3 ways we can boost IoT security
By 2024, we’re going to have more than 22 billion connected devices in the world, according to Ericsson projections. And that’s not even including smartphones. We’re talking connected cars, robots, shipping containers, agricultural fields, traffic systems and things we can’t even imagine yet.
It’s a vast opportunity but it also brings vast risk. How do you keep billions of devices secure? How about the networks they run on? How do you make sure the data you get from all those devices isn’t compromised?
There is no one-size-fits-all solution, but let’s look at three pillars of the new and comprehensive security approach necessary to make the IoT safe for business:
1. Device security
Your smartphone is a trusted connected device. For example, it is generally the only device allowed easily on corporate networks, and 90 percent of Swedes between the age of 20-40 use a mobile-phone-based digital national identity system launched just seven years ago. The GSMA has also launched Mobile Connect, a global standard in digital authentication connected to a user’s mobile phone.
We need to move this level of security into the IoT. But connecting IoT devices is different from connecting people and their smartphones. First, the IoT encompasses a huge range of devices An IoT device can’t enter a password to gain access, for instance. And while the systems that run our computers and phones are regularly updated, many IoT devices have extremely limited capabilities, cannot have any downtime and will go years between updates.
So how to keep these new devices safe? It requires holistic security thinking spanning new business models, technologies, standards and regulations.
It will also require automation and artificial intelligence. After all, no single person can manually manage the volume of devices on an IoT network. Plus, the continuous flow of new devices and network reconfigurations means that the security landscape will shift constantly. The network must be able to adapt itself to new threats.
In North America, the CTIA has started a certification program for IoT security. The goal is to identify device vulnerabilities and help businesses put the right cybersecurity defenses in place. There is already great demand, and AT&T says that vulnerability scans of IoT devices have grown by four times over the past two years, with only 10 percent of the organizations they’ve surveyed fully confident in their IoT security measures.
We’ve joined forces with AT&T to offer comprehensive testing of IoT devices within the wider CTIA certification program. We’re looking at everything from body cameras to connected streetlights, utility meters, industrial routers and medical devices. Our labs will identify vulnerabilities that could threaten data send from a device across a network.
2. Data integrity, confidentiality and privacy
The value of data is based on its integrity across devices, networks, the cloud and analytics platforms. Data failure can be disastrous – especially within essential industries such as energy, transportation and healthcare. Take the data sent by heart monitors. Instead of worrying about whether the data is being observed, it's more important to make sure it hasn't been tampered with. In this case, an attack on the integrity of the data could (literally) prove fatal.
This means that all parties involved must ensure their data has not been manipulated or tampered with while at-rest, in-transit or in-use. This is a particular challenge with the large volumes of data generated by simple devices that only support limited on-board security technology.
With more data residing in the cloud, traditional perimeter protection for networks will no longer be enough. When data flows across organizational boundaries and nations, it must be protected at all stages; when it is generated, stored, transmitted and used. This must be done over both trusted and untrusted infrastructures. Privacy and confidentiality are important parts of this as well.
3. End-to-end ecosystem security
The real answer to what needs to be secured in the IoT is simple.
To achieve end-to-end ecosystem security, we will depend on collaborative ecosystems of device manufacturers, network providers, platform providers, app developers and end-users.
We need to manage and orchestrate IoT components both horizontally (from device to service and service user) as well as vertically (from hardware to application). This will require a solid underpinning of standardized 3GPP security at the bottom, built-in security and focus on privacy and data protection. 5G is going to enable more and more IoT use cases with vastly diverse requirements, from ultra-reliable connectivity to long battery life to very low cost. The current ad-hoc and fragmented nature of security does not allow for security at massive scale.
Last year we signed a groundbreaking IoT partnership deal with Sprint. We will together build a distributed and virtualized core network dedicated specifically to IoT, in addition to a world-class IoT operating system. This new environment will create an optimal flow of device data, enabling immediate, actionable intelligence at the network edge for end users and enterprises.
And it will only work because security is built into every layer, from what Ivo Rook, senior vice president of IoT for Sprint, calls “unmatched security at the chip level” to distributed and virtualized core networks to service assurance for every element.
Securing the IoT is a challenge only equaled by its business potential. We’re eager to take it on. To learn more, please check out our dedicated page on IoT security.