Professional Documents
Culture Documents
June 2016
Table of Contents
Conclusion ............................................................................ 9
EXECUTIVE SUMMARY
The media delivers a steady stream of news coverage about hackers taking
control of end devices in the IoT network, including cars, refrigerators, baby
monitors, and webcams. These incidents typically involve consumer devices
that connect over Wi-Fi networks with user-configured password policies. The
reality is that IoT security issues extend well beyond the end device.
TRANSPORT
SECURITY Successful IoT implementations need to incorporate best practices to ensure
end-to-end security, fueled by a network that goes beyond consumer-grade
mobile and Wi-Fi. As enterprises shift from a product focus to embracing IoT
services to expand business opportunities and grow revenue, they must also
respond to early lessons in IoT security. The cellular IoT solution architecture
addresses these concerns with a multi-layer strategy for keeping the
enterprise secure while adopting the benefits of IoT.
NETWORK
SECURITY To minimize risk and optimize operations for mission-critical connected
devices and services, businesses should adopt cellular IoT—devices
connected over a cellular network—for secure connections. While ironclad
security may be impossible to achieve, enterprises can gain a very high
degree of security at a reasonable cost.
APPLICATION
SECURITY
As enterprises shift
from a product
focus to embracing
IoT services to
expand business
opportunities and
grow revenue, they
must also respond to
early lessons in IoT
security.
The cellular IoT view of security covers four key layers for protecting an IoT
deployment:
• Device
● Transport
• Network
• Application
This white paper discusses the security advantages of a cellular IoT solution
architecture, from the perspective of each of the four layers.
DEVICE SECURITY
According to the study, a key area of IoT vulnerability springs from weak
TRANSPORT
SECURITY passwords on devices with direct end-user access. Intrusions can also enter
into the enterprise IoT infrastructure from spoofed or unauthorized endpoints.
A simple way to remedy hacked passwords is to apply more stringent
password policies in the device application. Proper authentication and
authorization of devices connecting into network resources is a critical step
in an overall security plan. However, most low-cost, low-powered devices
cannot support sophisticated access control measures.
NETWORK
SECURITY Securing devices with GSM standards
APPLICATION The Global System for Mobile Communications (GSM) network authenticates
SECURITY
the identity of the subscriber through the use of a challenge-response
mechanism:
Each of these tasks take place within the device and SIM hardware,
drastically reducing the likelihood of a device being hijacked or spoofed—
and optimizing a secure network connection.
1
https://www.dropbox.com/s/36nxibezelxrduk/FTC-PrivacyCon-2016.pdf
in the cellular IoT Another advantage of a cellular IoT implementation is the ability to prevent
architecture— connected devices from communicating directly with each other. Preventing
device-to-device communications reduces the risk of a compromised device
device-to-device and interacting directly with another device in the IoT network and jeopardizing
overall security. All communications in the cellular IoT architecture—
device-to-cloud— device-to-device and device-to-cloud—can be regulated from the network,
can be regulated significantly enhancing the overall integrity of the IoT deployment.
Preventive innovations in the cellular IoT implementation can thwart intruders from gaining network
Here’s how it works in Control Center, the Cisco Jasper IoT service platform:
Control Center’s business rules engine uses a mobile device’s International Mobile Equipment Identity
(IMEI), a unique identifier for cellular capable devices, to check if the device is authorized to connect
to the network.
The first time the device connects to the network, the device’s IMEI is locked to the SIM. The action
of tampering or removing the SIM card to use it with a different, non-trusted device will raise a flag
that can trigger a number of possible defensive actions. For example, the device in question can be
barred from gaining network access, thus safeguarding the IoT infrastructure.
TRANSPORT SECURITY
Beyond the device, cellular IoT also helps eliminate vulnerabilities in data
transmissions between a connected device and cloud applications. Weak or
nonexistent data encryption compromises the integrity and privacy of the data
DEVICE being sent. Attacks such as “man-in-the middle” and session hijacking are
SECURITY
common methods for breaching the privacy of transmitted data.
TRANSPORT
SECURITY Securing the transport network with GSM encryption
The keys are never exposed outside of the SIM hardware, and the true
identity of the end device is never revealed—two factors that make this
solution particularly secure.
APPLICATION
SECURITY
Cellular IoT
addresses the
privacy challenge
with an alternative
solution: it provides
GSM standardized
encryption between
the mobile network
and the end device.
NETWORK SECURITY
TRANSPORT
SECURITY Cellular IoT provides a standardized and cost-effective approach to create
private networks between the enterprise and its connected devices.
Enterprises can use custom access point names (APNs) as a way to extend
the local-area network (LAN) out to the remote device. The enterprise can
then allocate their own private IP addresses, and specify additional levels
of authentication and authorization beyond what’s provided by the GSM
network.
NETWORK
SECURITY In essence, the cellular IoT solution architecture enables an enterprise to
extend its secure private network from the data center, across the mobile
operator network, all the way to the individual devices.
APPLICATION
SECURITY
APPLICATION SECURITY
Finally, applications • Transactions must be protected against common attacks such as SQL
themselves must injections, and each transaction should require validation.
support the ability • All data transmissions must be encrypted, and any data stored by a
cloud-based service provider should comply with SSAE 16 (or the
to identify and
earlier SAS 70) standards.
analyze anomalous
Finally, applications themselves must support the ability to identify and
or suspicious analyze anomalous or suspicious behavior when it happens. They must be
behavior when it able to flag any irregular patterns in network and data transmission activities
among devices or between devices, and the associated cloud applications
happens. should be removed from the network to prevent widespread disruptions.
CONCLUSION
End-to-end IoT security architecture extends from the device to the cloud
—and the cellular IoT solution delivers the robust infrastructure to help
companies minimize risk and maximize uptime:
IoT is the next wave of evolution in the networked world. To capitalize on the
endless possibilities while preventing the business from becoming tomorrow’s
hacking headline—enterprises can look to cellular IoT as a proven model to
accelerate their IoT service business.
WP_AETESITIOT_06012016
Achieving End-to-End Security in the Internet of Things (IoT)