This year at the IoT Developer’s Conference in Santa Clara, many software developers, managers, CTOs, and innovators came together to share and discuss the challenges and opportunities in IoT from a deeper, more technical perspective. We had a great time sharing a little bit about infiswift with attendees and our CEO spoke on LPWAN technologies and how the different options fit into IoT applications. Check out the slides here.
In this post, we take a deeper look at a few recurring themes from the DevCon event focusing on security, interoperability, and communication.
As IoT technologies become more prevalent in enterprise and industrial applications, security is taking center stage. Maarten Bron of Underwriters Laboratories kicked the show off with a look at how UL437, which focuses on physical locks, is still relevant in IoT today. It looks at locks through three lenses: covertness, brute force attacks, and key controls. These three lenses simply require a different assessment in IoT than they do for a physical lock. For example, brute force attacks used to be carried out with a hammer but are now done with techniques like testing passwords or port scans.
While many companies talk about security from the standpoint of encryption and authentication, at IoT DevCon the conversation got into broader aspects of secure systems as opposed to just secure components. For example, if a device is compromised or hacked, it may pose direct threats to the broader system in proximity to the device and may even mask the underlying cause of harm. An example is a controller for a gas stove that could potentially open a gas valve but not ignite the source. The ensuing fire would look like a basic malfunction but in reality is a cyber security event.
In a discussion with Shrinath Eswarahally from Infineon Technologies, the importance of considering security from initial product design and development through production to deployment and evaluation was highlighted. We look at four steps in product commercialization that are critical to strong security:
1. Design/Development: During this phase, a product owner must consider overall security models, identify weak points in the system, develop an understanding of the tactical security requirements, and develop a framework for testing and validating security throughout the product lifecycle.
One specific design consideration is key management, which is far more difficult than encryption and should therefore be considered carefully. For cloud-based solutions, this includes understanding whether keys should be stored in the same cloud as the data they protect. Many terms and conditions of cloud services allow the handover of such information upon the request of government authorities, so separating this type of data affords protection. This matters especially where you are providing a shared service in your cloud instance and data from one customer could end up exposing others.
Additionally, physical resilience and mitigation measures such as how the system detects and responds to intrusion are critical to design. Many IoT systems today lack the ability to identify and report on cyber security breaches or identified threats.
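The key-separation point above, sketched as an added example (not code from infiswift or any speaker): the data cloud stores only nonce-plus-ciphertext blobs, while keys live in a separate store. The `KeyStore` type, the tenant names, and the choice of one AES-256-GCM key per customer are assumptions made for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a key service run outside the data cloud (hypothetical type).
type KeyStore map[string][]byte

// gcm builds AES-256-GCM from one tenant's key; a tenant with no key gets an error.
func (ks KeyStore) gcm(tenant string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks[tenant])
	if err != nil {
		return nil, fmt.Errorf("tenant %q: %w", tenant, err)
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext, the only thing the data cloud stores for this tenant.
func (ks KeyStore) Seal(tenant string, data []byte) ([]byte, error) {
	a, err := ks.gcm(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, data, []byte(tenant)), nil
}

// Open decrypts a stored blob with the named tenant's key; the tenant name is bound as AAD.
func (ks KeyStore) Open(tenant string, blob []byte) ([]byte, error) {
	a, err := ks.gcm(tenant)
	if err != nil || len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("tenant %q: cannot open record", tenant)
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], []byte(tenant))
}

func main() {
	k := make([]byte, 64) // constructed demo keys: 32 random bytes per tenant
	rand.Read(k)
	ks := KeyStore{"tenant-a": k[:32], "tenant-b": k[32:]}
	blob, _ := ks.Seal("tenant-a", []byte("valve=closed"))
	_, err := ks.Open("tenant-b", blob) // tenant-b's key must not open tenant-a's record
	fmt.Println("cross-tenant open rejected:", err != nil)
}
```

A copy of the data store alone yields only blobs, and one customer's key opens only that customer's records.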
2. Production: Often overlooked, security during production primarily deals with hardware aspects of the solution and transfer of software and keys to devices, which can lead to vulnerabilities. Appropriate protection, detection, and auditing mechanisms must be put in place during production.
3. Evaluation and Certification: How the product is evaluated and certified is also important and can impact sales and business development efforts. For physical security, many standards exist that can gauge and rank the quality of the hardware security.
Software security, on the other hand, is often more difficult to evaluate and certify due to its proprietary nature, complexity, and variation from solution to solution. There are many examples of companies who lost large sales due to third-party security testing performed during the product qualification phases, so it is important to act preemptively in these respects.
4. Deployment: It’s critical to consider the entry points of security threats – and how those can be identified and mitigated – throughout the product lifecycle but particularly during commissioning. Devices are highly vulnerable to attacks that may be triggered by capabilities built into the product but not fully secured. Meticulous planning and analysis during design and development can reduce these risks at commissioning.
During ongoing operation, the most significant weaknesses tend to be how well a product adapts to evolving security threats, attack detection and reporting, and protection of the firmware and keys stored on the device itself (especially during over-the-air updates).
Summary: While not every IoT product requires heavy security, it is important to consider full-product security incorporating solutions such as:
- Format preserving encryption
- Secure booting
- Key management and storage techniques
- Impact of interaction between software and hardware
Interoperability & Heterogeneous Systems
No one vendor will make everything for the IoT, so hardware and software need to play well together, but that is difficult and remains a significant challenge today. At IoT DevCon, speakers and attendees explored how to do this scalably.
Some reasons for the issues we now encounter with heterogeneous IoT systems are:
1. Diverse Technology: Complete IoT systems typically need multiple underlying technologies from multiple providers. Walled gardens and closed ecosystems make such implementations difficult but are very prevalent, currently constraining the value of the IoT.
2. Data sharing: Many systems would benefit from cross-functional use of data but there are countless challenges getting vendors to enable such sharing. This can result in duplicative sensors and inputs causing a deluge of data, data quality issues, and in many cases making early adopters less willing to move forward with new technologies due to siloed systems that are less valuable.
3. Obsolescence: With rapidly evolving technology, systems are deployed now that will ultimately need to interact with newer versions deployed elsewhere in the same ecosystem or across ecosystems as silos are broken down.
4. Pilot technology: During pilots, technology that hasn’t had the necessary investment in robustness, security, certification, and hardening is often deployed but not replaced or improved during the commercial growth phase.
Taking these issues into consideration at a high level, Stan Schneider from Real-Time Innovations (RTI) talked about how “interoperability is meaningless without ‘between’”. What he meant was that we need to focus on how endpoints should interact as opposed to forcing generic requirements onto devices. An analogy was of shoes and skis being interoperable with feet but not with each other. As systems comprise more and more sub-systems and grow in complexity, communication and coordination between these aspects of product development become more important and difficult at the same time.
One way to manage interoperability is to abstract devices with a virtual layer, which is supported by the infiswift platform. With the ability to connect a physical device to the infiswift system over any protocol (WiFi, Zigbee, cellular, etc.), other endpoints can interact with the virtual representation of that device with ease and are able to focus on the data being exchanged as opposed to the physical endpoint or system being interconnected. Such a system allows for great flexibility and agility incorporating different devices from different vendors communicating using different communication protocols that can only be imagined now.
One piece of interoperability is the choice of communication technology (or technologies). Due to the diversity of endpoints in IoT systems, this choice can be very challenging. Different communications technologies fit better for different endpoints and applications. In some scenarios you may have battery powered devices that need to operate autonomously for years using very little bandwidth alongside a device with high bandwidth and low latency requirements in the same IoT system. Using the right communication technology for each and making them work together is a challenge that was addressed at the conference.
At a high level, communication in IoT falls into a few categories:
During the conference, many sessions focused on the emerging and established technologies in each of these sub-areas and looked at use cases where different technologies offered compelling opportunities. LPWAN technologies were of specific interest since they are fairly new. Kannan Dorairaj, infiswift’s CEO, did a comparison of existing technologies, looking at how they are different and which might work better in IoT applications, with Adaptrum coming out as a very intriguing new technology. An interesting point came up in the Q&A about how all LPWAN technologies are closed and proprietary, and historically this type of approach has never worked for networking. Overall, an interesting area to follow and one that will certainly offer great flexibility for remote IoT applications in the future.
On the hardware side, Vivek Mohan of Silicon Labs presented on an interesting solution that uses switched multi-protocol hardware, allowing communication over multiple protocols with common hardware. For example, a device can switch between ZigBee and Thread for operation. The catch is that the physical layer must overlap, so both protocols must be on the 2.4 GHz band in this example. Since there will be no one communication technology for IoT, this type of solution will be important for driving interoperability.
Security, interoperability and connectivity will continue to receive significant attention and solutions will standardize over time. As the Internet-of-Things (IoT) grows, technical innovation will drive further market growth by opening up the doors to new use cases, applications, and business models that we can’t imagine now. This year’s IoT DevCon helped to dig into the details of the problems we’re all trying to solve together and provided a great platform for collaboration and discussion.
We can’t wait to see what innovations will drive the next phase of IoT growth!