinning all IoT security schemes is one fundamental requirement: the essential ability to identify devices and services and ensure that they are, in fact, who or what they say they are. This seems simple, but can be detrimental to the protection and governance of an IoT ecosystem if overlooked.
A device identity can take a number of forms; sometimes developers use a piece of information that already resides in one of the existing components, for example, a network MAC address or serial number burned into a microprocessor, or even worse, a hardcoded password compiled into the firmware. These sorts of identities aren’t very secure, are easy to spoof and can’t be used to either guarantee the identity of a device or to secure communications between the device and a service.
Managing IoT complexity with a PKI
To enable a truly trusted ecosystem, each device must be authenticated with an embedded and cryptographically provable identity. If you can’t trust the identity of the device, then you can’t trust the data you receive from the device. This is where public key infrastructure (PKI) comes in. The main purpose of a PKI is to manage keys and certificates that are used to enable trusted infrastructures by enabling parties to mutually authenticate, to transmit data securely between each other and to prove that specific data genuinely came from the party that it claims to have come from. The same elements of trust are required to secure IoT. We need to trust that each device is the one it claims to be and that the device is talking to the appropriate service — both components want to know the communications between them are secure and that there has been no data tampering.
Once a device has a trusted identity, then all the other services and communications from it can be protected. For example, on a medical device, the personal health data being transmitted is sensitive, so it is important to encrypt the communications such that only the authorized healthcare provider can decrypt it. Those encryption keys can be delivered as part of the device’s identity.
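To make the difference between a claimed identifier and a cryptographically provable identity concrete, here is an added example in Go (not code from the original article): a CA issues a device certificate, and the service accepts a peer only if the certificate chains to that CA and the peer signs a fresh challenge with the matching private key. The CA name, the device name sensor-0001 and all function names are constructed for the illustration, and both sides run in one process for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus the private key it certifies. The certificate
// is public; a device's key is provisioned once and never leaves the device.
type Identity struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newIdentity generates a P-256 key and has ca certify it (self-signed root if ca is nil).
func newIdentity(cn string, serial int64, ca *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca == nil { // root CA: allowed to sign certificates, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		ca = &Identity{tmpl, key}
	} else { // device leaf: may only authenticate itself as a client
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{cert, key}, nil
}

// authenticate is the service side: check the chain, then demand proof of possession.
func authenticate(trusted *x509.Certificate, peer *Identity) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by trusted CA: %w", err)
	}
	nonce := make([]byte, 32) // fresh per attempt, so a recorded response cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, peer.key, digest[:]) // this step runs on the device
	if err != nil {
		return "", err
	}
	pub, ok := peer.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge failed: peer does not hold the certified private key")
	}
	return peer.Cert.Subject.CommonName, nil
}

func must(id *Identity, err error) *Identity {
	if err != nil {
		panic(err)
	}
	return id
}

func main() {
	ca := must(newIdentity("Example Device CA", 1, nil))
	genuine := must(newIdentity("sensor-0001", 2, ca))
	// Same (public) certificate, but a key the CA never certified.
	clone := &Identity{genuine.Cert, must(newIdentity("unrelated", 3, nil)).key}
	// Same device name, but issued by a CA the service does not trust.
	foreign := must(newIdentity("sensor-0001", 2, must(newIdentity("Unrelated CA", 1, nil))))
	for _, peer := range []*Identity{genuine, clone, foreign} {
		id, err := authenticate(ca.Cert, peer)
		fmt.Printf("id=%q err=%v\n", id, err)
	}
}
```

Only the first peer is accepted: copying the certificate, like copying a MAC address or serial number, is not enough without the private key, and a matching device name from another issuer fails chain validation.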
Options for implementing a PKI
Fortunately, there are several options for including this critical element of the IoT security puzzle. Many traditional PKI services are available or you may decide to build your own.
Many traditional PKIs were designed to support the delivery of certificates for websites to secure SSL or to deliver employee credentials enabling access to certain services — for example, only managers can access payroll data — to enable VPNs providing secured communications or managing building access control. PKI providers typically haven’t needed to design their infrastructure to scale to the levels required for delivery into IoT. IoT deployments can scale to tens or hundreds of thousands of devices at a time, such as CCTV cameras covering a large metropolitan area. Traditional PKIs also may not support the delivery of custom secured payloads, like secure applications, XML files or other data structures as per your security model. To be sure to choose the right provider, look for one that specializes in delivering device identities.
What about running it yourself? It’s possible, but it’s hard to get right and you are better off leaving it to the experts. There are complexities around running a PKI that require careful consideration. It not only requires a lot of infrastructure, including servers and hardware security modules, but also physically secure data centers with access control and policies. People need to be vetted and processes need to be put in place to ensure no single person can gain access to the keys.
So, now that you know the secret, the most important aspect of any IoT security scheme is that it’s built on the concept of a trusted identity. As identity underpins everything else, it needs to be included in the design from the start, and it should be built on proven trusted technology.
Amazon Prime devotees may not pay much attention to the by-the-minute, step-by-step updates to shipping statuses they can access about their purchases, but this is proof of the triumph of IoT writ large in everyday life. IoT has changed how goods are brought to market, and it has the potential to change the future of mobility even further.
A central component of economic growth is the movement of goods and people. As demographic shifts change where people live and work and the world’s population becomes more urban, strong transportation networks will be key to continued growth and prosperity for all nations and will have a blunting effect on inequality. IoT can help bolster the resilience of these transportation systems by offering real-time monitoring, adjustments to optimize the flow of goods and people, automation of some services and predictive analytics that can anticipate future needs. These efficiency gains will be all the more important because simply building more infrastructure will not solve the problems posed by rapid urbanization, lack of hierarchical roadway systems, increased motorization, poorly maintained or inadequately built infrastructure and a lack of overall resources. The future of mobility must include IoT capabilities that allow for the monitoring, regulation and logistical support to make a transportation network truly resilient.
Recent research by my colleague, Mariyam Hasham, shows some of the best uses of IoT can already be seen in transportation and logistics companies, where IoT applications are used to track and trace, for network efficiency and to reduce idle time. Real-time monitoring allows for better asset maintenance, and the use of predictive analytics can speed up turnover in supply and demand chains. For transport and logistics companies that have supermarkets and other retailers with a high turnover of goods, just-in-time deliveries made possible by IoT reduce overheads and ensure optimum freshness of products. Of customers who order a product online, 88% expect to have the ability to track their order from time of purchase throughout the shipping chain until final delivery.
Organizations that manage a fleet can take advantage of IoT capabilities such as intelligent dispatching, real-time incident response and asset monitoring. The logistical complexity of managing vast fleets across multiple countries and supply chains can be simplified by combining IoT applications that provide wide real-time monitoring. This leads to fluidly interconnected business systems that still allow for customization to meet specific fleet and customer needs. For example, transportation and logistics companies that transport perishable or fragile goods can use IoT technologies to continuously monitor and adjust temperatures without human intervention. This reduces the costs of spoilage or contractual failure.
By implementing IoT technologies, transport and logistics companies make their supply chains more resilient, improve their customer interactions, reduce costs and improve their efficacies. Additionally, these initial IoT systems will create the groundwork for city-wide systems that enable driverless cars, improved public transportation systems and a coming revolution in mobility services.
Concerns about security continue to hinder the adoption of IoT devices. Enterprise customers indeed are interested in buying more IoT devices, but only if vendors can provide better security for them.
Bain & Company conducted research into the attitudes of enterprise buyers about cybersecurity and the internet of things, and we found that executives would buy, on average, 70% more IoT devices for their systems if cybersecurity concerns were addressed, compared with what they would buy if the status quo remains. Additionally, 93% of the executives we surveyed said they would pay an average of 22% more for devices with better security. Bain estimates that improving security for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion in 2020.
For IoT device vendors — companies that make IoT devices as well as those that provide related solutions — the message is clear: Improve security to gain a competitive edge and expand your market.
Most executives we surveyed (60%) said they are very concerned about the risks IoT devices pose to their companies — not surprising, given the damage that an IoT security breach can cause to operations, revenue and safety. When poorly protected, IoT devices can allow access to enterprise systems, resulting in large data breaches. For example, in January 2018, a Mirai malware variant called Okiru targeted ARC processors embedded in billions of IoT products.
Executives who manage security say they want technologies that are highly effective, easy to integrate and flexible to deploy. Companies take a range of approaches to meet their security needs based on their capabilities and the availability of marketplace mechanisms from vendors. Only about a third of IoT cybersecurity systems used today are from IoT device vendors, indicating that vendors either are not offering holistic, high-quality technologies that meet consumer needs or are not promoting them well enough. Our research found that companies with the most advanced cybersecurity capabilities rely more on internally developed security mechanisms, not only because they may have more complex needs, but also because they are more likely to have the resources to develop their own technologies. As might be expected, companies with ad-hoc security capabilities have the most gaps across all IoT layers that we tested, including access interface, applications, data, hardware and operating system, network and operations.
We also looked at how companies deploy technologies by layer of security, and found ample opportunity for IoT device vendors at every layer of the stack. Our survey shows that the access interface layer has the greatest level of protection, whether internally developed or provided by a manufacturer or third party. Other layers of the stack are protected by more internal systems — or, in some cases, none at all.
IoT device vendors and ecosystem players that move quickly to improve the security around IoT devices are likely to reap rewards, both from their ability to earn a premium and from an expanded market.
First, manufacturers need to understand how customers are using their devices. Refreshing their understanding of customer use cases every 12 to 18 months will allow them to stay on top of evolving security requirements and identify unmet needs. Ascertaining the average cybersecurity maturity level of their customers will help manufacturers invest in the appropriate out-of-the-box and add-on systems.
Second, manufacturers should provide cybersecurity capabilities on the device and, when possible, partner with trusted cybersecurity vendors to offer additional systems. Engineering teams should embed secure development practices into the software and hardware components of the device, and provide inherent technologies for the access interface, apps, data and device layers.
Third, manufacturers also need to meet quality assurance thresholds and be able to certify that their IoT devices are free from known vulnerabilities. This would mitigate a major pain point for customers, who sometimes install new devices without realizing they contain vulnerabilities. Deploying a more methodical process to identify and remove vulnerabilities across layers, or engaging third-party vulnerability scanning and penetration test firms, can help manufacturers meet this bar.
Finally, manufacturers can fulfill their obligations during the warranty period by continuously testing for new vulnerabilities and by providing software and firmware updates, as well as feature and functionality upgrades for out-of-the-box and aftermarket systems. Delivering updates to firmware, operating systems and applications in response to newly discovered security vulnerabilities should remain a top priority throughout the warranty period.
These four steps are a start, though by no means all it will take to begin addressing the security concerns that are holding back IoT device adoption. While growth in IoT markets seems destined to continue its inexorable march, many enterprise customers will continue to move cautiously until they can gain some reasonable assurance of security — not only of their data, but also of the operations that increasingly rely on devices, sensors and IoT.
This article was co-written by Ann Bosche, a partner with Bain’s Global Technology practice, and Frank Ford, a partner with Bain’s IT practice. Ann is based in San Francisco and Frank is based in London.
A mere buzzword a few years ago, IoT has come to define modern technology: digital, smart, connected. From watches to vehicles and from homes to entire cities, our world is becoming smarter and more connected by the day.
However, IoT’s promise of a more convenient, more efficient future comes with drawbacks. Smart devices don’t always live up to their name. While they are smart at doing what they were designed to do, most are lacking when it comes to peripheral areas — security in particular.
In recent years, the IoT ecosystem has become a hot target for bad actors, affecting everyone from consumers to critical infrastructure. The healthcare sector in particular has become a lucrative target, not only because it’s one of the most IoT-centric industries, but also because it handles the most sensitive data: personally identifiable information and health data. Protecting medical IoT gear is tough, because embedded devices don’t support individual security agents. So how, then, can we protect medical IoT products?
Lack of security puts lives at risk
Frost & Sullivan estimated that internet of medical things (IoMT) devices will number between 20 and 30 billion by 2020, and will be used for anything from remote patient care to hospital operations to interoperability and data management.
These devices have embedded operating systems, which means they usually don’t allow third-party software into the OS or, even worse, can’t be patched. As IoMT devices proliferate beyond hospital grounds, connected medical equipment used in homes and even in human bodies has become vulnerable to attacks.
Medical IoT security incidents are on the rise, according to the 2018 HIMSS Cybersecurity Survey. A study by Netherlands-based Irdeto goes even further, showing how organizations in transportation, manufacturing and healthcare have suffered substantial losses due to IoT-related incidents. According to the report, such incidents cost on average more than $330,000. Of the 700 enterprises surveyed across China, Germany, Japan, UK and the U.S., 80% admitted to suffering an IoT-related cyberattack in the past year. And almost half of respondents said they need additional expertise within the organization to address all aspects of cybersecurity. More worrying is the fact that 82% of organizations that manufacture IoT devices are themselves concerned that what they put on the market is not adequately secured against potential cyberattacks.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently issued an urgent notice that researchers found a potentially deadly flaw in cardio defibrillators equipped with wireless functions.
Patient data is a hot commodity
The dangers don’t stop at the hardware level. IoMT devices frequently access healthcare networks, expanding the attack surface for criminals to steal electronic medical records and other patient data. Cybercriminals then monetize the data, which is especially lucrative in fraud and extortion campaigns.
As IoMT devices continue to proliferate, and with them the potential for attacks and network breaches, healthcare organizations must be prepared to monitor and detect threats for thousands of endpoints. This means an additional challenge of ensuring the best security posture along with meeting stringent compliance measures.
Catching attackers in transit
The inability to install security reporting agents on individual IoT devices has brought to light a serious issue: Attacks are typically detected when it’s too late. This challenge has given birth to a new category of security mechanisms expressly designed for individual and networked IoT devices. These systems use network traffic analytics (NTA), a technology that lets IT admins detect, without installing an agent, anomalous network traffic behavior they would otherwise have missed.
The technology is well suited to healthcare environments where IT staff is limited and the specialized skill set of a cybersecurity analyst may not be among the ranks.
The value of NTA is two-fold. First, it identifies and reports what looks like anomalous network traffic without any agents installed, by non-intrusively taking a copy of the network traffic for analysis. Second, it focuses on the network traffic metadata without the need for deep packet inspection, thus providing insights into all traffic, whether or not it is encrypted. This also means NTA meets the compliance requirements of GDPR, HIPAA and the like, allowing logs to be stored for future forensics analysis.
Perhaps most importantly, NTA automates the process of security incident triage to accelerate investigations and reduce the number of trivial alerts, addressing the ongoing issues associated with alert fatigue that so many IT personnel face. It uses machine learning models trained in complex scenarios to correlate thousands of events and report anomalous traffic with high accuracy. Additionally, NTA provides detailed explanations for the incident severity score and recommends remedial actions to speed up incident response.
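The agentless, metadata-only detection described above can be illustrated with a small worked example. It is added here and is not code from the article or from any NTA product: it swaps a simple per-device statistical baseline in for the machine learning models mentioned, and the device names, addresses, ports and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow metadata only: (device, dst_ip, dst_port, bytes_out). No payloads.
BASELINE_FLOWS = [
    ("infusion-pump-07", "10.20.0.5", 443, 1200),
    ("infusion-pump-07", "10.20.0.5", 443, 1350),
    ("infusion-pump-07", "10.20.0.5", 443, 1100),
    ("ecg-monitor-02", "10.20.0.9", 8883, 5200),
    ("ecg-monitor-02", "10.20.0.9", 8883, 4900),
    ("ecg-monitor-02", "10.20.0.9", 8883, 5100),
]
LIVE_FLOWS = [
    ("infusion-pump-07", "10.20.0.5", 443, 1250),    # matches baseline
    ("infusion-pump-07", "203.0.113.50", 23, 300),   # peer never seen before
    ("ecg-monitor-02", "10.20.0.9", 8883, 950000),   # volume spike to known peer
    ("xray-console-01", "10.20.0.9", 443, 800),      # device with no profile
]

def build_baseline(flows):
    """Per device: the set of (dst_ip, dst_port) peers and byte-count statistics."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for device, dst_ip, dst_port, nbytes in flows:
        peers[device].add((dst_ip, dst_port))
        sizes[device].append(nbytes)
    return {d: {"peers": peers[d], "mean": mean(sizes[d]),
                "std": pstdev(sizes[d]) or 1.0} for d in peers}

def score_flow(baseline, flow, z_limit=4.0):
    """Return the reasons a flow deviates from its device's baseline (empty if none)."""
    device, dst_ip, dst_port, nbytes = flow
    profile = baseline.get(device)
    if profile is None:
        return ["unprofiled device"]
    reasons = []
    if (dst_ip, dst_port) not in profile["peers"]:
        reasons.append("new peer")
    if (nbytes - profile["mean"]) / profile["std"] > z_limit:
        reasons.append("volume spike")
    return reasons

def triage(baseline, flows):
    """Drop flows that match the baseline; list the rest, most reasons first."""
    alerts = [(f, r) for f in flows if (r := score_flow(baseline, f))]
    return sorted(alerts, key=lambda a: len(a[1]), reverse=True)

if __name__ == "__main__":
    for flow, reasons in triage(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(flow[0], "->", f"{flow[1]}:{flow[2]}", reasons)
```

Because the checks use only addresses, ports and byte counts, they behave the same whether the underlying sessions are encrypted or not.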
Whether you’re a small medical practice or a state-level healthcare institution, an NTA-based security tool dramatically reduces the exposure of your IT infrastructure, sensitive medical equipment, patient data and even patient lives to increasingly sophisticated online threats.