Data I/O Corporation (DAIO) Earnings Call Transcript & Summary

Hello, everyone. Welcome to the Data I/O fireside chat series for the investment community. I'm Anthony Ambrose, President and CEO of Data I/O Corporation. I'd like to welcome you to today's session Installment Security for Internet of Things and Automotive. I'm pleased to introduce today's guest host, Avi Fisher, who's portfolio and manager analyst at Long Cast Advisers. Avi's been a follower of Data I/O for many years and he's graciously agreed to discuss his opinions on SentriX, ask some questions, and I'm sure it will be an informative session for everyone. So with that, Avi, take it over and fire away.

Thanks for the introduction, Anthony, and congrats for the company on 50 years. I think you've been there since 2012, so 10 years for you.

Exactly. Thank you.

One of the things you've done -- 2 things you've done is, one is transition the company more to the automotive side, which you've talked about on another fireside chat and also to introduce this security provisioning system called SentriX. And I wonder if you could sort of lay out for investors sort of what problems is solved by SentriX, what problems it solves for the customers, how it solves the problem and who you work with in coming up with the solution?

Sure. So you identified sort of the 2 big initiatives we've had to go to automotive and also begin the journey on security. And they're somewhat different. Automotive was a market that was developed and we saw a need to just do it better as the market transitioned to some of the newer applications in automotive, in-vehicle infotainment, advanced driver assist and electrification. But it's a big market, it's an existing market and one that we've been serving for a number of years. SentriX was different. We believed, and this is several years ago, over 5 years ago, looking at semiconductor road maps, looking at a number of the problems that we're seeing in Internet of Things devices around security, lack of security, inability for customers to easily and quickly develop a platform that was fundamentally secure to protect their supply chain and also protect their firmware. And so we did an investigation and said, what does it take to protect the supply chain from counterfeit devices and protect firmware both in manufacturing and in operation of devices. And it's pretty clear that customers were deploying technologies around existing security architectures such as PKI. Fundamentally, the same security architecture you have on websites and other techniques to provide key certificates to manage identity and create authenticity to allow people to onboard devices to the cloud in a secure manner, so they can be managed and do all of this. And the technology that we've developed strongly leverages the programming platform that we've created for data. And add some capabilities around a hardware security module, a.k.a., a black box to store and manage keys and certificates as well as the necessary tools and infrastructure to allow customers to manage the creation of jobs and manage the interaction between their certificate authority or who holds the keys as well as the cloud and downstream management services so when they get their product done, it can be managed. So the genesis of SentriX was we believe there was a problem in IoT, and it was very clear that strong hardware-based security that could be deployed relatively easily, we felt it was a really good way to approach the problem. We also saw at the time a number of semiconductor companies announcing new products built on standards, security standards so that they would have the ability to securely store and manage these keys and certificates as well as the firmware associated with the products. So that's really the genesis of SentriX, the need for customers to have secure IoT devices as well as the beginning of the semiconductor road maps that supported security on their chips.

Now Anthony, just to dig in a little bit, there are something -- hardware security module is a way of providing some security. How is SentriX different from that? Any improvement on that?

Well, it's actually -- we used an HSM, Avi. So an HSM is included in the SentriX system. So we actually leverage all of the industry standard work on HSM technology, okay? So that's the black box that manages the encryption. The customers may want a different curve. They may want 128-bit encryption, 256-bit encryption. There are lots of little choices they can make and all of those capabilities are fundamentally included in the HSM. The trick is how do you tell the HSM what you want and how do you manage it in such a way that it's easy for customers to get what they want, okay? And that's where the SentriX platform comes in. It's not just an HSM and a data machine, but it's a whole set of tools that are on top of it. So for example, if you are a certificate authority and by CA, that's the fundamental host, if you will, of the -- and keeper of the keys, all right? And the way it works is you have a certificate authority and they can delegate subordinate CAs. In other words, they can have a certificate authority platform in place that would allow the devices ultimately to be managed by that certificate authority. And we can do that with SentriX. SentriX also allows customers to onboard devices. So once you provision all the security information. So let's say it's Avi is great and wonderful certificate authority, and he is going to run a standard certificate for maintaining identity in his device and you're going to want to onboard and you're going to want to have a choice you and say, yes, I want to be able to onboard to Azure or Amazon both. And okay, Data I/O, how do I do that? So you say, great, Avi, let's just talk a little bit about how we get your certificate authority information. We can build that into the SentriX tool flow. Tell us what chips you're going to be using. Are you going to be using a secure element, which is a stand-alone security device that can sort of be bolted on to existing designs relatively easily or you're going to use a new generation of secure microcontrollers that have a lot of the secure element functionality built into them, secure storage. So I can put my keys and certificates in special regions of the device, a secure boot loaders, so I can structure a way for the whole system to come up in a secure way to manage and protect my firmware, not only in manufacturing, but in operation. So you come to us and say, this is what I want to do. This is my certificate authority. These are the keys and certs I want. These are the cloud technologies I wish to support. Okay. And here's my chip. Now Data I/O, what do I do? We go, great. Chances are we probably already support the chip you want to do. If not, we'll go do a device support for you. We'll have a conversation, and we'll share with you our job creator tool suite so that you can input information securely on your end or your certificate authority, your cloud onboarding, et cetera, and then hand that to your own factory or your own manufacturing partner or a programming center. Again, this is a securely wrapped job. And you tell it, okay, I got this chip, here's the CA information I want. Here's what I wish done with it, and here's a cloud that I'm going to be onboarding to and away you go. We believe, and it's taken us a while to get it to be that straightforward and that simple, but we believe that's ultimately what needs to happen to make the market move. And that capability is in SentriX today. It's in SentriX, whether you choose to deploy it in your own factory, in a partner-owned factory, for example, if you're choosing a contract manufacturer or if you choose one of our programming center partners that will do that as part of their logistics and kitting services.

So Anthony, just to summarize and sort of help me understand this a little bit. My understanding is like if you take -- when you program a chip without security, you're taking a piece of hardware, a chip and you're kind of waking it up and it's now programmed and now I'm a chip and it has a function. When you program it with SentriX, it's my understanding that it wakes up "wakes up," I'm a chip, but I'm not just a chip. I'm a unique chip, I'm different from the other chips in this patch, and I can't be counterfeited and now it's better for manufacturing inventory control and secure control through the supply chain. Is that kind of how customers use that?

You hit the nail on the head. So if you do standard data programming, no manufacturing process is perfect, okay? So at the end of the day, you have -- we in the industry call it actually the bone pile, right, which is leftover panels or boards that have chips with firmware on it. And so your firmware can be in the clear. It can be discovered by potentially nefarious actors and they can change the firmware. And if they change the firmware, then they can control the device, okay? We've heard about people doing -- getting into devices for denial of service attacks and things like that, taking over compute power or worse, right? They could take over the device and prevent it from operating properly. So what SentriX does is you can still have your data when you turn on the device and wakes up, that firmware package tells the device what to go do, which you can also protect it so that no other firmware can be written over that original firmware load, for example, unless you have the secret handshake or the secret code. That's probably one of the most important aspects of SentriX is protecting firmware throughout the lifecycle of the product. But you also highlighted another benefit that comes and it comes with protecting firmware. There's no other added functionality you need to deploy, but you can also do a full counterfeit check, make sure the parts you have are indeed the parts coming from the manufacturer. Many manufacturers put their own keys in at the beginning of the process, at the wafer level or at the foundry level so they can be authenticated as part of the manufacturing process. So again, Avi, if you're picking, let's just say, TI chips or Infineon chips or NXP chips, many of them have the capabilities to have you go in and read their unique keys so that you can authenticate, yes, this is a chip that I'm paying for. And it's to say model number, the same performance guarantee, et cetera. And then what often happens is that you'll write on top of that, additional keys or certificates that then show it's now part of Avi's great and wonderful IoT device. Okay? So you're right, it's protecting the firmware through the lifecycle of the product that -- and also ensuring you have a secure supply chain. SentriX can help you with both.

Understanding that some of your customers are -- for the SentriX especially are security-conscious, can you discuss some of the more prominent use cases or examples of how customers are using the SentriX platform?

Sure. I'll go over these, and I'll just point out to those of you listening that this is also on our Investor Relations website and our latest IR presentation. So I'll go pretty quickly, but you can see some of the specific examples. One of the early applications, Avi, is metering, both electric metering as well as water metering. If you think about it, this is very important because you pay for the amount of water or electricity that you use. At the same time, most customers and the customers here being the power or the utilities essentially, they need to have accurate billing. And in the old days, they send someone around with a truck and go read the meter on the side of the house. Well, that's very expensive. It's inefficient. And today, a lot of the meters have the ability to upload that information to the utility automatically through some sort of wireless connection. But it's very important that that information be accurate and can't be hacked or duplicated. No one wants -- the utility certainly doesn't want someone getting free power or free water. And you, as a consumer, don't want to get double-billed for inaccurate information. And so we have a number of customers, electric meter OEMs, water meter OEMs that have secured those meters to make sure they can deliver accurate information, not only to the utility, but also that can be proven to the customer, then they have confidence that they're getting a fair bill. And to a certain extent, that security has been mandated in Europe, and we're seeing it also in other parts of the world. So that's probably a very important early application metering. Along the other lines of smart lock. You buy a smart lock because you want to be able to take advantage of the fact that you can open it with your smartphone, you can control access. If you want to let someone in for an hour, either to clean the house or let's say you're running an Airbnb, you can authorize them for a couple of days. It's a great function, but it needs to work and it needs to be something that can't be hacked. Otherwise, you sort of lose the basic capability of a lock. So we have smart lock customers. We also have an electric vehicle manufacturer using us in their charging stations. And again, if you think about it, a lot of these things have a property that they're not under the physical control of the owner, right? One of the key aspects in security, if you go read the books is, well, maintain physical control of your assets, right? If you're a server or a router or something like that, great, you maintain control of that in the data center. But by very definition, a meter or a lock or an electric charger, okay, is going to be out outside of your ability for physical control. So that's why they've been some of the early adopters because if they don't protect these devices that someone can just simply come up and try and hack them and people would do that, but pretty smart. So again, devices that are outside of physical control for IoT are an early market. We've also picked up a large industrial print OEM to make sure that their systems have factory-authorized components if they ever need to be replaced. We've also had multiple wins with a logistics solution provider. Again, they're trying to manage a fleet and that fleet is outside their physical control. So some common themes, customers that want to have the ability to absolutely control their platform even though they don't have physical control. At the same time, they're using newer generation of secure microcontrollers or secure elements. And also they worked with us and we actually have repeat customers here amongst this group. Once they understand how easy it is to work with SentriX and go through it the first time, really, the second and third time is actually even much simpler. So those are some examples of people more generically using the technology. We also have a customer -- I wish we could name, but we can't, that's using our technology to secure a TPM device in hyperscale cloud application for AI. And obviously, it's really important for them -- any time you're doing anything in artificial intelligence, if you don't have security, it's a big problem. As I like to tell people, if you have AI without security, you're making a Terminator movie sequel, okay? Because that's really a problem. If you can't control that device, then AI is just going to run wild on it.

Right. All of these have in common, which is basically taking over the device, hacking and take over the device and that's prevented with this?

Exactly. Make sure that the owner of the device and the provider of the service have confidence that they'll retain control of the device and the data coming off the device, which is what they're paying for, right? The data in this case is a bill. A meter of some sort is authentic and genuine and can stand up to scrutiny.

So now we overlay this -- one of the aspects of your business is you're serving clients, you're not serving clients who want 10 million units or maybe even 1 million units. But you're serving clients who want smaller volume and quantity of units. But when I think about electric meters, water meters and smart locks, there are 30 million households in the United States. There must be millions of smart locks. These OEMs who are using you, when they want to go up to a higher scale, do they stick with you? Are they going to continue to use SentriX? Or do they need to then graduate to someone who could provide millions of chips?

No. The SentriX model is scalable. We've targeted a certain class of customer because we think that's a customer that's underserved today. Now before SentriX, right, you could do security, you could pick up the phone or call your semiconductor supplier and say, I'm a big fruity phone supplier, and I need 1 million chips a week. And they're going to answer that phone call and they're going to take care of you. The challenge is when you have firmware, firmware changes all the time. So getting a semiconductor company to program chips with your firmware is a problem because there are weeks of inventory and we've seen semiconductor shortages here, what happens if you can't get the parts you need, you're in big trouble. So the model for SentriX supports customers that generally won't get the great service directly from the semiconductor suppliers, but also really like the security capability that SentriX offers that provisioning later on in the factory process does not provide, right? You can always also build the whole device and then bolt-on security at the end, okay? It's better than doing nothing. But the analogy I use there is no security is kind of like the 3 little pigs, right? It's the house of straw. Good luck. Bolting on security at the end of the line is the house of wood, right? It's better, but when the hackers hop and pop, they're going to blow down that house. So SentriX is sort of the house of bricks and is much sturdier for all sorts of use cases because it protects the part not only in service, but also through the entire manufacturing process.

Right.

And again, we are -- when we get this chance to sit in front of customers and explain it and walk through this, they get it and they love the technology, they love the ease of use. And we have a couple of customers that are extraordinarily sophisticated. One of them is certainly big enough to do anything they wanted, but they chose SentriX because they can put the technology directly in their factory and do what they needed to do with no one else having any understanding of what that was. And so they're quite comfortable with the security capability of SentriX.

Do you have any -- if I can just ask a quick question, like this root of trust, the idea of root of trust has been in the journals, the electrical engineering journals for, if not 10 years, probably more than that.

Right.

And it's starting finally to get into the market and you're sort of a market point of the sphere for this, for this larger market. What -- is the cadence of interest in a commercialized product picking up? Can you talk about the cadence of interest? Is it taking longer than you expected? Where are you in the process? Where are we? Who is asking you for this product? Is it the chief technology officer, is it the CEO? I'm curious.

Yes. So what we've been trying to do is find the right people to talk to. And you bring up an interesting part. Well, we love the technology, but it's pretty clear we'd love to have more customers as well. And so we think of finding and acquiring the customers is our biggest challenge right now. So step one is, all right, let's talk to our existing customers. And we've had some success there. The problem is we're talking to people generally today on our data programming business that are way downstream from where security decisions are made, okay? So we've had, in some cases, talk to the people that know us real well and say, all right, I understand if you're not the security decision maker, who is? And so we end up going upstream into those organizations and trying to help them understand the benefits of using SentriX technology in many cases on platforms they already have deployed in production, okay? Once we get to those people, it's also -- it does take more time for us to get that interest to turn into revenue. Okay? And a good example is on one of the metering companies. We had a win 2 years ago and we're just starting to see volume production right now. That's not the case typically on anything we do on our data programming business. We move from a win to revenue in 3 to 6 months typically because people are anxious to get going in manufacturing. What we found is we need to be calling further upstream and talking to people about the capability because by the time they get to the factory, they've generally already made a decision on security.

Right. And when you think about the sales cycle, SentriX is a longer sales cycle, but it's not just a capital sale, right? There's -- you've been trying to implement some kind of recurring revenue aspect of this.

Right.

Can you talk about that evolution?

Right, Avi. We've brought in recurring revenue or pay-per-use model with our initial partners in franchise distribution. The model that they use is a pay-per-use model. If you go to a programming center, they're happy to do the work for you. They do a great job and you pay a fee per part. So our original goal was to say, all right, well, let's just -- we'll go on a pay-per-use part as well because we thought the CapEx hurdle upfront was going to be pretty high for some of these people. We broadened that model as we've gone to the OEM channel. Some of the OEMs are okay with pay-per-use. Some of the contract manufacturers are okay with pay-per-use. Some of the OEMs, frankly, just said, look, give me a one -- an all-in price. And so we broadened the pay-per-use model include licensing as well, okay? So you get a SentriX license in addition to everything else you get on the machine and that can be up for a certain volume or it can be an all-you-need license. So we have 2 models there. The license does have an annual renewal fee associated with it because we provide updates, maintenance, enhancements, things like that and customers are pretty happy to get those updates as well.

Can you disclose at all or discuss at all sort of revenue contribution from SentriX yet where it is relative to your expectations, where you see it going?

So the contribution as part of the company is not big enough for us to break it out separately, which means it's -- I wanted to get -- I wanted to get to that point as quickly as possible, but we're not there yet. Where we're going in the future is not only with our existing channels that we've talked about, but also to the OEMs that are using our technology today and also the OEMs that may want a future-proof equipment they're buying from us today, because they believe they're going to have security needs in the future. And so one of the things we've done with SentriX as the platform as it currently stands, is if a customer comes to us and says, look, I have a data need today. But I might have a security need in the future, but I'm not ready to sign up for a contract yet because I don't have all the eyes dotted and teas crossed. What can you do for me, Data I/O? So you can say, all right, we understand. We can give you on your system that you're buying from us today for data programming needs only. We can get you SentriX-ready, okay? In other words, we can change our manufacturing process slightly to include the capabilities for SentriX that the customer may not use for a while. They can go ahead and do all their data programming needs today and know that if they come back to us in 6 months or a year or 2 years and say, in addition to all those parts I'm doing for data, I have this new security chip. I want to run it on SentriX. They already have the machine. They already have SentriX-ready. We can literally come in with a device support and flip a switch to make sure that their machine now can handle SentriX jobs just as easily as it can handle data programming jobs.

Right. Which actually gets me my next question, which is, it's my understanding that SentriX is available on the PSV5000 and 7000. And I don't think you're going to tell me how many of those units you have out. I know you have over 400 units altogether out, but not just -- but what -- of the PSV5000, 7000 that are at what portion or percent are SentriX-ready at this point? Or how many are SentriX-ready? And thinking about the addressable market, how many could be SentriX-ready?

So if you look at the 400 systems, the vast majority are 7000 and 5000. Okay? So of those, you're talking about of SentriX systems and SentriX-ready systems we have in the field, you're looking at a small single-digit percentage today that's actually SentriX-ready or SentriX, actual SentriX. Okay? And if a customer comes in, if they want to have it SentriX-ready when they buy a new system, it doesn't impact their lead time at all. If they wish to upgrade in the field, we can come in and in a day, we can have SentriX-ready.

And SentriX-ready device converts a prior CapEx sale that you may have done last quarter, last year or 2 years ago, and suddenly, you slip a switch, and now that machine is producing a recurring revenue through either a pay-per-use model or an annual license?

The SentriX-ready would include a component of either the pay-per-use or licensing that we described earlier.

And it converts this capital piece of equipment into a recurring revenue generator?

It doesn't -- it wouldn't necessarily change the prior -- for example, the customers paid for a system, they paid for a system. But if they were to add SentriX capability, then we can do that unique additional piece on the recurring revenue model we described.

So there are 350 to 400 machines out there. A small portion of them are already set up for SentriX, but as those other machines and if those other machines convert to SentriX, now you have these machines in place that can conceptually turn into a recurring revenue generators?

Exactly.

And how big do you think that opportunity is? I'm curious if you could sort of lay out how much have you spent to date on the R&D on SentriX and how big do you think this opportunity could be?

Well, we spent -- if you look at R&D over the past 5 years, millions of dollars on SentriX. And the -- we have the core platform done. We spent additional money working with customers on a NRE basis to develop new device supports and things like that. But that's very similar to the model we have on data. So we have the basic SentriX platform done. What we see happening going forward is as more and more customers get past COVID, get past semiconductor shortages, get past sort of an inability to understand how to do security that more and more opportunities will come in. And our job is to simplify and simplify and simplify that process. Okay? And we're to the point now where if a customer comes in and they say I need to add security to something I already have, that's a simple and straightforward process. Okay? If they come in and say, look, Data I/O, I have a whole brand new family of semiconductors that I'm launching, I want you to support them. We're also working with customers on that. Some semiconductor companies wanted to have their chips enabled for SentriX. Others want to have the customer pay for that at the time of use and we're willing to work with both models.

And can you -- I mean, I'm going to put you right in the line of fire here, but can you estimate or provide some sense of, say, an expected revenue -- SentriX revenue per machine? Is it in the $10,000 range, $100,000 range, $1 million range?

I think if you look at the machines that are deployed today, it's not the $1 million range per machine. But I think between the $10,000 and $100,000 range, I think, is appropriate. If a customer comes in with a lot of use, it might be higher than that. They come in with a small use, it might be towards the low end of the range there.

Right. I mean, because you're talking, again, 400 machines, call it, now $50,000 per machine. You're talking about $20 million of annual revenue. And again, you're not going to convert every machine, right, but that's the opportunity for the investor is a long tail.

100% of the installed base convert at the $50,000 number that you mentioned that your math is correct.

Right. I mean we're not there yet. We're...

Probably not there yet, but that sort of gives you an idea what the total available market of the installed bases.

Of the installed base of machines you've already sold, and this is just an incremental recurring aspect of it?

Exactly.

I just thought an opportunity to sort of lay out what the opportunity could look like over time as the security and provisioning matures.

Exactly.

I appreciate you taking the time. Anything else I didn't ask that you want to -- need to -- why is it taking so long?

It's taking so long, Avi, because, frankly, we overestimated how fast the market would convert. We weren't the only ones, but it's on us to get it right. And then as I mentioned earlier, I think -- when we look at what happened with COVID, right, we've been able to keep the business going with COVID. But the ability to sell people on something new has been cut down when you're only able to talk to people on Zoom. Right? It's a fundamental decision where you have to get to the right people. You have to know who they are. You have to sell them on your approach. And the other one was semiconductor shortages. Our distribution partners have been great, but they don't have to sell a lot of security to make a good living right now with semiconductor prices the way they are. And -- go ahead.

What are some of the conferences you attend where you present and sell SentriX if people want to learn a little more?

There are some security conferences. In general, we do a lot of work with the Global Semiconductor Alliance. Embedded World is a great place. That's in Nuremberg, Germany, in -- usually in March. We go to Productronica and Electronica, which are also in Germany. By the way, we think Europe is the leading market for this for a variety of reasons, but we think Americas is coming up quickly. We'll be at APEX, which is a trade show in San Diego at the end of January, talking about SentriX. And we also have some other webinars and other unique content where we talk more specifically via video as we're doing today.

All right. Well, thank you. I hope to -- maybe San Diego in January sounds appealing for this New Yorker.

We'll have room for you at the booth, Avi, come on down.

All right. Thank you.

Thanks very much, Avi. And I'd like to thank everyone for joining us today on this episode of the fireside chat. If you have any questions, please come visit us at the Data I/O website, www.dataio.com. This is Anthony Ambrose. Thank you very much.

Thank you.