Cellular IoT — Device security is as important as infrastructure security
As the awareness of the transformative nature of 5G is increasing, the industry is slowly waking up to the enormous challenge of securing not only the networks but also all the things these networks connect and the vital data they carry. When it comes to the Internet of things (IoT), the challenges of security couldn’t be bigger, and the stakes involved couldn’t be higher. The spread of IoT in homes, enterprises, industries, governments, and other places is making wireless networks the backbone of the country’s critical infrastructure. Safeguarding it against potential threats is a basic national security need.
With 5G set to usher in industry 4.0-the next industrial revolution, governments across the globe are understandably taking a keen interest in how 5G is deployed in their countries. There has naturally been a lot of emphasis on its security aspects. The current focus has primarily been on the network infrastructure side. Many countries, such as the USA, Australia, and New Zealand, have put restrictions on buying equipment from certain network infrastructure vendors such as Huawei and ZTE. As stated by these governments, their concerns are regarding the lack of clarity about the ownership and control of these vendors. While these concerns are valid, focusing only on the infrastructure side is not sufficient. It might even be more dangerous because it might give a false sense of security.
Infrastructure-focused security is insufficient
Network infrastructure is only one part of the story. Telecommunications is often referred to as “two-to-tango” as it needs both infrastructure as well as devices to make the magic happen. So, to have foolproof security, one needs to cover both ends of the wireless link, especially for IoT. Securing only the network side would be akin to fortifying the front door while keeping the back door ajar. Let me illustrate this with a real-life scenario. Consider something as benign as traffic lights, which at the very outset, don’t seem to need strong security. But what if somebody hacked into and turned off all the traffic lights in a major metropolitan area? That would surely bring the city to a screeching halt, resulting in a major disruption, and even loss of life. The impact could be even worse if power meters are hacked, causing severe disruption. It would be an outright catastrophe if critical systems, such as the national power grid, are attacked, bringing the whole country to its knees.
When it comes to IoT devices, conventional wisdom is to secure only the most expensive and sophisticated pieces of equipment. However, often, simple devices such as utility meters are more vulnerable to attacks because they lack strong hardware and software capabilities to employ powerful security mechanisms. And they can cause huge disruptions.
IoT device security is a must
IoT devices are the weakest link in providing comprehensive system-wide security. More so because IoT’s supply chain and security considerations are far too different and much more nuanced than those of smartphones. Typically, the development and commercialization of smartphones are always under the purview of a handful of large reputed organizations such as device OEMs, OS providers, and chipset providers. Whereas the IoT device ecosystem is highly fragmented with a large number of relatively unknown players. Usually, large players such as Qualcomm, and Intel provide cellular IoT chipsets. A different set of companies use those chipsets to make integrated IoT modules. Finally, the third set of companies use those modules to create IoT end-user devices. Each of these players adds their own hardware and software components into the device during different stages of development. Because of this, IoT devices are far more vulnerable than smartphones.
Address IoT device security during the procurement
It is evident that IoT users have to be extremely vigilant regarding security and integrity of the entire supply chain. This includes close scrutiny of the origin of the modules and the devices, as well as a detailed evaluation of the reputation, business processes/practices, long-term viability and reliability of the module and device vendors. Because of the high stakes involved, there is also a possibility of malicious third-parties infiltrating the supply chain and compromising the devices even without the knowledge of vendors. Case in point, the much-publicized Bloomberg Business Week report about allegedly tampered motherboards vividly exposed the possibility of such vulnerability. Although the allegations, in that case, are not yet fully corroborated or debunked, it confirms beyond doubt that such vulnerabilities do exist.
It is abundantly clear that the more precautions IoT users take during the procurement and deployment phases, the better it is. Because of the sheer volume, and the long life of IoT devices, it is virtually impossible to quickly rectify or replace them after the security vulnerabilities or infiltrations are identified.
The time to secure IoT devices is now!
Looking beyond the current focus on 5G smartphones, 5G Massive IoT will be upon us in no time. Building upon the solid foundation of LTE IoT, Massive IoT, as the name suggests, will connect anything that can and needs to be connected. This will span homes, enterprises, industries, critical city, state, and national infrastructure, including transportation, smart grids, emergency services, and more. Further, with the introduction of Mission Critical Services, the reach of 5G is going to be even broad and deep. All this means the security challenges and stakes are going to get only bigger and more significant.
So, it is imperative for the cellular industry, and all of its stakeholders to get out of the infrastructure-centric mentality and focus on comprehensive, end-to-end security. Every IoT device needs to be secured, no matter how small, simple, or insignificant it seems, because the system is only as secure as its weakest link. The time to address device security is right now, while the networks are being built, and the number of devices is relatively small and manageable.
Originally published at https://www.rcrwireless.com on June 6, 2019.