New Report Outlines Security Considerations for LPWA Technology
Information security analysts, Franklin Heath, have released an independent report that compares and contrasts the security features of five different Low Power Wide Area (LPWA) network technologies for several typical IoT use cases such as Smart Agriculture, Smart Street Lighting, Smoke Detectors, Water Meters and Smart Meters. It assesses the security features of three 3GPP standardised Mobile IoT technologies that operate in licensed spectrum, LTE-M, NB-IoT and EC-GSM-IoT as well as unlicensed spectrum technologies LoRaWAN and Sigfox.
The detailed report, which can be downloaded here, argues that organisations must work out what level of security they need in addition to other considerations such as cost, long battery life and network coverage when considering a LPWA solution, it is still an important element that must be factored into any decision making process. It highlights how IoT security needs are driven largely by privacy and safety concerns and any deployment using LPWA technologies should be subject to a security risk assessment using tools such as the GSMA IoT Security Assessment.
Some important network security factors highlighted in the report that should be considered as part of any such assessment include:
- Bandwidth, including Maximum Downlink and Uplink Data Rates – This may limit the security features that can be supported by the LPWA network or implemented in the application layer.
- Daily Downlink and Uplink Throughput – LPWA devices do not typically transmit or receive data all of the time which can impact security features such as over-the-air security updates.
- Authentication – Device, Subscriber and Network – Secure network connectivity requires a number of different parties to authenticate themselves to each other such as the device, the subscriber and the network provider – the technology must protect against the ‘spoofing’ of these parties by malicious actors.
- Data Confidentiality – Encryption is typically used to keep data safe from being intercepted by an attacker. Trust in this can be increased by establishing end-to-end security at the application layer.
- Key Provisioning – Cryptographic techniques for authentication, confidentiality and integrity all rely on cryptographic keys being securely shared between parties.
- Certified Equipment – In many markets there are legal requirement for devices with radio transmission to have approval or certification before being sold. This is an opportunity for security features to be verified.
- IP Network –Use of IP can open up the possibility of attack on devices from the internet and IP security features must be considered.
The report concludes that Mobile IoT technologies, such as LTE-M and NB-IoT support the necessary security features to provide adequate security for all of the use case examples. Noting that some of these security features are optional and must be enabled by the network operator.
The report stresses that following security guidelines, such as the GSMA IoT Security Guidelines, can help companies deploying IoT sevices ensure that they are making the right technology choices and are aware of the security implications of their approach.Back