While this may sound like the old joke about the three “L’s” of real estate success — location, location, location — it’s actually deadly serious. When it comes to IoT (Internet of Things), CSPs should pay particular attention to the 3 S’s: Security, Security, Security. Unless internalized, there could be some real heartache coming to providers and consumers as IoT, and its siblings, IIot (Industrial Internet of Things) and EIoT (Enterprise Internet of Things) literally take over the world.
Almost everything is becoming connected: cars, home appliances, factory machines, office equipment, entertainment. In Forbes Magazine roundup of IoT forecasts and market estimates for 2016 in, industry leaders General Electric predicted investment in IIoT will top $60 trillion during the next 15 years. IHS Markit Consulting for its part, forecast that the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025.
It is against this background of all pervasive IoT that we examine “Security, Security, Security”: all the same in name, but each represents a different, and equally critical, facet of the IoT challenges; each with its own set of needs, parameters, risks…but also opportunities.
Security — of devices and systems:
This remains the prime concern of enterprises. Because IoT devices are generally cheap, low resource units, they are typically not secured. This fundamental omission makes them easy targets for hacker and malware attacks. Apart from creating huge disruptions for CSPs and their customers, such attacks also put the CSP’s reputation in jeopardy. This is what happened when a major European CSP suffered significant reputation damage — as well as direct and indirect financial losses —when close to 1,000,000 of its customer’s home routers were disabled by the IoT Mirai malware for more than 2 days. Similar incidents occurred just this month with two more European CSPs.
In a January 2014 article in Forbes, cyber-security columnist Joseph Steinberg listed Internet-connected appliances that can already provide easy access for hackers by “spying” on people in their own homes: e. g. televisions, kitchen appliances, cameras, thermostats. Computer-controlled devices in cars such as brakes, engine, locks, hood and trunk releases, and dashboard instruments have been shown to be dangerously vulnerable to attackers who have access to the on-board network. In some cases, vehicle computer systems are Internet-connected, inviting remote exploitation. Fortunately, not much has happened to date.
While manufacturers can try to diminish the problem at an assembly-line level, they are unlikely to be able to fully combat the vast hordes of nasties out there who will, sooner rather than later, find a way to crawl into anything and everything in the most destructive way. Their tentacles will spread out beyond IoT devices and networks, hurting the service.
Undoubtedly, an effective solution must be delivered through the network, and the CSPs who own the networks and communications channels, are best positioned to deliver such services exercising highly effective countermeasures to Bots, DDOS, malware and more, updated in real time. We’ll circle back to this later.
Security— against internal threats:
IoT-based attacks initiated from a CSP’s own (sometimes unsuspecting) customers or employees, threaten their commercial network infrastructure. For example, the DNS infrastructure of a Singaporean CSP was hurt by an attack executed through an innocent customer’s connected devices.
Although there is not much discussion about “outgoing” DDOS attacks, they can become a real threat to the CSPs. Indeed, vulnerable IoT devices connected to a CSP are an easy target for malicious activities. And, since the devices are primarily connected to the CSP’s “soft underbelly” – usually a less secured internal network — they can be very effective in attacking the CSP itself.
In light of recent developments and the wide deployment of IoT services, CSPs must install more security measures to protect their internal networks.
Security — as a Service: A value added opportunity for CSPs:
As connectivity has become a “commodity” in recent years, CSPs looking to increase their future revenues with IoT need to think beyond connectivity to maximize the vast opportunities which already exist and those which will no doubt develop going forward. Being at the forefront of this opportunity curve, with proper capacities and security planning, will give the concerned CSP a huge advantage into the future.
IoT devices, as already mentioned, are typically low resource, fairly cheap devices. In terms of ARPU, data from these devices generates a fraction – about 10% – of the overall revenue associated with a smartphone. This in turn creates a strong need for cost optimization and a demand for creative value added services, beyond connectivity, and geo-location information, to be offered to the CSP’s customers. Therein lies the opportunity.
Because CSPs are owners of the communications channel, they are perfectly positioned to develop and provide effective, reliable and cost-efficient IoT Security as a Service, complementing and supporting all other security measures.
This promises a number of significant benefits to the CSP: increase in loyalty (“stickiness”) by taking a major headache off the shoulders of consumers, protecting the CSPs reputation and most important of all, providing extra revenue channels. Importantly, deployment of such a service does not require CSPs to develop any new skills in specific business domains or to provide any “unusual” type of services, such as application support etc. Network Security as a Service requires core CSP expertise and can be deployed with a relatively small investment.