IoT security: The foundation for growth beyond connectivity

Introduction

The European Union Agency for Cybersecurity (ENISA) defines the IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making.” In this ecosystem, the information or data flows among the various components of the IoT enable informed decision making for machines, objects, and the spaces in which they operate. Through this web of tightly interconnected cyber-physical systems, the IoT underpins a variety of applications such as smart cities, smart factories, smart agriculture and so forth.

While these applications touch all the areas of our living and working activities, bringing enormous benefits and possibilities, they also exacerbate system complexities and, in turn, significantly enlarge the domain of threats and risks. As a result, securing the IoT is a very complex task, involving the implementation of highly specialised security measures. In market terms, this complexity translates into rich ecosystems of skills and expertise, where there is not one player in charge of securing the IoT, but it is both a responsibility and an opportunity for all players in the value chain.

Thinking about IoT security, the fundamental objective is ensuring trust between the provider of an IoT solution and the IoT solution adopter. Microsoft IoT Signals, a well-known survey of 3,000 organisations adopting the IoT, emphasises this in its 2021 edition, where 91% of the organisations surveyed have security concerns about adopting the IoT, and 29% of those organisations do not scale their IoT solution due to security concerns. These concerns hamper the benefits enterprises can gain from IoT solutions. For instance, in the same survey, more than 55% of organisations said they were becoming more efficient by adopting the IoT, and 23% claimed that their IoT solution has a direct impact on revenue growth. These benefits come from the variety and volume of data gathered through the IoT to drive better informed operational decisions. The result is that IoT data becomes a fundamental and necessary asset that must be protected.

While managing security risks in IoT is often perceived as a necessary burden, this report will instead highlight securing the IoT as an opportunity. For telecoms operators, this opportunity may not always be directly evident in new revenues, but it is fundamental to the creation of trust between provider and the adopter of IoT services. That trust, built through IoT security services, provides a stronger foundation from which to develop new revenue-generating services beyond connectivity.

This report also argues that, by building more comprehensive data insights services into their existing IoT platforms, mobile network operators are in a strong position to bring that trust to enterprises. As operators expand their security offers from well-known security functions provided at the connectivity level – almost embedded in an operator – to more sophisticated security services across the IoT architecture, they can position themselves as a partner and guide to enterprises as those enterprises likewise become more sophisticated in their security needs.

The report is structured in three main parts:

  1. Discussion of the key vulnerabilities in the IoT and responses to those defined by regulators and security bodies such as ENISA, NIST, IoT Security Foundation and others.
  2. Analysis of the roles mobile network operators are playing in the IoT security services market.
  3. Analysis of the opportunities for mobile network operators in security services for the IoT.

The research is based on the author’s extensive experience in IoT security, and enriched by interviews with IoT security experts close to the world of mobile network operators. Finally, an understanding of the most authoritative guidelines and analysis (ENISA, NIST, IoTSF, GSMA, OWASP) on IoT security supports the research.


Why IoT security is rising up the agenda

In the fervent debates on the development of the IoT, the security aspect is often hidden or avoided. This stems from a common view among IoT solution companies and end-users that security is a heavy point of discussion that hampers business enthusiasm. This perspective is both unhelpful and dangerous, actively hindering greater scale and trust in the IoT. We strongly believe the argument should be flipped around. Although IoT security is a fundamental risk for the development of the IoT, it is also the means through which to develop robust, reliable, and lucrative IoT solutions. Therefore, IoT security should become a priority in IoT strategy and project development.

There are three considerations that are driving a fundamental shift in perceptions of security from a barrier to an enabler of IoT solutions, both among providers and adopters:

  1. Rising frequency and prevalence of avoidable large-scale IoT security breaches. There are plenty of examples of hacking of connected devices and large IoT systems that have dramatically compromised IoT solutions’ functioning, the business case linked to them, and relationships with customers. Recent examples include:
    • In May 2021, Colonial Pipeline suffered a ransomware attack that impacted the computerised equipment monitoring the entire pipeline system from Texas to New Jersey, carrying 2.5 million barrels of oil a day. The entire system, based on a vast IoT solution of several sensors along the pipeline, was blocked. To re-boot the system, Colonial Pipeline paid 75 Bitcoin (the equivalent of $4.4 million at the time). (The solution to this type of breach is implementation of a remediation strategy.)
    • Consumer IoT devices are no less attractive to hackers than big corporations. In June 2021, McAfee Advanced Threat Research identified a potential security vulnerability in the Peloton Bike+: “The ATR team recently disclosed a vulnerability (CVE-2021-3387) in the Peloton Bike+, which would allow a hacker with either physical access to the Bike+ or access during any point in the supply chain (from construction to delivery), to gain remote root access to the Peloton’s tablet. The hacker could install malicious software, intercept traffic and user’s personal data, and even gain control of the Bike’s camera and microphone over the internet.” The Peloton Bike+ vulnerability almost became a matter of national security in the US, considering that President Joe Biden is, apparently, a Peloton Bike+ user. (The security solution to this type of breach is software and system updates.)

  2. Regulatory bodies are responding to the increasing incidence of IoT attacks with guidelines and regulations. Realising the danger of connected devices and systems developed with inappropriate security features, regulators worldwide are issuing specific procedures and policies in IoT security. In some cases these are mandatory and in other cases function as guidance and support.

    • Australia has created a voluntary code of practice, Securing the Internet of Things for Consumers, focussing on issues of authorisation, authentication, and access to IoT data in consumer devices.
    • Singapore has issued the IoT Cyber Security Guide to support enterprises in developing secure IoT systems. Enterprises should also comply with IoT-related standards in sensors, sensor networks, and devices.
    • The United Kingdom has focussed on security around IoT devices with the first Code of Practice for Consumer IoT Security published in 2018.
    • The European Union is focussing on the development of an “IoT Trust” label for IoT consumer devices.
    • The United States launched legislation in 2020 – IoT Cybersecurity Improvements Act – which, through a combination of subsidies and project grants, incentivises companies that build and sell IoT solutions to develop them with a security-by-design

These initiatives are all specifically designed around IoT devices and systems. However, it is important to highlight that the relevant legal framework is wider. For example, in the European Union, the three key regulations applying to the sale and use of IoT devices and ecosystems are CE Marking (health and safety of products sold in the EU), GDPR, and the Network and Information Security Directive (NIS Directive). It is well known, but worth stressing, that violation of GDPR – data breaches and misuse of data – can cost up to EUR20 million. A similar legal framework exists in the United States, in which there are three Acts relevant to IoT devices: the Federal Trade Commission Act (FTC Act), the Cyber Security Information Sharing Act (CISA), and the Children’s Online Privacy Protection Act (COPPA). Those who violate America’s Federal Trade Commission Act could face fines of $41,484 per violation, per day.

It is also worth noting that many of these regulations focus on the consumer IoT because it has been the weakest in terms of attention to security features, there is a direct link to data privacy (i.e. by hacking into IoT devices, malicious actors can gain access to other digital profile data), and most consumers do not have the skills or resources to protect themselves.

  3. The increasing business and economic impact of IoT data. Organisations of all kinds are increasingly relying on data for their strategy development, optimisation of processes, increasing engagement with customers and innovating their business models. The data needed for all these activities is increasingly machine generated by an IoT solution. To illustrate this value, there have been several studies on understanding the economic impact of IoT data. For example, in April 2019, GSMA Intelligence estimated that the economic impact of IoT on business productivity was in the order of $175bn, 0.2% of global GDP. GSMA Intelligence also forecasted that by 2025 the economic impact would increase to $371bn, 0.34% of global GDP, with IoT companies generating almost a trillion dollars in revenues. Ultimately, if a competitor or malicious actor gets hold of an organisation’s data, then they have accessed one of its most important assets. Therefore, as organisations become ever more data-driven in their strategic decision making, the importance of securing the systems gathering and storing that data will rise.

Defining IoT Security

The US NIST (National Institute of Standards and Technology) defines cyber-risk as “a function of the probability of a given threat source’s exercising any potential vulnerability and the resulting impact of that adverse event on the organisation.” IoT security risk is one of many cyber-risks to any organisation and refers to the unforeseen exploitation of IoT system vulnerabilities to gain access to assets with the intent to cause harm.

A major challenge in assessing IoT system vulnerabilities and threats comes from the technological complexity of an IoT solution and the diversity of applications and environments the IoT solution serves. Therefore, IoT security can be assessed at two levels. The first level concerns the IoT architectural stack, which is common to different domains and applications. The second level is solution-specific and requires specialised services depending on the domain of application.

The starting point of the analysis is a model of IoT architecture, illustrated in a simplified format in the diagram below.

Figure: Simplified IoT architecture

Source: STL Partners

Table of contents

  • Executive Summary
    • Security can enable MNOs to build beyond connectivity in IoT
    • Next steps: Building on security in the Coordination Age
  • Introduction
    • Why IoT security is rising up the agenda
  • Defining IoT security
    • Key IoT vulnerabilities
    • Enterprises’ view on securing IoT
    • How to meet enterprise needs: Delivering security across three dimensions
  • Mobile operators’ roles in IoT security
    • Telco strategy comparison: IoT security offers vs dedicated business units
    • Assessing operators’ security services by function
    • Takeaways
  • Future growth trends for operators to capitalise on
    • eSIM and integrated eSIM (iSIM) capabilities
    • 5G private network security services
    • Managing encryption requirements
    • Blockchain in telecommunications
    • Secure communication through quantum information and communication technology

Related research


Indoor wireless: A new frontier for IoT and 5G

Introduction to Indoor Wireless

A very large part of the usage of mobile devices – and mobile and other wireless networks – is indoors. Estimates vary but perhaps 70-80% of all wireless data is used while fixed or “nomadic”, inside a building. However, the availability and quality of indoor wireless connections (of all types) varies hugely. This impacts users, network operators, businesses and, ultimately, governments and society.

Whether the use-case is watching a YouTube video on a tablet from a sofa, booking an Uber from a phone in a company’s reception, or controlling a moving robot in a factory, the telecoms industry needs to give much more thought to the user-requirements, technologies and obstacles involved. This is becoming ever more critical as sensitive IoT applications emerge, which are dependent on good connectivity – and which don’t have the flexibility of humans. A sensor or piece of machinery cannot move and stand by a window for a better signal – and may well be in parts of a building that are inaccessible to both humans and many radio transmissions.

While mobile operators and other wireless service providers have important roles to play here, they cannot do everything, everywhere. They do not have the resources, and may lack site access. Planning, deploying and maintaining indoor coverage can be costly.

Indeed, the growing importance and complexity is such that a lot of indoor wireless infrastructure is owned by the building or user themselves – which then brings in further considerations for policymakers about spectrum, competition and more. There is a huge upsurge of interest in both improved Wi-Fi, and deployments of private cellular networks indoors, as some organisations recognise connectivity as so strategically-important they wish to control it directly, rather than relying on service providers. Various new classes of SP are emerging too, focused on particular verticals or use-cases.

In the home, wireless networks are also becoming a battleground for “ecosystem leverage”. Fixed and cable networks want to improve their existing Wi-Fi footprint to give “whole home” coverage worthy of gigabit fibre or cable connections. Cellular providers are hoping to swing some residential customers to mobile-only subscriptions. And technology firms like Google see home Wi-Fi as a pivotal element to anchor other smart-home services.

Large enterprise and “campus” sites like hospitals, chemical plants, airports, hotels and shopping malls each have complex on-site wireless characteristics and requirements. No two are alike – but all are increasingly dependent on wireless connections for employees, visitors and machines. Again, traditional “outdoors” cellular service-providers are not always best-placed to deliver this – but often, neither is anyone else. New skills and deployment models are needed, ideally backed with more cost-effective (and future-proofed) technology and tools.

In essence, there is a conflict between “public network service” and “private property” when it comes to wireless connectivity. For the fixed network, there is a well-defined “demarcation point” where a cable enters the building, and ownership and responsibilities switch from telco to building owner or end-user. For wireless, that demarcation is much harder to institutionalise, as signals propagate through walls and windows, often in unpredictable and variable fashion. Some large buildings even have their own local cellular base stations, and dedicated systems to “pipe the signal through the building” (distributed antenna systems, DAS).

Where is indoor coverage required?

There are numerous sub-divisions of “indoors”, each of which brings its own challenges, opportunities and market dynamics:

• Residential properties: houses & apartment blocks
• Enterprise “carpeted offices”, either owned/occupied, or multi-tenant
• Public buildings, where visitors are more numerous than staff (e.g. shopping malls, sports stadia, schools), and which may also have companies as tenants or concessions.
• Inside vehicles (trains, buses, boats, etc.) and across transport networks like metro systems or inside tunnels
• Industrial sites such as factories or oil refineries, which may blend “indoors” with “onsite”

In addition to these broad categories are assorted other niches, plus overlaps between the sectors. There are also other dimensions around scale of building, single-occupant vs. shared tenancy, whether the majority of “users” are humans or IoT devices, and so on.

In a nutshell: indoor wireless is complex, heterogeneous, multi-stakeholder and often expensive to deal with. It is no wonder that most mobile operators – and most regulators – focus on outdoor, wide-area networks both for investment, and for license rules on coverage. It is unreasonable to force a telco to provide coverage that reaches a subterranean, concrete-and-steel bank vault, when their engineers wouldn’t even be allowed access to it.

How much of a problem is indoor coverage?

Anecdotally, many locations have problems with indoor coverage – cellular networks are patchy, Wi-Fi can be cumbersome to access and slow, and GPS satellite location signals don’t work without line-of-sight to several satellites. We have all complained about poor connectivity in our homes or offices, or about needing to stand next to a window. With growing dependency on mobile devices, plus the advent of IoT devices everywhere, for increasingly important applications, good wireless connectivity is becoming more essential.

Yet hard data about indoor wireless coverage is also very patchy. UK regulator Ofcom is one of the few that reports on availability / usability of cellular signals, and few regulators (Japan’s is another) enforce it as part of spectrum licenses. Fairly clearly, it is hard to measure, as operators cannot do systematic “drive tests” indoors, while on-device measurements usually cannot determine whether the device is inside or outside without being invasive of the user’s privacy. Most operators and regulators estimate coverage, based on some samples plus knowledge of outdoor signal strength and typical building construction practices. The accuracy of these estimates (and of the assumptions behind them) is highly questionable.

Figure: Indoor coverage data is hard to find

Contents:

  • Executive Summary
  • Likely outcomes
  • What telcos need to do
  • Introduction to Indoor Wireless
  • Overview
  • Where is indoor coverage required?
  • How much of a problem is indoor coverage?
  • The key science lesson of indoor coverage
  • The economics of indoor wireless
  • Not just cellular coverage indoors
  • Yet more complications are on the horizon…
  • The role of regulators and policymakers
  • Systems and stakeholders for indoor wireless
  • Technical approaches to indoor wireless
  • Stakeholders for indoor wireless
  • Home networking: is Mesh Wi-Fi the answer?
  • Is outside-in cellular good enough for the home on its own?
  • Home Wi-Fi has complexities and challenges
  • Wi-Fi innovations will perpetuate its dominance
  • Enterprise/public buildings and the rise of private cellular and neutral host models
  • Who pays?
  • Single-operator vs. multi-operator: enabling “neutral hosts”
  • Industrial sites and IoT
  • Conclusions
  • Can technology solve MNO’s “indoor problem”?
  • Recommendations

Figures:

  • Indoor coverage data is hard to find
  • Insulation impacts indoor penetration significantly
  • 3.5GHz 5G might give acceptable indoor coverage
  • Indoor wireless costs and revenues
  • In-Building Wireless face a dynamic backdrop
  • Key indoor wireless architectures
  • Different building types, different stakeholders
  • Whole-home meshes allow Wi-Fi to reach all corners of the building
  • Commercial premises now find good wireless essential
  • Neutral Hosts can offer multi-network coverage to smaller sites than DAS
  • Every industrial sector has unique requirements for wireless