These days many companies are looking to IoT to enable their products. In the case of commoditized items, some see an opportunity to differentiate themselves and increase their margins; and with the help of some good marketing, may convince people that they need a smart kettle to get the water boiling 5 minutes before they get home so that they can get their hot cup of tea minutes after walking through the door — or torment their mother in law who keeps wondering why the darn kettle keeps turning on. In the case of more specialized or complex products, connectivity gives some the option of creating richer and more user-friendly tools to control and manage their products.
If you have thought about making your products IoT capable, you have probably learned that there are many companies out there who want to sell you their IoT platform. We have worked with AWS IoT, Ayla Networks and Xively by LogMeIn, but there are many more. If you have seriously investigated IoT solutions you have probably figured out that it would take six months to a year to integrate such an IoT platforms into your products. This timeline and its associated costs discourages some from taking the leap, and may cause others to question the value of an IoT platform. If you are considering a build vs buy (for your IoT platform), which in this case is really a “build all” vs. “buy and build some,” there are a few things you should consider.
Do you plan to make IoT connectivity a core competency, or just an enhancement to your products? If it is the latter, an IoT platform makes sense. Does your product require IoT features that go beyond standard remote connectivity, basic control, alerts and Over-The-Air (OTA) upgrade? If not, most IoT platforms will meet your needs.
Finally, I would ask if you have the expertise to ensure your devices cannot be hacked. Your customer will likely have personally identifiable information (PII) that could be at risk. Obviously, many customers will be concerned about potential burglaries that could result from hackers being able to remotely determine when they are away from their house; or the potential for people spying on them if someone can hack their security cameras.
Even if your device does not contain PII and can’t be used against its owner, it could be used by hackers to attack a third party. Remember that about a year ago (October 21, 2016), a massive DDOS attack took down many important sites in the U.S. This attack was carried out by using hacked IP cameras made by Xiong Mai Technologies, a Chinese company. You wouldn’t want your company to make headline news because your IoT product was hacked and used to take down the internet across the country.
You may feel that security is still an issue even if you go with a third party IoT platform, and that is correct. You will never completely eliminate that risk, but your IoT platform provider should be able to dedicate far more resources to security than you can as this is their core business. Also, in the event the IoT platform you selected gets hacked, the headline news is about them, not you. Instead of “Internet grinds to a halt – Company XYZ’s IoT device is to blame” the story is “IoT platform ABC is hacked, products from many companies, including XYZ, are used to take down the Internet.”
Security is one of the main reason to select a proven IoT platform vendor. Since your expertise is in kettles, sprinkler systems, air conditioning, light bulbs or something else, let someone else manage the security of the cloud and devices as this would otherwise be a daunting maintenance task you would struggle with for a long time.
If you decide to go with an IoT platform vendor, which is probably the right choice, you must make sure they have a strong solution for securing your device and even consider contracting with penetration testing companies like Cardinal Peak. This should include the ability to perform OTAs on all SW components including all communication stack (some low-cost radio modules with limited flash memory may burn their communication stack into ROM, making updates impossible and potentially leaving devices vulnerable). It is likely that your device will be limited to contacting only their server through their APIs. They will likely block any other network access (e.g., blocking things such as SSH and Telnet). You may find this limiting, but this is how they prevent you from creating vulnerabilities.
Over time the number of IoT devices will grow, but the number of platform vendors will diminish as the industry consolidates. There will be some winners and some losers as the industry and customers converge on the best solutions. If you intend for your IoT products to be out in the field for a long time, make sure you understand what the consequences will be to your deployed products if your IoT platform vendor gets acquired or goes out of business.
