The number of connected IoT devices or “things” is forecast to rise to 41.6 billion by 2025 according to IDC, presenting huge opportunities for breakthrough innovation… but also increasing the threat of security breaches too. Did you know that 61% of organizations have experienced an IoT security incident? In fact, according to Symantec, this is a growing problem with IoT devices experiencing an average of 5,200 attacks per month.
After spending months designing your smart product or device and releasing it into the field, you might find it’s targeted by malicious actors. Security has been breached – leaving data exposed and resulting in significant penalty fines. In Palo Alto Network’s “2020 Unit 42 IoT Threat Report” they state that 57% of IoT devices are vulnerable to medium- or high-severity attacks, while 41% of attacks exploit device vulnerabilities. IoT malware threats are a growing threat – think of the IoT botnet Mirai – whist ransomware attacks are having a damaging effect on large manufacturers and energy operators.
It’s a gut-wrenching situation. And one that you certainly want to avoid falling victim to. Hardware, software and connectivity platforms all must be secure for IoT devices to deliver the intended service safely and effectively. In this blog we examine IoT security: specifically, connectivity. Learn about the top security risks often associated with connectivity for industrial IoT projects and our robust approach to security in IoT.
GSMA’s IoT Security Guidance
Before we dive into specific IoT connectivity security challenges, we thought we would share some wider industry guidance developed by the GSMA.
To promote best practice for the secure design, development and deployment of IoT services, the GSMA has created a set of IoT Security Guidelines aimed to guide IoT service providers, IoT device manufacturers, IoT developers and network operators. These informative resources cover networks as well as service and endpoint ecosystems include 85 detailed recommendations and address security challenges, attack models and risk assessments.
GSMA state that there are four security challenges preventing IoT from evolving effectively. These hurdles are:
Availability: Ensuring constant connectivity between Endpoints and their respective services
Identity: Authenticating Endpoints, services, and the customer or end-user operating the Endpoint
Privacy: Reducing the potential for harm to individual end-users
Security: Ensuring that system integrity can be verified, tracked, and monitored
By addressing each of these challenges and following GSMA’s IoT Security Assessment, technology and security weaknesses can be identified and resolved. We would recommend looking at these resources, whether you are at the start of your IoT project or reviewing your IoT ecosystem’s security as a whole.
4 IoT connectivity vulnerabilities
Now focusing on specific IoT connectivity vulnerabilities… Without security, any connected device, from vehicles, medical devices to payment systems, can be hacked – opening the floodgates to cybercriminals who can usurp the devices functionality, steal valuable digital data and use the device as an entry point on the larger network. Perhaps more concerningly if a vehicle, for example, is hacked then this could present a risk to human life. More recently a UK-based medical research firm was targeted by the Maze ransomware group and after refusing to pay a ransom, thousands of patient’s personal and medical details were published online. These severe incidents cause long-lasting damage and highlight security vulnerabilities.
Our IoT experts advise that the security risks most associated with IoT connectivity include:
1. Detection time
If IoT devices are unchecked for long periods, security threats and vulnerabilities may go undetected, compounding the impact.
2. Single-purpose IoT devices can be less secure
The unsophisticated single-task nature of many IoT devices can make it difficult to include security software.
3. Lack of certificate-based security
Many IoT SIMs lack more advanced certificate-based security measures.
4. Unsecure data transmission
Many IoT SIMs available today send data via HTTP over standard internet channels, and don’t make use of a private Access Point Name (APN) or Virtual Private Network VPN) to provide a secure data connection back to the customer’s server or cloud service provider. This increases the risk of data being intercepted or lost through malicious or accidental means, or even Denial of Service (DoS) attacks.
The risks to industrial IoT are high. Put simply, the larger the device estate the more attractive the business is to hackers. Smart cities are vulnerable – the more connected a city becomes, the more exposed it becomes to attacks. Smart cities operate using data from a whole host of sensors, from lighting to road conditions, and public services; these sensors could act as a target gateway for hackers.
Imagine the fallout from hackers altering critical information, causing frequent streetlight blackouts, or tampering with traffic flow resulting in major road accidents.
IoT is a rapidly growing space but for wider adoption to take place, it’s imperative we build trust, instil buying confidence and uphold our responsibility by safeguarding IoT applications from the start with robust security.
Eseye’s robust security approach to IoT connectivity
Since our inception, Eseye has built security into our offering from the ground up in our AnyNet Secure® SIM and AnyNet Connectivity Management Platform that delivers our global connectivity service to devices all over the world.
The Eseye AnyNet Secure® SIM and Connectivity proposition combats data security risks as well as offering additional future-proofed functionality. Eseye has a layered but end-to-end approach for security in IoT. Some of these layered services are provided as standard to all customers out-of-the-box, others are provided as a chargeable value-added service to customers who are looking for superior levels of protection.
Eseye’s private Access Point Names (APNs) can be relied upon to provide a secure connection. The network is key to the approach here as it’s a control point and the connectivity layer provides for long term security management of the device. The Eseye APNs are custom-built gateways that sit between the cellular network and the enterprise. It provides authentication of the connections, allocating IP addresses and routes the data from the device to the cloud. This eliminates the risks associated with using a standard shared MNO internet APN.
Thanks to the extended and robust IT infrastructure, Eseye’s private APNs cover all but a few geographies worldwide. Eseye’s APNs have built-in management and monitoring capability to ensure all connections get the best possible service. This capability can reveal a rich stream of information about your data sessions, as well as device activity and network usage. We can use this information to provide enriched device information. Through our constant monitoring solution, we ensure that action is taken immediately to block or mitigate any IoT attacks.
Eseye operates and manages private global networks for all its major clients, allowing them to mask the identities of devices from the public internet or provide private networks and IP connections end-to-end. This secures the connection to the device. At the network level, Eseye restricts access to any service or network as required to help our customers manage the enterprise risk.
IoT connectivity – simply, securely, successfully
A lot of uncertainty surrounds IoT security; the fear of getting it wrong looms large, which makes getting it right even more important.
Our IoT specialists strongly believe that IoT products must be secured at the design stage to protect both data and finances. In this blog, we’ve covered security for IoT connectivity but it’s key to draw attention to the security of your IoT hardware and software too. These three elements come together as your security backbone across your IoT device estate, actively shielding it from security threats.
Discover more about the security measures you need to have in place from device to cloud in this Security Whitepaper and learn how our high levels of device and data security provide our customers with complete peace of mind.