Massive IoT? Massive set of security requirements
IoT is here right now but it’s also one of the biggest application areas for 5G. Yet it’s easy to forget that while the industry has a clear vision of services that it hopes 5G will facilitate, much remains to be determined on the technical front with standardisation activities just beginning.
However, it is clear that just as IoT security is big news today, security and privacy will remain fundamental requirements, with the changes foreseen for 5G likely to broaden the range of attractive attack targets, says Paul Bradley, chairman, 5G Working Group, SIMalliance.
The massive IoT segment, and its close neighbours the critical machine type communications and vehicle-to-X segments are extremely broad, covering not just M2M but consumer based services too. Typical use cases are highly varied and may include drones, driverless cars, home appliances, some wearables and machine type communications including metering, sensors and alarms.
Clearly this is a very broad range of use cases and as such, operational and security requirements will vary. For example, communications will be either:
- long range, low power, low bandwidth and infrequent or
- focused on speed.
Data is likely to encompass geolocation data, sensor data such as meter readings and private consumer data. Location and privacy protection for data must be enforced to ensure, for example in the case of a meter, that a thief cannot determine if the premises are occupied are not.
Devices may be connected to the network either directly or indirectly, for example via a gateway. How this is done may have implications for security requirements.
Security requirements in this segment will be based around devices, the network and backend. That means that following high level types of security requirements can be distinguished:
- Network access security
- Network application security
- Service layer security
- Authenticity, Integrity and confidentiality of data transmitted at different network layers.
In use cases such as smart metering the data transferred needs to be protected against manipulation, as, compared to voice communications, data can be more easily attacked and modified. Because the value comes from the integrity of the data, integrity protection becomes more important for 5G IoT.
Because these devices are connected to the network, if they lack adequate security, they could be used as an entry point to the network for attackers who may have little interest in the device or service itself.
There is also a risk of equipment cloning, leading to potential massive attacks to overload the network leading to denial of services. Carefully managing the identity of the device and securing the authentication to the network is therefore key to ensuring a good network quality of service.
Managing initial network connectivity securely will require secure provisioning of unique device and user identities for both network and service level access, network and service authentication credentials and communication cryptographic keys as well as application identifiers. The content of the securely provisioned data will likely depend on the devices’ location as well as agreements between integrators, service providers and mobile network operators.
Managing identities on the network will require identification of the application and corresponding application provider. It will also need secure storage of the unique identity on the device.
Mutual authentication of the device and network will also be necessary (it has been mandatory since 3G) as may mutual authentication for applications back to their service platforms.
SIMalliance believes that it is vital that security is built into 5G from the outset. It has just published a marketing paper An Analysis of the Security Needs of the 5G Market outlining its view of the security needs of each 5G segment. It is now starting work on a follow up technical security requirements paper that will be published later in 2016.
For more information go to: http://simalliance.org/
The author of this blog is Paul Bradley, chairman, 5G Working Group, SIMalliance.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow