The Internet of Things, a term once applied to almost any “smart” gadget connected to the Internet, is becoming more useful, more complex, and more of a security risk as the value of data continues to grow and more people depend on IoT technology.
In the decades since the concept was first introduced, IoT devices have become so ubiquitous that applications cover practically every consumer, commercial, and industrial segment. The growing list of sectors using the IoT includes manufacturing, automotive and transportation, as well as healthcare, agriculture, supply chain, and logistics. Smart homes/buildings, entire smart cities, and energy and power grids are relying on the IoT.
And that is causing some problems. Case in point: Early Christmas morning in 2022, thieves broke into Washington’s Puget Sound Energy and stole equipment that caused 7,000 customers to lose power. A similar crime occurred just a few miles away that month. Other attacks occurred in Oregon, Washington, and North Carolina. Power grids have always been high-value targets, subject to on-site and online assaults, as many different security agencies continue to warn of growing risks.
IoT also is a key part of retail, telematics and telemetry, security technology, animal farming, scientific research, surveillance, and many other areas, and the risk is significant for all of them.
Why IoT is so important
Despite security concerns, the IoT is so useful that it continues to by leaps and bounds — so much so that when ChatGPT, a new AI search engine, was asked to list the top 100 applications for the IoT, the search engine simply added the word “smart” in front of many common places and items. For example, it responded with “smart aquariums, smart theme parks, smart libraries,” etc.
Put simply, the IoT is everywhere. What makes it so popular is its ability to solve problems. For instance, safety is critical in manufacturing, industrial, chemical processing, mining, and many other applications. IoT sensors can be used to monitor environments for the presence of hazardous chemicals. If there is a gas leak, a real-time alert can be sent to the control centers to prevent potential accidents from occurring.
In addition, aging infrastructure such as bridges, buildings, highways, and power grids pose risks. To help mitigate these risks, sensors in an IoT network can track cement movement and the changing size of cement cracks. IoT monitoring of the moisture in some building structures can provide advance warning of potential disasters such as collapsing buildings and bridges.
Tracking high-value assets using the IoT helps increase manufacturing productivity. By using a combination of LTE, LoRaWAN, RF, and sensor tags, assets can be monitored in real-time, from departure to loading the truck to the destination warehouse. A handheld device can be used to pinpoint an item’s exact location within a few centimeters. Additionally, smart factories could include IoT-based preventive maintenance to curtail downtime. These factories also could use AI to check IDs and determine if the identified person is authorized to enter specific areas, increasing safety and security.
IoT-based surveillance solutions can help alert local police and/or security forces to planned power grid attacks, stopping them before they are carried out. IoT solution providers have demonstrated various surveillance solutions.
- Drones equipped with Wi-Fi HaLow monitor the power grid surroundings, making it possible to stream real-time video to the control center before attempted forced entrance.
- Another approach is to use autonomous cars equipped with cameras can patrol the grounds.
- Sensors can be installed in the area to monitor any intrusion.
These surveillance solutions will be able to provide 24/7 real-time monitoring and alert the control center if any unusual movements have been detected. The surveillance solutions can be applied not only to the power grids, but also to any buildings that need protection, including factories, warehouses, hospitals, government buildings, and more.
Today, the Internet of Things is a group of network nodes connected to the cloud, capable of communicating with each other wirelessly to share information. These IoT nodes may include application software, a microcontroller unit (MCU), gateways, firmware, local memory, wireless connectivity, cloud platforms, sensors, and I/O connections. (See figure 1)
Fig. 1: The three layers of IoT show how end-users interact with devices. Source: Qorvo
The network nodes could be on a single device, a module, or a group of devices. With system-on-chip (SoC) innovations, more and more functions are being integrated onto an SoC or into a system-on-module (SoM). Depending on the applications, the communication protocols can be one or more of the following:
- Wi-Fi and Wi-Fi HaLow, which are based on IEEE 802.11a/b/g/n specifications
- Bluetooth/Bluetooth low energy
- IEEE 802.15.4 standard related
- Matter (formerly Zigbee), which is based on the IEEE 802.15.4 specification
- Near-Field Communication (NFC)
- Cellular – LTE/5G
Common IoT application protocols used for messaging include:
- Advanced Message Queuing Protocol (AMQP)
- Data Distribution Service (DDS)
- Extensible Messaging and Presence Protocol (XMPP)
- Machine-to-Machine (M2M) Communication
- Message Queuing Telemetry Transport (MQTT)
- Constrained Application Protocol (CoAP)
- Simple Object Access Protocol (SOAP)
- Hypertext Transfer Protocol (HTTP)
More IoT applications
In factory 4.0, there are condition-based monitoring and collision avoidance in robotic and drones. “Other applications, such as presence detection/object detection and motion detection, are implemented in devices,” said Prakash Madhvapathy, director of product marketing for Tensilica audio/voice DSPs at Cadence. “Additionally, data processing for industrial use cases is moving closer to the edge for various reasons, including connectivity issues, cloud service charges, and latency. This has resulted in on-premise processing, and has further migrated in many cases to on-device processing. On-device processing is the most natural approach, as that is the first point of access to the on-device sensor data.”
Further, new IoT innovations will continue to improve efficiency and the environment. For example, Thomas Lorenser, director of general-purpose compute at Arm, noted that an AI-enabled refrigerator from Arçelik Global will be able to reduce overall energy use by as much as 10%. “Imagine millions of households can save 10% on refrigerator. Consider industrial refrigerator applications and their impact on cost saving and the environment.”
Emerging IoT standards
The benefits of having standards include global interoperability and scalability. Over the years, standards have evolved. There are a number of emerging IoT standards competing for the attention of developers, with various consortia promoting their own unique protocols and standards, such as European Telecommunications Standards Institute (ETSI), Matter, Global Industry Standards for Industrial IoT (iiconsortium.org), and LoRaWAN, among others.
ETSI, a nonprofit organization with 900 members from 60 countries, sets standards for many different types of technologies, including IoT. Members include small private companies, research entities, academia, and government and public organizations. The ETSI IoT standards focus on two specific layers — the radio layer in 3GPP and the service layer in oneM2M.
Matter is a relatively new name. The IP-based Matter standard was established by the Connectivity Standards Alliance (CSA), formerly known as the Zigbee Alliance. The standard is open-source and aims to achieve a low-cost, low-power wireless network for IoT. There is a certification program to ensure all Matter devices are compatible with each other, independent of who makes the device. The specification also includes security practices to ensure certified device authentication. Its promoters include Apple, Amazon, Google, Samsung, and the like. Arm, though not a promoter, also supports Matter.
The Industry IoT Consortium (IIC), formerly Industrial Internet Consortium, released a document in 2022 entitled, “Industrial IoT Artificial Intelligence Framework.” It provides developers with a framework and a standard to follow in developing IoT-related technologies. The 110-member organization, part of the Object Management Group, was founded by Cisco, General Electric, IBM, and Intel.
LoRaWAN has been gaining momentum recently. Behind LoRaWAN is the LoRa Alliance. Its wireless modulation was derived from the Chirp Spread Spectrum (CSS) technology. It operates at the license free sub-gigahertz band, as well as in the 2.4 GHz range. Combining LTE with LoRaWAN means coverage can be both local and long-range. Currently, 173 carrier operators support the LoRaWAN protocol worldwide. The latest LoRaWAN TS1-1.0.4 specification was released in 2020, which simplified the end-to-end deployment for IoT. With the growing momentum of LoRaWAN and Matter, the influence of Z-Wave, which focuses on the smart home applications, may diminish over time.
There are many different IoT deployment considerations, including SoC selection; OS and software protocol and wireless connectivity, including RF; network use; mobility support; thermal management, power management, and battery life; use of public or private networks; standards; operating frequency and data rates; real-time and latency requirements; payload size; cybersecurity; ruggedness (consumer- and industrial-grade); packaging and size; and system reliability.
SoC and SoM innovations that enhance and simplify IoT designs are coming from both large and small organizations, and the overall market continues is accelerating. According to Future Market Insights, the global IoT chip market will grow from $415 billion to $736 billion in the next 10 years at the rate of 5.3% CAGR.
Who would participate in this massive market? Because IoT is so pervasive, every semiconductor manufacturer is a supplier in some way. Emergen Research, on the other hand, named Infineon/Cypress, Intel, Microchip, NVIDIA, NXP, Qualcomm, Samsung, STMicroelectronics, and TI as the top IoT chip suppliers based on their 2022 IoT sales revenue.
Fig. 2: The vast market opportunity has created competition that increases pressure on fast innovation. To create a new IoT device from scratch may take up to 15 months. Source: Infineon
“When designing a simple IoT device such as a smart coffeemaker, many things need to be taken into account including selection of MCU, the radio stack in the wireless connection, firmware design, and the security and trust factor,” said Erik Wood, senior director of IoT product security, IoT, Compute, Wireless Business, and Connected Secure Systems at Infineon Technologies “Additionally, if the design needs to go through certification to be interoperable with other devices, the certification process may take another 18 months upon the completion of the design. Taking the approach of using pre-configured and pre-certified SoCs, the development time can be shortened down from 15 to 3 months, which is significant.”
But without security, any connected thing is vulnerable. The increasing cyberattacks is a constant reminder of the importance of security in the IoT designs. The vast landscape of IoT has made it an easy target for hackers. Developers have to stay on the defensive to minimize cyber vulnerability and increase security measures. There are no shortcuts.
Vulnerabilities also need to be viewed in a larger context. “Our societies are digitizing, and we’re connecting more and more devices to the internet (IoT),” said Maarten Bron, managing director at Riscure. “Conservative estimates show there are approximately 10% more connected devices every year. With time, these devices become more complex, including larger code bases, more functions due to increased customer expectations, Moore’s Law on a chip level, etc. What we have seen is that with more complexity, inherently comes more vulnerabilities. When reviewing code, we find one critical security bug in every thousand lines of code. So as we connect more things online, these things become increasingly more vulnerable.”
There is also now a third dimension to the cyber threats, Bron said. “The first dimension is growth in IoT numbers, making them easy targets. The second dimension is the longer the IoT nodes are exposed, the higher the risks. Now comes the third dimension, which is the increase in IoT target value over time. Data is the new currency, and as devices collect and store ever more data, the value goes up. To an attacker, the IoT may look like a big orchard, full of low-hanging fruit, and as these fruits grow, they become heavier, and hang even lower. This is a security problem that scales. The attack surface is getting bigger. Scaling security problems require scaling security solutions.”
At the heart of the acronym ‘IoT’ is ‘Internet’, which literally means an interconnected network of networks, said to Mike Borza, scientist, Solutions Group at Synopsys. “The other half of the idea is ‘Things,’ big and small, that all use this internet to communicate. All things are not the same as others in terms of cost, complexity, capability, sensitivity of the data they process, the business opportunity they represent, and so on. This lack of even basic requirements on manufacturers to provide secure products means there’s a huge range of approaches and expectations for security.”
Borza noted that many of the highest-volume, lowest-cost products are among the least secure, and most poorly maintained to address vulnerabilities as they are found. “Big vulnerabilities arise when these vulnerable devices are introduced into parts of the network that have much higher needs. These devices become the weak links that can be exploited as the port of entry for more ambitious attacks on nearby devices in the network. These kinds of escalating attacks are seen over and over, starting with a low-complexity compromise as the staging point for a more involved attack.”
Taking cyber threats seriously is the best defense, he said. “It is important to design with end-to-end security in mind, but this is only part of the solution. Much like the operation of the 1,700-mile-long Alaska gas pipeline, while it is important to ensure the content can flow from one end to the other, leaks can occur anytime, anywhere along the pipe. Preventing any leak along the pipe is required.
End-to-end security is important, but before that’s possible, the endpoints themselves need to be secure and trustworthy. “The integrity and authenticity of the firmware and software should be tested, and a reasonable response taken to a failure of those tests, which are the foundation on which the rest of the platform relies. Ideally, the system then measures its integrity and security status on an ongoing basis. Then you have a strong basis for the things communicating at each end of the conversation to trust that they’re talking to the peer they think they are. To make that work, the foundations need to be baked right into the silicon, right into the chip. It’s hard to design and build those things well, to make them secure on day one, and allow them to evolve as attacks improve. Those are some of the ideas that DARPA’s AISS (Automatic Implementation of Secure Silicon) is trying to address, and there are other examples that are similar,” Borza added.
While basic security is typically available in current IoT designs, such as secure boot and the ability to communicate with TLS using trusted certificates, threats evolve and therefore the scope of potential vulnerabilities does as well, explained Gijs Willemse, senior director of product management for Security IP at Rambus. “It is critical for the device owner, as well as the service provider, to ensure that a device can be trusted and is not compromised. End-to-end security is a mandatory pre-requisite to achieve this trust. This includes management of the device lifecycle with provisioning services.”
The usefulness of IoT is improving. It can save energy, help us prepare for and avoid disastrous situations, increase safety in manufacturing, industrial applications and high-risk endeavors such as mining. Even power-grid attacks can be prevented with advance warning and security readiness. Additionally, it provides modern convenience, such as smart parking, smart retailing, water leak and gas leak warning, and more.
IoT technologies will continue to evolve for better, including more energy efficiency, smaller formfactors, increasing integration, better standards, and more applications. But it will have to be kept secure, and that will require diligence from product design to device end of life, and everything connected in between.