The Mobile IoT market is set for rapid growth over the coming years and providers are concentrating more on rapid widescale deployment with security often being a later consideration. This is not a tenable position as IoT applications can be mission critical and security needs to be at the forefront of any solution. In this webinar, MEF Advisor Andrew Parkin-White is joined by two security experts: Ian Smith, IoT Security Lead at the GSMA and Stephen Fitzpatrick, VP IoT at Cellusys.
We explore key issues relating to IoT security including how mobile network operators (MNOs) are implementing the GSMA’s IoT security standards, the processes that need to be in place to deliver trusted IoT services to an MNO’s partners and customers and the commercial benefits that MNOs can achieve through following best practice.
Mobile access technologies: a rapid deployment
As an established trade body for mobile network operators, GSMA reaches over 8bn connections globally via its members. IoT will dwarf these figures with an estimated 25bn connected devices by 2025 with large markets in consumer electronics, connected industry, connected vehicles, smart homes and smart cities. Around 3.5bn IoT connections will be on cellular networks. Basic connectivity is shifting to new networks with LTE-M and NB-IoT having seen 115 commercial launches in 52 markets. Most of the developed world is covered with NB-IoT more prevalent in Europe and Asia and LTE-M in the Americas. A few markets are seeing both technologies co-existing, as is the case in the USA, Brazil, France and Germany. The technologies are complementary and align to specific IoT use cases. Network technology needs to be in place to achieve the vision of 25bn connected devices.
Stephen sees applications emerging on these newer LTE-M and NB-IoT networks. Smart metering is operating well on these networks in Ireland, Denmark, the Netherlands and Sweden. They are not as yet ready for national or pan-European rollout.
IoT Security – the need for a framework
While IoT networks are emerging, the challenge of providing end-to-end security when connecting to these devices remains a major concern. Ian Smith points to the connected city as an example, where a large attack surface is in evidence, with millions of devices, including vehicles, sensors, buildings and lighting, connecting to cloud-based service platforms. The need for security is inherent to ensure availability, protect identity and deliver privacy and integrity in devices that have low complexity and power, long lifecycles and are physically accessible. Furthermore, there is a regulatory push for security to protect the privacy of citizens and manage the risk of millions of connected devices. Guidance is in the form of codes of conduct providing recommendations, but these guidelines tend to lack the detail which is needed for a truly secure solution. A security framework is key to mitigating security risks.
Stephen believes that people understand where the security vulnerabilities lie and expertise is developing in cloud, device and SIM security. He sees the main barriers as lack of understanding, needing education and lack of spend on security, as a function of a low cost to market. Security issues are complex but resolvable. They need both thought and finance to address the challenges.
The GSMA framework
The GSMA starts its IoT security framework with the definition of a generic IoT architecture that contains the building blocks for multiple applications covering the:
- endpoint ecosystem (devices, sensors, robots, user interface)
- communications element (mobile, fixed and local networks)
- service ecosystem (cloud platform)
- back end APIs.
With this simplified architecture, it is possible to represent the attack models and to define mitigations easily. This approach led to a series of best practices, including how to stop cloning and how to protect identities from being snooped on or tampered with and keep them private, whilst ensuring secure service management and protected communications.
This framework is supported by a series of documents that set the structure for security by design from the high-level principles (referenced by government agencies) through to detailed issues (required by experts in the ecosystem).
Of particular interest is the risk assessment template: a suite of recommendations, mitigation techniques and suggestions on how to adapt a particular product or service.
Stephen considers the security framework to be very valuable and believes that security is intrinsic to market development. His opinion is that the more the market and ecosystem partners embrace security thinking, the more futureproof and secure these IoT applications will be.
The recommendations from GSMA
The key recommendation is having a trusted computing base within the endpoint device and strong credentials management. Ian notes that leveraging the SIM for IoT security is a value add that the mobile industry can bring. Whilst the guidelines are a good starting point, a security assessment is needed and the GSMA has developed a framework for the 85 recommendations where they are tabulated with control statements. Security laboratories have emerged offering a security assessment service to customers with a number of operators, including Telefonica and Orange, now providing this service.
IoT security creates new challenges to traditional IT security approaches
The panel was asked about the main security challenges facing IoT services. Ian sees these challenges as needing new guidelines as they represent a different scenario to traditional IT issues and it is not always possible to take security models straight from the IT world and apply them to IoT. These IoT devices are not traditional IT devices as they are simple, cheap, low powered, have a long field life and are physically accessible to attackers. He considers that reducing the attack surface of devices to a small footprint to condense security is a way forward, as is making the device physically tamperproof and resilient to physical attack.
Stephen’s opinion is that best practice is emerging and the ecosystem is beginning to understand where the security vulnerabilities lie. The main barrier has been a lack of education and a reluctance to spend on security. Without robust security, the market will fail.