On May 22nd 2017, the European Union Agency for Network and Information Security (ENISA) issued a position paper raising this very issue of IoT security. Together with major actors of the semiconductor industry (Infineon, NXP, STMicroelectonics), the agency warned of a “market failure” in IoT security so far: it’s important to act now.
It’s true that the current enthusiasm for connecting objects hasn’t brought about a corresponding concern for security issues. As the Mirai botnet and Wannacry attacks made the headlines, there was however growing concern that data theft or device hacking within the IoT ecosystem could lead to dramatic outcomes—and not only in the virtual world.
Achieving true end-to-end security for the IoT will require to leverage on cellular networks’ intrinsic security mechanisms, says Jacques Bonifay, CEO for global embedded connectivity provider Transatel.
Connecting without securing is hazardous
The number of connected ‘things’ is expected to reach 50 billion by 2020 and the opportunities of this tectonic shift are limitless. When all is connected, things work together. It becomes possible to better manage our homes, our factories, our cars, our health, and our environment. This may very well be the key to economic growth and prosperity in the coming decades.
Nothing new under the sun. But let’s pause for a moment. We’re all aware that massive cyber-attacks are taking place in the digital world, with critical consequences such as theft, loss of privacy or ransom. If you believe these threats are important, just imagine how harmful they could be if they occurred in the physical world, for example in a connected car!
Everyone is at risk. 48% of small firms polled in a recent survey by Altman Vilandrie & Company, have experienced at least one IoT security breach in the past year. They expected it to cost them 13.4% of their total revenue.
A dire need for IoT security standards
The industry is in dire need of global security standards but the IoT market remains too fragmented for those to emerge. In consumer as well as in industrial IoT, there exist several competing platform providers, many of which are incompatible, impeding devices’ interconnection.
In this context, no general standards or architectural principles have been adopted as a reference for IoT security.
The two pillars of IoT security
Transatel has a long history of developing and managing secure connectivity solutions. Our 17 years’ experience suggests that two pillars should be at the heart of future global IoT security standards.
Security in the IoT starts with strong ‘things’ identities, rooted in hardware. With strong identity, things can be authenticated when they communicate with each other, with services, or users. And hardware is the best protection for such identities. In the Public Key Infrastructure (PKI), which is already widely used as a standard security technology, the main challenge consists in protecting the secrecy of the private key. To achieve this, software protection is not enough, a secure hardware element is needed.
Luckily, if your device is using cellular connectivity, then it so happens that you already have a secure element: the SIM card. Offering secure end-to-end communication capabilities (known as SIM OTA), a SIM is the perfect security toolbox.
The second recommended approach in an IoT security strategy is to ensure data security on the transport layer, through a secure private network. Cellular networks offer such security because devices and users are given a dedicated APN (Access Point Name) to access the network.
With its SIM 901, Transatel leverages on these two pillars. Contrary to traditional mobile network operators, Transatel grants access to its own SIMs so that they can be used as secure elements by IoT service providers. Thanks to its network-agnostic nature and virtualised core network, Transatel’s SIM 901 lets you benefit from the same APN worldwide. In a word, SIM 901 is the next unified, single and global solution for IoT security.
The author of this blog is Jacques Bonifay, CEO, Transatel