The European Union Agency for Cybersecurity (ENISA) defines the IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making.” In this ecosystem, the information or data flows among the various components of the IoT enable informed decision making for machines, objects, and the spaces in which they operate. Through this web of tightly interconnected cyber-physical systems, the IoT underpins a variety of applications such as smart cities, smart factories, smart agriculture and so forth.
While these applications touch all the areas of our living and working activities, bringing enormous benefits and possibilities, they also exacerbate system complexities and, in turn, significantly enlarge the domain of threats and risks. As a result, securing the IoT is a very complex task, involving the implementation of highly specialised security measures. In market terms, this complexity translates into rich ecosystems of skills and expertise, where there is not one player in charge of securing the IoT, but it is both a responsibility and an opportunity for all players in the value chain.
Thinking about IoT security, the fundamental objective is ensuring the trust between the provider of an IoT solution and the IoT solution adopter. Microsoft IoT Signals, a well-known survey of 3,000 organisations adopting the IoT, emphasizes this in its 2021 edition, where 91% of the organisations surveyed have security concerns about adopting the IoT. 29% of those organisations do not scale their IoT solution due to security concerns. These concerns hamper the benefits enterprises can gain from IoT solutions. For instance, in the same survey, more than 55% of organisations said they were becoming more efficient adopting the IoT, and 23% claimed that their IoT solution has a direct impact on revenue growth. These benefits come from the variety and volume of data gathered through the IoT to drive better informed operational decisions. The result is that IoT data becomes a fundamental and necessary asset that must be protected.
While managing security risks in IoT is often perceived as a necessary burden, this report will instead highlight securing the IoT as an opportunity. For telecoms operators, this opportunity may not always be directly evident in new revenues, but it is fundamental to the creation of trust between provider and the adopter of IoT services. That trust, built through IoT security services, provides a stronger foundation from which to develop new revenue-generating services beyond connectivity.
This report also argues that by building more comprehensive data insights services into their existing IoT platforms mobile network operators are in a strong position to bring that trust to enterprises. As operators expand their security offers from well-known security functions provided at connectivity level – almost embedded in an operator – to more sophisticated security services across the IoT architecture, they can position themselves as a partner and guide to enterprises as they likewise become more sophisticated in their security needs.
The report is structured in three main parts:
- Discussion of the key vulnerabilities in the IoT and responses to those defined by regulators and security bodies such as ENISA, NIST, IoT Security Foundation and others.
- Analysis of the roles mobile network operators are playing in the IoTsecurity services market.
- Analysis of the opportunities for mobile network operators in security services for the IoT.
The research is based on the author’s extensive experience in IoT security, and enriched by interviews with IoT security experts close to the world of mobile network operators. Finally, an understanding of the most authoritative guidelines and analysis (ENISA, NIST, IoTSF, GSMA, OWASP) on IoT security supports the research.
Enter your details below to download an extract of the report
Why IoT security is rising up the agenda
In the fervent debates on the development of the IoT, the security aspect is often hidden or avoided. This stems from a common view among IoT solution companies and end-users that security is a heavy point of discussion that hampers business enthusiasm. This perspective is both unhelpful and dangerous, actively hindering greater scale and trust in the IoT. We strongly believe the argument should be flipped around. Although IoT security is a fundamental risk for the development of the IoT, it is also the means through which to develop robust, reliable, and lucrative IoT solutions. Therefore, IoT security should become a priority in IoT strategy and project development.
There are three considerations that are driving a fundamental shift in perceptions of security from a barrier to an enabler of IoT solutions, both among providers and adopters:
- Rising frequency and prevalence of avoidable large scale IoT security breaches. There are plenty of examples of hacking of connected devices and large IoT systems that have dramatically compromised IoT solutions’ functioning, the business case linked to them, and relationships with customers. Recent examples include:
- In May 2021, Colonial Pipe suffered a ransomware attack that impacted the computerised equipment monitoring the entire pipeline system from Texas to New Jersey, carrying 2.5 million barrel of oil a day. The entire system, based on a vast IoT solution of several sensors along the pipeline, was blocked. To re-boot the system, Colonial Pipeline paid 75 Bitcoin (the equivalent of $4.4 million at the time). (The solution to this type of breach is implementation of a remediation strategy.)
- Consumer IoT devices are no less attractive than big corporations to hackers. In June 2021, the McAfee Advanced Threat Research identified a potential security vulnerability in the Peleton Bike+: “The ATR team recently disclosed a vulnerability (CVE-2021-3387) in the Peloton Bike+, which would allow a hacker with either physical access to the Bike+ or access during any point in the supply chain (from construction to delivery), to gain remote root access to the Peloton’s tablet. The hacker could install malicious software, intercept traffic and user’s personal data, and even gain control of the Bike’s camera and microphone over the internet.” The Peleton Bike+ vulnerability almost become a matter of national security in the US, considering that President Jo Biden is, apparently, a Peleton Bike+ user. (The security solution to this type of breach is software and system updates.)
2. Regulatory bodies are responding to the increasing incidence of IoT attacks with guidelines and regulations. Realising the danger of connected devices and systems developed with inappropriate security features, regulators worldwide are issuing specific procedures and policies in IoT security. In some cases these are mandatory and in other cases function as guidance and support.
- Australia has created a voluntary code of practice, Securing the Internet of Things for Consumers, focussing on issues of authorisation, authentication, and access of IoTdata in consumer devices.
- Singapore has issued the IoT Cyber Security Guide to support enterprises to develop secure IoT systems. Enterprises should also comply to IoT-related standards in sensors, sensor networks, and devices.
- The United Kingdom has focussed on security around IoT devices with the first Code of Practice for Consumer IoT Security published in 2018.
- The European Union is focussing on the development of an “IoT Trust” label for IoT consumer devices.
- The United States launched legislation in 2020 – IoT Cybersecurity Improvements Act – which, through a combination of subsidies and project grants, incentivises companies that build and sell IoT solutions to develop them with a security-by-design
These initiatives are all specifically designed around IoT devices and systems. However, it is important to highlight that the relevant legal framework is wider. For example, in the European Union, the three key regulations applying to the sale and use of IoT devices and ecosystems are CE Marking (health and safety of products sold in the EU), GDPR, and the Network and Information Security Directive (NIS Directive). It is well known, but important to stress it, that violation of GDPR – data breaches and misuses of data – can cost up to EUR20 million. A similar legal framework exists in the United States, in which there are three Acts relevant for IoT devices: Federal Trade Commission Act (FTC Act), the Cyber Security Information Sharing Act (CISA), and the Children’s Online Privacy Protection Act (COPPA). Those who violate America’s Federal Trade Commission Act could face fines of $41,484 per violation, per day.
It is also worth noting that many of these regulations focus on the consumer IoT because it has been the weakest in terms of attention to security features, there is a direct link to data privacy (i.e. by hacking into IoT devices malicious actors can gain access to other digital profile data), and most consumers do not have the skill or resources to protect themselves.
3. The increasing business and economic impact of IoT data. Organisations of all kinds are increasingly relying on data for their strategy development, optimisation of processes, increasing engagement with customers and innovating their business models. The data needed for all these activities is increasingly machine generated by an IoT solution. To illustrate this value, there have been several studies on understanding the economic impact of IoT data. For example, in April 2019, GSMA Intelligence estimated that the economic impact of IoT on business productivity was in the order of $175bn, 0.2% of the global GDP. GSMA Intelligence also forecasted that by 2025 the economic impact would increase to $371bn, 0.34% of the global GDP, with IoT companies generating almost a trillion dollar in revenues. Ultimately, if a competitor or malicious actors gets hold of an organisation’s data, then they have accessed one of its most important assets. Therefore, as organisations become ever more data-driven in their strategic decision making, the importance of securing the systems gathering and storing that data will rise.
Defining IoT Security
The US NIST (National Institute for Standards and Technology) defines cyber-risk as “a function of the probability of a given threat source’s exercising any potential vulnerability and the resulting impact of that adverse event on the organisation.” The IoT security risk is one of many cyber-risks to any organisation and refers to the unforeseen exploitation of IoT system vulnerabilities to gain access to assets with the intent to cause harm.
A major challenge in assessing the IoT system vulnerabilities and threats comes from the technological complexity of an IoT solution and the diversity of applications and environments the IoT solution serves. Therefore, IoT security can be assessed in two levels. The first level regards the IoT architectural stack, which is common to different domains and applications. The second level is solution-specific and requires specialised services depending on the domain of applications.
The starting point of the analysis is a model of IoT architecture, illustrated in a simplified format in the diagram below.
Simplified IoT architecture
Source: STL Partners
Table of contents
- Executive Summary
- Security can enable MNOs to build beyond connectivity in IoT
- Next steps: Building on security in the Coordination Age
- Why IoT security is rising up the agenda
- Defining IoT security
- Key IoT vulnerabilities
- Enterprises’ view on securing IoT
- How to meet enterprise needs: Delivering security across three dimensions
- Mobile operators’ roles in IoT security
- Telco strategy comparison: IoT security offers vs dedicated business units
- Assessing operators’ security services by function
- Future growth trends for operators to capitalise on
- eSIM and integrated eSIM (iSIM) capabilities
- 5G private network security services
- Managing encryption requirements
- Blockchain in telecommunications
- Secure communication through quantum information and communication technology
Enter your details below to download an extract of the report