During IOT Solutions World Congress, Andrew Parkin-White, Mobile IoT Advisor of MEF, was joined by an expert panel comprising Fernando Llobregat Baena of BICS, Charles Bernard of Cellusys, Martin Garner of CCS Insight and Sylvia Kechiche of the GSMA. The panel explored the issues and challenges of mobile IoT security.
Without robust IoT security, forecasts of billions of IoT devices may not be achievable. Security is a key issue for enterprises, and Sylvia pointed to a large-scale GSMA survey over eight IoT verticals which highlighted that IoT security is among the top three challenges that enterprises are facing. The panel agreed with this assessment, citing that end-to-end security of low power devices with a large physical surface of attack and endpoint access can be problematic. Furthermore, the panel felt that there is a lack of internal understanding of and skills in IoT security in enterprises, which can often drive them to outsourced third-party security assessments.
When asked about the principal challenges surrounding IoT security, the panel concluded that there is often a denial that security issues exist and that many enterprises are still in the starting blocks when it comes to IoT security. One main issue is that devices have a long field life of ten to fifteen years and this can make them vulnerable. Martin believes that even if they are secure today, this long lifecycle means that security will reduce over time. New developments, such as quantum computing, may well not have been a consideration for today’s devices and current in-built security will become redundant. Charles’ opinion is that devices do represent the weak point and there is still a long way to go to make them secure with limited power, computing capability and the inability to have over-the-air updates.
Insufficient expertise, lack of education and inadequate investment all need to improve before enterprises can achieve effective IoT security. There is often a reluctance to invest in robust security despite security breaches proving very harmful to business continuity. On the question of educating the ecosystem, the panel thinks that attacks should be brought to wider attention. Moreover, professionals with a growing responsibility for IoT tend to come from an IT hardware background and are unfamiliar with the questions that they need to ask and do not necessarily have a view on the ten-year software cycle. IoT security remains a large issue to address.
Security is often an afterthought and not considered critical in the rush to launch IoT solutions. It may form part of the latter half of an IoT deployment budget, but Charles believes that security should be by design even though this approach seems at odds with IoT development cycles. There is often an overarching question of who pays for IoT security.
The panel then explored the role of certification and standardisation in IoT security. Codes of conduct do exist but end-to-end standardisation would be difficult to achieve. Fernando sees certification in some parts of the IoT ecosystem, but it is difficult to scale up, and he sees a need for self-certification in the future. Charles points out that the device is the weakest link and regulation should be there to prevent the shipping of IoT devices with a default password.
Should MNOs be a trusted IoT security provider? Sylvia believes that this is a preferred position and cited the example of Telefonica having its Eleven Paths security business to reinforce this. Remaining panellists pointed out that MNOs can only realistically secure connectivity and most IoT applications do not use cellular at present. Fernando feels that security is beyond the capability of the MNO with many different use cases and that specialist organisations prove a better option.
Turning to the issues of IoT privacy, there is a consensus that the web and IoT present different issues. Martin considers that there is better privacy for things than for people but there are questions over where the IoT data goes. In automotive applications, for example, telemetry and personal location data require very different treatment. Sylvia states that applications generate large amounts of data, little of which is analysed, and that an alternative approach for things is needed compared to the GDPR approach for individuals. Charles points out that there remains a question of who the data actually belongs to.
Finally, the panel was asked for one piece of advice they would give in regard to IoT security. Martin believes that organisations should consider the worst things that may happen and plan for this while hoping for the best. Sylvia’s view is that the ecosystem is becoming better informed but still needs to plan to prevent worst case scenarios. Charles states that education is critical, with much detail on security issues being guarded by enterprises. A clearer view on security issues will help the market develop. Fernando points out that steps are required to make devices tamper-proof and to take care with identity and what they are transmitting.
IoT security must remain a key area of focus to sustain the growth of IoT. Without adequate security provision and investment, there are significant risks to future market development.
Join us at the Cellusys Barcelona offices for the best IoT party of MWC Barcelona, from 6pm on Tuesday 25th Feb 2020. The networking event will see discussions with expert IoT panelists as they debate key questions on Device Security and Vulnerabilities in IoT, followed by music, food and drinks until late.