For many companies, the internet of things has suddenly become the thing: a techno-competitive mega-trend that can no longer be ignored. However, creating an effective IoT strategy — and carrying it out with excellence — can be difficult and confusing.
In a recent survey, all CEOs in the Fortune 500 were asked, “What is your company’s greatest challenge?” The top answer was, “The rapid pace of technological evolution.” IoT is a prime example of the rapidity of this technological evolution. The methodology for companies to stay abreast of this pace and meet it with the talent required to navigate it is no small undertaking, but success in the process will define the parameters of technology competition over the coming decade.
Innovation programs are historically the vehicle that protects against internal stagnation and external irrelevance. However, the larger an organization gets, the more difficult it becomes to innovate outside of historical core competencies and market-facing product lines, both of which are common with IoT.
The global trend of the increasing need for smart connected products and services poses a number of challenges to traditional internal corporate innovation programs. These include:
- An unprecedented competitive landscape. With the rapid pace of technological change, it’s never been easier to create a technology startup company that anticipates user needs before they are well-articulated and disrupts an established market player. If you don’t understand the why, then the how doesn’t matter. With the internet of things, often the why — and the corresponding response behavior of the competitive landscape — is elusive.
- A heavy dependency on cross-divisional collaboration. The internet of things requires cross-divisional collaboration that many companies are not used to. By definition, developing a connected product implies an ongoing service that requires support, manufacturing integration, and a new sales and marketing strategy that transcends traditional corporate walls. Often this cross-divisional collaboration results in the formation of several new ecosystems in what had been a traditionally laid out corporate ecosystem.
- A rapidly-expanding digital ecosystem of products, services and data. Creating value with internet of things technologies often involves creating new products (e.g., a smart connected version of a legacy product), a new service (e.g., a predictive maintenance service for connected industrial assets) or new data streams (e.g., environmental condition data that can be consumed by an adjacent product or service). This rapidly expanding digital ecosystem is causing companies to innovate outside their comfort zones into new areas including data science, information security, outcome-based business models and enterprise software integrations.
- A knowledge deficit of IoT technologies, business models and market needs. Companies that stand to benefit the most from deploying IoT technologies and business models are the least prepared to do so. It is not uncommon for a durable goods manufacturer to have historical expertise in materials science, mechanical/chemical engineering or metal bending. These types of companies have historically faced challenges in being able to develop adaptive user experiences, integrate products in the field with enterprise IT services, sell recurring subscription contracts or monetize the value of data. The challenges are often due to a knowledge deficit that can easily hinder the effectiveness of any corporate IoT innovation program and obscure the success of the undertaking.
An evolutionary perspective
Many companies already have innovation programs in place. Adding an internet of things focus, although a revolutionary trend in thinking, usually requires surgical evolutionary adjustments in the following five areas:
- Clarity of strategic direction. IoT innovation program participants must know why the internet of things is important to the competitive success of the company. A lack of clarity or outlined, forward-looking goals that include a designated timeline can be detrimental to success. For example, having a vision that an enterprise needs to become known as a software and data company by 2025 in order to remain competitive helps drive critical direction, focus and momentum.
- Emphasis on cross-departmental collaboration. Product innovation historically focuses on the products themselves. However, smart connected products usually also include IT. The blending of operational technology (the physical products themselves) and information technology requires a new type of cross-departmental collaboration, introducing new people and roles to the entire innovation process itself.
- Identification of reusable technology, business models and processes. Companies often have multiple product lines, business units and/or market segments. Companies can get an edge in the competitive landscape by intelligently understanding how to reuse not just technology components, but also business models and process improvements. All components should be included as part of the innovation process.
- Adaptation of business processes to data and services. Many companies have business processes (e.g., order fulfillment and billing) that center on the manufacturing, distribution and sale of physical products. However, with the advent of smart sensors and data, new business models are possible by selling services (which may include a product or consumable), or by selling the data stream itself. Leading innovation programs lead participants to think outside the box of traditional product features and business processes, and expand the scope of thinking to data and services.
- Revised approach for capturing and acting on market feedback. Product companies usually have a new product introduction (NPI) process for ensuring a high-quality and normalized market launch. Although releasing software and products early to gain market feedback is a best-in-class approach, doing so prematurely can be detrimental to building a long-term trusted brand. Adapting existing NPI processes to gather critical market feedback while at the same time supporting and building a high-quality connected brand is a critical success factor for IoT innovation programs.
Change: The new competitive advantage
Leading organizations that have become the key innovators in this process got there by harnessing the reins of IoT innovation and focusing on early success with a small number of projects. Only after that do they build on that success by creating and establishing corporate-sponsored IoT funding. This process naturally helps subsidize bright new ideas that help the company achieve its long-term vision.
Once the pace of IoT innovation is moving, the momentum continues to be driven by many forces: things like effective training, support readiness, manufacturing integration, adaptation to business process changes, thoughtful talent acquisition and pricing calibration. While there is a tapestry of the aforementioned pieces to weave together, by fostering a culture of technology innovation and cross-divisional collaboration along with a keen focus on services and data, organizations can turn their ability to change into a competitive advantage for long-term success.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
The internet of things is coming to a supply chain near you.
There will be 50 to 200 billion connected “things” by the end of this decade. Regardless of which research numbers you follow, we are about to be inundated by connected devices and things. IoT will be throwing off mountains of data — even more information to be added to our existing mountain of big data. This information will take on a new form and pace. Possibly smaller data points, but at a more rapid pace and coming from parts of our supply chains that were otherwise dark. The promise of this is to not only light up these dark parts of the supply chain, but also to fundamentally change how our supply chains operate. We should view this as a key component of the digital transformation of supply chains.
The digital journey is only beginning. IoT will be a vital part.
There is very little in our day-to-day lives that has not seen the impact of the digital revolution. How we think of point-to-point transportation will never be the same due to Uber. Where and how we stay when we travel has been radically changed due to Airbnb. How we listen to music no longer revolves around CDs, records or tapes. The very idea of purchasing a full album is foreign to many who have been accustomed to accessing music via services such as Pandora, Spotify, Apple and Amazon music. Watching television is not limited to our family rooms, nor is the activity restricted to time slots. Commercials, in some ways, are becoming a thing of the past.
While these are consumer-centric examples, the digital revolution’s impact is felt throughout B2B commerce, specifically in the supply chain. Supply chains are beginning to reap the benefits of digitization. How? From greater visibility throughout the supply chain. Industries from agriculture to automotive and consumer goods, heavy industry and retail, have all started to extract value from enhanced digitization throughout their supply chains.
In the chocolate industry, brands such as Mars have a greater view into cocoa production in sub-Saharan Africa through greater usage of connected farms. Companies such as Harley Davidson are more in tune with their manufacturing facilities thanks to IoT. Logistics firms lean on telematics to do a better job with fleet and asset management, and to capture greater efficiencies with regards to load management and routing.
However, many of these digital enhancements are being felt in pockets of supply chains. The digital revolution is not a tidal wave impacting all aspects of the supply chain with a giant bang. Rather digital, and in large part IoT, is taking hold at specific parts of the supply chain. At times this is being leveraged to enhance existing processes, while in other situations we are seeing new transformative business models emerging. A good start. The exciting opportunity for supply chains will be when they are fully connected, fully networked. For this IoT holds out much promise.
IoT is a vital step towards a truly digitized and networked supply chain.
A truly digital supply chain is one where processes and business models are centered on digital communications. It’s a world where the mechanical and digital are integrated in such a way as the physical world has a digital mirror of information and data. This digital mirror allows the physical to be more efficiently managed, to be used in different ways and to allow the physical world to take on new business models otherwise not possible. This digitization revolves around a greater access to, and usage of, data. This data is rich with information, consumed in a timely fashion and leveraged to make greater business decisions.
Supply chains shouldn’t simply look to place sensors on objects and assets, but rather, understand why being able to “see” more from these objects can benefit their business. IoT plays an important role in this vision. It will add a layer of visibility and access to data that supply chains are otherwise blind to.
As supply chain professionals continue to work down the digital road, they need to take into consideration a number of these technologies and innovations. IoT is just one cog in an otherwise complicated and dynamic ecosystem.
Even though they differ greatly, what analyst and vendor projections all agree on is that the number of connected internet of things devices will essentially go through the roof over the next couple of years. Estimates range anywhere from 20 to 50 billion connected IoT devices by 2020 — with Gartner, for example, projecting 20 billion devices as a more “conservative” estimate, if there ever is a conservative view in light of these stunning figures. But no matter how many billions of devices it will finally be, one thing is for sure — it’s going to be huge!
While this sounds encouraging and almost too good to be true, there are downsides, namely security flaws and the unprecedented threat of cybercrime. Nobody wants to be the party pooper and demonize the technological advance toward a bright and shiny digital universe, but it would be fairly naive to bluntly ignore the facts.
Let’s face reality: As much as the IoT universe grows, so does the security challenge
Over the last few months, the cybersecurity industry has been observing some quite interesting trends such as an uptick in distributed denial-of-service (DDoS) attacks with unparalleled data traffic. Cybercrime has become a vast ecosystem that keeps soaring. Experts predict that data breaches could cause damages of up to $2.1 trillion globally by 2019, which is essentially right around the corner. According to Juniper, the average cost of a data breach in 2020 will exceed $150 million as more business infrastructure gets connected.
In a recent study, nearly 52% of the participating consumers believed that IoT products do not have the necessary security in place. And far worse, 85% of IoT developers admitted to being pressured to get a product to market before adequate security could be implemented. A shocking 90% of developers surveyed didn’t believe that IoT devices on the market currently have the necessary security in place.
One of the driving forces for this drastic increase of devices is simply price. With cheap internet pretty much accessible around the globe and wearables becoming a commodity, the price spiral is heading south and the market is simply flooded with low-cost hardware. This enormous price sensitivity, however, almost inevitably precludes embedding comprehensive security features in the device, as the two are a mutually exclusive trade-off.
On average, IoT devices are inexpensive. With 50% of all connected devices targeting the consumer space, manufacturers are caught between the devil and the deep blue sea. As a consequence, those targeting the mass market have little financial margin to invest into the security challenge as it’s simply a costly undertaking.
For the bad guys on the other hand, it’s literally the land of milk and honey with vulnerable devices accessible in abundance. In other words: The hunting ground for the predators is full of possible prey and fence season is long gone.
DDoS attacks are just an example, but once these devices are filled with user data, the issue will be taken to a whole new dimension. Unfortunately, the circumstances aren’t getting any better as more IoT devices will continue to go online every single day.
The security challenge: How to get out of here?
While the above might sound rather scary, it’s far from being hopeless, though it does require action now. Ultimately, there are two sides of the same coin, the first being technology and the second being the human factor.
Overall, the cybersecurity industry is progressing with its R&D efforts in order to come up with solutions that will alleviate various security challenge pain points. If everyone involved is committed to fixing the problem, then developing new technologies with built-in security features will become the norm and the result will be a much safer IoT. With the emergence of software-defined technology, tight security protocols and encryption can be implemented at a fraction of the cost of hardware components.
Vendors should consider de-commoditizing and coming up with a more differentiated product offering that, for example, includes security features. It’s obvious that these features come with a price tag. However, only when vendors translate these features into tangible benefits will consumers be prepared to pay a higher premium.
At the same time, it’s an important task for society to drastically increase its awareness of how to deal with data and teach at least basic principles of how consumers can protect themselves and mitigate cyberthreats. Consumers need to understand the implications of their actions and should think twice about what kind of data to store on which IoT device.
Finally, governments must take appropriate action and shift their attention toward the rising threat of cybercrime in the 21st century by strengthening their cyberdefense activities and making it a strategic component of their security policies. Policymakers love talking about it, but the time has come to walk the walk. As a wise man once said, “Let’s not close the barn door after the horse has bolted.”
Below, we will explore the technical elements of a security-oriented wearable, and subsequent posts will concentrate on the balancing act between great security and end-user convenience.
To establish identity, we’re all used to our username/password combination, and probably have started using our fingerprints to log into our phones. Password policies are really hard to get right — so much so that, in most companies, it is the number one tech support question.
Fingerprints and other biometrics are better for a few reasons — mostly that they’re based on who you are, rather than what you know. So, you’re not going to forget your fingerprint, your retina or other things that make you who you are.
But if your fingerprint is not changing and someone steals it, what happens? Well, the short answer is that you should hope that this “template” is safely stored locally and not shareable across devices, networks and so forth. The beauty of a wearable is that it allows for the proximity necessary to keep that information close.
For example, part of a new phone setup is to capture your fingerprints. Even if you’ve owned three generations of the same phone, you can transfer your data to your new phone, but not your fingerprint. The reason was mentioned above. It is undesirable for both user and vendor to store sensitive, static data about a user.
Hopefully, this serves as a piece of useful information. In the world of wearables, portables and the like, the device should be assumed to be self-authenticating if well designed. That is, the information it shares is simply, “yes, this is the right person” or “no, it’s not.”
If you would like to rely on a wearable as a source of identity verification, there are some key things to keep in mind. Firstly, these devices should be able to confirm the known wearer’s identity. The next thing is thinking about how to query the wearable. Given the state of standards today, prevailing technologies for sharing this confirm/reject are Bluetooth Smart, NFC and USB.
In the real world, one would assume that a wearable must have Bluetooth Smart or NFC or both to communicate with IoT devices. Bluetooth Smart gives better range, but establishing a transient relationship with a thing is complicated and not yet standardized. NFC is perceived as less exposed to man-in-the-middle attacks and works well under certain circumstances, but you should assume that the wearable is on or near the user’s hand (NFC range is <20 cm).
Another key component is tamper-resistance and/or tamper-proofing. A well-designed wearable will prevent a nefarious person from being able to access algorithms or biometric data. There are both physical and logical ways to preserve this data, but secure wearables can and should see tampering as a major threat.
Lastly, one should assume that a wearable has cryptographic functions. There are many options, but these devices can exchange keys with another device. This allows for encrypted messages between devices.
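The confirm/reject exchange described above, sketched as an added example (not code from the author or from any wearable vendor): the wearable matches locally and returns only a one-byte verdict, authenticated with an HMAC over a fresh nonce from the verifier. The class names, message layout and pre-shared pairing key are assumptions, and the HMAC stands in for the encrypted channel the text mentions.

```python
import hashlib
import hmac
import secrets

CONTEXT = b"wearable-attest-v1"  # assumed domain-separation label
NONCE_LEN = 16                   # assumed challenge size in bytes


def _tag(key: bytes, nonce: bytes, verdict: int) -> bytes:
    """MAC over the context label, the verifier's nonce and the verdict byte."""
    return hmac.new(key, CONTEXT + nonce + bytes([verdict]), hashlib.sha256).digest()


class Wearable:
    """Holds the template and pairing key; neither is ever returned to a caller."""

    def __init__(self, pairing_key: bytes, enrolled_template: bytes):
        self._key = pairing_key
        self._template = enrolled_template
        self._wearer_ok = False

    def sense(self, sample: bytes) -> None:
        # Stand-in for on-device biometric matching. Real matchers are fuzzy;
        # an exact comparison is used here only to drive the protocol.
        self._wearer_ok = hmac.compare_digest(sample, self._template)

    def respond(self, nonce: bytes) -> bytes:
        """Answer a challenge with verdict byte + MAC (33 bytes, no biometrics)."""
        if len(nonce) != NONCE_LEN:
            raise ValueError("bad nonce length")
        verdict = 1 if self._wearer_ok else 0
        return bytes([verdict]) + _tag(self._key, nonce, verdict)


class Verifier:
    """The 'thing' (door, laptop, phone) asking the wearable for confirm/reject."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce: bytes, response: bytes) -> bool:
        # A nonce is single-use: it is consumed whether or not the check passes.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        if len(response) != 1 + hashlib.sha256().digest_size:
            return False
        verdict, tag = response[0], response[1:]
        if verdict not in (0, 1):
            return False
        # The "no" answer is authenticated too, so it cannot be flipped to "yes".
        if not hmac.compare_digest(tag, _tag(self._key, nonce, verdict)):
            return False
        return verdict == 1


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed pairing key
    template = b"constructed-template"   # constructed sample data
    wearable, verifier = Wearable(key, template), Verifier(key)
    results = {}

    wearable.sense(template)             # enrolled wearer is present
    n1 = verifier.challenge()
    r1 = wearable.respond(n1)
    results["genuine"] = verifier.accept(n1, r1)
    results["replay_same_nonce"] = verifier.accept(n1, r1)
    n2 = verifier.challenge()
    results["replay_new_nonce"] = verifier.accept(n2, r1)

    wearable.sense(b"someone-else")      # a different person wears the device
    n3 = verifier.challenge()
    results["wrong_wearer"] = verifier.accept(n3, wearable.respond(n3))
    n4 = verifier.challenge()
    r4 = wearable.respond(n4)
    forged = bytes([1]) + r4[1:]         # "no" rewritten to "yes" in transit
    results["flipped_verdict"] = verifier.accept(n4, forged)
    results["response_len"] = len(r1)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the first exchange is accepted; a captured "yes" fails against any later challenge, which is the property that makes a one-bit answer safe to send over Bluetooth Smart or NFC.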
Experts at many security-minded companies have found these building blocks to be elemental to a credible secure wearable. My organization has demonstrated the ability to unlock computers, phones and physical doors from major players with these basic features, and these safeguards have provided the needed assurances.
Are there other considerations here? Yes. This is the beginning of a journey, but these are the lessons that we’ve learned so far.
In addition to a series of high-profile acquisitions (including Jasper, Wyless, Solair, ARM, PLAT.ONE and Bit Stew), 2016 saw some of the largest individual funding rounds for commercial and industrial internet of things companies. While total funding may be slowing down, the size of the individual rounds is, if anything, ramping up. Sigfox led the charge with a massive $173 million Series E, bringing its total funding up to $323 million, and its post-funding valuation up to $648 million. Investors threw huge piles of cash at several other companies developing innovative technologies centered on devices, connectivity, applications and analytics — these companies target a wide range of use cases, including energy, manufacturing, commercial buildings and connected products.
Below is a list of companies Lux has covered that raised big rounds in 2016:
- Sigfox: $173 million Series E / November 2016 — Sigfox builds public low-power wide-area networks (LPWANs) and sells data plan subscriptions geared towards connecting low-power sensors and IoT devices. The radios are smaller and consume less power than traditional cellular radios. The company has active networks deployed across a large portion of Western Europe and the UK, as well as small portions of Central Europe, North America and Oceania, with over 7 million connected devices. This latest funding round will help the firm increase its global coverage and put it in position for an IPO that it expects to achieve in late 2017 or early 2018.
- C3 IoT: $70 million Series D / September 2016 — Founded in 2009 by software veteran Thomas Siebel and originally focused on application and analytics platforms for energy organizations, C3 recently rebranded to focus more broadly on IoT. The firm has developed a platform for connecting sensors, IoT devices and enterprise systems to an environment that offers prebuilt AI and machine learning applications, an application development environment and analytics tools. This round, led by TPG Capital, brings the firm’s total funding up to $131 million. In addition to attracting this investment, C3 IoT won some big deals in 2016, including enterprise contracts with Engie and the U.S. State Department.
- GreenWave Systems: $60 million Series C / January 2016 — GreenWave was founded in 2008 by several former Cisco executives. The firm offers a horizontal IoT platform, called AXON, which enables connectivity between devices and the cloud. The company is currently targeting applications related to energy management, building controls, health care, asset tracking and smart cities. This funding round brings the firm’s total funding up to $76 million. GreenWave plans to use the funds to accelerate its global expansion and provide growth capital for strategic investment.
- Ayla Networks: $39 million Series C / June 2016 — Ayla has developed an IoT enablement suite that helps companies deliver internet-connected products. The offering includes an embedded software stack installed on devices and gateways, an Amazon-hosted cloud platform for device management, basic analytics tools and a set of applications for controlling devices from supported iOS and Android devices. Ayla has a strong footprint in connected home appliances and building systems, and a major presence in China. This latest round was led by China-based Ant Capital Partners — it brings Ayla’s total funding up to $59 million and will help the company continue to expand globally.
- Maana: $26 million Series B / May 2016 — Maana was founded in 2013 to develop an operational analytics platform focused on industrial use cases — the solution crawls and mines different data silos, indexes the information gathered, generates models and helps users operationalize insights. Maana has won a few big customer deals, including GE, Chevron and Shell, all three of which are also strategic investors. Saudi Aramco Energy Ventures led this round, bringing Maana’s funding up to a total of $40 million. Maana plans to leverage the capital to expand product development and ramp up the sales and marketing teams.
- Enlighted: $25 million Series D / February 2016 — Enlighted integrates a compact sensor and controller unit for commercial space sensing and lighting optimization. The sensor and controller is compatible with any type of lighting fixtures, such as fluorescent or LED, and it has embedded intelligence to control nearby lights in response to occupancy and light level. The firm has won several big deals to optimize office buildings at customers like Apple, AT&T, Barclays, Google, Oracle and LinkedIn. This Series D round brings the firm’s total funding up to $80 million — the company plans to use this new funding to “accelerate its IoT app development” and expand its international distribution to France, Germany and the UK.
- Electric Imp: $21 million Series C / April 2016 — Imp was founded in 2011 to develop a platform that helps manufacturers deliver connected products. The firm offers a toolset that includes a line of Wi-Fi/Ethernet modules, a proprietary embedded operating system, a cloud platform and a set of application development tools. Imp is well-regarded for the strong cybersecurity posture inherent in its platform architecture. This Series C round was led by London-based Rampart Capital — Imp plans to use the funds to ramp up strategic growth and product development.
In many ways, 2016 was the year of the IoT platform, and the financing truly tells the story — investments in and acquisitions of IoT platforms totaled well over $2 billion in 2016 (possibly even $3 billion, depending on some undisclosed figures). Sigfox broke the mold in this regard, as it is not a true platform, but rather a network operator and networking IP developer. However, Sigfox offers a preview of what’s to come in 2017: based on client enthusiasm and ongoing deployments, 2017 may be the year of the LPWAN (meanwhile, the reign of the IoT platform will likely continue, since platforms naturally manage the data from the things connected to LPWANs).
Between Sigfox, LoRa and the emerging LTE standards, a huge portion of the globe will deploy LPWAN in 2017, which is why Lux Research is currently writing a report on the topic and plans to publish it during the latter portion of Q1. Those looking to invest in IoT startups should understand that platform and LPWAN startups will be desirable investment targets in 2017, with the potential for even more exits in 2017 than we saw in 2016 (several of the above companies are indeed poised for 2017 exits at huge revenue multiples). Those shopping for acquisitions to broaden capabilities and pursue new business should be on the prowl for top platform and LPWAN startups, like the ones mentioned in this article.
Most articles about the internet of things and its impact on business intelligence are targeted towards an IT audience and focus on real-time data ingestion, big data technology and analytic solutions for data scientists. And while these are critically important elements of the IoT/BI landscape, a discussion about delivering direct business value is often missing.
It’s important to shift the focus of discussion to the solutions required to drive clear, tangible business value with IoT and BI. Deriving business value by achieving greater efficiencies, creating revenue streams and increasing profit for an enterprise can only be achieved if these solutions are focused on business users and end customers. IoT driven BI solutions must be embedded into the business user’s everyday work experience and be designed for an entire enterprise ecosystem.
There is much talk in the industry about how the wealth of IoT data can, for example, provide early warnings to enterprises to better serve their customers, a relatively simple task if the IoT device is reporting an error condition. But more likely, the IoT device is reporting telemetry about usage, operating conditions and performance. This is great data, but how will it drive better business actions that result in direct business value? This is especially difficult when the data is delivered to a small set of data scientists and analysts versus the people who have the ability to take action to implement change.
Placing this burden on a business user to examine the data for potential problems or opportunities and take action is clearly unreasonable. A business user cannot possibly process the tremendous amount or diversity of data, nor will they be able to identify the barely perceptible patterns that could be that ever important early warning sign.
This is a perfect scenario for machine learning. Machine learning needs to augment an IoT-driven BI solution to process and identify those hard-to-perceive patterns to guide the business user towards action. In fact, machine learning can be applied to deliver suggestive and prescriptive analytics to directly influence better business actions.
But machine learning alone will not ensure that this augmented insight will lead to a better business action if it is not embedded at the point-of-work. Ultimately, an actionable insight is dependent on “location, location, location.” When it comes to business users, the insights to drive better business actions must be embedded where that business user works. When done properly, the combination of embedding and machine-learning capabilities can deliver in-context automation, recommendations and insights to help the business user drive tangible benefits for their company.
Consider this: each New Year, many people make resolutions and sign up for new gym memberships, which go unused or are cancelled by midyear. Gyms, of course, know when a member enters the gym but have little other data about what the member actually accomplished during the visit. If gyms were to take advantage of the wealth of IoT data increasingly coming from their fitness equipment, wearable technologies and facilities, machine learning augmented analytics could proactively identify patterns indicating customer churn so that targeted recommendations and interactions can be made to increase “customer stickiness.”
Consequently, the business intelligence platform must be designed specifically for application integration and embedded delivery to ensure that the IoT-driven insight is contextually delivered at the point-of-work. Otherwise, if the insight is located elsewhere, such as in a standalone dashboard or delivered solely as an email alert, there is a high probability that the IoT-driven insight, no matter how valuable, will not result in a better business action and business value will be forever lost.
With the tremendous amount of IoT data being collected, the enterprise is in a perfect position to become an “insights as a service” provider and deliver data products to monetize their IoT data. For example, a manufacturing company can provide IoT-driven benchmarking solutions to its ecosystem of service providers.
Let’s further our example of the gym by considering a manufacturer of fitness equipment. In the manufacturing of fitness equipment, there are potentially hundreds of products made of thousands of parts that could potentially fail inside each gym. Since fitness equipment manufacturers are beginning to add IoT to their products, they can track how often they are used, how they perform and when they fail. The fitness equipment manufacturer could provide benchmarks around performance, lifespan and failure based on usage and environment to provide competitive advantage for service providers. Such information would allow the service provider to focus on maximizing longevity, quality of experience and availability of fitness equipment for gym members with proactive servicing and repair.
But being an insights-as-a-service provider is more than just creating an API endpoint to access the raw data; the data needs to be curated, governed, secured, semantically consistent and accessible to business users. In other words, the business intelligence platform needs to be designed for secure, scalable, analytically consistent and easy-to-use distribution. This is not “your father’s typical BI solution,” but requires a new breed of business intelligence.
A BI platform designed for the enterprise and the enterprise ecosystem must consider deployed analytics, standalone or embedded, as a product. And just like any product delivered as a service, it must have means for provisioning, user management, security, lifecycle management, billing and continuous improvement.
There is much opportunity for IoT and business intelligence to drive direct and indirect value for an enterprise, but it requires the thoughtful application of solutions focused on business users and end customers and less on “techy” solutions focused on the analytically elite.
It seems like every week there’s another doom and gloom story about how IoT security is irretrievably broken. In general, the stories involve a number of players:
- Manufacturers who appear to have more interest in shipping devices than developing the functioning basics of security architecture.
- IP developers — often silicon vendors — who provided an application stack example to the product manufacturer, which was often used with minimal changes and little or no security testing.
- Hapless customers who provided power and connectivity to a device, trusting the manufacturer would have embedded the appropriate security and performed the appropriate testing to know that the device could be trusted to perform only the task it was designed to do.
- Multiple victims, across well-known industries with services relied upon by millions, hit with distributed denial-of-service (DDoS) traffic generated by these devices.
- Security professionals wringing their hands about the insolubility of the problem.
- Critics who essentially fear every connected product and call for the government to mandate standards in an area where no one approach can possibly fit all devices.
However disheartening this is for those familiar with security architecture, the state of affairs is fairly predictable — and easily explained by the motivations of each party. Additionally, one cannot simply expect these concerns to evolve without the landscape and related revenue flow also changing. We can examine the primary motivations of each party, though, to better understand their perceptions.
1. The manufacturer
A successful manufacturer is one that knows their customer, and so produces quality products with features that their customers appreciate. The customers then purchase and recommend these products, driving volume sales and manufacturer success.
The biggest issue here is that the technologies required to build an IoT product are generally vastly different from those manufacturers have mastered to build great non-connected products. Even the best embedded software team tends to have little experience with scalable cloud back ends and cryptographic stacks.
Usually, a manufacturer will look towards the supplier of the wireless silicon they are integrating in their connected product for assistance with the required software.
Unsurprisingly, manufacturers worry about development costs, which have to be amortized across every product sold. If the product never hits sufficient volumes to recoup these costs, the product will never make money, so development budgets for the new breed of connected devices are often small.
Finally, typical product cycles for a manufacturer are in the one to five year range; a product team will ship a product, then usually a slightly different team will reassemble to make the next product. It can be very hard in most product companies, even with the best will, to ensure a product that was made many years ago receives appropriate ongoing effort to ensure security (see comments about costs). Team members leave. Source code and tribal knowledge get lost.
2. The IP developer
The first thing to note about connectivity software is that a lot of it comes from the vendor of the wireless silicon. Over the past five years, silicon suppliers have had to augment their offering with a fully featured software stack to support that silicon — moving beyond hardware drivers to network and security stacks and even embedded operating systems. Once one vendor started offering a full stack, the others had to follow suit as their customers started making silicon choices based on how comprehensive the free software stack provided was.
The problem with a silicon vendor being a software supplier is that software is essentially a marketing expense, and it is provided to make a customer pick their silicon versus the competitors’. Once silicon is designed into a product, there is little incentive for the vendor to provide robust support and maintenance of the stack. They get the design win, and after that point it’s very hard for a customer to move to a competitor’s chip, even more so when their application code is delicately intertwined with the vendor’s stack.
Given a typical five-year silicon production lifespan, especially for chips that get designed into high-volume consumer applications, there is even more concern about what support is provided once the part is no longer in production.
3. The customer
In the end, customers just want a product to work, and work well. Though savvy customers may be able to make judgments based on subtle security characteristics, most essentially trust the manufacturer’s brand to guarantee a certain level of design and quality.
This brings up an important point: should customers trust a brand to be an expert in an area where they have no prior experience?
For example, I may have complete trust in a premium washing machine maker in being able to make a reliable, long-lived, high-performing washing machine. After all, the company has done this for decades — but should I also place my trust in them making all the right security decisions in their connected products, particularly if they have no track record in this area?
An interesting analog is the mobile phone ecosystem. I don’t necessarily trust every app vendor to be making the best security decisions, but I do trust that the OS vendor ensures that my phone is secure and that the OS also prevents malicious apps that could cause serious harm to either myself or my data.
4. The victims of attacks
As IoT-originated attacks become both more common and more dangerous — and I don’t believe that hackers have yet learned how to use these new tools to their most devastating effect — it will become clear that everyone is a potential victim.
The world has become reliant on a functioning internet, and maintaining that requires participation in cybersecurity from all parties involved.
5. Security professionals
The internet security field, in general, is quite large. There has been robust demand for security, particularly in ecommerce, for decades now — not counting the already large antivirus industry.
Many security practitioners have approached IoT as an offshoot of an existing specialist area (for example, phone app security) and have only been adding embedded expertise recently, which means they often lack the necessary holistic view of the problem and instead see it as a collection of discrete ones.
Because security professionals often are only called in after a negative security experience, they are very negative about IoT security. Either they are buying flawed products and finding problems with them, or they’re investigating a DDoS attack spawned by IoT devices, or they are brought in by a manufacturer who is inevitably cash- or time-strapped to test an “almost finished” product before shipment and find it far from secure.
In any case, they get to impart bad news. Rarely are they consulted early in a design process on best approaches, or given free rein to fix problems in a product before shipment.
So how can IoT security be fixed?
The biggest thing that needs to change is that both customers and manufacturers need to place value in security and secure products.
When a customer values security, they will insist the products they buy are secure. When a manufacturer values security — and worries about how bad security may reflect on their brand — they will accept that building secure products will add some cost.
Essentially, once security is valued, then secure products will be built.
But, how will this happen?
A key difference in IoT security is that it cannot be focused on a single part of the product. Security must be architected across the entire product and services. Unlike traditional products, this requires integration between the players along the value chain. This is very different from a traditional supply chain where each supplier is focused on optimizing only their part of the deliverable.
It is still hard for customers and manufacturers to significantly affect the quality of the software stacks from the IP/silicon providers — the whole problem with software-as-marketing is that the software only needs to be better than the nearest competitor to have the desired effect of impacting a purchasing decision.
Also, most silicon companies are not structured to be able to deliver software, or software maintenance, as a core product offering. Software maintenance is not built into their cost equation and the last thing you want is for maintenance to be an afterthought.
Obviously, given that this is a blog from a platform vendor, the conclusion I’m reaching — hopefully with the reader understanding why the conclusion is being reached — is that the solution to these issues is the use of a secure platform.
The main thing a platform provides is clear alignment. A platform vendor that creates software and services covering a device’s full lifecycle — and is paid for keeping these devices online securely — has a clear incentive to provide this ongoing support.
A platform vendor that does not charge large non-recurring engineering fees for development wants to get products to market as soon as practical, as they don’t receive any significant income until that point. This incentivizes a secure platform architecture and support structure that assures fast time to market and easy adoption.
Because true platforms (i.e., those which are identical across customers and products) are shared between customers, the amount of effort and hence expense that can go into their design, construction and maintenance is orders of magnitude more than even a high-volume product could justify on its own. However, the cost to an individual customer is much less than any in-house development simply because this cost is spread.
This communal sharing of technology investment also means that no customer, no matter how small, is ever left out of a security update.
When a weakness is found in the platform (realistically, every system will have weaknesses), whether or not it is ever exploited, it can be fixed for everyone simultaneously. This is an important point, because it means that all the platform vendor’s efforts are going into making every customer’s product better.
In conclusion: if you’re making a connected product, it’s your responsibility — both as a brand and a contributor to the internet — to highly value security and create secure products. This will either lead you to spend a lot of money and time building your own unique connectivity infrastructure (secure design and exhaustively tested implementations don’t come cheap, and neither does ongoing maintenance) or to build with a secure platform purpose-built for IoT.
We’re all watching the rapid advance of the internet of things — from self-driving cars and connected homes to drone grocery deliveries and smart hairbrushes — with excitement and trepidation. The thrill about the potential for vast improvements in life and work is tempered when our confidence is shaken as cracks appear in our vision of a connected world. Two big examples come to mind: the discovery that cars can be hacked and remotely taken control of, and the increase in distributed denial-of-service attacks powered by millions of internet-connected devices. We may wonder: are the rewards worth the risks? Yes, if we work to manage the risks better than we are now. This will take patience on the part of the public and serious coordination among industry players. And, more importantly, we have to resist the strong urge to dive into regulations that could interfere with innovation and progress.
Security issues surrounding IoT are often compared to those of the automobile industry, which was forced by governments to continuously add safety measures to keep people safe as more and more cars raced down highways at increasingly higher speeds. Most notably, the introduction of seatbelts reduced the risk of death in an accident by as much as 50% and saved tens of thousands of lives each year in the U.S. alone. However, the number of devices and software and hardware platforms makes for a much more complex and global IoT industry than the auto industry of the mid-20th century. Regulating IoT wouldn’t be as simple as it was for the auto industry.
The scope of the IoT market is huge and increasing exponentially in an unprecedented fashion, and security for these devices is lagging way behind. The number of devices rose 30% last year to 6.4 billion and is forecast to reach 25 billion by 2020. Already there are more than 1 million active IoT bots. IoT devices are more vulnerable than legacy computing devices. The industry has spent at least 20 years getting Microsoft, Apple and the various Linux and browser developers to secure the software that formed the core of internet and desktop use. That was a relatively small market and it grew at a manageable rate for security to keep pace.
The IoT industry is riddled with security issues, including speed-to-market, lack of security by design and lack of standards. The growth in IoT is coming so fast that security is overlooked as companies rush products to market. Along with the fast pace of development and adoption, there is homogeneity among platform technologies that makes it easier for malware to proliferate, as well as design constraints that enable ease of use for everyone, including attackers. Devices use low-power chips that have poor authentication and rely on software with inadequate access/user controls that enable arbitrary code (i.e., attack code) to run. Whereas security is baked into Windows and OS X, IoT platforms are wide open. In addition, there are no standards on products, many of which come from China where security and quality standards are dubious. In essence, the global market is being populated with billions of devices that are essentially sitting ducks, waiting for criminals to figure out how to exploit them.
This is becoming evident to governments and lawmakers and there are calls for regulating IoT and creating legislation to address the security problem with IoT. As a result of IoT-related DDoS attacks last year, including one that took major sites offline temporarily, the European Commission is considering new legislation this year that would force companies to meet tough security standards and undergo privacy certification processes.
That scares me. Regulators are rushing to propose rules, but that’s not the answer. Regulations for emerging areas are often ineffective and overreaching. Just look at the Computer Fraud and Abuse Act, which targeted malicious hacking but is so broad that it can be interpreted as criminalizing legitimate security research and even password sharing. In another example the Federal Aviation Administration dragged its feet on regulations for commercial drone use and held that industry back. Not only can aggressive regulation interfere with the progress of an industry, but it’s difficult to change bad laws after the fact. Unintended consequences of poor regulation that hijacks a nascent industry can be worse than the security risks the rules are designed to address.
Rather than hastily adopt regulation that could hinder the development of important markets like IoT, industry groups and major players should work together to address the issues, push security-enabling technologies and create standards. We’ve seen this in other tech areas already. Broadband providers worked within the Messaging, Malware and Mobile Anti-Abuse Working Group community to reduce spam and botnet levels of home internet users. Open Wi-Fi vendors, Cisco, Apple and others have devices that are easy to use, manage and secure out of the box. For IoT, we need secure default passwords, randomly generated passwords and auto-update mechanisms, as well as limited services on the box — security features enabled by unikernels and Android OS. We also need new frameworks and guidelines, such as the efforts from the Online Trust Alliance for an IoT Trust Framework. The DDoS attacks using IoT devices have scared people, and rightly so. But we can’t overreact by regulating IoT, or we risk interfering with a promising and fast-growing market.
Indeed, already the U.S. FTC has taken a market-based approach to IoT security. In the wake of the October DDoS attacks, Chinese manufacturers recalled a number of implicated IoT devices, possibly under threat of legal action. Earlier this year, the FTC also filed a complaint against D-Link for its sale of insecure embedded devices. And in January, the FTC issued the Home Inspector Challenge on securing IoT devices in the field, one of the biggest hurdles in the IoT landscape. These actions all point in the same direction — that the FTC is leading the U.S. government’s role in IoT security in the market (with NIST and others leading the way in technology), and shaping the market without regulations.
These actions are sure to continue, and vendors are sure to respond. What may emerge is a market-led technology foundation more secure than regulations could have accomplished, leading to a more lasting impact, marrying ease of use and reliability together with secure defaults, something consumers are sure to embrace.
Over 175,000 people descended on Las Vegas for the Consumer Electronics Show (CES). The lines were long, the noise volume was high, but one thing that cut through all the clutter was the tremendous number of companies showcasing how near field communications (NFC) technology within their IoT offerings helps brands create a better overall customer experience.
It was the second year in a row that NFC technology and IoT remained a hot topic at CES. So hot, in fact, that NXP Semiconductors’ NFC technology was used in an all-in-one badge to allow CES participants to pre-purchase Las Vegas Monorail tickets and have them directly installed on their CES badges. Not only were CES attendees wearing an NFC-enabled IoT device, but some even had it under their skin, as the editor of Digital Trends had an NFC chip implanted in his hand.
Below are two more of the coolest implementations of NFC and IoT at CES 2017.
- Carnival Cruise Line launched a wearable that allows services on board its ships to be personalized for guests. Called the Ocean Medallion, it can be worn as a necklace, clip or keychain — or carried in a passenger’s pocket. It uses NFC and BLE technologies to connect users to onboard facilities, track meal orders, unlock cabin doors, locate family onboard, buy merchandise and provide gambling platform access. The first ship to feature the system is the Regal Princess. Seventy-five miles (121km) of cables, more than 7,000 sensors and 4,000 digital screens were installed on the ship in 10 days in Italy.
- Smartrac and high-performance blending equipment manufacturer Vitamix showcased how they are using NFC technology to turn a blender into a sophisticated IoT device. The Vitamix Ascent Series blenders put NFC readers into the appliance base and custom-built NFC tags into the containers and cups. The NFC-enabled blender unit can differentiate between containers, i.e., the blender unit will turn on only if you use a compatible container. The NFC solution from Smartrac with self-detect containers can modify program settings, button functions, ramp rates or maximum time settings, making the blender easier to use and providing a great customer experience. A scale along with a recipe app are also included.
NFC, IoT and CES. Three three-letter acronyms that belong together. There were many more NFC and IoT implementations unveiled at CES that showed how NFC can improve the overall customer experience for a product or service. Let me know if you went to CES this year and add a comment or two below about what NFC-enabled IoT product or service you got excited about.
Oklahoma Gas and Electric is to add smart streetlight technology to its smart grid initiative to not only improve customer service and reliability, but also improve system efficiency and reduce energy consumption.
The utility company services 30,000 square miles, most of which is in Oklahoma with a small area in western Arkansas. Using Silver Spring Networks’ IoT platform and smart Streetlight.Vision control software, it will connect and manage 250,000 LED streetlights, building on its 2012 project in which it deployed smart meters to more than 830,000 customers.
“Connecting streetlights and integrating them within our existing smart grid network will definitely add strength to our network,” said Toney Cooper, product development technical planner at OG&E. “Additionally, we will have failure notifications, control and monitoring capabilities, GPS tracking and much improved asset management.”
And, of course, it will help the company better address its number one customer complaint: “The lights are out.”
“In addition to the improved efficiency, better nighttime visibility and extended bulb life of LED, we love the fact that this new technology allows us to know before our customers that a light is out,” Cooper said. “It gives OG&E an opportunity to be proactive on the maintenance side.”
During Hurricane Matthew, Silver Spring Networks customer Florida Power & Light restored 90% of affected residents’ power — more than 1 million customer interruptions — in less than 48 hours, and prevented approximately 118,000 service interruptions using Silver Spring Networks’ technology. OG&E looks forward to the same benefits, Cooper said, especially given the unpredictability of Oklahoma’s spring weather.
Brandon Davito, VP of smart cities at Silver Spring Networks, said pre-deployment planning and design for the project are currently underway, and three pilot projects in Oklahoma City and Moore, Oklahoma, demonstrate the benefits of intelligent lighting to city officials and the general public.
“Vision-controlled intelligent lighting systems will help significantly enhance the quality of service and reliability for OG&E customers, improve the speed of streetlight restoration response in the event of outages, and help drive increased system efficiencies and lower energy consumption through dimming and adaptive controls,” Davito said.
While Cooper said no additional smart initiatives are underway as of yet, connecting the quarter-million smart streetlights affords OG&E the opportunity for easier adoption of future smart projects.
“We have seen cities with streetlights use the infrastructure as a foundation to showcase immediate results and benefits,” Davito said. “But that can also be used to deploy more advanced services and applications over time — including traffic control systems, smart parking, electric vehicle charging, energy and water metering, environmental and pollution sensors, adaptive outdoor lighting, motion-sensing applications, waste management and other sensors to leverage a common network, control and data platform.”
In addition to OG&E, Silver Spring Networks has announced smart streetlight projects with Baltimore Gas & Electric, ComEd and Pepco Holdings, Inc., and has partnered with Florida Power & Light on what Davito said is believed to be the largest smart streetlight project in the world, totaling nearly 500,000 smart streetlights in Miami and South Florida. The company also has smart streetlight projects in Copenhagen, Glasgow, London, Paris, Providence and Stockholm.