IoT Agenda

February 8, 2017  10:47 AM

The dark side of the internet of things: The security challenge

Marc Wilczek
Consumer IoT, DDOS, Enterprise IoT, Internet of Things, iot, iot security

Even though they differ greatly, what analyst and vendor projections all agree on is that the number of connected internet of things devices will essentially go through the roof over the next couple of years. Estimates range anywhere from 20 to 50 billion connected IoT devices by 2020 — with Gartner, for example, projecting 20 billion devices as a more “conservative” estimate, if there ever is a conservative view in light of these stunning figures. But no matter how many billions of devices it will finally be, one thing is for sure — it’s going to be huge!

While this sounds encouraging and almost too good to be true, there are downsides, namely security flaws and the unprecedented threat of cybercrime. Nobody wants to be the party pooper and demonize the technological advance toward a bright and shiny digital universe, but it would be fairly naive to bluntly ignore the facts.

Let’s face reality: As much as the IoT universe grows, so does the security challenge

Over the last few months, the cybersecurity industry has been observing some quite interesting trends such as an uptick in distributed denial-of-service (DDoS) attacks with unparalleled data traffic. Cybercrime has become a vast ecosystem that keeps soaring. Experts predict that data breaches could cause damages of up to $2.1 trillion globally by 2019, which is essentially right around the corner. According to Juniper, the average cost of a data breach in 2020 will exceed $150 million as more business infrastructure gets connected.

IoT security challenge

In a recent study, nearly 52% of the participating consumers believed that IoT products do not have the necessary security in place. And far worse, 85% of IoT developers admitted to being pressured to get a product to market before adequate security could be implemented. A shocking 90% of developers surveyed didn’t believe that IoT devices on the market currently have the necessary security in place.

How come?

One of the driving forces for this drastic increase of devices is simply price. With cheap internet pretty much accessible around the globe and wearables becoming a commodity, the price spiral is heading south and the market is simply flooded with low-cost hardware. This enormous price sensitivity, however, almost inevitably precludes embedding comprehensive security features, as the two are a mutually exclusive trade-off.

On average, IoT devices are inexpensive. With 50% of all connected devices targeting the consumer space, manufacturers are caught between the devil and the deep blue sea. As a consequence, those targeting the mass market have little financial margin to invest into the security challenge as it’s simply a costly undertaking.

For the bad guys on the other hand, it’s literally the land of milk and honey with vulnerable devices accessible in abundance. In other words: The hunting ground for the predators is full of possible prey and fence season is long gone.

DDoS attacks are just an example, but once these devices are filled with user data, the issue will be taken to a whole new dimension. Unfortunately, the circumstances aren’t getting any better as more IoT devices will continue to go online every single day.

The security challenge: How to get out of here?

While the above might sound rather scary, it’s far from being hopeless, though it does require action now. Ultimately, there are two sides of the same coin, the first being technology and the second being the human factor.

Overall, the cybersecurity industry is progressing with its R&D efforts in order to come up with solutions that will alleviate various security challenge pain points. If everyone involved is committed to fixing the problem, then developing new technologies with built-in security features will become the norm and the result will be a much safer IoT. With the emergence of software-defined technology, tight security protocols and encryption can be implemented at the fraction of the cost of hardware components.

Vendors should consider de-commoditizing and coming up with a more differentiated product offering that, for example, includes security features. It’s obvious that these features come with a price tag. However, only when vendors translate these features into tangible benefits will consumers be prepared to pay a higher premium.

At the same time, it’s an important task for society to drastically increase its awareness of how to deal with data and teach at least basic principles of how consumers can protect themselves and mitigate cyberthreats. Consumers need to understand the implications of their actions and should think twice about what kind of data to store on which IoT device.

Finally, governments must take appropriate action and shift their attention toward the rising threat of cybercrime in the 21st century by strengthening their cyberdefense activities and making it a strategic component of their security policies. Policymakers love talking about it, but the time has come to walk the walk. As a wise man once said, “Let’s not close the barn door after the horse has bolted.”

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

February 7, 2017  4:36 PM

Seamless security with wearables: What’s possible?

Erik Perotti
Consumer IoT, Enterprise IoT, Internet of Things, iot, iot security, Wearables

Below, we will explore the technical elements of a security-oriented wearable, and subsequent posts will concentrate on the balancing act between great security and end-user convenience.

To establish identity, we’re all used to our username/password combination, and probably have started using our fingerprints to log into our phones. Password policies are really hard to get right — so much so that, in most companies, it is the number one tech support question.

Fingerprints and other biometrics are better for a few reasons — mostly that they’re based on who you are, rather than what you know. So, you’re not going to forget your fingerprint, your retina or other things that make you who you are.

But if your fingerprint is not changing and someone steals it, what happens? Well, the short answer is that you should hope that this “template” is safely stored locally and not shareable across devices, networks and so forth. The beauty of a wearable is that it allows for the proximity necessary to keep that information close.

For example, part of a new phone setup is to capture your fingerprints. Even if you’ve owned three generations of the same phone, you can transfer your data to your new phone, but not your fingerprint. The reason was mentioned above. It is undesirable for both user and vendor to store sensitive, static data about a user.

Hopefully, this serves as a piece of useful information. In the world of wearables, portables and the like, the device should be assumed to be self-authenticating if well designed. That is, the information it shares is simply, “yes, this is the right person” or “no, it’s not.”

If you would like to rely on a wearable as a source of identity verification, there are some key things to keep in mind. Firstly, these devices should be able to confirm the known wearer’s identity. The next thing is thinking about how to query the wearable. Given the state of standards today, prevailing technologies for sharing this confirm/reject are Bluetooth Smart, NFC and USB.

In the real world, one would assume that a wearable must have Bluetooth Smart or NFC or both to communicate with IoT devices. Bluetooth Smart gives better range, but establishing a transient relationship with a thing is complicated and not yet standardized. NFC is perceived as less exposed to man-in-the-middle attacks and works well under certain circumstances, but you should assume that the wearable is on or near the user’s hand (NFC range is < 20 cm).

Another key component is tamper-resistance and/or tamper-proofing. A well-designed wearable will prevent a nefarious person from being able to access algorithms or biometric data. There are both physical and logical ways to preserve this data, but secure wearables can and should see tampering as a major threat.

Lastly, one should assume that a wearable has cryptographic functions. There are many options, but these devices can exchange keys with another device. This allows for encrypted messages between devices.

Experts at many security-minded companies have found these building blocks to be elemental to a credible secure wearable. My organization has demonstrated the ability to unlock computers, phones and physical doors from major players with these basic features, and these safeguards have provided the needed assurances.

Are there other considerations here? Yes. This is the beginning of a journey, but these are the lessons that we’ve learned so far.
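An added example (not from the original post or the author's organization) of the confirm/reject exchange described above: a wearable's "yes" only means something if it is bound to a fresh challenge from the querying device, otherwise a captured "yes" can simply be replayed. It assumes a shared key established at pairing and HMAC-SHA256; the class names, device ID and 5-second freshness window are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 16
MAX_AGE_S = 5.0  # assumed freshness window for an outstanding challenge


def _transcript(device_id, nonce, verdict):
    # Length-prefix every field so field boundaries cannot be shifted.
    parts = (device_id, nonce, verdict)
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def _tag(key, device_id, nonce, verdict):
    return hmac.new(key, _transcript(device_id, nonce, verdict), hashlib.sha256).digest()


class Wearable:
    """Hypothetical wearable: the biometric match happens on the device and
    only a verdict plus an authentication tag ever leaves it."""

    def __init__(self, pairing_key, wearer_confirmed):
        self._key = pairing_key
        self._wearer_confirmed = wearer_confirmed  # result of the on-device match

    def answer(self, device_id, nonce):
        verdict = b"yes" if self._wearer_confirmed else b"no"
        return verdict, _tag(self._key, device_id, nonce, verdict)


class Verifier:
    """Hypothetical querying device (door lock, laptop, phone)."""

    def __init__(self, device_id, pairing_key, clock):
        self._id = device_id
        self._key = pairing_key
        self._clock = clock
        self._pending = {}  # nonce -> time the challenge was issued

    def challenge(self):
        nonce = secrets.token_bytes(NONCE_BYTES)
        self._pending[nonce] = self._clock()
        return nonce

    def accept(self, nonce, verdict, tag):
        issued = self._pending.pop(nonce, None)  # each nonce is single use
        if issued is None or self._clock() - issued > MAX_AGE_S:
            return False
        expected = _tag(self._key, self._id, nonce, verdict)
        if not hmac.compare_digest(tag, expected):
            return False
        return verdict == b"yes"


def demo():
    now = [0.0]  # constructed fake clock so the run is deterministic
    key = secrets.token_bytes(32)  # constructed stand-in for the pairing key
    lock = Verifier(b"door-lock-01", key, clock=lambda: now[0])
    owner = Wearable(key, wearer_confirmed=True)
    stranger = Wearable(key, wearer_confirmed=False)
    results = {}

    n1 = lock.challenge()
    verdict, tag = owner.answer(b"door-lock-01", n1)
    results["fresh_yes"] = lock.accept(n1, verdict, tag)

    # Captured answer sent again for the same, already used, challenge.
    results["replay_same_nonce"] = lock.accept(n1, verdict, tag)

    # Captured answer sent in response to a new challenge.
    n2 = lock.challenge()
    results["replay_new_nonce"] = lock.accept(n2, verdict, tag)

    # Wearable on the wrong person: honest "no", then "no" rewritten to "yes".
    n3 = lock.challenge()
    v3, t3 = stranger.answer(b"door-lock-01", n3)
    results["honest_no"] = lock.accept(n3, v3, t3)
    n4 = lock.challenge()
    _, t4 = stranger.answer(b"door-lock-01", n4)
    results["verdict_flipped"] = lock.accept(n4, b"yes", t4)

    # Valid answer that arrives after the freshness window has closed.
    n5 = lock.challenge()
    v5, t5 = owner.answer(b"door-lock-01", n5)
    now[0] += MAX_AGE_S + 1
    results["stale"] = lock.accept(n5, v5, t5)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted; every replayed, altered or late answer is rejected without the verifier ever seeing biometric data.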


February 7, 2017  11:18 AM

Recap: 2016’s largest commercial and industrial IoT funding rounds

Isaac Brown
Enterprise IoT, Funding, IIoT, Internet of Things, iot, IoT applications, IT funding

In addition to a series of high-profile acquisitions (including Jasper, Wyless, Solair, ARM, PLAT.ONE and Bit Stew), 2016 saw some of the largest individual funding rounds for commercial and industrial internet of things companies. While total funding may be slowing down, the size of the individual rounds is, if anything, ramping up. Sigfox led the charge with a massive $173 million Series E, bringing its total funding up to $323 million, and its post-funding valuation up to $648 million. Investors threw huge piles of cash at several other companies developing innovative technologies centered on devices, connectivity, applications and analytics — these companies target a wide range of use cases, including energy, manufacturing, commercial buildings and connected products.

Below is a list of companies Lux has covered that raised big rounds in 2016:

  • Sigfox: $173 million Series E / November 2016 — Sigfox builds public low-power wide-area networks (LPWANs) and sells data plan subscriptions geared towards connecting low-power sensors and IoT devices. The radios are smaller and consume less power than traditional cellular radios. The company has active networks deployed across a large portion of Western Europe and the UK, as well as small portions of Central Europe, North America and Oceania, with over 7 million connected devices. This latest funding round will help the firm increase its global coverage and put it in position for an IPO that it expects to achieve in late 2017 or early 2018.
  • C3 IoT: $70 million Series D / September 2016 — Founded in 2009 by software veteran Thomas Siebel and originally focused on application and analytics platforms for energy organizations, C3 recently rebranded to focus more broadly on IoT. The firm has developed a platform for connecting sensors, IoT devices and enterprise systems to an environment that offers prebuilt AI and machine learning applications, an application development environment and analytics tools. This round, led by TPG Capital, brings the firm’s total funding up to $131 million. In addition to attracting this investment, C3 IoT won some big deals in 2016, including enterprise contracts with Engie and the U.S. State Department.
  • GreenWave Systems: $60 million Series C / January 2016 — Greenwave was founded in 2008 by several former Cisco executives. The firm offers a horizontal IoT platform, called AXON, which enables connectivity between devices and the cloud. The company is currently targeting applications related to energy management, building controls, health care, asset tracking and smart cities. This funding round brings the firm’s total funding up to $76 million. GreenWave plans to use the funds to accelerate its global expansion and provide growth capital for strategic investment.
  • Ayla Networks: $39 million Series C / June 2016 — Ayla has developed an IoT enablement suite that helps companies deliver internet-connected products. The offering includes an embedded software stack installed on devices and gateways, an Amazon-hosted cloud platform for device management, basic analytics tools and a set of applications for controlling devices from supported iOS and Android devices. Ayla has a strong footprint in connected home appliances and building systems, and a major presence in China. This latest round was led by China-based Ant Capital Partners — it brings Ayla’s total funding up to $59 million and will help the company continue to expand globally.
  • Maana: $26 million Series B / May 2016 — Maana was founded in 2013 to develop an operational analytics platform focused on industrial use cases — the solution crawls and mines different data silos, indexes the information gathered, generates models and helps users operationalize insights. Maana has won a few big customer deals, including GE, Chevron and Shell, all three of which are also strategic investors. Saudi Aramco Energy Ventures led this round, bringing Maana’s funding up to a total of $40 million. Maana plans to leverage the capital to expand product development and ramp up the sales and marketing teams.
  • Enlighted: $25 million Series D / February 2016 — Enlighted integrates a compact sensor and controller unit for commercial space sensing and lighting optimization. The sensor and controller is compatible with any type of lighting fixtures, such as fluorescent or LED, and it has embedded intelligence to control nearby lights in response to occupancy and light level. The firm has won several big deals to optimize office buildings at customers like Apple, AT&T, Barclays, Google, Oracle and LinkedIn. This Series D round brings the firm’s total funding up to $80 million — the company plans to use this new funding to “accelerate its IoT app development” and expand its international distribution to France, Germany and the UK.
  • Electric Imp: $21 million Series C / April 2016 — Imp was founded in 2011 to develop a platform that helps manufacturers deliver connected products. The firm offers a toolset that includes a line of Wi-Fi/Ethernet modules, a proprietary embedded operating system, a cloud platform and a set of application development tools. Imp is well-regarded for the strong cybersecurity posture inherent in its platform architecture. This Series C round was led by London-based Rampart Capital — Imp plans to use the funds to ramp up strategic growth and product development.

In many ways, 2016 was the year of the IoT platform, and the financing truly tells the story — investments in and acquisitions of IoT platforms totaled well over $2 billion in 2016 (possibly even $3 billion, depending on some undisclosed figures). Sigfox broke the mold in this regard, as it is not a true platform, but rather a network operator and networking IP developer. However, Sigfox offers a preview of what’s to come in 2017: based on client enthusiasm and ongoing deployments, 2017 may be the year of the LPWAN (meanwhile, the reign of the IoT platform will likely continue, since platforms naturally manage the data from the things connected to LPWANs).

Between Sigfox, LoRa and the emerging LTE standards, a huge portion of the globe will deploy LPWAN in 2017, which is why Lux Research is currently writing a report on the topic and plans to publish it during the latter portion of Q1. Those looking to invest in IoT startups should understand that platform and LPWAN startups will be desirable investment targets in 2017, with the potential for even more exits in 2017 than we saw in 2016 (several of the above companies are indeed poised for 2017 exits at huge revenue multiples). Those shopping for acquisitions to broaden capabilities and pursue new business should be on the prowl for top platform and LPWAN startups, like the ones mentioned in this article.


February 3, 2017  11:36 AM

How enterprises can introduce IoT to legacy BI solutions

William Creekbaum
Analytics, BI, Business Intelligence, Data Analytics, Data Management, Internet of Things, iot, IoT analytics, Machine learning, Predictive Analytics, Prescriptive analytics

Most articles about the internet of things and its impact on business intelligence are targeted towards an IT audience and focus on real-time data ingestion, big data technology and analytic solutions for data scientists. And while these are critically important elements of the IoT/BI landscape, a discussion about delivering direct business value is often missing.

It’s important to shift the focus of discussion to the solutions required to drive clear, tangible business value with IoT and BI. Deriving business value by achieving greater efficiencies, creating revenue streams and increasing profit for an enterprise can only be achieved if these solutions are focused on business users and end customers. IoT driven BI solutions must be embedded into the business user’s everyday work experience and be designed for an entire enterprise ecosystem.

There is much talk in the industry about how the wealth of IoT data can, for example, provide early warnings to enterprises to better serve their customers, a relatively simple task if the IoT device is reporting an error condition. But more likely, the IoT device is reporting telemetry about usage, operating conditions and performance. This is great data, but how will it drive better business actions that result in direct business value? This is especially difficult when the data is delivered to a small set of data scientists and analysts versus the people who have the ability to take action to implement change.

Placing this burden on a business user to examine the data for potential problems or opportunities and take action is clearly unreasonable. A business user cannot possibly process the tremendous amount or diversity of data, nor will they be able to identify the barely perceptible patterns that could be that ever important early warning sign.

This is a perfect scenario for machine learning. Machine learning needs to augment an IoT-driven BI solution to process and identify those hard-to-perceive patterns to guide the business user towards action. In fact, machine learning can be applied to deliver suggestive and prescriptive analytics to directly influence better business actions.

But machine learning alone will not ensure that this augmented insight will lead to a better business action if it is not embedded at the point-of-work. Ultimately, an actionable insight is dependent on “location, location, location.” When it comes to business users, the insights to drive better business actions must be embedded where that business user works. When done properly, the combination of embedding and machine-learning capabilities can deliver in-context automation, recommendations and insights to help the business user drive tangible benefits for their company.

Consider, each New Year many people make resolutions and sign up for new gym memberships which go unused or are cancelled by midyear. Gyms of course have access to when one enters the gym but have little other data around what the member actually accomplished during his visit. If gyms were to take advantage of the wealth of IoT data increasingly coming from their fitness equipment, wearable technologies and facilities, machine learning augmented analytics could proactively identify patterns indicating customer churn so that targeted recommendations and interactions can be made to increase “customer stickiness.”

Consequently, the business intelligence platform must be designed specifically for application integration and embedded delivery to ensure that the IoT-driven insight is contextually delivered at the point-of-work. Otherwise, if the insight is located elsewhere, such as in a standalone dashboard or delivered solely as an email alert, there is a high probability that the IoT-driven insight, no matter how valuable, will not result in a better business action and business value will be forever lost.

With the tremendous amount of IoT data being collected, the enterprise is in a perfect position to become an “insights as a service” provider and deliver data products to monetize their IoT data. For example, a manufacturing company can provide IoT-driven benchmarking solutions to its ecosystem of service providers.

Let’s further our example of the gym by considering a manufacturer of fitness equipment. In the manufacturing of fitness equipment, there are potentially hundreds of products made of thousands of parts that could potentially fail inside each gym. Since fitness equipment manufacturers are beginning to add IoT to their products, they can track how often they are used, how they perform and when they fail. The fitness equipment manufacturer could provide benchmarks around performance, lifespan and failure based on usage and environment to provide competitive advantage for service providers. Such information would allow the service provider to focus on maximizing longevity, quality of experience and availability of fitness equipment for gym members with proactive servicing and repair.

But, being an insights as a service provider is more than just creating an API endpoint to access the raw data; it needs to be curated, governed, secured, semantically consistent and accessible to business users. In other words, the business intelligence platform needs to be designed for secure, scalable, analytically consistent and easy-to-use distribution. This is not “your father’s typical BI solution,” but requires a new breed of business intelligence.

A BI platform designed for the enterprise and the enterprise ecosystem must consider deployed analytics, standalone or embedded, as a product. And just like any product delivered as a service, it must have means for provisioning, user management, security, lifecycle management, billing and continuous improvement.

There is much opportunity for IoT and business intelligence to drive direct and indirect value for an enterprise, but it requires the thoughtful application of solutions focused on business users and end customers and less on “techy” solutions focused on the analytically elite.


February 2, 2017  3:54 PM

IoT architected for security

Hugo Fiennes
Internet of Things, iot, iot security, platform

It seems like every week there’s another doom and gloom story about how IoT security is irretrievably broken. In general, the stories involve a number of players:

  1. Manufacturers who appear to have more interest in shipping devices than developing the functioning basics of security architecture.
  2. IP developers — often silicon vendors — who provided an application stack example to the product manufacturer, which was often used with minimal changes and little or no security testing.
  3. Hapless customers who provided power and connectivity to a device, trusting the manufacturer would have embedded the appropriate security and performed the appropriate testing to know that the device could be trusted to perform only the task it was designed to do.
  4. Multiple victims, across well-known industries with services relied upon by millions, hit with distributed denial-of-service (DDoS) traffic generated by these devices.
  5. Security professionals wringing their hands about the insolubility of the problem.
  6. Critics who essentially fear every connected product and call for the government to mandate standards in an area where no one approach can possibly fit all devices.

However disheartening for those familiar with security architecture, this state of affairs is, in reality, fairly predictable — and easily explained by the motivations of each party. Additionally, one cannot simply expect these concerns to evolve without the landscape and related revenue flow also changing. We can examine the primary motivations of each party, though, to better understand their perceptions.

1. The manufacturer

A successful manufacturer is one that knows their customer, and so produces quality products with features that their customers appreciate. The customers then purchase and recommend these products, driving volume sales and manufacturer success.

The biggest issue here is that the technologies required to build an IoT product are generally vastly different to those they have mastered to build great non-connected products. Even the best embedded software team tends to have little experience with scalable cloud back ends and cryptographic stacks.

Usually, a manufacturer will look towards the supplier of the wireless silicon they are integrating in their connected product for assistance with the required software.

Unsurprisingly, manufacturers worry about development costs, which have to be amortized across every product sold. If the product never hits sufficient volumes to recoup these costs, the product will never make money, so development budgets for the new breed of connected devices are often small.

Finally, typical product cycles for a manufacturer are in the one to five year range; a product team will ship a product then usually a slightly different team will reassemble to make the next product. It can be very hard in most product companies, even with the best will, to ensure a product that was made many years ago receives appropriate ongoing effort to ensure security (see comments about costs). Team members leave. Source code and tribal knowledge gets lost.

2. The IP developer

The first thing to note about connectivity software is that a lot of it comes from the vendor of the wireless silicon. Over the past five years, silicon suppliers have had to augment their offering with a fully featured software stack to support that silicon — moving beyond hardware drivers to network and security stacks and even embedded operating systems. Once one vendor started offering a full stack, the others had to follow suit as their customers started making silicon choices based on how comprehensive the free software stack provided was.

The problem with a silicon vendor being a software supplier is that software is essentially a marketing expense, and it is provided to make a customer pick their silicon versus the competitors’. Once silicon is designed into a product, there is little incentive for the vendor to provide robust support and maintenance of the stack. They get the design win, and after that point it’s very hard for a customer to move to a competitor’s chip, even more so when their application code is delicately intertwined with the vendor’s stack.

Given a typical five-year silicon production lifespan, especially for chips that get designed into high-volume consumer applications, there is even more concern about what support is provided once the part is no longer in production.

3. The customer

In the end, customers just want a product to work, and work well. Though savvy customers may be able to make judgments based on subtle security characteristics, most essentially trust the manufacturer’s brand to guarantee a certain level of design and quality.

This brings up an important point: should customers trust a brand to be an expert in an area where they have no prior experience?

For example, I may have complete trust in a premium washing machine maker in being able to make a reliable, long-lived, high-performing washing machine. After all, the company has done this for decades — but should I also place my trust in them making all the right security decisions in their connected products, particularly if they have no track record in this area?

An interesting analog is looking at the mobile phone ecosystem. I don’t necessarily trust every app vendor to be making the best security decisions, but I do trust that the OS vendor ensures that my phone is secure and that the OS also prevents malicious apps that could cause serious harm to either myself or my data.

4. The victims of attacks

As IoT-originated attacks become both more common and more dangerous — and I don’t believe that hackers have yet learned how to use these new tools to their most devastating effect — it will become clear that everyone is a potential victim.

The world has become reliant on a functioning internet, and maintaining that requires participation in cybersecurity from all parties involved.

5. Security professionals

The internet security field, in general, is quite large. There has been robust demand for security, particularly in ecommerce, for decades now — not counting the already large antivirus industry.

Many security practitioners have approached IoT as an offshoot of an existing specialist area (for example, phone app security) and have only been adding embedded expertise recently, which means they often lack the necessary holistic view of the problem and instead see it as a collection of discrete ones.

Because security professionals often are only called in after a negative security experience, they are very negative about IoT security. Either they are buying flawed products and finding problems with them, or they’re investigating a DDoS attack spawned by IoT devices, or they are brought in by a manufacturer who is inevitably cash- or time-strapped to test an “almost finished” product before shipment and find it far from secure.

In any case, they get to impart bad news. Rarely are they consulted early in a design process on best approaches, or given free rein to fix problems in a product before shipment.

So how can IoT security be fixed?

The biggest thing that needs to change is that both customers and manufacturers need to place value in security and secure products.

When a customer values security, they will insist the products they buy are secure. When a manufacturer values security — and worries about how bad security may reflect on their brand — they will accept that building secure products will add some cost.

Essentially, once security is valued, then secure products will be built.

But, how will this happen?

A key difference in IoT security is that it cannot be focused on a single part of the product. Security must be architected across the entire product and services. Unlike traditional products, this requires integration between the players along the value chain. This is very different from a traditional supply chain where each supplier is focused on optimizing only on their part of the deliverable.

It is still hard for customers and manufacturers to significantly affect the quality of the software stacks from the IP/silicon providers — the whole problem with software-as-marketing is that the software only needs to be better than the nearest competitor to have the desired effect of impacting a purchasing decision.

Also, most silicon companies are not structured to be able to deliver software, or software maintenance, as a core product offering. Software maintenance is not built into their cost equation and the last thing you want is for maintenance to be an afterthought.

Obviously, given that this is a blog from a platform vendor, the conclusion I’m reaching — hopefully with the reader understanding why the conclusion is being reached — is that the solution to these issues is the use of a secure platform.

The main thing a platform provides is clear alignment. A platform vendor that creates software and services covering a device’s full lifecycle — and is paid for keeping these devices online securely — has a clear incentive to provide this ongoing support.

A platform vendor that does not charge large non-recurring engineering fees for development wants to get products to market as soon as practical, as they don’t receive any significant income until that point. This incentivizes a secure platform architecture and support structure that assures fast time to market and easy adoption.

Because true platforms (i.e., those which are identical across customers and products) are shared between customers, the amount of effort and hence expense that can go into its design, construction and maintenance is orders of magnitude more than even a high-volume product could justify on its own. However, the cost to an individual customer is much less than any in-house development simply because this cost is spread.

This communal sharing of technology investment also means that no customer, no matter how small, is ever left out of a security update.

When a weakness is found in the platform (realistically, every system will have weaknesses), whether or not it is ever exploited, it can be fixed for everyone simultaneously. This is an important point, because it means that all the platform vendor’s efforts are going into making every customer’s product better.

In conclusion: if you’re making a connected product, it’s your responsibility — both as a brand and a contributor to the internet — to highly value security and create secure products. This will either lead you to spend a lot of money and time building your own unique connectivity infrastructure (secure design and exhaustively tested implementations don’t come cheap, and neither does ongoing maintenance) or to build with a secure platform purpose-built for IoT.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

February 2, 2017  11:27 AM

Regulating IoT to improve security could harm the market

Jose Nazario
Internet of Things, iot, iot security, regulation, Regulations

We’re all watching the rapid advance of the internet of things — from self-driving cars and connected homes to drone grocery deliveries and smart hairbrushes — with excitement and trepidation. The thrill about the potential for vast improvements in life and work is tempered when our confidence is shaken as cracks appear in our vision of a connected world. Two big examples come to mind: the discovery that cars can be hacked and remotely taken control of, and the increase in distributed denial-of-service attacks powered by millions of internet-connected devices. We may wonder: are the rewards worth the risks? Yes, if we work to manage the risks better than we are now. This will take patience on the part of the public and serious coordination among industry players. And, more importantly, we have to resist the strong urge to dive into regulations that could interfere with innovation and progress.

Security issues surrounding IoT are often compared to the automobile industry, which was forced by governments to continuously add safety measures to keep people safe as more and more cars raced down highways at increasingly higher speeds. Most notably, the introduction of seatbelts reduced the risk of death in an accident by as much as 50% and saved tens of thousands of lives each year in the U.S. alone. However, the number of devices and software and hardware platforms make for a much more complex and global IoT industry than the auto industry of the mid-20th century. Regulating IoT wouldn’t be as simple as it was for the auto industry.

The scope of the IoT market is huge and increasing exponentially in an unprecedented fashion, and security for these devices is lagging way behind. The number of devices rose 30% last year to 6.4 billion and is forecast to reach 25 billion by 2020. Already there are more than 1 million active IoT bots. IoT devices are more vulnerable than legacy computing devices. The industry has spent at least 20 years getting Microsoft, Apple and the various Linux and browser developers to secure their software that made up the core of internet and desktop users. That was a relatively small market and it grew at a manageable rate for security to keep pace.

The IoT industry is riddled with security issues, including speed-to-market, lack of security by design and lack of standards. The growth in IoT is coming so fast that security is overlooked as companies rush products to market. Along with the fast pace of development and adoption, there is homogeneity among platform technologies that makes it easier for malware to proliferate, as well as design constraints that enable ease of use for everyone, including attackers. Devices use low-power chips that have poor authentication and rely on software with inadequate access/user controls that enable arbitrary code (i.e., attack code) to run. Where security is baked into Windows and OSX, IoT platforms are wide open. In addition, there are no standards on products, many of which come from China where security and quality standards are dubious. In essence, the global market is being populated with billions of devices that are essentially sitting ducks, waiting for criminals to figure out how to exploit them.

This is becoming evident to governments and lawmakers and there are calls for regulating IoT and creating legislation to address the security problem with IoT. As a result of IoT-related DDoS attacks last year, including one that took major sites offline temporarily, the European Commission is considering new legislation this year that would force companies to meet tough security standards and undergo privacy certification processes.

That scares me. Regulators are rushing to propose rules, but that’s not the answer. Regulations for emerging areas are often ineffective and overreaching. Just look at the Computer Fraud and Abuse Act, which targeted malicious hacking but is so broad that it can be interpreted as criminalizing legitimate security research and even password sharing. In another example the Federal Aviation Administration dragged its feet on regulations for commercial drone use and held that industry back. Not only can aggressive regulation interfere with the progress of an industry, but it’s difficult to change bad laws after the fact. Unintended consequences of poor regulation that hijacks a nascent industry can be worse than the security risks the rules are designed to address.

Rather than hastily adopt regulation that could hinder the development of important markets like IoT, industry groups and major players should work together to address the issues, push security-enabling technologies and create standards. We’ve seen this in other tech areas already. Broadband providers worked within the Messaging, Malware and Mobile Anti-Abuse Working Group community to reduce spam and botnet levels of home internet users. Open Wi-Fi vendors, Cisco, Apple and others have devices that are easy to use, manage and secure out of the box. For IoT, we need secure default passwords, randomly generated passwords and auto-update mechanisms, as well as limited services on the box — security features enabled by unikernels and Android OS. We also need new frameworks and guidelines, such as the efforts from the Online Trust Alliance for an IoT Trust Framework. The DDoS attacks using IoT devices have scared people, and rightly so. But we can’t overreact by regulating IoT or we face interfering with a promising and fast-growing market.

Indeed, already the U.S. FTC has taken a market-based approach to IoT security. In the wake of the October DDoS attacks, Chinese manufacturers recalled a number of implicated IoT devices, possibly under threat of legal action. Earlier this year, the FTC also filed a complaint against D-Link for its sale of insecure embedded devices. And in January, the FTC issued the Home Inspector Challenge on securing IoT devices in the field, one of the biggest hurdles in the IoT landscape. These actions all point in the same direction — that the FTC is leading the U.S. government’s role in IoT security in the market (with NIST and others leading the way in technology), and shaping the market without regulations.

These actions are sure to continue, and vendors are sure to respond. What may emerge is a market-led technology foundation more secure than regulations could have accomplished, leading to a more lasting impact, marrying ease of use and reliability together with secure defaults, something consumers are sure to embrace.

February 1, 2017  3:16 PM

Cool IoT customer experiences brought to you by NFC at CES

Paula Hunter
"Consumer Electronic Show", CES, Internet of Things, iot, IoT applications, near field communication, NFC

Over 175,000 people descended on Las Vegas for the Consumer Electronics Show (CES). The lines were long, the noise volume was high, but one thing that cut through all the clutter was the tremendous number of companies showcasing how near field communications (NFC) technology within their IoT offerings helps brands create a better overall customer experience.

It was the second straight year that NFC technology and IoT remained a hot topic at CES. So hot in fact that NXP Semiconductor’s NFC technology was used in an all-in-one badge to allow CES participants to pre-purchase Las Vegas Monorail tickets and have them directly installed on their CES badges. Not only were CES attendees wearing an NFC-enabled IoT device, but some even had it under their skin, as the editor of Digital Trends had an NFC chip implanted in his hand.


Below are two more of the coolest implementations of NFC and IoT at CES 2017.

  • Carnival Cruise Line launched a wearable that allows services on board its ships to be personalized for guests. Called the Ocean Medallion, it can be worn as a necklace, clip or keychain — or carried in a passenger’s pocket. It uses NFC and BLE technologies to connect users to onboard facilities, track meal orders, unlock cabin doors, locate family onboard, buy merchandise and provide gambling platform access. The first ship to feature the system is the Regal Princess. Seventy-five miles (121km) of cables, more than 7,000 sensors and 4,000 digital screens were installed on the ship in 10 days in Italy.
  • Smartrac and high-performance blending equipment manufacturer Vitamix showcased how they are using NFC technology to turn a blender into a sophisticated IoT device. The Vitamix Ascent Series blenders put NFC readers into the appliance base and custom-built NFC tags into the containers and cups. The NFC-enabled blender unit can differentiate between containers, i.e., the blender unit will turn on only if you use a compatible container. The NFC solution from Smartrac with self-detect containers can modify program settings, button functions, ramp rates or maximum time settings, making it easier and providing a great customer experience. A scale along with a recipe app are also included.

NFC, IoT and CES. Three three-letter acronyms that belong together. There were many more NFC and IoT implementations unveiled at CES that showed how NFC can improve the overall customer experience for a product or service. Let me know if you went to CES this year and add a comment or two below about what NFC-enabled IoT product or service you got excited about.

February 1, 2017  12:32 PM

Smart streetlight project helps Oklahoma Gas and Electric keep the lights on

Sharon Shea
Internet of Things, iot, smart city, Smart grid, Smart lighting

Oklahoma Gas and Electric is to add smart streetlight technology to its smart grid initiative to not only improve customer service and reliability, but also improve system efficiency and reduce energy consumption.

The utility company services 30,000 square miles, most of which is in Oklahoma with a small area in western Arkansas. Using Silver Spring Networks’ IoT platform and smart Streetlight.Vision control software, it will connect and manage 250,000 LED streetlights, building on its 2012 project in which it deployed smart meters to more than 830,000 customers.

“Connecting streetlights and integrating them within our existing smart grid network will definitely add strength to our network,” said Toney Cooper, product development technical planner at OG&E. “Additionally, we will have failure notifications, control and monitoring capabilities, GPS tracking and much improved asset management.”

And, of course, it will help the company better address its number one customer complaint: “The lights are out.”

“In addition to the improved efficiency, better nighttime visibility and extended bulb life of LED, we love the fact that this new technology allows us to know before our customers that a light is out,” Cooper said. “It gives OG&E an opportunity to be proactive on the maintenance side.”

During Hurricane Matthew, Silver Spring Networks customer Florida Power & Light restored 90% of affected residents’ power — more than 1 million customer interruptions — in less than 48 hours, and prevented approximately 118,000 service interruptions using Silver Spring Networks’ technology. OG&E looks forward to the same benefits, Cooper said, especially given the unpredictability of Oklahoma’s spring weather.

A smart streetlight in Oklahoma City

Brandon Davito, VP of smart cities at Silver Spring Networks, said pre-deployment planning and design for the project are currently underway, and three pilot projects in Oklahoma City and Moore, Oklahoma, demonstrate the benefits of intelligent lighting to city officials and the general public.

“Vision-controlled intelligent lighting systems will help significantly enhance the quality of service and reliability for OG&E customers, improve the speed of streetlight restoration response in the event of outages, and help drive increased system efficiencies and lower energy consumption through dimming and adaptive controls,” Davito said.

While Cooper said no additional smart initiatives are underway as of yet, connecting the quarter-million smart streetlights affords OG&E the opportunity for easier adoption of future smart projects.

“We have seen cities with streetlights use the infrastructure as a foundation to showcase immediate results and benefits,” Davito said, “But that can also be used to deploy more advanced services and applications over time — including traffic control systems, smart parking, electric vehicle charging, energy and water metering, environmental and pollution sensors, adaptive outdoor lighting, motion-sensing applications, waste management and other sensors to leverage a common network, control and data platform.”

In addition to OG&E, Silver Spring Networks has announced smart streetlight projects with Baltimore Gas & Electric, ComEd and Pepco Holdings, Inc., and has partnered with Florida Power & Light on what Davito said is believed to be the largest smart streetlight project in the world, totaling nearly 500,000 smart streetlights in Miami and South Florida. The company also has smart streetlight projects in Copenhagen, Glasgow, London, Paris, Providence and Stockholm.

February 1, 2017  12:00 PM

IoT will become a channel

Jonah Kowall
Channel, Enterprise IoT, Internet of Things, iot, IoT applications

Few three letters are presently generating more excitement in the consumer electronics and enterprise software world than IoT. However, as with most emerging technologies, the introduction of IoT into existing or new businesses has made new challenges apparent. As a result, many software vendors have risen to address these challenges by focusing on providing IoT solutions and platforms. But is IoT becoming a channel instead of a business necessity?

The more things change…

The IoT evolution has many similarities to the same cycles observed in mobile. For example, a diverse and complex ecosystem was created with disruption of the iPhone, especially with the first mobile app store. This pattern continually repeats with new technologies.

I break a technology lifecycle into several specific points — similar to the Gartner Hype Cycle. The key milestones are indicators of technology maturity and, unfortunately, obsolescence — or at least being deemphasized.

  • Demand: Solving a broader issue created by a disruptive technology
  • Ecosystem: Consisting of point solutions focused on a singular problem
  • Platforms: Consolidation of the ecosystems into platforms which address many functions across a disruptive technology

(At this phase, the larger enterprises typically begin to latch on to the products and services.)

  • Features: These platforms become features within broader offerings; although the belief is that computing is changing, the reality is that a new channel or channels are being created
  • Irrelevance: The end state, when entire markets are absorbed by others and lose relevance

There are some basic fundamentals which exist regardless of how technology is consumed. I’m going to use the term “application” to generally mean code which serves the need of users. Applications have inputs and outputs. They may take new inputs, such as data, and process it via a platform; analyze existing stored data; or perform some other function. If the user engages via traditional computing interfaces, web interfaces, mobile interfaces, voice, or virtual or augmented reality, the application is a set of interfaces for the user (or interfacing with another application) and should be a set of APIs on the back-end. APIs allow for any new computing models to be incorporated easily via the APIs. The API remains ever present and ever relevant.

In a similar manner, the application needs data. Data is stored, but often further collection and analysis are required. That data can come from many sources, and must be collected, stored and retrieved for distillation, and have algorithms applied to it. For the most part, these patterns are common regardless of where the data originates.

Deja oops

We continually see a new technology and repeat the same mistakes, which ends up with the same results.

We are in the middle of this cycle with IoT, while mobile has now passed off the edge. We’ve seen significant less-than-successful investments in mobile platforms. For example, Facebook’s Parse mobile, and its subsequent shutdown. Similarly, Twitter just announced it was “selling” the Fabric mobile platform to Google. What led to its lack of success? The reality is that these platforms become just a single channel and not core to the business.

More examples include technologies such as MDM, which was once one of the most highly demanded technologies. VMware bought market leader Airwatch for over $1.5 billion. But it’s since become quite commoditized and less relevant to buyers than it once was. Even before MDM was the ESB trend, which was once again replaced by much lighter-weight open source messaging technologies.

…The more they stay the same

As computing interfaces march on — most likely towards augmented and virtual reality, personal assistants, and integration of AI into these models — we’ll once again see a shift occurring. IoT as a channel will certainly play a critical role in the ecosystem moving forward, as measuring our world and other worlds and collecting countless amounts of data are keys to integrating the digital and physical universes.

January 31, 2017  2:38 PM

IoT testing 1, 2, 3… Is this algorithm working?

Manish Mistry
algorithm, Internet of Things, iot, IoT applications, Performance testing, Software testing

As momentum builds toward a ubiquitous, connected internet of things world, an array of new smart devices are marching to market, like so many Galactic Stormtroopers. Wi-Fi thermostats and video doorbells; Amazon Echo and Google Home; even remote-controlled window shades… all manner of nifty gadgets to delight today’s tech-savvy consumer. Yet, while smart devices or “things” like these are certainly the focal point for interconnected systems, they are only the tip of the iceberg.

The nature of IoT has created a new reality in which physical devices and virtual interfaces coexist in a tangled web. How well a solution works — or fails to work — is dependent on a multitude of factors: back-end software, hardware, algorithms, security, interoperability and connectivity. Testing the performance of a smart device is only one piece of the puzzle. As a result, IoT requires a paradigm shift in the way that products and solutions are developed and tested.

Seek the truth

Just suppose that your innovative new solution is nearly ready for market after years of design work. The end-user device has undergone product reliability testing, and your mobile app has been put through its paces. The dream is coming to fruition.

But what happens if your algorithm calculations are off, even by just a little bit? How do you know for sure that your new solution will perform as expected within the broader ecosystem? The interaction of software, hardware and environmental conditions creates many unknown variables.

After you introduce a new IoT system is not the time to discover broken algorithms, interoperability issues or a buggy user interface. If you have to go back to the drawing board and start the whole development process all over again, you’ll lose valuable time, money and your competitive advantage.

The complex nature of IoT use cases means that connected products and solutions require rigorous and reproducible development and testing of software, hardware, sensors and algorithms before going to market. This can only be done under real-life conditions, or in a simulated real-world environment, where precise reproduction of deployment conditions enables identification and comparison of various parameters. In other words, you can achieve “ground truth” validation of reliable performance and accurate algorithms.

Lab-driven product development allows all the components to be tested and optimized collectively, ensuring appropriate reactions to inputs like touch, voice and motion tracking. This method also enables a wide range of communications and security protocols to be effectively tested, such as Wi-Fi, 4G LTE, 5G, Bluetooth, ZigBee, etc.

Moreover, beyond testing performance and interoperability, the ability to reproduce nearly any scenario in a lab setting also can aid in validating the business case and fine-tuning competitive differentiation. This enables device manufacturers, solution providers and enterprises to deliver initiatives to market more efficiently and with greater overall success.

Watch your step

So what are the most critical steps to take when testing IoT? In general terms, the broad testing and QA categories include data testing using firmware; testing data comprehensiveness; validating data accuracy; simulation-based testing; interruption testing; connectivity and interoperability.

However, to simplify the process, IoT testing can be broken down into three steps:

  1. Sensor: Algorithm validation
  2. Device: Connectivity/compatibility
  3. Use case: Functionality, performance and usability

In the more established realm of software development, a considerable amount of manual testing and QA processes are automated through continuous integration. With IoT, the interdependencies between software, hardware and the ecosystem make testing more complicated, but there are still some aspects that can be automated for rapid integration, speeding time to market without sacrificing quality.

For example, third-party APIs, GUIs and other system components can be virtualized to isolate performance issues and speed up testing cycles. Likewise, test management frameworks are helpful for unifying testing of apps across web and smart devices. And testing for compliance with regulatory requirements can be partially automated using static analysis tools.

There’s no question that the greenfield IoT market presents considerable opportunities for business success. But bringing a new use case to market also requires a significant investment in time and money. Before making a leap of faith, give yourself a head start over the competition by ensuring compatibility and end-to-end platform performance at all stages of the development lifecycle with ground truth validation and a smarter testing protocol.
