private network Archives

IoT security: The foundation for growth beyond connectivity

Introduction

The European Union Agency for Cybersecurity (ENISA) defines the IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making.” In this ecosystem, the information or data flows among the various components of the IoT enable informed decision making for machines, objects, and the spaces in which they operate. Through this web of tightly interconnected cyber-physical systems, the IoT underpins a variety of applications such as smart cities, smart factories, smart agriculture and so forth.

While these applications touch all the areas of our living and working activities, bringing enormous benefits and possibilities, they also exacerbate system complexities and, in turn, significantly enlarge the domain of threats and risks. As a result, securing the IoT is a very complex task, involving the implementation of highly specialised security measures. In market terms, this complexity translates into rich ecosystems of skills and expertise, where there is not one player in charge of securing the IoT, but it is both a responsibility and an opportunity for all players in the value chain.

Thinking about IoT security, the fundamental objective is ensuring the trust between the provider of an IoT solution and the IoT solution adopter. Microsoft IoT Signals, a well-known survey of 3,000 organisations adopting the IoT, emphasizes this in its 2021 edition, where 91% of the organisations surveyed have security concerns about adopting the IoT. 29% of those organisations do not scale their IoT solution due to security concerns. These concerns hamper the benefits enterprises can gain from IoT solutions. For instance, in the same survey, more than 55% of organisations said they were becoming more efficient adopting the IoT, and 23% claimed that their IoT solution has a direct impact on revenue growth. These benefits come from the variety and volume of data gathered through the IoT to drive better informed operational decisions. The result is that IoT data becomes a fundamental and necessary asset that must be protected.

While managing security risks in IoT is often perceived as a necessary burden, this report will instead highlight securing the IoT as an opportunity. For telecoms operators, this opportunity may not always be directly evident in new revenues, but it is fundamental to the creation of trust between provider and the adopter of IoT services. That trust, built through IoT security services, provides a stronger foundation from which to develop new revenue-generating services beyond connectivity.

This report also argues that by building more comprehensive data insights services into their existing IoT platforms mobile network operators are in a strong position to bring that trust to enterprises. As operators expand their security offers from well-known security functions provided at connectivity level – almost embedded in an operator – to more sophisticated security services across the IoT architecture, they can position themselves as a partner and guide to enterprises as they likewise become more sophisticated in their security needs.

The report is structured in three main parts:

Discussion of the key vulnerabilities in the IoT and responses to those defined by regulators and security bodies such as ENISA, NIST, IoT Security Foundation and others.
Analysis of the roles mobile network operators are playing in the IoTsecurity services market.
Analysis of the opportunities for mobile network operators in security services for the IoT.

The research is based on the author’s extensive experience in IoT security, and enriched by interviews with IoT security experts close to the world of mobile network operators. Finally, an understanding of the most authoritative guidelines and analysis (ENISA, NIST, IoTSF, GSMA, OWASP) on IoT security supports the research.

Enter your details below to download an extract of the report

Why IoT security is rising up the agenda

In the fervent debates on the development of the IoT, the security aspect is often hidden or avoided. This stems from a common view among IoT solution companies and end-users that security is a heavy point of discussion that hampers business enthusiasm. This perspective is both unhelpful and dangerous, actively hindering greater scale and trust in the IoT. We strongly believe the argument should be flipped around. Although IoT security is a fundamental risk for the development of the IoT, it is also the means through which to develop robust, reliable, and lucrative IoT solutions. Therefore, IoT security should become a priority in IoT strategy and project development.

There are three considerations that are driving a fundamental shift in perceptions of security from a barrier to an enabler of IoT solutions, both among providers and adopters:

Rising frequency and prevalence of avoidable large scale IoT security breaches. There are plenty of examples of hacking of connected devices and large IoT systems that have dramatically compromised IoT solutions’ functioning, the business case linked to them, and relationships with customers. Recent examples include:

- In May 2021, Colonial Pipe suffered a ransomware attack that impacted the computerised equipment monitoring the entire pipeline system from Texas to New Jersey, carrying 2.5 million barrel of oil a day. The entire system, based on a vast IoT solution of several sensors along the pipeline, was blocked. To re-boot the system, Colonial Pipeline paid 75 Bitcoin (the equivalent of $4.4 million at the time). (The solution to this type of breach is implementation of a remediation strategy.)
- Consumer IoT devices are no less attractive than big corporations to hackers. In June 2021, the McAfee Advanced Threat Research identified a potential security vulnerability in the Peleton Bike+: “The ATR team recently disclosed a vulnerability (CVE-2021-3387) in the Peloton Bike+, which would allow a hacker with either physical access to the Bike+ or access during any point in the supply chain (from construction to delivery), to gain remote root access to the Peloton’s tablet. The hacker could install malicious software, intercept traffic and user’s personal data, and even gain control of the Bike’s camera and microphone over the internet.” The Peleton Bike+ vulnerability almost become a matter of national security in the US, considering that President Jo Biden is, apparently, a Peleton Bike+ user. (The security solution to this type of breach is software and system updates.)

2. Regulatory bodies are responding to the increasing incidence of IoT attacks with guidelines and regulations. Realising the danger of connected devices and systems developed with inappropriate security features, regulators worldwide are issuing specific procedures and policies in IoT security. In some cases these are mandatory and in other cases function as guidance and support.

- Australia has created a voluntary code of practice, Securing the Internet of Things for Consumers, focussing on issues of authorisation, authentication, and access of IoTdata in consumer devices.
- Singapore has issued the IoT Cyber Security Guide to support enterprises to develop secure IoT systems. Enterprises should also comply to IoT-related standards in sensors, sensor networks, and devices.
- The United Kingdom has focussed on security around IoT devices with the first Code of Practice for Consumer IoT Security published in 2018.
- The European Union is focussing on the development of an “IoT Trust” label for IoT consumer devices.
- The United States launched legislation in 2020 – IoT Cybersecurity Improvements Act – which, through a combination of subsidies and project grants, incentivises companies that build and sell IoT solutions to develop them with a security-by-design

These initiatives are all specifically designed around IoT devices and systems. However, it is important to highlight that the relevant legal framework is wider. For example, in the European Union, the three key regulations applying to the sale and use of IoT devices and ecosystems are CE Marking (health and safety of products sold in the EU), GDPR, and the Network and Information Security Directive (NIS Directive). It is well known, but important to stress it, that violation of GDPR – data breaches and misuses of data – can cost up to EUR20 million. A similar legal framework exists in the United States, in which there are three Acts relevant for IoT devices: Federal Trade Commission Act (FTC Act), the Cyber Security Information Sharing Act (CISA), and the Children’s Online Privacy Protection Act (COPPA). Those who violate America’s Federal Trade Commission Act could face fines of $41,484 per violation, per day.

It is also worth noting that many of these regulations focus on the consumer IoT because it has been the weakest in terms of attention to security features, there is a direct link to data privacy (i.e. by hacking into IoT devices malicious actors can gain access to other digital profile data), and most consumers do not have the skill or resources to protect themselves.

3. The increasing business and economic impact of IoT data. Organisations of all kinds are increasingly relying on data for their strategy development, optimisation of processes, increasing engagement with customers and innovating their business models. The data needed for all these activities is increasingly machine generated by an IoT solution. To illustrate this value, there have been several studies on understanding the economic impact of IoT data. For example, in April 2019, GSMA Intelligence estimated that the economic impact of IoT on business productivity was in the order of $175bn, 0.2% of the global GDP. GSMA Intelligence also forecasted that by 2025 the economic impact would increase to $371bn, 0.34% of the global GDP, with IoT companies generating almost a trillion dollar in revenues. Ultimately, if a competitor or malicious actors gets hold of an organisation’s data, then they have accessed one of its most important assets. Therefore, as organisations become ever more data-driven in their strategic decision making, the importance of securing the systems gathering and storing that data will rise.

Defining IoT Security

The US NIST (National Institute for Standards and Technology) defines cyber-risk as “a function of the probability of a given threat source’s exercising any potential vulnerability and the resulting impact of that adverse event on the organisation.” The IoT security risk is one of many cyber-risks to any organisation and refers to the unforeseen exploitation of IoT system vulnerabilities to gain access to assets with the intent to cause harm.

A major challenge in assessing the IoT system vulnerabilities and threats comes from the technological complexity of an IoT solution and the diversity of applications and environments the IoT solution serves. Therefore, IoT security can be assessed in two levels. The first level regards the IoT architectural stack, which is common to different domains and applications. The second level is solution-specific and requires specialised services depending on the domain of applications.

The starting point of the analysis is a model of IoT architecture, illustrated in a simplified format in the diagram below.

Simplified IoT architecture

Source: STL Partners

Executive Summary
- Security can enable MNOs to build beyond connectivity in IoT
- Next steps: Building on security in the Coordination Age
Introduction
- Why IoT security is rising up the agenda
Defining IoT security
- Key IoT vulnerabilities
- Enterprises’ view on securing IoT
- How to meet enterprise needs: Delivering security across three dimensions
Mobile operators’ roles in IoT security
- Telco strategy comparison: IoT security offers vs dedicated business units
- Assessing operators’ security services by function
- Takeaways
Future growth trends for operators to capitalise on
- eSIM and integrated eSIM (iSIM) capabilities
- 5G private network security services
- Managing encryption requirements
- Blockchain in telecommunications
- Secure communication through quantum information and communication technology

Related research

Why the consumer IoT is stuck in the slow lane
Reliance Unlimit: How to build a successful IoT ecosystem
More IoT research from STL Partners

Enter your details below to download an extract of the report

Telstra’s journey in commercialising 5G

Telstra: Maintaining its network leadership

SK Telecom, Verizon and Telstra were among the first in the world to start commercialising 5G networks. SK Telecom and Verizon launched broadband-based propositions in 2018, but it was only in 2019, when 5G smartphones became available, that consumer, business and enterprise customers were really able to experience the networks.

Part 3 of our 3-part series looks at Telstra’s 5G experience and how its propositions have developed from when 5G was launched to the current time. It includes an analysis of both consumer and business offerings promoted on Telstra’s website to identify the revenue streams that 5G is supporting now – as opposed to revenues that new 5G use cases might deliver in future. (We have covered this extensively for a number of verticals, including healthcare, manufacturing, energy, and transport and logistics.)

When its 5G network was launched, Telstra went to market with a 12-month free 5G access period and the intention to charge AUD15 ($12) at the conclusion of the free period. However at the end of the promotion period it opted to keep things simple for consumers, choosing to bundle 5G access with higher tier plans (effectively AUD65 / $50 and above) – and only offer 5G under its main Telstra brand. There were no 5G specific services at launch, however capacity advantages were leveraged to offer zero-rated access to subscription services available with the plan (i.e., subscription services would not consume data). From a customer standpoint the principal and most visible benefit from 5G in the early stages was its noticeably faster speeds.

This report examines the market factors that have enabled and constrained Telstra’s 5G monetisation efforts, as it moves to extend 5G access beyond premium early adopters to a wider audience. It identifies lessons in the commercialisation of 5G for those operators that are on their own 5G journeys and those that have yet to start.

Enter your details below to request an extract of the report

Telstra 5G performance to date

Given that four of the top five key purchase considerations for Australian customers (across consumer, small business and enterprise segments) are network-related (i.e., coverage, speed, reliability and security), Telstra has made network leadership a point of competitive differentiation. It views its investment in 5G as enabling it to stay ahead of customer network expectations as they evolve.

The operator was Australia’s 5G first-mover and it has been able to maintain its leadership in terms of 5G network coverage to date. This is a key deliverable of its T22 plan for transformation in response to challenging industry dynamics and the impact of the National Broadband Network (NBN) – the government’s broadband upgrade initiative.

In a market release on 21 April 2021, Telstra announced that its 5G network covered close to 66% of the Australian population and that it would attain its target of 75% coverage by the end of June 2021 (it achieved this goal on 28 June 2021). Telstra 5G sites number more than 3,700, across 200+ cities and towns, and 5G coverage extended to over 2,700 suburbs.

Post launch in 2019, early take-up of 5G devices was skewed towards consumer and SME segments, but the launch of Apple’s first 5G device in October 2020 helped promote 5G take-up in the enterprise segment (there has historically been a higher penetration of Apple devices in the Enterprise market).

Early consumers were typically metro customers, which aligned to Telstra’s network rollout strategy (covering more populous/high traffic metro areas first).
Enterprise customers were not among the early adopters of 5G devices.

Net porting to the Telstra network was higher for 5G than for 4G for the first few quarters after launch and Telstra saw strong growth from its installed base (largely the early adopters). In August 2020, Telstra reported 210,000 5G devices connected to its network (before iPhone). The launch of iPhone 12 caused the number of 5G devices to jump to 400K by November 2020 (reported at Telstra’s November investors meeting), with 40K new 5G devices being added per week.

72% of 5G iPhones devices were on plans which included 5G access (i.e. top tier).

At the same meeting in November, Telstra reported that 65% of all new Android device sales were of 5G models (e.g. Oppo, Google, Motorola, Samsung), a factor attributed to getting handsets below the AUD1,000 ($771) threshold. This has helped to increase 5G readiness among its customer base.

By February 2021, the number of 5G devices on the Telstra network was over 1 million (this compares to 8.6 million postpay retail customers reported in December 2020, and 19 million customers overall). The share of devices on 5G plans is not public. Telstra continues to report that it is adding “thousands” of 5G devices to its network weekly.

5G devices connected to Telstra’s network since launch

Source: STL Partners based on Telstra public data

Telstra continues to see an increase in customer take-up of 5G-ready plans (new connections and upgrades). It attributes the increase in postpay service additions over the period to a leadership in 5G (supporting its network leadership perceptions), but also acknowledges that other non-network considerations, such as large data allowances may also be driving the uptake of these plans.

Telstra has reported an increase in the “transacting minimum monthly commitment” (TMMC) versus previous calendar period (PCP) for its postpay handheld customers for six months ending December 2020. TMMC is regarded as a lead indicator of ARPU trends (actual ARPU declined due to lost roaming revenue, new plan accounting which allocates more revenue to handsets, lost out-of-bundle revenue and other factors). Telstra regards some of the increase in TMMC as having been driven by the introduction of the latest model handsets. It noted a high attach rate for 5G inclusive plans – AUD65 and above plans – with iPhone 12 devices and the latest Samsung handsets that were introduced during the period (i.e., customers want 5G-ready plans with these new 5G handsets, not 5G access alone).

AUD ($) increase in TMMC on PCP for postpay handheld customers

Source: Telstra

Whilst the initial most obvious benefits of 5G relate to speed, Telstra assumes a broader perspective of 5G’s success metrics, including a comparison of overall NPS which has been consistently higher for customers on 5G plans than for those on 4G plans. There could be a number of reasons for this, aside from better network performance, e.g.:

Positive associations with having something “new”;
A positive effect as a result of iPhone ownership (though Telstra has noticed that the positive trend started before the iPhone launch);
Post-purchase rationalisation;
Richer device capabilities.

Telstra continues to monitor this trend to determine if it will be maintained.

Executive Summary
Introduction
Performance indicators to date
Details of launch
Consumer propositions
- At launch…
- …And now
- Consumer monetisation summary
Business propositions
- At launch…
- …And now
- Business monetisation summary
Analysis of 5G market developments
What next?
Conclusions
Index
Appendix 1

This report builds on earlier STL Partners research, including:

Enter your details below to request an extract of the report

Indoor wireless: A new frontier for IoT and 5G

Introduction to Indoor Wireless

A very large part of the usage of mobile devices – and mobile and other wireless networks – is indoors. Estimates vary but perhaps 70-80% of all wireless data is used while fixed or “nomadic”, inside a building. However, the availability and quality of indoor wireless connections (of all types) varies hugely. This impacts users, network operators, businesses and, ultimately, governments and society.

Whether the use-case is watching a YouTube video on a tablet from a sofa, booking an Uber from a phone in a company’s reception, or controlling a moving robot in a factory, the telecoms industry needs to give much more thought to the user-requirements, technologies and obstacles involved. This is becoming ever more critical as sensitive IoT applications emerge, which are dependent on good connectivity – and which don’t have the flexibility of humans. A sensor or piece of machinery cannot move and stand by a window for a better signal – and may well be in parts of a building that are inaccessible to both humans and many radio transmissions.

While mobile operators and other wireless service providers have important roles to play here, they cannot do everything, everywhere. They do not have the resources, and may lack site access. Planning, deploying and maintaining indoor coverage can be costly.

Indeed, the growing importance and complexity is such that a lot of indoor wireless infrastructure is owned by the building or user themselves – which then brings in further considerations for policymakers about spectrum, competition and more. There is a huge upsurge of interest in both improved Wi-Fi, and deployments of private cellular networks indoors, as some organisations recognise connectivity as so strategically-important they wish to control it directly, rather than relying on service providers. Various new classes of SP are emerging too, focused on particular verticals or use-cases.

In the home, wireless networks are also becoming a battleground for “ecosystem leverage”. Fixed and cable networks want to improve their existing Wi-Fi footprint to give “whole home” coverage worthy of gigabit fibre or cable connections. Cellular providers are hoping to swing some residential customers to mobile-only subscriptions. And technology firms like Google see home Wi-Fi as a pivotal element to anchor other smart-home services.

Large enterprise and “campus” sites like hospitals, chemical plants, airports, hotels and shopping malls each have complex on-site wireless characteristics and requirements. No two are alike – but all are increasingly dependent on wireless connections for employees, visitors and machines. Again, traditional “outdoors” cellular service-providers are not always best-placed to deliver this – but often, neither is anyone else. New skills and deployment models are needed, ideally backed with more cost—effective (and future-proofed) technology and tools.

In essence, there is a conflict between “public network service” and “private property” when it comes to wireless connectivity. For the fixed network, there is a well-defined “demarcation point” where a cable enters the building, and ownership and responsibilities switch from telco to building owner or end-user. For wireless, that demarcation is much harder to institutionalise, as signals propagate through walls and windows, often in unpredictable and variable fashion. Some large buildings even have their own local cellular base stations, and dedicated systems to “pipe the signal through the building” (distributed antenna systems, DAS).

Where is indoor coverage required?

There are numerous sub-divisions of “indoors”, each of which brings its own challenges, opportunities and market dynamics:

• Residential properties: houses & apartment blocks
• Enterprise “carpeted offices”, either owned/occupied, or multi-tenant
• Public buildings, where visitors are more numerous than staff (e.g. shopping malls, sports stadia, schools), and which may also have companies as tenants or concessions.
• Inside vehicles (trains, buses, boats, etc.) and across transport networks like metro systems or inside tunnels
• Industrial sites such as factories or oil refineries, which may blend “indoors” with “onsite”

In addition to these broad categories are assorted other niches, plus overlaps between the sectors. There are also other dimensions around scale of building, single-occupant vs. shared tenancy, whether the majority of “users” are humans or IoT devices, and so on.

In a nutshell: indoor wireless is complex, heterogeneous, multi-stakeholder and often expensive to deal with. It is no wonder that most mobile operators – and most regulators – focus on outdoor, wide-area networks both for investment, and for license rules on coverage. It is unreasonable to force a telco to provide coverage that reaches a subterranean, concrete-and-steel bank vault, when their engineers wouldn’t even be allowed access to it.

How much of a problem is indoor coverage?

Anecdotally, many locations have problems with indoor coverage – cellular networks are patchy, Wi- Fi can be cumbersome to access and slow, and GPS satellite location signals don’t work without line- of-sight to several satellites. We have all complained about poor connectivity in our homes or offices, or about needing to stand next to a window. With growing dependency on mobile devices, plus the advent of IoT devices everywhere, for increasingly important applications, good wireless connectivity is becoming more essential.

Yet hard data about indoor wireless coverage is also very patchy. UK regulator Ofcom is one of the few that reports on availability / usability of cellular signals, and few regulators (Japan’s is another) enforce it as part of spectrum licenses. Fairly clearly, it is hard to measure, as operators cannot do systematic “drive tests” indoors, while on-device measurements usually cannot determine if they are inside or outside without being invasive of the user’s privacy. Most operators and regulators estimate coverage, based on some samples plus knowledge of outdoor signal strength and typical building construction practices. The accuracy (and up-to-date assumptions) is highly questionable.

Indoor coverage data is hard to find

Contents:

Executive Summary
Likely outcomes
What telcos need to do
Introduction to Indoor Wireless
Overview
Where is indoor coverage required?
How much of a problem is indoor coverage?
The key science lesson of indoor coverage
The economics of indoor wireless
Not just cellular coverage indoors
Yet more complications are on the horizon…
The role of regulators and policymakers
Systems and stakeholders for indoor wireless
Technical approaches to indoor wireless
Stakeholders for indoor wireless
Home networking: is Mesh Wi-Fi the answer?
Is outside-in cellular good enough for the home on its own?
Home Wi-Fi has complexities and challenges
Wi-Fi innovations will perpetuate its dominance
Enterprise/public buildings and the rise of private cellular and neutral host models
Who pays?
Single-operator vs. multi-operator: enabling “neutral hosts”
Industrial sites and IoT
Conclusions
Can technology solve MNO’s “indoor problem”?
Recommendations

Figures:

Indoor coverage data is hard to find
Insulation impacts indoor penetration significantly
3.5GHz 5G might give acceptable indoor coverage
Indoor wireless costs and revenues
In-Building Wireless face a dynamic backdrop
Key indoor wireless architectures
Different building types, different stakeholders
Whole-home meshes allow Wi-Fi to reach all corners of the building
Commercial premises now find good wireless essential
Neutral Hosts can offer multi-network coverage to smaller sites than DAS
Every industrial sector has unique requirements for wireless

Tag: private network

IoT security: The foundation for growth beyond connectivity

Introduction

Enter your details below to download an extract of the report

Why IoT security is rising up the agenda

Defining IoT Security

Simplified IoT architecture

Table of contents

Related research

Enter your details below to download an extract of the report

Indoor wireless: A new frontier for IoT and 5G

Introduction to Indoor Wireless

Where is indoor coverage required?

How much of a problem is indoor coverage?

Sample Reports