Why does the IoT industry need OTA administration systems?

Ten years from now, it will be hard for us to remember a world where everything wasn’t connected to the internet in one way or another. Even today, we don’t really care to know which technology will be used; things will simply either be connected or be a problem (and our kids, customers or business partners will chase us until we get everything connected again).

A Gartner study called “IoT Endpoint Use Cases Drive Demand for Semiconductor Total Solutions”, published in September 2020, predicts a bright future for the 32-bit MCU market, but only for MCU vendors who successfully bundle their MCUs with software and services such as:

  • Over-the-Air (OTA) software update
  • Security services
  • Security software

It is now widely accepted by the industry that new Internet- or Intranet-connected devices, appliances and machines should not only rely on more secure hardware and software but also on Over-the-Air (OTA) servicing capabilities in order to get rid of manual maintenance.

Believe it or not, although the statement sounds obvious, the industry as a whole seems very far from turning it into reality. Many good reasons explain this gap.

First, the industry lacks unifying standards covering IoT security, the good practices and services to deploy, and how to implement them.

Second, the technologies required to implement such services securely are very complex and span from the world of embedded hardware, firmware and software to the world of IT. Very often it is left to the OEM to consolidate reference designs with reference or open-source software and turn these into an industrial solution.

Third, the infrastructure needed to deploy such services in a secure manner is expensive, and such costs are simply a deterrent for most OEMs. To date, only a few mass-market industries can afford both the infrastructure and some services, for example:

  • The smartphone industry: major smartphone manufacturers (Apple, Samsung, Huawei, Xiaomi, etc.) and OS providers (Apple, Android) have OTA infrastructure and services in place to make sure that they can keep billions of devices upgraded and secure
  • The PC industry: major PC manufacturers (HP, Lenovo, Acer, Apple to name a few) and OS providers (Microsoft, Apple, Android, Linux) have OTA infrastructure and services in place to make sure that they can keep billions of machines upgraded and secure
  • Utilities (electricity, water, gas) deploying smart metering and infrastructure monitoring
  • Public transportation and freight (air, rail, road)
  • Telecom and Internet service operators
  • The automotive industry, to a lesser extent

For the rest, many pieces of the puzzle are missing: it may be that the hardware is built on easily hackable chipsets and/or that the software implements weak security and/or is not OTA upgradable and/or that the device administration services are very limited and woven into the data management platform.

Topping this with mandatory compliance with the General Data Protection Regulation (GDPR) or equivalent schemes in non-EU territories, and a desire to host their infrastructure as locally as possible, leaves OEMs with the feeling that their IoT technical implementation will be more difficult than climbing Mount Everest.

Could this be one of the reasons why the market is 5 years behind the most conservative IoT predictions of the 2010s? Most probably!

Secure systems don’t have the luxury of video or connectivity standards, both of which are able to evolve in time with improvements, innovations and breakthroughs while maintaining ascending compatibility and slow obsolescence. Especially in the eyes of end users, security can only exist as state of the art. There is a good reason why a security standard like SSL/TLS has had six new releases since 1994: weaknesses and flaws discovered and exploited by hackers need an immediate fix—and the market won’t take “we’ll do it later” for an answer.

This calls for a very important property of secure devices: they need to embed mechanisms supporting upgrades, not only of their application software or firmware but also of their operating system, their kernel, and their security subsystem, whether an embedded secure core or a distinct secure element. Moreover, these upgrades should only be possible via a very secure channel from a very secure administration platform, with administration rights and credentials keeping track of every device in the field. Implementing real security in an IoT solution may require up to 7 layers, and as many partners that an OEM will need to orchestrate and maintain to hold everything together in the long run.

Having a system that not only builds in security at every layer but also ensures that an IoT solution is future-proofed through lifecycle maintenance means that this IoT solution can be competitive today and stay competitive in the future as the market continues to grow.

There is therefore a niche for players capable of putting together pure-play device administration platforms and software kits on which OEMs can build their own applications. These players will need to resist the temptation of capturing customer data and of locking customers to their systems, to specific chipsets or to data platforms. In the meantime, they will need to contribute to IoT security standards and comply with them in order to help drive the industry to a safe and open IoT, which is the only viable IoT at all.

 

 

Guillaume Crinon, Global IoT Strategy Manager, Avnet