Cities of all sizes are exploring innovative new ways to use technology to optimize public transit routes, reduce vehicle congestion, increase safety and enable faster emergency response. From sensors that detect speeds and can help reroute traffic, to smart mass transit systems that turn buses and trains into Wi-Fi hotspots and provide real-time scheduling updates, technology is enabling innovative new approaches to both public and private transportation. But for these types of connected transportation initiatives to happen, cities, states and local governments will need both new technology architectures as well as new physical infrastructure to help connected vehicles and transit systems share data with each other and the environment around them.
Where to begin
Different cities, states and local municipalities will have different needs and goals, but there are some commonalities among most connected transportation initiatives. Those looking to move forward into the era of connected transportation and mobility may want to begin by focusing on the following areas:
- Safety — Implementing connected transportation initiatives that can help improve safety is top of mind for any government. There are many ways that cities can use data to create a safer environment. For example, by communicating with roadside infrastructure and accessing microclimate weather data, connected vehicles can alert drivers to a patch of fog, ice or other hazard on the road ahead. They can communicate with traffic signals to know if they are about to change and adjust speed accordingly, or even alert the driver to slow down when entering a school zone. All these examples can help reduce the number of crashes and fatalities on our roadways.
Another popular safety initiative for cities is traffic signal preemption. By connecting traffic signals and emergency response vehicles with the proper sensors and exchanging real-time data, cities can prioritize emergency responders and police, allowing them to preempt the traffic signals and arrive on scene faster. Doing this on a common, converged IP infrastructure and using standards-based dedicated short range communications enables the reuse of this architecture for many other applications with reduced incremental cost. This can yield enormous value through unlocking new data sets.
- Mobility — With all the different transportation options available today, people want a seamless mobility experience when it comes to optimizing planning, scheduling, wayfinding and paying for their trips across different modes of transportation — and they want to be able to do it all from one platform. For example, if a person’s journey combines multiple modes of transportation such as bus, train and car-sharing, they should be able to easily schedule and pay for all those services from one platform or interface rather than accessing multiple different applications, scheduling and ticketing systems. To do this, cities will need the ability to connect different modes of transportation — each with varied types of data — from multiple different transportation infrastructure assets and integrate it all in one common platform.
- Efficiency — Asset utilization and the ability to gain benefit out of the common infrastructure assets already in place are important goals for many cities. By connecting existing infrastructure assets to a multiservice IoT network and enabling greater data-sharing capabilities, central operations centers for mass transit systems can monitor their fleets in real time, adding capacity and rerouting or making adjustments as needed. They can also provide riders with real-time alerts on scheduling changes for greater efficiency and reduced operational costs.
Underpinning each of these initiatives is the need for cities to build greater connectivity and data sharing. Much of the transportation infrastructure today is either not connected or is built on legacy and/or proprietary systems, making it difficult to gather and share data from different infrastructure assets all running on disparate technology platforms. For connected transportation to achieve its maximum potential, cities need to be able to gather data in real time from IoT-enabled assets like traffic lights and road sensors, combine it with other data, such as current weather data or video feeds from IP cameras, and share it with connected vehicles, public transit systems, emergency response crews and more.
To increase connectivity and data sharing, cities will need to build out both the technology infrastructure — data centers, cloud infrastructure, power, fiber optic cable, switching and routing infrastructure, cybersecurity — as well as the hardened, physical infrastructure assets such as IoT-connected traffic signals and sensors along roadways. Using the reference designs for connected and automated vehicle systems provided by the Department of Transportation, cities can build a data center architecture that is capable of scaling to handle the huge volume of data that will be generated by the hundreds of millions of connected vehicles and smart infrastructure assets that will all be communicating with each other. They should build a multiservice network that is capable of integrating multiple different technologies and disparate data sources onto one platform. This will allow everything from the traffic signals to connected vehicles on the road to weather data and data from mass transit systems to all function on the same infrastructure.
In addition to building out the technology architecture and physical infrastructure, cities will need to establish policies and procedures for data security and privacy. As transportation systems become more connected, they become increasingly alluring targets for cybercriminals, who can attack both the IT systems and even the operational technology controlling connected transportation systems to cause significant disruptions. Strong cybersecurity needs to span from the data center to the hardened infrastructure assets at the edge of the network, as well as the in-vehicle systems. Cities should plan to make ongoing investment in cybersecurity a high priority both in capital planning as well as operational planning, much the way that safety is today.
Likewise, cities will also need to develop and put into place appropriate processes, policies and procedures regarding data privacy and sovereignty. As citizens’ private vehicles are increasingly connected and communicating with city infrastructure, and vice versa, difficult questions are raised over how much control individuals have over the data their vehicles generate and share, who is allowed to monetize that data and who owns it. Cities will need to address which parties get to use the data being generated by different elements of the transportation system, who can access it, who it is shared with and more.
Finally, if the city or state’s transportation authorities have not already done so, they should join the Surface Transportation Information Sharing and Analysis Center to stay up to date on current threats, mitigation strategies and best practices.
By increasing connectivity and building a technology architecture that integrates data from many different sources onto a single platform, as well as establishing policies for data security and privacy, cities, states and local governments can create the foundation for a modern, connected, transportation system that will improve safety, mobility and efficiency both now and throughout the future.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Smart homes… smart cars… smart lightbulbs… It’s safe to say that the internet of things era is well underway after years of hype and hope. And with all the optimistic predictions about nearly unlimited business opportunities throughout the ecosystem, it seems that everyone is rushing to cash in with new technologies and use cases.
Dumb and dumber?
To date, most of the focus has been on adding sensors and assigning IP addresses to all manner of “things” to create “smart” devices. However, some things, such as a gas pressure sensor, need to send only small amounts of data and are too small, lack an external power source or, in the interest of cost-efficiency, simply cannot justify the business model for IP connectivity. Such things can communicate using non-IP protocols. A significant amount of IoT value creation will come from such devices. So, is it possible to connect millions of unsophisticated devices without compromising security?
Power to the (IoT) cell!
Cellular IoT (CIoT) networks can be built using several technologies, including CAT-M1, LTE, Extended Coverage GSM or Narrowband IoT. Different technologies are suited to various IoT use cases, so it’s likely that many operators will build their CIoT networks to support more than one technology for maximum functionality. These networks will connect billions of small devices and other things, many of which are expected to send and receive very little data while consuming minimal power.
To achieve these small data transfers as efficiently as possible, a 3GPP mechanism referred to as Non-IP Data Delivery (NIDD) can transmit unstructured data without using an IP stack. This involves the forwarding of data to a Service Capability Exposure Function (SCEF), acting as a sort of network gateway within the 3GPP architecture, which then makes the data available via IP-based APIs. 3GPP standards have done a great job optimizing the architecture to extend device battery life, reduce network complexity and improve network performance. Even so, mobile operators require extra safeguards to protect IoT devices — and their networks — from poorly written applications and serious security threats originating from hijacked dumb things.
Many unsophisticated IoT devices will be very simple in terms of processing and lack intelligence to detect and overcome threats. The intelligence to detect threats and protect connected devices needs to reside in the network. Moreover, the operator’s CIoT network also requires intelligence to protect the network and devices from poorly performing application servers. For example, an application undergoing a distributed denial-of-service attack will become unresponsive and may trigger connected devices to stay inactive for longer or to connect more often, thus draining the device battery as well as wreaking havoc on network utilization.
A gateway to tomorrow
In order to fulfill the essential SCEF functionality required for NIDD transmissions without sacrificing security or performance, network operators can use a gateway to connect the CIoT network with cloud-hosted applications. This could be a strategic network component that allows operators to seamlessly and securely interface with cloud-based application frameworks, protecting the network and subscriber devices from cyberattacks and other threats originating from untrusted internet environments. In addition to security, a smart gateway can provide other functions like network abstraction, enhance connectivity to multiple cloud platforms and extend SCEF functionality to other APIs such as MQTT or JSON.
With the addition of a gateway, operators can create intelligent CIoT networks, with the following key functions:
- Analytics to identify abnormal behaviors in device communication, prompting threat investigations
- Backup and disaster recovery features
- Terminate MO messages and send acknowledgement to the device while buffering the message for delivery to the application server
- Buffer and batch MT messages from the application server for device delivery, helping to minimize device wakeups and active connection state
- Cache device dynamic data, enabling applications to receive device state information served from the network without pinging the device
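The MO, MT, caching and analytics functions in the list above can be modelled together in a short simulation. This is an added example, not code from the original article or from any 3GPP or vendor implementation; the class `CIoTGateway`, its method names, the device IDs and the traffic are constructed for illustration, and a simple per-device rate threshold stands in for the unspecified analytics.

```python
from collections import defaultdict, deque


class CIoTGateway:
    """Toy model of a gateway between a CIoT network and an application server.

    All names here are hypothetical; this is not a real SCEF API.
    """

    def __init__(self, window_s=60, max_msgs_per_window=5):
        self.window_s = window_s
        self.max_msgs = max_msgs_per_window
        self.mo_buffer = deque()             # MO messages awaiting the app server
        self.mt_pending = defaultdict(list)  # MT messages awaiting a device wakeup
        self.state_cache = {}                # last known data per device
        self.mo_times = defaultdict(deque)   # recent MO timestamps per device

    def on_mo_message(self, device_id, payload, now):
        """Terminate an MO message: ack the device at once, buffer for the app."""
        self.mo_buffer.append((device_id, payload, now))
        self.state_cache[device_id] = {"last_payload": payload, "last_seen": now}
        times = self.mo_times[device_id]
        times.append(now)
        while times and now - times[0] > self.window_s:
            times.popleft()                  # keep only the sliding window
        return "ACK"                         # device can go back to sleep

    def flush_to_app(self, send):
        """Forward buffered MO messages; stop and keep them if the app fails."""
        delivered = 0
        while self.mo_buffer:
            if not send(self.mo_buffer[0]):
                break                        # app server unresponsive: do not drop
            self.mo_buffer.popleft()
            delivered += 1
        return delivered

    def queue_mt(self, device_id, payload):
        """Buffer an MT message instead of waking the device for each one."""
        self.mt_pending[device_id].append(payload)

    def on_device_wakeup(self, device_id):
        """Hand over every pending MT message as one batch."""
        return self.mt_pending.pop(device_id, [])

    def get_state(self, device_id):
        """Serve device state from the cache without pinging the device."""
        return self.state_cache.get(device_id)

    def abnormal_devices(self, now):
        """Flag devices whose MO rate in the window exceeds the threshold."""
        flagged = []
        for dev, times in self.mo_times.items():
            recent = sum(1 for t in times if now - t <= self.window_s)
            if recent > self.max_msgs:
                flagged.append(dev)
        return sorted(flagged)


def demo():
    gw = CIoTGateway(window_s=60, max_msgs_per_window=5)
    # Constructed traffic: a meter reporting once a minute...
    acks = [gw.on_mo_message("meter-1", b"\x01\x2c", now=t) for t in (0, 60, 120)]
    # ...and a sensor that suddenly sends 20 messages in 20 seconds.
    for t in range(100, 120):
        gw.on_mo_message("sensor-9", b"\xff", now=t)

    # Application server is down: devices were already acked, nothing is lost.
    delivered_while_down = gw.flush_to_app(lambda msg: False)
    buffered = len(gw.mo_buffer)
    delivered_when_up = gw.flush_to_app(lambda msg: True)

    # Two MT commands arrive separately but reach the device in one wakeup.
    gw.queue_mt("meter-1", b"set-interval=300")
    gw.queue_mt("meter-1", b"fw-check")
    mt_batch = gw.on_device_wakeup("meter-1")

    return {
        "acks": acks,
        "delivered_while_down": delivered_while_down,
        "buffered": buffered,
        "delivered_when_up": delivered_when_up,
        "mt_batch": mt_batch,
        "mt_after_batch": gw.on_device_wakeup("meter-1"),
        "state": gw.get_state("meter-1"),
        "abnormal": gw.abnormal_devices(now=120),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Backup and disaster recovery are outside what this model covers; the buffer here lives in memory only.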
From dumb to smart
As IoT-based communications are message oriented, the use of a smart gateway with a telco-grade distributed database could provide the scale, maturity and flexibility needed to handle billions of devices in a distributed fashion. To fully realize the return on their IoT investments and protect their networks, operators will require smart network gateways to transform all the billions of dumb IoT things into superior and secure connections on the network.
When people think of cybercrime, they tend to think of geeks in dark rooms staring into computer monitors trying to figure out some new way to infiltrate a network. And historically, that was a pretty accurate assessment.
Today, however, cybercrime is a business. Cybercriminals tend to keep business hours (attack surges very often follow standard work hours), attacks are designed to generate revenue, and cost/benefit ratios are often considered when deciding whom to target and how to attack. Hacker tools and malware can be custom built and ordered online, and predesigned attacks can be used, such as the recent rise of ransomware as a service. Some developers even have help desks.
Turning a profit drives a lot of cybercrime. For example, healthcare systems have been a prime target for ransomware: lots of interesting data combined with critical infrastructures that range from managing and assessing patients to actually running life-saving technology. If you manage to take a healthcare system offline, they are highly motivated to turn it back on.
Innovation is the land of opportunity
But why spend all that time and money researching how to break into a healthcare system when there are new critical technologies with attack vectors that are much easier to exploit?
For example, a session at the recent Black Hat conference in Las Vegas discussed modern windmills being held for ransom. Why? Well first, a lot of the technology being used to run and manage these windmills was not designed with security in mind. And second, it’s all about the money.
The loss of a single windmill can cost an energy provider upwards of $30,000 a day. If an attacker is able to shut enough of these down, the victim is likely to fork over a huge ransom to get them back online. Looking at trends over the past year or so, we can see that attacks that target critical infrastructure based on new, interconnected technologies seem most likely to become part of the next generation of ransom-based attacks.
At the center of this target are IoT devices. They include such things as digital security cameras, DVRs, gaming systems, smart appliances, and even heating and ventilation systems. Many of them are being built using unsecured communications protocols and junk code. Many have hardcoded backdoor passwords built into them and pass data in the clear. And since manufacturers commonly use and share code from a single source, these vulnerabilities can crop up across a wide variety of devices sold by a single manufacturer, across multiple brands from manufacturing conglomerates, and even across devices produced by completely separate manufacturers who have used a common code set to connect their devices to the internet.
A perfect case study of what happens when these devices are exploited is the Mirai botnet of last fall that hijacked millions of DVR devices to create a massive denial-of-service attack that shut down huge segments of the internet. As an attack, it was pretty straightforward. What made it unique is that Mirai included worm-like characteristics that allowed it to spread rapidly, and it targeted connected devices that had been built and deployed with virtually no thought given to security.
But Mirai was just a shot across the bow. Newer iterations of IoT-focused attacks, like Hajime and Devil’s Ivy, not only use the same sort of mechanism to attack IoT devices, but have added sophisticated toolsets that allow them to identify different devices, select known passwords or exploit appropriate vulnerabilities, compromise a device and then use its communications protocols to spread infection to other devices. The potential for using multi-vector worms to create massive IoT botnets that span across multiple technologies is very real. And the results can be devastating.
And because these sorts of attacks can be done autonomously and at scale, the ability to impose ransomware on thousands of victims simultaneously, rather than targeting a single large network, is now a possibility. How much would you be willing to pay to turn your entertainment system or refrigerator back on? Fifty dollars? Now multiply that by millions of users and you get an idea of why cybercriminals are very motivated to invest in building these sorts of exploits.
In part two of this article, I will discuss how opportunity is the land of innovation for cybercriminals and how new legislation around IoT cybersecurity can protect consumers with stricter security standards in order to avoid massive market disruptions.
The internet of things market is valued at around $900 billion today. Industry experts have suggested that companies will spend almost $5 trillion on IoT in the next five years. The figures are staggering. Nevertheless, while there is no doubt about the lucrative opportunity that IoT presents for businesses of all sizes, as many as three-quarters of IoT projects are failing.
For many companies, both those already investing in the IoT and those considering it, IoT poses key challenges. New research of IoT professionals found that 53% agree that quantifying a return on investment and providing a clear use case are IoT’s two biggest hurdles. The same study also found that over one-third (34%) of IoT professionals believe that the ability to measure its business benefits would encourage greater IoT adoption.
Fortunately, there are steps that businesses can take to ensure that IoT investments are not short-lived. And there are sustainable business models that can be scaled quickly and effectively.
While it may seem obvious, many companies still fail to set out clear goals and budget allocations before they begin to invest heavily in IoT. This is one of the major reasons why so many projects fail — and quickly. It is critical that businesses forward-plan and identify key metrics. However, it is just as important that business leaders start thinking more strategically, rather than being driven by device sales.
As it stands, 55% of IoT professionals see their long-term profits coming from the sale of hardware. While this is definitely a good revenue stream, it’s certainly not the only one. Pressure from commoditization makes it difficult for vendors to differentiate without offering a premium product. For IoT businesses, this means real monetization relies on value-added services, which transform hardware products into “things as a service.” It is now all about improving existing capabilities and allowing new ones to be installed onto existing devices. As such, many businesses are turning to IoT app stores to increase their ROI and establish long-term revenue streams.
Sourcing the skills
Companies today are facing a range of new technical and business challenges. One of the key issues when it comes to IoT is a significant skills gap. Our research identified knowledge of big data and analytics as the most important skillset for IoT professionals, with 75% agreeing that it is a must-have for experts within the field. Looking at the skills issue in the short to mid-term, it is important that businesses reduce the pressure to source the right skills internally. Instead, they need to disrupt traditional recruitment methods by looking for new employees from different fields with the desired skillsets.
However, it is also important to remember the fast pace at which IoT is evolving. It will not be long before IoT technologies are built into all aspects of the business. Therefore, skills that are deemed important today may not be so in years to come. This means that remaining agile and constantly evaluating business decisions is essential.
Don’t underestimate the power of data
Perhaps one of the most valuable assets from IoT is the data it provides. Data collected from different IoT platforms, processes and devices is a very powerful tool for business owners to ensure sustained profitability and growth. This could be through selling the data from existing smart devices, enhancing services through analytics or using the information to explore new market opportunities. The data provides savvy businesses with a real opportunity to monetize IoT.
There are plenty of companies moving fast to grab their share of the IoT market. However, it is better to take small risks and adapt as necessary rather than make costly decisions without a strong foundation. After all, it is the small successes that will eventually culminate in the big business benefits.
I recently published part one in this series, which examined the Mirai botnet attacks of late 2016.
For part two, I’d like to take a closer look at the Amnesia botnet, or what I like to call “a Mirai that wasn’t.” Amnesia is notable because it’s an IoT botnet built using compromised DVRs. These DVRs are compromised using a vulnerability that’s been known and not patched for over a year. And our best estimate is that over a quarter million devices around the world are vulnerable.
The circumstances around Amnesia seem to be ideal for a large-scale IoT attack, especially post-Mirai: a quarter-million systems around the world unpatchable for a vulnerability that gives total control and the malware out there to herd them into a botnet.
And yet there’s been no large scale Amnesia outbreak. Why?
One thing that we can point to with Amnesia is the fact that it’s actually easy to block: the botnet hardcoded its command-and-control (C2) server information, making it easy to block and render inert. And information about the vulnerability and the lack of a patch has been out there for well over a year.
By widely sharing information about the vulnerability and, later, Amnesia and its C2 servers before there was a crisis, we may have been able to help prevent a crisis.
Ironically, that may also be a reason for the lack of additional Mirai attacks after the source code went public. In other words, with that attack information available, defenders have useful information they can use to protect themselves and their organizations.
This brings us to a key point around how the world of the IoT internet is different from the world of the PC internet: There’s a mature security ecosystem today that makes information sharing a priority and prevention a realistic goal.
In the early days of Code Red or Nimda especially, security was an afterthought and there were no information-sharing channels. But today the channels to share information are many; there are Information Sharing and Analysis Centers for most major industries now. And the Cyber Threat Alliance (of which Palo Alto Networks is one of six founding members along with Check Point, Cisco, Fortinet, McAfee and Symantec) is automating information sharing through its platform which enables data to be shared across all members and protections pushed out to their customers in minutes. And these very channels and their effectiveness make prevention a realistic goal: It is now possible to get information out quickly enough to prevent large-scale attacks from taking hold like in the past.
This isn’t to say that the threat of IoT attacks isn’t real; IoT attacks will happen and some of them will be major, like the Mirai attack. But it doesn’t mean that we can’t look at the past as a clear guide to our future either. It also means that the future around IoT attacks isn’t as bleak as some of us may have feared: We can be cautiously optimistic.
Overall, we can’t stop being vigilant and working to share information and keep prevention in mind as a goal. Part of why today is different than yesterday is because of all the hard work of the past 17 years. While we can recognize the good work we’ve done, we can’t afford to celebrate by stopping. The next 17 years look to be even more complex and important.
Almost four years ago, I wrote two posts in my IoT blog — “Are you prepared to answer the M2M/IoT security questions of your customers?” and “There is no consensus on how best to implement security in IoT” — explaining the importance that security has to fulfill the promise of the internet of things.
I have been sharing my opinion about the key role of security in IoT with other international experts in articles including “What is the danger of taking M2M communications to the internet of things?” and at events including Cycon and the IoT Global Innovation Forum 2016.
Security has always been a tradeoff between cost and benefit; the opportunities generated by IoT far outweigh the risks.
But who cares about security in IoT?
A decade of breaches and the biggest attack target yet is looming
We all know the negative impact that news about cyberattacks has on society and enterprises. In less than a decade, according to ICS-CERT, incidents have increased from 39 in 2010 to 295 in 2015.
In a survey published by AT&T, the company logged a 458% increase in vulnerability scans of IoT devices in the last two years.
It is a temptation for hackers to test their skills on connected objects, whether they are connected cars or smart home appliances. But I’m afraid they will go far beyond attacking smart factories or smart transportation infrastructure or smart grids. With millions of unprotected devices out there, and the multitude of IoT networks, IoT platforms and developers with a lack of security, I believe the biggest attack target yet is looming.
With the internet of things, we should be prepared for new attacks and we must design new essential defenses.
The OWASP Internet of Things Project is designed to help manufacturers, developers and consumers better understand the issues associated with security in IoT, and to enable users in any context to make better security decisions when building, deploying or assessing IoT technologies.
Who owns the problem?
With IoT, we are creating a very complicated supply chain with lots of stakeholders, so it’s not always clear who “owns” the problem.
Manufacturers can’t divest themselves of responsibility simply because the home owner bought several component parts from different retailers. As a manufacturer, you have a responsibility to ensure that your product is secure and reliable when used in any possible scenario and use case, which means that manufacturers need to work together to ensure interoperability — we all own the problem!
This might come as a shock to some companies or industries, but at some level even competitors have to work together to agree and implement architectures and connectivity that is secure and reliable. Standardization is a good example of this. If you look at the companies actively working together in ISO, ETSI, Bluetooth SIG and so on, they are often fierce competitors, but they all recognize the need to work together to define common, secure and reliable platforms around which they can build interoperable products.
If cybersecurity is already top of mind for many organizations, why the lack of security in IoT?
According to the AT&T State of IoT Security 2015 survey, 85% of global organizations are considering exploring or implementing an IoT strategy, but the bad news is that only 10% are fully confident that their connected devices are secure.
It scares me that only 10% of developers believe that most IoT devices on the market right now have the necessary security in place.
In a publication from Ernst & Young titled “Cybersecurity and the IoT,” the company defines three stages to classify the current status of organizations in the implementation of IoT security:
- Stage 1: Activate — Organizations need to have a solid foundation of cybersecurity.
- Stage 2: Adapt — Organizations must adapt to keep pace and match the changing business requirements and dynamics, otherwise they will become less and less effective over time.
- Stage 3: Anticipate — Organizations need to develop tactics to detect and detract potential cyberattacks.
What enterprises need to do
If you are thinking only about the benefits of IoT without considering security as a key component in your strategy, you will probably regret it very soon. Here are some recommendations to consider before you start your IoT journey; or if you have already started, I hope it is not too late for wise advice:
- Adopt a comprehensive framework and strategy for IoT with end-to-end security and prioritize security as a key IoT technology element.
- Conduct a full audit and assess likely risks within IoT initiatives. Prioritize the opportunities and risks of deploying IoT.
- Bake security into devices and processes early. Include embedded device testing, firmware, protocols, cloud and application security assessments.
- Mobilize the larger workforce around IoT security.
- Bring partners up to rigorous security standards. Evaluate third-party partners with expertise.
- Rethink the roles of IT and OT.
With the proliferation and variety of IoT devices, IoT networks, IoT platforms, clouds and applications, we will see new vulnerabilities and a variety of new attacks over the next few years. The progress in security technologies and processes that prevent these attacks will be key for the adoption of IoT by both enterprises and consumers.
In the future IoT world, an end-to-end security approach is critical to protect physical and digital assets. The ecosystems of this fragmented market must understand the need for security by design and avoid the temptation to reduce costs at the expense of security.
Do not stop asking for security when you buy a connected product or use an IoT service; the temptation of time to market, competitive prices and lack of resources must not be an excuse for failing to offer secure IoT solutions to enterprises, consumers and citizens.
I recently had the privilege of speaking at the SIIA’s conference on “Deciphering the internet of things” in San Francisco. The session started with a report that I had come across two years back — the World Economic Forum’s 2015 report on the industrial internet. The report’s framework concerning the adoption of IoT is still applicable today. Here is a brief summary:
While the world is recognizing the potential for IoT to deliver value, it is still in the early stages. We are only beginning to unlock the full potential of IoT, specifically industrial IoT. Many large industrial companies, while well-established, are not quick to change. Startup and tech companies move at a more rapid pace and strive for constant innovation. These two types of companies must come together for IIoT to move further along.
The four waves of IIoT adoption
There are four waves of adopting IIoT, and currently we are still in the first wave: operational efficiency. This includes activities such as asset utilization, operational cost reduction and worker productivity. These types of activities can produce fast results. Therefore, ROI can be readily determined and it is easier to fund these types of projects.
The first wave lays the foundation for the infrastructure required to drive the next wave. The second wave is new products and services. This consists of new business models, software-based services and data monetization. For example, Michelin sells tires. But if the company sells tires as a service, it takes on monitoring the usage of the tires as well as replacing them when they exceed the maximum mileage. Michelin now creates more value and generates higher revenue. The second wave connects both products and services in a way that improves each.
The third wave of adoption is the outcome-based economy. This wave drives unconventional revenue from products and services. It spans three areas: products, equipment services and information services. For example, the traditional offering is a product with a service contract attached to it. And there is usually a set of information services that come with it, such as maintenance, inspection and monitoring. However, products are increasingly digital. For instance, tractors are connected with sensors. Once connected, a tractor can now be enabled with remote diagnostics and optimization services. This is the very beginning of digital services. With the sensors, the farm equipment is capable of soil, plant and equipment analysis. As this kind of example grows, there will be a new marketplace for agricultural information services.
The final wave of IIoT adoption will be the autonomous pull economy. This is an economy where automation occurs end to end. It results in resource optimization, waste reduction and even continuous demand sensing. This final wave will unlock value on multiple fronts. Consider the example of the Rio Tinto autonomous mine. The mine covers all the different aspects of IIoT — heavy machinery, transportation, critical operations and high downtime costs.
Even though some of the leaders like Rio Tinto have taken the leap, this wave is still under development. Every single company will have its own unique approach as operations move from manual to self-organizing and demand-driven.
Technology and IoT
According to a recent report published by ReadWrite, there are about 2,888 companies focused on delivering IoT technology and solutions. This follows a report by IoT Analytics covering the 450 IoT platforms that are available today. Yet, according to a survey done by the World Economic Forum, only a small fraction of the companies that could use this technology have a funded budget for IIoT.
The technology vendors, new as well as established, are investing heavily in addressing the technology challenges that arise because of IoT. As a result, even though the ecosystem and standards are still in flux, technology is available for buyers who are looking to get ahead of their competitors. The biggest emerging IoT opportunities are created by companies that can deliver value today by combining deep domain expertise while also laying the foundation for the later adoption waves of IoT. Successful companies have in-house experts with domain, industry and technical knowledge that is combined together to deliver solutions to the problems that these industries are facing.
As IoT adoption grows, the value of IoT in the near future will no longer be based on how many billions of things are connected. It is not even the terabytes of data that are being generated from these connected things. It is the valuable insights that are being unlocked to generate new revenues, reduce costs or mitigate risks.
With IDC predicting that 30 billion “things” will be in use by 2020, it’s clear that the internet of things is playing a critical role in many companies’ digital transformation strategies — whether to enhance customer experiences or improve operational efficiencies.
While most enterprises are already enjoying some benefits, they often struggle with a series of challenges when attempting to aggregate available technologies and devices to maximize the potential of their IoT ecosystems. Most of these IoT device management challenges are common, irrespective of the industry vertical or the specific problem they’re trying to solve. Working with some early adopters, we’ve identified five key challenges and ways to address these in your organization:
Defining device needs. First you need to identify what you want to measure to obtain the necessary insights to support your business decisions and define the device types required to do this. Picking the right devices depends on the atmospheric conditions/locations where they will be deployed, connectivity options available, source of power, local data processing capabilities, remote management and monitoring capabilities, and a way to extract and analyze the data.
For instance, consider an organization that wants to monitor and control the temperature of its geographically distributed warehouses. Key criteria include the sensor’s coverage range; warehouse size; inter-sensor connectivity options, such as BLE, XBee and Z-Wave; and the sensor’s internet connectivity options, such as gateway support. Some deployments might even require local computing (edge computing) capabilities to enable these to work in offline mode when connectivity to the cloud is unavailable. Devices may not be limited to sensing and will have actuators that can do things on command.
IoT data integration. Once you’ve deployed the required devices, the next challenge is to seamlessly integrate them with existing applications to ensure the data collected and transmitted is sanitized and error free. An IoT gateway helps bridge the internal network of sensor nodes and the organization’s external infrastructure.
Data from a deployment, such as a warehouse, could end up going through several physical layers before reaching the cloud application layer given the communication and computing capabilities of sensors. Once devices are connected to the IoT platform, making these available externally is a challenge. On one side, devices bring in sensor data that needs to be stored, summarized and grouped or that requires real-time decisions.
Meanwhile, there are device actuations exposed externally via proper authorization, and some devices may have management interfaces that allow their functions to be controlled. For example, a cooling plant inside the warehouse can be programmed to operate from 6:00 am to 6:00 pm. Once the data is received and control functionality and management capabilities of devices are connected to an IoT platform, you need to expose these via managed APIs for external parties to make use of this data.
Device management. Once a properly working system is established, the next challenge is to streamline the day-to-day management of these devices given the business’ dependence on the available data. This includes the ability to monitor a device’s outgoing performance, push updates to remote devices, and carry out resets as needed to ensure proper maintenance. To do this, you need to ensure your cloud-based server has detailed records of every device that’s connected so they can be programmed.
Sensors in the warehouse, for instance, will have a preconfigured pattern of pushing data into the cloud, and the data will have a networking route through which it reaches the IoT platform where failure and anomaly detections are done. It also must be able to perform predictions based on historical data to support business demand. The type of operating system that runs on the device/gateway, too, has a direct impact on how you sync the device within a distributed device deployment. For example, a fairly powerful device running Android or a lightweight Linux variant will have existing platforms through which it can be updated.
Scalability. Another challenge is the deployed device network system’s ability to scale to accommodate future needs. Scaling, however, can be multifaceted. It could be device deployment at the ground level, computing in the edge gateways or related to the IoT platform that facilitates all communication. Given the high cost of deploying devices, it is essential for you to plan for failover and scaling for future needs. Failover is usually achieved through duplicate devices or reconfiguring another device to take on additional load. Scaling involves demanding increased physical actions from devices or an increase in computing actions by the edge gateway or central IoT platform. In both these scenarios, the IoT platform or edge computing platform’s ability to scale and remote re-configurability will play a vital role.
Security. The last, and possibly most critical challenge, is to ensure the organization’s now fully functional system is completely secure and not vulnerable to threats like tampering or loss of sensitive data. Security threat levels might not be the same for all devices, but the technology platform should include a security layer that will prevent potential risks in each instance.
Security in an IoT platform applies at multiple levels: communication between devices and the platform across multiple hops, communication between components within the platform, data received from devices, and how devices are stored and shared with other systems. The security layer will typically address these scenarios with policy-driven device management by enabling compliance monitoring for applied policies and role-based access control.
While connected devices are playing a central role in organizations’ digital transformation, the key is to ensure a centralized management environment for efficiently managing all of these devices and extending its benefits. And to do this, in addition to just deploying IoT devices, enterprises should incorporate a complete technology platform with seamless integration, smart analytics and security capabilities to address the common issues that arise when managing these devices.
The internet of things promises a simpler, more intuitive world. Instead of asking people to do special things for the sake of technology, like pushing buttons, navigating screens or following a specific sequence of steps, products can now be designed around natural human experiences. Google Home and Amazon Echo do away with the interface entirely: Just speak into the air, and your wish is granted. (Steve Wilson, Citrix VP of product for Citrix Cloud and IoT, has a great blog on this: “4th gen user interface.”) It’s a radical transformation, and one with thrilling potential — but the first step is to change the way engineers think about product design.
I don’t mean to bad-mouth engineers — I am one myself. But it’s our nature to approach things from an engineering perspective: How do I make these technologies fit together to accomplish a purpose? How do I get them to perform at a consistently high level? How much functionality can I deliver? These are all good intentions, and they make plenty of sense in many applications. But when it comes to IoT, it’s the consumer’s perspective that matters most — their context, their perspective.
Think about electricity. Consumers don’t care about the technical challenges that had to be solved to make it flow through their walls, and they couldn’t tell an amp from an ohm if their life depended on it. All that matters to them is that when they flip a switch (or trigger a motion sensor), the lights come on. That’s the kind of natural simplicity and invisibility IoT needs to achieve.
As an engineer, I also understand our inclination to figure things out ourselves. Solving problems is what we do. But in this case, it’s important for us to understand and accept the value of reaching out for real design expertise and following a structured design process. Instead of just engineering a product to work 150% better, you’ll end up creating an experience that delivers 10 times better for the consumer.
Here are a few of the principles I’ve learned by collaborating with the designers at Citrix.
Know what problem you’re solving
You’d be surprised how often people design products without a clear idea of the problem they’re solving. They’ve got a technical innovation that they’re eager to productize, or they’re on a mission to squeeze even more functionality into an existing product. One good reality check is to see if the product manager can tell a simple narrative about the proposed product in a consumer’s daily life. If it seems contrived or farfetched, you’ve got a problem.
To begin with, pay attention to people’s behaviors today so you can document the friction they encounter. What frustrates them? What gets in the way of more interesting or important things? What would they like to be able to do more easily? Meeting technology is a classic case; we’ve all suffered the agony of watching someone fumble with computers, projectors and videoconferencing gear while valuable minutes tick away. But remember, the goal isn’t to make it easier to connect a computer — the goal is to make it easier for people to share information and collaborate. Don’t mistake the tool for its purpose.
Empathize with the consumer
As you’re researching the right problems to solve, remember that the beauty of your technology will be in the eye of the consumer. It’s their priorities and needs that matter, not yours. How many applications end up with barely usable interfaces because they’ve been assembled from an engineering perspective instead of a user’s point of view?
Take the Nest thermostat, for example. Did I buy one because of its technical horsepower or engineering brilliance, or because of purely rational considerations of energy conservation and money savings? I’d like to say yes, but in reality, I just couldn’t resist the way its elegant design called out to me and made me want to interact with it. Like so many Apple products, the Nest thermostat put design front and center while getting technology out of the consumer’s way. And as with Apple, it didn’t even matter how much more expensive the Nest was than the alternatives. Now, this beautiful widget has led the way for a whole host of home automation products from cameras to smoke detectors under the Google umbrella.
Citrix applied this kind of approach in designing the interface for our Octoblu IoT platform. IoT automation can get complicated quickly, from the devices you need to connect to the protocols that make it work, but the goal of Octoblu users is to create experiences, not write code. We made a point of providing a drag-and-drop interface that lets people build complex automations simply by specifying a sequence of actions — when your car pulls into the driveway, your garage door opens, the lights come on and your house unlocks. Remember, elegance wins.
Use a design brief
So, you’ve identified the problem you’re going to solve, and you’ve put yourself in the mindset of the consumer. How are you going to deliver the product? A formal design brief can ensure focus and discipline so you can avoid getting carried away with extraneous features or mission creep. It’s also a good vehicle for collaboration between engineers and designers — it’s an opportunity to check each other’s thinking, so that designers work within the realm of engineering reality, and engineers maintain a design-thinking orientation.
The brief should encompass:
- A problem statement. What are you solving? What’s the narrative from the consumer’s perspective?
- The business rationale. From both a design and an engineering perspective, why is this the right problem to be solving?
- The “before” picture. How are people doing it today? Where does the friction reside?
- The “after.” What is the kind of experience you’re seeking to design? See if you can tell a few stories about people interacting with the experience. How are you meeting their needs?
My colleague Todd Rosenthal, Citrix director of product design for IoT, analytics, mobility and app management, likes to think of this in terms of creating a better relationship between technology and people. Your goal is to support the user’s ability to smoothly move between activities (such as driving, walking and sitting), places (a room, a car, a campus) and things (devices, apps, sensors). Your goal is to ensure that the user’s needs are met in the context of these three variables — Todd represents them as points of a triangle in the diagram below. You’ll note that the user is always at the center of the experience.
You can find more of Todd’s design insights here.
It doesn’t necessarily take a designer to create a design brief. The important thing is to get the product manager and engineer together to agree on the design principles that will guide the project, with a common language, equal ownership and the flexibility to evolve as needed to get the product right. At Citrix, we’ve used a Slack channel to complement weekly meetings with real-time communication between engineers, product managers and designers, and I’ve been struck that the more we work together, the more our thinking comes into sync, so we end up having similar ideas at the same time.
If you think you don’t have time for a design brief — that you’ll just tweak the design as you go — remember that the world is full of $30 thermostats that may have even more features than Nest, but don’t have a fraction of its appeal or sense of purpose. Engineers want to see how many feature bullets they can put on the box, but people are digitally distracted enough as it is — they want simplicity. With this process, you’ll find the one or two features people will benefit most from right away; you can always add more in future releases. Remember, the original iPhone didn’t even come with the App Store ecosystem — it was laughably under-featured in today’s terms. But it became one of the most important and successful consumer products in history.
Products that don’t consult design aren’t maximizing their full potential and opportunity. By bringing design into the process from the very beginning, you have a chance to deliver a product that’s 10 times better from the consumer’s perspective — while bringing in 10 times as much revenue per unit for your business.
Your goal isn’t to impress the consumer. It’s to help them. Sometimes, that means leaving some things in their own hands and resisting the temptation to over-automate. When people walk into a conference room, they don’t necessarily want all of its systems to fire up right away — that might feel pushy or annoying. They’d prefer to spend a few minutes shaking hands and making small talk before Skype starts capturing every word they say. Don’t assume that more automation is always better, and don’t engineer in a silo. Social norms may not be an engineering principle, but they should be a key part of your design context.
Of course, IoT design can have a way of humbling any engineer. Adding features is easy; simplicity is hard. It takes discipline to deliver experiences designed around human needs and quirks rather than technical wizardry. But when you get it right, you can change the world.
In our previous blog post, we discussed how concerns over online security and privacy began to work their way into the public consciousness during the early days of the PC revolution. Those concerns never really went away with smartphones and tablets, and have only multiplied as IoT devices continue to proliferate. At the same time, many industry players are now starting to wonder if the traditional way of addressing security concerns with frequent software patches and updates makes sense for IoT.
There is a growing awareness that IoT security shouldn’t be treated as an afterthought, but rather as a first-class design parameter. In a best-case scenario, this new approach to security for IoT will shape up to be a holistic one, with semiconductor companies seeing devices secured throughout their lifecycle from chip manufacture through day-to-day deployment and all the way to end-of-life decommissioning.
One of the most effective ways of achieving this goal is to equip IoT devices with a silicon-based hardware root of trust. And while hardware-based security may have previously carried a steep price tag, the relentless progression of Moore’s Law over several decades has helped to significantly reduce transistor costs, making this type of implementation quite feasible. So we can now think of IoT as having entered a transitional stage, with the industry actively reevaluating security strategies.
This isn’t surprising, as petabytes of sensitive data are being generated by a wide range of diverse IoT devices and platforms, including wearables, connected vehicles, medical equipment, maker boards and intelligent appliances in smart homes. An additional challenge is to avoid vulnerabilities in products that may be deployed in the field for 10 years or more. It’s difficult to contemplate every possible attack that might happen over a device’s lifetime, which makes it complicated to protect against newly discovered vulnerabilities and fresh exploits.
Differential power analysis (DPA) side-channel attacks are a relatively new method of compromising silicon that has been gaining a lot of attention in recent months. These attacks involve monitoring variations in the electrical power consumption or electromagnetic emissions from a target device. These measurements can then be used to derive cryptographic keys and other sensitive information from chips.
The threat of DPA side-channel attacks is quite real, as even a simple radio can gather side-channel information by eavesdropping on frequencies emitted by electronic devices. In fact, in certain scenarios, secret keys can be recovered from a single transaction secretly performed by a device several feet away. The internet of things already comprises billions of connected endpoints powered by chips, many of which are vulnerable to DPA side-channel attacks. Fortunately, a number of countermeasures are available to help protect chips from DPA attacks.
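To show how a design team can check for the power leakage described above, and whether a countermeasure removes it, here is an added example (not from the original post) that runs a fixed-versus-random Welch t-test, the usual leakage-assessment approach, on simulated power readings. The Hamming-weight power model, the key byte, the noise level and the choice of Boolean masking as the countermeasure are all assumptions made for illustration; the post does not name specific countermeasures.

```python
import math
import random
import statistics

KEY_BYTE = 0xA7          # constructed secret value, not from the article
FIXED_PLAINTEXT = 0x00   # constructed input used for the "fixed" trace set
NOISE_SIGMA = 1.0        # assumed Gaussian measurement noise
THRESHOLD = 4.5          # conventional pass/fail bound on |t| in leakage tests


def hamming_weight(value):
    """Number of set bits; the assumed model of data-dependent power draw."""
    return bin(value).count("1")


def power_sample(plaintext, rng, masked):
    """One simulated power reading while the device handles plaintext ^ key."""
    intermediate = plaintext ^ KEY_BYTE
    if masked:
        # Boolean masking: the device only ever handles the value XORed
        # with a fresh random mask, so the reading is independent of it.
        intermediate ^= rng.randrange(256)
    return hamming_weight(intermediate) + rng.gauss(0.0, NOISE_SIGMA)


def collect(masked, n_traces, seed):
    """Randomly interleave fixed-input and random-input measurements."""
    rng = random.Random(seed)
    fixed, rand = [], []
    for _ in range(n_traces):
        if rng.random() < 0.5:
            fixed.append(power_sample(FIXED_PLAINTEXT, rng, masked))
        else:
            rand.append(power_sample(rng.randrange(256), rng, masked))
    return fixed, rand


def welch_t(a, b):
    """Welch's t statistic for two samples with unequal variances."""
    spread = statistics.variance(a) / len(a) + statistics.variance(b) / len(b)
    return (statistics.fmean(a) - statistics.fmean(b)) / math.sqrt(spread)


def leakage_assessment(masked, n_traces=4000, seed=2024):
    """Flag leakage when the two trace sets are statistically distinguishable."""
    fixed, rand = collect(masked, n_traces, seed)
    t = welch_t(fixed, rand)
    return {"t": t, "leaks": abs(t) > THRESHOLD}


if __name__ == "__main__":
    for masked in (False, True):
        result = leakage_assessment(masked)
        label = "masked" if masked else "unprotected"
        print(f"{label:12s} t = {result['t']:7.2f}  leaks = {result['leaks']}")
```

A real assessment applies the same test to every sample point of measured traces, and passing this first-order test does not rule out higher-order leakage.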
In conclusion, securing IoT will require a holistic approach that offers robust protection against a wide range of threats through carefully thought out system design using techniques like hardware roots of trust. This paradigm will allow companies to see devices secured throughout the product lifecycle from chip manufacture all the way to end-of-life decommissioning.