Joe Barrett
The world is evolving to a point where everyone’s daily lives will change dramatically as devices, places and people become fully inter-connected. The world’s industries are evolving to accommodate the technology shift that is happening with the Internet of Things (IoT) – homes, cars, drones, wearables, healthcare, connected cities – all will experience massive interactions and there will be a mega flow of data across a variety of networks as operators build out the fabric of IoT so that entire industries can redefine their businesses and what will become possible.
Securing this network and the data flows is going to be critical for industries to readily adopt IoT and the technologies behind it. Hackers are going to try to access your connected home security system, your autonomous car, an industrial sensor, an office’s air conditioning system or a utility meter. Mission-critical or business applications cannot be undermined; they must be secure, and the suppliers to the mobile industry recognize that security has to be at the heart of their IoT solutions.
Mobile industry suppliers and others are developing and providing IoT platforms, or supplying hardware for these systems that use security analytics, machine learning and artificial intelligence to constantly monitor for infrastructure and device threats.
Some of these IoT platforms may need to support third party security applications to create a homogeneous and robust communications and connectivity network. Others will have security built in. Connection to the IoT platform should also be simple and intuitive. The more complex the connection to the platform, the more difficult it will be to monitor for threats to the system. Keeping the connection simple also means that deployment of the IoT network will be faster and ideally lower cost, as well as more secure.
The biggest cyber security threat will be with the billions of devices or “Endpoints” in the IoT network. For an Endpoint to connect to and function with an IoT platform or service, it must be capable of being securely identified so that its connection and service feature set can be authenticated.
The mobile industry has always placed security and encryption at the forefront of its standardization process, and this is being replicated with IoT networks. Mobile Network Operators (MNOs) are today delivering secure connectivity to over half of the world’s population and are in an ideal position to deliver a highly secure, reliable IoT network that maintains the privacy of all data.
The history of Mobile Network Security
The European Telecommunications Standards Institute (ETSI) developed three security algorithms for GSM: A3, A5 and A8. The A3 and A8 algorithms are specific to the operator and are saved on the Subscriber Identity Module (SIM) card in the mobile device and in the authentication centre. A5 is saved in the mobile equipment and allows for data encryption and decryption over the radio air interface.
ETSI further enhanced the security in 3G by adopting an innovative authentication and key agreement protocol. The protocol retains the structure of GSM authentication enhanced by features such as mutual authentication, agreement on an integrity key between the user and the serving network, and freshness assurance of agreed cipher key and integrity key.
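The three properties named above (mutual authentication, agreement on cipher and integrity keys, and freshness) can be seen in a simplified model of the challenge and response, added here as an illustration and not taken from the original article or from any standard's reference code. Assumptions: HMAC-SHA256 stands in for the operator-specific functions f1 to f5, the sequence-number check is a plain "greater than" comparison, and the function names and the key in `demo()` are constructed for this sketch.

```python
import hashlib
import hmac
import os

def f(k, label, *parts, n=8):
    # Stand-in for the operator functions f1..f5 (assumption: HMAC-SHA256, truncated).
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def network_challenge(k, sqn, rand=None, amf=b"\x80\x00"):
    """Network side: build RAND and AUTN, plus the expected response and keys."""
    rand = os.urandom(16) if rand is None else rand
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b, rand, amf)      # proves the network knows K
    ak = f(k, b"f5", rand, n=6)              # masks SQN on the air interface
    autn = xor(sqn_b, ak) + amf + mac        # 6 + 2 + 8 = 16 bytes
    expected = {"xres": f(k, b"f2", rand),
                "ck": f(k, b"f3", rand, n=16),
                "ik": f(k, b"f4", rand, n=16)}
    return rand, autn, expected

def usim_respond(k, highest_sqn, rand, autn):
    """USIM side: authenticate the network, check freshness, then respond."""
    masked_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(masked_sqn, f(k, b"f5", rand, n=6))
    if not hmac.compare_digest(mac, f(k, b"f1", sqn_b, rand, amf)):
        return {"status": "mac_failure"}     # sender does not hold K, or AUTN altered
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= highest_sqn:
        return {"status": "sync_failure"}    # stale or replayed challenge
    return {"status": "ok", "sqn": sqn,
            "res": f(k, b"f2", rand),
            "ck": f(k, b"f3", rand, n=16),
            "ik": f(k, b"f4", rand, n=16)}

def demo():
    k = bytes(range(16))                     # constructed 128-bit subscriber key
    rand, autn, exp = network_challenge(k, sqn=41)
    first = usim_respond(k, 40, rand, autn)
    replay = usim_respond(k, first["sqn"], rand, autn)
    rogue = usim_respond(k, 41, *network_challenge(bytes(16), sqn=42)[:2])
    return first["res"] == exp["xres"], replay["status"], rogue["status"]

if __name__ == "__main__":
    print(demo())
```

The network accepts the device only if RES equals XRES, while the device rejects any challenge whose MAC it cannot reproduce or whose sequence number it has already seen.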
4G/LTE authentication is based on 3G Authentication and Key Agreement (3G-AKA), which has been re-used for the IP network. An improved Universal Subscriber Identity Module (USIM) is used to authenticate access to LTE, as it was in GSM. Two sets of security algorithms were developed for LTE: one based on AES (Advanced Encryption Standard) and the other on SNOW 3G, a word-oriented stream cipher that generates a sequence of 32-bit words under the control of a 128-bit key and a 128-bit initialization variable. The principle is that two algorithms, as different from each other as possible, are better than one.
To simplify the use of the SIM and bring a level of flexibility and management to device authentication, the mobile industry is introducing the Embedded SIM (eSIM), which will replace the current physical SIM card used in the majority of mobile devices. This will reduce Endpoint costs and is already mainstream in the current Machine-to-Machine market. As an example, Telecom Italia Mobile and Samsung recently announced the launch of the first smart watch with an eSIM with support from digital security specialist company Gemalto.
The eSIM will also make switching between mobile networks or IoT platforms simpler so companies can quickly migrate their Endpoints onto alternative networks or IoT services and applications, without compromising on security.
Machine-to-Machine (M2M) specifications, including security, are within the ETSI oneM2M Partnership Project. Release 1 aims to address client-server based “one to many” industrial M2M deployments, while future releases will address the complex challenges arising from distributed, dynamic “many to many” IoT security scenarios.
With over 20 years of security credentials, Mobile Network Operators (MNOs) and their equipment suppliers are therefore in the prime position to deliver a secure IoT solution into multiple industries.