A New Approach to IoT Security Evaluations
Security threats have the potential to undermine confidence in the IoT. As such, ensuring end-to-end security and data privacy for IoT solutions is increasingly an industry priority. The security challenges are threefold:
Contrary to traditional IT services, successful deployment of IoT solutions requires the collaboration of a large ecosystem, from IoT device manufacturers to network operators to IoT developers and service providers. The lack of consistent terminologies in the IoT and IoT security industry in particular further complicates successful collaboration and deployment.
A large number of IoT devices and services are at risk of never being launched to market, because security concerns and risks outweigh the benefits of investment – making security a serious deployment barrier.
Traditional internet security methods, while still applicable, don’t necessarily address new challenges that are unique to the IoT. These include service availability, secure identity, data privacy, and service integrity in devices that are low complexity and low cost, have constrained power supplies, very long lifecycles and are physically assessable to hackers. The industry will also have to rise to the challenge of remotely monitoring and maintaining the security of billions of new devices throughout their entire lifecycles.
Many challenges of IoT security can be addressed with the expertise and assets of mobile network operators, such as the use of private APNs to isolate endpoint devices, communication monitoring to detect unusual traffic activity, and use of SIM cards to enable secure network authentication.
However, security at network level is not enough, for security can be compromised on multiple levels such as physically within endpoint devices, at the service layer, and within the service platform. As a result, IoT security is dependent on all players in the ecosystem, meaning that the end-to-end solution can only be as strong as the weakest link in the chain.
IoT Security Evaluations
Consequently, the IoT industry requires different best practices for security which build upon traditional IT security approaches, but focus on the new challenges ahead. The GSMA IoT Security Guidelines promote such best practice for the secure design, development and deployment of IoT services, covering the entire ecosystem while addressing security challenges unique to the IoT.
The complexity and diversity of the IoT ecosystem as well as the quick pace of technological development is creating obstacles for using traditional methods of security evaluation for IoT, such as using a lab based security certification. Traditional methods are often geared towards a single product and may not be applicable to the whole ecosystem. Instead, light-touch benchmarking tools and general approaches are better suited to accommodate the complexity of the IoT ecosystem which contains a diversity of stakeholders and components.
The GSMA IoT Security Self-Assessment covers security controls for the whole ecosystem and further enhances the alignment of all stakeholders by putting in place a concise framework with consistent terminology and a structured approach to IoT security information.
The scheme enables companies to discover if their security measures align with the best practice outlined in the GSMA IoT Security Guidelines. Companies can use the scheme to address weaknesses in their products and services, and demonstrate to their customers that they’ve taken Cybersecurity seriously.