News - 18.01.23

How to Secure IoT (in the Network)

IoT security should not be a game of whack-a-mole!

Introduction

As highlighted in our blog, Key IoT Trends 2023, the IoT market has significant potential for rapid growth due to its highly diverse technologies and use cases. However, important challenges in IoT security need addressing, and these challenges will grow over time in scale, complexity and criticality.

According to Kaspersky research, 43% of businesses have unprotected IoT infrastructure, and cybersecurity concerns remain a barrier to widespread IoT implementation. The most common IoT security threats in 2022 included unencrypted data storage, unsecured financial information, unauthorised access to physical property, weak passwords and ID verification, and botnets and malicious IoT devices.

Kaleido Intelligence’s IoT Connectivity Survey 2022 surveyed more than 750 IoT professionals: they said that end-to-end security was their number one concern. The focus on security is paramount to connectivity providers, as all respondents to the survey expect connectivity providers to offer some form of security, with over half wanting advanced options such as IP address restrictions, traffic burst detection and dynamic control of unconfigured ports.

Building trust is critical for IoT and in 2023 we will see even sharper focus on IoT security. In this blog, we explore the role of the network in securing IoT, plus other important and complementary approaches, such as cybersecurity mesh and zero-trust security.

Here is our take on the key topics and principles relating to IoT security.

Zero-trust security

The zero-trust security model

Zero-trust is a security model and associated set of architectural principles and patterns that, by default, assumes that any connection, endpoint or user is a threat. As a result, the mechanisms and security controls associated with the zero-trust concept don’t rely solely on traditional controls or network boundaries. Instead, a zero-trust security approach requires users and systems to actively prove their trustworthiness. Furthermore, it enforces fine-grained, identity-based rules that govern access to applications, data, and assets.

Transport Layer Security (TLS) is an example of an encryption protocol that is used to establish zero-trust connectivity.

Demand for zero-trust products is growing

The demand for products supporting zero-trust is growing significantly and the zero-trust market is forecast to reach over $50 billion in 2026. The main factors driving the zero-trust market are the rapid growth of the IoT market, the frequency of targeted cyber-attacks, new IoT regulations being implemented in the US, EU, UK and China, and the adoption by organisations of zero-trust network access (ZTNA) during the pandemic.

Zero-trust IoT is not straightforward

However, securing IoT devices in a comprehensive way via a zero-trust approach is not a simple task. It involves layers of complexity due to the incredible diversity of the IoT device ecosystem – hardware design and capabilities, operating systems, varied connectivity bearers, legacy vs new devices, varied deployment locations etc.

In a zero-trust model the device itself forms a critical element of the security regime. This imposes responsibilities on the device that bring technical and operational complexities – in terms of both design and operation. Many IoT devices are themselves quite ‘dumb’ and/or deployed using infrastructure and equipment not initially designed for a connected world. As a result, it can be hard to integrate them into a zero-trust security model.

Security-in-the-network can have a complementary role

Intelligent, software-defined mobile networks provide real-time visibility and control of IoT connectivity - per customer, per SIM or per data session. This involves granular, real-time control of data routing and security policies at the individual IMSI or application level.

In the case of cellular networks, the SIM card itself is a component with sophisticated and well-proven security capabilities which have been gradually refined through the evolution to today’s 4G and 5G networks. Although the security mechanisms they encapsulate were originally designed to secure the attachment to the network (through robust authentication and encryption), they can also be leveraged by IoT applications to bring the same benefits. By using these mechanisms to robustly secure the link between the SIM and the network, zero-trust techniques can then be used between the network and the application without the complexity, burden and risk of doing so from the device itself.

Network level control can determine how individual SIMs connect (and therefore how the devices containing these SIMs can be accessed). Via API, in real-time, access can be limited to a single, trusted IP address, mitigating the risk of a hack or breach.

It is also possible to screen IoT data traffic in real-time, to detect anomalous behaviour.

Such network layer security features complement a zero-trust approach by providing protection across the full spectrum of connected IoT devices, even those which cannot support on-device zero-trust configuration.

Cybersecurity mesh

A top strategic security technology trend for 2022

The cybersecurity mesh was listed as one of Gartner’s Top Strategic Security Technology Trends for 2022. They also highlighted the growing importance of IoT security, due to growth in remote working and edge computing.

Fortune Business Insights project that the global cybersecurity market will grow to over $375 billion by 2029, with losses due to cyberattacks, ransomware and other malware estimated at around $6 trillion annually.

A cybersecurity mesh enables the creation of virtual networks to connect and secure devices. In this “mesh network” data between multiple computer nodes is shared to provide increased protection from cyber-attack. Mesh networks can be specifically designed for use by IoT devices.

Cybersecurity mesh architecture

Gartner defines cybersecurity mesh architecture as “a composable and scalable approach to extending security controls, even to widely distributed assets.” A cybersecurity mesh enables a more flexible and resilient security ecosystem, which is especially suitable for hybrid multi-cloud environments, edge computing and building trust in IoT security across a highly diverse range of technologies.

A cybersecurity mesh enables tools to interoperate through several supportive layers. By advocating interoperability and coordination between individual security products, a cybersecurity mesh results in a more integrated security policy to protect individual endpoints instead of attempting to protect all assets with a singular technology.

Real-time control of mobile data routing and security

As part of a cybersecurity mesh architecture, security-as-a-service in the network layer can play an important role.

This approach can be described as ‘zero-touch’ as opposed to zero-trust, because it involves securing IoT devices in the network without there being a need to touch/configure the device itself.

An intelligent mobile network can implicitly provide security for capability-constrained devices and allow security policies governing device access to be updated without updating each actual device.

Using network level controls, it can be assured that secure resources can only be accessed by authorised endpoints, protecting secure services from unauthorised access.

Traffic screening in the network layer can play an important role in overall IoT solution security, by surfacing anomalies which indicate an active security threat.

Finally, via the intelligent and dynamic control of data routing, as required on a per endpoint basis, traffic can be guaranteed to bypass the internet entirely and travel only over more secure routes - for example, direct-to-cloud or secure transit networks.
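As an added illustration of the network-layer controls described in this section and in “Security-in-the-network can have a complementary role” above (limiting a SIM to a single trusted destination address, refusing ports that were never configured, and surfacing traffic bursts as anomalies), here is a small policy engine run over a handful of flow records. This is example code written for this article, not stacuity’s platform or API: the SimPolicy and Flow structures, the ALLOW/DROP/ALERT decisions, the IMSI values, the flow records and the use of port 8883 (MQTT over TLS) as the configured port are all constructed assumptions, and the addresses come from the documentation-reserved ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Per-SIM network-layer policy evaluation over constructed flow records.

Added example, not stacuity code. Models three of the network-side
controls the post describes: limiting a SIM to one trusted destination
address, blocking ports that were never configured, and flagging traffic
bursts. Every IMSI, address and flow below is a constructed sample value.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SimPolicy:
    allowed_dst: set      # ip_network objects; an empty set means deny all
    allowed_ports: set    # destination ports the customer has configured
    burst_limit: int      # more than this many flows per window raises an alert
    window_s: float       # sliding window length in seconds


@dataclass
class Flow:
    ts: float             # seconds since session start
    imsi: str
    dst_ip: str
    dst_port: int
    nbytes: int


def single_ip_policy(trusted_ip, ports, burst_limit=3, window_s=10.0):
    """Policy that admits only one trusted destination host (the post's
    'limit access to a single, trusted IP address')."""
    return SimPolicy({ip_network(f"{trusted_ip}/32")}, set(ports), burst_limit, window_s)


class PolicyEngine:
    """Evaluates flows in arrival order; policies can be replaced between
    flows, which stands in for the real-time API updates the post describes."""

    def __init__(self, policies):
        self.policies = dict(policies)        # imsi -> SimPolicy
        self.history = defaultdict(deque)     # imsi -> timestamps of admitted flows

    def set_trusted_ip(self, imsi, trusted_ip):
        """Re-point a SIM at a new trusted host without touching the device."""
        old = self.policies[imsi]
        self.policies[imsi] = single_ip_policy(
            trusted_ip, old.allowed_ports, old.burst_limit, old.window_s)

    def evaluate(self, flow):
        """Return (decision, reason); decision is ALLOW, DROP or ALERT."""
        policy = self.policies.get(flow.imsi)
        if policy is None:
            return "DROP", "unknown SIM (default deny)"
        dst = ip_address(flow.dst_ip)
        if not any(dst in net for net in policy.allowed_dst):
            return "DROP", f"destination {flow.dst_ip} is not the trusted host"
        if flow.dst_port not in policy.allowed_ports:
            return "DROP", f"port {flow.dst_port} was never configured"
        # Burst detection over a sliding window of admitted flows only.
        hist = self.history[flow.imsi]
        hist.append(flow.ts)
        while hist and flow.ts - hist[0] > policy.window_s:
            hist.popleft()
        if len(hist) > policy.burst_limit:
            return "ALERT", f"burst: {len(hist)} flows within {policy.window_s}s"
        return "ALLOW", "ok"


def run_sample():
    """Constructed session for one payment-terminal SIM; returns the decisions."""
    imsi = "001010000000001"                   # sample IMSI on the test PLMN 001-01
    engine = PolicyEngine({imsi: single_ip_policy("203.0.113.10", [8883])})
    flows = [
        Flow(0.0, imsi, "203.0.113.10", 8883, 512),   # MQTT over TLS to trusted host
        Flow(1.0, imsi, "198.51.100.7", 8883, 512),   # wrong destination
        Flow(2.0, imsi, "203.0.113.10", 23, 64),      # port never configured
        Flow(3.0, imsi, "203.0.113.10", 8883, 512),
        Flow(4.0, imsi, "203.0.113.10", 8883, 512),
        Flow(5.0, imsi, "203.0.113.10", 8883, 512),   # fourth admitted flow in 10 s
        Flow(6.0, "999990000000000", "203.0.113.10", 8883, 512),  # unprovisioned SIM
    ]
    decisions = [engine.evaluate(f)[0] for f in flows]
    # The operator re-points the SIM at a new backend; the old host is now refused.
    engine.set_trusted_ip(imsi, "203.0.113.20")
    decisions.append(engine.evaluate(Flow(20.0, imsi, "203.0.113.10", 8883, 512))[0])
    decisions.append(engine.evaluate(Flow(21.0, imsi, "203.0.113.20", 8883, 512))[0])
    return decisions


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The point of the sample session is the last two flows: the trusted host changes in the network-side policy and the device keeps its existing configuration, which is what the post means by securing the device without touching it. Note that only admitted flows feed the burst window here; a production screen would normally count refused flows too, since a run of drops is itself a useful anomaly signal.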

Clearly, intelligent networks have an important role to play in overall IoT ecosystem security. Achieving a holistic approach to remote device security that spans both intelligent (e.g. mobile phone, laptop, gateways) and dumb IoT devices (e.g. simple sensors) requires an integrated approach which ensures strong security across all devices, whilst also monitoring traffic across the network. Microsoft’s own Enterprise Next Generation Connectivity strategy advocates a similar approach, whereby they aim to facilitate access through multiple technology solutions instead of a single service (Transforming Microsoft’s enterprise network with next-generation connectivity - Inside Track Blog).

Private mobile connectivity

Private APNs

An APN (Access Point Name) is a point of entry onto an IP network for a mobile device, giving greater control in securing and configuring IoT SIM cards. Common IoT applications utilising private APNs include connected payment terminals, EV charging stations and connected cars.

In effect, the APN is a gateway between the mobile network and another virtual world, with the APN handling and connecting the protocols of both virtual worlds. Every SIM has at least one APN provisioned in the mobile network core of the connectivity provider.  SIMs with multiple APNs can access multiple virtual worlds e.g. internet, VPN tunnel A (to mobile operator A), VPN tunnel B (to mobile operator B) etc.

Access to a Private APN improves IoT solution security by ensuring that data from IoT devices provisioned with that APN travels only over a dedicated, private network.

Private APNs are assigned by upstream mobile operators.  However, the process of requesting/implementing one is not always straightforward. It can take months and involve significant upfront and/or ongoing cost.  This can make it an impractical option, particularly for lower SIM volume use cases and/or where more real-time control is required by the customer.

An exciting, emerging alternative is setting up software-defined, private, secure networks for IoT SIMs. These private ‘slices’ of connectivity can be controlled in real-time, down to the individual SIM level. To enable this capability, IoT connectivity customers need only secure one Private APN from their preferred mobile operator – ‘the last private APN they will ever need’.  From this, the customer can self-serve and manage as many private slices of connectivity as they require.

It is also possible to combine connectivity from multiple upstream APNs/mobile operators into a single, unified consistent service, so that regardless of which APN/mobile operator is used, downstream configurations (including the APN used in the IoT device) can remain unchanged.

Securing ‘dumb’ devices

So-called ‘smart’ devices (in our doorbells, home security systems, thermostats and bikes etc.) are often low-cost sensors that are not very intelligent. They commonly do not have meaningful onboard processing power. Securing these ‘dumb’ devices in the network is another critical tenet in securing IoT. These simple sensors are not sophisticated enough to support on-board VPN configuration. However, the data travelling to and from these devices must be secured. This can be accomplished by managing device VPNs at the network level, in real-time, to ensure that even these dumb devices can be protected.

The role of SIMs in IoT security

Growth of eSIM will support enhanced IoT security

The standard SIM is now morphing into embedded SIM (eSIM) in both consumer and IoT devices.  This is a programmable SIM card which can be embedded directly into a device. eSIM adoption is rapidly accelerating and Juniper Research predicts that the number of eSIMs installed in connected devices will reach 3.4 billion in 2025. More than 200 mobile network operators have plans to or have already launched eSIM services.

For every IoT project, device authentication and secure provisioning represent common elements of heavy lifting.  Players in IoT are now examining how eSIM capabilities can reduce this burden whilst also improving IoT security. For example, IoT projects may use eSIM as an authentication token, whereby the eSIM authenticates the device when it is turned on. The eSIM is also very tamper tolerant.

Initially adopted for connected cars and wearables, eSIMs are now in the industrial space, especially for massive IoT deployments. The ability to deploy thousands of IoT devices efficiently whilst also enabling secure onboarding are example reasons why eSIMs are viewed as the future of mobile-connected IoT. Whilst eSIM adoption in the IoT market remains low relative to its long-term potential, eSIM will eventually become the primary means of mobile network authentication and service provision.

Footnote:

It’s hard to provide a comprehensive list of all key IoT security topics and principles within a relatively short blog. So, if you have any aspects of IoT security you think we should add or different views, please reach out. We’d love to hear from you.

Conclusion

IoT has enormous potential for rapid growth due to its highly diverse technologies and use cases, but cybersecurity concerns remain a barrier to widespread implementation. Critical challenges in IoT security need addressing to mitigate key threats, such as unencrypted data storage, unsecured financial information, access to physical property, weak passwords and ID verification, and botnets and malicious IoT devices.

Building trust is critical. This can be accomplished by adopting a multi-layered approach whereby complementary technologies and architectures, such as zero-trust connectivity and security-as-a-service in the network, can be combined. Even large-scale deployment must start somewhere and with someone.  It is crucial in the early exploration/design phases that individual developers have access to the right set of connectivity controls available, to ensure that their security approach fits the needs of their unique use case. The ‘power of one’ developer precedes and unlocks every attractive business case.

More generally, a comprehensive and pragmatic approach such as that described above can help to ensure that the inevitable complications of large-scale IoT deployments in the real world do not derail overall solution security.

Mobile connectivity providers, such as IoT MVNOs and mobile operators, must innovate to enhance vanilla IoT connectivity services with value-added security features if they are to remain competitive.

How can stacuity help you?

We’re on a mission to help IoT MVNOs, mobile operators and IoT developers by empowering them with fine-grained control of mobile connectivity. Contact our team today if you want to be part of this exciting IoT future and provide more valuable connectivity services.