Luc Vidal-Madjar, Head of Sim for Things at BICS, writes in this contribution to IoT Insider how the “humble SIM” can secure IoT growth
It feels like just yesterday that the IoT was more of a concept than a reality. Fast forward to the present, and it’s no longer a tool just for the most technologically advanced or futuristic companies. There are currently over 15 billion connected IoT devices worldwide, with that number expected to double by 2030.
But there is a downside to this progress. The promise of the IoT has always been to make everything more connected and digitised than ever before – but this opens the door (or more accurately, millions of tiny doors) to bad actors. We’re already seeing this start to play out, as evidenced by a 400% increase in malware attacks on IoT devices.
It’s time to get serious about security as we enter IoT’s next growth phase.
Cybercrime 4.0
As industry and technology become more advanced and complex, so do the associated risks. Broadly speaking, we can group IoT security risks into three categories:
Operational disruption
Several types of attacks threaten to bring down IoT systems, either intentionally or as a byproduct of achieving some other goal. IoT networks can be a tempting target for denial-of-service (DoS) attacks, and malware can infect devices as a means of extortion (such as ransomware) or to launch DDoS attacks on other targets through botnets. For enterprise IoT operations, such disruptions could have a significant financial impact. However, for IoT supporting critical national infrastructure, such as in hospitals, the consequences could be even more severe.
Data compromise
Attacks that seek to steal data from IoT networks can include accessing sensitive personal or corporate data collected by IoT devices such as medical, operational, or financial data. This could happen through hacking, interception, poor access control, or impersonation.
Fraud
Finally, there are several ways IoT networks could be exploited for fraudulent or illegal use. Devices could be compromised to launch cyberattacks, distribute illegal content, or commit fraud. For example, you could hack a smart thermostat to increase (or decrease) energy bills. So, as IoT devices become more ingrained in the process of measuring and billing for services like utilities, subscriptions or rentals, revenue assurance could become a challenge.
A complex landscape
All of this sounds scary, but it’s just an extension of the risks that already come with the online world. As the physical world becomes more digitised, we need to ensure cybersecurity keeps up. But when it comes to securing Industry 4.0 and the IoT ecosystem that supports it, we face a whole new level of complexity. As it happens, four factors make securing the IoT such a challenge:
Firstly, the IoT value chain is highly fragmented. Creating and delivering such solutions involves lots of different parties all handling separate parts of the process. This creates inconsistencies, compatibility problems and differing security standards and protocols.
Secondly, there’s a huge amount of deployment diversity. In other words, IoT is used across a wide range of environments, use cases and industries. An IoT solution in healthcare is going to be very different from an agricultural one, for example. That leads us to the third factor: IoT applications themselves are nearly infinitely varied, with many being built bespoke.
The fourth and most significant challenge is the sheer breadth of the attack surface. IoT solutions can easily have thousands of endpoints (devices), all of which present a potential point of contact for bad actors. But it’s not just devices. Any IoT solution is made up of three pillars: devices, the application, and the connectivity that binds everything together. While devices are often the most numerous, all three make up the attack surface and potential entry points.
This has prompted the UK government to introduce the first legally mandated cybersecurity standards for IoT devices. This is a step in the right direction, but there’s a solution that is already available that provides more end-to-end protection…
(Re)enter the SIM card
Funnily enough, this high-tech and highly complex challenge can be solved via a technology that’s been around since the early 90s. That’s right, the humble SIM card.
While there have been some innovations like the eSIM and iSIM, the SIM card has remained remarkably unchanged and unreplaced in its thirty-year reign. That’s because it continues to deliver in terms of performance, and most importantly, in this case, its security. This is due to several factors, from its tamper-resistant hardware to secure storage and strong authentication protocols.
The key to securing IoT, including its three distinct layers and millions of endpoints, is to use the SIM card as the ‘root of trust’. Thankfully, frameworks already exist for this. The GSMA’s IoT SAFE is a standard developed by the mobile industry that puts encryption and authentication of the IoT system at the heart of the SIM card, via an applet. It uses standardised APIs to make this easily integrated across different environments, devices, and applications. It means the system is widely compatible and cheap to implement.
Despite this, this secure IoT standard is not yet the standard. This is due to low awareness and IoT security still being in its nascent stages. As the threat increases, this will change, but there’s no need for organisations to let it get to this point. The tools are available now, and they are very accessible – it’s time to start using them.
Author: Luc Vidal-Madjar, Head of Sim for Things, BICS