The IoT industry is growing at an exponential rate, with forecasts estimating that there will be 41.6 billion IoT connected devices or ‘things’ by 2025. Supporting a new generation of smart, connected products, the IoT ecosystem presents significant opportunities to businesses all over the world to launch and grow new connected services. But as the number and types of connected devices grow, so does the potential landscape for fraudsters to operate. IoT security concerns have already been cited as a significant deployment barrier in a recent survey from IMC, and players in the field agree that securing the IoT application is key to fully realizing its true business potential.
The good news is that the vast majority of attacks can be prevented, and the resilience of a deployment significantly improved, with measures that are simple and cost-effective to implement.
IoT security doesn’t have to be complex
Many enterprises tackling IoT fraud are confronted with the problem of where to start. That’s because the ecosystem of any project is extremely complex, involving chipset manufacturers, device makers, software platform providers, connectivity providers and more – all of whom have different infrastructures. What’s more, attack vectors run into the hundreds of thousands for a large global deployment – from device to network to application. A unified global security standard and certification for IoT – though in progress – is still lacking today, making IoT security a daunting prospect at first glance. But it is important to keep in mind, when raising the level of security, that getting the basic measures right can count for double; typically, the Pareto principle applies here, where 20 per cent of the security measures account for 80 per cent of the overall level of security.
How to reduce the global attack surface of IoT deployments leveraging connectivity features
For any connected device to become ‘smart’, it needs to exchange data with its application platform. There is no IoT without connectivity: it plays a central role and is a key enabler for IoT security, with the benefit of being agnostic to device type and application.
Connectivity sits at the center of the technical chain of any IoT deployment, and so the way in which devices are connected to the IoT application server represents a key security consideration.
For any type of IoT deployment, cellular connectivity including 2G, 3G, 4G, LTE-M and NB-IoT is hard to beat from a security standpoint. A SIM card is one of the hardest identifiers in the world to spoof, ensuring high-quality authentication. This is complemented by the fact that mobile networks’ radio communications are encrypted with technology that has been guaranteeing the integrity of communications globally for more than 25 years.
The next layer needing protection is the platform, which manages the device and traffic coming in and out of it. Rules must be set up inside this platform to protect against attack – these could include detection of abnormal behaviour patterns, geofencing, deep packet inspection, and more.
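Two of the platform rules named above, geofencing and abnormal-behaviour detection, shown as an added example that is not from the original article or from any vendor's platform. The record layout, SIM identifiers, policy table and thresholds are assumptions, and the usage records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical per-SIM policy: countries in which each SIM may attach.
POLICY = {"sim-001": {"DE", "FR"}, "sim-002": {"DE"}}

# Constructed usage records: (sim_id, day, serving_country, bytes_sent).
RECORDS = [("sim-001", d, "DE", 2000 + 10 * d) for d in range(1, 8)] + [
    ("sim-001", 8, "DE", 250_000),   # sudden traffic spike
    ("sim-001", 9, "BR", 2100),      # attach outside the geofence
    ("sim-002", 1, "DE", 500),
    ("sim-999", 1, "DE", 500),       # SIM the platform has no policy for
]


def geofence_alerts(records, policy):
    """Flag attaches from unlisted countries; unknown SIMs are denied by default."""
    alerts = []
    for sim, day, country, _ in records:
        allowed = policy.get(sim)
        if allowed is None:
            alerts.append((sim, day, "unknown_sim"))
        elif country not in allowed:
            alerts.append((sim, day, f"geofence:{country}"))
    return alerts


def volume_alerts(records, min_history=5, k=3.0):
    """Flag a day whose volume exceeds the SIM's own baseline by k deviations."""
    history, alerts = defaultdict(list), []
    for sim, day, _, sent in sorted(records, key=lambda r: (r[0], r[1])):
        past = history[sim]
        if len(past) >= min_history:
            base = mean(past)
            # Floor the spread so a perfectly steady device does not alert on noise.
            spread = max(pstdev(past), 0.1 * base)
            if sent > base + k * spread:
                alerts.append((sim, day, "volume_spike"))
                continue  # keep the outlier out of the baseline
        past.append(sent)
    return alerts


if __name__ == "__main__":
    for alert in geofence_alerts(RECORDS, POLICY) + volume_alerts(RECORDS):
        print(alert)
```

Because both checks key on the SIM identity and the traffic the network already sees, they apply regardless of device type or application.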
And finally, data must be protected when in transit, often across national and network borders. Here again, cellular technology presents major advantages. Mobile data traffic uses IPX infrastructure, which is carried securely on a private network to the platform, segregated from the public internet. Enterprises seeking added security can supplement this with a private network to the data centre.
Ensuring end-to-end security at project design, build and launch
Apart from choosing the best connectivity from a security standpoint, enterprises must adopt a security-by-design mindset during design, build and launch.
- Design: A risk assessment, followed by integrity checks, authentication and accreditation, covering devices, connectivity, application platforms and APIs early in the design stage allows enterprises to catch security flaws while they are still relatively easy to address.
- Build: At this stage, conducting penetration tests and reverse engineering against each layer, as well as on the overall deployment, will help to validate the solution and uncover any additional vulnerabilities, both for data ‘at rest’ and data ‘in transit’ over the network.
- Launch: Recurrent penetration testing by third parties can also be done at this point to validate security and test for any new threats. For mission-critical deployments, enterprises should think about adding real-time monitoring solutions such as intrusion detection systems and firewalls.
Best practice for securing IoT connectivity
Whether for consumer applications or industrial M2M, data security is critical to the long-term success of IoT. Security must therefore be a concern of every player in the value chain, and enforced on the device, network and application, and across the three layers, at each stage of development. The central position of connectivity matters here: it is essential to actively securing the end-to-end solution and, because it can be designed to withstand intrusion, it can also protect the deployment.
Navigating security in a complex IoT ecosystem can be a challenge, but if companies take a systematic approach to securing IoT at the design, build and launch phases, the task can be effectively accomplished. By leveraging connectivity to activate IoT security, enterprises can benefit from a central point of enforcement, a device- and server-agnostic deployment, and an independent and granular view of data for monitoring purposes.