Conversations about the Internet of Things often focus on its most visible outposts: consumer devices. Products like the Nest Thermostat, IP-enabled home security cameras or Samsung’s Smart TV are like ambassadors for the IoT: highlighting cool features and capabilities that just hint at the transformative power of the much larger revolution that small, powerful Internet-connected objects will herald.
The truth is that although consumers are still warming to the Internet of Things, businesses and industry have already embraced it. Manufacturers of heavy equipment have outfitted their products with an extensive mesh of small sensors that provide close to real-time data on the functioning of critical components. As a measure of this, Virgin Airlines said in March that it will upgrade its network infrastructure to accommodate an “explosion” of data from a new fleet of Boeing 787 jetliners, which will produce close to half a terabyte of data per flight.
But what is the relationship between the highly visible “Internet of Things” and the less-visible (but possibly larger) “Industrial Internet”? And are their paths intersecting or diverging?
To get an idea, we spoke to someone who has his feet in the trenches of the IoT. Philip DesAutels is the Vice President of Technology at Xively, a wholly owned subsidiary of LogMeIn, and one of the largest commercial platforms for Internet of Things products. DesAutels, who spent much of his career at Microsoft, said that businesses and consumers have vastly different takes on the Internet of Things – including issues of privacy and security in IoT transactions.
Paul: Tell me a little bit about what you do at Xively and what you and your company are up to these days.
Philip DesAutels: I’ll start with a couple different emails I got this morning. A good friend of mine sent me a note and said ‘what do you think of this?’ I can’t even remember the name of the thing, but it was a home security camera. I get one of those a day: some home automation thing and the question is ‘Have you seen this?! This is the wave of the future!’ It’s so funny. It reminds me of X10 stuff at Radio Shack. They’re smarter and faster and they connect to a phone, but it’s hobbyist stuff, and that’s great.
On the other side, I spent some time this morning talking to a potential customer about how they collect information on trucks that are doing deliveries in the field. They have sensitive products from the perspective of temperature and vibrations. They wanted to do telemetry so I met up with them at (Salesforce) Dreamforce and we spent a bunch of time talking about how all that works.
Those two product spaces beg two vastly different security questions. The consumer space is all about ‘how do I make my stuff work together?’ On the other side, the commercial customers are asking: ‘how do I ensure that I have a secure connection?’ and ‘what platforms can I use so that I have a higher level of assurance with a telemetry product?’ ‘What protocols do they use?’ Once it leaves them and goes to a service, they want to know how they ensure the data is their data, they ask things like ‘what is the security model at the API level?’ So their questions aren’t ‘I want to share my lock data with the package delivery guy so he can open the door at 3:00 o’clock when he shows up.’ They’re very complex questions that are reminiscent of enterprise conversations because, at end of day, that’s what they are.
It’s only at the very end of that conversation with the customer that they say ‘oh, by the way, we want to do an integration with our delivery truck and …’ And then they name something. In the case of the company I was speaking with this morning, they had a notification server that informs the customer when the delivery will happen. That’s a third-party service, so they want the message to travel from whatever platform they use to the notification service to send the notification.
So, unlike the consumer story where people just want to match these technologies up, it’s a very thoughtful story of security and handoffs and how do things connect and all work together.
Paul: And what role does Xively play in that conversation?
Philip: We have a platform with an explicit model for wire and application security. A lot of people choose us to guard their data when they do development because that’s our origin: data sharing. Our commercial customers are on the opposite side of that. They’re building commercial products where data is the product. They want tighter models around security.
What we’re doing now is working through questions like ‘how can we help customers build end-to-end solutions – to go beyond packaged solutions?’ With the example of the delivery truck and telematics solution, they want to get data out of their service or into their service in a secure way. So we’re talking and working a lot with customers on interoperability at the edges and tightened security in the middle.
What we don’t want is what you have so often in the SCADA world, where you have devices secured with default administrative and password credentials. Just as an example, I had a customer that was using a custom-developed device that used Raspberry Pi, and I logged into it using the default administrator account and password, and they were totally shocked. And this was their device!
Paul: What’s the profile of the company coming to Xively? Where are they in the Internet of Things ecosystem?
Philip: We have a wide variety of companies. I feel like everyone who is building a (Internet of Things) product that isn’t purely a lifestyle product goes through the same steps. It starts with the ‘nirvana’ vision, which is like that Ericsson video of the guy driving home and the car and vacuum cleaner are talking to each other. That’s their vision of the Internet of Things.
Step one for them is ‘we have to connect the product,’ whatever that is. So, ‘I have a truck. Let’s put a smart device on it so we know where that truck is. And I need the temperature of the refrigerator unit on the back and let me know if the door is open.’
Now that I can do that – I’ve connected the device and maybe I have a reporting application, the question becomes ‘how can I optimize my business?’ Can I design better truck routes or notify drivers when they leave the door open because that costs me a lot of money? Can I notify customers when the traffic is bad or the delivery truck is delayed so they’re not waiting hours for delivery?
It’s at that point that they get that first level of connecting the dots: I’m optimizing my business. The delivery truck that was not connected is now connected and now, maybe, the oil tank in a house that is not connected is also now connected. So now I don’t have to send someone to your house as often. If you use 8 gallons a day and you have 100 gallons, I know that I have 12 days to get you a delivery before you’ll run out. Now I can use a travelling salesman-type algorithm to optimize my truck routes. And, if I can cut down on truck rolls, which cost me $150 apiece, I can optimize my business and make more money and everyone is happy.
Next, everyone has that ‘A-ha!’ moment where they say ‘gee, maybe I don’t need to sell truck deliveries, but oil tanks.’ Or ‘maybe I can do just in time deliveries.’ So they make up a new business model because they’ve been able to connect something that was not connected, and they’ve optimized their business to make more money and now they realize that they have capabilities that they never knew they had.
Paul: Right. So there’s this follow-on effect: a flowering of ideas now that businesses can see all this data about how their company runs?
Philip: Exactly. And eventually they get back to the issue of ‘we were an oil company, now we’re selling a different product, which is warm houses, but we’re not selling oil anymore. And, by the way, now that we’re connected to 50,000 houses, maybe we can buy oil futures. And maybe we don’t deliver oil any more, but hire third parties to do that, so we’ll just become an oil futures company that aggregates thousands of delivery companies.’ That’s the product of the connectivity idea that started with the Ericsson video.
The companies we see pushing the hardest right now are the ones that know they have to connect their product because they know it will lead to business efficiency. The customers we talk with are trying to be market leaders because they read a story somewhere else. You know “Union Carbide did it with trains. We want to do it with X.”
Saying ‘our competitors have done it and are getting customers, so we need market parity’ is a really good reason to want to connect. Or ‘I see how we can make more money in the marketplace.’
Paul: How big a topic of conversation is data security? How much are they thinking about issues like the security of data at rest, data in transit, potential attack vectors, and software vulnerabilities?
Philip: It depends on the situation. If you come from the physical product or service world and you’re relatively new to applications and connected stuff, you need to be educated more to understand those issues.
If you’re a company that has at least gone through some part of the mobile revolution, then you’re going to ask things about the platform and how secure it is. And the fact that (Xively) owns our cloud and has good bona fides running our own cloud service allays some of those fears.
Paul: I know Xively does a lot of work on the industrial side. Some folks have noted that is where the IoT revolution is happening. Is your sense that there’s more of a conversation going on regarding security and that the consumer space is particularly bad, or do you see problems across the board with Internet of Things and security?
Philip: I think the light industrial space, the commercial space, and municipals – they have all been trained in security going back to Windows 98 and Windows 2000, when all that security stuff started bubbling up. These folks have been trained to think about security and security always comes up in those conversations. ‘Tell me about your platform, your API security, your wire-level security. Tell me about your data backup and what happens to that data?’ So they ask good questions.
On the consumer side, for all the talk about consumers caring about security, they will still show up at your favorite electronics retailer and buy something made by an indeterminate party and sign up for a service associated with it and provide all their personal information, and not think about the level of security. It’s just a product for them, so they press a button and go. With some of the bigger companies, that’s great.
But for every large company where you have a high level assurance that they think about (security) – for every Nest, where they’re very thoughtful, there’s a no-name thermostat with an embedded web browser that wants you to sign up for their web service that has a .TW domain. I’m not sure the average consumer thinks about that stuff until something bad happens.
Paul: To that point, there seems to be a lot of rumbling in policy circles about how to regulate or set some boundaries or best practices that companies can follow. Is that going to happen, or do we end up in a balkanized environment with the Xively cloud and Thingworx cloud and they don’t talk to each other?
Philip: It’s hard to answer your question just in terms of the Internet of Things. The guy who is delivering fish in Boston might want to connect up his trucks, but he doesn’t want to connect to anything else. He just wants to make sure that fish do not get out of the temperature range during delivery time. That’s probably the first thing he cares about, not whether the restaurant’s freezer system can adjust or one of those fictitious scenarios.
The consumer may want to know if their data is going up to the cloud and selling it to someone. I want my Nest thermostat to work with my security system in a smart way. They don’t know, but I’d like to have them interoperate. So the answer to your question is complicated in that sometimes there are things we want to interoperate and sometimes there are things we don’t want to interoperate. As a consumer I want disclosure. As a business I have disclosure, because it’s my system.
Paul: Philip, thanks so much for speaking to The Security Ledger.
Philip: Thank you very much!