Securing the LPWA environment – a step into the unknown?

The arrival of any new communications technology on the scene always poses a conundrum: while it might bring promise improvements in any number of areas, it might also introduce our industry – and our users and customers – to an entirely new set of security vulnerabilities. Recent history shows that, in many cases, appropriate security levels have had to be added retrospectively, adding time and cost to deployments and eroding trust in each particular solution.

The current ferment around the LPWA (Low Power Wide Area) networks area and, in particular, the emergence of solutions from outside the already well-policed 3GPP and ETSI standards communities, means that questions now have to be asked about the security techniques and policies used by these new technologies. At the risk of mixing some metaphors, while we don’t want to cry wolf unnecessarily, we also don’t want to have to close the stable door after the proverbial horse has bolted…

Against this backdrop, IoT Now’s Alun Lewis thought he should sit down for a chat with Loic Bonvarlet, product marketing director for M2M solutions and services at Gemalto, one of the world’s leading secure communications companies, to discuss the security aspects and challenges of the LPWA domain and, more specifically, LoRa.

IoT Now: Loic, historically the great majority of M2M solutions have relied upon cellular networks for connectivity. Security issues in this domain are not only well-understood and based upon many years of practical experience, but they’re also based on the use of SIMs. The LPWA solutions not based on 3GPP technologies – such as LoRa – that are now appearing don’t use SIMs. What security management issues does this raise for service providers?

LB: There are probably two main areas that are currently rather problematic with LPWA – as opposed to the cellular world that we’ve grown used to over the last couple of decades. Firstly, in the absence of a SIM, how can you provide appropriate credentials to each device to identify it in unique and secure ways? A complementary issue to this involves the challenge of spotting cloned devices, where a device or sensor’s identity can be effectively hijacked for nefarious purposes, or making sure right from the start that devices cannot be cloned.

The second area of potential concern involves the now fast expanding LoRa ecosystem, bringing a wide range of companies, both old and new, into the space. Expertise and experience in IoT security are not evenly distributed across all the participating vendors and service providers now entering the sector, particularly given the extremely broad attack surfaces that this environment presents to opportunists. As a result, for the time being at least until more formal processes are established, both users and network providers must proceed very carefully when it comes to joining together the different elements, data and applications that collectively make up an LPWA service. Some system, device and application functionalities might need to be disabled or limited to impose some level of isolation and ensure that any attacker can’t get the keys to all of the kingdom in one fell swoop.

IoT Now: The success – and revenue potential – of the IoT depends on there being a pretty open ecosystem that’s able to share data across devices, communications links, gateways, databases and applications. How will the deployment of LoRa affect the security environment that all the other players in the ecosystem, such as application developers and device manufacturers, have to understand and apply consistently?

LB: Security has to be imposed by design right from the start of any project – or, indeed, right from the very first discussions with device and sensor manufacturers and application developers. Companies have to make sure the risk exposures associated with the eventual end-to-end solution and its specific operational environment are well understood. Understanding the contexts in which the system will eventually be used is essential in applying appropriate levels of security. Security by Design principles are both well understood and well established and involve taking into account both software and hardware factors. Skilled and well-equipped hackers, for example, can even use probes on individual chips, extracting information and commands before they are encrypted.

It’s also essential to have plans in place to be able to manage your devices and solutions across the whole of their life cycle, because tomorrow’s threats will be different from today. This issue is particularly acute in the LPWA environment where the long battery life means that many devices will be intended to remain in situ and unattended and unvisited for many years, especially if they are in settings hazardous to human health.

IoT Now: There are always going to be some ‘civilisation-critical’ IoT applications – such as the utilities – where extra security will be needed. What solutions would Gemalto advise here?

LB: For critical infrastructures such as the utilities, or specific use cases such as the monitoring of high value assets and items, the security inherent in an LPWAN transport network today might be deemed insufficient to cope with the risks currently at hand. In such a case, by applying a thorough risk analysis, it becomes possible to complement the network’s security with application security principles. These, at a minimum, involve using both encryption and applying signatures to the end-to-end data flows from end device sensors to the backend servers actually processing the data.

LPWA networks hold a huge potential when it comes to realising the next wave of the IoT vision and the deployment of smart ‘things’ across an increasingly interconnected planet. We just have to make sure that our next steps are made on solid ground – and that only comes through a deep understanding of the accompanying vulnerabilities and tools and processes that must be used to protect ourselves, our business and our communities.

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Python developers now have native access to powerful multimodel data platform

Posted on: October 28, 2021

CAMBRIDGE, Mass. 27 October, 2021 – InterSystems, a data technology provider dedicated to helping customers solve the most critical scalability, interoperability, and speed problems, announced that its InterSystems IRIS data platform now features full native support for Python, unleashing the power of the popular programming language for creating data-intensive, mission-critical applications.

Read more

Opt-in software-based government – Nationality as a Service (NaaS)

Posted on: October 28, 2021

The government functions to serve and represent its citizens, but around the world, citizens experience substandard public services with minimum transparency.  The governments fail to support individuals and communities efficiently. The services provided in many parts, from education to health, are broken.

Read more