Interview with José Rodríguez: "Security is a reason for trusting the deployment of IoT solutions"
26 Jun 2017 IoT General
What are the main aspects that draw our attention when we talk about security in the IoT? What are engineers dealing with when they make sure our data and devices are secure? When talking about security in the Internet of Things, we must take into account the wide variety of challenges at all points in the technology stack. "From devices with limited resources and small batteries to different types of connectivity, managing them remotely is complex," says Rodríguez. "The target platforms where the information is generated are also very diverse, with different protocols and different authentication mechanisms and identity management of devices”. This vast diversity is the reason for the first challenge faced by security experts.
And each of these elements must be adequately secured. "There is a lot of fragmentation. There are many very different devices with very different capacities depending on the use case", says Rodríguez. Secondly, in addition to diversification, there is the challenge of scalability. "Implementing security for a few devices is not the same as doing it for several thousand or million. At such large scales, everything becomes much more complicated, and a high level of automation of identity management or incident response is required", explains the expert. Identity access management is also one of the specific areas where the most efforts are focused to ensure that devices can be safely identified with the platform to send the data. “On the other hand, we must not forget the security of the platforms where IoT devices report data. This is the classic part of IT security”, says Rodríguez, "but we should not neglect it".
The four challenges
There are four especially critical points, four challenges, which reveal how the efforts mentioned above are channelled: the heterogeneity of devices, the resources they rely on, identification, and the operation of those devices. "There are many types of devices, operating systems, data transmission protocols and cloud platform media”, Rodríguez explains when asked about the first of the challenges. "As we said, it is very complex and has many elements, each with its own difficulties". In terms of resources, they are limited by the technological capabilities of the device, which is conditioned by the use case. "This means that the measures that can be applied are limited depending on the business. Securing an environmental pollution sensor is not the same as securing an autonomous vehicle", says the engineer. "There is also another problem, a classic one, namely the issue of device identity. For example: how to securely assign an identity to devices, because ultimately this identity is key to the relationship with other devices and platforms".
As for the challenges associated with the operation of the devices, Rodríguez highlights several particularly significant issues. "Another important security problem in IoT is device maintenance, that is, how to manage them safely and how to manage their connectivity. It is imperative to provide a secure remote update mechanism. If any incident occurs, the firmware must be upgraded or, in the worst-case scenario, if a device is compromised, it will have to be disabled". Operations, especially maintenance operations, are among the costliest ones in terms of resources and time with regard to security. "In summary", says Rodríguez, "the closer we are to the device, the more difficult it is to maintain safety". But in addition to these challenges, there are also solutions, of course.
The keys to security
From the device to the application, Telefónica, in conjunction with the GSMA, has developed a series of key recommendations to ensure the integrity of devices and data to the extent possible. José Rodríguez points to this set of recommendations at the technological level when we ask about the best cyber security solutions in the IoT. When asked about applications and service platforms, he stated: "In particular, special attention must be paid to unsafe default configurations. Incidents like the Mirai exploited users and passwords for defects in webcams to install malware on them".
The next recommendation introduces us to a new layer of technology, managed connectivity from Smart m2m. "Here we can detect suspicious activity on the device itself, identify if it has moved to an unusual location, or identify if the data consumption is higher than it normally is or even see if a SIM card has been inserted into an unauthorised device". If something anomalous is found, the device could be compromised. "Another important point in connectivity is automation. For example, if we detect a compromised device, we have to be able to disconnect or disable it automatically", explains the expert.
Third, it is crucial to ensure customer communications security. "In many cases, a very effective solution is to isolate Internet clients’ malicious devices through a private APN and a VPN. Then we need to monitor network activity to detect malicious behavior". Finally, the recommendations also focus on the devices themselves. "Being able to interact remotely with these devices is fundamental to the IoT. Being able to disable them massively in the case of malicious behaviour is extremely important", says the engineer. But so is the way these devices transmit information. "It is essential to value the encryption of the data that is sent and have mutual authentication on the device; that is, it is essential that the device validates the data and the platform validates the other’s identity". Finally, another key to security is the reactiveness and enforcement of security measures. "We have to start with the fact that incidents are inevitable. Therefore, you have to perform a good risk analysis and have a protocol defined in advance so that when something happens it can be resolved as quickly as possible".
Cybersecurity: From fear to opportunity
"At Telefónica, we believe that cybersecurity is an opportunity for the telco sector. As operators, we have a central position that allows us to help clients secure their IoT solutions in such a complex environment. Additionally, thanks to ElevenPaths products, we can help improve external security end to end, and not only focus on connectivity". With this statement, the expert provides a necessary positive note on this topic.
As companies and customers become aware of the importance of maintaining good security practices, they are showing more interest. "We have seen an increase in attention to IoT security in recent months. There has been a significant shift. The number of questions from clients, as well as the complexity of these questions, is increasing", says Rodríguez when asked about companies’ interest in security. These data are in line with estimates in various reports that point to security as a major concern for IoT developers.
"On the one hand, we get a subjective perception from companies and clients that reveals a greater interest in security. And on the other hand, we have the data from surveys and reports that highlight security as the major concern when developing IoT solutions. The advantage of offering network-based security solutions, such as detecting malicious activity patterns, is that we can offer customers security by default without having to perform an integration project", explains the IoT security manager when asked about Telefónica’s role in its customers’ security. With this comment, the expert provides a conciliatory view of security. "Our goal is to reduce the complexity of IoT security for our customers and help them secure their end-to-end solutions".