IoT May Be an Expensive Mistake

Written by Julian Marshall | Oct 17, 2022 3:35:13 PM

The Internet of Things (IoT) encompasses a broad range of variants with some obvious conflicts in their abbreviations:

  • Consumer Internet of Things (CIoT) vs Commercial Internet of Things
  • Industrial Internet of Things (IIoT) vs Infrastructure Internet of Things
  • Internet of Medical Things (IoMT) vs Internet of Military Things

All six (there are likely more) are legitimate applications of IoT, often with special requirements. Together, these IoT variants have connected a broad range of devices to the cloud. But security issues[i] have plagued these technologies, including:

  • Incorrect access control
  • Overly large attack surface
  • Outdated software
  • Lack of encryption
  • Application vulnerability
  • Lack of Trusted Execution Environment
  • Vendor security posture
  • Insufficient privacy protection
  • Intrusion ignorance
  • Insufficient physical security
  • User interaction

Many of these issues stem from companies implementing IoT themselves.

Engineers have many choices for platforms:

  • Message Queuing Telemetry Transport (MQTT)
  • Advanced Message Queuing Protocol (AMQP)
  • Constrained Application Protocol (CoAP)
  • Extensible Messaging and Presence Protocol (XMPP)
  • Dedicated systems

So, how do the engineers choose which one is best?

The answer is quite simple: it depends on the product you are building. If your product is one of a myriad of sensors or devices that an end-user will want to integrate with their own existing or 3rd party IoT control systems, then you are wise to choose a standard protocol. Many have done this, although it appears that when software engineers implement MQTT, AMQP, CoAP and XMPP, for whatever reason, the implementations sometimes leave gaping security holes.[ii],[iii],[iv],[v]

If, on the other hand, you are selling products to end-users and you will be the primary service provider for those products, then you want a more dedicated solution. Such systems are available off-the-shelf—you don’t have to distract your engineers building your own solution. Products like maiLink SRM, which was built with a security-first mindset, let you accomplish all your goals:

  • Custom telemetry direct to your service team’s dashboards
  • Outbound-only links for customer peace of mind
  • Secure remote access, on demand or with approval
  • Service automation
  • File transfer up and down, with no limit on file size
  • Lightweight product connectivity footprint preserves product compute resources

Most critical is realizing when IoT is simply not the right solution. By honestly appraising the amount of engineering resources necessary to implement IoT, including all the necessary security precautions, you may soon discover that purchasing an off-the-shelf solution is far less expensive. IoT development can be time-consuming (roughly 18 months)[vi] and expensive (as many as six full-time engineers)[vii], totaling $1M or more. Once development is done, don’t forget that you need a sustaining engineering team to maintain the infrastructure.

If your product stands alone, and you are the primary service provider, IoT is likely the wrong choice for you.

 

maiLink SRM software is a service relationship management platform that helps you build a rich database about your installed devices. It also seamlessly integrates telemetry from your products and has no per-user fee (so any employee you authorize can have access to the data). To learn more about maiLink SRM, visit www.maiData.io and sign up for a free trial.

 

 

[i] https://www.eurofins-cybersecurity.com/news/security-problems-iot-devices/

[ii] https://blog.paessler.com/why-mqtt-is-everywhere-and-the-security-issues-it-faces       

[iii] https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1208&context=ism

[iv] https://ieeexplore.ieee.org/document/8728533

[v] https://bishopfox.com/blog/xmpp-underappreciated-attack-surface

[vi] https://foobot.io/resources/hvac-pro-blog/how-long-does-it-take-to-create-an-iot-product/

[vii] https://www.oreilly.com/content/creating-functional-teams-for-the-iot