Historically, businesses have been able to treat user consent purely as a risk management exercise, something they have to do simply for privacy compliance. However, the rise of the internet of things combined with a fast-changing regulatory environment means this mindset needs to change — and soon.
A fast-changing landscape
The move to a genuine “internet of things” is undoubtedly going to be the next major phase of digital transformation, one that will lead to a wave of new business models, services and behaviors. However, IoT brings one change that is not often discussed: the fundamental reshaping of our interaction and consent options.
The classic web and mobile models of gathering permission will simply not be practical for the IoT era. A huge range of IoT devices and services will be accessed and operated without the use of a conventional interface, raising major questions regarding how we can properly manage user consent and data privacy.
Regulations like the EU’s General Data Protection Regulation (GDPR) make consent an increasingly important value, one that goes far beyond basic “data protection.” The GDPR, which will impact any business that operates in the European Union or that sells to EU citizens, requires organizations gathering consent from individuals to make consent as easy to withdraw as it was to give. In practical terms, this means it had better be a convenient and pleasant experience.
More broadly, businesses need to change the way they think about consent in order to build — and maintain — trusted relationships with customers. The increasing digital transformation of business puts pressure on personal data to flow farther and faster. However, consumers are increasingly sensitive and savvy about their personal data — and will not be slow to take action if they feel they are being taken advantage of.
So, what’s the solution? We must imagine a positive new approach to privacy and consent, one that takes a holistic view of the individual-business relationship based on a balanced view of risk management and business aims. Often “user consent” is optional according to the letter of the law. To succeed in building trusted digital relationships, we must be bold about taking that option — lean in to consent! We cannot be trustworthy if we don’t act trustworthy. Luckily, with new “consent tech” that puts the user back in control, it’s possible to live up to this vision.
As an industry, we need to recognize a more comprehensive paradigm for consent and permissions that can guide the evolution of our digital consent strategies. Personal data should be thought of as a joint asset, something that is valued by both users and service providers. Users do want to take advantage of the features and benefits of smart devices. However, they also want control over their own data — and control sometimes means sharing for personal benefit.
Imagine all the ways in which an Airbnb host wants to be in charge of selective sharing, not just of smart-home device data, but also device functions. If you are renting out your spare room or apartment for a series of short-term tenants, you will probably want to share limited access to certain devices or services with your renters for the duration of their stay, and then revoke that access when they have left. And with smart beds and connected cars part of today’s landscape, both device owners and renters have an incentive to ensure that data is associated with the correct “body” and shared only with correct parties. As the sharing economy becomes increasingly mainstream, companies should be building this kind of relationship-focused identity and permissioning control into all of their services.
In a professional context, where connected assets such as a police car or body camera might be used by different officers throughout the day, this is even more important. For instance, it might be necessary to check the data from these assets to investigate specific events. Doing this accurately requires the ability to associate the right car or camera with the right officer at any given time. The ability to associate and disassociate human and device identities seamlessly is critical to making this work effectively.
Among privacy advocates in the healthcare sector there’s a saying: “No data about me, without me.” This should become the core principle for IoT players as well. An identity-centric approach to security and privacy is key to making this possible. You have to be able to look at the relationships between people, devices and services and make adjustments accordingly.
As founder and chair of the working group for the User-Managed Access (UMA) standard at the Kantara Initiative, I have been working to innovate a way to give individuals a unified point for controlling who and what can get access to their cloud, mobile and IoT services. The essence of the UMA approach is that organizations need to be focused on delivering convenient control for users.
Trust is essential for businesses and users reaping the advantages of IoT and in fact all facets of digital transformation. The businesses that can prove their trustworthiness will reap the benefits in the form of better customer relationships and greater insight into user need.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
Internet of things solutions are constantly evolving and producing massive amounts of data at an unprecedented rate. In order for these products or services to be successful, they require a cloud-based monetization engine to handle the avalanche of information that IoT provides. But while most billing applications these days claim to be cloud-based, not all “clouds” are created equal.
So how can companies ensure that they are marrying their IoT initiatives with cloud-based billing engines that drive meaningful ROI over the long term? Here are four essential characteristics every company should consider:
1. Monetization from the start
In 2016, it was apparent that the monetization of IoT still tended to be near the bottom of a company’s IoT checklist. Still focused on IoT hardware, many companies had been fixated on how to bring their smart devices to market rather than how to make money off these products over the long term. The ability to quickly integrate and adapt IoT-specific business models is set to reach a major tipping point in 2017. To ensure that an IoT device will not just be profitable months from now, but also years from now, a monetization model needs to be at the forefront of a company’s IoT plan. By doing so, organizations will be better suited to articulate ROI on an initiative and understand how it impacts the entire business.
Most IoT solutions are inherently elastic. With sensors everywhere, companies can see huge spikes in event volumes. As IoT solution providers monetize these events, they need a solution that easily adapts to these demands. This is where the elastic cloud comes in. An elastic cloud architecture dynamically monitors system demand against current capacity, automatically adjusting system resources to address demand. The beauty of this solution is that it allows companies using cloud solutions to only pay for what they consume when they consume it. There’s one catch: just because something is hosted in the cloud does not mean it is engineered to leverage the benefits of elastic compute. As IoT companies evaluate solutions, they need to make sure they’re only paying for what they need.
The only certainty in business is that business will change. Translate that into requirements for a billing solution — companies need to rely on a solution that will be adaptable and flexible to their business. In evaluating cloud solutions, some service providers will offer you a “black box” solution that requires a company to adapt its business to the black box capabilities. These solutions are typically cheaper and can be implemented faster. Unfortunately, these solutions are unable to adapt to most businesses as they grow and become increasingly more complex. Ideally, a cloud-based solution should offer 90% or greater “out-of-the-box functionality” and provide a highly configurable and extensible product that allows for the solution to continually evolve and adapt to a company’s needs.
4. Technology abstraction
Like death and taxes, technology evolution is inevitable. It’s been happening for decades and isn’t slowing down anytime soon. The question is, how can companies prepare for what’s ahead? When deploying a monetization platform, consider a solution that is not dependent on one technology platform, one ecosystem or one provider. Seek out a billing platform that is cloud-agnostic, for example. This allows a business to have geographic flexibility and the ability to work across all providers such as Amazon Web Services, GE Predix, IBM Bluemix and others. In this model, companies are given the diversification and abstraction from technology allowing them to rest well knowing their solution will not vanish.
In summary, it’s important for businesses to know what to look for when making mission-critical infrastructure decisions that will stand the test of time. Being able to identify and define the key characteristics of a cloud-based monetization engine will help ensure that a business is set up for success for not just today, but for years to come.
The age of the dinosaurs came to an abrupt end with the arrival of a large meteor. As the huge reptiles died off, the quicker, nimbler creatures adapted and rose up. Today’s digital transformation of business and government is having a similar effect, making short work of organizations that do not evolve rapidly. CEOs must quickly define where their organizations can compete for success and lead them on that journey. If they can’t — or won’t — change, they risk fading away like the dinosaurs.
Transformation at the speed of digital
If digital transformation is the outcome of the digital revolution, leaders must position their companies to ride this digital tidal wave. Operations technology (OT) isn’t going away, but a rise in the convergence of information technology (IT) and OT infrastructures means that evolution is necessary to survival.
Leading analyst group IDC predicted that IoT will be a $7 trillion industry by 2020. This is a tremendous growth trajectory with significant implications. According to a recent study, 40% of companies at the top of their industries will be replaced in the next ten years. Yet, the same survey found that 45% of respondents do not think digital disruption is worthy of attention from their organization’s board of directors.
Digitization presents both danger and opportunity. No industry is immune.
Netflix has been able to capture the online streaming content subscription market as traditional brick-and-mortar video rental stores are rarely seen today. So would you rather be a Netflix or a traditional video rental store? It is important for industry leaders to plan for digital transformation proactively instead of reactively. Nearly 30% of businesses worldwide have already begun limited IoT deployments, according to Strategy Analytics’ 2015 IoT Deployment and Usage Trends Survey. Organizations cannot wait for change to overtake them. If they are not prepared and have not set up the infrastructure to adapt quickly, change could sweep them away.
IoT opens up new worlds of possibilities because organizations now can extract data from network connected devices and sensors — data that was never available before. Insights from this data can add enormous value to organizations, but they must reshape their current infrastructures in order to use their data effectively. And they must hire and train the right people to bring their digital change strategies to fruition.
In the IoT age, part of the infrastructure reshaping means that silos cannot remain. IT and OT were once separate and did not often communicate with each other. Now they must come together. It’s a huge and critical step in the digital journey.
However, it’s easier said than done. Most organizations don’t know how to merge IT and OT. At this point in the evolution of the industry, many IT and OT professionals do not fully grasp converged IoT networking. Industrial IoT security adds another challenge, as do endpoint data management and analytics. And it remains to be seen how all of the preceding will add value to their organizations. How will it lead to new business models? Or new services and revenue sources?
Both new talent and the right training to update the skills of existing staff will be required to find answers to these questions. The World Bank predicts that over the next decade, there will be 2 million unfilled information and communication technology-related jobs worldwide. There will be a global need to train 220,000 new control engineers every year for manufacturing plant operations alone.
The IT department is better positioned to take the lead in the digital journey due to its historic role of information processing. Data from IoT-connected devices is just one more information stream to parse, interpret and monetize. But IT must collaborate with OT during the transition.
Here’s a real-world example to underscore the need for this collaboration. A steam valve system that controls water flow through a cooling apparatus has and will continue to operate within the OT domain. However, manual intervention had been required to take its readings and make decisions. Now, in an IoT environment, the data is collected, analyzed and acted upon via the interconnected network and IT software that monitors all of the valve systems’ parameters. Therefore, data generated from these OT managed devices and sensors is delivered across the IT system to take critical, real-time action to maintain or drive to specific parameters.
Benefits and challenges of the IoT
In the long run, IoT data analysis leads to new revenue opportunities, which all departments will benefit from. What organizations must avoid is a scenario where their IT and OT departments never talk to each other, each working in silos. If both departments build networks that exclude the involvement of the other, the organization can incur unnecessary costs and reduced efficiency.
It doesn’t have to be this way, and for companies that want to survive, it can’t. In a major cultural shift, OT executives must align with current IT initiatives in addition to breaking out of existing silos. It is a tall order because OT executives are facing a major talent gap, in addition to a lack of process or any industry-recognized talent framework for IoT job roles and related trainings and credentials. Insufficient staffing and lack of expertise are the top-cited barriers for organizations currently looking to implement and benefit from IoT, according to research from Gartner.
A successful journey arises from two factors.
Leadership is the first one. Digital champions need to be installed in every organization that wants to thrive. These leaders will have a firm IoT vision and the enthusiasm to motivate employees to make transformational changes in systems and processes. Companies that take bold actions to align their value proposition, capabilities, products and services together view their culture as their greatest asset.
The second factor is current skills. Time after time, CEOs report that key skills are a top concern. Both IoT and OT require digital expertise, and training staff for this is essential for organizations to avoid the proverbial meteor and thrive.
The old-school silo approach is the fastest approach to extinction these days. To avoid the fate of the dinosaurs, organizations must embrace digital transformation in a way that coordinates IoT with the OT and IT departments.
Today’s cities, factories, power plants, oil rigs, hospitals and industries are changing. The rise of the industrial internet, big data and other trends is reshaping how industrial companies need to identify, hire, skill and manage talent.
Much is being discussed about digital transformation today given the rising importance of the internet of things. However, this is a broad category. The focus of our work and this paper is on the industrial internet of things, and IIoT is still a large ($225 billion) space with unique challenges and complex issues.
It’s important to realize that this process of digital transformation looks very different at an industrial company versus a pure technology company. The ideas of technological speed and agility are evolving concepts in the industrial world. The industrial sector is just beginning to embrace more digital elements in order to compete successfully in the current era. Shifting the culture of an industrial company to more quickly adopt and embrace digitization will be one of the biggest factors in a successful transformation.
Where to begin?
Thinking about digitally transforming your organization can be overwhelming, so it’s best to start simply. Ask yourself and your leaders a few key questions:
- Where do you see your current business model potentially getting disrupted by digital?
- Where do you have new opportunities for growth using data and analytics?
- Where do you have opportunities inside your company to better leverage digital in a way that directly benefits your customers?
Use these insights to formulate a vision and explore another set of questions often forgotten or understated:
- Do you have the talent in your organization today to fulfill this vision?
- What is your culture (the unwritten norms that exist) today and where does your culture need to be?
- Do you have a talent/organizational ecosystem (e.g., organizational structure, compensation, benefits, rewards) that will attract and retain talent?
- Is your vision compelling enough to attract top IoT talent that wants to work on cutting-edge solutions and advanced technologies?
Many of the top industrial internet talent magnets are working on meaningful problems that are changing how the world works. Articulating this value proposition to potential candidates is crucial to success.
The right talent
People are the key differentiator in successful digital industrial transformations. It is critical to acquire talent that has grown up in tech and is comfortable with agile methods of process, as well as an agile culture. But it’s also important to bring in the right talent at the right time. I like to think of this change involving a “first” and “second” generation of talent.
In the “first generation” of your digital transformation, look for talented disruptors, similar to those who might be part of a startup. This initial stage also requires a safe environment for experimentation, without pressure to deliver immediate results or implement across entities. You need to expect that some things may fail and that needs to be okay. This seeds a culture of taking chances and learning from what works and doesn’t work. Pick a few big problems and begin experimenting. GE Digital initially formed as a Software Center of Excellence, away from other business units, in order to create the initial proof of concept (POC) of what became Predix. By taking this incubation approach, we were able to learn fast, apply the platform to internal business use cases and build a successful POC before going to market.
As your business matures in its digital industrial transformation to what I call “second generation,” you need people who know what it means to disrupt, as well as what it means to scale. Talent at this phase should meet the organization where it’s at, while also pushing progress forward. This talent profile has typically worked in multiple startups and at large companies. Ideally, they bring experience of being acquired and spending time at the acquiring company. Bottom line: this talent knows how to juggle the demands of a startup in a larger company environment.
At every phase of your digital industrial transformation, it is critical to give your key talent permission to disrupt, push back and question how things are done. By talking with each other, digital talent and industrial talent can learn from each other — and both get better.
Digital natives and digital migrants
So who are the right people to accelerate digital industrial transformation in your business? It should be a healthy mix of external and internal candidates, which can be referred to as “digital natives” and “digital migrants.”
A digital native has spent his or her entire career in technology and has experienced — and more likely participated in — tech disruption. Digital migrants are industrial by background but are now starting to learn the principles of agile development in a digital environment. Both are critical to the success of the modern, digitized industrial company. A recent Industry Week article by Jens-Thomas Pietralla and David Finke analyzed the psychometric profile of a productive disruptor versus a traditional industrial leader and supports the rationale for why both personas are needed to successfully transform traditional industrials to digital industrials.
Within the industrial organization, the goal is to nurture and develop a cadre of digital migrants as part of the existing workforce while attracting digital natives into a new kind of workplace. Digital natives coming to an industrial for the first time need to understand the end-customer and the larger, industrial ecosystem, while having an appreciation for a matrixed organization.
Digital migrants should have high learning agility, systems thinking, empathy and coaching skills. Typically, they serve in a translator role, understanding enough about both the digital natives and the current workforce to educate and coach both groups, becoming true advocates for transformation. Cross-functional leaders from finance, HR, manufacturing and engineering are great candidates for becoming digital migrants.
Change is difficult. It always is. But this is not an ordinary change — this is transformation. It requires a strong vision, leap of faith assumptions and a fierce protection of the new idea you are incubating, lest it be choked by the inertia of the existing culture.
Incoming leaders must assess what the cultural values are for the company today, and strike a balance between that existing culture and integrating new talent who can teach and bring the company and its culture further along.
My own personal example helps bring light to this concept. When I joined GE Digital four years ago (when it was a software center of excellence) to lead the HR function, I came from 11 years in one of GE’s largest industrial businesses — GE Aviation. As one of only a handful of traditional industrial employees in the software business, I initially felt like an outsider. Over time, I became a “digital migrant” among many “digital natives.” Success required learning from digitally experienced and minded colleagues while incorporating their insights into the larger GE world — embracing change and innovation, while also protecting what is best about GE. This process is ongoing, but I believe that the digital and industrial worlds have a lot to learn from each other.
The growing trend of digitization is impacting no sector more profoundly than the industrial, a fact that I live every day. The digital transformation of industrial organizations requires sweeping changes to how the company identifies, hires, skills and manages its talent. Ultimately, the digital transformation of industrial organizations requires the full alignment and buy-in of corporate culture and its leadership to bring them into the digital era.
A decade ago, spurred by his concerns over the amount of waste plastic utensils created, an entrepreneurial Indian scientist had this idea: Why put in the landfill what you can (nutritiously) put in your stomach? So Narayana Peesapaty decided to invent an edible spoon, and last year his creation finally gained traction thanks to a viral video and his considerable determination.
There is much that the smart city can learn from this venture.
Consider that in 2014, according to an EPA fact sheet, Americans produced 33.2 million tons of plastic; and though around a third of that was recycled, that’s mountains of waste going into landfills. While Peesapaty’s approach, though admirable, won’t scale to address the sustainability needs of entire cities, it is an object lesson in how those issues can be addressed in — you might say — bite-sized chunks.
The internet of things will empower smart cities to achieve widespread sustainability in those discrete chunks. Indeed, it is in the very nature of IoT-driven smart solutions to reduce waste, eliminate unnecessary infrastructure and create cost savings in the process.
The key to this sustainability is the networking capacity of IoT sensors and the ability to analyze and act upon the data they provide, both of which produce a cascade of benefits. Consider what can be accomplished simply with networked waste receptacles:
- Because they are discoverable with mobile devices, residents and visitors to cities can be directed to the nearest one to either dispose of or recycle their waste.
- The receptacles can monitor their own capacities and alert the waste collection agency when they are nearly full.
- The agency can then tailor collection routes to only service those receptacles, reducing the amount of fuel consumed by trucks.
- Since the trucks can be equipped with sensors as well, they can automatically deliver waste and recyclables to the appropriate processing facility when they’re full, eliminating wasted trips.
- Because the system helps divert recyclables from the waste stream, it extends the usable life of a landfill.
This domino effect on sustainability can be replicated within almost any smart solution. Smart lighting and utility metering reduce demand on electricity, saving money and allowing larger populations to be served without increased generating capacity. Electronic ticketing not only reduces paper waste but, by eliminating ticket vending machines, allows for unhindered access to transit services, reducing journey times and energy costs.
There are also more passive ways IoT allows smart cities and businesses to affect sustainability and meet environmental regulations. Air quality can be monitored and adjustments made or alerts sent out as necessary. Sites where illegal dumping has occurred can be monitored remotely, and law enforcement alerted when more takes place. Utility usage in public buildings and other infrastructure can be tracked, providing data that can be used to determine where to invest in energy efficiency, or possibly alerting to situations like leaking water pipes or unauthorized access.
Key in all of this is the fact that sustainability benefits are frequently ancillary to other IoT implementations; they’re a bonus, in other words. Networked smart meters, for example, are not generally installed by utilities because they will cut down on fuel costs since no one has to drive around reading them; they’re installed because the ability to holistically monitor the system enables more rapid response to problems and more effective maintenance.
Edible spoons are an imaginative approach to a serious sustainability challenge; they are, in their own way, a smart solution. But when cities apply IoT to the larger challenges facing them, they will broadly improve sustainability across the urban ecosystem while implementing solutions that improve the urban experience.
Whitfield (Whit) Diffie is a giant in the crypto world.
Whit sat down with Rubicon Labs for an extensive Q&A interview that we publish as the mammoth RSA Conference gets underway this week in San Francisco. The interview also coincides with the 40th anniversary of the publication of “New Directions in Cryptography.” The paper, co-authored by Diffie and Martin E. Hellman, laid the groundwork for public key cryptography, set the stage for the broad adoption of the internet and made e-commerce not only possible, but safe. The pair were named 2015 winners of the prestigious Turing Award, widely considered the Nobel Prize of Computing.
In part one of this two-part edited Q&A, Whit weighs in on the privacy risks in an unprotected IoT world, tells why it’s better to build a bank vault than hire a guard service, why using GPS to track truck drivers is an invasion of their privacy and shares why he doesn’t own a Nest thermostat. Part two of the Q&A will be published tomorrow.
At the 2017 RSA show there will be a lot of attention focused on products that detect intrusions and malware. Are these good investments in your view?
If the amount of money spent on antimalware were spent on something else, it would be better. The malware industry depends on the problem not being solved. Protecting against malware is like hiring guard services to protect something valuable.
Are you saying that more investment should be put into secure software rather than into detecting flaws in the fingerprints of malware?
Yes. That is what works with crypto and it also works with bank vaults. Almost nobody gets into bank vaults.
But, the software industry wants to run incredibly fast.
Well, yes, that may be an intrinsic problem. There are a whole bunch of fans of a moving-target strategy and I think they are mostly wrong. And I parody what they say as “let’s keep everything jumping and hope it confuses the opponents more than it confuses us.”
Back when you co-created public key cryptography in the 1970s, did you in your wildest dreams ever imagine state-sponsored cyberattacks, ransomware or the Mirai viruses of today?
That was simply not a direction for crypto that I thought about in the 1970s. I knew about breaking into systems, but I didn’t so much think about system security as much as crypto security. My goal at the time was to secure the North American phone system because my collaborator Martin Hellman and I lived in North America, there were 100 million landline phones, lots of people, and there was just a sense of scale that we could achieve.
With the explosive growth of IoT devices, what are your biggest concerns?
My biggest concern is probably what is going to be built in an IoT device to snoop on everybody.
So you’re worried about “Big Brother” in your kitchen or living room?
I’ve believed for decades that human freedom cannot stand the decline in human communications. And I think this is just another sign of it. Truck drivers had a very independent job a generation ago. And now they are being watched by GPS all of the time. A generation ago, loosely speaking, a truck driver’s boss would say, “Here we are in Maine, get this to San Diego in a week.” And they wouldn’t know or even much care if he stopped to pick up some other stuff and went a little out of the way to take it to somebody. And, presumably now that is essentially impossible because they know where the drivers are every second. This is sort of an attack on privacy.
How do you mean?
Let me give an example on the other end of the spectrum. In the year 1800, the president would assign military generals and say, “Go take care of this problem,” and a year later he would either reward them or court martial them. The notion that the president — or in this case a company — is entitled to immediate control is one of the greatest security threats to the United States because presidents have a vision but not direct knowledge of a given situation.
Should people really be connecting all of these IoT devices in their homes or, would you say, the best thing to do is airwall gap your house so you have as few connections as possible?
You probably really don’t have a choice about it. I’m not sure you can fight these things, depending on how you can isolate your house. The truth is you may want to talk to the web and see the TV, etc. Look at Nest as an example, people want their thermostats viewed. They want to look over and see how the house is doing or turn up the heat because they are coming home from somewhere.
So would the father of crypto have a Nest in his house, and would you be concerned about privacy with smart thermostats?
I considered getting a Nest, but not for its communications features. No, the last time a thermostat broke, I went down to the hardware store and there was one on sale for $25. I didn’t buy a Nest because I needed a new thermostat and there was one that cost 1/10 as much.
Should the burden be on the manufacturer to provide security for IoT devices?
Well I’m sure it should, but that doesn’t mean anything. In the first place, the basic principle of the world is that the more power you have, the more responsibility you have. But, the fact of the world is that the more power you have the first thing you do is try to negotiate your way out of responsibility. All sorts of things — including companies — that are tremendously powerful, in fact, in the end have very little responsibility.
Why do you think there are so many problems with securing IoT devices?
Most people think they can build something and then secure it later. It is obvious why they think that, because it is hard enough as it is to build it without security in it. So to tie your hands by insisting that it be secure at every stage of the operation will mean that someone else will beat you to market. Microsoft is the perfect example. That seems to be a basic problem of how we develop things fast and sacrifice the quality of the software.
What are your thoughts on hacking cars via over-the-air software updates?
Why you should be able to update it over the air or by radio is not clear to me. It is clear why it gets them into security problems.
The internet of things isn’t coming, it’s already here. New healthcare, industrial, home and personal devices are being connected every day, right under our noses. Gartner predicts that by 2020, nearly 21 billion IoT devices will be online. Yet as exciting as this explosive growth may be, it also brings new challenges — and chief among them is security.
As the adoption of IoT grows we are witnessing major security incidents. The Mirai botnet, for example, was able to hijack thousands of connected home devices and launch distributed denial-of-service attacks that knocked out large portions of the internet.
As more IoT devices come online, such attacks — and potentially more dangerous ones — seem inevitable. Keeping them from becoming commonplace will take new approaches to online security, and one of the more promising solutions that’s under research right now is rooted in blockchain.
You’ve probably heard of blockchain if you’ve looked into any of the various digital “cryptocurrencies,” of which Bitcoin is the best known. The success of these currencies has inspired a number of researchers to start applying blockchain technology to other applications, including to help secure IoT.
Without getting into all of the complex computer science behind it, a blockchain is a kind of distributed database that acts as a distributed digital ledger for transactions. With cryptocurrencies, for example, blockchain keeps a record of every time the digital cash changes hands.
What makes blockchain interesting to security researchers is that once it is created, a blockchain is immutable. By the nature of its design, blockchains are inherently resistant to modification of the data. Once the data is recorded, the data in a block cannot be altered retroactively. Any attempt to corrupt and modify the data instantly raises a red flag, because the validity of the blockchain is constantly verified and corrected using cryptographic algorithms and multiple distributed data records. The blockchain is itself secure and difficult for a person or a group of people to hack, making it an ideal tool for data security applications.
The distributed and decentralized nature of blockchain-based technology also makes it a natural fit for helping secure IoT. IoT itself is a fundamentally distributed system composed of countless devices, any of which might jump on or off the network at any given time, making it a poor fit for centralized controls.
Who (or what) goes there?
So how can blockchain help secure IoT? One way is through blockchain-based identity and access management systems. The idea is to use a private blockchain to store cryptographic hashes of individual device firmware, creating a permanent record of device configuration and state. This record can then be used to verify that a given device is genuine and that its software and settings haven’t been tampered with before allowing it to connect to other devices or services.
Such systems can be an effective defense against IP spoofing attacks like those launched by later versions of the Mirai botnet. Because blockchain can’t be altered, devices that attempt to connect can’t disguise themselves by injecting fake signatures into the record.
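The firmware-hash record described above, sketched as an added example that is not from the original article: a single-node hash chain in Python stands in for the private blockchain (consensus and replication are left out), and the class, function and device names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str      # digest of the preceding block: this is the "chain"
    device_id: str
    firmware_hash: str  # SHA-256 of the firmware image registered for the device

    def digest(self) -> str:
        fields = [self.index, self.prev_hash, self.device_id, self.firmware_hash]
        return sha256_hex(json.dumps(fields).encode())


class FirmwareLedger:
    """Single-node, append-only hash chain; consensus and replication omitted."""

    def __init__(self):
        self.blocks = []

    def head(self) -> str:
        return self.blocks[-1].digest() if self.blocks else GENESIS

    def register(self, device_id: str, firmware: bytes) -> Block:
        block = Block(len(self.blocks), self.head(), device_id, sha256_hex(firmware))
        self.blocks.append(block)
        return block

    def verify_chain(self, trusted_head=None) -> bool:
        # Every block must commit to the digest of the one before it.
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            if block.index != i or block.prev_hash != prev:
                return False
            prev = block.digest()
        # Links alone cannot expose an edit to the newest block; comparing with
        # a head digest held elsewhere (here: by the verifier) can.
        return trusted_head is None or hmac.compare_digest(prev, trusted_head)

    def admit(self, device_id: str, measured: bytes, trusted_head: str) -> bool:
        """Allow a connection only if the ledger is intact and the hash matches."""
        if not self.verify_chain(trusted_head):
            return False
        # Latest record wins: a firmware update is a new block, never an edit.
        for block in reversed(self.blocks):
            if block.device_id == device_id:
                return hmac.compare_digest(block.firmware_hash, sha256_hex(measured))
        return False  # unknown device


def build_sample_ledger() -> FirmwareLedger:
    # Constructed sample data; device names and images are made up.
    ledger = FirmwareLedger()
    ledger.register("cam-01", b"camera firmware v1.0")
    ledger.register("lock-07", b"lock firmware v2.3")
    ledger.register("cam-01", b"camera firmware v1.1")
    return ledger


def tamper(ledger: FirmwareLedger, index: int, firmware: bytes) -> None:
    # Simulates a retroactive edit of a stored record, for the integrity check.
    ledger.blocks[index] = replace(ledger.blocks[index], firmware_hash=sha256_hex(firmware))
```

The `trusted_head` argument stands in for the copies of the ledger that other nodes hold; without it, an edit to the newest block passes the link check. The measured image also has to come from a measurement the verifier trusts, since a device that reports its own hash can repeat the expected value.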
Another application for blockchain to secure IoT is as a directory for device and service discovery. The advantage over other discovery mechanisms is that, because a blockchain is distributed and cryptographically verifiable, it’s less vulnerable to man-in-the-middle attacks and other exploits. By comparison, not only could centralized controls or intermediaries be compromised, but they also limit the ability of the IoT network to grow and reconfigure itself organically.
Putting the pieces in place
While this is all exciting stuff, it’s still too early to say definitively that blockchain will be a major component of IoT in the near future. This is a new and evolving area. There is much work to do in the way of industry standards to make IoT security systems from multiple vendors interoperable.
It should go without saying that blockchain-based security is no panacea, either. Early versions of Mirai relied on simple vulnerabilities like weak passwords and well-known default passwords to compromise devices, some of which were baked into firmware. IoT will never truly be secure until manufacturers accept greater responsibility for locking down their devices and adopt highly secure technologies such as blockchain.
Hardware, however, is only part of the equation. As IoT evolves toward greater autonomy, the need for innovative, end-to-end systems that can secure this new type of network environment becomes increasingly urgent. Blockchain, while still an emerging solution, is one of the more intriguing technologies with potential to set us down that road.
Technology advances like the internet of things, big data and cloud-based services have generated an explosion in the number of IP connections. To keep them secure, all connections must be underpinned by basic cybersecurity measures comprising cryptographic keys and digital certificates that are tracked and protected.
When an enterprise fails to apply these basic security measures to its assets, it risks leaving whole systems vulnerable to attacks.
A 2016 report by Gemalto and the Ponemon Institute found 92% of businesses encrypt just 75% or less of their sensitive and confidential data when it is sent via the cloud. The proportion of respondents that encrypt data stored in the cloud was even lower at 40%.
Encryption in the cloud
Encryption is one of the most basic methods for securing data, yet many companies make the mistake of failing to encrypt sensitive information. If they did, only authorized users with a matching key would be able to see private documents and information in the event of a breach.
Data stored in the cloud is often not within an organization’s control. Instead, it may rely entirely on best security practices by third parties. Unfortunately, with third parties it is almost impossible to guarantee that best practices will be applied. Trends like shadow IT are increasingly putting organizations at risk. According to Gartner, one-third of security breaches will come in through shadow IT services by 2020. Also known as bring your own app (BYOA) or bring your own cloud (BYOC), shadow IT is in direct conflict with enterprise data security.
The growth of bring your own device (BYOD) in the workplace means employees may be tempted to use their own cloud-based apps to store or share customer data with colleagues. The result may leave sensitive company data vulnerable with only the strength of an employee’s password to protect it.
Virtual private networks
A simple way to protect data stored in the cloud is with encryption using a VPN tunnel. A VPN enables remote off-site employees to create an encrypted, end-to-end connection with their company network and transfer data securely regardless of their location or the application they are using.
In summary, failure by cloud providers, enterprises and employees to implement basic security measures when handling sensitive cloud-based data is a major contributing factor behind many of the high-profile breaches reported in the media.
With more employers allowing employees to use their own cloud-based apps at work, the risk of sensitive data being leaked is set to increase. Using a VPN will keep company data private and secure whenever it is transferred to and from the cloud.
At IoT Evolution Expo in Fort Lauderdale, Fla., one question that emerged repeatedly was how best to build IoT infrastructures that can then be leveraged for new uses, uses that we haven’t necessarily yet devised. Speakers mentioned commercial lighting systems, traffic control signal systems and of course cellular data networks, with particular focus on the emerging wider-area, lower-data-rate standards.
Smart lighting, for instance, means wirelessly connected lamps. At a panel in a track on connected buildings, two representatives of the commercial lighting business argued that, in a commercial lighting installation, the lighting is the least of it. The lamps that replace traditional, higher-energy bulbs have computing and radio components built into them and thus get networking components onto shop floors and the like without explicitly creating a traditional IT network.
A lightbulb went off
Kaynam Hedayat, vice president of product management at Digital Lumens, said companies “can increase energy savings up to 95%.” As compelling as that might be (and, one should note, some eyebrows in the room went up at that figure), both Hedayat and Don Barnetson, chief product officer of Lunera Lighting, Inc., argued that selling lighting for a living is a loser’s game. That’s primarily because new lamps based on LEDs rather than hot filaments last 10 to 20 years, so each sale is effectively a one-time affair, rather than an ongoing series of replacements.
“The lighting is the way we Trojan horse a wireless infrastructure onto the shop floor,” Barnetson said, to agreement from Hedayat.
This leaves the question of how the infrastructure works and what you’re able to offer in the way of services across that infrastructure once it’s there. Options Barnetson and Hedayat discussed included interior location services using Bluetooth beacons built into the lamps, collecting sensor data from devices other than lighting and providing highly granular control over HVAC systems.
Wireless IoT comparisons
One clear takeaway from IoT Evolution Expo as a whole is that there isn’t particular agreement over which wireless infrastructure makes the most sense.
Digital Lumens uses a customized (and therefore not standard compliant) Zigbee mesh network. Lunera uses Wi-Fi. Each has its benefits and downsides, but one striking downside for the mesh approach is the degree of bandwidth used merely to administer the mesh itself. Many of the sessions at IoT Evolution Expo took it as a given that cellular connections were the answer for most IoT applications. But cellular has considerably higher costs for the hardware along with ongoing network data costs.
The range of options for cellular connections is evolving, however. In a keynote presentation at the event, KORE CEO Alex Brisbourne said that the emerging LTE “categories” at lower data rates will make cellular connections for lower-cost devices economically feasible. “We’re starting to talk about ubiquity and very, very low cost,” Brisbourne said. “More importantly, you’re starting to build networks with relatively low latency. So LTE is a way of taking us up the chain to the richer applications, the ones that are being hosted in clouds, where we really want to have richness of content.”
As Brisbourne sees it, the highest volume of IoT transactions will be coming from consumer devices that only very occasionally check in with the network. “These devices may only need a signal out to them once a week or even once a month. Those kinds of requirements need devices that are extremely low cost, that can get on and off the network easily, running on very low power.” For this, Brisbourne favors NB-IoT.
But while there was interest in low-power, low-bandwidth connectivity options in some sessions, in others it was clear that enormous data streams would be generated by each machine on a shop floor, or by hundreds of sensors in a building, or from individual connected autos. Pavel Cherkashin, managing partner at GVA Capital, argued in a plenary panel on the financial dimensions of IoT investment that “most of the world doesn’t have the throughput at the level that we need it. Core communication technologies are going to have to be reimagined.”
For many companies, the internet of things has suddenly become the thing: a techno-competitive mega-trend that can no longer be ignored. However, creating an effective IoT strategy — and carrying it out with excellence — can be difficult and confusing.
In a recent survey, all CEOs in the Fortune 500 were asked, “What is your company’s greatest challenge?” The top answer was, “The rapid pace of technological evolution.” IoT is a prime example of this rapid technological evolution. Keeping abreast of this pace, and meeting it with the talent required to navigate it, is no small undertaking, but success in the process will define the parameters of technology competition over the coming decade.
Innovation programs are historically the vehicle that protects against internal stagnation and external irrelevance. However, the larger an organization gets, the more difficult it becomes to innovate outside of historical core competencies and market-facing product lines, both of which are common with IoT.
The global trend of the increasing need for smart connected products and services poses a number of challenges to traditional internal corporate innovation programs. These include:
- An unprecedented competitive landscape. With the rapid pace of technological change, it’s never been easier to create a technology startup company that anticipates user needs before they are well-articulated and disrupts an established market player. If you don’t understand the why, then the how doesn’t matter. With the internet of things, often the why — and the corresponding response behavior of the competitive landscape — is elusive.
- A heavy dependency on cross-divisional collaboration. The internet of things requires cross-divisional collaboration that many companies are not used to. By definition, developing a connected product implies an ongoing service that requires support, manufacturing integration, and a new sales and marketing strategy that transcends traditional corporate walls. Often this cross-divisional collaboration results in the formation of several new ecosystems in what had been a traditionally laid out corporate ecosystem.
- A rapidly expanding digital ecosystem of products, services and data. Creating value with internet of things technologies often involves creating new products (e.g., a smart connected version of a legacy product), a new service (e.g., a predictive maintenance service for connected industrial assets) or new data streams (e.g., environmental condition data that can be consumed by an adjacent product or service). This rapidly expanding digital ecosystem is causing companies to innovate outside their comfort zones into new areas including data science, information security, outcome-based business models and enterprise software integrations.
- A knowledge deficit of IoT technologies, business models and market needs. Companies that stand to benefit the most from deploying IoT technologies and business models are the least prepared to do so. It is not uncommon for a durable goods manufacturer to have historical expertise in materials science, mechanical/chemical engineering or metal bending. These types of companies have historically faced challenges in being able to develop adaptive user experiences, integrate products in the field with enterprise IT services, sell recurring subscription contracts or monetize the value of data. The challenges are often due to a knowledge deficit that can easily hinder the effectiveness of any corporate IoT innovation program and obscure the success of the undertaking.
An evolutionary perspective
Many companies already have innovation programs in place. Adding an internet of things focus, although a revolutionary trend in thinking, usually requires surgical evolutionary adjustments in the following five areas:
- Clarity of strategic direction. IoT innovation program participants must know why the internet of things is important to the competitive success of the company. A lack of clarity or outlined, forward-looking goals that include a designated timeline can be detrimental to success. For example, having a vision that an enterprise needs to become known as a software and data company by 2025 in order to remain competitive helps drive critical direction, focus and momentum.
- Emphasis on cross-departmental collaboration. Product innovation historically focuses on the products themselves. However, smart connected products usually also include IT. The blending of operational technology (the physical products themselves) and information technology requires a new type of cross-departmental collaboration, introducing new people and roles to the entire innovation process itself.
- Identification of reusable technology, business models and processes. Companies often have multiple product lines, business units and/or market segments. Companies can get an edge in the competitive landscape by intelligently understanding how to reuse not just technology components, but also business models and process improvements. All components should be included as part of the innovation process.
- Adaptation of business processes to data and services. Many companies have business processes (e.g., order fulfillment and billing) that center on the manufacturing, distribution and sale of physical products. However, with the advent of smart sensors and data, new business models are possible by selling services (which may include a product or consumable), or by selling the data stream itself. Leading innovation programs lead participants to think outside the box of traditional product features and business processes, and expand the scope of thinking to data and services.
- Revised approach for capturing and acting on market feedback. Product companies usually have a new product introduction (NPI) process for ensuring a high-quality and normalized market launch. Although releasing software and products early to gain market feedback is a best-in-class approach, doing so prematurely can be detrimental to building a long-term trusted brand. Adapting existing NPI processes to gather critical market feedback while at the same time supporting and building a high-quality connected brand is a critical success factor for IoT innovation programs.
Change: The new competitive advantage
Leading organizations that have become the key innovators in this process got there by taking the reins of IoT innovation and focusing on early success with a small number of projects. Only after that do they build on that success by establishing corporate-sponsored IoT funding. This process naturally helps subsidize bright new ideas that help the company achieve its long-term vision.
Once the pace of IoT innovation is moving, the momentum continues to be driven by many forces: things like effective training, support readiness, manufacturing integration, adaptation to business process changes, thoughtful talent acquisition and pricing calibration. While there are many such pieces to weave together, by fostering a culture of technology innovation and cross-divisional collaboration along with a keen focus on services and data, organizations can turn their ability to change into a competitive advantage for long-term success.