Securing the LPWA environment – a step into the unknown?

The arrival of any new communications technology on the scene always poses a conundrum: while it might bring promise improvements in any number of areas, it might also introduce our industry – and our users and customers – to an entirely new set of security vulnerabilities. Recent history shows that, in many cases, appropriate security levels have had to be added retrospectively, adding time and cost to deployments and eroding trust in each particular solution.

The current ferment around the LPWA (Low Power Wide Area) networks area and, in particular, the emergence of solutions from outside the already well-policed 3GPP and ETSI standards communities, means that questions now have to be asked about the security techniques and policies used by these new technologies. At the risk of mixing some metaphors, while we don’t want to cry wolf unnecessarily, we also don’t want to have to close the stable door after the proverbial horse has bolted…

Against this backdrop, IoT Now’s Alun Lewis thought he should sit down for a chat with Loic Bonvarlet, product marketing director for M2M solutions and services at Gemalto, one of the world’s leading secure communications companies, to discuss the security aspects and challenges of the LPWA domain and, more specifically, LoRa.

IoT Now: Loic, historically the great majority of M2M solutions have relied upon cellular networks for connectivity. Security issues in this domain are not only well-understood and based upon many years of practical experience, but they’re also based on the use of SIMs. The LPWA solutions not based on 3GPP technologies – such as LoRa – that are now appearing don’t use SIMs. What security management issues does this raise for service providers?

LB: There are probably two main areas that are currently rather problematic with LPWA – as opposed to the cellular world that we’ve grown used to over the last couple of decades. Firstly, in the absence of a SIM, how can you provide appropriate credentials to each device to identify it in unique and secure ways? A complementary issue to this involves the challenge of spotting cloned devices, where a device or sensor’s identity can be effectively hijacked for nefarious purposes, or making sure right from the start that devices cannot be cloned.

The second area of potential concern involves the now fast expanding LoRa ecosystem, bringing a wide range of companies, both old and new, into the space. Expertise and experience in IoT security are not evenly distributed across all the participating vendors and service providers now entering the sector, particularly given the extremely broad attack surfaces that this environment presents to opportunists. As a result, for the time being at least until more formal processes are established, both users and network providers must proceed very carefully when it comes to joining together the different elements, data and applications that collectively make up an LPWA service. Some system, device and application functionalities might need to be disabled or limited to impose some level of isolation and ensure that any attacker can’t get the keys to all of the kingdom in one fell swoop.

IoT Now: The success – and revenue potential – of the IoT depends on there being a pretty open ecosystem that’s able to share data across devices, communications links, gateways, databases and applications. How will the deployment of LoRa affect the security environment that all the other players in the ecosystem, such as application developers and device manufacturers, have to understand and apply consistently?

LB: Security has to be imposed by design right from the start of any project – or, indeed, right from the very first discussions with device and sensor manufacturers and application developers. Companies have to make sure the risk exposures associated with the eventual end-to-end solution and its specific operational environment are well understood. Understanding the contexts in which the system will eventually be used is essential in applying appropriate levels of security. Security by Design principles are both well understood and well established and involve taking into account both software and hardware factors. Skilled and well-equipped hackers, for example, can even use probes on individual chips, extracting information and commands before they are encrypted.

It’s also essential to have plans in place to be able to manage your devices and solutions across the whole of their life cycle, because tomorrow’s threats will be different from today. This issue is particularly acute in the LPWA environment where the long battery life means that many devices will be intended to remain in situ and unattended and unvisited for many years, especially if they are in settings hazardous to human health.

IoT Now: There are always going to be some ‘civilisation-critical’ IoT applications – such as the utilities – where extra security will be needed. What solutions would Gemalto advise here?

LB: For critical infrastructures such as the utilities, or specific use cases such as the monitoring of high value assets and items, the security inherent in an LPWAN transport network today might be deemed insufficient to cope with the risks currently at hand. In such a case, by applying a thorough risk analysis, it becomes possible to complement the network’s security with application security principles. These, at a minimum, involve using both encryption and applying signatures to the end-to-end data flows from end device sensors to the backend servers actually processing the data.

LPWA networks hold a huge potential when it comes to realising the next wave of the IoT vision and the deployment of smart ‘things’ across an increasingly interconnected planet. We just have to make sure that our next steps are made on solid ground – and that only comes through a deep understanding of the accompanying vulnerabilities and tools and processes that must be used to protect ourselves, our business and our communities.

RECENT ARTICLES

Army’s new next generation squad weapon programme to launch ARC’s weapons intelligence platform

Posted on: August 12, 2022

Washington – Armaments Research Company, Inc, a technology and data company serving national security and public safety customers, announced their Internet-of-Things (IoT) full-stack technology will be introduced in the Next Generation Squad Weapon (NGSW) programme of record, in partnership with Sig Sauer. For the first time in 65 years, the U.S. Army’s initiative will replace

Read more

Connected logistics market to hit $47.6bn valuation by 2029 backed by MaaS for fleet management

Posted on: August 12, 2022

The global connected logistics market stands at a valuation of US$22.2 billion (€21.61 billion) in 2022 and is projected to reach $47.6 billion (€46.34 billion) by the end of 2029. Demand for connected logistics is estimated to increase at a compound annual growth rate (CAGR) of 11.5% over the forecast period (2022-2029).

Read more
FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox