Why IoT security must be a [RAN, edge] core focus for network operators
In recent years the telecoms industry has scrutinised, debated, forecast and developed a huge variety of IoT use cases, as well as outlining the benefits they promise business, industry and society, and the opportunities for monetisation they present to a sector undergoing radical digitalisation.
While the spotlight is currently on the deployment of services, says Robert Winters, TeraVM Director at Viavi Solutions,operators must turn their attention to a far more pressing concern: securing the IoT.
DDoS: A major threat, distributed
Operators are currently in the early stages of IoT deployment cycle, with most seeking advice on – but not all deploying – effective security measures. However, the extent of the damage caused by widely-reported distributed denial of service (DDoS) attacks has highlighted the crucial role network security will play.
A 2018 report by Akamai measured a 16% increase in the number of DDoS attacks recorded since last year, with the largest such attack setting a new record at 1.35Tbps. The main concern with IoT-launched DDoS attacks is they stress the key infrastructure components of the mobile core, thus affecting and potentially bringing down the entire mobile network.
The negative effects are distributed over a huge area, as victims of such attacks could include all of those users leveraging the network (as they’re connecting to the same mobile core used to handle IoT): businesses, critical industries, as well as regular consumer device users.
One solution is to separate consumer traffic from IoT traffic, with some operators looking at network slicing to ringfence the latter into its own dedicated pipe. The viability of this approach has been demonstrated by one Australian operator, which has used network slicing to dedicate a ‘lane’ to critical traffic generated by first response teams. Isolating a specific part of the network aids security efforts by making it easier and quicker to identify and address potential attacks.
However, network slicing is complex to implement and forms just one part of the wider plan for 5G roll out – so remains in early stages of development at present. Even after 5G roll-out, network slicing will be only a single mechanism among many of securitising against IoT-based botnet attacks.
Taking testing to the edge (and RAN, and core)
The growth of the IoT will be accompanied (and enabled by) mobile edge computing (MEC) applications. This is great: moving processing and compute capabilities to the edge of the network – and closer to the end-user – will support high bandwidth, low latency, real-time access to the radio network, enabling ultra-reliable communications as well as exciting use cases across a range of industries.
At present, an in-built security gateway will typically sit in a data centre at the mobile core, where base station traffic is processed. With IoT and MEC, we’ll see the processing of this traffic shift to the edge, closer to the radio. As such, the security gateway too will have to move to the edge.
This is must for securing networks and a secure IoT, but despite much talk in the industry, distributing the security gateway to the edge has not been done (on a widespread scale) quite yet.
What we are seeing is the adoption by network operators of what are in effect, mini, localised data centres. These mobile-edge components will host multiple servers – making them the perfect target for hackers.
To secure this entire – and entirely new – mobile network infrastructure, operators will need a full suite of end-to-end mobile network testing capabilities that validate network performance and security from the RAN to the core, via the mobile edge. In addition to measuring the quality of end-user experience for data applications, testing solutions such as this will ensure robust network security.
Scalable, virtual, flexible
As the number of IoT end-points grows, so too does the opportunity for malicious infiltration of a network. Many use cases and applications are still in beta stage, but operators cannot afford to wait: their networks must be readied to support these end-points, protect end-users and industries, and secure their networks and their business.
The most effective way to do this is via virtualised network stress-testing, emulating real-world scenarios including the millions of IoT devices which will connect to a network via the complete range of connectivity standards, including NB-IoT and CAT-M (the LPWAN technologies which support IoT apps).
Testing in a virtualised lab environment allows operators to plan for the inevitable IoT future, identify and address potential issues with their infrastructure ahead of time, and ready their networks to help them monetise the IoT.
As this testing takes place in a virtualised environment, it’s also possible to scale without the associated costs – and logistical/physical impossibilities – of doing so in the real world. This flexibility means operators can test the reliability and security of a few hundred devices connected to their networks, or many millions. Different types of traffic can also be tested simultaneously, readying infrastructure against the kind of network-overload scenarios which have been played out in DDoS incidents.
Operators must respond immediately to the IoT security threat, or risk compromising their services and their reputation, and slow the development of the IoT.
The author of this blog is Robert Winters, TeraVM Director at Viavi Solutions.