IBM’s $3 Billion Stake into IoT: A Low-Risk Gamble

IBM has announced it is establishing a new Internet of Things business unit with more than 2,000 consultants, researchers, and developers, and will invest $3 billion in it over the next four years. Three business areas are being highlighted:

  • IoT Open Cloud Platform for Industries – vertical market oriented big data analytics services
  • Bluemix IoT Zone – expansion of IBM’s platform-as-a-service to improve development and deployment of IoT apps
  • IoT Ecosystem – additional partners for secure integration of IoT data and services (existing partners include AT&T and ARM)

(We won’t rehash all the details of the announcement, which you can read here.)

VDC finds this IBM initiative particularly noteworthy, for several reasons:

  • By establishing a dedicated IoT group, IBM is putting in place structures to speed both technical and business development targeting IoT. It will be interesting to see how the unit: a) navigates a complex weave of horizontal and vertical technologies and markets; and b) intersects and overlaps (and perhaps clashes or not) with IBM’s enterprise IT services.
  • By announcing the size of its investment up front, IBM is communicating the degree of its commitment to IoT. However, considering the amounts of money being spent collectively by other major companies claiming turf in the IoT (Cisco, GE, Google, Intel, etc.), significant mid-size participants (e.g. ARM, PTC), and hundreds of minor players and wannabes, $3 billion might only equate to table stakes necessary to reserve a seat at the high rollers’ table.
  • IBM’s announcement makes no mention of any external investments, i.e. acquisitions or startup funding. Since the year 2000, IBM has acquired more than 125 companies, including more than a dozen for which the price exceeded $1 billion, so we have little doubt that IoT-related acquisitions are in the offing.
  • Unlike Google’s $3.2 billion acquisition of Nest, which has modest short term but substantial long term potential, IBM’s $3 billion to scale up and expand its existing IoT capabilities can go a long way to generating real IoT revenue in the short term. While most consumers are yet to be convinced of the need for a “smart home” (unaware that their cable TV boxes and electric meters are already part of the IoT), enterprises are already seeing the benefits of the IoT on many levels, including customer satisfaction, recurring revenue, cost savings on service parts and labor, and product refinement. Considering IBM’s position in the IT industry, $3 billion seems like a low risk bet.

To look at it another way: as IoT becomes further integrated into day-to-day business IT and operations, what would have been IBM’s risk if it didn’t invest big money in IoT?


With Azure IoT Suite, Microsoft Spreads Further into IoT. Is it Far Enough?

On March 16th at Microsoft’s Convergence Conference in Atlanta, the company announced its forthcoming Azure IoT Suite of cloud services. (See official Microsoft announcement here.) Microsoft has existing IoT-oriented services with Azure cloud—including Event Hubs to ingest data, and Stream Analytics (currently in preview testing) to process and analyze data. The announcement did not provide many details on the new services that would be added, but in general terms it said Azure IoT Suite “manages, analyzes and presents [data] as usable information to the people who need it to make better decision.” Specific features mentioned include remote monitoring, asset management and predictive maintenance.

Microsoft also reiterated that the forthcoming Windows 10 operating system would include a Windows 10 IoT version intended for embedded devices. (This was originally mentioned last fall by CEO Satya Nadella, and in February 2015 Microsoft said it would make the new IoT OS available at no charge for use with the Raspberry Pi 2.)

Here at VDC Research, one of our areas of keen interest for IoT is security. Microsoft hasn’t said much about security features that will be built into Windows 10 IoT specifically, but Windows 10 in general is slated for a variety of security improvements, including OS support for two-factor authentication and app-by-app access to VPN.

On the cloud side, Azure already offers numerous security features, including Microsoft’s Active Directory structure, which controls authentication and authorization. Plus, for customers with extra-high security requirements, Azure ExpressRoute can be used to connect local networks to Azure via fiber optics that are physically separated from the public Internet.

With both an embedded operating system and its own major cloud infrastructure, plus its recent acquisition of Revolution Analytics, Microsoft is in a strong position to offer IoT services. The company’s IoT ambitions perhaps could benefit even further from pieces filling in the middle:

  • a true IoT application platform, similar to what Amazon just acquired with 2lemetry; and
  • a field-deployable IoT gateway (hardware) solution, along the lines of Intel’s intelligent gateway designs. [Microsoft has demonstrated a software reference architecture called Azure Cloud Gateway Accelerator, project codename Reykjavik, which performs protocol/message translations (among other tasks), but it requires an IoT-capable device or a field gateway to get data to the cloud.]

We’re awaiting further word from Microsoft on IoT-related features coming to Windows 10 and Azure.


Will Patents Hinder IoT Openness?

Coined by Kevin Ashton in 1999, the term “Internet of Things” (IoT) has only recently become a widespread concept. Use of the term began its slow emergence from the tech world in 2003-2004 when popular publications like The Guardian and Scientific American wrote articles on IoT. However, based on Google Trends, interest by tech companies and the public began rising around 2009 with a dramatic increase in 2013, a year filled with smart home appliances and tech giants’ connected device innovations.

To delve more into the increasing interest in the Internet of Things, VDC conducted an analysis of U.S. patent applications and patent awards specifically mentioning “Internet of Things” or “IoT.” In the chart below, the green line represents the number of IoT-specific U.S. patent applications, and the purple line represents the number of IoT-specific patents awarded. (Note that the average award of a U.S. patent takes more than two years from its date of application.)

IoT Patent Chart

Not only is “Internet of Things” being mentioned in more patent applications, but more applications mentioning IoT are also being awarded patents. A peak number of patents mentioning IoT were awarded in the most recent quarter, 2014Q4, and an increase to this peak is nearly certain in 2015.

Undoubtedly there are many more patent applications and awards related to IoT that don’t specifically mention the term in their filing documents. However, the small but growing use of the term in patents, as shown in the chart, is an indicator that we are just at the leading edge of what is likely to become a large wave of IoT-oriented patents.

While earlier IoT technologies and communication methods were often openly published, many IoT methods are now being retained as intellectual property through patents. Examples include “Internet of Things Lawful Interception” (application #20130057388), “Methods, devices and systems for establishing end-to-end secure connections and for securely communicating data packets” (application #20140143855), and “Mobile communications devices and transmission methods for transmitting machine type communication data thereof” (patent #8,681,701).

Of course there is a fine balance between the stimulation of innovation via openness vs. the economic incentive of owning intellectual property, but increased patenting of IoT communications techniques could adversely impact the future structure of the IoT, making it less open. On the other hand, the increasing number of IoT patents might merely reflect the spread of the term’s marketing buzz. In either case, navigating a plethora of IoT patents is likely to increase development burden and possibly hinder product introductions for nascent IoT companies.

This post was researched and written by VDC intern Jamie Yang, with assistance from Steve Hoffenberg.


IoT Lessons from the Blizzard of 2015


A few lessons for the IoT industry in the wake of this week’s blizzard:

  • Forecasts based on historical patterns represent probabilities, not certainties. Here in the Boston area, we received the full dumpload of predicted snowfall from the blizzard, but in New York City and regions further south, weather forecasters were apologizing for their overestimates. When big data analyses of complex IoT systems make predictions, don’t expect them to be right 100% of the time.
  • Whichever way the wind blows, snow drifts into peaks and troughs. The IoT market is not homogenous, so some categories of devices and services will grow faster than others. This is normal, but favorable wind direction is hard to predict.
  • The Snowdrift Dilemma fosters cooperation. In game theory, the Snowdrift Dilemma is a variation of the Prisoner’s Dilemma, but the Snowdrift scenario is more likely to produce cooperation between parties that would otherwise have little or no incentive to work together. When digging out from a snow storm, many hands make light work. In the IoT, even competitors need to cooperate on communications standards, security warnings, and market awareness.
  • Ignore warnings at your own peril. No matter how loudly forecasters shout about an impending storm, there are always a few people who blithely ignore them. IoT users can approach warnings logically. If sensor conditions signal the need for replacement of a part that is likely to fail prematurely, evaluate the relative cost of the replacement at a convenient time vs. the cost of a failure at an inconvenient time.
  • Don’t wait until the last minute to prepare. People who didn’t stock up on supplies until the snow started falling found that grocery stores were already depleted of staples like milk, fresh meat, and toilet paper. Those who stocked up when the predictions came in a day or two earlier had no problem. And those who routinely kept plenty of non-perishable foods on hand didn’t even have to think about it. In IoT systems, sooner or later downtime or security breaches will happen. Prepare your response well ahead of time. And don’t forget the toilet paper.


QNX Ex-Owner Harman International Acquires Red Bend Software


Harman International is best known as an audio electronics maker, owning numerous brand names targeting consumers and professionals, including AKG, Crown, dbx, Harman Kardon, Infinity, JBL, Lexicon, Mark Levinson, and Revel. As old-school “car stereos” have evolved in recent years into multifunction “infotainment systems,” Harman has also become a major player in automotive electronics.

On January 22, Harman announced its acquisition for $170 million of Red Bend Software, which is the leading provider of software and services for Firmware Over The Air (FOTA) updating for mobile devices and automobiles. (See press release here.) Harman simultaneously announced its acquisition of software services firm Symphony Teleca, although Red Bend has more interesting implications for IoT.

Back in 2004, Harman had acquired for $138 million QNX Software Systems, developer of the real-time operating system QNX Neutrino, as well as a number of other embedded software solutions which have since become especially popular in the automotive market. Fast forward to 2010 when Harman sold off QNX for $200 million to Research In Motion (RIM, since renamed BlackBerry Limited for its line of mobile phones). At the time, Harman said about its sale of QNX, “This move allows Harman to continue its relationship with QNX and the advanced software solutions it provides to Harman and our customers. At the same time, this deal achieves value for all stakeholders and is an important step in a new strengthened relationship with RIM.”

Perhaps Harman’s sale of QNX was influenced by economic conditions during the Great Recession, but it leads us back to Harman’s acquisition of Red Bend, and it raises a few questions:

  • Would Harman have been able to leverage synergy between Red Bend and QNX in the automotive market if it had retained ownership of both? If not, why not? If so, might the value of such synergy have outweighed the gains realized by selling QNX?

  • What value does Harman now see in Red Bend that it no longer saw in QNX?

  • Considering that much of Red Bend’s current business is in the mobile phone industry, does Harman view Red Bend as a stepping stone into that market?

  • What would it take for Harman to believe that a potential future sale of Red Bend might “achieve value” for stakeholders and produce “a new strengthened relationship”?

We’ll leave these questions for readers to ponder for themselves.


Cybersecurity, Politics, and the State of the Union

Even before President Obama’s State of the Union address on January 20th, The White House was touting new cybersecurity initiatives that would be mentioned in the address. Indeed, during his speech, President Obama told a nationwide (and worldwide) TV audience, “To stay one step ahead of our adversaries, I have already sent this Congress legislation that will secure our country from the growing danger of cyber-threats.” This is the first time that the topic of cybersecurity has received such high profile political exposure in the State of the Union, and given the increasing sophistication of hackers, it likely won’t be the last. Cybersecurity is now an integral component of national security. (The complete State of the Union address is available at www.whitehouse.gov/sotu.)

The legislative proposal that the President had already sent to Congress was outlined in a press release on January 13th. It included three main components:

  • Enabling Cybersecurity Information Sharing – to foster collaboration between private and public sectors on cybersecurity, as well as enhance some privacy aspects of consumer data collection and usage.
  • Modernizing Law Enforcement Authorities to Combat Cyber Crime – to bolster efforts to find, disrupt, and prosecute hackers.
  • National Data Breach Reporting – to put in place national requirements for disclosing data breaches to employees and customers.

In addition, the Obama administration is clearly committed to keeping cyber-security on the front burner, with a Summit on Cybersecurity and Consumer Protection to be held at Stanford University on February 13th.

VDC’s opinion is that the legislative proposal, even if it is adopted into law (which isn’t a given in the Republican-controlled Congress), doesn’t go far enough. Perhaps no U.S. law could possibly go far enough, because most hackers operate outside of U.S. territory. Cyberspace isn’t constrained by geographic borders, and some nation-states (including the U.S.) are themselves occasional perpetrators.

In our view, true cybersecurity will require improved technology to reduce cyber-vulnerabilities, as well as international treaties or agreements that dramatically improve abilities to find, thwart, and prosecute hackers worldwide. The White House has already announced the first such agreement with the United Kingdom. We have no doubt that other U.S. allies, such as in the European Union, will follow suit. But the real challenge will be gaining participation from rogue nations or others which are not U.S. allies. Russia and Eastern Europe appear to be the sources of many organized hacker groups. Russia, now suffering economically with low oil prices and U.S. and E.U. sanctions over its invasion of Crimea, isn’t likely to cooperate any time soon. Don't expect North Korea to pitch in during the lifetime of Kim Jong-un (irrespective of whether or not that country was behind the massive Sony Pictures breach of 2014). And China may espouse cooperation while practicing coopetition.

In short, we’re not holding our breath for a worldwide cybersecurity group hug.

For now, our advice to The White House is to start by cleaning up the security of its own website. When we pointed our browser to www.whitehouse.gov the morning after the State of the Union address, up popped the error message, “Internet Explorer blocked this website from displaying content with security certificate errors.” (See screen shot below.) A facepalm is in order.

WhiteHouse.gov certificate errors


VDC Research is attending Embedded World 2015!

Contact us ASAP to schedule a meeting

VDC will be making the trip across the Atlantic again this year to visit the largest embedded technology tradeshow of the year, Embedded World in Nuremberg, Germany. Last year, the conference boasted 26,700 visitors and 856 exhibiting companies!

While we are at the conference, we welcome the opportunity to meet with attending vendors to learn more about their embedded solutions and any show-related (or other recent) announcements.

You can arrange a meeting time with VDC by contacting us directly.

For meetings contact:

André Girard, Senior Analyst, IoT & Embedded Technology, agirard@vdcresearch.com, 508.653.9000 x153; or
Steve Hoffenberg, Director, IoT & Embedded Technology, shoffenberg@vdcresearch.com, 508.653.9000 x143.

Haven't decided if you're attending Embedded World yet?

Please check out the Embedded World website for more information on the conference program as well as information on all of the companies that will be exhibiting.

We look forward to seeing you at the show!


Intel’s IoT Platform Extends Security Toward Edges

At a press and analyst event in San Francisco on December 9, Intel announced its “IoT Platform” reference model. The model is horizontal in scope, encompassing numerous technologies applicable to everything from edge devices to gateways to the cloud. In addition, it is intended to be a modular approach, such that Intel’s hardware and software components (including those from subsidiaries Wind River and McAfee) can be mixed with those of other vendors. For example, a customer could deploy its preferred gateway devices not limited to those based on Intel’s Moon Island design, while remaining compatible with Intel’s reference model. We won’t attempt to describe the entire Intel IoT Platform in this blog post, but we’ll focus on a couple of security aspects announced. (Readers can find the full Intel press release here.)

Intel executives discuss IoT Platform security: (left to right) Lorie Wigle, VP of IoT Security Solutions; Steve Grobman, Intel Fellow and CTO for Security Platforms and Solutions; and Luis Blando, SVP of Intel Security Group [McAfee].

As part of the latest announcement, McAfee’s ePolicy Orchestrator (ePO) is being extended into IoT gateways. ePO is software for security management, enabling centralized deployment and control of security policies, as well as monitoring of endpoint security status. Previously, ePO was intended for enterprise IT networks, but the announcement means that it can now encompass a much wider range of industrial and commercial IoT networks. In VDC’s opinion, this could help ease integration between IT and OT (operational technology) departments when transitioning standalone OT systems into IoT systems. OT could maintain functional control over the gateways and edge devices, while IT institutes improved access control between the gateways and enterprise network assets.

A second notable security announcement was that Intel Security will now license its Enhanced Privacy Identity (EPID) technology to other silicon vendors. EPID is a form of remote anonymous attestation using asymmetric (public key and private key) cryptography, through which central systems can confirm the integrity and authentication credentials of remote devices, without those devices having to reveal their identities or those of their owners. (One common use for anonymous attestation is digital rights management for content protection.) Anonymous attestation requires security hardware, such as a CPU with a Trusted Platform Module (TPM) or Trusted Execution Environment (TEE), for which Intel of course is a prime supplier.

EPID can create groups of devices, where a single public key can work with multiple private keys, i.e. one assigned to each device within the group. The mathematics behind EPID is complex, but for those interested, we suggest checking out the article, “Enhanced Privacy ID: A Remote Anonymous Attestation Scheme for Hardware Devices,” by Intel’s Ernie Brickell and Jiangtao Li (Intel Technology Journal, Volume 13, Issue 2, 2009, pp. 96-111). The chart below from that article summarizes how EPID differs from other attestation technologies, including Direct Anonymous Attestation (DAA).

Chart source: Intel Technology Journal

Intel has not yet disclosed licensing terms for other chip makers to use EPID, and onerous or expensive terms could limit its acceptance. However, VDC believes that EPID could be applicable to many IoT scenarios where a central system needs to trust remote devices owned or operated by others. This type of function will become increasingly important as interested parties seek to extract shared or publicly provided data from private IoT devices.

Although numerous security technologies from many vendors are taking hold in the IoT, Intel is uniquely positioned in this market by virtue of its presence at both the network/system level (McAfee, Intel Server Systems) and the device level (Intel CPU hardware, Wind River software). Intel says, for example, that its existing McAfee Embedded Control software for application whitelisting is used by about 200 device manufacturers. Intel’s IoT Platform is the latest evidence that the company will remain a force to be reckoned with in IoT security.


Where's The Action On Security Concerns?

Recognition of Software Security Issues Is High; Mitigation Is Not

I read an interesting report from Spiceworks recently about mobile security actions by IT departments...or perhaps, lack of actions might be more accurate. The report, which is free to download, shows that nearly all IT professionals are worried about security risks affecting mobile devices supported by their company. However, this level of concern vastly outweighs the level of action their organizations have actually taken to lessen security threats.

This central finding, while disappointing, does not come as a surprise. Year after year, we see a persistent gap between awareness of software security importance and the steps taken to mitigate these issues. To help inform our analysis of the software and systems development market, VDC conducts an extensive end-user survey of the global development community. In 2014, only 7.7% of embedded engineers surveyed considered security “not at all important” on their current project; just 2% of enterprise/IT developers felt the same way. Yet 22% of the respondents in embedded and 12% from enterprise report their organization has taken no actions in response to security requirements on their current project.

Need to Close the Awareness – Action Gap

The potential financial and safety impacts of software vulnerabilities have been clearly demonstrated by several recent and very public cases. Incidents such as those exposing customer data from major retailers, and software-related automotive recalls, can dominate news cycles, damage brand equity, and, more importantly, risk lives.

A growing reliance on software for embedded device functionality and to manage financial data has raised the importance of actively addressing security considerations during software design. Unfortunately, the velocity of software innovation is outpacing the application of safeguards, and challenges continue to mount. Code base volume and complexity continue to rise. Development teams are increasingly utilizing alternative code sources, including open-source software, to meet their time-to-market windows. The number of potential entry points for malicious activities is increasing exponentially as more connected devices are deployed as part of the Internet of Things (IoT).

Teams designing software for the IT or embedded markets should start testing for security vulnerabilities early in the development lifecycle, when resolution is the least costly. We recommend static and binary analysis as effective tools for finding the most common security defects such as buffer overflows, resource leaks, and other vulnerabilities. Use of these solutions should be incorporated as part of a comprehensive testing regime. Undoubtedly, the ramifications of software vulnerabilities are too severe to be left to manual processes or chance.


More Insight and Recommendations

For further investigation and discussion about this and other important trends in the automated test and verification tool landscape, as well as other disruptive shifts in systems lifecycle management, please see our 2014 Software and System Lifecycle Management (SSLM) intelligence service.


Automotive Privacy Protection Principles Don't Go Far Enough

The Association of Global Automakers and the Alliance of Automobile Manufacturers jointly announced on November 13, 2014 a set of voluntary “Consumer Privacy Protection Principles.” (See the press release here, and download the principles PDF document here.)

The document is written in quasi-legalese, but in essence, it’s a pledge by automakers, beginning with the 2017 model year, to among other things:

  • inform consumers about how data collected from their vehicles will be used
  • obtain “affirmative consent” for certain ways that data might be used
  • anonymize aspects of the data under some circumstances

VDC applauds the auto industry for recognizing the importance to consumers of privacy for data collected by electronic and digital technologies, which are growing by leaps and bounds in new vehicles. However, the principles don't go far enough in several respects:

Security – The document states that participating members must “implement reasonable measures to protect Covered Information against loss and unauthorized access or use,” then says that “reasonable measures include standard industry practices.” The word reasonable is too wishy-washy in this context, so those statements in the privacy principles don’t inspire confidence that automakers and their partners will go the extra mile for data security. (Why don't the principles say the members must "implement strong measures" to protect the data?) Without defining any minimum security measures or committing to create or adhere to an ISO standard, it comes across as a nice way of saying, “We’ll make a good effort at security, but don't expect us to guarantee the data won't get breached.” In addition, security issues apply for data within vehicles' internal systems, for data during communications from vehicles to infrastructure, and for the databases where the manufacturers will aggregate and store the data. Security policies should specify minimum requirements for how data will be secured at each of these levels, as well as how authorized third parties with data access will be required to secure the data.

Consent – The document states that automakers need to obtain consent to “a clear, meaningful, and prominent notice disclosing the collection, use, and sharing of Covered Information.” However, the document includes no provision for a vehicle owner to deny such consent or revoke it afterwards. Why would that be important? Because the consent form is likely to be presented to consumers among a stack of numerous papers that they sign in a perfunctory manner when buying a car. In addition, consent ideally would provide vehicle owners with the ability to agree or not to agree to each type of data collected, rather than any blanket statement of consent to collection of all data. We’ll see how this plays out when the first consent forms hit the market.

Data Access – The document says that consumers will have “reasonable means to review and correct Personal Subscriber Information.” Such information may include name, address, telephone number, email address, and even credit card number. It’s fine that automakers will give consumers the right to access the data that they themselves provided in the first place, but what the document misses entirely is the basic principle that consumers should have the right to access data produced by their own vehicles. Although this isn't a data privacy issue, it is a data rights issue that automakers need to address. In VDC’s opinion, vehicle owners should have, for example, the ability to take diagnostic data to an independent mechanic, rather than manufacturers only providing such data to its dealers or third parties that have paid to access it. That concern is partly mitigated by "right to repair" laws, which are already in effect in the European Union and slated to take effect in the U.S. in the 2018 model year, although full data access would go beyond such laws. Vehicle owners also should have the ability to access geolocation and nearly all other data generated by their own vehicles. Certain types of data may need to be kept confidential, but the default should be to provide consumers access to data from their own vehicles unless there’s a legitimate safety reason not to make it available to the people whose vehicles generated it.

For further discussion of data rights issues related to the automotive industry and the Internet of Things, see the recent VDC View article entitled, Beyond "Who Owns the Data?" 

