If we look at the history of the Internet of Things (IoT), its existence is derived from the trend Machine-to-Machine communication (M2M). M2M was focused on the business to business market. Connectivity was not yet so inexpensive as nowadays. Connectivity modules were limited to engineering companies, that implemented e.g. cellular connections for production machines in the industry. Why was it driven by the industry? The answer to that is Return On Investment. There were business cases in the industry that were justified by their ROI, e.g. lowering downtime in a factory. For the same reason, IoT is now finding its way to consumers, because the hardware is getting less expensive and therefore it can drive more business cases on a larger scale.
If we look at the value chain of IoT, it consists of devices, gateways, cloud platforms, and applications that transform data into (visualized) information. Below you see a schematic of such a value chain.
This value chain spans over multiple domains (devices, connectivity, cloud, web technologies, client devices (mobile, PC, etc.)), it reaps both the benefits and risks of those domains. The benefits are versatile and relatively easy to understand and therefore not discussed. But when it comes to risks we have still a lot of ground to cover. This is where I personally think there are lots of opportunities. As soon as trends like IoT are getting monetized, they represent value, i.e. money. When money is involved, technology will be put through tests in a multitude of aspects, you can think of acceptance, security, governance, scalability, usability to name a few.
Take for example security. The value chain can be attacked at all levels. Devices and gateways can be hacked both physically as well as virtually. Communication can be intercepted or distorted, moreover, the data can be intercepted and manipulated. The cloud infrastructure can contain multiple vulnerabilities in the firewalls, routers, switches, servers, platforms, databases and other services. These vulnerabilities do not stop at the cloud, also the client’s infrastructure is a possible entry point to the information that needs to be secured.
When we look at security solutions, often it is implemented ad hoc and separately per domain. But instead, it should be properly designed through the whole value chain. This requires interdisciplinary cooperation. Hardware development for the constrained devices should closely work together with firmware development, on the subject of security, choosing the right solution that also matches the standards of the cloud. In reality, security is often implemented as patches in the firmware, meaning that the standards at the cloud side need to be lowered because in the firmware there are limited resources for security functionality, let alone support for this in the hardware. Especially with a diverse value chain as in IoT, security is not something that can be implemented afterward.
In order to improve this, it requires changes from both the hardware and software culture. Shipment dates and life cycle management need to be aligned and the security architecture fully thought through, before the hardware design is frozen. Since necessary security solutions and device provisioning methods can potentially impact hardware design. Moreover, both cultures should be educated on the basics of security, in order to understand and mitigate the risks.
It is a natural process that with new technology the different disciplines are focused inwards. However, it is necessary to look outwards after familiarization with the technology and understand the strength and weaknesses of the different disciplines. Security is just one of the many subjects that need to be tackled system-wide, especially when the value chain starts to represent value.
— Bob Peters (Embedded System Engineer), Embedded Systems Enthusiast