Trusting the ecosystem that sustains and maintains the Internet of Things
Most people don’t stop to think about where their clean water and electric power come from. All they know is that these infrastructures are seemingly everywhere, and that when they malfunction or need maintenance, somebody or something takes care of it.
When they’re successful, utilities can become indistinguishable from the communities they serve; that is, the system that sustains the community tends to blur into the ecosystem that it supports. Open standards accelerate the process by which a ubiquitous utility evolves into a complete environment that seems to manage itself.
That spontaneous self-management is both illusion and reality, especially when the range of autonomous administrative domains grows to the point that impersonal market forces take over. For example, nobody in particular manages the Internet from end to end as a public utility upon which modern life depends. Instead, what we have is the ongoing administration of an ecosystem—ranging from domain-name registrars to service providers, website administrators, web application developers and others—whose collective efforts ensure this shared utility serves all interests at all times. From the point of view of the average Internet user, this impersonal ecosystem is essentially indistinguishable from the impersonal system being administered. We implicitly trust the former to keep the latter in good working order.
Having confidence in the sometimes impersonal Internet of Things (IoT) will also require pervasive, ongoing and implicit trust by society as a whole in the IoT’s invisible ecosystem. Vulnerabilities may be introduced anywhere in the constellation of solution providers, service businesses, certification authorities and others who build, deploy, test, manage and vouch for the endpoints and infrastructures.
IoT ecosystem trust needn’t be tied purely to IoT security, as I discussed in this IBM Data magazine article from 2013. Trusting IoT ecosystems involves more than making sure every IoT manufacturer, service provider and application developer isn’t planting malware. It also requires a more comprehensive certification of confidence in the provenance and ongoing maintenance of every element that anyone in the ecosystem might provision into the Internet of Things.
Certification is not too strong a word to describe what’s needed. Having some rudimentary degree of certification-based trust across the IoT ecosystem would enable all users to count on some basic assured level of reliability, availability, isolation, performance and interoperability associated with any endpoints or infrastructure nodes, considered individually or in various combinations. In this way, we could be certain that no segment of the IoT might, deliberately or inadvertently, grab more than its fair share of bandwidth. Likewise, having a basic level of IoT ecosystem certification mitigates the risk that “weakest-link” faults anywhere in the IoT might bring it all down. Whatever its origin, an IoT “blackout” might become either a major catastrophe or a minor nuisance, depending on the extent of industry, infrastructure and society as a whole that has been impacted.
To mitigate the risks associated with IoT ecosystems, the guidance I offered in that previous post still holds true:
- Ask whether we trust the IoT components’ value chains in the physical and virtual world.
- Implement a big data IoT ecosystem registry to facilitate tracking of all value-chain parties that “touch” things throughout their lifecycles.
- Assemble the compliance, legal, contractual, trust, reputation, governance, operational and risk management frameworks to handle the interlocking responsibilities of all these parties for ensuring end-to-end IoT reliability, availability, security and interoperability.
- Inspect, certify, vet, monitor and audit the suppliers of IoT components and lifecycle services for conformance to generally accepted IoT practices.
- Implement strong authentication, permission management, content encryption, tamper-proofing and other technical safeguards to prevent unauthorized parties in the value chain from gaining access to sensitive data.
- Develop a universal framework for IoT lifecycle management and mandate that all manufacturers, service providers and other ecosystem parties implement it as rigorously as they do, for instance, their privacy protection policies.
Moving toward pervasive IoT ecosystem trust requires ongoing investments by business, industry and other parties. In this regard, IBM recently made an important set of linked announcements. They cover new IBM offerings to accelerate the creation of a trusted ecosystem of partners and clients to create, build and manage connected IoT products and systems:
- A new collaboration with Texas Instruments to develop a secure, cloud-hosted provisioning and lifecycle management service for IoT devices.
- New IBM IoT cloud solutions and IoT Consulting Services offerings based on Bluemix IoT Zone, covering such critical ecosystem requirements as real-time asset management, managed continuous IoT engineering and IoT system design/impact modeling.
- New industry solutions to optimize the availability and extend the life of complex, safety-critical aviation IoT components and product line engineering capabilities to enable efficient IoT product-design customization for specific markets.
None of these IBM initiatives involve IoT component certification. That’s a matter best handled in open, international industry standards groups, such as the Industrial Internet Forum, of which IBM is an active member.