Ensuring IoT Security (English Version).pdf
WHITEPAPER

Getting IoT security right: a CXO survival guide

Eight key recommendations for IoT security decision makers

Foreword from GSMA Intelligence

While the details of comprehensively securing the Internet of Things (IoT) may seem incredibly complex, three very basic facts provide context for prioritizing IoT security discussions:

- IoT connections: The number of IoT connections around the world has been steadily scaling, with a trajectory that shows no signs of decline over the next decade.
- 5G and critical use cases: The rollout of 5G networks promises to enable a diverse set of new IoT use cases, including critical communications where life and death is truly at stake.
- New threat vectors: Security breaches have become increasingly common, but IoT brings added vulnerabilities thanks to new points of (potentially unsecured) entry into a network.

Against this backdrop, the importance of fully understanding the security demands and options associated with any given IoT deployment is patently obvious.

Building on GSMA Intelligence IoT research, the critical nature of IoT security becomes even more evident. Our data shows that most enterprises not only display a full understanding of the importance of IoT security, but also have taken action to update their IoT security practices.

However, as much as this might all seem like good news (IoT security threats are on the rise, but enterprises are focused on addressing them), we must acknowledge a fundamental risk. The democratization of IoT solutions and services will bring it to a new set of enterprises who may not fully understand the importance of securing their connected devices, or the options available to do so. They may even believe that any solution they deploy is inherently secure regardless of any customization for their specific use cases; our research signals that this is the case for many.

While the whitepaper that follows includes a myriad of important facts and insights, one statement stands out as critical to understanding the reality of IoT security circa 2021.

"IoT isn't just a bunch of devices, it's an ecosystem."

We might dismiss the term as a buzzword, but ecosystems enable IoT use cases thanks to the support of myriad suppliers, and myriad solution components. What's more, the suppliers and components involved will differ depending on the specific vertical market, and the types of connectivity involved. In this way, IoT might be best understood as a matrix of vertical market use cases vs. specific solution components and suppliers.

If this seems incredibly complex, that's exactly what bad actors are counting on: complexities increase the likelihood of vulnerabilities (big and small) being overlooked. It's also why enterprises deploying IoT need to understand the specific security requirements of any IoT use case they deploy, recognizing the differences between standard IT and IoT security practices, the impact of diverse connectivity options, and the best security solutions based on their specific demands.

37%: Most enterprises have amended IoT security practices in line with new demands. Of those who haven't, 37% explained that they expect IoT solutions to already be secure.

Executive summary

IoT is growing at exponential rates, and will only grow faster as 5G becomes more widespread. The vision of an IoT world presents a world of fascinating possibilities: a world of smart homes, smart cities, smart farms, smart factories and smart cars on smart roads, with billions of devices communicating with each other and sharing data that enable more efficient and safer lives. However, achieving that vision relies on our ability to secure all those devices, and many IoT devices to date are notorious for not being all that secure, or at least not secure enough.

There are a variety of reasons for this, from OEMs putting greater priority on a plug-and-play experience to the fragmented nature of the IoT device market, a lack of common security protocols and a lack of uniform regulations (or indeed a lack of regulation altogether). However, as more IoT-related hacks make headlines, it has become increasingly clear that security is a prerequisite of IoT's commercial success as well as the benefits it promises society.

The good news is that more and more enterprises are taking IoT security seriously, and there are now tools, solutions, frameworks, best practices and checklists that make it easier for enterprises to plan and implement IoT security to monitor and mitigate threats. The key challenge lies in having a good understanding of IoT security and how it's not identical to the IT security practices IT managers are familiar with. IT security processes and skillsets do not translate seamlessly to IoT, particularly when it comes to cellular IoT apps, which are growing in prominence and capability on 4G networks and increasingly on 5G networks. IoT in general brings its own unique security issues to the table that vary according to use case and scalability; cellular IoT even more so, despite its well-earned reputation for stronger security.

Complicating things further is that IoT end points can generally be assumed to be hackable, which throws a wrench in enterprise IT security postures that focus on endpoint security. IoT security requires as much emphasis (if not more) on network security management, which itself is harder than it sounds, as the "network" in an IoT deployment is a complex ecosystem involving multi-cloud connectivity and third-party service providers. In other words, existing enterprise security postures are unlikely to cover the necessary bases for robust IoT security.

Consequently, enterprises need to understand:

- How IoT security is different from whatever security solutions they have in place
- The specific issues that certain IoT use cases will bring with them
- What that means for their risk assessments.

This also requires a mindset shift at the CXO level to stop thinking of security primarily as a cost center that balances cost, risk and performance, and more of a business opportunity that gives them a leg up on the competition.

Once you realize you need an IoT security solution, the obvious question is: what should I look for? The answer will necessarily depend on the specific IoT use case; however, there are eight key recommendations that decision makers can take into account to ensure they select the right security solution that enables them to take control of IoT security and accelerate IoT security deployments. At the end of the day, it comes down to a network-based approach that can find the right balance between protection and cost and puts a premium on prevention, automation, scalability and visibility.

Get it straight: IoT security is not IT security

The rollout of cellular IoT technologies is going strong around the world. According to the latest Ericsson Mobility Report [1], cellular IoT connections reached 1.6 billion in 2020, and will grow to an estimated 5.4 billion connections by 2026 (23% CAGR).

Notably, cellular IoT is shifting increasingly beyond low-bandwidth massive IoT applications such as smart meters and asset tracking towards more advanced broadband IoT use cases that require higher throughput, lower latency and larger data volumes, such as security cameras, drones and connected cars. Many of these use cases are already supported by 4G and 5G networks, and by the end of this year will outnumber IoT use cases running on 2G and 3G networks.

This trend will continue as 5G rollouts continue to proliferate, which will enable critical IoT use cases requiring guaranteed data delivery with specified latency targets, such as AR/VR, remote control of machines and cloud robotics, to name a few. And that's just for starters: as enterprises increasingly leverage the game-changing capabilities of 5G as part of their digital transformation roadmap, this will enable IoT use cases we can scarcely imagine today.

However, IoT presents a massive security challenge for enterprises already tasked with keeping their IT networks secure. Adding hundreds or thousands of new end points to the network creates thousands of potential new threat vectors that need to be protected. Moreover, those end points have security protections ranging from decent to non-existent, and none are hackproof.

[1] Source: Ericsson Mobility Report, June 2021

IoT attacks on the rise

Consequently, IoT devices and networks are ripe targets for attacks, and those attacks are growing fast:

- SonicWall's 2021 Global Cyberthreat Report [2] recorded 56.9 million IoT malware attacks in 2020, up from 34.3 million in 2019 (a 66% increase). In October 2020 alone, 10.8 million cases were recorded, more than all IoT malware attacks in 2017.
- A 2020 survey from Cybersecurity Insiders and Pulse Secure (since acquired by Ivanti) found 72% of organizations experienced an increase in endpoint and IoT security incidents in the previous 12 months, while 56% anticipate their organization will likely be compromised due to an endpoint or IoT-originated attack within the next 12 months. [3] The top three issues were related to malware (78%), insecure network and remote access (61%), and compromised credentials (58%).

As with IT-focused cyber attacks, the costs of an IoT breach can range from operational downtime and loss of productivity to compromised customer data, stolen IP, damage to the brand's reputation and, in some cases, end-user safety. This last aspect is not to be taken lightly: a hacked car, drone or robot has the potential capacity to harm or kill people, a consequence no IT security team has had to consider until now.

Costs for specific IoT security incidents are generally not made public, and many of the more publicized enterprise IoT hacks on "things" like construction cranes, supermarket freezers and driverless cars were carried out by security experts who discovered the vulnerability in question and reported it to the company. However, some recent research gives us an idea:

- A recent survey from Irdeto estimates that the average financial impact as a result of an IoT-focused cyber attack was $330,602, which Irdeto says may be an underestimate as respondents may not be taking into account all of the costs associated with a cyberattack, such as lost business and the costs of correcting whatever vulnerabilities that led to the attack. [4]
- A survey from strategy consulting group Altman Vilandrie

IoT use case spotlight: Industry 4.0

it also enables advanced operations with efficiency-boosting technologies like AR and autonomous mobile robots, all of which require the level of security inherent in 4G and 5G. Cellular IoT can also unlock the intelligence of IIoT use cases by securely enabling data to be transformed into actionable insights that raise productivity and sustainability.

However, it's worth highlighting one unique challenge to IIoT security: legacy operational technology (OT) networks using specific protocols for solutions such as SCADA, PLCs and DCS. These are typically managed separately from the manufacturer's IT systems, but there is currently a debate about whether they should be integrated to better facilitate IIoT use cases (to include making better use of OT data) and lower opex in the process.

That convergence potentially creates an opportunity for hackers to exploit both IT and OT systems, with OT being the weakest link, as OT-connected systems tend to run on outdated software and security patches are few and far between to minimize downtime. On the other hand, those concerns could be alleviated by integrating both IT and OT operations onto cellular IoT networks to provide reliable and tough access security for all things connected. (See the previous section of this whitepaper for more on the issue of IT/OT integration and IoT security.)

Key recommendations for IoT security solutions

While IoT security requires a different approach compared to regular enterprise IT security, selecting the right security solution for this involves some of the same general considerations as IT security solutions; in other words, it's a matter of risk assessment, performance and cost (not just the cost of the solution itself, but the cost of a breach, not just in terms of dollars, but also lives lost, brand damage, etc). Indeed, it's not only about the technical capabilities of the solution, but also the operational limitations. Does the security solution make sense from an operations or commercial point of view? What is the risk for each part of the IoT network? How do you prioritize them? Where does it make the most sense to spend money and effort to secure it?

As such, enterprises shopping for a cellular IoT security solution will have their work cut out for them hunting for something that matches their very specific requirements. They'll also have to decide whether the best solution is something that can be implemented and run in-house, or outsourced from a service provider. However, outside of the specifics, there are eight key recommendations that enterprises can look at when selecting and deploying the right security solution for their IoT use case.

1. Level of preventative protection

As mentioned earlier, prevention is the primary objective of IoT security, which brings the focus away from the end points (which it's safe to assume are hackable) and towards the network. Once you've completed your threat modelling, you can understand the routes into the system, and design preventative measures based on that. But the solution should be able to support whatever measures you need to take based on the threat model. So, for example, if the devices connect to multiple clouds and you want to limit traffic so it doesn't connect to specific clouds on different levels, a solution with granular options will help make it possible for you to do whatever makes sense for your network.

Another consideration related to detection and prevention is how fast the solution can detect and prevent. The level of turnaround time required will depend on the use case, but for critical IoT use cases where real-time communications are essential, you need a security solution that can detect and report potential threats as close to real time as possible, and also manage and mitigate those threats.

This in turn has to be balanced against network performance. A security solution may offer the best possible security protection and prevention capabilities, but it may not be worth the cost if it's slowing down the network to the point that customers notice, or if it impacts the low latencies required by critical IoT use cases.

2. Completeness of threat detection capabilities

Today, some IoT security solutions have capabilities in the device, some have nothing in the device, some can add capabilities in the device, or the capabilities reside in the cloud end points. B