How to use a systems-based approach to secure cellular IoT

Over the next decade, 5G networks will support billions of Internet of Things (IoT) devices. They will be the engine for societal transformation through use cases that benefit the public and private sectors, such as Industry 4.0, smart critical infrastructure, connected cars, and enhanced public safety. While great benefits will be realized, IoT also introduces new security risks due to the number of devices, impact of an attack, and lack of appropriate security controls. IoT solutions have unique security considerations because the devices are data-centric rather than human-centric. Get an in-depth review of this topic in our paper: Implementing Secure IoT Solutions: A systems-based approach to cybersecurity for cellular IoT

The attack surface is across the entire system, including the individual device profile, scale of devices, network interfaces, IoT application, IoT platform, and shared resources in the cloud. A strong IoT security posture has to take zero trust and defense-in-depth approaches by placing security controls across the system at multiple layers, protecting the end-to-end system and data to minimize risk.

The United States National Institute for Standards and Technology (NIST) and other government agencies around the globe have contributed security guidelines and best practices for manufacturers and users. While device security is a critical component of an IoT security posture, it alone cannot ensure a secure IoT solution. The devices should be secure-by-design, but the reality is that market forces pushing for low-cost devices will often require security controls that are implemented across the end-to-end system. IoT devices are not all the same and must be treated individually. As a result, risk management must be appropriate for the use case.

IoT cyberattacks

The history of IoT attacks underscores the need to systematically invest in an IoT security posture based on a risk analysis of attacks in a zero trust architecture — one in which there is no assumption of implicit trust granted to an asset based upon its location or ownership. System attacks can exploit vulnerabilities to degrade performance, cause denial of service, steal information, compromise individuals, and remotely control device behavior. Enterprises can suffer loss of productivity (manufacturing), loss of situational awareness (public safety), impact to health (healthcare), and risk to safety (utilities). A risk analysis of each system asset helps identify the security controls needed to protect against IoT attack vectors,

including:

• compromise to the IoT device and system supply chain
• weak device authentication by the network and user authentication by the device
• misconfiguration on the device or in the network
• theft or modification of data-in-transit or data-at-rest
• Distributed Denial of Service (DDoS) attacks against the network or cloud applications
• malware infection of devices, including viruses, bricking, bots, and ransomware
• Command and Control (C&C) botnets in which devices target cloud applications and external networks
• unauthorized access to a cloud application leading to data breach
• unsolicited traffic from the internet destined to the device

IoT security controls

A secure IoT system has network security and cloud security controls to protect the devices, network, and cloud applications, all of which can be targets. The recommended security controls for IoT are not exclusive to IoT solutions, and can be applied as security best practices with most wireless solutions. Because IoT devices are data-centric, they require network-based security controls for end-to-end protection of the solution. System security should be based on trustworthiness that is built on security standards and secure products, networks, operations, and management.

IoT platforms and applications can be deployed in either a central cloud or multi-access edge compute (MEC). To protect data on the network, enterprise, and enterprise customer levels, the multi-party relationship between the enterprise, service provider, and cloud provider calls for security responsibilities that are clearly defined. There should be a multi-lateral agreement detailing the controls to be deployed and each stakeholder’s responsibility to implement them. The scope of this multi-lateral agreement should include the attack remediation approach, which may include taking the device offline, whitelisting the device to permitted usage, or placing the device in an isolation zone to limit impact while fulfilling its primary job function. In an IoT ecosystem that includes the enterprise, mobile network operators (MNO), and hyperscale cloud providers (HCP), it is the responsibility of all three to ensure that appropriate security controls are applied in the cloud, including:

• network-based perimeter security: Anti-Malware, Web Application Firewall (WAF), and volumetric DDOS Protection
• zero trust: Strong certificate-based mutual authentication to ensure trusted access to each function
• container security: Tenant isolation, container isolation, container firewall, image scanning for known vulnerabilities, and run-time security
• secure configuration: Maintain login credentials, disable unused protocols, close unused ports.

5G Enhances IoT Security

Many IoT devices connect to applications across the network using cellular IoT or Wi-Fi access technologies. Since 3GPP purposely architected each generation of mobile technology to be more secure than the previous one, 5G is considered to have the highest level of security. 5G provides the global coverage, quality of service, scalability, security, mobility, and flexibility to handle the different requirements for a comprehensive range of use cases. Devices may have Wi-Fi connectivity through an IoT gateway with 3GPP cellular access. The gateway can support both Wi-Fi 6, to securely provide local area device connectivity, and 5G, to securely provide wide area connectivity to applications in the private data center or public cloud. From a security perspective, the IoT gateway is both an asset and a control. As an asset, it must be secured to provide only authenticated access on the management plane and to protect itself from malware infection. It is important to make sure the gateway is properly configured so there are no unused open ports or use of default or weak passwords. The gateway provides security controls for the IoT system through the following capabilities:

• Block anomalous behavior from a device.
• Block non-permitted unsolicited traffic destined for the device.
• Detect and block devices participating in a botnet, based upon indicators of compromise (IoC) that are identified by real-time threat intelligence and/or anomaly detection.
• Detect and block lateral propagation of malware between devices at Layer 2 and across VLANs.
• Detect and block devices from accessing known malicious websites and IP addresses.
• Detect and block malware from passing through the WAN to devices.
• Rate-limit traffic to a device to prevent targeted DDoS attacks.

5G network slicing provides additional security benefits:

• Network separation and segmentation isolate infections and attacks so that impact is minimized and contained. 5G network slicing provides isolated logical networks to enable services with diverse requirements on the same 5G network.
• Dynamic resource management enables each slice to meet QoS and SLA requirements, but network slices also provide inherent security advantages, since end-to-end isolation ensures resources dedicated to one slice cannot be consumed by another and traffic cannot be intercepted or spoofed by another slice.
• Cloud-native technologies and network automation allow customization of each network slice to meet use case and customer requirements. Each slice can be architected to provide tailored security controls for an individual customer and use case.
• Implementation of physically separated slices can provide further network segmentation, and private networks using directly licensed 5G spectrum provide further isolation and tailoring of security controls.

Recommendations for secure IoT

A strong IoT security posture uses zero trust principles and an end-to-end defense-in-depth approach to place security controls across the IoT System that minimize risk. It is recommended that a secure IoT system includes the following security controls:

• Use secure IoT devices, but do not assume trust. These devices should comply with NIST, or other national or industry guidelines, and have a recognized IoT security certification. Devices should be checked to ensure secure configuration is used in production.
• Use 5G. It is designed to provide secure IoT use cases by enabling many of the security controls needed for IoT security.
• Use an IoT gateway for Wi-Fi 6-capable IoT devices to access the 5G network. The gateway can provide security controls closer to the devices, but it is also an asset that must be protected.
• Assume zero trust. IoT solutions should be part of a zero trust architecture (ZTA). Identify authorization boundaries and use strong authentication on every solution component and interface. DTLS 1.2, TLS 1.2, or TLS 1.3 should be used for mutual authentication and protection of data in transit.
• Use network-based security controls on the user plane that provide additional protection against internal attacks from connected devices and external attacks from the public internet. The network can protect the IoT device when it is a target of an attack, such as botnet infection. If a device has been infected to target the network or system resources, such as acting as a C&C botnet or sourcing a DDoS attack, the network can protect itself, applications, and the IoT platform. Network-based security controls also provide protection from external attacks that target network availability, such as DDoS attacks.
• Use network slicing to provide isolation and tailored security controls. Private networks provide further isolation and tailoring.
• Use cloud security best practices and tools to protect applications and data in the cloud.
• Use a security management solution for enhanced visibility into the threat landscape as well as for security policy configuration and continuous compliance monitoring.
• The IoT solution should have a privacy impact analysis (PIA) to identify and mitigate privacy risks to data assets.
• The multi-party relationship between the enterprise, service provider, and cloud provider requires clearly defined security roles and responsibilities, along with a multi-lateral agreement addressing the controls to be deployed and the stakeholders responsible for implementing them. Changes to risk due to evolving threats, attack vectors, and security control technologies should be periodically re-assessed by all stakeholders.

IoT device, network, and cloud providers offer the technological capabilities to secure IoT systems, but market incentives, harmonized standards, and legislative actions require careful balance to improve security without slowing innovation. Governments, the information and communications technology (ICT) industry, device manufacturers, and standards development organizations (SDOs) must work together at a global level to minimize IoT security risks, allowing IoT’s promise to be realized.