Q: How is Cisco approaching the challenges of Internet of Things (IoT) rollouts?

It’s unlike what happened in IT. What you notice is that the world of IT, from a networking perspective, has gotten a lot simpler, meaning it used to be very diverse and it’s gotten a lot more homogeneous. It used to be in a typical enterprise you’d have token ring, you’d have FTDI, you’d have ISDN, you’d have satellite connections, you’d have Ethernet connections, you’d have lots and lots of different kinds of connectivity. Today if you walk into the average office you’ll see Ethernet and Wi-Fi. So it’s gotten a lot simpler on the IT side, but if you go and look at the industrial side you’ve got ZigBee, you’ve got Z-Wave, you’ve got Bluetooth Low Energy (BLE), you’ve got USB connections, you’ve got power-line communications, you’ve got HomePlug. There are so many ways to connect these things, and the reason there are is that they’re all solving, for instance, “I want to go really far but I don’t need to send a lot of data so I don’t need a lot of speed,” or “I need to be able to send at close range but with very low battery consumption.” So range, speed, energy, and whether it’s on a licensed or unlicensed spectrum are sort of the four dimensions, and in those four dimensions you have one end of the spectrum versus the other, so you have 16 possible combinations just out of different permutations of that.

[Cisco] makes these routers that we call gateways, and gateways are sort of the “Swiss Army Knife” of the networking world – they talk multiple things on the southbound side and they speak different interfaces on the northbound side. Typically, a sensor, a robot, some kind of device will end up talking to a gateway at some point, either over a wired or wireless connection. The challenge will be, while we try to build as many interfaces as possible into our gateways, we’re always going to come up short. Somebody is always going to point out, “Well, but you don’t do this interface" or "You don’t have this one.”

Where we can solve for this is, for example, increasingly people are very comfortable with the USB interface and they are saying, “Well, I’ve got a little stick that talks my proprietary I/O interface that I happen to enjoy,” and we’ll say, “Great, bring your USB stick like you would a memory stick in a PC, stick it into my router, and if you’ve got a Linux driver for that particular I/O interface, just recompile it and go.” I tongue-in-cheek refer to this as Bring Your Own Interface (BYOI). That is going to allow a lot more innovation to occur. If you’re a small startup, you spend an awful lot of your cash building this entire gateway when all you really cared about was the interface. If you could have showed up with your interface and stuck it into our routers, then you didn’t have to burn all of that cash building another gateway. So I think that’s the problem today. In the IoT world, what’s holding it back is people are building a completely separate network for every single use case. How many of these gateways are people going to string on every street corner? There’s going to be a whole Christmas tree of ornaments hanging on every street corner. And that’s the problem we’re trying to solve for, which is to say what if you had, truly, a Swiss Army Knife-type capability where you put one gateway on every street corner and whether you’re doing parking or LED street light monitoring or pollution monitoring or video surveillance, whatever, they just plug in. They just connect.

Q: How do you handle comprehensive security in the IoT?

People always think that security issues are going to come from hackers coming from without, but the problem most often is that we have met the enemy and it is us, meaning it’s our own employees, it’s our contractors, it’s our suppliers that increasingly will bring in the threats to our connectivity infrastructure. If you’re the owner of a factory you should be much more careful about the technicians that are coming in to service your machines than the random hacker from some strange country that’s going to try to hack your system from the outside. So when they show up and say, “Hey, sir, we’d like to update the firmware on our device here,” that’s when you should say, “Whoa, hang on!” because that’s how Stuxnet got brought in – it was brought in on a USB stick. The problem is that today the security model is typically what I call a candy bar security model with a crunchy outside and a soft gooey center. We need more like an onion. We need rings within rings of security, and what we’re doing to protect against that is all kinds of stuff from when the device boots it needs to have a securely stored, encrypted version of the Operating System (OS); during the boot cycle it has to avoid being tampered with so that somebody can inject malicious code as it’s booting and subvert it; we need to encrypt all the communications; we need to authentic to the device as well as the user; we need to combine physical and logical security.

In the world of IoT, I think we have a better opportunity to protect the infrastructure than we do on the IT side. The reason I say that is let’s say I’m in IT and I want to protect your laptop. I might say, “Well, I’m not going to give you access to Gmail, or going to let you access YouTube, or let you access Netflix.” But increasingly today people bring their own device to work and it’s like, “Wait a minute, this is my system” or “Frankly I need those things to do my job.” It’s very difficult to lock anything down. But on the IoT side you could say this robot on the factory floor should only be talking to the Programmable Logic Controller (PLC) sitting right there. It has no business going to Gmail, it has no business going to Netflix – it’s a robot. I think because of the fixed roles of devices in IoT we can be much more prescriptive. Now that we know that it’s a robot we can lock it down completely; we can make sure that it’s only ever talking to “that” but nothing else. We were not able to do that on the IT side because it’s like anything goes: these PCs are multi-purpose devices, they run many apps, they can talk to anything.

Q: What is the role of Software-Defined Networking and Network Functions Virtualization?

Let’s go back to the example I gave of the robot on the assembly line only having to talk to the PLC. We’re going to make that happen through SDN. We’re essentially going to – once we discover the identity of a device – reprogram the network to optimize the traffic that needs to control that device, but also to secure it. So the more we know what a device is and the role that it plays, the more we can configure the network. So SDN for us is a way of making the network itself programmable.

When you talk about NFV, I think what’s actually going to happen is the virtualization of all compute resources that today exist in the industrial world. If you look at a typical industrial plant, whether it’s a factory or a substation or something like that, you find lots of devices that are actually kind of computers under the hood. So think about a Remote Terminal Unit (RTU), think about a PLC, think about any kind of intelligent electrical device by the way, and you kind of discover that what they’re really about is I/O interfaces and compute. And today those are dedicated devices that essentially don’t evolve very fast, and it’s not just the industrial space. Think of the average ATM. What is the average ATM? A PC running Windows XP.

I think our opportunity is to virtualize all of those devices. So today the thing that exists as an RTU or an intelligent electrical device or a PLC or a vending machine, all of that compute is going to get turned into software and all of that software is going to be turned into apps and those apps are going to run on the communication device. Now, why is it going to go on the communication device versus the communication device getting turned into a server? Because primarily job one is still “I need to connect.” And back to the Swiss Army Knife, you still need all of those interfaces so you need a communication device first and foremost. The reality is of course the heart of that communication device is a computer, and increasingly they have space for rent. All of those dedicated devices are going to get virtualized over time and they’re going to become apps. And that’s of course an interesting question for companies that make some of those devices, because I suspect what they’ll realize is their core competency is not the actual physical device, it is the logic or the automation that that device actually exercises.

Q: For companies looking to get involved with the IoT, how would you suspect they prepare?

Well, it depends if you’re a small company or a big company. I would say there are a couple of different ways to play the IoT market. The first is that the market is kind of broken down into three layers: you’ve got devices, connectivity, and apps. You could make a device, for example if today you’re a company making things – you’re making washing machines, you’re making robots, you’re making ATMs – you’re probably going to have to figure out very quickly how you make your thing a connected thing. That I think is just pretty obvious. If you’re making a pump, a solar panel, a windmill, there’s going to be some additional service you can sell if you were to connect it back home and have it phone home so you can then service it. So that is for the maker of things. The key opportunity is make a connected thing.

For the people that make connectivity like Cisco, I think the answer is connect more things and find a way to add more value to the connectivity, hence, what we’re doing with application enablement. If you’re an app maker, I think in the app space you can actually play it in several layers. There are an existing automation apps, control apps, visualization apps where as you are able to connect more things your application all of a sudden becomes more valuable. So you can simply say, “Before I was only able to see so far, today I can see a lot further. I can see more things, I can see more information.” So great, your world gets richer, you get more valuable.

There is, however, a completely open new space that is yet another way to play this whole IoT area, which is a lot of old-world companies are going to go from being data anemic to data bulimic. So the BMWs, the Kaiser Permanentes, they think they have a lot of data now? You just wait. And I think there is an opportunity for startups to come along and say, “Building lots of washing machines or solar panels is a very acid-intensive industry that costs a lot of money. But I can hire some smart people and I’m going to concentrate on turning your data exhaust into gold. All of that raw data that you’re currently collecting, I’m going to look for patterns, I’m going to look for insights, I’m going to turn those insights into foresights, I’m going to turn those into predictions, I’m going to turn those predictions into automation, I’m going to allow you to save you money by keeping machines up for longer, letting them operate within better tolerances, detecting problems before they happen.” So, I could data mine your things and turn that into a business. It might be that you’re really good at this for oil and gas, you’re only ever going to be good at this in oil and gas, and you can’t then turn that around and do that in agriculture or in healthcare. But I do think that there’s an opportunity in data-rich startups exploiting the analytics and living almost as a financial services company offering to invest your portfolio.

Cisco Systems • www.cisco.com • @Cisco_IoT • www.linkedin.com/groups?home=&gid=4826658