One of the many shock waves that the Internet of Things has set in motion across different technology markets can be found in telecommunications. Previously, the direction of the telecoms industry seemed very unambiguous: to keep increasing the data rates that can be delivered over the air. This strategic homogeneity made the industry predictable and even stale, with all suppliers pursuing more or less the same goals.
The status quo is now being shaken up by IoT, which is shifting attention from data rates to power efficiency. The latter priority is largely at odds with the former, so the new technologies that this shift is leading to are decidedly low in terms of bandwidth, in order to minimize the power consumption of end devices.
There obviously is still a time and a place for using high-bandwidth communications in IoT applications that require higher data rates and lower latency — such as connected car, smart grid or industrial automation — but all in all, the really transformative stuff is happening at the opposite end of the connectivity space. As an innovation enabler, the emergence of low-power IoT networks could be compared to how the rise of mobile unleashed personal communications and computing from the world of wires.
The key difference, though, is that this time around the Things are being unleashed from electricity wiring. Advances in low-power, low-bandwidth telecoms are allowing enterprises and makers to develop “connected” and “smart” products that have to rely neither on access to power supply nor frequent recharge cycles. They can be built to run several years on batteries and, furthermore, those batteries can be small enough to permit significantly more discreet and flexible form factors for the end device than what could have been envisioned only a few years ago.
In the following, let’s take a look at the most important developments that the quest for low-power telecoms has recently led to:
- Thread is a new 802.15.4-based protocol that deserves to be highlighted for the mere fact that it has triggered a whole new sense of urgency amidst the vendors that drive the following three technologies on the list. Designed for home and building automation, Thread has generally gotten off to a good start and its certification program is currently vetting the first cohort of compliant devices. Once the commercial versions of such products start hitting the market — probably in the second half of the year — we can start assessing how well Thread’s implementations can actually match the admittedly lofty expectations.
- Bluetooth has had its IoT-friendly incarnation, Bluetooth Low Energy, available already for half a decade, but its relevance to developers has been quite seriously inhibited by its short range and point-to-point nature. This year, Bluetooth as a standard should finally get its eagerly awaited capability for running mesh networks. That is an addition that could, especially, divert the (hitherto over-hyped) beacon space into an interesting direction.
- Wi-Fi HaLow is the framework for the low-power, longer-range implementations of Wi-Fi, run in the increasingly sought-after 900-MHz frequency bands. Given the relative ubiquity of Wi-Fi in homes, buildings and urban spaces, HaLow could certainly reshuffle the connectivity market for a variety of IoT applications. On the downside, the progress towards it has been undeniably slow; for example, the certification program is scheduled for not earlier than 2018. That is starting to be rather late, given everything else that is going on.
- ZigBee 3.0 is the latest version of the ZigBee standards, whose infamous fragmentation has so far made the technology as a whole amount to considerably less than the sum of its parts — or application profiles, to be more specific. Ratified at the end of 2015, the third generation aims to harmonize the profiles substantially and thus improve device interoperability. The case for developing Thread from scratch had a lot to do with ZigBee’s shortcomings, so there is something of a last-ditch feel to the attempt.
- Low Power Wide Area (LPWA) is an umbrella concept for a group of new technologies that have been built to combine power efficiency and inexpensive hardware components with the operational benefits of wide area networks. Machina Research further splits the concept into two subcategories: with “dedicated” LPWA consisting of the purposely designed technologies such as LoRa, RPMA and Sigfox, and “evolutionary” LPWA covering the alternatives that have been developed as upgrades to existing ones like LTE. During 2015, LPWA became one of the hottest topics on the supply side of IoT. Collectively, these networks could well prove a real game changer, although there are still also certain question marks related to their technical, commercial and even regulatory feasibility.
- Other major developments in IoT connectivity can be found mostly in low-power mesh networking. Wi-SUN is an 802.15.4-based standard that has been engineered especially for utility networks, and it has shown a lot of early promise in that sector. Its most high-profile implementation, Silver Spring Networks’ Starfish, has just been opened up to also serve developers outside of the company’s own customer base. At the same time, Wirepas is a vendor that has come up with a software solution that seems to be able to dramatically boost the scalability aspect of mesh networks, which has always been their weakest spot from the enterprise perspective.
By far the best part about such multipolar innovation is that the involved technology camps are keeping each other on their toes, and progress by one pushes the others to up their game. It should also keep the bargaining power of key vendors or service providers in check, preventing rent seeking and other practices that would ultimately stifle innovation on the enterprise level.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
The objective of the connected home experience is to enhance the lifestyle of the consumer, delivering an anytime, anywhere, borderless lifestyle where all devices work together whether the applications are entertainment, home control or energy management. The connected home makes it easier and simpler to accomplish what people are already doing today. Many daily activities like eating, sleeping, driving to work, listening to music, watching television, reading a book or going shopping can be enhanced by connected technology.
For the promise of this truly connected home to be realized, it is imperative that the connected devices can exchange data among themselves as well as with third-party applications and services. Common barriers to smart home market growth are the results of interoperability challenges, and include inconsistent and limited connectivity capabilities, lack of contextual richness of data, expensive devices with long lifespans, and point-to-point integration strategies that quickly become unmanageable.
Parks Associates has identified the following key challenges that the industry must overcome to accomplish a true smart home experience.
Bridging different home area networks
The past few years have seen a lot of activities by players in the Internet of Things (IoT) space to address the issue of interoperability. A number of industry alliances have formed to work towards creating common standards and communication protocols to allow devices, cloud services and applications to communicate and exchange data.
The smart home landscape is currently littered with a plethora of proprietary as well as open source communication protocols in an attempt to connect devices with one another.
The leading communication protocols in use in the smart home space include Z-Wave, ZigBee, IEEE 802.15.4, 6LoWPAN, DECT ULE and Low Power Wi-Fi. Each of these protocols has its own strengths and weaknesses, which make them suitable for specific use cases. Parks Associates believes that there will not be a single winner of this war of protocols; all will continue to co-exist for the foreseeable future.
Integrating platforms and connected products
In addition to the communication protocols, a plethora of industry standards attempt to create a framework for integrating devices, services and applications. These standards either are backed by a group of technology companies or come from influential platform players such as Apple or Google. Small device makers and app developers — which have limited resources — must weigh the pros and cons from both technology and business perspectives. In most cases, it is an overwhelming task to pick a side, and also a costly one to support multiple standards in order to hedge their bets.
Popular industry standards include:
- Thread Group
- Brillo and Weave
Finally, there is an additional challenge of bridging apps used for different connected devices. As consumer adoption of smart home devices accelerates, the number of connected devices in a household is also expected to grow. Mobile apps are the primary interface for these connected devices in a smart home. Parks Associates data indicates that more than 80% of smartphone/tablet users who use at least one smart home device have downloaded mobile apps for these devices.
The frequency of smart home app use is on the rise too. Parks Associates research shows that nearly half of broadband households with a smart motorized garage door opener use a smartphone, tablet or computer to control the opener daily or almost daily.
In this context, consumers navigating multiple apps for use of connected devices within a smart home act as a deterrent to adoption of connected devices. A number of technology solution providers have developed hubs or gateways and a corresponding mobile application that serves as a dashboard to the connected home. These solution providers come from a multitude of backgrounds and include service providers, home improvement retailers and security companies, as well as startups.
As the smart home market is increasingly moving towards a battle among multiple ecosystems led by influential companies from the technology sector and the service provider industry, it has become urgent that the industry accomplish interoperability at all three levels: device-to-device connectivity, device-to-platform and app-to-app. A close collaboration among smart home ecosystems could minimize the danger of fragmented user experience and bolster healthy growth of this exciting market.
Larry Prusak noted that “the only thing that gives an organization a competitive edge, the only thing that is sustainable, is what it knows, how it uses what it knows, and how fast it can know something.”
Information is foundational to business success, but understanding that data — and acting on it — is not always a simple matter. Using IoT allows your enterprise to access real-time data, and analytics allows you to elucidate insights. But then what? At IBM’s InterConnect 2016, Chunka Mui, managing director of the consulting team Devil’s Advocate Group, laid out five key lessons to “stress test” your enterprise innovation approach. How can companies drive innovation, create value and help create “fans” who are loyal? Mui’s key lessons were to embrace the gap, think big, start small, learn fast and cultivate a sense of “patient” urgency.
Time and technology wait for no man
Mui emphasized the need to embrace the gap: this chasm is the difference between the rapid development of technology and the incremental change desired by companies. He stressed that embracing the gap is not simply deliberating about ways you can serve customers’ needs or wants. It’s about approaching that chasm and then seizing the opportunity that lies there. Mui noted that a failure to embrace technology quickly limited enterprise ability to thrive in the marketplace. He noted that IoT is augmenting a range of disruptive “gap” technologies, such as social media, mobile devices, cloud computing, and analytics and artificial intelligence.
It’s bigger than you
Uber. Lyft. They’ve had an astounding effect on the taxi industry (and are being banned in certain areas because of it), but they are also revolutionizing cars and travel in ways never thought possible. Mui noted that in order to “think big,” enterprises must also be willing to move in directions that were never considered before. Businesses are being disrupted by technology (such as the shift to mobile), but are not investing enough time and consideration for new directions — or even completely novel problems. Startups have the advantage of a clean slate; they are small and agile, able to take advantage of the technology to serve a particular customer demand. Larger, more established companies may need to approach the marketplace with a clean slate in order to use innovation to drive growth. “Reimagining the customer experience,” Mui added, is key to develop “big” ideas.
The journey of a thousand miles…
After considering ideas about serious market disruption, Mui’s suggestion to take small steps seems anachronous. However, his reasoning is based on a solid approach to development: break the idea into smaller pieces and test them. Each small test provides a mountain of data which can be used to provide insights into whether the product or service is going to be successful. Many companies do not learn enough from playing around with or developing their prototypes (or identifying the best possible location to test them, either). Starting small can mean your company invests R&D resources in your app or considers a new connected device on a small scale. But none of this will be successful without his fourth step, which is…
It’s a given that enterprises need to be in a constant state of innovation — they need to be relentlessly adding to their knowledge base and pursuing new avenues for meeting customer needs. Mui pointed to Bob Lutz’s 931 approach to car design as one method for moving swiftly through the research and development phase. The most important part of the process is that the information that is derived from each step is understood and analyzed before moving into the next phase of development. IoT sensors can provide significant amounts of data, and companies can realize value by implementing data driven tweaks throughout the development cycle. (Currently, only about 1% of IoT data is actually used.)
Hurry up. Now wait.
Perhaps the most difficult lesson to implement is Mui’s final one: knowing when to move an innovation into the market is a highly sought after but sometimes elusive talent. The perfect timing to release your innovation is an amalgamation of well-informed analyses, a deep understanding of market trends, a thorough comprehension of your competition, rich, rounded insights about your customers — and yes, even pure instinct. History is littered with visionaries who were well ahead of their time — the Da Vincis and Teslas who imagined truly innovative creations … that the world was not ready for. Analytics can offload some of this problem by pinpointing what your customers desire now and predicting patterns of behavior that can inform your launch strategy.
“Innovate or die” is a business maxim that not only pushes companies into the red, but moves many others into the development of profitable, useful creations that disrupt the industry. Mui’s lessons underscore a key aspect of modern enterprise innovation: it is completely data driven.
The first thing you need to do when designing an IoT system is to get everyone onboard with the fact that it won’t work — at least every once in a while. Even if you’ve spent the time and expense to achieve several 9s of reliability for the stuff you build, there will likely be a dependency — somewhere in the chain — that is simply out of your control and causes some sort of IoT downtime.
IoT systems are often enabled by several supporting services on the back-end. Third-party services such as network providers, messaging platforms and even the core infrastructure of the Internet add dependencies between the sensors in the field and the dashboards they feed. While these supporting services are convenient and often necessary, they are managed by someone else and are consequently a risk. Maybe an IT person unknowingly changes the Wi-Fi configuration. Or maybe an ISP blacklists traffic from your devices, or there’s a widespread cellular outage. It’s important to identify dependencies, minimize the risk where possible and set expectations accordingly. The larger the system scales, the more distributed it becomes and the more likely it is that the spaces between “your stuff” will hiccup and you’ll have to deal with it. This means you have to plan for failure and handle it well.
“Handle it” doesn’t stop with technology. It’s important — arguably more important — to set the business expectation that IoT downtime could be a natural occurrence. It should spark conversation around expectations and the cost/benefit of making something truly highly available. You have to weigh the cost of support issues against the ROI of the opportunity at large. When margins are thin, even a single truck roll could kill the ROI for several units. It’s definitely not easy to quantify, but having those discussions early on will go a long way to minimizing the overall impact of issues.
Here’s a real scenario: An IoT system reported that several devices were not communicating after a routine firmware upgrade. The team determined that most of the devices were working as expected, but several devices were indeed offline. After a long troubleshooting session, they found the outage was coincidentally timed with a widespread DNS issue caused by a totally unrelated event which prevented the devices from communicating for several hours. Of course, the customer wanted to fix it immediately, but they had no way to communicate with the devices until the public DNS service was restored; the customer simply had to wait it out. Ironically, not long before, the same DNS service enabled them to avoid a previous outage by quickly pointing all of the devices to a failover system. Point being, dependencies aren’t inherently bad, but you should understand the tradeoffs.
Identify types of IoT downtime outages: Blips, blocks, bombs
A good practice is to walk through the entire system and identify potential types of outages. This could be as simple as walking through a block architecture and asking, “What happens if this block stops working?”
Ask yourself questions in this format: if this block fails,
- Can units still be shipped/produced?
- Would it prevent someone from doing their job in the field?
- Can units still send data?
- Can we still communicate with the devices?
- Are we dropping data?
- Will it impact accuracy or quality of data?
- How does this outage affect billing?
- Will we have to visit the site?
Asking these types of questions will likely identify situations that fall into the category of blip, block or bomb.
Blips are the most common errors associated with cloud computing, typically called “transient errors.” Blips are typically short, on the order of seconds or minutes. You should plan for blips as if they are a common occurrence; implementing retry logic is typically all that is required. Blips often happen when a service is busy and access to it is temporarily throttled. Another example might be regional network congestion. From a UI perspective, just adding a little feedback can go a long way. Let the user know that you hit a blip but are still trying.
A block is typically infrequent, but a significant step up in severity. Blocks are typically longer, on the order of minutes or hours. Think cellular outage or the DNS issue explained earlier. In these cases, retries fail and you’ll need to implement something like a pipe and filter pattern to queue up work that is waiting for the block to clear. Another common way to handle a block is to store and forward. These methods allow the stuff on either side of the block to continue normally and minimize any data loss or downtime. Blocks are extremely disruptive and potentially costly if left unhandled. For example, a service technician might not be able to do his job because the onsite workflow takes a dependency on a system that is not available.
Bombs can occur when the previous situations persist to the point where they result in a cascade of failures. A bomb is as bad as it gets and usually something that requires manual intervention to recover. A cascade might look something like this: A cellular outage causes all of the devices in a huge region to reconnect at the same time, creating a denial of service on the servers which, in turn, causes the server to restart … which starts the cycle all over again. Your goal here is to identify bombs and work to put barriers between them in an effort to convert them to blocks or blips if possible.
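The three outage types map onto three device-side mechanisms, sketched below as an added example that is not code from the original article. The names `Uplink`, `TransientError` and `reconnect_peak` are hypothetical, and the capped exponential backoff with full jitter is one common choice for the "retry logic" and the "barrier" between bombs, not something the article prescribes.

```python
import random
from collections import deque


class TransientError(Exception):
    """Transport failure worth retrying (throttling, congestion, DNS timeout)."""


def backoff_delay(attempt, base=1.0, cap=60.0, rng=random):
    """Capped exponential backoff with full jitter, in seconds."""
    return rng.uniform(0.0, min(cap, base * 2 ** attempt))


class Uplink:
    """Device-side sender: retry through blips, store and forward through blocks."""

    def __init__(self, send, sleep, max_retries=4, queue_size=1000):
        self.send = send            # hypothetical transport; raises TransientError
        self.sleep = sleep          # injected so the example runs without waiting
        self.max_retries = max_retries
        self.queue_size = queue_size
        self.backlog = deque()      # readings waiting for the block to clear
        self.dropped = 0            # expose this in health/diagnostics reporting

    def _try_send(self, reading):
        for attempt in range(self.max_retries + 1):
            try:
                self.send(reading)
                return True
            except TransientError:
                if attempt < self.max_retries:
                    self.sleep(backoff_delay(attempt))
        return False

    def publish(self, reading):
        """Return 'sent', or 'queued' once retries fail or a backlog exists."""
        if not self.backlog and self._try_send(reading):
            return "sent"
        if len(self.backlog) >= self.queue_size:
            self.backlog.popleft()  # bounded memory: drop the oldest and count it
            self.dropped += 1
        self.backlog.append(reading)
        return "queued"

    def flush(self):
        """Drain the backlog in order, stopping at the first failure."""
        sent = 0
        while self.backlog and self._try_send(self.backlog[0]):
            self.backlog.popleft()
            sent += 1
        return sent


def reconnect_peak(devices, attempt, jitter, seed=0, cap=60.0):
    """Most devices reconnecting inside the same one-second window."""
    rng = random.Random(seed)
    ceiling = min(cap, 2.0 ** attempt)
    per_second = {}
    for _ in range(devices):
        delay = backoff_delay(attempt, cap=cap, rng=rng) if jitter else ceiling
        per_second[int(delay)] = per_second.get(int(delay), 0) + 1
    return max(per_second.values())


if __name__ == "__main__":
    # Constructed scenario: the transport fails twice (a blip), then recovers.
    failures = [TransientError(), TransientError()]

    def flaky(reading):
        if failures:
            raise failures.pop()

    link = Uplink(flaky, sleep=lambda seconds: None)
    print(link.publish({"temp_c": 21.5}))
    # Fleet of 1000 devices reconnecting after an outage, without and with jitter.
    print(reconnect_peak(1000, 6, jitter=False), reconnect_peak(1000, 6, jitter=True))
```

While a backlog exists, `publish` queues without touching the network, so a blocked device does not add retry traffic; call `flush` on a timer or on a connectivity-restored event.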
In any case, feedback to end users is a huge help and will go a long way towards mitigating the frustration associated with outages and IoT downtime. Don’t leave a user in the dark if you know something isn’t working. Let them know so they can do something else instead of hitting a button over and over.
Taking the time to think through these scenarios will help everyone appreciate how outages impact their part of the business. This is as much an educational and discovery process as anything. Probably the most important suggestion is to give yourself health and diagnostics visibility focused on dependencies. That visibility can be a huge time saver; without it, you’ll end up spending time hunting down something you can’t fix anyway.
When McKinsey Global issued a report in 2015 that highlighted the potential of IoT, it noted two major challenges: interoperability and integration. Without the ability to interact with other devices and systems via standardization, the overwhelming potential of IoT will sit untapped.
At IBM InterConnect 2016, the company announced its hybrid cloud offering. IBM is now offering all of its rapid time-to-benefit solutions (i.e., WebSphere, API Connect, AppConnect, etc.) on its hybrid cloud platform. This is a seismic move in IoT, since it now means that there will be a major effort towards standardization through IBM’s services. IBM’s move creates a new dynamic in the industry; its partnerships with other companies and extensive customer base make it a natural center for IoT standardization.
IBM took its cue from the market: according to Forrester, strengthening and expanding the customer base will involve a far greater reliance on technology than ever before. It predicts that 46% of consumers will have mobile devices and use them as a key interaction point with businesses. Customers will expect an easy-to-use app for your enterprise — and they will expect you to have in-depth knowledge of their personal preferences.
Driving innovation for every enterprise
IBM’s hybrid cloud creates a firm, consistent foundation for growth. For startups, IBM’s cloud is an unparalleled opportunity. A serious concern facing startups involves choosing (and speedily using) the correct technology — no simple decision considering how rapidly technology evolves. By choosing IBM’s cloud platform, startups have access to the same types of software and computing power as those available to much larger, more established companies. Alpha Modus CEO William Alessi was at InterConnect, and noted that by going with IBM’s platform, the company was able to develop its app in seven days. Compare that to Kinvey’s developer’s survey, showing that the average iOS/Android app dev time is about 18 weeks.
Larger or more established businesses can take advantage of IBM’s knowledge base to derive more value for their customers, become leaner and enhance profitability (or even create new streams of revenue). Accessing the newer technologies needed for IoT can be costly: whether it involves new hires or retraining employees, technology demands the constant investment of man-hours and resources. However, by allowing access to IBM’s platform of services, your development team will be able to access a suite of technologies already in use by thousands of clients (and millions of users). The extensive knowledge base alone can cut into development time, as programmers won’t need to hunt around for solutions.
Real power for IoT
IoT demands significant computing resources, far beyond those available to most enterprises. With millions (soon to be billions) of sensors sending real-time data about products, customers and equipment, only the most advanced systems will be able to deliver the insights needed. Unless your company has a dedicated server farm, the ability to tap into the power of IoT data is beyond reach. Case in point: Google’s image recognition foray involved the use of about 16,000 microprocessors — and that processing power was used to identify a photo of a cat. IBM’s cloud services provide that type of large-scale computing power, and it eliminates the need for costly hardware upgrades and supports a range of app and analytics services.
Managing data goes beyond collection: IBM’s analytics offer actionable enterprise insights that contribute directly to creating a leaner, faster, more profitable company. The InterConnect stage played host to Richard Holmes, General Manager, Infrastructure and Operations of Westpac Group Technology, one of Australia’s most respected businesses that has been in operation for almost two centuries. Holmes noted Westpac is expecting to move 70% of its operations to the hybrid cloud in the next three to five years. One reason may be the value it found by tapping into the power of analytics: the bank was able to cut down its provisioning time from 84 days to minutes.
Access to the cloud has significant advantages for development, as well. For example, developing prototypes and simulations benefits significantly from the implementation of real-time data. Siemens CEO Mattias Rebellius noted that because the company was able to identify heating/cooling equipment issues, it was able to address the problem quickly, and used that data to generate better, more realistic simulations. (On a side note, Siemens wants to change its buildings into value generators for its customers, and has leveraged its knowledge derived from analytics to generate fewer carbon emissions — about 10 million tons last year.)
Pivot towards the future
IBM’s commitment to hybrid cloud is a fundamental shift in the IoT industry; it alters the conversation about IoT integration and levels the playing field for companies, regardless of private cloud and public cloud services with orchestration between the two platforms. By allowing access to unparalleled processing power, time to market will decrease, and innovation and access will increase. With billions of dollars in play, companies need to move quickly to implement IoT solutions.
According to Harbor Research, some 4.3 billion new devices (excluding laptops and PCs) were connected to the Internet in 2015. Based on current installations, our modeling forecasts there will be some 36 billion devices in just four years (by 2020). But one central question is how and where will these devices come online?
As the IoT space matures, what we will see is an eventual IoT convergence of what has thus far remained largely bifurcated: Industrial IoT and consumer IoT. We are, in fact, already seeing this trend underway, as what have traditionally been “consumer” devices are leveraged in enterprise settings, and enterprise-class technology moves into the hands of the masses. To understand this IoT convergence is to consider examples of it, as manifestations vary considerably.
Manufacturers apply virtual reality for more agile product prototyping and employee training
The virtual reality market has mostly belonged to gamers until recently. Now, discrete manufacturers such as Ford and BAE Systems are using augmented and virtual reality tools to make the design and prototyping process faster, more agile and far more cost effective than physical renderings. These virtual models and simulations help manufacturers make decisions earlier in the design process, detect issues more rapidly, and enable real-time collaboration across geographically diverse groups of engineers and designers. These manufacturers, among many other industrial businesses, are using this technology to train employees to become familiar with dangerous working environments, simulating, for instance, how to handle dangerous factory or in-the-field situations.
Software vendor builds platform for wearables
Enterprise software vendor Salesforce.com launched a full platform for industrial service applications designed for the Apple Watch in 2015. Businesses are already relying heavily on consumer mobile devices in their enterprise mobility and IoT service functions, from communications to analytics, to remote monitoring, to appointment scheduling, to inventory tracking, machine controls, troubleshooting and beyond.
Grocery store augments shopper experience (and replenishment process)
Coop, a grocery retailer in Italy, is experimenting with the Kinect, as well as robots, interactive screens and sensors, to detect when shoppers pick up a product, then use that sensor data to display relevant information (its composition, source, freshness, nutrition, etc.) on a digital sign above the item. By measuring shelf weights and locating stock beneath the shop floor, they are able to optimize replenishment and automate inventory replacement.
Insurance looks to wearables to mitigate risks (and costs) for workers injured on the job
Insurance company AIG recently acquired Human Condition Safety (HCS), a wearable start-up, in a bid to mitigate its risks (and costs) of employees injured in the workplace. As one of the largest providers of workers’ compensation coverage, AIG will leverage the research, development, software, analytics and wearable hardware that HCS has been developing for high-risk worksites. The technology, according to AIG, can detect how much a worker is carrying, risky bodily movements that could result in injury and proximity to dangerous equipment, among other worker or environment hazards.
Logistics company streamlines packaging operations
Gaming consoles and movement trackers are now being applied in industrial and commercial infrastructure because they often serve the use case better — and more cheaply — than more traditional machine vision solutions. DHL, for instance, is using Microsoft Kinect sensors to scan pallets, allowing it to determine optimal packing sequences and volume-based shipping prices.
From robots assisting shoppers in a home supplies retailer such as Orchard Supply Hardware, to 3-D printing of customized toys made available to the kids via Mattel, to conveying the value of “smart cities” to citizens through consumer mobile apps that direct drivers to available parking spaces… examples of this collision are manifold. They are reflective of the vastness and variety of applications, interfaces and componentry that comprise the Internet of Things itself.
For consumers, the goal is visibility into our carbon footprint, potential risks or areas needing our attention, greater convenience, time and information efficiency, and simplicity. For businesses, the goal is merging “internal”-facing and “external”- or customer-facing connected environments for a unified operational and customer experience.
The perceived benefits, efficiencies and novelty inherent to applying sensor-based technology to will drive IoT convergence. For the pragmatic, costs and adoption pressures will continue to blend these worlds as employees will desire the tools they have at work in their personal lives, and vice versa.
As more and more businesses and consumers adopt connected devices that comprise the so-called Internet of Things (IoT), it raises the question: what security risks are those users also adopting? A wide range of security research — much of which has made its way to mainstream media — has demonstrated some pretty serious IoT security flaws in a number of different device types. However, all of those findings seemed to feel disjointed; are these flaws coincidentally similar, and limited to the particular device or manufacturer studied? Or is there a larger issue at play?
At Independent Security Evaluators, we had the hypothesis that these IoT security flaws in connected devices might plague the entire IoT industry, not just the few manufacturers who had been studied to date. So in order to prove (or disprove!) that hypothesis, we organized a hacking event known as IoT Village.
IoT Village first debuted at esteemed security conference DEF CON from August 7-9, 2015. Over the course of the event, we had researchers from a wide range of security organizations present their work on various aspects of the IoT security flaw problem. In conjunction with these talks, we also had security researchers teaching hands-on workshops about how to break devices and how to harden them. Finally, we had a hacking contest, where we bought a range of devices and encouraged attendees to hack them together.
Upon conclusion of IoT Village, we had unequivocally proven that IoT security flaws in connected devices are pervasive. Here is a snapshot of some of the metrics to support that finding:
66: 0-day vulnerabilities discovered/presented overall
14: 0-day vulnerabilities discovered/presented in the contest
27: Unique devices
18: Different manufacturers
IoT Village proved that security issues are pervasive across connected devices; the event served as a platform that produced 66 previously undiscovered security vulnerabilities across a wide array of manufacturers and distinct device types. Fourteen of those vulnerabilities were discovered on-site during the hacking contest that occurred during the few days of the event. In so doing, IoT Village highlighted the fact that security is an industry issue for manufacturers of connected devices, as these issues are not relegated to any particular manufacturer or device type. Furthermore, many violations of the underlying secure design principles were repeated across devices and manufacturers. This suggests that building security into connected devices is not yet seen as a business-critical mandate in most cases. As connected devices continue to become rapidly adopted, it is imperative that manufacturers better build security in and, through security assessment, better validate that those security measures are effective.
IoT security flaws: Examples
SmartThings Motion Sensor: An attacker could exploit a vulnerability in such a way as to interfere with the device’s ability to monitor motion. This would be very useful for a property thief or violent criminal, who could run the attack from outside the physical premises, break in to steal items or attack a tenant, and then leave the premises. After leaving the premises, the adversary would stop the attack against the device, returning it to normal operation. The motion sensor would not have triggered, and thus the adversary could circumvent the entire purpose of the device. (Credit: Wes Wineberg, Synack).
iSpy Tank: Adversaries could exploit vulnerabilities that enable them to take over control of the wheels and the video capture. Effectively, an adversary would be able to obtain a remote controlled, powered, spying machine. This is especially concerning because this toy is intended for children, so most likely anyone victimized by this attack would potentially have exposed their children as well. (Credit: Ken Munro, PenTest Partners).
Parrot Drone: Using a single command, the attacker can make the drone drop out of the sky. As drones are being deployed for an ever-widening array of purposes, so too do the implications of this attack broaden. (Credit: Ryan Satterfield, Planet Zuda).
IoT Village is scheduled to run in future iterations at other upcoming conferences throughout the year. If you are a researcher in this space, manufacturer of connected devices, or in the business of deploying connected devices, we encourage you to get involved. Together we can make meaningful change to resolve this problem.
Bob Whitaker, chief science and technology officer at the Produce Marketing Association, thinks the Internet of Things (IoT) will draw CIOs and CTOs into the field of food safety.
In his role at the Produce Marketing Association, a trade organization for companies in the fresh produce and floral supply chain, Whitaker focuses on food safety and security as well as supply chain technical innovation. He said CIOs and CTOs historically have not been involved with food safety initiatives, but predicted that the emergence of IoT will change that situation.
Indeed, IoT is already intersecting with food safety, with projects getting underway or soon to begin. Over time, sensors installed across the supply chain — from local growers to processing plants to distribution centers — will gather data that will provide greater visibility into food safety from farm to fork.
“I think the IoT is going to make food safety transparent within our supply chain and eventually to consumers,” Whitaker said.
And as IoT becomes more embedded in food safety programs, CIOs and CTOs may find themselves being pulled into those initiatives.
That’s largely due to the amount of data expected to be generated from various points along the food supply chain. Bags and boxes of produce equipped with RFID tags will report location data as items traverse the supply chain. Temperature sensors will keep tabs on whether food is being stored or transported within a safe temperature range.
In addition, more equipment in the food supply chain will be built to give off digital signals. Whitaker pointed out that produce washing systems in a number of food processing plants already include equipment that monitors and reports the level of disinfectant in the wash water and the water’s pH level to ensure the disinfectant is at the right acidity level to be effective. Operators use disinfectants in wash water to kill microorganisms that might exist on the surface of fruits or vegetables when they come in from the fields.
“If [microorganisms] slough off into the water, you want to kill them so they do not build up to potentially dangerous levels and contaminate all of the product that might be washed over a given period of time,” Whitaker explained.
The monitoring systems generate data that can be captured and used to analyze wash water quality, he said. Armed with that data, operators can make decisions on whether to add more disinfectant, adjust the pH or change the water to maintain proper operating conditions.
Both processing plants and growers will increasingly find themselves awash in data. Whitaker said even small or mid-sized operations can potentially generate thousands of data points.
He said many people in the industry are starting to ask which types of data are the most important and how they can put that data to use. IT leaders in the food supply chain, he believes, will be called on to help with data analysis.
“You will see the CIO and CTO become much more involved in food safety,” Whitaker said.
Spring is around the corner, so thoughts will soon turn to de-cluttering, and what better way to apply it to the IoT world than to try to lend some structure to the amorphous mass of middleware, software and actual platforms collectively titled “IoT Platforms” — over 200 at last count. The platforms space has grown so much that the term “IoT platforms” has become overused and misunderstood. Machina Research has put together a taxonomy of platforms that defines the types of IoT platforms that exist; types of platforms may be considered under the groupings “connectivity,” “applications enablement,” “device management,” and “analytics and business services.” There is no one vendor that can provide a single end-to-end platform comprising all four groups of platforms on its own.
Therein lies one of the unique attributes of the IoT platforms space: the role of the partner ecosystem. If a customer wants an end-to-end solution, there can be one single vendor point of contact, but that vendor will be the client-facing frontend of at least two partners that are providing the solution. Usually, one of the partners will be a systems integrator as the lead or in a supporting capacity, as projects have a requirement to either piece different vendors’ components together and/or frequently to connect with the existing business systems of the customer.
Integration with customer systems like CRM or ERP is no coincidence as IoT serves to enrich the offering of the customer by taking sensor data collected by a machine in a traditional M2M solution and integrating it with other points of information to create a solution that is transformative to the business. As a result, for example, instead of just gathering meter data in order to manage capacity, a utility can now provide a more enriched user offering through integrating into their CRM system to offer individualized solutions to customers based on their usage, on a timely basis.
As the platforms space grows, it also matures. And like other maturing industries, there can no longer be a features bake-off. As IoT vendors move from being engineering-driven to customer-driven, being able to explain business value not only becomes necessary, but the norm. This is especially true in IoT, where the transformative and strategic nature of its impact on the business means that other business units outside of IT are stakeholders, if not outright decision makers. Business technology decisions as big as what CRM system to use, what handset OS, what enterprise email solution, are explained to an organization’s team members outside the IT team in terms of what it means for productivity, efficiency, ease of use, integration with legacy systems, ROI, impact on running the business and impact on the customer, among other metrics. Why is it then that when determining why a type of IoT platform should be considered, the default is still to only talk about APIs, architectures, MQTT, HLRs and more? That may be part of a platform’s value, but it cannot be all of it.
Technology powerhouses such as IBM, Microsoft, Amazon and others know about mature technology solutions and therefore know that the above is the way to be successful in business. As platform vendors grow from start-up and mid-market, the key way to succeed is to speak and engage in the way the successful older players do, not least because technological one-upmanship is ephemeral.
If a vendor knows what type of platform it is selling, it has partnerships in place (including systems integrators, where applicable), it can speak to its features, it knows how it connects to customers’ systems and how it will provide transformative business value, then the amorphous mass that is “IoT platform” is now tidied up into something that can be productized.
The forecasts for IoT are huge, with some pundits suggesting that there will be 50 billion devices connected by 2020. Whether or not these forecasts are correct, it is clear IoT is already gaining meaningful market momentum, buoyed by a seemingly endless array of applications for consumers, enterprises and public services. Unfortunately, as these applications proliferate, they create a multitude of security vulnerabilities and attack surfaces, exacerbated by a variety of factors including:
- Poor system designs that lack basic IT security measures, such as encryption and secure authentication. Commonly these poor designs reflect inadequate security skills and, in some cases, aggressive time to market demands among ecosystem players.
- Integration with legacy systems not designed for secure connectivity.
- Security vulnerabilities and associated attack surfaces increase as more devices are connected. This is particularly the case for IoT devices with limited computing capabilities that operate in unsupervised and hostile environments.
- The stakes can be higher for the many IoT applications that interact with machines. This was clearly illustrated last year on prime-time television as viewers saw a Jeep Cherokee drive into a ditch after security researchers demonstrated how they could remotely disable its brakes.
- IoT solutions commonly use proprietary and specialized standards to enable specific use cases and large scale deployments, and to integrate into legacy environments such as M2M. The security vulnerabilities of these proprietary and specialized standards are typically greater than those associated with mainstream standards.
To make matters more challenging, enterprises cannot protect themselves by banning IoT applications. Unfortunately, IoT applications are well suited to shadow IT implementations since they are increasingly embedded in connected infrastructure and are proliferating in a slew of consumer markets. As a result, enterprises must arm themselves with the necessary tools, procedures and expert support to address IoT security. Much of this effort involves getting back to basics, including network assessments to identify and investigate the behavior of IoT device connections, and IoT device audits to ensure that they have trusted identities, encrypted traffic and safe software/firmware.
IoT is also well suited to advanced policy and heuristic-based security solutions. In particular, IoT devices tend to have narrowly defined functions that can be validated by policy enforcement platforms. For example, an IoT-connected device that monitors the temperature in a manufacturing plant should not accept temperature updates through a remote connection. Similarly, machine learning and artificial intelligence-based heuristics can be used to monitor the activities of IoT devices based on learned activity profiles. While both policy- and heuristic-based platforms are well suited for IoT security, they require regular maintenance to ensure that the implemented policies and learned behaviors are valid.
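The policy-enforcement idea above, sketched as an added example that is not part of the original article: a default-deny allowlist per device role, checked against flow records. The device names, roles, addresses, ports, operation names and the flow-record layout are all constructed assumptions.

```python
# Added illustration: default-deny policy check for narrowly scoped IoT devices.
# Device names, roles, addresses and the flow-record layout are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    device: str      # device the record is about
    direction: str   # "out" = device initiated, "in" = peer initiated
    peer: str        # remote address
    port: int        # port on the listening side
    action: str      # application-level operation seen on the flow

# Each role lists the only flows it may take part in; everything else is denied.
POLICY = {
    "temp_sensor": {("out", "10.0.5.10", 8883, "publish_reading")},
    "hvac_controller": {
        ("out", "10.0.5.10", 8883, "publish_status"),
        ("in", "10.0.5.20", 8443, "set_setpoint"),
    },
}
INVENTORY = {"sensor-17": "temp_sensor", "hvac-02": "hvac_controller"}

def evaluate(flow: Flow) -> Optional[str]:
    """Return None if the flow is permitted, else the reason it is denied."""
    role = INVENTORY.get(flow.device)
    if role is None:
        return "unknown device: not in inventory"
    key = (flow.direction, flow.peer, flow.port, flow.action)
    if key in POLICY[role]:
        return None
    # A role with no inbound rule at all should never be reachable remotely.
    if flow.direction == "in" and not any(r[0] == "in" for r in POLICY[role]):
        return f"{role} must not accept inbound connections"
    return f"{role} flow not in allowlist: {key}"

# Constructed flow records, as a network assessment might produce them.
FLOWS = [
    Flow("sensor-17", "out", "10.0.5.10", 8883, "publish_reading"),
    Flow("sensor-17", "in", "203.0.113.7", 8883, "set_reading"),
    Flow("hvac-02", "in", "10.0.5.20", 8443, "set_setpoint"),
    Flow("hvac-02", "in", "203.0.113.7", 8443, "set_setpoint"),
    Flow("cam-99", "out", "10.0.5.10", 8883, "publish_reading"),
]

def audit(flows):
    """Return (flow, reason) pairs for every flow that violates policy."""
    return [(f, r) for f in flows if (r := evaluate(f)) is not None]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(f"DENY {flow.device} {flow.direction} {flow.peer}:{flow.port} "
              f"{flow.action} -> {reason}")
```

The inventory lookup also surfaces devices nobody registered, which is how shadow IT deployments tend to show up in such an audit.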
Since large-scale data breaches are on the increase, the stakes are potentially high for IoT systems that harbor confidential information. This is particularly important for protecting the privacy of individuals and commercial and national secrets, and for maintaining regulatory compliance. For a growing number of IoT applications, stored data is increasingly becoming a liability and therefore there is growing interest in processing and filtering data at the IoT devices so that only the metadata is stored. For example, a video surveillance solution might be used to classify highway traffic for a smart city application. Rather than storing the video streams for post processing, some solutions process the videos in real-time and store only the vehicle counts.
With the continued expansion of IoT solutions, IoT security vulnerabilities and attack surfaces will increase, and security breaches are inevitable. To reduce the incidence of these breaches, it is crucial that security becomes a core component of IoT design principles, which should include effective remediation for incidents in which security is compromised.